Raspberry Pi VPN Hotspot (or How To Infuriate Theresa May For Under £40)

As you’re no-doubt aware, Home Secretary Theresa May is probably going to get her way with her “snooper’s charter” by capitalising on events in Paris (even though that makes no sense), and before long, people working for law enforcement will be able to read your Internet usage history without so much as a warrant (or, to put it as the UN’s privacy chief put it, it’s “worse than scary”).

John Oliver on Last Week Tonight discusses the bill.
Or as John Oliver put it, “This bill could write into law a huge invasion of privacy.” Click to see a clip.

In a revelation that we should be thankful of as much as we’re terrified by, our government does not understand how the Internet works. And that’s why it’s really easy for somebody with only a modicum of geekery to almost-completely hide their online activities from observation by their government and simultaneously from hackers. Here’s a device that I built the other weekend, and below I’ll tell you how to do it yourself (and how it keeps you safe online from a variety of threats, as well as potentially giving you certain other advantages online):

"Iceland", one of my Raspberry Pi VPN hotspots
It’s small, it’s cute, and it goes a long way to protecting my privacy online.

I call it “Iceland”, for reasons that will become clear later. But a more-descriptive name would be a “Raspberry Pi VPN Hotspot”. Here’s what you’ll need if you want to build one:

  • A Raspberry Pi Model B (or later) – you can get these from less than £30 online and it’ll come with an SD card that’ll let it boot Raspbian, which is the Linux distribution I’ve used in my example: there’s no reason you couldn’t use another one if you’re familiar with it
  • A USB WiFi dongle that supports “access point” mode – I’m using an Edimax one that cost me under a fiver – but it took a little hacking to make it work – I’ve heard that Panda and RALink dongles are easier
  • A subscription to a VPN with OpenVPN support and at least one endpoint outside of the UK – I’m using VyprVPN because I have a special offer, but there are lots of cheaper options: here’s a great article about choosing one
  • A basic familiarity with a *nix command line, an elementary understanding of IP networking, and a spare 20 minutes.

From here on, this post gets pretty geeky. Unless you plan on building your own little box to encrypt all of your home’s WiFi traffic until it’s well out of the UK and close-to-impossible to link to you personally (which you should!), then you probably ought to come back to it another time.

Here’s how it’s done:

1. Plug in, boot, and install some prerequisites

Plug the WiFi dongle into a USB port and connect the Ethernet port to your Internet router.  Boot your Raspberry Pi into Raspbian (as described in the helpsheet that comes with it), and run:

sudo apt-get install bridge-utils hostapd udhcpd bind9 openvpn

2. Make HostAPD support your Edimax dongle

If, like me, you’re using an Edimax dongle, you need to do an extra couple of steps to make it work as an access point. Skip this bit if you’re using one of the other dongles I listed or if you know better.

wget http://dl.dropbox.com/u/1663660/hostapd/hostapd.zip
unzip hostapd.zip
sudo mv /usr/sbin/hostapd /usr/sbin/hostapd.original
sudo mv hostapd /usr/sbin/hostapd.edimax
sudo ln -sf /usr/sbin/hostapd.edimax /usr/sbin/hostapd
sudo chown root.root /usr/sbin/hostapd
sudo chmod 755 /usr/sbin/hostapd

3. Set up OpenVPN

Get OpenVPN configuration files from your VPN provider: often these will be available under the iOS downloads. There’ll probably be one for each available endpoint. I chose the one for Reyjkavik, because Iceland’s got moderately sensible privacy laws and I’m pretty confident that it would take judicial oversight for British law enforcement to collaborate with Icelandic authorities on getting a wiretap in place, which is the kind of level of privacy I’m happy with. Copy your file to /etc/openvpn/openvpn.conf and edit it: you may find that you need to put your VPN username and password into it to make it work.

sudo service openvpn start

You can now test your VPN’s working, if you like. I suggest connecting to the awesome icanhazip.com and asking it where you are (you can use your favourite GeoIP website to tell you what country it thinks you’re in, based on that):

curl -4 icanhazip.com

Another option would be to check with a GeoIP service directly:

curl freegeoip.net/json/

4. Set up your firewall and restart the VPN connection

Unless your VPN provider gives you DNAT (and even if they do, if you’re paranoid), you should set up a firewall to allow only outgoing connections to be established, and then restart your VPN connection:

sudo iptables -A INPUT -i tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i tun0 -j DROP
sudo sh -c "iptables-save > /etc/iptables.nat.vpn.secure"
sudo sh -c "echo 'up iptables-restore < /etc/iptables.nat.vpn.secure' >> /etc/network/interfaces"
sudo service openvpn restart

5. Configure your WiFi hotspot

Configure bind as your DNS server, caching responses on behalf of Google’s DNS servers, or another DNS server that you trust. Alternatively, you can just configure your DHCP clients to use Google’s DNS servers directly, but caching will probably improve your performance overall. To do this, add a forwarder to /etc/bind/named.conf.options:

forwarders {
  8.8.8.8;
  8.8.4.4;
};

Restart bind, and make sure it loads on boot:

sudo service bind9 restart
sudo update-rc.d bind9 enable

Edit /etc/udhcpd.conf. As a minimum, you should have a configuration along these lines (you might need to tweak your IP address assignments to fit with your local network – the “router” and “dns” settings should be set to the IP address you’ll give to your Raspberry Pi):

start 192.168.0.2
end 192.168.0.254
interface wlan0
remaining yes
opt dns 192.168.0.1
option subnet 255.255.255.0
opt router 192.168.0.1
option lease 864000 # 10 days

Enable DHCP by uncommenting (remove the hash!) the following line in /etc/default/udhcpd:

#DHCPD_ENABLED="yes"

Set a static IP address on your Raspberry Pi in the same subnet as you configured above (but not between the start and end of the DHCP list):

sudo ifconfig wlan0 192.168.0.1

And edit your /etc/network/interfaces file to configure it to retain this on reboot (you’ll need to use tabs, not spaces, for indentation):

iface wlan0 inet static
  address 192.168.0.1
  netmask 255.255.255.0

And comment out the lines relating to hot-plugging of WiFi adapters/network hopping:

#allow-hotplug wlan0
#wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
#iface default inet manual

Right – onto hostapd, the fiddliest of the tools you’ll have to configure. Create or edit /etc/hostapd/hostapd.conf as follows, but substitute in your own SSID, hotspot password, and channel (to minimise interference, which can slow your network down, I recommend using WiFi scanner tool on your mobile to find which channels your neighbours aren’t using, and use one of those – you should probably avoid the channel your normal WiFi uses, too, so you don’t slow your own connection down with crosstalk):

interface=wlan0
driver=nl80211
ssid=your network name
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=your network password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Hook up this configuration by editing /etc/default/hostapd:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Fire up the hotspot, and make sure it runs on reboot:

sudo service hostapd start
sudo service udhcpd start
sudo update-rc.d hostapd enable
sudo update-rc.d udhcpd enable

Finally, set up NAT so that people connecting to your new hotspot are fowarded through the IP tunnel of your VPN connection:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo sh -c "echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf"
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.nat.vpn.secure"

6. Give it a go!

Connect to your new WiFi hotspot, and go to your favourite GeoIP service. Or, if your VPN endpoint gives you access to geographically-limited services, give those a go (you’d be amazed how different the Netflix catalogues are in different parts of the world). And give me a shout if you need any help or if you have any clever ideas about how this magic little box can be improved.

Further reading:

×

Review of Hacknet

This review originally appeared on Steam. See more reviews by Dan.

I’ve been a huge fan of the “hacker game” ever since I first played 1985’s Hacker on my Amstrad CPC: I’m pretty hardened to the genre, and I can confidently say that not since Uplink has anything broken through my firewall like Hacknet did. If you’re looking for an easy-to-pick up and compelling puzzle game in a cyberpunk theme, it’s a clear winner: I got 6 hours of thoroughly enjoyable playtime out of it, and I’m sure I’ll go back and get the same again when I find the chance to go and explore deeper.

Twee2 – Interactive Fiction Authoring for Geeks

There’s a wonderful tool for making web-based “choose your own adventure”-type games, called Twine. One of the best things about it is that it’s so accessible: if you wanted to, you could be underway writing your first ever story with it in about 5 minutes from now, without installing anything at all, and when it was done you could publish it on the web and it would just work.

Screenshot of a Twine 2 story map
A “story map” in Twine 2. Easy interactive fiction writing for normal people.

But the problem with Twine is that, in its latest and best versions, you’re trapped into using the Twine IDE. The Twine IDE is an easy-to-use, highly visual, ‘drag-and-drop’ interface for making interactive stories. Which is probably great if you’re into IDEs or if you don’t “know better”… but for those of us who prefer to do our writing in a nice clean, empty text editor like Sublime or TextMate or to script/automate our builds, it’s just frustrating to lose access to the tools we love. Plus, highly-visual IDEs make it notoriously hard to collaborate with other authors on the same work without simply passing it back and forwards between you: unless they’ve been built with this goal in mind, you generally can’t have two people working in the same file at the same time.

Sublime Text demonstrating multi-line-selection.
Now THIS is what code editing should look like.

Earlier versions of Twine had a command-line tool called Twee that perfectly filled this gap. But the shiny new versions don’t. That’s where I came in.

In that way that people who know me are probably used to by now, I was very-slightly unsatisfied with one aspect of an otherwise fantastic product and decided that the correct course of action was to reimplement it myself. So that’s how, a few weeks ago, I came to release Twee2.

Twee2 logo
Twee2’s logo integrates the ‘branching’ design of Twine adventures with the ‘double-colon’ syntax of Twee.

If you’re interested in writing your own “Choose Your Own Adventure”-type interactive fiction, whether for the world or just for friends, but you find user-friendly IDEs like Twine limiting (or you just prefer a good old-fashioned text editor), then give Twee2 a go. I’ve written a simple 2-minute tutorial to get you started, it works on Windows, MacOS, Linux, and just-about everything else, and it’s completely open-source if you’d like to expand or change it yourself.

(there are further discussions about the concept and my tool on Reddit here, here, here and here, and on the Twinery forums herehere and here)

Get Twee2

× ×

Dan Q posted a note for GC54F7N Oxford Steganography #4 – Tilt

This checkin to GC54F7N Oxford Steganography #4 - Tilt reflects a geocaching.com log entry. See more of Dan's cache logs.

This is definitely now inaccessible and has been muggled. I’m scouting for a new location for this cache, but in the meantime, anybody who wants to complete the series can send me a private message stating the co-ordinates of this cache and I’ll provide them with the secret code from within it: that way – so long as you’ve found #1, #2, and #3 – you can still eventually find #5!

Thanks for your patience, and happy ‘caching!

Into the Lair of the Bladder Monster

Warning: this blog post contains pictures of urine, invasive equipment, and the inside of a bladder. It’s probably safe for all audiences, but you might like to put your glass of apple juice down for a minute or two. The short of it all is that I’m probably healthy.

Since my hospitalisation the other month with a renal system infection, I’ve undergone a series of investigations to try to determine if there’s an underlying reason that I fell ill. As my doctor explained to me, it’s quite possible that what I’d experienced was a random opportunistic infection (perhaps aided by a course of unrelated antibiotics I’d been on earlier this year or by certain lifestyle habits), but if that wasn’t the case – if there were some deeper explanation for my health problems – it was important to find out sooner, rather than later.

A sterile pot full of Dan Q's urine.
I’ve peed in so many little pots! If you laid them end-to-end across your kitchen counter, people would think that you were some kind of pervert.

Early on I had several ultrasound scans of my bladder (at a number of different times and at a variety of levels of fullness) and one of my kidneys, the latter of which revealed some “minor scarring” of one of them which apparently isn’t something I should be worried about… although I wish they’d started the two-page letter I got with that rather than opening with, effectively, “Contrary to what we told you at the hospital, we did later see something wrong with you…” But still, good to be reassured that this is probably not an issue.

Ultrasound scan of one of Dan Q's kidneys.
An ultrasound scan of one of my kidneys. Can you tell the sex yet?

More recently, I went to the hospital to have a “flow rate test” and a cystoscopy. The flow rate test involved the most-ghetto looking piece of NHS equipment I’ve ever seen: functionally, it seemed to be little more than a funnel on top of a large measuring beaker, in turn on top of a pressure-sensitive digital scale. The scale was connected up to the only fancy-looking bit of equipment in the room, a graphing printer that output the calculated volume (based on their weight) of the same and, more-importantly, the rate of change: the “flow rate” of the stream of urine.

A stream of urine pours down into a funnel.
I’m right, aren’t I? That’s basically a kitchen funnel, isn’t it?

I suppose one advantage of using equipment like this is that it basically operates itself. Which meant that the nurse was able to give me five seconds worth of instruction and then leave the room, which saved us from our own Britishness forcing us to make small-talk while I urinated in front of her or something. Ultimately, I turned out to be within the range of normalcy here, too, although I was a little disappointed to find that the ward didn’t maintain a daily “score board” of flow rates, as sort-of a science-backed literal pissing contest.

A graphing printer describes Dan Q's urine flow. The 'flow rate' graph shows an initial peak, then a trough, then continues to a higher sustained peak.
Apparently not all men experience that ‘spurt-and-then-full-pressure’ thing you’ll see on the graph on the right, when they start to pee, but some of us do, and it’s perfectly normal. I’m learning so much!

Finally came the cystoscopy, and this was the bit that I’d been most-nervous about. This procedure involves the insertion of a long flexible tube into the urethra at the tip of the penis, under local anasthetic, and pushing it all the way down, through the sphincter, down through the prostate and then back up into the bladder. It’s then used as a channel to pump water into the bladder, filling it to capacity and stretching out the sides, after which the fibreoptic cord (and light) that runs along its length is used to look around inside the bladder to inspect for any of a plethora of different problems.

Cystoscopy equipment, ready for insertion.
You’re going to put that WHERE?

The doctor invited me to watch with him on the monitor, which I initially assumed was because I was clearly interested in everything and kept asking questions, but in hindsight I wonder if it’s just that he – quite rightly – assumed that I might have panicked if I’d have been looking in the direction of the piece of equipment he brought in and jabbed at my penis with. I only looked at it while it was on its way out, and my god its a scary-looking thing: sort of like a cross between a tyre pressure gauge and a blowtorch. The first few inches were painless – the local anasthetic had made me completely numb right up to and including the external sphincter, which is at the base of the penis. However, what I can only assume was the second sphincter complained of the discomfort, and it stung pretty sharply any time the doctor would twist the cystoscope to change the angle of the picture.

View up a urethra, from a cystoscope.
The view as you ‘travel’ up the urethra looks pretty much like I expected. With a motion simulator, it would make a pretty cool ride!

Seeing the inside of your own body is an amazing experience. I mean: it’s not amazing enough to even be worth the experience of a cystoscopy, never mind the illness that in my case preceeded it… but it’s still pretty cool. The ultrasounds were interesting, but there’s nothing quite so immersive as seeing a picture of the inside of your own bladder, gritting your teeth while the doctor points to an indentation and explains that it’s the opening to the ureter that connects to your own left kidney!

Unfortunately I neglected to take my phone into the operating room, having put it into a locker when I changed into a gown, and so I wasn’t able to (as I’d hoped) take photos of the inside of my own bladder. So you’ll have to make do with this video I found, which approximates the experience pretty well. The good news is that there’s probably nothing wrong with me, now that the infection from earlier this year has passed: nothing to suggest that there’s any deeper underlying issue that caused me to get sick, anyway!

The bad news is that while the procedure itself was shorter and more-bearable than I’d expected, the recovery’s been a real drag. A week later, it still hurts a lot to urinate (although I’ve stopped yelping out loud when I do so) and my crotch is still too sore for me to be able to cycle. I’ve also discovered that an errection can be painful enough to wake me up, which is definitely not the most-pleasant way I’ve been roused by a penis. But it’s getting better, day by day, and at least I know for sure that I’m more-or-less “right” in the renal system, now.

× × × × × ×

Post-It Minesweeper

Remember Minesweeper? It’s probably been forever since you played, so go have a game online now. And there went your afternoon.

A game of Microsoft Minesweeper in progress.
This is actually a pretty tough move.

My geek-crush Ben Foxall posted on Twitter on Monday morning to share that he’d had a moment of fun nostalgia when he’d come into the office to discover that somebody in his team had covered his monitor with two layers of Post-It notes. The bottom layer contained numbers – and bombs! – to represent the result of a Minesweeper board, and the upper layer ‘covered’ them so that individual Post-Its could be removed to reveal what lay beneath. Awesome.

Ben Foxall discovers Post-It Minesweeper
Unlike most computerised implementations of Minesweeper, the first move isn’t guaranteed to be safe. Tread carefully…

Not to be outdone, I hunted around my office and found some mini-Post-Its. Being smaller meant that I could fit more of them onto a monitor and thus make a more-sophisticated (and more-challenging!) play space. But how to generate the board? Sure: I could do it by hand, but that doesn’t seem very elegant at all – plus, humans make really bad random number generators! I didn’t need quantum-tunnelling-seeded Minesweeper (yes, that’s a thing) levels of entropy, sure, but it’d still be nice to outsource the heavy lifting to a computer, right?

Screenshot of my Post-It Minesweeper board generator.
Yes, I’m quite aware of the irony of using a computer to generate a paper-based version of a computer game, why do you ask?

So naturally, I wrote a program to do it for me. Want to see? It’s at danq.me/minesweeper. Just line up some Post-Its on a co-worker’s monitor to work out how many you can fit across it in each dimension (I found that I could get 6 × 4 standard-sized Post-Its but 7 × 5 or even 8 × 5 mini-sized Post-Its very comfortably onto one of the typical widescreen monitors in my office), decide how many mines you want, and click Generate. Don’t like the board you get? Click it again!

Liz McCarthy tweets about her experience of being given a Post-It Minesweeper game to play.
I set up the first game on my colleague Liz’s computer, before she came in this morning.

And because I was looking for a fresh excuse to play with Periscope, I broadcast the first game I set up live to the Internet. In the end, 66 people ended up watching some or all of a paper-based game of Minesweeper played by my colleague Liz, including moments of cheering her on and, in one weird moment, despair at the revelation that she was married. The internet’s strange, yo.

Anyway: in case you missed the Periscope broadcast, I’ve put it on YouTube. Sorry about the portrait-orientation filming: I think it’s awful, too, but it’s a Periscope thing and I haven’t installed the new update that fixes it yet.

Now go set up a game of Post-It Minesweeper for a friend or co-worker.

× ×