Implementing Physical Networking/Workspace Isolation with Raspberry Pi 2

Discussion in 'privacy problems' started by mirimir, Mar 16, 2015.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I've written a how-to guide for physical isolation of networking and workspace, using two Raspberry Pi 2 Model B v1.1 ARM-based microcomputers, running Raspbian wheezy. I would very much appreciate review, comments, criticisms, and so on. It's at http://lwcl5doqq2uzjmom.onion/Raspian-wheezy-VPN-Tor-Gateway-Workspace-r0.html (or at http://lwcl5doqq2uzjmom.onion.city/Raspian-wheezy-VPN-Tor-Gateway-Workspace-r0.html if you don't want to bother using Tor).

    Next steps will include adding apps to the workspace, and hardening. I'm looking at shielding both networking Pi and workspace Pi (perhaps in aluminum, or maybe monel) and embedding the boards in something like http://www.amazon.com/Arctic-Alumin.../B0009IQ1BU/ref=sr_1_1?ie=UTF8&qid=1426546059 . And of course testing for leaks, both networking and as discussed in https://www.wilderssecurity.com/thr...re-not-safe-from-side-channel-attacks.374227/

     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Extremely tasty, will look forward to salivating over the setup. I've long enjoyed the Pi, and baulked at the Whonix/hardening part. Does the 4 core make this more usable for general purpose computing?

    Are you using (and is it supplied on Rpi2), the hardware RNG?
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I did attempt https://www.whonix.org/wiki/Dev/Build_Documentation/Physical_Isolation/8 but required packages seem to be missing in Raspbian wheezy. So I'm just locking down iptables. Plus the hardware isolation. And building the browser package for Tor Browser. I need to explore what else is possible in Raspbian wheezy.
    I find Pi 2 comparable to a VM on a decent multicore host with SSD. Performance with class 4 SDHC is noticeably worse than with class 10 SDHC. The best measure so far is that building the browser package for Tor Browser took 6-7 hours at 100% CPU. I don't know how many cores that used, but suspect that it was just one.
    I'll look into that. I'm rather a n00b with the Pi.

    Edit: I just found http://www.raspberrypi.org/forums/viewtopic.php?f=91&t=104384
    Code:
    sudo sh -c "echo bcm2708-rng >> /etc/modules"
    sudo modprobe bcm2708-rng
    But I also see stuff online about the need to install rng-tools, and to put "HRNGDEVICE=/dev/hwrng" /etc/default/rng-tools.
     
    Last edited: Mar 18, 2015
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Great that the performance is now decent. I'm inwardly seething at the glacial progress in desktop core count for a reasonable price that Intel deigns to give us, and I'm hoping that the quad and octacore mobile parts now available will start to rattle that cage. I've even recently been looking at resurrecting my beautiful Q6600 cpu, simply because the price/performance development of the desktop processors has been so slow.

    Looks like they've kept the hardware RNG in on the Rpi2? I'm really interested in using the Rpi as a kind of open crypto assistant to to other general purpose computers, so that it can store keys, operate KDF or general crypto, and generate randoms with less risk of subversion than the "main" system. There are even some little touchscreen extras which could allow for pin entry for example.

    On the SD card front, I tend to use UHS-I cards which have a better write speed in most cases.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes, but you need to activate it. From http://www.berthon.eu/2015/installing-linux-on-raspberry-pi-the-easy-way/ I get:
    Code:
    $ sudo modprobe bcm2708-rng
    $ sudo bash -c 'echo bcm2708_rng >> /etc/modules'
    $ sudo apt-get install rng-tools
    But he adds: "The implication of using such HW RNG is debatable and I will discuss it in the coming article." It's not there yet, but there is a discussion of randomness from TPM being debatable ;)
    The terminology is confusing. I have some SanDisk cards that are "Ultra", "SDHC I" and class 10, but they claim just 48 MB/s. So are they "UHS-I"?
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    Could someone recommend a privacy friendly blog provider that does not use java script? I'm thinking about starting a blog, and want it to be anonymous.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Yes the terminology is rubbish. I tend to filter on UHS-I, then look at the actual performance data for the card on small random read-write, which is probably what the OS is doing. Some of the cards are optimised for video, and some are counterfeit!

    Here's the links I've looked at regarding the RNG. Looks like you have to get the random data as root (as well as installing the necessary libraries as you've found).

    http://scruss.com/blog/2013/06/07/w...spberry-pis-hardware-random-number-generator/

    Dieharder random number tests
    http://www.phy.duke.edu/~rgb/General/dieharder.php

    A sample project
    http://cryptosense.com/building-a-raspberry-pi-hsm-for-rsa-2014/
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I just found an unopened package, and see that it's "UHS-I" :)
    OK, thanks. I'll dig. I wonder how this affects the Tor client.
     
  9. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    489
    Location:
    Earth .... occasionally
    I just spotted this on BBC's website :-

    Build a Raspberry Pi powered VPN

    It looks like a very comprehensive step-by-step guide.

    I'd be interested to hear any comments on the viability of this.

    Can anyone foresee any potential problems ?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    This guide explains how to setup an OpenVPN server in a Pi2. You might use this to access your LAN from your notebook, smartphone, etc. It doesn't cover using a Pi2 as a VPN-client router, for using VPN services.