I'm in the process of building up some Raspberry Pi devices with tinc to create my own low-budget VPN devices. The plan is to have these at all my trusted families' homes.
One use: I plan to keep a multi-TB drive at some of these homes so I can do offsite backups. I'll ask them to keep the drive in their fireproof safe, except when I ask so I can run a monthly backup (after paying bills, taxes, etc.). The backup will use an encryption system such that the contents are encrypted before they leave my local system, so the loss of the drive or compromise of the remote system doesn't affect the security of my data. I'll do the same for them if/when they supply the drives (shoot, it could be a GB thumb drive, they could store plenty that way). The point to this is distributed backups beyond one geographical location (thinking floods, but any major regional disaster could apply).
Second use: allow for private family sharing of communications so we can talk about stuff.
Presently we use a combination of free services and privately owned services. The problem with this is that say an email goes to just private servers, but then after someone does a reply and includes another person with a public email service, like Gmail, Yahoo, or Outlook.com account (or even a work email system), and sends a reply with the thread, then it's no longer private. My plan is to create a couple second private email servers which won't communicate with external mail systems. Or perhaps it might allow public email system access just to notify family via their public email service that they have an email on our private system (banks, insurance, medical providers do this sort of thing). Kind of a hassle, but not really a big deal for privacy.
Along with that will be a private family calendaring system. I'm not exactly sure how I want to do this. But the same basic idea, it would allow them to add a "private appt" meeting on their public calendar, but the details (location, phone, etc.) would only be available on the private calendaring system. I already do this manually between our immediate family's calendar and my work's calendar system (work will just say "Private Appt" and be marked as Out of the Office).
Of course we'll have a private contacts list as well. That way we can update our phone numbers, addresses, etc. and have it automatically distribute to each other.
Fourth use: Private file-sharing network. I've some family members who won't use Facebook, etc., and at this point I don't blame them. This way we can share photos and videos (you know, all the stuff most people share on Facebook). This will allow us to have our own private file-sharing network. One idea is to use one of the two Raspberry Pi USB ports to permanently keep a 64GB thumb drive installed for this purpose. It would replicate to all the other RPis so that local access of the files will be nearly instant. With this I want to set up a private Dropbox-type folder system which allows a local desktop PC's contents to be replicated to this RPi USB system. I've done this before on a local basis, but it's fairly technical to set up. Also, most of us have smart DVD/Blu-ray systems and picture frames that can automatically view these sorts of shares. This is great for non-technical older family to view the photos.
Fifth use: Private real-time video/voice/chat system. Same thing as you can do with public services, just using our own private network so there is no eavesdropping.
Additionally, I plan to get tinc working on our smart phones. This will allow us to securely access all these services away from home (including VOIP for voice).
Some of this is hobby, some of this is because I can, and the big motivation is because I just don't like what is going on these days with the giving up of privacy. I'm not some freak or pervert, and I don't copy movies/music illegally (everything I have digital, I own). I just don't believe my family's doings is anyone else's business.
One of the things I'd like to do in all this is document and try to automate/simplify the process. The goal would be so that someone else with a legitimate use could do the same. Thing is, I'd want to control access to the docs/installers that I'd create (although, I know that once it is shared with someone else, I have no control). I just don't want low-end criminals or pervs to have access (let's face it, high-end criminals already have this and better). Those legitimate uses that I think it would be useful for use with are those in countries violating human rights (China, etc.) and/or persecuting Christians.
At this point I've got the RPi working with tinc and a mesh of 4 systems. All systems can talk directly to each other, or I can designate and configure it such that there are just a handful of central hubs (minimum 2, preferably 3-4). Any system on the same local network as one of these RPi devices can communicate with this setup with zero configuration other than having IPv6 enabled.
I've got it all working with IPv6 addressing for the private network because IPv6 allows other local routers beyond your default gateway. I'll have a local IPv4 address as well so legacy devices like home A/V equipment can talk to the RPi as well (but not across the network, as there is no real need, plus the pics/videos will auto-replicate between the RPis). I've got it using both IPv6 & IPv4 for the public network, using whatever is available (IPv6 and IPv4, or either).
One nice thing about this system is that it will allow all RPi nodes to talk to each other, with end-node to end-node encryption (the middle nodes just forward it on), but can allow one or both of the end-nodes to be behind a proxy or single or double NAT where no inbound connections are allowed, so long as they can get to a hub system. Hub systems might be located at a paid colo service (or work), etc., but where the physical system is not to be trusted.
I'm going to do a bit more testing and then some hardening of the RPis, and then ship them off to family that want to be in the first deployment wave. Because it is easy to do, my next step will be to get file syncing going and a Dropbox-type client for folks to install on their desktops.
Sorry for the long post, but lots to get down.
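
The hub-and-leaf layout described in the post, as an added example that is not part of the original post: a small generator that checks the topology and renders a tinc 1.0 `tinc.conf` for each node, so NATed leaves dial out to every hub. The node names, hostnames and netname are constructed samples; only the "minimum 2 hubs" rule comes from the post.

```python
# Added example (not the poster's code): render tinc 1.0 tinc.conf files for a
# hub-and-leaf layout. All node names and hostnames below are constructed.
import re

NETNAME = "family"  # hypothetical netname, i.e. /etc/tinc/family/
MIN_HUBS = 2        # the post's stated minimum number of hubs

# Constructed topology: hubs accept inbound connections; leaves sit behind NAT
# and therefore publish no Address.
NODES = {
    "hub_colo":  {"hub": True,  "address": "hub-colo.example.net"},
    "hub_home":  {"hub": True,  "address": "hub-home.example.net"},
    "pi_mom":    {"hub": False, "address": None},
    "pi_sister": {"hub": False, "address": None},
}

def validate(nodes):
    """Return a list of problems that would leave part of the mesh unreachable."""
    problems = []
    hubs = [n for n, c in nodes.items() if c["hub"]]
    if len(hubs) < MIN_HUBS:
        problems.append(f"only {len(hubs)} hub(s), need {MIN_HUBS}")
    for name, cfg in nodes.items():
        # tinc node names may contain only letters, digits and underscores.
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            problems.append(f"{name}: invalid tinc node name")
        if cfg["hub"] and not cfg["address"]:
            problems.append(f"{name}: hub needs a public Address")
    return problems

def render_tinc_conf(name, nodes):
    """tinc.conf for one node: it dials out to every hub except itself."""
    lines = [f"Name = {name}", "AddressFamily = any"]  # use IPv4 or IPv6
    lines += [f"ConnectTo = {h}" for h, c in sorted(nodes.items())
              if c["hub"] and h != name]
    return "\n".join(lines) + "\n"

def render_host_stub(name, nodes):
    """Start of hosts/<name>; the node's public key is appended to it later."""
    addr = nodes[name]["address"]
    return f"Address = {addr}\n" if addr else ""

if __name__ == "__main__":
    assert not validate(NODES), validate(NODES)
    for node in NODES:
        print(f"# /etc/tinc/{NETNAME}/tinc.conf on {node}")
        print(render_tinc_conf(node, NODES))
```

Each node still needs every peer's `hosts/<name>` file, including the public key, before tinc will accept the connection.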