Docker/Pods/Wifi: Difference between revisions
From charlesreid1
Revision as of 21:13, 30 March 2017
Wifi Boat Overview
Services
UGR wifi boat ships the following services in Docker containers:
- stunnel server
- web server (hello world, report, file management)
- https web server (hello world)
- mongodb database
Stretch goals:
- Data to inform the server about processes that are running? How to install a program that runs on the pi and tries to call home and send updates on information going on with the operating system, running processes, etc.?
Please make a note:
- The UGR wifi boat does not receive or process raw packet data. The Raspberry Pi device will extract network data, either by using a tool that extracts relevant information or by running a tool like scapy or aircrack on the Raspberry Pi to capture and process network data local to the Pi. Only small, digested, processed data is sent back to the server.
Getting Set Up For The Boat
Make sure your node is all set: Deployment/New Node Checklist
Make sure docker installed: Docker/Installing
Boat Containers
Stunnel
Stunnel is a server/client service that allows arbitrary traffic to be transported through an encrypted HTTP over SSL layer (HTTPS). Since port 443 is usually open even on locked-down networks, this is an extremely handy tool for punching through firewalls. Due to the nature of encrypted traffic, the contents of an HTTPS packet cannot be inspected, so services that would otherwise be blocked due to their protocols, like SSH, can pass in and out of the network just fine by being wrapped up in HTTPS.
Here's how the Stunnel Docker container will be set up:
- Create a Dockerfile (you can download a prepared one, but they are easy enough to make that it is worth doing yourself.)
- Make a Docker Stunnel container image
- Run a Docker Stunnel container image
- Ensure that Stunnel is working and configured properly (ignoring network)
- Ensure that networking with host is working and configured properly
Get Files
Get the Dockerfile from the git.charlesreid1.com repo: https://charlesreid1.com:3000/docker/d-stunnel
$ mkdir ~/docker
$ cd ~/docker
$ git clone https://charlesreid1.com:3000/docker/d-stunnel
$ cd d-stunnel
This will also have some supporting scripts and example config files.
Create Certificate
Next step is to create a certificate.
Option 1 is to use Let's Encrypt (recommended). Use the LetsEncrypt page and the generate_letsencrypt_cert.sh script in the d-stunnel repository.
Option 2 is to use a self-signed certificate. See RaspberryPi/SSH Stunnel for details and use the generate_ss_cert.sh script in the d-stunnel repository.
Link to d-stunnel repository: https://charlesreid1.com:3000/docker/d-stunnel
Networking/Ports Configuration
Stunnel exposes one port externally (for clients to connect on), typically 443. This is the port on which all of the SSL-wrapped traffic will pass. We will need to map this port from the Docker container to the host, and open that port on the host's firewall.
Stunnel accepts encrypted traffic on that exposed port. It unwraps the traffic, removing the SSL layer, and forwards the unencrypted traffic on to another local port, typically one that is not publicly exposed.
For our test, the stunnel container will listen for connections on 443. It will forward these to local port 8443. We will set up a Python HTTP server on port 8443 that only listens for local requests and responds with a "HALLO WURLLD" page. If the stunnel container is configured correctly, we should be able to send HTTP requests to the stunnel container, and have it pass those through to the Python HTTP server, which will serve up the "HALLO WURLLD" page.
Start with the configuration file for stunnel. It will live in /etc/stunnel/stunnel.conf. Here is what we will use:
output = /var/log/stunnel4/stunnel.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
pid = /var/run/stunnel4/stunnel.pid
; server mode: terminate SSL on the accept port and forward plaintext to the backend
; (client = yes would do the reverse: accept plaintext and wrap it in SSL outbound)
client = no

[ssh]
accept = 443
connect = 127.0.0.1:8443
This will accept inbound encrypted connections on 443, decrypt them, and forward them along to local port 8443, where Python will be listening. Because this is the server side, stunnel handles inbound requests just like a web server would: the browser's HTTP requests arrive wrapped in SSL, and stunnel unwraps them before handing them to the backend.
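The "HALLO WURLLD" backend and a probe for checking it, as an added example rather than code from the d-stunnel repository. The backend binds to loopback only (so it is reachable by stunnel on the same host but not from the network); probe() talks plain HTTP to the backend, or, with tls=True, goes through stunnel the way a browser would. Names (HalloHandler, start_backend, probe, self_check) are this example's own; for the self-signed option, pass the stunnel.pem itself as cafile.

```python
"""Loopback test backend and probe for the stunnel container setup."""
import http.client
import http.server
import ssl
import threading

BODY = b"HALLO WURLLD\n"  # the page the stunnel test expects to see


class HalloHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep request logging quiet
        pass


def start_backend(host="127.0.0.1", port=8443):
    """Serve BODY on a loopback address only; port 0 picks a free port.
    Returns (server, actual_port) so the caller can shut it down."""
    srv = http.server.ThreadingHTTPServer((host, port), HalloHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, tls=False, cafile=None):
    """GET / from host:port and return (status, body).
    tls=False exercises the backend directly; tls=True wraps the connection
    in TLS, i.e. the path a client takes through stunnel on port 443."""
    if tls:
        ctx = ssl.create_default_context(cafile=cafile)  # verify the cert
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=5)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def self_check():
    """Start the backend on a free loopback port and probe it directly."""
    srv, port = start_backend(port=0)
    try:
        return probe("127.0.0.1", port)
    finally:
        srv.shutdown()
```

Once the container is up, probe(host, 443, tls=True, cafile=...) should return the same page; if the direct probe works but the TLS one does not, the problem is in the stunnel or port configuration, not the backend.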
Now we have the SSL certificates and the configuration file finished, and we are ready to build our Docker image.
Build Docker stunnel container image from Dockerfile
From the git repo checked out above, which contains a Dockerfile, run docker build to build the image:
$ docker build -t cmr_stunnel .
This may take a minute. Once that's finished make sure Docker now lists the image:
$ docker images
REPOSITORY    TAG      IMAGE ID       CREATED          SIZE
cmr_stunnel   latest   2b197f506e02   59 seconds ago   219 MB
Run the Docker stunnel container image
You can fire up the docker container and get a Bash shell:
$ docker run -ti cmr_stunnel /bin/bash
Test that the stunnel command works.
Now that stunnel is running okay, and the certificates are working, let's get the networking and ports figured out.
Port Mapping
The Docker networking guide provides some useful info: https://docs.docker.com/engine/userguide/networking/
We can choose among three networking modes: the host network, a bridge network (shared between host and container only), or no network at all.
We want to attach the container to the outside world via the standard network interface onboard the host. Use --network=host when running the container.
That works, but the remaining problem is how the container identifies its own address: the container image is missing ifconfig.
Load Image with Networking/Ports Configured
Links
Stunnel documentation (man page): https://www.stunnel.org/static/stunnel.html
Stunnel Dockerfile that is about as simple as it is going to get: https://github.com/taskworld/docker-stunnel/blob/master/Dockerfile
Note: ufw needs to accept, not drop, traffic: [1]
Note: container needs to bind to 0.0.0.0, not localhost, or it won't be accessible outside the container: [2]