Project Golden Gate – Demo Installation
The purpose of this page is to help the user install the demo RPI3 images. At the end of the procedure, the user will be able to:
- Install and boot RPI3 demo image
- Connect to RPI3 and change default passwords
- Access web interfaces (Luci (router), OpenHAB, Home Assistant) and configure various settings
- Access different cells (Router, application, VPN/DIT) using ssh
- Generate VPN certificates and install them on devices for secure remote access
- Raspberry Pi-3 Model B
- 4-32GB Micro-SD Card, 16GB or larger recommended / Card reader
- USB Adapter for Z-Wave or Zigbee
- Smart Switches / Multi Sensor / Hue lights
- Ethernet Cable – network connection
- Keyboard / Mouse / Monitor
- HDMI Cable
- USB Adapter – Ethernet
Step 1: Assemble Hardware
Step 2: Burn SD-Card (Use Etcher)
Step 3: Boot up RPI3 & Connect to WiFi
Once the Raspberry Pi boots, it assumes the following:
- eth0 : Untrusted – Wired interface connected to the Internet
  - only incoming VPN (IPSec) connections are accepted on this interface
- eth1 : Trusted – Requires a supported USB Ethernet adapter
  - full access is available on this interface
- wlan0 : Trusted – WiFi Access Point
  - full access is available on this interface
An untrusted interface is accessible only over VPN connections. It will not respond to pings, and all web servers are inaccessible over it. This interface is expected to be exposed to the public Internet.
Trusted interfaces are intended for use within the home network and allow unrestricted access to the system components. These interfaces will respond to pings and allow user access through SSH.
As soon as the board boots up, it exposes a WiFi access point. Connect to this access point to continue setup.
ssid: d4-secure-<serial number>
password: CHANGE-THIS-KEY-<serial number>
The serial number is a 32-bit hex number extracted from the boot device tree. In the unlikely event that the serial number cannot be found, a random 32-bit value will be generated instead. The SSID will be broadcast so that the serial number or random hex number can be seen and the key easily determined.
The key should be changed as soon as possible after connecting to the hotspot for the first time. See Step 5 below for details of how to do this.
Step 4: Remote login to RPI3
After connecting to the WiFi access point, the next step is to connect to the board.
For this, use
Or, if that doesn’t work (e.g. when multiple networks are connected to the device), use
To log in to the OpenWRT cell from the Driver cell (e.g. when you are connected to the RPI3 directly by keyboard / mouse), please use ssh firstname.lastname@example.org
There are four main Virtual Machines that perform different tasks in the Project Golden Gate image.
LEDE (Router VM)
LEDE is a fork of the OpenWRT project and functions as the networking controller in the system. This VM is the entry point to the system through SSH, allowing the user access to other parts of the system.
Driver (Application VM)
The VM which contains the main application functions. The demonstrations provided include driver cell images for openHABian, Kodi, or Hassbian. This VM is the main focus for the user and is accessible through the HDMI/Keyboard or SSH through the Router VM.
DIT (Data In Transit VPN VM)
This VM contains a VPN (strongSwan IPSec) server to allow secure remote access to the system. This VM is user accessible only through SSH connections from the Router VM or successful VPN connections.
SD Driver VM
This VM is the only one which has direct access to the SD card. It exports partitions individually to the other VMs so that each VM can only access its own partition and cannot access data belonging to the other VMs in the system. There is no network access to this VM so it remains isolated from the rest of the system.
NOTE: the boot partition is not exported to any other VM, so any applications which expect to be able to access files on this partition (e.g. raspi-config) will not work as expected.
Accessing system components over SSH
The best way to gain access to the command lines of the system components is over SSH.
A simple script called ssh-demux.sh has been provided which uses tmux to allow access to each component. After SSHing into the router cell, run
ssh-demux.sh <user name>
where <user name> is the login for the driver (application) cell,
e.g. run ssh-demux.sh pi for HASSbian or KODI, or
ssh-demux.sh openhabian for OpenHABian.
Step 5: Update Hostapd to reset credentials for WiFi Access point
At this stage, reconfigure the default WiFi ssid / wpa_passphrase to make the access point more secure.
From driver cell, run
sudo vi /etc/hostapd/hostapd.conf
and edit the ssid and wpa_passphrase fields, then restart the hotspot to apply the changes:
service hostapd restart
Note: This step will disconnect you from WiFi, and you will need to reconnect with the new credentials.
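The following check is an added example, not part of the Golden Gate image or its scripts. It audits a hostapd.conf for the defaults described in Step 3 (the d4-secure-<serial number> SSID and the CHANGE-THIS-KEY-<serial number> key); the function names and the sample serial number 0000abcd are made up for illustration.

```shell
#!/bin/sh
# Added example (not part of the Golden Gate image): audit a hostapd.conf
# for the demo defaults. Prints findings; returns 0 only when none are found.

conf_value() {  # usage: conf_value <key> <file>; last uncommented "key=" wins
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

audit_hostapd_conf() {  # usage: audit_hostapd_conf <path to hostapd.conf>
    ssid=$(conf_value ssid "$1")
    pass=$(conf_value wpa_passphrase "$1")
    findings=0

    # The default SSID d4-secure-<serial> broadcasts the serial number.
    case $ssid in d4-secure-*)
        echo "ssid still has the default d4-secure- prefix"
        findings=$((findings + 1)) ;;
    esac

    # The default key CHANGE-THIS-KEY-<serial> can be derived from that SSID.
    case $pass in CHANGE-THIS-KEY-*)
        echo "wpa_passphrase is still the default key"
        findings=$((findings + 1)) ;;
    esac

    # A new key must not embed the part of the SSID that is broadcast.
    suffix=${ssid#d4-secure-}
    if [ "$suffix" != "$ssid" ] && [ -n "$suffix" ]; then
        case $pass in *"$suffix"*)
            echo "wpa_passphrase contains the serial shown in the SSID"
            findings=$((findings + 1)) ;;
        esac
    fi

    # WPA passphrases are 8 to 63 characters; hostapd rejects anything else.
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "wpa_passphrase length ${#pass} is outside 8..63"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the image defaults with a made-up serial number.
sample=$(mktemp)
printf 'ssid=d4-secure-0000abcd\nwpa_passphrase=CHANGE-THIS-KEY-0000abcd\n' >"$sample"
audit_hostapd_conf "$sample" || echo "change both values as described in Step 5"
rm -f "$sample"
```

In the driver cell, call audit_hostapd_conf /etc/hostapd/hostapd.conf after editing the file and before restarting hostapd.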
Step 6: Launch applications (OpenHAB / Home Assistant / KODI / …)
Default IP Address of PI (from WiFi) : 10.34.91.1
For OpenHAB installation, please refer to OpenHAB Configuration
For Home Assistant installation, please refer to Home Assistant Configuration
For KODI, please refer to KODI Configuration
Step 7: Configure using Luci (Web interface for OpenWRT/LEDE)
For more details on OpenWRT configuration, please refer to OpenWrt Configuration
Step 8: Get Debugging traces (Optional)
Step 9: Generate VPN certificates for remote access (ipsec)
To generate VPN client certificates, go to the VPN VM window from Step 5.
Type root as the user name and press Enter; expect to see something like the following
From within the VPN server cell, execute the following commands.
You will be asked to enter a password to secure the certificate. The resulting VPN cert will be located at
This file is stored on partition 3 of the SD card.
Step 10: Extract VPN Certs from RPI3 / Transfer to device for remote access
To set up the VPN, we need to transfer the certificates from the board (VPN cell).
To do this, copy the /etc/ipsec.d/certs/client1.d4-secure.p12 file to your phone.
This can be done in 2 ways:
- Either through scp (e.g. scp /etc/ipsec.d/certs/client1.d4-secure.p12 <user name>@<your machine ip>:/<folder where you want to store>)
- Or by mounting partition 3 of the SD card to extract the certificate
Step 11: Configure IPSec client on remote device
Here is the strongSwan configuration:
Server: <ip addr of RPI3>
(To find out the IP address of the RPI3, from the OpenWRT cell, type ifconfig and check the IP address assigned to eth0_ext; alternatively, see the official RPI3 documentation)
IKEv2 Certificate : Choose the certificates extracted from the RPI3
User Identity : client1.d4-secure
CA Certificate : Select automatically
Server Identity : vpn.d4-secure
Step 12: Install Client applications (Optional) / Use web browser on remote device
At this stage, if everything has gone well, you are connected to the VPN and can connect to OpenHAB / Home Assistant just as you would from the home network.
Step 13: Control / Play