Demo Setup

Project Golden Gate – Demo Installation

The purpose of this page is to ensure that a user is able to install the demo RPI3 images. At the end of the procedure, the user will be able to:

  • Install and boot RPI3 demo image
  • Connect to RPI3 and change default passwords
  • Access web interfaces (Luci (router), OpenHAB, Home Assistant) and configure various settings
  • Access different cells (Router, application, VPN/DIT) using ssh
  • Generate VPN certificates and install them on devices for secure remote access

Hardware Needs


Mandatory

  • Raspberry Pi-3 Model B
  • 4-32GB Micro-SD card (16GB or larger recommended) and a card reader
  • USB Adapter for Z-Wave or Zigbee
  • Smart Switches / Multi Sensor / Hue lights
  • Ethernet Cable – network connection

Optional

  • Keyboard / Mouse / Monitor
  • HDMI Cable
  • USB Adapter – Ethernet

Installation Steps


Step 1: Assemble Hardware


Step 2: Burn SD-Card (Use Etcher)


Step 3: Boot up RPI3 & Connect to WiFi


Once the Raspberry Pi boots, it assigns the following roles to its network interfaces:

  • eth0 : Untrusted – Wired Interface connected to the Internet
    • only incoming VPN (IPsec) connections are accepted on this interface
  • eth1 : Trusted – Requires a supported USB Ethernet adapter
    • full access is available on this interface
  • wlan0 : Trusted : Wifi Access Point
    • full access is available on this interface

The untrusted interface is reachable only through VPN connections: it does not respond to pings and none of the web servers are reachable over it. This interface is expected to be exposed to the public Internet.

Trusted interfaces are intended for use within the home network and allow unrestricted access to the system components. They respond to pings and allow user access through SSH.

As soon as board boots up it will expose a wifi access point, connect to this interface to continue setup.

ssid: d4-secure-<serial number>

password: CHANGE-THIS-KEY-<serial number>

The serial number is a 32-bit hex number extracted from the boot device tree. In the unlikely event that the serial number cannot be found, a random 32-bit value is generated instead. Because the SSID is broadcast, the serial number (or the random value) is visible to anyone in radio range, and so is the default key derived from it: the default credentials offer no real protection.

Change the key as soon as possible after connecting to the hotspot for the first time. See Step 5 below for details of how to do this.

Step 4: Remote login to RPI3


After connecting to the Wifi access point, the next step is to log in to the board. For this, use

ssh root@gw-wlan.d4-secure

If that does not work (e.g. when your machine is connected to more than one network and the name does not resolve), use

ssh root@10.34.91.1

To log in to the OpenWRT cell from the Driver cell (e.g. when you are connected to the RPI3 directly with a keyboard and monitor), use ssh root@10.34.90.5

There are four main Virtual Machines that perform different tasks in the Project Golden Gate image.

LEDE (Router VM)

LEDE is a fork of the OpenWRT project and functions as the networking controller in the system. This VM is the entry point to the system through SSH, allowing the user access to other parts of the system.

Driver (Application VM)

The VM which contains the main application functions. The demonstrations provided include driver cell images for openHABian, Kodi, or Hassbian. This VM is the main focus for the user and is accessible through the HDMI/Keyboard or SSH through the Router VM.

DIT (Data In Transit VPN VM)

This VM contains a VPN (strongSwan IPsec) server to allow secure remote access to the system. This VM is user accessible only through SSH connections from the Router VM or through successful VPN connections.

SD Driver VM

This VM is the only one which has direct access to the SD card.  It exports partitions individually to the other VMs so that each VM can only access its own partition and cannot access data belonging to the other VMs in the system.  There is no network access to this VM so it remains isolated from the rest of the system.

NOTE: the boot partition is not exported to any other VM, so any applications which expect to be able to access files on this partition (e.g. raspi-config) will not work as expected.

Accessing system components over SSH

The best way to gain access to the command lines of the system components is over SSH.

A simple script called ssh-demux.sh has been provided which uses tmux to open a window for each component. After SSHing into the router cell, run

ssh-demux.sh <user name>

where <user name> is the login for the driver (application) cell, e.g.

ssh-demux.sh pi for HASSbian or KODI, or

ssh-demux.sh openhabian for OpenHABian.

Step 5: Update hostapd to reset the credentials of the WiFi access point


At this stage, reconfigure the default Wifi ssid / wpa_passphrase: the defaults are derived from the broadcast SSID and must be replaced with a key of your own.

From the driver cell, run

sudo vi /etc/hostapd/hostapd.conf

and edit the ssid and wpa_passphrase fields, then restart the hotspot to apply the changes:

sudo service hostapd restart

Note: this step will disconnect you from the Wifi, and you will need to reconnect with the new credentials.
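The default SSID/key pair from Step 3 can be derived by anyone who sees the beacon, so this rotation is the first real hardening action on the board. The following POSIX shell script is an added example, not part of the Project Golden Gate image: it checks whether a hostapd.conf still carries the CHANGE-THIS-KEY- default, generates a random 24-character WPA2 passphrase, validates the 8..63 printable-ASCII rule that hostapd enforces, and rewrites the ssid and wpa_passphrase fields through a temp file so a partial write never replaces the live config. The path /etc/hostapd/hostapd.conf and the field names are the ones this page and hostapd use; the serial 0123abcd in the demo config is constructed.

```shell
#!/bin/sh
# Added example, not part of the Project Golden Gate image: rotate the hotspot
# credentials in a hostapd.conf. The default "CHANGE-THIS-KEY-<serial>" key is
# recoverable from the broadcast SSID, so it must be replaced before the board
# is left running.
set -u

HOSTAPD_CONF=${HOSTAPD_CONF:-/etc/hostapd/hostapd.conf}   # path given on this page

# hostapd requires a WPA2-PSK passphrase of 8..63 printable ASCII characters.
check_wpa_passphrase() {
  n=${#1}
  [ "$n" -ge 8 ] && [ "$n" -le 63 ] || return 1
  # anything left after deleting 0x20..0x7E is a non-ASCII or control byte
  [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d ' -~')" ]
}

# True while the file still carries the serial-derived default key.
is_default_key() {
  grep -q '^wpa_passphrase=CHANGE-THIS-KEY-' "$1"
}

# 24 random alphanumerics from /dev/urandom (about 142 bits of entropy).
gen_wpa_passphrase() {
  p=""
  while [ ${#p} -lt 24 ]; do
    p="$p$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "$p" | cut -c1-24
}

# Set key=value, replacing an existing "key=" line or appending one. Key and
# value travel through the environment so awk does not interpret backslashes;
# the result goes through a temp file and is copied back over the original so
# ownership and permissions of the config are preserved.
set_hostapd_field() {
  conf=$1; key=$2; val=$3
  tmp=$(mktemp) || return 1
  K="$key" V="$val" awk '
    index($0, ENVIRON["K"] "=") == 1 { print ENVIRON["K"] "=" ENVIRON["V"]; seen = 1; next }
    { print }
    END { if (!seen) print ENVIRON["K"] "=" ENVIRON["V"] }' "$conf" > "$tmp" &&
    cat "$tmp" > "$conf"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Back up the config, then set a new SSID and passphrase (random if none is
# given). Prints the passphrase so it can be recorded once.
rotate_ap_credentials() {
  conf=$1; ssid=$2; pass=${3:-$(gen_wpa_passphrase)}
  check_wpa_passphrase "$pass" || { echo "passphrase must be 8..63 printable ASCII chars" >&2; return 1; }
  [ ${#ssid} -ge 1 ] && [ ${#ssid} -le 32 ] || { echo "SSID must be 1..32 bytes" >&2; return 1; }
  cp "$conf" "$conf.bak" || return 1
  set_hostapd_field "$conf" ssid "$ssid" && set_hostapd_field "$conf" wpa_passphrase "$pass" || return 1
  printf '%s\n' "$pass"
}

# Demonstration on a constructed copy of the shipped defaults (serial 0123abcd
# is made up). On the board you would run
#   rotate_ap_credentials "$HOSTAPD_CONF" my-ssid && sudo service hostapd restart
demo=$(mktemp)
cat > "$demo" <<'EOF'
interface=wlan0
driver=nl80211
ssid=d4-secure-0123abcd
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-THIS-KEY-0123abcd
EOF
is_default_key "$demo" && echo "$demo still uses the default key, rotating"
rotate_ap_credentials "$demo" home-iot-gw > /dev/null
grep -E '^(ssid|wpa_passphrase)=' "$demo"
rm -f "$demo" "$demo.bak"
```

The script only edits the file; the restart from this step (sudo service hostapd restart) still has to be run afterwards, and the saved .bak copy contains the old key, so delete it once the new credentials are confirmed working.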

Step 6: Launch applications (OpenHAB / Home Assistant / KODI / …)


Default IP address of the PI (from Wifi): 10.34.91.1

For OpenHAB installation please refer to OpenHAB Configuration

For Home Assistant installation please refer to Home Assistant Configuration

For KODI, please refer to KODI Configuration

Step 7: Configure using Luci (Web interface for OpenWRT/LEDE)


For more details on OpenWRT configuration, please refer to OpenWrt Configuration

Step 8: Get Debugging traces (Optional)


Step 9: Generate VPN certificates for remote access (ipsec)


In order to generate VPN client certificates, switch to the VPN VM window of the tmux session opened by ssh-demux.sh (see Step 4) and log in with the user name root.

From within the VPN server cell, execute the following command:

root@vpn: generate_client_key.sh

You will be asked to enter a password to secure the certificate. The resulting VPN cert will be located at

/etc/ipsec.d/certs/client1.d4-secure.p12

This file is stored on partition 3 of the SD card.

Step 10: Extract VPN Certs from RPI3 / Transfer to device for remote access


To set up the VPN, the certificate bundle has to be transferred from the board (VPN cell) to the remote device: copy /etc/ipsec.d/certs/client1.d4-secure.p12 to your phone. Note that the .p12 file contains the client's private key as well as its certificate, so transfer it only over the trusted interfaces and keep the password chosen in Step 9 separate from the file.

This can be done in 2 ways:

  1. through scp (e.g. scp /etc/ipsec.d/certs/client1.d4-secure.p12 <user name>@<your machine ip>:/<folder where you want to store it>), or
  2. by mounting partition 3 of the SD card and extracting the certificate.
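Before the bundle goes onto the phone it is worth confirming that it is the right one: that it opens with the password from Step 9, carries a private key, that the client identity inside it is client1.d4-secure (the User Identity entered in Step 11), that the client certificate chains to the CA bundled with it (which is what the phone's "Select automatically" relies on), and a hash to compare on both ends after the scp or SD-card copy. The following shell script is an added example, not part of the Project Golden Gate image or of generate_client_key.sh; it assumes only the openssl command-line tool and a .p12 produced as described in Step 9.

```shell
#!/bin/sh
# Added example, not part of the Project Golden Gate image: sanity-check an
# exported client .p12 before installing it on a phone. Needs the openssl CLI.
set -u

# CN of the client (end-entity) certificate in the bundle.
p12_client_cn() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# CN of the (first) CA certificate bundled alongside the client certificate.
p12_ca_cn() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# notAfter of the client certificate, so an expired bundle is caught early.
p12_client_expiry() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# SHA-256 of the file, to compare after the transfer to the phone or laptop.
p12_sha256() {
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Return 0 only if the bundle opens with the password, contains a private key,
# the client certificate carries the expected identity and chains to the CA
# shipped inside the bundle. Prints the reason on failure.
verify_client_p12() {
  file=$1; pass=$2; want=$3
  tmp=$(mktemp -d) || return 1
  if ! openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes \
       -out "$tmp/key.pem" 2>/dev/null; then
    echo "cannot open $file: wrong password or damaged file"; rm -rf "$tmp"; return 1
  fi
  if ! grep -q 'PRIVATE KEY' "$tmp/key.pem"; then
    echo "bundle has no private key"; rm -rf "$tmp"; return 1
  fi
  cn=$(p12_client_cn "$file" "$pass")
  if [ "$cn" != "$want" ]; then
    echo "client identity is '$cn', expected '$want'"; rm -rf "$tmp"; return 1
  fi
  # Re-encode both certificates through openssl x509 to drop the "Bag
  # Attributes" text that pkcs12 prints in front of the PEM blocks.
  openssl pkcs12 -in "$file" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null |
    openssl x509 -out "$tmp/client.pem" 2>/dev/null
  openssl pkcs12 -in "$file" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null |
    openssl x509 -out "$tmp/ca.pem" 2>/dev/null
  if [ ! -s "$tmp/ca.pem" ] ||
     ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/client.pem" >/dev/null 2>&1; then
    echo "client certificate does not chain to the bundled CA"; rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
  echo "OK: identity $want, CA $(p12_ca_cn "$file" "$pass"), expires $(p12_client_expiry "$file" "$pass")"
}

# Usage on the machine that received the file:
#   sh verify-p12.sh client1.d4-secure.p12 '<export password>'
if [ $# -ge 2 ]; then
  verify_client_p12 "$1" "$2" "${3:-client1.d4-secure}" || exit 1
  echo "sha256 $(p12_sha256 "$1")  (compare against the copy on the phone)"
fi
```

If OpenSSL 3 refuses to open a bundle that was written with older PKCS#12 encryption algorithms, add -legacy to the openssl pkcs12 invocations; the checks themselves do not change.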



Step 11: Configure IPSec client on remote device


Here is the strongSwan client configuration:


Server: <ip addr of RPI3>

(To find out the IP address of the RPI3, from the OpenWRT cell type ifconfig and check the IP address assigned to eth0_ext; alternatively, see the official RPI3 documentation.)

IKEV2 Certificate : Choose certificates extracted from RPI3

User Identity : client1.d4-secure

CA Certificate : Select automatically

Advanced Settings

Server Identity : vpn.d4-secure


Step 12: Install client applications (Optional) / Use a web browser on the remote device


At this stage, if everything went well, you are connected to the VPN and can reach OpenHAB / Home Assistant just as you would from the home network.

Step 13: Control / Play

