HOW TO SECURELY CONNECT YOUR SECURE RASPBERRY PI TO THE CLOUD
This guide walks you through the steps involved in connecting a Raspberry Pi securely to the AWS cloud. Effectively, you will be tunneling your IP traffic securely using Transport Layer Security (TLS 1.2) over a private network defined on the Asavie PassBridge™ platform to the cloud. We call this IP over TLS, and it works seamlessly behind firewalls and across Network Address Translation (NAT). This trial is designed to let you road-test new Internet of Things projects in a secure and controlled manner, without great expense.
- A Raspberry Pi 2 or 3
- Raspbian / Debian operating system
- Internet connection - WiFi or Ethernet
You can create your backend services in the cloud on AWS or similar infrastructure, or within your own private network / office network that your devices can connect securely to over your private Asavie PassBridge™ network. We have provided a sample AWS Cloudformation script to help get you started, however, this could just as easily be replaced by any other cloud platform or your own internal network.
The script creates an AWS Virtual Private Cloud (VPC) with two EC2 instances to allow you to connect your devices to an MQTT broker. Additionally, the script allows you to supply metadata which can be used by your IoT devices to read configuration data about your backend network.
Steps to get connected
It is a straightforward procedure to get your devices connected securely. We will walk you through each of the steps summarized below.
- Order your Raspberry Pi
- Create an Amazon Web Services (AWS) Account – instructions here
- Setup your AWS cloud infrastructure. We provide you with an AWS cloudformation script for this
- Install and activate the Asavie Passbridge network connector on your previously created AWS instance
- Install and setup an IP over TLS tunnel from your Raspberry PI device
Asavie supplies an AWS CloudFormation script which creates a simple Virtual Private Cloud (VPC) equipped with an Asavie Network Connector and an MQTT broker. The script creates an AWS VPC with two EC2 instances to allow you to connect your devices to the MQTT broker.
Note: this CloudFormation script is supplied "as is" without warranty and is licensed under the MIT License (https://opensource.org/licenses/MIT).
You will need an AWS account to deploy your VPC. Asavie is not responsible for any AWS charges incurred.
The script creates two EC2 instances:
- Instance 1: Asavie Network Connector runs on a Windows Server 2012 R2 instance (t2.micro)
- Instance 2: MQTT Broker (t2.micro)
This script is available to download from GitHub at https://raw.githubusercontent.com/asavie/IoT/master/aws/templates/aws_iot_cf.json. Before you run the script you will need to have access to an AWS EC2 Key Pair (including the private key). The Key Pair is used to log in to your Linux instance and to decrypt the initial Windows Administrator password for the Asavie Network Connector.
If you don't have a Key Pair or can't access the Key Pair file, then we suggest you create a new Key Pair and store it securely. Make a note of the Key Pair name as it will be required when you run the CloudFormation script.
Steps to deploy the AWS VPC
- Download the Cloudformation script from Asavie GitHub
- Go to Cloudformation stack creation wizard and create a new stack
- Upload the previously downloaded Cloudformation json script
- Click next
- Fill in the parameters:
  - Stack name
  - EC2 key pair (previously created or uploaded)
  - Client IP address subnet (including /32)
- Click Next
- Sit and relax
When the CloudFormation script has completed successfully you will need to log in to the Asavie Network Connector instance to activate it and connect it to your private Asavie PassBridge™ network – at this point, RDP access from your office network is allowed.
MQTT stands for MQ Telemetry Transport as defined by mqtt.org. It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. MQTT is often referred to as a machine-to-machine (M2M)/Internet of Things connectivity protocol.
You will need the EC2 Key Pair used to create the VPC (the downloaded .pem file) – this will allow you to log in to your Windows-based Network Connector.
Read the AWS instructions at http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html
You should follow the advice in the guide and change the administrator password from the default value.
- In EC2 right click on the network connector instance and click connect
- Retrieve your password
- Download RDP file
On the desktop of the Windows Instance you will see an Asavie supplied application (agent_18.104.22.16801_asavie_en-us_x64.msi) which will install, activate and connect your instance to the Asavie PassBridge™ network. The installer will prompt you for an activation code, received in the welcome email.
If you are starting from a new Raspbian operating system image, it is recommended to run the raspi-config utility (http://elinux.org/RPi_raspi-config) to harden the device and secure access to it. The root filesystem may need to be extended. It is also good practice to update/upgrade the operating system before doing any actual work.
For each device you will need to retrieve the one-time activation username and password (details sent in your welcome email).
- Open a terminal shell on your Raspberry Pi - either SSH in or use the desktop interface to open a terminal.
- Download the IPoTLS binary package by entering the following on the command line:
curl -f iot-packages.s3-website-eu-west-1.amazonaws.com/amld_latest_armhf.deb > amld_latest_armhf.deb
- Install the downloaded package – you will be prompted to enter the activation credentials (sent in your welcome email).
sudo dpkg -i amld_latest_armhf.deb
- After the script runs it should display the following:
Unpacking amld (0.1-2) ...
Setting up amld (0.1-2) ...
Generating device certificate
Device certificate generation complete
At this point the device will attempt to connect and enrol on the Asavie PassBridge™ network. Run the command:
pi@raspberrypi:~ $ ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.130.129.18  P-t-P:10.128.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:715 (715.0 B)  TX bytes:679 (679.0 B)
Also, run the following to get the private Asavie PassBridge™ IP address of your device
This address is the static IP address assigned to your device on the Asavie PassBridge™ network; you should be able to confirm this on the Asavie YOKE console.
At this point you should be able to ping the two AWS instances: 10.0.0.10 (the Network Connector) and 10.0.0.20 (the MQTT Broker).
Routing for your device
Now that your device has established a secure tunnel to your network you will want to route traffic from your device to your network. The Raspberry Pi client software package contains utilities which can automatically create the routing entries you will require.
If you want to manually create routes you will need to do the following:
- Get the subnet address range of your backend network; this is normally in the form address/mask, e.g. 172.31.0.0/24
- Run ifconfig to confirm the name of the adapter for your network tunnel, normally tun0
- Assuming your tunnel name is tun0 then run the command:
sudo ip route add 172.31.0.0/24 dev tun0
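The tunnel check in the ifconfig listing above and the manual route step can be combined into one script that is safe to re-run after every tunnel restart. This is an added example, not part of the Asavie client package; it assumes the interface is tun0, the backend subnet is 172.31.0.0/24, and the connector and broker sit at 10.0.0.10 and 10.0.0.20 as in this guide. It uses `ip route replace` rather than `ip route add` so that a second run does not fail with "File exists".

```shell
#!/bin/sh
# Added example, not part of the Asavie client package: confirm the IP over
# TLS tunnel is up, print the device's PassBridge address, install the
# backend route idempotently and probe the two AWS instances.
# Assumptions: tunnel interface tun0, backend subnet 172.31.0.0/24, and the
# connector/broker addresses 10.0.0.10 / 10.0.0.20 quoted in the guide.
TUN_IF="${TUN_IF:-tun0}"
BACKEND_CIDR="${BACKEND_CIDR:-172.31.0.0/24}"
CONNECTOR_IP="10.0.0.10"
BROKER_IP="10.0.0.20"

# Print the IPv4 address found in interface output read from stdin.
# Accepts both the old ifconfig layout ("inet addr:10.x.y.z") and the
# iproute2 layout ("inet 10.x.y.z peer ..."); returns 1 if none is found.
tunnel_ip_from_output() {
    awk '
        $1 == "inet" {
            a = $2
            sub("^addr:", "", a)   # ifconfig form
            sub("/.*", "", a)      # strip any prefix length (iproute2 form)
            print a
            found = 1
            exit
        }
        END { exit(found ? 0 : 1) }'
}

# Live lookup on the device.
tunnel_ip() {
    ip -4 addr show "$TUN_IF" 2>/dev/null | tunnel_ip_from_output
}

# `ip route replace` succeeds whether or not the route already exists, so
# this can be re-run after every restart of amld.service (`ip route add`
# would fail with "RTNETLINK answers: File exists" the second time).
add_backend_route() {
    sudo ip route replace "$BACKEND_CIDR" dev "$TUN_IF"
}

# One ICMP probe with a 3 s timeout; the exit status is the result.
probe() {
    ping -c 1 -W 3 "$1" >/dev/null 2>&1
}

main() {
    addr=$(tunnel_ip) || {
        echo "$TUN_IF has no IPv4 address; check 'systemctl status amld.service'" >&2
        exit 1
    }
    echo "PassBridge address on $TUN_IF: $addr"
    add_backend_route
    for host in "$CONNECTOR_IP" "$BROKER_IP"; do
        if probe "$host"; then
            echo "reachable: $host"
        else
            echo "NOT reachable: $host (check the connector's tunnel state)" >&2
        fi
    done
}

# Constructed sample output (modelled on the guide's ifconfig listing and the
# equivalent iproute2 listing) used to exercise the parser without a tunnel.
SAMPLE_IFCONFIG='tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.130.129.18  P-t-P:10.128.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'
SAMPLE_IPROUTE='3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.130.129.18 peer 10.128.0.1/32 scope global tun0'

# Run the live checks only when asked:  sh tunnel_check.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it as `sh tunnel_check.sh run` on the Pi after the package has enrolled; without the `run` argument it only defines the functions, which is what lets the parser be exercised against the constructed samples.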
Restart Raspberry PI tunnel
The client application is designed to work with systemd; the start, stop and reload actions are also supported.
sudo systemctl restart amld.service
Get Raspberry PI private IP address
Run the following to get the private Asavie PassBridge™ IP address of your device
Ping the Windows instance from the Raspberry PI device
With this command you will be able to see traffic in the network connector traffic monitor on your Windows instance.
ping -f 10.0.0.10
CIDR invalid with cloudformation script
The script expects a valid CIDR format for the external IP subnet of your office. If you don't provide this, the script will fail. If it is a single IP address you should add "/32" at the end (e.g. 22.214.171.124/32).
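The VPC deployment steps earlier and this CIDR error can both be handled by validating the office address locally before the stack is created. The script below is an added example, not Asavie's CloudFormation script or tooling: `normalize_cidr` turns a bare IPv4 address into a /32 and rejects anything that is not a well-formed a.b.c.d or a.b.c.d/0-32, and `deploy_stack` then launches the stack with the AWS CLI. The parameter keys `KeyName` and `ClientCidr` are assumed placeholders; take the real names from the template's Parameters section.

```shell
#!/bin/sh
# Added example, not Asavie's CloudFormation script: validate the office
# address before launching the stack, so a bare IP becomes /32 and a
# malformed value is rejected locally instead of failing inside AWS.
# ASSUMED placeholders: the parameter keys KeyName and ClientCidr; read the
# template's "Parameters" section for the real ones.
TEMPLATE_URL="https://raw.githubusercontent.com/asavie/IoT/master/aws/templates/aws_iot_cf.json"
TEMPLATE_FILE="aws_iot_cf.json"

# Print <ip>/<prefix> for an IPv4 address or CIDR; a bare address gets /32.
# Returns 1 for anything that is not a.b.c.d or a.b.c.d/0-32.
normalize_cidr() {
    addr=${1%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    # four dotted decimal octets, each 0-255 (no interval regex, for mawk)
    printf '%s\n' "$addr" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }' || return 1
    case "$prefix" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    printf '%s/%s\n' "$addr" "$prefix"
}

# -f makes curl fail on an HTTP error instead of saving the error page.
fetch_template() {
    curl -fsS -o "$TEMPLATE_FILE" "$TEMPLATE_URL"
}

# usage: deploy_stack <stack-name> <ec2-key-pair-name> <office-ip-or-cidr>
deploy_stack() {
    cidr=$(normalize_cidr "$3") || {
        echo "invalid office address '$3': expected a.b.c.d or a.b.c.d/nn" >&2
        return 1
    }
    # Fail early if the key pair does not exist in this region; without it
    # the Windows Administrator password cannot be decrypted later.
    aws ec2 describe-key-pairs --key-names "$2" >/dev/null || return 1
    [ -f "$TEMPLATE_FILE" ] || fetch_template
    aws cloudformation create-stack \
        --stack-name "$1" \
        --template-body "file://$TEMPLATE_FILE" \
        --parameters "ParameterKey=KeyName,ParameterValue=$2" \
                     "ParameterKey=ClientCidr,ParameterValue=$cidr"
}

# Example invocation (office address from this guide, no /32 needed):
#   deploy_stack iot-trial my-keypair 22.214.171.124
```

Keeping the RDP-allowed subnet to a single /32 is what restricts access to the connector instance to your office; a typo that widens the prefix is caught here before the security group is created.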
AWS Network Connector tunnel is down
The Asavie Network Connector installs a new adapter interface – on occasion during installation Windows does not initialize the adapter, when this happens you will see the Tunnel state marked "Down"
This is easily corrected from the Control Panel:
- Open the Control Panel from the Start Menu
- Select "Network and Sharing Center"
- Select "Change adapter settings"
- Click on the Tunnel adapter and then close the dialog box.