Flexio Pi Introduction

The Issue

As we move into the new era of technology, the demand for security, accessibility and convenience is getting higher and higher.

For example, imagine this. You’re on vacation on the other side of the world, but your boss suddenly calls you from the corporate office and orders you to send him the contract file that you left on the desktop PC at home. If you don’t send this important file, your company loses one crucial client that it has been working with for months. The boss is going to be mad because the company wasted months for nothing, and you’re going to lose your job. However, if you do decide to send him the file, you’ll have to catch a flight all the way back to Canada, which means that your vacation is puffed into bubbles of nothingness.

What if there’s another way of doing this? What if you can just access your computer from wherever you are? This is where VPN technology comes into play. With a VPN, which stands for Virtual Private Network, you can establish a secure tunnel back to your home, as if you were physically at home and connected to your AP. Doesn’t this make things much easier?

To fulfill demands and needs like this, companies like Cisco, Juniper Networks and Huawei provide enterprise-level solutions that are secure, reliable and scalable. However, it is hard for home users to enjoy convenience like this, since the solutions for enterprises have sky-high prices that an ordinary individual simply cannot afford.

Our Solution

To make the Internet experience more convenient, comfortable and secure, we want to build our own cost-effective yet secure and reliable solution for normal individual Internet users. With this project, only a Raspberry Pi is needed for most of the benefits and convenience of enterprise solutions to come to your home.

In our design, the Raspberry Pi will play the role of a VPN gateway, a RADIUS server and a DNS advertisement filtering server. More features will be added into the mix to further enhance the user experience of this affordable networking solution.

An OpenConnect server will be installed and configured to provide secure and reliable remote connectivity. It uses Cisco AnyConnect compatible DTLS (Datagram Transport Layer Security), which is both reliable and secure. Thanks to the DTLS protocol, OpenConnect uses UDP for regular data transfer to achieve a higher speed. If UDP fails, it switches over to a TLS connection that is always standing by, so the user experience is uninterrupted.

Pi-hole will be installed and configured as the icing on top of the cake. With DNS advertisement filtering, you can get rid of most of the ads on all your devices. DNS filtering doesn’t only block the ads in your browsers, it also blocks ads that are in applications like YouTube clients. Moreover, it’s all configured on terminal devices automatically by DHCP. Remote users can also enjoy this feature when they are connected to the network through a VPN tunnel, so you’ll be able to bring this experience everywhere you travel.

While the packages mentioned above will support most of the Raspberry Pi’s roles, additional packages will provide extra services like DHCP or RADIUS to make the journey even more colorful.

Topology Design

Option 1: Network and Security Appliance

The Raspberry Pi will serve as a VPN gateway and a DNS ad filter, leaving all the routing and DHCP work to the ISP-provided router. This minimizes the workload of the Raspberry Pi, which allows the RPi to dedicate all of its resources to VPN and ad filtering.

A RADIUS package can be installed to control APs and VPN users. However, it is totally optional. The built-in AP of the ISP router can be used, and secret-file-based user authentication can be selected to verify remote users.

In summary, the Raspberry Pi will have the following roles on the network:

  • VPN Gateway
  • DNS Advertisement Filtering Server
  • RADIUS Server
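
As an added illustration (not the project's own configuration), here is how Option 1 could look in the configuration file of ocserv, the OpenConnect server. It shows the UDP/DTLS data channel beside the TLS channel, secret-file authentication with RADIUS as the optional alternative, and Pi-hole handed to remote users as their DNS server. All addresses, subnets and file paths are assumptions (home LAN 192.168.1.0/24, Raspberry Pi at 192.168.1.2, VPN pool 10.10.10.0/24).

```ini
# /etc/ocserv/ocserv.conf (sketch for Option 1; every address and path is an assumption)

# Secret-file authentication: users are created with the ocpasswd tool.
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
# Optional alternative when the RADIUS package is installed:
# auth = "radius[config=/etc/radcli/radiusclient.conf,groupconfig=true]"

# TLS channel on TCP; DTLS data channel on UDP. Both must be forwarded
# from the ISP router to the Raspberry Pi. If UDP is blocked, sessions
# stay on the TCP/TLS channel.
tcp-port = 443
udp-port = 443

# Server certificate and private key (placeholder paths).
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem

# Run unprivileged and sandbox the per-client worker processes.
run-as-user = nobody
run-as-group = daemon
isolate-workers = true
socket-file = /run/ocserv-socket
device = vpns

# Keep the exposed service small on Raspberry Pi hardware.
max-clients = 16
max-same-clients = 2

# Keepalive and dead peer detection intervals, in seconds.
keepalive = 300
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true

# Address pool handed to remote VPN clients.
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0

# Give remote clients the Pi-hole as resolver and keep their DNS queries
# inside the tunnel. Pi-hole must be set to answer queries from the VPN subnet.
dns = 192.168.1.2
tunnel-all-dns = true

# Split tunnel: only the home LAN is routed through the VPN.
route = 192.168.1.0/255.255.255.0
```

With `route` limited to the home LAN, only traffic for home devices and DNS lookups cross the tunnel, which keeps the load on the Raspberry Pi low.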

Option 2: Multipurpose Gateway

Unlike option 1, the Raspberry Pi will serve as the router in this scenario. All routing will be controlled by the RPi, which hands full control to the user. IPsec, GRE, mGRE, DMVPN or FlexVPN can be used in this case to build LAN-to-LAN or site-to-site tunnels.

Due to the hardware limitation of the Raspberry Pi, which has only one Ethernet interface, this might be harder to implement compared to option 1. The Raspberry Pi might also overheat if the workload is too heavy, and this is more likely to happen than in option 1 since it has to do all the routing on the LAN.

In summary, the Raspberry Pi will have the following roles on the network:

  • VPN Gateway
  • DNS Advertisement Filtering Server
  • RADIUS Server
  • Router
  • DHCP Server