Telemetry VPN SSL - it's about security & safety !

Hello everyone !

As discussed with Silvio, here is a short explanation of what I've done.

Platform: IRIS+ 3DR

For the telemetry over 4G: Raspberry Pi B + 4G dongle.

The fancy part is that when the Pi boots, it auto-connects to the web using the 4G dongle and then opens an SSL VPN to a dedicated server of mine running Linux (Ubuntu Server 14.04). Then I connect my GCS to the same VPN and voila, I am on a Virtual Private Network (yeah, the VPN of course :) ).

Then simply run ser2net on the Pi on port 8082 and connect with Mission Planner to TCP @ip (in the VPN, for instance 10.8.0.6) and specify port 8082.

So why? First, I cannot get a public IP from my ISP. And second, but it's actually my primary goal: SECURITY. As we see every day, new technology brings new vulnerabilities and all the things that come with them. If your Facebook profile is hacked, well, bad day. But imagine if your quad is hijacked and crashes into a car or, worse, a human; well, that's horrific and you are the one that will be in trouble.

So if you guys think it sounds like a good idea, ask and I'll post the code and make a tutorial on how to implement this. As a reminder, this is just a short brief of what I've done; there are actually more features (connectivity test, health check, etc.).


Replies

  • Thanks Thibaud!

    Great idea, could you please post some of the code? Which 4G dongle are you using? Trying to pick the right one for the USA has been a challenge.

    -Dan

  • Great Thibaud!
    NOTE: All 4Gmetry PRO units come with a dedicated, secure VPN connection to Coriandola, which allows fleet management.
    I'm sure that this community will appreciate your tutorial, especially other developers or DIY lovers.
    Thanks!!!
    S.

    • @silvio Trying to read up on Coriandola / Volta CS, but all the links I find seem to be bad. Is it related to MAVProxy Server or something altogether different? Very curious!

  • Just a short answer; I'll make a nice scheme and stuff later about the deep protocol and the configuration.

    @Silvio: Actually it's a UDP SSL VPN on port 1194, in which I tunnel TCP for the MAVLink.

    For the security aspect, I create two client certificate pairs using a Public Key Infrastructure, one for the drone and one for the GCS, so no one else can contact the drone. For those who are not familiar with PKI and asymmetric encryption, may I suggest taking a look at https://www.digicert.com/ssl-cryptography.htm . But for those who don't really care about the details, no need to be a crypto addict to make it run.

    In case of the VPN failing for any reason, the Linux (Raspi) on board will send what we call a reverse shell (http://resources.infosecinstitute.com/icmp-reverse-shell/) to my server, so even with no public IP I can get CLI access to troubleshoot the issue; but in a normal situation, if the VPN fails, a script (watchdog) will try to restart it.

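A server-side OpenVPN configuration matching the setup described above (UDP on port 1194, one certificate per client, the drone pinned at 10.8.0.6 so Mission Planner can always target tcp 10.8.0.6:8082). This is an added example, not Thibaud's own config; the file paths, the certificate common names `drone` and `gcs`, and the ccd directory are assumptions.

```conf
# /etc/openvpn/server.conf  (assumed path; OpenVPN 2.3 as shipped with Ubuntu 14.04)
port 1194
proto udp
dev tun
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh2048.pem
# HMAC-sign every UDP datagram with a pre-shared key: packets from anyone who
# scans port 1194 without ta.key are dropped before a TLS handshake even starts
tls-auth /etc/openvpn/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
# Accept only certificates our CA issued for *client* use, so a leaked server
# certificate cannot be replayed as a client
remote-cert-tls client
# Revocation list: if the drone or the GCS key is ever lost, revoke that one
# certificate here instead of rebuilding the whole PKI
crl-verify /etc/openvpn/pki/crl.pem
# Tunnel address pool (default net30 topology: each client gets a /30 pair)
server 10.8.0.0 255.255.255.0
# Per-certificate settings, keyed by the certificate CN, live in this directory
# (assumed contents):
#   ccd/drone:  ifconfig-push 10.8.0.6 10.8.0.5
#   ccd/gcs:    ifconfig-push 10.8.0.10 10.8.0.9
# so the drone is always reachable at 10.8.0.6 and the GCS at 10.8.0.10.
client-config-dir /etc/openvpn/ccd
# Forward traffic between the two clients inside the OpenVPN process. Caveat:
# with this directive every connected client can reach every other one, and the
# traffic never crosses the host firewall. With exactly two issued certificates
# that is the intended "only the GCS can talk to the drone"; if more clients are
# ever added, either drop client-to-client and filter in the server's iptables
# FORWARD chain, or restrict on the Pi itself, e.g.
#   iptables -A INPUT -i tun0 -p tcp --dport 8082 -s 10.8.0.10 -j ACCEPT
#   iptables -A INPUT -i tun0 -p tcp --dport 8082 -j DROP
client-to-client
# Ping every 10 s, declare the peer dead after 60 s; this is what the on-board
# watchdog script sees as the VPN "failing" and reacts to by restarting it
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

Each client config uses the matching `tls-auth ta.key 1`, `remote-cert-tls server` and its own cert/key pair, so neither client can impersonate the server and nothing without a CA-issued certificate gets past the handshake.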
    • @Thibaud, that sounds interesting. I am interested to see what the latency would be.

      I would like to learn more.

      Cheers,

      RS

  • Thank you Thibaud for the excellent post!!! I especially appreciate the VPN/security part, as it's the most challenging. We're curious about the VPN configuration, underlying protocol and relative speed test. I guess that's not UDP, or it's UDP in a TCP tunnel. How are packet losses managed? With Bernt I've already discussed the importance of UDP, and I showed UDP hole punching techniques (for those who don't have a public IP). However, the security problem you raised is extremely important. My personal suggestion is, so far, to make the drone unreachable (behind carrier-grade NAT/firewall) and use UDP versus a DMZ server.