Tech Blog: raspberry pi

Showing posts with label raspberry pi. Show all posts

Browse Securely Using an SSH Tunnel and Raspberry Pi

Any time you use an unsecured wifi connection at a public location such as a coffee shop, you run the risk of a nearby device spying on data you are sending and receiving. This post will go over setting up an SSH tunnel connected to a Raspberry Pi (or other linux device) at home that will not only secure your connection, but also get around any content filtering the location may have in place. It is also a quick and easy way to remote into your home network without having to use a VPN.

The Raspberry Pi is an ideal device for this because it is cheap, easy to setup, and uses very little power.

Keep in mind, this does not anonymize your internet activity so don't get any ideas about using this for nefarious purposes.

If you already have your SSH server configured, skip ahead to the computer setup.
Mac
Linux
Windows

Hardware Requirements
1. Raspberry Pi Model B running Raspbian and connected to your home LAN.
2. Internet router capable of port forwarding
2a. Internet router capable of Dynamic DNS (Optional)
2b. Dynamic DNS Service (Optional)

Actually, any model Raspberry Pi will do. I list the Model B because all you need to do is plug it into your home network.
For the router, I think it would be harder to find a device that doesn't support port forwarding. Consult your manual for setup, as the process can be quite different depending on the brand you have.
I definitely recommend using a dynamic DNS service as it will make your life a lot easier in the long run. While I haven't used it, I have read good things about Duck DNS at https://duckdns.org/about.jsp

Raspberry Pi Setup
Follow one of the many multitudes of setup guides. This is an excellent place to start: http://www.raspberrypi.org/help/quick-start-guide/
For this guide, the Pi must:
1. Be able to reach the internet
2. Have a static IP on your LAN.

Please note your LAN IP address for the router setup.

Router Setup
Follow the instructions for your router to forward port 22 to the IP address of the Pi..

Note your home IP address
If you don't have a static WAN IP and are not using a Dynamic DNS service you need to check your IP before you leave home. There are many options to find your IP, here are a few:

Go to http://dustinbarnett.com/ip

Go to google.com and type "what is my ip" and your public address should be at the top of the page.

Setup Your Device

OS X Yosemite
1. Open the terminal and type the command below. Change user to the username on the destination Raspberry Pi (usually "pi"), and home_fqdn to your Dynamic DNS name or WAN IP.

ssh -D 5000 -N user@home_fqdn

-D = Port to listen on
-N = Don't execute a remote command
-C = Compression (only use on very slow connections)

Type type yes if prompted about a security certificate, and then type the password for your user. When you hit enter the cursor will move down to a new blank line. Leave the terminal window open until you are done using the internet.

2. Configure your internet browser.

Go to "System Preferences"
Go to "Network"
Click your connection (probably Wi-Fi) and then click the advanced towards the bottom right.
Click "Proxies" then check "SOCKS Proxy"
In the "SOCKS Proxy Server" field that appears on the right, type "localhost" in the first box, and "5000" in the second box. Click OK, then apply.

At this point Safari and any other browser that check the system preferences (Chrome and Firefox) will now use the SSH tunnel. You can test by going to http://dustinbarnett.com/ip and your home IP address should be displayed.

When you are done, go back to the terminal and press ctrl-c on the keyboard, then reverse the network configuration settings.

Linux
Open a terminal and type:

ssh -D 5000 -N user@home_fqdn

Type type yes if prompted about a security certificate, and then type the password for the user. When you hit enter the cursor will move down to a new blank line. Leave the terminal window open. Configure a SOCKS proxy server that points to localhost:5000. The procedure for this depends on the browser and distribution you are using.
When done, hit ctrl-c on the terminal to end the ssh session, then reverse the proxy settings.

Windows
For Windows, the process is different since it doesn't have a built in SSH client. First download Putty here:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
(Don't mind the sketchy-looking download link)

1. Open Putty, click on "Tunnels" located under Connection->SSH tree.

2. Type "5000" into the Source port field.
3. Click the "Dynamic" radio button.
3. At the top of the menu tree click "Session"

4. Enter your home IP in the host name field, Then click the save button. Next time you want to connect you can just use the saved session as long as your IP stays the same.
5. Edit the SOCKS proxy to localhost:5000 and you're good to go.

Hopefully my instructions are clear enough. Let me know if you have any questions!

Raspberry Pi Resource Monitor

There are plenty of resource monitors and graph utilities out there for the Raspberry Pi. RPi-Monitor is a great one. However, I wanted to learn a little more about how to collect data for the various resources, so I made my own simple bash script. Here are some basic commands that can be stringed together to monitor the basic resources of the Raspberry Pi. I output the data to a csv file that can be graphed using gnuplot.

Skip to the bottom for the full script.

First, create a new file using text editor.

nano resourcelog.sh

Start with the basics. Tell the shell to use bash.

#!/bin/bash

Most of the time I am getting time from a GPS dongle. Wait a minute to allow a GPS lock.

sleep 60

Create a date/time variable used to name the log file. I do this so that every time the Pi is powered on, it creates a new file with a name based on the date/time the logging was started.

LABELDATE=$(date +"%Y-%m-%d_%H:%M")

Make a directory to put the log files.

mkdir -vp /home/pi/resourcelog_archive/

Name the columns in the csv file. You can see we will be logging date, time, degrees celcius of the pi CPU, average CPU loads, free memory, cached memory, swap total, and swap free. This gets put into a new file in the resourcelog_archive directory, using the date variable defined above. (The command should be one line)

echo "Date,Time,Degrees Celcius,CPU 1 Min,CPU 5 min,CPU 15 min,Memory,Free Memory,Cached Memory,Swap Total,Swap Free" > /home/pi/resourcelog_archive/resourcelog_"$LABELDATE".csv

Create a while loop that will query for the info specified. I do this by defining a variable ($CYCLE) and the loop runs while the variable equals the original value (1).

CYCLE=1
while [ $CYCLE -eq 1 ]
do

Create variables for data gathering. These variables are part of the while loop and are updated every 60 seconds.

Define the current date in YY-MM-DD format.

DATESTAMP=$(date +"%Y-%m-%d")

Define the current time in HH:MM format.

TIMESTAMP=$(date +"%H:%M")

Define the temperature of the APU (CPU) in degrees celcius. This command uses vcgencmd measure_temp, shows only data after the = symbol, and then removes the "'C" so we are left with only a decimal number.

TEMP=$(/opt/vc/bin/vcgencmd measure_temp | cut -d '=' -f 2 | sed s/\'C//g)

Define the CPU load average. This runs the loadavg command, only shows the last three fields, and then replaces the spaces with commas, giving an output formatted as 0.0,0.0,0.0

CPU=$(cat /proc/loadavg | cut -d ' ' -f -3 | sed 's/ /,/g')

Define the total amount of memory in kB. This uses /proc/meminfo, finds "MemTotal", displays only column 2, then removes the "kB" so only numbers are output.

MEMTOTAL=$(cat /proc/meminfo | egrep MemTotal | awk '{print $2}' | sed 's/kB//g')

Define the total amount of free memory. Similar to above, but searches for "MemFree".

MEMFREE=$(cat /proc/meminfo | egrep MemFree | awk '{print $2}' | sed 's/kB//g')

Define the total amount of cached memory. Similar to above, but searches for only matches that start with Cached. (^Cached).

CACHED=$(cat /proc/meminfo | egrep '^Cached' | awk '{print $2}' | sed 's/kB//g')

Define the swap file allocation. Similar to above, but searches for "SwapTotal".

SWAPTOTAL=$(cat /proc/meminfo | egrep SwapTotal | awk '{print $2}' | sed 's/kB//g')

Define the amount of swap available (unused).

SWAPFREE=$(cat /proc/meminfo | egrep SwapFree | awk '{print $2}' | sed 's/kB//g')

That's all the resources I monitor. Now the variables need to be written to the file created at the beginning of the script. This just writes a new line at the end of the file with the variable specified above seperated by commas.

echo "$DATESTAMP","$TIMESTAMP","$TEMP","$CPU","$MEMTOTAL","$MEMFREE","$CACHED","$SWAPTOTAL","$SWAPFREE" >> /home/pi/resourcelog_archive/resourcelog_"$LABELDATE".csv

Wait for 60 seconds and then start again.

sleep 60

Close the loop.

done

Save the file and exit. Make the file executable.

chmod +x resourcelog.sh

Make the file run on every reboot. This assumes you are logged in as the user "pi".

crontab -e
@reboot /home/pi/resourcelog.sh

That's it, the pi will run the resourcelog.sh script every time it's powered on, and record the results in a new file in the resourcelog_archive directory. Feel free to tell me there's a better way to do this, I'm sure there is something more efficient. The next post will go over creating graphs automatically using gnuplot.

Here is the full code:

       
#!/bin/bash
# Wait for GPS time
sleep 60

LABELDATE=$(date +"%Y-%m-%d_%H:%M")
mkdir -vp /home/pi/resourcelog_archive/
echo "Date,Time,Degrees Celcius,CPU 1 Min,CPU 5 min,CPU 15 min,Memory,Free Memory,Cached Memory,Swap Total,Swap Free" > /home/pi/resourcelog_archive/resourcelog_"$LABELDATE".csv
CYCLE=1
while  [ $CYCLE -eq 1 ]
do

DATESTAMP=$(date +"%Y-%m-%d")
TIMESTAMP=$(date +"%H:%M")
TEMP=$(/opt/vc/bin/vcgencmd measure_temp | cut -d '=' -f 2 | sed s/\'C//g)
CPU=$(cat /proc/loadavg | cut -d ' ' -f -3 | sed 's/ /,/g')
MEMTOTAL=$(cat /proc/meminfo | egrep MemTotal | awk '{print $2}' | sed 's/kB//g')
MEMFREE=$(cat /proc/meminfo | egrep MemFree | awk '{print $2}' | sed 's/kB//g')
CACHED=$(cat /proc/meminfo | egrep '^Cached' | awk '{print $2}' | sed 's/kB//g')
SWAPTOTAL=$(cat /proc/meminfo | egrep SwapTotal | awk '{print $2}' | sed 's/kB//g')
SWAPFREE=$(cat /proc/meminfo | egrep SwapFree | awk '{print $2}' | sed 's/kB//g')


echo "$DATESTAMP","$TIMESTAMP","$TEMP","$CPU","$MEMTOTAL","$MEMFREE","$CACHED","$SWAPTOTAL","$SWAPFREE" >> /home/pi/resourcelog_archive/resourcelog_"$LABELDATE".csv
sleep 60
done

Upside-Down-Ternet: Raspberry Pi Edition

I did a post on this a few years ago, here is an update for 2013. This walkthrough is based on the technique found here: http://www.ex-parrot.com/pete/upside-down-ternet.html

First the disclaimer: Do not do this to any sort of important computer or network, because it WILL break things. This is meant as a prank for home use only; such as confusing your brother, sister, kids, wife, etc... Doing this to a network you don't own could be considered a serious offense by your local law enforcement, and could result in fines or imprisonment.

What it does

A small device (Raspberry Pi) powered by either a battery or cell phone charger is connected to your network in front of the intended victim's computer, which will wreak havoc on your victim's internet browsing. This method does not require changing any settings on any target computers.

The instructions assume that the computer you want to prank is using a DHCP assigned IP address. If the computer is using a manually assigned IP address, the only thing that will happen is the internet will be completely cut off - which isn't very funny. If you want to be really evil, you could put it in front of your internet router, causing all the devices that use your internet to be effected.

How it works

The Raspberry Pi is configured with with a dnsmasq DHCP server which will assign downstream computers a new IP address and gateway. A squid transparent proxy is installed on the Pi where traffic is redirected using iptables. A redirection script uses mogrify to alter images and then re-hosts the images through the a web server.

Equipment and Software

* Raspberry Pi Model B with Raspbian installed

* USB Ethernet Adapter

* CAT5 Patch Cable

These instructions assume that the Raspberry Pi is accessible through SSH, and also has access to the internet. Installing and configuring Raspbian is out of the scope of this post. If you need help, here is a great place to start: http://www.raspbian.org/RaspbianInstaller

Prepare the Software

For best results, overclock the pi to 800Mhz, and set to memory split to 32 or 16MB. For some reason my raspberry pi wouldn't boot when configured with 16MB. Also make sure that eth1 is configured with static IP 192.168.254.1.

Dnsmasq

Install with:

sudo apt-get -y install dnsmasq
Add the following config to /etc/dnsmasq.conf to configure the dhcp server on eth1, which should be the USB ethernet adapter.
domain-needed
interface=eth1
domain=upside-down-ternet

dhcp-range=192.168.254.100,192.168.254.200,255.255.255.0,12h

Edit /etc/sysctl.conf to allow the Raspberry Pi to act as a gateway router. Add or uncomment:

 net.ipv4.ip_forward=1

Type /etc/init.d/dnsmasq restart and then plug a laptop into the USB ethernet adapter. You should get an IP in the 192.168.254.xxx range. At this point although the gateway should be reachable, there is no NAT configuration so you won't be able to access the internet.

Squid

Install squid, iptables, and imagemagick:

sudo apt-get -y install squid3 iptables imagemagick

Edit /etc/squid3/squid.conf and copy the text below. This configures squid to act as a transparent proxy with no caching. It also specifies a redirect script at /etc/squid3/upsidedown.sh.
cache_mgr dustin
cachemgr_passwd dustin all
cache deny all
redirect_program /etc/squid3/upsidedown.sh
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.254.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 transparent
cache_mem 64 MB
#cache_dir ufs /var/spool/squid3 150 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Iptables

Create a file iptables.sh and copy the text below:

#nat
iptables -t nat -A POSTROUTING -j MASQUERADE
#squid transparent proxy
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.254.1:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Hit ctrl-o to save the file, then ctrl-x to exit. Now the file needs to be made executable and copied to an appropriate location.

chmod +x iptables.sh
sudo cp iptables.sh /etc/init.d/

Apply the configuration at boot:

sudo update-rc.d iptables.sh start 99

Upside Down Redirection Script

First make sure Apache and perl are installed:

sudo apt-get install apache2 perl

Create a directory for the modified images and assign permissions:

sudo mkdir /var/www/images

sudo chmod 777 /var/www/images

Create the redirection script:

sudo nano /etc/squid3/upsidedown.pl

Paste this code:

#!/usr/bin/perl

$|=1;

$count = 0;

$pid = $$;

while (<>) {

chomp $_;

if ($_ =~ /(.*\.jpg)/i) {

$url = $1;

system("/usr/bin/wget", "-q", "-O","/var/www/images/$pid-$count.jpg", "$url");

system("/usr/bin/mogrify", "-flip","/var/www/images/$pid-$count.jpg");

print "http://127.0.0.1/images/$pid-$count.jpg\n";

}

elsif ($_ =~ /(.*\.gif)/i) {

$url = $1;

system("/usr/bin/wget", "-q", "-O","/var/www/images/$pid-$count.gif", "$url");

system("/usr/bin/mogrify", "-flip","/var/www/images/$pid-$count.gif");

print "http://127.0.0.1/images/$pid-$count.gif\n";

}

elsif ($_ =~ /(.*\.png)/i) {

$url = $1;

system("/usr/bin/wget", "-q", "-O","/var/www/images/$pid-$count.png", "$url");

system("/usr/bin/mogrify", "-flip","/var/www/images/$pid-$count.png");

print "http://127.0.0.1/images/$pid-$count.png\n";

}

elsif ($_ =~ /(.*\.jpeg)/i) {

$url = $1;

system("/usr/bin/wget", "-q", "-O","/var/www/images/$pid-$count.jpeg", "$url");

system("/usr/bin/mogrify", "-flip","/var/www/images/$pid-$count.jpeg");

print "http://127.0.0.1/images/$pid-$count.jpeg\n";

}

else {

print "$_\n";;

}

$count++;

}

Press ctrl-o to save, then ctrl-x to exit. Make the script executable:

sudo chmod +x /etc/squid3/upsidedown.pl

Reboot the raspberry pi and make sure everything starts up automatically. Most images should now be shown upside down!

Raspberry Pi Personal Hotspot - Squid with Adzapper Config (part 2)

-- Link to Part 1 --

Here are the steps I used to finish my personal wifi hotspot. I was able to find lots of tutorials that show how to make a simple wifi to ethernet bridge, but I wanted to save the max bandwidth possible. I'll be using adzapper and a squid3 cache for bandwidth saving. I don't usually block ads, but since this is a metered internet connection I don't like the thought of paying for ads. Squid can be configured for very aggressive caching, but I have left it on the default configuration.

Inside view of the "PiSpot". The video and audio port have been removed to save space.

Battery, 4 port USB hub, 4G dongle, and a shortened USB Cable.

Here we see the fully operational battle station -- err, PiSpot.

You can see the various components in the pictures above. I removed the plastic casings to save space. I haven't done any testing on the battery life, but it should last at least a few hours with light traffic. Here are the parts I used:

Raspberry Pi Model B 1st generation (256MB RAM) --Model A would work as well
4 port USB 2.0 Hub - Iogear Model GUH285 -- I chose this because of its size and it was <$10 at Fry's.
EasyACC BP8400 Power Bank 5600mAh Battery - Amazon Link
Belkin F9L1005 Wifi Adapter (rtl8192cu)
FreedomPop 4G Adapter - Amazon Link

TODO:
Charge battery without opening case.
Power button so the the unit can be turned on or off without opening the case.

This post will assume that you are already able to connect to the Raspberry Pi WiFi network that was created in part 1.

Install Software

Make sure squid and adzapper are installed

apt-get install squid3 adzapper

Configure Squid

First make sure that the pi is configured for ip forwarding at /etc/systcl.conf. Uncomment or add:

net.ipv4.ip_forward=1

Edit /etc/squid3/squid.conf and to something similar to the config below. This config includes lines to enable adzapper and transparent proxy. Max storage size is 1.5GB. Make sure to change the IP address to your network. **I'm sure this can be fine tuned for better bandwidth savings, let me know if you have any suggestions!

cache_mgr dustin
cachemgr_passwd dustin all
redirect_program /usr/bin/adzapper.wrapper
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.254.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 transparent
cache_mem 128 MB
cache_dir ufs /var/spool/squid3 1500 16 256
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Configure Adzapper

/etc/adzapper.conf should look something like this:

ZAP_MODE=""

ZAP_BASE=http://adzapper.sourceforge.net/zaps

ZAP_BASE_SSL=https://adzapper.sourceforge.net/zaps # this can probably be ignored

ZAP_PREMATCH=

ZAP_POSTMATCH=

STUBURL_AD=$ZAP_BASE/ad.gif

STUBURL_ADSSL=$ZAP_BASE_SSL/ad.gif

STUBURL_ADBG=$ZAP_BASE/adbg.gif

STUBURL_ADJS=$ZAP_BASE/no-op.js

STUBURL_ADHTML=$ZAP_BASE/no-op.html

STUBURL_ADMP3=$ZAP_BASE/ad.mp3

STUBURL_ADPOPUP=$ZAP_BASE/closepopup.html

STUBURL_ADSWF=$ZAP_BASE/ad.swf

STUBURL_COUNTER=$ZAP_BASE/counter.gif

STUBURL_COUNTERJS=$ZAP_BASE/no-op-counter.js

STUBURL_WEBBUG=$ZAP_BASE/webbug.gif

STUBURL_WEBBUGJS=$ZAP_BASE/webbug.js

Now iptables needs to be configured to route traffic through squid. Create a new file:

nano iptables.sh

Add the the rules below. Careful with line breaks when cut/pasting, there should only be 5 lines total.

#nat for wifi
iptables -t nat -A POSTROUTING -j MASQUERADE
#squid transparent cache
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.254.1:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Hit ctrl+o to save the file, then ctrl-x to exit. Now the file needs to be made executable and copied to an appropriate location.

chmod +x iptables.sh
sudo cp iptables.sh /etc/init.d/

Apply the configuration at boot.

sudo update-rc.d iptables.sh start 99

That should wrap it up. At this point I suggest doing a power cycle on the Pi to make sure everything comes up automatically.

Raspberry Pi Personal WiFi Hotspot (part 1)

I recently bought a Nexus 7 16GB WiFi with the hopes that it could replace my aging and heavy laptop. My first thought for remote connectivity was to use the personal hotspot feature on my phone... until I saw the prices. $20/month on top of what I already pay for a service I will rarely use? No thanks! Here's what I did instead. I already had everything except for the 4G* usb adapter I bought off of Amazon.

*The 4G service is Clearwire wimax (now owned by Sprint). Sprint is replacing wimax with LTE, but will be keeping the wimax online until sometime in 2015.

Equipment
- Raspberry Pi - Model A will work for this project, but I only have a Model B.
- 4GB or greater SDCard
- 1A or greater micro usb phone charger. I have successfully used the stock HTC charger, and a generic 1 amp car charger with both USB devices connected directly to the pi.
- USB WiFi Adapter - I used a Belkin F9L1005 (rtl8192cu) - I DO NOT recommend using this model!
- USB 4G Adapter - I am using a FreedomPop branded adapter which appears to be this: http://www.ubeeinteractive.com/products/mobility/ubee-4g-wimax-usb-pxu-1960. I purchased one from amazon here: http://www.amazon.com/Freedom-Stick-Bolt-Modem-Black/dp/B009FCGASA/ref=sr_1_3?s=wireless&ie=UTF8&qid=1377739418&sr=1-3&keywords=freedompop

There are undoubtedly cheaper ways to get internet connectivity, you could probably buy a MiFi device for cheaper than the total cost of this setup, but I have another project in mind that I plan on using the same Raspberry Pi for.

Part 1 - Prepare the Raspberry Pi OS

Start with the official Rasbian distro. Instructions and the download can be found here: http://www.raspberrypi.org/downloads

Run the raspi-config utility and configure your desired settings.
* Set your password
* Expand Filesystem
* Disable boot to desktop
* Enable SSH
* Use the 16MB memory split if possible. I had some problems booting my revision 1 pi on the 16MB setting and had to go with 32MB.

Reboot and update assuming you are plugged into a network.
sudo apt-get update
sudo apt-get upgrade

Remove the Desktop environment for a little extra space on the SD card. The only reason for this is to allow a larger squid disk cache size.
apt-get remove --auto-remove --purge libx11-.*
apt-get auto-remove

Install the software we will be using.
apt-get install hostapd hostapd-utils dnsmasq squid3 adzapper

At this point the software components need to be configured.

Part 2 - Configure WiFi AP

Plug in your wifi adapter and make sure the system recognizes it by running ifconfig. It will probably be listed as wlan0.
Configure the interfaces at /etc/network/interfaces. The sample below includes dhcp setting for eth1, which will be the USB 4G adapter.

auto lo

iface lo inet loopback
iface eth0 inet dhcp

iface eth1 inet dhcp

iface wlan0 inet static
address 192.168.254.1
netmask 255.255.255.0

Configure hostapd. If using the rtl8192cu usb adapter then you will need a custom hostapd binary available here: http://blog.sip2serve.com/post/38010690418/raspberry-pi-access-point-using-rtl8192cu
Edit /etc/hostapd/hostapd.conf to something like the sample below.

interface=wlan0
driver=rtl871xdrv
country_code=US
ssid=Mobile-Wifi
hw_mode=g
channel=1
wpa=2
wpa_passphrase=Your_Password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
auth_algs=2
macaddr_acl=0

Configure dnsmasq as a dhcp server. Create a new /etc/dnsmasq.conf file or add the following sample to the top of the existing one. This specifies the dhcp pool as 192.168.254.100-200 with a 12 hour lease.

domain-needed
interface=wlan0
domain=mobile-wifi.local
dhcp-range=192.168.254.100,192.168.254.200,255.255.255.0,12h

Now we need to make the pi act as a gateway and forward packets. This is just a matter of uncommenting a line in /etc/sysctl.conf. Add or uncomment:
net.ipv4.ip_forward=1

That should be all that's needed for a simple AP. Shut down the pi and plug in the USB 4G adapter. Start it back up and attempt to connect to the wifi. If connected, open an ssh connection to 192.168.254.1 and see if you can ping google.
That's all I have time for at the moment. I'll work on posting a quick howto for saving a little bandwidth using squid and adzapper.

Raspberry Pi with Wifi and 4G USB adapter.