4 May 2022

Install AdGuard-Home on RaspberryPi

I’ve used Pi-Hole for longer than I can remember, so it’s time to test drive another solution, AdGuard Home, to see how it compares on my network.

To start, as the title suggests, you’ll need a RaspberryPi. While not required, I recommend starting with a fresh image of Raspbian OS. The next thing you’ll want to do, which I won’t cover in this article, is set up your RaspberryPi with a static IP address and enable SSH on it so that you can connect to it.

Install AdGuard Home

Before you get started make sure to update your RaspberryPi using these two commands. After that you will be ready to get started.

sudo apt-get -y update
sudo apt-get -y upgrade

The easiest way to install AdGuard Home and get it ready to go is to copy the command below and run it. It takes care of everything: downloading the proper build for your RaspberryPi, installing it, and registering it as a service that starts on boot.

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

After a few minutes, the installation completes and you are ready to proceed. Towards the bottom of the output from the install, there are a few lines that tell us what IP the RPi is listening on, on port 3000. Open your browser and go to the third entry which should be the same as the static IP address you applied to your RaspberryPi before we got started. Referencing the example in my image above, I would be going to: http://192.168.1.2:3000. You should be greeted by a five-step getting started wizard.

Using my RaspberryPi 3, I prefer to use only the wired Ethernet connection; I usually go into the OS and disable the WiFi. So on this page I select my ‘eth0’ interface as the one AdGuard Home should listen on for DNS queries.

Create your username and a password.

Time to set up your devices to point their DNS to your “new” AdGuard Home.
At this point you should repoint the DNS setting in your router to your RaspberryPi’s IP address. This makes every device on your network that pulls a DHCP address from your router start using AdGuard Home.

Note: This is also when I like to go back into my RaspberryPi’s NIC settings and statically point its DNS at its own IP address, since it is now able to resolve DNS itself.

The last step is to open the dashboard and login.

Dashboard

The dashboard is what you see as soon as you log into your AdGuard Home. It is where you get to see at a single glance the summary of all of the statistics it has collected. From the number of allowed and blocked DNS queries, to what the top queried and blocked domains are, you can even see which clients are being the “chattiest” and making the most DNS requests. Being the summary page, you can use it as the launchpad to click around and dive deeper into what the devices on your network are doing and who they are talking to.

The only other thing really worth mentioning on the dashboard is the “Disable Protection” button that is near the top of the page next to the ‘Dashboard’ title. If you ever need to troubleshoot an issue with one of the devices on your network, this is how you can easily disable all of the DNS blocking/filters that AdGuard Home is doing so that you can [hopefully] rule it out as the culprit.

Settings

Under ‘General Settings’ I like to enable the longest log and statistic retention. Being that this is for a home network, I’m not too concerned about anonymizing the client IP info.

Under the ‘DNS Settings’ I like to set my upstream DNS servers. I personally use Cisco’s OpenDNS. Here is a link to known DNS providers that you could choose from if you don’t want to use Cisco. I also have it run the requests in parallel for faster results. However, I tend to leave almost everything else set to its default values.

Examples you can set as your Upstream DNS Servers:

  • regular DNS (over UDP)
    • 94.140.14.140
  • regular DNS (over TCP)
    • tcp://94.140.14.140
  • encrypted DNS-over-TLS
    • tls://dns-unfiltered.adguard.com
  • encrypted DNS-over-HTTPS
    • https://dns-unfiltered.adguard.com/dns-query
  • encrypted DNS-over-QUIC (experimental)
    • quic://dns-unfiltered.adguard.com:784
  • DNS Stamps for DNSCrypt or DNS-over-HTTPS resolvers
    • sdns://...
  • an upstream for specific domains only
    • [/example.local/]94.140.14.140
  • a comment
    • #comment

One of the final ‘DNS Settings’ I like to apply is at the very bottom of the page. I want to limit the use of my DNS to only machines that are on my home network. To do this, under “Allowed clients” I’m adding the CIDR notation for my home network.

I’m adding “192.168.0.0/16” so that it applies to every address from 192.168.0.0 through 192.168.255.255. While not wrong, this is probably overkill for most home networks, which only use a single subnet.

So depending on your home network’s IP address space, you could probably just use a /24, so it would look more like 192.168.0.0/24. In this example, it would allow all the addresses from 192.168.0.0 through 192.168.0.255. Again, if you use the /24, match that address space (i.e. the third octet) to what is in use on your network. If your home network uses a different
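The difference between the /16 and the /24 is easy to get wrong, and a wrong third octet quietly rejects every client on the LAN. The following is an added example (not code from the original post or from AdGuard Home) that works out, in plain POSIX sh, which addresses a given “Allowed clients” CIDR covers; the client address 192.168.1.50 and the three CIDRs in the demo loop are constructed values.

```shell
#!/bin/sh
# Added example, not code from the original post or from AdGuard Home: a pure
# POSIX sh check of which client addresses an "Allowed clients" CIDR covers.
# Use it to confirm that the /24 you enter really includes your subnet before
# you lock the resolver down.

# ip_to_int 192.168.1.5 -> 3232235781 (dotted quad to 32-bit integer)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235781 -> 192.168.1.5
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask_of PREFIXLEN -> 32-bit mask as an integer (24 -> 4294967040)
netmask_of() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# ip_in_cidr IP NETWORK/PREFIX -> exit status 0 when IP is inside the block
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(netmask_of "${2#*/}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# cidr_range NETWORK/PREFIX -> prints "first last", e.g. "192.168.0.0 192.168.0.255"
cidr_range() {
    net=$(ip_to_int "${1%/*}")
    mask=$(netmask_of "${1#*/}")
    first=$(( net & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

# Demo with constructed addresses: a client on 192.168.1.x is covered by the
# /16 from the article but not by 192.168.0.0/24.
for cidr in 192.168.0.0/16 192.168.0.0/24 192.168.1.0/24; do
    if ip_in_cidr 192.168.1.50 "$cidr"; then verdict=allowed; else verdict=rejected; fi
    echo "$cidr covers $(cidr_range "$cidr") -> client 192.168.1.50 $verdict"
done
```

Run it on the RPi itself with `sh cidr-check.sh` (any file name works); if the client addresses handed out by your router fall outside the printed range, widen the prefix or fix the third octet before saving the setting.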

Filters

Filters are an easy way to quickly block or allow many popular sites and services. For example, if you had a hatred for social media, flipping a toggle in this menu would completely block all of Facebook’s services on your network.

Note that this is not application (Layer 7) blocking; it simply blocks a list of known domains that are owned and/or used by the specific service or website.

The ‘Filters’ page is also where you add and remove DNS blocklists. AdGuard Home comes with quite a few pre-defined lists that you can enable if desired. To get there, click on ‘Filters’, then ‘DNS blocklists’, then click ‘Add blocklist’ at the bottom of the page.

Next, you will click ‘Choose from the list’ to start adding the pre-defined blocklists. Alternatively, if you had a custom list you wanted to add, you could do so right here using the ‘Add a custom list’ button.

Here is where the magic happens. This is where you can select any or all of the pre-defined block lists. When you are done, click the save button.

Query Log

This page is a comprehensive log of everything AdGuard Home is doing. You can see which client on your network made which DNS query, filter to see which queries were processed or blocked, and see which upstream resolver answered a particular query. It’s not as snazzy or flashy as the graphs and top charts on the dashboard, but if you are looking for the dirty details of what’s going on, your answer is definitely going to be here in the query log.

AdGuard Home service – Start/Stop/Restart/Status

To control the AdGuard Home service and manage it from the command line of your RaspberryPi you can use the following commands.

sudo /opt/AdGuardHome/AdGuardHome -s status
sudo /opt/AdGuardHome/AdGuardHome -s start
sudo /opt/AdGuardHome/AdGuardHome -s stop
sudo /opt/AdGuardHome/AdGuardHome -s restart

Likewise, if you need to you could also uninstall or re-install the AGH service.

sudo /opt/AdGuardHome/AdGuardHome -s uninstall
sudo /opt/AdGuardHome/AdGuardHome -s install

Test if AdGuard Home is working

So your devices should be pointing to AdGuard Home. To test if the ad-blocking is working you have a couple of options.

On your Windows machine open a command prompt, then type this command.

nslookup doubleclick.net

If AdGuard Home is working, it should return “0.0.0.0” as the answer, meaning the lookup for “doubleclick.net” was blocked rather than resolved to the domain’s real IP address.

The other way to test your new ad-blocking abilities is to visit a site that checks how well ads are blocked. A quick Google search returned this one as an option: https://adblock-tester.com/ I’m sure you can find others…

What is AdGuard Home missing

  • No Layer 7 Application filtering capabilities

AdGuard Home has no packet inspection capability. Because it cannot inspect packets, it cannot block or filter based on content or applications; it relies entirely on DNS and the reputation of the domain being looked up. Instead of blocking the content itself, it blocks the IP address lookup for the requested domain. If you need to block or filter content, you will need to look into some sort of Next-Gen Firewall.

  • Blocking all Ads

AdGuard and Pi-Hole both suffer from the inability to block ALL ads. This is because sometimes the advertisements, and the content you are actually wanting, come from the same domain. Because they are coming from the same place we are unable to block the actual domain name.

Some examples of a few sites that serve ads and content from the same domain name include:

  • YouTube
  • Twitter
  • Facebook
  • Instagram

24 April 2020

RDP on Raspberry Pi

If you are like me, the computers around your house are predominantly Windows based. Which is fine until you try to remotely connect to the desktop of your RPi: Raspbian OS just doesn’t support Microsoft’s Remote Desktop Protocol out of the box.

It can though, and all it takes is a few steps to enable RDP on Raspbian. In my opinion, since I’m mostly on Windows, it is well worth it just for the convenience. I’ll be using Raspbian Buster in the examples below. If you’re not already on Buster, check out my article on upgrading Stretch to Buster.


Installing Xrdp on Rpi

Let’s begin by updating your RPi with the following command.

sudo apt update && sudo apt upgrade

Let’s install Pixel on our RPi. Pixel is the default desktop environment on Raspbian desktop images. It’s stable, lightweight, and fast, which is perfect for running remotely on our RPi. To install Pixel, use the command below.

sudo apt-get install raspberrypi-ui-mods xinit xserver-xorg

After installing Pixel, it’s time for a reboot.

sudo reboot now

Next we install the Xrdp package. It is available in the default Raspbian repositories. Use the command below to install Xrdp.

sudo apt install xrdp

The service starts automatically once it has installed, but we can check its status with the following command. It should print “running”.

systemctl show -p SubState --value xrdp

Lastly we need to add the user that runs the service to the “ssl-cert” group. Xrdp uses the key file “/etc/ssl/private/ssl-cert-snakeoil.key”, which is only readable by members of the “ssl-cert” group. Use the following command to add the user to the group.

sudo adduser xrdp ssl-cert

Your RPi now supports RDP! You can easily connect to it using Microsoft’s Remote Desktop Connection from your Windows machines.


Connecting to your RPi from Windows

From your Windows machine, click on the ‘Start menu’ or Windows Search field and type “remote”.

Once the Remote Desktop Connection App launches, enter the IP address of your RPi. Then click the “Connect” button.

Enter the login credentials for your RPi. Then click ‘Ok’.

BAM! Just like that you have successfully connected to and just RDP-ed into your RPi. Well done!

18 April 2020

Network (RPi) Printer

Using a simple RPi we can turn an otherwise normal USB printer into a network printer, making it easier to print from anywhere in your house, using any computer in your house. It literally breathes a bit more life into that “old” printer you were just considering tossing away.

We’ll take advantage of the CUPS software to make this happen. CUPS stands for Common Unix Printing System and is what runs most Linux printing software. It’s the bit that talks to your printer to properly print your files. Let’s get started…


To save some time before you do this… first check whether your printer is supported by visiting this link: https://www.openprinting.org/printers


Setting up CUPS

Open a terminal window or SSH into your RPi.

Make sure your RPi is up-to-date with the following commands:

sudo apt-get update
sudo apt-get upgrade

Install CUPS with the following command

sudo apt-get install cups

Add the user ‘pi’ to the ‘lpadmin’ group. This will allow your user ‘pi’ to access all of the administrative functions of CUPS without having to be a superuser. Use the following command.

sudo usermod -a -G lpadmin pi

We need to make CUPS accessible to your whole network. Currently it is only accessible on the RPi itself. To allow it to accept connections from any host, use the following commands.

sudo cupsctl --remote-any
sudo /etc/init.d/cups restart

You can now access the RPi print server from any computer on your network. Use the following command if you are unsure of your IP address.

hostname -I

Now with that IP address open a web browser and enter the following url, replacing <ip-address> with the IP address of your RPi

http://<ip-address>:631

To allow our CUPS print server to talk to Windows and let our Windows computers print to it, we need to set up Samba on the RPi. Use the following command to install Samba.

sudo apt-get install samba

After installing Samba, we will need to make a few edits to its configuration file. Use the following command to open the config file in the nano editor.

sudo nano /etc/samba/smb.conf

Scroll down to the end of the file. Edit it to make it match the following:

# CUPS print server
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = yes
read only = yes
create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = no
guest ok = no

Save and exit the editor by pressing ‘Ctrl-X’, then ‘Y’, then ‘Enter’

Restart SAMBA with the following command to load our configuration changes.

sudo systemctl restart smbd


Adding a printer to CUPS

Now with the software portion installed, we need to add the printer to CUPS. Make sure that you have turned the printer ‘On’ and that you have it connected to your RPi.

Open a web browser and enter the following url, replacing <ip-address> with the IP address of your RPi

http://<ip-address>:631

Click on the ‘Administrative’ tab at the top of the page.
Then click the “Add Printer” button.

On the ‘Add Printer’ screen select the name of the printer you want to set up, and click “Continue”.
In this example, we are setting up an HP LaserJet P2055d printer.

Note: If your printer does not appear on the screen, make sure that it is indeed ‘On’ and connected to your RPi. If it is still not appearing after verifying that, you may need to try restarting your RPi while leaving the printer ‘On’ and connected.

This screen is where you give your printer a name, a description, and a location. The most important thing to do on this screen is to tick the box for “Sharing: Share This Printer”.

On this screen you select the model of your printer. CUPS tries to auto-detect the model and pre-selects a driver based on the model you pick. Your selection will differ from mine. Once you are happy with your selection, click the “Add Printer” button at the bottom.

The final screen lets you set the default printer options: paper size, tray, resolution, double-sided, etc.

While not required, I like to give the RPi one more reboot after adding the printer.

To check the status of the printer and its print queue, use the following command on the RPi.

lpq HP_LaserJet_P2055d

It will display the printer name and if it’s “ready” and if any print jobs are pending.


Adding RPi printer to Windows 10

One thing I noticed when trying to add the printer to my Windows 10 machines is that I initially had problems auto-detecting and adding it. It just simply would not work. After a bit of searching the internet, I found a solution that did work for me.

Click on the ‘Start Menu’ and start typing “Printers”, then click on ‘Printers & scanner’.

Click on ‘Add a printer or scanner’

Windows will begin searching for printers… After a moment a link appears that says “The printer that I want isn’t listed”. Click on that link.

This will open an ‘Add Printer’ window.
Click on the option “Select a shared printer by name”.

Enter the “name” of your shared printer in the following format, then click ‘Next’.

http://<RPi/CUPS-IP_Address>:631/printers/<PrinterName>

  • Replace <RPi/CUPS-IP_Address> with the IP address of your RPi
  • Replace <PrinterName> with the name of your shared printer

Note: You might have to manually select your printer driver if it is not automatically detected.

The page will show that the printer has been successfully added, and it will appear in your “Printers & scanners”

You can now print to your RPi printer!

12 April 2020

Upgrade Raspbian Stretch to Buster

These instructions are taken from the Raspberry Pi Blog.

As with all major version changes, it is my recommendation to download a new clean image and start fresh with a clean system. (Raspbian Download page)
I don’t know what changes people have made to their system, and so have no idea what may break when you move to Buster. The instructions below will likely work on most systems. However, that does not guarantee that they will work on yours.

I cannot provide support (or be held responsible) for any problems that arise if you try it. You have been warned! Make a backup before even considering to attempt this…

Open a terminal or SSH window to your RPi.
In the files /etc/apt/sources.list and /etc/apt/sources.list.d/raspi.list, change every use of the word “stretch” to “buster”.

sudo nano /etc/apt/sources.list
sudo nano /etc/apt/sources.list.d/raspi.list
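Editing the two files by hand works, but it is easy to miss one line or to run the upgrade against a half-edited list. As an added example (not from the Raspberry Pi blog or the original post), here is the same “every stretch becomes buster” edit done with sed, keeping a .bak copy of each file and refusing to touch a file that already names the new release. The sample sources.list it runs on is a constructed copy; on a real RPi you would pass /etc/apt/sources.list and /etc/apt/sources.list.d/raspi.list under sudo instead.

```shell
#!/bin/sh
# Added example, not part of the original post: the "change every stretch to
# buster" edit done with sed, keeping a .bak copy of each file and checking
# the file before apt ever sees it. Pass the real files under sudo, or a test
# copy as the demo below does.

# switch_release FILE FROM TO -> rewrite FILE, leaving the original as FILE.bak.
# Returns non-zero if FILE is missing or already mentions TO (a half-edited
# file is the one case you do not want to "fix" automatically).
switch_release() {
    file=$1; from=$2; to=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if grep -q "$to" "$file"; then
        echo "refusing: $file already mentions '$to', check it by hand" >&2
        return 1
    fi
    cp -p "$file" "$file.bak"
    sed "s/$from/$to/g" "$file.bak" > "$file"
}

# count_release FILE NAME -> how many lines mention NAME (comments included)
count_release() {
    grep -c "$NAME$2" "$1" 2>/dev/null || true
}

# Demo on a constructed copy of a Raspbian Stretch sources.list (a sample
# written here, not read from this machine).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
deb http://raspbian.raspberrypi.org/raspbian/ stretch main contrib non-free rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://raspbian.raspberrypi.org/raspbian/ stretch main contrib non-free rpi
EOF
switch_release "$demo_file" stretch buster
echo "stretch lines now: $(count_release "$demo_file" stretch), buster lines: $(count_release "$demo_file" buster)"
cat "$demo_file"
rm -f "$demo_file" "$demo_file.bak"
```

If the function refuses a file, look at it with nano as the article describes: a mix of both release names usually means an earlier partial edit, and apt should not be run until the list is consistent.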

Then run the following command

sudo apt update && sudo apt dist-upgrade

Wait for the upgrade to complete, answering ‘yes’ to any prompt. There may also be a point at which the install pauses while a page of information is shown on the screen – hold the ‘space’ key to scroll through all of this and then hit ‘q’ to continue.

The update will take anywhere from half an hour to several hours, depending on your network speed. When it completes, reboot your Raspberry Pi.

When the Pi has rebooted, launch ‘Appearance Settings’ from the main menu, go to the ‘Defaults’ tab, and press whichever ‘Set Defaults’ button is appropriate for your screen size in order to load the new UI theme.

Buster will have installed several new applications which we do not support. To remove these, open a terminal window and run the following command.

sudo apt purge timidity lxmusic gnome-disk-utility deluge-gtk evince wicd wicd-gtk clipit usermode gucharmap gnome-system-tools pavucontrol

Then run

sudo apt autoremove

Then reboot your RPi one last time to complete the upgrade process.


To check the OS version of Raspbian you are running, run this command.

cat /etc/os-release

And remember: make a new backup of your RPi once you have finished testing things out on your newly upgraded OS version.

12 April 2020

Restoring your RPi

As I’ve said before, the data on your RPi is only as good as its last backup. You have already backed up your RPi, right?

This article covers how to restore the backup image of your RPi from Windows. While you can also restore it using Linux or macOS, I’m not going to cover those as I primarily use the Windows operating system. If you want more info on the RPi backup/restore process, please consult the official documentation here.

Restore on Windows

In Windows, we’ll use a utility called “Win32 Disk Imager”. If you followed my previous article on backing up your RPi you should already have it installed. If you haven’t, please go download and install Win32 Disk Imager onto your computer. It is this software that will allow us to restore the full image copy we made back to the micro-SD card of your RPi.

On your Windows computer, open the Win32 Disk Imager program.

In the upper right, under ‘Device’, select the drive letter of the card reader.
Mine is “D:\”, yours will likely be different.

In the ‘Image File’ box, click on the folder button to browse to, and select, the location of your backup image file, which you’d like to restore.

Click the ‘Write’ button at the bottom to begin restoring your backup image.
There will be a popup message that warns about writing to the device; click ‘Yes’ and it will begin your restore.

Once the restore completes, a popup message states that the write is complete; click ‘OK’.

Your restore is now complete!

Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on. Everything should be there, exactly as it was at the time you made the backup.

12 April 2020

Backing up your RPi

Like any other computer system, the data on your RPi is only as good as its last backup. Heck, have you ever even backed up your RPi since you got it up and running? Well, let me show you how to get backed up so that you can get back up in the event of an RPi catastrophe.

This article focuses on backing up your RPi from Windows. While you can also back it up using Linux or macOS, I’m not going to cover those as I primarily use the Windows operating system. If you want more info on backing up your RPi, please consult the official documentation here.

Backup on Windows

In Windows, we’ll use a utility called “Win32 Disk Imager”. Go ahead and download and install Win32 Disk Imager onto your computer. It will allow us to make a full image copy of the micro-SD card that is used in our RPi. That way we can restore a 1:1 image of that micro-SD card as it is at the time of backup, back onto the card or onto a new card if we ever need to. We can keep that image copy on a desktop or NAS or cloud storage.

Start by shutting down the RPi with the following command.

sudo shutdown now

Once the RPi has shut down, disconnect the power. You can now pull the micro-SD card out of it. Place it into the card reader on your Windows computer. This might be a USB adapter, or there might be an SD slot on your laptop that takes a “micro-SD to SD card” adapter.

On your Windows computer, open the Win32 Disk Imager program.

In the upper right, under ‘Device’, select the drive letter of the card reader.
Mine is “D:\”, yours will likely be different.

In the ‘Image File’ box, click on the folder button to browse to, and select, the location of where you would like to save the image file to.

Click the ‘Read’ button at the bottom to begin creating your backup image.

Once the backup completes, there will be a popup message you need to click ‘OK’ to.

Your backup is complete!

Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on.

You can now restore your RPi to this point-in-time image whenever anything goes wrong in the future.

10 April 2020

How to setup WiFi on headless RPi

These instructions are straight from the RPi documentation (which can be found here).

If you do not use a monitor or keyboard to run your Pi (known as headless), but you still need to do some wireless setup, there is a facility to enable wireless networking and SSH when creating an image.

Once an image is written to an SD card, the boot folder can be accessed by inserting the card into a card reader on a Linux or Windows machine. Adding certain files to this folder will activate certain setup features on the first boot of the Pi itself.

Setting up wireless networking

You will need to define a “wpa_supplicant.conf” file for your particular wireless network. Put this file in the boot folder, and when the Pi first boots, it will copy that file into the correct location in the Linux root file system and use those settings to start up wireless networking.

“wpa_supplicant.conf” file example:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=<Insert country code here>

network={
 ssid="<Name of your WiFi>"
 psk="<Password for your WiFi>"
}

Note that some older WiFi dongles don’t support 5GHz networks.

More information on the “wpa_supplicant.conf” file can be found here. See Wikipedia for a list of country codes.
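On a headless Pi there is no screen to tell you why WiFi did not come up, and the usual causes are a lowercase or missing country code and a passphrase outside the 8 to 63 characters WPA2 allows. As an added example (not from the Raspberry Pi documentation), here is a small POSIX sh checker for the three fields in the file above. It also accepts the unquoted 64-hex-digit psk= form that the standard wpa_passphrase tool produces, which keeps the plaintext WiFi password off the SD card. The sample config files it writes to temporary paths are constructed values.

```shell
#!/bin/sh
# Added example, not from the Raspberry Pi documentation: sanity-check a
# wpa_supplicant.conf before copying it to the boot partition.

# check_wpa_conf FILE -> exit 0 if the fields look valid; otherwise prints one
# problem per line and returns 1.
check_wpa_conf() {
    rc=0
    country=$(sed -n 's/^country=//p' "$1")
    ssid=$(sed -n 's/^[[:space:]]*ssid="\(.*\)"[[:space:]]*$/\1/p' "$1")
    psk=$(sed -n 's/^[[:space:]]*psk=\(.*\)$/\1/p' "$1")

    # country code: two upper-case letters (wpa_supplicant needs it for the
    # regulatory domain; lowercase "gb" is a common headless-setup mistake)
    case $country in
        [[:upper:]][[:upper:]]) ;;
        *) echo "country must be a two-letter upper-case code, got '$country'"; rc=1 ;;
    esac

    # SSID: 1-32 characters, in double quotes
    if [ ${#ssid} -lt 1 ] || [ ${#ssid} -gt 32 ]; then
        echo "ssid must be 1-32 characters in double quotes"; rc=1
    fi

    # psk: either a quoted passphrase (8-63 characters) or, unquoted, the
    # pre-computed 256-bit key as 64 hex digits (what wpa_passphrase prints)
    case $psk in
        \"*\")
            p=${psk#\"}; p=${p%\"}
            if [ ${#p} -lt 8 ] || [ ${#p} -gt 63 ]; then
                echo "quoted passphrase must be 8-63 characters"; rc=1
            fi ;;
        *)
            case $psk in
                "") echo "psk is missing"; rc=1 ;;
                *[!0-9a-fA-F]*) echo "unquoted psk must be 64 hex digits"; rc=1 ;;
                *) [ ${#psk} -eq 64 ] || { echo "hex psk must be exactly 64 digits, got ${#psk}"; rc=1; } ;;
            esac ;;
    esac
    return $rc
}

# Demo on a constructed file with two typical mistakes (not a real network).
demo=$(mktemp)
printf '%s\n' 'ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev' 'update_config=1' \
    'country=gb' '' 'network={' ' ssid="HomeNet"' ' psk="short"' '}' > "$demo"
if check_wpa_conf "$demo"; then
    echo "$demo: looks valid"
else
    echo "$demo: fix the problems above before copying it to the boot partition"
fi
rm -f "$demo"
```

To get the hex form, run `wpa_passphrase "<Name of your WiFi>" "<Password for your WiFi>"` on any Linux box with wpa_supplicant installed and copy its psk= line (without the commented plaintext line it also prints) into the network block.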

9 April 2020

How to Setup ZRAM on RPi

After posting my article on Reddit about setting up Pi-Hole and PiVPN, I learned about ZRAM from fellow redditor u/Bubbagump210. I’m basing this article off of his post.

Zram allows one to create compressed RAM drives – including swap drives. So, what we will be going over below is running a swap drive under ZRAM. When regular RAM feels memory pressure, it shuffles data from regular RAM to the ZRAM swap – which is also actually RAM but compressed.

Open a terminal window or SSH into your RPi.

Make sure your RPi is up-to-date with the following commands:

sudo apt-get update
sudo apt-get upgrade

Install ZRAM by running the following command, and then typing ‘Y’ to proceed.

sudo apt install zram-tools

By default, this package creates a 256MB swap drive. If you want to bump that up a tad higher, you will need to edit /etc/default/zramswap. Open the file with the following command.

sudo nano /etc/default/zramswap

We will need to add the ALLOCATION variable. To increase your swap drive to 512MB, add the following line.

ALLOCATION=512

Press “Ctrl-X” to exit the editor, “Y” to confirm you want to save your changes, then “Enter” to save it.

Run the following two commands to enable and start ZRAM

sudo systemctl enable zramswap
sudo systemctl start zramswap

If you run top, you should now see your new swap space at the size allocated above.

How to check your compression ratio? Run the command below.

cat /sys/block/zram0/mm_stat

On my RPi, the output is currently:
790528 189901 507904 0 507904 18 0 2

The first value is the uncompressed data size and the second value is the compressed data size. (More details found here)

189901 / 790528 ≈ 0.24

So a 76% reduction in size – not bad.

Certainly there is a tiny performance hit and buying more RAM is a technically better solution, but for fixed RAM cases like a Pi or free tier VM, this works.
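The ratio above is worth re-checking from time to time, since it depends on what happens to be swapped out. The following is an added example (not from the original post or from zram-tools) that parses an mm_stat line and prints the same calculation. The field names in the comment follow the kernel’s zram documentation; the sample line is the one quoted above, and on a live RPi you would substitute the real file as shown in the usage comment.

```shell
#!/bin/sh
# Added example, not from the original post: parse /sys/block/zram0/mm_stat
# and work out the compression ratio. Field order per the kernel's zram
# documentation: orig_data_size compr_data_size mem_used_total mem_limit
# mem_used_max same_pages pages_compacted huge_pages (sizes are in bytes).

# Constructed sample: the line quoted in the article.
SAMPLE_MM_STAT='790528 189901 507904 0 507904 18 0 2'

# zram_ratio "MM_STAT_LINE" -> compressed/original as a decimal, e.g. 0.24
zram_ratio() {
    set -- $1
    awk -v o="$1" -v c="$2" 'BEGIN {
        if (o == 0) { print "n/a"; exit }   # nothing swapped yet
        printf "%.2f\n", c / o }'
}

# zram_saved_pct "MM_STAT_LINE" -> whole-percent reduction, e.g. 76
zram_saved_pct() {
    set -- $1
    awk -v o="$1" -v c="$2" 'BEGIN {
        if (o == 0) { print "n/a"; exit }
        printf "%d\n", 100 - int(c / o * 100 + 0.5) }'
}

# zram_report "MM_STAT_LINE" -> one line per interesting field, sizes in KiB
zram_report() {
    set -- $1
    printf 'stored (uncompressed): %6d KiB\n' $(( $1 / 1024 ))
    printf 'compressed:            %6d KiB\n' $(( $2 / 1024 ))
    printf 'RAM actually used:     %6d KiB\n' $(( $3 / 1024 ))
    printf 'same-filled pages:     %6d\n' "$6"
    printf 'ratio: %s  (%s%% smaller)\n' "$(zram_ratio "$*")" "$(zram_saved_pct "$*")"
}

# Usage on a live RPi (zram0 must exist, i.e. zramswap is running):
#   zram_report "$(cat /sys/block/zram0/mm_stat)"
zram_report "$SAMPLE_MM_STAT"
```

The third field is the figure that matters for a memory-starved Pi: it is how much physical RAM the swap device really occupies, which is what the compression buys you back.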


Note, this initially didn’t work for me on Raspbian Stretch. I updated my RPi to Raspbian Buster and it worked just fine.

9 April 2020

How to Setup Fail2Ban on RPi

Fail2Ban is an amazing piece of software when it comes to security and protecting your RPi. Even more so if your RPi is exposed to, or publicly accessible on, the Internet. Fail2Ban continually monitors your system’s log files and watches for malicious connections, proactively blocking them.

Fail2Ban becomes an active, almost real-time, learning form of defense. Think of it as a “poor man’s” Intrusion Prevention System (IPS). It notices unusual activity, like multiple failed login attempts or exploit scans, and automatically updates your firewall rules to ban the offending IP address.

While it’s not a true IPS, it comes close enough and is very helpful for the average person. I would not advise using it as the front-line, or rather the only, defense within a company, but it would likely suffice for home use. That is not to say it should not or could not be used by companies; I only want to clarify that in a company environment it should be one layer among multiple defenses.

So now that we know what Fail2Ban is… Let’s get started setting it up.


While Fail2Ban is recommended if you have SSH exposed to the Internet, it is not necessarily needed if you are running a VPN. It won’t hurt to have it installed… but if you have a secure VPN set up, you don’t need (and shouldn’t) have SSH exposed to the Internet at all. See my article about setting up PiVPN.


Let’s begin by updating your RPi with the following commands.

sudo apt update
sudo apt upgrade

Now that your RPi is updated, let’s get on with the software install.
Run the following command to install Fail2Ban, pressing ‘Y’ to proceed.

sudo apt-get install fail2ban

Now Fail2Ban has changed a lot since version 0.9.x.

We want to create a “jail.local” file with the following command and edit it.

sudo nano /etc/fail2ban/jail.local

You’ll want to copy/paste the info below

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 192.168.1.0/24

# Ban hosts for two days:
bantime = 172800

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = 172800
maxretry = 3
findtime = 600
logpath = %(sshd_log)s
backend = %(sshd_backend)s

  • ignoreip: This option lets you specify IPs that Fail2Ban will ignore. You likely want to ignore events directly triggered on the device, as well as perhaps more trusted networks like your home network or office IP address. Example: ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
  • bantime: This option defines how long an IP address will be banned, the default is 10 minutes.
  • maxretry: This option defines the number of failures a host is allowed before it is banned.
  • findtime: This option is used along with the ‘maxretry’ option. If a host exceeds the ‘maxretry’ value within the time period specified in ‘findtime’ it will be banned for the amount of time specified in ‘bantime’.
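The interplay of maxretry and findtime is the part people misjudge: three failures spread over an hour never trigger a 600-second window. The following is an added example, not part of the original post and not Fail2Ban’s own code, that models just that counting rule in awk over a few constructed auth.log lines (the IP addresses are documentation ranges, the hostname and PIDs are made up). Real Fail2Ban matches with its own regex filters and applies ignoreip first; the example only shows how the two numbers from jail.local combine.

```shell
#!/bin/sh
# Added example, not part of the original post and not Fail2Ban's own code: a
# small awk model of how the sshd jail's maxretry and findtime combine. It reads
# constructed auth.log lines (same layout as /var/log/auth.log on Raspbian) and
# lists the source IPs that would be banned.

# Constructed sample log (addresses from documentation ranges). All entries
# fall on one day, so times are compared as seconds since midnight.
SAMPLE_LOG='Apr  9 10:00:01 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Apr  9 10:00:05 raspberrypi sshd[1202]: Failed password for pi from 198.51.100.9 port 5100 ssh2
Apr  9 10:01:10 raspberrypi sshd[1203]: Failed password for invalid user root from 203.0.113.5 port 4243 ssh2
Apr  9 10:02:30 raspberrypi sshd[1204]: Failed password for pi from 203.0.113.5 port 4244 ssh2
Apr  9 10:05:00 raspberrypi sshd[1205]: Accepted password for pi from 192.168.1.20 port 6000 ssh2
Apr  9 10:30:00 raspberrypi sshd[1206]: Failed password for pi from 198.51.100.9 port 5101 ssh2
Apr  9 11:00:00 raspberrypi sshd[1207]: Failed password for pi from 198.51.100.9 port 5102 ssh2'

# would_ban "LOGTEXT" MAXRETRY FINDTIME -> prints each IP that reaches MAXRETRY
# failures inside a FINDTIME-second window, once, in the order it would be banned.
would_ban() {
    printf '%s\n' "$1" | awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            ts[ip, n[ip]] = secs
            # failures by this IP that fall inside the window ending now
            c = 0
            for (j = 1; j <= n[ip]; j++) if (secs - ts[ip, j] <= findtime) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# Demo with the values from the jail.local above (maxretry = 3, findtime = 600)
# and with a much longer window for comparison.
echo "banned with findtime=600:  $(would_ban "$SAMPLE_LOG" 3 600 | tr '\n' ' ')"
echo "banned with findtime=7200: $(would_ban "$SAMPLE_LOG" 3 7200 | tr '\n' ' ')"
```

With the article’s settings only 203.0.113.5 is banned; the slow attempts from 198.51.100.9 are caught only when findtime is widened, which is the trade-off to keep in mind when you tune these two values against a low-and-slow scan.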

Now save the file by pressing ‘Ctrl+X’ then ‘Y’.

To restart the Fail2Ban service (and reload our config file changes):

sudo systemctl restart fail2ban

To check the Fail2Ban status:

sudo fail2ban-client status

You’ll get output similar to this.

Status
|- Number of jail:      1
`- Jail list:   sshd

To check individual jails:

sudo fail2ban-client status sshd

You’ll get output similar to this.

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

There is even more you can do with Fail2Ban, more ‘jails’ that you can configure to keep your device (and network) safe. But you are on your own to figure it out from here… Good Luck.

9 April 2020

Creating a Split-tunnel user in PiVPN



Okay. So we’ve gone over creating users. In doing so, we’ve created a user with a “full” VPN by using the default configuration that PiVPN applies when you create a user… But how do we set up a user with a “split-tunnel” VPN, in which only traffic destined for your home network goes through your RPi?

What exactly is this “split-tunnel”? In a split-tunnel VPN, the endpoint device decides where to route its traffic based on the rules in its configuration. It routes traffic for your home network over the VPN, while routing all other traffic directly out to the Internet.

This split-tunneling is actually my ideal setup. It is also ideal if you just wish to use your Pi-Hole for DNS queries when you are not at home.

Because PiVPN makes things so easy, I currently just create two profiles for my devices. One full and one split-tunnel. However, I seem to be primarily using only the split-tunnel. So who knows… I’ll probably change this practice of mine in the future and just create the one profile, but for now I’m keeping both.

Okay. I’ve talked long enough about split-tunnels. How do we make this magic happen? Lets dive in…

We will add a user just as we did previously, then edit its configuration file to allow for the split tunnel. To add your split-tunnel user, type the following command.

pivpn add

Then add the name of your split-tunnel user.
In my example, my user is named “P-W-W-F-split”

The next step is to open and edit the configuration file with the following command.

sudo nano /etc/wireguard/configs/P-W-W-F-split.conf

A full tunnel will have the line:

AllowedIPs = 0.0.0.0/0, ::0/0

That is the line we want to change. The split tunnel config would be modified to show the subnet of your home network. This is the magic line that makes this a split-tunnel.

AllowedIPs = 192.168.1.0/24


*Note: It’s been mentioned in the comments that for this split tunnel to work correctly, folks have also had to add the VPN network’s own range to the allowed networks for things to work as expected. That updated line is:

AllowedIPs = 10.6.0.0/24, 192.168.1.0/24

I’m not going to re-edit the images as I am no longer using this as my VPN solution. I only wanted to leave this note here for those that are following thru my tutorial so that they don’t become stuck.
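Because the whole split tunnel hinges on one line, it is worth scripting the edit and checking the result rather than retyping it in nano for every device. The following is an added example, not from the original post or from PiVPN, that rewrites the AllowedIPs line of a WireGuard client config to the split-tunnel form and confirms that 0.0.0.0/0 is gone. The sample config, its placeholder keys, the endpoint name and the temporary file path are all constructed; on a real PiVPN box the file is /etc/wireguard/configs/<user>.conf and the edit needs sudo.

```shell
#!/bin/sh
# Added example, not from the original post or from PiVPN: rewrite the
# AllowedIPs line of a WireGuard client config to the split-tunnel form, with a
# check that the result no longer routes 0.0.0.0/0 through the RPi.

VPN_NET="10.6.0.0/24"       # PiVPN's WireGuard range, from the note above
HOME_LAN="192.168.1.0/24"   # your home subnet

# Constructed full-tunnel client config (placeholder keys, not real ones).
SAMPLE_CONF='[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = <server-public-key-placeholder>
PresharedKey = <preshared-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::0/0'

# allowed_ips FILE -> prints the AllowedIPs value
allowed_ips() {
    sed -n 's/^AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1"
}

# is_full_tunnel FILE -> exit 0 when AllowedIPs still sends everything over the VPN
is_full_tunnel() {
    allowed_ips "$1" | grep -q '0\.0\.0\.0/0'
}

# make_split_tunnel FILE "NET1, NET2" -> replace the AllowedIPs line. Written
# through a temp file so a failed sed can never leave a truncated config behind.
make_split_tunnel() {
    sed "s|^AllowedIPs[[:space:]]*=.*|AllowedIPs = $2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on a temporary copy of the sample config
demo=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo"
echo "before: AllowedIPs = $(allowed_ips "$demo")"
make_split_tunnel "$demo" "$VPN_NET, $HOME_LAN"
echo "after:  AllowedIPs = $(allowed_ips "$demo")"
if is_full_tunnel "$demo"; then
    echo "still a full tunnel"
else
    echo "split tunnel: only $HOME_LAN and $VPN_NET go through the VPN"
fi
rm -f "$demo"
```

On the RPi you would call `sudo sh -c '. ./split.sh; make_split_tunnel /etc/wireguard/configs/P-W-W-F-split.conf "10.6.0.0/24, 192.168.1.0/24"'` or simply copy the two functions into a script; either way, run `allowed_ips` on the file afterwards and make sure it lists only your home subnet and the VPN range.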


The updated configs can be copied to the home config directory if you choose. This makes it easier if you are going to manually transfer a config file to a device, but I usually don’t, and just use the QR code mentioned in the next article.

To copy or backup your configuration files use the following command:

cp /etc/wireguard/configs/P-W-W-F.conf /home/pi/configs/P-W-W-F.conf
cp /etc/wireguard/configs/P-W-W-F-split.conf /home/pi/configs/P-W-W-F-split.conf


Next Article in this series: Part 6: Setup PiVPN Endpoint Device