These instructions are straight from the RPi documentation (which can be found here).
If you do not use a monitor or keyboard to run your Pi (known as headless), but you still need to do some wireless setup, there is a facility to enable wireless networking and SSH when creating a image.
Once an image is created on an SD card, by inserting it into a card reader on a Linux or Windows machines the boot folder can be accessed. Adding certain files to this folder will activate certain setup features on the first boot of the Pi itself.
Setting up wireless networking
You will need to define a “wpa_supplicant.conf” file for your particular wireless network. Put this file in the boot folder, and when the Pi first boots, it will copy that file into the correct location in the Linux root file system and use those settings to start up wireless networking.
“wpa_supplicant.conf” file example:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=<Insert country code here>
network={
ssid="<Name of your WiFi>"
psk="<Password for your WiFi>"
}
Note that some older WiFi dongles don’t support 5GHz networks.
More information on the “wpa_supplicant.conf” file can be found here. See Wikipedia for a list of country codes.
BGinfo is a great utility/tool that I really like and I literally have on every server I deploy. It is totally customize-able and able to display whatever system information that you feel is important to you, right on the desktop background making it easy to see at a glance. It could be used to display anything from the server’s name, IP addresses, hard drive usage, memory usage, OS version, or even the user that you are currently logged in as.
Create a folder, c:\utilities\, and make sure that all users have read and write access to it.
Move the BGInfo utility into the c:\utilities\ folder. I also like to place any other Sysinternals utilities that I am using into this c:\utilities\ folder.
Run the BGinfo utility and take a few minutes to configure what information you wish to be displayed on your background. Then save your configuration to the c:\utilities\ folder.
Create a shortcut to either Bginfo.exe (if you are on a 32-bit machine) or Bginfo64.exe (if are on a 64-bit machine).
Edit the target of that shortcut to include the name of your BGinfo configuration file. In the picture below I’ve named mine “c:\utilities\mybgconfig.bgi”.
A few more handy suggestions to include in your shortcut’s target are:
/timer:0 – to avoid the typical UI popup
/nolicprompt – to make sure new users are not prompted with the EULA
/silent – to silence and errors
Which would result with the target field looking like:
Follow my article about finding the startup folder in Windows, and make a copy of your shortcut into that startup folder. I prefer to copy the shortcut to the “Common Startup” folder, that way it will launch for any user that logs into the machine… But it’s up to you if you want to put it in the “User Startup” or “Common Startup” folder.
Now it’s time to test it out! Try logging out and then logging back in.
In recent years Microsoft has moved around where they “hide” the startup folder. That’s the folder that gets used to launch applications that start automatically when the user logs in. It’s not necessary hard to find, but it is well hidden.
There’s actually two places that startup folder lives. Each user has their own startup folder that will launch programs specific to that user. And there is also a common startup folder which will launch programs for any and all users that log into that machine.
How to find the users’ individual startup folder
Right click on the start menu and select ‘Run’.
Type “shell:startup” and click ok.
The startup folder will open, and you can drag-and-drag and shortcuts or applications you need into.
If you need to manually dive thru folders to get to the user’s startup folder, go to, but remember to change “<USER>” to the one you’re looking for:
After posting my article on Reddit about setting up Pi-Hole and PiVPN, I learned about ZRAM from fellow redditor u/Bubbagump210. I’m basing this article off of his post.
Zram allows one to create compressed RAM drives – including swap drives. So, what we will be going over below is running a swap drive under ZRAM. When regular RAM feels memory pressure, it shuffles data from regular RAM to the ZRAM swap – which is also actually RAM but compressed.
Open a terminal window or SSH into your RPi.
Make sure your RPi is up-to-date with the following commands:
sudo apt-get update sudo apt-get upgrade
Install ZRAM by running the following command, and then typing ‘Y’ to proceed.
sudo apt install zram-tools
By default, this package will create a 256MB swap drive. If you want to bump that up a tad higher, then you will need to edit /etc/default/zramswap. Edit the file with the following line.
sudo nano /etc/default/zramswap
We will need to add the ‘Allocation’ variable. To increase your swap drive to 512MB, add the following line.
ALLOCATION=512
Press “Ctrl-X” to exit the editor, “Y” to confirm you want to save your changes, then “Enter” to save it.
Run the following two commands to enable and start ZRAM
If you open top, you should now see your new swap space at the size allocated above.
How to check your compression ratio? Run the command below.
cat /sys/block/zram0/mm_stat
On this rpi, my output currently is: 790528 189901 507904 0 507904 18 0 2
The first value is the uncompressed data size, the second value is the compressed data size. (More details found here)
189901/790528=~0.24
So a 76% reduction in size – not bad.
Certainly there is a tiny performance hit and buying more RAM is a technically better solution, but for fixed RAM cases like a Pi or free tier VM, this works.
Fail2Ban is an amazing piece of software when it comes to security and protecting your RPi. Even more so if your RPi is exposed to, or publicly accessible on, the Internet. Fail2Ban continually monitors your system’s log files and watches for malicious connections, proactively blocking them.
Fail2Ban becomes an active, almost real-time, learning form of defense. Think of it as a “poor man’s” Intrusion Protection System (IPS). It will notice any unusual activity, like multiple failed login attempts or exploit scans, and automatically update your firewall rules to ban that IP address.
While it’s not a true IPS, it comes close enough and is very helpful for the average person. While I would not advise it for use it as front line, or rather a singular, defense within a company, it would likely suffice for home use. Not to say that it should not or could not be used by companies, I only want to clarify that it should be one layer of multiple defenses if used in a company environment.
So now that we know what Fail2Ban is… Lets get started setting it up.
While Fail2Ban is recommended if you have SSH exposed to the Internet, it is not necessarily needed if you are running a a VPN. It won’t hurt to have it installed… If you have a secure VPN setup, you don’t/shouldn’t even need to have SSH exposed to the insternet. See my article about setting up PiVPN.
Lets begin by updating your RPi before we begin with the following commands.
sudo apt update sudo apt upgrade
Now that your RPi is updated, lets get on with the software install. Run the following command to install Fail2Ban, press ‘Y’ to proceed.
sudo apt-get install fail2ban
Now Fail2Ban has changed a lot since version 0.9.x.
We want to create a “jail.local” file with the following command and edit it.
sudo nano /etc/fail2ban/jail.local
You’ll want to copy/paste the info below
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 192.168.1.0/24
# Ban hosts for two days:
bantime = 172800
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = 172800
maxretry = 3
findtime = 600
logpath = %(sshd_log)s
backend = %(sshd_backend)s
ignoreip: This option lets you specify IP that Fail2Ban will ignore. You likely want to ignore events directly triggered on the device, as well as perhaps more trusted networks like your home network or office ip address. Example:ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
bantime: This option defines how long an IP address will be banned, the default is 10 minutes.
maxretry: This option defines the number of failures a host is allowed before it is banned.
findtime: This option is used along with the ‘maxretry’ option. If a host exceeds the ‘maxretry’ value within the time period specified in ‘findtime’ it will be banned for the amount of time specified in ‘bantime’.
Now save the file by pressing ‘Ctrl+X’ then ‘Y’.
To restart the Fail2Ban service (and reload our config file changes):
sudo systemctl restart fail2ban
To check the Fail2Ban status:
sudo fail2ban-client status
You’ll get output similar to this.
Status
|- Number of jail: 1
`- Jail list: sshd
To check individual jails:
sudo fail2ban-client status sshd
You’ll get output similar to this.
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| - File list: /var/log/auth.log - Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
There is even more you can do with Fail2Ban, more ‘jails’ that you can configure to keep your device (and network) safe. But you are on your own to figure it out from here… Good Luck.
To remove a user/client it’s easy. Type the following command.
pivpn remove
You’ll be presented with a list of the clients you have created. Enter the name of client you wish to remove and press “Enter”.
In my example below, I’m removing the user named “P-W-W-F”.
You’re all done! You have a completed setting up a VPN. You have completed setting up your endpoints. You can manage your VPN users. Congratulations. We’re all done here!
If you’re still itching to do more on your RPi… consider taking a look at my articles on installing ZRAM or installing Fail2Ban.
Okay. So we’ve gone over creating users. In doing so we’ve gone over creating a user that would have a “full” vpn by using the default configuration that happens when you create a user with PiVPN…. But how do we set up a user with a “split-tunnel” vpn, in which only traffic destined for your home network goes thru your RPi?
What exactly is this “split-tunnel”? In a split-tunnel VPN, the endpoint device will be able to make a determination as to where to route it’s traffic, due to changes in the configuration rules. It will route traffic to your home network over the VPN, while routing all other traffic directly out to the Internet.
This split-tunneling actually my ideal setup. It is also ideal if you just wish to use just your Pi-Hole for DNS queries when you are not at home.
Because PiVPN makes things so easy, I currently just create two profiles for my devices. One full and one split-tunnel. However, I seem to be primarily using only the split-tunnel. So who knows… I’ll probably change this practice of mine in the future and just create the one profile, but for now I’m keeping both.
Okay. I’ve talked long enough about split-tunnels. How do we make this magic happen? Lets dive in…
We will add a user just as we did previously, then edit it’s configuration file to allow for the split tunnel. To add your split-tunnel user, type the following command below.
pivpn add
Then add the name of your split-tunnel user. In my example, my user is named “P-W-W-F-split”
The next step is to open and edit the configuration file with the followign command.
That is the line we want to change. The split tunnel config would be modified to show the subnet of your home network. This is the magic line that makes this a split-tunnel.
AllowedIPs = 192.168.1.0/24
*Note: It’s been mentioned in the comments that for this split tunnel to work correctly, folks have had to also add the VPN network’s range to the allowed networks for things and work as expected. That updated line is:
Allowed IP addresses: 10.6.0.0/24, 192.168.1.0/24
I’m not going to re-edit the images as I am no longer using this as my VPN solution. I only wanted to leave this note here for those that are following thru my tutorial so that they don’t become stuck.
The updated configs can be copied to the home config directory if you choose. This will make it easier if you are going to manually transferring a config file to a device, but I usually don’t, and just use the QR code mention in the next article.
To copy or backup your configuration files use the following command:
VPN actually stands for virtual private network. What that means is that when you connect to a VPN, you are essentially creating a secure encrypted tunnel from your device to the network on the other side. A VPN prevents “snooping eyes” from seeing the actual network traffic that crosses the wire, meaning that you only you and the other end know what you are doing. That traffic will be visible from the other end as it comes out there, but that is a network you “trust”, and that traffice is protected as it traverses across the Internet.
You’ve probably heard of VPN services before or you might already use one. They are common for work places to use, to connect back to your office. As well commercial VPN services for individuals looking to bypass geo-location filters when they are overseas to make it appear that you are in the U.S., or users as an attempt to anonymize their internet traffic. Those are all great examples of VPNs. But those are not what I am going to cover….
So what about if you want to access resources you have at home while you are away? (i.e. – printers, file storage or file backups, remote support of a non-tech-savvy family member)
Or what if you want to use the Pi-Hole adblocker you set up at home while your at school/work/traveling?
This is the type of “home VPN” that I am talking about. This “home VPN” will keep your browsing secure while you are hopping onto free WiFi hotspots all across town, but it will not anonymize your traffic at all. All of your traffic is [securely] going to go thru your VPN and it will be as if you are surfing the Internet from home. So don’t think that just because you setup a VPN on your Raspberry Pi at home that you can blindly surf the Internet and download illegal torrents without consequence, because you’d be wrong. You will however, be able to connect back home and retrieve those files you forgot to put on your thumb drive before walking out the door.
The magic that will make it happen is called PiVPN. It’s a small piece of software that can be installed on a Raspberry Pi with a single line of code, and can be configured, ready-to-go, in less time than it take to watch a sitcom episode on Netflix.
So I already have PiHole installed at home and it works great to block ads at home. But if you’re not at home, how do you to block ads? What about if you want to access resources you have at home (i.e. – printers, file storage, remote support of non-tech-savvy family) while you are away? Well the answer is PiVPN.
You’ve probably heard of VPN services before or you might already use one. They are common for work places to use, to connect back to your office. As well as for individuals looking to bypass geo-location filters when you are overseas, to make it appear that you are in the U.S.
VPN actually stands for virtual private network. What that means is that when you connect to a VPN, you are essentially creating a secure encrypted tunnel from your device to the network on the other side. A VPN prevents “snooping eyes” from seeing the actual network traffic that crosses the wire, meaning that you only you and the other end know what you are doing. The caveat to that, depending on how your VPN is set up, is that the internet traffic on your device will appear to be coming from the network you are VPNed into and that will be visible to the ISP. So don’t think that just because you setup a VPN on your Raspberry Pi at home that you can blindly surf the Internet and download illegal torrents without consequence, because you’d be wrong. The best use case, in my opinion, for setting up a VPN, or in our case PiVPN, is to access your files and storage when you’re not at home.
Lets get started with setting up PiVPN. As a prerequisites, make sure that you have already installed and setup PiHole.
Open a terminal window or SSH into your Raspberry Pi (RPi)
Enter the following command:
curl -L https://install.pivpn.io | bash
By running the above command essentially piping the curl command to bash, the RPi will automatically download and run PiVPN.
A cautionary note about piping curl to bash – Basically, be sure you trust the source, because you’re essentially letting them run whatever they want on your device!
The PiVPN Automated Installer should appear. Click ‘Ok’.
The installer will need to apply a static IP address to your Raspberry Pi. This is a PiVPN requirement. If you’re running PiHole, you should already have a static IP assigned to your device. If you don’t… go fix that now, and come back. If you do already have a static IP address assigned at this screen, click ‘No’.
Comment on the above step… Even if you set a static IP on the device, if that IP is within the DHCP reservation pool, the DHCP server (the router, for most people) could theoretically still assign that IP to another device. That should never happen for an always on device, but if you take it offline for a while or switch routers it could happen. So when setting static IP addresses, take a look into your network’s settings and assign addresses outside of the DHCP pool’s range. This will help prevent the possible scenario i just mentioned above.
The next screen shows your current network settings and confirms that you want to use it as your static address. Click ‘Yes’.
The next screen is just a warning of what could happen with an IP conflict if the RPi does not have a static IP address and is using DHCP. We’re all set though using a static IP, so click ‘Ok’.
Next we will choose the user which we’ll install PiVPN under… Click ‘Ok’.
Then choose the desired user, and click ‘Ok’ again.
We want to install WireGuard. So on this screen, select it and click ‘Ok’.
*If you need, or wish, to install OpenVPN to meet you needs then that option is available. My recommendation – If this is your first time setting up a VPN, stick with the default – WireGuard.
Wait and watch the status bar complete….
Select your default port. I am going to leave mine set to the default value “51820”. Click ‘Ok’.
Confirm the port, click ‘Yes’.
Because PiHole is already install, PiVPN detects it and offers to set that as our desired DNS. This is what we want, so click ‘Yes’.
This next screen asks how we will be connecting remotely to our PiVPN.
Most of us do not have a static “external” IP given to us by our ISP. So with that in mind, we do not want to use the public IP address that is shown.
We want to use a Dynamic DNS (DDNS) service. The best example of this type of DDNS service is No-IP (noip.com). This type of service allows you to run a client within your network that will go out and check what your external IP is, and then update No-IP with that address any time it changes. Dynamically updating the DNS record that you have setup with the DDNS service provider.
Note: This DDNS value can be changed later if your DDNS public name ever changes, though you would need to update your user/client endpoints to use the updated name.
Since we already have DDNS set up, we will be chooseing “DNS Entry – Use a public DNS”. Click ‘Ok’.
Enter your DDNS public DNS name. Click ‘OK’.
Confirm your entry. Click ‘Yes’.
The generation of the encryption keys are the next step. Click ‘Ok’.
We will want to acknowledge the ‘Unattended Upgrades’ page. It’s just letting us know that we should enable this feature and have the RPi automatically check for and install security updated for us daily. Note, that it will not automatically reboot the RPi, so we’ll need to do that manually from time to time. Click ‘Ok’.
Click ‘Yes’
Wait and watch the status bar complete….
Click ‘Ok’. PiVPN has now been installed! Woohoo!!! We will still need to add our users/profiles before we can log in.
Click ‘Yes’ to reboot your RPi. Then ‘Ok’ again to initiate the reboot.
Now we need to log into our router. We will need to setup a port forwarding. We need to forward port 51820 to our Raspberry Pi. This will allow traffic both ways between the Internet and your PiVPN.
Note: If you skip this port forwarding step, you will not be able to connect remotely to your PiVPN.
Typing “pivpn” will show you all of the available options of PiVPN.
Now that PiVPN is running, it’s time to add device profiles to the VPN and grant them the permissions they need to be able to connect.
Ideally you will want to create a new client account for each device that will be connecting remotely to your VPN. This is a best practice, and my recommendation. It gives you the granular control, per device, in case you need to revoke or regenerate a device’s credentials. It’s easier to redo one device then it is to redo every device.
To add your user, type the following command below.
pivpn add
Then add the name of your user. In my example, my user is named “P-W-W-F”
Just like that you’ve added a user to your VPN!
Repeat the above steps as many times as necessary to add profiles for every device that will be connecting to your VPN.
This default setup will create a user with a “full” VPN, meaning that all of their traffic is going to get routed thru the Internet over to your RPi. Your RPi will then determine what traffic is meant for your home network, and anything else will get re-routed back out of your home network to the Internet.
The config can be copied to the home config directory if you choose. This will make it easier if you are going to manually transferring a config file to a device
To copy or backup your configuration files use the following command: