12 April 2020

Backing up your RPi

Like any other computer system, the data on your RPi is only as good as its last backup. Heck, have you ever even backed up your RPi since you got it up and running? Well, let me show you how to get backed up so that you can get back up in the event that you ever have an RPi catastrophe.

This article is going to focus on backing up your RPi with Windows. While you can also back it up using Linux or MacOS, I’m not going to cover those as I primarily use the Windows operating system. If you want more info on backing up your RPi, please consult the official documentation here.

Backup on Windows

In Windows, we’ll use a utility called “Win32 Disk Imager”. Go ahead and download and install Win32 Disk Imager onto your computer. It will allow us to make a full image copy of the micro-SD card that is used in our RPi. That way we can restore a 1:1 image of that micro-SD card as it is at the time of backup, back onto the card or onto a new card if we ever need to. We can keep that image copy on a desktop or NAS or cloud storage.

Start by shutting down the RPi with the following command.

sudo shutdown now

Once the RPi has shut down, disconnect the power. You can now pull the micro-SD card out of it. Place it into the card reader on your Windows computer. This might be a USB adapter, or there might be an SD slot on your laptop that will take a “micro-SD to SD card” adapter.

On your Windows computer, open the Win32 Disk Imager program.

In the upper right, under ‘Device’, select the drive letter of the card reader.
Mine is “D:\”; yours will likely be different.

In the ‘Image File’ box, click on the folder button to browse to, and select, the location of where you would like to save the image file to.

Click the ‘Read’ button at the bottom to begin creating your backup image.

Once the backup completes, a popup message will appear; click ‘OK’ to dismiss it.

Your backup is complete!

Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on.

You can now restore your RPi to this point-in-time image if anything ever goes wrong in the future.

10 April 2020

Manually force an Azure AD Connect sync

The Azure AD Connect tool has a default sync schedule that runs every 30 minutes. However, sometimes you need the changes you make to be synced NOW! So from time to time it’s necessary to manually force Azure AD Connect to run and sync your on-prem AD up to Azure AD. This can be done with PowerShell as either a full sync or a delta sync.


Open Powershell.

If you’re running PowerShell on the server where AD Connect Sync resides, you can skip this step. Otherwise, connect to the AAD Connect Sync server by running the following command to create a PSRemoting session, replacing <SERVERNAME> with the name of your AD Connect server.

Enter-PSSession -ComputerName <SERVERNAME>

Import the ADSync module with the following command.

Import-Module ADSync

Run one of the following commands to manually force the sync.

For a delta sync (the most common use case):

Start-ADSyncSyncCycle -PolicyType Delta

For a full sync (less common use cases):

Start-ADSyncSyncCycle -PolicyType Initial

If you used the “Enter-PSSession” command earlier, then you need to exit that session; otherwise it will stay open even after you terminate the connection. To close the PSSession, use the following command:

Exit

10 April 2020

How to setup WiFi on headless RPi

These instructions are straight from the RPi documentation (which can be found here).

If you do not use a monitor or keyboard to run your Pi (known as headless), but you still need to do some wireless setup, there is a facility to enable wireless networking and SSH when creating an image.

Once an image has been written to an SD card, the boot folder can be accessed by inserting the card into a card reader on a Linux or Windows machine. Adding certain files to this folder will activate certain setup features on the first boot of the Pi itself.

Setting up wireless networking

You will need to define a “wpa_supplicant.conf” file for your particular wireless network. Put this file in the boot folder, and when the Pi first boots, it will copy that file into the correct location in the Linux root file system and use those settings to start up wireless networking.

“wpa_supplicant.conf” file example:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=<Insert country code here>

network={
 ssid="<Name of your WiFi>"
 psk="<Password for your WiFi>"
}

Note that some older WiFi dongles don’t support 5GHz networks.

More information on the “wpa_supplicant.conf” file can be found here. See Wikipedia for a list of country codes.

9 April 2020

Setup BGInfo on Windows

BgInfo is a great utility that I really like and literally have on every server I deploy. It is totally customizable and can display whatever system information you feel is important, right on the desktop background, making it easy to see at a glance. It can be used to display anything from the server’s name, IP addresses, hard drive usage, memory usage, and OS version to the user you are currently logged in as.


Download BgInfo – https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo

Create a folder, c:\utilities\, and make sure that all users have read and write access to it.

Move the BGInfo utility into the c:\utilities\ folder.
I also like to place any other Sysinternals utilities that I am using into this c:\utilities\ folder.

Run the BGinfo utility and take a few minutes to configure what information you wish to be displayed on your background.
Then save your configuration to the c:\utilities\ folder.

Create a shortcut to either Bginfo.exe (if you are on a 32-bit machine) or Bginfo64.exe (if you are on a 64-bit machine).

Edit the target of that shortcut to include the name of your BGinfo configuration file.
In the picture below I’ve named mine “c:\utilities\mybgconfig.bgi”.

A few more handy suggestions to include in your shortcut’s target are:

  • /timer:0 – to avoid the typical UI popup
  • /nolicprompt – to make sure new users are not prompted with the EULA
  • /silent – to silence any errors

This would result in the target field looking like:

c:\utilities\Bginfo64.exe c:\utilities\mybgconfig.bgi /timer:0 /nolicprompt /silent

Follow my article about finding the startup folder in Windows, and copy your shortcut into that startup folder.
I prefer to copy the shortcut to the “Common Startup” folder; that way it will launch for any user that logs into the machine. But it’s up to you whether you put it in the “User Startup” or “Common Startup” folder.

Now it’s time to test it out! Try logging out and then logging back in.

9 April 2020

Finding the Startup Folder on Windows

In recent years Microsoft has moved around where they “hide” the startup folder. That’s the folder used to launch applications that start automatically when the user logs in. It’s not necessarily hard to find, but it is well hidden.

There are actually two places the startup folder lives. Each user has their own startup folder that launches programs specific to that user. And there is also a common startup folder that launches programs for any and all users that log into that machine.


How to find the users’ individual startup folder

  • Right click on the start menu and select ‘Run’.
  • Type “shell:startup” and click ok.
  • The startup folder will open, and you can drag and drop any shortcuts or applications you need into it.

If you need to manually dive through folders to get to a user’s startup folder, go to the path below, remembering to change “<USER>” to the user you’re looking for:

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

How to find the all users’ common startup folder

  • Right click on the start menu and select ‘Run’.
  • Type “shell:common startup” and click ok.
  • The startup folder will open, and you can drag and drop any shortcuts or applications you need into it.

If you need to manually dive through folders to get to the common startup folder, go to:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

9 April 2020

How to Setup ZRAM on RPi

After posting my article on Reddit about setting up Pi-Hole and PiVPN, I learned about ZRAM from fellow redditor u/Bubbagump210. I’m basing this article off of his post.

ZRAM allows one to create compressed RAM drives, including swap drives. So what we will be going over below is running a swap drive under ZRAM. When regular RAM feels memory pressure, it shuffles data from regular RAM to the ZRAM swap, which is also actually RAM, but compressed.

Open a terminal window or SSH into your RPi.

Make sure your RPi is up-to-date with the following commands:

sudo apt-get update
sudo apt-get upgrade

Install ZRAM by running the following command, and then typing ‘Y’ to proceed.

sudo apt install zram-tools

By default, this package will create a 256MB swap drive. If you want to bump that up a tad higher, you will need to edit /etc/default/zramswap. Open the file with the following command.

sudo nano /etc/default/zramswap

We will need to add the ‘ALLOCATION’ variable. To increase your swap drive to 512MB, add the following line.

ALLOCATION=512

Press “Ctrl-X” to exit the editor, “Y” to confirm you want to save your changes, then “Enter” to save it.

Run the following two commands to enable and start ZRAM.

sudo systemctl enable zramswap
sudo systemctl start zramswap

If you open top, you should now see your new swap space at the size allocated above.

To check your compression ratio, run the command below.

cat /sys/block/zram0/mm_stat

On this RPi, my output currently is:

790528 189901 507904 0 507904 18 0 2


The first value is the uncompressed data size and the second value is the compressed data size (more details can be found here).

189901 / 790528 ≈ 0.24

So a 76% reduction in size, not bad.

Certainly there is a tiny performance hit, and buying more RAM is technically the better solution, but for fixed-RAM cases like a Pi or a free-tier VM, this works.
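As an added example (not part of the original post), here is a small shell helper that reads an mm_stat line and reports the ratio computed above, plus the third field, mem_used_total, which is the memory the zram device actually occupies including allocator overhead. The field order is taken from the kernel’s zram documentation, and the sample line is the one shown above:

```shell
#!/bin/sh
# Fields of /sys/block/zram0/mm_stat (kernel zram documentation):
#   orig_data_size compr_data_size mem_used_total mem_limit mem_used_max
#   same_pages pages_compacted huge_pages
#
# zram_summary "<mm_stat line>"
#   prints the compressed/uncompressed ratio and the space saved, both as
#   the post computes it (compr_data_size) and as the kernel really pays
#   for it (mem_used_total, which includes zsmalloc fragmentation/metadata).
zram_summary() {
  printf '%s\n' "$1" | awk '{
    orig = $1; compr = $2; used = $3
    if (orig == 0) { print "orig=0 (no data stored in zram yet)"; exit }
    printf "orig=%d compr=%d ratio=%.2f saved=%.0f%% mem_used=%d effective_saved=%.0f%%\n",
           orig, compr, compr / orig, (1 - compr / orig) * 100,
           used, (1 - used / orig) * 100
  }'
}

# The mm_stat line from the post, used here as constructed sample input.
SAMPLE_MM_STAT='790528 189901 507904 0 507904 18 0 2'

# Read the live counters on a Pi with zram active; otherwise use the sample.
if [ -r /sys/block/zram0/mm_stat ]; then
  zram_summary "$(cat /sys/block/zram0/mm_stat)"
else
  zram_summary "$SAMPLE_MM_STAT"
fi
```

On the sample line the nominal saving is 76%, but mem_used_total shows the device really holding 507904 bytes, so the RAM actually freed is closer to 36%; that is the number to watch when deciding how large an ALLOCATION is worthwhile.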


Note, this initially didn’t work for me on Raspbian Stretch. I updated my RPi to Raspbian Buster and it worked just fine.

9 April 2020

How to Setup Fail2Ban on RPi

Fail2Ban is an amazing piece of software when it comes to security and protecting your RPi. Even more so if your RPi is exposed to, or publicly accessible on, the Internet. Fail2Ban continually monitors your system’s log files and watches for malicious connections, proactively blocking them.

Fail2Ban becomes an active, almost real-time, learning form of defense. Think of it as a “poor man’s” Intrusion Protection System (IPS). It will notice any unusual activity, like multiple failed login attempts or exploit scans, and automatically update your firewall rules to ban that IP address.

While it’s not a true IPS, it comes close enough and is very helpful for the average person. While I would not advise using it as a front-line, or rather a singular, defense within a company, it would likely suffice for home use. That’s not to say it should not or could not be used by companies; I only want to clarify that it should be one layer of multiple defenses in a company environment.

So now that we know what Fail2Ban is… Let’s get started setting it up.


While Fail2Ban is recommended if you have SSH exposed to the Internet, it is not necessarily needed if you are running a VPN. It won’t hurt to have it installed, but if you have a secure VPN set up, you don’t/shouldn’t even need to have SSH exposed to the Internet. See my article about setting up PiVPN.


Let’s begin by updating your RPi with the following commands.

sudo apt update
sudo apt upgrade

Now that your RPi is updated, let’s get on with the software install.
Run the following command to install Fail2Ban, and press ‘Y’ to proceed.

sudo apt-get install fail2ban

Note that Fail2Ban has changed a lot since version 0.9.x.

We want to create a “jail.local” file and edit it with the following command.

sudo nano /etc/fail2ban/jail.local

You’ll want to copy/paste the info below:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 192.168.1.0/24

# Ban hosts for two days:
bantime = 172800

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = 172800
maxretry = 3
findtime = 600
logpath = %(sshd_log)s
backend = %(sshd_backend)s

  • ignoreip: This option lets you specify IP addresses that Fail2Ban will ignore. You likely want to ignore events triggered directly on the device, as well as perhaps more trusted networks like your home network or your office IP address. Example: ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
  • bantime: This option defines how long an IP address will be banned; the default is 10 minutes.
  • maxretry: This option defines the number of failures a host is allowed before it is banned.
  • findtime: This option is used along with the ‘maxretry’ option. If a host exceeds the ‘maxretry’ value within the time period specified in ‘findtime’ it will be banned for the amount of time specified in ‘bantime’.
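To make the maxretry/findtime logic concrete, here is an added shell example (not from the post or from the Fail2Ban project) that replays constructed auth.log lines through the same rule as the jail above, maxretry = 3 within findtime = 600 seconds. The ignoreip handling is a simplified prefix match standing in for 127.0.0.1/8 and 192.168.1.0/24, and the source IPs are documentation ranges:

```shell
#!/bin/sh
# Constructed /var/log/auth.log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG='Apr  9 12:00:01 rpi sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr  9 12:00:30 rpi sshd[1202]: Failed password for root from 198.51.100.7 port 22222 ssh2
Apr  9 12:01:15 rpi sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Apr  9 12:03:40 rpi sshd[1207]: Failed password for invalid user pi from 203.0.113.5 port 40141 ssh2
Apr  9 12:04:02 rpi sshd[1210]: Failed password for pi from 192.168.1.20 port 51000 ssh2
Apr  9 12:05:11 rpi sshd[1212]: Failed password for pi from 192.168.1.20 port 51002 ssh2
Apr  9 12:06:30 rpi sshd[1215]: Failed password for pi from 192.168.1.20 port 51004 ssh2
Apr  9 12:20:00 rpi sshd[1230]: Failed password for root from 198.51.100.7 port 22230 ssh2
Apr  9 12:40:00 rpi sshd[1240]: Failed password for root from 198.51.100.7 port 22240 ssh2'

# would_ban MAXRETRY FINDTIME "IGNORE_PREFIX ..." < auth.log
# Prints, in order, each source IP the sshd jail would ban: the maxretry-th
# "Failed password" from one IP within findtime seconds triggers the ban.
# IGNORE_PREFIXES is a simplified ignoreip: "127. 192.168.1." stands in for
# 127.0.0.1/8 192.168.1.0/24 (string prefix match, not real CIDR matching).
would_ban() {
  awk -v maxretry="$1" -v findtime="$2" -v ignores="$3" '
  BEGIN {
    n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= n; i++) mon[m[i]] = i
    nign = split(ignores, ign, " ")
  }
  /sshd\[[0-9]+\]: Failed password for/ {
    # syslog "Mon D HH:MM:SS" -> seconds; same year and 31-day months are
    # close enough for differences inside one findtime window
    split($3, t, ":")
    ts = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
    ip = ""
    for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
    if (ip == "" || (ip in banned)) next
    for (i = 1; i <= nign; i++) if (index(ip, ign[i]) == 1) next
    cnt[ip]++; seen[ip, cnt[ip]] = ts
    recent = 0
    for (i = 1; i <= cnt[ip]; i++) if (ts - seen[ip, i] <= findtime) recent++
    if (recent >= maxretry) { banned[ip] = 1; print ip }
  }'
}

# Same settings as the jail.local above: maxretry = 3, findtime = 600
printf '%s\n' "$SAMPLE_LOG" | would_ban 3 600 "127. 192.168.1."
```

With the jail’s settings only 203.0.113.5 is banned: 192.168.1.20 is covered by ignoreip, and 198.51.100.7 spaces its attempts twenty minutes apart, so it never reaches three failures inside one findtime window (raise findtime to 3600 and it would).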

Now save the file by pressing ‘Ctrl+X’ then ‘Y’.

To restart the Fail2Ban service (and reload our config file changes):

sudo systemctl restart fail2ban

To check the Fail2Ban status:

sudo fail2ban-client status

You’ll get output similar to this.

Status
|- Number of jail:      1
`- Jail list:   sshd

To check individual jails:

sudo fail2ban-client status sshd

You’ll get output similar to this.

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

There is even more you can do with Fail2Ban: more ‘jails’ you can configure to keep your device (and network) safe. But you are on your own to figure it out from here… Good luck.

9 April 2020

Remove PiVPN user/client

Removing a user/client is easy. Type the following command.

pivpn remove

You’ll be presented with a list of the clients you have created.
Enter the name of the client you wish to remove and press “Enter”.

In my example below, I’m removing the user named “P-W-W-F”.

You’re all done! You have completed setting up a VPN, you have completed setting up your endpoints, and you can manage your VPN users. Congratulations. We’re all done here!


If you’re still itching to do more on your RPi… consider taking a look at my articles on installing ZRAM or installing Fail2Ban.

9 April 2020

Creating a Split-tunnel user in PiVPN

Okay. So we’ve gone over creating users. In doing so we covered creating a user with a “full” VPN, which is the default configuration you get when you create a user with PiVPN…. But how do we set up a user with a “split-tunnel” VPN, in which only traffic destined for your home network goes through your RPi?

What exactly is this “split-tunnel”? In a split-tunnel VPN, the endpoint device is able to decide where to route its traffic, based on the configuration rules. It will route traffic to your home network over the VPN, while routing all other traffic directly out to the Internet.

This split-tunnel configuration is actually my ideal setup. It is also ideal if you just wish to use your Pi-Hole for DNS queries when you are not at home.

Because PiVPN makes things so easy, I currently just create two profiles for each of my devices: one full and one split-tunnel. However, I seem to be primarily using only the split-tunnel. So who knows… I’ll probably change this practice of mine in the future and just create the one profile, but for now I’m keeping both.

Okay. I’ve talked long enough about split-tunnels. How do we make this magic happen? Let’s dive in…

We will add a user just as we did previously, then edit its configuration file to allow for the split tunnel. To add your split-tunnel user, type the following command.

pivpn add

Then add the name of your split-tunnel user.
In my example, my user is named “P-W-W-F-split”.

The next step is to open and edit the configuration file with the following command.

sudo nano /etc/wireguard/configs/P-W-W-F-split.conf

A full tunnel will have the line:

AllowedIPs = 0.0.0.0/0, ::0/0

That is the line we want to change. In the split-tunnel config it is modified to list the subnet of your home network. This is the magic line that makes this a split-tunnel.

AllowedIPs = 192.168.1.0/24


*Note: It’s been mentioned in the comments that for this split tunnel to work correctly, folks have had to also add the VPN network’s own range to the allowed networks for things to work as expected. That updated line is:

AllowedIPs = 10.6.0.0/24, 192.168.1.0/24

I’m not going to re-edit the images as I am no longer using this as my VPN solution. I only wanted to leave this note here for those following my tutorial so that they don’t become stuck.
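As an added example (not from the post or from PiVPN), here is a shell helper that rewrites a full-tunnel client config into the split-tunnel form described in the note above. It derives the VPN range from the client’s own Address line (assumed to be a /24, matching the 10.6.0.0/24 above) rather than hard-coding it, and the config and keys are constructed placeholders:

```shell
#!/bin/sh
# Constructed WireGuard client config in the layout PiVPN writes; the keys
# are placeholders, not real key material.
FULL_CONF='[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
PresharedKey = <PRESHARED_KEY_PLACEHOLDER>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::0/0'

# split_tunnel HOME_SUBNET < full.conf > split.conf
# Replaces the [Peer] AllowedIPs with the VPN range plus the home LAN.
# AllowedIPs doubles as the tunnel routing table, so the VPN range itself
# must be listed or the Pi-hole at 10.6.0.1 (the DNS line) is unreachable;
# that is the problem the note above describes.
split_tunnel() {
  awk -v home="$1" '
  # "Address = 10.6.0.2/24" -> "10.6.0.0/24" (assumes a /24, PiVPN default)
  /^Address *=/ {
    split($3, a, "/"); split(a[1], o, ".")
    vpn = o[1] "." o[2] "." o[3] ".0/" a[2]
  }
  /^AllowedIPs *=/ {
    if (vpn == "") { print "no Address line before AllowedIPs" > "/dev/stderr"; exit 1 }
    print "AllowedIPs = " vpn ", " home; next
  }
  { print }'
}

printf '%s\n' "$FULL_CONF" | split_tunnel 192.168.1.0/24
```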


The updated configs can be copied to your home config directory if you choose. This makes it easier if you are going to manually transfer a config file to a device, but I usually don’t, and just use the QR code mentioned in the next article.

To copy or back up your configuration files, use the following commands:

cp /etc/wireguard/configs/P-W-W-F.conf /home/pi/configs/P-W-W-F.conf
cp /etc/wireguard/configs/P-W-W-F-split.conf /home/pi/configs/P-W-W-F-split.conf


Next Article in this series: Part 6: Setup PiVPN Endpoint Device

7 April 2020

Home VPN with a Raspberry Pi

VPN stands for virtual private network. What that means is that when you connect to a VPN, you are essentially creating a secure, encrypted tunnel from your device to the network on the other side. A VPN prevents “snooping eyes” from seeing the actual network traffic that crosses the wire, meaning that only you and the other end know what you are doing. That traffic will be visible at the other end as it comes out there, but that is a network you “trust”, and the traffic is protected as it traverses the Internet.

You’ve probably heard of VPN services before, or you might already use one. They are commonly used by workplaces so you can connect back to your office, by commercial VPN services for individuals looking to bypass geo-location filters when they are overseas to make it appear that they are in the U.S., and by users attempting to anonymize their internet traffic. Those are all great examples of VPNs. But those are not what I am going to cover….

So what about if you want to access resources you have at home while you are away? (i.e. – printers, file storage or file backups, remote support of a non-tech-savvy family member)

Or what if you want to use the Pi-Hole adblocker you set up at home while you’re at school/work/traveling?

This is the type of “home VPN” that I am talking about. This “home VPN” will keep your browsing secure while you are hopping onto free WiFi hotspots all across town, but it will not anonymize your traffic at all. All of your traffic is [securely] going to go through your VPN and it will be as if you are surfing the Internet from home. So don’t think that just because you set up a VPN on your Raspberry Pi at home you can blindly surf the Internet and download illegal torrents without consequence, because you’d be wrong. You will, however, be able to connect back home and retrieve those files you forgot to put on your thumb drive before walking out the door.

The magic that will make it happen is called PiVPN. It’s a small piece of software that can be installed on a Raspberry Pi with a single line of code, and can be configured, ready to go, in less time than it takes to watch a sitcom episode on Netflix.

Follow the articles below to get setup.