5 April 2020

Setup PiVPN Endpoint Device



So PiVPN is set up. We’ve added the user/client into PiVPN. Now we need to set up the endpoint so they can connect back to PiVPN.

When we set up PiVPN we had to make a choice. We had to choose whether we wanted to use WireGuard or OpenVPN for the “magic” behind our VPN. In my article, we set up PiVPN using WireGuard, which was the PiVPN default.

So… we are going to want to download and install the WireGuard client on our endpoint device(s). Go ahead and get the latest/greatest version of the WireGuard client for your Operating System directly from WireGuard.

https://www.wireguard.com/install/

I’ll go over how to add it via QR code on your mobile iOS device, as well as how to add it from a config file onto a Desktop PC.

Note: If you created both a full and split-tunnel VPN client/user, then you will need to repeat the steps below to add the second profile.


Mobile Devices

Using a mobile OS like Apple’s iOS or Google’s Android, or another system that can read a QR code, is probably going to be the easiest way to set up the endpoint device with its PiVPN configuration and encryption keys.

On the RPi, it’s possible to use PiVPN to generate a QR code for each client/device that you set up. That QR code will hold all the info that WireGuard needs on the endpoint to properly configure it. Just remember to guard that QR code and keep it safe… as it is literally the keys to your Castle/Home Network.

On the RPi, enter the following command:

pivpn -qr

PiVPN will then list the users you have created, and you can choose which user you want a QR code to be generated for.

In my example, I get the QR code for the user “P-W-W-F”

On your mobile iOS device, open the WireGuard app.
Tap “+” to add a new tunnel.
Then tap “Create from QR code”.

Your phone’s camera will open and allow you to scan the QR code.

Give the VPN connection a name when prompted. I used the name “PiVPN”.

Click “Allow” when prompted to allow WireGuard to “Add VPN Configurations” to your device.

It will then proceed to auto-magically set everything up for you.
You’ll have a simple toggle available in the WireGuard app that you can use to enable/disable your VPN.


Desktop Devices

Setting up the WireGuard app on a desktop is not hard, but it’s not as easy as simply scanning a QR code. PiVPN will automatically generate a file that will contain the configuration and encryption keys for each user/client, as you create each of your users/clients. We just have to copy that file from the RPi on to our desktop.

When we created the user/client in PiVPN, it generated a file named “User/Client.conf” and placed it in the RPi user’s home folder.

In my example below, when I created the user “P-W-W-F” it generated the file “P-W-W-F.conf” and placed it in the folder “/home/pi/configs”.

From your Desktop, open WinSCP, and connect to your RPi.
On the RPi side, navigate to the folder that was listed when you created your user/client in PiVPN.
Copy that “User/Client.conf” file over to your desktop.

On your Desktop, open the WireGuard app.
Click on the button to “Import tunnel(s) from file”.

Browse to the file you copied off of your RPi, and click ‘Open’.
It will load all of your settings. Click the ‘Activate’ button to turn on your VPN.

Your PiVPN VPN using WireGuard is now active. You are now connected to it and can access all of your resources safely and securely.
To disconnect, just click the “Deactivate” button.
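
The “User/Client.conf” file copied above carries the client’s private key, so it needs the same care as the QR code. The following is an added example, not part of the original article or of PiVPN: shell functions that check a client config is readable only by its owner and report whether it is a full or split tunnel. The sample config, its placeholder keys and the endpoint vpn.example.com are constructed for illustration, and `stat -c` assumes GNU coreutils as found on the RPi.

```bash
#!/usr/bin/env bash
# Added example: audit a WireGuard client config before handing it to a device.

# Write a constructed sample config ($1 = path, $2 = AllowedIPs value).
# Keys and endpoint are placeholders, not real values.
write_sample_conf() {
    cat > "$1" <<EOF
[Interface]
PrivateKey = CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
Address = 10.6.0.2/24
DNS = 192.168.1.254

[Peer]
PublicKey = CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
Endpoint = vpn.example.com:51820
AllowedIPs = $2
EOF
}

# Print "full", "split" or "unknown" for a client config.
# AllowedIPs decides which traffic enters the tunnel; a default route
# (0.0.0.0/0 or ::/0) means everything does.
tunnel_type() {
    awk -F'=' '
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            n = split($2, nets, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", nets[i])
                if (nets[i] == "0.0.0.0/0" || nets[i] == "::/0" || nets[i] == "::0/0")
                    full = 1
                seen = 1
            }
        }
        END {
            if (!seen) print "unknown"
            else if (full) print "full"
            else print "split"
        }
    ' "$1"
}

# Succeed only if group and others have no permissions on the file.
is_private() {
    local mode
    mode="$(stat -c '%a' "$1")" || return 2
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the config looks safe to store, 1 if it is too widely
# readable, 2 if it is missing or is not a client config at all.
audit_client_conf() {
    local conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf" || {
        echo "no PrivateKey line in $conf" >&2
        return 2
    }
    echo "$(basename "$conf"): $(tunnel_type "$conf") tunnel"
    if ! is_private "$conf"; then
        echo "WARNING: $conf is readable by other users; run: chmod 600 $conf" >&2
        return 1
    fi
}

# When given file names on the command line, audit each of them.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        audit_client_conf "$f"
    done
fi
```

Run it against the folder PiVPN reported, for example with `/home/pi/configs/*.conf` as arguments, and delete any extra copies of the file once the tunnel has been imported.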


Next Article in this series: Remove PiVPN user/client

5 April 2020

Installing Pi-Hole



Installing Pi-Hole is really simple. In fact it only takes entering one line to set up.

curl -sSL https://install.pi-hole.net | bash

Running the above command pipes the output of curl straight into bash, so the RPi will automatically download and run the Pi-Hole installer.

A cautionary note about piping curl to bash – Basically, be sure you trust the source, because you’re essentially letting them run whatever they want on your device!
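
One way to act on that caution, as an added example rather than anything from the Pi-Hole project: save the installer to a file, read it, record its SHA-256, and run it only while the hash still matches what you reviewed. The file name basic-install.sh and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: download, review and pin the installer instead of piping
# curl into bash. Only INSTALLER_URL comes from the article.
INSTALLER_URL="https://install.pi-hole.net"

# Save the installer to the path in $1. -f makes curl fail on HTTP errors,
# so an error page is never saved as if it were the script, and --proto
# refuses a redirect to anything other than HTTPS.
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$1" "$INSTALLER_URL"
}

# Print the SHA-256 of a file. Record this value after reading the script.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# run_if_reviewed SCRIPT EXPECTED_SHA256 [RUNNER...]
# Runs SCRIPT only if its hash equals the one recorded at review time.
# RUNNER defaults to "bash"; pass "sudo bash" to run it as root.
# Returns 2 if the file is missing and 1 if it changed since review.
run_if_reviewed() {
    local script="$1" expected="$2" actual
    [ -f "$script" ] || { echo "missing: $script" >&2; return 2; }
    actual="$(file_sha256 "$script")"
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $script; review it again before running" >&2
        return 1
    fi
    shift 2
    [ "$#" -gt 0 ] || set -- bash
    "$@" "$script"
}

# Typical use on the RPi (not executed here):
#   fetch_installer basic-install.sh
#   less basic-install.sh                        # read what it will do
#   reviewed="$(file_sha256 basic-install.sh)"   # pin what you just read
#   run_if_reviewed basic-install.sh "$reviewed" sudo bash
```

Keeping the file on disk also means the same reviewed copy can be reused on a second RPi instead of fetching a possibly different script again.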

You’ll see it start to load

Then you’ll have a few informational screens to click “Ok” through.

Note: Consider donating to Pi-Hole to keep the Pi-Hole project going – https://pi-hole.net/donate/


On this screen you choose the upstream DNS provider we want to use.
I’m going with Cisco’s OpenDNS, but you can choose whichever you want.

Any of them are better than using your default ISP’s DNS. Regardless of what anyone tells you, none of them on this list are really that much better than any other. Yes, they each have a few different features that you’ll need to look into. But, let me be truthful with you, whichever one you do decide to choose it really just boils down to your personal preference. And… the best part is that you can easily change it anytime you want to use a different upstream DNS provider in the admin console, post-install.

Come back and revisit this after you’ve gotten Pi-Hole up and running:
When you are ready to dive deeper down into the DNS hole, take a look at Steve Gibson’s DNS benchmark. Apparently one of the biggest considerations to take into account when choosing “the best” DNS is speed, and that is a metric which IS totally location dependent. He has an interesting tool that can help you run benchmarks against multiple DNS providers to see who is “the best” for you.

Select the block lists you want to use.
I’m just leaving it default with all of the lists selected. These can all be changed (enabled/disabled) later in the web admin interface.

Select which protocols (IPv4 and/or IPv6) that you wish to block ads on.
I’m leaving them both selected, which is the default selection. These values can be changed later.

The next screen shows the RPi’s current IP address.
Mine is currently using a DHCP IP address, but we want to set it to a static address. So I am going to click “No” here.

This screen is where the desired static IP address and subnet mask (in CIDR format) get set.
Your network will likely be different than mine, I’m setting mine to use the IP address 192.168.1.254.
As for the subnet mask, in most scenarios you can just use “/24”. That is CIDR shorthand for 255.255.255.0 and is basically saying that this subnet has 256 addresses in it; 192.168.1.0 to 192.168.1.255.

On this screen we enter the gateway.
This will most likely be your router’s IP address.
Mine is 192.168.1.1.

This screen shows us our updated settings.
Click “Yes” to accept the values you have entered.

Yes, we wish to install the web admin interface.

Yes, we wish for the web server to be installed and enabled.

Yes, we wish to log queries.

I want to see EVERYTHING!
You can change this to what you prefer. These will be the statistics you can see on the web admin interface. This value can get changed later from the web admin interface.
More info about this at: https://docs.pi-hole.net/ftldns/privacylevels

Pi-Hole will finish applying all of the settings it’s collected…

And then you are done. You did it!

The last screen of the Pi-Hole setup will show you the IP address and the URL for the web admin interface, as well as the admin password.

Press “Enter” to exit the installer and return to the command line.


Make your Pi-Hole the DNS of your network

Log into your router.

Navigate to its settings and clear any values that are currently set as its DNS.

Now enter the IP address of your Pi-Hole.

That’s it. Your network is now using Pi-Hole for all of its DNS queries.


Viewing your Network DNS Queries

Open a web browser and go to either the IP address of your RPi, or enter “pi.hole” as the URL.
In my example, I am going to enter either “192.168.1.254/admin” or “pi.hole/admin”.

That will load the Pi-Hole Web Admin Interface. Go ahead and click that login button. You’ll get even more details about what devices are doing on your network.

Pi-Hole does have some more advanced features available in it that can allow it to act as your network’s DHCP server, on top of already serving up DNS. However, I’ll save that for another time… For now, just sit back and enjoy fewer ads.


If you happened upon this post by following my series about PiVPN, then click the following link to go to the next step: Part 3: Installing PiVPN

5 April 2020

Enabling SSH on Raspberry Pi

Raspbian ships with the SSH server disabled by default, which is an excellent security baseline. However, if you want to be able to remotely connect to your RPi, you’re going to need to enable it. Thankfully, it can be manually enabled from the desktop very easily.

Note: When enabling SSH on a Pi, or any device, you should change its default password to ensure that it remains secure. Especially if you are connecting that device to the internet.

These instructions are straight from the RPi documentation (which can be found here).

Launch “Raspberry Pi Configuration” from the “Preferences” menu
Navigate to the “Interfaces” tab
Select “Enabled” next to “SSH”
Click “Ok”

Alternatively, raspi-config can be used in the terminal:

Enter “sudo raspi-config” in a terminal window
Select “Interfacing Options”
Navigate to and select “SSH”
Choose “Yes”
Select “Ok”
Choose “Finish”

Alternatively, use systemctl to start the service

sudo systemctl enable ssh
sudo systemctl start ssh

The one special use case regarding enabling SSH that is not covered above is running your RPi “headless”, which simply means that you are using the RPi without a display plugged into it.

For headless setup, SSH can be enabled by placing a file named “ssh”, without any extension, onto the boot partition of the SD card from another computer. When the Pi boots, it looks for the “ssh” file. If it is found, SSH is enabled and the file is deleted. The content of the file does not matter; it could contain text, or nothing at all.

If you have loaded Raspbian onto a blank SD card, you will have two partitions. The first one, which is the smaller one, is the boot partition. Place the file into this one.


Now you can use your favorite SSH tool to console into your Raspberry Pi device remotely.

I mostly work on Windows machines, and my go-to SSH tool is called “PuTTY”. However, there are LOTS of different SSH programs out there.
So… do some googling, try a few, and use whichever one you like best.


Going headless? See my article on setting up WiFi on a headless RPi


If you happened upon this post by following either of my series about Pi-Hole or PiVPN, then click the following link to go to the next step: Part 2: Installing Pi-Hole

4 April 2020

Run Application as Different User

Windows makes it incredibly easy to run an application or script as another user on your computer. I find that I most often use this to run administrative or domain tools, when I’m logged in as just a normal user.

Method 1

This is the easiest method. While it took me a little while to remember it, I now use it almost daily and without even thinking about it.

Press and hold down the ‘Shift’ key on your keyboard, while you right-click on the program you want to launch.

This will only work on executable (EXE) files or shortcuts to executable files. If you try this and don’t see the option, then it is not an executable file.

Method 2

This method will create a shortcut that “knows” to launch an application as another user.

Create a shortcut to your executable

Right-click on the shortcut and modify the “Target” to:

runas /user:DOMAIN\USERNAME "path to executable"

Click ‘OK’. Then launch your shortcut. You will get prompted for your password every time you launch your shortcut.

If you need to store the password with your shortcut, then modify the “Target” to this instead:

runas /savecred /user:DOMAIN\USERNAME "path to executable"

Click ‘OK’. Then right-click and select “Run as Administrator” the first time you use the shortcut. You will be prompted for the user password and it will get saved. From then on, just clicking the shortcut will launch it as your desired user.

Method 2.5

Alright this is basically the same method as above, so I didn’t feel right calling it a third method.

You can take the same trick from “Method 2” and just use it to run an application from a command prompt window.

C:\> runas /user:DOMAIN\USERNAME "path to executable"

3 April 2020

Pull Certificate from Digitally Signed Application

Most companies will use a certificate to sign their applications before they release their software to the world. This helps the user know that the software they are running actually came from the software vendor, and hasn’t been altered or changed by someone.

Certificates are based on key pairs. There is a public key, and a private key. In terms of digitally signing an application, the public key is often just referred to as the Certificate.

How it works, in simplified terms: the software vendor holds a private key, and they guard it, keeping it safe in their organization. You can also think of it as their fingerprint, since it is unique to them and is what they use when signing something. The public key is what we can see. Using the hash in the digitally signed application, we can use their public key to see if the hash value can be verified. If it checks out, then we know that the digital signature is valid. If it doesn’t, well then we know the signature has been altered.

I’ll show you below how you can pull the public half of the Certificate from an application. In this example we’ll pull Adobe’s certificate from Adobe Reader DC.


Right click on the application you want the signature of and select “Properties”

Click the “Digital Signature” tab, select the signature, then click the “Details” button.

Note: If you do not see the “Digital Signature” tab, then the file is not digitally signed.

Click the “View Certificate” button.


Click the “Details” tab and then select the “Copy to File” button.

Follow the “Certificate Export Wizard”.

After completing the export wizard, you’ll have the digital signature certificate of the digitally signed application.


Here’s an article I wrote that includes how to set a software restriction GPO policy using a certificate rule.

1 April 2020

Software Restriction by GPO

Using GPOs is a great way to allow or block programs from running on your corporate network. Just be careful and limit yourself to only blocking the applications which you actually have a need to block. Don’t go too crazy locking down programs.

Microsoft first made the introduction of “Software Restriction Policies” in Windows Server 2008 and they’ve continued to evolve. Today I will show you four ways which Microsoft allows us to restrict programs from running.

  1. File Path / File Name Rule
  2. Network Zone Rule
  3. Hash Rule
  4. Certificate Rule

To begin, fire up the Group Policy Management Editor. Click on the start menu and type “gpmc.msc”. If you are on a Domain Controller it should work. If you’re on a workstation you’ll likely have to run Server Manager as a Domain Admin (or other user with the correct administrative privileges) and choose “Group Policy Management” from the ‘Tools’ dropdown.

Once it’s open, scroll down to the folder “Group Policy Objects” and right-click on it to create a “New” policy object. Give it an appropriate name, something like “Software Restrictions – Test”. Now find and right-click on your new policy and select “Edit…”.

The software restriction policy exists under both “Computer Configuration” and “User Configuration”. So depending on your needs, you can lock down either the user or the computer. 

Drill down into the policy… “Policies” -> “Windows Settings” -> “Security Settings” -> “Software Restriction Policies”.

Right-click on “Software Restriction Policies” and click “New Software Restriction Policies”

Select and open the “Additional Rules” folder.

Right-click under the two pre-existing default entries, and then from that drop-down menu select the type of rule you want to create. I’ll expand on the four methods below…

There are three security levels used in all of these rules:

  1. DISALLOWED: Software will not run, regardless of the access rights of the user.
  2. BASIC USER: Allows programs to run only as standard user.  Removes the ability to “Run as Administrator”.
  3. UNRESTRICTED: No changes made by this policy – Software access rights are determined by the file access rights of the user.

My examples below all show how to block software with ‘disallowed’ rules. But just remember that you can just as easily allow software by using ‘basic user’ and ‘unrestricted’ rules. Use them wisely!

1. Block by File Path / File Name Rule

In this example I will show you how to lock down the computer from running WordPad.

Select “New Path Rule”.

Type, or use the “Browse…” button, to enter the file path or file name you wish to block. Make sure that the ‘Security level’ is set to “Disallowed”. Then click ‘OK’.

Note: System variables will all function in the rule, variables such as %windir%, %ProgramFiles(x86)%, %AppData%, %userprofile%, and others.

It is important to note that many applications can be launched in more than one way, and from more than one location. So you may have to block multiple executables to fully block the application. Keep that in mind in case you start banging your head as to why some block rule doesn’t seem to be working.

Also be careful using just the file name itself to try to block a program from running. If you were to block just the file name ‘update.exe’ for example, hundreds of applications all ship with an ‘update’ executable and they would all be hindered and unable to run.

My rule of thumb is to always use the full path unless it’s truly a unique file name, and even then I still prefer to use the full path.

2. Block by Network Zone Rule

Select “New Network Rule”.

Select the Network zone you want to block. Make sure that the ‘Security level’ is set to “Disallowed”. Then click ‘OK’.

These rules allow you to block programs if they come from sites you’ve designated into a zone, like your Restricted sites. Or in the case that you were to be creating an allow rule, your local Intranet. While this option exists, it seems unlikely to me that most SMBs ever use it.

3. Block by Hash Rule

In this example I will show you how to lock down the computer from running WordPad.

Select “New Hash Rule”.

Use the “Browse…” button to navigate to the file which you are wanting to block. Select the file and click ‘Open’. It will automatically pull the needed file information and the “hash” it needs from the file you selected. Make sure that the ‘Security level’ is set to “Disallowed”. Then click ‘OK’.

The only problem this method has is that file hashes change any time there is ANY change to the file. It doesn’t matter how small of a change is made, it will always create a new hash. That means that hash rules are best applied to older software that you are trying to kill, and not for programs that get updated often.

4. Block by Certificate Rule

In this example we will be blocking applications signed by Adobe Inc.

Select “New Certificate Rule”.

Use the “Browse…” button to navigate to the certificate file which you are wanting to use to block signed software. Select the file and click ‘Open’. Make sure that the ‘Security level’ is set to “Disallowed”. Then click ‘OK’.

Certificate rules are by far one of the most secure rules, as they rely on certificates from trusted publishers. Because of this, they require more work on the PC’s part as it goes out and tries to verify the validity of the certificate, so they may significantly affect performance. I can’t tell you how much of an impact they’ll create, but it’s enough that MS warns us. Also, if the certificate ever expires, you’ll need to create a new rule.

Here is how you can pull a certificate from a digitally signed application.

30 March 2020

Fix Quick Access Links in Windows

The Quick Access links are a feature in Windows that gives the user an easy way to access the folders which they use frequently by pinning them to the top of the left pane in ‘File Explorer’. Sometimes the file that stores the pinned items can get corrupted, and you lose access to the Quick Access pinned items. Here are a few ways to fix it.

Method 1

We can reset the Quick Access Recent Items. This method will only apply to “stuck” recent folders, and won’t affect your pinned folders.

Right click on the Quick Access star icon and then click on ‘Options’.

Click the ‘Clear’ button under ‘Privacy’.

All of your Recent folders will be cleared from the Quick Access list.

Method 2

This method will reset and clear the Quick access shortcuts. But in my opinion this is the better way to fix it, as you can always re-pin your shortcuts.

Open File Explorer and copy/paste the following folder location:

%AppData%\Microsoft\Windows\Recent\AutomaticDestinations

Look for and then delete this file from the folder:

f01b4d95cf55d32a.automaticDestinations-ms

Or you can open a ‘Run’ dialog (Windows key + R) and copy/paste the following command into it to delete the file.

cmd.exe /c del "%AppData%\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms"

This method will remove and clear any custom pinned items and frequent items from the Quick Access list. Windows will automatically regenerate the “f01b4d95cf55d32a.automaticDestinations-ms” file the next time that you launch File Explorer and will list the default Quick Access links, which you can expand upon.

26 March 2020

Folding@Home


The corona virus and COVID-19 are at the top of everyone’s mind right now. The whole world is trying to deal with this pandemic. States are issuing stay-at-home orders and just about every company is trying to figure out how to allow their staff to work from home. The least that a tech nerd like me can do is contribute a few clock cycles towards the research that will hopefully help to bring about an end to all this madness.

Folding@Home (F@H) is a project focused on disease research through distributed computing power. They get folks like you and me to share our otherwise unused computer power (when our PCs sit idle) to solve calculations that help them get answers to their medical questions about proteins and disease. The more people that set up the Folding@Home client in their Home-Labs or on spare laptops/PCs lying around their house to contribute towards their project, the bigger the distributed supercomputer we create. How cool is that!

Before the global COVID-19 outbreak F@H had roughly 30,000 users globally that contributed their spare compute power. In the past couple weeks, that number has surged. They have over 400,000 users that are now contributing and that number keeps growing daily. The F@H project is now at over 470 PetaFLOPs (FLOPs = floating point operations per second) of raw compute power. That makes it over twice as fast as the fastest supercomputer in the world (2019). Not only that, but it is faster than the top seven supercomputers combined. Combined! That’s equivalent to the horsepower of 27,433,824 CPU/GPU cores. I can’t even fathom that. They are predicting that F@H will soon reach exaFLOP levels. That’s a billion billion operations per second. Totally crazy!


Here are a couple links to news articles about the recent explosion in growth around the Folding@Home project:
https://www.forbes.com/sites/jasonevangelho/2020/03/24/the-new-supercomputer-researching-coronavirus-is-powered-by-400000-ordinary-pc-users/

https://techcrunch.com/2020/03/26/coronavirus-pushes-foldinghomes-crowdsourced-molecular-science-to-exaflop-levels/


While F@H’s 1,200%+ increase in contributors and the associated surge in demand has temporarily led to a shortage of work units, the F@H team is working to expand and increase their capacity to serve units. In F@H terms, work units are the smaller bits of a larger workload, and are what is actually sent to each user.

It takes just minutes to set up. They have clients for Windows, Mac, and Linux, as well as support for both CPUs and GPUs. Once it is set up, it’s effortless on your part and just runs in the background.

Now that you are ready to contribute, the first step is to create a passkey. The passkey will identify you and will allow FAH to assign you work units. To create your passkey, use the link below.

https://apps.foldingathome.org/getpasskey

Just to let you know, when I signed up this week, it took a few hours for me to receive my passkey from F@H. So don’t get upset if you don’t hear from them immediately after clicking “Get Passkey”.

Once you have your Passkey, follow one of my posts (coming soon!) below to install and deploy the Folding@Home client on your system.

26 March 2020

Howto: Folding@Home – VMware Fling


VMware is doing their part to help make it easy for folks to contribute to the Folding@Home (F@H) project. They have packaged together an appliance as an OVA file on VMware Flings that you can deploy on any of their virtualization products either on your hardware or in a cloud, using Workstation or Fusion, or ESXi hosts. That means that with just a few clicks you can download and deploy a VM running on the super light-weight PhotonOS that has the F@H client pre-installed and is ready-to-go.

You might be asking why this is so great, I mean the client isn’t exactly difficult to set up on other operating systems. Well, you are correct. This fling is geared towards VMware virtualization enthusiasts and professionals that already have homelabs or datacenters, with idle compute power they want to contribute. By using those idle resources and dedicating a VM appliance towards contributing, it basically becomes a set-it-and-forget-it deal that will always be chugging along in the background.

If you are new to virtualization, then deploying this appliance can serve as a great way to learn about flings, appliances, and deploying a VM in general while contributing to a cause.

Note: If you intend to deploy this in your company’s data center, or on your work pc/laptop, you should make sure to have permission from the appropriate people in your organization before deploying, just to cover your ass.

Step 1: Create your Passkey

If you don’t already have a username and passkey, then the first thing you’ll need to do is create your user and get your passkey. You’ll use this later as you deploy the appliance. If you already have yours, then proceed to the next step.

https://apps.foldingathome.org/getpasskey

Just to let you know, when I signed up earlier this week, it took a few hours for me to receive my passkey from F@H. So don’t get upset if you don’t hear from them immediately after clicking “Get Passkey”.

Step 2: Download the Fling

The first thing we need to do is download the OVA from the VMware Flings website.
https://flings.vmware.com/vmware-appliance-for-folding-home

Step 3: Deploy

Workstation

1. Double-click on the OVA file you downloaded to launch VMware Workstation. It will present you a wizard to “Import Virtual Machine”.
Enter a name and file path for your F@H appliance, then click ‘Next’.

2. Now to work down the options from the left pane…

-Enter a hostname
-Enter an IP address (leave blank if DHCP)
-Gateway
-DNS

-Enter password for the appliance; VMware1!
*This is the root password for the appliance

-Enter your F@H username
-Enter your F@H team (Leave as 52737 to contribute as part of VMware’s team)
-Enter your Passkey
-GPU (If using a GPU change to TRUE, if you are using a virtual machine with a GPU, this must be in passthrough mode)
-Enter F@H management networks info (can probably leave alone)
-F@H password defaults to the OS password (VMware1!)

Then click ‘Import’.

Go ahead and use my F@H username & passkey if you really want to fold as me… It just means my F@H user will get credit for any folding you do.

3. Once the import is complete, it should automatically power on. Go ahead and power it off. The first thing I recommend to do is upgrade the VM.

Click on “Upgrade this virtual machine” and follow the wizard to upgrade it to the highest version that is compatible in your environment. For me, it is Workstation 14.x.

Because this is an OVA file and so easy to re-deploy if I screw something up, I choose to just alter the VM, and not make a clone.

4. Next step is to edit the VM and add more CPUs, if desired. Click on “Edit virtual machine settings”.

Click on ‘Processors’. From the “Number of processors” dropdown you can choose how many processors you want to dedicate to this appliance. Then click ‘Ok’.

5. Go ahead and power on your F@H appliance.

ESXi / vCenter

1. In vCenter or on your ESXi host, right click on your Datacenter/Cluster/Host and select “Deploy OVF Template”.

2. Select the OVA file you downloaded earlier, and click ‘Next’.

3. Give your VM appliance a name, and click ‘Next’.

4. Walk through the rest of the wizard. Choose the compute resource you wish to deploy it on to. Review the details. Select your storage. Select your network.

5. Customize the F@H template setting for your environment.
-Hostname
-IP address
-Gateway
-DNS
-OS ‘root’ password
-F@H username
-F@H passkey
-GPU
-F@H remote management password

Then click ‘Next’ and ‘Finish’ to deploy your new appliance.

6. Once deployed, make sure the vm is powered off. Right click on the vm and select “Edit Settings…”. Select CPU and from the dropdown adjust the CPU to the desired number you wish to dedicate to your appliance, and click ‘Ok’.

7. Power on your F@H vm and you are ready to start contributing.

Step 4: Troubleshooting

Once your appliance is up and running, there are a few commands that you will find helpful.

Start and Stop
/etc/init.d/FAHClient start
/etc/init.d/FAHClient stop

Restart
/etc/init.d/FAHClient restart

Status
/etc/init.d/FAHClient status

Check the Logs
/etc/init.d/FAHClient log -v

Check CPU stats
top

With the huge growth of contributors to F@H, getting work units has become more difficult. If you check your logs and see messages similar to what is in my screenshot below, then your appliance IS working, it is just waiting for work.

Leave it running and you’ll eventually see it start chugging along when it gets a work unit.

On the F@H fling website you can also find two PDFs, one about deployment and another with FAQs. Give those a look if you run into any other issues.