After posting my article on Reddit about setting up Pi-Hole and PiVPN, I learned about ZRAM from fellow redditor u/Bubbagump210. I’m basing this article on his post.
ZRAM creates compressed block devices in RAM, and those devices can be used as swap. That is what we will set up below: a swap device backed by ZRAM. When the kernel comes under memory pressure it moves pages out of regular RAM into the ZRAM swap, which is also RAM, just compressed. On a Raspberry Pi that matters because the alternative is swapping to the SD card, which is slow and wears the card out.
Open a terminal window or SSH into your RPi.
Make sure your RPi is up-to-date with the following commands:
sudo apt-get update
sudo apt-get upgrade
Install zram-tools (the package that sets up the ZRAM swap device for you) with the following command, and type ‘Y’ to proceed.
sudo apt install zram-tools
By default, this package creates a 256MB swap device. If you want to bump that up a bit, you will need to edit /etc/default/zramswap. Open the file with the following command.
sudo nano /etc/default/zramswap
We will need to add the ‘ALLOCATION’ variable, which is the size in MiB. To increase your swap device to 512MB, add the following line.
ALLOCATION=512
Press “Ctrl-X” to exit the editor, “Y” to confirm you want to save your changes, then “Enter” to save it.
Run the following two commands to enable ZRAM at boot and restart it so the new size takes effect (the service unit installed by zram-tools is named zramswap):
sudo systemctl enable zramswap
sudo systemctl restart zramswap
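A check worth running once the service is up, added here as an example (it is not part of the original post or of zram-tools): Raspbian also ships a file-backed swap at /var/swap via dphys-swapfile, and the kernel fills whichever swap has the higher priority first, so it pays to confirm the zram device is both present at the size you set and ranked above the SD card file. The script parses /proc/swaps; the sample text, sizes and priority numbers below are constructed for the example.

```python
# Constructed example of /proc/swaps as it might look on a Raspbian system that still
# has the stock dphys-swapfile file swap (/var/swap) alongside the zram device set up
# above. Sizes in /proc/swaps are in KiB. The priority numbers are assumptions for
# this example, not values copied from any particular system.
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/var/swap                               file\t\t102396\t0\t-2
/dev/zram0                              partition\t524288\t1024\t100
"""


def parse_proc_swaps(text):
    """Parse /proc/swaps into dicts with name, type, size/used (KiB) and priority."""
    rows = []
    for line in text.splitlines()[1:]:          # first row is the column header
        parts = line.split()
        if len(parts) != 5:
            continue
        name, kind, size, used, prio = parts
        rows.append({"name": name, "type": kind, "size_kib": int(size),
                     "used_kib": int(used), "priority": int(prio)})
    return rows


def zram_swap_mib(rows):
    """Total size of all zram-backed swap devices in MiB (0 if none is active)."""
    return sum(r["size_kib"] for r in rows if r["name"].startswith("/dev/zram")) // 1024


def zram_is_preferred(rows):
    """True if a zram device is active and outranks every non-zram swap.

    The kernel allocates from the highest-priority swap first, so if the SD-card
    file ranks higher the compressed RAM swap sits idle while the card takes the writes.
    """
    zram = [r for r in rows if r["name"].startswith("/dev/zram")]
    others = [r for r in rows if not r["name"].startswith("/dev/zram")]
    if not zram:
        return False
    return all(z["priority"] > o["priority"] for z in zram for o in others)


def check_live():
    """Read the real /proc/swaps on the Pi and return (zram MiB, zram preferred)."""
    with open("/proc/swaps") as f:
        rows = parse_proc_swaps(f.read())
    return zram_swap_mib(rows), zram_is_preferred(rows)


if __name__ == "__main__":
    rows = parse_proc_swaps(SAMPLE_PROC_SWAPS)
    print(f"zram swap: {zram_swap_mib(rows)} MiB, preferred over other swap: {zram_is_preferred(rows)}")
```

Run it on the Pi and call check_live() instead of using the sample; if it reports the zram device as not preferred, raise its priority in /etc/default/zramswap or disable the dphys-swapfile service so the SD card is not the first place the kernel swaps to.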
Fail2Ban is an amazing piece of software when it comes to protecting your RPi, even more so if your RPi is exposed to, or publicly accessible on, the Internet. Fail2Ban continually monitors your system’s log files, watches for patterns such as repeated failed logins from the same address, and blocks the offending address at the firewall.
That makes Fail2Ban an active, almost real-time form of defense. Think of it as a “poor man’s” Intrusion Prevention System (IPS). When a log pattern its filters know about shows up, like multiple failed login attempts within a short window, it automatically adds a firewall rule to ban that IP address for a set amount of time.
While it’s not a true IPS, it comes close enough and is very helpful for the average person. I would not advise using it as the front line, or rather the only, defense within a company, but it will likely suffice for home use. That is not to say that companies should not or could not use it; I only want to be clear that in a company environment it should be one layer of multiple defenses.
So now that we know what Fail2Ban is, let’s get started setting it up.
While Fail2Ban is recommended if you have SSH exposed to the Internet, it is not strictly needed if you only reach the RPi through a VPN. It won’t hurt to have it installed… but if you have a secure VPN set up, you don’t (and shouldn’t) need to have SSH exposed to the Internet at all. See my article about setting up PiVPN.
Let’s begin by updating your RPi with the following commands.
sudo apt update
sudo apt upgrade
Now that your RPi is updated, let’s get on with the software install. Run the following command to install Fail2Ban, and press ‘Y’ to proceed.
sudo apt-get install fail2ban
Fail2Ban’s configuration has changed a fair bit since version 0.9.x. The main thing to know is that /etc/fail2ban/jail.conf holds the packaged defaults and gets overwritten on upgrade; your own settings belong in jail.local, which is read after it and overrides it.
So we want to create a “jail.local” file with the following command and edit it.
sudo nano /etc/fail2ban/jail.local
Copy and paste the settings below into it. The first block is the [DEFAULT] section, which applies to every jail; the second block turns on the sshd jail.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 192.168.1.0/24

# Ban hosts for two days:
bantime = 172800

# Ban with iptables (Raspbian has no firewalld, so there is nothing in
# /etc/fail2ban/jail.d/00-firewalld.conf to override here; this is the default):
banaction = iptables-multiport

[sshd]
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = 172800
maxretry = 3
findtime = 600
logpath = %(sshd_log)s
backend = %(sshd_backend)s
ignoreip: This option lists addresses and ranges that Fail2Ban will never ban. You will want to ignore events triggered on the device itself, and perhaps more trusted networks like your home LAN or your office’s IP address. Keep in mind that anything listed here is exempt for good, so a compromised device on your LAN could hammer SSH without ever being banned. Example: ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
bantime: This option defines how long, in seconds, an IP address stays banned. The default is 10 minutes (600); the config above uses 172800, which is two days.
maxretry: This option defines the number of failures a host is allowed within ‘findtime’ before it is banned.
findtime: This option is the window, in seconds, that ‘maxretry’ is counted over. If a host racks up ‘maxretry’ failures within ‘findtime’ seconds it is banned for ‘bantime’ seconds. With the values above, three failures within ten minutes earn a two-day ban.
Now save the file by pressing ‘Ctrl+X’, then ‘Y’, then ‘Enter’.
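To make those three numbers concrete, here is a small simulation of the sshd jail’s logic, added here as an example and not part of Fail2Ban or of the original post. It replays a handful of constructed auth.log lines through the same ignoreip, findtime, maxretry and bantime values as the jail.local above and reports who would be banned and until when. The log lines, hostnames and the year used to timestamp them are made up for the example; the IP addresses are from documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Jail settings copied from the jail.local above (times in seconds).
FINDTIME = 600
MAXRETRY = 3
BANTIME = 172800
IGNOREIP = ["127.0.0.1/8", "::1", "192.168.1.0/24"]

# One of the sshd log lines the real sshd filter keys on. Syslog timestamps carry no
# year, so ASSUMED_YEAR is made up purely to turn them into comparable seconds.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)
ASSUMED_YEAR = 2020

# Constructed sample of /var/log/auth.log (not captured from a real system).
SAMPLE_AUTH_LOG = """\
Mar 10 10:00:01 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 10:00:05 raspberrypi sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 10:00:09 raspberrypi sshd[1205]: Failed password for pi from 203.0.113.7 port 51240 ssh2
Mar 10 10:00:30 raspberrypi sshd[1207]: Failed password for pi from 203.0.113.7 port 51244 ssh2
Mar 10 10:01:00 raspberrypi sshd[1210]: Failed password for pi from 192.168.1.20 port 40000 ssh2
Mar 10 10:01:03 raspberrypi sshd[1211]: Failed password for pi from 192.168.1.20 port 40002 ssh2
Mar 10 10:01:06 raspberrypi sshd[1212]: Failed password for pi from 192.168.1.20 port 40004 ssh2
Mar 10 10:02:00 raspberrypi sshd[1220]: Failed password for pi from 198.51.100.9 port 33000 ssh2
Mar 10 10:09:00 raspberrypi sshd[1221]: Failed password for pi from 198.51.100.9 port 33002 ssh2
Mar 10 10:20:00 raspberrypi sshd[1222]: Failed password for pi from 198.51.100.9 port 33004 ssh2
Mar 10 10:21:00 raspberrypi sshd[1225]: Accepted publickey for pi from 198.51.100.9 port 33006 ssh2
"""


def to_seconds(ts):
    """Syslog 'Mon DD HH:MM:SS' -> seconds since the start of ASSUMED_YEAR."""
    dt = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(ASSUMED_YEAR, 1, 1)).total_seconds()


def is_ignored(ip):
    """True if ip falls inside any ignoreip entry (an IPv4 address never matches an IPv6 range)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)


def scan(lines):
    """Replay log lines and return {ip: ban_expiry_seconds} for every source that
    reached MAXRETRY failures inside a sliding FINDTIME window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and other noise are not failures
        ip, now = m["ip"], to_seconds(m["ts"])
        if ip in bans or is_ignored(ip):
            continue              # already banned, or exempt via ignoreip
        window = recent[ip]
        window.append(now)
        while now - window[0] > FINDTIME:   # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[ip] = now + BANTIME
    return bans


if __name__ == "__main__":
    for ip, until in scan(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"ban {ip} until +{until - to_seconds('Mar 10 10:00:00'):.0f}s")
```

In the sample, 203.0.113.7 fails three times in eight seconds and is banned; 192.168.1.20 fails just as fast but is on the ignoreip list; and 198.51.100.9 also fails three times, but spread over eighteen minutes, so at no point do three failures sit inside one ten-minute window and it is left alone. That last case is what findtime buys you: a slow, patient guesser needs a longer findtime (or a lower maxretry) to be caught.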
To restart the Fail2Ban service (and reload our config file changes):
sudo systemctl restart fail2ban
To check the Fail2Ban status:
sudo fail2ban-client status
You’ll get output similar to this.
Status
|- Number of jail:	1
`- Jail list:	sshd
To check individual jails:
sudo fail2ban-client status sshd
You’ll get output similar to this.
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:
There is even more you can do with Fail2Ban, more ‘jails’ that you can configure to keep your device (and network) safe. But you are on your own to figure it out from here… Good Luck.
So I already have Pi-Hole installed at home and it works great to block ads there. But if you’re not at home, how do you block ads? And what if you want to access resources you have at home (printers, file storage, remote support of non-tech-savvy family) while you are away? Well, the answer is PiVPN.
You’ve probably heard of VPN services before, or you might already use one. Workplaces commonly use them so employees can connect back to the office network, and individuals use them to bypass geo-location filters when overseas, making it appear that they are in the U.S.
VPN stands for virtual private network. When you connect to a VPN, you create an encrypted tunnel from your device to the network on the other end. Anyone “snooping” on the path in between (the coffee shop Wi-Fi, the mobile carrier) sees only encrypted traffic to your VPN endpoint, so only you and the other end know what you are doing. The caveat, depending on how your VPN is set up, is that your Internet traffic then leaves through the network you are VPNed into, appears to come from its public IP address, and is visible to that side’s ISP. So don’t think that just because you set up a VPN on your Raspberry Pi at home you can blindly surf the Internet and download illegal torrents without consequence, because you’d be wrong. The best use case, in my opinion, for setting up a VPN, or in our case PiVPN, is to access your files and storage when you’re not at home.
Let’s get started with setting up PiVPN. As a prerequisite, make sure that you have already installed and set up Pi-Hole.
Open a terminal window or SSH into your Raspberry Pi (RPi)
Enter the following command:
curl -L https://install.pivpn.io | bash
The above command pipes the installer script from the PiVPN site straight into bash, so the RPi downloads and runs it in one go.
A cautionary note about piping curl to bash: you are letting whoever controls that URL (or anyone who can tamper with the download) run whatever they want on your device, so be sure you trust the source. If you would rather look before you leap, download the script to a file first, read through it, and then run it with bash.
The PiVPN Automated Installer should appear. Click ‘Ok’.
The installer needs your Raspberry Pi to have a static IP address; this is a PiVPN requirement. If you’re running Pi-Hole, you should already have a static IP assigned to your device. If you don’t… go fix that now, and come back. If you already have a static IP address assigned, click ‘No’ at this screen.
A comment on the above step: even if you set a static IP on the device itself, if that IP falls inside the router’s DHCP pool, the DHCP server (the router, for most people) could still hand that address to another device. That should never happen while an always-on device is holding it, but it can if you take the RPi offline for a while or switch routers. So when picking static IP addresses, look at your network’s settings and choose addresses outside the DHCP pool’s range (or, alternatively, give the RPi a DHCP reservation tied to its MAC address). Either way prevents the scenario I just described.
The next screen shows your current network settings and confirms that you want to use it as your static address. Click ‘Yes’.
The next screen is just a warning of what could happen with an IP conflict if the RPi does not have a static IP address and is using DHCP. We’re all set though using a static IP, so click ‘Ok’.
Next we will choose the user which we’ll install PiVPN under… Click ‘Ok’.
Then choose the desired user, and click ‘Ok’ again.
We want to install WireGuard. So on this screen, select it and click ‘Ok’.
*If you need, or wish, to install OpenVPN to meet your needs, that option is available. My recommendation: if this is your first time setting up a VPN, stick with the default, WireGuard.
Wait and watch the status bar complete….
Select your default port. I am going to leave mine set to the default value “51820”. Click ‘Ok’.
Confirm the port, click ‘Yes’.
Because Pi-Hole is already installed, PiVPN detects it and offers to set it as our desired DNS, so VPN clients get the same ad blocking as devices at home. This is what we want, so click ‘Yes’.
This next screen asks how we will be connecting remotely to our PiVPN.
Most of us do not have a static “external” IP from our ISP, so we do not want to use the public IP address that is shown: the moment the ISP changes it, every client would be pointing at the wrong address.
Instead we want a Dynamic DNS (DDNS) service. A well-known example is No-IP (noip.com). You run a small client inside your network that periodically checks what your external IP is and updates the DNS record at No-IP any time it changes, so the hostname always points at your current address.
Note: This DDNS value can be changed later if your DDNS public name ever changes, though you would need to update your user/client endpoints to use the updated name.
Since we already have DDNS set up, we will be choosing “DNS Entry – Use a public DNS”. Click ‘Ok’.
Enter your DDNS public DNS name. Click ‘OK’.
Confirm your entry. Click ‘Yes’.
Generating the encryption keys is the next step. Click ‘Ok’.
We will want to acknowledge the ‘Unattended Upgrades’ page. It’s just letting us know that we should enable this feature and have the RPi automatically check for and install security updates daily. Note that it will not automatically reboot the RPi, so we’ll need to do that manually from time to time. Click ‘Ok’.
Wait and watch the status bar complete….
Click ‘Ok’. PiVPN has now been installed! Woohoo!!! We will still need to add our users/profiles before we can log in.
Click ‘Yes’ to reboot your RPi. Then ‘Ok’ again to initiate the reboot.
Now we need to log into our router and set up port forwarding: forward UDP port 51820 (or whatever port you chose above) to the RPi’s static IP address. WireGuard runs over UDP, so a TCP-only forward will not work. This is what lets traffic from the Internet reach your PiVPN; the replies back out are handled by the router’s connection tracking.
Note: If you skip this port forwarding step, you will not be able to connect remotely to your PiVPN.
Typing “pivpn” will show you all of the available options of PiVPN.
Now that PiVPN is running, it’s time to add device profiles to the VPN and grant them the permissions they need to be able to connect.
Ideally you will want to create a new client profile for each device that will be connecting remotely to your VPN. This is a best practice, and my recommendation. It gives you granular control, per device, in case you need to revoke or regenerate a device’s credentials. It’s easier to redo one device than it is to redo every device.
To add a client, type the following command.
pivpn add
Then enter a name for the client. In my example, my client is named “P-W-W-F”
Just like that you’ve added a user to your VPN!
Repeat the above steps as many times as necessary to add profiles for every device that will be connecting to your VPN.
This default setup creates a “full tunnel” client, meaning that all of the device’s traffic is routed over the tunnel to your RPi (AllowedIPs = 0.0.0.0/0 in the client’s WireGuard config). Your RPi then delivers whatever is meant for your home network and sends everything else back out of your home connection to the Internet.
The config can be copied into the configs directory under your home folder if you choose. This makes it easier if you are going to manually transfer a config file to a device.
To back up your configuration files and client profiles, use the following command:
pivpn -bk
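As an added example (not PiVPN’s or WireGuard’s own code, and not part of the original post), the script below parses a client profile of the kind pivpn add writes, turns the full-tunnel version into a split-tunnel one, and runs a couple of sanity checks tied to the steps above: that DNS points at the Pi-hole and that the Endpoint port is the one you forwarded on the router. The profile text is constructed, with dummy strings in place of real keys, a made-up DDNS name, the Pi-hole address from the Pi-Hole walkthrough, and the home subnet passed in as an argument.

```python
import ipaddress

# Constructed stand-in for the <client>.conf that `pivpn add` writes. The keys are
# dummy base64-looking strings, not real WireGuard keys; the endpoint hostname is
# made up; 10.6.0.0/24 is assumed as the VPN subnet and 192.168.1.254 as the Pi-hole.
SAMPLE_CONF = """\
[Interface]
PrivateKey = cGxhY2Vob2xkZXItcHJpdmF0ZS1rZXktbm90LXJlYWw=
Address = 10.6.0.2/24
DNS = 192.168.1.254

[Peer]
PublicKey = cGxhY2Vob2xkZXItc2VydmVyLXB1YmxpYy1rZXktMDA=
PresharedKey = cGxhY2Vob2xkZXItcHJlc2hhcmVkLWtleS1ub3QtcmU=
Endpoint = myhome.example.com:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""


def parse_wg_conf(text):
    """Parse the INI-like WireGuard format into {section: [ {key: value}, ... ]}.
    Hand-rolled instead of configparser because WireGuard permits repeated [Peer] sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value                   # split on the first '=' only, so key padding survives
    return sections


def render_wg_conf(sections):
    """Inverse of parse_wg_conf: write the sections back out in WireGuard's format."""
    lines = []
    for name, entries in sections.items():
        for entry in entries:
            lines.append(f"[{name}]")
            lines.extend(f"{key} = {value}" for key, value in entry.items())
            lines.append("")
    return "\n".join(lines)


def allowed_networks(peer):
    return [ipaddress.ip_network(n.strip(), strict=False) for n in peer["AllowedIPs"].split(",")]


def is_full_tunnel(text):
    """A /0 route in any peer's AllowedIPs means every packet goes through the tunnel."""
    return any(n.prefixlen == 0
               for peer in parse_wg_conf(text)["Peer"] for n in allowed_networks(peer))


def split_tunnel(text, home_networks):
    """Rewrite a full-tunnel profile so only the VPN subnet and the given home networks
    are routed through the RPi; everything else takes the device's normal path.
    home_networks is the caller's choice, e.g. ["192.168.1.0/24"] for the LAN used here."""
    sections = parse_wg_conf(text)
    vpn_net = ipaddress.ip_interface(sections["Interface"][0]["Address"]).network
    allowed = [str(vpn_net)] + [str(ipaddress.ip_network(n)) for n in home_networks]
    for peer in sections["Peer"]:
        peer["AllowedIPs"] = ", ".join(allowed)
    return render_wg_conf(sections)


def check_conf(text, pihole_ip, forwarded_port):
    """Sanity checks against the setup described above; returns a list of findings (empty = fine)."""
    sections = parse_wg_conf(text)
    iface, peer = sections["Interface"][0], sections["Peer"][0]
    findings = []
    if iface.get("DNS") != pihole_ip:
        findings.append(f"DNS is {iface.get('DNS')!r}, expected the Pi-hole at {pihole_ip}")
    _, _, port = peer.get("Endpoint", "").rpartition(":")
    if port != str(forwarded_port):
        findings.append(f"Endpoint port {port!r} does not match the forwarded UDP port {forwarded_port}")
    if "PrivateKey" not in iface:
        findings.append("no PrivateKey in [Interface]: the client cannot authenticate")
    return findings


if __name__ == "__main__":
    print(check_conf(SAMPLE_CONF, "192.168.1.254", 51820))
    print(split_tunnel(SAMPLE_CONF, ["192.168.1.0/24"]))
```

The rewritten profile still carries the client’s PrivateKey, so treat the output exactly like the file pivpn add produced: copy it over an authenticated channel (SCP, the WireGuard QR code) and delete stray copies. Note also that a split-tunnel client only sends home-network traffic through the Pi, so it gets Pi-Hole’s ad blocking only for the DNS lookups that still go to the DNS address in the profile, not the full-tunnel behaviour described above.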
So PiVPN is setup. We’ve added the user/client into PiVPN. Now we need to setup the endpoint so they can connect back to PiVPN.
When we set up PiVPN we had to make a choice. We had to choose whether we wanted to use WireGuard or OpenVPN for the “magic” behind our VPN. In my article, we set up PiVPN using WireGuard, which was the PiVPN default.
So… we are going to want to download and install the WireGuard client on our endpoint device(s). Go ahead and get the latest/greatest version of the WireGuard client for your Operating System directly from WireGuard.
I’ll go over how to add it via QR code on an iOS device, as well as how to add it from a config file on a desktop PC.
Note: If you created both a full and split-tunnel VPN client/user, then you will need to repeat the steps below to add the second profile.
Using a mobile OS like Apple’s iOS or Google’s Android, or any other system that can read a QR code, is probably the easiest way to set up the endpoint device with its PiVPN configuration and encryption keys.
On the RPi, PiVPN can generate a QR code for each client/device that you set up. That QR code holds all the info WireGuard needs on the endpoint to configure it, including the client’s private key. Just remember to guard that QR code and keep it safe… anyone who photographs it can import the same tunnel, so it is literally the keys to your castle/home network.
On the RPi, enter the following command:
pivpn -qr
PiVPN will then list the users you have created, and you can choose which user you want a QR code to be generated for.
In my example, I get the QR code for the user “P-W-W-F”
On your mobile iOS device, open the WireGuard app. Tap “+” to add a new tunnel. Then tap “Create from QR code”.
Your phone’s camera will open and allow you to scan the QR code.
Give the VPN connection a name when prompted. I used the name “PiVPN”.
Tap “Allow” when prompted to allow WireGuard to “Add VPN Configurations” to your device.
It will then proceed to auto-magically set everything up for you. You’ll have a simple toggle available in the WireGuard app that you can use to enable/disable your VPN.
Setting up the WireGuard app on a desktop is not hard, but it’s not as easy as simply scanning a QR code. PiVPN will automatically generate a file that will contain the configuration and encryption keys for each user/client, as you create each of your users/clients. We just have to copy that file from the RPi on to our desktop.
When we created the client in PiVPN, it generated a file named after the client (“<client name>.conf”) and placed it in the configs folder under the RPi user’s home directory.
In my example below, when I created the user “P-W-W-F” it generated the file “P-W-W-F.conf” and placed in the folder “/home/pi/configs”.
From your Desktop, open WinSCP, and connect to your RPi. On the RPi side, navigate to the folder that was listed when you created your user/client in PiVPN. Copy that “User/Client.conf” file over to your desktop.
On your Desktop, open the WireGuard app. Click on button to “Import tunnels(s) from file”.
Browse to the file you copied off of your RPi, and click ‘Open’. It will load all of your settings. Click the ‘Activate’ button to turn on your VPN.
Your PiVPN connection using WireGuard is now active. You are connected and can reach your home resources safely and securely. To disconnect, just click the “Deactivate” button.
On this screen you choose the upstream DNS provider you want to use. I’m going with Cisco’s OpenDNS, but you can choose whichever you want.
Any of them is better than using your ISP’s default DNS. Regardless of what anyone tells you, none of them on this list is dramatically better than the others. Yes, they each have a few different features that you’ll need to look into, and keep in mind that whichever one you pick will see every query your network makes that Pi-Hole doesn’t block. But, truthfully, it boils down to your personal preference. And the best part is that you can easily change to a different upstream DNS provider at any time in the admin console, post-install.
Come back and revisit this after you’ve gotten Pi-Hole up and running: when you are ready to dive deeper down the DNS hole, take a look at Steve Gibson’s DNS Benchmark. One of the biggest considerations when choosing “the best” DNS is speed, and that is a metric which is totally location dependent. His tool runs benchmarks against multiple DNS providers to see which is “the best” for you.
Select the block lists you want to use. I’m just leaving it default with all of the lists selected. These can all be changed (enabled/disable) later in the web admin interface.
Select which protocols (IPv4 and/or IPv6) you wish to block ads on. I’m leaving them both selected, which is the default. These values can be changed later.
The next screen shows the RPi’s current IP address. Mine is currently using a DHCP-assigned address, but we want to set it to a static address, so I am going to click “No” here.
This screen is where the desired static IP address and subnet mask (in CIDR format) get set. Your network will likely be different from mine; I’m setting mine to use the IP address 192.168.1.254. As for the subnet mask, in most home networks you can just use “/24”. That is CIDR shorthand for 255.255.255.0 and means this subnet has 256 addresses in it, 192.168.1.0 to 192.168.1.255 (of which .0 is the network address and .255 the broadcast address, leaving 254 usable for hosts).
On this screen we enter the gateway. This will most likely be your router’s IP address. Mine is 192.168.1.1.
This screen shows us our updated settings. Click “Yes” to accept the values you have entered.
Yes, we wish to install the web admin interface.
Yes, we wish for the web server to be installed and enabled.
Yes, we wish to log queries.
I want to see EVERYTHING! You can change this to what you prefer. These will be the statistics you can see on the web admin interface. This value can get changed later from the web admin interface. More info about this at: https://docs.pi-hole.net/ftldns/privacylevels
Pi-Hole will finish applying all of the settings it’s collected…
And then you are done. You did it!
The last screen of the Pi-Hole setup will show you the IP address and the URL for the web admin interface, as well as the generated admin password. Note that password down; you will need it to log into the web interface.
Press “Enter” to exit the installer and return to the command line.
Make your Pi-Hole the DNS of your network
Log into your router.
Navigate to its DNS settings and clear any values that are currently set.
Now enter the IP address of your Pi-Hole.
That’s it. Your network is now using Pi-Hole for all of its DNS queries. Devices pick up the new DNS server when they renew their DHCP lease, so you may need to reconnect a device before it stops seeing ads.
Viewing your Network DNS Queries
Open a web browser and go to either the IP address of your RPi or “pi.hole” (the latter only resolves once your network is using Pi-Hole for DNS). In my example, I enter either “192.168.1.254/admin” or “pi.hole/admin”.
That will load the Pi-Hole Web Admin Interface. Go ahead and click that login button. You’ll get even more details about what devices are doing on your network.
Pi-Hole has some more advanced features that allow it to act as your network’s DHCP server on top of serving DNS. However, I’ll save that for another time…. For now, just sit back and enjoy fewer ads.
Raspbian ships with the SSH server disabled by default, which is an excellent security baseline. However, if you want to remotely connect to your RPi, you’re going to need to enable it. Thankfully, it can be enabled from the desktop very easily.
Note: When enabling SSH on a Pi, or any device, you should change its default password to ensure that it remains secure. Especially if you are connecting that device to the internet.
These instructions are straight from the RPi documentation (which can be found here).
Launch “Raspberry Pi Configuration” from the “Preferences” menu
Navigate to the “Interfaces” tab
Select “Enabled” next to “SSH”
Click “Ok”
Alternatively, raspi-config can be used in the terminal:
Enter “sudo raspi-config” in a terminal window
Select “Interfacing Options”
Navigate to and select “SSH”
Choose “Yes”
Select “Ok”
Choose “Finish”
The one special case not covered above is running your RPi “headless”, which simply means using the RPi without a display plugged into it.
For headless setup, SSH can be enabled by placing a file named “ssh”, without any extension, onto the boot partition of the SD card from another computer. When the Pi boots, it looks for the “ssh” file. If it is found, SSH is enabled and the file is deleted. The content of the file does not matter; it could contain text, or nothing at all.
If you have loaded Raspbian onto a blank SD card, you will have two partitions. The first one, which is the smaller one, is the boot partition. Place the file into this one.
Now you can use your favorite SSH tool to connect to your Raspberry Pi remotely.
I mostly work on Windows machines, and my go to SSH tool is called “Putty“. However, there’s LOTS of different SSH programs out there. So… do some googling, try a few, and use whichever one you like best.
VMware is doing their part to help make it easy for folks to contribute to the Folding@Home (F@H) project. They have packaged an appliance as an OVA file on VMware Flings that you can deploy on any of their virtualization products, either on your own hardware or in a cloud, using Workstation, Fusion, or ESXi hosts. That means that with just a few clicks you can download and deploy a VM running on the super light-weight PhotonOS that has the F@H client pre-installed and is ready to go.
You might be asking why this is so great; I mean, the client isn’t exactly difficult to set up on other operating systems. Well, you are correct. This fling is geared towards VMware virtualization enthusiasts and professionals who already have homelabs or datacenters with idle compute power they want to contribute. By dedicating a VM appliance to the job, it basically becomes a set-it-and-forget-it deal that will always be chugging along in the background.
If you are new to virtualization, then deploying this appliance can serve as a great way to learn about flings, appliances, and deploying a VM in general while contributing to a cause.
Note: If you intend to deploy this in your company’s data center, or on your work PC/laptop, make sure to get permission from the appropriate people in your organization before deploying, just to cover yourself.
Step 1: Create your Passkey
If you don’t already have a username and passkey, then the first thing you’ll need to do is create your user and get your passkey. You’ll use this later as you deploy the appliance. If you already have yours, then proceed to the next step.
Just to let you know, when I signed up earlier this week, it took a few hours for me to receive my passkey from F@H. So don’t get upset if you don’t hear from them immediately after clicking “Get Passkey”.
1. Double-click on the OVA file you downloaded to launch VMware Workstation. It will present you a wizard to “Import Virtual Machine”. Enter a name and file path for your F@H appliance, then click ‘Next’.
2. Now work down the options in the left pane:
-Hostname
-IP address (leave blank for DHCP)
-Gateway
-DNS
-Password for the appliance: VMware1! (this is the root password for the appliance, so change it if the VM will sit on a shared network)
-Your F@H username
-Your F@H team (leave as 52737 to contribute as part of VMware’s team)
-Your passkey
-GPU (change to TRUE if using a GPU; a GPU used by a virtual machine must be in passthrough mode)
-F@H management network info (can probably be left alone)
-F@H password (defaults to the OS password, VMware1!)
Then click ‘Import’.
Go ahead and use my F@H username & passkey if you really want to fold as me… It just means my F@H user will get credit for any folding you do.
3. Once the import is complete, it should automatically power on. Go ahead and power it off. The first thing I recommend is to upgrade the VM’s virtual hardware version.
Click on “Upgrade this virtual machine” and follow the wizard to upgrade it to the highest version that is compatible in your environment. For me, it is Workstation 14.x.
Because this is an OVA file and so easy to re-deploy if I screw something up, I choose to just alter the VM, and not make a clone.
4. Next step is to edit the VM and add more CPUs, if desired. Click on “Edit virtual machine settings”.
Click on ‘Processors’. From the “Number of processors” dropdown you can choose how many processors you want to dedicate to this appliance. Then click ‘Ok’.
5. Go ahead and power on your F@H appliance.
ESXi / vCenter
1. In vCenter or on your ESXi host, right click on your Datacenter/Cluster/Host and select “Deploy OVF Template”.
2. Select the OVA file you downloaded earlier, and click ‘Next’.
3. Give your VM appliance a name, and click ‘Next’.
4. Walk through the rest of the wizard: choose the compute resource to deploy to, review the details, select your storage, and select your network.
5. Customize the F@H template settings for your environment:
-Hostname
-IP address
-Gateway
-DNS
-OS ‘root’ password
-F@H username
-F@H passkey
-GPU
-F@H remote management password
Then click ‘Next’ and ‘Finish’ to deploy your new appliance.
6. Once deployed, make sure the vm is powered off. Right click on the vm and select ‘Edit Settings…”. Select CPU and from the dropdown adjust the CPU to the desired number you wish to dedicate to your appliance, and click ‘Ok’.
7. Power on your F@H vm and you are ready to start contributing.
Step 4: Troubleshooting
Once your appliance is up and running, there are a few command that you will find helpful.
Start and stop:
/etc/init.d/FAHClient start
/etc/init.d/FAHClient stop
Restart:
/etc/init.d/FAHClient restart
Status:
/etc/init.d/FAHClient status
Check the logs:
/etc/init.d/FAHClient log -v
Check CPU stats:
top
With the huge growth in F@H contributors, getting work units has become more difficult. If you check your logs and see messages similar to what is in my screenshot below, then your appliance IS working; it is just waiting for work.
Leave it running and you’ll eventually see it start chugging along when it gets a work unit.
On the F@H fling website you can also find two PDFs, one about deployment and another with FAQs. Give those a look if you run into any other issues.
The Folding@Home (F@H) team has released v7 (currently v7.5.1) of their F@H software. It has a newer simpler graphical interface aimed at making it easier for people to install and contribute to the project. Here is how to make it run on your Linux computer. Linux has been growing in popularity as a desktop OS, so it’s great to see projects like this include it as a viable platform for contributing to F@H.