If you are like me, the computers around my house are predominately Windows based. Which is fine until you try to remotely connect to the desktop of your RPi. The Raspbian OS just doesn’t work MS’s Remote Desktop Protocol out of the box.
It can though, and all it takes a few is a few steps to enable to the RDP on Raspbian. And in my opinion, since I’m mostly on Windows, it is well worth it just for the convenience. I’ll be using Raspbian Buster in my examples below. If you’re not already on Buster, check out my article on upgrading Stretch to Buster.
Installing Xrdp on Rpi
Lets begin by updating your RPi with the following commands.
sudo apt update && sudo apt upgrade
Lets install Pixel on our RPi. Pixel is the default desktop environment on Raspbian desktop images. It’s stable, light weight, and fast. Which is perfect for running remotely on our RPi. To install Pixel, use the command below.
Next we install the Xrdp package. It is available in the default Raspbian repositories. Use the command below to install Xrdp.
sudo apt install xrdp
The service will automatically start once it has installed, but we can check it’s status with the following command. It should display the status of “running” on the screen.
systemctl show -p SubState --value xrdp
Lastly we need to add the user that is running the service to the “ssl-cert” group. Xrdp uses the key file “/etc/ssl/private/ssl-cert-snakeoil.key” which is only read-able to the users of the “ssl-cert” group. USe the folowing command to add the user to the group.
sudo adduser xrdp ssl-cert
Your RPi now supports RDP! You can easily connect to it using the MS Remote Desktop Connection your Windows machines.
Connecting to your RPi from Windows
From your windows machine, click on the ‘Start menu’ or Windows Search field and type “remote”.
Once the Remote Desktop Connection App launches, enter the IP address of your RPi. Then click the “Connect” button.
Enter the login credentials for your RPi. Then click ‘Ok’.
BAM! Just like that you have successfully connected to and just RDP-ed into your RPi. Well done!
Using a simple RPi we can turn an otherwise normal USB printer into a network printer. Making it easier to print from anywhere in your house, and using any computer in your house. Literally breathing a bit more life into your “old” printer that you were just considering tossing away.
We’ll take advantage of the CUPS software to make this happen. CUPS stands for Common Unix Printing System and is what runs most Linux printing software. It’s going to be the bit that does the communication to your printer to properly print your files. Lets get started…
Make sure your RPi is up-to-date with the following commands:
sudo apt-get update sudo apt-get upgrade
Install CUPS with the following command
sudo apt-get install cups
Add the user ‘pi’ to the ‘lpadmin’ group. This will allow your user ‘pi’ to access all of the administrative functions of CUPS without having to be a superuser. Use the following command.
sudo usermod -a -G lpadmin pi
We need to make CUPS accessible to your whole network. Currently it is only accessible on the RPi itself. To allow it to accept all traffic, use the following commands.
You can now access the RPi print server from any computer on your network. Use the following command if you are unsure of your IP adderss.
hostname -I
Now with that IP address open a web browser and enter the following url, replacing <ip-address> with the IP address of your RPi
http://<ip-address>:631
To allow our CUPS printer server to talk to Windows and to let our windows computers print to it, we need to setup SAMBA on the RPi. Use the following command to install SAMBA.
sudo apt-get install samba
After installing SAMBA, we will need to make a few edit it’s configuration file. Use the following command to open it’s config file in the nano editor.
sudo nano /etc/samba/smb.conf
Scroll down to the end of the file. Edit it to make it match the following:
# CUPS print server
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = yes
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = no
guest ok = no
Save and exit the editor by pressing ‘Ctrl-X’, then ‘Y’, then ‘Enter’
Restart SAMBA with the following command to load our configuration changes.
sudo systemctl restart smbd
Adding a printer to CUPS
Now with the software portion installed, we need to add the printer to CUPS. Make sure that you have turned the printer ‘On’ and that you have it connected to your RPi.
Open a web browser and enter the following url, replacing <ip-address> with the IP address of your RPi
http://<ip-address>:631
Click on the ‘Administrative’ tab at the top of the page. Then click the “Add Printer” button.
On the ‘Add Printer’ screen select the name of the printer you want to set up, and click “Continue”. In this example, we are setting up a HP LaserJet P2055d printer.
Note: If your printer appear on the screen, make sure that it is indeed ‘On’ and connected to your RPi. After verifying that it is, if it is still not appearing, you may need to try restarting your RPi while leaving the printer ‘On’ and connected.
This screen is where you give your printer a name, set a description for it, and a location. The most important thing to do on this screen is to click the tick box for “Sharing: Share This Printer”
On this screen you will select the model of your printer. CUPS tries to auto-detect the model of printer and will select a driver based off what you select. Your selection will differ from mine. Once you are happy with your selection, click the “Add Printer” button at the bottom.
The final screen will let you set the default printer options; paper size, tray, resolution, double-sided, etc….
While not required, I like to give the RPi one more reboot after adding the printer.
To check the status of the print and it’s print queue, use the following command on the RPi.
lpq HP_LaserJet_P2055d
It will display the printer name and if it’s “ready” and if any print jobs are pending.
Adding RPi printer to Windows 10
One thing I noticed when trying to add the printer to to my Windows 10 machines is that I had initially had problems auto-detecting and adding it. It just simply would not work. After a bit of searching the internet, I found a solution that did work for me.
Click on the ‘Start Menu’ and start typing “Printers”, then click on ‘Printers & scanner’.
Click on ‘Add a printer or scanner’
Windows will begin searching for printers… After a moment a link that appears that says “The printer that I want isn’t listed”. Click on that link.
This will open a ‘Add Printer’ window. Click on the option “Select a shared printer by name”
Enter the “name” of your shared printer in the following format, then click ‘Next’.
As with all major version changes, it is my recommendation to download a new clean image and start fresh with a clean system. (Raspbian Download page) I don’t know what changes people have made to their system, and so have no idea what may break when you move to Buster. The instructions below will likely work on your system. However, that does not guarantee that it will work on your system.
I cannot provide support (or be held responsible) for any problems that arise if you try it. You have been warned! Make a backup before even considering to attempt this…
Open a terminal or SSH window to your RPi. In the files /etc/apt/sources.list and /etc/apt/sources.list.d/raspi.list, change every use of the word “stretch” to “buster”.
Wait for the upgrade to complete, answering ‘yes’ to any prompt. There may also be a point at which the install pauses while a page of information is shown on the screen – hold the ‘space’ key to scroll through all of this and then hit ‘q’ to continue.
The update will take anywhere from half an hour to several hours, depending on your network speed. When it completes, reboot your Raspberry Pi.
When the Pi has rebooted, launch ‘Appearance Settings’ from the main menu, go to the ‘Defaults’ tab, and press whichever ‘Set Defaults’ button is appropriate for your screen size in order to load the new UI theme.
Buster will have installed several new applications which we do not support. To remove these, open a terminal window and run the following command.
As I’ve said before, the data running on your RPi is only as good as it’s last backup. You have already backed up your RPi, right?
This article is going to cover how to restore the backup image of your RPi with Windows. While can also restore it using Linux or MacOS, I’m not going to cover those as I primarily use the Windows Operating System. If you desire more info on the RPi backup/restore process, please consult the official documentation here.
Restore on Windows
In Windows, we’ll use a utility called “Win32 Disk Imager”. If you followed my previous article on backing up your RPi you should already have it installed. If you haven’t, please go download and install Win32 Disk Imager onto your computer. It is this software that will allow us to restore the full image copy we made back to the micro-SD card of your RPi.
On your Windows computer, open the Win32 Disk Imager program.
In the upper right, under ‘Device’, select the drive letter of the card reader. Mine is “D:\”, your will likely be different.
In the ‘Image File’ box, click on the folder button to browse to, and select, the location of your backup image file, which you’d like to restore.
Click the ‘Write’ button at the button to begin restoring your backup image. There will be a popup message that warns about writing to the device, click ‘Yes’ and it will begin your restore
Once the restore completes, there will be a popup message stating that the write is complete that you need to click ‘OK’ to.
Your restore is now complete!
Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on. Everything should be there, exactly as it was at the time you made the backup.
Like any other computer system, the data running on your RPi is only as good as it’s last backup. Heck, have you ever even backed-up your RPi since you got it up and running? Well let me show you how to get backed-up so that you can get back up in the event that you ever have a RPi catastrophe.
This article is going to focus on backing up your RPi with Windows. While can also back it up using Linux or MacOS, I’m not going to cover those as I primarily use the Windows Operating System. If you desire more info on backing up your RPi, please consult the official documentation here.
Backup on Windows
In Windows, we’ll use a utility called “Win32 Disk Imager”. Go ahead and download and install Win32 Disk Imager onto your computer. It will allow us to make a full image copy of the micro-SD card that is used in our RPi. That way we can restore a 1:1 image of that micro-SD card as it is at the time of backup, back onto the card or onto a new card if we ever need to. We can keep that image copy on a desktop or NAS or cloud storage.
Start by shutting down the RPi with the following command.
sudo shutdown now
One the RPi has shut down, disconnect the power. You can now pull the micro-SD card out of it. Place it into the the card reader on your Windows computer. This might be a usb adapter that you are using, or there might be a SD slot on your laptop that will take a “micro-SD to SD card” adapter.
On your Windows computer, open the Win32 Disk Imager program.
In the upper right, under ‘Device’, select the drive letter of the card reader. Mine is “D:\”, your will likely be different.
In the ‘Image File’ box, click on the folder button to browse to, and select, the location of where you would like to save the image file to.
Click the ‘Read’ button at the button to begin creating your backup image.
Once the backup completes, there will be a popup message you need to click ‘OK’ to.
Your backup is complete!
Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on.
You can now restore you RPi to this point-in-time image when anything ever goes wrong in the future.
These instructions are straight from the RPi documentation (which can be found here).
If you do not use a monitor or keyboard to run your Pi (known as headless), but you still need to do some wireless setup, there is a facility to enable wireless networking and SSH when creating a image.
Once an image is created on an SD card, by inserting it into a card reader on a Linux or Windows machines the boot folder can be accessed. Adding certain files to this folder will activate certain setup features on the first boot of the Pi itself.
Setting up wireless networking
You will need to define a “wpa_supplicant.conf” file for your particular wireless network. Put this file in the boot folder, and when the Pi first boots, it will copy that file into the correct location in the Linux root file system and use those settings to start up wireless networking.
“wpa_supplicant.conf” file example:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=<Insert country code here>
network={
ssid="<Name of your WiFi>"
psk="<Password for your WiFi>"
}
Note that some older WiFi dongles don’t support 5GHz networks.
More information on the “wpa_supplicant.conf” file can be found here. See Wikipedia for a list of country codes.
After posting my article on Reddit about setting up Pi-Hole and PiVPN, I learned about ZRAM from fellow redditor u/Bubbagump210. I’m basing this article off of his post.
Zram allows one to create compressed RAM drives – including swap drives. So, what we will be going over below is running a swap drive under ZRAM. When regular RAM feels memory pressure, it shuffles data from regular RAM to the ZRAM swap – which is also actually RAM but compressed.
Open a terminal window or SSH into your RPi.
Make sure your RPi is up-to-date with the following commands:
sudo apt-get update sudo apt-get upgrade
Install ZRAM by running the following command, and then typing ‘Y’ to proceed.
sudo apt install zram-tools
By default, this package will create a 256MB swap drive. If you want to bump that up a tad higher, then you will need to edit /etc/default/zramswap. Edit the file with the following line.
sudo nano /etc/default/zramswap
We will need to add the ‘Allocation’ variable. To increase your swap drive to 512MB, add the following line.
ALLOCATION=512
Press “Ctrl-X” to exit the editor, “Y” to confirm you want to save your changes, then “Enter” to save it.
Run the following two commands to enable and start ZRAM
If you open top, you should now see your new swap space at the size allocated above.
How to check your compression ratio? Run the command below.
cat /sys/block/zram0/mm_stat
On this rpi, my output currently is: 790528 189901 507904 0 507904 18 0 2
The first value is the uncompressed data size, the second value is the compressed data size. (More details found here)
189901/790528=~0.24
So a 76% reduction in size – not bad.
Certainly there is a tiny performance hit and buying more RAM is a technically better solution, but for fixed RAM cases like a Pi or free tier VM, this works.
Fail2Ban is an amazing piece of software when it comes to security and protecting your RPi. Even more so if your RPi is exposed to, or publicly accessible on, the Internet. Fail2Ban continually monitors your system’s log files and watches for malicious connections, proactively blocking them.
Fail2Ban becomes an active, almost real-time, learning form of defense. Think of it as a “poor man’s” Intrusion Protection System (IPS). It will notice any unusual activity, like multiple failed login attempts or exploit scans, and automatically update your firewall rules to ban that IP address.
While it’s not a true IPS, it comes close enough and is very helpful for the average person. While I would not advise it for use it as front line, or rather a singular, defense within a company, it would likely suffice for home use. Not to say that it should not or could not be used by companies, I only want to clarify that it should be one layer of multiple defenses if used in a company environment.
So now that we know what Fail2Ban is… Lets get started setting it up.
While Fail2Ban is recommended if you have SSH exposed to the Internet, it is not necessarily needed if you are running a a VPN. It won’t hurt to have it installed… If you have a secure VPN setup, you don’t/shouldn’t even need to have SSH exposed to the insternet. See my article about setting up PiVPN.
Lets begin by updating your RPi before we begin with the following commands.
sudo apt update sudo apt upgrade
Now that your RPi is updated, lets get on with the software install. Run the following command to install Fail2Ban, press ‘Y’ to proceed.
sudo apt-get install fail2ban
Now Fail2Ban has changed a lot since version 0.9.x.
We want to create a “jail.local” file with the following command and edit it.
sudo nano /etc/fail2ban/jail.local
You’ll want to copy/paste the info below
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 192.168.1.0/24
# Ban hosts for two days:
bantime = 172800
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
filter = sshd
port = ssh
banaction = iptables-multiport
bantime = 172800
maxretry = 3
findtime = 600
logpath = %(sshd_log)s
backend = %(sshd_backend)s
ignoreip: This option lets you specify IP that Fail2Ban will ignore. You likely want to ignore events directly triggered on the device, as well as perhaps more trusted networks like your home network or office ip address. Example:ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
bantime: This option defines how long an IP address will be banned, the default is 10 minutes.
maxretry: This option defines the number of failures a host is allowed before it is banned.
findtime: This option is used along with the ‘maxretry’ option. If a host exceeds the ‘maxretry’ value within the time period specified in ‘findtime’ it will be banned for the amount of time specified in ‘bantime’.
Now save the file by pressing ‘Ctrl+X’ then ‘Y’.
To restart the Fail2Ban service (and reload our config file changes):
sudo systemctl restart fail2ban
To check the Fail2Ban status:
sudo fail2ban-client status
You’ll get output similar to this.
Status
|- Number of jail: 1
`- Jail list: sshd
To check individual jails:
sudo fail2ban-client status sshd
You’ll get output similar to this.
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| - File list: /var/log/auth.log - Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
There is even more you can do with Fail2Ban, more ‘jails’ that you can configure to keep your device (and network) safe. But you are on your own to figure it out from here… Good Luck.
To remove a user/client it’s easy. Type the following command.
pivpn remove
You’ll be presented with a list of the clients you have created. Enter the name of client you wish to remove and press “Enter”.
In my example below, I’m removing the user named “P-W-W-F”.
You’re all done! You have a completed setting up a VPN. You have completed setting up your endpoints. You can manage your VPN users. Congratulations. We’re all done here!
If you’re still itching to do more on your RPi… consider taking a look at my articles on installing ZRAM or installing Fail2Ban.
Okay. So we’ve gone over creating users. In doing so we’ve gone over creating a user that would have a “full” vpn by using the default configuration that happens when you create a user with PiVPN…. But how do we set up a user with a “split-tunnel” vpn, in which only traffic destined for your home network goes thru your RPi?
What exactly is this “split-tunnel”? In a split-tunnel VPN, the endpoint device will be able to make a determination as to where to route it’s traffic, due to changes in the configuration rules. It will route traffic to your home network over the VPN, while routing all other traffic directly out to the Internet.
This split-tunneling actually my ideal setup. It is also ideal if you just wish to use just your Pi-Hole for DNS queries when you are not at home.
Because PiVPN makes things so easy, I currently just create two profiles for my devices. One full and one split-tunnel. However, I seem to be primarily using only the split-tunnel. So who knows… I’ll probably change this practice of mine in the future and just create the one profile, but for now I’m keeping both.
Okay. I’ve talked long enough about split-tunnels. How do we make this magic happen? Lets dive in…
We will add a user just as we did previously, then edit it’s configuration file to allow for the split tunnel. To add your split-tunnel user, type the following command below.
pivpn add
Then add the name of your split-tunnel user. In my example, my user is named “P-W-W-F-split”
The next step is to open and edit the configuration file with the followign command.
That is the line we want to change. The split tunnel config would be modified to show the subnet of your home network. This is the magic line that makes this a split-tunnel.
AllowedIPs = 192.168.1.0/24
*Note: It’s been mentioned in the comments that for this split tunnel to work correctly, folks have had to also add the VPN network’s range to the allowed networks for things and work as expected. That updated line is:
Allowed IP addresses: 10.6.0.0/24, 192.168.1.0/24
I’m not going to re-edit the images as I am no longer using this as my VPN solution. I only wanted to leave this note here for those that are following thru my tutorial so that they don’t become stuck.
The updated configs can be copied to the home config directory if you choose. This will make it easier if you are going to manually transferring a config file to a device, but I usually don’t, and just use the QR code mention in the next article.
To copy or backup your configuration files use the following command: