This guide is intended for a Raspberry Pi device running either Raspberry Pi OS or Ubuntu, both of which derive from Debian.
Refer to the separate “Install Raspberry Pi OS headless” or “Install Ubuntu on Raspberry Pi headless” guides for OS installation instructions.
Locate on local network
Here’s how to locate an SSH-accessible headless Pi server running on the local network.
Install Nmap (available via Homebrew on macOS or apt on Debian), then scan the local subnet for hosts with port 22 open.
For an Apple AirPort router, use:
nmap -p 22 10.0.1.1/24
For other routers, in general, use:
nmap -p 22 192.168.1.1/24
Reboot or shutdown
Use sudo reboot to reboot, or sudo shutdown now to shut down the device.
Change password
After a clean install, it is essential to change the default user password.
passwd
Rename device hostname
Add the desired hostname to /etc/hostname:
raspberry-pi
Ensure these lines exist in /etc/hosts:
127.0.0.1 localhost
127.0.0.1 raspberry-pi
SSH key-based authentication
An SSH key pair consists of two mathematically linked keys: a private key that stays on your local machine and a public key that you install on the Pi. Refer to the Securing your Raspberry Pi guide for more information.
First, copy the public SSH key from your local machine.
cat ~/.ssh/id_rsa.pub
Now paste this key into authorized_keys on the Pi. Keep the directory and file private: with its default StrictModes setting, sshd ignores keys stored under a group- or world-writable ~/.ssh.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
# Paste your public key
chmod 600 ~/.ssh/authorized_keys
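The manual steps above can be wrapped in a small script that installs a key the way sshd expects it, refusing malformed lines and duplicates. This is example code added to this guide, not from the original page; the key in the test is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Install one public key into authorized_keys the way sshd expects it:
# private directory and file (StrictModes), a well-formed key line, and
# no duplicate entries when the same key is pasted twice.
# Example code added to this guide; not from the original page.

# valid_pubkey "<type> <base64> [comment]": accept only one OpenSSH key line.
valid_pubkey() {
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1     # no embedded newlines
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# install_authorized_key <ssh dir> <public key line>
# Runs in a subshell so the umask change does not leak to the caller.
# Returns 0 when the key is installed or already present, 1 on a bad key.
install_authorized_key() (
    dir=$1
    key=$2
    valid_pubkey "$key" || { echo "rejected: not an OpenSSH public key line" >&2; return 1; }
    umask 077                          # anything we create is owner-only
    mkdir -p "$dir"
    chmod 700 "$dir"                   # sshd ignores keys under a writable ~/.ssh
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    # Compare key type and key material only, so a different comment is not a new key.
    keyid=$(printf '%s' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$dir/authorized_keys" | grep -qxF "$keyid"; then
        echo "already present: $keyid" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$dir/authorized_keys"
)

# count_keys <ssh dir>: number of key lines, ignoring blanks and comments.
count_keys() {
    grep -cEv '^[[:space:]]*(#|$)' "$1/authorized_keys"
}

# Usage on the Pi (not run here): install_authorized_key ~/.ssh "$(cat id_ed25519.pub)"
```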
Upgrades
Use apt-get to upgrade your installation. Note that dist-upgrade is recommended instead of upgrade for Raspbian, according to the official documentation.
sudo apt-get update
# Use `dist-upgrade` instead of `upgrade`.
sudo apt-get dist-upgrade -y
If you start to run out of disk space, run this to clean up apt:
sudo apt-get clean
Verify that nothing went wrong: dpkg -C reports packages left half-installed or half-configured, and apt-mark showhold lists packages pinned at their current version, which upgrades will silently skip.
dpkg -C
apt-mark showhold
To clean up and remove old packages, use autoremove, but inspect each package manually rather than running automatically with the -y flag.
sudo apt-get autoremove
sudo apt-get autoclean
It doesn’t hurt to reboot after applying updates.
sudo reboot
Here’s how to check the kernel version.
uname -a
Automatic upgrades
Automatic updates are an essential part of Linux security. The preferred method on Debian is to use unattended-upgrades.
sudo apt-get install -y unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades
Alternatively, you can use the root crontab method.
sudo su
crontab -e
# Runs as root already, so no sudo is needed inside the root crontab.
0 0 * * 0 apt-get update && apt-get dist-upgrade -y
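dpkg-reconfigure only switches the daily job on; which archives it is allowed to upgrade from, and whether it may reboot, live in /etc/apt/apt.conf.d. The script below writes both files and is example code added to this guide, not from the unattended-upgrades project or the original page; the Raspbian and Raspberry Pi Foundation origin strings are assumed to match the archive labels Raspberry Pi OS uses (leave them out on Ubuntu).

```shell
#!/bin/sh
# Write the apt configuration that makes unattended-upgrades run every day,
# restricted to the listed origins, with a scheduled reboot when a kernel or
# libc update needs one. Example code added to this guide; not from the
# unattended-upgrades project or the original page.
# Assumption: the Raspbian / Raspberry Pi Foundation origin strings match the
# archive labels used by Raspberry Pi OS; leave them out on Ubuntu.

# configure_unattended_upgrades <apt.conf.d directory> [reboot time HH:MM]
configure_unattended_upgrades() {
    confdir=$1
    reboot_at=${2:-04:00}
    case $reboot_at in
        [0-2][0-9]:[0-5][0-9]) ;;
        *) echo "reboot time must be HH:MM, got: $reboot_at" >&2; return 1 ;;
    esac
    mkdir -p "$confdir"
    # What `dpkg-reconfigure -plow unattended-upgrades` writes when you answer yes.
    cat > "$confdir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # Origins to upgrade from; ${distro_codename} is expanded by unattended-upgrades itself.
    cat > "$confdir/50unattended-upgrades" <<EOF
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=\${distro_codename},label=Debian";
    "origin=Debian,codename=\${distro_codename},label=Debian-Security";
    "origin=Debian,codename=\${distro_codename}-security,label=Debian-Security";
    "origin=Raspbian,codename=\${distro_codename},label=Raspbian";
    "origin=Raspberry Pi Foundation,codename=\${distro_codename},label=Raspberry Pi Foundation";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$reboot_at";
EOF
}

# auto_upgrades_enabled <apt.conf.d directory>: true when the periodic job is on.
auto_upgrades_enabled() {
    grep -q 'APT::Periodic::Unattended-Upgrade "1";' "$1/20auto-upgrades" 2>/dev/null
}

# Usage on the Pi, as root (not run here):
#   configure_unattended_upgrades /etc/apt/apt.conf.d 04:00 && unattended-upgrade --dry-run --debug
```

The dry run at the end prints which origins matched and which packages would be upgraded, so you can confirm the origin strings are right before the first real run.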
Dynamic DNS
Get a free subdomain at FreeDNS. Copy their update key and set a cron entry to run hourly.
crontab -e
Use the “Direct URL” method, which embeds a private update token in the URL; anyone who has the URL can repoint your subdomain, so treat it like a password.
0 * * * * curl -s http://sync.afraid.org/u/TOKEN/ >> ~/freedns.log 2>&1
fail2ban
Fail2ban, written in Python, is a scanner that examines the log files produced by services on the Raspberry Pi and checks them for suspicious activity. It catches things like repeated brute-force login attempts, and can instruct any installed firewall to block further connection attempts from the offending IP addresses.
If you’re exposing port 22 for SSH, it’s recommended to install fail2ban. If you’re simply using OpenVPN via PiVPN, then fail2ban isn’t required.
sudo apt-get install fail2ban
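Installing the package gives you the defaults (on Debian the sshd jail is enabled through jail.d/defaults-debian.conf). What a practitioner usually wants on top is a jail.local that excludes the LAN from bans and sets the ban thresholds explicitly. This is example code added to this guide, not from the fail2ban project or the original page; the LAN prefix, port and ban values are assumptions to adjust for your network.

```shell
#!/bin/sh
# Write a jail.local that tunes the sshd jail and keeps the LAN out of the
# ban list. Example code added to this guide; not part of fail2ban or the
# original page. The LAN prefix, port and ban values are assumptions.

# write_sshd_jail <fail2ban config dir> <ignored LAN CIDR> [ssh port]
write_sshd_jail() {
    confdir=$1
    lan=$2
    port=${3:-22}
    # Only accept a dotted-quad network with a prefix length, e.g. 192.168.1.0/24.
    case $lan in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "expected a CIDR such as 192.168.1.0/24, got: $lan" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric, got: $port" >&2; return 1 ;;
    esac
    mkdir -p "$confdir"
    cat > "$confdir/jail.local" <<EOF
[DEFAULT]
# Never ban loopback or the local network; a mistyped LAN password must not lock you out.
ignoreip = 127.0.0.1/8 ::1 $lan
# Five failures within ten minutes (600 s) earn a one-hour (3600 s) ban.
findtime = 600
maxretry = 5
bantime  = 3600

[sshd]
enabled = true
port    = $port
EOF
}

# sshd_jail_setting <fail2ban config dir> <key>: value of <key> under [sshd].
sshd_jail_setting() {
    sed -n '/^\[sshd\]/,/^\[/p' "$1/jail.local" | sed -n "s/^$2 *= *//p"
}

# Usage on the Pi, as root (not run here):
#   write_sshd_jail /etc/fail2ban 192.168.1.0/24 && systemctl restart fail2ban
```

After the restart, `sudo fail2ban-client status sshd` shows whether the jail is running and which addresses are currently banned.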
Pi-Hole
Load the default configuration with the setup script (if you would rather not pipe a remote script straight into bash, download it first and read it).
curl -sSL https://install.pi-hole.net | bash
We recommend using the Cloudflare 1.1.1.1 service for DNS, rather than Google 8.8.8.8.
Set it to update automatically, every Sunday at 4 AM, for example.
crontab -e
0 4 * * 0 pihole -up >> ~/pihole.log 2>&1
Note: We recommend using Cloudflare DNS on the router and enabling Pi-Hole ad-blocking per device, rather than using Pi-Hole DNS directly on the router. This software can cause issues with some devices and it can make re-configuration of a fresh Raspberry Pi device install cumbersome.
Reboot before installing the VPN software.
sudo reboot
PiVPN
Load the default configuration with the setup script.
curl -sSL https://install.pivpn.io | bash
This may warn about Debian Buster not being currently supported, but it does work.
If not already enabled, PiVPN will suggest that you turn on automatic updates.
Use port 1194 over UDP instead of TCP. UDP is faster for tunneling. Ensure that UDP port forwarding is used in the router configuration.
Opt to enable OpenVPN 2.4, if prompted.
Use a 2048-bit key size (the recommended default).
Since we’ve enabled dynamic DNS, we can choose a public DNS name instead of using an IP address for the VPN.
Select Cloudflare as the DNS provider.
The install log gets saved to /etc/pivpn.
Run pivpn add to add user profiles. Create one profile per device.
Profiles get saved to /home/pi/ovpns.
You can get a list of profiles with pivpn list.
Pi-Hole and PiVPN can be installed together. The setup process is easier if you install Pi-Hole first, then PiVPN. After both are installed, edit the /etc/dnsmasq.conf file so that DNS resolution is also offered on the VPN interface: listen-address=127.0.0.1, XXX, 10.8.0.1 (XXX being the Pi’s LAN address). Here 10.8.0.1 is the Pi’s own address on the VPN tunnel, the address VPN clients use to reach Pi-Hole.
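Editing listen-address by hand is easy to get wrong on a machine you may rebuild more than once, so here is an idempotent version of that step: it adds the tunnel address to an existing listen-address line, creates the line if there is none, and leaves everything else in the file untouched. This is example code added to this guide, not from the Pi-Hole or PiVPN projects; the file path and addresses are arguments, and the dnsmasq.conf in the test is constructed.

```shell
#!/bin/sh
# Make dnsmasq listen on the VPN tunnel address as well as whatever it
# already listens on, editing listen-address= in place. Example code added
# to this guide; not from the original page or the Pi-Hole project.

# ensure_listen_address <dnsmasq.conf path> <IPv4 address to add>
# Appends the address to the first listen-address line (once), or adds the
# line when none exists. Returns 1 on a malformed address.
ensure_listen_address() {
    conf=$1
    addr=$2
    case $addr in
        ''|*[!0-9.]*) echo "bad IPv4 address: $addr" >&2; return 1 ;;
    esac
    if ! grep -q '^listen-address=' "$conf"; then
        printf 'listen-address=127.0.0.1,%s\n' "$addr" >> "$conf"
        return 0
    fi
    # Already present as one of the comma- or space-separated entries? Then do nothing.
    if grep '^listen-address=' "$conf" | tr ', ' '\n\n' | grep -qx "$addr"; then
        return 0
    fi
    # Append to the first listen-address line only, via a temp file (portable, no sed -i).
    tmp=$(mktemp)
    awk -v a="$addr" '
        /^listen-address=/ && !done { sub(/[ \t]*$/, ""); $0 = $0 "," a; done = 1 }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# listen_addresses <dnsmasq.conf path>: all configured listen addresses, space separated.
listen_addresses() {
    sed -n 's/^listen-address=//p' "$1" | tr ', ' '\n\n' | grep -v '^$' | paste -sd' ' -
}

# Usage on the Pi, as root (not run here):
#   ensure_listen_address /etc/dnsmasq.conf 10.8.0.1 && systemctl restart dnsmasq
```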
If PiVPN isn’t working with the OpenVPN client, check that dynamic DNS is working by pinging the VPN domain/IP address. In the Tunnelblick client, for example, a stale DNS record shows up as frequent disconnect and reconnect attempts.