Raspberry Pi cheat sheet

Additional recommended software configuration for Raspberry Pi.
  1. Locate on local network
  2. Reboot or shutdown
  3. Change password
  4. Rename device hostname
  5. SSH key-based authentication
  6. Upgrades
  7. Automatic upgrades
  8. Dynamic DNS
  9. fail2ban
  10. Pi-Hole
  11. PiVPN

This guide is intended for a Raspberry Pi device running either Raspberry Pi OS or Ubuntu, both of which derive from Debian.

Refer to the separate “Install Raspberry Pi OS headless” or “Install Ubuntu on Raspberry Pi headless” guides for OS installation instructions.

Locate on local network

Here’s how to locate an SSH-accessible headless Pi server running on the local network.

Install Nmap; supported by Homebrew on macOS or apt on Debian.

For an Apple AirPort router, use:

nmap -p 22 10.0.1.1/24

For other routers, in general, use:

nmap -p 22 192.168.1.1/24

Reboot or shutdown

Use sudo reboot to reboot or sudo shutdown now to shut down the device.

Change password

During a clean install, it is essential to change the default user password.

passwd

Rename device hostname

Add the desired hostname to /etc/hostname.

raspberry-pi

Ensure these lines exist in /etc/hosts.

127.0.0.1 localhost
127.0.0.1 raspberry-pi

SSH key-based authentication

Key pairs are two cryptographically secure keys. One is private, and one is public. Refer to the Securing your Raspberry Pi guide for more information.

First, copy the public SSH key from your local machine.

cat ~/.ssh/id_rsa.pub

Now paste this key into authorized_keys on the Pi.

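mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
# Paste your public key, save, then restrict the file so sshd will accept it
chmod 600 ~/.ssh/authorized_keys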

Upgrades

Use apt-get to upgrade your installation. Note that dist-upgrade is recommended instead of upgrade for Raspbian, according to the official documentation.

sudo apt-get update
# Use `dist-upgrade` instead of `upgrade`.
sudo apt-get dist-upgrade -y

If you start to run out of disk space, run this to clean up apt:

sudo apt-get clean

Verify that nothing went wrong.

dpkg -C
apt-mark showhold

To clean up and remove old packages, use autoremove, but inspect each package manually, rather than running automatically with the -y flag.

sudo apt-get autoremove
sudo apt-get autoclean

It doesn’t hurt to reboot after applying updates.

sudo reboot

Here’s how to check the kernel version.

uname -a

Automatic upgrades

Automatic updates are an essential part of Linux security. The preferred method on Debian is to use unattended-upgrades.

sudo apt-get install -y unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades

Alternatively, you can use the root crontab method.

sudo su
crontab -e
0 0 * * 0 apt-get update && apt-get dist-upgrade -y

Dynamic DNS

Get a free subdomain at FreeDNS. Copy their update key and set a cron entry to run hourly.

crontab -e

Use the “Direct URL” method, which requires a private key. Request the URL over HTTPS so the key is not sent across the network in cleartext.

0 * * * * curl -s https://sync.afraid.org/u/TOKEN/ >> ~/freedns.log 2>&1

fail2ban

Fail2ban, written in Python, is a scanner that examines the log files produced by the Raspberry Pi, and checks them for suspicious activity. It catches things like multiple brute-force attempts to log in, and can inform any installed firewall to stop further login attempts from suspicious IP addresses.

If you’re exposing port 22 for SSH, it’s recommended to install fail2ban. If you’re simply using OpenVPN via PiVPN, then fail2ban isn’t required.

sudo apt-get install fail2ban
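
A simplified illustration of the log matching described above, added here as an example and not taken from fail2ban or the original guide: it flags any source address that reaches maxretry failed SSH logins inside a findtime window. The function names, thresholds and log lines are constructed, and the classic syslog timestamp format of /var/log/auth.log is assumed.

```shell
#!/bin/sh
# flag_bruteforce MAXRETRY FINDTIME_SECONDS < auth.log
# Prints each source IP with MAXRETRY failed logins within FINDTIME seconds.
flag_bruteforce() {
    awk -v maxretry="$1" -v findtime="$2" '
    / sshd\[[0-9]+\]: Failed password for / {
        # The user name is text supplied by the remote side, so take the
        # address from the fixed tail "from IP port N ssh2", not the first "from".
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        if (ip in flagged) next
        # Seconds since the start of the month (month rollover is ignored here).
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        n = ++count[ip]
        seen[ip, n] = now
        # Sliding window: compare with the failure maxretry-1 entries earlier.
        if (n >= maxretry && now - seen[ip, n - maxretry + 1] <= findtime) {
            flagged[ip] = 1
            print ip
        }
    }'
}

# Constructed sample log lines (documentation address ranges).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 raspberry-pi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:04 raspberry-pi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  3 10:15:09 raspberry-pi sshd[1201]: Failed password for pi from 203.0.113.7 port 51130 ssh2
Mar  3 10:20:00 raspberry-pi sshd[1250]: Failed password for pi from 198.51.100.23 port 40100 ssh2
Mar  3 10:40:00 raspberry-pi sshd[1262]: Failed password for pi from 198.51.100.23 port 40102 ssh2
Mar  3 11:05:00 raspberry-pi sshd[1290]: Failed password for pi from 198.51.100.23 port 40104 ssh2
Mar  3 11:06:12 raspberry-pi sshd[1300]: Accepted publickey for pi from 192.168.1.20 port 50022 ssh2
EOF
}

# Three failures within ten minutes: only the rapid source is flagged.
sample_log | flag_bruteforce 3 600   # prints 203.0.113.7
```

Against a real log, run it as flag_bruteforce 5 600 < /var/log/auth.log; widening the window also catches slower sources such as 198.51.100.23 in the sample.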

Pi-Hole

Load the default configuration with the setup script.

curl -sSL https://install.pi-hole.net | bash

We recommend using the Cloudflare 1.1.1.1 service for DNS, rather than Google 8.8.8.8.

Set it to update automatically, every Sunday at 4 AM, for example.

crontab -e
0 4 * * 0 pihole -up >> ~/pihole.log 2>&1

Note: We recommend using Cloudflare DNS on the router and enabling Pi-Hole ad-blocking per device, rather than using Pi-Hole DNS directly on the router. This software can cause issues with some devices and it can make re-configuration of a fresh Raspberry Pi device install cumbersome.

Reboot before installing the VPN software.

sudo reboot

PiVPN

Load the default configuration with the setup script.

curl -sSL https://install.pivpn.io | bash

This may warn about Debian Buster not being currently supported, but it does work.

If not already enabled, PiVPN will suggest that you turn on automatic updates.

Use port 1194 over UDP instead of TCP. UDP is faster for tunneling. Ensure that UDP port forwarding is used in the router configuration.

Opt to enable OpenVPN 2.4, if prompted.

Use 2048-bit encryption (recommended default).

Since we’ve enabled dynamic DNS, we can choose a public DNS name instead of using an IP address for the VPN.

Select Cloudflare as the DNS provider.

The install log gets saved to /etc/pivpn.

Run pivpn add to add user profiles. Create user profiles per computer.

Profiles get saved to /home/pi/ovpns.

You can get a list of profiles with pivpn list.

Pi-Hole and PiVPN can be installed together. The setup process is easier if you install Pi-Hole first then PiVPN. After both are installed, edit the /etc/dnsmasq.conf file to allow DNS resolution from the VPN interface: listen-address=127.0.0.1, XXX, 10.8.0.1. Note here that 10.8.0.1 is the address for Pi-Hole.

If PiVPN isn’t working with the OpenVPN client, check to make sure that dynamic DNS is working, using ping to the VPN domain/IP address. This can look like a problem with frequent disconnect and reconnect attempts in the Tunnelblick client, for example.