{"id":524,"date":"2022-12-22T20:30:57","date_gmt":"2022-12-22T19:30:57","guid":{"rendered":"https:\/\/coneixement.info\/blog\/?p=524"},"modified":"2023-02-19T08:54:37","modified_gmt":"2023-02-19T07:54:37","slug":"building-a-privacy-box-with-a-raspberry-pi","status":"publish","type":"post","link":"https:\/\/coneixement.info\/blog\/building-a-privacy-box-with-a-raspberry-pi\/","title":{"rendered":"Building a Privacy Box (with a Raspberry Pi)"},"content":{"rendered":"<p lang=\"en-GB\" align=\"center\"><span style=\"font-size: x-large;\"><b>Privacy for your Internet access plus a monitor for your devices, a Wi-Fi\/LAN intruder detector and a VPN Server for remote access with a Raspberry Pi + Bonus Track: a Password Manager<\/b><\/span><\/p>\n<p lang=\"en-GB\">Building a Privacy Box with a Raspberry Pi \u00a9 2022 by Daniel Alomar is licensed under CC BY-NC-SA 4.0. To view a copy of this license, visit <a href=\"http:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/\">http:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/<\/a><\/p>\n<p lang=\"en-GB\">You can download a PDF of this article here: <a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/BuildingPrivacyBox-20230103.pdf\" target=\"_blank\" rel=\"noopener\">BuildingPrivacyBox<\/a><\/p>\n<p class=\"reader-text-block__paragraph\"><strong>Changelog<\/strong><\/p>\n<ul>\n<li>20230103 &#8211; Added Netdata as the recommended monitoring solution instead of RPi-monitor<\/li>\n<\/ul>\n<p><strong>Index<\/strong><\/p>\n<ol>\n<li><strong>Introduction<\/strong><\/li>\n<li><strong>Objective<\/strong><\/li>\n<li><strong>Requirements<\/strong><\/li>\n<li><strong>Setup of the Privacy Box<\/strong><\/li>\n<li><strong>Installing WireGuard (light, secure and fast VPN)<\/strong><\/li>\n<li><strong>Installing Pi.Alert, a Wi-Fi\/LAN intruder detector (optional)<\/strong><\/li>\n<li><strong>Installing a monitoring tool (optional)<\/strong><\/li>\n<li><strong>Securing the Raspberry<\/strong><\/li>\n<li><strong>Backup 
and restore<\/strong><\/li>\n<li><strong>Bonus track. Password manager: Vaultwarden<\/strong><\/li>\n<li><strong>Bibliography<\/strong><\/li>\n<\/ol>\n<h1 class=\"western\" lang=\"en-GB\">Introduction<\/h1>\n<h1 class=\"western\" lang=\"en-GB\">Background<\/h1>\n<p class=\"western\" lang=\"en-GB\">In these uncertain and strange times we are living through &#8211; forever, it seems &#8211; we <b>should <\/b>take care of our privacy. The saying \u201cif you are not paying for it, then you are the product\u201d<sup>1,2<\/sup> is absolutely true.<\/p>\n<p class=\"western\" lang=\"en-GB\">We have not been trained at school in the use of Information and Communications Technologies (ICT). Most of us are not digital natives, and even if we were, technology evolves faster than training can adapt. Those of us who are lucky enough to like technology and to be early adopters of it find ICT &#8216;somewhat less difficult&#8217; to manage, as if by intuition, but that does not mean we are safe from the dangers of exposing our lives to the Internet, where different companies are on the lookout to collect our data in order to create the most reliable profile of us they can, a detailed description of our tastes, our preferences, our habits&#8230; They know us much better than we know ourselves, and that is not a clich\u00e9, <b>it is a reality<\/b>.<\/p>\n<p class=\"western\" lang=\"en-GB\">This data is collected by companies called <a href=\"https:\/\/clearcode.cc\/blog\/what-is-data-broker\/\">Data Brokers<\/a><sup>3<\/sup> through multiple techniques. The data is used to create profiles of us for different purposes, like marketing and advertising, risk mitigation, people-search services<sup>4,5<\/sup>, etc. 
Regarding marketing and advertising, while this could sound nice to someone who wants personalized advertisements, we have to be aware of some side effects, such as the price not being the same for everyone, and other, worse effects. Since companies have extensive information about us, better than our own, they will also know our risks and the potential collateral effects of our habits. All this information allows the prices of the services or products we want to acquire, or the advertisements we see, to be calculated with high accuracy. For example, the price for a health insurance will not be the same if the company knows, through the information from us acquired from the Data Brokers. The same applies to the advertisements we see on our devices. Here you have an example from Signal: <a href=\"https:\/\/signal.org\/blog\/the-instagram-ads-you-will-never-see\/\">https:\/\/signal.org\/blog\/the-instagram-ads-you-will-never-see\/<\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">It is common to hear someone say: \u201cI do not care about privacy concerns. I do not have anything to hide\u201d\u2026 The quick answer you could provide, with a smile on your face: \u201cIf you do not have anything to hide, then you can give me your email password&#8230;\u201d. For sure he\/she will not, so EVERYONE has some information to protect.<\/p>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5486_4020776324\"><\/a>What is a Privacy Box<\/h2>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">What I call <\/span><span lang=\"en-GB\">Privacy Box<\/span><span lang=\"en-GB\"> is a <\/span><span lang=\"en-GB\">device that will provide privacy to your Internet <\/span><span lang=\"en-GB\">access. <\/span><span lang=\"en-GB\">Various tools are installed and configured within this device. 
It will<\/span> <span lang=\"en-GB\">block advertisements, through the Pi-hole application, across your whole network and for all kinds of devices, without having to install software on each one. With unbound we are going to have a validating, recursive, and caching DNS resolver locally. This means that our Internet Service Provider (ISP) will not see what we are searching for; domain name resolution will be local, and even faster, within our Raspberry Pi. Along with the previous tools we will also add WireGuard, a VPN server that will allow us a remote and secure connection to our network and continue to provide privacy when we are outside our local network.<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\">All these functionalities are going to be installed on a Raspberry Pi device in order to have it running 24&#215;7 at low cost.<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/Raspberry.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-553 aligncenter\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/Raspberry-300x213.png\" alt=\"\" width=\"300\" height=\"213\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/Raspberry-300x213.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/Raspberry.png 474w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p 
class=\"western\" lang=\"en-GB\">The main characteristics of the privacy box are:<\/p>\n<ul>\n<li class=\"western\" lang=\"en-GB\">Blocking unwanted content on all connected devices, without installing any client-side software (Pi-hole)<\/li>\n<li class=\"western\" lang=\"en-GB\">Network-wide protection (Pi-hole)<\/li>\n<li class=\"western\" lang=\"en-GB\">Improve network performance (Pi-hole)<\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: Open Sans, sans-serif;\">Secure open-source recursive DNS server for local resolution (unbound)<\/span><\/li>\n<li class=\"western\" lang=\"en-GB\">Network intruder detector (Pi.Alert)<\/li>\n<li class=\"western\" lang=\"en-GB\">Device monitoring (RPI-Monitor)<\/li>\n<li class=\"western\" lang=\"en-GB\">Secure and remote access through a VPN (WireGuard)<\/li>\n<\/ul>\n<p class=\"western\" lang=\"en-GB\">As a bonus track I have added a tutorial on how to set up a Raspberry Pi to host a password manager and how to access it from the Internet. I have chosen <b>Vaultwarden<\/b>, based on the well-known solution <b>Bitwarden<\/b>. Due to technical reasons, it is easier to run this server on another Raspberry Pi. You can try to set it up on the same device where you have Pi-hole, but I do not recommend it.<\/p>\n<p class=\"western\" lang=\"en-GB\">If you do not have enough technological knowledge to follow this guide and build this Privacy Box for yourself, ask a friend with more knowledge in technology (maybe a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Geek\">geek<\/a>) to help you set it up. Those of us who are techies love to help others. 
My aim has been to create a very simple tutorial, with step-by-step instructions, explaining the reason for each step so that we can understand what we are doing.<\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">Before starting, I would like to thank Mr.Smashy (<\/span><a href=\"https:\/\/twitter.com\/THESMASHY\">@THESMASHY<\/a><span lang=\"en-GB\">), who wrote a guide<\/span><sup><span lang=\"en-GB\">6<\/span><\/sup><span lang=\"en-GB\">, the origin and source of inspiration of this one.<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\"><b>Note <\/b><b>1<\/b><b>:<\/b> Commands are identified using a different text style framed within a grey box like this:<\/p>\n<pre class=\"western\" lang=\"en-GB\">$ls -l<\/pre>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">The command will start with a $ or # symbol. That means the command is executed without administrator privileges ($ symbol) or with administrator privileges (# symbol). To elevate privileges (from $ to #) we must run the \u2018sudo -s\u2019 command or start the command with sudo. In both cases you will need the administrator password. <\/span><span lang=\"en-GB\">Examples:<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo -s\r\n<span lang=\"en-GB\">#<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">Running the ls command with elevated privileges<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo ls -l<\/pre>\n<h1 class=\"western\" lang=\"en-GB\">Objective<\/h1>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">As I mentioned in the previous section, I am also going to show how to set up a password manager. 
<\/span><span lang=\"en-GB\">This tool will be installed on another Raspberry Pi device.<\/span><\/p>\n<h1 class=\"western\" lang=\"en-GB\">Requirements<\/h1>\n<p class=\"western\" lang=\"en-GB\">This is the list of requirements:<\/p>\n<ul>\n<li class=\"western\" lang=\"en-GB\">Raspberry Pi 3 Model B (or higher)<\/li>\n<li class=\"western\" lang=\"en-GB\">Computer to write the image and connect to the Raspberry to configure it<\/li>\n<li class=\"western\" lang=\"en-GB\">SD Card or USB memory stick (capacity: 16 GB or higher)<\/li>\n<li class=\"western\" lang=\"en-GB\">Internet connection<\/li>\n<li class=\"western\" lang=\"en-GB\">Basic knowledge of computers or have a geek friend on hand<\/li>\n<li class=\"western\" lang=\"en-GB\">Power supply<\/li>\n<li class=\"western\" lang=\"en-GB\">Curiosity<\/li>\n<li class=\"western\" lang=\"en-GB\">Time<\/li>\n<\/ul>\n<p class=\"western\" lang=\"en-GB\"><b>Note 1: <\/b>Regarding the computer, I have used my laptop with GNU\/Linux (Manjaro flavour) to write the image and connect to the Raspberry, so the commands you will see belong to the GNU\/Linux operating system. The remaining instructions are independent of the operating system you use. If you are a Windows or Mac user, you will easily find several alternatives on the Internet to write the image to the SD Card or USB stick and connect to the Raspberry.<\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\"><b>Note 2: <\/b><\/span><span lang=\"en-GB\">Should you choose an SD Card or a USB memory stick? People say the lifetime of an SD Card is shorter than that of a USB memory stick, so many people boot from the SD Card and use the USB memory stick (or even an SSD hard drive) to run the operating system. From Raspberry Pi 3 and up the operating system can be booted and run directly from the USB. 
In this manual I have added some tools to decrease the write cycles to the disk by using RAM. Which one to choose? There is no right answer... well, yes: <\/span><span lang=\"en-GB\"><b>MAKE REGULAR BACKUPS <\/b><\/span><span lang=\"en-GB\">to ensure you have a plan B for any incident related to the device.<\/span><\/p>\n<h1 class=\"western\"><a name=\"__RefHeading___Toc5090_3502121496\"><\/a><span lang=\"en-GB\">Setup of the Privacy Box<\/span><\/h1>\n<p class=\"western\" lang=\"en-GB\">This section explains how to set up Pi-hole and unbound plus other optional and recommended tools.<\/p>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3873_3431065437\"><\/a> <span lang=\"en-US\">Why I chose Debian instead of Raspbian or RaspberryPi OS<\/span><\/h2>\n<p class=\"western\" lang=\"en-GB\"><strong><span lang=\"en-US\">There are several reasons why I chose a Debian image instead of Raspbian or RaspberryPi OS. The main reason is freedom. 
Debian is a full GNU\/Linux flavour, with no commercial or proprietary software.<\/span><\/strong><\/p>\n<p class=\"western\" lang=\"en-GB\"><strong><span lang=\"en-US\">A second reason is the incident in which Raspbian modified its internal repository files without notification in February 2021<\/span><\/strong><strong><sup><span lang=\"en-US\">7,8,9<\/span><\/sup><\/strong><strong><span lang=\"en-US\">. A Microsoft repository pointing to a Microsoft server was added secretly, without any notification. The reason was to provide Visual Studio Code for some scenarios. This modification without consent crossed the boundaries of (my) trust and made me decide to move to a fully open-source distribution like Debian. If they changed this without notification, what could they do next time?<\/span><\/strong><\/p>\n<h2 class=\"western\" lang=\"en-US\">Identifying the device<\/h2>\n<p class=\"western\" lang=\"en-US\">First we have to check which Raspberry Pi model we have. If visual inspection leaves us unsure, we can do a \u00ablogical inspection\u00bb, asking the device through a command.<\/p>\n<p class=\"western\" lang=\"en-US\">Running the command below is the first option. 
The output will be the Raspberry Pi model<\/p>\n<pre class=\"western\" lang=\"en-US\">$cat \/proc\/device-tree\/model<\/pre>\n<p class=\"western\" lang=\"en-US\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-554\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP1.png\" alt=\"\" width=\"406\" height=\"38\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP1.png 406w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP1-300x28.png 300w\" sizes=\"auto, (max-width: 406px) 100vw, 406px\" \/><\/a> <br clear=\"left\" \/>If we have installed Raspbian as the operating system, we can run the following command to check the model. It returns information about our device:<\/p>\n<pre class=\"western\" lang=\"en-US\">$rev=$(awk '\/^Revision\/ { print $3 }' \/proc\/cpuinfo) &amp;&amp; curl -L \"perturb.org\/rpi?rev=$rev\"<\/pre>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-555 aligncenter\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP2.png\" alt=\"\" width=\"829\" height=\"127\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP2.png 829w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP2-300x46.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP2-768x118.png 768w\" sizes=\"auto, (max-width: 829px) 100vw, 829px\" \/><\/a><\/p>\n<h2 class=\"western\" lang=\"en-US\"><a name=\"__RefHeading___Toc3879_3431065437\"><\/a>Download and flash an image<\/h2>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">A Debian image for Raspberry Pi can be downloaded from: 
<\/span><a href=\"https:\/\/raspi.debian.net\/\">https:\/\/raspi.debian.net\/<\/a><span lang=\"en-US\">. For a production environment I would recommend using a Tested image<\/span><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-556\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP3.png\" alt=\"\" width=\"1891\" height=\"769\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP3.png 1891w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP3-300x122.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP3-1024x416.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP3-768x312.png 768w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP3-1536x625.png 1536w\" sizes=\"auto, (max-width: 1891px) 100vw, 1891px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-US\">Choose the (xz-compressed) image according to the hardware you have<\/p>\n<p class=\"western\" lang=\"en-US\">Locate where the file was downloaded and open a console session in that folder. Decompress the downloaded image using the following unxz command:<\/p>\n<pre class=\"western\" lang=\"en-US\">$unxz 20210823_raspi_3_bullseye.img.xz<\/pre>\n<p class=\"western\" lang=\"en-US\">You will get an img file. In my case 20210823_raspi_3_bullseye.img<\/p>\n<p class=\"western\" lang=\"en-US\">Plug an SD card or USB memory stick into your laptop and flash the image to the device with the following command (sdb is how the SD Card or USB has been identified. 
Check the device name in your case, because dd overwrites the target device)<\/p>\n<pre class=\"western\" lang=\"en-US\">$sudo dd bs=4M if=20210823_raspi_3_bullseye.img of=\/dev\/sdb conv=fdatasync status=progress<\/pre>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">If you have chosen to boot and run the operating system from the USB stick, you have to configure the device in order to boot from USB. Instructions for setting up boot from USB can be found on the Raspberry site<\/span><sup><span lang=\"en-US\">10<\/span><\/sup><\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">If you have a RaspberryPi 2 version 1.1 or lower you can only boot from SD, but you can then switch to the USB.<\/span><\/p>\n<h3 class=\"western\" lang=\"en-GB\"><strong><span lang=\"en-US\">Configuring remote access with SSH<\/span><\/strong><\/h3>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">The secure way to connect to your Raspberry Pi is through an SSH connection. This can be done in two ways:<\/span><\/p>\n<ol>\n<li>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">Using a login and password we set. This lets anyone who knows the user and password connect to the device from anywhere<\/span><\/p>\n<\/li>\n<li>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">Using an SSH key, which is more secure. Our public key is stored on the remote machine and a private key is stored on our machine. 
Both SSH keys are required to make a secure connection<\/span><\/p>\n<\/li>\n<\/ol>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">In this guide I will show you how to set up the second one.<\/span><\/p>\n<h3 class=\"western\" lang=\"en-GB\"><strong><span lang=\"en-US\">Enable SSH on Raspberry Pi in headless mode <\/span><\/strong><span lang=\"en-US\">without keys (easy way)<\/span><\/h3>\n<p class=\"western\" lang=\"en-US\">First we have to enable the SSH connection, which is disabled by default for security reasons.<\/p>\n<ol>\n<li>\n<p class=\"western\" lang=\"en-GB\"><strong><span lang=\"en-US\">Turn off the device and remove the card <\/span><\/strong><strong><span lang=\"en-US\">or USB stick<\/span><\/strong><\/p>\n<\/li>\n<li>\n<p class=\"western\" lang=\"en-GB\"><strong><span lang=\"en-US\">Put the microSD card in the card reader <\/span><\/strong><strong><span lang=\"en-US\">or USB stick into the <\/span><\/strong><strong><span lang=\"en-US\">computer<\/span><\/strong><\/p>\n<\/li>\n<li>\n<p class=\"western\" lang=\"en-GB\">Create an empty file called SSH inside the boot partition<\/p>\n<\/li>\n<\/ol>\n<h3 class=\"western\" lang=\"en-US\">Pre-configuration and enabling SSH remote connection using an SSH key<\/h3>\n<p class=\"western\" lang=\"en-GB\">We are going to generate SSH keys on our computer and copy the public key into sysconf.txt (raspifirm partition)<\/p>\n<pre class=\"western\" lang=\"en-GB\">$ssh-keygen -t rsa<\/pre>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-557\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP4.png\" alt=\"\" width=\"544\" height=\"347\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP4.png 544w, 
https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP4-300x191.png 300w\" sizes=\"auto, (max-width: 544px) 100vw, 544px\" \/><\/a><br clear=\"left\" \/>Edit sysconf.txt<span lang=\"en-US\">, uncomment the \u201c<\/span>root_authorized_key\u201d entry and paste the public key generated in the previous step (located in the id_rsa.pub file). We can also modify the hostname of the Raspberry (I have chosen Anuk)<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-558\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP5.png\" alt=\"\" width=\"753\" height=\"331\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP5.png 753w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP5-300x132.png 300w\" sizes=\"auto, (max-width: 753px) 100vw, 753px\" \/><\/a><br clear=\"left\" \/>Go to the RASPIROOT partition (that is its name) and set a static IP address by modifying the eth0 file located at the following path: <i>\/etc\/network\/interfaces.d\/eth0<\/i>. Set the IP address you want and the IP of the router gateway (192.168.1.1 in my case). 
As the DNS server we are going to set the Cloudflare one (1.1.1.1):<\/p>\n<pre class=\"western\" lang=\"en-GB\">iface eth0 inet static\r\n        <span lang=\"en-GB\">address 192.168.1.10<\/span>\r\n        <span lang=\"en-GB\">netmask 255.255.255.0<\/span>\r\n        <span lang=\"en-GB\">gateway 192.168.1.1<\/span>\r\n        <span lang=\"en-GB\">dns-nameservers 1.1.1.1<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">Create the file \/etc\/resolv.conf with the content:<\/p>\n<pre class=\"western\" lang=\"en-GB\">nameserver 1.1.1.1<\/pre>\n<p class=\"western\" lang=\"en-GB\">Put the SD Card or USB stick back into the Raspberry Pi and boot it.<\/p>\n<p class=\"western\" lang=\"en-GB\">Now we can try to connect to the Raspberry using the username root and the IP we set.<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">ssh root@192.168.1.10<\/span><\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-559\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP6.png\" alt=\"\" width=\"589\" height=\"190\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP6.png 589w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP6-300x97.png 300w\" sizes=\"auto, (max-width: 589px) 100vw, 589px\" \/><\/a><\/p>\n<h2 class=\"western\" lang=\"en-US\">Basic configurations<\/h2>\n<h3 class=\"western\" lang=\"en-US\">Setting the host name<\/h3>\n<p class=\"western\" lang=\"en-GB\">Set the hostname in the file \/etc\/hostname<\/p>\n<pre lang=\"en-GB\">#nano \/etc\/hostname<\/pre>\n<p class=\"western\" lang=\"en-GB\">and add a hostname entry to the hosts file <span lang=\"en-US\">(Anuk in my case)<\/span><\/p>\n<pre 
lang=\"en-GB\">#nano \/etc\/hosts<\/pre>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-563\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP7.png\" alt=\"\" width=\"454\" height=\"46\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP7.png 454w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP7-300x30.png 300w\" sizes=\"auto, (max-width: 454px) 100vw, 454px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">If you are using Raspbian, you can set the hostname through the <i>raspi-config <\/i>application<\/p>\n<h3 class=\"western\" lang=\"en-US\">Updating the system<\/h3>\n<p class=\"western\" lang=\"en-US\">Let\u2019s update the system to grab the latest updates<\/p>\n<pre class=\"western\" lang=\"en-US\">#apt update &amp;&amp; apt-get upgrade -y<\/pre>\n<p class=\"western\" lang=\"en-US\">Install some additional software we will need<\/p>\n<pre class=\"western\" lang=\"en-US\">#apt install sudo dnsutils gnupg wget curl git<\/pre>\n<h3 class=\"western\" lang=\"en-US\">Adding a non root user<\/h3>\n<p class=\"western\" lang=\"en-US\">Add a non root user and set a password for it<\/p>\n<pre class=\"western\" lang=\"en-US\">#adduser daniel<\/pre>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-564\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP8.png\" alt=\"\" width=\"461\" height=\"309\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP8.png 461w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP8-300x201.png 300w\" sizes=\"auto, (max-width: 461px) 100vw, 461px\" \/><\/a> <br clear=\"left\" \/>Add user 
to sudo and video groups<\/p>\n<pre class=\"western\" lang=\"en-US\">#adduser daniel video\r\n<span lang=\"en-US\">#adduser daniel sudo<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><strong>Attention:<\/strong> If we are using a Raspbian OS, the default user is \u2018pi\u2019. I recommend creating another user and, once the new one exists, removing the default one with the following commands:<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo pkill -u pi\r\n<span lang=\"en-GB\">$sudo deluser --remove-home pi<\/span><\/pre>\n<h3 lang=\"en-GB\"><span lang=\"en-GB\">Lock down the SSH service<\/span><\/h3>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">Edit the SSH config file. We recommend using the SSH keys generated previously and disabling password access<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">$sudo nano \/etc\/ssh\/sshd_config<\/span><\/pre>\n<p lang=\"en-GB\"><span lang=\"en-US\">Uncomment the lines shown in white in the following image<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-565\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP9.png\" alt=\"\" width=\"602\" height=\"492\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP9.png 602w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP9-300x245.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">and copy and paste the public key we generated previously.<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">$mkdir -p ~\/.ssh<\/span> \r\n<span lang=\"en-GB\"><span 
lang=\"en-US\">$nano ~\/.ssh\/authorized_keys<\/span><\/span><\/pre>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-566\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP10.png\" alt=\"\" width=\"718\" height=\"58\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP10.png 718w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP10-300x24.png 300w\" sizes=\"auto, (max-width: 718px) 100vw, 718px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">Save the changes and exit the editor. Restart SSH:<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">$sudo service ssh restart\r\n<\/span><\/pre>\n<p class=\"western\" lang=\"en-US\">Restart the networking service. We are going to be disconnected if we were connected through SSH.<\/p>\n<pre class=\"western\" lang=\"en-US\">$sudo service networking restart<\/pre>\n<p class=\"western\" lang=\"en-US\">If you have previously assigned this IP address, you will get this message<\/p>\n<p lang=\"en-US\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-567\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP11.png\" alt=\"\" width=\"668\" height=\"226\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP11.png 668w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP11-300x101.png 300w\" sizes=\"auto, (max-width: 668px) 100vw, 668px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-US\">Just delete the entry in your known hosts database:<\/p>\n<pre class=\"western\" 
lang=\"en-US\">$nano ~\/.ssh\/known_hosts<\/pre>\n<p class=\"western\" lang=\"en-US\">Log out of root and log in as the new user (daniel in my case)<\/p>\n<pre class=\"western\" lang=\"en-US\">$ssh daniel@192.168.1.10<\/pre>\n<p class=\"western\" lang=\"en-US\">Check IP configuration (static IP and DNS configuration)<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-568\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP12.png\" alt=\"\" width=\"825\" height=\"282\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP12.png 825w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP12-300x103.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP12-768x263.png 768w\" sizes=\"auto, (max-width: 825px) 100vw, 825px\" \/><\/a><\/p>\n<h3>Setting the time zone<\/h3>\n<p class=\"western\" lang=\"en-US\">Let\u2019s set our time zone. We can list all the available time zones with the command:<\/p>\n<pre class=\"western\" lang=\"en-US\">$timedatectl list-timezones<\/pre>\n<p class=\"western\" lang=\"en-US\">Choose the one that fits you best. 
In my case I chose Europe\/Madrid<\/p>\n<pre class=\"western\" lang=\"en-US\">$sudo timedatectl set-timezone Europe\/Madrid<\/pre>\n<p class=\"western\" lang=\"en-US\">Once set, I can retrieve the status with the following command:<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">$timedatectl status\r\n<\/span><\/pre>\n<p class=\"western\" lang=\"en-US\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-569\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP13.png\" alt=\"\" width=\"470\" height=\"138\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP13.png 470w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP13-300x88.png 300w\" sizes=\"auto, (max-width: 470px) 100vw, 470px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-US\">We are going to set the time automatically using NTP, which periodically synchronizes the date and time.<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">$sudo nano \/etc\/systemd\/timesyncd.conf\r\n<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">Set NTP to<\/span><span lang=\"en-US\"> \u201ctime.cloudflare.com\u201d <\/span><span lang=\"en-US\">and <\/span><span lang=\"en-US\">uncomment the FallbackNTP and PollIntervalMaxSec lines<\/span><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-570\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP14.png\" alt=\"\" width=\"800\" height=\"101\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP14.png 800w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP14-300x38.png 300w, 
https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP14-768x97.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<h3 class=\"western\" lang=\"en-GB\">Installing unattended upgrades package (recommended)<\/h3>\n<p class=\"western\" lang=\"en-US\"><span style=\"font-family: Open Sans, sans-serif;\">To have unattended upgrades, we need to install an additional package<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">$<\/span><span lang=\"en-US\">sudo apt install unattended-upgrades<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">The configuration of unattended upgrades is set <\/span><span lang=\"en-US\">inside this file:<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">$<\/span><span lang=\"en-US\">sudo nano \/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">You may want to update some settings. I recommend uncommenting \u201cUnattended-Upgrade::Remove-Unused-Dependencies\u201d and changing it to \u201ctrue\u201d. Save the file and exit.<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-571\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP15.png\" alt=\"\" width=\"486\" height=\"57\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP15.png 486w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP15-300x35.png 300w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">Basically, we commented out those types of upgrade we want to apply. The second-to-last line allows the system to email us the status. 
We must install mailutils or mailx first in Raspbian for the email notification to be effective. The last line allows the system to reboot automatically. Please also make sure that update-notifier-common has been installed.<\/span><\/p>\n<p lang=\"en-GB\"><span lang=\"en-US\">There are more options that we can set in the configuration file, such as the reboot time and the log file. Uncomment any option when necessary.<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">Create a periodic upgrade file <\/span><span lang=\"en-US\">with the following <\/span><span lang=\"en-US\">command<\/span><span lang=\"en-US\">:<\/span><\/p>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo <\/span><span lang=\"en-GB\">nano <\/span><tt><span lang=\"en-GB\">\/etc\/apt\/apt.conf.d\/02periodic<\/span><\/tt><\/pre>\n<p class=\"western\" lang=\"en-GB\"><tt><span style=\"font-family: Open Sans, sans-serif;\"><span lang=\"en-US\">And the following c<\/span><\/span><\/tt><tt><span style=\"font-family: Open Sans, sans-serif;\"><span lang=\"en-US\">ontent:<\/span><\/span><\/tt><\/p>\n<pre class=\"western\" lang=\"en-GB\">\/\/ Control parameters for cron jobs by \/etc\/cron.daily\/apt-compat \/\/\r\n\r\n\/\/ Enable the update\/upgrade script (0=disable)\r\nAPT::Periodic::Enable \"1\";\r\n\r\n\/\/ Do \"apt-get update\" automatically every n-days (0=disable)\r\nAPT::Periodic::Update-Package-Lists \"1\";\r\n\r\n\/\/ Do \"apt-get upgrade --download-only\" every n-days (0=disable)\r\nAPT::Periodic::Download-Upgradeable-Packages \"1\";\r\n\r\n\/\/ Run the \"unattended-upgrade\" security upgrade script\r\n\/\/ every n-days (0=disabled)\r\n\/\/ Requires the package \"unattended-upgrades\" and will write\r\n\/\/ a log in \/var\/log\/unattended-upgrades\r\nAPT::Periodic::Unattended-Upgrade \"1\";\r\n\r\n\/\/ Do \"apt-get autoclean\" every n-days (0=disable)\r\nAPT::Periodic::AutocleanInterval \"7\";\r\n\r\n\/\/ Send report mail to root\r\n\/\/ 0: no report (or null 
string)\r\n\/\/ 1: progress report (actually any string)\r\n\/\/ 2: + command outputs (remove -qq, remove 2&gt;\/dev\/null, add -d)\r\n\/\/ 3: + trace on\r\nAPT::Periodic::Verbose \"2\";\r\n<\/pre>\n<p><span lang=\"en-GB\">Check your unattended upgrades by running this command to debug your configuration:<\/span><\/p>\n<pre>$sudo unattended-upgrades -d<\/pre>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-572\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP16-1024x317.png\" alt=\"\" width=\"474\" height=\"147\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP16-1024x317.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP16-300x93.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP16-768x238.png 768w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP16.png 1253w\" sizes=\"auto, (max-width: 474px) 100vw, 474px\" \/><\/a><\/p>\n<h3 class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">Install<\/span><span lang=\"en-GB\">ing<\/span><span lang=\"en-GB\"> Fail2Ban <\/span><span lang=\"en-GB\">(<\/span><span lang=\"en-GB\">o<\/span><span lang=\"en-GB\">ptional<\/span><span lang=\"en-GB\">)<\/span><\/h3>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">Fail2ban <\/span><span lang=\"en-US\">is an intrusion prevention software <\/span><span lang=\"en-US\">designed to protect against brute-force attacks. 
<\/span><span lang=\"en-US\">First we need to install the package<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-US\">$sudo apt install fail2ban -y\r\n<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">Fail2ban will block an attacker\u2019s IP address for 10 minutes after 5 failed login attempts.<\/p>\n<p class=\"western\" lang=\"en-GB\"><strong><span lang=\"en-GB\">Note:<\/span><\/strong><span lang=\"en-GB\"> Fail2Ban installed from the repo<\/span><span lang=\"en-GB\">sitory<\/span><span lang=\"en-GB\"> will only provide security on the IPv4 <\/span><span lang=\"en-GB\">protocol<\/span><span lang=\"en-GB\">. If you want Fail2Ban to support IPv6, please look at this <\/span><a href=\"https:\/\/www.niih.de\/how-to-upgrade-fail2ban-to-support-ipv6\/\">guide<\/a><span lang=\"en-GB\">.<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\">The configuration of fail2ban is set in the following file:<\/p>\n<pre class=\"western\" lang=\"en-GB\"><a name=\"a3fa\"><\/a>\/etc\/fail2ban\/jail.conf<\/pre>\n<p class=\"western\" lang=\"en-GB\">If <span lang=\"en-US\">you make any config changes, restart the service via:<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><a name=\"4a12\"><\/a><span lang=\"en-US\">sudo service fail2ban restart<\/span><\/pre>\n<p lang=\"en-GB\"><span lang=\"en-US\">In <\/span><span lang=\"en-US\">order to recover access <\/span><\/p>\n<pre lang=\"en-GB\"><span lang=\"en-US\">$ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@your.vps.ip<\/span><\/pre>\n<h3 lang=\"en-GB\"><a name=\"__RefHeading___Toc3889_3431065437\"><\/a><span lang=\"en-GB\">I<\/span><span lang=\"en-GB\">nstall<\/span><span lang=\"en-GB\">ing<\/span><span lang=\"en-GB\"> a firewall (<\/span><span 
lang=\"en-GB\">o<\/span><span lang=\"en-GB\">ptional<\/span><span lang=\"en-GB\">)<\/span><\/h3>\n<h4><a name=\"__RefHeading___Toc3891_3431065437\"><\/a><a name=\"bc96\"><\/a> <span lang=\"en-GB\">Install the package<\/span><span lang=\"en-GB\">s<\/span><\/h4>\n<pre lang=\"en-GB\"><a name=\"3516\"><\/a><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo apt install ufw<\/span><\/pre>\n<h4><a name=\"__RefHeading___Toc3893_3431065437\"><\/a><span lang=\"en-GB\">Configuring the firewall<\/span><\/h4>\n<p lang=\"en-GB\"><a name=\"ee0c\"><\/a>Create your access list to the ports you need<\/p>\n<pre class=\"western\" lang=\"en-GB\"><a name=\"41a8\"><\/a>$sudo ufw allow 80\r\n<a name=\"41a81\"><\/a><span lang=\"en-GB\">$sudo ufw allow 443<\/span>\r\n<a name=\"41a82\"><\/a><span lang=\"en-GB\">$sudo ufw allow 53<\/span>\r\n<a name=\"41a83\"><\/a><span lang=\"en-GB\">$sudo ufw allow 8888<\/span>\r\n<a name=\"41a84\"><\/a><span lang=\"en-GB\">$sudo ufw allow 22<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><a name=\"0ca6\"><\/a>You can even be more restrictive with extended parameters on the rules, like SSH for example. 
You can allow access to port 22 only from your computer\u2019s IP address:<\/p>\n<pre lang=\"en-GB\"><a name=\"97ad\"><\/a><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo ufw allow from 192.168.1.120 to any port 22<\/span><\/pre>\n<h4 lang=\"en-GB\"><a name=\"__RefHeading___Toc3895_3431065437\"><\/a>Enabling the firewall<\/h4>\n<pre lang=\"en-GB\"><a name=\"7440\"><\/a><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo ufw enable<\/span><\/pre>\n<p lang=\"en-GB\"><a name=\"5d13\"><\/a>To show rules once the firewall is enabled, run the following command:<\/p>\n<pre lang=\"en-GB\"><a name=\"c700\"><\/a><span lang=\"en-GB\">sudo ufw status verbose<\/span><\/pre>\n<h3 lang=\"en-GB\"><span lang=\"en-GB\">I<\/span><span lang=\"en-GB\">nstall<\/span><span lang=\"en-GB\">ing<\/span><span lang=\"en-GB\"> log2ram <\/span><span lang=\"en-GB\">to <\/span><span lang=\"en-GB\">extend SSD life <\/span><span lang=\"en-GB\">(recommended)<\/span><\/h3>\n<p lang=\"en-GB\"><span lang=\"en-GB\">SSD disks, SD cards and USB sticks all use solid-state memory, whose life span is determined mainly by write cycles (the number of times we write something to the disk). To reduce the number of writes to this memory, we can redirect the writing of the system logs to RAM using log2ram. To do that we have to install the log2ram application. <\/span><\/p>\n<p lang=\"en-GB\" align=\"left\">First we need to force a log reduction before starting to use log2ram<\/p>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">$sudo journalctl --vacuum-size=16M<\/span><\/pre>\n<p lang=\"en-GB\"><span lang=\"en-GB\">Let\u2019s add <\/span><span lang=\"en-GB\">the repository <\/span><span lang=\"en-GB\">from which we are going to install the application, <\/span><span lang=\"en-GB\">and its key. 
<\/span><span lang=\"en-GB\">Please check the Debian release you are using (bullseye in my case)<\/span><\/p>\n<pre lang=\"en-GB\"><a name=\"1c481\"><\/a><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo echo \"deb <\/span><a href=\"http:\/\/packages.azlux.fr\/debian\/\">http:\/\/packages.azlux.fr\/debian\/<\/a><span lang=\"en-GB\"> bullseye main\" | sudo tee \/etc\/apt\/sources.list.d\/azlux.list<\/span>\r\n<span lang=\"en-GB\">$sudo wget -qO - <a href=\"https:\/\/azlux.fr\/repo.gpg.key\">https:\/\/azlux.fr\/repo.gpg.key<\/a> | sudo apt-key add -<\/span><\/pre>\n<p lang=\"en-GB\">Let\u2019s update the package database and install the application.<\/p>\n<pre lang=\"en-GB\">$sudo apt-get update\r\n<span lang=\"en-GB\">$sudo apt install log2ram -y<\/span><\/pre>\n<p lang=\"en-GB\"><a name=\"296c\"><\/a><span lang=\"en-GB\">Once installed we need a r<\/span><span lang=\"en-GB\">eboot<\/span><\/p>\n<pre lang=\"en-GB\"><a name=\"242a\"><\/a><span lang=\"en-GB\">$sudo reboot<\/span><\/pre>\n<h4 lang=\"en-GB\"><a name=\"__RefHeading___Toc3899_3431065437\"><\/a><a name=\"12b2\"><\/a>Configuring log2ram<\/h4>\n<p lang=\"en-GB\">We need to configure log2ram to increase the size<\/p>\n<pre lang=\"en-GB\"><a name=\"8815\"><\/a><span lang=\"en-GB\">$sudo nano \/etc\/log2ram.conf<\/span><\/pre>\n<p lang=\"en-GB\"><a name=\"9336\"><\/a>Increase the SIZE parameter to 128MB, disable the mail notification and increase the LOG_DISK_SIZE to 200M. 
Save and exit.<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-577\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP17.png\" alt=\"\" width=\"694\" height=\"552\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP17.png 694w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP17-300x239.png 300w\" sizes=\"auto, (max-width: 694px) 100vw, 694px\" \/><\/a><br clear=\"left\" \/>Restart log2ram<\/p>\n<pre lang=\"en-GB\"><a name=\"f10a\"><\/a><span lang=\"en-GB\">$sudo service log2ram restart<\/span><\/pre>\n<p lang=\"en-GB\"><a name=\"e4e4\"><\/a>And check that log2ram is running.<\/p>\n<pre class=\"western\" lang=\"en-GB\"><a name=\"470f\"><\/a><span lang=\"en-GB\">$df -h<\/span><\/pre>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-578\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP18.png\" alt=\"\" width=\"427\" height=\"193\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP18.png 427w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP18-300x136.png 300w\" sizes=\"auto, (max-width: 427px) 100vw, 427px\" \/><\/a><\/p>\n<h3 lang=\"en-GB\"><span lang=\"en-GB\">Installing a DDNS service (<\/span><span lang=\"en-GB\">in case <\/span><span lang=\"en-GB\">you do not have <\/span><span lang=\"en-GB\">a <\/span><span lang=\"en-GB\">static IP address)<\/span><\/h3>\n<p lang=\"en-GB\"><span lang=\"en-GB\">To access your network from outside through a VPN (Wire<\/span><span lang=\"en-GB\">G<\/span><span lang=\"en-GB\">uard) you will need to know the public IP address of your local network (or an associated domain name). 
Usually this IP address is dynamic and can change. Static IP addresses are limited in number and are more expensive. One solution is to use a DDNS service. This service provides a free domain that will point to a public IP address. A script will periodically send my public IP to this service, so if my IP changes, the domain will point to the new IP.<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">If you have a static public IP address, you can skip this step. I will use <\/span><a href=\"https:\/\/www.duckdns.org\/\">duckdns<\/a><span lang=\"en-GB\">. They have detailed instructions and provide scripts to install on several devices, including the Raspberry Pi.<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP19.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-579\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP19.png\" alt=\"\" width=\"1492\" height=\"1033\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP19.png 1492w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP19-300x208.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP19-1024x709.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP19-768x532.png 768w\" sizes=\"auto, (max-width: 1492px) 100vw, 1492px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><span lang=\"en-GB\">In our case we are going to create the cron job with the sudo <\/span><span lang=\"en-GB\">command and execute the script at 5 minutes past every hour. I think it is enough to update every hour and not every 5 minutes. 
My script has <\/span><span lang=\"en-GB\">xiuxiueig.sh<\/span><span lang=\"en-GB\"> as its name since I will be adding more scripts.<\/span><\/p>\n<pre lang=\"en-GB\">$sudo crontab -e<\/pre>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">This is how the crontab looks<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-580\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP20.png\" alt=\"\" width=\"561\" height=\"71\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP20.png 561w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP20-300x38.png 300w\" sizes=\"auto, (max-width: 561px) 100vw, 561px\" \/><\/a><br clear=\"left\" \/><span lang=\"en-GB\">With crontab guru you can play with different combinations: <\/span><a href=\"https:\/\/crontab.guru\/\">https:\/\/crontab.guru\/<\/a><\/p>\n<h2 class=\"western\" lang=\"en-GB\">Installing and configuring Pi-hole<\/h2>\n<p class=\"western\" lang=\"en-GB\"><a name=\"3572\"><\/a>Now that the system is configured and secured, we can install Pi-hole. 
The install process is very simple: we just have to execute the following command, and the downloaded script will start installing the application:<\/p>\n<pre class=\"western\" lang=\"en-GB\"><a name=\"4b72\"><\/a><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo curl -sSL https:\/\/install.pi-hole.net | bash<\/span><\/pre>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-581\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP21.png\" alt=\"\" width=\"687\" height=\"788\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP21.png 687w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP21-262x300.png 262w\" sizes=\"auto, (max-width: 687px) 100vw, 687px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><a name=\"d1f9\"><\/a>After some checks, you\u2019ll be greeted with the install screen:<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP22.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-582\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP22.png\" alt=\"\" width=\"572\" height=\"365\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP22.png 572w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP22-300x191.png 300w\" sizes=\"auto, (max-width: 572px) 100vw, 572px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Remember to give a donation to the project if you find it useful (I did)<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP23.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-583\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP23.png\" alt=\"\" width=\"571\" 
height=\"360\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP23.png 571w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP23-300x189.png 300w\" sizes=\"auto, (max-width: 571px) 100vw, 571px\" \/><\/a> <br clear=\"left\" \/><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP24.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-584\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP24.png\" alt=\"\" width=\"570\" height=\"358\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP24.png 570w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP24-300x188.png 300w\" sizes=\"auto, (max-width: 570px) 100vw, 570px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP25.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-585\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP25.png\" alt=\"\" width=\"569\" height=\"358\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP25.png 569w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP25-300x189.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">I recommend to select all the third-party list listed. 
We can add additional sources later.<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP26.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-586\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP26.png\" alt=\"\" width=\"569\" height=\"358\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP26.png 569w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP26-300x189.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Choose the protocols you have in your network<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP27.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-587\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP27.png\" alt=\"\" width=\"567\" height=\"357\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP27.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP27-300x189.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP28.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-588\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP28.png\" alt=\"\" width=\"569\" height=\"359\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP28.png 569w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP28-300x189.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Ensure you have a IP reservation for your raspberry<\/p>\n<p class=\"western\" lang=\"en-GB\"><a 
href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP29.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-589\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP29.png\" alt=\"\" width=\"569\" height=\"358\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP29.png 569w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP29-300x189.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/a><br clear=\"left\" \/>I recommend installing the web interface<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP30.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-590\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP30.png\" alt=\"\" width=\"567\" height=\"356\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP30.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP30-300x188.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Leave logging enabled<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP31.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-591\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP31.png\" alt=\"\" width=\"567\" height=\"356\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP31.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP31-300x188.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a> <br clear=\"left\" \/><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP32.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-592\" 
src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP32.png\" alt=\"\" width=\"567\" height=\"356\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP32.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP32-300x188.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">When the installation is complete you will get a final screen with some important info. Save this information to access to the Pi-hole server:<br \/>\n<a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP33.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-593\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP33.png\" alt=\"\" width=\"567\" height=\"356\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP33.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP33-300x188.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Save the admin webpage password in your password manager for now, it should be changed later.<\/p>\n<p class=\"western\" lang=\"en-GB\"><a name=\"cfd5\"><\/a><span style=\"font-family: Open Sans, sans-serif;\"><span lang=\"en-GB\">This same info is displayed once you return to the shell, note the command to change the web admin password<\/span><\/span><span lang=\"en-GB\"> (<\/span><span lang=\"en-GB\">pihole -a -p<\/span><span lang=\"en-GB\">)<\/span><br clear=\"left\" \/><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP34.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-594\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP34.png\" alt=\"\" width=\"658\" height=\"370\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP34.png 658w, 
https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP34-300x169.png 300w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/a><\/p>\n<h4 class=\"western\"><a name=\"__RefHeading___Toc3905_3431065437\"><\/a><span lang=\"en-GB\">Tweaking<\/span><span lang=\"en-GB\"> Pi-<\/span><span lang=\"en-GB\">h<\/span><span lang=\"en-GB\">ole<\/span><\/h4>\n<p lang=\"en-GB\"><span lang=\"en-GB\">To change the privacy settings of the <\/span><span lang=\"en-GB\">P<\/span><span lang=\"en-GB\">i-hole application, we have to edit the following file:<\/span><\/p>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo nano \/etc\/pihole\/pihole-FTL.conf <\/span><\/pre>\n<p lang=\"en-GB\"><span lang=\"en-GB\">Set the privacy level and the days to store the queries in the database.<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">#Which privacy level is used? More info: <\/span><a href=\"https:\/\/docs.pi-hole.net\/ftldns\/privacylevels\/\">https:\/\/docs.pi-hole.net\/ftldns\/privacylevels\/<\/a>\r\n<span lang=\"en-GB\">PRIVACYLEVEL=0<\/span>\r\n<span lang=\"en-GB\">#How long should queries be stored in the database? Setting this to 0 disables the database. Default 365<\/span>\r\n<span lang=\"en-GB\">MAXDBDAYS=30<\/span><\/pre>\n<h2 class=\"western\" lang=\"en-GB\">Installing Unbound<\/h2>\n<h3 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3909_3431065437\"><\/a> <span lang=\"en-GB\">Enhancing Pi-<\/span><span lang=\"en-GB\">h<\/span><span lang=\"en-GB\">ole Security <\/span><span lang=\"en-GB\">(optional if we are not fine with Cloudflare DNS)<\/span><\/h3>\n<p class=\"western\" lang=\"en-GB\">So now we have a working Pi-hole, but it has minimal blocking and just forwards lookups to Google DNS. We can change our upstream DNS provider, but that is just changing who we trust with our DNS. What if we don\u2019t trust anyone? 
We can install Unbound and resolve DNS ourselves using root servers to recursively resolve DNS names. A more in-depth explanation of how this works can be found here: <a href=\"https:\/\/docs.pi-hole.net\/guides\/dns\/unbound\/\">https:\/\/docs.pi-hole.net\/guides\/dns\/unbound\/<\/a> but essentially Unbound will look up a DNS query by asking TLD servers for DNS in a recursive manner. The benefit is more security; you do not have to trust an upstream provider with your DNS traffic. The drawback is performance for the initial lookup, as the servers have to be traversed and this takes time. Pi-hole and Unbound can both be configured with caching, which will help mitigate this for subsequent lookups.<\/p>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo apt install unbound -<\/span><span lang=\"en-GB\">y<\/span>\r\n<span lang=\"en-GB\">$wget <a href=\"https:\/\/www.internic.net\/domain\/named.root\">https:\/\/www.internic.net\/domain\/named.root<\/a> -qO- | sudo tee \/var\/lib\/unbound\/root.hints<\/span><\/pre>\n<h3 lang=\"en-GB\"><a name=\"__RefHeading___Toc3911_3431065437\"><\/a><a name=\"b076\"><\/a><span lang=\"en-GB\">Creat<\/span><span lang=\"en-GB\">ing<\/span> <span lang=\"en-GB\">a<\/span><span lang=\"en-GB\"> configuration for Pi-<\/span><span lang=\"en-GB\">h<\/span><span lang=\"en-GB\">ole<\/span><\/h3>\n<pre class=\"western\" lang=\"en-GB\"><a name=\"66ff\"><\/a><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo nano \/etc\/unbound\/unbound.conf.d\/pi-hole.conf<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><a name=\"d1f8\"><\/a><span style=\"font-family: Open Sans, sans-serif;\">Paste this configuration into the file. It is different from the one in Pi-hole\u2019s documentation. 
It includes a caching configuration that will improve performance.<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">server:\r\n    # If no logfile is specified, syslog is used\r\n    # logfile: \"\/var\/log\/unbound\/unbound.log\"\r\n    verbosity: 0\r\n\r\n    interface: 127.0.0.1\r\n    port: 5335\r\n    do-ip4: yes\r\n    do-udp: yes\r\n    do-tcp: yes\r\n\r\n    # May be set to yes if you have IPv6 connectivity\r\n    do-ip6: no\r\n\r\n    # You want to leave this to no unless you have *native* IPv6. With 6to4 and\r\n    # Teredo tunnels your web browser should favor IPv4 for the same reasons\r\n    prefer-ip6: no\r\n\r\n    # Use this only when you downloaded the list of primary root servers!\r\n    # If you use the default dns-root-data package, unbound will find it automatically\r\n    root-hints: \"\/var\/lib\/unbound\/root.hints\"\r\n\r\n    # Trust glue only if it is within the server's authority\r\n    harden-glue: yes\r\n\r\n    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS\r\n    harden-dnssec-stripped: yes\r\n\r\n    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes\r\n    # see https:\/\/discourse.pi-hole.net\/t\/unbound-stubby-or-dnscrypt-proxy\/9378 for further details\r\n    use-caps-for-id: no\r\n\r\n    # Reduce EDNS reassembly buffer size.\r\n    # Suggested by the unbound man page to reduce fragmentation reassembly problems\r\n    edns-buffer-size: 1472\r\n\r\n    # Perform prefetching of close to expired message cache entries\r\n    # This only applies to domains that have been frequently queried\r\n    # This refreshes expiring cache entries if they have been accessed with\r\n    # less than 10% of their TTL remaining\r\n    prefetch: yes\r\n\r\n    # This attempts to reduce latency by serving the outdated record before\r\n    # updating it instead of the other way around. Alternative is to increase\r\n    # cache-min-ttl to e.g. 
3600.\r\n    cache-min-ttl: 0\r\n    serve-expired: yes\r\n    # I had best success leaving this next entry unset.\r\n    # serve-expired-ttl: 3600 # 0 or not set means unlimited (I think)\r\n\r\n    # Use about 2x more for rrset cache, total memory use is about 2-2.5x\r\n    # total cache size. Current setting is way overkill for a small network.\r\n    # Judging from my used cache size you can get away with 8\/16 and still\r\n    # have lots of room, but I've got the ram and I'm not using it on anything else.\r\n    # Default is 4m\/4m\r\n    msg-cache-size: 128m\r\n    rrset-cache-size: 256m\r\n\r\n    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.\r\n    num-threads: 1\r\n\r\n    # Ensure kernel buffer is large enough to not lose messages in traffic spikes\r\n    so-rcvbuf: 1m\r\n\r\n    # Ensure privacy of local IP ranges\r\n    private-address: 192.168.0.0\/16\r\n    private-address: 169.254.0.0\/16\r\n    private-address: 172.16.0.0\/12\r\n    private-address: 10.0.0.0\/8\r\n    private-address: fd00::\/8\r\n    private-address: fe80::\/10\r\n\r\n# To get unbound stats (sudo unbound-control stats_noreset)\r\nremote-control:\r\n    control-enable: yes\r\n<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">Let\u2019s check the Unbound configuration:<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo unbound-checkconf<\/pre>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP35.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-595\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP35.png\" alt=\"\" width=\"475\" height=\"39\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP35.png 475w, 
https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP35-300x25.png 300w\" sizes=\"auto, (max-width: 475px) 100vw, 475px\" \/><\/a><br clear=\"left\" \/>Last step: restart the service.<\/p>\n<pre lang=\"en-GB\"><a name=\"f2e9\"><\/a><span lang=\"en-GB\">$sudo service unbound restart<\/span><\/pre>\n<h3 lang=\"en-GB\"><a name=\"__RefHeading___Toc3917_3431065437\"><\/a>Testing Unbound<\/h3>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">Now we are going to test Unbound by measuring the time it takes to resolve a domain, coneixement.info in this example.<\/span><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP36.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-597\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP36.png\" alt=\"\" width=\"671\" height=\"374\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP36.png 671w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP36-300x167.png 300w\" sizes=\"auto, (max-width: 671px) 100vw, 671px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">As you can see, the time decreases in the second test, since Unbound has a cache.<\/p>\n<h4 class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP37.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-598\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP37.png\" alt=\"\" width=\"552\" height=\"375\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP37.png 552w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP37-300x204.png 300w\" sizes=\"auto, (max-width: 552px) 100vw, 552px\" \/><\/a> <br clear=\"left\" \/><a name=\"__RefHeading___Toc3919_34310654371\"><\/a> Keeping unbound 
updated<\/h4>\n<p class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3919_3431065437\"><\/a><a name=\"fef0\"><\/a> Let\u2019s set up a cron job to keep Unbound\u2019s root hints updated.<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$sudo crontab -e<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">Add a new line at the end and paste the following:<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">01 02 03 *\/4 * wget -N -q -O \/var\/lib\/unbound\/root.hints <\/span><a href=\"https:\/\/www.internic.net\/domain\/named.root\">https:\/\/www.internic.net\/domain\/named.root<\/a><\/pre>\n<p class=\"western\" lang=\"en-GB\"><a name=\"8a86\"><\/a>Save and exit.<\/p>\n<p class=\"western\" lang=\"en-GB\"><span style=\"color: #000000;\">The -O option must be followed by the path where the file is stored. The -N option only updates the file if the remote file is newer than the one you have, although wget ignores -N when it is combined with -O, so the file is downloaded on every run. The -q option keeps wget quiet so it doesn&#8217;t dump a bunch of output in your logs needlessly.<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\"><span style=\"color: #000000;\">The update will be done at 02:01 on day-of-month 3 every 4 months. I think it is not necessary to update more often.<\/span><\/p>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5546_2402385239\"><\/a> Keeping Pi-hole updated (optional)<\/h2>\n<p class=\"western\" lang=\"en-GB\"><a name=\"fef01\"><\/a><span lang=\"en-GB\">Let\u2019s set up a cron job to keep Pi-hole updated. 
<\/span><span lang=\"en-GB\">To keep Pi-hole updated, we have to run the \u2018pihole -up\u2019 command periodically.<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$sudo crontab -e<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><a name=\"12721\"><\/a>Paste the following to update every Sunday at 2:30 AM:<\/p>\n<pre class=\"western\" lang=\"en-GB\">30 2 * * SUN pihole -up<\/pre>\n<p class=\"western\" lang=\"en-GB\"><strong><span lang=\"en-GB\">Warning: <\/span><\/strong><span lang=\"en-GB\">The Pi-hole team does not recommend updating Pi-hole via cron jobs. Be aware that with the previous configuration your server will update Pi-hole every Sunday via cron, so stay up to date on the patch notes. If there is a major change and you don\u2019t want to update, run \u2018sudo crontab -e\u2019 again and comment out the line that updates Pi-hole (place a # before the line).<\/span><\/p>\n<h3 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3923_3431065437\"><\/a> Configuring Pi-hole to use Unbound<\/h3>\n<p class=\"western\" lang=\"en-GB\"><a name=\"05a4\"><\/a><span lang=\"en-GB\">Log in to your Pi-hole admin page at <\/span><a href=\"http:\/\/pi.hole\/admin\">http:\/\/pi.hole\/admin<\/a><span lang=\"en-GB\"> and use the password you saved from the install. Navigate to Settings, and click on the DNS tab. 
Uncheck the upstream DNS servers that are checked, then check Custom 1 and enter 127.0.0.1#5335. Click the Save button at the bottom of the page.<\/span><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP38.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-599\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP38.png\" alt=\"\" width=\"904\" height=\"323\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP38.png 904w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP38-300x107.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP38-768x274.png 768w\" sizes=\"auto, (max-width: 904px) 100vw, 904px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">As names are queried, initial performance will be slow, but it will quickly improve because of the caching nature of Pi-hole and the cache that has been configured for Unbound. 
Here is an example:<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP39.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-600\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP39.png\" alt=\"\" width=\"597\" height=\"734\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP39.png 597w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP39-244x300.png 244w\" sizes=\"auto, (max-width: 597px) 100vw, 597px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP40.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-601\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP40.png\" alt=\"\" width=\"595\" height=\"382\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP40.png 595w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP40-300x193.png 300w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">If we log in to the web interface, we will see some statistics.<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP41.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-602\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP41.png\" alt=\"\" width=\"1289\" height=\"613\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP41.png 1289w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP41-300x143.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP41-1024x487.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP41-768x365.png 768w\" sizes=\"auto, (max-width: 1289px) 100vw, 1289px\" \/><\/a><\/p>\n<p class=\"western\" 
lang=\"en-GB\">And here is how the number of blocked queries increases over time:<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP42.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-603\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP42.png\" alt=\"\" width=\"1259\" height=\"479\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP42.png 1259w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP42-300x114.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP42-1024x390.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP42-768x292.png 768w\" sizes=\"auto, (max-width: 1259px) 100vw, 1259px\" \/><\/a><\/p>\n<h2 class=\"western\" lang=\"en-GB\">Improving our Blocklists (Blacklist, Adlist and Whitelist)<\/h2>\n<p class=\"western\" lang=\"en-GB\">I strongly recommend deciding which kinds of content you want to block (advertising, telemetry, parental control, NSFW, malware domains, etc.) and adding lists from each category. Pi-hole comes out of the box with an optional blocklist (if we selected it during the installation process). This list is maintained and updated regularly. If we want to add more blocklists, we can check several sources. 
<a href=\"https:\/\/firebog.net\/\">Firebog<\/a> (The Big Blocklist Collection) is the main reference for blocklists, where we can find several lists separated into categories:<\/p>\n<ul>\n<li class=\"western\" lang=\"en-GB\">Suspicious<\/li>\n<li class=\"western\" lang=\"en-GB\">Advertising<\/li>\n<li class=\"western\" lang=\"en-GB\">Tracking &amp; Telemetry<\/li>\n<li class=\"western\" lang=\"en-GB\">Malicious<\/li>\n<li class=\"western\" lang=\"en-GB\">Other<\/li>\n<\/ul>\n<p class=\"western\" lang=\"en-GB\">We can start by adding one to three lists from each category we are interested in blocking, but before adding sources, read the notes about each list on the Firebog page. To add a new list, log in to the Pi-hole web interface, go to the Adlists option and paste the list URL.<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP43.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-604\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP43.png\" alt=\"\" width=\"1240\" height=\"738\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP43.png 1240w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP43-300x179.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP43-1024x609.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP43-768x457.png 768w\" sizes=\"auto, (max-width: 1240px) 100vw, 1240px\" \/><\/a> <br clear=\"left\" \/>If the list has been successfully added, a message like this will appear:<a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP44.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-605 aligncenter\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP44.png\" alt=\"\" width=\"235\" height=\"109\" \/><\/a>In case we have added 
this list previously, it will be ignored and a warning message like this will appear:<a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP45.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-606 aligncenter\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP45.png\" alt=\"\" width=\"242\" height=\"125\" \/><\/a>Once we have added all the lists, we have to update the internal database to apply the new blocklists. This can be done by running \u2018pihole -g\u2019 at the command line or through the web interface, by clicking the update button under \u2018Update Gravity\u2019.<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP46.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-607\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP46.png\" alt=\"\" width=\"864\" height=\"667\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP46.png 864w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP46-300x232.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP46-768x593.png 768w\" sizes=\"auto, (max-width: 864px) 100vw, 864px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">This will take a while. Be patient. 
As the screen says, do not navigate away from or close the page.<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP47.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-608\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP47.png\" alt=\"\" width=\"997\" height=\"308\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP47.png 997w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP47-300x93.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP47-768x237.png 768w\" sizes=\"auto, (max-width: 997px) 100vw, 997px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Wait until a success message appears.<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP48.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-609\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP48.png\" alt=\"\" width=\"1005\" height=\"139\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP48.png 1005w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP48-300x41.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP48-768x106.png 768w\" sizes=\"auto, (max-width: 1005px) 100vw, 1005px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Remember: \u201cMore is not always better\u201d. 
If you add too many lists, you will get <a href=\"https:\/\/en.wikipedia.org\/wiki\/False_positives_and_false_negatives\">false positives<\/a>, which means you will run into trouble while browsing the Internet, with some services becoming inaccessible, unreachable or not fully functional.<\/p>\n<p class=\"western\" lang=\"en-GB\">Some domains should be added to the Whitelist to avoid malfunctions or trouble while browsing.<\/p>\n<p class=\"western\" lang=\"en-GB\">You can also add domains to the Blacklist or Whitelist (Domains menu). Here is an example of enabled domains:<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP49.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-610\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP49.png\" alt=\"\" width=\"1245\" height=\"854\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP49.png 1245w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP49-300x206.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP49-1024x702.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP49-768x527.png 768w\" sizes=\"auto, (max-width: 1245px) 100vw, 1245px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">For example, if you have problems with Gmail icons (they do not appear), you should add the domain gstaticadssl.l.google.com to the whitelist.<\/p>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5532_3798494860\"><\/a> Removing existing blocklists<\/h2>\n<p class=\"western\" lang=\"en-GB\">To remove all the existing blocklists, we have to run this command:<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo sqlite3 \/etc\/pihole\/gravity.db \"DELETE FROM adlist\"<\/pre>\n<h3 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5506_3798494860\"><\/a>Backup Pi-hole configuration<\/h3>\n<p class=\"western\" 
lang=\"en-GB\">After all this tuning, I recommend making a backup. This can be done through the web interface, by creating a file (steps 1 to 3) that can be imported (4) in the same client or another Pi-hole, saving configuration time:<\/p>\n<h3 class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP50.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-611\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP50.png\" alt=\"\" width=\"1232\" height=\"637\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP50.png 1232w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP50-300x155.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP50-1024x529.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP50-768x397.png 768w\" sizes=\"auto, (max-width: 1232px) 100vw, 1232px\" \/><\/a><\/h3>\n<h3 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5508_3798494860\"><\/a> Additional functionalities<\/h3>\n<p class=\"western\" lang=\"en-GB\">Here&#8217;s a list of some of the additional things Pi-hole can do:<\/p>\n<ul>\n<li class=\"western\" lang=\"en-GB\">Using Pi-hole as our DHCP server<\/li>\n<li class=\"western\" lang=\"en-GB\">Managing clients and groups<\/li>\n<li class=\"western\" lang=\"en-GB\">Disabling blocking<\/li>\n<li class=\"western\" lang=\"en-GB\">Reviewing the query log, with the option to add domains to or remove them from the blacklist or whitelist<\/li>\n<\/ul>\n<h1 class=\"western\"><span lang=\"en-GB\">Installing WireGuard (light, secure and fast VPN)<\/span><\/h1>\n<p class=\"western\" lang=\"en-GB\">A light, secure and fast VPN Server to allow remote and secure access.<\/p>\n<h2 class=\"western\" lang=\"en-GB\"><a 
name=\"__RefHeading___Toc3931_3431065437\"><\/a> Introduction<\/h2>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface. It aims for better performance and more power than other VPN servers like IPsec and OpenVPN. (From Wikipedia :-))<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">To install the most recent version of WireGuard, we\u2019ll need packages from the Debian unstable release. Add the Debian unstable release, and <\/span><a href=\"https:\/\/wiki.debian.org\/AptConfiguration\">pin the Debian unstable priority behind Raspbian stable<\/a><span lang=\"en-GB\">. This allows us to install packages that are not available in Debian stable, while keeping the \u201cstable\u201d versions of everything else.<\/span><\/p>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5443_917097692\"><\/a> Configuring repositories<\/h2>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">By default, Raspbian doesn\u2019t trust the Debian package repository. 
<\/span><span lang=\"en-GB\">We need to add Debian\u2019s public keys to the trusted set of keys.<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$sudo apt-key adv --keyserver http:\/\/p80.pool.sks-keyservers.net:80 --recv-keys 04EE7237B7D453EC 648ACFD622F3D138<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">And<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo sh -c \"echo 'deb http:\/\/deb.debian.org\/debian\/ unstable main' &gt;&gt; \/etc\/apt\/sources.list.d\/unstable.list\"<\/pre>\n<p class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3935_3431065437\"><\/a><span lang=\"en-GB\">And prevent the RPi from using the Debian distro for normal Raspbian packages, to avoid conflicts.<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo sh -c \"printf 'Package: *\\nPin: release a=unstable\\nPin-Priority: 90\\n' &gt;&gt; \/etc\/apt\/preferences.d\/limit-unstable\"<\/pre>\n<p class=\"western\" lang=\"en-GB\">And<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$wget -O - https:\/\/ftp-master.debian.org\/keys\/archive-key-$(lsb_release -sr).asc | sudo apt-key add -<\/span><\/pre>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3937_3431065437\"><\/a><strong><span lang=\"en-GB\">Installing applications<\/span><\/strong><\/h2>\n<p lang=\"en-GB\"><span lang=\"en-GB\">We need some additional packages alongside WireGuard, so let\u2019s update the package database first:<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo apt-get update<\/pre>\n<p lang=\"en-GB\">And <span lang=\"en-GB\">install all the packages needed.<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo apt-get install wireguard wireguard-dkms wireguard-tools linux-headers-$(uname -r) qrencode<\/pre>\n<p 
class=\"western\" lang=\"en-GB\">Note: If you are using Raspbian, you will need the kernel headers:<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo apt-get install raspberrypi-kernel-headers<\/pre>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3939_3431065437\"><\/a><a name=\"set-up-and-configure-the-wireguard-vpn-server\"><\/a> Setting Up and Configuring the WireGuard VPN Server<\/h2>\n<p class=\"western\" lang=\"en-GB\">We are going to configure access for two clients: a phone and a laptop.<\/p>\n<h3 class=\"western\" lang=\"en-GB\">Generating security keys<\/h3>\n<p class=\"western\" lang=\"en-GB\">To ensure that not just anyone gets access to our network, and to ensure a secure connection, we&#8217;ll first need to generate a set of public\/private key pairs with the following commands (execute them one line at a time on your RPi):<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo su -<\/span><\/pre>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">#<\/span><span lang=\"en-GB\">cd \/etc\/wireguard<\/span><\/pre>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">#<\/span><span lang=\"en-GB\">umask 077<\/span><\/pre>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">#<\/span><span lang=\"en-GB\">wg genkey | tee server_private_key | wg pubkey &gt; server_public_key<\/span><\/pre>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">#<\/span><span lang=\"en-GB\">wg genkey | tee phone_private_key | wg pubkey &gt; phone_public_key<\/span><\/pre>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">#wg genkey | tee laptop_private_key | wg pubkey &gt; laptop_public_key<\/span><\/pre>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">#wg genpsk &gt; phone_preshared_key<\/span><\/pre>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">#wg genpsk &gt; laptop_preshared_key<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">This is the list of files created:<\/p>\n<p class=\"western\" lang=\"en-GB\"><a 
href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP51.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-614\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP51.png\" alt=\"\" width=\"518\" height=\"186\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP51.png 518w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP51-300x108.png 300w\" sizes=\"auto, (max-width: 518px) 100vw, 518px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">This is the content of each file in this particular case (your keys will be different):<\/p>\n<pre lang=\"en-GB\">server_public o7Omx+P\/xRTtIAYw04msRW2IU3llreJ\/EZ2ZLVeTEA8=\r\nserver_private yL3BldjULCz\/zqitAReoPLTfDTCM8khZbOV1+g0ZtHg=\r\nphone_public M0bXWPhF\/qbDJeKP52gAM+igeR6csNnKf4pWZexYynM=\r\nphone_private 4LGoHHvFUacRvXC19LvMldEKZWsLpY3SupcLg5Dx\/V8=\r\nphone_preshared RP37rPp6ARczPuL0j8NDMB41vEOLqHvtSjmVAlPYzoI=\r\nlaptop_public PQ1k3QVZoV1OOCKHBG8PGH5XIsakI+44W4aKYp\/IKic=\r\nlaptop_private IMT6LFk00+iJbRrY0\/yWTUnfh\/rOb1AHrXtoh\/yfV1A=\r\nlaptop_preshared CeBp3tPfoDBRX+5qpvugNVajs217nFeeJg3OjJAyomg=<\/pre>\n<h3 class=\"western\" lang=\"en-GB\">Generating server configuration<\/h3>\n<p class=\"western\" lang=\"en-GB\">We need to create the server configuration. The file is named wg0.conf because the wg-quick@wg0 service used below reads \/etc\/wireguard\/wg0.conf:<\/p>\n<pre class=\"western\" lang=\"en-GB\">#nano \/etc\/wireguard\/wg0.conf<\/pre>\n<p class=\"western\" lang=\"en-GB\">With this content:<\/p>\n<pre lang=\"en-GB\">[Interface]\r\nPrivateKey = \r\n#SaveConfig = false\r\nListenPort = 51900\r\nPostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\r\nPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\r\n### begin phone configuration ###\r\n[Peer]\r\nPublicKey = \r\n#PresharedKey = \r\n# On the server, AllowedIPs is limited to this peer's own tunnel address\r\nAllowedIPs = 10.6.0.2\/32\r\nPersistentKeepalive = 25\r\n### end phone ###\r\n### begin laptop configuration ###\r\n[Peer]\r\nPublicKey = \r\n#PresharedKey = \r\nAllowedIPs = 10.6.0.3\/32\r\nPersistentKeepalive = 25\r\n### end laptop ###<\/pre>\n<p class=\"western\" lang=\"en-GB\"><span style=\"font-family: Open Sans, sans-serif;\"><span style=\"font-size: large;\">If you need to edit the server configuration later, you will first have to stop the interface with this command:<\/span><\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\">#systemctl stop wg-quick@wg0.service<\/pre>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3945_3431065437\"><\/a><strong><span lang=\"en-GB\">Gotchas<\/span><\/strong><\/h2>\n<ol>\n<li>\n<p class=\"western\" lang=\"en-GB\">Be sure to replace the key values in the configuration for PrivateKey and PublicKey.<\/p>\n<\/li>\n<li>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">Note that the above configuration assumes you are using a wired ethernet connection on your RPi WireGuard server. <\/span><strong><span lang=\"en-GB\">If you instead wish to use wifi (wlan0)<\/span><\/strong><span lang=\"en-GB\">, change the above config to use <\/span><strong><span lang=\"en-GB\">-o wlan0<\/span><\/strong><span lang=\"en-GB\"> in PostUp and PostDown. 
<\/span><a href=\"https:\/\/forums.engineerworkshop.com\/t\/how-to-set-up-wireguard-on-a-raspberry-pi\/159\/9?u=torquewrench\">See this forum post for additional information.<\/a><\/p>\n<\/li>\n<\/ol>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3947_3431065437\"><\/a><a name=\"enable-ip-forwarding-on-the-server\"><\/a> Enabling IP Forwarding on the Server<\/h2>\n<p class=\"western\" lang=\"en-GB\">Edit sysctl.conf on the Raspberry Pi with:<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">#<\/span><span lang=\"en-GB\">nano \/etc\/sysctl.conf<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">Uncomment the line with &#8220;net.ipv4.ip_forward=1&#8221; and save the changes.<\/span><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP52.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-615\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP52.png\" alt=\"\" width=\"514\" height=\"136\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP52.png 514w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP52-300x79.png 300w\" sizes=\"auto, (max-width: 514px) 100vw, 514px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">And enable the interface:<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">#systemctl enable wg-quick@wg0<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP53.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-616\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP53.png\" alt=\"\" width=\"977\" height=\"40\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP53.png 977w, 
https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP53-300x12.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP53-768x31.png 768w\" sizes=\"auto, (max-width: 977px) 100vw, 977px\" \/><\/a><\/p>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3949_3431065437\"><\/a> <span lang=\"en-GB\">Securing access to sensitive files<\/span><\/h2>\n<p lang=\"en-GB\"><span lang=\"en-GB\">Ensure sensitive files are protected (root rw only)<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">#<\/span><span lang=\"en-GB\">chown -R root:root \/etc\/wireguard\/<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">And<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">#<\/span><span lang=\"en-GB\">chmod -R og-rwx \/etc\/wireguard\/*<\/span><\/pre>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP54.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-617\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP54.png\" alt=\"\" width=\"502\" height=\"204\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP54.png 502w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP54-300x122.png 300w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Reboot the Raspberry<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo reboot<\/pre>\n<p class=\"western\" lang=\"en-GB\">Log in to your Raspberry and check that the WireGuard interface has been created correctly with the command \u2018ip addr\u2019<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP55.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-618\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP55.png\" alt=\"\" width=\"861\" height=\"331\" 
srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP55.png 861w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP55-300x115.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP55-768x295.png 768w\" sizes=\"auto, (max-width: 861px) 100vw, 861px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">You need to access your router and forward port 51900 to the internal IP address of the Raspberry, port 51900, protocol UDP. This is an example configuration:<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP56.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-619\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP56.png\" alt=\"\" width=\"948\" height=\"352\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP56.png 948w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP56-300x111.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP56-768x285.png 768w\" sizes=\"auto, (max-width: 948px) 100vw, 948px\" \/><\/a><\/p>\n<h2 class=\"western\" lang=\"en-GB\">S<span style=\"font-family: Open Sans, sans-serif;\">et Up the WireGuard Client for each client<\/span><\/h2>\n<p class=\"western\" lang=\"en-GB\"><span style=\"font-family: Open Sans, sans-serif;\">Create a file for each client with the following content<\/span><\/p>\n<h3 class=\"western\" lang=\"en-GB\">P<span style=\"font-family: Open Sans, sans-serif;\">hone access<\/span><\/h3>\n<p class=\"western\" lang=\"en-GB\"><span style=\"font-family: Open Sans, sans-serif;\">Creating the file for the phone client<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo nano \/etc\/wireguard\/phone.conf<\/pre>\n<p class=\"western\" lang=\"en-GB\">With this content<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">[Interface]\r\nAddress = 
10.6.0.2\/24\r\nPrivateKey = \r\nDNS = 10.6.0.1\r\n\r\n[Peer]\r\nPublicKey = \r\n#PresharedKey = \r\nEndpoint = :51900\r\nAllowedIPs = 0.0.0.0\/0, ::\/0<\/span><\/pre>\n<h3 class=\"western\" lang=\"en-GB\">L<span lang=\"en-GB\">aptop access<\/span><\/h3>\n<p class=\"western\" lang=\"en-GB\">Creating the file for the laptop client<\/p>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">$sudo nano \/etc\/wireguard\/laptop.conf<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">With this content<\/p>\n<pre lang=\"en-GB\"><span lang=\"en-GB\">[Interface]\r\nAddress = 10.6.0.3\/24\r\nPrivateKey = \r\nDNS = 10.6.0.1\r\n\r\n[Peer]\r\nPublicKey = \r\n#PresharedKey = \r\nEndpoint = :51900\r\nAllowedIPs = 0.0.0.0\/0, ::\/0<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">With the qrencode command we generate a qr code to import the configuration easily into the wireguard app.<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">#qrencode -t ansiutf8 &lt; \/etc\/wireguard\/phone.conf<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP57.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-620\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP57.png\" alt=\"\" width=\"593\" height=\"651\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP57.png 593w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP57-273x300.png 273w\" sizes=\"auto, (max-width: 593px) 100vw, 593px\" \/><\/a><\/p>\n<h2 class=\"western\" lang=\"en-GB\">Set Up the WireGuard Server<\/h2>\n<p class=\"western\" lang=\"en-GB\">To configure WireGuard we have to create the wg0 file:<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo nano \/etc\/network\/interfaces.d\/wg0<\/pre>\n<p class=\"western\" lang=\"en-GB\">With this information<\/p>\n<pre class=\"western\" lang=\"en-GB\"># indicate that wg0 should be created when the system 
boots, and on ifup -a \r\nauto wg0 \r\n\r\n# describe wg0 as an IPv4 interface with static address \r\niface wg0 inet static \r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# static IP address \u00a0\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0address 10.6.0.1\/24 \r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# before ifup, create the device with this ip link command \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0pre-up ip link add wg0 type wireguard \r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# before ifup, set the WireGuard config from earlier \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0pre-up wg setconf wg0 \/etc\/wireguard\/server.conf \r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# Routing \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0pre-up iptables -A FORWARD -i wg0 -j ACCEPT \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0pre-up iptables -A FORWARD -o wg0 -j ACCEPT \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0pre-up iptables -t nat -A \u00a0POSTROUTING -o eth0 -j MASQUERADE \r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# route packages when the VPN interface is up \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#post-up sysctl --write net.ipv4.ip_forward=1 \r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# and stop routing when stopping the VPN interface \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#post-down sysctl --write net.ipv4.ip_forward=0 \r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# Routing post-down \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0post-down iptables -D FORWARD -i wg0 -j ACCEPT \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0post-down iptables -D FORWARD -o wg0 -j ACCEPT \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0post-down iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE \r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# after ifdown, destroy the wg0 interface \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0post-down ip link del wg0<\/pre>\n<h3 class=\"western\" lang=\"en-GB\">Adding unattended upgrades 
(optional)<\/h3>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">If you are using third-party packages (e.g. via <\/span><a href=\"https:\/\/launchpad.net\/ubuntu\/+ppas\" target=\"_blank\" rel=\"noopener\">PPAs<\/a><span lang=\"en-GB\">), the system has no idea about security updates for those packages. So you need to take an additional step and get them included manually.<\/span><\/p>\n<p class=\"western\" lang=\"en-GB\">Remember to determine the PPA Origin and Suite<\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">The first goal is to determine the details from the PPA (or other external package type). This can be done by peeking in the <\/span><strong><span lang=\"en-GB\">\/var\/lib\/apt\/lists<\/span><\/strong><span lang=\"en-GB\"> directory. Use the related files ending with <\/span><strong><span lang=\"en-GB\">InRelease<\/span><\/strong><span lang=\"en-GB\"> to see more details about the specific package.<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\">$less \/var\/lib\/apt\/lists\/deb.debian.org_debian_dists_unstable_InRelease<\/pre>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP58.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-621\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP58.png\" alt=\"\" width=\"691\" height=\"351\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP58.png 691w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP58-300x152.png 300w\" sizes=\"auto, (max-width: 691px) 100vw, 691px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">The two things we need from this file are the fields <\/span><em><span lang=\"en-GB\">Origin<\/span><\/em><span lang=\"en-GB\"> and <\/span><em><span lang=\"en-GB\">Suite<\/span><\/em><span lang=\"en-GB\">. 
These two strings have to be combined and provided to <\/span><em><span lang=\"en-GB\">unattended-upgrade<\/span><\/em><span lang=\"en-GB\">. It then understands that this PPA should be upgraded automatically.<\/span><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP59.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-622\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP59.png\" alt=\"\" width=\"637\" height=\"381\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP59.png 637w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP59-300x179.png 300w\" sizes=\"auto, (max-width: 637px) 100vw, 637px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP60.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-623\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP60.png\" alt=\"\" width=\"558\" height=\"351\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP60.png 558w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP60-300x189.png 300w\" sizes=\"auto, (max-width: 558px) 100vw, 558px\" \/><\/a><\/p>\n<h1 class=\"western\"><span lang=\"en-GB\">Installing Pi.Alert, a Wi-Fi\/LAN intruder detector (optional)<\/span><\/h1>\n<p class=\"western\" lang=\"en-GB\">Pi.Alert is a nice and small project that provides a Wi-Fi and LAN intruder detector. 
It checks the connected devices and alerts you about unknown devices. It also warns of the disconnection of &#8220;always connected&#8221; devices. It can be found at <a href=\"https:\/\/github.com\/pucherot\/Pi.Alert\"><span style=\"font-family: Open Sans, sans-serif;\"><span style=\"font-size: large;\">https:\/\/github.com\/pucherot\/Pi.Alert<\/span><\/span><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">The installation is quite simple. Just run the following script (it will ask for the sudo password)<\/p>\n<pre class=\"western\" lang=\"en-GB\">$curl -sSL https:\/\/github.com\/pucherot\/Pi.Alert\/raw\/main\/install\/pialert_install.sh | bash<\/pre>\n<p class=\"western\" lang=\"en-GB\">Here are the screens you will see, with the options I have chosen for my system:<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP61.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-626\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP61.png\" alt=\"\" width=\"567\" height=\"220\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP61.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP61-300x116.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP62.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-627\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP62.png\" alt=\"\" width=\"567\" height=\"220\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP62.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP62-300x116.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><a 
href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP63.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-628\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP63.png\" alt=\"\" width=\"567\" height=\"220\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP63.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP63-300x116.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP64.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-629\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP64.png\" alt=\"\" width=\"567\" height=\"220\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP64.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP64-300x116.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP65.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-630\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP65.png\" alt=\"\" width=\"566\" height=\"219\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP65.png 566w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP65-300x116.png 300w\" sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP66.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-631\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP66.png\" alt=\"\" width=\"567\" height=\"220\" 
srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP66.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP66-300x116.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP67.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-632\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP67.png\" alt=\"\" width=\"567\" height=\"220\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP67.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP67-300x116.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP68.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-633\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP68.png\" alt=\"\" width=\"567\" height=\"220\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP68.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP68-300x116.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">Save this information to access to the <\/span><span lang=\"en-GB\">P<\/span><span lang=\"en-GB\">i.<\/span><span lang=\"en-GB\">Alert<\/span><span lang=\"en-GB\"> server:<\/span><\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP69.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-634\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP69.png\" alt=\"\" width=\"488\" height=\"261\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP69.png 488w, 
https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP69-300x160.png 300w\" sizes=\"auto, (max-width: 488px) 100vw, 488px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">And this is what Pi.Alert looks like<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP70.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-635\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP70.png\" alt=\"\" width=\"1555\" height=\"620\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP70.png 1555w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP70-300x120.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP70-1024x408.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP70-768x306.png 768w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP70-1536x612.png 1536w\" sizes=\"auto, (max-width: 1555px) 100vw, 1555px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Here you will find more information regarding device management:<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/github.com\/pucherot\/Pi.Alert\/blob\/main\/docs\/DEVICE_MANAGEMENT.md\">https:\/\/github.com\/pucherot\/Pi.Alert\/blob\/main\/docs\/DEVICE_MANAGEMENT.md<\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">To keep Pi.Alert updated, we have to add a job to cron<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo crontab -e<\/pre>\n<p class=\"western\" lang=\"en-GB\">And paste this command at the end of the file<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">3 1 4 *\/1 * curl -sSL https:\/\/github.com\/pucherot\/Pi.Alert\/raw\/main\/install\/pialert_update.sh | bash\r\n<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><b>Attention:<\/b> Since I started writing this guide, the Pi.Alert project seems to have had little activity, and other users have started to 
create forks that are more up to date:<\/p>\n<ul>\n<li>\n<p class=\"western\" lang=\"en-GB\">Installation in a server: <a href=\"https:\/\/github.com\/leiweibau\/Pi.Alert\">leiweibau\/Pi.Alert<\/a><\/p>\n<\/li>\n<li>\n<p class=\"western\" lang=\"en-GB\">Container version: <a href=\"https:\/\/github.com\/jokob-sk\/Pi.Alert\">jokob-sk\/Pi.Alert<\/a><\/p>\n<\/li>\n<\/ul>\n<h1 class=\"western\" lang=\"en-GB\">Installing a monitoring tool (optional)<\/h1>\n<p class=\"reader-text-block__paragraph\">We have several options to monitor our system. We can use lightweight applications or heavier ones with many more features but higher resource consumption.<\/p>\n<p class=\"reader-text-block__paragraph\">When I started to write this guide I chose <a href=\"https:\/\/github.com\/XavierBerger\/RPi-Monitor\">RPi-Monitor<\/a>, a simple and light monitor with all the basic parameters. The problem I found is that it is no longer maintained. The last version is from August 2017, so I decided to find another light solution and I found <a href=\"https:\/\/learn.netdata.cloud\/guides\/monitor\/pi-hole-raspberry-pi\">NetData<\/a>, an open source tool designed to collect real-time metrics, such as CPU usage, disk activity, bandwidth usage, website visits, etc., and then display them in live, easy-to-interpret charts. 
It offers the possibility to create a free cloud account to complement the Netdata agent and provide:<\/p>\n<ul>\n<li>Infrastructure level dashboards (each chart aggregates data from multiple nodes)<\/li>\n<li>Central dispatch of alert notifications<\/li>\n<li>Custom dashboards editor<\/li>\n<li>Intelligence assisted troubleshooting, to help surface the root cause of issues<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\">They offer some paid functionalities but they claim the free account will be free forever.<\/p>\n<p class=\"reader-text-block__paragraph\">In case you need a powerful solution to monitor devices with a lot of integrations and functionalities like Machine Learning, you can use <a href=\"https:\/\/grafana.com\/grafana\/\">Grafana<\/a>. There is a <a href=\"https:\/\/play.grafana.org\/\">sandbox<\/a> where you can play with Dashboards.<\/p>\n<h2 class=\"reader-text-block__heading1\">Installing RPi-Monitor (deprecated)<\/h2>\n<p class=\"western\" lang=\"en-GB\">RPi-Monitor lets us monitor basic parameters like temperature, CPU load, disk space and upgradable packages. 
To install we need to execute the following commands:<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo apt-get install dirmngr<\/pre>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$sudo apt-key adv --recv-keys --keyserver <\/span><span lang=\"en-GB\">hkp:\/\/keyserver.ubuntu.com:80 2C0D3C0F\r\n<\/span><\/pre>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$sudo wget <a href=\"http:\/\/goo.gl\/vewCLL\">http:\/\/goo.gl\/vewCLL<\/a> -O \/etc\/apt\/sources.list.d\/rpimonitor.list<\/span><\/pre>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$sudo apt-get update<\/span><\/pre>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$sudo apt-get install rpimonitor<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">Configure RPi-Monitor to show network statistics:<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo nano \/etc\/rpimonitor\/template\/network.conf<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">Uncomment the first two sections that start with \u201cdynamic.10\u201d and \u201cdynamic.11\u201d. Comment out the third, fourth and fifth lines in the next section that start with \u201cweb.status.1\u201d and uncomment the last one. Uncomment the next section that starts with \u201cweb.statistics.1\u201d. 
Exit and save.<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP71.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-636\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP71.png\" alt=\"\" width=\"624\" height=\"275\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP71.png 624w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP71-300x132.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\">Restart RPi-Monitor.<\/p>\n<pre class=\"western\" lang=\"en-GB\"><a name=\"0572\"><\/a><span lang=\"en-GB\">$<\/span><span lang=\"en-GB\">sudo service rpimonitor restart<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\"><a name=\"8e11\"><\/a>Update RPi-Monitor package status:<\/p>\n<pre class=\"western\" lang=\"en-GB\"><a name=\"78b9\"><\/a>$sudo \/etc\/init.d\/rpimonitor update<\/pre>\n<p class=\"western\" lang=\"en-GB\"><a name=\"8d60\"><\/a><span lang=\"en-GB\">Check the RPi-Monitor web page at <\/span><a href=\"https:\/\/thesmashy.medium.com\/%3CIPAddress%3E:8888\">http:\/\/&lt;IPAddress&gt;:8888<\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP72.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-637\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP72.png\" alt=\"\" width=\"624\" height=\"523\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP72.png 624w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP72-300x251.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/p>\n<p class=\"western\" lang=\"en-GB\"><a name=\"9054\"><\/a>You now have a web dashboard of your server\u2019s status, and there is a historical view under Statistics. 
This can be helpful for monitoring and troubleshooting. Here is a view in Statistics of temperature over 14 days:<\/p>\n<p class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP73.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-638\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP73.png\" alt=\"\" width=\"624\" height=\"277\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP73.png 624w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP73-300x133.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/p>\n<h2 class=\"reader-text-block__heading1\">Installing Netdata (recommended)<\/h2>\n<p class=\"reader-text-block__paragraph\">Netdata helps to monitor and troubleshoot several kinds of devices and the applications they run, like Raspberry Pi and Pi-hole.<\/p>\n<p class=\"reader-text-block__paragraph\">After a quick installation and with no additional configuration required, you will be able to see device parameters like CPU load, memory and disk usage, bandwidth\u2026 Netdata collects about 1.500 metrics every second.<\/p>\n<p class=\"reader-text-block__paragraph\">On Raspberry Pi, the installation is done with a one-command script. 
This script asks you to install dependencies and compile Netdata from the source:<\/p>\n<pre class=\"reader-text-block__code\">$wget -O \/tmp\/netdata-kickstart.sh https:\/\/my-netdata.io\/kickstart.sh &amp;&amp; sh \/tmp\/netdata-kickstart.sh --disable-telemetry<\/pre>\n<p class=\"reader-text-block__paragraph\">Parameters:<\/p>\n<ul>\n<li>Use a stable release: \u2018--stable-channel\u2019<\/li>\n<li>Do not send anonymous statistics: \u2018--disable-telemetry\u2019<\/li>\n<li>No automatic updates: \u2018--no-updates\u2019<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\">As you can see from the command line, I use a nightly version (more up to date), I do not want to send anonymous statistics and I want to receive automatic updates.<\/p>\n<p class=\"reader-text-block__paragraph\">When we run this script, it will ask for your administrator account and install all the required packages.<\/p>\n<p class=\"reader-text-block__paragraph\">Once finished, we have to modify a configuration file in order to enable the temperature sensor monitoring. We have to uncomment the sensors=force line in the charts.d.conf configuration file. 
The installation path differs depending on whether we have Debian or Raspbian<\/p>\n<p class=\"reader-text-block__paragraph\"><strong>Debian:<\/strong><\/p>\n<pre class=\"reader-text-block__code\">$cd \/etc\/netdata\r\n$sudo .\/edit-config charts.d.conf<\/pre>\n<p class=\"reader-text-block__paragraph\"><strong>Raspbian:<\/strong><\/p>\n<pre class=\"reader-text-block__code\">$cd \/opt\/netdata\r\n$sudo cp usr\/lib\/netdata\/conf.d\/charts.d.conf etc\/netdata\/\r\n$cd etc\/netdata\r\n$sudo .\/edit-config charts.d.conf<\/pre>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP74.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-650\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP74.png\" alt=\"\" width=\"486\" height=\"224\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP74.png 486w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP74-300x138.png 300w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\" \/><\/a><\/p>\n<p class=\"reader-text-block__paragraph\">Once modified we have to restart the service to enable Raspberry Pi temperature sensor monitoring:<\/p>\n<pre class=\"reader-text-block__code\">$sudo systemctl restart netdata<\/pre>\n<p class=\"reader-text-block__paragraph\">Another improvement suggested by Netdata is to increase the storage allocation so that more historical metrics are kept. 
As they say on their website, I recommend using their <a href=\"https:\/\/learn.netdata.cloud\/docs\/store\/change-metrics-storage#calculate-the-system-resources-ram-disk-space-needed-to-store-metrics\">database sizing calculator<\/a> and <a href=\"https:\/\/learn.netdata.cloud\/guides\/longer-metrics-storage\">guide on storing historical metrics<\/a> to help you determine the right setting for your Raspberry Pi.<\/p>\n<p class=\"reader-text-block__paragraph\">Once installed, we can point our browser to our Raspberry Pi IP on port 19999 (http:\/\/[our raspberry pi IP]:19999)<\/p>\n<p class=\"reader-text-block__paragraph\">The first login will show a reminder to create a cloud account to access your data through the Internet, which provides:<\/p>\n<ul>\n<li>Infrastructure level dashboards (each chart aggregates data from multiple nodes)<\/li>\n<li>Central dispatch of alert notifications<\/li>\n<li>Custom dashboards editor<\/li>\n<li>Intelligence assisted troubleshooting, to help surface the root cause of issues<\/li>\n<\/ul>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP75.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-649\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP75.png\" alt=\"\" width=\"708\" height=\"349\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP75.png 708w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP75-300x148.png 300w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP76.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-648\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP76.png\" alt=\"\" width=\"1525\" height=\"667\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP76.png 1525w, 
https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP76-300x131.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP76-1024x448.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP76-768x336.png 768w\" sizes=\"auto, (max-width: 1525px) 100vw, 1525px\" \/><\/a><\/p>\n<p>Through the right-hand menu you can browse the different metrics Netdata collects, from device metrics like CPU, memory, disks, network and temperature (under the Sensors section)\u2026 to metrics from the installed applications, like Fail2ban, firewall, Pi-hole and WireGuard.<\/p>\n<p lang=\"en-GB\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP77.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-647\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP77.png\" alt=\"\" width=\"656\" height=\"698\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP77.png 656w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2022\/12\/PBP77-282x300.png 282w\" sizes=\"auto, (max-width: 656px) 100vw, 656px\" \/><\/a><\/p>\n<p class=\"reader-text-block__paragraph\">If you create a cloud account, a command is provided to install an agent that grabs the data and sends it to the cloud.<\/p>\n<p class=\"reader-text-block__paragraph\">I also strongly recommend using their app to monitor our systems remotely.<\/p>\n<h2 class=\"reader-text-block__heading1\">Grafana<\/h2>\n<p class=\"reader-text-block__paragraph\">Grafana has a web page that explains step by step how to install an agent for <a href=\"https:\/\/grafana.com\/tutorials\/install-grafana-on-raspberry-pi\/\">raspberry pi<\/a>.<\/p>\n<h1 class=\"western\" lang=\"en-GB\">Securing the Raspberry<\/h1>\n<p class=\"western\" lang=\"en-GB\">In case we have a Raspberry with a Wi-Fi interface and we do not use it, we can disable it.<\/p>\n<p class=\"western\" lang=\"en-GB\">To completely 
disable the onboard Wi-Fi from the firmware on the Pi3 \/ Pi4, add these lines to \/boot\/config.txt:<\/p>\n<pre class=\"western\" lang=\"en-GB\">dtoverlay=disable-wifi\r\n<span lang=\"en-GB\">dtoverlay=pi3-disable-wifi<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">Alternatively, we can add these two lines<\/p>\n<pre class=\"western\" lang=\"en-GB\">blacklist brcmfmac\r\n<span lang=\"en-GB\">blacklist brcmutil<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">to the module blacklist:<\/p>\n<pre class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">$ <\/span><span lang=\"en-GB\">sudo nano \/etc\/modprobe.d\/raspi-blacklist.conf<\/span><\/pre>\n<h1 lang=\"en-GB\"><a name=\"__RefHeading___Toc4991_2944357706\"><\/a> Backup &amp; restore<\/h1>\n<h2 lang=\"en-GB\"><a name=\"__RefHeading___Toc3981_3431065437\"><\/a><a name=\"Method_1_Copy_the_SD_Card_Image\"><\/a> <span lang=\"en-GB\">Method 1: Copy the SD Card Image<\/span><\/h2>\n<p lang=\"en-GB\"><span lang=\"en-GB\">The easiest way is to <\/span><span lang=\"en-GB\">dump the SD card or USB drive to an image. Let\u2019s assume the SD card is at \/dev\/sdb.<\/span><\/p>\n<pre class=\"western\" lang=\"en-GB\">$ sudo dd bs=4M if=\/dev\/sdb of=raspbian_bck.img conv=fdatasync status=progress<\/pre>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3983_3431065437\"><\/a><a name=\"Method_2_Zip_the_Home_Directory\"><\/a> Method 2: Zip the Home Directory<\/h2>\n<p class=\"western\" lang=\"en-GB\">(To Be Done)<\/p>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3985_3431065437\"><\/a><a name=\"Method_3_Scheduled_Backups\"><\/a> Method 3: Scheduled Backups<\/h2>\n<p class=\"western\" lang=\"en-GB\">(To Be Done)<\/p>\n<h1 class=\"western\" lang=\"en-GB\">Bonus track. Password manager: Vaultwarden<\/h1>\n<p class=\"western\" lang=\"en-GB\">When I started to use password managers, I chose a light and open-source solution, <a href=\"https:\/\/keepass.info\/\">KeePass<\/a>. 
I wrote an article on my blog a few years ago, <a href=\"https:\/\/coneixement.info\/blog\/how-to-set-and-use-passwords-in-a-safety-way\/\">how to set and use passwords in a safety way<\/a>, using this solution. Over time, a new solution has appeared with more functionality that is also open-source: <a href=\"https:\/\/bitwarden.com\/\">Bitwarden<\/a>.<\/p>\n<p class=\"western\" lang=\"en-GB\">Instead of Bitwarden I chose <a href=\"https:\/\/github.com\/dani-garcia\/vaultwarden\">Vaultwarden<\/a>, an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream <a href=\"https:\/\/bitwarden.com\/download\/\">Bitwarden clients<\/a>, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.<\/p>\n<p class=\"western\" lang=\"en-GB\">The basic installation of Vaultwarden can be done by following the instructions <a href=\"https:\/\/www.wundertech.net\/how-to-self-host-bitwarden-on-a-raspberry-pi\/\">here<\/a>. I decided to use another Raspberry Pi, since the first one is dedicated exclusively to the privacy filter and VPN server and I prefer not to overload it with more services running on the same device.<\/p>\n<p class=\"western\" lang=\"en-GB\">To access the password manager server, a proxy manager (Nginx) is needed. We will also need a container manager, Portainer, since Vaultwarden and Nginx (application and database) run within containers.<\/p>\n<p class=\"western\" lang=\"en-GB\">As before, a DDNS service is needed in order to reach the Raspberry from the Internet. It will also help us to have a secure connection, which is mandatory for accessing the password manager. 
It would be foolish to access your passwords over a plain HTTP connection.<\/p>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5449_917097692\"><\/a> How to update components<\/h2>\n<p class=\"western\" lang=\"en-GB\">Here I detail the steps to update all the components we have on this Raspberry Pi. The update procedure is not always explained in the installation pages, so I decided to describe how to update each component.<\/p>\n<h3 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5451_917097692\"><\/a> Portainer<\/h3>\n<p class=\"western\" lang=\"en-GB\">Updating Portainer can be done in 4 steps from the Raspberry Pi command line:<\/p>\n<ol>\n<li>\n<p class=\"western\" lang=\"en-GB\">Stop the Portainer container<\/p>\n<pre class=\"western\" lang=\"en-GB\">$ docker stop portainer<\/pre>\n<\/li>\n<li>\n<p class=\"western\" lang=\"en-GB\">Remove the container<\/p>\n<pre class=\"western\" lang=\"en-GB\">$ docker rm portainer<\/pre>\n<\/li>\n<li>\n<p class=\"western\" lang=\"en-GB\">Pull the new version<\/p>\n<pre class=\"western\" lang=\"en-GB\">$ docker pull portainer\/portainer-ce:latest<\/pre>\n<\/li>\n<li>\n<p class=\"western\" lang=\"en-GB\">Run the container<\/p>\n<pre class=\"western\" lang=\"en-GB\">$ sudo docker run -d -p 9000:9000 --name=portainer --restart=always -v \/var\/run\/docker.sock:\/var\/run\/docker.sock -v portainer_data:\/data portainer\/portainer-ce:latest<\/pre>\n<\/li>\n<\/ol>\n<h3 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5453_917097692\"><\/a> Containers<\/h3>\n<p class=\"western\" lang=\"en-GB\">From time to time we should check whether a new version has been released and evaluate whether we want to update. 
The update can be done in two ways, through Portainer or from the command line.<\/p>\n<h4 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5455_917097692\"><\/a> Updating through Portainer<\/h4>\n<ol>\n<li class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">Select <\/span><strong><span lang=\"en-GB\">Containers<\/span><\/strong><span lang=\"en-GB\">, then <\/span><strong><span lang=\"en-GB\">stop<\/span><\/strong><span lang=\"en-GB\"> the container that you\u2019d like to update.<\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">Select the container, and you\u2019ll see a button named <\/span><strong><span lang=\"en-GB\">Recreate<\/span><\/strong><span lang=\"en-GB\">. By selecting this button, the container will take the persistent data and recreate the container. Keep in mind that the only data that will stay on the container is data that was mapped to a volume.<br \/>\n<\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">Select <\/span><strong><span lang=\"en-GB\">Pull latest image<\/span><\/strong><span lang=\"en-GB\">, then <\/span><strong><span lang=\"en-GB\">Recreate<\/span><\/strong><span lang=\"en-GB\">.<\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span lang=\"en-GB\">When this process is finished, the container will be recreated with the latest image. Select the container and <\/span><strong><span lang=\"en-GB\">Start<\/span><\/strong><span lang=\"en-GB\"> it. The status will change to <\/span><strong><span lang=\"en-GB\">running<\/span><\/strong><span lang=\"en-GB\">.<\/span><\/li>\n<li class=\"western\" lang=\"en-GB\">The container will now exist with the newest released version!<\/li>\n<\/ol>\n<p class=\"western\" lang=\"en-GB\"><b>Note 1:<\/b> It will take some time. 
Be patient.<\/p>\n<p class=\"western\" lang=\"en-GB\"><b>Note 2: <\/b>You can remove old container images in order to save space.<\/p>\n<h4 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5457_917097692\"><\/a> Updating from the command line<\/h4>\n<p class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5455_9170976921\"><\/a> First we pull the latest image:<\/p>\n<pre class=\"western\" lang=\"en-GB\">$ docker pull vaultwarden\/server:latest\r\n$ <span lang=\"en-GB\">sudo docker run -d --name bitwarden \\<\/span>\r\n    <span lang=\"en-GB\">--restart=always \\<\/span>\r\n    <span lang=\"en-GB\">-v \/bw-data\/:\/data\/ \\<\/span>\r\n    <span lang=\"en-GB\">-p 127.0.0.1:8080:80 \\<\/span>\r\n    <span lang=\"en-GB\">-p 127.0.0.1:3012:3012 \\<\/span>\r\n    <span lang=\"en-GB\">vaultwarden\/server:latest<\/span><\/pre>\n<p class=\"western\" lang=\"en-GB\">And with this command we launch it, removing the previous one:<\/p>\n<pre class=\"western\" lang=\"en-GB\">$ docker run --rm -it --mount type=volume,source=vaultwarden-rclone-data,target=\/config\/ ttionya\/vaultwarden-backup:latest rclone config<\/pre>\n<h4 class=\"western\" lang=\"en-GB\">Updating Nginx<\/h4>\n<p class=\"western\" lang=\"en-GB\">The reverse proxy should be updated in this order. 
First the app<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo docker update --restart always nginx_app_1<\/pre>\n<p class=\"western\" lang=\"en-GB\">And later the database<\/p>\n<pre class=\"western\" lang=\"en-GB\">$sudo docker update --restart always nginx_db_1<\/pre>\n<h1 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3987_3431065437\"><\/a>Bibliography<\/h1>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3989_3431065437\"><\/a> Base<\/h2>\n<ol>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/www.forbes.com\/sites\/marketshare\/2012\/03\/05\/if-youre-not-paying-for-it-you-become-the-product\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.forbes.com\/sites\/marketshare\/2012\/03\/05\/if-youre-not-paying-for-it-you-become-the-product\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u><a href=\"https:\/\/medium.com\/change-your-mind\/if-you-are-not-paying-for-the-product-you-are-the-product-4dbc15b9a3f2\">https:\/\/medium.com\/change-your-mind\/if-you-are-not-paying-for-the-product-you-are-the-product-4dbc15b9a3f2<\/a> <\/u><\/span><\/span><\/span><\/span><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/clearcode.cc\/blog\/what-is-data-broker\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span 
lang=\"zxx\"><u>https:\/\/clearcode.cc\/blog\/what-is-data-broker\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/www.peekyou.com\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.peekyou.com\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/www.toptenreviews.com\/best-people-search-services\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.toptenreviews.com\/best-people-search-services<\/u><\/span><\/span><\/span><\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/thesmashy.medium.com\/building-a-pihole-for-privacy-and-performance-f762dbcb66e5\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/thesmashy.medium.com\/building-a-pihole-for-privacy-and-performance-f762dbcb66e5<\/u><\/span><\/span><\/span><\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><strong><a href=\"https:\/\/www.thetechherald.com\/tech-news\/raspberry-pi-raspbian-os-gets-a-microsoft-repo-without-any-notification-heres-how-to-remove-concerns-of-telemetry-data-collection\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.thetechherald.com\/tech-news\/raspberry-pi-raspbian-os-gets-a-microsoft-repo-without-any-notification-heres-how-to-remove-concerns-of-telemetry-data-collection\/<\/u><\/span><\/span><\/span><\/span><\/a><\/strong><\/li>\n<li class=\"western\" lang=\"en-GB\"><strong><a 
href=\"https:\/\/arstechnica.com\/gadgets\/2021\/02\/raspberry-pi-os-added-a-microsoft-repo-no-its-not-an-evil-secret\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/arstechnica.com\/gadgets\/2021\/02\/raspberry-pi-os-added-a-microsoft-repo-no-its-not-an-evil-secret\/<\/u><\/span><\/span><\/span><\/span><\/a><\/strong><\/li>\n<li class=\"western\" lang=\"en-GB\"><strong><a href=\"https:\/\/betanews.com\/2021\/02\/08\/linux-based-raspberry-pi-os-secret-microsoft-repo\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/betanews.com\/2021\/02\/08\/linux-based-raspberry-pi-os-secret-microsoft-repo\/<\/u><\/span><\/span><\/span><\/span><\/a><\/strong><\/li>\n<li class=\"western\" lang=\"en-GB\"><strong><a href=\"https:\/\/www.raspberrypi.org\/documentation\/hardware\/raspberrypi\/bootmodes\/msd.md\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.raspberrypi.org\/documentation\/hardware\/raspberrypi\/bootmodes\/msd.md<\/u><\/span><\/span><\/span><\/span><\/a><\/strong><\/li>\n<\/ol>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3991_34310654371\"><\/a> Pi-hole<\/h2>\n<ul>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/dev.to\/jldohmann\/the-ultimate-ad-blocker-configuring-pi-hole-with-unbound-dns-20eo\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/dev.to\/jldohmann\/the-ultimate-ad-blocker-configuring-pi-hole-with-unbound-dns-20eo<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li 
class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/www.bentasker.co.uk\/blog\/the-internet\/703-scaling-pihole-to-cope-with-huge-query-rates\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.bentasker.co.uk\/blog\/the-internet\/703-scaling-pihole-to-cope-with-huge-query-rates<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/www.vcloudinfo.com\/2019\/02\/my-pi-hole-is-out-of-space-how-to-free-up-space-to-upgrade.html\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.vcloudinfo.com\/2019\/02\/my-pi-hole-is-out-of-space-how-to-free-up-space-to-upgrade.html<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/firebog.net\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>h<\/u><\/span><\/span><\/span><\/span><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>ttps:\/\/firebog.net<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"zxx\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><u>https:\/\/github.com\/topics\/pihole-ads-list<\/u><\/span><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span 
style=\"font-size: large;\"><a href=\"https:\/\/blog.mandos.io\/p\/ultimate-guide-setup-raspberry-pi-hole-boost-privacy-browsing-speed\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>h<\/u><\/span><\/span><\/span><\/span><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>ttps:\/\/blog.mandos.io\/p\/ultimate-guide-setup-raspberry-pi-hole-boost-privacy-browsing-speed<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"zxx\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><u>https:\/\/avoidthehack.com\/best-pihole-blocklists<\/u><\/span><\/span><\/span><\/li>\n<\/ul>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3991_3431065437\"><\/a> Unbound<\/h2>\n<ul>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/docs.pi-hole.net\/guides\/dns\/unbound\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/docs.pi-hole.net\/guides\/dns\/unbound\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/github.com\/pi-hole\/docs\/issues\/207\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/github.com\/pi-hole\/docs\/issues\/207<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: 
large;\"><a href=\"https:\/\/www.reddit.com\/r\/pihole\/comments\/d9j1z6\/unbound_as_recursive_dns_server_slow_performance\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.reddit.com\/r\/pihole\/comments\/d9j1z6\/unbound_as_recursive_dns_server_slow_performance\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<\/ul>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3993_3431065437\"><\/a> Fail2ban<\/h2>\n<ul>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: Open Sans, sans-serif;\"><span style=\"font-size: medium;\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span lang=\"zxx\"><u><a href=\"https:\/\/www.niih.de\/how-to-upgrade-fail2ban-to-support-ipv6\/\">https:\/\/www.niih.de\/how-to-upgrade-fail2ban-to-support-ipv6\/<\/a> <\/u><\/span><\/span><\/span><\/span><\/span><\/li>\n<\/ul>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3995_3431065437\"><\/a> Unattended-Upgrades<\/h2>\n<ul>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/pimylifeup.com\/unattended-upgrades-debian-ubuntu\/\"><span style=\"font-family: Open Sans Condensed, sans-serif;\">https:\/\/pimylifeup.com\/unattended-upgrades-debian-ubuntu\/<\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/www.zealfortechnology.com\/2018\/08\/configure-unattended-upgrades-on-raspberry-pi.html\"><span style=\"font-family: Open Sans Condensed, sans-serif;\">https:\/\/www.zealfortechnology.com\/2018\/08\/configure-unattended-upgrades-on-raspberry-pi.html<\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/wiki.debian.org\/UnattendedUpgrades\"><span style=\"font-family: Open Sans Condensed, sans-serif;\">https:\/\/wiki.debian.org\/UnattendedUpgrades<\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><a 
href=\"https:\/\/kb.iu.edu\/d\/aews\"><span style=\"font-family: Open Sans Condensed, sans-serif;\">https:\/\/kb.iu.edu\/d\/aews<\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/linux-audit.com\/upgrading-external-packages-with-unattended-upgrade\/\"><span style=\"font-family: Open Sans Condensed, sans-serif;\">https:\/\/linux-audit.com\/upgrading-external-packages-with-unattended-upgrade\/<\/span><\/a><\/li>\n<\/ul>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc3999_3431065437\"><\/a> Pi.Alert<\/h2>\n<ul>\n<li class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5461_917097692\"><\/a> <a href=\"https:\/\/github.com\/pucherot\/Pi.Alert\"><span style=\"font-family: Open Sans Condensed, sans-serif;\">https:\/\/github.com\/pucherot\/Pi.Alert<\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/github.com\/jokob-sk\/Pi.Alert\"><span style=\"font-family: Open Sans Condensed, sans-serif;\">https:\/\/github.com\/jokob-sk\/Pi.Alert<\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: Open Sans Condensed, sans-serif;\">https:\/\/github.com\/leiweibau\/Pi.Alert<\/span><\/li>\n<\/ul>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5463_917097692\"><\/a> WireGuard<\/h2>\n<ul>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/wireguard.how\/server\/debian\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/wireguard.how\/server\/debian\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li 
class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u><a href=\"https:\/\/engineerworkshop.com\/blog\/how-to-set-up-wireguard-on-a-raspberry-pi\/\">https:\/\/engineerworkshop.com\/blog\/how-to-set-up-wireguard-on-a-raspberry-pi\/<\/a> <\/u><\/span><\/span><\/span><\/span><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><code><a href=\"https:\/\/www.cyberciti.biz\/faq\/debian-10-set-up-wireguard-vpn-server\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.cyberciti.biz\/faq\/debian-10-set-up-wireguard-vpn-server\/<\/u><\/span><\/span><\/span><\/span><\/a><\/code><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/serversideup.net\/generating-wireguard-qr-codes-for-fast-mobile-deployments\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/serversideup.net\/generating-wireguard-qr-codes-for-fast-mobile-deployments\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/serversideup.net\/courses\/gain-flexibility-and-increase-privacy-with-wireguard-vpn\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span 
lang=\"zxx\"><u>https:\/\/serversideup.net\/courses\/gain-flexibility-and-increase-privacy-with-wireguard-vpn\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/www.procustodibus.com\/blog\/2020\/12\/wireguard-site-to-site-config\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.procustodibus.com\/blog\/2020\/12\/wireguard-site-to-site-config\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: medium;\"><a href=\"https:\/\/wiki.debian.org\/SimplePrivateTunnelVPNWithWireGuard\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span lang=\"zxx\"><u>https:\/\/wiki.debian.org\/SimplePrivateTunnelVPNWithWireGuard<\/u><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: medium;\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span lang=\"zxx\"><u><a href=\"https:\/\/kirelos.com\/set-up-your-own-wireguard-vpn-server-on-debian\/\">https:\/\/kirelos.com\/set-up-your-own-wireguard-vpn-server-on-debian\/<\/a> <\/u><\/span><\/span><\/span><\/span><\/span><\/li>\n<\/ul>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5465_917097692\"><\/a> Monitoring tools<\/h2>\n<ul>\n<li class=\"western\" lang=\"en-GB\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u><a href=\"https:\/\/github.com\/XavierBerger\/RPi-Monitor\">https:\/\/github.com\/XavierBerger\/RPi-Monitor<\/a> 
<\/u><\/span><\/span><\/span><\/span><\/li>\n<li class=\"western\" lang=\"zxx\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><u>https:\/\/grafana.com\/tutorials\/install-grafana-on-raspberry-pi\/<\/u><\/span><\/span><\/span><\/li>\n<\/ul>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc4009_3431065437\"><\/a> Backup<\/h2>\n<ul>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u><a href=\"https:\/\/raspberryexpert.com\/how-to-backup-raspberry-pi\/\">https:\/\/raspberryexpert.com\/how-to-backup-raspberry-pi\/<\/a> <\/u><\/span><\/span><\/span><\/span><\/span><\/span><\/li>\n<\/ul>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc5157_2657682376\"><\/a> Vaultwarden<\/h2>\n<ul>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/www.wundertech.net\/how-to-self-host-bitwarden-on-a-raspberry-pi\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.wundertech.net\/how-to-self-host-bitwarden-on-a-raspberry-pi\/<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/medium.com\/codex\/complete-self-hosted-bitwarden-for-raspberry-pi-24b59c3b02df\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span 
lang=\"zxx\"><u>https:\/\/medium.com\/codex\/complete-self-hosted-bitwarden-for-raspberry-pi-24b59c3b02df<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"zxx\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><u>https:\/\/pimylifeup.com\/raspberry-pi-bitwarden\/<\/u><\/span><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/phoenixnap.com\/kb\/update-docker-image-container\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/phoenixnap.com\/kb\/update-docker-image-container<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u><a href=\"https:\/\/www.wundertech.net\/how-to-update-a-docker-container-using-portainer\/\">https:\/\/www.wundertech.net\/how-to-update-a-docker-container-using-portainer\/<\/a> <\/u><\/span><\/span><\/span><\/span><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/github.com\/NginxProxyManager\/nginx-proxy-manager\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/github.com\/NginxProxyManager\/nginx-proxy-manager<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<\/ul>\n<h2 class=\"western\" lang=\"en-GB\"><a name=\"__RefHeading___Toc4005_3431065437\"><\/a> Others<\/h2>\n<ul>\n<li class=\"western\" 
lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/serverfault.com\/questions\/1006595\/cannot-setup-wireguard-vpn\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/serverfault.com\/questions\/1006595\/cannot-setup-wireguard-vpn<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/wireguard.how\/server\/debian\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/wireguard.how\/server\/debian\/<\/u><\/span><\/span><\/span><\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/raspberrytips.com\/disable-wifi-raspberry-pi\/\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/raspberrytips.com\/disable-wifi-raspberry-pi\/<\/u><\/span><\/span><\/span><\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?t=290611\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span lang=\"zxx\"><u>https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?t=290611<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><span style=\"font-family: monospace;\"><span style=\"font-size: large;\"><a href=\"https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?f=63&amp;t=138610\"><span style=\"color: #000080;\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\"><span 
lang=\"zxx\"><u>https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?f=63&amp;t=138610<\/u><\/span><\/span><\/span><\/span><\/a><\/span><\/span><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/www.simonpreston.dev\/2019\/03\/01\/using-the-raspberry-pi-as-a-dhcp-server\/\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\">https:\/\/www.simonpreston.dev\/2019\/03\/01\/using-the-raspberry-pi-as-a-dhcp-server\/<\/span><\/span><\/a><\/li>\n<li class=\"western\" lang=\"en-GB\"><a href=\"https:\/\/www.privacyguides.org\/\"><span style=\"font-family: Open Sans Condensed, sans-serif;\"><span style=\"font-size: medium;\">https:\/\/www.privacyguides.org\/<\/span><\/span><\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Privacy for you Internet access plus a monitor for your devices, a Wi-Fi\/LAN intruder detector and a VPN Server for remote access with a Raspberry Pi + Bonus Track: a Password Manager Building a Privacy Box with a Raspberry Pi \u00a9 2022 by Daniel Alomar is licensed under CC BY-NC-SA 4.0. 
To view a copy &hellip; <a href=\"https:\/\/coneixement.info\/blog\/building-a-privacy-box-with-a-raspberry-pi\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Building a Privacy Box (with a Raspberry Pi)<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[41,8],"tags":[],"class_list":["post-524","post","type-post","status-publish","format-standard","hentry","category-security","category-technology"],"_links":{"self":[{"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/posts\/524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/comments?post=524"}],"version-history":[{"count":23,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/posts\/524\/revisions"}],"predecessor-version":[{"id":673,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/posts\/524\/revisions\/673"}],"wp:attachment":[{"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/media?parent=524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/categories?post=524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/tags?post=524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}