{"id":680,"date":"2024-03-27T22:49:49","date_gmt":"2024-03-27T21:49:49","guid":{"rendered":"https:\/\/coneixement.info\/blog\/?p=680"},"modified":"2024-04-22T19:29:48","modified_gmt":"2024-04-22T18:29:48","slug":"enhanced-privacy-box-with-raspberry-pi-revamped-and-containerized","status":"publish","type":"post","link":"https:\/\/coneixement.info\/blog\/enhanced-privacy-box-with-raspberry-pi-revamped-and-containerized\/","title":{"rendered":"Enhanced Privacy Box with Raspberry Pi: Revamped and Containerized"},"content":{"rendered":"<p id=\"ember1184\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Privacy for your Internet access plus a monitor for your devices, a Wi-Fi\/LAN intruder detector and a VPN Server for remote access with a Raspberry Pi + bonus track: password manager. Now with containers!!<\/strong><\/p>\n<p id=\"ember1185\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Changelog<\/strong><\/p>\n<ul>\n<li>20230103 &#8211; Added Netdata as a monitoring solution recommended instead of RPi-monitor<\/li>\n<li>20240210 &#8211; Updated for Debian 12 (Bookworm), including instructions for container installation. Corrected some misconfigurations.<\/li>\n<\/ul>\n<h3 id=\"ember1187\" class=\"ember-view\">Note about the changes:<\/h3>\n<p id=\"ember1188\" class=\"ember-view reader-content-blocks__paragraph\">I\u2019m excited to announce the latest update to my comprehensive guide, &#8220;Building a Privacy Box with a Raspberry Pi,&#8221; now titled &#8220;Enhanced Privacy Box with Raspberry Pi: Revamped and Containerized&#8221;. This revised edition addresses and corrects previous inaccuracies, expands on explanations to ensure clarity, and introduces an innovative approach to privacy technology by incorporating containerization. 
By leveraging containers instead of traditional applications, users gain flexibility, efficiency, and enhanced security for their Internet access, device monitoring, Wi-Fi\/LAN intrusion detection, and VPN server functionalities. Whether you&#8217;re a novice or an experienced Raspberry Pi enthusiast, this guide is your go-to resource for constructing a robust privacy box tailored to the modern digital landscape.<\/p>\n<p id=\"ember1189\" class=\"ember-view reader-content-blocks__paragraph\">Enhanced Privacy Box with Raspberry Pi: Revamped and Containerized \u00a9 2024 by Daniel Alomar is licensed under CC BY-NC-SA 4.0. To view a copy of this license, visit <a class=\"app-aware-link \" href=\"http:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">http:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/<\/a><\/p>\n<p id=\"ember1190\" class=\"ember-view reader-content-blocks__paragraph\">You can download a PDF of this article here: <a class=\"app-aware-link \" href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/02\/EnhancedPrivacyBox-20240210.pdf\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">EnhancedPrivacyBox<\/a><\/p>\n<h2 id=\"ember1193\" class=\"ember-view\">Introduction<\/h2>\n<h3 id=\"ember1194\" class=\"ember-view\">Background<\/h3>\n<p id=\"ember1195\" class=\"ember-view reader-content-blocks__paragraph\">In these uncertain and peculiar times that seem to be stretching on indefinitely, it\u2019s crucial that <strong>we safeguard our privacy<\/strong>. The adage \u201cif you\u2019re not paying for it, then you are the product\u201d<sup>1,2<\/sup> holds true.<\/p>\n<p id=\"ember1196\" class=\"ember-view reader-content-blocks__paragraph\">We weren\u2019t educated in school on the use of Information and Communication Technologies (ICT). Most of us aren\u2019t digital natives, and even those who are find that technology evolves faster than our ability to adapt to it. 
Those fortunate enough to have an affinity for technology and to be early adopters may find it \u2018somewhat less difficult\u2019 to navigate ICT, almost like an intuition. However, this doesn\u2019t mean we\u2019re safe from the dangers of exposing our lives on the Internet. Various companies are constantly on the lookout to collect our data to create the most accurate profile possible, detailing our tastes, preferences, and habits. They know us much better than we know ourselves, and that\u2019s not a clich\u00e9, <strong>it\u2019s reality.<\/strong><\/p>\n<p id=\"ember1197\" class=\"ember-view reader-content-blocks__paragraph\">This data is collected by companies known as <a class=\"app-aware-link \" href=\"https:\/\/clearcode.cc\/blog\/what-is-data-broker\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">Data Brokers<\/a><sup>3<\/sup> using various techniques. The data is used to create profiles of us for different purposes, such as marketing and advertising, risk mitigation, and people-search services<sup>4,5<\/sup>. While personalized advertisements might sound appealing to some, it\u2019s important to be aware of the side effects, such as differential pricing and other more severe consequences. Companies, armed with extensive information about us, can calculate prices for the services or products we want to acquire or the advertisements we see with high accuracy. For instance, the price for health insurance won\u2019t be the same if the company has information about us acquired from Data Brokers. The same applies to the advertisements we see on our devices. 
Here\u2019s an example from Signal: <a class=\"app-aware-link \" href=\"https:\/\/signal.org\/blog\/the-instagram-ads-you-will-never-see\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/signal.org\/blog\/the-instagram-ads-you-will-never-see\/<\/a> .<\/p>\n<p id=\"ember1198\" class=\"ember-view reader-content-blocks__paragraph\">It\u2019s common to hear someone say, \u201cI don\u2019t care about privacy concerns. I have nothing to hide.\u201d A quick response you could give, with a smile on your face, is, \u201cIf you have nothing to hide, then you can give me your email password.\u201d Of course, they won\u2019t, which proves that EVERYONE has some information to protect.<\/p>\n<h3 id=\"ember1199\" class=\"ember-view\">What is a Privacy Box<\/h3>\n<p id=\"ember1200\" class=\"ember-view reader-content-blocks__paragraph\">The Privacy Box, as I call it, is a device designed to enhance your Internet privacy. It comes equipped with various tools that are pre-installed and configured. One of these tools is the Pi-hole application, which blocks advertisements across your entire network for all types of devices, eliminating the need to install software on each individual device.<\/p>\n<p id=\"ember1201\" class=\"ember-view reader-content-blocks__paragraph\">Another tool is Unbound, a local validating, recursive, and caching DNS resolver. This means that your Internet Service Providers (ISP) won\u2019t be able to see what you\u2019re searching for, as the Domain Name Resolution will be local and even faster, within your Raspberry Pi.<\/p>\n<p id=\"ember1202\" class=\"ember-view reader-content-blocks__paragraph\">In addition to these tools, WireGuard, a VPN Server, is also included. 
This allows for a secure, remote connection to your network, ensuring continued privacy when you\u2019re outside your local network.<\/p>\n<p id=\"ember1203\" class=\"ember-view reader-content-blocks__paragraph\">All these functionalities are installed inside a Raspberry Pi device, allowing it to run 24&#215;7 at a low cost.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-681\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/1.png\" alt=\"\" width=\"474\" height=\"336\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/1.png 474w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/1-300x213.png 300w\" sizes=\"auto, (max-width: 474px) 100vw, 474px\" \/><\/a><\/p>\n<p id=\"ember1205\" class=\"ember-view reader-content-blocks__paragraph\">The main features of the Privacy Box include:<\/p>\n<ul>\n<li><strong>Blocking unwanted content<\/strong> on all connected devices without the need for client-side software (Pi-hole)<\/li>\n<li>Providing <strong>network-wide protection<\/strong> (Pi-hole)<\/li>\n<li><strong>Improving network performance<\/strong> (Pi-hole)<\/li>\n<li>A <strong>secure open-source recursive DNS server<\/strong> for local resolution (Unbound)<\/li>\n<li>A <strong>network intrusion detector<\/strong> (Pi.Alert)<\/li>\n<li><strong>Device monitoring<\/strong> (RPI-Monitor)<\/li>\n<li><strong>Secure and remote access<\/strong> through a VPN (WireGuard)<\/li>\n<\/ul>\n<p id=\"ember1207\" class=\"ember-view reader-content-blocks__paragraph\">As an added bonus, I\u2019ve included a tutorial on setting up a Raspberry Pi to host a password manager and how to access it from the Internet. I\u2019ve chosen Vaultwarden, which is based on the well-known solution, Bitwarden. Due to technical reasons, it\u2019s easier to run this server on another Raspberry Pi. 
You could try to set it up on the same device where you have Pi-hole, but I wouldn\u2019t recommend it.<\/p>\n<p id=\"ember1208\" class=\"ember-view reader-content-blocks__paragraph\">If you lack the technological knowledge to follow this guide and build this Privacy Box yourself, ask a friend with more tech knowledge (perhaps a geek) to help you set it up. We techies love to help others. My intention has been to create a very simple tutorial, with step-by-step instructions, explaining the reason for each step so that we can understand what we\u2019re doing.<\/p>\n<p id=\"ember1209\" class=\"ember-view reader-content-blocks__paragraph\">Before we begin, I would like to express my gratitude to Mr.Smashy (<a class=\"app-aware-link \" href=\"https:\/\/twitter.com\/THESMASHY\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">@THESMASHY<\/a>), who authored a guide<sup>6<\/sup> that served as the original source of inspiration for this one. His contributions to this field are greatly appreciated. Now, let\u2019s get started!<\/p>\n<p id=\"ember1210\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Note: <\/strong>Commands are identified using a different text style and are framed within a grey box like this:<\/p>\n<pre>$ls -l<\/pre>\n<p id=\"ember1211\" class=\"ember-view reader-content-blocks__paragraph\">The command will start with either a $ or # symbol. This indicates whether the command is executed without administrator privileges ($ symbol) or with administrator privileges (# symbol). To elevate privileges (from $ to #), we must run the sudo -s command or start the command with sudo. In both cases, you will need the administrator password. 
Here are some examples:<\/p>\n<pre>$sudo -s\n#<\/pre>\n<p id=\"ember1212\" class=\"ember-view reader-content-blocks__paragraph\">Running the ls command with elevated privileges:<\/p>\n<pre>$sudo ls<\/pre>\n<h2 id=\"ember1213\" class=\"ember-view\">Objective<\/h2>\n<p id=\"ember1214\" class=\"ember-view reader-content-blocks__paragraph\">The aim is to provide instructions for installing a set of utilities within a Raspberry Pi to create a Privacy Box that ensures our privacy while browsing the Internet. This includes how to install the WireGuard VPN, which allows us to connect remotely to our network. We will also demonstrate how to set up Vaultwarden, an alternative implementation of the Bitwarden password manager. This tool will be installed on a separate Raspberry Pi device.<\/p>\n<h2 id=\"ember1215\" class=\"ember-view\">Requirements<\/h2>\n<p id=\"ember1216\" class=\"ember-view reader-content-blocks__paragraph\">Here is the list of requirements:<\/p>\n<ul>\n<li>Raspberry Pi 3 Model B (or higher)<\/li>\n<li>A computer to write the image and connect to the Raspberry Pi for configuration<\/li>\n<li>SD Card, USB memory stick, or SSD HD (capacity: 16 GB or higher)<\/li>\n<li>Internet connection<\/li>\n<li>Basic knowledge of computers or a tech-savvy friend<\/li>\n<li>Basic knowledge of the Linux editor nano<\/li>\n<li>Power supply<\/li>\n<li>Curiosity<\/li>\n<li>Time<\/li>\n<\/ul>\n<p id=\"ember1218\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Note 1<\/strong>: Regarding the computer, I have used my laptop with GNU\/Linux (EndeavourOS flavor) to write the image and connect to the Raspberry Pi, so the commands you will see belong to the GNU\/Linux operating system. The remaining instructions are independent of the operating system you use. 
If you are a Windows or Mac user, you will find several alternatives easily on the Internet to write the image to the SD Card or USB stick and connect to the Raspberry Pi.<\/p>\n<p id=\"ember1219\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Note 2<\/strong>: Should you choose an SD Card, USB memory stick, or SSD HD? People say the lifetime of an SD Card is shorter than that of a USB memory stick or SSD HD, so many people boot from an SD Card and use a USB memory stick or an SSD hard drive to run the operating system. From Raspberry Pi 3 and up, the operating system can be booted and run directly from the USB. In this manual, I have added some tools to decrease the write cycles to the disk by using RAM. Which one to choose? I would recommend using an SSD HD.<\/p>\n<p id=\"ember1220\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Important<\/strong>: MAKE REGULAR BACKUPS to ensure you have a plan B for any incident related to the device.<\/p>\n<h2 id=\"ember1221\" class=\"ember-view\">Setup of the Privacy Box<\/h2>\n<p id=\"ember1222\" class=\"ember-view reader-content-blocks__paragraph\">This section will explain how to set up Pi-hole and Unbound, along with other optional and recommended tools.<\/p>\n<h3 id=\"ember1223\" class=\"ember-view\">Why I chose Debian instead of Raspbian or RaspberryPi OS<\/h3>\n<p id=\"ember1224\" class=\"ember-view reader-content-blocks__paragraph\">There are several reasons why I chose a Debian image instead of Raspbian or RaspberryPi OS. The main reason is freedom. Debian is a full GNU\/Linux flavor, with no commercial or proprietary software.<\/p>\n<p id=\"ember1225\" class=\"ember-view reader-content-blocks__paragraph\">A second reason is the incident in February <strong>2021<\/strong><sup>7,8,9<\/sup>, when Raspbian modified its internal repository files without notification. A Microsoft repository pointing to a Microsoft server was added secretly without any notification. 
The reason was to provide Visual Studio Code for some scenarios. This modification without consent crossed the boundaries of my trust and made me decide to move to a full open-source distribution like Debian. If they changed this without notification, what could they do next time?<\/p>\n<h3 id=\"ember1226\" class=\"ember-view\">Identifying the device<\/h3>\n<p id=\"ember1227\" class=\"ember-view reader-content-blocks__paragraph\">To identify your Raspberry Pi model, you can use a command that queries the device directly. This is particularly useful if you\u2019re unsure about the model even after visually inspecting it.<\/p>\n<p id=\"ember1228\" class=\"ember-view reader-content-blocks__paragraph\">You can run the following command in the terminal:<\/p>\n<pre>$cat \/proc\/device-tree\/model<\/pre>\n<p id=\"ember1229\" class=\"ember-view reader-content-blocks__paragraph\">This command will return the Raspberry Pi Model. It\u2019s a straightforward and reliable way to confirm the specific model of your Raspberry Pi.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-682\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/2.png\" alt=\"\" width=\"406\" height=\"38\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/2.png 406w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/2-300x28.png 300w\" sizes=\"auto, (max-width: 406px) 100vw, 406px\" \/><\/a><\/p>\n<p id=\"ember1231\" class=\"ember-view reader-content-blocks__paragraph\">If you have installed Raspbian as your operating system, you can use the following command to check your Raspberry Pi model. 
This command will return information about your device:<\/p>\n<pre>$rev=$(awk '\/^Revision\/ { print $3 }' \/proc\/cpuinfo) &amp;&amp; curl -L \"perturb.org\/rpi?rev=$rev\"<\/pre>\n<p id=\"ember1232\" class=\"ember-view reader-content-blocks__paragraph\">This command first retrieves the revision number of your Raspberry Pi from the CPU info, and then uses curl to send a request to perturb.org with the revision number as a parameter. The website will return the model information based on the revision number.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-683\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/3.png\" alt=\"\" width=\"829\" height=\"127\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/3.png 829w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/3-300x46.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/3-768x118.png 768w\" sizes=\"auto, (max-width: 829px) 100vw, 829px\" \/><\/a><\/p>\n<h3 id=\"ember1234\" class=\"ember-view\">Download and Flash an Image<\/h3>\n<p id=\"ember1235\" class=\"ember-view reader-content-blocks__paragraph\">You can download the Debian image for Raspberry Pi from <a class=\"app-aware-link \" href=\"https:\/\/raspi.debian.net\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/raspi.debian.net\/<\/a>. 
For a production environment, I recommend using a tested image from the daily build available here: <a class=\"app-aware-link \" href=\"https:\/\/raspi.debian.net\/daily-images\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/raspi.debian.net\/daily-images\/<\/a><\/p>\n<p id=\"ember1236\" class=\"ember-view reader-content-blocks__paragraph\">Choose the xz-compressed image that corresponds to your hardware.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-684\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/4.png\" alt=\"\" width=\"1304\" height=\"517\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/4.png 1304w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/4-300x119.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/4-1024x406.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/4-768x304.png 768w\" sizes=\"auto, (max-width: 1304px) 100vw, 1304px\" \/><\/a><\/p>\n<p id=\"ember1238\" class=\"ember-view reader-content-blocks__paragraph\">Once you&#8217;ve downloaded the file, locate it and open a console session in that folder. You can decompress the downloaded image using the following unxz command:<\/p>\n<pre>$unxz raspi_3_bookworm.img.xz<\/pre>\n<p id=\"ember1239\" class=\"ember-view reader-content-blocks__paragraph\">This will result in an img file. 
In my case, it\u2019s raspi_3_bookworm.img.<\/p>\n<p id=\"ember1240\" class=\"ember-view reader-content-blocks__paragraph\">Next, plug an SD card or USB into your laptop and flash the image to the device with the following command (replace sdb with the identifier for your SD Card or USB):<\/p>\n<pre>$sudo dd bs=4M if=raspi_3_bookworm.img of=\/dev\/sdb conv=fdatasync status=progress<\/pre>\n<p id=\"ember1241\" class=\"ember-view reader-content-blocks__paragraph\">If you choose to boot and run the operating system from the USB, you\u2019ll need to configure the device to boot from USB. You can find the settings for booting from USB on the Raspberry Pi website.<\/p>\n<p id=\"ember1242\" class=\"ember-view reader-content-blocks__paragraph\">Please note that if you have a Raspberry Pi 2 version 1.1 or lower, you can only boot from SD, but then you can switch to the USB.<\/p>\n<h3 id=\"ember1243\" class=\"ember-view\">Configuring remote access with SSH<\/h3>\n<p id=\"ember1244\" class=\"ember-view reader-content-blocks__paragraph\">The secure way to connect to your Raspberry Pi is through an SSH connection. This can be done in two ways:<\/p>\n<ol>\n<li><strong> Using a login and password: <\/strong>This method allows anyone who knows the username and password to connect to the device from any location.<\/li>\n<li><strong>Using an SSH key: <\/strong>This method is more secure. Your public key is stored on the remote machine and a private key is stored on your machine. Both SSH keys are required to establish a secure connection.<\/li>\n<\/ol>\n<p id=\"ember1246\" class=\"ember-view reader-content-blocks__paragraph\">I recommend setting up the second method.<\/p>\n<h3 id=\"ember1247\" class=\"ember-view\">Enable SSH on Raspberry Pi in Headless Mode Without Keys<\/h3>\n<p id=\"ember1248\" class=\"ember-view reader-content-blocks__paragraph\">First, we need to enable the SSH connection, which is disabled by default for security reasons. 
Here are the steps:<\/p>\n<ol>\n<li>Turn off the device and remove the card or USB.<\/li>\n<li>Insert the microSD card into the card reader or plug the USB into the computer.<\/li>\n<li>Create an empty file inside the boot partition called SSH.<\/li>\n<\/ol>\n<h3 id=\"ember1250\" class=\"ember-view\">Pre-configuration and Enabling SSH Remote Connection Using SSH Key<\/h3>\n<p id=\"ember1251\" class=\"ember-view reader-content-blocks__paragraph\">We are going to generate SSH keys on our computer and copy the public key into sysconf.txt (raspifirm partition). Use the following command to generate the keys:<\/p>\n<pre>$ssh-keygen -t rsa<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-685\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/5.png\" alt=\"\" width=\"544\" height=\"347\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/5.png 544w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/5-300x191.png 300w\" sizes=\"auto, (max-width: 544px) 100vw, 544px\" \/><\/a><\/p>\n<p>Next, edit sysconf.txt, uncomment the root_authorized_key entry, and paste the public key generated in the previous step (located in the id_<a class=\"app-aware-link \" href=\"http:\/\/rsa.pub\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">rsa.pub<\/a> file). 
You can also modify the hostname of the Raspberry Pi (I have chosen \u2018Anuk\u2019).<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-686\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/6.png\" alt=\"\" width=\"753\" height=\"331\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/6.png 753w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/6-300x132.png 300w\" sizes=\"auto, (max-width: 753px) 100vw, 753px\" \/><\/a><\/p>\n<h3 id=\"ember1255\" class=\"ember-view\">Configuring a static IP address<\/h3>\n<p id=\"ember1256\" class=\"ember-view reader-content-blocks__paragraph\">To set a static IP address, navigate to the RASPIROOT partition and modify the eth0 file located at the following path: \/etc\/network\/interfaces.d\/eth0. Set the IP address of your choice and the IP of the corresponding router gateway. In my case, these are 192.168.1.10 and 192.168.1.1, respectively. The file should look like:<\/p>\n<pre>auto eth0\niface eth0 inet static\n        address 192.168.1.10\n        netmask 255.255.255.0\n        gateway 192.168.1.1<\/pre>\n<h3 id=\"ember1257\" class=\"ember-view\">Configuring DNS<\/h3>\n<p id=\"ember1258\" class=\"ember-view reader-content-blocks__paragraph\">We will set the DNS to Cloudflare (either 1.1.1.1 or 1.0.0.1). Create the file \/etc\/resolv.conf with the chosen DNS:<\/p>\n<pre>nameserver 1.0.0.1<\/pre>\n<p id=\"ember1259\" class=\"ember-view reader-content-blocks__paragraph\">After setting up the DNS, put the SD Card or USB stick back into the Raspberry Pi and boot it. 
Now, you can try to connect to the Raspberry Pi from your computer using the username\u00a0root\u00a0and the IP address you set.<\/p>\n<pre>$ssh root@192.168.1.10<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-687\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/7.png\" alt=\"\" width=\"589\" height=\"173\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/7.png 589w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/7-300x88.png 300w\" sizes=\"auto, (max-width: 589px) 100vw, 589px\" \/><\/a><\/p>\n<h3 id=\"ember1261\" class=\"ember-view\">Additional configurations<\/h3>\n<h3 id=\"ember1262\" class=\"ember-view\">Setting the Hostname<\/h3>\n<p id=\"ember1263\" class=\"ember-view reader-content-blocks__paragraph\">Set the hostname by editing the file \/etc\/hostname:<\/p>\n<pre>#nano \/etc\/hostname<\/pre>\n<p id=\"ember1264\" class=\"ember-view reader-content-blocks__paragraph\">Add a hostname entry to the hosts file (in my case, \u2018Anuk\u2019):<\/p>\n<pre>#nano \/etc\/hosts<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-688\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/8.png\" alt=\"\" width=\"454\" height=\"46\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/8.png 454w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/8-300x30.png 300w\" sizes=\"auto, (max-width: 454px) 100vw, 454px\" \/><\/a><\/p>\n<p id=\"ember1266\" class=\"ember-view reader-content-blocks__paragraph\">If you\u2019re using Raspbian, you can set the hostname through the raspi-config application.<\/p>\n<h3 id=\"ember1267\" class=\"ember-view\">Updating the System<\/h3>\n<p id=\"ember1268\" class=\"ember-view 
reader-content-blocks__paragraph\">Update the system to get the latest updates:<\/p>\n<pre>#apt update &amp;&amp; apt-get upgrade -y<\/pre>\n<p id=\"ember1269\" class=\"ember-view reader-content-blocks__paragraph\">Install some additional software that we will need:<\/p>\n<pre>#apt install sudo dnsutils gnupg wget curl git<\/pre>\n<h3 id=\"ember1270\" class=\"ember-view\">Adding a Non-Root User<\/h3>\n<p id=\"ember1271\" class=\"ember-view reader-content-blocks__paragraph\">Add a non-root user and set a password for it:<\/p>\n<pre>#adduser daniel<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-689\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/9.png\" alt=\"\" width=\"461\" height=\"309\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/9.png 461w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/9-300x201.png 300w\" sizes=\"auto, (max-width: 461px) 100vw, 461px\" \/><\/a><\/p>\n<p id=\"ember1273\" class=\"ember-view reader-content-blocks__paragraph\">Add the user to the sudo and video groups:<\/p>\n<pre>#adduser daniel video\n#adduser daniel sudo<\/pre>\n<p id=\"ember1274\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Note<\/strong>: If you\u2019re using Raspbian OS, the default user is \u2018pi\u2019. I recommend creating another user and removing the default one once you\u2019ve created the new one with the following commands:<\/p>\n<pre>$sudo pkill -u pi\n$sudo deluser --remove-home pi<\/pre>\n<h3 id=\"ember1275\" class=\"ember-view\">Lock Down the SSH Service<\/h3>\n<p id=\"ember1276\" class=\"ember-view reader-content-blocks__paragraph\">Edit the SSH config file. 
We recommend using the SSH keys generated previously and disabling password access:<\/p>\n<pre>$sudo nano \/etc\/ssh\/sshd_config<\/pre>\n<p id=\"ember1277\" class=\"ember-view reader-content-blocks__paragraph\">Uncomment the lines in white<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/10.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-690\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/10.png\" alt=\"\" width=\"602\" height=\"492\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/10.png 602w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/10-300x245.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/a><\/p>\n<p id=\"ember1279\" class=\"ember-view reader-content-blocks__paragraph\">and copy-paste the public key we generated previously:<\/p>\n<pre>$mkdir -p ~\/.ssh\n$nano ~\/.ssh\/authorized_keys<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/11.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-691\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/11.png\" alt=\"\" width=\"718\" height=\"58\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/11.png 718w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/11-300x24.png 300w\" sizes=\"auto, (max-width: 718px) 100vw, 718px\" \/><\/a><\/p>\n<p id=\"ember1281\" class=\"ember-view reader-content-blocks__paragraph\">Save changes and exit the editor. Restart SSH:<\/p>\n<pre>$sudo service ssh restart<\/pre>\n<p id=\"ember1282\" class=\"ember-view reader-content-blocks__paragraph\">Restart the service. 
We\u2019ll be disconnected if we are connected through SSH:<\/p>\n<pre>$sudo service networking restart<\/pre>\n<p id=\"ember1283\" class=\"ember-view reader-content-blocks__paragraph\">If you\u2019ve previously assigned this IP address, you\u2019ll get a message.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/12.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-692\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/12.png\" alt=\"\" width=\"668\" height=\"226\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/12.png 668w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/12-300x101.png 300w\" sizes=\"auto, (max-width: 668px) 100vw, 668px\" \/><\/a><\/p>\n<p id=\"ember1285\" class=\"ember-view reader-content-blocks__paragraph\">Just delete the entry in your known hosts database:<\/p>\n<pre>$nano ~\/.ssh\/known_hosts<\/pre>\n<p id=\"ember1286\" class=\"ember-view reader-content-blocks__paragraph\">Log out as root and log in as the new user (in my case, \u2018daniel\u2019):<\/p>\n<pre>$ssh daniel@192.168.1.10<\/pre>\n<p id=\"ember1287\" class=\"ember-view reader-content-blocks__paragraph\">Check the IP configuration (static IP and DNS configuration).<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/13.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-693\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/13.png\" alt=\"\" width=\"825\" height=\"282\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/13.png 825w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/13-300x103.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/13-768x263.png 768w\" sizes=\"auto, (max-width: 825px) 100vw, 825px\" \/><\/a><\/p>\n<h3 id=\"ember1289\" class=\"ember-view\">Setting the Time 
Zone<\/h3>\n<p id=\"ember1290\" class=\"ember-view reader-content-blocks__paragraph\">Set our time zone. We can check all the time zones listed with the command:<\/p>\n<pre>$timedatectl list-timezones<\/pre>\n<p id=\"ember1291\" class=\"ember-view reader-content-blocks__paragraph\">Choose the one that fits you best. In my case, I chose \u2018Europe\/Madrid\u2019:<\/p>\n<pre>$sudo timedatectl set-timezone Europe\/Madrid<\/pre>\n<p id=\"ember1292\" class=\"ember-view reader-content-blocks__paragraph\">Once set, you can retrieve the status with the following command:<\/p>\n<pre>$timedatectl status<\/pre>\n<p id=\"ember1293\" class=\"ember-view reader-content-blocks__paragraph\">We\u2019re going to set the time automatically, using the NTP protocol which helps us to change and synchronize the date and time periodically:<\/p>\n<pre>$sudo nano \/etc\/systemd\/timesyncd.conf<\/pre>\n<p id=\"ember1294\" class=\"ember-view reader-content-blocks__paragraph\">Set NTP to \u2018<a class=\"app-aware-link \" href=\"http:\/\/time.cloudflare.com\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">time.cloudflare.com<\/a>\u2019 and uncomment the FallbackNTP and PollIntervalMaxSec lines.<\/p>\n<h3 id=\"ember1295\" class=\"ember-view\">Installing Unattended Upgrades Package (Recommended)<\/h3>\n<p id=\"ember1296\" class=\"ember-view reader-content-blocks__paragraph\">To have unattended upgrades, we need to install an additional package:<\/p>\n<pre>$sudo apt install unattended-upgrades<\/pre>\n<p id=\"ember1297\" class=\"ember-view reader-content-blocks__paragraph\">The configuration of unattended upgrades is set inside this file:<\/p>\n<pre>$sudo nano \/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/pre>\n<p id=\"ember1298\" class=\"ember-view reader-content-blocks__paragraph\">You may want to update some settings. I recommend uncommenting and changing \u2018Unattended-Upgrade::Remove-Unused-Dependencies\u2019 to \u2018true\u2019. 
Exit and save the file.<\/p>\n<p id=\"ember1299\" class=\"ember-view reader-content-blocks__paragraph\">Basically, we commented out the type of upgrade we want to apply. The second last line allows the system to email us the status. We must install mailutils or mailx first in Raspbian for the email notification to be effective. The last line allows the system to reboot automatically. Please also make sure that update-notifier-common has been installed.<\/p>\n<p id=\"ember1300\" class=\"ember-view reader-content-blocks__paragraph\">There are more options that we can set such as reboot time and log file in the configuration file. Uncomment any option when necessary.<\/p>\n<p id=\"ember1301\" class=\"ember-view reader-content-blocks__paragraph\">Create a periodic upgrade file with the following command:<\/p>\n<pre>$sudo nano \/etc\/apt\/apt.conf.d\/02periodic<\/pre>\n<p id=\"ember1302\" class=\"ember-view reader-content-blocks__paragraph\">And add the following content:<\/p>\n<pre>\/\/ Control parameters for cron jobs by \/etc\/cron.daily\/apt-compat \/\/\n\n\/\/ Enable the update\/upgrade script (0=disable)\nAPT::Periodic::Enable \"1\";\n\n\/\/ Do \"apt-get update\" automatically every n-days (0=disable)\nAPT::Periodic::Update-Package-Lists \"1\";\n\n\/\/ Do \"apt-get upgrade --download-only\" every n-days (0=disable)\nAPT::Periodic::Download-Upgradeable-Packages \"1\";\n\n\/\/ Run the \"unattended-upgrade\" security upgrade script\n\/\/ every n-days (0=disabled)\n\/\/ Requires the package \"unattended-upgrades\" and will write\n\/\/ a log in \/var\/log\/unattended-upgrades\nAPT::Periodic::Unattended-Upgrade \"1\";\n\n\/\/ Do \"apt-get autoclean\" every n-days (0=disable)\nAPT::Periodic::AutocleanInterval \"7\";\n\n\/\/ Send report mail to root\n\/\/     0:  no report             (or null string)\n\/\/     1:  progress report       (actually any string)\n\/\/     2:  + command outputs     (remove -qq, remove 2&gt;\/dev\/null, add -d)\n\/\/     3:  + trace 
on\nAPT::Periodic::Verbose \"2\";<\/pre>\n<p id=\"ember1303\" class=\"ember-view reader-content-blocks__paragraph\">Check your unattended upgrades by running this command to debug your configuration:<\/p>\n<pre>$sudo unattended-upgrades -d<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/14.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-694\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/14.png\" alt=\"\" width=\"1253\" height=\"388\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/14.png 1253w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/14-300x93.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/14-1024x317.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/14-768x238.png 768w\" sizes=\"auto, (max-width: 1253px) 100vw, 1253px\" \/><\/a><\/p>\n<h3 id=\"ember1305\" class=\"ember-view\">Installing Fail2Ban (Optional)<\/h3>\n<p id=\"ember1306\" class=\"ember-view reader-content-blocks__paragraph\">Fail2Ban is intrusion prevention software designed to protect against brute-force attacks. First, we need to install the package:<\/p>\n<pre>$sudo apt install fail2ban -y<\/pre>\n<p id=\"ember1307\" class=\"ember-view reader-content-blocks__paragraph\">Fail2Ban will block an attacker\u2019s IP for 10 minutes after 5 failed login attempts.<\/p>\n<p id=\"ember1308\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Note<\/strong>: Fail2Ban installed from the repository will only provide security on the IPv4 protocol. If you want Fail2Ban to support IPv6, please refer to the relevant guide.<\/p>\n<p id=\"ember1309\" class=\"ember-view reader-content-blocks__paragraph\">The configuration of Fail2Ban is set in the following file: \/etc\/fail2ban\/jail.conf. 
If you make any config changes, restart the service via:<\/p>\n<pre>$sudo service fail2ban restart<\/pre>\n<p id=\"ember1310\" class=\"ember-view reader-content-blocks__paragraph\">In order to recover access, use:<\/p>\n<pre>$ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@your.vps.ip<\/pre>\n<h3 id=\"ember1311\" class=\"ember-view\">Installing a Firewall (Optional)<\/h3>\n<p id=\"ember1312\" class=\"ember-view reader-content-blocks__paragraph\">It is recommended to install a firewall to block unsolicited connections. Uncomplicated Firewall (ufw) is a program for managing a netfilter firewall designed to be easy to use. It uses a command-line interface consisting of a small number of simple commands and uses iptables for configuration. To install ufw, just run this command:<\/p>\n<pre>$sudo apt install ufw<\/pre>\n<h3 id=\"ember1313\" class=\"ember-view\">Configuring the Firewall<\/h3>\n<p id=\"ember1314\" class=\"ember-view reader-content-blocks__paragraph\">Create your access list to the ports you need:<\/p>\n<pre>$sudo ufw allow 80\n$sudo ufw allow 443\n$sudo ufw allow 53\n$sudo ufw allow 8888\n$sudo ufw allow 22\/tcp<\/pre>\n<p id=\"ember1315\" class=\"ember-view reader-content-blocks__paragraph\">You can be even more restrictive with extended parameters on the rules, like SSH for example. 
You can allow access on port 22 only from your computer\u2019s IP address:<\/p>\n<pre>$sudo ufw allow from 192.168.1.120 to any port 22 proto tcp<\/pre>\n<h3 id=\"ember1316\" class=\"ember-view\">Enabling the Firewall<\/h3>\n<pre>$sudo ufw enable<\/pre>\n<p id=\"ember1318\" class=\"ember-view reader-content-blocks__paragraph\">To show rules once the firewall is enabled, run the following command:<\/p>\n<pre>$sudo ufw status\nStatus: active \nTo \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Action \u00a0\u00a0\u00a0\u00a0\u00a0From \n-- \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0------ \u00a0\u00a0\u00a0\u00a0\u00a0---- \n80 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n443 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n53 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n8888 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n22 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n5335 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n51900\/udp \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n80 (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n443 (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n53 (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n8888 (v6) 
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n22 (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\n5335 (v6) \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ALLOW \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Anywhere (v6)<\/pre>\n<h3 id=\"ember1319\" class=\"ember-view\">Installing Log2Ram to Expand SSD Life (Recommended)<\/h3>\n<p id=\"ember1320\" class=\"ember-view reader-content-blocks__paragraph\">SSD Disks, SD Cards, and USB sticks have an SSD inside, which has a lifespan determined mainly by the write cycles (times we write something to the disk). To reduce the times we write to the SSD memory, we can redirect the writing of the system logs to RAM memory using Log2Ram. To do this, we have to install the Log2Ram application.<\/p>\n<p id=\"ember1321\" class=\"ember-view reader-content-blocks__paragraph\">First, we need to force a log reduction before starting to use Log2Ram:<\/p>\n<pre>$sudo journalctl --vacuum-size=16M<\/pre>\n<p id=\"ember1322\" class=\"ember-view reader-content-blocks__paragraph\">Let\u2019s add the repository where we are going to install the application and its key. 
Please check the Debian flavor you are using (bookworm in my case):<\/p>\n<pre>$echo \"deb http:\/\/packages.azlux.fr\/debian\/ bookworm main\" | sudo tee \/etc\/apt\/sources.list.d\/azlux.list\nwget -qO - https:\/\/azlux.fr\/repo.gpg.key | sudo apt-key add -<\/pre>\n<p id=\"ember1323\" class=\"ember-view reader-content-blocks__paragraph\">Let\u2019s update the system database and install the application:<\/p>\n<pre>$sudo apt-get update\n$sudo apt install log2ram -y<\/pre>\n<p id=\"ember1324\" class=\"ember-view reader-content-blocks__paragraph\">Once installed, we need a reboot:<\/p>\n<pre>$sudo reboot<\/pre>\n<h3 id=\"ember1325\" class=\"ember-view\">Configuring Log2Ram<\/h3>\n<p id=\"ember1326\" class=\"ember-view reader-content-blocks__paragraph\">We need to configure Log2Ram to increase the size:<\/p>\n<pre>$sudo nano \/etc\/log2ram.conf<\/pre>\n<p id=\"ember1327\" class=\"ember-view reader-content-blocks__paragraph\">Increase the SIZE parameter to 128MB, disable the mail notification, and increase the LOG_DISK_SIZE to 200M. 
Exit and save.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/15.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-695\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/15.png\" alt=\"\" width=\"694\" height=\"552\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/15.png 694w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/15-300x239.png 300w\" sizes=\"auto, (max-width: 694px) 100vw, 694px\" \/><\/a><\/p>\n<p id=\"ember1329\" class=\"ember-view reader-content-blocks__paragraph\">Restart Log2Ram:<\/p>\n<pre>$sudo service log2ram restart<\/pre>\n<p id=\"ember1330\" class=\"ember-view reader-content-blocks__paragraph\">And check that Log2Ram is running:<\/p>\n<pre>$df -h<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/16.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-696\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/16.png\" alt=\"\" width=\"427\" height=\"193\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/16.png 427w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/16-300x136.png 300w\" sizes=\"auto, (max-width: 427px) 100vw, 427px\" \/><\/a><\/p>\n<h3 id=\"ember1332\" class=\"ember-view\">How to solve apt-key deprecation warning<\/h3>\n<p id=\"ember1333\" class=\"ember-view reader-content-blocks__paragraph\">In case you get the following deprecation warning when adding the Log2Ram repository:<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-697\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/17.png\" alt=\"\" width=\"1472\" height=\"175\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/17.png 1472w, 
https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/17-300x36.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/17-1024x122.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/17-768x91.png 768w\" sizes=\"auto, (max-width: 1472px) 100vw, 1472px\" \/><\/a><\/p>\n<pre>W: http:\/\/packages.azlux.fr\/debian\/dists\/bookworm\/InRelease: Key is stored in legacy trusted.gpg keyring (\/etc\/apt\/trusted.gpg), see the DEPRECATION section in apt-key(8) for details<\/pre>\n<p id=\"ember1335\" class=\"ember-view reader-content-blocks__paragraph\">You can fix it by following these steps:<\/p>\n<p id=\"ember1336\" class=\"ember-view reader-content-blocks__paragraph\">1.- Retrieve the list of the repositories. You need the last 8 digits of the public key of the repository you want to trust. In our case, it\u2019s the first entry (0312D8E6).<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-698\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/18.png\" alt=\"\" width=\"784\" height=\"153\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/18.png 784w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/18-300x59.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/18-768x150.png 768w\" sizes=\"auto, (max-width: 784px) 100vw, 784px\" \/><\/a><\/p>\n<p id=\"ember1338\" class=\"ember-view reader-content-blocks__paragraph\">2.- Create a new file adding the key:<\/p>\n<pre>sudo apt-key export 0312D8E6 | sudo gpg --dearmour -o \/etc\/apt\/trusted.gpg.d\/log2ram.gpg<\/pre>\n<p id=\"ember1339\" class=\"ember-view reader-content-blocks__paragraph\">Now, you should no longer see the warning message.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/19.png\"><img loading=\"lazy\" decoding=\"async\" 
class=\"alignnone size-full wp-image-699\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/19.png\" alt=\"\" width=\"624\" height=\"138\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/19.png 624w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/19-300x66.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/p>\n<h3 id=\"ember1341\" class=\"ember-view\">Installing and configuring Pi-hole<\/h3>\n<p id=\"ember1342\" class=\"ember-view reader-content-blocks__paragraph\">Now that the system is configured and secured, we can install <a class=\"app-aware-link \" href=\"https:\/\/pi-hole.net\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">Pi-hole<\/a>. It can be installed as a native application (bare metal) or using Docker containers. I previously chose bare metal, but recently I moved to the container world. Here are some advantages and disadvantages of running Pi-hole in a container rather than as a native application:<\/p>\n<p id=\"ember1343\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Advantages<\/strong><\/p>\n<ul>\n<li><strong>Portability:<\/strong> You can easily move your Pi-hole configuration to another device or system by using docker volumes or backups (you can have a second pi-hole instance in another raspberry pi or running in a NAS).<\/li>\n<li><strong>Isolation:<\/strong> You can run Pi-hole in a separate environment from your host system, which can improve security and prevent conflicts with other applications.<\/li>\n<li><strong>Flexibility:<\/strong> You can customize your Pi-hole installation by using different docker images. 
You can also use docker-compose to manage multiple containers and services.<\/li>\n<\/ul>\n<p id=\"ember1345\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Disadvantages<\/strong><\/p>\n<ul>\n<li><strong>Overhead:<\/strong> You have to install and run docker on your host system, which can consume some resources and add some complexity.<\/li>\n<li><strong>Compatibility:<\/strong> You may encounter some issues with Pi-hole features that rely on the host network, such as DHCP or DNSSEC. You may also need to adjust some settings or ports to make Pi-hole work properly with docker.<\/li>\n<li><strong>Updates:<\/strong> You have to manually update your Pi-hole container when a new version is released, or use a script or a cron job to do it automatically. You also have to keep track of the changes in the docker image and the Pi-hole configuration.<\/li>\n<\/ul>\n<p id=\"ember1347\" class=\"ember-view reader-content-blocks__paragraph\">Here are the instructions for both options:<\/p>\n<h3 id=\"ember1348\" class=\"ember-view\">Bare metal installation<\/h3>\n<p id=\"ember1349\" class=\"ember-view reader-content-blocks__paragraph\">The installation process is very simple. 
Just download <a class=\"app-aware-link \" href=\"https:\/\/github.com\/pi-hole\/pi-hole\/#one-step-automated-install\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">this<\/a> script from the Pi-hole site and execute it to start the installation with the following command:<\/p>\n<pre>$curl -sSL https:\/\/install.pi-hole.net | bash<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/20.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-700\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/20.png\" alt=\"\" width=\"687\" height=\"480\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/20.png 687w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/20-300x210.png 300w\" sizes=\"auto, (max-width: 687px) 100vw, 687px\" \/><\/a><\/p>\n<p id=\"ember1351\" class=\"ember-view reader-content-blocks__paragraph\">After some checks, you\u2019ll be greeted with the install screen.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/21.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-701\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/21.png\" alt=\"\" width=\"572\" height=\"365\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/21.png 572w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/21-300x191.png 300w\" sizes=\"auto, (max-width: 572px) 100vw, 572px\" \/><\/a><\/p>\n<p id=\"ember1353\" class=\"ember-view reader-content-blocks__paragraph\">Remember to give a donation to the project if you find it useful. 
(I did it)<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/22.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-702\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/22.png\" alt=\"\" width=\"571\" height=\"360\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/22.png 571w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/22-300x189.png 300w\" sizes=\"auto, (max-width: 571px) 100vw, 571px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/23.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-703\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/23.png\" alt=\"\" width=\"570\" height=\"358\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/23.png 570w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/23-300x188.png 300w\" sizes=\"auto, (max-width: 570px) 100vw, 570px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/24.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-704\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/24.png\" alt=\"\" width=\"569\" height=\"358\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/24.png 569w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/24-300x189.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/a><\/p>\n<p id=\"ember1357\" class=\"ember-view reader-content-blocks__paragraph\">I recommend selecting all the third-party lists listed. 
We can add additional sources later.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/25.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-705\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/25.png\" alt=\"\" width=\"569\" height=\"358\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/25.png 569w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/25-300x189.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/a><\/p>\n<p id=\"ember1359\" class=\"ember-view reader-content-blocks__paragraph\">Choose the protocols you have in your network.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/26.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-706\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/26.png\" alt=\"\" width=\"567\" height=\"357\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/26.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/26-300x189.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p id=\"ember1361\" class=\"ember-view reader-content-blocks__paragraph\">Confirm the static IP chosen previously<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/27.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-707\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/27.png\" alt=\"\" width=\"569\" height=\"359\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/27.png 569w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/27-300x189.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/a><\/p>\n<p id=\"ember1363\" class=\"ember-view reader-content-blocks__paragraph\">Ensure you have an IP reservation for your Raspberry 
Pi.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/28.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-708\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/28.png\" alt=\"\" width=\"569\" height=\"358\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/28.png 569w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/28-300x189.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/a><\/p>\n<p id=\"ember1365\" class=\"ember-view reader-content-blocks__paragraph\">I recommend installing the web interface.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/29.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-709\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/29.png\" alt=\"\" width=\"567\" height=\"356\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/29.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/29-300x188.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p id=\"ember1367\" class=\"ember-view reader-content-blocks__paragraph\">Leave logging enabled.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/30.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-710\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/30.png\" alt=\"\" width=\"567\" height=\"356\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/30.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/30-300x188.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/31.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-711\" 
src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/31.png\" alt=\"\" width=\"567\" height=\"356\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/31.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/31-300x188.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p>When the installation is complete, you will get a final screen with some important info.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/32.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-712\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/32.png\" alt=\"\" width=\"567\" height=\"356\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/32.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/32-300x188.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p id=\"ember1373\" class=\"ember-view reader-content-blocks__paragraph\">Save this information to access the Pi-hole server. Save the admin webpage password in your password manager for now; it should be changed later. This same info is displayed once you return to the shell. 
Note the command to change the web admin password (pihole -a -p).<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/33.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-713\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/33.png\" alt=\"\" width=\"658\" height=\"370\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/33.png 658w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/33-300x169.png 300w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/a><\/p>\n<h3 id=\"ember1375\" class=\"ember-view\">Containers installation<\/h3>\n<p id=\"ember1376\" class=\"ember-view reader-content-blocks__paragraph\">First, we need to install the Docker engine. To manage containers easily, I will also install Portainer.<\/p>\n<h3 id=\"ember1377\" class=\"ember-view\">Installing using the apt repository<\/h3>\n<p id=\"ember1378\" class=\"ember-view reader-content-blocks__paragraph\">Before you install Docker Engine for the first time on a new host machine, you need to set up the Docker apt repository. Afterward, you can install and update Docker from the repository.<\/p>\n<p id=\"ember1379\" class=\"ember-view reader-content-blocks__paragraph\">Set up Docker&#8217;s apt repository. First, we have to add Docker&#8217;s official GPG key:<\/p>\n<pre>$sudo apt-get update\n$sudo apt-get install ca-certificates curl gnupg\n$sudo install -m 0755 -d \/etc\/apt\/keyrings\n$curl -fsSL https:\/\/download.docker.com\/linux\/debian\/gpg | sudo gpg --dearmor -o \/etc\/apt\/keyrings\/docker.gpg\n$sudo chmod a+r \/etc\/apt\/keyrings\/docker.gpg<\/pre>\n<p id=\"ember1380\" class=\"ember-view reader-content-blocks__paragraph\">Next, add the repository to our apt sources:<\/p>\n<pre>$echo \\\n  \"deb [arch=$(dpkg --print-architecture) signed-by=\/etc\/apt\/keyrings\/docker.gpg] https:\/\/download.docker.com\/linux\/debian \\\n  $(. 
\/etc\/os-release &amp;&amp; echo \"$VERSION_CODENAME\") stable\" | \\\n  sudo tee \/etc\/apt\/sources.list.d\/docker.list &gt; \/dev\/null\n$sudo apt-get update<\/pre>\n<h3 id=\"ember1381\" class=\"ember-view\">Installing the Docker packages<\/h3>\n<p id=\"ember1382\" class=\"ember-view reader-content-blocks__paragraph\">We are ready to install the docker packages<\/p>\n<p id=\"ember1383\" class=\"ember-view reader-content-blocks__paragraph\">1.- To install the latest version, run:<\/p>\n<pre>$sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin<\/pre>\n<p id=\"ember1384\" class=\"ember-view reader-content-blocks__paragraph\">2.- Verify that the installation is successful by running the hello-world image:<\/p>\n<pre>$sudo docker run hello-world<\/pre>\n<p id=\"ember1385\" class=\"ember-view reader-content-blocks__paragraph\">This command downloads a test image and runs it in a container. When the container runs, it prints a confirmation message and exits.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/33.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-713\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/33.png\" alt=\"\" width=\"658\" height=\"370\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/33.png 658w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/33-300x169.png 300w\" sizes=\"auto, (max-width: 658px) 100vw, 658px\" \/><\/a><\/p>\n<p id=\"ember1387\" class=\"ember-view reader-content-blocks__paragraph\">You have now successfully installed and started Docker Engine.<\/p>\n<h3 id=\"ember1388\" class=\"ember-view\">Installing the portainer images<\/h3>\n<p id=\"ember1389\" class=\"ember-view reader-content-blocks__paragraph\">To install portainer, we have to run this command:<\/p>\n<pre>$sudo docker run -d -p 9000:9000 --name=portainer --restart=always -v 
\/var\/run\/docker.sock:\/var\/run\/docker.sock -v portainer_data:\/data portainer\/portainer-ce:latest<\/pre>\n<p id=\"ember1390\" class=\"ember-view reader-content-blocks__paragraph\">When we point the browser to our IP address at port 9000 (<a class=\"app-aware-link \" href=\"http:\/\/192.168.1.10:9000\/#!\/home\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">http:\/\/192.168.1.10:9000\/#!\/home<\/a> in my case), Portainer will ask us to set an admin password.<\/p>\n<h3 id=\"ember1391\" class=\"ember-view\">Installing the Pi-hole container<\/h3>\n<p id=\"ember1392\" class=\"ember-view reader-content-blocks__paragraph\">To install Pi-hole using Portainer, just follow these steps:<\/p>\n<p id=\"ember1393\" class=\"ember-view reader-content-blocks__paragraph\">1. Add a new container from the Containers menu.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/35.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-715\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/35.png\" alt=\"\" width=\"350\" height=\"215\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/35.png 350w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/35-300x184.png 300w\" sizes=\"auto, (max-width: 350px) 100vw, 350px\" \/><\/a><\/p>\n<p id=\"ember1395\" class=\"ember-view reader-content-blocks__paragraph\">2. 
Name your container and use the image \u201cpihole\/pihole:latest\u201d.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/36.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-716\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/36.png\" alt=\"\" width=\"555\" height=\"197\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/36.png 555w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/36-300x106.png 300w\" sizes=\"auto, (max-width: 555px) 100vw, 555px\" \/><\/a><\/p>\n<p>3. Publishing ports is only needed if we set the network to bridge. If we set the network to host, there is no need to publish ports, as the container has full access to all network interfaces of the host. If we set the network to bridge, we configure it to publish 5 network ports (53 TCP and UDP, 80 and 443 TCP). If we want to use Pi-hole as a DHCP Server, we should also publish port 67 UDP.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/37.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-717\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/37.png\" alt=\"\" width=\"1236\" height=\"185\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/37.png 1236w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/37-300x45.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/37-1024x153.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/37-768x115.png 768w\" sizes=\"auto, (max-width: 1236px) 100vw, 1236px\" \/><\/a><\/p>\n<p id=\"ember1399\" class=\"ember-view reader-content-blocks__paragraph\">4. We need to create two volumes to map on our host. Ensure you have created this path on your host (raspberry pi). 
I have created the folder DockerVol<\/p>\n<ul>\n<li>\/etc\/dnsmasq.d to \/home\/daniel\/DockerVol\/pihole\/etc-dnsmasq.d<\/li>\n<li>\/etc\/pihole to \/home\/daniel\/DockerVol\/pihole\/etc-pihole<\/li>\n<\/ul>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/38.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-718\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/38.png\" alt=\"\" width=\"860\" height=\"313\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/38.png 860w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/38-300x109.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/38-768x280.png 768w\" sizes=\"auto, (max-width: 860px) 100vw, 860px\" \/><\/a><\/p>\n<p>5. To facilitate the use of unbound, network should be host and we can set the hostname<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/39.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-719\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/39.png\" alt=\"\" width=\"846\" height=\"140\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/39.png 846w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/39-300x50.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/39-768x127.png 768w\" sizes=\"auto, (max-width: 846px) 100vw, 846px\" \/><\/a><\/p>\n<p id=\"ember1404\" class=\"ember-view reader-content-blocks__paragraph\">6. 
Inside environment variables we set the timezone and webpassword<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/40.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-720\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/40.png\" alt=\"\" width=\"1280\" height=\"318\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/40.png 1280w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/40-300x75.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/40-1024x254.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/40-768x191.png 768w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/a><\/p>\n<p id=\"ember1406\" class=\"ember-view reader-content-blocks__paragraph\">7. Set the restart policy to \u2018unless stopped\u2019.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/41.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-721\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/41.png\" alt=\"\" width=\"1527\" height=\"153\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/41.png 1527w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/41-300x30.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/41-1024x103.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/41-768x77.png 768w\" sizes=\"auto, (max-width: 1527px) 100vw, 1527px\" \/><\/a><\/p>\n<p id=\"ember1408\" class=\"ember-view reader-content-blocks__paragraph\">8. 
Deploy the container<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/42.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-722\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/42.png\" alt=\"\" width=\"444\" height=\"119\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/42.png 444w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/42-300x80.png 300w\" sizes=\"auto, (max-width: 444px) 100vw, 444px\" \/><\/a><\/p>\n<p id=\"ember1410\" class=\"ember-view reader-content-blocks__paragraph\">Portainer starts to download the container and deploys it.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/43.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-723\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/43.png\" alt=\"\" width=\"436\" height=\"214\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/43.png 436w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/43-300x147.png 300w\" sizes=\"auto, (max-width: 436px) 100vw, 436px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/44.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-724\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/44.png\" alt=\"\" width=\"361\" height=\"219\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/44.png 361w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/44-300x182.png 300w\" sizes=\"auto, (max-width: 361px) 100vw, 361px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/45.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-725\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/45.png\" 
alt=\"\" width=\"541\" height=\"664\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/45.png 541w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/45-244x300.png 244w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/a><\/p>\n<h3 id=\"ember1414\" class=\"ember-view\">Note about network configuration<\/h3>\n<p id=\"ember1415\" class=\"ember-view reader-content-blocks__paragraph\">When you set the network configuration of a Docker container to host, the container uses the Docker host\u2019s network stack directly. In this mode, the container has full access to all network interfaces of the host, and the ports opened by the container are directly accessible on the host\u2019s IP address.<\/p>\n<p id=\"ember1416\" class=\"ember-view reader-content-blocks__paragraph\">Therefore, when using host network mode, there\u2019s no need to publish ports using the -p or --publish flag. This is because the container\u2019s ports are already directly exposed to the host, and hence, to the outside world.<\/p>\n<p id=\"ember1417\" class=\"ember-view reader-content-blocks__paragraph\">However, please note that the host mode gives the container full access to local system services and is therefore considered insecure. 
It\u2019s recommended to use it judiciously and understand the security implications.<\/p>\n<p id=\"ember1418\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Adjusting Pi-hole settings<\/strong><\/p>\n<p id=\"ember1419\" class=\"ember-view reader-content-blocks__paragraph\">To modify the privacy settings of the Pi-hole application, the following file needs to be edited:<\/p>\n<pre>$sudo nano \/etc\/pihole\/pihole-FTL.conf<\/pre>\n<p id=\"ember1420\" class=\"ember-view reader-content-blocks__paragraph\">If you&#8217;re using containers, the file is located at:<\/p>\n<pre>$sudo nano ~\/DockerVol\/pihole\/etc-pihole\/pihole-FTL.conf<\/pre>\n<p id=\"ember1421\" class=\"ember-view reader-content-blocks__paragraph\">Configure the privacy level and the duration for storing queries in the database according to your preferences. In my setup, I&#8217;ve selected a privacy level of 0 and set the database to store queries for 30 days.<\/p>\n<p id=\"ember1422\" class=\"ember-view reader-content-blocks__paragraph\">Here&#8217;s how you can set these parameters:<\/p>\n<pre># Which privacy level is used? More info: https:\/\/docs.pi-hole.net\/ftldns\/privacylevels\/\nPRIVACYLEVEL=0\n# How long should queries be stored in the database? Setting this to 0 disables the database. Default 365\nMAXDBDAYS=30<\/pre>\n<h3 id=\"ember1423\" class=\"ember-view\">Updating Pi-hole Regularly<\/h3>\n<p id=\"ember1424\" class=\"ember-view reader-content-blocks__paragraph\">Pi-hole frequently receives updates for its components, including Pi-hole core, FTL, and the Web Interface. 
The update process varies depending on whether Pi-hole is running as a standalone application or inside a container.<\/p>\n<h3 id=\"ember1425\" class=\"ember-view\">Updating the standalone application manually<\/h3>\n<p id=\"ember1426\" class=\"ember-view reader-content-blocks__paragraph\">To update Pi-hole as a standalone application, execute the following command:<\/p>\n<pre>$pihole -up<\/pre>\n<h3 id=\"ember1427\" class=\"ember-view\">Updating via Portainer<\/h3>\n<ol>\n<li>Navigate to &#8216;Containers&#8217;, then stop the container you wish to update.<\/li>\n<li>Select the container, and look for the &#8216;Recreate&#8217; button. This will preserve the data mapped to a volume while recreating the container.<\/li>\n<li>Choose &#8216;Pull latest image&#8217;, then &#8216;Recreate&#8217;.<\/li>\n<li>After recreation, start the container. It should now be running with the latest version.<\/li>\n<li>The container is now updated to the newest release!<\/li>\n<\/ol>\n<p id=\"ember1429\" class=\"ember-view reader-content-blocks__paragraph\">Please be patient as the update process may take some time. Consider removing old container images to save space.<\/p>\n<h3 id=\"ember1430\" class=\"ember-view\">Automating the Update Process<\/h3>\n<p id=\"ember1431\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Important: <\/strong>The Pi-hole team advises against automating Pi-hole updates. It&#8217;s crucial to read release notes as some updates may require additional changes beyond simply updating the image.<\/p>\n<p id=\"ember1432\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Updating standalone Pi-hole via Cron<\/strong><\/p>\n<p id=\"ember1433\" class=\"ember-view reader-content-blocks__paragraph\">To automatically update Pi-hole every Sunday, use a cron job. 
However, be cautious with automated updates; if a major change occurs that you&#8217;re not ready for, disable the cron job by running sudo crontab -e and commenting out the update line (add a &#8216;#&#8217; at the beginning of the line).<\/p>\n<p id=\"ember1434\" class=\"ember-view reader-content-blocks__paragraph\">To set up the cron job:<\/p>\n<pre>$crontab -e<\/pre>\n<p id=\"ember1435\" class=\"ember-view reader-content-blocks__paragraph\">Add the following line to update every Sunday at 2:30 AM:<\/p>\n<pre>30 2 * * SUN pihole -up<\/pre>\n<p id=\"ember1436\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Updating Container Using Watchtower<\/strong><\/p>\n<p id=\"ember1437\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Warning (From Pi-hole GitHub Site): <\/strong>Many users employ Watchtower for updating Pi-hole containers. However, it&#8217;s advised not to automatically update your Pi-hole container, especially unattended. While updates are generally safe, unexpected issues can occur.<\/p>\n<p id=\"ember1438\" class=\"ember-view reader-content-blocks__paragraph\">To manually update:<\/p>\n<ol>\n<li>Read the release notes thoroughly.<\/li>\n<li>Pull the new image.<\/li>\n<li>Stop and remove the current Pi-hole container. Ensure any important data (logs, customizations) is volume-mapped, or it will be lost.<\/li>\n<li>Recreate the container with the new image.<\/li>\n<\/ol>\n<p id=\"ember1440\" class=\"ember-view reader-content-blocks__paragraph\">Remember, Pi-hole is a critical part of your network. Avoid unattended updates that could cause issues during off-hours.<\/p>\n<h2 id=\"ember1441\" class=\"ember-view\">Setup Unbound<\/h2>\n<h3 id=\"ember1442\" class=\"ember-view\">Boosting Pi-hole security<\/h3>\n<p id=\"ember1443\" class=\"ember-view reader-content-blocks__paragraph\">With Pi-hole operational, it&#8217;s currently set for minimal blocking and defaults to forwarding lookups to Google DNS. 
While you can switch to another upstream DNS provider, it essentially boils down to whom you trust with your DNS queries. But what if you prefer not to rely on external providers like Cloudflare DNS? That&#8217;s where Unbound comes into play. By installing Unbound, you enable your system to independently resolve DNS queries using root servers, utilizing a recursive approach.<\/p>\n<p id=\"ember1444\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Why Unbound?<\/strong> Unbound allows you to resolve DNS names directly through root servers in a recursive manner. For a detailed explanation, visit <a class=\"app-aware-link \" href=\"https:\/\/docs.pi-hole.net\/guides\/dns\/unbound\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">Pi-hole&#8217;s Unbound Guide<\/a>. The primary advantage here is enhanced security; you don&#8217;t have to depend on an upstream provider for DNS traffic. The trade-off is the initial lookup performance, which can be slower as it involves traversing multiple servers. However, both Pi-hole and Unbound support caching configurations, which significantly improve performance for subsequent lookups.<\/p>\n<h3 id=\"ember1445\" class=\"ember-view\">Installing Unbound<\/h3>\n<p id=\"ember1446\" class=\"ember-view reader-content-blocks__paragraph\">To install Unbound, run:<\/p>\n<pre>$sudo apt install unbound -y<\/pre>\n<h3 id=\"ember1447\" class=\"ember-view\">Setting Up Root Hints Manually<\/h3>\n<p id=\"ember1448\" class=\"ember-view reader-content-blocks__paragraph\">If you&#8217;re not installing Unbound from a repository and have downloaded the list of primary root servers manually, use this command. 
Note: This step is only necessary if you&#8217;re not using the default dns-root-data package, which Unbound can locate automatically.<\/p>\n<pre>$wget https:\/\/www.internic.net\/domain\/named.root -qO- | sudo tee \/var\/lib\/unbound\/root.hints<\/pre>\n<h3 id=\"ember1449\" class=\"ember-view\">Configuring Unbound for Pi-hole<\/h3>\n<p id=\"ember1450\" class=\"ember-view reader-content-blocks__paragraph\">Create a new configuration file for Unbound:<\/p>\n<pre>$sudo nano \/etc\/unbound\/unbound.conf.d\/pi-hole.conf<\/pre>\n<p id=\"ember1451\" class=\"ember-view reader-content-blocks__paragraph\">In this file, paste the following configuration. This differs from the one in Pi-hole\u2019s documentation, as it includes caching settings to enhance performance.<\/p>\n<pre>server:\n    # If no logfile is specified, syslog is used\n    # logfile: \"\/var\/log\/unbound\/unbound.log\"\n    verbosity: 0\n\n    interface: 127.0.0.1\n    port: 5335\n    do-ip4: yes\n    do-udp: yes\n    do-tcp: yes\n\n    # May be set to yes if you have IPv6 connectivity\n    do-ip6: no\n\n    # You want to leave this to no unless you have *native* IPv6. 
With 6to4 and\n    # Teredo tunnels your web browser should favor IPv4 for the same reasons\n    prefer-ip6: no\n\n    # Use this only when you downloaded the list of primary root servers!\n    # If you use the default dns-root-data package, unbound will find it automatically\n    #root-hints: \"\/var\/lib\/unbound\/root.hints\"\n\n    # Trust glue only if it is within the server's authority\n    harden-glue: yes\n\n    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS\n    harden-dnssec-stripped: yes\n\n    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes\n    # see https:\/\/discourse.pi-hole.net\/t\/unbound-stubby-or-dnscrypt-proxy\/9378 for further details\n    use-caps-for-id: no\n\n    # Reduce EDNS reassembly buffer size.\n    # Suggested by the unbound man page to reduce fragmentation reassembly problems\n    edns-buffer-size: 1472\n\n    # Perform prefetching of close to expired message cache entries\n    # This only applies to domains that have been frequently queried\n    # This refreshes expiring cache entries if they have been accessed with\n    # less than 10% of their TTL remaining\n    prefetch: yes\n\n    # This attempts to reduce latency by serving the outdated record before\n    # updating it instead of the other way around. Alternative is to increase\n    # cache-min-ttl to e.g. 3600.\n    cache-min-ttl: 0\n    serve-expired: yes\n    # I had best success leaving this next entry unset.\n    # serve-expired-ttl: 3600 # 0 or not set means unlimited (I think)\n\n    # Use about 2x more for rrset cache, total memory use is about 2-2.5x\n    # total cache size. 
Current setting is way overkill for a small network.\n    # Judging from my used cache size you can get away with 8\/16 and still\n    # have lots of room, but I've got the ram and I'm not using it on anything else.\n    # Default is 4m\/4m\n    msg-cache-size: 128m\n    rrset-cache-size: 256m\n\n    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.\n    num-threads: 1\n\n    # Ensure kernel buffer is large enough to not lose messages in traffic spikes\n    so-rcvbuf: 1m\n\n    # Ensure privacy of local IP ranges\n    private-address: 192.168.0.0\/16\n    private-address: 169.254.0.0\/16\n    private-address: 172.16.0.0\/12\n    private-address: 10.0.0.0\/8\n    private-address: fd00::\/8\n    private-address: fe80::\/10\n\n# To get unbound stats (sudo unbound-control stats_noreset)\nremote-control:\n    control-enable: yes<\/pre>\n<h3 id=\"ember1452\" class=\"ember-view\">Verifying the Unbound Configuration<\/h3>\n<p id=\"ember1453\" class=\"ember-view reader-content-blocks__paragraph\">To ensure that your Unbound configuration is correctly set up and free of errors, you can use the unbound-checkconf tool. This tool scans the Unbound configuration file for any syntax errors or misconfigurations. Run the following command in your terminal:<\/p>\n<pre>$sudo unbound-checkconf<\/pre>\n<p id=\"ember1454\" class=\"ember-view reader-content-blocks__paragraph\">This command will provide feedback on your Unbound configuration. If there are no issues, it typically returns a message indicating that the configuration is okay. 
If it finds any problems, it will display the relevant error messages, which you can use to troubleshoot and correct your configuration.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/46.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-726\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/46.png\" alt=\"\" width=\"475\" height=\"39\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/46.png 475w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/46-300x25.png 300w\" sizes=\"auto, (max-width: 475px) 100vw, 475px\" \/><\/a><\/p>\n<h3 id=\"ember1456\" class=\"ember-view\">Final step: restarting unbound<\/h3>\n<p id=\"ember1457\" class=\"ember-view reader-content-blocks__paragraph\">After configuring Unbound, it&#8217;s essential to restart the service for the changes to take effect. Execute the following command:<\/p>\n<pre>$sudo service unbound restart<\/pre>\n<h3 id=\"ember1458\" class=\"ember-view\">Testing unbound<\/h3>\n<p id=\"ember1459\" class=\"ember-view reader-content-blocks__paragraph\">To verify that Unbound is functioning correctly and to measure its response time, use the dig command. For example, to query the domain coneixement.info, use:<\/p>\n<pre>$dig www.coneixement.info @127.0.0.1 -p 5335<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/47.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-727\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/47.png\" alt=\"\" width=\"654\" height=\"359\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/47.png 654w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/47-300x165.png 300w\" sizes=\"auto, (max-width: 654px) 100vw, 654px\" \/><\/a><\/p>\n<p>This command tests the response time of Unbound. 
You&#8217;ll likely notice a significant reduction in response time on subsequent tests, thanks to caching.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/48.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-728\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/48.png\" alt=\"\" width=\"651\" height=\"363\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/48.png 651w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/48-300x167.png 300w\" sizes=\"auto, (max-width: 651px) 100vw, 651px\" \/><\/a><\/p>\n<h3 id=\"ember1463\" class=\"ember-view\">Keeping Unbound Updated<\/h3>\n<p id=\"ember1464\" class=\"ember-view reader-content-blocks__paragraph\">Setting up a cron job to keep Unbound&#8217;s root hints file updated is a good practice. To do this, open the crontab editor:<\/p>\n<pre>$sudo crontab -e<\/pre>\n<p id=\"ember1465\" class=\"ember-view reader-content-blocks__paragraph\">At the end of the file, add the following line:<\/p>\n<pre>01 02 03 *\/4 * wget -N -q -O \/var\/lib\/unbound\/root.hints https:\/\/www.internic.net\/domain\/named.root<\/pre>\n<p id=\"ember1466\" class=\"ember-view reader-content-blocks__paragraph\">Save and exit the editor.<\/p>\n<p id=\"ember1467\" class=\"ember-view reader-content-blocks__paragraph\">The cron job is scheduled to run at 02:01 AM on the 3rd day of every 4th month. This frequency is usually sufficient for updating the root hints file. 
The -N option ensures the file is only downloaded if it&#8217;s newer than the existing one, -q keeps the operation quiet, and -O specifies the path where the file should be stored.<\/p>\n<p id=\"ember1468\" class=\"ember-view reader-content-blocks__paragraph\">This setup ensures your Unbound service remains up-to-date without cluttering your logs with unnecessary output.<\/p>\n<p id=\"ember1469\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Configuring Pi-hole to Use Unbound<\/strong><\/p>\n<p id=\"ember1470\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Access Pi-hole Admin Interface.<\/strong> Open your web browser and visit the Pi-hole admin page at <a class=\"app-aware-link \" href=\"http:\/\/pi.hole\/admin\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">http:\/\/pi.hole\/admin<\/a>. Log in using the password you set during the Pi-hole installation. <strong>Adjust DNS Settings.<\/strong> Once logged in, navigate to the &#8216;Settings&#8217; section and click on the &#8216;DNS&#8217; tab. In the DNS settings, uncheck any pre-selected DNS servers.<\/p>\n<ol>\n<li>Check the box next to &#8216;Custom 1 (IPv4)&#8217;.<\/li>\n<li>Enter 127.0.0.1#5335 in the corresponding field. This directs Pi-hole to use Unbound, running on the same device, on port 5335.<\/li>\n<\/ol>\n<p id=\"ember1472\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Save Your Changes. 
<\/strong>Click the &#8216;Save&#8217; button at the bottom of the page to apply your new DNS settings.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/49.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-729\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/49.png\" alt=\"\" width=\"904\" height=\"323\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/49.png 904w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/49-300x107.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/49-768x274.png 768w\" sizes=\"auto, (max-width: 904px) 100vw, 904px\" \/><\/a><\/p>\n<p><strong>Note on performance:<\/strong> Initially, you might notice slower performance during the first few queries. This is normal as both Pi-hole and Unbound are building their cache.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/50.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-730\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/50.png\" alt=\"\" width=\"557\" height=\"708\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/50.png 557w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/50-236x300.png 236w\" sizes=\"auto, (max-width: 557px) 100vw, 557px\" \/><\/a><\/p>\n<p id=\"ember1476\" class=\"ember-view reader-content-blocks__paragraph\">With time, the response time will significantly improve due to the caching mechanisms in place in both Pi-hole and Unbound.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/51.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-731\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/51.png\" alt=\"\" width=\"567\" height=\"357\" 
srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/51.png 567w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/51-300x189.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><\/p>\n<p id=\"ember1478\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Viewing Statistics in the Pi-hole Web Interface<\/strong><\/p>\n<p id=\"ember1479\" class=\"ember-view reader-content-blocks__paragraph\">Once you log in to the Pi-hole web interface, you&#8217;ll begin to see various statistics displayed. These statistics provide valuable insights into your network&#8217;s DNS traffic.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/52.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-732\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/52.png\" alt=\"\" width=\"1243\" height=\"196\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/52.png 1243w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/52-300x47.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/52-1024x161.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/52-768x121.png 768w\" sizes=\"auto, (max-width: 1243px) 100vw, 1243px\" \/><\/a><\/p>\n<p id=\"ember1481\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Observing the Increase in Blocked Queries:<\/strong><\/p>\n<ul>\n<li>As time progresses, you can monitor the increase in the number of queries that Pi-hole blocks. 
This is a key metric in understanding the effectiveness of Pi-hole in filtering unwanted content and ads.<\/li>\n<li>The web interface will display real-time updates, showing how many queries were made, how many were blocked, and what percentage of total traffic this represents.<\/li>\n<li>The visual graphs and charts in the dashboard offer an easy-to-understand overview of these statistics, highlighting trends and patterns in your network&#8217;s DNS queries.<\/li>\n<\/ul>\n<p id=\"ember1483\" class=\"ember-view reader-content-blocks__paragraph\">By regularly checking these statistics, you gain a better understanding of your network&#8217;s behavior and the impact of Pi-hole in enhancing your online privacy and security.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/53.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-733\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/53.png\" alt=\"\" width=\"1259\" height=\"414\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/53.png 1259w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/53-300x99.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/53-1024x337.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/53-768x253.png 768w\" sizes=\"auto, (max-width: 1259px) 100vw, 1259px\" \/><\/a><\/p>\n<h3 id=\"ember1485\" class=\"ember-view\">Enhancing filtering with Pi-hole: blocklists, blacklists, adlists, and whitelists<\/h3>\n<p id=\"ember1486\" class=\"ember-view reader-content-blocks__paragraph\">To optimize your Pi-hole setup, it&#8217;s crucial to first identify the types of content you wish to block. This can range from advertising and telemetry to parental controls, NSFW content, malware domains, and more. 
Here&#8217;s a guide to effectively expanding your filtering capabilities:<\/p>\n<p id=\"ember1487\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Understanding default blocklists: <\/strong>Pi-hole includes a default blocklist, which is optional and can be chosen during installation. This list is regularly maintained and updated, providing a solid foundation for basic filtering.<\/p>\n<p id=\"ember1488\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Adding additional blocklists: <\/strong>For more specific needs, explore external blocklist collections. A prominent resource is Firebog (The Big Blocklist Collection), which categorizes lists into:<\/p>\n<ul>\n<li>Suspicious<\/li>\n<li>Advertising<\/li>\n<li>Tracking &amp; Telemetry<\/li>\n<li>Malicious<\/li>\n<li>Other<\/li>\n<\/ul>\n<p id=\"ember1490\" class=\"ember-view reader-content-blocks__paragraph\">You can choose one to three lists from each category relevant to your filtering objectives.<\/p>\n<p id=\"ember1491\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Before adding new lists: <\/strong>Visit the Firebog page and carefully read the descriptions and notes for each list. This will help you understand the focus and potential impact of each list on your network traffic.<\/p>\n<p id=\"ember1492\" class=\"ember-view reader-content-blocks__paragraph\"><strong>How to add new lists: <\/strong>Once logged into the Pi-hole web interface, navigate to the &#8216;Adlists&#8217; section. Here, you can add new blocklists by pasting their URLs.<\/p>\n<p id=\"ember1493\" class=\"ember-view reader-content-blocks__paragraph\">By tailoring your blocklists, you can significantly enhance the effectiveness of Pi-hole in managing your network&#8217;s content. Remember, the key is to strike a balance between robust filtering and maintaining access to legitimate content. 
Over-blocking can be just as problematic as under-blocking, so choose your lists judiciously.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/54.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-734\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/54.png\" alt=\"\" width=\"1240\" height=\"738\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/54.png 1240w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/54-300x179.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/54-1024x609.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/54-768x457.png 768w\" sizes=\"auto, (max-width: 1240px) 100vw, 1240px\" \/><\/a><\/p>\n<p><strong>Successful addition:<\/strong> When a new list is successfully added to Pi-hole, you&#8217;ll see a confirmation message indicating successful inclusion.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/55.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-735\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/55.png\" alt=\"\" width=\"235\" height=\"109\" \/><\/a><\/p>\n<p id=\"ember1497\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Duplicate lists:<\/strong> If you attempt to add a list that&#8217;s already present, Pi-hole will ignore it and display a warning message to avoid duplication.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/56.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-736\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/56.png\" alt=\"\" width=\"242\" height=\"125\" \/><\/a><\/p>\n<h3 id=\"ember1499\" class=\"ember-view\">Updating the internal database<\/h3>\n<p id=\"ember1500\" class=\"ember-view reader-content-blocks__paragraph\">After adding 
all desired lists, it&#8217;s crucial to update Pi-hole&#8217;s internal database to apply the new blocklists. This can be done in two ways:<\/p>\n<ol>\n<li>Command Line: Run pihole -g in the terminal.<\/li>\n<li>Web Interface: Click the &#8216;Update Gravity&#8217; button located in the web interface.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/57.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-737\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/57.png\" alt=\"\" width=\"864\" height=\"667\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/57.png 864w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/57-300x232.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/57-768x593.png 768w\" sizes=\"auto, (max-width: 864px) 100vw, 864px\" \/><\/a><\/p>\n<p id=\"ember1503\" class=\"ember-view reader-content-blocks__paragraph\">The update process might take some time. 
During this period, do not navigate away from or close the page.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/58.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-738\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/58.png\" alt=\"\" width=\"997\" height=\"308\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/58.png 997w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/58-300x93.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/58-768x237.png 768w\" sizes=\"auto, (max-width: 997px) 100vw, 997px\" \/><\/a><\/p>\n<p id=\"ember1505\" class=\"ember-view reader-content-blocks__paragraph\">Wait for a success message to confirm the completion of the update.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/59.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-739\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/59.png\" alt=\"\" width=\"1005\" height=\"139\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/59.png 1005w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/59-300x41.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/59-768x106.png 768w\" sizes=\"auto, (max-width: 1005px) 100vw, 1005px\" \/><\/a><\/p>\n<p id=\"ember1507\" class=\"ember-view reader-content-blocks__paragraph\">It&#8217;s important to remember that adding too many lists can lead to false positives. This excessive filtering might make some internet services inaccessible, unreachable, or not fully functional. 
To avoid such issues, some domains may need to be whitelisted.<\/p>\n<h3 id=\"ember1508\" class=\"ember-view\">Whitelisting and blacklisting domains<\/h3>\n<p id=\"ember1509\" class=\"ember-view reader-content-blocks__paragraph\">Manage domains effectively by adding them to the Blacklist or Whitelist under the &#8216;Domains&#8217; menu in the web interface.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/60.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-740\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/60.png\" alt=\"\" width=\"1245\" height=\"854\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/60.png 1245w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/60-300x206.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/60-1024x702.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/60-768x527.png 768w\" sizes=\"auto, (max-width: 1245px) 100vw, 1245px\" \/><\/a><\/p>\n<p id=\"ember1511\" class=\"ember-view reader-content-blocks__paragraph\">For example, if you encounter issues with Gmail icons not appearing, you might need to whitelist the domain gstaticadssl.l.google.com.<\/p>\n<h3 id=\"ember1512\" class=\"ember-view\">Removing existing blocklists<\/h3>\n<p id=\"ember1513\" class=\"ember-view reader-content-blocks__paragraph\">To remove all existing blocklists at once, execute the following command, which deletes every entry from the adlist table:<\/p>\n<pre>$sudo sqlite3 \/etc\/pihole\/gravity.db \"DELETE FROM adlist\"<\/pre>\n<h3 id=\"ember1514\" class=\"ember-view\">Backing up Pi-hole configuration<\/h3>\n<p id=\"ember1515\" class=\"ember-view reader-content-blocks__paragraph\">After configuring Pi-hole, it&#8217;s wise to create a backup. 
This can be done through the web interface, which generates a file that can be imported to the same or a different Pi-hole setup, saving time on configuration.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/61.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-741\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/61.png\" alt=\"\" width=\"1232\" height=\"637\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/61.png 1232w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/61-300x155.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/61-1024x529.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/61-768x397.png 768w\" sizes=\"auto, (max-width: 1232px) 100vw, 1232px\" \/><\/a><\/p>\n<h3 id=\"ember1517\" class=\"ember-view\">Additional functionalities of Pi-hole<\/h3>\n<p id=\"ember1518\" class=\"ember-view reader-content-blocks__paragraph\">Pi-hole offers several other functionalities, including but not limited to:<\/p>\n<ul>\n<li>Transforming Pi-hole into your DHCP service provider.<\/li>\n<li>Managing clients and groups.<\/li>\n<li>Disabling blocking temporarily.<\/li>\n<li>Using the Query Log to review and manage the blacklist and whitelist, allowing easy addition or removal of domains.<\/li>\n<\/ul>\n<h2 id=\"ember1520\" class=\"ember-view\">Installing WireGuard<\/h2>\n<h3 id=\"ember1521\" class=\"ember-view\">Overview<\/h3>\n<p id=\"ember1522\" class=\"ember-view reader-content-blocks__paragraph\">WireGuard is a lightweight, secure, and fast VPN server designed to facilitate remote and secure access. As a communication protocol and free, open-source software, WireGuard focuses on ease of use, high-speed performance, and a minimal attack surface. 
Compared to other VPN servers like IPsec and OpenVPN, it aims to deliver superior performance and efficiency (Source: Wikipedia).<\/p>\n<h3 id=\"ember1523\" class=\"ember-view\">Configuration and Installation<\/h3>\n<p id=\"ember1524\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Debian 12:<\/strong><\/p>\n<p id=\"ember1525\" class=\"ember-view reader-content-blocks__paragraph\">WireGuard is available in the Debian 12 repositories. Install necessary packages:<\/p>\n<pre>$sudo apt install software-properties-common python3-launchpadlib\n$sudo apt-get install wireguard wireguard-tools linux-headers-$(uname -r) qrencode<\/pre>\n<p id=\"ember1526\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Debian 11:<\/strong><\/p>\n<p id=\"ember1527\" class=\"ember-view reader-content-blocks__paragraph\">Raspbian, by default, does not trust the Debian package repository. To resolve this, add Debian&#8217;s public keys to the trusted set:<\/p>\n<pre>$sudo apt-key adv --keyserver http:\/\/p80.pool.sks-keyservers.net:80 --recv-keys 04EE7237B7D453EC 648ACFD622F3D138<\/pre>\n<p id=\"ember1528\" class=\"ember-view reader-content-blocks__paragraph\">Add the Debian unstable repository:<\/p>\n<pre>$sudo sh -c \"echo 'deb http:\/\/deb.debian.org\/debian\/ unstable main' &gt;&gt; \/etc\/apt\/sources.list.d\/unstable.list\"<\/pre>\n<p id=\"ember1529\" class=\"ember-view reader-content-blocks__paragraph\">To prevent conflicts with normal Raspbian packages, limit the use of the Debian distribution:<\/p>\n<pre>$sudo sh -c \"printf 'Package: *\\nPin: release a=unstable\\nPin-Priority: 90\\n' &gt;&gt; \/etc\/apt\/preferences.d\/limit-unstable\"<\/pre>\n<p id=\"ember1530\" class=\"ember-view reader-content-blocks__paragraph\">Import additional Debian keys:<\/p>\n<pre>$wget -O - https:\/\/ftp-master.debian.org\/keys\/archive-key-$(lsb_release -sr).asc | sudo apt-key add -<\/pre>\n<p id=\"ember1531\" class=\"ember-view reader-content-blocks__paragraph\">Update the 
system database and install WireGuard along with necessary packages:<\/p>\n<pre>$sudo apt-get update\n$sudo apt-get install wireguard wireguard-dkms wireguard-tools linux-headers-$(uname -r) qrencode<\/pre>\n<p id=\"ember1532\" class=\"ember-view reader-content-blocks__paragraph\">Note for Raspbian OS users: Kernel headers are required.<\/p>\n<pre>$sudo apt-get install raspberrypi-kernel-headers<\/pre>\n<h3 id=\"ember1533\" class=\"ember-view\">Installing a DDNS Service<\/h3>\n<h3 id=\"ember1534\" class=\"ember-view\">Purpose<\/h3>\n<p id=\"ember1535\" class=\"ember-view reader-content-blocks__paragraph\">When accessing your network remotely via a VPN (like WireGuard), it&#8217;s essential to know your public IP address or have a domain name linked to it. Since most IP addresses are dynamic and can change, and static IP addresses are limited and often costly, a practical solution is to use a DDNS (Dynamic Domain Name System) service. This service provides a free domain that points to your public IP address. A script updates your public IP with the service periodically, ensuring that the domain redirects to the new IP if it changes.<\/p>\n<h3 id=\"ember1536\" class=\"ember-view\">Instructions<\/h3>\n<ol>\n<li><strong>Requirement Check: <\/strong>If you have a static public IP address, this step is not necessary.<\/li>\n<li><strong>Choosing a DDNS Service: <\/strong>For this guide, we&#8217;ll use the DuckDNS DDNS service. DuckDNS offers detailed instructions and scripts for various devices, including the Raspberry Pi.<\/li>\n<li><strong>Setting Up the Script: <\/strong>We&#8217;ll create a cron job to run a script that updates the DDNS. The script, named duck.sh, will be set to execute at 5 minutes past every hour. 
This frequency is sufficient, as updating every 5 minutes is generally unnecessary.<\/li>\n<li><strong>Creating the Cron Job: <\/strong>Open the crontab with the command:<\/li>\n<\/ol>\n<pre>$sudo crontab -e<\/pre>\n<p id=\"ember1538\" class=\"ember-view reader-content-blocks__paragraph\">Configure the cron job. Here&#8217;s an example of what the crontab entry might look like:<\/p>\n<div class=\"reader-image-block reader-image-block--resize\">\n<figure class=\"reader-image-block__figure\">\n<div class=\"ivm-image-view-model   \">\n<div class=\"ivm-view-attr__img-wrapper\n        display-flex\"><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/62.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-742\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/62.png\" alt=\"\" width=\"570\" height=\"81\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/62.png 570w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/62-300x43.png 300w\" sizes=\"auto, (max-width: 570px) 100vw, 570px\" \/><\/a><\/div>\n<\/div>\n<\/figure>\n<\/div>\n<p id=\"ember1540\" class=\"ember-view reader-content-blocks__paragraph\">This runs the script at 5 minutes past every hour.<\/p>\n<p id=\"ember1541\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Crontab Scheduling: <\/strong>To explore different scheduling combinations for the cron job, you can use Crontab Guru: <a class=\"app-aware-link \" href=\"https:\/\/crontab.guru\/\" target=\"_self\" rel=\"noopener\" 
data-test-app-aware-link=\"\">https:\/\/crontab.guru\/<\/a>.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/63.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-743\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/63.png\" alt=\"\" width=\"1492\" height=\"1033\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/63.png 1492w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/63-300x208.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/63-1024x709.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/63-768x532.png 768w\" sizes=\"auto, (max-width: 1492px) 100vw, 1492px\" \/><\/a><\/p>\n<h3 id=\"ember1543\" class=\"ember-view\">Setting up and configuring a WireGuard VPN Server<\/h3>\n<h3 id=\"ember1544\" class=\"ember-view\">Objective<\/h3>\n<p id=\"ember1545\" class=\"ember-view reader-content-blocks__paragraph\">We will configure WireGuard VPN access for both a phone and a laptop. For enhanced security, we will use a non-default port, opting for port 51900 instead of the standard 51820.<\/p>\n<h3 id=\"ember1546\" class=\"ember-view\">Generating security keys<\/h3>\n<p id=\"ember1547\" class=\"ember-view reader-content-blocks__paragraph\">To secure the connection and restrict access, we need to generate public\/private key pairs and preshared keys. 
Execute the following commands as root:<\/p>\n<p id=\"ember1548\" class=\"ember-view reader-content-blocks__paragraph\">Switch to root user and navigate to the WireGuard directory:<\/p>\n<pre>$sudo su -\n#cd \/etc\/wireguard\n#umask 077<\/pre>\n<p id=\"ember1549\" class=\"ember-view reader-content-blocks__paragraph\">Generate keys for the server, phone, and laptop:<\/p>\n<pre>#wg genkey | tee server_private_key | wg pubkey &gt; server_public_key\n#wg genkey | tee phone_private_key | wg pubkey &gt; phone_public_key\n#wg genkey | tee laptop_private_key | wg pubkey &gt; laptop_public_key<\/pre>\n<p id=\"ember1550\" class=\"ember-view reader-content-blocks__paragraph\">Generate preshared keys for additional security (wg genpsk outputs a new random key and reads no input):<\/p>\n<pre>#wg genpsk &gt; phone_preshared_key\n#wg genpsk &gt; laptop_preshared_key<\/pre>\n<h3 id=\"ember1551\" class=\"ember-view\">Server configuration<\/h3>\n<p id=\"ember1552\" class=\"ember-view reader-content-blocks__paragraph\">Create the server configuration file wg0.conf:<\/p>\n<pre>#nano \/etc\/wireguard\/wg0.conf<\/pre>\n<p id=\"ember1553\" class=\"ember-view reader-content-blocks__paragraph\">Edit the file with the following structure, replacing keys with the ones you generated:<\/p>\n<pre>### Server Configuration ###\n[Interface]\nPrivateKey = &lt;server private key&gt;\nAddress = 10.6.0.1\/24\nPostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\nListenPort = 51900\n\n### Phone Configuration ###\n[Peer]\nPublicKey = &lt;phone public key&gt;\nPresharedKey = &lt;phone preshared key&gt;\nAllowedIPs = 10.6.0.2\/32\n# Optional: PersistentKeepalive = 25\n\n### Laptop Configuration ###\n[Peer]\nPublicKey = &lt;laptop public key&gt;\nPresharedKey = &lt;laptop preshared 
key&gt;\nAllowedIPs = 10.6.0.3\/32\n# Optional: PersistentKeepalive = 25<\/pre>\n<h3 id=\"ember1554\" class=\"ember-view\">Editing the server configuration:<\/h3>\n<p id=\"ember1555\" class=\"ember-view reader-content-blocks__paragraph\">If you need to edit the server configuration later, stop the interface first:<\/p>\n<pre>#systemctl stop wg-quick@wg0.service<\/pre>\n<p id=\"ember1556\" class=\"ember-view reader-content-blocks__paragraph\">After editing, restart the interface:<\/p>\n<pre>#systemctl start wg-quick@wg0.service<\/pre>\n<h3 id=\"ember1557\" class=\"ember-view\">Firewall configuration and IP masquerading on the server<\/h3>\n<h3 id=\"ember1558\" class=\"ember-view\">Configuring the Firewall<\/h3>\n<p id=\"ember1559\" class=\"ember-view reader-content-blocks__paragraph\">Ensure your server&#8217;s firewall allows traffic on the WireGuard port (here, 51900\/UDP):<\/p>\n<pre>$sudo ufw allow 51900\/udp<\/pre>\n<p id=\"ember1560\" class=\"ember-view reader-content-blocks__paragraph\">Edit the UFW default policy:<\/p>\n<pre>$sudo nano \/etc\/default\/ufw<\/pre>\n<p id=\"ember1561\" class=\"ember-view reader-content-blocks__paragraph\">Change the default forward policy from &#8220;DROP&#8221; to &#8220;ACCEPT&#8221;:<\/p>\n<pre>DEFAULT_FORWARD_POLICY=\"ACCEPT\"<\/pre>\n<p id=\"ember1562\" class=\"ember-view reader-content-blocks__paragraph\">Save and close the file.<\/p>\n<h3 id=\"ember1563\" class=\"ember-view\">Identifying network interface:<\/h3>\n<p id=\"ember1564\" class=\"ember-view reader-content-blocks__paragraph\">Determine your server\u2019s main network interface name:<\/p>\n<pre>$ip addr<\/pre>\n<p id=\"ember1565\" class=\"ember-view reader-content-blocks__paragraph\">(For this guide, it&#8217;s assumed to be eth0.)<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/64.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-744\" 
src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/64.png\" alt=\"\" width=\"857\" height=\"293\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/64.png 857w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/64-300x103.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/64-768x263.png 768w\" sizes=\"auto, (max-width: 857px) 100vw, 857px\" \/><\/a><\/p>\n<h3 id=\"ember1567\" class=\"ember-view\">Configuring IP masquerading<\/h3>\n<p id=\"ember1568\" class=\"ember-view reader-content-blocks__paragraph\">Edit the UFW configuration file to add IP masquerading rules:<\/p>\n<pre>$sudo nano \/etc\/ufw\/before.rules<\/pre>\n<p id=\"ember1569\" class=\"ember-view reader-content-blocks__paragraph\">At the end of the file, add the following lines (replace eth0 with your network interface name if different):<\/p>\n<pre># Start IP Masquerading setup\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n# End IP Masquerading setup<\/pre>\n<p id=\"ember1570\" class=\"ember-view reader-content-blocks__paragraph\">Save and close the file.<\/p>\n<p id=\"ember1571\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Important Considerations<\/strong><\/p>\n<ul>\n<li><strong>Replace Key Values:<\/strong> Make sure to replace PrivateKey, PublicKey, and PresharedKey in the WireGuard configuration with your generated values.<\/li>\n<li><strong>Network Interface Type:<\/strong> The configuration assumes a wired ethernet connection (eth0). 
For WiFi (wlan0), modify PostUp and PostDown commands in the WireGuard configuration to use -o wlan0.<\/li>\n<\/ul>\n<h3 id=\"ember1573\" class=\"ember-view\">Enabling IP forwarding<\/h3>\n<p id=\"ember1574\" class=\"ember-view reader-content-blocks__paragraph\">Edit sysctl.conf:<\/p>\n<pre>#nano \/etc\/sysctl.conf<\/pre>\n<p id=\"ember1575\" class=\"ember-view reader-content-blocks__paragraph\">Uncomment net.ipv4.ip_forward=1 and save the changes.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/65.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-745\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/65.png\" alt=\"\" width=\"514\" height=\"136\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/65.png 514w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/65-300x79.png 300w\" sizes=\"auto, (max-width: 514px) 100vw, 514px\" \/><\/a><\/p>\n<p>Enable the WireGuard interface:<\/p>\n<pre>#systemctl enable wg-quick@wg0<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/66.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-746\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/66.png\" alt=\"\" width=\"977\" height=\"40\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/66.png 977w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/66-300x12.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/66-768x31.png 768w\" sizes=\"auto, (max-width: 977px) 100vw, 977px\" \/><\/a><\/p>\n<h3 id=\"ember1579\" class=\"ember-view\">Securing sensitive files<\/h3>\n<p id=\"ember1580\" class=\"ember-view reader-content-blocks__paragraph\">Protect sensitive WireGuard files:<\/p>\n<pre>#chown -R root:root \/etc\/wireguard\/\n#chmod -R og-rwx \/etc\/wireguard\/*<\/pre>\n<p><a 
href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/67.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-747\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/67.png\" alt=\"\" width=\"502\" height=\"204\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/67.png 502w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/67-300x122.png 300w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/a><\/p>\n<p id=\"ember1582\" class=\"ember-view reader-content-blocks__paragraph\">Reboot the Raspberry Pi:<\/p>\n<pre>$sudo reboot<\/pre>\n<p id=\"ember1583\" class=\"ember-view reader-content-blocks__paragraph\">After rebooting, verify the WireGuard interface:<\/p>\n<pre>$ip addr<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/68.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-748\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/68.png\" alt=\"\" width=\"927\" height=\"348\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/68.png 927w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/68-300x113.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/68-768x288.png 768w\" sizes=\"auto, (max-width: 927px) 100vw, 927px\" \/><\/a><\/p>\n<h3 id=\"ember1585\" class=\"ember-view\">Configuring port forwarding:<\/h3>\n<p id=\"ember1586\" class=\"ember-view reader-content-blocks__paragraph\">Access your router&#8217;s settings and set up port forwarding. Forward external port 51900 (UDP) to the internal IP address and port 51900 of the Raspberry Pi. 
Example:<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/69.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-749\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/69.png\" alt=\"\" width=\"948\" height=\"352\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/69.png 948w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/69-300x111.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/69-768x285.png 768w\" sizes=\"auto, (max-width: 948px) 100vw, 948px\" \/><\/a><\/p>\n<h3 id=\"ember1588\" class=\"ember-view\">Setting up WireGuard clients<\/h3>\n<h3 id=\"ember1589\" class=\"ember-view\">Common setup for clients<\/h3>\n<p id=\"ember1590\" class=\"ember-view reader-content-blocks__paragraph\"><strong>VPN Server Address:<\/strong> Use the domain name created with DuckDNS as vpn_server_address.<\/p>\n<h3 id=\"ember1591\" class=\"ember-view\">Setting up access<\/h3>\n<p id=\"ember1592\" class=\"ember-view reader-content-blocks__paragraph\">Open the configuration file for the phone client:<\/p>\n<pre>$sudo nano \/etc\/wireguard\/phone.conf<\/pre>\n<p id=\"ember1593\" class=\"ember-view reader-content-blocks__paragraph\">Add the following content, replacing placeholders with actual values:<\/p>\n<pre>[Interface]\nAddress = 10.6.0.2\/24\nPrivateKey = &lt;insert phone_private_key&gt;\nDNS = 10.6.0.1\n\n[Peer]\nPublicKey = &lt;insert server_public_key&gt;\nPresharedKey = &lt;insert phone_preshared_key&gt;\nEndpoint = &lt;vpn_server_address&gt;:51900\nAllowedIPs = 0.0.0.0\/0, ::\/0<\/pre>\n<p id=\"ember1594\" class=\"ember-view reader-content-blocks__paragraph\">Open the configuration file for the laptop client:<\/p>\n<pre>$sudo nano \/etc\/wireguard\/laptop.conf<\/pre>\n<p id=\"ember1595\" class=\"ember-view reader-content-blocks__paragraph\">Add content similar to the phone configuration, replacing 
placeholders:<\/p>\n<pre>[Interface]\nAddress = 10.6.0.3\/24\nPrivateKey = &lt;insert laptop_private_key&gt;\nDNS = 10.6.0.1\n\n[Peer]\nPublicKey = &lt;insert server_public_key&gt;\nPresharedKey = &lt;insert laptop_preshared_key&gt;\nEndpoint = &lt;vpn_server_address&gt;:51900\nAllowedIPs = 0.0.0.0\/0, ::\/0<\/pre>\n<h3 id=\"ember1596\" class=\"ember-view\">Generate QR code for easy import<\/h3>\n<p id=\"ember1597\" class=\"ember-view reader-content-blocks__paragraph\">Use qrencode to create a QR code:<\/p>\n<pre>#qrencode -t ansiutf8 &lt; \/etc\/wireguard\/phone.conf<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/70.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-750\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/70.png\" alt=\"\" width=\"302\" height=\"332\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/70.png 302w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/70-273x300.png 273w\" sizes=\"auto, (max-width: 302px) 100vw, 302px\" \/><\/a><\/p>\n<h3 id=\"ember1599\" class=\"ember-view\">Testing the Connection<\/h3>\n<p id=\"ember1600\" class=\"ember-view reader-content-blocks__paragraph\">After connecting the phone to the local network, test the connection by running the command wg:<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/71.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-751\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/71.png\" alt=\"\" width=\"475\" height=\"354\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/71.png 475w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/71-300x224.png 300w\" sizes=\"auto, (max-width: 475px) 100vw, 475px\" \/><\/a><\/p>\n<p id=\"ember1602\" class=\"ember-view reader-content-blocks__paragraph\">Attempt to access local resources (e.g., 
Pi-hole web interface).<\/p>\n<p id=\"ember1603\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Adding Unattended Upgrades (Optional):<\/strong><\/p>\n<p id=\"ember1604\" class=\"ember-view reader-content-blocks__paragraph\">For third-party packages (e.g., from PPAs), manually include them for security updates.<\/p>\n<p id=\"ember1605\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Determining PPA Origin and Suite:<\/strong><\/p>\n<p id=\"ember1606\" class=\"ember-view reader-content-blocks__paragraph\">Check \/var\/lib\/apt\/lists for files ending with InRelease.<\/p>\n<p id=\"ember1607\" class=\"ember-view reader-content-blocks__paragraph\">Use less to view details:<\/p>\n<pre>$less \/var\/lib\/apt\/lists\/deb.debian.org_debian_dists_unstable_InRelease<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/72.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-752\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/72.png\" alt=\"\" width=\"691\" height=\"351\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/72.png 691w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/72-300x152.png 300w\" sizes=\"auto, (max-width: 691px) 100vw, 691px\" \/><\/a><\/p>\n<p id=\"ember1609\" class=\"ember-view reader-content-blocks__paragraph\">Note the Origin and Suite fields to provide to unattended-upgrade for automatic updates.<\/p>\n<p id=\"ember1610\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Installing Pi.Alert, a network security scanner &amp; notification framework (optional)<\/strong><\/p>\n<p id=\"ember1611\" class=\"ember-view reader-content-blocks__paragraph\">Pi.Alert is a compact and effective project designed to detect Wi-Fi and LAN intruders by monitoring connected devices and alerting you to any unknown devices. 
It also notifies you when &#8220;always connected&#8221; devices are disconnected. Originally developed by pucherot and available at <a class=\"app-aware-link \" href=\"https:\/\/github.com\/pucherot\/Pi.Alert\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">pucherot\/Pi.Alert<\/a>, it has not been updated since 2021. Recognizing its potential, several forks quickly emerged. For this installation, we&#8217;ll be using a containerized version by jokob-sk, available at <a class=\"app-aware-link \" href=\"https:\/\/github.com\/jokob-sk\/Pi.Alert\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">jokob-sk\/Pi.Alert<\/a>, though non-container alternatives like <a class=\"app-aware-link \" href=\"https:\/\/github.com\/leiweibau\/Pi.Alert\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">leiweibau\/Pi.Alert<\/a> are also available.<\/p>\n<p id=\"ember1612\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Installation Guide<\/strong><\/p>\n<p id=\"ember1613\" class=\"ember-view reader-content-blocks__paragraph\">This guide will cover setting up the container using a configuration file through the stacks menu in Portainer. 
The configuration will include:<\/p>\n<ul>\n<li>Healthcheck feature to monitor the container&#8217;s health status.<\/li>\n<li>Volume mapping for:\n<ul>\n<li>Synchronizing device data between Pi.Alert and Pi-hole by mapping the Pi-hole folder where the pihole-FTL.db file is stored (optional).<\/li>\n<li>Mapping the Pi.Alert log folder for log access (optional).<\/li>\n<\/ul>\n<\/li>\n<li>Configuring the TimeZone and port.<\/li>\n<li>Setting the user and group ID.<\/li>\n<li>Setting the network mode.<\/li>\n<\/ul>\n<p id=\"ember1615\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Docker Compose Configuration:<\/strong><\/p>\n<pre>version: \"3.9\"\nservices:\n  pi.alert:\n    container_name: Pi.Alert\n    healthcheck:\n      test: curl -f http:\/\/localhost:20211\/ || exit 1\n      interval: 5m\n      timeout: 10s\n      retries: 5\n    volumes:\n      - \/home\/daniel\/DockerVol\/pialert\/config:\/home\/pi\/pialert\/config:rw\n      - \/home\/daniel\/DockerVol\/pialert\/db:\/home\/pi\/pialert\/db:rw\n      # Optional log volume. Uncomment to enable it\n      #- \/home\/daniel\/DockerVol\/pialert\/log:\/home\/pi\/pialert\/front\/log:rw\n      # Optional Pi-hole synchronization. 
Uncomment to enable it\n      #- \/home\/daniel\/DockerVol\/pihole\/etc-pihole:\/etc\/pihole\/:rw\n    environment:\n      TZ: Europe\/Madrid # Change to your timezone\n      PORT: 20211\n      HOST_USER_ID: 1000\n      HOST_USER_GID: 1000\n    network_mode: host\n    restart: unless-stopped\n    image: jokobsk\/pi.alert:latest<\/pre>\n<p id=\"ember1616\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Firewall Configuration:<\/strong><\/p>\n<p id=\"ember1617\" class=\"ember-view reader-content-blocks__paragraph\">If you&#8217;ve enabled a firewall, remember to open the TCP port and reload the firewall to allow access to the Pi.Alert web interface:<\/p>\n<pre>$sudo ufw allow 20211\/tcp\n$sudo ufw reload<\/pre>\n<p id=\"ember1618\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Securing Access:<\/strong><\/p>\n<p id=\"ember1619\" class=\"ember-view reader-content-blocks__paragraph\">As the default setup is not password-protected, it&#8217;s advisable to change the default password (123456) and enable login protection:<\/p>\n<ol>\n<li>Navigate to the &#8216;Set Password&#8217; option within the System menu in settings.<\/li>\n<li>Enter your desired password in the SETPWD_password field.<\/li>\n<li>Change SETPWD_RUN from disabled to before_config_save and click the play button. A notification should confirm that the password is set.<\/li>\n<li>Access the General settings under the Core menu and enable PIALERT_WEB_PROTECTION.<\/li>\n<li>Finally, click the Pi.Alert icon in the upper right corner and select &#8216;Sign out&#8217;. 
You will now be prompted for a password upon logging in.<\/li>\n<\/ol>\n<h2 id=\"ember1621\" class=\"ember-view\">Installing a monitoring tool<\/h2>\n<p id=\"ember1622\" class=\"ember-view reader-content-blocks__paragraph\">When it comes to system monitoring, there are a plethora of options ranging from lightweight applications to more comprehensive solutions that offer extensive functionalities at the expense of higher resource consumption.<\/p>\n<p id=\"ember1623\" class=\"ember-view reader-content-blocks__paragraph\">Initially, I opted for <a class=\"app-aware-link \" href=\"https:\/\/github.com\/XavierBerger\/RPi-Monitor\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">RPi-Monitor<\/a> for its simplicity and light footprint, offering all the basic monitoring parameters one might need. However, it became apparent that RPi-Monitor has not been updated since August 2017, prompting a search for a modern, actively maintained alternative. This search led me to discover <a class=\"app-aware-link \" href=\"https:\/\/learn.netdata.cloud\/guides\/monitor\/pi-hole-raspberry-pi\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">NetData<\/a>, a robust, open-source tool designed for real-time metrics collection. NetData excels in presenting metrics such as CPU usage, disk activity, bandwidth utilization, and website traffic through live, intuitive charts. 
It also allows for the creation of a free cloud account which adds enhanced features like:<\/p>\n<ul>\n<li>Infrastructure-level dashboards aggregating data from multiple nodes.<\/li>\n<li>Centralized alert notifications.<\/li>\n<li>Custom dashboard editor.<\/li>\n<li>Intelligent troubleshooting assistance to identify root causes of issues.<\/li>\n<\/ul>\n<p id=\"ember1625\" class=\"ember-view reader-content-blocks__paragraph\">Although NetData offers premium features, the free account promises to remain free indefinitely.<\/p>\n<p id=\"ember1626\" class=\"ember-view reader-content-blocks__paragraph\">For those requiring a more powerful monitoring solution with extensive integrations and capabilities, including machine learning, <a class=\"app-aware-link \" href=\"https:\/\/grafana.com\/grafana\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">Grafana<\/a> is an excellent choice. Grafana provides a <a class=\"app-aware-link \" href=\"https:\/\/play.grafana.org\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">sandbox<\/a> environment for experimenting with dashboards and data visualization.<\/p>\n<h3 id=\"ember1627\" class=\"ember-view\">Installing RPi-Monitor (Deprecated)<\/h3>\n<p id=\"ember1628\" class=\"ember-view reader-content-blocks__paragraph\">As RPi-Monitor&#8217;s maintenance has ceased, its installation is only recommended for historical reference or specific legacy applications. 
To install RPi-Monitor, follow these commands:<\/p>\n<pre>$sudo apt-get install dirmngr\n$sudo apt-key adv --recv-keys --keyserver hkp:\/\/keyserver.ubuntu.com:80 2C0D3C0F\n$sudo wget http:\/\/goo.gl\/vewCLL -O \/etc\/apt\/sources.list.d\/rpimonitor.list\n$sudo apt-get update\n$sudo apt-get install rpimonitor<\/pre>\n<p id=\"ember1629\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Configuring RPi-Monitor for Network Statistics:<\/strong><\/p>\n<ol>\n<li>Edit the network configuration template:<\/li>\n<\/ol>\n<pre>$sudo nano \/etc\/rpimonitor\/template\/network.conf<\/pre>\n<p>2. Adjust the configuration by uncommenting and commenting sections as detailed in the original instructions to tailor the displayed network statistics.<\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/73.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-753\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/73.png\" alt=\"\" width=\"624\" height=\"275\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/73.png 624w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/73-300x132.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/a><\/p>\n<p>3. Restart RPi-Monitor to apply changes:<\/p>\n<pre>$sudo service rpimonitor restart<\/pre>\n<p>4. 
Update RPi-Monitor&#8217;s package status:<\/p>\n<pre>$sudo \/etc\/init.d\/rpimonitor update<\/pre>\n<p id=\"ember1635\" class=\"ember-view reader-content-blocks__paragraph\">Access the RPi-Monitor web interface at http:\/\/&lt;IPAddress&gt;:8888 to view your server&#8217;s status and historical data, facilitating effective monitoring and troubleshooting.<\/p>\n<div class=\"reader-image-block reader-image-block--full-width\">\n<figure class=\"reader-image-block__figure\">\n<div class=\"ivm-image-view-model   \">\n<div class=\"ivm-view-attr__img-wrapper\n        display-flex\"><img decoding=\"async\" id=\"ember1636\" class=\"ivm-view-attr__img--centered  reader-image-block__img evi-image lazy-image ember-view\" src=\"https:\/\/media.licdn.com\/dms\/image\/D4D12AQGUNvGX3eZBVQ\/article-inline_image-shrink_1500_2232\/0\/1707593741808?e=1717027200&amp;v=beta&amp;t=sL3Xfds2Q96Pn6-zKSsR2swpBSMRHoWKO34J9Z-lYAg\" alt=\"\" \/><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/74.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-754\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/74.png\" alt=\"\" width=\"1748\" height=\"668\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/74.png 1748w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/74-300x115.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/74-1024x391.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/74-768x293.png 768w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/74-1536x587.png 1536w\" sizes=\"auto, (max-width: 1748px) 100vw, 1748px\" \/><\/a><\/div>\n<div>\n<h3 id=\"ember1637\" class=\"ember-view\">Installing Netdata on Raspberry Pi (Recommended)<\/h3>\n<p id=\"ember1638\" class=\"ember-view reader-content-blocks__paragraph\">Netdata is a powerful tool designed to monitor and troubleshoot a variety of devices and the 
applications running on them, including Raspberry Pi and Pi-hole. With its quick installation process and no need for additional configuration, Netdata provides instant access to over 1,500 metrics, such as CPU load, memory and disk usage, and bandwidth, collected every second.<\/p>\n<h3 id=\"ember1639\" class=\"ember-view\">Installation process<\/h3>\n<h3 id=\"ember1640\" class=\"ember-view\">Bare metal installation<\/h3>\n<p id=\"ember1641\" class=\"ember-view reader-content-blocks__paragraph\">To install Netdata on a Raspberry Pi, you only need to run a single command. On Raspberry Pis running Raspbian, the best way to install Netdata is the project&#8217;s one-line kickstart script. This script asks you to install dependencies, then compiles Netdata from source via <a class=\"app-aware-link \" href=\"https:\/\/github.com\/netdata\/netdata\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">GitHub<\/a>.<\/p>\n<pre>$wget -O \/tmp\/netdata-kickstart.sh https:\/\/get.netdata.cloud\/kickstart.sh &amp;&amp; sh \/tmp\/netdata-kickstart.sh --stable-channel --disable-telemetry<\/pre>\n<p id=\"ember1642\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Parameters Explained<\/strong><\/p>\n<ul>\n<li>--stable-channel: Installs from the stable release channel (the default is nightly).<\/li>\n<li>--disable-telemetry: Opts out of sending anonymous statistics.<\/li>\n<li>--no-updates: Disables automatic updates.<\/li>\n<\/ul>\n<p id=\"ember1644\" class=\"ember-view reader-content-blocks__paragraph\">The command above installs from the stable release channel and disables anonymous statistics. Append --no-updates if you also want to opt out of automatic updates.<\/p>\n<p id=\"ember1645\" class=\"ember-view reader-content-blocks__paragraph\">During installation, the script will prompt for administrator credentials to install all necessary packages.<\/p>\n<h3 id=\"ember1646\" 
class=\"ember-view\">Container installation<\/h3>\n<p id=\"ember1647\" class=\"ember-view reader-content-blocks__paragraph\">We will install Netdata inside a container using a docker-compose configuration, following the instructions here: <a class=\"app-aware-link \" href=\"https:\/\/learn.netdata.cloud\/docs\/installing\/docker\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/learn.netdata.cloud\/docs\/installing\/docker<\/a>. Below is the Docker Compose file to load in Portainer&#8217;s stacks menu:<\/p>\n<pre>version: '3'\nservices:\n  netdata:\n    image: netdata\/netdata\n    container_name: netdata\n    environment:\n      - TZ=Europe\/Madrid # Change to your timezone\n    pid: host\n    network_mode: host\n    ports:\n      - 19999:19999\n    restart: unless-stopped\n    cap_add:\n      - SYS_PTRACE\n      - SYS_ADMIN\n    security_opt:\n      - apparmor:unconfined\n    volumes:\n      - netdataconfig:\/etc\/netdata\n      - netdatalib:\/var\/lib\/netdata\n      - netdatacache:\/var\/cache\/netdata\n      - \/etc\/passwd:\/host\/etc\/passwd:ro\n      - \/etc\/group:\/host\/etc\/group:ro\n      - \/etc\/localtime:\/etc\/localtime:ro\n      - \/proc:\/host\/proc:ro\n      - \/sys:\/host\/sys:ro\n      - \/etc\/os-release:\/host\/etc\/os-release:ro\n      - \/var\/log:\/host\/var\/log:ro\n      - \/var\/run\/docker.sock:\/var\/run\/docker.sock:ro\nvolumes:\n  netdataconfig:\n  netdatalib:\n  netdatacache:<\/pre>\n<p id=\"ember1648\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Key Components of the Configuration:<\/strong><\/p>\n<ul>\n<li><strong>Ports:<\/strong> The Netdata web interface is exposed on port 19999, which you can access via http:\/\/&lt;your-raspberry-pi-ip&gt;:19999.<\/li>\n<li><strong>Volumes:<\/strong> Uses persistent storage for configuration, data libraries, and cache to ensure data persists across container restarts. Mounts proc and sys filesystems to allow Netdata to collect system metrics. 
Remember, container volumes are mounted under the \/var\/lib\/docker\/volumes folder on the host.<\/li>\n<li><strong>Environment Variables:<\/strong> TZ is set for timezone configuration. Adjust it to match your local timezone.<\/li>\n<li><strong>Capabilities and Security:<\/strong> Adds SYS_PTRACE and SYS_ADMIN to enhance metrics collection capabilities. Sets AppArmor to unconfined to avoid restrictions that could limit Netdata&#8217;s monitoring capabilities.<\/li>\n<li><strong>Default Location of Docker Volumes:<\/strong> On a Linux system, the default location for Docker volumes is under \/var\/lib\/docker\/volumes\/. So, if you have a named volume netdataconfig, the data stored in this volume can be found at: \/var\/lib\/docker\/volumes\/netdataconfig\/_data. Volumes created by a stack are prefixed with the stack name, so for a stack named netdata the path is \/var\/lib\/docker\/volumes\/netdata_netdataconfig\/_data.<\/li>\n<\/ul>\n<p id=\"ember1650\" class=\"ember-view reader-content-blocks__paragraph\">Navigate to the Stacks menu and select \u201c+ Add stack\u201d. Enter a stack name in lowercase and choose the \u201cWeb editor\u201d option. Paste the Docker Compose file provided earlier, modifying any necessary parameters. Next, click the \u201cDeploy the stack\u201d button and wait a few minutes.<\/p>\n<h3 id=\"ember1651\" class=\"ember-view\">Accessing Netdata<\/h3>\n<p id=\"ember1652\" class=\"ember-view reader-content-blocks__paragraph\">Navigate to http:\/\/[your raspberry pi IP]:19999 in your browser to view the Netdata dashboard. 
Upon first login, you&#8217;ll be prompted to create a cloud account to access additional features such as:<\/p>\n<ul>\n<li>Infrastructure-level dashboards.<\/li>\n<li>Centralized alert notifications.<\/li>\n<li>Custom dashboard editor.<\/li>\n<li>Assisted troubleshooting intelligence.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/76.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-756\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/76.png\" alt=\"\" width=\"708\" height=\"349\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/76.png 708w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/76-300x148.png 300w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/77.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-757\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/77.png\" alt=\"\" width=\"1378\" height=\"741\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/77.png 1378w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/77-300x161.png 300w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/77-1024x551.png 1024w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/77-768x413.png 768w\" sizes=\"auto, (max-width: 1378px) 100vw, 1378px\" \/><\/a><\/p>\n<p id=\"ember1656\" class=\"ember-view reader-content-blocks__paragraph\">Through the dashboard, you can explore various metrics collected by Netdata, from device-specific data like CPU, memory, disk, network, and temperature (found under the Sensors section), to application-specific metrics for software like Fail2ban, firewall, Pi-hole, and WireGuard.<\/p>\n<h3 id=\"ember1657\" class=\"ember-view\">Configuring Netdata<\/h3>\n<p id=\"ember1658\" 
class=\"ember-view reader-content-blocks__paragraph\"><strong>Enabling temperature sensor monitoring<\/strong><\/p>\n<p id=\"ember1659\" class=\"ember-view reader-content-blocks__paragraph\">After installation, you&#8217;ll need to modify a configuration file to enable temperature sensor monitoring. This involves uncommenting the sensors=force line in the charts.d.conf configuration file. The location of this file depends on your installation type and operating system:<\/p>\n<p id=\"ember1660\" class=\"ember-view reader-content-blocks__paragraph\"><strong>For container installation:<\/strong><\/p>\n<pre>$sudo -s\n#cd \/var\/lib\/docker\/volumes\/netdata_netdataconfig\/_data\n$sudo .\/edit-config charts.d.conf<\/pre>\n<p id=\"ember1661\" class=\"ember-view reader-content-blocks__paragraph\"><strong>For Debian:<\/strong><\/p>\n<pre>$cd \/etc\/netdata\n$sudo .\/edit-config charts.d.conf<\/pre>\n<p id=\"ember1662\" class=\"ember-view reader-content-blocks__paragraph\"><strong>For Raspbian:<\/strong><\/p>\n<\/div>\n<\/div>\n<\/figure>\n<\/div>\n<pre>$cd \/opt\/netdata\n$sudo cp usr\/lib\/netdata\/conf.d\/charts.d.conf etc\/netdata\/\n$cd etc\/netdata\n$sudo .\/edit-config charts.d.conf<\/pre>\n<p><a href=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/78.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-758\" src=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/78.png\" alt=\"\" width=\"486\" height=\"224\" srcset=\"https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/78.png 486w, https:\/\/coneixement.info\/blog\/wp-content\/uploads\/2024\/03\/78-300x138.png 300w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\" \/><\/a><\/p>\n<p id=\"ember1664\" class=\"ember-view reader-content-blocks__paragraph\">After making the changes, restart the Netdata service to activate temperature sensor monitoring:<\/p>\n<pre>$sudo systemctl restart netdata<\/pre>\n<p id=\"ember1665\" class=\"ember-view 
reader-content-blocks__paragraph\"><strong>Increasing Historical Metrics Storage<\/strong><\/p>\n<p id=\"ember1666\" class=\"ember-view reader-content-blocks__paragraph\">Netdata recommends adjusting the data storage settings to accommodate more historical metrics. Use their <a class=\"app-aware-link \" href=\"https:\/\/learn.netdata.cloud\/docs\/store\/change-metrics-storage#calculate-the-system-resources-ram-disk-space-needed-to-store-metrics\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">database sizing calculator<\/a> and <a class=\"app-aware-link \" href=\"https:\/\/learn.netdata.cloud\/guides\/longer-metrics-storage\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">guide on storing historical metrics<\/a> to configure your Raspberry Pi accordingly.<\/p>\n<h3 id=\"ember1667\" class=\"ember-view\">Cloud account and remote monitoring<\/h3>\n<p id=\"ember1668\" class=\"ember-view reader-content-blocks__paragraph\">Creating a cloud account provides a command to install an agent on your device for data collection and cloud transmission. 
Additionally, leveraging their mobile app is highly recommended for remote system monitoring.<\/p>\n<h3 id=\"ember1669\" class=\"ember-view\">Grafana Integration<\/h3>\n<p id=\"ember1670\" class=\"ember-view reader-content-blocks__paragraph\">For those interested in integrating with Grafana, detailed instructions on installing a Grafana agent on a <a class=\"app-aware-link \" href=\"https:\/\/grafana.com\/tutorials\/install-grafana-on-raspberry-pi\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">Raspberry Pi<\/a> are available on their website, providing step-by-step guidance for this process.<\/p>\n<h2 id=\"ember1671\" class=\"ember-view\">Enhancing the Raspberry Pi security<\/h2>\n<p id=\"ember1672\" class=\"ember-view reader-content-blocks__paragraph\">In addition to the measures mentioned in the previous sections, such as enabling the firewall, installing fail2ban to protect against brute force attacks, securing SSH access, not using default ports, or disabling default users, we can take an additional step: disabling Wi-Fi if we do not use it.<\/p>\n<h3 id=\"ember1673\" class=\"ember-view\">Disabling Wi-Fi<\/h3>\n<p id=\"ember1674\" class=\"ember-view reader-content-blocks__paragraph\">If your Raspberry Pi is equipped with a Wi-Fi interface that you do not use, disabling it can enhance security and reduce potential attack vectors. Here&#8217;s how to disable the onboard Wi-Fi:<\/p>\n<h3 id=\"ember1675\" class=\"ember-view\">Method 1: Disable Wi-Fi via \/boot\/config.txt<\/h3>\n<p id=\"ember1676\" class=\"ember-view reader-content-blocks__paragraph\">For Raspberry Pi 3 and Raspberry Pi 4, you can disable the onboard Wi-Fi directly through the firmware by modifying the \/boot\/config.txt file. This approach is recommended for a more permanent solution. 
Add the following lines to \/boot\/config.txt:<\/p>\n<ul>\n<li>For all models with onboard Wi-Fi:<\/li>\n<\/ul>\n<pre>dtoverlay=disable-wifi<\/pre>\n<ul>\n<li>Specifically for Raspberry Pi 3 (this line is not needed for Pi 4 as the above line covers all models):<\/li>\n<\/ul>\n<pre>dtoverlay=pi3-disable-wifi<\/pre>\n<p id=\"ember1679\" class=\"ember-view reader-content-blocks__paragraph\">This method disables the Wi-Fi hardware at the firmware level, preventing it from being activated by the operating system.<\/p>\n<h3 id=\"ember1680\" class=\"ember-view\">Method 2: Blacklisting Wi-Fi Modules<\/h3>\n<p id=\"ember1681\" class=\"ember-view reader-content-blocks__paragraph\">Alternatively, you can disable the Wi-Fi by blacklisting the kernel modules responsible for the Wi-Fi interface. This method effectively prevents the Wi-Fi drivers from being loaded during system startup, which disables the Wi-Fi interface. Add the following lines to a new blacklist file within \/etc\/modprobe.d\/:<\/p>\n<p id=\"ember1682\" class=\"ember-view reader-content-blocks__paragraph\">Open or create the blacklist configuration file:<\/p>\n<pre>$sudo nano \/etc\/modprobe.d\/raspi-blacklist.conf<\/pre>\n<p id=\"ember1683\" class=\"ember-view reader-content-blocks__paragraph\">Add these lines to the file to blacklist the Wi-Fi drivers:<\/p>\n<pre>blacklist brcmfmac\nblacklist brcmutil<\/pre>\n<p id=\"ember1684\" class=\"ember-view reader-content-blocks__paragraph\">Save and exit the editor (in nano, press CTRL+X, then Y to confirm, and Enter to save).<\/p>\n<p id=\"ember1685\" class=\"ember-view reader-content-blocks__paragraph\">After adding these lines, reboot your Raspberry Pi for the changes to take effect. 
This approach is useful if you might want to re-enable Wi-Fi in the future, as you can simply remove these lines or comment them out by prefixing with #.<\/p>\n<p id=\"ember1686\" class=\"ember-view reader-content-blocks__paragraph\">Both methods are effective in disabling the Wi-Fi interface on a Raspberry Pi. Choose the method that best suits your needs based on whether you prefer a firmware-level solution or a reversible kernel module blacklist approach.<\/p>\n<h2 id=\"ember1687\" class=\"ember-view\">Backup &amp; restore strategies for Raspberry Pi<\/h2>\n<p id=\"ember1688\" class=\"ember-view reader-content-blocks__paragraph\">Backing up your Raspberry Pi is crucial for ensuring that your data, configurations, and the entire system can be restored to a previous state in case of failure, corruption, or before making significant changes. Here are detailed methods for backing up your Raspberry Pi:<\/p>\n<h3 id=\"ember1689\" class=\"ember-view\">Method 1: Copy the SD Card Image<\/h3>\n<p id=\"ember1690\" class=\"ember-view reader-content-blocks__paragraph\">Creating a direct image of your SD card or USB drive is a straightforward way to back up your entire system. This method clones the entire partition, including the operating system, applications, user data, and settings.<\/p>\n<p id=\"ember1691\" class=\"ember-view reader-content-blocks__paragraph\"><strong>To create an SD card image, use the <\/strong>dd<strong> command:<\/strong><\/p>\n<pre>$sudo dd bs=4M if=\/dev\/sdb of=raspbian_bck.img conv=fdatasync status=progress<\/pre>\n<ul>\n<li>bs=4M sets the block size to 4 megabytes to speed up the backup process.<\/li>\n<li>if=\/dev\/sdb specifies the input file (your SD card). Be sure to replace \/dev\/sdb with the correct device identifier for your SD card. 
Use the lsblk or fdisk -l command to identify your SD card.<\/li>\n<li>of=raspbian_bck.img defines the output file, the name of the disk image.<\/li>\n<li>conv=fdatasync ensures that the data is written and synchronized before the process completes.<\/li>\n<li>status=progress displays the progress of the backup as it happens.<\/li>\n<\/ul>\n<p id=\"ember1693\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Restoring from an SD card image:<\/strong><\/p>\n<p id=\"ember1694\" class=\"ember-view reader-content-blocks__paragraph\">To restore your Raspberry Pi from the backup image, use the dd command in reverse:<\/p>\n<pre>$sudo dd bs=4M if=raspbian_bck.img of=\/dev\/sdb conv=fdatasync status=progress<\/pre>\n<p id=\"ember1695\" class=\"ember-view reader-content-blocks__paragraph\">Ensure you specify the correct output file (of=\/dev\/sdb), which should be your SD card.<\/p>\n<h3 id=\"ember1696\" class=\"ember-view\">Method 2: Zip the Home Directory<\/h3>\n<p id=\"ember1697\" class=\"ember-view reader-content-blocks__paragraph\">This method involves compressing and backing up the home directory or any specific directories you wish to back up. This is useful for backing up user data and configurations without cloning the entire system.<\/p>\n<p id=\"ember1698\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Back up the home directory:<\/strong><\/p>\n<pre>$sudo zip -r home_backup.zip \/home\/pi<\/pre>\n<ul>\n<li>zip -r home_backup.zip creates a compressed zip file named home_backup.zip.<\/li>\n<li>\/home\/pi specifies the directory to back up. 
Adjust the path according to your needs or to back up other directories.<\/li>\n<\/ul>\n<p id=\"ember1700\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Restoring from the zip file:<\/strong><\/p>\n<p id=\"ember1701\" class=\"ember-view reader-content-blocks__paragraph\">To restore, unzip the backup file. The archive stores paths relative to the root directory (home\/pi\/...), so extract it to \/ for the files to land back in \/home\/pi:<\/p>\n<pre>$sudo unzip home_backup.zip -d \/<\/pre>\n<h3 id=\"ember1702\" class=\"ember-view\">Method 3: Scheduled Backups with rsync and cron<\/h3>\n<p id=\"ember1703\" class=\"ember-view reader-content-blocks__paragraph\">Scheduled backups can be set up using cron jobs and the rsync tool, allowing for incremental backups of specified directories to an external storage device or network location.<\/p>\n<p id=\"ember1704\" class=\"ember-view reader-content-blocks__paragraph\"><strong>Set up a <\/strong>cron<strong> job for regular backups:<\/strong><\/p>\n<ol>\n<li>Open the cron table for editing:<\/li>\n<\/ol>\n<pre>$sudo crontab -e<\/pre>\n<ol start=\"2\">\n<li>Add a line to schedule your backup. For example, to back up daily at midnight:<\/li>\n<\/ol>\n<pre>0 0 * * * \/usr\/bin\/rsync -a \/home\/pi \/path\/to\/backup\/location<\/pre>\n<ul>\n<li>\/usr\/bin\/rsync -a \/home\/pi \/path\/to\/backup\/location specifies the rsync command to perform the backup. Replace \/path\/to\/backup\/location with your actual backup destination.<\/li>\n<li>Adjust the cron schedule syntax as needed for your backup frequency.<\/li>\n<\/ul>\n<h2 id=\"ember1708\" class=\"ember-view\">Bonus track. Setting up Vaultwarden: a lightweight password manager<\/h2>\n<p id=\"ember1709\" class=\"ember-view reader-content-blocks__paragraph\">When it comes to managing passwords securely, the choice of tools can greatly influence both the security and ease of use. 
Initially, I opted for <a class=\"app-aware-link \" href=\"https:\/\/keepass.info\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">KeePass<\/a>, a lightweight and open-source solution, and even shared <a class=\"app-aware-link \" href=\"https:\/\/coneixement.info\/blog\/how-to-set-and-use-passwords-in-a-safety-way\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">my setup and usage tips on my blog<\/a>. Over time, however, the landscape of password management tools has evolved, bringing more feature-rich options to the forefront, such as <a class=\"app-aware-link \" href=\"https:\/\/bitwarden.com\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">Bitwarden<\/a>. Despite Bitwarden&#8217;s robust offerings, its official server can be resource-intensive, making it less ideal for all users.<\/p>\n<p id=\"ember1710\" class=\"ember-view reader-content-blocks__paragraph\">This is where <a class=\"app-aware-link \" href=\"https:\/\/github.com\/dani-garcia\/vaultwarden\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">Vaultwarden<\/a> comes into play. Vaultwarden is an alternative implementation of the Bitwarden server&#8217;s API, written in Rust. 
It&#8217;s designed to be compatible with <a class=\"app-aware-link \" href=\"https:\/\/bitwarden.com\/download\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">Bitwarden clients<\/a> but is significantly more lightweight, making it an excellent choice for self-hosting, especially on less powerful hardware like a Raspberry Pi.<\/p>\n<h3 id=\"ember1711\" class=\"ember-view\">Basic Installation of Vaultwarden<\/h3>\n<p id=\"ember1712\" class=\"ember-view reader-content-blocks__paragraph\">The installation process for Vaultwarden is straightforward and can be followed from the <a class=\"app-aware-link \" href=\"https:\/\/www.wundertech.net\/how-to-self-host-bitwarden-on-a-raspberry-pi\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">official documentation<\/a>. Given my setup, where one Raspberry Pi is already dedicated to privacy filtering and serving as a VPN server, I opted to deploy Vaultwarden on a separate Raspberry Pi to avoid overloading a single device with multiple services.<\/p>\n<h3 id=\"ember1713\" class=\"ember-view\">Requirements for Accessing Vaultwarden<\/h3>\n<ul>\n<li><strong>Proxy Manager (Nginx):<\/strong> To access Vaultwarden securely, especially from outside your local network, you&#8217;ll need a reverse proxy. Nginx is a popular choice for this role, providing the necessary redirection and encryption for web traffic.<\/li>\n<li><strong>Container Manager (Portainer):<\/strong> Vaultwarden and Nginx will run inside containers, simplifying deployment, isolation, and management of these services. Portainer is an intuitive container management tool that facilitates the management of Docker containers.<\/li>\n<\/ul>\n<h3 id=\"ember1715\" class=\"ember-view\">Ensuring Secure Remote Access<\/h3>\n<ul>\n<li><strong>DDNS Service:<\/strong> If you plan to access your Vaultwarden server from the internet, a Dynamic Domain Name System (DDNS) service is crucial. 
DDNS ensures that your server can be reached at a consistent address, even if your home IP address changes.<\/li>\n<li><strong>Mandatory HTTPS:<\/strong> Given the sensitive nature of a password manager, ensuring secure access via HTTPS is non-negotiable. Accessing your password vault through an unencrypted HTTP connection is unsafe. The use of a reverse proxy like Nginx allows for the easy setup of SSL certificates, often through automated tools like Let&#8217;s Encrypt, to secure your connections.<\/li>\n<\/ul>\n<h3 id=\"ember1717\" class=\"ember-view\">Final Thoughts<\/h3>\n<p id=\"ember1718\" class=\"ember-view reader-content-blocks__paragraph\">Choosing Vaultwarden for self-hosted password management offers a balance between functionality and resource efficiency, making it an excellent choice for individuals looking to maintain control over their password data without requiring extensive server resources. The setup, while involving several steps, provides a robust and secure system for managing passwords across devices and from any location, ensuring your sensitive information remains protected.<\/p>\n<p id=\"ember1719\" class=\"ember-view reader-content-blocks__paragraph\">By following these guidelines, you can establish a secure, private, and self-hosted password management solution that respects your resources and privacy.<\/p>\n<p id=\"ember1720\" class=\"ember-view reader-content-blocks__paragraph\">Updating the software components on your Raspberry Pi, especially when using Docker containers, is crucial for security, performance improvements, and accessing new features. Here&#8217;s a streamlined guide on how to update key components like Portainer, individual Docker containers, and Nginx within your setup.<\/p>\n<h3 id=\"ember1721\" class=\"ember-view\">Updating Portainer<\/h3>\n<p id=\"ember1722\" class=\"ember-view reader-content-blocks__paragraph\">Portainer is an essential tool for managing your Docker environments. 
Follow these steps to update Portainer to the latest version:<\/p>\n<ol>\n<li>Stop the Portainer container:<\/li>\n<\/ol>\n<pre>$ docker stop portainer<\/pre>\n<ol start=\"2\">\n<li>Remove the existing Portainer container:<\/li>\n<\/ol>\n<pre>$ docker rm portainer<\/pre>\n<ol start=\"3\">\n<li>Pull the latest Portainer image:<\/li>\n<\/ol>\n<pre>$ docker pull portainer\/portainer-ce:latest<\/pre>\n<ol start=\"4\">\n<li>Run the new Portainer container:<\/li>\n<\/ol>\n<pre>$ sudo docker run -d -p 9000:9000 --name=portainer --restart=always -v \/var\/run\/docker.sock:\/var\/run\/docker.sock -v portainer_data:\/data portainer\/portainer-ce:latest<\/pre>\n<h3 id=\"ember1727\" class=\"ember-view\">Updating Vaultwarden<\/h3>\n<p id=\"ember1728\" class=\"ember-view reader-content-blocks__paragraph\">Containers should be regularly checked for updates to ensure you&#8217;re running the most secure and efficient versions.<\/p>\n<h3 id=\"ember1729\" class=\"ember-view\">Updating through Portainer:<\/h3>\n<ol>\n<li><strong>Stop the container:<\/strong> Navigate to Containers in Portainer, then stop the container you wish to update.<\/li>\n<li><strong>Recreate the container:<\/strong> Select the container, then click on &#8220;Recreate&#8221;. Make sure to select &#8220;Pull latest image&#8221; before recreating.<\/li>\n<li><strong>Restart the container:<\/strong> Once recreated, start the container.
It will now run the latest image version.<\/li>\n<\/ol>\n<h3 id=\"ember1731\" class=\"ember-view\">Updating via Command Line:<\/h3>\n<p id=\"ember1732\" class=\"ember-view reader-content-blocks__paragraph\">To update a specific container, such as Vaultwarden, follow these steps:<\/p>\n<ol>\n<li><strong>Pull the latest image:<\/strong><\/li>\n<\/ol>\n<pre>$ docker pull vaultwarden\/server:latest<\/pre>\n<ol start=\"2\">\n<li><strong>Run the new container (example for Vaultwarden):<\/strong> Remove the previous container first if one exists (the name vaultwarden must be free), and adjust the volume mappings and port bindings to match your configuration.<\/li>\n<\/ol>\n<pre>$ sudo docker run -d --name vaultwarden --restart=always -v \/bw-data\/:\/data\/ -p 127.0.0.1:8080:80 -p 127.0.0.1:3012:3012 vaultwarden\/server:latest<\/pre>\n<h3 id=\"ember1735\" class=\"ember-view\">Updating Nginx<\/h3>\n<p id=\"ember1736\" class=\"ember-view reader-content-blocks__paragraph\">For Nginx, which serves as a reverse proxy, it&#8217;s vital to keep both the application and its database containers up to date. Note that docker update only changes a container&#8217;s settings (here, the restart policy) and does not pull a newer image; to get a newer image, pull it and recreate the container as described above.<\/p>\n<ol>\n<li><strong>Update the Nginx application container:<\/strong><\/li>\n<\/ol>\n<pre>$ sudo docker update --restart always nginx_app_1<\/pre>\n<ol start=\"2\">\n<li><strong>Update the Nginx database container:<\/strong><\/li>\n<\/ol>\n<pre>$ sudo docker update --restart always nginx_db_1<\/pre>\n<h3 id=\"ember1739\" class=\"ember-view\">General tips for updating Docker containers:<\/h3>\n<ul>\n<li><strong>Back up first:<\/strong> Always back up your data before updating, especially for critical services like databases or personal data management systems.<\/li>\n<li><strong>Use tags wisely:<\/strong> When pulling new images, consider using specific version tags instead of always using :latest to ensure compatibility.<\/li>\n<li><strong>Clean up:<\/strong> After updating, clean up old images and containers with docker system prune to free up space; note that it also removes all stopped containers and unused networks.<\/li>\n<\/ul>\n<h2 id=\"ember1741\" class=\"ember-view\">Bibliography<\/h2>\n<h3
id=\"ember1742\" class=\"ember-view\">Base<\/h3>\n<ol>\n<li><a class=\"app-aware-link \" href=\"https:\/\/www.forbes.com\/sites\/marketshare\/2012\/03\/05\/if-youre-not-paying-for-it-you-become-the-product\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.forbes.com\/sites\/marketshare\/2012\/03\/05\/if-youre-not-paying-for-it-you-become-the-product\/<\/a><\/li>\n<li><a class=\"app-aware-link \" href=\"https:\/\/medium.com\/change-your-mind\/if-you-are-not-paying-for-the-product-you-are-the-product-4dbc15b9a3f2\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/medium.com\/change-your-mind\/if-you-are-not-paying-for-the-product-you-are-the-product-4dbc15b9a3f2<\/a><\/li>\n<li><a class=\"app-aware-link \" href=\"https:\/\/clearcode.cc\/blog\/what-is-data-broker\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/clearcode.cc\/blog\/what-is-data-broker\/<\/a><\/li>\n<li><a class=\"app-aware-link \" href=\"https:\/\/www.peekyou.com\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.peekyou.com\/<\/a><\/li>\n<li><a class=\"app-aware-link \" href=\"https:\/\/www.toptenreviews.com\/best-people-search-services\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.toptenreviews.com\/best-people-search-services<\/a><\/li>\n<li><a class=\"app-aware-link \" href=\"https:\/\/thesmashy.medium.com\/building-a-pihole-for-privacy-and-performance-f762dbcb66e5\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/thesmashy.medium.com\/building-a-pihole-for-privacy-and-performance-f762dbcb66e5<\/a><\/li>\n<li><a class=\"app-aware-link \" href=\"https:\/\/www.thetechherald.com\/tech-news\/raspberry-pi-raspbian-os-gets-a-microsoft-repo-without-any-notification-heres-how-to-remove-concerns-of-telemetry-data-collection\/\" target=\"_self\" rel=\"noopener\" 
data-test-app-aware-link=\"\"><strong>https:\/\/www.thetechherald.com\/tech-news\/raspberry-pi-raspbian-os-gets-a-microsoft-repo-without-any-notification-heres-how-to-remove-concerns-of-telemetry-data-collection\/<\/strong><\/a><\/li>\n<li><a class=\"app-aware-link \" href=\"https:\/\/arstechnica.com\/gadgets\/2021\/02\/raspberry-pi-os-added-a-microsoft-repo-no-its-not-an-evil-secret\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\"><strong>https:\/\/arstechnica.com\/gadgets\/2021\/02\/raspberry-pi-os-added-a-microsoft-repo-no-its-not-an-evil-secret\/<\/strong><\/a><\/li>\n<li><a class=\"app-aware-link \" href=\"https:\/\/betanews.com\/2021\/02\/08\/linux-based-raspberry-pi-os-secret-microsoft-repo\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\"><strong>https:\/\/betanews.com\/2021\/02\/08\/linux-based-raspberry-pi-os-secret-microsoft-repo\/<\/strong><\/a><\/li>\n<li><a class=\"app-aware-link \" href=\"https:\/\/www.raspberrypi.org\/documentation\/hardware\/raspberrypi\/bootmodes\/msd.md\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\"><strong>https:\/\/www.raspberrypi.org\/documentation\/hardware\/raspberrypi\/bootmodes\/msd.md<\/strong><\/a><\/li>\n<\/ol>\n<h3 id=\"ember1744\" class=\"ember-view\">Pi-hole<\/h3>\n<p id=\"ember1745\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/dev.to\/jldohmann\/the-ultimate-ad-blocker-configuring-pi-hole-with-unbound-dns-20eo\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/dev.to\/jldohmann\/the-ultimate-ad-blocker-configuring-pi-hole-with-unbound-dns-20eo<\/a><\/p>\n<p id=\"ember1746\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.bentasker.co.uk\/blog\/the-internet\/703-scaling-pihole-to-cope-with-huge-query-rates\" target=\"_self\" rel=\"noopener\" 
data-test-app-aware-link=\"\">https:\/\/www.bentasker.co.uk\/blog\/the-internet\/703-scaling-pihole-to-cope-with-huge-query-rates<\/a><\/p>\n<p id=\"ember1747\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.vcloudinfo.com\/2019\/02\/my-pi-hole-is-out-of-space-how-to-free-up-space-to-upgrade.html\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.vcloudinfo.com\/2019\/02\/my-pi-hole-is-out-of-space-how-to-free-up-space-to-upgrade.html<\/a><\/p>\n<p id=\"ember1748\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/firebog.net\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/firebog.net<\/a><\/p>\n<p id=\"ember1749\" class=\"ember-view reader-content-blocks__paragraph\">https:\/\/github.com\/topics\/pihole-ads-list<\/p>\n<p id=\"ember1750\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/blog.mandos.io\/p\/ultimate-guide-setup-raspberry-pi-hole-boost-privacy-browsing-speed\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/blog.mandos.io\/p\/ultimate-guide-setup-raspberry-pi-hole-boost-privacy-browsing-speed<\/a><\/p>\n<p id=\"ember1751\" class=\"ember-view reader-content-blocks__paragraph\">https:\/\/avoidthehack.com\/best-pihole-blocklists<\/p>\n<h3 id=\"ember1752\" class=\"ember-view\">Unbound<\/h3>\n<p id=\"ember1753\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/docs.pi-hole.net\/guides\/dns\/unbound\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/docs.pi-hole.net\/guides\/dns\/unbound\/<\/a><\/p>\n<p id=\"ember1754\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/github.com\/pi-hole\/docs\/issues\/207\" target=\"_self\" rel=\"noopener\" 
data-test-app-aware-link=\"\">https:\/\/github.com\/pi-hole\/docs\/issues\/207<\/a><\/p>\n<p id=\"ember1755\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.reddit.com\/r\/pihole\/comments\/d9j1z6\/unbound_as_recursive_dns_server_slow_performance\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.reddit.com\/r\/pihole\/comments\/d9j1z6\/unbound_as_recursive_dns_server_slow_performance\/<\/a><\/p>\n<h3 id=\"ember1756\" class=\"ember-view\">Fail2ban<\/h3>\n<p id=\"ember1757\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.niih.de\/how-to-upgrade-fail2ban-to-support-ipv6\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.niih.de\/how-to-upgrade-fail2ban-to-support-ipv6\/<\/a><\/p>\n<h3 id=\"ember1758\" class=\"ember-view\">Unattended-Upgrades<\/h3>\n<p id=\"ember1759\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/pimylifeup.com\/unattended-upgrades-debian-ubuntu\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/pimylifeup.com\/unattended-upgrades-debian-ubuntu\/<\/a><\/p>\n<p id=\"ember1760\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.zealfortechnology.com\/2018\/08\/configure-unattended-upgrades-on-raspberry-pi.html\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.zealfortechnology.com\/2018\/08\/configure-unattended-upgrades-on-raspberry-pi.html<\/a><\/p>\n<p id=\"ember1761\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/wiki.debian.org\/UnattendedUpgrades\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/wiki.debian.org\/UnattendedUpgrades<\/a><\/p>\n<p id=\"ember1762\" class=\"ember-view reader-content-blocks__paragraph\"><a 
class=\"app-aware-link \" href=\"https:\/\/kb.iu.edu\/d\/aews\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/kb.iu.edu\/d\/aews<\/a><\/p>\n<p id=\"ember1763\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/linux-audit.com\/upgrading-external-packages-with-unattended-upgrade\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/linux-audit.com\/upgrading-external-packages-with-unattended-upgrade\/<\/a><\/p>\n<p id=\"ember1764\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/pimylifeup.com\/unattended-upgrades-debian-ubuntu\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/pimylifeup.com\/unattended-upgrades-debian-ubuntu\/<\/a><\/p>\n<h3 id=\"ember1765\" class=\"ember-view\">Pi.Alert<\/h3>\n<p id=\"ember1766\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/github.com\/pucherot\/Pi.Alert\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/github.com\/pucherot\/Pi.Alert<\/a><\/p>\n<p id=\"ember1767\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/github.com\/jokob-sk\/Pi.Alert\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/github.com\/jokob-sk\/Pi.Alert<\/a><\/p>\n<p id=\"ember1768\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/github.com\/leiweibau\/Pi.Alert\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/github.com\/leiweibau\/Pi.Alert<\/a><\/p>\n<h3 id=\"ember1769\" class=\"ember-view\">Container<\/h3>\n<p id=\"ember1770\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/docs.docker.com\/engine\/install\/debian\/\" target=\"_self\" rel=\"noopener\" 
data-test-app-aware-link=\"\">https:\/\/docs.docker.com\/engine\/install\/debian\/<\/a><\/p>\n<p id=\"ember1771\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.youtube.com\/watch?v=XziNCmcxB_c\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.youtube.com\/watch?v=XziNCmcxB_c<\/a><\/p>\n<h3 id=\"ember1772\" class=\"ember-view\">WireGuard<\/h3>\n<p id=\"ember1773\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/wireguard.how\/server\/debian\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/wireguard.how\/server\/debian\/<\/a><\/p>\n<p id=\"ember1774\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/engineerworkshop.com\/blog\/how-to-set-up-wireguard-on-a-raspberry-pi\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/engineerworkshop.com\/blog\/how-to-set-up-wireguard-on-a-raspberry-pi\/<\/a><\/p>\n<p id=\"ember1775\" class=\"ember-view reader-content-blocks__paragraph\">https:\/\/www.cyberciti.biz\/faq\/debian-10-set-up-wireguard-vpn-server\/<\/p>\n<p id=\"ember1776\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/serversideup.net\/generating-wireguard-qr-codes-for-fast-mobile-deployments\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/serversideup.net\/generating-wireguard-qr-codes-for-fast-mobile-deployments\/<\/a><\/p>\n<p id=\"ember1777\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/serversideup.net\/courses\/gain-flexibility-and-increase-privacy-with-wireguard-vpn\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/serversideup.net\/courses\/gain-flexibility-and-increase-privacy-with-wireguard-vpn\/<\/a><\/p>\n<p id=\"ember1778\" class=\"ember-view 
reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.procustodibus.com\/blog\/2020\/12\/wireguard-site-to-site-config\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.procustodibus.com\/blog\/2020\/12\/wireguard-site-to-site-config\/<\/a><\/p>\n<p id=\"ember1779\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/wiki.debian.org\/SimplePrivateTunnelVPNWithWireGuard\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/wiki.debian.org\/SimplePrivateTunnelVPNWithWireGuard<\/a><\/p>\n<p id=\"ember1780\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/kirelos.com\/set-up-your-own-wireguard-vpn-server-on-debian\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/kirelos.com\/set-up-your-own-wireguard-vpn-server-on-debian\/<\/a><\/p>\n<h3 id=\"ember1781\" class=\"ember-view\">Monitoring tools<\/h3>\n<p id=\"ember1782\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/github.com\/XavierBerger\/RPi-Monitor\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/github.com\/XavierBerger\/RPi-Monitor<\/a><\/p>\n<p id=\"ember1783\" class=\"ember-view reader-content-blocks__paragraph\">https:\/\/learn.netdata.cloud\/guides\/monitor\/pi-hole-raspberry-pi<\/p>\n<p id=\"ember1784\" class=\"ember-view reader-content-blocks__paragraph\">https:\/\/grafana.com\/tutorials\/install-grafana-on-raspberry-pi\/<\/p>\n<h3 id=\"ember1785\" class=\"ember-view\">Backup<\/h3>\n<p id=\"ember1786\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/raspberryexpert.com\/how-to-backup-raspberry-pi\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/raspberryexpert.com\/how-to-backup-raspberry-pi\/<\/a><\/p>\n<h3 id=\"ember1787\" 
class=\"ember-view\">Vaultwarden<\/h3>\n<p id=\"ember1788\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.wundertech.net\/how-to-self-host-bitwarden-on-a-raspberry-pi\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.wundertech.net\/how-to-self-host-bitwarden-on-a-raspberry-pi\/<\/a><\/p>\n<p id=\"ember1789\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/medium.com\/codex\/complete-self-hosted-bitwarden-for-raspberry-pi-24b59c3b02df\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/medium.com\/codex\/complete-self-hosted-bitwarden-for-raspberry-pi-24b59c3b02df<\/a><\/p>\n<p id=\"ember1790\" class=\"ember-view reader-content-blocks__paragraph\">https:\/\/pimylifeup.com\/raspberry-pi-bitwarden\/<\/p>\n<p id=\"ember1791\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/phoenixnap.com\/kb\/update-docker-image-container\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/phoenixnap.com\/kb\/update-docker-image-container<\/a><\/p>\n<p id=\"ember1792\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.wundertech.net\/how-to-update-a-docker-container-using-portainer\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.wundertech.net\/how-to-update-a-docker-container-using-portainer\/<\/a><\/p>\n<p id=\"ember1793\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/github.com\/NginxProxyManager\/nginx-proxy-manager\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/github.com\/NginxProxyManager\/nginx-proxy-manager<\/a><\/p>\n<h3 id=\"ember1794\" class=\"ember-view\">Others<\/h3>\n<p id=\"ember1795\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link 
\" href=\"https:\/\/serverfault.com\/questions\/1006595\/cannot-setup-wireguard-vpn\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/serverfault.com\/questions\/1006595\/cannot-setup-wireguard-vpn<\/a><\/p>\n<p id=\"ember1796\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/wireguard.how\/server\/debian\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/wireguard.how\/server\/debian\/<\/a><\/p>\n<p id=\"ember1797\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/raspberrytips.com\/disable-wifi-raspberry-pi\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/raspberrytips.com\/disable-wifi-raspberry-pi\/<\/a><\/p>\n<p id=\"ember1798\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?t=290611\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?t=290611<\/a><\/p>\n<p id=\"ember1799\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?f=63&amp;t=138610\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.raspberrypi.org\/forums\/viewtopic.php?f=63&amp;t=138610<\/a><\/p>\n<p id=\"ember1800\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.simonpreston.dev\/2019\/03\/01\/using-the-raspberry-pi-as-a-dhcp-server\/\" target=\"_self\" rel=\"noopener\" data-test-app-aware-link=\"\">https:\/\/www.simonpreston.dev\/2019\/03\/01\/using-the-raspberry-pi-as-a-dhcp-server\/<\/a><\/p>\n<p id=\"ember1801\" class=\"ember-view reader-content-blocks__paragraph\"><a class=\"app-aware-link \" href=\"https:\/\/www.privacyguides.org\/\" target=\"_self\" rel=\"noopener\" 
data-test-app-aware-link=\"\">https:\/\/www.privacyguides.org\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Privacy for you Internet access plus a monitor for your devices, a Wi-Fi\/LAN intruder detector and a VPN Server for remote access with a Raspberry Pi + bonus track: password manager. Now with containers!! Changelog 20230103 &#8211; Added Netdata as a monitoring solution recommended instead RPi-monitor 20240210 &#8211; Updated for Debian 12 (Bookworm), including instructions &hellip; <a href=\"https:\/\/coneixement.info\/blog\/enhanced-privacy-box-with-raspberry-pi-revamped-and-containerized\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Enhanced Privacy Box with Raspberry Pi: Revamped and Containerized<\/span> <span
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-680","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/posts\/680","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/comments?post=680"}],"version-history":[{"count":2,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/posts\/680\/revisions"}],"predecessor-version":[{"id":761,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/posts\/680\/revisions\/761"}],"wp:attachment":[{"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/media?parent=680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/categories?post=680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coneixement.info\/blog\/wp-json\/wp\/v2\/tags?post=680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}