Raspberry Pi 4 - justinknguyen/PiGuide Wiki



Getting Started

The following model was purchased from CanaKit: https://www.canakit.com/raspberry-pi-4-starter-kit.html

  • Raspberry Pi 4 Model B with 1.5GHz 64-bit quad-core ARMv8 CPU
  • 4GB RAM
  • CanaKit 3.5A USB-C Power Supply with Noise Filter (UL Listed) specially designed for the Raspberry Pi 4 (5-foot cable)
  • CanaKit Premium Black Case (High Gloss), Set of 3 Aluminum Heat Sinks
  • CanaKit Fan
  • Micro HDMI to HDMI Cable (6-foot cable)
  • 32 GB Samsung EVO+ MicroSD Card
  • USB Card Reader Dongle

Building the Raspberry Pi 4

A good YouTube video for building and setting it up: https://www.youtube.com/watch?v=7rcNjgVgc-I

Modifying the Case Fan

The provided case fan outputs too much noise running at 100% constantly.
Installing a 30 Ohm resistor in series between the power pin of the Pi and the case fan lowers the noise output to a quiet level while providing enough cooling. I then wrapped the resistor with electrical tape. Make sure the wires are tucked away from the fan.

Setting up the Raspberry Pi 4

Option 1: Setup with Monitor (Recommended)

The above YouTube link shows how to set up the Pi 4; however, this assumes you bought from CanaKit. CanaKit pre-installs "Noobs" on the provided MicroSD card, which provides a GUI to install Raspberry Pi OS without an additional computer. You still require a monitor to set up the Pi.

If you would rather use your computer to install Raspberry Pi OS directly, or have your own MicroSD card, download the Raspberry Pi Imager from https://www.raspberrypi.com/software/. In the Imager, choose "Raspberry Pi OS (64-bit)".

Once imaged onto the MicroSD card, insert it in the Pi and then connect your mouse, keyboard, and HDMI cable (connect to the port closest to the power port) to continue setup using a monitor and the Pi desktop. Once done, enable SSH under Preferences > Raspberry Pi Configuration > Interfaces.

Recommendations
It’s best to connect the Pi by ethernet as the WiFi card is a little slow. If you do so, I recommend disabling WiFi on the Pi by following the guides on this website: https://pimylifeup.com/raspberry-pi-disable-wifi/.

You should also set a static IP address for the Pi in your router settings so it doesn’t change. Having the IP address static is essential to keep all your programs working.

Troubleshooting
In rare cases, connecting to the monitor won't display anything. If so, try Setup Headless or follow this website https://windowsreport.com/raspberry-pi-hdmi-not-working/ by uncommenting the following lines in boot/config.txt of the MicroSD card:

  • hdmi_force_hotplug=1
  • hdmi_drive=2

Option 2: Setup Headless

If you want to set up the Pi headless (via SSH terminal instead of a monitor and Pi desktop), choose "Raspberry Pi OS Lite (64-bit)" in the Raspberry Pi Imager. Then, in the Advanced options page, enable SSH and Internet.

You could also manually enable SSH and Internet. This website provides a good guide on how to enable SSH and Internet headless https://pimylifeup.com/headless-raspberry-pi-setup/.

You can download the required files for SSH and Internet here:

Recommendations
It’s best to connect the Pi by ethernet as the WiFi card is a little slow. If you do so, I recommend disabling WiFi on the Pi by following the guides on this website: https://pimylifeup.com/raspberry-pi-disable-wifi/.

You should also set a static IP address for the Pi in your router settings so it doesn’t change. Having the IP address static is essential to keep all your programs working.


Once you enable SSH through either of the above methods, download a terminal to SSH into the Pi, such as PuTTY https://www.putty.org/. This is how we’ll manage the Raspberry Pi from now on instead of using the Pi desktop.


Optional: Change Password

If you set up the Pi with a monitor or headless with the Advanced options, you would have been presented with the option to change your password. If you set up the Pi headless manually, you will need to SSH into the Pi using PuTTY with the Pi's IP address. The IP address of the Pi can be found under your router settings.

The default username is pi and the password is raspberry.
Once you SSH in, type the following to change your password: passwd

Optional: Change Hostname

This could’ve been set in the Advanced options page of the Imager. The steps to change the hostname after the fact are listed below.

  1. SSH into the Pi, and open the following file by entering:
sudo nano /etc/hosts
  2. At the bottom, change raspberrypi to whatever name you want for the Pi.
  3. To save the file, press Ctrl+X then Y then Enter.
  4. Next, open another file by entering:
sudo nano /etc/hostname
  5. Change raspberrypi to whatever name you want for the Pi.
  6. To save the file, press Ctrl+X then Y then Enter.
  7. Reboot:
sudo reboot

Installed Programs

The following programs should be installed and configured in the order listed. PuTTY will be used to SSH into the Pi and install everything. Again, when you SSH into the Pi, the default username is pi and the password is raspberry.

Watchdog

Reboot the Pi when there is a hardware failure. The Raspberry Pi has a hardware watchdog built in that will power cycle it if the chip is not refreshed within a certain interval.

Configuration

  1. Check if you have /dev/watchdog by entering:
ls -al /dev/watchdog*

You should see something similar to the output below:

$ ls -al /dev/watchdog*
crw------- 1 root root  10, 130 Feb  9 23:22 /dev/watchdog
crw------- 1 root root 250,   0 Feb  9 23:22 /dev/watchdog0
  2. Enter:
sudo nano /etc/systemd/system.conf

Then uncomment and set the following lines to:

RuntimeWatchdogSec=10
ShutdownWatchdogSec=10min

What the lines above say is:

  • Refresh the hardware watchdog every 10 seconds. If for some reason the refresh fails (I believe after 3 intervals; i.e. 30s), power cycle the system.
  • On shutdown, if the system takes more than 10 minutes to reboot, power cycle the system.
  3. Reboot:
sudo reboot

Testing

Optional: run a "fork bomb" on your shell:

:(){ :|:& };:

Running this code will render your Raspberry Pi inaccessible until it’s reset by the watchdog. The Pi should be back up and running after a few minutes. If you notice your Pi is a little slow, try rebooting it again with sudo reboot.

Sources


XRDP

Remote desktop. Everything can be done via SSH terminal, but the option to remote desktop in is nice.

Pre-install

  1. Enter:
sudo raspi-config
  2. Go to (1) System Options -> S5 Boot/Auto Login -> select "B3 Desktop GUI - requiring user to login".
  3. Exit back to the terminal and run the following commands:
sudo apt update
sudo apt-get install raspberrypi-ui-mods xinit xserver-xorg
  4. Reboot:
sudo reboot

Installation

  1. Install XRDP:
sudo apt install xrdp
  2. When the installation process is complete, the XRDP service will automatically start. You can verify that XRDP is running by typing:
systemctl show -p SubState --value xrdp
  3. By default XRDP uses the /etc/ssl/private/ssl-cert-snakeoil.key file which is readable only by users that are members of the “ssl-cert” group. You’ll need to add the user that runs the XRDP server to the ssl-cert group by entering:
sudo adduser pi ssl-cert

Note: replace "pi" with the name of your login username if you changed it.

Testing

Type "rdp" into your Windows search bar and open "Remote Desktop Connection". Once opened, you can enter the IP address of the Pi to login and view the desktop.

Troubleshooting

If you get a blue screen and cannot connect to the RDP, just create a second user by:

  1. Entering:
sudo adduser <username>
  2. Choose and confirm password.
  3. Hit enter for defaults.
  4. Try RDP again with that login.
  5. Add user to ssl-cert group:
sudo adduser <username> ssl-cert

Sources


Docker

Containerize certain programs for easy removal. Finding guides for Docker container programs is harder than finding guides to install programs normally. The benefit of Docker is being able to quickly and easily remove the entire program, which is much harder with normally installed programs. Installing Docker containers can also be easier as there is less chance of them conflicting with other programs.

Installation

  1. Update and Upgrade:
sudo apt-get update && sudo apt-get upgrade
  2. Install Docker:
curl -sSL https://get.docker.com | sh
  3. Add a non-root user to the docker group:
sudo usermod -aG docker pi
  4. Then add permissions to the current user:
sudo usermod -aG docker ${USER}
  5. Check that the user is now listed in the docker group with:
groups ${USER}
  6. Reboot:
sudo reboot
  7. Install Docker-Compose:
sudo apt-get install libffi-dev libssl-dev
sudo apt install python3-dev
sudo apt-get install -y python3 python3-pip
  8. Once python3 and pip3 are installed, run:
sudo pip3 install docker-compose
  9. Enable the Docker system service to start your containers on boot:
sudo systemctl enable docker

Testing

Test by running the Hello World container:

docker run hello-world

Sources


Portainer

Provides a GUI to easily manage Docker containers.

Installation

  1. Update and Upgrade:
sudo apt update
sudo apt upgrade
  2. Install Portainer:
sudo docker pull portainer/portainer-ce:latest
  3. Run Portainer:
sudo docker run -d -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

A few of the big things we do here: first, we define the ports we want Portainer to have access to. In our case, this will be port 9000. We assign this Docker container the name “portainer” so we can quickly identify it if we ever need to. Additionally, we tell Docker that we want it to restart this container if it is ever unintentionally offline. The first -v option mounts the Docker socket into the container, which is what lets Portainer control Docker on the Pi, and the second stores Portainer's data in the portainer_data volume.

Testing

You can now access the WebUI by typing [PIIPADDRESS]:9000 into your search bar. Follow the link under Sources to learn how to use Portainer.

Sources


Home Assistant

Can connect anything "smart" into one single app for a unified Smart Home. Main benefit is being able to integrate into Apple HomeKit.

Installation

  1. Create a docker-compose.yml file by typing:
sudo nano docker-compose.yml
  2. Inside the nano editor, copy and paste the following:
version: '3'
services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /home/pi/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    privileged: true
    network_mode: host
  3. To save the file, press Ctrl+X then Y then Enter.
  4. Install Home Assistant:
docker-compose up -d

Testing

You can now access the WebUI by typing [PIIPADDRESS]:8123 into your search bar. Follow the second link under Sources to learn how to use Home Assistant.

Backing up Home Assistant

  1. Stop the Home Assistant service by logging into Portainer.
  2. Create a .tar file of the Home Assistant folder (mine is located at /home/pi/homeassistant):
sudo tar -cf ha-backup.tar homeassistant/
  3. Download WinSCP from https://winscp.net/eng/download.php. This is to easily transfer files between your computer and the Pi.
  4. Transfer the ha-backup.tar file to your computer using WinSCP.
  5. You can start up Home Assistant again with Portainer.

To restore from a backup:

  1. On your new Pi install, use WinSCP to transfer the .tar file from your computer to the Pi /home/pi directory, then unpack the .tar with (ensure Home Assistant is not running on the new Pi):
sudo tar -xvf ha-backup.tar
  2. Extracting the .tar should automatically overwrite the Home Assistant config folder. Now, start Home Assistant back up.
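
Because the restore step unpacks the archive with sudo and overwrites the config folder, it is worth checking the archive before extracting it. The script below is an added example, not part of the original guide: it records a SHA-256 at backup time and, before restoring, confirms the checksum and that every member path stays inside homeassistant/. The function names and the temporary demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are
# illustrative; on the Pi, run the restore with sudo as the guide does.

# Create the archive from <parent>/homeassistant and record its SHA-256
# beside it, so the copy moved with WinSCP can be checked before use.
ha_backup() {
    parent=$1; out=$2
    tar -cf "$out" -C "$parent" homeassistant/ || return 1
    ( cd "$(dirname "$out")" &&
      sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# Succeed only if the archive still matches its recorded SHA-256.
ha_checksum_ok() {
    ( cd "$(dirname "$1")" &&
      sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Succeed only if every member stays inside homeassistant/: no absolute
# paths, no ".." components, no other top-level entry, and not empty.
ha_archive_ok() {
    tar -tf "$1" 2>/dev/null | awk '
        { n++ }
        /^\//                        { bad = 1 }
        /(^|\/)\.\.(\/|$)/           { bad = 1 }
        $0 !~ /^homeassistant(\/|$)/ { bad = 1 }
        END { exit ((bad || n == 0) ? 1 : 0) }'
}

# Extract into <dest> only after both checks pass.
ha_restore() {
    archive=$1; dest=$2
    if [ -f "$archive.sha256" ] && ! ha_checksum_ok "$archive"; then
        echo "checksum mismatch: $archive" >&2; return 1
    fi
    if ! ha_archive_ok "$archive"; then
        echo "unexpected member paths in: $archive" >&2; return 1
    fi
    tar -xf "$archive" -C "$dest"
}

# Demo on constructed data in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/old/homeassistant" "$demo/new"
echo "# constructed sample" > "$demo/old/homeassistant/configuration.yaml"
ha_backup "$demo/old" "$demo/ha-backup.tar"
ha_restore "$demo/ha-backup.tar" "$demo/new" && echo "restore ok"
rm -rf "$demo"
```

Transfer the .sha256 file together with the .tar so the check can run on the new Pi.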

Sources


Rclone

Rclone is used to back up anything to any cloud service.

Installation

  1. Update and Upgrade:
sudo apt update
sudo apt upgrade
  2. Install Rclone:
sudo apt install rclone

Configuration

  1. Setup Google Drive as remote:
rclone config
  2. Type in n for New remote.
  3. Type in a name for the remote (e.g., gdrive).
  4. Type in 13 for Google Drive.
  5. Leave application client id and secret empty.
  6. Type in 1 for Full access, or to your preference.
  7. Leave the next couple steps empty.
  8. Choose default config and enter N to auto config.
  9. Copy the link given and paste it in your web browser. Then paste the verification code you receive back into your terminal.
  10. Verify that the configuration is correct and Quit.
  11. Back up a folder:
rclone copy [FOLDERDIRECTORY] "gdrive:backups"
  12. Optional: Automate backups every day at midnight:
crontab -e
  13. Add the following line:
0 0 * * * rclone copy [FOLDERDIRECTORY] "gdrive:backups"

Sources


Grafana

Monitor the Pi hardware. The most important information to me is CPU temp/load and storage.

Installation

  1. Run everything as sudo:
sudo su
  2. Install Node Exporter:
docker run -d  --net="host"  --pid="host"  -v "/:/host:ro,rslave"  quay.io/prometheus/node-exporter:latest  --path.rootfs=/host
  3. You can test if Node Exporter is running by entering [PIIPADDRESS]:9100 into your search bar.
  4. Make a directory for Prometheus:
mkdir Prometheus
  5. cd into Prometheus:
cd Prometheus/
  6. Create a prometheus.yml file by entering:
nano prometheus.yml
  7. Copy and paste the following in then replace PIIPADDRESS:
global:
  scrape_interval: 5s
  external_labels:
    monitor: 'node'
scrape_configs:
  - job_name: 'prometheus'
    static_configs:
      - targets: ['PIIPADDRESS:9090'] ## IP Address of the localhost. Match the port to your container port
  - job_name: 'node-exporter'
    static_configs:
      - targets: ['PIIPADDRESS:9100'] ## IP Address of the localhost
  8. To save the file, press Ctrl+X then Y then Enter.
  9. Install Prometheus:
docker run -d --name prometheus -p 9090:9090 -v /home/pi/Prometheus/prometheus.yml:/etc/prometheus/prometheus.yml prom/prometheus
  10. Install Grafana:
docker run -d --name=grafana -p 3000:3000 grafana/grafana

Configuration

  1. Log in to Grafana by typing [PIIPADDRESS]:3000 into your search bar. The default username and password are both admin. Click on "Add your first data source" then select "Prometheus".
  2. In the "URL" box, type in http://[PIIPADDRESS]:9090 then click "Save & Test".
  3. Google "Node Exporter Grafana Dashboards" and choose one (e.g., https://grafana.com/grafana/dashboards/11074).
  4. Copy the ID (in this case, 11074).
  5. Go back to Grafana, hover over the "+" icon on the left, and click "Import".
  6. Paste in the ID and click "Load".
  7. Under "VictoriaMetrics", select "Prometheus" and then import.
  8. IMPORTANT: login to Portainer and click on your "Local" environment then "Containers". You should see node exporter, prometheus, and grafana installed. Click on each one and scroll down until you see "RESTART POLICIES" then set each to "Always". They will now start on their own whenever the Pi is rebooted.

Testing

Gathering data metrics will take some time, so check back later and see if the data metrics are registering in your dashboard.

Sources


Pi-Hole

Network-wide ad-blocking with recursive DNS (Unbound) and full IPv4/IPv6 support. The Pi 4 acts as the master server, while the Pi Zero 2 W acts as the slave server (i.e., when the master is down, internet traffic will be redirected to the slave).

Disclaimer
This Pi-Hole guide will not show how to configure with a second Pi. Detailed instructions on how to do that will be here, Pi Zero 2 W: Pi-Hole, Gravity Sync, and keepalived.

Installation

  1. Install Pi-Hole:
sudo curl -sSL https://install.pi-hole.net | bash
  2. Go through the install wizard using default settings (just keep pressing Enter/Yes).
  3. Once installed, take note of the IPv4 and (if enabled) IPv6 address. This will be used in your router settings.
  4. Change the Pi-Hole login password by entering:
pihole -a -p [NEWPASSWORD]

Configuration

Router Settings
Using an Asus router,

  1. Under "WAN" and "WAN DNS Setting", ensure "Connect to DNS Server automatically" is set to Yes.
  2. For IPv4:
    Under "LAN" and "DHCP Server", enter the IPv4 address you took note of earlier under "DNS Server 1" and disable Router advertisement, then hit "Apply".
  3. For IPv6:
    Under "IPv6", enter the IPv6 address you took note of earlier under "IPv6 DNS Server 1", then hit "Apply".

Pi-Hole DNS Settings
Login to Pi-Hole by typing [PIIPADDRESS]/admin into your search bar. Head to "Settings" then "DNS". Here you'll see the upstream DNS server you're using. I recommend using "Quad9 (filtered, DNSSEC)". Ensure you check both boxes under the "IPv4" column. Same applies to IPv6 if you have it enabled.

For "Interface settings", I have "Allow only local requests" checked, but if you notice any devices not being ad-blocked, select "Permit all origins".

For "Advanced DNS settings", I enabled the first two check boxes and also enabled conditional forwarding. Conditional forwarding allows me to view the name of devices in the client list of Pi-Hole. Depending on your router, your IP address will look a little different, but it should be similar to something like this:

  • Local network in CIDR notation: 192.168.50.0/24
    • the format is your router's IP address but with a 0 as the last digit, then add /24.
  • IP address of your DHCP server (router): 192.168.50.1
    • the format is just your router's IP address.
  • Local domain name (optional): router.asus.com
    • the format is the domain you use to sign into your router's settings.

Adding Adlists
Click on "Group Management" then "Adlists" and add any adlist you want. I recommend adding the links in green here, https://firebog.net/. You can copy and paste multiple links at a time.

Once added, either enter pihole -g into PuTTY or within the WebUI, go to "Tools" then "Update Gravity". Finally, click on "Update".

Adding Whitelists

  1. Install python3:
sudo apt install python3
  1. Install whitelist:
git clone https://github.com/anudeepND/whitelist.git
sudo python3 whitelist/scripts/whitelist.py

An important whitelist you need to add manually within the WebUI is codeload.github.com. This is to prevent future program installs from being blocked.

Multiple Upstream DNS Servers
If you wish to use multiple DNS servers but have the second one only as a backup in case the primary server is unresponsive, follow the steps below:

  1. Select the two upstream providers you want in Pi-Hole's settings.
  2. Create a file and enter strict-order in it here:
sudo nano /etc/dnsmasq.d/99-custom.conf
  3. /etc/resolv.conf should still only be nameserver 127.0.0.1:
sudo nano /etc/resolv.conf
  4. Ensure that the primary DNS server you want to use is listed first under:
sudo nano /etc/dnsmasq.d/01-pihole.conf
  5. Restart the DNS:
pihole restartdns
  • Doing this results in odd behaviour if you were to restart the Pi or update Pi-Hole using pihole -up (possibly).
  • Upon restarting, Pi-Hole will create a new config file named 01-pihole.conf.save and DNS will not start. This happened on my Pi 4, but did not on my Pi Zero 2 W.
  • To fix this, delete everything within the original 01-pihole.conf file and it will work from now on. Restarting the Pi should no longer create more config files.
  • Upon attempting to update Pi-Hole, update fails as it repopulates 01-pihole.conf again. This happened on my Pi 4, but did not on my Pi Zero 2 W.
  • To fix this, delete the contents again and attempt to update. (Note: successful update will rearrange/repopulate 01-pihole.conf once again.)
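
The steps and notes above can be checked in one pass after a restart or an update. The script below is an added example, not part of the original guide: it confirms strict-order is set, that the intended primary is the first server= line in 01-pihole.conf, and that no extra file such as 01-pihole.conf.save has appeared in the directory. The function names are illustrative and the demo files use constructed contents (Quad9 addresses as sample upstreams).

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are
# illustrative; the directory argument is /etc/dnsmasq.d on the Pi.

# Succeed if an uncommented strict-order line exists in any *.conf file.
has_strict_order() {
    cat "$1"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*strict-order[[:space:]]*$'
}

# Print the upstream servers from 01-pihole.conf in file order.
upstream_order() {
    sed -n 's/^[[:space:]]*server=\([^[:space:]]*\).*/\1/p' \
        "$1/01-pihole.conf" 2>/dev/null
}

# Print regular files in the directory that do not end in .conf, such as
# the 01-pihole.conf.save copy described in the notes.
stray_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.conf) ;; *) basename "$f" ;; esac
    done
}

# Report the first problem found, or "ok". $2 is the intended primary.
check_upstreams() {
    dir=$1; primary=$2
    if ! has_strict_order "$dir"; then
        echo "strict-order is not set"; return 1
    fi
    first=$(upstream_order "$dir" | head -n 1)
    if [ "$first" != "$primary" ]; then
        echo "first upstream is ${first:-missing}, expected $primary"; return 1
    fi
    stray=$(stray_files "$dir")
    if [ -n "$stray" ]; then
        echo "stray file: $stray"; return 1
    fi
    echo "ok"
}

# Demo on constructed files in a temporary directory.
demo=$(mktemp -d)
printf 'server=9.9.9.9\nserver=149.112.112.112\n' > "$demo/01-pihole.conf"
printf 'strict-order\n' > "$demo/99-custom.conf"
check_upstreams "$demo" 9.9.9.9
rm -rf "$demo"
```

On the Pi, call it as check_upstreams /etc/dnsmasq.d followed by the address of your primary upstream.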

Testing

Go to any site you know with ads and check if they're blocked. Make sure you turn off any ad-blocking extensions you may have. A site I recommend is https://www.speedtest.net/.

If you have IPv6 enabled, you can test if IPv6 is working by going to https://test-ipv6.com/, then making sure ad-block works.

Troubleshooting

If you're getting "Rate Limit" errors in Pi-Hole, perform the following:

  1. Enter:
sudo nano /etc/pihole/pihole-FTL.conf
  2. Type the following line in:
RATE_LIMIT=0/0

This will uncap the rate limit; however, it's better to simply raise the limit. I have mine at 2000/600. To find a limit tailored to you, log in to Pi-Hole and hover over the highest bar under “Client activity over last 24 hours”. Take note of the highest number, then add 25% to it. This number will be your first number, and 600 should be your second number, representing 10 mins.

If you have an Asus router and you suspect IPv6 is breaking Pi-Hole, perform the second half of the steps outlined here, Getting IPv6 to Work with Unbound.

If your ad-blocking does not work in the future, try updating Pi-Hole with pihole -up or changing Interface settings to "Permit all origins".

Sources


Unbound

Recursive DNS for Pi-Hole. Tends to resolve faster than iterative queries and also provides privacy by getting rid of the third party, such as Google, Cloudflare, OpenDNS, etc.

Installation

  1. Update:
sudo apt update
  2. Install Unbound:
sudo apt install unbound
  3. Download the current root hints file:
wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints

Configuration

  1. Create the unbound config file:
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
  2. Paste the following in (IMPORTANT: if you have IPv6 on your network, change the do-ip6 line below to do-ip6: yes. Also, if you’re configuring this for a second Pi, you should change the port to 5353 to avoid conflict.):
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
  3. To save the file, press Ctrl+X then Y then Enter.
  4. Restart Unbound:
sudo service unbound restart
  5. Go to the WebUI for Pi-Hole and head to "Settings" then "DNS", and uncheck whatever is checked under "Upstream DNS Servers".
  6. Under "Custom 1 (IPv4)" enter:
127.0.0.1#5335
  7. If you have IPv6, under "Custom 3 (IPv6)" enter:
::1#5335

Testing

  1. Query the following:
dig pi-hole.net @127.0.0.1 -p 5335
  2. You should see something similar to the output below (look for status: NOERROR). If you have IPv6 enabled, it's likely this will fail and you'll get SERVFAIL. The solution to fix that is provided in the next section.

$ dig pi-hole.net @127.0.0.1 -p 5335

; <<>> DiG 9.16.22-Raspbian <<>> pi-hole.net @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25728
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pi-hole.net.                   IN      A

;; ANSWER SECTION:
pi-hole.net.            300     IN      A       3.18.136.52

;; Query time: 59 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat Feb 12 17:42:12 MST 2022
;; MSG SIZE  rcvd: 56
  3. You can test DNSSEC validation using the commands below. The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address.
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335
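
The two DNSSEC test queries can be read together to tell a validating resolver from one that is simply failing. The script below is an added example, not part of the original guide: it parses the status and ANSWER count from dig output and combines both results into a verdict. The function names and verdict labels are illustrative, and the sample outputs are constructed from the format shown above.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are
# illustrative. Run with --live on the Pi to query Unbound on port 5335.

# Print the header status (NOERROR, SERVFAIL, ...) from dig output in $1.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the ANSWER count from the flags line of dig output in $1.
dig_answer_count() {
    printf '%s\n' "$1" |
        sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# $1 = dig output for sigfail, $2 = dig output for sigok.
#   validating       sigfail is refused, sigok resolves (the expected result)
#   not-validating   sigfail resolves too, so bad signatures are accepted
#   resolver-failing sigok does not resolve, so lookups themselves are broken
dnssec_verdict() {
    fail_status=$(dig_status "$1"); fail_answers=$(dig_answer_count "$1")
    ok_status=$(dig_status "$2");   ok_answers=$(dig_answer_count "$2")
    if [ "$ok_status" != "NOERROR" ] || [ "${ok_answers:-0}" -lt 1 ]; then
        echo "resolver-failing"
    elif [ "$fail_status" = "SERVFAIL" ] && [ "${fail_answers:-0}" -eq 0 ]; then
        echo "validating"
    elif [ "$fail_status" = "NOERROR" ] && [ "${fail_answers:-0}" -ge 1 ]; then
        echo "not-validating"
    else
        echo "inconclusive"
    fi
}

# Constructed sample outputs (header and flags lines only).
SAMPLE_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ "${1:-}" = "--live" ]; then
    fail_out=$(dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 2>/dev/null)
    ok_out=$(dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335 2>/dev/null)
    dnssec_verdict "$fail_out" "$ok_out"
else
    dnssec_verdict "$SAMPLE_SIGFAIL" "$SAMPLE_SIGOK"
fi
```

A resolver-failing verdict matches the IPv6 SERVFAIL case mentioned in step 2, which the next section addresses.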

Getting IPv6 to Work with Unbound

IPv6 is tricky to get working with Unbound, with an Asus router at least. If your IPv6 is breaking Pi-Hole and Unbound, then perform the following:

  1. Edit file resolvconf.conf and comment out the last line which should read, unbound_conf=/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf.
sudo nano /etc/resolvconf.conf
  2. Delete the unwanted unbound configuration file:
sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
  3. Restart unbound:
sudo service unbound restart

This MAY Help
If the above steps still do not work, the below can be performed on an Asus router, however, if you have keepalived installed, you will want to put in the IPv6 vrrp address instead of your two Pi’s addresses.

  1. SSH into your router (for an Asus router, enable SSH and SSH Port Forwarding by going to "Administration" then "System". Set "Enable JFFS custom scripts and configs" also.) and enter:
nano /jffs/scripts/dnsmasq.postconf 
  2. Paste the following in. Make sure you enter your IPv6 address within the square brackets below. You can get rid of ,[IPv6 address of second Pi] if you don't have a second Pi.
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "dhcp-option=lan,option6:23,[::]" "dhcp-option=lan,option6:23,[IPv6 address of first Pi],[IPv6 address of second Pi]" $CONFIG
  3. Enter:
chmod 755 /jffs/scripts/dnsmasq.postconf
  4. Reboot the router.
  5. SSH into Pi and enter:
sudo nano /etc/dhcpcd.conf
  6. Scroll down to the bottom and set the lines similar to below.
interface eth0
	static ip_address=[IPv4 Address of the Pihole]/24
	static ip6_address=[IPv6 Address of the Pihole]/64
	static routers=[IP Address of the router]
	static domain_name_servers=[IP Address of the router] [LAN IPv6 Address of the router]
  7. Restart services:
sudo service pihole-FTL restart 
sudo systemctl restart dhcpcd 
sudo service unbound restart

Sources


PiVPN

Turn the Pi into a VPN server. When connected to any public network, being able to VPN to the Pi at home provides you with security/privacy and all access to your home network (i.e., essentially connected to your home WiFi network while away from home).

Installation

  1. Update and Upgrade:
sudo apt update
sudo apt full-upgrade
  2. Install curl:
sudo apt install curl -y
  3. Install PiVPN:
sudo curl -L https://install.pivpn.io | bash
  4. Go through the install wizard and make sure you select WireGuard. If you have Pi-Hole, make sure you select Yes when it asks to use Pi-Hole's DNS server for the VPN.

Configuration

  1. In your router settings, port forward the port 51820 to your Pi's IP address.
  2. Create your WireGuard profile:
sudo pivpn add

To connect to the VPN from your Windows computer
Install WireGuard on your computer from https://www.wireguard.com/install/. Next, enter the following into your SSH terminal. Remember to replace the section below with the profile name you created:

sudo nano /home/pi/configs/[PROFILENAME].conf

Copy everything in this config file and make the same .conf file on your Windows computer by pasting everything in it. Now open WireGuard and open this .conf that you just created. You can now connect to the VPN.

To connect to the VPN from your phone
Install the WireGuard app. Next, enter the following into your SSH terminal:

pivpn -qr PROFILENAME

Then scan the QR code with your phone. You can now connect to the VPN.

Testing

Once the VPN is activated, you should have internet access. If you are on a public WiFi network, go to https://www.dnsleaktest.com/ and take note of the IP address. Next, activate the VPN and run the test again. You should now see your home network's public IP address.

I recommend setting up a dynamic DNS for your router so your public IP address doesn't change.

Troubleshooting

If you are able to connect to WiFi but unable to access devices on the LAN, you need to disable "Block untunneled traffic" within WireGuard client settings if you are on Windows.
If on your phone, you need to manually edit the "Allowed IPs" to 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1. This broke the WiFi connection later on, so I changed it back to 0.0.0.0/0, ::/0 and it worked again, including accessing devices on LAN. If it still does not work, you might want to try enabling “Exclude private IPs” within WireGuard app settings.

Sources

diyHue

Turn the Raspberry Pi into another Hue Bridge for multiple entertainment areas/hue sync instances.

Pre-Installation

If you have Pi-Hole installed, you will need to change the port as diyHue will now need to use the default port (80).

  1. Go to:
sudo nano /etc/lighttpd/lighttpd.conf
  2. Change the line that says server.port = 80 to server.port = 8080.
  3. Restart the service:
sudo service lighttpd restart
  4. You can test and access Pi-Hole's webui using [PIIPADDRESS]:8080.

Installation

  1. Enter the below and replace the X's with the Pi's MAC address:
docker run -d --name diyHue --restart=always --network=host -e MAC=XX:XX:XX:XX:XX:XX -v /mnt/hue-emulator/config:/opt/hue-emulator/config diyhue/core:latest
  2. Check the container is running using Portainer.

Configuration

  1. Access the webui using [PIIPADDRESS].
  2. Open up the Hue App on your phone, and go to Settings > My Hue System, and then add your diyHue bridge. When it prompts to press the link button, go to the diyHue webui and click on Link Button tab and press Link App.
  3. If the Hue App says the bridge needs to be updated, go back to the webui and click on Bridge tab, and from there, you can emulate the diyHue bridge's software version to trick the Hue App.
  4. Once the diyHue bridge is setup in the app, go back to the webui and click on Hue Bridge tab, and enter the official Hue Bridge's IP Address, then pair it.
  5. Once paired, you can then click on the Lights tab and scan for lights. Once it's able to search for all of your lights connected to the official Hue Bridge, you can finally go back to the Hue App, and scan for lights to make your rooms/entertainment areas.

Sources


Potential Programs

These programs are interesting, but I have no use for them right now.

NGINX

Create your own website hosted on your Pi.

Sources

CUPS

Turn any wired printer into wireless.

Sources

