Note : These instructions have been tested for the Raspberry Pi 3B+ and Raspberry Pi 4B. You can try these on older versions, but I have no guarantee that these instructions will work correctly.
To enable SSH in your Raspberry pi before actually booting it up, simply create a file named ssh (with no extension) in the boot partition of your card.
Ref : https://www.raspberrypi.org/documentation/configuration/wireless/headless.md
Before proceeding, please connect your Raspberry Pi to an Ethernet port. This will save you much trouble trying to connect to a Wi-Fi network and will make most of these enhancements much simpler to execute. You actually won't even need to setup internet, as it will be served automatically!
The first thing I do on a headless Raspberry Pi is change the default pi user to give more security once the device will be online.
sudo adduser USERNAMEfor GROUP in $(groups pi | sed 's/.*:\spi//'); do sudo adduser USERNAME $GROUP; done- Add new user
USERNAMEto sudoers to prevent entering the sudo password each session by replacing thepisudoer's file :sudo mv /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/010_USERNAME-nopasswdsudo nano /etc/sudoers.d/010_ved-nopasswd- Rename the
piuser in this file to theUSERNAMEyou have created.
- Rename the
sudo userdel -r pi
- https://raspberrypi.stackexchange.com/a/36177
- https://www.bennettnotes.com/delete-pi-user-on-raspberry-pi
When login in the raspberry pi via SSH, alot of text is printed and this might be annoying. To remove those messages, simply login to your user account, and use this command :
touch ~/.hushloginThis creates an empty file named .hushlogin at the root of your home directory, and this files tells the SSH session to not show the login message when connecting to your user.
Ref : https://www.raspberrypi.org/forums/viewtopic.php?t=124986
This section explains how to mount an external USB drive automatically on boot for having a NAS, for example.
Most of the explanations can be found here, this is mostly a wrap up.
- Plug the usb device
- List all disk partitions :
sudo lsblk -o UUID,NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL,MODEL- You should see your device, most probably with the name
sda1 - Take note of the
UUIDshown for your device, it will be used later!
- You should see your device, most probably with the name
- This part assumes your drive is of type NTFS : make sure the packages are present on the pi (they should be, but check to make sure) :
sudo apt updatesudo apt install ntfs-3g
- Use
sudo blkidto find the location of the disk partition- It will probably be
/dev/sda1(or/dev/sdaN, replacing theNwith a number) - It will have the same
UUIDof the device you found at step 2
- It will probably be
- Create a mounting directory for your device :
sudo mkdir /mnt/nasYou can renamenasto anything, I named it that way to call it a Network Attached Storage
- (optional) Mount your device using the command
sudo mount /dev/sda1 /mnt/nas(replace the/dev/sda1 /mnt/nasvalues with those tailored for you found in the previous steps)- Verify if you can access your drive :
ls /mnt/nas
- Verify if you can access your drive :
- Edit your
fstabfile to mount your drive automaticallysudo nano /etc/fstab- Add
UUID=YOUR_DEVICE_UUID /mnt/nas ntfs defaults,auto,users,rw,nofail,umask=000,x-systemd.device-timeout=30 0 0at the end of the file Mine looks like this :
proc /proc proc defaults 0 0 PARTUUID=6c586e13-01 /boot vfat defaults 0 2 PARTUUID=6c586e13-02 / ext4 defaults,noatime 0 1 # a swapfile is not a swap partition, no line here # use dphys-swapfile swap[on|off] for that UUID=MY_UUID /mnt/nas ntfs defaults,auto,users,rw,nofail,umask=000,x-systemd.device-timeout=30 0 0 - Reboot (
sudo reboot) and verify after reboot if your external USB drive is accessible usingls /mnt/nas - (optional) Create a symlink to easily access your device from your home directory :
ln -s /mnt/nas[/... folders] ~/nas- This will create a symlink in your home directory named
nasthat you can treat as a folder (ex. :cd ~/nas/[...]) - You can select a subfolder for your drive to be your default location for when you go into your home
nas"folder" (symlink) by changing the[/... folders]part this command
- This will create a symlink in your home directory named
- https://www.raspberrypi.org/documentation/configuration/external-storage.md
- https://www.raspberrypi.org/forums/viewtopic.php?t=24487#p226140
This is mostly for me, but it gives a nice little terminal prompt that shows the current Git branch if you are in a git repository, shows the current time (useful to know when a previous command was entered!) and few color goodies.
Within a git repository :
- make sure Git is installed :
sudo apt-get install git - Follow one of the two options below
- Open your
.bashrcfile :nano ~/.bashrc - Find the line that starts with
PS1=' - Edit the
PS1line directly or simply add this line right under to overwrite the variable which tweaks the visuals of the prompt# Customized bash prompt PS1='\[\033[35m\][\A] \[\033[01;32m\]\u\[\033[01;35m\] @ \[\033[01;32m\]\h\[\033[0;36m\] \w\[\e[37m\]$(__git_ps1)\n\[\e[36m\]└─\[\e[36m\] \$\[\e[36m\] ▶\[\033[0m\] '
You can find my own .bashrc file in this gist. You simply have to copy it all in your own .bashrc and my prompt should now work for you.
Another way would be to download it and set it automatically via this command :
wget -O .bashrc https://gist.githubusercontent.com/V-ed/161c3dac9db058e2aab65ed6b5b2feaf/raw/13bbf798a0c4c332fb910f79c141a9b774d65a64/.bashrcSetting up aliases lets you quickly do complex commands with a smaller alias or simply making common commands smaller to more quickly get around towhat you wanted to do.
The Raspbian .bashrc file loads up a file named .bash_aliases automatically on login if it exists. This file could then be used to setup the aliases for your prompt.
- Open your
.bashrcfile :nano ~/.bash_aliases- This command will also create the file if it didn't exist before
- Add your own aliases here using the following notation :
alias [ALIAS NAME]="[COMMAND TO EXECUTE]"
- ???
- Profit!
You can find my own .bash_aliases file in this gist. You simply have to copy it all in your own .bash_aliases and aliases should now work for you.
Another way would be to download it and set it automatically via this command :
wget -O .bash_aliases https://gist.githubusercontent.com/V-ed/161c3dac9db058e2aab65ed6b5b2feaf/raw/13bbf798a0c4c332fb910f79c141a9b774d65a64/.bash_aliasescl: Shorter way of typingclear, which lets you clear your terminal. You can also do this viaCtrl+L, but some application that embeds terminals might not fully clear it using theCtrl+Lshortcut.update-packages: A quick and dirty way of doing asudo apt-get updateandsudo apt-get upgradeto update most if not all programs in your raspberry pi.
This helps as your pi will always be on the same address, which prevents your router from changing its IP address and prevents you from searching in your router's DHCP table which address your pi is at every time it changes (which can be really whenever your router wants to).
sudo nano /etc/dhcpcd.conf- Find the lines that starts with
# Example static IP configuration:, this is an example that we will use to make our IP address static - Remove the
#at the start of the following lines and edit thestatic ip_address=line to your own ip of choice - It should look like this in the end :
# Example static IP configuration: interface eth0 static ip_address=192.168.0.51/24 static ip6_address=fd51:42f8:caae:d92e::ff/64 static routers=192.168.0.1 static domain_name_servers=192.168.0.1 8.8.8.8 fd51:42f8:caae:d92e::1 - Make sure that your
routersline matches the address used to connect to your router in a web browser (it might be192.168.0.0, so in that case, use that instead!)- The static ip_address you used should not be in the range of allowed addresses that your router provides : check your router information for this, as otherwise, your router might give the address to another device, and you can't have two devices on your network with the same address as one will not have internet access!
- For example, if the range allowed in your router is
192.168.0.100to192.168.0.200, it would be safe to use192.168.0.75. Just change the last digits (192.168.0.XXX) to a number you want between0and255that is not in the range of your router.
- For example, if the range allowed in your router is
- The static ip_address you used should not be in the range of allowed addresses that your router provides : check your router information for this, as otherwise, your router might give the address to another device, and you can't have two devices on your network with the same address as one will not have internet access!
- Reboot your device using
sudo reboot. If it was successfull, trying to ssh into your device should now work using the number you used for thestatic ip_addressline : in my case, I can access it usingssh ved@192.168.0.51.
This will allow you to easily connect to your raspberry pi anywhere in the world by using your public IP address without having to remember the actual IP address that might even change based on your Internet Service Provider.
I am using DynuDNS to host my free DNS name. This DNS provider is amazing since you don't need to confirm that you are using it every month, for example (looking at you, No-IP...).
Once you have created an account at DynuDNS, and als created a DNS of your choice, make sure that your IP Update Password is set in your DynuDNS account. To do so, go to this page (it should go to your own accountif you were logged in your account when going to this link) and enter a password in the New IP Update Password field. Enter the same password in the Confirm New IP Update Password field, enter nothing in the remaining fields, and click on Save. Remember this password, as you will need it later on.
Once this is done, we need to let DynuDNS know what is the public IP address that will be available for this DNS. To do so, follow these steps :
mkdir ~/dynudnsnano ~/dynudns/dynu.sh- In this file, write this :
curl "https://api.dynu.com/nic/update?username=[USERNAME]&password=[IP_UPDATE_PASSWORD]" echo
- Replace the
[USERNAME]and the[IP_UPDATE_PASSWORD]with your own values.
- Replace the
chmod 700 ~/dynudns/dynu.shcrontab -e- In this crontab, add the line
0 * * * * /home/[YOUR_USER]/dynudns/dynu.sh >/dev/null 2>&1at the very bottom- Make sure to replace
[YOUR_USER]with your user! - This will run the script every hour automatically to update the public IP address if required.
- Make sure to replace
- In this crontab, add the line
- To update DynuDNS and test the script at the same time, you can run the script manually whenever you want :
cd ~ && ./dynudns/dynu.sh.- I forgot what it says on a successfull update, but if it hasn't changed, you will see
nochg, which is good news.
- I forgot what it says on a successfull update, but if it hasn't changed, you will see
You can now use your new DNS to SSH into your pi from wherever your are in the world!
Make sure your port for SSH are open in your router and pointing to your raspberry pi though, as your router will prevent access otherwise. This step is so different for every router that you will need to look up how to do so in your own router. A general tip however is that the port 22 is the default one for SSH, so this is the port to open to access your raspberry pi over SSH anywhere in the world.
Opening a port on your router is a security risk however. Please read the answers on this page to know more about the risks associated with opening ports on your router.
Pi-hole is a tool that lets you block alot of ads for every single device in your network before they are even downloaded, making your network generally faster and providing you with the ability to view a log of your network usage via their web server.
The installation is pretty simple, but I recommend you following setting up a static IP address beforehand, since a step during installation uses it.
The command is simple : curl -sSL https://install.pi-hole.net | bash, then follow the instructions on screen.
Here are some details that may be useful during installation :
- When asking for which Interface to use, assuming you are using an Ethernet port for your internet access on your Raspberry Pi, select
eth0 - For the
Upstream DNS Provider, I recommend usingCloudFlare. Their DNS is pretty solid - You can keep most
Third party listsenabled. This helps removing most ads found on the internet by default - Keep both
Protocolsselected - Assuming you followed the steps to make your IP static, simply answer
Yeswhen asked if you want to use your current network settings as static address - Do install the
web admin interface, it is very useful to monitor your Pi-hole (and even your pi) status - Yes, also install the
lighttpdweb server - For the question about
loggingtraffic, I personnaly answer yes since it is nice to see which request have been sent to what address from which device. You can tailor your own customization for this step (the next question, if answered Yes, will be at which level the logging needs to be done) - After the installer finishes, a password is shown for you to login to your Pi-hole web admin page. You can change it by using the command
pihole -a -pand entering your new password as asked.
Note : If you use the Cancel option on any page (even those that are technically "sub-menus"), the whole installation will cancel. Simply run curl -sSL https://install.pi-hole.net | bash again and follow the same steps to try again.
You should now be able to enter the address of your pi (mine is 192.168.0.51, for example), followed by /admin in your web browser (example of full address : 192.168.0.51/admin) and you will be able to use your Pi-hole web admin interface!
Learn more about Pi-hole here :
Installing OpenVPN will allow you to use your own network wherever you are in the world. This also means that networks that blocks certain domains will not be able to block them, as you will be using your own network (example : gaming at school). This of course means that your network speed will be capped at the lowest maximum speed between your current Wifi / Cellular network speed and your home speed.
The installation of OpenVPN and its user management is fairly simple thanks to pivpn, which automates the installation and the usage of the OpenVPN server that will run on your raspberry pi.
Simply use the command curl -L https://install.pivpn.dev | bash which will run the installer using on-screen prompts. Here are some details about this installation :
- When asked about using the
DHCP Reservation on your Router, assuming you followed the steps to make your IP static, you can simply enterNo, thenYesfor using yourcurrent network settings. - Select your
userthat will manage your OpenVPN resources- This will probably show only one user, which is fine, just enter yes
- PiVPN will now ask you whether you want to install
WireguardorOpenVPN. In my experience,OpenVPNis better as there is more documentation available, the clients are more diversified and more beautiful (IMO) and it just works. This however might change, as Wireguard seems to still be in development and might actually be better than OpenVPN in term of performances, but was more of an hassle in my own testing than something better.- I will check from time to time if Wireguard gets better support than OpenVPN, but until then, I will assume that OpenVPN is better for my needs.
- When asked about the
Protocol, selectUDP - You can keep the default
OpenVPN port. Keep this number (default is1194) somewhere, as it will need to be opened up later in your router - The installer should detect your Pi-hole installation if you followed the steps to install Pi-hole beforehand. If so, answer
Yesto allow PiVPN to use Pi-hole as your DNS to get adblocking wherever you are in the world. - When asked about a
custom search domain, simply answerNo - The question about
Will clients use a Public IP or DNS name, that is up to you : I already setup a DNS for pi network, so I used the optionDNS entry, but you could use your public IP address instead. Keep in mind that it might change when your Internet Service Provider decides to if you select that option! Using a DNS for your network will allow you to not think about updating your IP tables for this (I never did that, so I can't help much on this). - When asked about the
Installation mode(in other words, you should see somewhereIf your clients do run OpenVPN 2.4 or later), simply answerYes - You can keep the default
desired size of your certificates. A bigger number might introduce bigger latency when using your VPN, but will be more secure. It's up to you to make that decision! - When asked about enabling
unattended upgrades, I strongly recommend answeringYes. - The installation should now be finished. A prompt is shown that tells you that it is recommended to reboot : I also strongly recommend rebooting your raspberry pi after this point : Answer
Yesto the question or, when in the terminal prompt, typesudo reboot.
If no problem occured, you should now have OpenVPN installed and running on your Raspberry Pi! You will now need to create profiles for the devices you want to allow to join your VPN. These profiles will automate the connection details, which will make connecting to your VNP a breeze.
To add a new user that will have access to your OpenVPN server, simply use the command pivpn -a. You will need to use this command for each new device that will connect to your server, as a single profile cannot be used on two devices at the same time. When run, thiscommand will then ask you for few details for this profile. Here are some details that might be useful :
- The name of the client should have some sort of easily recognizable property to it. For example, if I wanted to create a profile for my phone, I could name the "Client"
vedPhone. - The numbers of days that the certificate lasts is up to you. The default
1080days is about 3 years after all, which isn't bad, but I prefer to bump it to2080. 6 years is better IMO, I won't have to think about it too much. - The password is the one that will be entered on the device that will use the profile. Either let the person which will use this profile create its own password, or remember it well.
After few moemnts, a profile will be created, usually in the directory ~/ovpns. You can safely move this file around, and it is recommended to not copy this file, as only one device can use it anyway. Transfer this file to the device you wish to use it on and voilà!
As discussed in the section about setting up a DNS, accessing your OpenVPN server from outside your network will require you to open up your OpenVPN server port to the open world.
The port to open is by default 1194, but if you changed it at the step 5 of "Installing OpenVPN using PiVPN", you will need to open up that port instead. This is up to you to figure it out, and to search online your router model to see if a guide is there to open your ports.
This step is so different for every router that you will need to look up how to do so in your own router.
Opening a port on your router is a security risk however. Please read the answers on this page to know more about the risks associated with opening ports on your router.
As for the software used to connect to your server, you can use anything that connects to an OpenVPN server using a profile : I recommend the official application of OpenVPN :
- Windows : https://openvpn.net/client-connect-vpn-for-windows
- Android : https://play.google.com/store/apps/details?id=net.openvpn.openvpn
Here are some links for untested clients on other devices types :
- iOS : https://apps.apple.com/ca/app/openvpn-connect/id590379981
- macOS : https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-macos
- Linux : https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux
Simply transfer the [client name].ovpn file created previously to the device you want and follow your device's app settings to import the profile from a file / URL. For further informations about this, search online for your own device, as there is too many to cover them all in this Gist.
You might be wondering "well, what can I do with this VPN?". Here's a little list of things you can do when connected to your own VPN :
- Access sites / online games that your current network is blocking (example : school blocking online games)
- Access your Pi-hole admin page to monitor it anywhere in the world
- Access your other device at your own when using Smart devices
- Secure your public Wi-Fi usage by using your home network instead
- Stop using free VPN as there is no guarantee that your data isn't being used against you in these free VPN (when using your own server, you know that YOU have your own data)
- Any other suggestions? :)
Samba is a protocol that allows an easy access for Windows machines to a Linux file system with the appropriate permissions control. Such protocol can laos be used on different devices, such as Android devices, that implements this protocol.
It is useful to have access to a Smaba share since it is generally faster than an SFTP transfer (less overhead) and can be integrated directly as a Network Drive in Windows, making the access to the drive attached to the raspberry pi feels native in a Windoows machine.
To install Samba, you can follow these steps :
sudo apt-get install samba samba-common-bin- When asked about
If your computer gets IP address from a DHCP server on the network, assuming you followed the steps to make your IP static, simply sayNoto the question during installation sudo nano /etc/samba/smb.conf- Edit the file by going to the very bottom and adding these lines :
[RaspberryPiNAS] path = /mnt/nas/share writeable = Yes create mask = 0777 directory mask = 0777 public = no sudo smbpasswd -a [USERNAME]- You can set any username here, this will be the username required for connecting to the samba machine. I personally used the same as my linux username.
- Set the password for the user.
sudo systemctl restart smbd
Voilà! A share should now be available to connect to using a Windows machine or any other device that comply to the SAMBA protocol.
You can use the command hostname -I to know what is the address that you will need to use to connect to this share.
More explanations can be found on this site.