A learning experience 😁

- Devices Used
- Pi Recommissioning
- Pi-hole
- Samba Setup
- Router Addition
- PiVPN WireGuard
- Dockerizing Pihole
- Proxmox
- Up next

- Raspberry Pi OS Trixie (Debian-based) on a Raspberry Pi 4
- Windows 11 Home on a Lenovo Laptop AMD Ryzen 7 5800H 16 GB RAM 2 TB over 2 drives
- MacOS Sequoia on a Macbook Pro M1
- Xfinity Gateway bridged to TP-Link Archer AX4400 Router
sudo apt update
This command updated the package index files on my Raspberry Pi 4 which hadn’t been used for 3 years, but there were errors. My first attempt at resolution involved editing /etc/apt/sources.list. It originally tried updating using Buster, which is an old version of the Raspberry Pi OS. After switching it to Bullseye, “sudo apt update” ran successfully. Guide
sudo apt full-upgrade -y
Moving on, this command installed the available updates found when looking through the package index files. The parameter “full-upgrade” allowed the Pi to remove any packages when necessary to resolve dependency issues while installing the updates. “-y” told the Pi to automatically agree to any prompts. The error from this command mentioned “Breaks: libgcc-8-dev” and running “sudo apt install gcc-8-base” resolved this issue. Guide
Error: No wireless lan interfaces found
Once all the packages were updated, I then ran into another issue. This time it involved Wi-Fi connectivity, as the wireless LAN interface could not be found. Fix? After following the article for a fix, I kept seeing the same issue after restarting with the fix in place. I ended up flashing the OS again, and it ran like new with Trixie.
Pi-hole is open-source software that acts as a DNS sinkhole. Setting your computer’s DNS server to the Pi-hole causes the computer’s DNS requests to go to Pi-hole first. Pi-hole then checks each request against its domain blacklist to see whether it is associated with a common advertisement domain. For a match, Pi-hole tells your computer that nothing is at that domain by responding with 0.0.0.0, which stops the ads from loading.
curl -sSL https://install.pi-hole.net | bash
CLI Installation Wizard
I had to reserve the Pi’s IP through the network’s admin tool to avoid temporary leases and IP changes. I could have set my router to advertise Pi-hole as the network’s DNS server, but I did not want to invade the privacy of my roommates’ browsing history. After setting it up, I just used it on one device for testing as it will have more utilization later with PiVPN.
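A way to check the sinkhole behaviour described above from the one test device, as an added example that is not part of the original post. The function names, the resolver address and the test domains are placeholders, and the check assumes Pi-hole's default blocking mode, which answers 0.0.0.0 (or :: for IPv6).

```shell
# Added example: confirm that a resolver sinkholes listed domains with the
# null address while still resolving ordinary names.

# lookup RESOLVER DOMAIN -> prints the A-record answers, one per line.
# Uses dig by default; redefine this function to replay captured output.
lookup() {
    dig +short +time=2 +tries=1 A "$2" "@$1"
}

# classify_answer ANSWERS -> prints blocked | resolved | empty
classify_answer() {
    if [ -z "$1" ]; then
        echo empty
        return
    fi
    # Every returned address must be the null address to count as blocked.
    for addr in $1; do
        case "$addr" in
            0.0.0.0|::) ;;
            *) echo resolved; return ;;
        esac
    done
    echo blocked
}

# check_resolver RESOLVER  (reads "domain expected-class" lines on stdin)
# Prints one result line per domain and returns the number of mismatches.
check_resolver() {
    resolver=$1
    failures=0
    while read -r domain expected; do
        [ -n "$domain" ] || continue
        actual=$(classify_answer "$(lookup "$resolver" "$domain")")
        if [ "$actual" = "$expected" ]; then
            echo "ok   $domain $actual"
        else
            echo "FAIL $domain expected=$expected actual=$actual"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage (placeholder address and domains):
#   printf 'ads.example.net blocked\nexample.com resolved\n' | check_resolver 192.168.0.2
```

An "empty" result for a domain expected to be blocked usually means the resolver is using a different blocking mode or did not answer at all.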
Below is Pi-hole’s comprehensive dashboard. It provides query logging, real-time statistics, and management.
Samba is an open-source suite of programs that provide secure and stable file sharing services across operating systems using Server Message Block (SMB).
smb.conf
This file defines the runtime configuration for Samba services. I added extra configurations in addition to the regular setup to improve compatibility and security.
- client min protocol = SMB2: enforces use of SMBv2 over SMBv1 for improved performance and security.
- vfs objects = streams_xattr: stores alternate data streams in extended attributes, for compatibility with clients that rely on them.
- server signing = mandatory: provides integrity and authenticity with Message Authentication Codes, using a secret key to show it’s from a trusted source and a hash to show the data did not change.
- smb encrypt = mandatory: provides confidentiality through end-to-end Advanced Encryption Standard (AES) encryption.
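A check for the signing, encryption and minimum-protocol settings described above, as an added example that is not the author's or the Samba project's code. The function names and the sample file are constructed for illustration, and only the most common spellings of each accepted value are listed.

```shell
# Added example: audit [global] in an smb.conf for the settings listed above.
# smb_global_value FILE KEY -> last value assigned to KEY in [global].
# Samba ignores case and whitespace in parameter names, so both are normalised.
smb_global_value() {
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[^a-z0-9]/, "", sect); next }
        sect == "global" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }
    ' "$1"
}

# audit_smb_conf FILE -> one verdict per setting; returns the number of
# settings that are unset or weaker than required. "client min protocol" only
# governs Samba acting as a client; "server min protocol" is the server side.
audit_smb_conf() {
    findings=0
    while IFS='|' read -r key accepted; do
        val=$(smb_global_value "$1" "$key")
        case " $accepted " in
            *" ${val:-unset} "*) echo "ok   $key = $val" ;;
            *) echo "WEAK $key = ${val:-<unset>}"; findings=$((findings + 1)) ;;
        esac
    done <<'EOF'
server signing|mandatory required
smb encrypt|mandatory required
client min protocol|smb2 smb2_02 smb2_10 smb3 smb3_00 smb3_02 smb3_11
EOF
    return "$findings"
}

# write_sample_conf FILE -> constructed smb.conf using the settings above.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   client min protocol = SMB2
   vfs objects = streams_xattr
   server signing = mandatory
   smb encrypt = mandatory
[matt-samba]
   path = /srv/samba/matt-samba
EOF
}
```

Run it as `audit_smb_conf /etc/samba/smb.conf`; a file that spells the encryption setting as `server smb encrypt` is reported as unset by this table.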
sudo useradd -M -s /sbin/nologin matt-user
Adds a new user account strictly for use with Samba and not logging into the Pi. Use ‘-M’ so that this account does not get a home directory. ‘-s /sbin/nologin’ means this user does not have the ability to log in. I set the password as well. I ended up making the mistake of trying to SSH to my Pi using ‘matt-user’ instead of ‘matt-pi’ before learning about no-login accounts.
sudo groupadd first-samba-group and sudo usermod -aG first-samba-group matt-user
Creates a group and adds ‘matt-user’ to it for local group management.
mkdir -p /srv/samba/matt-samba
Creates the directory to be shared across the network.
chown, chgrp, chmod
Associates the appropriate groups to the new share and provides them with the correct permissions.
smbclient //localhost/matt-samba -U matt-user
Opens the smb client terminal to access the share from the Pi. Accessing the share from my Mac and Windows computer was simple. Mac used Finder to connect to ‘smb://XXX.XXX.X.XXX/matt-samba’, while Windows mapped a network drive to ‘\\XXX.XXX.X.XXX\matt-samba’ with each prompting for my username and password for Samba.
File share contents in SMB Client on Mac Terminal SSHed to Pi running Samba:
File share contents in Windows Explorer:
File share contents in macOS Finder:
File share contents in iOS Files:
My apartment’s new router enabled easier management and gave insights into each connected device's live bandwidth usage, which the Xfinity admin tool did not provide. Adding the router required enabling bridge mode on my Xfinity Gateway. This changed it from a modem + router combo to just a modem, providing internet access to the new external router. Adding IP reservation for Pi-hole through the TP-Link admin page was straightforward.
No-IP
No-IP was necessary as it provides Dynamic DNS services, which would map a static human-readable domain name to the IP address of my home router which my ISP occasionally changes. After setting up my free DDNS domain, I set up PiVPN to use WireGuard, my domain, and my Pi-hole, then ran it on my Pi. I had to download a Dynamic Update Client and run it on my Pi as well, which informs No-IP of any router IP changes.
With my new VPN set up, I was able to add clients to the VPN server running on my Pi. After activating the VPN, my devices were able to remotely connect to my home network and devices when outside of my apartment. Since the VPN uses the Pi-hole server as its primary DNS, I get to block the ads on Wordle on my phone regardless of where I am.
First, I set up the Docker repository and installed Docker Compose on my Pi using their instructions. Then, I used Pi-hole’s Docker example and customized the compose.yaml file to my preferences. I first uninstalled the native Pi-hole from the Pi, then ran the Pi-hole container, setting it to run on boot using systemctl. Running Pi-hole in a container provides isolation and ease of management.
Proxmox: Enables the running of multiple OSes as virtual machines (VMs) on a single machine (which can be a VM itself).
Purpose: Get practice administering Active Directory from the ground up while prioritizing security with role-based GPOs and firewall rules.
Methodology: Nested virtualization with multiple Windows VMs running on a single Proxmox Linux VMware Workstation Pro VM running on my laptop running Windows 11 Home.
Created Proxmox Linux VM
Initially, I gave the Proxmox VM 250 GB of storage and 6 GB of RAM, thinking they were enough. After installing Windows on three of the VMs and shutting them down at the end of the day, I tried booting up the Proxmox VM the next day but kept running into the message “Failed to start virtual machine.” I ended up having to start from scratch and started a new Proxmox VM with 400 GB of storage and 10 GB of RAM. Afterwards, the setup went smoothly since I was already familiar with Proxmox’s UI and the various configuration steps for each VM.
Created VMs for Server, Matt, Steven, Christian
Created the MattAcademy.net domain on the Windows Server 2022 VM
Plan for users and accounts
Accounts and groups created in Active Directory (Guests in Builtin)
Created, customized, and linked GPOs
Plan for GPOs and Group Permissions
Created file shares and assigned group permissions
AdminDrive
EmployeeDrive
Joined the client devices to the MattAcademy.net domain
Installing Windows on each client device took around an hour each, but they were able to do so simultaneously. After installing the ethernet drivers, they were all able to join the domain after setting the DNS to be the IPv4 address of the Windows Server 2022 VM.
Able to log into any user account on AD (Matt, MattAdmin, Steven, Christian) from any client device
Tested the Proxmox VM firewall functionality
- Set the control variable: YouTube.com loaded before enabling the firewall rules
- Set firewall rules to drop packets going out of TCP 443, UDP 443, and UDP 80
Firewall rules
- Self-hosted Google Photos with Immich
- Upgrade my server from Raspberry Pi 4


















