Behavior, Content, Money – 3 Things you should never give away for free!!!

BCmoney MobileTV

Raspberry PI 2 – Complete Starter Kit unboxing & config (IP/DNS/SSH/FTP/VNC/VPN/HTTP)

Posted by bcmoney on January 17, 2016 in IoT with No Comments


No Gravatar
English: Extract from Raspberry Pi board at Tr...

English: Extract from Raspberry Pi board at TransferSummit 2011 (Photo credit: Wikipedia)

This blog post will summarize my recent Raspberry PI 2 – Canakit unboxing & configuration. I purchased the kit as a sort of “from-me-to-me” post-holiday gift as I have been thinking about doing so for quite some time and when the Raspberry PI 2 kits fell in price due to rumors of the pending release of the new Raspberry PI 3, I realized the time had finally come to dive into the world of PI.

The first thing you’ll notice if you’re looking to make the same sort of “pre-RPI3 release” purchase, is that this kit does not include the extra attachments required to do DIY electronics projects, and you would have to buy a separate components kit later or find the components piecemeal elsewhere. In hindsight, I would suggest to go with the full kit if you are even slightly thinking you might want to get into the electronics experiments. If you just need a really cheap computer or have a plan for a basic DIY Home Theater or DIY ROM/Emulator Gaming Console, then you can stick to the first cheaper starter kit and have pretty much everything you need (except possibly a few peripherals like console-specific USB controllers if you’re doing gaming).

I had no idea what I wanted to do, so I started out with the basic kit, which I got slightly cheaper on Amazon in a post-holiday sale than what the same kit is advertised for elsewhere.

Unboxing the Hardware

As soon as you take everything out of the box, ensure you have all the components needed. The official hardware guide shows you everything you need to begin (all of which should be included in your kit).

Ensure that you have:

  • Raspberry PI (any model will do, but I personally chose 2… with 3 Bluetooth & WiFi are onboard so don’t need to take up USB slots)
  • TV or Computer Monitor to hookup to initially (won’t need this later once we are done configuring)
  • HDMI cable to plug into both the Raspberry PI and the TV/Computer Monitor
  • USB Keyboard to type into the command-line (you’ll be typing alot initially!)
  • USB Mouse to navigate to the required applications (and check out the menus and various apps installed)
  • AC Adapter (power supply to turn it on)
  • 8+ GB MicroSD card or SD card (depending on the Raspberry PI model you chose)

 

OS Installation

Without an OS, the Raspberry PI is just a curious box of chips and hardware with so much potential waiting to be tapped, but largely nothing more than a fancy paper weight. The first thing you’ll want to do is pick an OS and install it onto an SD card (or MicroSD card) so you can begin experimenting.

As the instructions on the official Raspberry PI site state, your best bet as a beginner will be Raspian (a Linux distro derived from Debian but designed and streamlined specifically for the Raspberry PI). I had trouble with the Operating System that came with the Canakit “Complete Starter Kit” and had to flash (wipe out and reformat) the provided MicroSD card in order to put a later and greater version on to the card. Once I did that, I was finally able to get through the boot process and get it installed. After you follow the steps in the official Software guide you should have done the following:

  1. (optionally) Flashed the provided SD or MicroSD card to start fresh
  2. Downloaded the ZIP file for NOOBS “OS installer” (offline version, or files for your chosen OS directly)
  3. Extracted the ZIP file to your computer to make it available to card
  4. Setup the NOOBS OS installer (or chosen OS directly) to your card
  5. Connected all the Raspberry PI hardware
  6. Gone through the NOOBS installer wizard on your Raspberry PI
  7. CHANGED THE DEFAULT USERNAME & PASSWORD (can’t stress this enough, do this before you connect it to the internet or even before opening up your device to Bluetooth connections for the first time)
  8. Connected to your local (home/office) WiFi on the PI (if you have a WiFi dongle or PI model with built-in WiFi)
  9. Tested your Bluetooth connectivity (if you have a Bluetooth dongle or a PI model with built-in Bluetooth)
  10. Restarted your PI and ensure the OS comes up successfully and saved all your configuration changes (if not troubleshoot)

CAUTION: Many in the PI community online have mentioned they corrupted their SD card during poweroffs before the PI had completely halted. For that reason you also have to be extra careful if you’re thinking of doing “portable/mobility PI” projects where you’d use an external battery pack or power source to enable the PI to be used on-the-go. When this happens you’ll need to reinstall everything and potentially lose all your files, so be sure to only power down once you have fully shutdown your PI. Thanks to  it’s low power usage and heat radiance, most people just  leave it running 24×7 once setup, but you don’t need to do this, just take care with the shutdowns and reboots. If you have alot of time-consuming changes or important work you’re doing with the PI that you’d be devastated to lose, remember to back everything up to another device and/or on a file-hosting service. I use a combination of backing up indivudal key files to my laptop, backing up the whole image to an external hard-drive, and all my code changes go to a Git repository (i.e. local, GitHub, BitBucket, etc). I don’t do the files or image that often, but at least once a month or more when I’m particularly active with it and alot of changes are made. Code will be saved for every commit though.

Configuration

There are some things you’ll still want to configure, but you could stop here if you just wanted to make sure everything in your kit works correctly. Completely hooking up to your main TV or PC screen can be a little inconvenient if that screen gets shared with other members of your household, unless of course you have a dedicated screen to use just for your IoT/PI projects. Even so, for practical software and hardware/electronics development projects, you will probably want to proceed with the following useful configurations for remote access to your PI without needing to hookup a keyboard, mouse, screen, audio converter cables, etc:

  1. Dynamic IP address needs to be made static or have a DNS entry to make it easier to find your PI
  2. SSH can be setup (again, with something other than the default password please) to allow remote login via command-line terminal on another device
  3. VNC can be setup to have visual access to your Raspberry PI’s desktop (you’ll need to install a server on the PI and client on your desktop or other device you’re accessing it from)
  4. FTP is another convenient alternative to complex SSH file-copy commands and/or VNC slow responsiveness click-drag screens, to let you quickly drop files from other devices onto your PI, if that’s all you need
  5. VPN could be setup to allow remoting into the Raspberry PI from outside your home network (anywhere in the world really, but you may wish to skip this step if you are wary of security issues, or don’t already have a really good VPN solution in place you can piggyback off of… IoT devices are always in the tech news lately for their looming security holes, so don’t add your’s to the list of hackable devices!)
  6. HTTP can be setup if you want to test the PI’s ability to serve files remotely to other devices, the quickest way is with Apache (or writing your own Java, Node.JS, Perl, Python or C-based HTTP server/client solution… but that’s for another experiment, stick with Apache for now).
 

IP

Anytime you need to, you can resolve (figure out) the IP address of your Raspberry PI device using the following command:

hostname -I

It should show up in a dot-separated numerical format (i.e. 123.456.78.9) for an IPv4 address, or, in a colon-separated hexadecimal format (i.e. 2001:0db8:0000:0042:0000:8a2e:0370:7334) for an IPv6 address. Other methods such as ifconfig provide additional info but can’t be easily used to feed into other services/devices that just need to know your IP address). If any of this doesn’t work, you can get help connecting to WiFi and obtaining an IP by closely following the RPi official WiFi/Internet setup guide.

Once you get your IP initially, don’t get too attached to the number though, unless you’ve already paid for and setup a static IP specifically for your PI, then it will be changed dynamically every time you restart the PI. To make it easier to figure out how to access your PI from other devices, you will want to either setup a solution to announce it to your connecting devices, or, more simply, a third-party service that can map the constantly changing IPs to something easier to remember, which is where DNS comes in.

 

DNS

So as you likely already know, behind all the pretty names of websites on the internet is an IP address (i.e. YouTube.com = 172.217.2.14, flickr.com = 69.147.76.173, etc). The internet’s Domain Name System (DNS) is what makes this possible, and functions somewhat similarly to your Contacts/Address Book on your phone, where you can lookup someone by name and get their phone number. It’s alot easier for people to remember names than number combinations/series. You too can get a top-level or secondary-level domain which can map to your Raspberry PI’s assigned IP address (and even be updated in the background as that assigned IP changes).

To do this though, you’ll need a DNS routing/forwarding service. So, once you know the IP head over to your favourite DNS routing service, choose a domain, and enter the IP. In my case, I used the free No-IP which gives a complimentary 3 domains per account (for 30 days at a time but then you need to remember to manually “renew” each domain):
https://my.noip.com/#!/dynamic-dns

no-ip_dns

I like this service because it can be configured a number of ways, including by an official No-IP desktop client or by a public API call. Using the latter method, you can set a script to run on each boot of your PI which will “broadcast” or announce out the new IP address to the DNS routing service.

Here’s a sample Shell script which does just that “Pi-UpdateDNS-NoIP.sh”:

#!/bin/bash
PI_IP_ADDRESS="$(hostname -I | sed 's/^[ t]*//;s/[ t]*$//')"

if [ -n "$1" ]
then
	PI_HOST_NAME="$1"
else  
	echo "Expected 1st argument PI_HOST_NAME to be specified on command-line."
fi

if [ -n "$2" ]
then
	NOIP_USERNAME="$2"
else  
  echo "Expected 2nd argument NOIP_USERNAME to be specified on command-line."
fi

if [ -n "$3" ]
then
	NOIP_PASSWORD="$3"
else
  echo "Expected 3rd argument NOIP_PASSWORD to be specified on command-line."
fi


setNoIP=`curl -i --user ${NOIP_USERNAME}:${NOIP_PASSWORD} http://dynupdate.no-ip.com/nic/update?myip=${PI_IP_ADDRESS}&hostname=${PI_HOST_NAME}`
if [[ $? -ne 0 ]]; then 
  echo "Request to NoIP failed"
else
  echo "${setNoIP}" | tee /tmp/noip.log
fi


function __cleanup {
  echo "Removing /tmp/noip.log"
  rm  -r /tmp/noip.log
}

trap __cleanup EXIT

To keep your PI’s local IP up to date with the Dynamic DNS cloud service, you’ll need to configure this script to run automatically upon startup by adding this line to “/etc/rc.local“:

sh /home/pi/APPS/shell/noip/Pi-UpdateDNS-NoIP.sh "MyPI.ddns.net" "MyUsername" "MyPassword"

More details on how to integrate with the No-IP API are available on the No-IP developer docs page or in this tutorial on using the NoIP Linux client.

 

SSH

As soon as you have the IP figured out you should make sure you can SSH into your Raspberry PI from another device (such as a Windows or Mac laptop, your Phone using an SSH client app, etc). This will be the quickest way to get back into your Raspberry PI via command-line terminal. If you’re anything like me, it will also help avoid arguments with family members over hooking it up if the only screen you have to use with HDMI input also happens to be one of your primary TV screens (my computer monitors pre-date the widespread use of HDMI, that’s what you get when you’re living with hand-me-downs). Using the PI in this way from another system, without needing all the peripherals plugged in and/or a display to view it on, is also known as a “headless” configuration, and SSH is the fastest ticket to get there.

SSH should already be installed by default if you chose Raspian as your OS. To double-check this (and ensure its updated to the latest version), run:

sudo apt-get update

Then:

sudo apt-get upgrade

To set up SSH if the above command failed (probably would say something like “ssh not found”), run the following:

sudo apt-get install ssh

To configure SSH to run automatically each time the PI boots up and thus always be available for command-line login from another device, you can run the following:

sudo update-rc.d ssh defaults

Then reboot and try it out to ensure the settings were applied properly. As of the latest version of Raspian you can also do this all from the “Raspian Config” tool:

sudo raspi-config

Then change the value of “SSH” property to “Enable” then choose “Ok” and it should confirm that it was enabled:learn_raspberry_pi_raspi_config_ssh1.png

Lastly, try to login from your SSH client, for instance here’s what it looks like when logging into PI from the Putty SSH client for Windows:
PuTTY window

If you encounter a “connection reset by peer” error when trying to connect to your PI, there could be a problem with the SSH keys. You can ‘reset’ the keys with the following commands.

First, remove the old keys:

sudo rm /etc/ssh/ssh_host_*

Then regenerate them:

sudo dpkg-reconfigure openssh-server

By now you should be off to the races, everything else from here on is just bonus/convenience to make it even simpler to use your PI. If you had troubles and the above fix still didn’t work, then checkout the RPi official guide to SSH (via Windows).

 

FTP

FTP is an alternative to relying on the VNC screen-based control of your PI which can sometimes lag or freeze completely. This is frustrating if all you need to do is drag/copy over some files or directories. To start using FTP just setup an FTP server on the PI:

sudo apt-get install pure-ftpd

Then configure a group/user to set who can access your PI by FTP:

groupadd ftpGroupPI
useradd ftpUserPI -g ftpGroupPI -s /sbin/nologin -d /dev/null

From here just setup a file drop-point or choose an existing directory to permit updates to, because you don’t want to allow remote FTP control of your entire PI (in this case I’m just allowing reads/writes via FTP to the “Documents” directory/folder where code and other useful things that might need to be transfered can be dropped):

sudo chown -R ftpUserPI:ftpGroupPI /home/pi/Documents

Expose a virtual user “windowsPiUser” who maps to the local “ftpUserPI” user type, so you can quickly revoke access if necessary, then activate the local FTP user database:

sudo pure-pw useradd windowsPiUser -u ftpUserPI -g ftpGroupPI -d /home/pi/Documents -m
sudo pure-pw mkdb

The only other thing you’d need to do is set the auth method:

ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/60puredb

You should now be able to test the FTP connection by firing up an FTP client (i.e. Filezilla):pi_ftp

If you need more information consult the RPi official FTP guide.

 

VNC

Virtual Network Computing (VNC) allows you to login remotely to the actual desktop (as in screen-sharing with shared control), which comes in handy to use the actual applications on the PI (as in those with GUIs not just the command-line controllable ones, such as Scratch, Matlab, coding IDEs, browser, and anything else you may have added to the PI).

This is really convenient because there will be times where you just get frustrated with the command-line and constantly looking up commands to accomplish something which could be done in a few seconds with point-and-click (i.e. dragging a set of files between directories). Your first inclination may be to plug all your gear back into a physical screen and just get some stuff done that way, but with VNC you can avoid that hassle and continue to leave your inconspicuous box just sitting there innocently in the corner of the room, all the while enjoying a fullscreen point-and-click experience.

VNC is pre-installed on the latest version of Raspian OS, but for security purposes it is disabled by default, and should only be enabled if  you have a basic understanding and appreciation for the need of security. Even if you don’t plan on hosting sensitive data or valuable intellectual property on your PI, recent stories have surfaced of hackers getting into IoT devices, so activate this (and any connectivity) with caution, never using default logins/passwords on anything exposed to the internet.

The quick way to set VNC up is to navigate to “Menu > Preferences > Raspberry Pi Configuration > Interfaces” on a screen, however to enable it via the Raspian Config tool, try:

sudo raspi-config

Then navigate into “Advanced Options“:
raspi-config advanced options

And go to “VNC” then set it to yes. A common problem is that the VNC server didn’t activate correctly. If for whatever reason VNC didn’t startup on reboot of the RPi you can manually start it up with the following command once its enabled:

vncserver :1 -depth 16 -geometry 1024x768

This should run a VNC server instance with a basic configuration that should work with most device/OS/VNC-client combinations.

Ensure that a VNC server is now running correctly:

ps aux | grep vnc

If you’re sure your server is running, but still can’t connect from a VNC client (i.e. on your computer or mobile device) then you may have forgotten to configure a VNC user and password, run the following to set these:

adduser PiVNC

Then:

sudo vncpasswd

Lastly, the default port for VNC on Linux is usually either 1 or 5901, so the full address that you’ll need to use when connecting is of the form:

PiVNC@mypi.ddns.net:5901

Verify the port your VNC server is running on using:

netstat -l

Now via a VNC SmartPhone client you can login on your phone:
vnc_ios_app_config
Put the IP address you got in the first configuration step as well as the non-default Username/Password you setup when enabling VNC. When you hit OK, you should see your Raspian OS desktop and the menu to access all apps via their GUI:
iphone_vnc_raspberrypi
Or via your Desktop VNC client:
tight-vnc-portable.png
Again you should see the Raspberry PI desktop in glorious fullscreen on your PC/Mac/Linux computer’s screen:
Raspberry Pi over TightVNC

A final minor annoyance might be the default “X” character displayed for the cursor instead of the typical mouse “pointer” cursor, you can change this behavior by adding the following line to “./vnc/xstartup” in place of any existing settings for “xsetroot”:

xsetroot -solid grey -cursor_name left_ptr

There are many additional configurations which could improve your VNC client’s responsiveness and deal with various hardware inconsistencies. If you run into further trouble connecting via VNC, yet again you can fall back on the RPi official VNC setup guide or the Linux on PI guide to setting up VNC as a service.

 

VPN

Virtual Private Networking (VPN) is another little optional added bonus. Say you want to connect to your PI and check on your project while on the road during travel, from your office at work, or to show off something on it while you’re at someone else’s house? Maybe the whole purpose of getting the PI was to do device remote control or SmartHome monitoring types of projects? Then a VPN tunnel will enable you to connect to your PI from anywhere as long as you know the login details of the VPN endpoint.

sudo apt-get install openvpn 

Next, you’ll need port-forwarding setup on port 1194 (UDP traffic) within your Internet router to map to your Raspberry Pi’s internal IP address. Check the following site to find information on port-forwarding with your particular model of router: PortForwarding – list of routers. You could also another port or TCP rather than UDP, this is just the suggested configuration.

First things first, if you’re still using the default username/password, at this point definitely change that as you will now be exposing your Raspberry PI (previously somewhat safe behind your network’s internal router firewall) out to the public internet and the entire world’s endless supply of would-be hackers (from noble hacktivists to ignorant script-kiddies and everything in between). So if you haven’t change the defaults, do this now:

sudo passwd

To prevent those aforementioned hackers from gaining access to your system, generate keys against the VPN server address to enable just you (or anyone else you choose to create a username/keypair for) to connect securely. OpenVPN comes with a tool to help you do this called Easy_RSA. So first, let’s give ourselves superuser privileges. You’ll know it’s working when the command line prompt switches from “pi@raspberrypi” to “root@raspberrypi.”

sudo cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Then go up one directory level and edit “/etc/openvpn/easy-rsa/vars“, changing the EASY_RSA export value to the following (changing from the example directory to the new one):


export EASY_RSA=”/etc/openvpn/easy-rsa” 

While in this file its optional but advised to also change the key size from 1024-bit to 2048-bit by replacing the KEY_SIZE export value as follows:


export KEY_SIZE=2048

You’re ready to generate the keys for your PI by running these three commands one after the other:


source ./vars
./clean-all
./build-ca

Fill out the details required to create the keys, then run this command to identify the server and generate the private key (where “MyPI” is whatever easy to remember but unique-to-your-network name you want to give your PI):


./build-key-server MyPI

Likewise generate the public key based on a particular user you’ll allow to connect (where “MyUsername” is the username you’d like to use to login remotely, and should already exist on the PI):


./build-key-pass MyUsername

Note that only one user/device combo can use this key at a time, but you can generate additional keys if needed.

Next use OpenSSL to sign the keys:


cd keys
openssl rsa -in MyUsername.key -des3 -out Client1.3des.key 

Next the actual key exchange that lets your public key be used with the private key held only on the server (in this case Diffie-Hellman as the exchange algorithm):


cd /etc/openvpn/easy-rsa/ 
./build-dh

To secure everything is to prevent DDOS attacks using an HMAC secret key on top of the public/private key pair:


openvpn –-genkey –-secret keys/ta.key

Now to wrap up the initial setup, setup a configuration file at “/etc/openvpn/server.conf” that lets the VPN server know what keys and IPs to use. Enter the following, changing IPs, ports and any DNS settings with those of your own:


local 192.168.2.0 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun 
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194 
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0 
# server and remote endpoints 
ifconfig 10.8.0.1 10.8.0.2 
# Add route to Client routing table for the OpenVPN Server 
push "route 10.8.0.1 255.255.255.255" 
# Add route to Client routing table for the OpenVPN Subnet 
push "route 10.8.0.0 255.255.255.0" 
# your local subnet 
push "route 192.168.2.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router 
# If your router does not do DNS, you can use Google DNS 8.8.8.8 
push "dhcp-option DNS 192.168.2.1" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and 
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of 
# overriding but not wiping out the original default gateway. 
push "redirect-gateway def1" 
client-to-client 
duplicate-cn 
keepalive 10 120 
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 
cipher AES-128-CBC 
comp-lzo 
user nobody 
group nogroup 
persist-key 
persist-tun 
status /var/log/openvpn-status.log 20 
log /var/log/openvpn.log 
verb 1

Source for this is Lauren Norsini’s GitHub gist.

Since the Raspbian OS does not forward Internet traffic by default, editing “/etc/sysctl.conf” will allow the Pi to handle the port-forwarding over VPN. Under the line “Uncomment the next line to enable packet forwarding for IPv4.” simply uncomment that following line. Apply these changes by running:


sysctl -p

You should now have a functioning server that can access the Internet, but it still won’t be accessible remotely due to Raspbian’s built-in firewall that will block incoming connections to protect your Raspberry Pi from unwanted intrusion. It’s not a good idea to just disable the firewall, it’s still needed to protect us from most incoming and outgoing network traffic. Instead we’ll open a small OpenVPN access point in the broader firewall, but keep in mind Raspbian’s firewall configuration resets by default when you reboot the Pi, so it’s also necessary to set it to remember the OpenVPN connection is always permitted (which can be done with a script that runs on device startup), for instance create a file named “/home/pi/APPS/shell/openvpn/firewall-rules.sh” with this script (changing the IP address to your own):


#!/bin/bash
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j

Switch “eth0” for “wan0” if you’re on a wi-fi.

Then change permissions to make the script runnable and owned by root:


chmod 700 /home/pi/APPS/shell/openvpn/firewall-rules.sh 
chown root /home/pi/APPS/shell/openvpn/firewall-rules.sh

The final step is to actually call this script once per system boot by adding a line to “/etc/network/interfaces” underneath the line “iface eth0 inet dhcp“:


pre-up /etc/firewall-openvpn-rules.sh

 

For more info see OpenVPN guide or this unofficial RPi VPN guide from which this abbreviated version was based.

 

HTTP

Running a web server lets you access your PI from the web. To do this, just install and start up the world’s most popular (and one of the easiest to use) lightweight servers, Apache:

sudo apt-get install apache2 -y

It will run on successful install, but you can restart it (and should anytime you make a major configuration change to the server) and also set it to automatically startup on boot of the Raspberry PI, so its always running as a service in the background as long as your PI is on and the server hasn’t crashed or been hard-stopped:

sudo service apache2 restart

You should now be able to access the server locally via the built-in Raspberry PI browser at:

http://localhost/

Or from a different device within the same local network (via WiFi or wired connection):

http://192.168.2.16/

If you’ve already done the IP & DNS configuration steps above, then you should also be able to access from its domain name:

http://MyPI.ddns.net/

Of course by default Apache uses the default port 80 to serve files, multimedia content and apps over HTTP. To make it even more secure you can add SSL.

To troubleshoot any problems, find more details in the RPi official guide to Apache Web Server setup, also this guide to Running  a script on start up can come in handy to understand how the boot process works and how services/daemons can get kicked off in the background.

 

Conclusion

That’s it, several more articles will be coming as I dig into several RPi experiments I have in mind, so stay tuned! The possibilities really seem endless, and its interesting that Raspian OS now includes all the major programming languages so anything you want is pretty much ready to go (C, C++, Java, Node.JS, Python, PHP, Perl, Ruby, Bash/Shell and more in the form of IDEs like Scratch, NodeRED I/O wiring tool, Mathematica/Wolfram statistical tools and a few others).