Notes: Private Pi Server
Quick step by step on setting up a local, private Pi server.
Step 1: install the OS
I use Raspberry Pi Imager for this. It lets me pick and choose from a range of OSes and it's super easy to use.
My projects are usually web based so the Pi itself can be headless (no screen), therefore I go for the 64-bit Raspberry Pi OS Lite. It's based on the latest Debian stable release and it doesn't have any desktop environment; it's purely CLI based. The reason I go for that rather than pure Debian is that it's ported by Raspberry Pi themselves and has adjustments specifically for running on Pis. There are plenty of others to choose from though. I did consider Ubuntu, due to previous experience, but wanted something simpler.
There's optional configuration you can add before flashing the SD card, such as the user password etc.
My Pi is wired in via ethernet but it doesn't have to be; it can be connected to wifi, and that configuration can be added via the Pi Imager.
Once flashed, boot up the Pi and it's time to adjust some security settings.
Step 2: Configuring SSH
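Once the Pi has booted, log in and run the following to edit the SSH service's settings. There are two main things to do here: disable logging in as root over SSH, and disable normal password based logins over SSH, preferring public/private key based authentication instead. Make sure your public key is already in your user's .ssh/authorized_keys before restarting the service, otherwise you won't be able to log in over SSH at all.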
# run the following
sudo nano /etc/ssh/sshd_config
# ensure the following rules are set:
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
# then once saved run the following to restart the SSH service
sudo systemctl restart ssh.service
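The settings above can be checked against what sshd will actually use, because on Debian-based systems a file under /etc/ssh/sshd_config.d/ can override an edit made in sshd_config. The script below is an added example, not part of the original notes; the script name and key path in its comments are placeholders.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings from Step 2.
# `sshd -T` reads the config files and prints the effective configuration
# with lowercase keywords, so it shows what a restart would apply.

# Settings Step 2 asks for, as "keyword value" pairs.
EXPECTED='permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
x11forwarding no'

# check_sshd_effective: read an `sshd -T` dump on stdin, print one line per
# expected setting, return 0 only if all of them match.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# has_authorized_key FILE: succeed if FILE is readable and contains at least
# one line that is neither blank nor a comment (a candidate public key).
has_authorized_key() {
    [ -r "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# On the Pi, run as root BEFORE restarting ssh.service (placeholder names):
#   sudo sh check-ssh.sh --run /home/youruser/.ssh/authorized_keys
if [ "${1:-}" = "--run" ]; then
    has_authorized_key "$2" || { echo "no public key in $2, key-only login would lock you out"; exit 1; }
    sshd -t || exit 1      # syntax check of the config files
    sshd -T | check_sshd_effective
fi
```

A FAIL line for a setting you did edit usually means another config file set that keyword first.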
Step 3: Tailscale
Tailscale, built on top of WireGuard, creates a private mesh VPN amongst your devices, allowing you to connect devices together securely regardless of the actual network you're currently in. Home network, mobile data connection, hotel wifi: to your Tailscale devices it makes no difference, they can always see each other. Perfect for running and accessing private servers / self hosted services.
Follow the docs below to install Tailscale on your Pi.
As the Pi will be acting as a server you'll probably want to go to the Tailscale admin area and "disable key expiry" to ensure the Pi won't have to re-authenticate every so often.
https://tailscale.com/kb/1031/install-linux
Once installed, you can check the IP of all your Tailnet devices with the tailscale status command; they should start with 100.
Make a note of the Pi's Tailscale IP address.
Step 4: Firewall
To enhance the security even further you can ensure that only devices within your Tailnet can access the Pi. This allows your Pi to treat even your home network as potentially hostile.
# Install UFW, it's a nice CLI for setting firewall rules
sudo apt install ufw
# Then check the status of the firewall
sudo ufw status
# It should be disabled by default so enable it
sudo ufw enable
# Then allow incoming connections from tailscale only
sudo ufw allow in on tailscale0
# Then check the status of the firewall again to ensure it's set up correctly
sudo ufw status
# Should show the following:
Status: active
To                          Action      From
--                          ------      ----
Anywhere on tailscale0      ALLOW       Anywhere
Anywhere (v6) on tailscale0 ALLOW       Anywhere (v6)
Now your Pi will only accept connections from devices within your Tailnet, because UFW's default policy denies all other incoming traffic.
Step 5: Run your application
Install and run your application on the Pi. With Tailscale providing a secure tunnel between each device, your application can (in this specific situation) ignore HTTPS/TLS and simply run over plain HTTP.
Step 6: Install Tailscale on your devices
Install Tailscale on the devices you want to access your Pi's services from.
https://tailscale.com/download
Once installed, hit your Pi's services using its fixed Tailscale IP address.