1. Introduction
2. Initial Setup
3. System Configuration
   • Package Management
   • Kernel and Firmware
   • CPU Fan Configuration
4. Network Configuration
   • Wi-Fi Setup
5. System Optimization
   • Localization
   • Security Enhancements
6. Remote Access
   • SSH Configuration
   • VNC Server Setup
   • Tailscale VPN Installation
7. NAS Functionality
   • CasaOS Installation
   • HTTPS Configuration with Tailscale and Caddy
8. Advanced Topics
   • Custom DNS Configuration
9. Troubleshooting
10. Additional Resources

The FriendlyElec CM3588 Single Board Computer (SBC) with NAS Kit is a versatile platform for creating a powerful Network Attached Storage (NAS) solution. This comprehensive guide covers the setup process, including installation of Debian Desktop (Bullseye), essential service configurations, and system optimizations for NAS functionality.

1. Download the latest Debian Desktop (Bullseye) image for CM3588 from the FriendlyElec website.
2. Use BalenaEtcher to create a bootable SD card with the image.
3. Insert the SD card into the CM3588 and power on the device.
4. Allow the system to complete the initial boot process and flash the eMMC.
5. Remove the SD card and reboot the device.

Update the package sources to ensure access to the latest software:

1. SSH into the device using the default credentials (username: pi, password: pi).
2. Update the package sources:

sudo mv /etc/apt/sources.list /etc/apt/sources.list.old
sudo nano /etc/apt/sources.list

3. Add the following content to the new sources.list file:

deb http://deb.debian.org/debian bookworm main non-free-firmware
deb-src http://deb.debian.org/debian bookworm main non-free-firmware
deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main non-free-firmware
deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware
deb http://deb.debian.org/debian bookworm-backports main non-free-firmware
deb-src http://deb.debian.org/debian bookworm-backports main non-free-firmware

4. Update the package lists:

sudo apt-get update

Install necessary kernel headers and proprietary firmware:

1. Install kernel headers:

sudo -i
dpkg -i /opt/archives/linux-headers-6.1.57_6.1.57-13_arm64.deb

2. Install and update USB Wi-Fi driver firmware:

sudo apt update
sudo apt install firmware-realtek
sudo apt upgrade firmware-realtek
sudo modprobe -r r8188eu
sudo modprobe r8188eu
dmesg | grep r8188eu
sudo reboot

To address potential CPU fan issues, follow these steps:

1. Open the GPIO configuration file:

sudo nano /boot/rk3588.dtb

2. Locate the fan section and modify it as follows:

fan: pwm-fan {
    compatible = "pwm-fan";
    #cooling-cells = <2>;
    pwms = <&pwm14 0 50000 0>;
    cooling-levels = <0 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 255>;
    status = "okay";
};

3. Save the file and reboot the system:

sudo reboot

For more details on this fix, refer to the FriendlyElec forum thread.

Configure Wi-Fi for network connectivity:

1. List available Wi-Fi access points:

nmcli device wifi list

2. Connect to a Wi-Fi network:

sudo nmcli device wifi connect "SSID" password "PASSWORD"

3. Set auto-connect for the Wi-Fi network:

sudo nmcli connection modify "SSID" connection.autoconnect yes

4. Set connection priority (optional):

sudo nmcli connection modify "SSID" connection.autoconnect-priority 1

Set the correct timezone and locale for your region:

1. Set timezone:

sudo timedatectl set-timezone Your/Timezone

2. Configure locale:

sudo dpkg-reconfigure locales

3. Add locale environment variables to .bashrc:

echo "export LC_ALL=en_US.UTF-8" >> ~/.bashrc
echo "export LANG=en_US.UTF-8" >> ~/.bashrc
echo "export LANGUAGE=en_US.UTF-8" >> ~/.bashrc

4. Reboot the system:

sudo reboot

Configure UFW (Uncomplicated Firewall) to enhance system security:

1. Install UFW:

sudo apt install ufw

2. Set default policies:

sudo ufw default deny incoming
sudo ufw default allow outgoing

3. Allow SSH access:

sudo ufw allow 22/tcp

4. Allow VNC access (if needed):

sudo ufw allow 5900/tcp

5. Enable the firewall:

sudo ufw enable

6. Check the status:

sudo ufw status verbose

SSH is enabled by default. Ensure you change the default password for security reasons.

Install and configure x11vnc for remote desktop access:

1. Install x11vnc:

sudo apt-get install x11vnc

2. Set VNC password:

sudo x11vnc -storepasswd /etc/x11vnc.pwd

3. Create a systemd service file:

sudo nano /lib/systemd/system/x11vnc.service

4. Add the following content:

[Unit]
Description=Start x11vnc at startup.
After=multi-user.target

[Service]
Type=simple
ExecStart=/usr/bin/x11vnc -display :0 -auth /home/pi/.Xauthority -forever -loop -noxdamage -repeat -rfbauth /etc/x11vnc.pwd -rfbport 5900 -shared -listen 0.0.0.0 -verbose
Restart=on-failure
RestartSec=2

[Install]
WantedBy=multi-user.target

5. Enable and start the x11vnc service:

sudo systemctl daemon-reload
sudo systemctl enable x11vnc.service
sudo systemctl start x11vnc

Install Tailscale for secure remote access:

1. Install Tailscale:

curl -fsSL https://tailscale.com/install.sh | sh

2. Start Tailscale and authenticate:

sudo tailscale up

3. Follow the provided link to authenticate your device with your Tailscale account.

CasaOS is a user-friendly, open-source home cloud system that enhances CM3588 NAS capabilities:

1. Install CasaOS:

curl -fsSL https://get.casaos.io | sudo bash

2. Access the CasaOS web interface by navigating to http://your-cm3588-ip:80 in a web browser.

3. Follow the on-screen instructions to complete the CasaOS setup.

Secure your CasaOS interface with HTTPS using Tailscale's certificates and Caddy as a reverse proxy:

1. Install Caddy:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

2. Change CasaOS to listen on port 81:

sudo sed -i 's/80/81/g' /etc/casaos/gateway.ini
sudo systemctl restart casaos-gateway

3. Generate a Tailscale certificate:

tailscale cert your-device-name.your-tailnet.ts.net

4. Configure Caddy:

sudo nano /etc/caddy/Caddyfile

Add the following content:

{
    auto_https off
}

:443 {
    tls /etc/caddy/ssl/your-device-name.your-tailnet.ts.net.crt /etc/caddy/ssl/your-device-name.your-tailnet.ts.net.key
    reverse_proxy 127.0.0.1:81
}

5. Set correct permissions for certificate files:

sudo chown caddy:caddy /etc/caddy/ssl/your-device-name.your-tailnet.ts.net.crt /etc/caddy/ssl/your-device-name.your-tailnet.ts.net.key
sudo chmod 600 /etc/caddy/ssl/your-device-name.your-tailnet.ts.net.key

6. Configure Tailscale to allow Caddy to use the certificate:

echo "TS_PERMIT_CERT_UID=caddy" | sudo tee -a /etc/default/tailscaled

7. Restart Tailscale and Caddy:

sudo systemctl restart tailscaled
sudo systemctl restart caddy

You can now access your CasaOS interface securely via HTTPS using your Tailscale hostname:

https://your-device-name.your-tailnet.ts.net

To ensure the Tailscale certificate remains valid, set up an automatic renewal process:

1. Create a renewal script (/usr/local/bin/renew_tailscale_cert.sh):

   #!/bin/bash
   
   TAILSCALE_HOSTNAME="your-device-name.your-tailnet.ts.net"
   CERT_DIR="/etc/caddy/ssl"
   LOG_FILE="/var/log/tailscale_cert_renewal.log"
   
   sudo mkdir -p $CERT_DIR
   
   if tailscale cert $TAILSCALE_HOSTNAME; then
       sudo mv $TAILSCALE_HOSTNAME.crt $CERT_DIR/
       sudo mv $TAILSCALE_HOSTNAME.key $CERT_DIR/
       sudo chown caddy:caddy $CERT_DIR/$TAILSCALE_HOSTNAME.crt $CERT_DIR/$TAILSCALE_HOSTNAME.key
       sudo chmod 644 $CERT_DIR/$TAILSCALE_HOSTNAME.crt
       sudo chmod 600 $CERT_DIR/$TAILSCALE_HOSTNAME.key
       sudo systemctl restart caddy
       echo "Tailscale certificate renewed successfully on $(date)" >> $LOG_FILE
       echo "Next scheduled renewal: $(date -d "+83 days" "+%Y-%m-%d")" >> $LOG_FILE
   else
       echo "Failed to renew Tailscale certificate on $(date)" >> $LOG_FILE
   fi

2. Make the script executable:

   sudo chmod +x /usr/local/bin/renew_tailscale_cert.sh

3. Set up a cron job to run every 83 days:

   sudo crontab -e

   Add the following line:

   0 0 */83 * * /usr/local/bin/renew_tailscale_cert.sh
   

This setup ensures that the CasaOS interface remains accessible securely via HTTPS through the Tailscale network, with automatic certificate renewal occurring approximately one week before the 90-day expiration, maintaining continuous functionality.

If using custom DNS services, ensure they're configured to properly resolve Tailscale's .ts.net domains. In some cases, using your system's default DNS settings may be necessary for proper resolution of Tailscale domains.

For common issues and their solutions, refer to the FriendlyElec CM3588 Wiki Troubleshooting section.

• Official FriendlyElec CM3588 Documentation
• FriendlyElec Forum - CM3588 Section
• Tailscale Documentation
• CasaOS Documentation