AdGuard โซธ Adblocker for your devices at home ( AdGuard compared to Pi-Hole )
WireGuard โซธ A Vpn Server at home accessable from any outside network
Unbound โซธ A Validating, Recursive, Caching DNS Resolver
Cloudflare โซธ Better Performance & Security when browsing websites(DoT & DoH)
- About
- Requirements
- Installing Pi operating system
- Installing AdGuard
- Installing Unbound
- Installing Cloudflare
- Setting up dynamic DNS service
- Installing WireGuard or OpenVPN(slower)
- Auto update your Pi
- Improving your SD Cardโs potential lifespan
- Securing your Raspberry Pi
- A Raspberry Pi 3 or 4 version
- A router that supports port forwarding(Most Can)
- MicroSD USB card reader
- MicroSD card (8GB or bigger, at least Class 4)
- Ethernet cable
- (Optional if using monitor) MicroHDMI-(RPi 4) or HDMI-(RPi 3)
โน STEP 1 โน
This tutorial is based on Raspberry Pi OS (32bit or 64bit), but you can use any linux operating system you prefer if you know what you are doing.
Raspberry Pi OS comes in Desktop and Lite versions(I use lite). You can set Raspberry Pi up with a monitor/keyboard/mouse, or set it up โheadlesslyโ from a terminal.
Install balenEtcher and download pi image to write on the microSD card.
-
Download Raspberry Pi OS: https://www.raspberrypi.org/software/operating-systems/
-
Download balenaEtcher: https://www.balena.io/etcher/
After you have Etcher
installed and Raspberry Pi OS
file downloaded on your computer, you can now insert the SD card with microSD USB card reader into your computer.
Launch Etcher and choose the Raspberry Pi OS image that you downloaded, select your microSD card and click โFlashโ.
After flashing is done, look in "This PCโ for a disk name โboot or usb driveโ (replug usb card reader if not seen). Go to that disk, create a new text file called ssh without 'txt' extention
. BE CAREFUL, it's not โssh.txtโ, it's โsshโ without the extension. You need to disabled โHide extensions for known file typesโ option in the File Exporer Options if you don't see them.
Now put the SD card into the Raspberry Pi, plug your Ethernet cable and boot up.
-
Now you need to wait for a couple of minutes for your pi first boot up
-
Open browser and log in your router's panel page
-
Find list all of the devices connected to the network and copy the IP address of the Raspberry Pi (it will most likely have the hostname
raspberrypi
) -
Open Terminal on your host machine. You can use PowerShell on Windows or JuiceSSH for Android
Type the following command:
ssh pi@pi's ip address
You can use right mouse button to paste text in Windows PowerShell.
Type โyesโ for fingerprint question, and type "raspberry" for a password. The passwords will be invisible when typing in linux interface. You can type sudo passwd pi
to change password.
Run in terminal:
sudo apt update -y && sudo apt upgrade -y
WAIT FOR UPDATE TO FINISH & RESTART PI. THEN CONTINUE TO NEXT STEP.....
sudo reboot
โน STEP 2 โน
This installation script is from AdGuard Home main project. Follow to keep updated.
Run the following command in your terminal:
curl -sSL https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh
-
When installation is finished a window will pop up showing the links to YOUR Adguard home page(Get Started)
-
In Listen Interfaces option choose
Eth0
and select next
-
Set up username and password
-
You should now be in Adguard home panel
-
IMPORTANT:
In general settings, set "Query logs retention" to24 hours
(I read that for some people logs fill up and slow down pi and needing a restart everytime)
- For Android/Apple, go to wifi advanced settings and select static option. In
DNS 1
field enter "pi's ip" address andDNS 2
to 1.1.1.1
- For PC go to network settings / change adpater options and right click in properties then select "Internet Protocol Version 4(TCP/IPv4)". Enter pi's ip address in preferred DNS server and
Alternitive DNS
to 1.1.1.1
In AdGuard homepage under filters select blocklist section for adding and updating your urls.
You can search Google for different blocklist.Here is my custom blocklist with my urls.
IMPORTANT:
Some blocklist can block some important contents. If you cross that issue it can be viewed in "Blocked by filters" under general statistics(click the amount) and can be simply unblocked, putting it in "Custom filtering rules". Just look for client ip & time.
You can only add one by one url to blocklist in adguard for now but there is a python script to add multiple urls.
Open new py file and call it bulkurls.py:
nano /home/pi/bulkurls.py
Then copy and past text from bulkurls.py file and save (control+x then y then enter) DON'T FORGET TO READ INSTRUCTIONS FROM TEXT IN IT.
To remove blocklist in bulk you need to change add
in second of last line (..../control/filtering/add
_url", data = filterObj, headers=headers) in bulkurls.py to remove
โน STEP 3 โน
Run the following command in your terminal:
sudo apt install unbound -y
For recursively querying a host that is not cached as an address, the resolver needs to start at the top of the server tree and query the root servers, to know where to go for the top level domain for the address being queried. Unbound comes with default builtin hints.
wget -O root.hints https://www.internic.net/domain/named.root && sudo mv root.hints /var/lib/unbound/
IMPORTANT:
This needs to update every 6 months. To autoupdate root.hints every 6 months you need to create a cron job.
Enter in command line crontab -e
, it will ask Select an editor(choose 1) and paste these lines at the bottom of crontab and save (control+x then y then enter):
1 0 1 */6 * wget -O root.hints https://www.internic.net/domain/named.root
2 0 1 */6 * sudo mv root.hints /var/lib/unbound/
โน STEP 4 โน
Install cloudflare with DNS over HTTPS(DoH), follow this ๐ INSTRUCTION ๐. We can set up DNS over TLS(DoT) with unbound next.
Create unbound configuration file by entering in command prompt:
sudo nano /etc/unbound/unbound.conf.d/unbound.conf
And copy and paste all the text from unbound.conf file and save (control+x then y then enter).
IMPORTANT:
If you have IPv6 , change line 18 do-ip6
to 'yes'
-
In AdGuard homepage under settings select "Dns settings"
-
Delete everything from "Upstream" and "Bootstrap DNS" server options and:
- For
DNS over TLS(DoT)
add127.0.0.1:53
in both "Upstream" and "Bootstrap DNS" server fields - For
DNS over HTTPS(DoH)
add127.0.0.1:5053
in both "Upstream" and "Bootstrap DNS" server fields
- For
-
IMPORTANT:
For both to work together you need to check "Fastest Ip Address" option
- Then in DNS setting look for DNS cache configuration section and set cache size to
0
(caching is already handled by the Unbound)
-
You need to restart unbound:
sudo service unbound restart
Thats it. Now go to https://1.1.1.1/help in browser and you should see Connected to 1.1.1.1
/DNS over HTTPS(DoH)
/Using DNS over TLS(DoT)
saying "Yes".
https://browserleaks.com/dns - should show all connected to "Cloudflare"
https://www.cloudflare.com/ssl/encrypted-sni/ - "Secure DNS / DNSSEC / TLS 1.3" should all be a green tick
https://dnssec.vs.uni-due.de/ - should say "Yes, your DNS resolver validates DNSSEC signatures"
If you do not see things correct check your browser dns
and proxy
settings
โน STEP 5 โน
Before installing WireGuard, if you do not have a static ip you need to get a free Dynamic DNS Subdomain
or else your external IP address most likely changes dynamically from your ISP ever so often and for that reason you'll need to set up a dynamic DNS service. ๐๐ โโโUse this INSTRUCTION HEREโโโ ๐๐. Or else skip the step.
We also need to set up port fowarding on your router so we can access wireguard outside of our network like in a coffee shop hotspot or your mobile data
TYPE | VALUE |
---|---|
Device | Raspberry Pi's hostname or IP |
Protocol | UDP |
Port range | 51820-51820 |
Outgoing port | 51820 |
Permit Internet acces(if have) | yes |
My ๐router๐ port setting. Yours maybe different but you'll get it. Remember Google ๐search engine๐ is your friend. If you cannot connect from a outside network that means isp has blocked outcoming connections, you can call them and ask nicely to get it working..
โน STEP 6 โน
๐BIG THANKS๐ for this installation script from Nyr. Follow to keep updated.
Run in terminal
wget https://git.io/wireguard -O wireguard-install.sh && sudo bash wireguard-install.sh
-
The script is going to ask you for the hostname that you want to use for the VPN. If you have static ip then continue or else type the dynamic DNS domain that you created from the instructions. For example:trinibvpn.freeddns.org
-
For port option
press enter
for default 51820. For client name, just put any name you want, and for DNS use option 3 (1.1.1.1
) for now. We will configureadguard/unbound/cloudflare
with the vpn after its finished installed
-
Wait until the installation is finished and QR code to show, don't close. But if you do, to
regenerate qrcode
, enter in terminal but replacing just the nameyourclientname.conf
file to yours:sudo cp /root/yourclientname.conf /home/pi && sudo qrencode -t ansiutf8 < yourclientname.conf
IMPORTANT:
You will need to add a new user/client for each device you use with the VPN. To add a new user, simply re-run the script and create user with different client name.
If you want to use OpenVPN instructions are ๐here๐
Install the WireGuard app from Google Play or App Store
Wireguard (Google Play): https://play.google.com/store/apps/details?id=com.wireguard.android
Wireguard (App Store): https://apps.apple.com/us/app/wireguard/id1441195209
You need to scan the QR code shown in the terminal with Wireguard app, select the + button
and use the option Scan from QR code
to install configuration.
WireGuard for windows: https://download.wireguard.com/windows-client/wireguard-installer.exe
Tunsafe (getting far faster speed with Tunsafe beta than wireguard on windows): https://tunsafe.com/downloads/TunSafe-1.5-rc2.exe
-
Create
new text document
with any name on pc to copy&paste the text from wireguard client configuration file. -
To see text in client config file, type in terminal:
sudo cat /root/yourclientname.conf
-
Highlight all the text, copy and paste it in the txt file on pc and save. Then rename the extention from
txt
toconf
. Now you have config file for that wireguard client. -
You can now import the config file to wireguard or tunsafe windows app (import from file option).
Remember this is for when you are connected to WireGuard VPN on an outside network or at home 24/7 cause you already have AdGuard/Unbound/Cloudflare set up and running on your devices manually. (no issue having both set up. Just remember with wireguard you will lose about 50% of wifi(not cable) internet speed cause the process of tunneling through pi to router to devices)
-
In wireguard app, select your tunnel and select edit (pencil on top right)
-
Under Dns servers enter
pi's ip
and save
-
IMPORTANT
: Delete in allowed IPs "0.0.0.0/0, ::/0" option because it routes all traffic to your home network which will be slow. You need send traffic through your addresses only. (Only when connected directly with ethernet cable leave in allowed ip0.0.0.0/0, ::/0
cause i don't seem to lose any speed) -
First you need to replace it with your network gateway but setting the last number to a zero and prefix lenght to 24. For example:
192.168.1.1/24
to192.168.1.0/24
or like my isp router192.168.100.1/24
to192.168.100.0/24
. Now I only lose 25% speed๐
IMPORTANT
: If your network has ip addresses for devices that ends with a number more than 24 for example: 192.168.100.999
you will not be able to route properly from outside network because applying 24 only allows numbers 1 through 24. You need to instead put 0
to route out of the 24 range, for example : 192.168.100.0/0
.
Or you can change ip range on your router (in my experience you might geta tiny bit better speeds cause it will not route unnecessary allowed ips over the 24 range).
If you are using ipv6, when connected to wifi you need to enter in allowed IPs fe80::1/0
as well. For example 192.168.100.0/0, fe80::1/0
When connected to ethernet cable on pc, you need to enter pi's ipv6 address in "Internet Protocol Version 6(TCP/IPv6)" preferred DNS server. To get pi ipv6 address, enter in terminal ifconfig
under eth0:inet6. If you see two inet6(public&local), enter local not public. Go to https://ipv6leak.com/ and you should see "Your IPv6 is not leaking".
For windows download Wireshark
Once downloaded you can use the application to inspect your data packets where the protocol is set to the one used by Wireguard VPN. When a packet traffic is encrypted
, it can be read like this for example:
For android you can use PCAPdroid. You should see all connections closed and status showing all DNS and not any TLS connections in all apps (open and use apps for PCAPdroid to scan).
-
Open new sh file called update and copy&paste text from ๐here๐
sudo nano update.sh
-
Set permission
sudo chmod 700 update.sh
-
Open cron file by entering in command line
crontab -e
, copy&paste job command line below at the bottom of cron file and save.0 3 * * 3 sudo ./update.sh > /home/pi/update.log 2>&1
Pi will now update every Wednesday at 3am. Or you can go to https://crontab.guru/ and set your own time schedule.
One of the most significant advantages of offloading your RAM is that it improves your SD Cardโs potential lifespan. Log files are one of the things written to most by the various pieces of software you install. By pushing the files to your RAM, you can control how often they are written to the SD Card. You will still be able to access these files on the RAM as if they sat on your SD Card.
Copy and paste this line in terminal:
wget https://git.io/log2ram -O Log2Ram-Script.sh && sudo chmod +x Log2Ram-Script.sh && sudo ./Log2Ram-Script.sh
For Pi-Hole
lovers you can use instead of Adguard but change these option:
-
Use 127.0.0.1#53 for DoT or 127.0.0.1#5053 for DoH in upstream DNS server custom ipv4 option and untick cloudfare or what ever dns you choose during pi installion. Don't know how to make two work simultaneously on pihole. Let me know if you do.
-
Open the configuration file /etc/dnsmasq.d/01-pihole.conf and make sure that cache size is zero by setting cache-size=0. This step is important because the caching is already handled by the Unbound Please note that the changes made to this file will be overwritten once you update/modify Pi-hole.
๐๐ THAT'S IT !! ๐๐ YOUR FINISH ๐๐
ANY ISSUES, FIXES OR TIPS TO MAKE THESE PROJECTS BETTER PLEASE CONTRIBUTE๐ค