A simple how-to guide on installing and configuring a Raspberry Pi 4 to make your internet connection more safe and private by installing Pi-Hole network-wide adblocker, OpenVPN to encrypt your internet data and DNSCrypt to secure your DNS queries.
Be sure to follow it step by step to avoid possible errors or mistakes.
Using Raspbian, the official operating system for the Raspberry Pi, you can be sure that it is well optimized and supported for the Raspberry Pi.
Download Raspberry Pi Imager for an easy way to install Raspbian to a MicroSD card.
It is always good practice to keep the system updated so once you have installed Raspbian, update it.
sudo apt update
sudo apt -y upgrade
sudo apt install -y unattended-upgrades
Optional: Tweak Raspbian
1 Change User Password
3 Boot Options->
B1 Desktop / CLI->
B2 Console Autologin
4 Localisation Options->
I2 Change Timezone
4 Localisation Options->
I4 Change Wi-Fi Country
7 Advanced Options->
A1 Expand filesystem
7 Advanced Options->
A3 Memory Split-> Enter
Find your IP addresses which will be required for OpenVPN.
- External IP
- Local IP
VPN stands for Virtual Private Network. A VPN creates an encrypted tunnel between you and a VPN server. All your internet data is routed through this tunnel, so your data is secure from any MITM, middle in the man, attacks.
Another benefit of a VPN is, is that it allows you to access your local network securely.
wget https://git.io/vpn -O openvpn-install.sh chmod 755 openvpn-install.sh sudo ./openvpn-install.sh
Example settings at setup:
- Public IPv4 address / hostname :
- Protocol :
- Port :
- DNS :
Current system resolvers
- Client name [client]:
Press enter once the correct settings have been chosen. The script will then install OpenVPN with your configured settings.
The generated opvn file you can use with an OpenVPN client on e.g. your mobile phone. It can be found inside the
/root directory, in my case
/root/yinchie-phone.ovpn. I copy this over to my home directory
~/ for easy transferring it off the Raspberry Pi using SFTP.
First, find out the
tun0 interface IP address which is what OpenVPN uses using the command
ifconfig tun0 | grep 'inet'. In my case, it is
[email protected]:~ $ ifconfig tun0 | grep 'inet' inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1 inet6 fe80::32f5:3e61:b36e:b29b prefixlen 64 scopeid 0x20<link>
- Edit OpenVPN server config.
sudo nano /etc/openvpn/server/server.conf
- Add the tun0 interface IP address, PiHole will be using it.
push "dhcp-option DNS 10.8.0.1"
- Comment out other
dhcp-optionreferences by adding a
#in front of it.
#push "dhcp-option DNS 192.168.1.1"
- Restart OpenVPN server.
sudo systemctl restart openvpn
It is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.
We shall be installing DNSCrypt Proxy into the
/opt directory which is for installation of add-on application software packages.
cd /opt sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.42/dnscrypt-proxy-linux_arm-2.0.42.tar.gz sudo tar xf dnscrypt-proxy-linux_arm-2.0.42.tar.gz sudo rm dnscrypt-proxy-linux_arm-2.0.42.tar.gz sudo mv linux-arm dnscrypt-proxy cd dnscrypt-proxy sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
- Go to the installation directory.
- Download DNSCrypt-Proxy.
The latest releases can be found at the official release website.
Use the command
sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.42/dnscrypt-proxy-linux_arm-2.0.42.tar.gz
- Unpack the archive.
sudo tar xf dnscrypt-proxy-linux_arm-2.0.42.tar.gz
- Remove the archive.
sudo rm dnscrypt-proxy-linux_arm-2.0.42.tar.gz
- Rename the unpacked archive.
sudo mv linux-arm dnscrypt-proxy
- Go to the renamed directory.
- Create a copy of the configuration file.
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
For DNSCrypt to work correctly alongside Pi-Hole we have to make some changes to the configuration file
dnscrypt-proxy.toml by running the command
sudo nano dnscrypt-proxy.toml while still in
- Change port, since
53is already being used by Pi-Hole.
This is the
Change it to
listen_addresses = ['127.0.0.1:54','[::1]:54']
require_dnssec = falseto
require_dnssec = true
- Install the dnscrypt-proxy service.
sudo ./dnscrypt-proxy -service install
- Start the dnscrypt-proxy service.
sudo ./dnscrypt-proxy -service start
- Check the service status.
sudo systemctl status dnscrypt-proxy
Feel free to change additional options inside the configuration file to suit your needs as I have done.
It is a network-wide ad blocker that protects your devices from unwanted content, without installing any client-side software.
At the installation pick whatever upstream DNS server. We will modify it later on.
Take note of the login password once the installation is complete.
Add the DNSCrypt Proxy server to Pi-Hole on the Pi-Hole admin page.
Configure your clients
Configure your clients to use your Pi-Hole IP address as the DNS server or enter it into your router so every client on your local network will be using Pi-Hole filtering while being DNSCrypt secured.