Raspberry Pi OS
Using Raspberry Pi OS, the official operating system for the Raspberry Pi, you can be sure that it is well optimized and supported for the Raspberry Pi.
Download Raspberry Pi Imager for an effortless way to install onto a Micro-SD card.
Update the system once the installation has been completed.
sudo apt uptdate && sudo apt -y upgrade
sudo apt install -y unattended-upgradesOptional: Tweak Raspberry Pi OS
sudo raspi-config1 Change User Password3 Boot Options-B1 Desktop / CLI-B2 Console Autologin4 Localisation Options-I2 Change Timezone4 Localisation Options-I4 Change Wi-Fi Country7 Advanced Options-A1 Expand filesystem7 Advanced Options-A3 Memory Split16sudo shutdown -r now
Prep Work
Find the required IP addresses which will be needed for OpenVPN.
- External IP:
curl ifconfig.me - Internal IP:
hostname -I
OpenVPN
VPN stands for Virtual Private Network. A VPN creates an encrypted tunnel between the client and a VPN server. All the internet data is routed through this tunnel, so the data is secure from any man in the middle attacks.
Another benefit of a VPN is, is that it allows clients to remotely access the local network securely.
Install
wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.shExample Install Settings
- Public IPv4 address / hostname []:
123.456.789.000 - Protocol [1]:
UDP - Port [1194]:
11948 - DNS [1]:
Current system resolvers - Client name [client]:
my-phone
The generated opvn file can be used with an OpenVPN client on e.g. a cell phone. It can be found inside the /root directory, in my case /root/my-phone.ovpn. I copy this over to the home directory ~/ for easy transferring it off the Raspberry Pi using SFTP.
Configure OpenVPN
First, find out the tun0 interface IP address which is what OpenVPN uses using the command ifconfig tun0 | grep 'inet'. In my case, it is 10.8.0.1.
- Edit OpenVPN server config:
sudo nano /etc/openvpn/server/server.conf - Add the tun0 interface IP address, PiHole will be using it:
push "dhcp-option DNS 10.8.0.1" - Comment out other
dhcp-optionreferences by adding a#in front of it:#push "dhcp-option DNS 192.168.1.1" - Restart OpenVPN server:
sudo systemctl restart openvpn
DNSCrypt
It is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.
Install
Install DNSCrypt-Proxy into the directory /opt, which is for installation of add-on application software packages.
cd /opt
sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.2/dnscrypt-proxy-linux_arm-2.1.2.tar.gz
sudo tar xf dnscrypt-proxy-linux_arm-2.1.2.tar.gz
sudo rm dnscrypt-proxy-linux_arm-2.1.2.tar.gz
sudo mv linux-arm dnscrypt-proxy
cd dnscrypt-proxy
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.tomlConfigure DNSCrypt
For DNSCrypt-proxy to work correctly alongside Pi-Hole some changes must be made to the configuration file dnscrypt-proxy.toml.
Open dnscrypt-proxy.toml by running the command
sudo nano dnscrypt-proxy.toml while still in /opt/dnscrypt-proxy.
- Change port, since
53is already being used by Pi-Hole.
This is thelisten_addressesline.
Change it tolisten_addresses = ['127.0.0.1:54','[::1]:54'] - Change
require_dnssec = falsetorequire_dnssec = true - Install the dnscrypt-proxy service.
sudo ./dnscrypt-proxy -service install - Start the dnscrypt-proxy service.
sudo ./dnscrypt-proxy -service start - Check the service status.
sudo systemctl status dnscrypt-proxy
Feel free to change additional options inside the configuration file to suit your needs as I have done.
Pi-Hole
At the installation pick whatever upstream DNS server. Modify it later in the configuration file.
wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.shTake note of the login password once the installation is complete.
Configure Pi-Hole
Add the DNSCrypt-Proxy server to Pi-Hole on the Pi-Hole admin page.
Configure Clients
Configure clients to use the Pi-Hole IP address as the DNS server or configure the router so that every client on the local network will be using Pi-Hole filtering while being DNSCrypt secured.