Raspberry Pi OS
Raspberry Pi OS is the official operating system for the Raspberry Pi, ensuring optimal performance and support for your device.
For an easy installation process, use the Raspberry Pi Imager to install the OS onto your Micro-SD card.
Once the installation is complete, be sure to update the system for the latest features and security updates.
sudo apt update && sudo apt -y upgrade
sudo apt install -y unattended-upgrades
Optional: Tweak Raspberry Pi OS
sudo raspi-config
1 Change User Password
3 Boot Options
-B1 Desktop / CLI
-B2 Console Autologin
4 Localisation Options
-I2 Change Timezone
4 Localisation Options
-I4 Change Wi-Fi Country
7 Advanced Options
-A1 Expand filesystem
7 Advanced Options
-A3 Memory Split
16
sudo shutdown -r now
Prep Work
Find the IP addresses that will be needed for OpenVPN.
- External IP:
curl ifconfig.me
- Internal IP:
hostname -I
OpenVPN
A VPN, or Virtual Private Network, creates an encrypted connection between a client and a VPN server. Because internet data is routed through the encrypted tunnel, it is protected from man-in-the-middle attacks on the path between the client and the VPN server.
In addition to enhanced security, a VPN also enables clients to remotely access local networks securely, making it a valuable tool for remote work and access to resources on other networks.
Install
wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.sh
Example Install Settings
- Public IPv4 address / hostname []:
123.456.789.000
- Protocol [1]:
UDP
- Port [1194]:
11948
- DNS [1]:
Current system resolvers
- Client name [client]:
my-phone
The OpenVPN file generated by the process can be used with an OpenVPN client on devices such as smartphones. It is located inside the /root directory, in this case /root/my-phone.ovpn. To transfer the file off the Raspberry Pi, it is recommended to copy it to the home directory, ~/, and use SFTP (Secure File Transfer Protocol) for the transfer.
Configure OpenVPN
To begin, use the command ifconfig tun0 | grep 'inet' to determine the IP address of the tun0 interface, which is used by OpenVPN. In the example given, the IP address is 10.8.0.1.
- Edit OpenVPN server config:
sudo nano /etc/openvpn/server/server.conf
- Add the tun0 interface IP address, which Pi-Hole will be using:
push "dhcp-option DNS 10.8.0.1"
- Comment out other dhcp-option references by adding a # in front of each:
#push "dhcp-option DNS 192.168.1.1"
- Restart OpenVPN server:
sudo systemctl restart openvpn
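An added example (not part of the original guide) that audits the edit above: it lists the DNS servers pushed by active lines in server.conf and fails if anything other than the tun0 address is still pushed, since a leftover resolver lets VPN clients bypass Pi-Hole. The function names and the sample config are constructed for illustration; on a real system pass /etc/openvpn/server/server.conf.

```sh
#!/bin/sh
# Added example: audit the DNS servers an OpenVPN server.conf pushes to clients.

# Print each DNS server pushed by an active line, one per line.
# Commented lines (starting with # or ;) do not match and are skipped.
pushed_dns() {
    sed -nE 's/^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]+([^"[:space:]]+)".*$/\1/p' "$1"
}

# Succeed only if the config pushes exactly the expected resolver and no other.
check_vpn_dns() {
    vpn_conf=$1
    vpn_expected=$2
    vpn_servers=$(pushed_dns "$vpn_conf")
    if [ "$vpn_servers" = "$vpn_expected" ]; then
        echo "OK: clients receive only $vpn_expected"
        return 0
    fi
    echo "FAIL: expected only $vpn_expected, but config pushes:" >&2
    printf '  %s\n' ${vpn_servers:-"(nothing)"} >&2
    return 1
}

# Constructed sample mirroring the edit described above (not a real config).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
port 11948
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
#push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 10.8.0.1"
EOF

check_vpn_dns "$sample_conf" 10.8.0.1
rm -f "$sample_conf"
```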
DNSCrypt
DNSCrypt is a protocol that ensures the authenticity of communications between a DNS client and a DNS resolver. It protects against DNS spoofing by using cryptographic signatures to verify that responses are coming from the chosen DNS resolver and that they have not been tampered with. In other words, it helps to secure and validate DNS queries to protect users' privacy and security.
Install
DNSCrypt-Proxy can be installed into the directory /opt, which is commonly used for the installation of additional application software packages.
cd /opt
sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.4/dnscrypt-proxy-linux_arm-2.1.4.tar.gz
sudo tar xf dnscrypt-proxy-linux_arm-2.1.4.tar.gz
sudo rm dnscrypt-proxy-linux_arm-2.1.4.tar.gz
sudo mv linux-arm dnscrypt-proxy
cd dnscrypt-proxy
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
Configure DNSCrypt
For DNSCrypt-proxy to work correctly alongside Pi-Hole, some changes must be made to the configuration file dnscrypt-proxy.toml.
Open dnscrypt-proxy.toml by running the command sudo nano dnscrypt-proxy.toml while still in /opt/dnscrypt-proxy.
- Change the port, since 53 is already being used by Pi-Hole. This is the listen_addresses line. Change it to:
listen_addresses = ['127.0.0.1:54','[::1]:54']
- Change require_dnssec = false to require_dnssec = true
- Install the dnscrypt-proxy service.
sudo ./dnscrypt-proxy -service install
- Start the dnscrypt-proxy service.
sudo ./dnscrypt-proxy -service start
- Check the service status.
sudo systemctl status dnscrypt-proxy
Feel free to change additional options inside the configuration file to suit your needs as I have done.
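An added example (not part of the original guide) that checks the two settings changed above: no listener on port 53, no listener bound to all interfaces, and require_dnssec set to true. It then prints the first IPv4 listener in Pi-Hole's custom upstream notation (IP#port). The function names and the sample file are constructed; the parser assumes single-line values, as in the lines shown above.

```sh
#!/bin/sh
# Added example: audit the dnscrypt-proxy.toml settings that matter next to Pi-hole.

# Value of the first active "key = value" line (single-line values only).
toml_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# First IPv4 listener rewritten in Pi-hole's custom upstream form, IP#port.
pihole_upstream() {
    toml_value "$1" listen_addresses |
        grep -oE '[0-9]+(\.[0-9]+){3}:[0-9]+' | head -n 1 | tr ':' '#'
}

# Succeed only if every check passes; each failure is reported on stderr.
check_dnscrypt() {
    dc_rc=0
    dc_listen=$(toml_value "$1" listen_addresses)
    dc_dnssec=$(toml_value "$1" require_dnssec)
    # Pi-hole owns port 53, so no listener may use it.
    if [ -z "$dc_listen" ] || printf '%s\n' "$dc_listen" | grep -Eq ":53['\"]"; then
        echo "FAIL: listen_addresses = ${dc_listen:-unset}; port 53 belongs to Pi-hole" >&2
        dc_rc=1
    fi
    # Only the local Pi-hole should reach the proxy, so reject wildcard binds.
    if printf '%s\n' "$dc_listen" | grep -Eq "['\"](0\.0\.0\.0|\[::\]):"; then
        echo "FAIL: listener bound to all interfaces: $dc_listen" >&2
        dc_rc=1
    fi
    if [ "$dc_dnssec" != "true" ]; then
        echo "FAIL: require_dnssec = ${dc_dnssec:-unset}, expected true" >&2
        dc_rc=1
    fi
    [ "$dc_rc" -eq 0 ] && echo "OK: set Pi-hole custom upstream to $(pihole_upstream "$1")"
    return "$dc_rc"
}

# Constructed sample holding only the two settings changed above.
sample_toml=$(mktemp)
cat > "$sample_toml" <<'EOF'
listen_addresses = ['127.0.0.1:54','[::1]:54']
# require_dnssec = false
require_dnssec = true
EOF

check_dnscrypt "$sample_toml"
rm -f "$sample_toml"
```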
Pi-Hole
During the installation process, you can select any upstream DNS server. The selected server can be modified later in the configuration file if needed.
wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.sh
Take note of the login password once the installation is complete.
Configure Pi-Hole
Add the DNSCrypt-Proxy server to Pi-Hole on the Pi-Hole admin page.
Configure Clients
To configure clients to use Pi-Hole as the DNS server, set the Pi-Hole IP address as the DNS server on each client device. Alternatively, configure the router so that all clients on the local network will automatically use Pi-Hole filtering and DNSCrypt security. This way, all devices connected to the network will benefit from the enhanced security and ad-blocking provided by Pi-Hole and DNSCrypt.