A simple how-to guide on setting up a Raspberry Pi 4 to make your internet connection safer and more private by installing Pi-Hole as a network-wide ad blocker, OpenVPN to encrypt your internet traffic, and DNSCrypt to secure your DNS queries.

Raspberry Pi OS

Using Raspberry Pi OS, the official operating system for the Raspberry Pi, you can be sure that it is well optimized and supported for the Raspberry Pi.

Download Raspberry Pi Imager for an effortless way to install it onto a MicroSD card.

Update the system once the installation has been completed.

sudo apt update && sudo apt -y upgrade

sudo apt install -y unattended-upgrades

Optional: Tweak Raspbian

sudo raspi-config

Select 1 Change User Password

Select 3 Boot Options -> B1 Desktop / CLI -> B2 Console Autologin

Select 4 Localisation Options -> I2 Change Timezone

Select 4 Localisation Options -> I4 Change Wi-Fi Country

Select 7 Advanced Options -> A1 Expand filesystem

Select 7 Advanced Options -> A3 Memory Split -> Enter 16

Enter Reboot

Prep Work

Find the IP addresses that will be needed for OpenVPN.

External IP

curl ifconfig.me

Local IP

hostname -I

OpenVPN

VPN stands for Virtual Private Network. A VPN creates an encrypted tunnel between the client and a VPN server. All internet traffic is routed through this tunnel, which protects it from man-in-the-middle attacks.

Another benefit of a VPN is that it allows clients to securely access the local network remotely.

Install

wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.sh

Example settings at setup:

Public IPv4 address / hostname []:

123.456.789.000

Protocol [1]:

UDP

Port [1194]:

11948

DNS [1]:

Current system resolvers

Client name [client]:

yinchie-phone

Press enter once the correct settings have been chosen. The script will then install OpenVPN with the configured settings.

The generated .ovpn file can be used with an OpenVPN client on e.g. a cell phone. It can be found inside the /root directory, in my case /root/yinchie-phone.ovpn. I copy this over to the home directory ~/ to make it easy to transfer off the Raspberry Pi using SFTP.

Configure OpenVPN

First, find the IP address of the tun0 interface, which is the interface OpenVPN uses, with the command ifconfig tun0 | grep 'inet'. In my case, it is 10.8.0.1.

$ ifconfig tun0 | grep 'inet'
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
inet6 fe80::32f5:3e61:b36e:b29b prefixlen 64 scopeid 0x20<link>

Edit the OpenVPN server config.

sudo nano /etc/openvpn/server/server.conf

Add the tun0 interface IP address as the DNS server; Pi-Hole will be using it.

push "dhcp-option DNS 10.8.0.1"

Comment out any other dhcp-option references by adding a # in front of them.

#push "dhcp-option DNS 192.168.1.1"

Restart the OpenVPN server. The install script runs it as the openvpn-server@server unit, which reads /etc/openvpn/server/server.conf.

sudo systemctl restart openvpn-server@server

DNSCrypt

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with, which prevents DNS spoofing.

Install

Install DNSCrypt-Proxy into the directory /opt , which is for installation of add-on application software packages.

cd /opt
sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.44/dnscrypt-proxy-linux_arm-2.0.44.tar.gz
sudo tar xf dnscrypt-proxy-linux_arm-2.0.44.tar.gz
sudo rm dnscrypt-proxy-linux_arm-2.0.44.tar.gz
sudo mv linux-arm dnscrypt-proxy
cd dnscrypt-proxy
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

Detailed installation:

Go to the installation directory.

cd /opt

Download DNSCrypt-Proxy.

sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.44/dnscrypt-proxy-linux_arm-2.0.44.tar.gz

Unpack the archive.

sudo tar xf dnscrypt-proxy-linux_arm-2.0.44.tar.gz

Remove the archive.

sudo rm dnscrypt-proxy-linux_arm-2.0.44.tar.gz

Rename the unpacked archive.

sudo mv linux-arm dnscrypt-proxy

Go to the renamed directory.

cd dnscrypt-proxy

Create a copy of the configuration file.

sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

Configure DNSCrypt

For DNSCrypt-proxy to work correctly alongside Pi-Hole some changes must be made to the configuration file dnscrypt-proxy.toml .

Open dnscrypt-proxy.toml, while still in /opt/dnscrypt-proxy, by running the command

sudo nano dnscrypt-proxy.toml

Change the port, since 53 is already being used by Pi-Hole. This is the listen_addresses line. Change it to

listen_addresses = ['127.0.0.1:54','[::1]:54']

Change require_dnssec = false to

require_dnssec = true

Install the dnscrypt-proxy service.

sudo ./dnscrypt-proxy -service install

Start the dnscrypt-proxy service.

sudo ./dnscrypt-proxy -service start

Check the service status.

sudo systemctl status dnscrypt-proxy

Feel free to change additional options inside the configuration file to suit your needs as I have done.

DNSCrypt-Proxy service is running successfully. Screenshot shows a different configuration.
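
The hand edits in the Configure OpenVPN and Configure DNSCrypt sections are easy to get half right, for example by leaving a second resolver pushed to VPN clients. The script below is an added example, not part of the original guide, that audits both files; the function names and sample file contents are constructed, while 10.8.0.1 and port 54 are the values used above.

```sh
#!/bin/sh
# Added example: audit the DNS settings this guide edits by hand.
# All file contents below are constructed samples, not from a real install.

# Print the address from every active push "dhcp-option DNS ..." line.
# Commented-out lines (leading # or ;) do not match and are skipped.
active_dns_pushes() {
    sed -n -E 's/^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]+([^"[:space:]]+)[[:space:]]*".*$/\1/p' "$1"
}

# Succeed only if clients are pushed exactly one resolver: the expected one.
audit_openvpn_dns() {   # usage: audit_openvpn_dns server.conf 10.8.0.1
    [ "$(active_dns_pushes "$1" | sort -u)" = "$2" ]
}

# Succeed only if dnscrypt-proxy has a listener, none of them on port 53
# (Pi-hole owns that port), and DNSSEC validation is required.
audit_dnscrypt() {      # usage: audit_dnscrypt dnscrypt-proxy.toml
    grep -Eq '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" || return 1
    if grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" | grep -Eq ":53['\"]"; then
        return 1
    fi
    grep -Eq '^[[:space:]]*require_dnssec[[:space:]]*=[[:space:]]*true' "$1"
}

demo_dir=$(mktemp -d)
# Constructed: a second resolver is still pushed, so clients can bypass Pi-hole.
cat > "$demo_dir/leaky.conf" <<'EOF'
port 11948
proto udp
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 10.8.0.1"
EOF
# Constructed: the state the guide aims for.
cat > "$demo_dir/fixed.conf" <<'EOF'
port 11948
proto udp
#push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 10.8.0.1"
EOF
cat > "$demo_dir/dnscrypt-proxy.toml" <<'EOF'
listen_addresses = ['127.0.0.1:54','[::1]:54']
require_dnssec = true
EOF

for f in leaky.conf fixed.conf; do
    if audit_openvpn_dns "$demo_dir/$f" 10.8.0.1; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
if audit_dnscrypt "$demo_dir/dnscrypt-proxy.toml"; then echo "dnscrypt: ok"; else echo "dnscrypt: FAIL"; fi
```

On the Pi, point the two audit functions at /etc/openvpn/server/server.conf and /opt/dnscrypt-proxy/dnscrypt-proxy.toml instead of the sample files.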

Pi-Hole

Pi-Hole is a network-wide ad blocker that protects your devices from unwanted content, without installing any client-side software.

Install

During the installation, pick any upstream DNS server. It will be modified later in the configuration.

wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.sh

Commands to install Pi-Hole using an automated script.

Take note of the login password once the installation is complete.

Configure Pi-Hole

Add the DNSCrypt-Proxy server to Pi-Hole on the Pi-Hole admin page.

Pi-Hole DNS settings page configured to use a custom upstream DNS server.

Configure clients

Configure clients to use the Pi-Hole IP address as the DNS server or configure the router so that every client on the local network will be using Pi-Hole filtering while being DNSCrypt secured.