- AdGuard: ad blocker for your devices at home (AdGuard compared to Pi-hole)
- WireGuard: a VPN server at home, reachable from any outside network (IPv4 & IPv6)
- Cloudflare: better performance and security when browsing websites (DoT & DoH)
## Speed results with BIND's DNS tool

Query time for google.com in milliseconds:

- AdGuard default DNS resolvers: 60-70 msec
- Public Cloudflare/Quad9/Google DNS resolvers: 50-70 msec
- This setup/configuration: 5-10 msec
Projects | Status |
---|---|
AdGuard Home | ✅ |
Unbound | ✅ |
Cloudflare | ✅ |
Stubby | ✅ |
WireGuard | ✅ |
- About
- Discussions/F.A.Q
- Requirements
- Installing Pi operating system
- Installing AdGuard
- Installing Unbound
- Installing Cloudflare
- Installing WireGuard or OpenVPN(slower)
- Disable all IPv6
- Test Vpn
- Auto update your Pi
- Improving your SD card's potential lifespan
- Turn Off Pi LEDs
- Securing your Raspberry Pi
- Repository Resources
## Requirements

- A Raspberry Pi 3 or 4
- A router that supports port forwarding (most can)
- MicroSD USB card reader
- MicroSD card (8GB or bigger, at least Class 4)
- Ethernet cable
- (Optional if using monitor) MicroHDMI-(RPi 4) or HDMI-(RPi 3)
## Installing Pi operating system

This tutorial is based on Raspberry Pi OS, but you can use any Linux operating system (32-bit or 64-bit) and any hardware you prefer, with some tweaking, if you know what you are doing. Raspberry Pi OS is the simplest and is recommended for the Pi; for more experienced users, DietPi OS is also recommended.

Raspberry Pi OS comes in Desktop and Lite versions (use Lite for headless mode only). You can set the Raspberry Pi up with a monitor, keyboard and mouse, or set it up "headlessly" from a terminal.

Install balenaEtcher and download the Raspberry Pi OS image to write to the microSD card.
- Download Raspberry Pi OS: https://www.raspberrypi.org/software/operating-systems/
- Download balenaEtcher: https://www.balena.io/etcher/
After Etcher is installed and the Raspberry Pi OS file is downloaded on your computer, insert the microSD card (in the microSD USB card reader) into your computer. Launch Etcher, choose the Raspberry Pi OS image you downloaded, select your microSD card and click "Flash".

After flashing is done, look in "This PC" for a disk named "boot" (or a USB drive; replug the USB card reader if it is not seen). Go to that disk and create a new, empty text file called `ssh` without the `.txt` extension. BE CAREFUL: it is not "ssh.txt", it is "ssh" with no extension. If you do not see file extensions, disable the "Hide extensions for known file types" option in File Explorer Options.
Now put the SD card into the Raspberry Pi, plug in your Ethernet cable and boot up.

- Wait a minute for the Pi's first boot.
- Open a browser and log in to your router's admin page.
- Find the list of all devices connected to your network and copy the IP address of the Raspberry Pi (it will most likely have the hostname `raspberrypi`).
- Open a terminal on your host machine. You can use PowerShell on Windows or RaspController for Android. Type the following command, replacing the placeholder with the Pi's IP address:

```
ssh pi@<pi's ip address>
```

You can use the right mouse button to paste text in Windows PowerShell.

Type "yes" for the fingerprint question, and type "raspberry" as the password. Passwords are invisible while you type them in a Linux terminal. You can run `sudo passwd pi` to change the password.
Run in terminal:

```
sudo apt update -y && sudo apt upgrade -y
```

WAIT FOR THE UPDATE TO FINISH AND RESTART THE PI, THEN CONTINUE TO THE NEXT STEP:

```
sudo reboot
```
## Installing AdGuard

This installation script is from the AdGuard Home main project. Follow it to keep updated.

Run the following command in your terminal:

```
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
```

- When installation is finished, the terminal shows the different links to YOUR AdGuard Home page (Get Started).
- IMPORTANT: in the Listen Interfaces option choose `eth0` and select Next.
- Set up a username and password.
- You should now be in the AdGuard Home panel.
- IMPORTANT: in General settings, set "Query logs retention" to 24 hours (I read that for some people the logs fill up and slow down the Pi, needing a restart every time).
Point your devices at the Pi:

- For Android/Apple, go to the Wi-Fi advanced settings and select the static option. In the `DNS 1` field enter the Pi's IP address.
- For PC/Windows:
  - IPv4: go to Network settings > Change adapter options, right-click the adapter, open Properties, then select "Internet Protocol Version 4 (TCP/IPv4)". Enter the Pi's IP address in Preferred DNS server.
  - IPv6 (needed for DoH & DoT to work later in the guide if you use IPv6 on your router): open "Internet Protocol Version 6 (TCP/IPv6)" and enter `::1`.

OPTIONAL: you can add a backup DNS in the alternative fields.

BE AWARE: on Android, adding a public DNS in the second field breaks AdGuard ad blocking.
In the AdGuard homepage under Filters, select the DNS blocklists section for adding URLs. You can search Google for different blocklists. Here is my custom blocklist with my URLs, or build your own from these sources.

IMPORTANT: some blocklists can block important content or websites. To unblock, go to the "Query Log" section; an unblock option appears when the cursor hovers over a query, and it puts the unblocked website into "Custom filtering rules", for example: `@@||bitly.com^$important`. Look for the client IP and time.

You can only add URLs one by one in the AdGuard DNS blocklist for now, but there is a Python script to add multiple URLs together.
Open a new Python file (bulkurls.py):

```
nano bulkurls.py
```

Then copy and paste the text from the bulkurls.py file and save (Ctrl+X, then Y, then Enter). YOU NEED TO CONFIGURE YOUR ADGUARD CREDENTIALS IN THE FILE.

If using DietPi, install pip and requests, since they are not installed by default:

```
sudo apt-get install python3-pip -y && pip install requests
```

To run:

```
sudo python3 bulkurls.py
```

To remove URLs instead, change `add` to `remove` in the second-to-last line of the bulkurls.py file.
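For readers who want to see what such a bulk script does, here is an added example (not the repository's bulkurls.py) that sends each URL from a list to AdGuard Home's HTTP API; it assumes the `POST /control/filtering/add_url` and `/control/filtering/remove_url` endpoints with HTTP basic auth as described in AdGuard Home's openapi spec, and the address, credentials and list contents are constructed placeholders.

```python
"""Bulk-add or remove DNS blocklist URLs in AdGuard Home through its HTTP API (added example).
Assumes AdGuard Home's POST /control/filtering/add_url and /remove_url endpoints with HTTP
basic auth, as in its openapi spec. Standard library only, so `requests` is not needed."""
import base64
import json
import urllib.request

# Constructed sample values: replace with your AdGuard Home address and credentials.
ADGUARD_URL = "http://192.168.1.10:3000"
USERNAME, PASSWORD = "admin", "change-me"
# Constructed sample input: one blocklist URL per line; blank and '#' lines are skipped.
BLOCKLIST_TEXT = """
# example lists (constructed for this snippet)
https://example.com/lists/ads.txt
https://example.com/lists/trackers.txt

https://example.com/lists/ads.txt
"""


def parse_urls(text):
    """Unique http(s) URLs in file order; rejects lines that are not http(s) URLs."""
    seen, urls = set(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if not line.startswith(("http://", "https://")):
            raise ValueError("not an http(s) URL: " + line)
        if line not in seen:
            seen.add(line)
            urls.append(line)
    return urls


def build_payload(url, action):
    """JSON body for add_url / remove_url; the list name is the URL's last path segment."""
    if action == "add":
        return {"name": url.rstrip("/").rsplit("/", 1)[-1], "url": url, "whitelist": False}
    if action == "remove":
        return {"url": url}
    raise ValueError("action must be 'add' or 'remove'")


def send(url, action="add"):
    """POST one blocklist URL to AdGuard Home; returns the HTTP status code (raises on 4xx/5xx)."""
    req = urllib.request.Request(ADGUARD_URL + "/control/filtering/" + action + "_url",
                                 data=json.dumps(build_payload(url, action)).encode(),
                                 method="POST")
    token = base64.b64encode((USERNAME + ":" + PASSWORD).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    for u in parse_urls(BLOCKLIST_TEXT):  # change "add" to "remove" to delete them again
        print(u, send(u, "add"))
```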
Go to https://d3ward.github.io/toolz/adblock.html to test whether ads are being blocked.
## Installing Unbound

Run the following command in your terminal:

```
sudo apt install unbound -y
```

To recursively resolve a name that is not cached, the resolver has to start at the top of the server tree and query the root servers to learn where to go for the top-level domain of the name being queried. Unbound comes with default built-in hints; download the current root hints file with:

```
wget -O root.hints https://www.internic.net/domain/named.root && sudo mv root.hints /var/lib/unbound/
```

IMPORTANT: this needs to be updated every 6 months. To auto-update root.hints every 6 months, create a cron job. Enter `crontab -e` on the command line; it will ask you to select an editor (choose 1). Paste these lines at the bottom of the crontab and save (Ctrl+X, then Y, then Enter):

```
1 0 1 */6 * wget -O root.hints https://www.internic.net/domain/named.root
2 0 1 */6 * sudo mv root.hints /var/lib/unbound/
```

If using DietPi you need to install resolvconf and restart unbound-resolvconf.service to set the Unbound nameserver to 127.0.0.1:

```
sudo apt-get install resolvconf -y && sudo systemctl restart unbound-resolvconf.service
```
## Installing Cloudflare

Install Cloudflare with DNS over HTTPS (DoH); follow these INSTRUCTIONS.

Create the Unbound configuration file by entering at the command prompt:

```
sudo nano /etc/unbound/unbound.conf.d/unbound.conf
```

Copy and paste all the text from the unbound.conf file and save (Ctrl+X, then Y, then Enter).
Use Unbound for caching and Stubby as the TLS forwarder. Install Stubby:

```
sudo apt install stubby -y
```

Remove and re-create the stubby.yml file, copy/paste all the text from this stubby config and save (`cd $HOME` to return to the home folder when finished):

```
cd /etc/stubby/ && sudo rm stubby.yml && sudo nano stubby.yml
```

Restart Unbound and Stubby and check their status:

```
sudo systemctl restart unbound stubby ; systemctl status unbound stubby -l
```
- In the AdGuard homepage under Settings select "DNS settings".
- Delete everything from the "Upstream" and "Bootstrap DNS" server options and:
  - For DNS over TLS (DoT), add `127.0.0.1:53` in both the "Upstream" and "Bootstrap DNS" server fields.
  - For DNS over HTTPS (DoH), add `127.0.0.1:5053` in both the "Upstream" and "Bootstrap DNS" server fields.
  - For the TLS forwarder (Stubby), add `127.0.0.1:8053` in both the "Upstream" and "Bootstrap DNS" server fields.
- IMPORTANT: you need to check the "Parallel requests" option for the DNS resolvers to work simultaneously. Click Apply and test upstreams (you might get an error in the first test only).
- Then in DNS settings look for the DNS cache configuration section, set the cache size to `0` (caching is already handled by Unbound) and click Apply.
IMPORTANT: Windows systems and Android browsers need some tweaking to stabilize the DNS resolvers. Linux works fine (tested on Mint).

- Install Acrylic DNS Proxy.
- Go to `C:\Program Files (x86)\Acrylic DNS Proxy` and open the `AcrylicConfiguration.ini` file. Delete everything and copy these SETTINGS, changing only `PrimaryServerAddress` to your Pi's address.
- In the same folder run `RestartAcrylicService.bat` and `PurgeAcrylicCacheData.bat`.

TIP: commands for troubleshooting IP/DNS:

```
ipconfig /release
ipconfig /renew
ipconfig /flushdns
```

- In whatever browser you use, turn off the "Use secure DNS" option.

Be aware that conflicts can occur with custom rooted ROMs and kernels that have build.prop DNS tweaks, or with apps/Magisk modules.
That's it. Now go to https://1.1.1.1/help in a browser and you should see these options output "Yes":

- Connected to 1.1.1.1
- DNS over HTTPS (DoH)
- DNS over TLS (DoT)
- DNS over WARP

Further checks:

- https://browserleaks.com/dns - should show all connected to "Cloudflare"
- https://www.cloudflare.com/ssl/encrypted-sni/ - "Secure DNS / DNSSEC / TLS 1.3" should all be a green tick
- https://dnssec.vs.uni-due.de/ - should say "Yes, your DNS resolver validates DNSSEC signatures"
## Installing WireGuard or OpenVPN (slower)

Before installing WireGuard, if you do not have a static IP you need to get a free Dynamic DNS subdomain, because your external IP address most likely changes every so often (your ISP assigns it dynamically), and for that reason you need to set up a dynamic DNS service. Use this INSTRUCTION HERE. Otherwise skip this step.

We also need to set up port forwarding on your router so we can reach WireGuard from outside our network, for example from a coffee shop hotspot or mobile data:

TYPE | VALUE |
---|---|
Device | Raspberry Pi's hostname or IP |
Protocol | UDP |
Port range | 51820-51820 |
Outgoing port | 51820 |
Permit Internet access (if present) | yes |

Those are my router's port settings. Yours may be different, but you'll get it; remember the Google search engine is your friend. If you cannot connect from an outside network, your ISP has blocked incoming connections; you can call them and ask nicely to get it working.
BIG THANKS for this installation script from Nyr. Follow it to keep updated.

Run in terminal:

```
wget https://git.io/wireguard -O wireguard-install.sh && sudo bash wireguard-install.sh
```

- The script is going to ask you for the public IPv4 address/hostname for the VPN. If you have a static IP then continue; otherwise type the dynamic DNS domain that you created from the instructions, for example: `trinibvpn.freeddns.org`.
- For the port option press Enter for the default 51820. For the client name, put any name you want, and for DNS use option 3 (1.1.1.1) for now. We will configure AdGuard/Unbound/Cloudflare with the VPN after the installation is finished.
- Wait until the installation is finished and the QR code shows; don't close it. If you do, to regenerate the QR code enter the following in the terminal, replacing only the `yourclientname.conf` file name with yours:

```
sudo cp /root/yourclientname.conf /home/pi && sudo qrencode -t ansiutf8 < yourclientname.conf
```

IMPORTANT: you will need to add a new user/client for each device you use with the VPN. To add a new user, simply re-run the script and create a user with a different client name.

If you want to use OpenVPN, the instructions are here.
Install the WireGuard app from Google Play or the App Store:

- WireGuard (Google Play): https://play.google.com/store/apps/details?id=com.wireguard.android
- WireGuard (App Store): https://apps.apple.com/us/app/wireguard/id1441195209

You need to scan the QR code shown in the terminal with the WireGuard app: select the + button and use the option "Scan from QR code" to install the configuration.

IMPORTANT: enable the kernel module backend in the app settings.
WireGuard for Windows: https://download.wireguard.com/windows-client/wireguard-installer.exe

- Create a new text document with any name on the PC to copy and paste the text from the WireGuard client configuration file.
- To see the text in the client config file, type in the terminal:

```
sudo cat /root/yourclientname.conf
```

- Highlight all the text, copy and paste it into the txt file on the PC and save. Then rename the extension from `txt` to `conf`. Now you have the config file for that WireGuard client.
- You can now import the config file into WireGuard (import from file option).
Remember this is for when you are connected to the WireGuard VPN on an outside network, or at home 24/7, because you already have AdGuard/Unbound/Cloudflare set up and running on your devices manually (no issue having both set up, from my experience).

- In the WireGuard app, select your tunnel and select Edit (pencil at the top right).
- Under DNS servers enter the Pi's IP (IPv4 & IPv6) and save.
With WireGuard you will lose about 50% of your internet speed because of the process of tunneling through the Pi to the router to your devices.

Delete the "0.0.0.0/0, ::/0" entry in Allowed IPs, because it routes all traffic to your home network, which will be slow. You need to send traffic through your addresses only.

- First replace it with your network gateway, but setting the last number to zero and the prefix length to 24. For example, `192.168.1.1/24` becomes `192.168.1.0/24`, or with my ISP router `192.168.100.1/24` becomes `192.168.100.0/24`. Now I only lose 25% speed (ps. using a 5G network).

UPDATE: after a WireGuard update I do not get a faster speed doing this :( but it still makes sense not to use "0.0.0.0/0, ::/0" with Wi-Fi. If anyone knows any tweaks to get a boost, let me know.

IMPORTANT: if your network has IP addresses for devices that end with a 3-digit number (more than 24), for example `192.168.100.999`, you will not be able to route properly from an outside network, because applying 24 only allows numbers 1 through 24. You need to instead put 0 to route out of the 24 range, for example: `192.168.100.0/0`. Or you can change the IP range on your router (in my experience you might get a tiny bit better speeds because it will not route unnecessary allowed IP addresses over the 24 range).

If you are using IPv6, when connected to Wi-Fi you need to enter `fe80::1/0` in the WireGuard Allowed IPs as well. For example: `192.168.100.0/0, fe80::1/0`
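To check an Allowed IPs entry before saving it, here is a small helper (added example, not from this guide or the WireGuard project; it only uses Python's standard `ipaddress` module) that derives the entry from the gateway exactly as the step above does and reports which hosts each entry, including a /0 one, sends through the tunnel:

```python
"""Check a WireGuard AllowedIPs entry before saving it (added example, standard library only).
Derives the entry from the LAN gateway as the step above does (gateway -> network address)
and reports which hosts that entry sends through the tunnel."""
import ipaddress


def allowed_ips_for_lan(gateway_with_prefix):
    """'192.168.1.1/24' -> '192.168.1.0/24'; strict=False zeroes the host bits for you."""
    return str(ipaddress.ip_network(gateway_with_prefix, strict=False))


def covers(allowed, host):
    """True if traffic to `host` is routed into the tunnel by this AllowedIPs entry."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(allowed, strict=False)


def hosts_covered(allowed):
    """Number of addresses the entry matches (256 for a /24, 4294967296 for an IPv4 /0)."""
    return ipaddress.ip_network(allowed, strict=False).num_addresses


def describe(allowed):
    """One-line summary for reviewing a peer's AllowedIPs list."""
    net = ipaddress.ip_network(allowed, strict=False)
    scope = "ALL traffic" if net.prefixlen == 0 else "%d addresses" % net.num_addresses
    return "%s -> %s (%s)" % (allowed, net, scope)


if __name__ == "__main__":
    for gw in ("192.168.1.1/24", "192.168.100.1/24"):
        print(gw, "->", allowed_ips_for_lan(gw))
    entry = allowed_ips_for_lan("192.168.100.1/24")
    # Every host on the LAN, whatever its last octet, is inside the /24; outside hosts are not.
    for host in ("192.168.100.24", "192.168.100.200", "8.8.8.8"):
        print(entry, "covers", host, "->", covers(entry, host))
    # A /0 entry is normalised to 0.0.0.0/0 or ::/0, i.e. all traffic goes through the tunnel.
    for e in ("192.168.100.0/24", "192.168.100.0/0", "fe80::1/0"):
        print(describe(e))
```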
When connected with an Ethernet cable on a Windows PC, you need to enter `::1` as the IPv6 preferred DNS server in "Internet Protocol Version 6 (TCP/IPv6)". Then go to https://ipv6leak.com/ and you should see "Your IPv6 is not leaking".
## Test VPN

For Windows, download Wireshark. Once downloaded, you can use the application to inspect your data packets where the protocol is set to the one used by the WireGuard VPN. When the packet traffic is encrypted, it can be read like this, for example:

For Android you can use PCAPdroid. You should see all connections closed and the status showing only DNS and no TLS connections in all apps (open and use apps for PCAPdroid to scan).
## Auto update your Pi

- Open a new sh file called update.sh and copy and paste the text from here:

```
sudo nano update.sh
```

- Set permissions:

```
sudo chmod 700 update.sh
```

- Open the cron file by entering `crontab -e` on the command line, copy and paste the job line below at the bottom of the cron file and save (the redirections are ordered so that both output and errors land in the log file):

```
0 3 * * WED sudo ./update.sh >/home/pi/updatelog 2>&1
```

The Pi will now update every Wednesday at 3am. Or you can go to https://crontab.guru/ and set your own time schedule.

To adjust the Pi's date/timezone, enter in the terminal:

```
sudo dpkg-reconfigure tzdata
```

or set it manually:

```
sudo date -s "25 DEC 2012 11:14:00"
```
## Improving your SD card's potential lifespan

One of the most significant advantages of offloading to your RAM is that it improves your SD card's potential lifespan. Log files are among the things written to most by the various pieces of software you install. By pushing those files to RAM, you control how often they are written to the SD card, and you can still access them in RAM as if they sat on the SD card.

Copy and paste into the terminal, either manually:

```
wget https://git.io/log2ram -O Log2Ram-Script.sh && sudo chmod +x Log2Ram-Script.sh && sudo ./Log2Ram-Script.sh
```

or add the repo source (auto update):

```
echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/azlux.list
sudo wget -O /usr/share/keyrings/azlux-archive-keyring.gpg https://azlux.fr/repo.gpg
sudo apt update
sudo apt install log2ram
```
## Turn off Pi LEDs

I guess power to the LEDs wastes electricity and adds heat; no need for them anyway if the Pi is only used as a network server. Open the cron file by entering `crontab -e` on the command line, copy and paste the job lines below at the bottom of the cron file and save:

```
# Green
@reboot echo none | sudo tee /sys/class/leds/led0/trigger
# Red
@reboot echo none | sudo tee /sys/class/leds/led1/trigger
```

Reboot the Pi.
## Securing your Raspberry Pi

(I just use Fail2Ban and change the SSH port.)

THAT'S IT! YOU'RE FINISHED.

ANY ISSUES, FIXES OR TIPS TO MAKE THESE PROJECTS BETTER, PLEASE CONTRIBUTE.
## Repository Resources

- https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started
- https://developers.cloudflare.com/
- https://docs.pi-hole.net/guides/dns/cloudflared/
- https://docs.pi-hole.net/guides/dns/unbound/
- https://nlnetlabs.nl/documentation/unbound/unbound.conf/
- https://dnsprivacy.org/dns_privacy_clients/
- https://github.com/anudeepND/pihole-unbound
- https://github.com/stong/unbound.conf.d
- https://github.com/Nyr/wireguard-install
- https://github.com/azlux/log2ram