Pi-hole + Unbound DNS + PiVPN
Pi-hole, Unbound, PiVPN: a Docker stack that secures and caches DNS, keeps your DNS lookups off third-party resolvers for extra security and privacy, and adds a VPN for remote access.
The base setup covers DNS (with optional DHCP), ad blocking and a road-warrior VPN port. Dozzle reads the container logs and Fail2ban runs on the VM. Add a reverse proxy to the stack, such as Nginx or Nginx Proxy Manager, and for more security Authelia, and your interface stack is ready.
Ad blocking - network wide!
Pi-hole is a nice ad blocker. The GUI is very intuitive and easy to use, whereas the traditional systems are usually very confusing, with too many things on one page. Why? Memory is cheap and servers are full of it.
Adding Unbound makes the experience much better: it is a recursive, caching resolver that validates DNSSEC, so you no longer depend on somebody else's upstream resolver.
Things to setup to start
This stack needs some skill to set up, but I will guide you. Use the 1-docker.sh script and then 2-install.sh to set up the base (Docker, Docker Compose, Portainer, Fail2ban, Dozzle).
The design
The average user does not see much of this.
The DevOps person reads the logs and checks Fail2ban over SSH, and manages the ad blocking through the GUI. Use Dozzle as the log reader in the stack. Unbound resolves and caches DNS records, which speeds up the network. Pi-hole blocks the ads (200 blocks on one page is not unusual), and what a good job it does: the blocklists are extensive and you can add or remove domains yourself. No more handing your whole lookup history to Google's or the ISP's resolver! (Your ISP can still see the plaintext port 53 queries Unbound sends to the root, TLD and authoritative servers; the gain is that no single third-party resolver sees everything you look up.)
PiVPN is a very easy install and I will test it. For my use, occasional and small, it's a good fit. In professional installations we used OpenVPN; it has the power to run site-to-site network connections, but it's also good for sites with just a few road warriors.
I also recommend installing Whoogle Search. See the article.
Unbound DNS
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.
"Unbound is designed as a set of modular components that incorporate modern features, such as enhanced security (DNSSEC) validation, Internet Protocol Version 6 (IPv6), and a client resolver application programming interface library as an integral part of the architecture. Originally written for POSIX-compatible Unix-like operating systems, it runs on FreeBSD, OpenBSD, NetBSD, OS X, and Linux, as well as Microsoft Windows.
Unbound has supplanted BIND as the default, base-system name server in FreeBSD and OpenBSD, where it is perceived as smaller, more modern, and more secure for most applications." (from Wikipedia)
We need to add a basic set of local DNS records for Unbound (the a-records.conf file that the compose file mounts into the container), together with an unbound.conf that listens on the port Pi-hole is told to use (5053 in the compose file).
Then download root.hints into ~/docker-stack/pi/unbound/ (this is the ./unbound directory the compose file mounts into the container; wget -O creates the file, so no touch is needed):

```sh
mkdir -p ~/docker-stack/pi/unbound
wget https://www.internic.net/domain/named.root -O ~/docker-stack/pi/unbound/root.hints
```
Unbound initial configuration is done.
You need to update root.hints every 4 to 6 months. You can set up a cron job or do it manually. See the crontab section.
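The page mounts ./unbound over the container's configuration directory but does not show the unbound.conf that has to be in it. The file below is an added example written for this page, not taken from the original or from the mvance/unbound project: it listens on 5053 (the port Pi-hole is pointed at), only answers the Docker network, recurses from the downloaded root.hints, validates DNSSEC, and includes a-records.conf for local names. Assumptions: the trust anchor path var/root.key matches where your image keeps it, and the host names and the 192.168.1.10 address in the a-records.conf lines are constructed placeholders.

```conf
# ~/docker-stack/pi/unbound/unbound.conf
# (mounted at /opt/unbound/etc/unbound/unbound.conf in the piunbound container)
server:
    verbosity: 1
    num-threads: 1

    # Listen on the port the Pi-hole container is told to use (DNS1=172.18.0.251#5053)
    interface: 0.0.0.0
    port: 5053
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Only the stack's own Docker network may query this resolver; refuse everyone else
    access-control: 127.0.0.0/8 allow
    access-control: 172.18.0.0/16 allow
    access-control: 0.0.0.0/0 refuse

    # Recursion starts from the root servers listed in the downloaded hints file
    root-hints: "/opt/unbound/etc/unbound/root.hints"

    # DNSSEC validation. The anchor file must be writable so RFC 5011 rollovers work
    # (assumption: this is where the mvance/unbound image keeps it)
    auto-trust-anchor-file: "/opt/unbound/etc/unbound/var/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes
    use-caps-for-id: yes
    qname-minimisation: yes

    # Do not reveal version or hostname, and reject private addresses in public
    # answers (DNS rebinding protection)
    hide-identity: yes
    hide-version: yes
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # the local names below point at private addresses on purpose, so exempt that zone
    private-domain: "lan"

    # Cache tuning: refresh popular records before they expire
    prefetch: yes
    prefetch-key: yes
    cache-max-ttl: 86400
    msg-cache-size: 50m
    rrset-cache-size: 100m
    edns-buffer-size: 1232

    # Local A records live in the separately mounted a-records.conf
    include: "/opt/unbound/etc/unbound/a-records.conf"

# Contents of ~/docker-stack/pi/unbound/a-records.conf (a separate file; shown here
# commented out so this block can be copied as unbound.conf unchanged):
#   local-zone: "lan." static
#   local-data: "pihole.lan. IN A 172.18.0.250"
#   local-data: "myserver.lan. IN A 192.168.1.10"
#   local-data-ptr: "192.168.1.10 myserver.lan."
```

Files in ./unbound must be readable by the container's unbound user (chmod 644). After docker-compose up -d, dig @127.0.0.1 -p 5053 dnssec-failed.org should return SERVFAIL (validation is rejecting the deliberately broken domain), while dig @127.0.0.1 -p 5053 +dnssec nlnetlabs.nl should answer with the ad flag set.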
Pi-hole
Pi-hole is probably known to everyone through the Raspberry Pi project. It is super lightweight and has an easy to use GUI.
Network-wide protection
Instead of browser plugins or other software on each computer, install Pi-hole in one place and your entire network is protected.
Block in-app advertisements
Network-level blocking lets you block ads in non-traditional places such as mobile apps and smart TVs, regardless of hardware or OS. (Not YouTube: its ads are served from the same domains as the videos, so DNS blocking cannot separate them.)
Improve network performance
Since advertisements are blocked before they are downloaded, network performance is improved and the network will feel faster. Pi-hole also records query statistics.
PiVPN
PiVPN, the lightweight VPN for our HomeLab or HomeServer.
Preferably enable SSH access first, then begin. You need to open a port on your router. There is an outdated guided walkthrough of the install available here.
More information is also available on the PiVPN GitHub.
You also need a client app for your PC. There is a range of OpenVPN clients you can use; my favorite you can find at openvpn.net. Then you need to get your client profile (the .ovpn file, which embeds your private key) onto the PC by USB stick or SFTP. Treat that file like a password: anyone holding it can connect as you.
FLEXIBLE
PiVPN lets you customize your VPN port, key encryption strength, client DNS server, and more. The options it presents are a foundation for any OpenVPN server installation.
SECURE
The configuration uses a current TLS version. Both the data and control channels use AES encryption with SHA256 authentication (HMAC). The client profiles are pre-configured to verify the server certificate (the OpenVPN remote-cert-tls server directive), which defends against man-in-the-middle attacks.
You will need to forward UDP port 1194 (or better, a custom port) on your router to the server. Enabling SSH on your Pi is also recommended.
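The protections listed under SECURE (server certificate verification, AES, SHA256, a current TLS version) all live in the client profile, so they are easy to check before the profile is loaded on the PC. The script below is an added example written for this page, not PiVPN's own code: it inspects a .ovpn file for those directives, checks that the file holding the private key is not world-readable, and prints a SHA-256 digest to compare after the USB or SFTP copy. The sample profiles it builds for its self-test are constructed stand-ins, not real PiVPN output.

```shell
#!/bin/sh
# Added example (not PiVPN's own code): sanity-check a client .ovpn profile before
# loading it into an OpenVPN client, and fingerprint it so the copy that arrived on
# the PC by USB stick or SFTP can be compared with the original.
set -eu

# has_directive FILE REGEX -> 0 if some line in FILE matches REGEX
has_directive() { grep -Eq "$2" "$1"; }

# check_ovpn_profile FILE -> 0 if the profile carries the protections the PiVPN text
# promises; otherwise prints every missing item on stderr and returns 1.
check_ovpn_profile() {
    f="$1"; rc=0
    # The server certificate must carry the TLS server EKU. Without this, any client
    # certificate issued by the same CA can impersonate the server (MITM).
    has_directive "$f" '^remote-cert-tls[[:space:]]+server' \
        || { echo "missing: remote-cert-tls server" >&2; rc=1; }
    # Control channel wrapped with tls-crypt (or at least tls-auth): the TLS handshake
    # itself is authenticated and the server ignores unkeyed probes
    has_directive "$f" '^(tls-crypt|tls-auth)[[:space:]]|^<(tls-crypt|tls-auth)>' \
        || { echo "missing: tls-crypt or tls-auth" >&2; rc=1; }
    # Data channel: AES in GCM (AEAD) or at least CBC, never BF-CBC or none
    has_directive "$f" '^(cipher|data-ciphers)[[:space:]]+.*AES-(128|192|256)-(GCM|CBC)' \
        || { echo "missing: AES cipher" >&2; rc=1; }
    # HMAC for the control channel (and for the data channel when CBC is used)
    has_directive "$f" '^auth[[:space:]]+SHA(256|384|512)' \
        || { echo "missing: auth SHA256 or stronger" >&2; rc=1; }
    # TLS 1.2 or newer on the control channel
    has_directive "$f" '^tls-version-min[[:space:]]+1\.[23]' \
        || { echo "missing: tls-version-min 1.2" >&2; rc=1; }
    # CA, client certificate and key must be embedded; a profile that references
    # external files silently picks up whatever is lying on the client machine
    for blk in ca cert key; do
        has_directive "$f" "^<$blk>" || { echo "missing: embedded <$blk>" >&2; rc=1; }
    done
    return $rc
}

# profile_is_private FILE -> 0 unless the file (it contains the private key) is readable by others
profile_is_private() { [ -z "$(find "$1" -perm -004)" ]; }

# profile_digest FILE -> SHA-256 hex digest; compute on the Pi, compare on the PC
profile_digest() { sha256sum "$1" | cut -d' ' -f1; }

# make_sample_profile FILE good|weak -> writes a constructed profile (stand-in text in
# place of real keys and certificates) used only for demonstration and the self-test
make_sample_profile() {
    f="$1"; kind="$2"
    {
        printf 'client\ndev tun\nproto udp\nremote vpn.example.org 1194\nnobind\npersist-key\npersist-tun\n'
        if [ "$kind" = good ]; then
            printf 'remote-cert-tls server\ntls-version-min 1.2\ncipher AES-256-GCM\nauth SHA256\n'
            printf '<tls-crypt>\n-----BEGIN OpenVPN Static key V1-----\nCONSTRUCTED\n-----END OpenVPN Static key V1-----\n</tls-crypt>\n'
        else
            printf 'cipher BF-CBC\nauth SHA1\n'
        fi
        printf '<ca>\nCONSTRUCTED\n</ca>\n<cert>\nCONSTRUCTED\n</cert>\n<key>\nCONSTRUCTED\n</key>\n'
    } > "$f"
}

# Usage: ./check_profile.sh client.ovpn   (exit status is non-zero if anything is wrong)
if [ $# -ge 1 ]; then
    check_ovpn_profile "$1" && profile_is_private "$1" && echo "ok $(profile_digest "$1")"
fi
```

Run it on the Pi against the file PiVPN generated in ./ovpns, note the digest, and run profile_digest again on the PC after the transfer; a mismatch means the copy was truncated or tampered with.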
Install the stack on a CT/VM
First spin up an Ubuntu 20.04 LTS server VM or CT, then:
- Run the base scripts 1-install.sh and 2-install.sh (see the post the-docker-stack)
- Make a directory pi
- Download and edit docker-compose.yml in ~/docker-stack/pi
- Start the stack (docker-compose up -d in ~/docker-stack/pi) and do the final steps (root hints, crontab)
The compose file can be downloaded from my GitHub or copied from below:

```sh
cd ~/docker-stack
mkdir pi
wget https://raw.githubusercontent.com/nallej/MyJourney/main/unboundpi.yml -O ~/docker-stack/pi/docker-compose.yml
```
The example code (the compose file, reindented; the flattened listing had lost the YAML nesting):

```yaml
version: "3.8"   # not on the page: docker-compose v1 needs it for the networks/ipam keys below

services:
  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    networks:
      kadulla:
        ipv4_address: 172.18.0.250
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      - 'TZ=Europe/Helsinki'
      # change this before starting; compose reads $$ as a literal $, so this
      # placeholder is stored as Pa$word
      - 'WEBPASSWORD=Pa$$word'
      # upstream is the Unbound container, so unbound.conf must listen on 5053.
      # Newer pihole images replace DNS1/DNS2 with PIHOLE_DNS_=172.18.0.251#5053
      - 'DNS1=172.18.0.251#5053'
      - 'DNS2=no'
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    restart: unless-stopped
    depends_on:
      - unbound

  unbound:
    container_name: piunbound
    image: mvance/unbound:latest
    networks:
      kadulla:
        ipv4_address: 172.18.0.251
    volumes:
      # unbound.conf, root.hints and a-records.conf live in ./unbound on the host
      - ./unbound:/opt/unbound/etc/unbound
      - ./unbound/a-records.conf:/opt/unbound/etc/unbound/a-records.conf:ro
    ports:
      - "5053:5053/tcp"
      - "5053:5053/udp"
    healthcheck:
      disable: true   # the image's built-in check probes the default port 53, which is not used here
    restart: unless-stopped

  pivpn:
    container_name: pivpn
    hostname: pivpn
    # the page listed two image: keys; a YAML mapping allows only one. pivpn/pivpn.io
    # looks like the project website, archef2000/pivpn is the Docker Hub image
    image: archef2000/pivpn
    volumes:
      - ./ovpns:/home/pivpn/ovpns
      - ./openvpn:/etc/openvpn
      - ./pivpn:/etc/pivpn/openvpn
    ports:
      # not on the page: the router forwards this port to the host, so the container
      # has to publish it; keep it equal to PORT below
      - "1194:1194/udp"
    environment:
      # the name clients dial; road warriors need your public hostname or DDNS name,
      # a .lan name only resolves inside the house
      - HOST=myserver.lan
      - PROTO=udp # or tcp
      - VPN=openvpn
      - PORT=1194 # change
      # optionals
      - CLIENT_NAME=pivpn
      - NET=10.8.0.0
      - TWO_POINT_FOUR=1 # or 0
      # client DNS: point these at Pi-hole (for example the host's LAN address) if VPN
      # clients should get ad blocking too; as written they bypass Pi-hole
      - DNS1=1.1.1.1 # Client DNS
      - DNS2=9.9.9.9 # Client DNS
      - INTERFACE=eth0 # your Interface
      - ENCRYPT=521 # 256, 384, or 521 (elliptic-curve key size)
      # if TWO_POINT_FOUR=0 then ENCRYPT needs to be 2048, 3072, or 4096 (RSA)
    # privileged hands the container every capability and all host devices. If the
    # image runs with it, cap_add: [NET_ADMIN] plus devices: [/dev/net/tun:/dev/net/tun]
    # is the least-privilege alternative
    privileged: true # True to run OpenVPN
    restart: unless-stopped
    networks:
      kadulla:
        ipv4_address: 172.18.0.254

networks:
  kadulla:
    # not on the page: the network must exist and its subnet must contain the static
    # addresses above. Use external: true instead if the base scripts already created it
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/16
```
See more info on Docker Hub.
Crontab
To edit the crontab you type crontab -e and create this script and condition or edit the /etc/crontab file for running as root.
Run the script, update_root.sh, every 4 months on the 1st morning at 4:00 and report possible errors into the cron.log.
cd ~/docker-stack/pi
nano update_root.sh
insert: 'wget https://www.internic.net/domain/named.root -O /home/USER-ID/docker-stack/pi/unbound/root.hints'
chmod +x update_root.sh
crontab -e
0 4 1 */4 * USER-ID /home/USER-ID/docker-stack/pi/root_update.sh >> /home/USER-ID/docker-stack/pi/cron.log
**EDIT** USER-ID and location of files
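A plain wget -O writes whatever it receives, so a failed download (an empty file, or the HTML page of a captive portal) would replace a good root.hints with garbage and Unbound would have no root servers after its next restart. The script below is an added example for this page, not the original update_root.sh: it downloads to a temporary file next to root.hints, accepts it only if it lists all 13 root servers, swaps it in with an atomic rename and then restarts the container. Assumed: the page's directory layout, the container name piunbound, and a constructed sample hints file that is used only by the self-test.

```shell
#!/bin/sh
# Added example, not from the original page: a validated replacement for the bare
# wget line in update_root.sh. Assumptions: the page's paths and the container name.
set -eu

HINTS_URL="https://www.internic.net/domain/named.root"
HINTS_DIR="${HINTS_DIR:-$HOME/docker-stack/pi/unbound}"
UNBOUND_CONTAINER="${UNBOUND_CONTAINER:-piunbound}"

# validate_root_hints FILE -> 0 if FILE looks like a complete root hints file.
# An empty file or an HTML error page must never replace the working root.hints.
validate_root_hints() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -qi '<html' "$f"; then return 1; fi
    # The root zone has exactly 13 name servers, A. to M.ROOT-SERVERS.NET.; require an
    # NS record and an IPv4 A record for every one of them
    ns=$(grep -Ec '^\.[[:space:]]+[0-9]+[[:space:]]+NS[[:space:]]+[A-M]\.ROOT-SERVERS\.NET\.' "$f" || true)
    a=$(grep -Ec '^[A-M]\.ROOT-SERVERS\.NET\.[[:space:]]+[0-9]+[[:space:]]+A[[:space:]]+[0-9.]+' "$f" || true)
    [ "$ns" -eq 13 ] && [ "$a" -eq 13 ]
}

# update_root_hints -> download to a temp file in the same directory, validate, rename
# into place (atomic on one filesystem) and restart Unbound, which reads hints at startup.
update_root_hints() {
    tmp=$(mktemp "$HINTS_DIR/root.hints.XXXXXX")
    if ! wget -q "$HINTS_URL" -O "$tmp" || ! validate_root_hints "$tmp"; then
        rm -f "$tmp"
        echo "$(date '+%F %T') downloaded root.hints failed validation, keeping the old file" >&2
        return 1
    fi
    chmod 644 "$tmp"                    # mktemp creates 0600; the container's unbound user must read it
    mv "$tmp" "$HINTS_DIR/root.hints"   # Unbound never sees a half-written file
    docker restart "$UNBOUND_CONTAINER" >/dev/null
    echo "$(date '+%F %T') root.hints updated"
}

# make_sample_hints FILE good|short -> a constructed file in the named.root format (not the
# real one) for the self-test; 'short' stops after J. and is therefore incomplete
make_sample_hints() {
    f="$1"
    last=$([ "$2" = good ] && echo M || echo J)
    printf ';   constructed sample in the named.root format\n' > "$f"
    for l in A B C D E F G H I J K L M; do
        printf '.\t3600000\tNS\t%s.ROOT-SERVERS.NET.\n' "$l" >> "$f"
        printf '%s.ROOT-SERVERS.NET.\t3600000\tA\t192.0.2.1\n' "$l" >> "$f"
        if [ "$l" = "$last" ]; then break; fi
    done
}

# Usage: update_root.sh run   (no argument: only define the functions)
if [ "${1:-}" = run ]; then
    update_root_hints
fi
```

Install it as update_root.sh and use 0 4 1 */4 * /home/USER-ID/docker-stack/pi/update_root.sh run >> /home/USER-ID/docker-stack/pi/cron.log 2>&1 as the cron line; a rejected download shows up in cron.log with its timestamp and the old file stays in place.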