trinib / AdGuard-WireGuard-Unbound-Cloudflare

Licence: MIT License
The Ultimate Network Security Guide 🔒 Protection | 🔎 Privacy | 🚀 Performance on home network 24/7 🕛 Accessible anywhere 🌐



Features

AdGuard Home: block ads on all your devices (compared to Pi-hole)

WireGuard: VPN server at home, accessible from any outside network (IPv4 & IPv6)

Unbound with Stubby: a validating, recursive, caching DNS resolver

Cloudflare: better performance & security when browsing websites (DoT & DoH)

All software is free, open-source and self-hosted.


DNS query speed with BIND's dig tool 🧪

Results from google.com in milliseconds:

  • AdGuard default DNS resolvers - 60-70 msec
  • Public Cloudflare/Quad9/Google DNS Resolvers - 50-70 msec
  • This set up/configuration - 5-10 msec
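To reproduce the dig timings above on your own network, here is an added example (not from the README) that sends a raw UDP DNS query for google.com and times the round trip, querying each resolver twice so the second, cached answer from the Pi can be compared with the first. The Pi address 192.168.1.2 is a placeholder; replace it with your Pi's IP.

```python
# Added example (not from the README): time a plain UDP DNS query the way
# `dig` does, against the Pi (AdGuard -> Unbound) and a public resolver.
import socket
import struct
import time

TXID = 0x1234  # fixed transaction id, checked against the response


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS query for an A record with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags=RD, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_answer_count(resp: bytes, txid: int = TXID) -> int:
    """Return ANCOUNT; raise if the id does not match or the server set an error RCODE."""
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    return ancount


def time_query(resolver: str, name: str = "google.com", port: int = 53,
               timeout: float = 2.0) -> float:
    """Send one query over UDP and return the round-trip time in milliseconds."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (resolver, port))
        resp, _ = sock.recvfrom(512)
    parse_answer_count(resp)
    return (time.perf_counter() - start) * 1000


if __name__ == "__main__":
    # Placeholder Pi address; 1.1.1.1 is Cloudflare's public resolver.
    for label, ip in [("Pi / this set up", "192.168.1.2"), ("Cloudflare", "1.1.1.1")]:
        cold, warm = time_query(ip), time_query(ip)   # second answer should be cached
        print(f"{label:18s} cold {cold:6.1f} ms   warm {warm:6.1f} ms")
```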
Preview 🎥

AdGuard default DNS vs this set up ⭐ :

vid.mp4

Public Cloudflare/Quad9/Google DNS resolvers :

vid2.mp4


Last Checked ⏰ : 17 April 2022

Project       Status
AdGuard Home  ✅
Unbound       ✅
Cloudflare    ✅
Stubby        ✅
WireGuard     ✅


Requirements

This tutorial is based on a Raspberry Pi, but you can use any Linux operating system (32/64-bit), any hardware, or a VPS.
(Raspberry Pi OS is the simplest and is recommended for the Pi; for more experienced users, DietPi OS is also recommended.)

  • A Raspberry Pi 3 or 4 version
  • A router that supports port forwarding (most do)
  • MicroSD USB card reader
  • MicroSD card (8GB or bigger, at least Class 4)
  • Ethernet cable
  • (Optional, if using a monitor) micro-HDMI (RPi 4) or HDMI (RPi 3) cable

Install Raspberry Pi OS

Raspberry Pi OS comes in desktop and lite versions (use lite for headless mode). You can access a Raspberry Pi with a monitor/keyboard/mouse or connect via SSH from a terminal.

Install balenaEtcher and download the Raspberry Pi OS image to write to the microSD card.

After you have Etcher installed and Raspberry Pi OS file downloaded, you can now insert the SD card with microSD USB card reader into your computer.

  • Launch Etcher and choose the Raspberry Pi OS image that you downloaded, select your microSD card and click Flash.

After flashing is done, look in “This PC” for a disk named “boot” or a USB drive (re-plug the USB card reader if it is not seen). Go to that disk and create a new empty text file called ssh, without the .txt extension. Disable “Hide extensions for known file types” in the File Explorer options if you don't see the extension.

Place the SD card into the Raspberry Pi, plug in the Ethernet cable and boot up.

Access Pi OS with SSH

  • Wait for a minute for Pi's first boot up

  • Open browser and log in your router's panel page

  • Find list of all devices connected to your network and copy the IP address of the Raspberry Pi (it will most likely have the hostname raspberrypi)

  • Open a terminal on your host machine. You can use PowerShell on Windows or RaspController on Android.

Type the following command:

ssh pi@<Pi's IP address>

You can use the right mouse button to paste text in Windows PowerShell.

Type “yes” for the fingerprint question, and type "raspberry" for the default password (passwords are invisible on the command line). You can type sudo passwd pi to change the password.

Run in terminal:

sudo apt update -y && sudo apt upgrade -y

Reboot when finished

sudo reboot


Install AdGuard Home

This installation script is from the AdGuard Home main project; follow it to keep up to date.

Run the following command in your terminal:

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
  • When installation is finished, a window will pop up in terminal showing links to your AdGuard home page(Get Started)

  • IMPORTANT: In Listen Interfaces option choose Eth0 and select next

  • Set up username & password and login into admin panel

  • IMPORTANT: In general settings, set "Query logs retention" to 24 hours. (I read that for some people the logs fill up, which slows down the Pi and needs a reboot.)

Set up your devices to work with AdGuard

  • For Android/Apple, go to WiFi advanced settings and select static option. In DNS 1 field enter "Pi's IP" address

  • For PC/Windows

    • IPv4

    Go to network settings / change adapter options, right click the adapter, select Properties, then select "Internet Protocol Version 4 (TCP/IPv4)". Enter the Pi's IP address as the Preferred DNS server.

    • IPv6 (needed for DoH & DoT to work later on in guide if using IPv6 on your router)

    Go to "Internet Protocol Version 6 (TCP/IPv6)" and enter ::1 as the preferred DNS server.

OPTIONAL: You can add a backup DNS in the alternative fields

BE AWARE: On Android, adding a public DNS in the second field breaks AdGuard ad blocking.

Setting up AdGuard blocklist

In AdGuard homepage under filters, select DNS blocklist section for adding URLs.

You can search Google for different blocklists. Here is my custom blocklist[click here] with my URLs, or build your own from these sources[click here].

IMPORTANT: Some blocklists can block important content or websites. To unblock a domain, go to the "Query Log" section; an unblock option appears when the cursor hovers over a query, and the unblocked website is put in "Custom filtering rules", for example: @@||bitly.com^$important. Look for the client IP & time to find the query.

Add/Remove multiple URLs

For now you can only add URLs one by one in the AdGuard DNS blocklist, but there is a Python script to add multiple URLs at once.

Open a new .py file (bulkurls.py):

nano bulkurls.py

Then copy and paste script configurations[click here]. Set your AdGuard credentials and save (control+x then y then enter).

If using DietPi, install pip and requests, since they are not installed by default: sudo apt-get install python3-pip -y && pip install requests

To run: sudo python3 bulkurls.py

To remove URLs instead, change add to remove in the second-to-last line of the bulkurls.py file.

Go to https://d3ward.github.io/toolz/adblock.html to test whether ads are being blocked.


Install Unbound

Run the following command in your terminal:

sudo apt install unbound -y

To recursively resolve a name that is not already cached, the resolver has to start at the top of the server tree and query the root servers to find out which servers are authoritative for the top-level domain of the name being queried. Unbound comes with built-in default hints, but you can download a current copy:

wget -O root.hints https://www.internic.net/domain/named.root && sudo mv root.hints /var/lib/unbound/

IMPORTANT: This file needs to be updated every 6 months. To auto-update root.hints every 6 months you need to create a cron job.

Enter crontab -e on the command line; it will ask you to select an editor (choose 1). Paste these lines at the bottom of the crontab and save (control+x, then y, then enter):

1 0 1 */6 * wget -O root.hints https://www.internic.net/domain/named.root
2 0 1 */6 * sudo mv root.hints /var/lib/unbound/
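The wget -O in the cron job above creates root.hints before the transfer starts, so a failed download leaves an empty file that the mv then installs over Unbound's working copy. This added example (not part of the README) downloads to a temporary file, checks that the content parses as root hints, and only then replaces /var/lib/unbound/root.hints atomically; the sample hints text inside it is constructed for the self-check, and the URL and path are the ones from the README.

```python
# Added example (not part of the README): refresh Unbound's root.hints only
# after checking that the download really is a root hints file.
import os
import tempfile
import urllib.request

ROOT_HINTS_URL = "https://www.internic.net/domain/named.root"   # URL from the README
UNBOUND_HINTS = "/var/lib/unbound/root.hints"                   # path from the README

# Constructed sample in named.root format (comments start with ';'); the real
# file lists all 13 root servers, this one only two.
SAMPLE_HINTS = """\
; constructed sample, not the real file
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
"""


def parse_root_hints(text):
    """Return {'ns': [root server names], 'a': count, 'aaaa': count}.

    Raises ValueError on any line that is not a root NS / A / AAAA record.
    """
    ns, a, aaaa = [], 0, 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected line: {line!r}")
        owner, _ttl, rtype, rdata = fields
        if rtype == "NS" and owner == ".":
            ns.append(rdata)
        elif rtype == "A":
            a += 1
        elif rtype == "AAAA":
            aaaa += 1
        else:
            raise ValueError(f"unexpected record: {line!r}")
    return {"ns": ns, "a": a, "aaaa": aaaa}


def looks_like_root_hints(text):
    """Sanity check before installing: require at least 10 of the 13 root NS
    records and at least one address per server, so an empty, truncated or
    HTML error-page download is rejected."""
    try:
        info = parse_root_hints(text)
    except ValueError:
        return False
    return len(info["ns"]) >= 10 and info["a"] + info["aaaa"] >= len(info["ns"])


def update_root_hints(url=ROOT_HINTS_URL, dest=UNBOUND_HINTS):
    """Download, validate, then atomically replace dest. Returns True on update."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        data = resp.read().decode("ascii", errors="replace")
    if not looks_like_root_hints(data):
        return False                               # keep the existing file
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest), prefix=".root.hints.")
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    os.chmod(tmp, 0o644)
    os.replace(tmp, dest)                          # atomic rename on the same filesystem
    return True


if __name__ == "__main__":
    print("updated" if update_root_hints() else "download rejected, kept old root.hints")
```

Run it with sudo from the cron job in place of the two wget/mv lines; Unbound reads root.hints at start, so restart it afterwards (sudo systemctl restart unbound).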

If using DietPi, you need to install resolvconf and restart unbound-resolvconf.service so the system uses Unbound at 127.0.0.1 as its nameserver:

sudo apt-get install resolvconf -y && sudo systemctl restart unbound-resolvconf.service


Install Cloudflare

Set up Cloudflared (DoH)

[click here]

Configure Cloudflare (DoT) on Unbound

Create the Unbound configuration file by entering at the command prompt:

sudo nano /etc/unbound/unbound.conf.d/unbound.conf

And copy and paste all the text from this unbound.conf file[click here] and save (control+x then y then enter).

Configure Stubby for Unbound

Use Unbound for caching and Stubby as a TLS forwarder. Install Stubby:

sudo apt install stubby -y

Remove and re-create the stubby.yml file:

cd /etc/stubby/ && sudo rm stubby.yml && sudo nano stubby.yml

And copy and paste all the text from this stubby config file[click here] and save (run cd to return to the home folder when finished).

  • Restart unbound & stubby and check status:
sudo systemctl restart unbound stubby ; systemctl status unbound stubby -l

Configure AdGuard with Cloudflare(DoH&DoT)

  • In AdGuard homepage under settings select "DNS settings"

  • Delete everything from "Upstream" and "Bootstrap DNS" server options and enter:

    • For DNS over TLS(DoT) add 127.0.0.1:53 in both "Upstream" and "Bootstrap DNS" server fields
    • For DNS over HTTPS(DoH) add 127.0.0.1:5053 in both "Upstream" and "Bootstrap DNS" server fields
    • For TLS forwarder(stubby) add 127.0.0.1:8053 in both "Upstream" and "Bootstrap DNS" server fields
  • IMPORTANT: You need to check the "Parallel requests" option so the DNS resolvers are queried simultaneously.

  • Then in DNS settings, look for the DNS cache configuration section and set the cache size to 0 (caching is already handled by Unbound) and click apply.

Click apply and test upstreams (you might get an error on the first test only).

IMPORTANT: Windows systems & Android browsers need some tweaking to stabilize the DNS resolvers. Linux works fine (tested on Mint).

Windows

  • Install Acrylic DNS Proxy: https://mayakron.altervista.org/support/acrylic/Home.htm

  • Go to C:\Program Files (x86)\Acrylic DNS Proxy and open the AcrylicConfiguration.ini file. Delete everything and copy in these settings[click here], changing only PrimaryServerAddress to your Pi's address.

  • In same folder run RestartAcrylicService.bat & PurgeAcrylicCacheData.bat

TIP: Troubleshoot IP/DNS Commands

ipconfig /release
ipconfig /renew
ipconfig /flushdns

Android

  • In whatever browser you use, turn off Use Secure DNS option.

  • Be aware that conflicts can occur with custom ROMs & kernels on rooted devices that have build.prop DNS tweaks, or with apps/Magisk modules.

That's it. Now go to https://1.1.1.1/help in a browser and you should see 'Yes' for these options:

  • Connected to 1.1.1.1
  • DNS over HTTPS(DoH)
  • DNS over TLS(DoT)
  • DNS over WARP

Other sites to check security

https://browserleaks.com/dns - should show all connected to "Cloudflare"

https://www.cloudflare.com/ssl/encrypted-sni/ - "Secure DNS / DNSSEC / TLS 1.3" should all be a green tick

https://dnssec.vs.uni-due.de/ - should say "Yes, your DNS resolver validates DNSSEC signatures"


Install WireGuard

Before installing WireGuard: if you do not have a static IP, your external IP address changes dynamically (it is assigned by your ISP), so you need to get a free dynamic DNS subdomain and set up a dynamic DNS service[click here]. Otherwise skip this step.

You also need to set up port forwarding on your router so you can reach WireGuard from outside your network, for example from a coffee shop hotspot or your mobile data.

Type                                Value
Device                              Raspberry Pi's hostname or IP
Protocol                            UDP
Port range                          51820-51820
Outgoing port                       51820
Permit Internet access (if present) yes

My router's 👇port settings👇 are shown below. Yours may be different, but you'll get the idea; remember the Google 🔍search engine🔎 is your friend. If you cannot connect from an outside network, that means your ISP has blocked the connection; you can call them and ask nicely to get it working.


👊BIG THANKS👊 to Nyr for this installation script. Follow it to keep up to date.

Run in terminal

wget https://git.io/wireguard -O wireguard-install.sh && sudo bash wireguard-install.sh
  • The script is going to ask you for the public IPv4 address/hostname for the VPN. If you have a static IP then continue; otherwise type the dynamic DNS domain that you created from the instructions, for example: trinibvpn.freeddns.org

  • For the port option press enter for the default 51820. For the client name, put any name you want, and for DNS use option 3 (1.1.1.1) for now. You will configure AdGuard/Unbound/Cloudflare with the VPN after the installation is finished.

  • Wait until the installation is finished and the QR code is shown; don't close the terminal. If you do, regenerate the QR code by entering the following in the terminal, replacing only yourclientname.conf with your client's file name:
sudo cp /root/yourclientname.conf /home/pi && sudo qrencode -t ansiutf8 < yourclientname.conf

IMPORTANT: You will need to add a new user/client for each device you use with the VPN. To add a new user, simply re-run the script and create user with different client name.

Use OpenVPN[click here]

Connecting VPN to Android/iOS Phone

Install the WireGuard app from Google Play or App Store:

WireGuard (Google Play): https://play.google.com/store/apps/details?id=com.wireguard.android

WireGuard (App Store): https://apps.apple.com/us/app/wireguard/id1441195209

You need to scan the QR code shown in the terminal with WireGuard app, select the + button and use the option Scan from QR code to install configuration.

IMPORTANT: Enable kernel module backend in settings

Connecting VPN to Windows

WireGuard for windows: https://download.wireguard.com/windows-client/wireguard-installer.exe

  • Create a new text document with any name on the PC to copy & paste the text from the WireGuard client configuration file into.

  • To see text in client config file, type in terminal:

sudo cat /root/yourclientname.conf
  • Highlight all the text, copy and paste it in the txt file on PC and save. Then rename the extension from txt to conf. Now you have config file for that WireGuard client.

  • You can now import the config file to WireGuard (import from file option).

Configure WireGuard with Adguard/Unbound/Cloudflare

Remember this is for when you are connected to the WireGuard VPN on an outside network or at home 24/7, because you already have AdGuard/Unbound/Cloudflare set up and running on your devices manually. (No issue having both set up, in my experience.)

  • In WireGuard app, select your tunnel and select edit (pencil on top right)

  • Under DNS servers enter Pi's IP and save (IPv4 & IPv6)

Limit traffic

With WireGuard you will lose about 50% of your internet speed, because of the process of tunnelling through the Pi to the router to your devices.

Delete the "0.0.0.0/0, ::/0" entry in Allowed IPs, because it routes all traffic through your home network, which will be slow. You need to send only traffic for your home addresses through the tunnel.

  • First, replace it with your network gateway address, with the last number set to zero and the prefix length set to 24. For example: 192.168.1.1/24 becomes 192.168.1.0/24, or for my ISP router, 192.168.100.1/24 becomes 192.168.100.0/24. Now I only lose 25% speed😁 (PS: using a 5G network).

UPDATE: After a WireGuard update I no longer get a faster speed doing this😞, but it still makes sense not to use "0.0.0.0/0, ::/0" on WiFi. If anyone knows any tweaks to get a boost, let me know.

PLEASE READ!! BE AWARE!!

IMPORTANT: If your network has device IP addresses that end in a 3-digit number (more than 24), for example 192.168.100.254, you will not be able to route properly from an outside network, because applying 24 only allows numbers 1 through 24. Instead you need to put 0 to route outside the 24 range, for example: 192.168.100.0/0.

Or you can change the IP range on your router (in my experience you might get slightly better speeds, because it will not route unnecessary allowed IP addresses beyond the 24 range).

IPv6

If you are using IPv6, when connected to WiFi you need to enter fe80::1/0 in the WireGuard allowed IPs as well. For example: 192.168.100.0/0, fe80::1/0

When connected to Ethernet cable on a windows PC, you need to enter ::1 in IPv6 address in "Internet Protocol Version 6(TCP/IPv6)" preferred DNS server.

Then go to https://ipv6leak.com/ and you should see "Your IPv6 is not leaking".
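To see what an AllowedIPs entry actually routes before you commit it to the tunnel, here is an added example (not part of the README) that uses Python's ipaddress module to normalize each entry the way WireGuard matches it (by prefix length only, so host bits beyond the prefix do not narrow the match) and to test whether a given LAN address falls inside the list. It covers the IPv4 entries from the Limit traffic section above as well as the fe80::1/0 IPv6 entry; the LAN addresses are the README's own examples.

```python
# Added example (not part of the README): check what a WireGuard AllowedIPs
# line routes into the tunnel. WireGuard matches destinations by prefix, so
# "192.168.100.0/0" means the same as "0.0.0.0/0" (everything over IPv4).
import ipaddress


def split_entries(entries: str):
    """Parse a comma-separated AllowedIPs value into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries.split(",") if e.strip()]


def normalize_allowed_ip(entry: str) -> str:
    """Return the effective network for one entry, host bits masked off."""
    return str(ipaddress.ip_network(entry.strip(), strict=False))


def allowed_ips_cover(entries: str, address: str) -> bool:
    """True if `address` would be sent through the tunnel by this AllowedIPs list."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in split_entries(entries))


def routes_everything(entries: str) -> bool:
    """True if the list contains a default route (/0) for IPv4 or IPv6: full tunnel."""
    return any(net.prefixlen == 0 for net in split_entries(entries))


if __name__ == "__main__":
    for line in ["0.0.0.0/0, ::/0", "192.168.100.1/24", "192.168.100.0/0, fe80::1/0"]:
        effective = ", ".join(normalize_allowed_ip(e) for e in line.split(","))
        print(f"{line:28s} -> {effective:22s} full tunnel: {routes_everything(line)}")
    # A /24 spans .0 to .255, so the README's .254 example host is covered by it.
    print("192.168.100.254 in 192.168.100.0/24:",
          allowed_ips_cover("192.168.100.0/24", "192.168.100.254"))
```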

Disable all IPv6

Disable IPv6 if you don't have it or don't want it[click here]. If you have a weak internet connection, disabling IPv6 can speed up DNS requests, but you get less security.

Test VPN

How do you know if WireGuard VPN is really working?

For windows download Wireshark: https://www.wireshark.org/#download

Once downloaded, you can use the application to inspect your data packets, filtering on the protocol used by the WireGuard VPN. When the traffic is encrypted, it reads like this, for example:

For android you can use PCAPdroid: https://play.google.com/store/apps/details?id=com.emanuelef.remote_capture&hl=en&gl=US

You should see all connections closed, with the status showing only DNS and no TLS connections in any app (open and use apps so PCAPdroid can scan them).



Auto Update Pi

  • Open a new sh file called update.sh and copy & paste the script[click here]:
sudo nano update.sh
  • Set permissions:
sudo chmod 700 update.sh
  • Open the cron file by entering crontab -e on the command line, copy & paste the job line below at the bottom of the cron file and save (the redirects send both output and errors to the log file):
0 3 * * WED sudo /home/pi/update.sh >/home/pi/updatelog 2>&1

Pi will now update every Wednesday at 3am. Or you can go to https://crontab.guru/ and set your own time schedule.

To adjust the Pi's date/timezone, enter in the terminal:

sudo dpkg-reconfigure tzdata

or set manually

sudo date -s "25 DEC 2012 11:14:00"

Install Log2Ram

One of the most significant advantages of offloading logs to RAM is that it improves your SD card’s potential lifespan. Log files are among the things written to most by the various pieces of software you install. By keeping the files in RAM, you control how often they are written to the SD card, and you can still access them as if they sat on the SD card.

Manually: copy and paste this line in the terminal:

wget https://git.io/log2ram -O Log2Ram-Script.sh && sudo chmod +x Log2Ram-Script.sh && sudo ./Log2Ram-Script.sh

or

Add the repo source (auto update):

echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/azlux.list
sudo wget -O /usr/share/keyrings/azlux-archive-keyring.gpg  https://azlux.fr/repo.gpg
sudo apt update
sudo apt install log2ram

Turn off Pi LED lights

I guess the power to the LEDs is unnecessary electricity and heat 🤷😅; there's no need for them anyway if the Pi is just used as a network server. Open the cron file by entering crontab -e on the command line, copy & paste the job lines below at the bottom of the cron file and save.

Green

@reboot echo none | sudo tee /sys/class/leds/led0/trigger

Red

@reboot echo none | sudo tee /sys/class/leds/led1/trigger

Reboot Pi.

Secure your Raspberry Pi

[click here]

(I just use Fail2Ban and change the SSH port.)



ANY ISSUES, FIXES OR TIPS TO MAKE THESE PROJECTS BETTER, PLEASE CONTRIBUTE 🤖




Repository Resources

https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started

https://developers.cloudflare.com/

https://docs.pi-hole.net/guides/dns/cloudflared/

https://docs.pi-hole.net/guides/dns/unbound/

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

https://dnsprivacy.org/dns_privacy_clients/

https://github.com/anudeepND/pihole-unbound

https://github.com/stong/unbound.conf.d

https://github.com/Nyr/wireguard-install

https://github.com/azlux/log2ram


F.A.Q

Frequently asked questions[click here]
