Features
AdGuard Home : Block ads on all your devices( compared to Pi-Hole )
WireGuard : VPN server at home accessible from any outside network(IPv4 & IPv6)
Unbound with Stubby : A validating, recursive, caching DNS resolver
Cloudflare : Better performance & security when browsing websites(DoT & DoH)
All software are free, open-source and self-hosted
About
BIND'S dig Tool ๐งช
DNS query speed with Results from google.com in milliseconds:
- AdGuard default DNS resolvers -
60-70 msec
- Public Cloudflare/Quad9/Google DNS Resolvers -
50-70 msec
- This set up/configuration -
5-10 msec
Preview๐ฅ
AdGuard default DNS vs this set up
vid.mp4
Public Cloudflare/Quad9/Google DNS resolvers :
vid2.mp4
Last Checked
Projects | Status |
---|---|
AdGuard Home | |
Unbound | |
Cloudflare | |
Stubby | |
WireGuard |
Table of contents
- Requirements
- Install Raspberry Pi OS
- Install AdGuard Home
- Install Unbound
- Install Cloudflare
- Install WireGuard or OpenVPN(slower)
- Test Vpn
- Auto update Pi
- Install Log2ram
- Turn Off Pi LEDs
- Secure your Raspberry Pi
- Repository Resources
- F.A.Q
Requirements
This tutorial is based on Raspberry Pi, but you can use any Linux operating system(๐น๐ธ/๐ผ๐บbit), any hardware or a VPS.
(Raspberry Pi OS is most simple and recommended for Pi or for more experience users, DietPi OS is also recommended)
- A Raspberry Pi 3 or 4 version
- A router that supports port forwarding(Most Can)
- MicroSD USB card reader
- MicroSD card (8GB or bigger, at least Class 4)
- Ethernet cable
- (Optional if using monitor) MicroHDMI-(RPi 4) or HDMI-(RPi 3)
Install Raspberry Pi OS
Raspberry Pi OS comes in desktop and lite versions(use lite for headless mode). You can access a Raspberry Pi with a monitor/keyboard/mouse or connect via SSH from a terminal.
Install balenEtcher and download Pi image to write on the microSD card.
-
Download Raspberry Pi OS: https://www.raspberrypi.org/software/operating-systems/
-
Download balenaEtcher: https://www.balena.io/etcher/
After you have Etcher
installed and Raspberry Pi OS
file downloaded, you can now insert the SD card with microSD USB card reader into your computer.
- Launch Etcher and choose the Raspberry Pi OS image that you downloaded, select your microSD card and click
Flash
.
After flashing is done, look in "This PCโ for a disk name โboot or USB driveโ (re-plug USB card reader if not seen). Go to that disk, create a new text file called ssh without 'txt' extension
. Disable โHide extensions for known file typesโ in the file explorer options if you don't see it.
Place SD card into the Raspberry Pi, plug in Ethernet cable and boot up
Access Pi OS with SSH
-
Wait for a minute for Pi's first boot up
-
Open browser and log in your router's panel page
-
Find list of all devices connected to your network and copy the IP address of the Raspberry Pi (it will most likely have the hostname
raspberrypi
) -
Open terminal on your host machine. You can use powerShell on Windows or RaspController for android.
Type the following command:
ssh pi@pi's IP address
You can use right mouse button to paste text in Windows powerShell.
Type โyesโ for fingerprint question, and type "raspberry" for default password(passwords will be invisible in command line). You can type sudo passwd pi
to change password.
Run in terminal:
sudo apt update -y && sudo apt upgrade -y
Reboot when finished
sudo reboot
Install AdGuard Home
This installation script is from AdGuard Home main project. Follow to keep updated.
Run the following command in your terminal:
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
-
When installation is finished, a window will pop up in terminal showing
links
to your AdGuard home page(Get Started) -
IMPORTANT:
In Listen Interfaces option chooseEth0
and select next
-
Set up username & password and login into admin panel
-
IMPORTANT:
In general settings, set "Query logs retention" to24 hours
. (I read that for some people logs fill up which slows down Pi and needing a reboot)
Set up your devices to work with AdGuard
- For Android/Apple, go to WiFi advanced settings and select static option. In
DNS 1
field enter "Pi's IP" address
-
For PC/Windows
- IPv4
Go to network settings / change adapter options and right click in properties then select "Internet Protocol Version 4(TCP/IPv4)". Enter Pi's IP address in
Preferred DNS
server.- IPv6 (needed for
DoH
&DoT
to work later on in guide if using IPv6 on your router)
Go to "Internet Protocol Version 6(TCP/IPv6)" Enter
::1
OPTIONAL:
You can add a backup DNS in the alternative fields
BE AWARE:
In android, adding a public DNS in second field breaks AdGuard ad blocking
Setting up AdGuard blocklist
In AdGuard homepage under filters, select DNS blocklist section for adding URLs.
You can search Google for different blocklist. Here is my custom blocklist[click here] with my URLs or build your own from these sources[click here].
IMPORTANT:
Some blocklist can block some important contents or websites. To unblock go "Query Log" section and will see unblock option when cursor is hovered over a query, putting unblocked websites it in "Custom filtering rules" example: @@||bitly.com^$important
. Look for client IP & time.
Add/Remove multiple URLs
You can only add one by one URL in DNS blocklist with AdGuard for now but there is a python script to add multiple URLs at once.
Open new py file(bulkurls.py) :
nano bulkurls.py
Then copy and paste script configurations[click here]. Set your AdGuard credentials
and save (control+x then y then enter).
If using DietPi install sudo apt-get install python3-pip -y && pip install requests
for its not install by default.
To run : sudo python3 bulkurls.py
To remove you need to change add
in second of last line to remove
in bulkurls.py file.
Go to https://d3ward.github.io/toolz/adblock.html to test if ads are blocking
Install Unbound
Run the following command in your terminal:
sudo apt install unbound -y
For recursively querying a host that is not cached as an address, the resolver needs to start at the top of the server tree and query the root servers, to know where to go for the top level domain for the address being queried. Unbound comes with default builtin hints.
wget -O root.hints https://www.internic.net/domain/named.root && sudo mv root.hints /var/lib/unbound/
IMPORTANT:
This needs to update every 6 months. To auto update root.hints every 6 months you need to create a cron job.
Enter in command line crontab -e
, it will ask select an editor(choose 1) and paste these lines at the bottom of crontab and save (control+x then y then enter):
1 0 1 */6 * wget -O root.hints https://www.internic.net/domain/named.root
2 0 1 */6 * sudo mv root.hints /var/lib/unbound/
If using DietPi you need to install resolvconf and restart unbound-resolvconf.service to set unbound nameserver to 127.0.0.1 :
sudo apt-get install resolvconf -y && sudo systemctl restart unbound-resolvconf.service
Install Cloudflare
(DoH)
Setup for Cloudflared
(DoT)
on Unbound
Configure Cloudflare Create unbound configuration file by entering in command prompt:
sudo nano /etc/unbound/unbound.conf.d/unbound.conf
And copy and paste all the text from this unbound.conf file[click here] and save (control+x then y then enter).
Configure Stubby for Unbound
Use Unbound for caching and stubby as a TLS forwarder. Install stubby:
sudo apt install stubby -y
Remove and re-create stubby.yaml file:
cd /etc/stubby/ && sudo rm stubby.yml && sudo nano stubby.yml
And copy and paste all the text from this stubby config file[click here] and save. (cd
to return to home folder when finish).
- Restart unbound & stubby and check status:
sudo systemctl restart unbound stubby ; systemctl status unbound stubby -l
Cloudflare(DoH&DoT)
Configure AdGuard with -
In AdGuard homepage under settings select "DNS settings"
-
Delete everything from "Upstream" and "Bootstrap DNS" server options and enter:
- For
DNS over TLS(DoT)
add127.0.0.1:53
in both "Upstream" and "Bootstrap DNS" server fields - For
DNS over HTTPS(DoH)
add127.0.0.1:5053
in both "Upstream" and "Bootstrap DNS" server fields - For
TLS forwarder(stubby)
add127.0.0.1:8053
in both "Upstream" and "Bootstrap DNS" server fields
- For
-
IMPORTANT:
You need to check "Parallel Request" option for DNS resolvers to work simultaneously.
- Then in DNS setting look for DNS cache configuration section and set cache size to
0
(caching is already handled by the Unbound) and click apply.
Click apply and test upstreams(might get a error in the first testing only).
IMPORTANT:
Windows system & Android browsers need some tweaking to stabilize
DNS resolvers..Linux works fine(tested on mint)
Windows
-
Install Acrylic DNS Proxy: https://mayakron.altervista.org/support/acrylic/Home.htm
-
Go to
C:\Program Files (x86)\Acrylic DNS Proxy
and openAcrylicConfiguration.ini
file. Delete everything and copy these settings[click here], only change PrimaryServerAddres to your Pi's address. -
In same folder run
RestartAcrylicService.bat
&PurgeAcrylicCacheData.bat
TIP:
Troubleshoot IP/DNS Commands
ipconfig /release
ipconfig /renew
ipconfig /flushdns
Android
-
In whatever browser you use, turn off
Use Secure DNS
option. -
Be aware conflicts can occur with custom rooted roms&kernels with build.prop DNS tweaks or apps/Magisk module.
https://1.1.1.1/help in browser and you should see these options output 'Yes'.
Thats it. Now go to- Connected to 1.1.1.1
- DNS over HTTPS(DoH)
- DNS over TLS(DoT)
- DNS over WARP
Other sites to check security
https://browserleaks.com/dns - should show all connected to "Cloudflare"
https://www.cloudflare.com/ssl/encrypted-sni/ - "Secure DNS / DNSSEC / TLS 1.3" should all be a green tick
https://dnssec.vs.uni-due.de/ - should say "Yes, your DNS resolver validates DNSSEC signatures"
Install WireGuard
Before installing WireGuard, if you do not have a static IP you need to get a free Dynamic DNS Subdomain
or else your external IP address changes dynamically from your ISP so you'll need to set up a dynamic DNS service[click here]. Or else skip the step.
You also need to set up port forwarding on your router so you can access WireGuard outside of our network like in a coffee shop hotspot or your mobile data.
TYPE | VALUE |
---|---|
Device | Raspberry Pi's hostname or IP |
Protocol | UDP |
Port range | 51820-51820 |
Outgoing port | 51820 |
Permit Internet access(if have) | yes |
My
Run in terminal
wget https://git.io/wireguard -O wireguard-install.sh && sudo bash wireguard-install.sh
-
The script is going to ask you for Public IPv4/hostname for the VPN. If you have static IP then continue or else type the dynamic DNS domain that you created from the instructions. For example:trinibvpn.freeddns.org
-
For port option
press enter
for default 51820. For client name, just put any name you want, and for DNS use option 3 (1.1.1.1
) for now. You will configureAdGuard/Unbound/Cloudflare
with the VPN after its finished installed.
- Wait until the installation is finished and QR code to show, don't close. But if you do, to
regenerate qrcode
, enter in terminal but replacing just the nameyourclientname.conf
file to yours:
sudo cp /root/yourclientname.conf /home/pi && sudo qrencode -t ansiutf8 < yourclientname.conf
IMPORTANT:
You will need to add a new user/client for each device you use with the VPN. To add a new user, simply re-run the script and create user with different client name.
Use OpenVPN[click here]
Connecting VPN To Android/IOS Phone
Install the WireGuard app from Google Play or App Store:
WireGuard (Google Play): https://play.google.com/store/apps/details?id=com.wireguard.android
WireGuard (App Store): https://apps.apple.com/us/app/wireguard/id1441195209
You need to scan the QR code shown in the terminal with WireGuard app, select the + button
and use the option Scan from QR code
to install configuration.
IMPORTANT
: Enable kernel module backend in settings
Connecting VPN to Windows
WireGuard for windows: https://download.wireguard.com/windows-client/wireguard-installer.exe
-
Create a
new text document
with any name on PV to copy&paste the text from WireGuard client configuration file. -
To see text in client config file, type in terminal:
sudo cat /root/yourclientname.conf
-
Highlight all the text, copy and paste it in the txt file on PC and save. Then rename the extension from
txt
toconf
. Now you have config file for that WireGuard client. -
You can now import the config file to WireGuard (import from file option).
Adguard/Unbound/Cloudflare
Configure WireGuard with Remember this is for when you are connected to WireGuard VPN on an outside network or at home 24/7 cause you already have AdGuard/Unbound/Cloudflare set up and running on your devices manually. (no issue having both set up fro my experience)
-
In WireGuard app, select your tunnel and select edit (pencil on top right)
-
Under DNS servers enter
Pi's IP
and save (IPv4 & IPv6)
Limit traffic
With WireGuard you will lose about 50% of internet speed cause the process of tunneling through Pi to router to devices**
Delete in allowed IPs "0.0.0.0/0, ::/0" option because it routes all traffic to your home network which will be slow. You need send traffic through your addresses only.
- First you need to replace it with your network gateway but setting the last number to a zero and prefix length to 24. For example:
192.168.1.1/24
to192.168.1.0/24
or like my ISP router192.168.100.1/24
to192.168.100.0/24
.Now I only lose 25% speed๐ (PS. using 5g network)
UPDATE:
After a WireGuard update I do not get a faster speed doing this"0.0.0.0/0, ::/0
with WiFi. If anyone knows any tweaks to get a boost, let me know.
PLEASE READ !! , BE AWARE !!
IMPORTANT
: If your network has IP addresses for devices that ends with a 3 digit number (more than 24), for example: 192.168.100.254
, you will not be able to route properly from outside network because applying 24 only allows numbers 1 through 24. You need to instead put 0
to route out of the 24 range, for example : 192.168.100.0/0
.
Or you can change IP range on your router (in my experience you might get a tiny bit better speeds cause it will not route unnecessary allowed IP addresses over the 24 range).
IPv6
If you are using IPv6, when connected to WiFi you need to enter in WireGuard allowed IPs fe80::1/0
as well. For example 192.168.100.0/0, fe80::1/0
When connected to Ethernet cable on a windows PC, you need to enter ::1
in IPv6 address in "Internet Protocol Version 6(TCP/IPv6)" preferred DNS server.
Then go to https://ipv6leak.com/ and you should see "Your IPv6 is not leaking".
Disable all IPv6
click here]. In result if you have weak internet, disabling IPv6 can speed up dns request but have less security.
Disable IPv6 if you don't have it or don't want it[Test VPN
How do you know if WireGuard VPN is really working?
For windows download Wireshark: https://www.wireshark.org/#download
Once downloaded you can use the application to inspect your data packets where the protocol is set to the one used by WireGuard VPN. When a packet traffic is encrypted
, it can be read like this for example:
For android you can use PCAPdroid: https://play.google.com/store/apps/details?id=com.emanuelef.remote_capture&hl=en&gl=US
You should see all connections closed
and status showing all DNS and not any TLS connections in all apps. (open and use apps for PCAPdroid to scan)
Auto Update Pi
- Open new sh file called update and copy&paste script[click here]
sudo nano update.sh
- Set permission
sudo chmod 700 update.sh
- Open cron file by entering in command line
crontab -e
, copy&paste job command line below at the bottom of cron file and save.
0 3 * * WED sudo ./update.sh 2>&1 >/home/pi/updatelog
Pi will now update every Wednesday at 3am. Or you can go to https://crontab.guru/ and set your own time schedule.
Adjust Pi's date/timezone enter in terminal:
sudo dpkg-reconfigure tzdata
or set manually
sudo date -s "25 DEC 2012 11:14:00"
Install Log2Ram
One of the most significant advantages of offloading your RAM is that it improves your SD Cardโs potential lifespan. Log files are one of the things written to most by the various pieces of software you install. By pushing the files to your RAM, you can control how often they are written to the SD Card. You will still be able to access these files on the RAM as if they sat on your SD Card.
Copy and paste this line in terminal:
Manually
wget https://git.io/log2ram -O Log2Ram-Script.sh && sudo chmod +x Log2Ram-Script.sh && sudo ./Log2Ram-Script.sh
or
Add repo source(auto update)
echo "deb [signed-by=/usr/share/keyrings/azlux-archive-keyring.gpg] http://packages.azlux.fr/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/azlux.list
sudo wget -O /usr/share/keyrings/azlux-archive-keyring.gpg https://azlux.fr/repo.gpg
sudo apt update
sudo apt install log2ram
Turn off Pi LED lights
I guess power to LEDs will impact unnecessary electricity and heat crontab -e
, copy&paste job command line below at the bottom of cron file and save.
Green
@reboot echo none | sudo tee /sys/class/leds/led0/trigger
Red
@reboot echo none | sudo tee /sys/class/leds/led1/trigger
Reboot Pi.
Secure your Raspberry Pi
( I just use Fail2Ban and change SSH port )
ANY ISSUES, FIXES OR TIPS TO MAKE THESE PROJECTS BETTER PLEASE CONTRIBUTE
Repository Resources
https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started
https://developers.cloudflare.com/
https://docs.pi-hole.net/guides/dns/cloudflared/
https://docs.pi-hole.net/guides/dns/unbound/
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
https://dnsprivacy.org/dns_privacy_clients/
https://github.com/anudeepND/pihole-unbound
https://github.com/stong/unbound.conf.d
https://github.com/Nyr/wireguard-install
https://github.com/azlux/log2ram
F.A.Q
Frequently ask questions[click here]