Tutorial to install a Network-wide ad blocking, DNS- and DHCP server on Raspberry Pi
The Pi-hole is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.
- Easy-to-install: our versatile installer walks you through the process, and takes less than ten minutes
- Resolute: content is blocked in non-browser locations, such as ad-laden mobile apps and smart TVs
- Responsive: seamlessly speeds up the feel of everyday browsing by caching DNS queries
- Lightweight: runs smoothly with minimal hardware and software requirements
- Robust: a command line interface that is quality assured for interoperability
- Insightful: a beautiful responsive Web Interface dashboard to view and control your Pi-hole
- Versatile: can optionally function as a DHCP server, ensuring all your devices are protected automatically
- Scalable: capable of handling hundreds of millions of queries when installed on server-grade hardware
- Modern: blocks ads over both IPv4 and IPv6
- Free: open source software which helps ensure you are the sole person in control of your privacy
For all my home-network projects I run Raspbian Debian Stretch Lite. The setup is trivial:
- Get yourself a Raspberry Pi and an SD-card
- Use Etcher to format the SD-card
sudo apt-get update && sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo raspi-config
sudo rpi-update
This changes the login screen. Just copy it from this repository
sudo cp ~/motd.sh /etc/profile.d/motd.sh
sudo chown root:root /etc/profile.d/motd.sh
sudo chmod +x /etc/profile.d/motd.sh
sudo rm /etc/motd
Use sudo nano /etc/ssh/sshd_config to change the setting to PrintLastLog no
- Set a root password via
sudo passwd root
- Edit
sudo vi /etc/ssh/sshd_config
and set PermitRootLogin yes
- Restart SSHD
/etc/init.d/ssh restart
- Create the .ssh directory via
install -d -m 700 ~/.ssh
- Create a SSH key on your PC:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
- Install your public key for user 'pi'
cat ~/.ssh/id_rsa.pub | ssh pi@IPADDRESS 'cat >> .ssh/authorized_keys'
- Install your public key for user 'root'
cat ~/.ssh/id_rsa.pub | ssh root@IPADDRESS 'cat >> .ssh/authorized_keys'
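The SSH steps above leave PermitRootLogin yes active after the keys are installed. The following is an added example, not part of the original tutorial: it reads an sshd_config the way sshd does (the first value for a keyword wins) and reports whether root can still log in with a password. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# Print the effective global value of one sshd_config keyword.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional overrides.
sshd_value() {  # usage: sshd_value <file> <keyword> <default>
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/     { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    ' "$1"
}

# Classify root SSH access: prints disabled, key-only, password or unknown.
# Returns 1 for "password", the state left by "PermitRootLogin yes".
root_login_mode() {  # usage: root_login_mode <file>
    case "$(sshd_value "$1" PermitRootLogin prohibit-password)" in
        no)  echo disabled ;;
        yes) echo password; return 1 ;;
        prohibit-password|without-password|forced-commands-only)
             echo key-only ;;
        *)   echo unknown; return 1 ;;
    esac
}

# Constructed sample: the tutorial's edit plus a hardening line appended
# at the end of the file, which sshd ignores because the first value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PrintLastLog no
permitrootlogin prohibit-password
EOF

echo "as configured: $(root_login_mode "$sample")"

# Once key login works, change the first active line in place.
fixed=$(mktemp)
sed 's/^PermitRootLogin yes$/PermitRootLogin prohibit-password/' "$sample" > "$fixed"
echo "after fix:     $(root_login_mode "$fixed")"
```

On the Pi itself, sudo sshd -T prints the effective configuration and is the authoritative check after restarting SSHD.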
sudo apt-get install -y sysstat vnstat screen
sudo apt-get purge apache2
sudo apt-get autoremove
timedatectl set-ntp true
timedatectl status
# Time will be in GMT/UTC, if you want to adjust, use the following:
echo "Africa/Johannesburg" | sudo tee /etc/timezone
sudo dpkg-reconfigure --frontend noninteractive tzdata
timedatectl set-timezone Africa/Johannesburg
Reboot your Pi before continuing the next step. Login as 'root' to complete the next steps.
We will use Cloudflare via Argo Tunnel as our DNS provider
cd ~
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
mkdir argo-tunnel
tar -xvzf cloudflared-stable-linux-arm.tgz -C ./argo-tunnel
rm cloudflared-stable-linux-arm.tgz
cd argo-tunnel
./cloudflared --version
To manually test it, run:
sudo ./cloudflared proxy-dns --port 54 --upstream https://1.1.1.1/.well-known/dns-query --upstream https://1.0.0.1/.well-known/dns-query
Let's install it as a system service by copying the service file and then starting it via sudo systemctl restart dnsproxy.service
We will use msmtp for this and I use my Google Apps account to send out email:
apt-get install msmtp ca-certificates mailutils
rm /usr/sbin/sendmail
ln -s /usr/bin/msmtp /usr/sbin/sendmail
Adjust /etc/msmtprc and /etc/msmtprc.aliases accordingly.
This is really a one-liner via curl -sSL https://install.pi-hole.net | bash
- The IPV4_ADDRESS to the IP of your Pi
- Comment out PIHOLE_DNS_1 and PIHOLE_DNS_2
- Enable DHCP_ACTIVE and DHCP settings
- Adjust the PIHOLE_DOMAIN
- Copy my whitelist.txt
- Adjust /etc/dnsmasq.d/
  - In 01-pihole.conf comment out server and adjust server=127.0.0.1#54 so that it points to the local Cloudflare tunnel
  - Adjust 02-pihole-dhcp.conf to match your IP-range
  - Adjust 04-pihole-static-dhcp.conf to set up static IPs
- Adjust /etc/hosts to set up other hosts which should be resolved in your network
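If a server line other than 127.0.0.1#54 stays active in /etc/dnsmasq.d/, or no-resolv is missing, some queries leave the network as plaintext DNS instead of going through the local cloudflared proxy. The check below is an added example, not part of the original tutorial; check_upstreams and the sample files are constructed for illustration, and 192.0.2.53 is a documentation address standing in for any other resolver.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# List every active upstream in a dnsmasq.d directory that is not the local
# cloudflared proxy, plus a warning when no-resolv is missing.
# Prints one finding per line; returns 0 when nothing bypasses the tunnel.
check_upstreams() {  # usage: check_upstreams <dnsmasq.d dir> [expected upstream]
    dir=$1
    want=${2:-"127.0.0.1#54"}
    findings=$(
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            awk -v want="$want" -v file="${f##*/}" '
                /^[ \t]*#/ { next }                  # commented-out lines
                /^[ \t]*server=/ {
                    v = $0
                    sub(/^[ \t]*server=/, "", v)
                    sub(/[ \t]+$/, "", v)
                    sub(/^\/.*\//, "", v)            # drop a /domain/ prefix
                    if (v != "" && v != want) print file ": upstream " v
                }' "$f"
        done
        # Without no-resolv, dnsmasq also reads upstreams from /etc/resolv.conf.
        grep -qsE '^[[:space:]]*no-resolv[[:space:]]*$' "$dir"/*.conf ||
            echo "no-resolv not set: /etc/resolv.conf servers are also used"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample 1: the state the tutorial describes.
good=$(mktemp -d)
printf '%s\n' 'no-resolv' '#server=192.0.2.53' 'server=127.0.0.1#54' \
    > "$good/01-pihole.conf"

# Constructed sample 2: a plaintext upstream is active again, no-resolv is gone.
bad=$(mktemp -d)
printf '%s\n' 'server=127.0.0.1#54' 'server=192.0.2.53' \
    > "$bad/01-pihole.conf"

check_upstreams "$good" && echo "good: all queries go to the tunnel"
check_upstreams "$bad"  || echo "bad: findings listed above"
```

On the Pi, run check_upstreams /etc/dnsmasq.d after every edit or Pi-hole update.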
I am using DNS-01 authentication via Cloudflare DNS with acme.sh - this allows me to automatically renew SSL certificates without exposing services to the outside. Run the below as 'root'-user:
- Install acme.sh
curl https://get.acme.sh | sh
- Register with Let's Encrypt
acme.sh --upgrade --auto-upgrade --accountemail "youremail"
- Export your Cloudflare API-key and email:
export CF_Key="YOUR-API-KEY"
export CF_Email="YOUR-CLOUDFLARE-EMAIL"
- Adjust your /etc/lighttpd/external.conf (change pihole.example.com to your own domain name)
- Issue your certificate and adjust the domain pihole.example.com according to your own settings
acme.sh --force --issue --dnssleep 30 --dns dns_cf -d pihole.example.com --reloadcmd "cat /root/.acme.sh/pihole.example.com/pihole.example.com.key /root/.acme.sh/pihole.example.com/pihole.example.com.cer | tee /root/.acme.sh/pihole.example.com/pihole.example.com.combined.pem && systemctl restart lighttpd.service"
You are done - just reboot one more time and you should be able to access Pi-Hole via https://pihole.example.com
Once you have completed the above steps, you will need to configure your router to have DHCP clients use Pi-hole as their DNS server which ensures that all devices connecting to your network will have content blocked without any further intervention.
If your router does not support setting the DNS server, you can use Pi-hole's built in DHCP server; just be sure to disable DHCP on your router first (if it has that feature available).
As a last resort, you can always manually set each device to use Pi-hole as their DNS server.