[Guide] Very basic Wireguard (Mullvad), qBittorrent, External Storage, Pi-Hole and Rpi Monitor setup

You’ll need to replace anything in <> with your own specific requirements/file names/et cetera.

Pre-guide (before install):

Port Forward the Port we will be using for Wireguard in our router (Port: 51820)

Set up your Raspberry Pi 4 following the guide with default settings (or at least know what you are doing when you set it up) and disable IPv6 because it’s stupid.

Recommended to use Ethernet for better performance and speeds and for external storage use at the very least a USB 3.0 HDD or USB-SSD.

NB! Keep a SEPARATE USB of at least 4GB in size which will be used for backups and which will be formatted as ext4, which will be UNREADABLE in Windows unless you use e.g. ext2fsd, but then make sure to NEVER write files to the USB from Windows or you risk serious issues! (Reading and copying FROM is okay). Saving backups to the Micro SD or External HDD is NOT a good idea. You have been warned!

After RPi 4 Dietpi first installation, you can now follow these steps:

Update repositories

apt update

Upgrade any packages that have updates

apt upgrade

Remove any unneeded/unused packages

apt autoremove

Reboot

reboot now



NB! To back up everything (and not have to do all the below s* again), run this after each step's success

You can run this command later with a 1 at the end to quickly run the backup with your last used config

dietpi-backup

Configure your backup location to an EMPTY directory on a SEPARATE USB formatted as ext4 using the above command

Then run the backup after each full stage has been completed or you risk having to do everything all over from the beginning

----------------------------

Install ufw "Uncomplicated Firewall" (it's better than fail2ban, don't install fail2ban)

Make sure we also allow SSH (duhh, so we don't get locked out) and Wireguard to pass through

```text
apt install ufw
ufw allow 22/tcp
ufw allow 51820/udp
ufw enable
```

Use the drive manager to automatically set up your external drive and automatically install any necessary and missing drivers (don’t attempt to edit fstab directly)

Pick the options and mount location you want yourself and format as necessary

dietpi-drive_manager

Check the drive mounted and contents (if any) are available

cd /mnt/<yourdrive>

Reboot

reboot now

Set up Samba

nano /etc/samba/smb.conf

Add the following entry to Samba, called ‘storage’ in Windows file system

Requires username (root) and your password to open

If having issues, access the share with the direct IP from Windows → mine is: \\192.168.2.130

then map it to Z:\ (or whatever drive letter you wish)

[storage]
	comment = USB HDD
	path = /mnt/<external_hdd_drive_directory>
	browseable = yes
	create mask = 0775
	directory mask = 0775
	valid users = root
	public = no
	writeable = yes

Restart Samba and check in Windows that you can write/delete etc.

service smbd restart

Set up Wireguard (use this over OpenVPN if you want less resource usage and better speeds)

Use the Mullvad Wireguard config creator to make a conf to a server you wish to use. Don’t use the killswitch option because it isn’t supported in the Dietpi kernel. If you want to play with that, do it at your own risk. Also uncheck IPv6 (because it sucks) or at the very least if you are stupid enough to use that, make sure you are actually using IPv6 and have it enabled on your device and router lol… otherwise errors.

Copy the Mullvad config file from Network storage to Wireguard folder

cp /mnt/<yourdrive>/<yourconfig>.conf /etc/wireguard

Quickly test with

wg-quick up <yourconfig>.conf

Also run this to check your VPN is connected

wg show

Check your IP changed (exit with CTRL+C):

curl ifconfig.me

Enable the VPN on boot (make sure to run without the .conf at the end)

systemctl enable wg-quick@<yourconfig>

Reboot and check that it’s still working, and pray to the Linux gods you still have SSH access

reboot now

Seriously do a backup now… I’m not joking.


Install and set up qBittorrent with SOCKS5 for added security (this is also how we still get a working kill switch)

Install qBittorrent with the dietpi-software tool

dietpi-software

Follow instructions to properly configure qBittorrent here: https://mullvad.net/en/guides/socks5-proxy/

Remember to use 10.64.0.1 for SOCKS5 because we’re on Wireguard

Then test with the magnet link at (also can test with some others): https://torguard.net/checkmytorrentipaddress.php

Also test DL speeds with a good seedboxed torrent like from a private tracker with many seeds on seedboxes.

Do your own tests to make sure that you are ‘connectable’ for seeding

Probably also a good idea to use htop to check your average resource usage now and make sure everything looks normal or install a monitor like in the below stage

htop

Install R-Pi Monitor so we can easily check CPU usage and temps, RAM usage, storage usage and for newly available packages to update all from a browser

(Optional) Enable basic Network monitoring (total up/down) by uncommenting the entries with "#" in

nano /etc/rpimonitor/template/network.conf

Restart the monitor with

service rpimonitor restart

Install Pi-Hole (use the dietpi-software tool for this)

Ensure your dietpi is on a static IP and in setup, set the default gateway as your router

Add these URLS to the Blacklist (only those green and with check mark unless you want lots of problems)

https://wally3k.github.io/

(IMPORTANT!!!) Add these (as needed) to the Whitelist: https://discourse.pi-hole.net/t/commonly-whitelisted-domains/212

Set Pi-Hole DNS to 1.1.1.1 (don’t be stupid and use Google’s, Quad-9 is also okay (9.9.9.9))

Enable the Pi-Hole by setting your router’s DNS as the dietpi’s I.P. address (check your router manual or Youtube for help)

Go to some sites with loads of ads and verify that it’s working. Then spend a few hours tweaking your blacklist as you see fit, but make sure to whitelist important domains or you WILL face a bad experience


Additional Stuffs

iptables commands: https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

This is good for information on allowing things through ufw which is necessary for other services.

Speedtest command:

curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python -

Nice for knowing your speeds whilst VPN is on/off without needing a browser!

16/09/19 - v1.1 Updated and made a lot of the steps easier and reduced the chance you’ll run into errors when setting up.
15/12/19 - v1.2 Fixed some typos, made very minor edits. My install ran fine for 3 months exactly without getting any errors. For some reason Wireguard stopped working but with a new Wireguard config file and private key and using a server it’s up and running again after a single reboot.

As of 15/12/19 This thread has received over 1000 views. If it helped you, please consider letting me know in a comment below.


Edits to be made in the future:

  1. Add optional steps to change file permissions on external drive and in Samba
  2. Add additional links to helpful docs

nice one mate. thanks!

The guide looks good mate! I’ll give it a go with some of the stuff in here. Currently just running Pi-Hole and RPI-Monitor and will soon install an external drive and have a bit more fun :slight_smile:

Nice guide. I would suggest the following for the SMB Shares (for making the dietpi’s folders shareable on LAN):

  1. do not use “root” as a user for smb shares - it is a security risk/password leak (Windows stores the root password and it is easily extractable).

Instead either remove "valid users = root " and use “guest ok = no”, or just use “valid users = dietpi, , etc.”.

This will allow valid (non-root) users to access the dietpi share from a Windows machine.

  2. When using valid users (as above), ensure the dietpi user is added as a smb user with:

smbpasswd -a
eg smbpasswd -a dietpi

then entering the smb user password

Using the smb user and smb password with Windows will give access to the dietpi share folder/location.
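The check suggested in the reply above, as an added example that is not part of the original posts: a shell function that flags shares in an smb.conf which log in as root or allow guest access. The sample file, the `/mnt/usb` path and the share name `storage-fixed` are constructed for illustration.

```shell
# Added example, not from the thread; the smb.conf text below is constructed.

# audit_smb_shares FILE: print "share: finding[,finding]" or "share: ok".
audit_smb_shares() {
    awk '
    function add(msg) { issues = (issues == "" ? msg : issues "," msg) }
    function emit() {
        if (share != "" && tolower(share) != "global")
            print share ": " (issues == "" ? "ok" : issues)
        issues = ""
    }
    /^[ \t]*[#;]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # section header starts a share
        emit()
        share = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", share)
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        # Samba ignores case and whitespace in parameter names
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(substr($0, eq + 1))
        if (key == "validusers" && val ~ /(^|[ \t,])root([ \t,]|$)/) add("root-login")
        if ((key == "guestok" || key == "public") && val ~ /^[ \t]*(yes|true|1)[ \t]*$/)
            add("guest-access")
    }
    END { emit() }' "$1"
}

# sample_smb_conf: the guide's [storage] share and a non-root variant of it.
sample_smb_conf() {
    cat <<'EOF'
[global]
    workgroup = WORKGROUP
[storage]
    path = /mnt/usb
    valid users = root
    public = no
[storage-fixed]
    path = /mnt/usb
    valid users = dietpi
    guest ok = no
EOF
}

conf=$(mktemp)
sample_smb_conf > "$conf"
audit_smb_shares "$conf"
rm -f "$conf"
```

Run it against the real file with `audit_smb_shares /etc/samba/smb.conf`; any share reported as `root-login` is one where Windows ends up holding the root password.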

This tutorial seems to cover everything I want to achieve but unfortunately I’m stuck at the very beginning! You seem to have left out any instructions on how to configure network settings (I suppose due to everyone’s setup being different, but I’m pretty sure the majority of people will have as I do which is: local network connected to eth0 onboard ethernet (I have a wifi AP attached which is how I’m getting ssh into the dietpi) and then I hope to use TP-Link USB adapter to get internet access from my ISP’s cable modem. The trouble is that I don’t know how to get this working without what I would think is reasonably complicated setup? I initially thought to add the interface as eth1 in the /etc/network/interfaces but there is a warning there not to edit this file directly but instead use dietpi-config, however I can only see a way to alter the onboard eth and wifi under that config menu system. I wonder if it’s therefore necessary to depart from the Dietpi workflow and simply hardcode the interfaces file anyway. From what I’ve been reading, I’d then need to bridge the interfaces and forward ip ports as additional steps wouldn’t I? Any guidance on the initial network config would be extremely appreciated. I can’t wait to move onto the rest of the tutorial as the rest looks to be very thorough and complete, I just thought it is a shame not to have included this as part of your writeup? Thanks!

Hi there,

Followed all the explanation, the VPN is working and connecting and I still have SSH - BUT - I lose internet connection on all my devices connected to the Pi, I’m clueless here, can you help ?

Thanks !

Please use the WireGuard install option in dietpi-software, which sets up the server to allow Internet access for clients automatically :wink:.

I guess he uses DietPi as client to connect to a Mullvad VPN server? Probably some kind of killswitch once connected.

Ah, makes sense. In this case, what does the Mullvad WireGuard config look like? Probably we can tweak it to disable the killswitch for LAN.

Thank you for the guide, it helped me a lot when I first learned about DietPi OS; I have set it and forgotten it until now.

I just made a fresh install of bullseye from buster and I have two issues; I wonder if anyone can figure them out.

First, none of the dietpi programs can read or write from the NFS file server, and I can’t really move files through the CLI either. The server does set rw & no_root_squash and is available to all local interfaces; the problem is really the program: if I uninstall and install qbitt from XFCE it reads and writes to the server fine.

The second problem is that WireGuard will fail to connect to the server if it loses connection for more than a few hours; the server probably deleted the config, so it is really hard to set and forget, and I wonder if anyone has a solution?

So you fail to mount the share from your NFS server in DietPi? How did you try to mount it? Do you get some error messages? And on other devices it works, or what do you mean with “if I uninstall and install qbitt from XFCE it read and write to server fine”? So it’s mounted but only qbitt can see and write/read to the mounted share?

If you are unable to mount it, some helpful information would be the /etc/exports from your NFS server
and the output of showmount -e executed from your client.


So when you didn’t use the VPN connection for a while, you are unable to connect to it again? This is strange. How often does your public IP change and do you use some sort of DDNS to reach it?
And did you check if the VPN server is still up and running, when this happens?

He is using WireGuard as a client to connect to a server, which means it should not matter if the external IP changed :wink:

For the connection issues, I would recommend to contact Mullvad and ask for help. Maybe there is a timeout within the client config?

No, the mount is fine, that’s why if I access it from the GUI (XFCE) everything is good. The server also enables v2/v3 and v4.
root@DietPi4:~# showmount -e 192.168.18.11
Export list for 192.168.18.11:
/Web *
/Public *
/Multimedia *
/Download *

This is kind of a provider issue; they recently changed to flush the config if the server sees the client no longer connecting to it. Some people like it because of privacy, but for people like me who set and forget, it sucks. As for accessing the Pi, I am always able to access it because I use ZeroTier (and I’m not sure if this messes the NFS up, multi server NFS, remote and local).

ok it is a behaviour of the provider, we can’t do anything.

For the NFS issue, it would be good to open a separate post and not mix it up with this guide.

If the NFS share mounts fine and you can access it from desktop, I guess qBittorrent simply has insufficient permissions to access it? It runs as user “qbittorrent” which is added to group “dietpi”. Check owner/group/modes of the files/directories qBittorrent tries to write to. Usually:

chgrp -R dietpi /mnt/NFS/downloads
chmod -R g+w /mnt/NFS/downloads

should work well to enable write access for the “dietpi” group, which is used by download- and media software installed via dietpi-software.

Thanks for this nice and easy guide.
I have set up a VPN connection by following parts of the guide.

I am using a Pi 3B+ for my VPN connection/tunnel. DNS is handled by a different Pi which has Pi-Hole installed.

I am using Transmission instead of qBittorrent and I created this kill switch in the *.conf file:

[Interface]
PrivateKey = ****
Address = 10.65.186.57/32
DNS = 192.168.****
PostUp = systemctl start transmission-daemon
PreDown = systemctl stop transmission-daemon
[Peer]
PublicKey = ****
AllowedIPs = 0.0.0.0/0
Endpoint = 169.150.196.28:51820

Transmission will be stopped when there is no VPN connection. I have tested this by shutting down Mullvad manually.

My question:
Will this be sufficient? Or do I need to add iptables into my config?

I have tried adding this under [Interface]

[Interface]
PrivateKey = ****
Address = 10.65.186.57/32
DNS = 192.168.****
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Source: WireGuard on Linux terminal (advanced) - Gidsen | Mullvad VPN

I couldn’t connect to my Pi after reboot.
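An added example, not part of the original posts: a shell function that reports whether a wg-quick config carries the REJECT rule quoted above and whether that rule exempts a LAN range, since without an exemption replies to LAN clients (SSH included) leave through the physical interface and are rejected. The `! -d 192.168.1.0/24` exemption, the placeholder keys and the three sample configs are assumptions constructed for illustration.

```shell
# Added example, not from the thread; keys and the LAN range are constructed.

# audit_wg_conf FILE: report kill-switch properties of a wg-quick config.
audit_wg_conf() {
    awk '
    function yn(x) { return x ? "yes" : "no" }
    {
        eq = index($0, "="); if (eq == 0) next    # section headers, blanks
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1)
        if (key == "allowedips" && val ~ /(^|[ ,])0\.0\.0\.0\/0([ ,]|$)/) full = 1
        if (key == "postup" && val ~ /iptables -I OUTPUT ! -o %i/ && val ~ /-j REJECT/) {
            ks = 1
            # LAN exemption: a negated IPv4 destination match in that rule
            if (val ~ /! -d [0-9.]+\/[0-9]+/) lan = 1
        }
        if (key == "predown" && val ~ /iptables -D OUTPUT ! -o %i/) down = 1
    }
    END { printf "full_tunnel=%s killswitch=%s lan_exempt=%s teardown=%s\n",
              yn(full), yn(ks), yn(lan), yn(down) }' "$1"
}

# write_sample KIND FILE: strict = IPv4 half of the rule quoted in the thread,
# lan = same rule with a LAN exemption, service = daemon start/stop hooks only.
write_sample() {
    rule='OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL'
    if [ "$1" = lan ]; then rule="$rule ! -d 192.168.1.0/24"; fi
    up="iptables -I $rule -j REJECT"; down="iptables -D $rule -j REJECT"
    if [ "$1" = service ]; then
        up="systemctl start transmission-daemon"
        down="systemctl stop transmission-daemon"
    fi
    cat > "$2" <<EOF
[Interface]
PrivateKey = <placeholder>
PostUp = $up
PreDown = $down
[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
EOF
}

dir=$(mktemp -d)
for kind in strict lan service; do
    write_sample "$kind" "$dir/$kind.conf"
    printf '%-8s %s\n' "$kind" "$(audit_wg_conf "$dir/$kind.conf")"
done
rm -rf "$dir"
```

Replace 192.168.1.0/24 with your own LAN range before using the exempted rule, and test it with `wg-quick up` from a local console before enabling it at boot.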

I guess you are going to reject traffic from local network. Maybe @trendy could have a look.

Created a new topic, thought it would be easier.