You’ll need to replace anything in <> with your own specific requirements/file names/et cetera.
Pre-guide (before install):
Port Forward the Port we will be using for Wireguard in our router (Port: 51820)
Set up your Raspberry Pi 4 following the guide with default settings (or at least know what you are doing when you set it up) and disable IPv6 because it’s stupid.
Recommended to use Ethernet for better performance and speeds and for external storage use at the very least a USB 3.0 HDD or USB-SSD.
NB! Keep a SEPARATE USB of at least 4GB in size which will be used for backups and which will be formatted as > ext4 > which will be > UNREADABLE > in Windows unless you use e.g. > ext2fsd > but then make sure to NEVER write files to the USB from Windows or you risk serious issues! (Reading and copying FROM is okay). Saving backups to the Micro SD or External HDD is NOT a good idea. > You have been warned!
After RPi 4 Dietpi first installation, you can now follow these steps:
Upgrade any packages that have updates
Remove any unneeded/unused packages
> NB! To back up everything (and not have to do all the below s* again) run this after each steps success
You can run this command later with a > 1 > at the end to quickly run the backup with your last used config**
> # Configure your backup location to an EMPTY directory on a SEPARATE USB formatted as > **[u]ext4[/u]** > using the above command
> # Then run the backup after each fill stage has been completed or you risk having to do everything all over from the beginning
# Install ufw "Uncomplicated Firewall" (it's better than fail2ban, don't install fail2ban)
# Make sure we also allow SSH (duhh, so we don't get locked out) and Wireguard to pass through
apt install ufw
ufw allow 22/tcp
ufw allow 51820/udp
Use the drive manager to automatically set up your external drive and automatically install any necessary and missing drivers (don’t attempt to edit fstab directly)
Pick the options and mount location you want yourself and format as necessary
Check the drive mounted and contents (if any) are available
Set up Samba
Add the following entry to Samba, called ‘storage’ in Windows file system
Requires username (root) and your password to open
If having issues, access the share with the direct IP from windows → mine is: \192.168.2.130
then map it to Z:\ (or what-ever drive letter you wish)
comment = USB HDD
path = /mnt/<external_hdd_drive_directory>
browseable = yes
create mask = 0775
directory mask = 0775
valid users = root
public = no
writeable = yes
Restart Samba and check in Windows that that you can write/delete etc.
service smbd restart
Set up Wireguard (use this over OpenVPN if you want less resource usage and better speeds)
Use the Mullvad Wireguard config creator to make a conf to a server you wish to use. Don’t use the killswitch option because it isn’t supported in the Dietpi kernel. If you want to play with that, do it at your own risk. Also uncheck IPv6 (because it sucks) or at the very least if you are stupid enough to use that, make sure you are actually using IPv6 and have it enabled on your device and router lol… otherwise errors.
Copy the Mullvad config file from Network storage to Wireguard folder
Set Pi-Hole DNS to 18.104.22.168 (don’t be stupid and use Google’s, Quad-9 is also okay (22.214.171.124))
Enable the Pi-Hole by setting your router’s DNS as the dietpi’s I.P. address (check your router manual or Youtube for help)
Go to some sites with loads of ads and verify that it’s working. Then spend a few hours tweaking your blacklist as you see fit, but make sure to whitelist important domains or you WILL face a bad experience
16/09/19 - v1.1 Updated and made a lot of the steps easier and reduced the chance you’ll run into errors when setting up.
15/12/19 - v1.2 Fixed some typos, made very minor edits. My install ran fine for 3 months exactly without getting any errors. For some reason Wireguard stopped working but with a new Wireguard config file and private key and using a server it’s up and running again after a single reboot.
As of 15/12/19 This thread has received over 1000 views. If it helped you, please consider letting me know in a comment below.
Edits to be made in the future:
Add optional steps to change file permissions on external drive and in Samba
This tutorial seems to cover everything I want to achieve but unfortunately i’m stuck at the very beginning! You seem to have left out any instructions on how to configure network settings (I suppose due to everyone’s setup being different, but i;m pretty sure the majority of people will have as i do which is: local network connected to eth0 onboard ethernet (I have a wifi AP attached which is how i’m getting ssh into the dietpi) and then I hope to use TP-LInk USB adapter to get internet access from my ISP’s cable modem. The trouble is that Idon’t know how to get this working without what I would think is reasonably complicated setup? I initially thought to add the interface as eth1 in the /etc/network/interfaces but there is a warning there not to edit this file directly but instead use dietpi-config, however I can only see a way to alter the onboard eth and wifi under that config menu sytem. I wonder if its therefore becessary to depart from the Dietpi workflow and simply hardcode the interfaces file anyway. From what I’ve been reading, i;d then need to bridge the interfaces and forward ip ports as additional steps wouldn’t I? Any guidance on the initial network config would be extremely appreciated. I can’t wait to move onto the rest of the tutorial as the rest looks too be very thorough and complete, I just thought it is a shame not to have included this as part of your writeup? Thanks!
thank you for the guide, help me a lot when I first learn about dietpi OS, I have set it and forget until now.
I just make a fresh install bullseye from buster and I have two issue wonder if anyone can figure it out.
First it none of the dietpi program can read or write from NFS file server, can’t really move file through CLI either, the server do set rw & no_root_squash and available to all local interface, the problem is really the program, if I uninstall and install qbitt from XFCE it read and write to server fine.
Second problem is the WireGuard will fail to connect to server if it loose connection more than few hours, the server probably deleted the config, so it really hard to set and forget and wonder anyone have a solution?
So you fail to mount the share from your NFS server in DietPi? How did you try to mount it? Do you get some error messages? And on other devices it works, or what do you mean with “if I uninstall and install qbitt from XFCE it read and write to server fine”? So it’s mounted but only qbitt can see and write/read to the mounted share?
If you are unable to mount it, some helpfull information would be the /etc/exports from your NFS server
and the output of showmount -e executed from your client.
So when you didn’t use the VPN connection for a while, you are unable to connect to it again? This is strange. How often does your public IP change and do you use some sort of DDNS to reach it?
And did you check if the VPN server is still up and running, when this happens?
No mount is fine, that why if I access from GUI XFCE everything is good the server also enable v2/v3 and v4
root@DietPi4:~# showmount -e 192.168.18.11
Export list for 192.168.18.11:
This is kinda provider issue, they recently change to flush it config if it see client no longer connect to it. Some people like it because it privacy, but for people like me set and forget, it suck. For access the Pi I always able to access it because I use ZeroTier ( and I’m not sure if this mess the NFS up, multi server NFS, remote and local )
If the NFS share mounts fine and you can access it from desktop, I guess qBittorrent simply has insufficient permissions to access it? It runs as user “qbittorrent” which is added to group “dietpi”. Check owner/group/modes of the files/directories qBittorrent tries to write to. Usually: