Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server


I know this topic has been discussed many times, and I assure you I have found and tested close to 100 tutorials, forum topics and posts, articles, and more on this topic - however, I have yet to find anything that has worked for my specific situation (specifically with my current ISP gateway/router being a PITA to customize). They either didn’t work due to my hardware limitations, their hardware limitations (specifically the use of a USB-to-Ethernet Adapter), or because I just didn’t understand what was being done in the background which would have allowed me to change metrics to fit my needs. With that said, I need some help: Below you will find more information regarding my specific situation, including what I have already attempted to use - I would greatly appreciate any instruction, feedback, and/or resources to assist me in setting up my network using the Pi in the way that I have illustrated in the attached diagram below (i.e. using the Pi as a VPN Tunnel/Gateway + AdGuard Home Server + Firewall). Now, on to the specifics…

Due to the fact that I am using Surfshark VPN, a lot of the tutorials don’t offer the ability to customize the actual VPN provider. With that said, I will need to use the standard OpenVPN software so I can use Surfshark’s OVPN file and certificates.

Some might say, “Why don’t you just use your current ISP’s router/gateway to add your AdGuard Home’s DNS entries and Surfshark’s VPN configuration, or put the ISP’s router/gateway into bridge mode and use your Apple AirPort Extreme as the router?” Well, that is a long-winded response, but here is the short answer: I am using AT&T’s fiber connection that utilizes the Arris BGW210-700 gateway/router which has no options for bridge mode (which is why you will see all the modified settings in the image below that I had to incorporate to create a pseudo “bridge mode”), nor does it allow me to change the DNS. Additionally, the Apple AirPort devices are simply old, out-of-date (the Extreme has a USB port for network HDD/SSD connections but it uses SMB1 which is no longer secure and my Windows computers won’t connect to it), and are also more locked down than current router offerings. These reasons are why I’d like to use the Pi as a router, and the AirPort devices as a bridged wireless and wired access point.

Below you will find some of the more common solutions that I have tested without full success:

  • OpenWRT: Includes ability to add VPN and Ad Block Apps once the software is setup on the Pi, but the only available firmware available for the Pi 4 is their “snapshot” (which makes updating a big mess) or their community builds (which also requires an extended and messy update process). Once they release their newest version (20 something), this option will be used unless someone here can provide me with a rock-solid method of setting up the Pi with my desired requirements.

  • RaspAP: Includes OpenVPN + Built-in Ad Blocking (both customizable), but no support for USB-to-Ethernet Adapters. This setup seemed to be one of the better options, but again, it was only intended to be a HotSpot or AP Bridge. I followed their instructions and also found another good tutorial about how to set it up with NordVPN instead of Surfshark, but the instructions seem to be missing some steps and it’s meant to be used as a Wi-Fi HotSpot.

  • Pantacore One: Includes Remote Access to Router via their website Hub + Wireguard and Tailscale VPN Apps + NextCloud App + Cloudflare Warp + Home Assistant App, but no support for USB-to-Ethernet Adapters (again, I don’t want to use the Pi as a HotSpot because the Pi’s Wi-Fi antenna is very weak and only broadcasts one band). I also didn’t like the fact that this system is somewhat “locked-down” and I am not able to see the coding of where my data is being sent.

  • Mr. Canoehead - VPN Client Gateway

  • Pi-Hole with PiVPN (They have tutorials for using OpenVPN or Wireguard as a Gateway/Tunnel rather than a Server) - It is hit-or-miss as to how well it’s documented - it also isn’t that easy to understand what they are saying since most of their documentation is community submitted.

  • ShVerni - Raspberry Pi VPN Gateway

  • Custom Setup using DietPi’s HotSpot + OpenVPN (via Surfshark’s OVPN Config Files) + Modifying IP Tables and IP Forwarding - I attempted to incorporate multiple tutorials/guides that I’ve seen (along with some knowledge that I’ve gained from reading all of these guides) to incorporate my Surfshark VPN requirements, and use my USB-to-Ethernet adapter to pass the Pi’s router responsibilities to the Apple AirPort Extreme.

  • Raspberry Pi Foundations Routed Access Point Guide

  • Docker Containers / Virtual Machines: I have tried to play around with Docker and Portainer to see what it’s all about, but unfortunately I still do not know how it works or how to set one up - with that said, I did see some folks using OpenWRT, pFSense, OPNSense, etc. within a Virtual Container or Virtual Machine. Again, I understand the concept of routing traffic through the virtual network connections, but still do not understand how to do it (same goes for running a VPN Gateway/Tunnel through it).

  • Many, many, many other Tutorials found through hours of Google Searching

So, now you might ask, “What exactly are your goals?” - see list below, and the attached network configuration image:

  • VPN Gateway

  • AdGuard Home Ad-Blocking

  • Firewall (I know the Raspberry Pi’s have their own, but I was interested in what others are using and would recommend)

  • File & Media Server (Optional because I currently have a dedicated Pi running a simple Samba and Jellyfin Server)

Now that you have seen how I would like this to work and what devices I would like to use (or at least an estimate based on my current knowledge of how these things should work), below are the available “extra” devices that I can use in addition to the above devices shown in the picture:

  • TP-Link USB 3.0-to-Ethernet Adapter (UE300)

  • TP-Link R370K + AC1200 (Extender + Smart Plug)

  • TP-Link N300 (Travel Router)

  • Raspberry Pi 4B - 2GB RAM (2x)

  • Raspberry Pi 400

My only other option to incorporate the above listed requirements is to buy a cheap (relatively speaking) router that has multiple ethernet ports, at least one USB 3.0 port to set up my File and Media Server on, and allows me to flash the OpenWRT (or ASUS-WRT for ASUS Routers) firmware to it for VPN and Ad-Blocking functionality. I’d rather not spend the money ($100 or less) on a new or used router to accomplish this type of setup since it really seems these Pi’s are fully capable of handling the tasks I mentioned above.

Additional Questions:

  • I used to be a web designer in my previous life, however I have decided to keep my reseller hosting account and my 100+ domain names. How can I better utilize my hosting server and domain names to access certain parts of my home network (such as my File and Media Server, Home Assistant, potentially an Ad Block Server to connect to when away from home, etc.)?

  • Generally speaking, what is the best way to secure the setup I mentioned above, and all other Pi’s on my network? I have heard of Unbound, No-IP, Let’s Encrypt, DoH, QoS, etc. but since my knowledge of remote access networking is more limited than my knowledge of Linux/Raspberry Pi (which I would consider to be a little higher than beginner), I would rather hear from others as to what they prefer and how they are implementing it.

  • I am looking to start a Pi project that uses a dedicated Pi within my network that is to be used as a centralized and remote web browser so that I can, for example, use Chrome or Firefox on multiple computers via a remote desktop app that have all of my current tabs open (rather than having to bookmark all open tabs and reopen when using a different computer). This may sound pointless to some, but I have many laptops (most are stationary and are docked) that I use around my home (inside and outside) and I am tired of having to save bookmarks or sync tabs to re-open when I stop working on one computer to go have a smoke outside (and use a different laptop on the patio). I’d rather simply open up a remote desktop app, connect to the Pi, and continue from where I left off. Since remote desktops have gotten better over the years, I figure this is a good option, but I would like to inquire as to what software people prefer. DietPi has multiple offerings, including NoMachine, and others. I have also researched other options like ZeroTier. Thoughts?

Hopefully this all makes sense. I apologize for the length of the post, but I needed to ensure that I explained everything.

Any help is greatly appreciated!

Here is how I setup my redneckish home network…

I used a very old PC for my firewall as it is an appliance that should be a dedicated unit; it runs pfSense (I did have to get the proper Intel NIC card for it because it’s very picky about the devices it will use).

I don’t use an external VPN to route all my traffic thru however.

Very interesting! Appreciate the diagram. Any ideas on how I might be able to accomplish turning my RouterPi into a VPN + Ad-Block + Firewall Gateway?

just a little comment from my side. Personally my prod RPi is hosting PiHole + Unbound (DoT) + WireGuard Server. This way I’m able to connect my mobile devices back home to use PiHole while away from home.

Firewall/gateway will have to be manual thru IPTABLES, there isn’t a gui to just set one up

Now the VPN and Pi-hole behind a dedicated router is easy:
DietPi has both of those services ready to go, you will just need to port forward the VPN port thru the firewall and all is well.

To set up a firewall/gateway/router appliance you will need two ethernet devices, one for WAN, one for LAN, then use IPTABLES to route traffic between the two.

Only ones I see that have a gui or whatnot are
Vuurmuur is an iptables manager with a Ncurses GUI for easy management over SSH
or a more manual config
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces

Firewallbuilder is another…but not sure how it works

There is also webmin, but it’s a resource hog
Creating A Linux Firewall using webmin

Usually finding a dedicated build on an antiquated machine is best…better support, and it’s a dedicated appliance…

This is usually the easiest and best route to go :wink:

With that said…there are ways to set it up…but it is beyond the scope of dietpi unfortunately
OpenWrt does have OpenVPN and adblock (similar to pihole)

Google RPi as a router and there are tons of howto’s out there

Setting it up as a router, you would then need to manually install the services for Pihole and PiVPN (wireguard)
Pretty easy…but will no longer be a dietpi build or script controllable

Well, you could use DietPi as well. At the end it is nothing else than a Debian. But it would require more manual configuration as not all required software titles are available.

Thanks for the information, however I have actually already reviewed and bookmarked those during my initial attempts - unfortunately they don’t solve my particular needs. I am comfortable with setting this up without a GUI since I have tested so many systems already; I seem to be getting the hang of it (although the specifics are the issue). I have successfully setup Pi-Hole with PiVPN in the past but as I mentioned in my initial post, I am looking for a gateway/tunnel rather than a VPN Server to access my network remotely.

Again, after reading close to 100 tutorials and guides on this subject from various sources, I believe I understand what needs to be done, however the issue is “how do I implement the code to accomplish my desired outcome”. Below are the steps that I believe need to be executed (I have put a “?” next to the steps that I am not sure on):

  1. Install Diet Pi OS: Add LXDE Desktop for Ease of Install and Configuration (then disable)
  2. Install OpenVPN Client (Surfshark)
  3. Configure the VPN to Start on Boot via DietPi-AutoStart Script
  4. Install AdGuard Home
  5. ? - Configure TP-Link UE300 as “eth1” to allow physical passing of traffic from the Router Pi to the AirPort Extreme.
  6. ? - Configure Firewall (UFW or Firewalld) to allow the passthrough of traffic from “eth0” through “tun”, and finally through “eth1” (and back again).
  7. ? - Configure IP Forwarding via “net.ipv4.ip_forward = 1” to allow the passthrough of traffic/packets.
  8. ? - What else am I missing?
  9. Arris BGW210-700: Configure IP Passthrough to Router Pi
  10. Apple AirPort Extreme: Configure Bridge Mode from Router Pi
  11. DietPi-AutoStart: CLI (instead of DE)
  12. Profit?


OpenWRT is going to be the best solution, but as I mentioned above, the only available solution is their “Snapshot” firmware which (if you read their forums on the community build) has caused many individuals problems and headaches. Once they release v.20+, I will be switching my setup to that (or I’ll keep the current setup and give it to a friend/parent to use).

I believe he is referring to the OpenWRT firmware - which is not using DietPi, but I understand what you’re saying. If possible, I’d like to stick with DietPi with this project since it has pretty much everything I need, but the hard part comes in tying it all together.

? Configure TP-Link UE300 as “eth1” to allow physical passing of traffic from the Router Pi to the AirPort Extreme.

echo -e 'allow-hotplug eth1\niface eth1 inet static\naddress <ip_address>/<CIDR>' > /etc/network/interfaces.d/eth1.conf

? Configure Firewall (UFW or Firewalld) to allow the passthrough of traffic from “eth0” through “tun”, and finally through “eth1” (and back again).

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
# The below only when not using iptables-persistent already:
iptables-save > /etc/
echo 'up iptables-restore < /etc/' > /etc/network/interfaces.d/iptables.conf

Not quite sure if I understood the whole setup yet :smiley:, but the above stack should help to understand the intended iptables commands: masquerading output to www, respectively the VPN provider, as NAT step, allow forwarding traffic from local clients to www, but from www to local clients only if the connection was established already. The same would need to be done for IPv6, in case, via the ip6tables command.

? Configure IP Forwarding via “net.ipv4.ip_forward = 1” to allow the passthrough of traffic/packets.

echo -e 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\nnet.ipv6.conf.default.forwarding=1' > /etc/sysctl.d/dietpi-wifihotspot.conf
sysctl net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1

This includes IPv6.

? What else am I missing?

Do not try to configure everything at once, set things up step by step and test each added component/feature first. Else it’s extremely hard to debug issues, especially when you followed 100 guides which may have little differences making step A from guide A incompatible with step B from guide C etc.

@MichaIng - This is what I was looking for! Thank you, thank you, thank you. I do have additional info for you relating to what I want to accomplish as well as a few follow up questions though. Please see below.

To confirm, this will allow the use of the TP-Link UE300 USB-to-Ethernet adapter? Also before I run this code, “niface” and “naddress” are accurate, correct? Not second guessing you at all, it’s just that I have seen similar code to this to activate the device, but never with those “variables”.

What about “eth1”? Do I need to add an additional line to include “eth1” as well?

I intend to use the “IPTables-Persistent” script to permanently save this configuration so that upon reboot, I won’t have to worry about setting all of this back up. HOWEVER, if you are suggesting that I can simply run the code above rather than use the persistent script, I will do so. Thoughts?

I have no intention of using IPv6 since, from what I have read, it tends to cause more trouble than benefits. In fact, I have already turned off IPv6 on the ISP Gateway.

The flowchart diagram below is what I am looking to accomplish with this Pi (“Router Pi”, if you will). As a written description of my goals, I would describe it as:

  1. Setup my AT&T Fiber Gateway/Router in a way that only passes the external IP Address to my Router Pi (this I already know how to do since I have done this when I initially setup AdGuard Home a few months ago - it basically put the Router function into a “dirty” bridge-mode).
  2. Router Pi acts as a Router for all in/out traffic but is also routing that traffic under the umbrella of a VPN (to ensure encryption of all data sent/received) as well as an Ad-Blocker (to block ads and other malicious web items). Note: The Router Pi will not be broadcasting a Wi-Fi signal; instead it will simply pass the traffic to the Apple AirPort Extreme (which will act as a Wireless Access Point and a Wired Access Point).
  3. Router Pi then passes the traffic to my Apple AirPort Extreme, which acts as a Wired and Wireless Access Point.
  4. The AirPort Extreme has 3 LAN Ethernet Ports, of which two of those ports will be connected directly to an 8-Port and 5-Port Unmanaged Ethernet Switch (the third LAN Ethernet Port will remain empty).
  5. The Ethernet Switches will be connected to various Raspberry Pi’s, laptops, and media devices. The AirPort Extreme Wireless AP function will connect to two additional Apple AirPort Expresses to help with dead spots around my home as well as to connect to all of my IoT devices (around 60+ devices currently in use) and other laptops and media devices.

This whole project’s aim is to run allllll of these devices through the Router Pi so that they alllll are covered by a VPN (not a VPN server - I do not care to have remote access) as well as an Ad-Block “umbrella”. Hopefully this helps clarify my goals. Thoughts?

(This image is a more accurate portrayal of the devices that will be connected to the Apple AirPort Extreme compared to the first image.)

So, within this above code example, I noticed “dietpi-wifihotspot.conf” - since I have no intention of making the “Router Pi” a Wi-Fi HotSpot, do I need to include this? Or does it need to be pointed to the “eth1” since the USB-to-Ethernet Adapter is going to be pushing the traffic to the Apple AirPort Extreme? If yes, how do I need to alter this code? Also, since I am not going to be using IPv6, is it safe to remove the code segments that mention it?

Understood - this was my intention. IRL, I am an auditor for a Brokerage Firm (I basically make sure that the Associates of the Firm are following compliance laws and regulations; not in the “IRA Auditor” sense, ha!), and my mind works in that sort of manner… Install, test. Install, test. Install, test. Combine and connect, test.

Again, thank you for your continued assistance (and to those who also contributed above). I apologize for such long posts, but as I mentioned above (regarding the 100+ tutorials that I have already reviewed), the better I can describe my situation and goals, the better off the next person will be who wants to accomplish the same. When I have some free time (granted that this project succeeds), I will do a tutorial write-up with images so you guys can post it to that section of the forum.

When echo is called with the -e flag, \n is interpreted as newline character. So it will be:

allow-hotplug eth1
iface eth1 inet static
address <ip_address>/24

That will automatically assign a static IPv4 address to the eth1 interface, which will most likely be the USB adapter, while eth0 will be the onboard adapter. I changed to 24 as this is pretty much the subnet you want. So if <ip_address> is replaced with, then all 192.168.1.* addresses belong to this network, or more precisely, ifup will create a route to have all packets addressed to 192.168.1.* IPs sent through this adapter automatically, to make it become effectively used.

Ah wait, eth0 is connected to the gateway, tun0 is the VPN interface and eth1 is connected to the LAN. So you want to forward traffic from eth1 to tun0 and vice versa, and nothing forwarded through eth0 directly. The following should work then:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT

OpenVPN takes care of the VPN routes, so that all packets not addressed to 192.168.1.* IPs will be routed through tun0 automatically. Let me know if that works, since I have not tested it yet, but it would be a good resource to direct others to and finally implement into DietPi as (VPN) router setup steps :smiley:.

iptables-persistent will be fine.

Sadly even in 2021, yes.

Thanks for clarifying!

Ah, ok. So just to verify my understanding of this, the prefix to the <ip_address> (e.g. x.x.x.) needs to be what the DHCP Server is using as the IP Address prefix? Meaning that if the DHCP Server is assigning 10.0.1., I would input in the code above?

You mention that “all packets not addressed to the 192.168.1.* IPs will be routed through tun0 automatically” - what about all packets that ARE addressed to the 192.168.1.* IP’s? I assume OpenVPN will route those through the VPN (tun0) as well?

Excellent - thank you. I will look through some tutorials online to see if I can find the proper commands to use this, and then execute it. In the meantime, might you have the needed commands to install and activate this?

This begs the question of, where does the DHCP functionality come into play? I do not think I took this into account. I assume that I will need to install a DHCP server as well…?

Pi-hole as well as AdGuard are able to act as DHCP server. There is no need to install one in addition.

Doh! Forgot about that. I was overthinking this and forgot about the AdGuard Home aspect. Thanks for the reminder! :sunglasses:

I think I am about an inch away from attempting this - just need some final clarification on the questions in my last post. Once I have those answers, I will pull-the-trigger on this project. Fingers-crossed, but if it does work, I will put together a tutorial on this.

<ip_address> in /etc/network/interfaces.d/eth1.conf should be the exact IP address of the DietPi device, e.g. The CIDR suffix /24 equals a separate netmask line, but that would be the legacy style. Arg, dietpi-config still uses this legacy style :roll_eyes:. Rework in progress…

About the routes:

  • The gateway entry in /etc/network/interfaces for the eth0 interface will create the default route, which is the absolute fallback. Note the CIDR 0 which means a network mask of, hence really all IPs.
  • OpenVPN will setup two routes for tun0, and, which together cover all IPs as well. But since each is more specific than the default route (just half of the complete network range), they have a higher priority and hence override the default route practically. The little trick that VPN clients use :wink:.
  • Each interface (including tun0) will again have a specific route created, according to the CIDR respectively netmask of usually 24/, which are due to higher CIDR/stricter mask again more specific and hence again override the OpenVPN routes. This of course is wanted to correctly answer LAN requests back to LAN etc.
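An added example, not code from this thread or from DietPi, that ties the pieces above together: the eth1 interface file, ip_forward, and the eth1/tun0 iptables rules written as an iptables-persistent rules.v4 file, with the FORWARD policy set to DROP so that nothing is forwarded through eth0 directly even when tun0 is down. Interface names, the 192.168.1.0/24 LAN and the helper names (gen_rules_v4, gen_lan_conf, rules_have_killswitch, install_rules) are assumptions; only install_rules touches the system and needs root.

```shell
#!/bin/sh
# Added example for this thread (not MichaIng's or DietPi's own code):
# builds the Router Pi ruleset for the eth0 (WAN) / tun0 (VPN) / eth1 (LAN)
# layout in iptables-persistent's rules.v4 format. Interface names and the
# LAN network are assumptions, overridable through the environment.
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset in iptables-restore format. Unlike the interactive rules
# above, the FORWARD chain's policy is DROP: if tun0 goes away, the kernel
# would otherwise forward LAN traffic along the eth0 default route in clear.
gen_rules_v4() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN clients leave the tunnel with the tunnel's own address
-A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies from the tunnel reach the LAN only for connections the LAN opened
-A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN clients may open connections through the tunnel
-A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
# No LAN -> WAN rule: direct forwarding falls to the DROP policy (kill switch)
COMMIT
EOF
}

# The static address for the USB adapter, equivalent to the echo -e one-liner
gen_lan_conf() {
    addr="$1"   # the Router Pi's own LAN address, e.g. 192.168.1.1/24
    printf 'allow-hotplug %s\niface %s inet static\naddress %s\n' \
        "$LAN_IF" "$LAN_IF" "$addr"
}

# Returns 0 when the ruleset cannot forward LAN traffic straight to the WAN:
# the FORWARD policy must be DROP and no LAN -> WAN ACCEPT rule may exist.
rules_have_killswitch() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    if printf '%s\n' "$rules" | grep -q -- "-i $LAN_IF -o $WAN_IF .*-j ACCEPT"; then
        return 1
    fi
    return 0
}

# Write everything to disk and load it (run as root). The ruleset is checked
# for the kill switch and parsed by iptables-restore --test before it is saved.
install_rules() {
    rules="$(gen_rules_v4)"
    rules_have_killswitch "$rules" || { echo "refusing leaky ruleset" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    mkdir -p /etc/iptables
    printf '%s\n' "$rules" > /etc/iptables/rules.v4
    gen_lan_conf "${LAN_ADDR:-192.168.1.1/24}" > "/etc/network/interfaces.d/$LAN_IF.conf"
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-router-pi.conf
    sysctl -q net.ipv4.ip_forward=1
    iptables-restore < /etc/iptables/rules.v4
}
```

If IPv6 stays enabled on the Pi, the same needs an equivalent rules.v6 for ip6tables, as noted earlier in the thread; otherwise only IPv4 is held to the tunnel.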

Excellent! Thank you all for your support on this. Since the day is coming to a close, I will probably make an attempt at this project next weekend when I can wake up fresh and focus on this for a few hours. I will report back (hopefully with success) once I have gotten everything setup. I will then consolidate all of the required guidance/steps/instructions from this thread, and make a nice and clean tutorial.

Thanks again! Till the attempt…

dwr Did you ever manage to get your setup working? I’m looking to do nearly exactly the same as you so I was eagerly awaiting your tutorial writeup but since you haven’t posted again, I fear that you had to abandon the project! :thinking:

Wow this brings me back! Even though it wasn’t long ago that I posted this, I have learned a great deal since and have found other options to accomplish this. However I will admit that I ended up purchasing an ASUS Router and am running ASUS-WRT Merlin firmware. Below I’ll list what I ended up using to accomplish each of my initial requirements in the first post.

Router: As mentioned above, I decided to scrap the idea of using a Raspberry Pi and Apple AirPort Extreme as a functional Wi-Fi router and go with an ASUS Router. The main reason behind this was due to lack of security options within the AirPort Extreme as well as the fact that the Pi would require constant maintenance. So I did some research and found that the ASUS-WRT Firmware has a great GUI but is also just as powerful as other solutions such as OpenWRT.

VPN Client: This function is built into the ASUS-WRT Merlin software by default and works very well, however I decided to discontinue my pursuit in setting up a network-wide VPN Client as it was killing up/down speeds, and was also causing a ton of issues with my streaming services due to using the VPN’s geo-location with a local DNS Server. Instead I simply use the Surfshark VPN app when needed. As a side note, ASUS-WRT Merlin just came out with a feature to simplify VPN Routing Policies called ‘VPN Director’ - I have not tried this yet, but it looks very promising.

Firewall: The ASUS-WRT Merlin firmware has an add-on app store where I installed something called ‘SkyNet’ which provides a router-based firewall. That, combined with individual device firewalls that I’ve setup, satisfies the firewall need.

DNS Server: While the ASUS Router also has the ability to block ads like Pi-Hole and AdGuard Home via an add-on called ‘Diversion’, I ended up going with a Raspberry Pi 4B running AdGuard Home as the ad-blocker, and Unbound as a recursive DNS Server/Resolver. I did try Diversion at one point, but after running a few ad-block tests I found that both Pi-Hole and AdGuard Home were working slightly better - additionally, the load that Diversion was putting on my router was causing a decrease in DNS resolution times, and overall speed.

File Server: I went with a dedicated Raspberry Pi 4B as a main File Server for my home. I use Diet Pi with Samba and FTP setup - the Samba Server is used on a dedicated SSD to house files and media that are not sensitive, and need to be accessed quickly on multiple OS types. Since the FTP Server is a bit more secure (relatively), I use that to house some sensitive items. I have been exploring Docker recently and will be moving some of the items listed above to Docker Containers due to simplicity, efficiency, and security - I highly recommend using Docker as much as possible.

A couple things to note since my original post:

  • OpenWRT is now available for the Raspberry Pi 4B as a rolling release instead of a snapshot. I have used OpenWRT a bunch over the last year (mainly while using a few GL.iNet routers which have a front-end GUI on top of OpenWRT) and I was not a huge fan of the massive amount of customization. It is very powerful and can well suit many out there, but for me it was too much.
  • RaspAP has added a few features (and improved upon some) to their software to incorporate Ad Blocking and a VPN Client feature. One of the main issues I had with RaspAP when I originally posted was the inability to set up a second USB Wi-Fi adapter, but I found a script that automatically identifies any attached Wi-Fi adapters and sets it up for you - I then would install RaspAP and be on my way. I actually built this exact setup when I was traveling recently, and because it worked so well I ended up replacing my Mother’s crappy Belkin router with the Pi.
  • If you are looking for an all-in-one solution, I suggest purchasing a router that can utilize OpenWRT or some variant (such as ASUS-WRT Merlin) - when searching for a router that is compatible with custom firmware, make sure that the firmware will support your hardware for a few years. I almost made the mistake of buying an ASUS Router that was about to become unsupported by ASUS-WRT Merlin. Additionally, depending on the size of your home, the GL.iNet router product line is a great option - I have purchased two of their ‘Mango’ Routers and one of their ‘Slate’ routers for traveling, but they can absolutely be used as stationary home routers too (and they are cheap).

Can you tell me what exactly you’re looking to accomplish, and what type of hardware you currently have? How many connected Clients do you plan on having? I might be able to point you to a few solutions.

I marked your last post as solution for this topic. Hope it’s fine.

Yessir, no problem at all!