Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Have some feedback, questions, suggestions, or just fancy a chat? Pop it in here.
dwr
Posts: 39
Joined: Thu Feb 18, 2021 3:46 am

Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by dwr »

Greetings,

I know this topic has been discussed many times, and I assure you I have found and tested close to 100 tutorials, forum topics and posts, articles, and more on this topic - however, I have yet to find anything that has worked for my specific situation (specifically with my current ISP gateway/router being a PITA to customize). They either didn't work due to my hardware limitations, their hardware limitations (specifically the use of a USB-to-Ethernet Adapter), or because I just didn't understand what was being done in the background which would have allowed me to change metrics to fit my needs. With that said, I need some help: Below you will find more information regarding my specific situation, including what I have already attempted to use - I would greatly appreciate any instruction, feedback, and/or resources to assist me in setting up my network using the Pi in the way that I have illustrated in the attached diagram below (i.e., using the Pi as a VPN Tunnel/Gateway + AdGuard Home Server + Firewall). Now, on to the specifics...

Due to the fact that I am using Surfshark VPN, a lot of the tutorials don't offer the ability to customize the actual VPN provider. With that said, I will need to use the standard OpenVPN software so I can use Surfshark's OVPN file and certificates.

Some might say, “Why don’t you just use your current ISP’s router/gateway to add your AdGuard Home’s DNS entries and Surfshark’s VPN configuration, or put the ISP’s router/gateway into bridge mode and use your Apple AirPort Extreme as the router?” Well, that is a long-winded response, but here is the short answer: I am using AT&T’s fiber connection that utilizes the Arris BGW210-700 gateway/router which has no options for bridge mode (which is why you will see all the modified settings in the image below that I had to incorporate to create a pseudo “bridge mode”), nor does it allow me to change the DNS. Additionally, the Apple AirPort devices are simply old, out-of-date (the Extreme has a USB port for network HDD/SSD connections but it uses SMB1 which is no longer secure and my Windows computers won’t connect to it), and are also more locked down than current router offerings. These reasons are why I’d like to use the Pi as a router, and the AirPort devices as a bridged wireless and wired access point.

Below you will find some of the more common solutions that I have tested without full success:
  • OpenWRT: Includes ability to add VPN and Ad Block Apps once the software is set up on the Pi, but the only firmware available for the Pi 4 is their “snapshot” (which makes updating a big mess) or their community builds (which also require an extended and messy update process). Once they release their newest version (20 something), this option will be used unless someone here can provide me with a rock-solid method of setting up the Pi with my desired requirements.
  • RaspAP: Includes OpenVPN + Built-in Ad Blocking (both customizable), but no support for USB-to-Ethernet Adapters. This setup seemed to be one of the better options, but again, it was only intended to be a HotSpot or AP Bridge. I followed their instructions and also found another good tutorial about how to set it up with NordVPN instead of Surfshark, but the instructions seem to be missing some steps and it's meant to be used as a Wi-Fi HotSpot.
  • Pantacore One: Includes Remote Access to Router via their website Hub + Wireguard and Tailscale VPN Apps + NextCloud App + Cloudflare Warp + Home Assistant App, but no support for USB-to-Ethernet Adapters (again, I don’t want to use the Pi as a HotSpot because the Pi’s Wi-Fi antenna is very weak and only broadcasts one band). I also didn’t like the fact that this system is somewhat “locked-down” and I am not able to see the coding of where my data is being sent.
  • Pi-Hole with PiVPN (They have tutorials for using OpenVPN or Wireguard as a Gateway/Tunnel rather than a Server) - It is hit-or-miss as to how well it’s documented - it also isn’t that easy to understand what they are saying since most of their documentation is community submitted.
  • Custom Setup using DietPi's HotSpot + OpenVPN (via Surfshark's OVPN Config Files) + Modifying IP Tables and IP Forwarding - I attempted to incorporate multiple tutorials/guides that I’ve seen (along with some knowledge that I’ve gained from reading all of these guides) to incorporate my Surfshark VPN requirements, and use my USB-to-Ethernet adapter to pass the Pi’s router responsibilities to the Apple Airport Extreme.
  • Docker Containers / Virtual Machines: I have tried to play around with Docker and Portainer to see what it's all about, but unfortunately I still do not know how it works or how to set one up - with that said, I did see some folks using OpenWRT, pFSense, OPNSense, etc. within a Virtual Container or Virtual Machine. Again, I understand the concept of routing traffic through the virtual network connections, but still do not understand how to do it (same goes for running a VPN Gateway/Tunnel through it).
  • Many, many, many other Tutorials found through hours of Google Searching

So, now you might ask, "What exactly are your goals?" - see list below, and the attached network configuration image:
  • VPN Gateway
  • AdGuard Home Ad-Blocking
  • Firewall (I know the Raspberry Pi's have their own, but I was interested in what others are using and would recommend)
  • File & Media Server (Optional because I currently have a dedicated Pi running a simple Samba and Jellyfin Server)

[Image: Network Configuration.png - attached network diagram]

Now that you have seen how I would like this to work and what devices I would like to use (or at least an estimate based on my current knowledge of how these things should work), below are the available “extra” devices that I can use in addition to the above devices shown in the picture:
  • TP-Link USB 3.0-to-Ethernet Adapter (UE300)
  • TP-Link R370K + AC1200 (Extender + Smart Plug)
  • TP-Link N300 (Travel Router)
  • Raspberry Pi 4B - 2GB RAM (2x)
  • Raspberry Pi 400

My only other option to incorporate the above listed requirements is to buy a cheap (relatively speaking) router that has multiple ethernet ports, at least one USB 3.0 port to set up my File and Media Server on, and allows me to flash the OpenWRT (or ASUS-WRT for ASUS Routers) firmware to it for VPN and Ad-Blocking functionality. I’d rather not spend the money ($100 or less) on a new or used router to accomplish this type of setup since it really seems these Pi’s are fully capable of handling the tasks I mentioned above.

Additional Questions:
  • I used to be a web designer in my previous life, however I have decided to keep my reseller hosting account and my 100+ domain names. How can I better utilize my hosting server and domain names to access certain parts of my home network (such as my File and Media Server, Home Assistant, potentially an Ad Block Server to connect to when away from home, etc.)?
  • Generally speaking, what is the best way to secure the setup I mentioned above, and all other Pi’s on my network? I have heard of Unbound, No-IP, Let’s Encrypt, DoH, QoS, etc. but since my knowledge of remote access networking is more limited than my knowledge of Linux/Raspberry Pi (which I would consider to be a little higher than beginner), I would rather hear from others as to what they prefer and how they are implementing it.
  • I am looking to start a Pi project that uses a dedicated Pi within my network that is to be used as a centralized and remote web browser so that I can, for example, use Chrome or Firefox on multiple computers via a remote desktop app that have all of my current tabs open (rather than having to bookmark all open tabs and reopen when using a different computer). This may sound pointless to some, but I have many laptops (most are stationary and are docked) that I use around my home (inside and outside) and I am tired of having to save bookmarks or sync tabs to re-open when I stop working on one computer to go have a smoke outside (and use a different laptop on the patio). I’d rather simply open up a remote desktop app, connect to the Pi, and continue from where I left off. Since remote desktops have gotten better over the years, I figure this is a good option, but I would like to inquire as to what software people prefer. DietPi has multiple offerings, including NoMachine, remote.it, and others. I have also researched other options like ZeroTier. Thoughts?

Hopefully this all makes sense. I apologize for the length of the post, but I needed to ensure that I explained everything.

Any help is greatly appreciated!
Attachments
Network Configuration.png
Last edited by dwr on Wed Mar 10, 2021 5:22 pm, edited 1 time in total.
dwr - SpicyLimes.io
WarHawk
Posts: 738
Joined: Thu Jul 20, 2017 8:55 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by WarHawk »

Here is how I set up my redneckish home network...

I used a very old PC for my firewall as it is an appliance that should be a dedicated unit, it runs PFSense (I did have to get the proper intel NIC card for it because it's very picky about the devices it will use)

I don't use an external VPN to route all my traffic thru however.
redneck.png
dwr
Posts: 39
Joined: Thu Feb 18, 2021 3:46 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by dwr »

WarHawk wrote: Wed Mar 10, 2021 3:17 pm Here is how I set up my redneckish home network...

I used a very old PC for my firewall as it is an appliance that should be a dedicated unit, it runs PFSense (I did have to get the proper intel NIC card for it because it's very picky about the devices it will use)

I don't use an external VPN to route all my traffic thru however.
Very interesting! Appreciate the diagram. Any ideas on how I might be able to accomplish turning my RouterPi into a VPN + Ad-Block + Firewall Gateway?
dwr - SpicyLimes.io
Joulinar
Posts: 5115
Joined: Sat Nov 16, 2019 12:49 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by Joulinar »

just a little comment from my side. Personally my prod RPi is hosting PiHole + Unbound (DoT) + WireGuard Server. This way I'm able to connect my mobile devices back home to use PiHole while away from home.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
WarHawk
Posts: 738
Joined: Thu Jul 20, 2017 8:55 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by WarHawk »

dwr wrote: Wed Mar 10, 2021 5:24 pm
WarHawk wrote: Wed Mar 10, 2021 3:17 pm Here is how I set up my redneckish home network...

I used a very old PC for my firewall as it is an appliance that should be a dedicated unit, it runs PFSense (I did have to get the proper intel NIC card for it because it's very picky about the devices it will use)

I don't use an external VPN to route all my traffic thru however.
Very interesting! Appreciate the diagram. Any ideas on how I might be able to accomplish turning my RouterPi into a VPN + Ad-Block + Firewall Gateway?
Firewall/gateway will have to be manual thru IPTABLES, there isn't a gui to just set one up

Now the VPN and Pihole behind a dedicated router is easy
dietpi has both of those services ready to go, you will just need to port forward the VPN port thru the firewall and all is well

To set up a firewall/gateway/router appliance you will need two ethernet devices, one for WAN, one for LAN, then use IPTABLES to route traffic between the two

Only ones I see that have a gui or whatnot are
Vuurmuur is an iptables manager with a Ncurses GUI for easy management over SSH
or a more manual config
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces

Firewallbuilder is another...but not sure how it works
http://fwbuilder.sourceforge.net/4.0/screenshots.shtml

There is also webmin, but it's a resource hog
Creating A Linux Firewall using webmin

Usually finding a dedicated build on an antiquated machine is best...better support, and it's a dedicated appliance...
Joulinar wrote: Wed Mar 10, 2021 10:50 pm just a little comment from my side. Personally my prod RPi is hosting PiHole + Unbound (DoT) + WireGuard Server. This way I'm able to connect my mobile devices back home to use PiHole while away from home.
This is usually the easiest and best route to go ;)
WarHawk
Posts: 738
Joined: Thu Jul 20, 2017 8:55 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by WarHawk »

With that said..there are ways to set it up...but it is beyond the scope of dietpi unfortunately

https://www.zahradnik.io/raspberry-pi-as-a-home-router
OpenWrt does have OpenVPN and adblock (similar to pihole)

Google RPi as a router and there are tons of howto's out there

Setting it up as a router, you would then need to manually install the services for Pihole and PiVPN (wireguard)
Pretty easy...but will no longer be a dietpi build or script controllable
Joulinar
Posts: 5115
Joined: Sat Nov 16, 2019 12:49 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by Joulinar »

Well, you could use DietPi as well. In the end it is nothing else than Debian. But it would require more manual configuration, as not all required software titles are available.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
dwr
Posts: 39
Joined: Thu Feb 18, 2021 3:46 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by dwr »

Thanks for the information, however I have actually already reviewed and bookmarked those during my initial attempts - unfortunately they don’t solve my particular needs. I am comfortable with setting this up without a GUI since I have tested so many systems already; I seem to be getting the hang of it (although the specifics are the issue). I have successfully set up Pi-Hole with PiVPN in the past but as I mentioned in my initial post, I am looking for a gateway/tunnel rather than a VPN Server to access my network remotely.

Again, after reading close to 100 tutorials and guides on this subject from various sources, I believe I understand what needs to be done, however the issue is “how do I implement the code to accomplish my desired outcome”. Below are the steps that I believe need to be executed (I have put a “?” next to the steps that I am not sure on):
  1. Install Diet Pi OS: Add LXDE Desktop for Ease of Install and Configuration (then disable)
  2. Install OpenVPN Client (Surfshark)
  3. Configure the VPN to Start on Boot via DietPi-AutoStart Script
  4. Install AdGuard Home
  5. ? - Configure TP-Link UE300 as “eth1” to allow physical passing of traffic from the Router Pi to the AirPort Extreme.
  6. ? - Configure Firewall (UFW or Firewalld) to allow the passthrough of traffic from “eth0” through “tun”, and finally through “eth1” (and back again).
  7. ? - Configure IP Forwarding via “net.ipv4.ip_forward = 1” to allow the passthrough of traffic/packets.
  8. ? - What else am I missing?
  9. Arris BGW210-700: Configure IP Passthrough to Router Pi
  10. Apple AirPort Extreme: Configure Bridge Mode from Router Pi
  11. DietPi-AutoStart: CLI (instead of DE)
  12. Profit?
Thoughts?

WarHawk wrote: Thu Mar 11, 2021 5:54 am With that said..there are ways to set it up...but it is beyond the scope of dietpi unfortunately

https://www.zahradnik.io/raspberry-pi-as-a-home-router
OpenWrt does have OpenVPN and adblock (similar to pihole)
OpenWRT is going to be the best solution, but as I mentioned above, the only available solution is their “Snapshot” firmware which (if you read their forums on the community build) has caused many individuals problems and headaches. Once they release v.20+, I will be switching my setup to that (or I’ll keep the current setup and give it to a friend/parent to use).
Joulinar wrote: Thu Mar 11, 2021 9:15 am Well, you could use DietPi as well. In the end it is nothing else than Debian. But it would require more manual configuration, as not all required software titles are available.
I believe he is referring to the OpenWRT firmware - which is not using DietPi, but I understand what you're saying. If possible, I'd like to stick with DietPi with this project since it has pretty much everything I need, but the hard part comes in tying it all together.
dwr - SpicyLimes.io
MichaIng
Site Admin
Posts: 3097
Joined: Sat Nov 18, 2017 6:21 pm

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by MichaIng »

? Configure TP-Link UE300 as “eth1” to allow physical passing of traffic from the Router Pi to the AirPort Extreme.

Code:
echo -e 'allow-hotplug eth1\niface eth1 inet static\naddress <ip_address>/<CIDR>' > /etc/network/interfaces.d/eth1.conf
? Configure Firewall (UFW or Firewalld) to allow the passthrough of traffic from “eth0” through “tun”, and finally through “eth1” (and back again).

Code:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
...
# The below only when not using iptables-persistent already:
iptables-save > /etc/iptables.store
echo 'up iptables-restore < /etc/iptables.store' > /etc/network/interfaces.d/iptables.conf
Not quite sure if I understood the whole setup yet :D, but the above stack should help to understand the aimed iptables commands: masquerading output to www, respectively the VPN provider, as NAT step, allow forwarding traffic from local clients to www, but from www to local clients only if the connection was established already. The same would need to be done for IPv6, in case, via iptables6 command.
? Configure IP Forwarding via “net.ipv4.ip_forward = 1” to allow the passthrough of traffic/packets.

Code:
echo -e 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\nnet.ipv6.conf.default.forwarding=1' > /etc/sysctl.d/dietpi-wifihotspot.conf
sysctl net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1
This includes IPv6.
? What else am I missing?
Do not try to configure everything at once, set up things step by step and test each added component/feature first. Else it's extremely hard to debug issues, especially when you followed 100 guides which may have little differences making step A from guide A incompatible with step B from guide C etc.
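As an added example (not code from MichaIng's post or from DietPi), the rules above carried over to the three-interface layout dwr describes, emitted in iptables-restore format so they can be saved to the same /etc/iptables.store file. Assumptions: eth0 is the WAN toward the ISP gateway, eth1 the USB adapter toward the AirPort Extreme, tun0 the OpenVPN client tunnel, AdGuard Home listens on port 53 on the Pi, and 192.168.2.0/24 is a constructed LAN range. It adds a kill switch so LAN traffic is logged and dropped instead of leaking out the WAN when the tunnel is down, plus a check that can be run against live iptables-save output.

```shell
#!/bin/sh
# Added example, not from the thread or DietPi: prints an iptables-restore ruleset
# for the "Router Pi" gateway. Interface names and LAN_NET are assumptions.
WAN_IF="${WAN_IF:-eth0}"              # toward the Arris gateway (IP passthrough)
LAN_IF="${LAN_IF:-eth1}"              # TP-Link UE300 toward the AirPort Extreme
VPN_IF="${VPN_IF:-tun0}"              # OpenVPN client tunnel
LAN_NET="${LAN_NET:-192.168.2.0/24}"  # constructed example LAN range

# gen_rules WAN LAN VPN LAN_NET -> complete IPv4 ruleset on stdout
gen_rules() {
  wan="$1"; lan="$2"; vpn="$3"; lan_net="$4"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Force LAN clients onto the Pi's AdGuard Home resolver, even if they hard-code another DNS server
-A PREROUTING -i $lan -s $lan_net -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $lan -s $lan_net -p tcp --dport 53 -j REDIRECT --to-ports 53
# Everything leaving through the tunnel is masqueraded with the tunnel address
-A POSTROUTING -o $vpn -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies for flows the LAN opened may come back in from the tunnel
-A FORWARD -i $vpn -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN traffic is forwarded into the tunnel only
-A FORWARD -i $lan -o $vpn -s $lan_net -j ACCEPT
# Kill switch: log (rate-limited) and drop LAN traffic that would bypass the tunnel via the WAN
-A FORWARD -i $lan -o $wan -m limit --limit 5/min -j LOG --log-prefix "vpn-killswitch: "
-A FORWARD -i $lan -o $wan -j DROP
COMMIT
EOF
}

# check_no_wan_leak LAN WAN -> reads a ruleset (e.g. `iptables-save` output) on stdin and
# returns 1 if any FORWARD rule ACCEPTs LAN->WAN traffic, i.e. a path around the tunnel
check_no_wan_leak() {
  lan="$1"; wan="$2"
  if grep -Eq -- "^-A FORWARD .*-i $lan .*-o $wan .*-j ACCEPT"; then
    return 1
  fi
  return 0
}

# Usage: sh router-pi-rules.sh > /etc/iptables.store && iptables-restore < /etc/iptables.store
gen_rules "$WAN_IF" "$LAN_IF" "$VPN_IF" "$LAN_NET"
```

After loading, `iptables-save | sh -c '. ./router-pi-rules.sh >/dev/null; check_no_wan_leak eth1 eth0'` confirms no accidental LAN-to-WAN ACCEPT rule has crept in from another guide's steps.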
dwr
Posts: 39
Joined: Thu Feb 18, 2021 3:46 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by dwr »

@MichaIng - This is what I was looking for! Thank you, thank you, thank you. I do have additional info for you relating to what I want to accomplish as well as a few follow up questions though. Please see below.
MichaIng wrote: Fri Mar 12, 2021 5:56 pm

Code:
echo -e 'allow-hotplug eth1\niface eth1 inet static\naddress <ip_address>/<CIDR>' > /etc/network/interfaces.d/eth1.conf
To confirm, this will allow the use of the TP-Link UE300 USB-to-Ethernet adapter? Also before I run this code, “niface” and “naddress” are accurate, correct? Not second guessing you at all, it’s just that I have seen similar code to this to activate the device, but never with those “variables”.

MichaIng wrote: Fri Mar 12, 2021 5:56 pm

Code:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
What about “eth1”? Do I need to add an additional line to include “eth1” as well?

MichaIng wrote: Fri Mar 12, 2021 5:56 pm
Code:
# The below only when not using iptables-persistent already:
iptables-save > /etc/iptables.store
echo 'up iptables-restore < /etc/iptables.store' > /etc/network/interfaces.d/iptables.conf
I intend to use the “IPTables-Persistent” script to permanently save this configuration so that upon reboot, I won’t have to worry about setting all of this back up. HOWEVER, if you are suggesting that I can simply run the code above rather than use the persistent script, I will do so. Thoughts?

MichaIng wrote: Fri Mar 12, 2021 5:56 pm Not quite sure if I understood the whole setup yet :D, but the above stack should help to understand the aimed iptables commands: masquerading output to www, respectively the VPN provider, as NAT step, allow forwarding traffic from local clients to www, but from www to local clients only if the connection was established already. The same would need to be done for IPv6, in case, via iptables6 command.
I have no intention of using IPv6 since, from what I have read, it tends to cause more trouble than benefits. In fact, I have already turned off IPv6 on the ISP Gateway.

The flowchart diagram below is what I am looking to accomplish with this Pi (“Router Pi”, if you will). As a written description of my goals, I would describe it as:
  1. Set up my AT&T Fiber Gateway/Router in a way that only passes the external IP Address to my Router Pi (this I already know how to do since I have done this when I initially set up AdGuard Home a few months ago - it basically put the Router function into a “dirty” bridge-mode).
  2. Router Pi acts as a Router for all in/out traffic but is also routing that traffic under the umbrella of a VPN (to ensure encryption of all data sent/received) as well as an Ad-Blocker (to block ads and other malicious web items). Note: The Router Pi will not be broadcasting a Wi-Fi signal; instead it will simply pass the traffic to the Apple AirPort Extreme (which will act as a Wireless Access Point and a Wired Access Point).
  3. Router Pi then passes the traffic to my Apple AirPort Extreme, which acts as a Wired and Wireless Access Point.
  4. The AirPort Extreme has 3 LAN Ethernet Ports, of which two of those ports will be connected directly to an 8-Port and 5-Port Unmanaged Ethernet Switch (the third LAN Ethernet Port will remain empty).
  5. The Ethernet Switches will be connected to various Raspberry Pi’s, laptops, and media devices. The AirPort Extreme Wireless AP function will connect to two additional Apple AirPort Expresses to help with dead spots around my home as well as to connect to all of my IoT devices (around 60+ devices currently in use) and other laptops and media devices.
This whole project’s aim is to run allllll of these devices through the Router Pi so that they alllll are covered by a VPN (not a VPN server - I do not care to have remote access) as well as an Ad-Block “umbrella”. Hopefully this helps clarify my goals. Thoughts?

[Image: Router Pi flowchart diagram]

[Image: devices connected to the Apple AirPort Extreme]
(This image is a more accurate portrayal of the devices that will be connected to the Apple AirPort Extreme compared to the first image.)

MichaIng wrote: Fri Mar 12, 2021 5:56 pm

Code:
echo -e 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\nnet.ipv6.conf.default.forwarding=1' > /etc/sysctl.d/dietpi-wifihotspot.conf
sysctl net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1
This includes IPv6.
So, within this above code example, I noticed “dietpi-wifihotspot.conf” - since I have no intention of making the “Router Pi” a Wi-Fi HotSpot, do I need to include this? Or does it need to be pointed to the “eth1” since the USB-to-Ethernet Adapter is going to be pushing the traffic to the Apple AirPort Extreme? If yes, how do I need to alter this code? Also, since I am not going to be using IPv6, is it safe to remove the code segments that mention it?

MichaIng wrote: Fri Mar 12, 2021 5:56 pm Do not try to configure everything at once, setup things step by step and test each added component/feature first. Else it's extremely hard to debug issues, especially when you followed 100 guides which may have little differences making step A from guide A incompatible with step B from guide C etc.
Understood - this was my intention. IRL, I am an auditor for a Brokerage Firm (I basically make sure that the Associates of the Firm are following compliance laws and regulations; not in the “IRA Auditor” sense, ha!), and my mind works in that sort of manner… Install, test. Install, test. Install, test. Combine and connect, test.

Again, thank you for your continued assistance (and to those who also contributed above). I apologize for such long posts, but as I mentioned above (regarding the 100+ tutorials that I have already reviewed), the better I can describe my situation and goals, the better off the next person will be who wants to accomplish the same. When I have some free time (granted that this project succeeds), I will do a tutorial write-up with images so you guys can post it to that section of the forum.
dwr - SpicyLimes.io