Turn your SBC into a VPN Router with DietPI, PiHole, Wireguard on Mullvad.net
-----------------------------------------------------------------------------
[WireGuard](https://www.wireguard.com)
This is an **advanced** guide to turning your SBC into an IPv4/IPv6 VPN router
with the [Mullvad](https://www.mullvad.net) service.
** Install DietPi
https://dietpi.com
** Set static "LAN" ipv4 and ipv6 address
vim /etc/network/interfaces
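# Ethernet
allow-hotplug eth0
iface eth0 inet static
address 192.168.2.10
netmask 24
# Home router's IP. ifupdown does not support end-of-line comments, so a
# trailing "# ..." on the gateway line would become part of the value.
gateway 192.168.2.1
# 127.0.0.1 is the local resolver (Pi-hole, installed later in this guide).
# The second entry is the same resolver used for DNS in the WireGuard and
# Pi-hole settings; lookups that fall back to it are not filtered by Pi-hole.
dns-nameservers 127.0.0.1 193.138.219.228
# Set to a ULA address
# NOTE(review): RFC 4193 assigns locally generated ULAs from fd00::/8 with a
# random 40-bit global ID; fc00::1 is kept because the rest of the guide
# (SNAT source range, Pi-hole IPV6_ADDRESS) refers to fc00::/64.
iface eth0 inet6 static
address fc00::1
netmask 64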
Reboot
** Run ifconfig to verify static ethernet addresses are correct
root@dietpi:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.10 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fc00::1 prefixlen 64 scopeid 0x0<global>
inet6 fe80::XXXX:XXXX:XXXX:XXXX prefixlen 64 scopeid 0x20<link>
ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet)
RX packets 89 bytes 15938 (15.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 83 bytes 11643 (11.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 40
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 3 bytes 288 (288.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 288 (288.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
** Finish DietPI Installation
** Install Wireguard
*** Install Kernel Headers
# apt install linux-headers-$(uname -r)
The following symlink is required **in some cases** so that the kernel module builds correctly when the wireguard package is installed:
# ln -s /usr/src/linux-headers-$(uname -r) /lib/modules/$(uname -r)/build
https://www.wireguard.com/install/
*** Install required packages from the Debian unstable repository (pinned at priority 150 so that other packages are not pulled from unstable)
# echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
# printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
# apt update
# apt install wireguard jq iptables
You must see something like:
**Building for 3.16.56+
Building initial module for 3.16.56+
Done.
wireguard:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/3.16.56+/kernel/net/
depmod...
DKMS: install completed.
Setting up wireguard (0.0.20180519-1) ...**
*** Run Mullvad configuration script, turn on WireGuard and Verify Connection
https://www.mullvad.net/en/guides/wireguard-and-mullvad-vpn/
** Install PI-Hole
# dietpi-software
Select PIHole (93) and install
** Configure home router
Turn off the router's IPv4 DHCP server. If your router supports IPv6, also turn off Router Advertisements. The Pi-hole IPv4/IPv6 DHCP server on the SBC will take over both roles, so that clients use the SBC as their gateway and DNS server.
** Turn on IP4 forwarding
# vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
** Turn on IP6 forwarding
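# Enable IPv6 forwarding by uncommenting the setting in place.
# Piping sed into `tee` on the same file is unsafe: tee can truncate
# /etc/sysctl.conf before sed has read it, leaving the file empty.
# -i.bak keeps the previous version as /etc/sysctl.conf.bak.
sudo sed -i.bak 's/^#net\.ipv6\.conf\.all\.forwarding=1/net.ipv6.conf.all.forwarding=1/' /etc/sysctl.conf
# Reload the file; the output should list both net.ipv4.ip_forward = 1 and
# net.ipv6.conf.all.forwarding = 1.
sudo sysctl -p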
** Edit Wireguard Endpoint
vim /etc/wireguard/mullvad-us1.conf
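[Interface]
# This file contains the tunnel's private key: keep it owned by root with
# mode 600 and never paste the real value into a shared copy of the config.
PrivateKey = <PRIVATE_KEY>
Address = 10.XX.XX.XX/32,fc00:xxxx:xxxx:xxxx::xxx/128
DNS = 193.138.219.228
# On tunnel start: allow forwarding to and from the tunnel, masquerade IPv4
# leaving through it, and SNAT the LAN's fc00::/64 to the tunnel's IPv6 address.
PostUp = iptables -A FORWARD -i mullvad-us1 -j ACCEPT; iptables -A FORWARD -o mullvad-us1 -j ACCEPT; iptables -t nat -A POSTROUTING -o mullvad-us1 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -s fc00::/64 -o mullvad-us1 -j SNAT --to-source fc00:xxxx:xxxx:xxxx::xxx
# On tunnel stop: delete exactly the rules added above, so repeated up/down
# cycles do not leave stale or duplicated entries behind.
PostDown = iptables -D FORWARD -i mullvad-us1 -j ACCEPT; iptables -D FORWARD -o mullvad-us1 -j ACCEPT; iptables -t nat -D POSTROUTING -o mullvad-us1 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -s fc00::/64 -o mullvad-us1 -j SNAT --to-source fc00:xxxx:xxxx:xxxx::xxx
# NOTE(review): nothing here stops forwarding while the tunnel is down. With
# IP forwarding enabled, LAN traffic may then leave through eth0 and the home
# router outside the VPN. Check the FORWARD chain policy and consider
# dropping LAN traffic that is not routed out via mullvad-us1.
[Peer]
PublicKey = <PUBLIC_KEY>
Endpoint = us1-wireguard.mullvad.net:51820
# Route all IPv4 and IPv6 traffic through this peer.
AllowedIPs = 0.0.0.0/0, ::/0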
** Start wireguard on boot
# vim /etc/rc.local
wg-quick up mullvad-us1
exit 0
** Install PiHole
*** Configure PIHole Ipv4 and IPv6 DHCP Servers
vim /etc/pihole/setupVars.conf
root@vpnpi:/etc/pihole# cat setupVars.conf
# Interface and addresses Pi-hole serves on; the addresses are the static
# eth0 addresses configured in /etc/network/interfaces earlier in this guide.
PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=192.168.2.10/32
#IPV6_ADDRESS=fc00:bbbb:bbbb:bb01::b4d
IPV6_ADDRESS=fc00::1/64
# Query logging is on: client lookups are recorded on this box, so treat the
# Pi-hole logs and web interface as sensitive.
QUERY_LOGGING=true
INSTALL_WEB=true
LIGHTTPD_ENABLED=1
# Placeholder value. NOTE(review): Pi-hole normally writes a password hash
# here itself (e.g. via `pihole -a -p`) rather than a plaintext password;
# confirm for your Pi-hole version and do not publish the real value.
WEBPASSWORD=xxxx
# NOTE(review): presumably limits DNS answers to locally attached networks;
# verify against the Pi-hole documentation.
DNSMASQ_LISTENING=local
# Upstream resolver: the same address used for DNS in the WireGuard config.
PIHOLE_DNS_1=193.138.219.228
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
# DNSSEC validation is switched off in this setup.
DNSSEC=false
CONDITIONAL_FORWARDING=false
# DHCP: Pi-hole hands out 192.168.2.30-254 and names the SBC (192.168.2.10)
# as the default router, so client traffic is routed through the VPN box.
# The home router's own DHCP server must be off (see "Configure home router").
DHCP_ACTIVE=true
DHCP_START=192.168.2.30
DHCP_END=192.168.2.254
DHCP_ROUTER=192.168.2.10
# Lease time; the matching dnsmasq dhcp-range below uses 24h.
DHCP_LEASETIME=24
PIHOLE_DOMAIN=lan
# Also serve IPv6 addresses and router advertisements from Pi-hole.
DHCP_IPv6=true
cd /etc/dnsmasq.d
vim 02-pihole-dhcp.conf
# dnsmasq acts as the authoritative DHCP server for the LAN; no other DHCP
# server (e.g. the home router's) should be active on the same segment.
dhcp-authoritative
# IPv4 pool with a 24 hour lease.
dhcp-range=192.168.2.30,192.168.2.254,24h
# Clients get the SBC (192.168.2.10) as their default gateway.
dhcp-option=option:router,192.168.2.10
dhcp-leasefile=/etc/pihole/dhcp.leases
#quiet-dhcp
domain=lan
#quiet-dhcp6
# Send IPv6 router advertisements from dnsmasq; the home router's RAs must be
# off so that clients do not pick up a second IPv6 route around the VPN.
enable-ra
# [::] stands for this machine's own address, so IPv6 clients use it for DNS.
dhcp-option=option6:dns-server,[::]
# IPv6 range ::100-::1ff on the prefix configured on eth0, with SLAAC and
# RA-derived names enabled, 24 hour lease.
dhcp-range=::100,::1ff,constructor:eth0,ra-names,slaac,24h
# NOTE(review): presumably a 60 second router-advertisement interval on eth0;
# confirm against the dnsmasq man page.
ra-param=eth0,60