Created
May 23, 2018 06:11
Turn your SBC into a VPN Router with DietPI, PiHole, Wireguard on Mullvad.net | |
----------------------------------------------------------------------------- | |
[WireGuard](https://www.wireguard.com) | |
This is an **advanced** guide to turning your SBC into an IPv4/IPv6 VPN router | |
with the [Mullvad](https://www.mullvad.net) service. | |
** Install DietPi | |
https://dietpi.com | |
** Set static "LAN" ipv4 and ipv6 address | |
vim /etc/network/interfaces | |
# Ethernet | |
allow-hotplug eth0 | |
iface eth0 inet static | |
address 192.168.2.10 | |
netmask 24 | |
gateway 192.168.2.1 # Home Router's IP | |
dns-nameservers 127.0.0.1 193.138.219.228 | |
# Set to a ULA address | |
iface eth0 inet6 static | |
address fc00::1 | |
netmask 64 | |
Reboot | |
** Run ifconfig to verify static ethernet addresses are correct | |
root@dietpi:~# ifconfig | |
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 | |
inet 192.168.2.10 netmask 255.255.255.0 broadcast 192.168.2.255 | |
inet6 fc00::1 prefixlen 64 scopeid 0x0<global> | |
inet6 fe80::XXXX:XXXX:XXXX:XXXX prefixlen 64 scopeid 0x20<link> | |
ether XX:XX:XX:XX:XX:XX txqueuelen 1000 (Ethernet) | |
RX packets 89 bytes 15938 (15.5 KiB) | |
RX errors 0 dropped 0 overruns 0 frame 0 | |
TX packets 83 bytes 11643 (11.3 KiB) | |
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 | |
device interrupt 40 | |
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 | |
inet 127.0.0.1 netmask 255.0.0.0 | |
inet6 ::1 prefixlen 128 scopeid 0x10<host> | |
loop txqueuelen 0 (Local Loopback) | |
RX packets 3 bytes 288 (288.0 B) | |
RX errors 0 dropped 0 overruns 0 frame 0 | |
TX packets 3 bytes 288 (288.0 B) | |
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 | |
** Finish DietPI Installation | |
** Install Wireguard | |
*** Install Kernel Headers | |
# apt install linux-headers-$(uname -r) | |
This is required **in some cases** to ensure the modules are built correctly when installing the wireguard package | |
# ln -s /usr/src/linux-headers-$(uname -r) /lib/modules/$(uname -r)/build | |
https://www.wireguard.com/install/ | |
*** Install required packages from Debian distribution packages | |
# echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list | |
# printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable | |
# apt update | |
# apt install wireguard jq iptables | |
You should see output like this: | |
**Building for 3.16.56+ | |
Building initial module for 3.16.56+ | |
Done. | |
wireguard: | |
Running module version sanity check. | |
- Original module | |
- No original module exists within this kernel | |
- Installation | |
- Installing to /lib/modules/3.16.56+/kernel/net/ | |
depmod... | |
DKMS: install completed. | |
Setting up wireguard (0.0.20180519-1) ...** | |
*** Run Mullvad configuration script, turn on WireGuard and Verify Connection | |
https://www.mullvad.net/en/guides/wireguard-and-mullvad-vpn/ | |
** Install PI-Hole | |
# dietpi-software | |
Select PIHole (93) and install | |
** Configure home router | |
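Turn off the router's IPv4 DHCP server. If your router supports IPv6, also turn off its Router Advertisements. The Pi-hole DHCP server (IPv4 and IPv6) on the SBC replaces them, so that clients receive the SBC rather than the home router as their gateway. | |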
** Turn on IP4 forwarding | |
# vim /etc/sysctl.conf | |
# Uncomment the next line to enable packet forwarding for IPv4 | |
net.ipv4.ip_forward=1 | |
** Turn on IP6 forwarding | |
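# Enable IPv6 forwarding by uncommenting the setting in /etc/sysctl.conf.
# Edit the file in place with sed -i: piping sed's output into tee on the same
# file lets tee truncate /etc/sysctl.conf before sed has read it, which can
# leave the file empty and silently drop every other sysctl setting.
sudo sed -i 's/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/g' /etc/sysctl.conf
# Reload /etc/sysctl.conf so the forwarding settings take effect without a reboot.
sudo sysctl -p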
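** Edit Wireguard Endpoint | |
Keep this file readable by root only (e.g. `chmod 600`), since it holds the tunnel's private key. The PostUp rules below have no matching PostDown, so every `wg-quick up` appends them again; and they only add ACCEPT rules, so unless the FORWARD chain is restricted elsewhere, LAN traffic can still be forwarded out through eth0 without the VPN while the tunnel is down. | |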
vim /etc/wireguard/mullvad-us1.conf | |
PrivateKey = <PRIVATE_KEY> | |
Address = 10.XX.XX.XX/32,fc00:xxxx:xxxx:xxxx::xxx/128 | |
DNS = 193.138.219.228 | |
PostUp = iptables -A FORWARD -i mullvad-us1 -j ACCEPT; iptables -A FORWARD -o mullvad-us1 -j ACCEPT; iptables -t nat -A POSTROUTING -o mullvad-us1 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -s fc00::/64 -o mullvad-us1 -j SNAT --to-source fc00:xxxx:xxxx:xxxx::xxx | |
[Peer] | |
PublicKey = <PUBLIC_KEY> | |
Endpoint = us1-wireguard.mullvad.net:51820 | |
AllowedIPs = 0.0.0.0/0, ::/0 | |
** Start wireguard on boot | |
# vim /etc/rc.local | |
wg-quick up mullvad-us1 | |
exit 0 | |
** Install PiHole | |
*** Configure PIHole Ipv4 and IPv6 DHCP Servers | |
vim /etc/pihole/setupVars.conf | |
root@vpnpi:/etc/pihole# cat setupVars.conf | |
PIHOLE_INTERFACE=eth0 | |
IPV4_ADDRESS=192.168.2.10/32 | |
#IPV6_ADDRESS=fc00:bbbb:bbbb:bb01::b4d | |
IPV6_ADDRESS=fc00::1/64 | |
QUERY_LOGGING=true | |
INSTALL_WEB=true | |
LIGHTTPD_ENABLED=1 | |
WEBPASSWORD=xxxx | |
DNSMASQ_LISTENING=local | |
PIHOLE_DNS_1=193.138.219.228 | |
DNS_FQDN_REQUIRED=true | |
DNS_BOGUS_PRIV=true | |
DNSSEC=false | |
CONDITIONAL_FORWARDING=false | |
DHCP_ACTIVE=true | |
DHCP_START=192.168.2.30 | |
DHCP_END=192.168.2.254 | |
DHCP_ROUTER=192.168.2.10 | |
DHCP_LEASETIME=24 | |
PIHOLE_DOMAIN=lan | |
DHCP_IPv6=true | |
cd /etc/dnsmasq.d | |
vim 02-pihole-dhcp.conf | |
dhcp-authoritative | |
dhcp-range=192.168.2.30,192.168.2.254,24h | |
dhcp-option=option:router,192.168.2.10 | |
dhcp-leasefile=/etc/pihole/dhcp.leases | |
#quiet-dhcp | |
domain=lan | |
#quiet-dhcp6 | |
enable-ra | |
dhcp-option=option6:dns-server,[::] | |
dhcp-range=::100,::1ff,constructor:eth0,ra-names,slaac,24h | |
ra-param=eth0,60 |