Initial setup
Update, install base packages, set up ssh key authentication, change shell to zsh and copy configs, change passwords
Editing sshd config
edit config file
sanity check and restart sshd service
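The sshd_config edits themselves did not survive onto this page. What follows is an added example, not the post's own commands: a shell check for the settings I would expect after "set up ssh key authentication" (PasswordAuthentication no, KbdInteractiveAuthentication no, PubkeyAuthentication yes, PermitRootLogin no are my assumptions), plus the validate-before-restart step the "sanity check" line refers to. The sample config is constructed inline so the script runs offline.

```sh
#!/bin/sh
# Added example (not from the original post): check an sshd_config for the
# key-only login settings assumed here, then validate before restarting.
# Caveat this reflects: sshd keeps the FIRST value it reads for a keyword, so a
# hardening line appended at the bottom is ignored if an earlier line (or a
# drop-in pulled in by an Include directive, which this check does not follow)
# already set it. "sshd -T" on the real host prints the fully resolved config.

# sshd_effective <file> <Keyword>: the value sshd would use for <Keyword>
# from this file alone (case-insensitive keyword, "Key value" or "Key=value").
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        { sub(/=/, " "); k = tolower($1) }     # normalise Key=value form
        k == key { print $2; exit }            # first match wins, like sshd
    ' "$1"
}

# sshd_check <file>: print one line per setting that differs from the
# hardening targets below; returns 1 if anything differs. Targets are
# assumptions for a key-only setup, not values taken from the post.
sshd_check() {
    rc=0
    for pair in PasswordAuthentication=no KbdInteractiveAuthentication=no \
                PubkeyAuthentication=yes PermitRootLogin=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        [ "$got" = "$want" ] || {
            printf '%s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        }
    done
    return $rc
}

# On the Pi, after editing /etc/ssh/sshd_config:
#   sshd_check /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd
# sshd -t parses the file without restarting. If it fails, do not restart: a
# restart with a broken config stops the old daemon and the new one refuses to
# start, leaving no listener for your next login (open sessions survive).

# Constructed sample (not a real host's file): the "no" at the end is the line
# someone appended, but the earlier "yes" is what sshd actually uses.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed sshd_config excerpt
Port 2222
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
if sshd_check "$SAMPLE"; then
    echo "sample is hardened"
else
    echo "sample still allows password logins"
fi
rm -f "$SAMPLE"
```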
Configuring static ip
reboot
Installing pihole
- go to http://10.0.0.5/admin in a web browser
- go to Settings → Teleporter and import the backed-up settings file
If you don’t have a settings file:
Adlists:
- Developer Dan (github) Aggressive Tracking blacklist
- Developer Dan (github) Facebook Extended blacklist
- Developer Dan (github) Ads and Tracking Extended blacklist
Regex blacklists:
I take zero credit for this wizardry. I grabbed these a long time ago and forgot to document where I got them from. I’ll have to locate them again later.
The final two rules, self.events.data.microsoft.com and dns.msftncsi.com, I believe are there to block absurd levels of Windows DNS requests. I created those so long ago I don’t even know if I tested them.
^(.+[_.-])?adse?rv(er?|ice)?s?[0-9]*[_.-]
^(.+[_.-])?telemetry[_.-]
^ad([sxv]?[0-9]*|system)[_.-]([^.[:space:]]+\.){1,}|[_.-]ad([sxv]?[0-9]*|system)[_.-]
^adim(age|g)s?[0-9]*[_.-]
^adtrack(er|ing)?[0-9]*[_.-]
^advert(s|is(ing|ements?))?[0-9]*[_.-]
^aff(iliat(es?|ion))?[_.-]
^analytics?[_.-]
^banners?[_.-]
^beacons?[0-9]*[_.-]
^count(ers?)?[0-9]*[_.-]
^mads\.
^pixels?[-.]
^stat(s|istics)?[0-9]*[_.-]
self.events.data.microsoft.com
dns.msftncsi.com
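As an added check that is not part of the original post, the shell snippet below runs the regex list above through grep -E (POSIX extended regular expressions, the dialect Pi-hole uses for regex filters) against a handful of constructed hostnames, so you can see what each rule catches before loading it. Two caveats it surfaces: the unescaped dots in the last two entries are wildcards, so `self-events.data.microsoft.com` is blocked too, and dns.msftncsi.com is the hostname Windows' Network Connectivity Status Indicator probes, so blocking it can make Windows report "No Internet" while connectivity is actually fine.

```sh
#!/bin/sh
# Added example (not from the original post): exercise the Pi-hole regex
# blacklist above with grep -E against constructed hostnames.

PATTERNS=$(mktemp)
trap 'rm -f "$PATTERNS"' EXIT
cat >"$PATTERNS" <<'EOF'
^(.+[_.-])?adse?rv(er?|ice)?s?[0-9]*[_.-]
^(.+[_.-])?telemetry[_.-]
^ad([sxv]?[0-9]*|system)[_.-]([^.[:space:]]+\.){1,}|[_.-]ad([sxv]?[0-9]*|system)[_.-]
^adim(age|g)s?[0-9]*[_.-]
^adtrack(er|ing)?[0-9]*[_.-]
^advert(s|is(ing|ements?))?[0-9]*[_.-]
^aff(iliat(es?|ion))?[_.-]
^analytics?[_.-]
^banners?[_.-]
^beacons?[0-9]*[_.-]
^count(ers?)?[0-9]*[_.-]
^mads\.
^pixels?[-.]
^stat(s|istics)?[0-9]*[_.-]
self.events.data.microsoft.com
dns.msftncsi.com
EOF

# verdict <hostname>: prints "block" if any pattern matches, else "allow".
# Matching is unanchored, so a rule without ^ or $ hits anywhere in the name
# and an unescaped "." matches any character, not just a dot.
verdict() {
    if printf '%s\n' "$1" | grep -Eq -f "$PATTERNS"; then
        echo block
    else
        echo allow
    fi
}

# matched_by <hostname>: prints each pattern that matches, for the case where
# a rule blocks something you did not expect.
matched_by() {
    while IFS= read -r re; do
        printf '%s\n' "$1" | grep -Eq -e "$re" && printf '%s\n' "$re"
    done <"$PATTERNS"
}

# Constructed hostnames: the first two columns should all block, the last two
# are legitimate-looking names that the list must leave alone.
for h in ads.example.com adserver.example.com cdn.adsystem.example.com \
         telemetry.example.com counter2.example.com pixel.example.com \
         self-events.data.microsoft.com dns.msftncsi.com \
         www.example.com static.example.com; do
    printf '%-32s %s\n' "$h" "$(verdict "$h")"
done
```

`static.example.com` passing is worth noting: `^stat(s|istics)?[0-9]*[_.-]` needs a separator right after `stat`, `stats` or `statistics`, so the common CDN prefix `static` is not caught.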
Settings:
- DNS → enable IPv6
- DNS → use DNSSEC
- Rest at defaults
Edit: the previous settings assumed Pi-hole as the endpoint DNS, which would then forward to an upstream DNS. In my finished configuration, I’m using the router as the upstream DNS, which then points to further upstream public DNS servers. For the complete Pi-hole configuration, see Pi-hole with OpenWRT.
Setting up wireguard
Previous documentation: Setting up WireGuard P2P VPN
The above works for connection to a remote server. However, the last time I did this for remote access to my home network, or in other words for remote access to a subnet instead of just a single device, I did so with openmediavault, which handles a couple of things on the down low that I didn’t realize.
I could have done this with openmediavault again, but I really have no reason to install it on my Pi as it’s really only for WireGuard, and I used that as an excuse to learn how to do all the configuration via the CLI. (I didn’t need much of an excuse, though.)
Initially I got it running with a point-to-point configuration but could not access any other devices on the LAN, even after cross-referencing with my currently functioning Raspi 4B running WireGuard configured via openmediavault. I was lost for quite a while here. Some helpful links that put me on the right track:
- homenetworkguy wg on opnsense
- github pirate wireguard docs
- archwiki wireguard
- opnsense forum wireguard can’t access LAN
- bash-prompt.net wireguard setup
- laroberto remote LAN access with wg
And the thread that solved it all…
Enabling forwarding in sysctl.conf
The main thing to fix remote LAN access is uncommenting this line from /etc/sysctl.conf:
Edit: to get this functional with my Android device, I also had to uncomment the following line:
This enables both access to the subnet and access to the WAN on your client while connected to the VPN. Without this line, you will only have access to your VPN server.
Note that you’ll need to reload the sysctl variables for this to take effect after editing the config file:
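The two sysctl lines and the reload command the post refers to are not reproduced above. As an added example, not the author's commands, the shell below assumes they are the standard Debian keys net.ipv4.ip_forward and net.ipv6.conf.all.forwarding (the IPv6 one being my guess at the Android-related line): it flips a commented key on in a copy of sysctl.conf without leaving two competing lines, reads back the effective value, and shows the reload-and-verify step. The demo file is constructed inline; on the Pi you would point the functions at /etc/sysctl.conf.

```sh
#!/bin/sh
# Added example (not from the original post). Keys assumed here:
#   net.ipv4.ip_forward            -> route tunnel traffic on to the LAN/WAN
#   net.ipv6.conf.all.forwarding   -> same for IPv6 (assumed to be the post's
#                                      second, Android-related line)

# sysctl_value <file> <key>: the value the file sets for <key>, ignoring
# commented lines; the last assignment wins, like sysctl -p. Empty if unset.
sysctl_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*(#|;|$)/ { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }
    ' "$1"
}

# sysctl_set <file> <key> <value>: rewrite an existing line for <key>, whether
# commented out or live, or append one if there is none, so the file never
# ends up with an active line and a stale one for the same key.
sysctl_set() {
    file=$1 key=$2 value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >>"$file"
    fi
}

# On the real host, after editing /etc/sysctl.conf:
#   sudo sysctl -p                 # reload; prints each key it applied
#   sysctl net.ipv4.ip_forward     # verify the live kernel value is 1
# Forwarding only lets the kernel pass packets between interfaces; the peer's
# AllowedIPs and the server's FORWARD/NAT firewall rules still have to agree.

# Constructed copy of the relevant lines of a stock Debian sysctl.conf:
DEMO=$(mktemp)
cat >"$DEMO" <<'EOF'
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
EOF
echo "before: ipv4 forward = '$(sysctl_value "$DEMO" net.ipv4.ip_forward)'"
sysctl_set "$DEMO" net.ipv4.ip_forward 1
sysctl_set "$DEMO" net.ipv6.conf.all.forwarding 1
echo "after:  ipv4 forward = '$(sysctl_value "$DEMO" net.ipv4.ip_forward)'"
echo "after:  ipv6 forward = '$(sysctl_value "$DEMO" net.ipv6.conf.all.forwarding)'"
rm -f "$DEMO"
```

The IPv6 comment in the stock file is the caveat to read before enabling that key: with forwarding on, the Pi stops configuring its own IPv6 addresses from router advertisements, so give it a static IPv6 address or accept that it may lose IPv6 connectivity.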
Generating client config QR codes
The other helpful thing that openmediavault handled was the automatic generation of client configs and QR codes to transfer to a different device - especially helpful to transfer to your phone, to avoid having to type in 25+ character public and preshared keys manually.
You can do this with qrencode and X11 forwarding. Note that you do need a GUI image display, which installs a lot of fluff dependencies. (I purged this afterwards.)
I figured learning how to generate the QR code would take about as much time as typing in those keys manually (not to mention far more engaging)…and what do you know, I was right. Ended up being fairly easy.
Note I ran into a brief issue with X11 forwarding: you can’t do it as root. (I’m sure there’s a way, but I’m sure it’s not a good idea, so I didn’t try.) All the config files are set to -rw------- permissions (or 600) because they all contain private keys. So after generating the PNG file, I copied it out to my home directory and edited the permissions to be able to view it in sxiv.
You’ll also need to make sure the following line is uncommented in your /etc/ssh/sshd_config:
I want to figure this out later, but displaying it in the terminal didn’t work for the Android WireGuard app. Config was invalid. (This was the command: qrencode -t ansiutf8 peer.conf). Wouldn’t have to install sxiv and mess around with X11 forwarding if you could display it in the terminal.
Edit: I am so dumb. This is the correct command:
qrencode -t ansiutf8 < peer.conf
Good ol’ redirection. This actually takes the contents of peer.conf and generates a QR code from it. The other command encodes the literal text “peer.conf”. So ignore needing to install sxiv.
No wonder I was getting “Unknown section in Config”…
Anyway I’ve left the commands in below, just for posterity. And a couple bonus commands: sudo apt purge sxiv; sudo apt autoremove
And for future reference, here’s what the process for my configs ended up looking like:
generate private and public key pair:
create server config file:
I’ll be honest I couldn’t tell you 100% what those iptables rules do, but openmediavault had them there and I’ll be damned if I’ll leave them out. I have at least a vague idea. If everything else had worked without a hitch I would probably have investigated them, but I’m tired of troubleshooting and want to get this documented before it leaks out my ears. They were actually a red herring for a while, I was convinced the problem was there, but nothing worked even with my firewall disabled.
create peer keypair and psk:
create peer config file:
add peer config to server config:
This is the one that actually matters. Generating the keys for peer.conf on your server is way easier than writing it by hand, but the peer.conf does nothing on its own; it’s meant to be transferred (via QR or copy-paste) to your end device. You must add the following to wg0.conf for the peer to be able to connect.
Do this for every peer you configure.
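The commands for the steps above (and the QR step from the previous section) were not carried over onto this page. What follows is an added example, not the author's configuration: the whole procedure as shell functions, covering key generation, the server config, a peer config, the matching [Peer] block for wg0.conf, and the QR code. Everything network-specific is an assumption: interface wg0, tunnel subnet 10.0.10.0/28 (the one the UFW section mentions), server at 10.0.10.1, LAN uplink eth0, public endpoint vpn.example.net, and the Pi-hole at 10.0.0.5 as the peer's DNS. The iptables rules are the conventional forward-and-masquerade set, written out so you can see what each one does; they are not the openmediavault rules the post kept. The demo at the end renders the configs with placeholder strings in place of keys, so it runs without wireguard-tools installed.

```sh
#!/bin/sh
# Added example (not from the original post): WireGuard server + peer
# provisioning from the CLI. All addresses and names below are assumptions.
WG_IF=wg0
WG_PORT=51820
WG_CIDR=28                 # tunnel subnet 10.0.10.0/28
SERVER_WG_IP=10.0.10.1
LAN_IF=eth0                # interface the Pi reaches the LAN and router through
ENDPOINT=vpn.example.net   # what peers dial: your public DNS name or IP
PEER_DNS=10.0.0.5          # the Pi-hole from earlier in the post

# --- key material (needs wireguard-tools; not run by the demo below) ---
gen_private() { wg genkey; }
pub_of()      { printf '%s' "$1" | wg pubkey; }   # pub_of <private-key>
gen_psk()     { wg genpsk; }

# --- config rendering: pure text, so it can be checked without wg ---
server_conf() { # server_conf <server-private-key>
cat <<EOF
[Interface]
Address = ${SERVER_WG_IP}/${WG_CIDR}
ListenPort = ${WG_PORT}
PrivateKey = $1
# Accept packets forwarded into and out of the tunnel, and NAT them out of the
# LAN interface so LAN hosts reply to the Pi's address rather than to a
# 10.0.10.x address they have no route for. wg-quick replaces %i with wg0.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${LAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${LAN_IF} -j MASQUERADE
EOF
}

peer_conf() { # peer_conf <peer-private-key> <psk> <server-public-key> <peer-ip>
cat <<EOF
[Interface]
PrivateKey = $1
Address = $4/32
DNS = ${PEER_DNS}

[Peer]
PublicKey = $3
PresharedKey = $2
Endpoint = ${ENDPOINT}:${WG_PORT}
# 0.0.0.0/0 sends all IPv4 through the tunnel (LAN and WAN via the Pi);
# list the LAN and tunnel subnets instead for split tunnelling.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

server_peer_block() { # server_peer_block <peer-public-key> <psk> <peer-ip>
cat <<EOF

[Peer]
PublicKey = $1
PresharedKey = $2
# Server side, AllowedIPs is a source filter: exactly this peer's /32.
# 0.0.0.0/0 here would route everything leaving the server to this one peer.
AllowedIPs = $3/32
EOF
}

# provision_peer <outdir> <name> <peer-ip> <server-public-key>
# Writes <outdir>/<name>.conf (mode 600), appends the [Peer] block to
# <outdir>/wg0.conf, and shows a QR code of the peer config if qrencode exists.
provision_peer() ( # subshell so umask does not leak into the caller
    outdir=$1 name=$2 ip=$3 server_pub=$4
    umask 077                      # files hold private keys: owner-only (600)
    priv=$(gen_private); pub=$(pub_of "$priv"); psk=$(gen_psk)
    peer_conf "$priv" "$psk" "$server_pub" "$ip" >"$outdir/$name.conf"
    server_peer_block "$pub" "$psk" "$ip" >>"$outdir/${WG_IF}.conf"
    # Redirect the FILE into qrencode; "qrencode -t ansiutf8 peer.conf" without
    # the "<" encodes the literal filename, which is the "Unknown section" error.
    if command -v qrencode >/dev/null 2>&1; then
        qrencode -t ansiutf8 <"$outdir/$name.conf"
    fi
)

# --- demo with constructed placeholders (NOT real keys) ---
S_PRIV='<server-private-key>'; S_PUB='<server-public-key>'
P_PRIV='<peer-private-key>';   P_PUB='<peer-public-key>';   PSK='<preshared-key>'
echo "# ${WG_IF}.conf"; server_conf "$S_PRIV"; server_peer_block "$P_PUB" "$PSK" 10.0.10.2
echo; echo "# phone.conf"; peer_conf "$P_PRIV" "$PSK" "$S_PUB" 10.0.10.2
# Real run on the Pi, as root (wg-quick reads /etc/wireguard/wg0.conf):
#   S_PRIV=$(gen_private); server_conf "$S_PRIV" > /etc/wireguard/wg0.conf
#   provision_peer /etc/wireguard phone 10.0.10.2 "$(pub_of "$S_PRIV")"
#   systemctl enable --now wg-quick@wg0   # restart the unit after adding peers
```

Give each peer its own /32 in the tunnel subnet and a fresh preshared key; the PSK in the peer's file and in the server's [Peer] block for that peer must be the same value, which is the pairing step the post's "add peer config to server config" line performs.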
UFW rules
I enabled the firewall without first adding a rule for port 53 to allow DNS requests. Duh.
This includes explicit allows for wireguard (51820/udp), my ssh port, access from the subnet 10.0.10.0/28 (the wireguard subnet, which I’m not 100% sure is necessary?), and 53 (note BOTH tcp and udp)
Edit 2024-11-11: also need to run sudo ufw allow 80/tcp in order to access the web interface.
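As an added example, not the author's rule set, the function below applies the rules this section lists in an order that avoids the lock-out the post describes: defaults first, SSH before enable, DNS on both protocols, and 53/80 scoped to the LAN and tunnel subnets rather than to any source. The LAN subnet 10.0.0.0/24 and SSH port 2222 are assumptions. With DRY_RUN set the commands are printed instead of executed, which is how the demo runs here and how to review a rule set before it touches a live firewall.

```sh
#!/bin/sh
# Added example (not from the original post): UFW rules for a Pi running
# Pi-hole + WireGuard. Assumptions: LAN 10.0.0.0/24, tunnel 10.0.10.0/28,
# SSH on 2222, WireGuard on 51820/udp.
LAN_NET=${LAN_NET:-10.0.0.0/24}
WG_NET=${WG_NET:-10.0.10.0/28}
SSH_PORT=${SSH_PORT:-2222}
WG_PORT=${WG_PORT:-51820}

# run <cmd...>: print instead of execute when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

ufw_rules() {
    # 1. Defaults: drop unsolicited inbound, allow outbound (upstream DNS, apt).
    run ufw default deny incoming
    run ufw default allow outgoing
    # 2. SSH *before* enable, otherwise the session you are in is your last.
    #    "limit" allows the port but rate-limits repeated attempts per source.
    run ufw limit "${SSH_PORT}/tcp"
    # 3. The WireGuard handshake port has to be reachable from the internet.
    run ufw allow "${WG_PORT}/udp"
    for net in "$LAN_NET" "$WG_NET"; do
        # 4. DNS for Pi-hole: both protocols (TCP carries answers too large
        #    for UDP), but only from networks that should use this resolver.
        run ufw allow from "$net" to any port 53 proto udp
        run ufw allow from "$net" to any port 53 proto tcp
        # 5. Pi-hole admin interface, same two networks. A bare "allow 80/tcp"
        #    also works on a NATed home LAN; the scoped form costs nothing and
        #    still holds if the Pi is ever reachable from outside.
        run ufw allow from "$net" to any port 80 proto tcp
    done
    # 6. Only now turn it on; --force skips the interactive confirmation.
    run ufw --force enable
}

# Demo: print the rule set instead of applying it. Drop DRY_RUN on the Pi
# (and run as root), then check with: sudo ufw status verbose
DRY_RUN=1
ufw_rules
```

The post's broader "allow from 10.0.10.0/28" rule is what lets tunnel clients reach anything on the Pi that is not otherwise allowed; with 53 and 80 scoped to that subnet as above it is no longer needed for DNS and the admin page, only for additional services. If LAN access through the tunnel still fails with ufw enabled, also check DEFAULT_FORWARD_POLICY in /etc/default/ufw, since ufw drops forwarded traffic by default and relies on the WireGuard PostUp rules, not just ip_forward, to let tunnel packets through.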