Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech
Write-up coming soon ™
Allah give me the energy to go through my terminal less history oooooffffffff
Okay, now that I've got most of it up I might be ready to start sorting what I (as well as novasty) did.
More descriptive names
Cleaned up the wire mess and power cable routing. Ethernet out the front (in case I need to do stuff)… power out the back. Way more convenient.
Alright, so a few wanted to know or wanted a reference on how to get a pi-hole properly set up with DoH behind a firewall, with the proper redirects so that the pi-hole filters all the traffic and doesn't get redirected to itself.
First things first, start out with the pi-hole. Make sure it is working properly. A good way to test this is to make sure it is set up with Quad9 DNS and your firewall is vanilla, without DNS rules.
My system setup: (relevant devices)
OPNSense Firewall (Protectli Core Boot) (see table of contents)
RPI 4 - 8GB
(No, it's not hosted in Canada; that's a proxy load balancer.)
Also don't try logging in to my URL. It's behind a Vouch proxy and 2FA… there will be 0 luck lol. Only @Novasty has the extra perms as it stands.
Make sure you have the correct IP addresses set. These are static.
In my OPNsense I assign them to the DUID of the device for IPv6 and the MAC for IPv4. This is just in case the pi-hole loses its settings. It will never have another IP address set.
IPv4: (DHCPv4 - NAT)
IPv6: (DHCPv6 Native - Track Interface of ISP) (true full public IPv6)
Make sure those IPs are set as the DNS for the pihole to get some initial filtering going.
This won't catch all of it, so we need to set rules so that there is a forced port 53 reroute for devices such as Apple devices, Google Android devices and Samsung TVs.
First go to your LAN rules. I won't get specific since interfaces change, but this should give you a general idea. If someone wants OPNsense specifics… ask, but that's only going to come if asked for.
Now you want two rules for the IPv6 and IPv4 addresses of your pi-hole ONLY to be let out on 53, so you can obviously grab the DNS queries. (Later you can set up DNS over HTTPS like I did and it's less necessary.)
The second rule is to block all traffic… IPv4 and IPv6 port 53, from traversing LAN to WAN. Done. Simple, it's all going to your pi-hole now. Not too bad, huh?
@Buffy, you specifically asked about my DNS-over-HTTPS configuration at one point. Here you go. So IF anybody wants to do this with pi-hole, you need to first grab the cloudflared Argo Tunnel program. We are going to modify it slightly, as I don't like Cloudflare being a single point of failure and I much prefer to use OpenNIC. (You may configure it for whichever DoH server you like.)
Firstly, on the pi-hole go ahead and execute the commands as follows.
Proceed to make the directory and configuration file:
sudo mkdir /etc/cloudflared/
sudo nano /etc/cloudflared/config.yml
This is my configuration. I chose a trusted and reliable OpenNIC server that I know doesn't take logs and supports DNS over HTTPS.
proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  # USING OPEN NIC - LOCATION - MONTREAL QC, CA
  - https://188.8.131.52/dns-query
  - https://doh.boothlabs.me/dns-query
  # IPv6 Native Stack DoH - OpenNIC - LOCATION - MONTREAL QC, CA
  - https://[2607:5300:60:be0::1]/dns-query
  - https://doh.boothlabs.me/dns-query
You can replace this configuration how you need. I have native IPv6, so I enabled native 6. If you don't, don't bother. You also don't necessarily need to, as AAAA served over A doesn't affect your native stack, since it's up to the client to route from itself to the AAAA address. Your various favorite DNS servers should have documentation on what you need to enter here. Or you may use mine. I like uncensored, unlogged, untamperable DNS logs tbch.
Now install the service via cloudflared's service command:
sudo cloudflared service install --legacy
Start the systemd service and check its status:
sudo systemctl start cloudflared
sudo systemctl status cloudflared
Verify 4 is working
$ dig @127.0.0.1 -p 5053 google.com -t A

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @127.0.0.1 -p 5053 google.com -t A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46625
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             177     IN      A       184.108.40.206

;; Query time: 152 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Jan 15 01:36:06 MST 2021
;; MSG SIZE  rcvd: 65
Verify 6 is working
$ dig @127.0.0.1 -p 5053 google.com -t AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @127.0.0.1 -p 5053 google.com -t AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48397
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      AAAA

;; ANSWER SECTION:
google.com.             201     IN      AAAA    2607:f8b0:4009:805::200e

;; Query time: 153 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Jan 15 01:36:10 MST 2021
;; MSG SIZE  rcvd: 77
There, I know both are working before I configure the pi-hole to accept this.
The configuration is easy. Point it to "there's no place like ::1" lol and the port, and save.
What I do after this you don't have to. I hit these buttons in this order.
Then I wait until it's up. I log in via SSH and make sure systemctl status cloudflared gives me an OK, and I check if I am getting queries from both on my machine by digging my pi-hole's address for A and AAAA records on google.
If that goes off perfectly, it's working; set and forget.
Now Cloudflare's tunnel needs an update here and there. It won't update via package management. Add the following commands to your cron.weekly or a cron task: (I leave this up to you)
sudo cloudflared update
sudo systemctl restart cloudflared
Make sure those are run as root, probably about once a week, and you are golden!
Any questions ask below.
Word to the wise: keep the tunnel fresh by putting the last three commands in the root crontab -e.
This updates the tunnel software.
It keeps it fresh by restarting it, and then restarts the pi-hole's dnsmasq resolver so it sees it properly.
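The check described above (dig the DoH proxy on 5053 and then the pi-hole itself for A and AAAA) is easy to script so the weekly cron job can tell you when an update broke resolution. This is an added example, not code from the original post; it assumes cloudflared listens on 127.0.0.1:5053 as in the config.yml above, and PIHOLE_ADDR is a placeholder you set to your pi-hole's LAN address.

```shell
#!/bin/sh
# Added example, not from the original post: health check for the pi-hole + cloudflared
# DoH setup. Assumes the DoH proxy listens on 127.0.0.1:5053 (as in config.yml above);
# PIHOLE_ADDR is a placeholder for the pi-hole's own LAN address.
PIHOLE_ADDR="${PIHOLE_ADDR:-192.0.2.53}"
DOH_PORT=5053
TEST_NAME=google.com

# Constructed sample (abridged from the dig output shown in the post) used for self-testing.
SAMPLE_A=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46625
;; QUESTION SECTION:
;google.com.   IN  A
;; ANSWER SECTION:
google.com.  177  IN  A  184.108.40.206
;; Query time: 152 msec'

# answer_count OUTPUT RTYPE: number of RTYPE records in dig's ANSWER SECTION
answer_count() {
  printf '%s\n' "$1" | awk -v t="$2" '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;;/                 { in_ans = 0 }
    in_ans && $3 == "IN" && $4 == t { n++ }
    END { print n + 0 }'
}

# dig_ok OUTPUT RTYPE: succeeds only if status is NOERROR and at least one RTYPE record came back
dig_ok() {
  printf '%s\n' "$1" | grep -q 'status: NOERROR' || return 1
  [ "$(answer_count "$1" "$2")" -gt 0 ]
}

# check_resolver SERVER PORT: query A and AAAA through SERVER, fail on the first bad answer
check_resolver() {
  for t in A AAAA; do
    out=$(dig "@$1" -p "$2" "$TEST_NAME" -t "$t" +time=3 +tries=1) || return 1
    dig_ok "$out" "$t" || { echo "FAIL: $1:$2 did not return $t for $TEST_NAME" >&2; return 1; }
  done
  echo "OK: $1:$2 answers A and AAAA"
}

# Live checks run only when LIVE=1 (e.g. from the cron job after 'cloudflared update'),
# so the helpers above can be exercised offline against SAMPLE_A.
if [ "${LIVE:-0}" = 1 ]; then
  check_resolver 127.0.0.1 "$DOH_PORT" || exit 1   # cloudflared DoH proxy
  check_resolver "$PIHOLE_ADDR" 53     || exit 1   # pi-hole in front of it
fi
```

Invoke it as LIVE=1 sh doh-check.sh from the cron entry right after the update and restart commands, so a non-zero exit (and the FAIL line in cron mail) tells you the restart left the proxy or the pi-hole unable to answer.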
So your own DNS for your PCs is being run on OPNsense? DHCP (static) too? Or just not using DHCP at all?
Our internal network is just a .local and on a private IP range, so our local DNS and DHCP are run on one of our Synology servers, even though all of our DHCP leases are static except for a few left for ad-hoc adding of things to test etc.
Have you tried out Ansible for configuring and maintaining all the different services? I’m learning about that now; it looks pretty handy. Plus the playbooks etc are easy to put into gitlab.
I’m kind of wondering if threads like this and even @wendell’s Home Automation series would be good ones to have in more of a wiki format, to be easier to follow? IDK if there is interest in a Level1Tech wiki and who could help maintain it? (I’d help)
No, my DNS is run on an RPi 4 8 GB model (OC'd to 2.1 GHz lol).
My OPNSENSE is the DHCP Authority. It hands out DHCP pools and it assigns subnets and it assigns static leases…
@wendell, hate to bug you, I know you are busy. Do you want threads like this split into wikis? Or maybe a linked wiki… where it's drafted in this post and linked to it… individually? What do you see as best for your forum?
I’d highly recommend making multiple wikis for each topic. Something is coming
How are you accomplishing the traffic forwards from your homelab services through the RPi and on to the linode? I have a similar setup but I run OpenWRT in a VM and have all my services terminate to that which goes through wireguard out my VPS. Similar but a different approach. This way I only use one tunnel interface instead of each container/VM having their own certs and connections.
Gotta hand it to you on VouchProxy. I just ran across it today when I was working on another project and now I want to look into getting it setup myself.
Wait, what…? And I will… it's just a lot to sort through in here. This is kind of an unsorted continuous build blog.
IEEE 802.15.4 + Open Z-Wave smart AI home assistant Mycroft build soon ™
Highly recommend both these sticks. They are both open. They have open drivers. They are much easier to work with.
Hell yes, permanent floating root zsh when I swipe right… Man, I think I've got all the tools I need now on Android.
Encrypted + password on boot
Cloudflared aarch64 Argo tunnel tied to rmnet so I can DoH on android
AFwall+ iptables firewall
AHN V3 Labs antimalware
I literally have the toolset I need on the go
At our house, I’m the home assistant…
@wendell gonna need your brain here a bit if you don’t mind.
So AX. We both know an OpenWrt standard base for it is a bit off.
However, when I do upgrade to it, I'm likely to upgrade all wired to 10GbE.
Also will likely upgrade fiber or cable modem to do so.
Now I've seen Linus Tech Tips' affordable home 10GbE. He talks about a MikroTik switch. If someone wanted to build an affordable to-spec or to-the-standard 10 GbE, what devices are around? (I'm fine with expensive cables)… I'm also fine considering fiber instead of Ethernet.
Cat6. Don't bother with SFP+, just do Cat6 wires and jacks. You can do affordable 2.5/5Gb switches for now, then switch to 10Gb later. The 12-24 port 10Gb switches are under 1k now though, which I think is reasonable.
Full disclosure… an Adobe datacenter closed near me and I got ridiculously high quality cables used for short runs between SANs… they can do about 20 Gbps… so I think I'm pretty covered here.
Sweet. I guess in time it will all come down. I generally wait until OpenWrt is available for a router. While it's not really scientific, I've found it's a good measure of development of the wireless generational chipsets. Right now for me AC is king, and despite actually understanding the physical-layer engineering improvements of AX… it wasn't worth my investment yet. Too much development. I mean WiFi 6E (aka 802.11ax wave 2)… is right here… and tbch there's going to be a lot of development as us military folk move off of the sub-I NATO bands… and it opens spectrum to commercial…
So yeah, I'm starting to think about the upgrade down the road. This one you see took about a year or so of planning and it's still a mess lol. I have yet to plop in my 24-port 1GbE switch that I got from sarge. I've got this giant amount of packaging and parts I gotta sort because of a joint project (between sarge and I) coming to the forum soon.
I was aware of 2.5 GbE but not 5GbE… that's a thing? My main motivation is that when I move to AX the wires will become a limitation, and nobody likes that. Especially as 10 gigabit fiber in my area is coming for a price that's ridiculously low… (state has some open infrastructure project going)
Max lazy mode chuck switch under router mode engaged
Thanks @SgtAwesomesauce switch worked flawlessly
It was unsuccessful. The Pi 4, OC'd with my yuge heatsink, running pi-hole with as many servers as I have in the resolver and as big a cache as I have, was too robust.
Results across multiple clients all doing this at once (10,000 queries a second each):
Statistics:

  Queries sent:         180957451
  Queries completed:    177977352 (98.35%)
  Queries lost:         2880123 (1.59%)
  Queries interrupted:  10034 (0.06%)

  Response codes:       NOERROR 13724982 (77.12%), SERVFAIL 188871 (1.06%), NXDOMAIN 3883865 (21.82%), REFUSED 2 (0.00%)
  Average packet size:  request 38, response 77
  Run time (s):         1492.196066
  Queries per second:   121285.154825

  Average Latency (s):  0.194975 (min 0.000163, max 4.966739)
  Latency StdDev (s):   0.348371
Like maybe I could spin up my own DoH server for when I'm out and about… No ads everywhere.
DoT as well for android private DNS?
Like, as long as I don't get cache evictions, the server is performing correctly.
Anyone know the dangers in doing what I’m saying above?