Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech

All 4 servers are up… (mainframe - pi - pi - Linode) moving along nicely towards the wireguard nginx proxy


Alright guys linode is now the front end and secure… No 80 and 443 exposed at home… No traffic outbound unencrypted due to wireguard with nginx reverse (tunneled) proxy

WG setup tutorial and reverse proxy tutorial coming soon maybe?

I need to get vouch functional first

Nanna and Baldr functionally operational. Today was productive. Huge heatsinks because 2.1 GHZ overclock lol



It is done!

Try Https://

HeimAuth is officially operational!

I have full control of the whitelist if you want access I need the username and email of the github account to whitelist ya :wink:



Pretty dope.


Write coming soon ™

Allah give me the energy to go through my terminal less history oooooffffffff :sob:


Okay now that I got most of it up I might be ready to start sorting what I (as well as novasty) did

More descriptive names


Clean d up the wire mess and power cable routing. Ethernet out the front (in case I need to do stuff)… power out the back. Way more convenient


Will get this hooked up soon

Courtesy of sarge


Alright so a few wanted to know or wanted a reference on how to get a pi-hole properly setup with DoH behind a firewall and having the proper redirects so that the pi-hole filters all the traffic and doesnt get redirected to itself.

First things first start out with the pi-hole. Make sure it is working properly. A good way to test this is to go ahead and make sure it is setup with Quad 9 DNS and your firewall is vanilla without DNS rules.

My system setup: (relevant devices)
OPNSense Firewall (Protectli Core Boot) (see table of contents)
RPI 4 - 8GB

(no its not hosted in canada thats a proxy load balancer)

Also don’t try logging in to my url. Its behind a vouch proxy and 2fa … there will be 0 luck lol. Only @Novasty has the extra perms as it stands.

Make sure you have the correct IP addresses set. These are static.

In my OPNsense I assign them to the DUID of the device for IP6 and the MAC for IP4. This is just in case the pihole loses its settings. It will never have another IP Address set.
IPv4: (DHCPv4 - NAT)

IPv6: (DHCPv6 Native - Track Interface of ISP) (true full public IPv6)

Make sure those IPs are set as the DNS for the pihole to get some initial filtering going.

This wont catch all of it so we need to set rules so that there is a forced 53 reroute for devices such as apple devices, google android devices and samsung TVs

First go to your LAN rules. I wont get specific since interfaces change but this should give you a general idea. If someone wants OPNsense specifics… ask but thats only going to come if asked for

Now you want two rules for IPv6 and IPv4 of your pi-hole ONLY to be let out on 53 so you can obviously grab the DNS queries. (later you can setup DNS over HTTPS like I did and its less necessary)

The second rule is to block all traffic… IPv4 and IPv6 port 53 from traversing LAN to WAN. Done simple its all going to your pi-hole now. Not to bad huh?

@Buffy you specifically asked about my DNSoHTTPS configuration at one point. Here you go. So IF anybody wants to do this with pi-hole you need to first grab the cloudflared argo tunnel program. We are going to modify it slightly as I dont like cloudflare being a single point of failure and I much prefer to use OpenNIC. (you may configure it for whichever DoH server you like)

Firstly on the pi-hole go ahead and execute the commands as follows

Proceed to make the directory and configuration file:

sudo mkdir /etc/cloudflared/
sudo nano /etc/cloudflared/config.yml

This is my configuration. I chose a trusted and reliable server I know doesnt take logs with opennic and supports DNS over HTTPS.

proxy-dns: true
proxy-dns-port: 5053
  # IPv6 Native Stack DoH - OpenNIC - LOCATION - MONTREAL QC, CA
  - https://[2607:5300:60:be0::1]/dns-query

You can replace this configuration how you need. I have native 6 so I enabled native 6. If you dont. Dont bother. You also dont necessarily need to as AAAA served over A doesnt affect your native stack since its up to the client to route from itself to the AAAA address. Your various favorite DNS servers should have documentation on what you need to enter here. Or you may use mine. I like uncensored unlogged untamperable DNS logs tbch.

Now install the service via cloudflared 's service command:

sudo cloudflared service install --legacy

Start the systemd service and check its status:

sudo systemctl start cloudflared
sudo systemctl status cloudflared

Verify 4 is working

[email protected]:~# dig @ -p 5053 -t A

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @ -p 5053 -t A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46625
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;                    IN      A

;; ANSWER SECTION:             177     IN      A

;; Query time: 152 msec
;; WHEN: Fri Jan 15 01:36:06 MST 2021
;; MSG SIZE  rcvd: 65

Verify 6 is working

[email protected]:~# dig @ -p 5053 -t AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @ -p 5053 -t AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48397
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;                    IN      AAAA

;; ANSWER SECTION:             201     IN      AAAA    2607:f8b0:4009:805::200e

;; Query time: 153 msec
;; WHEN: Fri Jan 15 01:36:10 MST 2021
;; MSG SIZE  rcvd: 77

[email protected]:~# 

There I know both are working before I configure the pi-hole to accept this.

The configuration is easy. Point it to theres not place like ::1 lol and the port and save

What I do after this you dont have to. I hit these buttons in this order

Then I wait until its up. I login via ssh and make sure systemctl status cloudflared gives me an OK and I check if I am getting queries from both on my machine by digging my pi-holes address and for A and AAAA records on google.

If that goes off perfectly its working set and forget.

Now cloudflares tunnel needs an update here and there. It wont update via package management. Add to your cron week or a cron task the following commands: (I leave this up to you)

sudo cloudflared update
sudo systemctl restart cloudflared

Make sure those are ran as root :slight_smile: probably about once a week and you are golden!

Any questions ask below.

Word to the wise. Keep the tunnel fresh by putting the last three commands in the root crontab -e

This updates the tunnel software
It keeps it fresh by restarting it and then restarts the pi-holes DNS Masq resolver so it sees it properly


Nice! :slight_smile:

So your own DNS for your PCs is being run on OPNsense? DHCP (static) too? Or just not using DHCP at all?

Our internal network is just a .local and on a private IP range, so our local DNS and DHCP are run on one of our Synology servers, even though all of our DHCP leases are static except for a few left for ad-hoc adding of things to test etc.

Have you tried out Ansible for configuring and maintaining all the different services? I’m learning about that now; it looks pretty handy. Plus the playbooks etc are easy to put into gitlab. :slight_smile:

I’m kind of wondering if threads like this and even @wendell’s Home Automation series would be good ones to have in more of a wiki format to be easier to follow? IDK if there is interest in a Level1Tech wiki and who could help maintain it? (I’d help :slight_smile: )


No my DNS is ran on an RPI4 8 GB model (OC to 2.1 GHz lol)

My OPNSENSE is the DHCP Authority. It hands out DHCP pools and it assigns subnets and it assigns static leases…


@wendell hate to bug I know you are busy. Do you want threads like this split into wikis? Or maybe like a linked wiki… where its drafted in this post and linked to it… individually? What do you see as best for your forum?


I’d highly recommend making multiple wikis for each topic. Something is coming :wink:

Soon ™


How are you accomplishing the traffic forwards from your homelab services through the RPi and on to the linode? I have a similar setup but I run OpenWRT in a VM and have all my services terminate to that which goes through wireguard out my VPS. Similar but a different approach. This way I only use one tunnel interface instead of each container/VM having their own certs and connections.

Gotta hand it to you on VouchProxy. I just ran across it today when I was working on another project and now I want to look into getting it setup myself.

1 Like

wait what…? and I will… its just a lot to sort through in here. this is kind of an unsorted continuous build blog


@Buffy @SgtAwesomesauce

IEEE 802.15-4 + Open Z-wave Smart AI home assistant mycroft build soon ™

Highly recommend both these sticks. They are both open. They have open drivers. They are much easier to work with.


Hell yes permanent floating root zsh when I swipe right … Man I think i got all the tools i need now on android

Lineage OS
Encrypted + password on boot
Full busybox
Cloudflared aarch64 Argo tunnel tied to rmnet so I can DoH on android
AFwall+ iptables firewall
AHN V3 Labs antimalware

I literally have the toolset I need on the go


At our house, I’m the home assistant… :smiley:


@wendell gonna need your brain here a bit if you don’t mind.

So AX. We both know an openwrt standard base for it is a bit off

However when I do upgrade to it. I’m likely to upgrade all wired to 10gbe

Also will likely upgrade fiber or cable modem to do so.

Now I’ve seen Linus tech tips affordable home 10gbe. He talks about a microtik switch. If someone wanted to build an affordable to spec or to the standard 10 GBE. What devices ate around. (I’m fine with expensive cables) … I’m also fine considering fiber instead of Ethernet.

1 Like