Introduction

After I cut short my last beginner guide, which introduced some of the concepts of this hobby, it’s time we get “hands-on”. As promised. And so, this document has the objective of fully installing and configuring your very own “home lab” so that you can experiment with and actually use much of the software and many of the protocols available to us that make our lives much better.

Requirements

Here’s what you’ll need:

  • A Raspberry Pi

I will be using a Raspberry Pi 3B, but I highly recommend purchasing a Raspberry Pi 4 with at least 4GB of RAM.

  • A good quality MicroSD

I am using a 32GB MicroSD from Samsung. I recommend them. Don’t get anything smaller than 8GB, please. It just doesn’t make sense. They are cheap.

  • A USB MicroSD card reader (or integrated equivalent on your PC)

  • A registered domain name

  • An Ethernet cable

  • A Raspberry Pi compatible power supply

  • An internet connection

  • Something to snack on while you read (I am snacking on some hazelnuts)

  • Something to drink while you read (I am drinking a cocoa and coconut tea blend)

  • My ♰ CYBERPUNK ♰, or my Brooding Spotify playlist. Anything jazz works too, but start with Caravan (song by Charly Antolini, Jazz Power); I recommend opening a radio from it.

Ok, here we go.

Homework before you begin

I will touch on some key concepts that I assume you know already. If you don’t, here’s your homework:

Everything else will be explained. So if you skip chapters, suggestions or stray further from God (in this case, me), you are on your own.

Prepare your Raspberry Pi

For this chapter, our main objective is to have a fully working and configured DietPi installation on your Raspberry Pi (RPi).

 

Why DietPi?

The reason is pretty simple. As this document is aimed at beginners, DietPi is the easiest choice. I could definitely recommend Ubuntu Server for ARM, or Raspbian for that matter, but it would only complicate things. We don’t want that right now. If you’re so good, then be my guest. Go on.

 

1. Download DietPi

2. Flash DietPi on your MicroSD

  • Download Etcher

  • Install Etcher. If you followed my previous guide, remember to install it from Chocolatey

  • Open Etcher (balenaEtcher)

  • Extract the archive containing DietPi that you downloaded earlier

  • On Etcher select Flash from file and pick the DietPi_RPi-ARMv8-Bullseye.img file you just extracted

  • Connect your MicroSD of choice to your computer

  • On Etcher in the Select target option, pick the MicroSD you just connected

  • Now Flash!

  • Once it’s done, Etcher will automatically safely remove the MicroSD from your system

  • Place the MicroSD in your RPi

3. Install DietPi

You are now ready to finally plug in your RPi, right? Wrong. That was a booby trap.

Before you can plug it in, I must tell you about some things. Here they all are, neatly ordered:

  1. At first boot, your Raspberry Pi will likely receive its IP address from your DHCP

  2. You shouldn’t leave it like this

I will assume that you know how to use your router/modem so that you can set up a static DHCP lease for the RPi's MAC address, which should begin with b8:27:eb. Otherwise, the next best step is to set up a static IP configuration once DietPi is up and running. Either way, you should make sure you don’t use any IP that is within your DHCP assignable IP range. Or, if you have a spare monitor and keyboard, you can plug those in. Got it? Ok, good.

 

But Wise, why is this part so generic?

Well, another simple answer for you. There are 1000000000000000… different brands that make routers and modems and firewalls and whatnot. I cannot possibly guide you in all of those. You should know how to work this. You’ve probably done it already if you’re a gamer, or if you already exposed something to the internet. Me explaining the entire involved process would be as generic and even more confusing than it is to just mention it.

 

  1. Plug in the Ethernet cable (which is hopefully connected to an internet-connected router/switch port) to your RPi

  2. Plug in power to your RPi

At this point, your RPi should turn on. It will take a while for it to boot. While you wait, you have to consider two options:

  1. Plug in the keyboard and monitor and use them until you set up your static IP later, if you haven’t done so from your DHCP already.

  2. Go look for what IP address your DHCP gave the RPi

If you already have the IP, or you found it, then you can:

  • ping rpi_ip_address_here on your terminal to see when it’s connectable

Once you get ping replies, you can continue further.

  1. Connect to the RPi via SSH using the command ssh root@ip_goes_here and use password dietpi

  2. Accept license terms (You can navigate with arrow keys and tab to move prompt selection)

  3. DietPi will update itself

  4. DietPi will ask if you want to change the Global software password. You should change this to something strong. Many programs will use it as the default password for things like control panels. We will make use of this later. Otherwise, it’ll remain dietpi. Which isn’t advisable.

  5. DietPi will ask if you want to change the default password. We say no because we’re gonna remove them later.

  6. DietPi will ask if you want to disable Serial Console. Do so if you don’t plan on using it.

You are now in the dietpi-software utility. From here, you can go to DietPi-Config; its 7th option is the Network Adapters settings, where you can change your Ethernet connection type from DHCP to Static and select your IP, your netmask and your DNS servers. As I said before, this is all up to you.

Just know these things:

  • Your netmask is probably 255.255.255.0

  • Your gateway is probably 192.168.1.1

  • Once you apply, it will restart networking. This means you will be booted off SSH until it is restarted and you will have to connect to the new IP (and new passwords if you didn’t listen to me and changed them)

  • If you didn’t enable WiFi, it will ask you to remove the packages. You can if you don’t need it. You WILL require an internet connection to reinstall them.

  • Once you’re back in the shell, if you’re not on the DietPi Software utility anymore, you can go back to it from root with the command dietpi-software or from dietpi with the command sudo dietpi-software

Now that that’s done, let’s continue from Dietpi Software:

  1. Change the SSH server to OpenSSH

  2. Change the Webserver to NGINX

  3. Change the default browser to None unless you want to cripple your RPi with a Desktop Environment. Yuck.

  4. Go down to Install and press “tab” to end up on OK and press enter on your keyboard.

  5. DietPi will ask if you want to opt out of statistics collection. I usually say yes.

This will begin the installation scripts. And it could restart your RPi. If it doesn’t, you will go back to the shell and you can continue.

 

Help, I am stuck Wise-senpai.

If by some miracle you managed to close your terminal, and suddenly you can’t get back in again, I suggest you try to SSH into your RPi from another shell, like PowerShell if you weren’t using that before. Changing the SSH daemon will change the host keys, so you might have to remove the old ones. Plus, if you get too many authentication failures, it means your SSH client is trying the SSH keys you have installed, so you might have to connect via SSH with the following arguments to force password usage: ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no

 

  1. OPTIONAL (But highly recommended) is to install vim with apt install vim.

  2. OPTIONAL forcing yourself to use vim will make you learn the best editor on a terminal (cause it mostly applies to vi which is everywhere) so do update-alternatives --config editor and pick the number with vim.basic. Otherwise, stick to nano

  3. The dietpi user should already be in the sudoers group, which means it can do anything with sudo. Test it out by going from root to dietpi with sudo su - dietpi, running a sudo command from dietpi, like sudo apt update, and then using exit to go back to root

  4. If the previous point worked, go forward

  5. I assume you have done your homework

  6. Place your SSH public key inside /home/dietpi/.ssh/authorized_keys. If the folder or the file doesn’t exist, create it

  7. chown -R dietpi:dietpi /home/dietpi/.ssh

  8. chmod 700 /home/dietpi/.ssh/

  9. chmod 600 /home/dietpi/.ssh/authorized_keys

  10. Test if you can access dietpi via SSH using your private key on another shell tab

  11. If the previous point worked, go forward

  12. Remove root's password: passwd -d root

  13. Remove dietpi's password: passwd -d dietpi
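A way to verify steps 6 to 13 before closing your root shell, added here as an example and not part of the original guide. It relies on two facts: passwd -d leaves the account with an empty password field in /etc/shadow (no password at all, unlike a locked entry starting with !), and sshd -T prints the effective server settings with lowercase keys. The function names are made up for this example.

```bash
# Added example (not from the guide): audit the state left by steps 6-13.
# All function names are hypothetical helpers.

# shadow_state FIELD: classify the password field of an /etc/shadow line.
#   empty  = no password at all (what `passwd -d` leaves behind)
#   locked = starts with ! or *, password login impossible
#   set    = a password hash is present
shadow_state() {
  case "$1" in
    '')        echo empty ;;
    '!'*|'*'*) echo locked ;;
    *)         echo set ;;
  esac
}

# account_state USER < shadow-file: find USER and classify its password field.
account_state() {
  local user="$1" name field rest
  while IFS=: read -r name field rest; do
    if [ "$name" = "$user" ]; then shadow_state "$field"; return 0; fi
  done
  echo missing
}

# sshd_findings < output of `sshd -T`: one line per setting worth fixing.
sshd_findings() {
  local key value
  while read -r key value; do
    case "$key $value" in
      'permitemptypasswords yes')   echo 'empty passwords accepted over SSH' ;;
      'passwordauthentication yes') echo 'password login still enabled' ;;
      'permitrootlogin yes')        echo 'root login not restricted to keys' ;;
    esac
  done
}

# perms_ok PATH MODE: succeeds only when PATH has exactly the octal MODE.
perms_ok() {
  [ -n "$(find "$1" -maxdepth 0 -perm "$2" 2>/dev/null)" ]
}

# Live use on the RPi, as root:
#   account_state root   < /etc/shadow
#   account_state dietpi < /etc/shadow
#   sshd -T | sshd_findings
#   perms_ok /home/dietpi/.ssh 700 && perms_ok /home/dietpi/.ssh/authorized_keys 600
```

An account reported as empty is refused over SSH only as long as permitemptypasswords stays no, so run the check again after any change to sshd_config.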

Congratulations you now have a fully functioning DietPi installation on your Raspberry Pi. You can now proceed to the new chapter.

Install and configure AdGuard Home

Let us proceed with the DNS installation. AdGuard Home will function both as your network-wide ad-blocking solution and as your internal DNS resolver.

  1. dietpi-software

  2. From Search Software look up adguard

  3. Press the spacebar to select the software

  4. Press tab and enter to confirm

  5. DietPi will ask if you want to install Unbound. We say Ok. But read the message.

  6. DietPi will inform us that we require a Static IP for server installations. If you didn’t set this up already, this is your last chance. If you did, just say Cancel

  7. Go down to Install, tab and press enter and confirm again, to begin the installation

  8. Wait for the installation to finish

 

You can use the Software options page of the DietPi.com Docs to find information on all the software DietPi's scripts will install.

Once AdGuard is installed, we can proceed with its configuration:

  1. Navigate to http://your_pi_IP:8083 from your browser of choice

  2. Log-in with admin and your global software password

You should be greeted by something similar to this:

[Image: AdGuard Homepage]

 

It is, once again, that time of this guide where I tell you to do things I cannot explain to you step-by-step!

Your RPi LOCAL IP address is now your local DNS server!

That means you should deliver it via your DHCP (Or manually set) anywhere you want to:

  1. Resolve local domain names that point to local services in your network

  2. Filter ads or stop custom things from working

For the purpose of this guide, you should at least change your PC’s main DNS to this IP address, so you can test that it works. And also because later on, we will need it to resolve the domain records we will set up on AdGuard.

AdGuard’s configuration should be at your discretion, as it touches things like how statistics are handled. Suffice it to say that I have been using it for months and I didn’t touch anything, because the default configuration is enough. What you should do instead is follow these steps:

  1. From the Filters menu on top, enter DNS Rewrites

  2. Click on Add DNS rewrite

  3. In the first box write pi.yourowndomain.com

  4. In the second box write your RPi local IP address

What this does is tell every client (whose DNS is configured to be the RPi) that the address pi.yourowndomain.com is actually your RPi local IP address within your local network. And now do the following:

  1. Click once again on Add DNS rewrite

  2. In the first box write rp.yourowndomain.com

  3. In the second box write pi.yourowndomain.com

What this does is basically the same, only that rp.yourowndomain.com will actually resolve to pi.yourowndomain.com, which in turn will resolve to your RPi local IP address. We will use this often later when we configure NGINX Proxy Manager.

This configuration is done because you now can write, for example: nextcloud.yourowndomain.com instead of writing 192.168.1.6:80 in your browser, to reach Nextcloud’s web-UI.

AdGuard Home also handles DHCP, so if you want, you could make your clients use it as a DHCP server, which I don’t recommend. But for this software, we are pretty much done, unless you want to tinker yourself. As I said, the default configuration is pretty much ok, and anything else would be too advanced for this guide. Enjoy your statistics. In my network, over 40% of queries get blocked by anti-ad filters.

Install and configure NGINX Proxy Manager

The easiest way to get hands-on with a reverse proxy is to use NGINX Proxy Manager. Normally I wouldn’t recommend something like this. That applies only to people who I know have enough knowledge and actually want to learn the trade, for a possible professional environment. So if you’re one of those people, actually learn NGINX and do it yourself; everyone else - please feel free to follow these instructions:

  1. From dietpi-software search and install docker and docker-compose. This is where NGINX will run, as will the Manager that will allow you to handle your reverse proxy, via a nice web GUI.

  2. You can find NGINX Proxy Manager on here and the installation instructions I will provide will be taken from here. Make sure you also throw in a looksie.

  3. Once docker and docker-compose are installed (it will take a long time), from the dietpi user, launch this command sudo usermod -aG docker $USER

  4. Close this shell and go into a new one so the changes have an effect

  5. In the new shell, go to root with sudo -i

  6. Navigate to /opt and create the folder named docker, inside it a folder named rp (for reverse proxy)

  7. inside /opt/docker/rp create the file docker-compose.yml with the following contents:

version: "3"
services:
  app:
    image: "jc21/nginx-proxy-manager:latest"
    restart: unless-stopped
    ports:
      - "80:80"
      - "81:81"
      - "443:443"
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

To summarize:

  • version: 3 is a docker-compose requirement. It defines the version of the Compose file format we are writing.

  • image defines which docker image it should use

  • restart: unless-stopped tells it to always restart the docker container, unless we stop it manually

  • ports defines which ports should be available OUTSIDE of the docker container (number on the left) and which ports those are to be forwarded to (number on the right)

  • volumes follows the same logic as ports: paths OUTSIDE of the container (on the left) are linked to paths INSIDE of the container (on the right). The . means “here”, so it will be /opt/docker/rp/

Now that you have the docker-compose.yml follow these steps:

  1. Inside /opt/docker/rp launch the command docker-compose up -d

  2. Wait for docker-compose to pull the images and build the container

  3. Once it’s done, go on http://your_rpi_ip:81 and log-in with admin@example.com and changeme

  4. As you log in, NPM will ask you to change the administrator information, do so

  5. Change your password

Example service configuration

Now, we have AdGuard Home and NGINX Proxy Manager installed. But they can only be reached via their IP and port. So let’s make use of them.

On NGINX Proxy Manager:

  • Go on Hosts and select Proxy hosts, this is where you will add your services

  • As an example press Add proxy host (the big green button)

  • As domain name add dns.yourdomain.com

  • As scheme leave http

  • As Forward Hostname/IP put in your_rpi_IP

  • As Forward Port use 8083, which is the AdGuard Home web-UI port

    Cache Assets, Block Common Exploits and Websockets Support are all situational. For this example, we will not use them.

Now, we have to point dns.yourdomain.com to the final IP address of rp.yourdomain.com, which in turn is the RPi itself. So on AdGuard Home, just like we did before, follow these steps:

  • On Filters -> DNS Rewrites, press Add DNS rewrite

  • In the first box write dns.yourdomain.com

  • In the second box we write rp.yourdomain.com

Once that’s done, if your PC is using the RPi DNS as its main DNS, you should be able to go to http://dns.yourdomain.com and actually reach the AdGuard Home web interface.
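To confirm the name path from the command line, the following added example (not part of the original guide) classifies the output of dig +short for a rewritten name. It assumes the resolver returns the rewrite hops as CNAME targets followed by the final A record, and uses 192.168.1.6 as a placeholder for the RPi address; the function names are hypothetical.

```bash
# Added example (not from the guide): check where a rewritten name ends up.
# Input is `dig +short` output: one hop per line, CNAME targets first
# (with a trailing dot), the final A record last. Helper names are hypothetical.

# is_private IP: succeeds for RFC 1918 (LAN-only) IPv4 addresses.
is_private() {
  local second
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*) second="${1#172.}"; second="${second%%.*}"
           [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] ;;
    *) return 1 ;;
  esac
}

# check_chain EXPECTED_IP < dig-output
# Prints one verdict: ok | no-answer | unresolved | public-answer | wrong-target
check_chain() {
  local expected="$1" line last=''
  while IFS= read -r line; do
    if [ -n "$line" ]; then last="${line%.}"; fi   # last hop, trailing dot removed
  done
  case "$last" in
    '')          echo no-answer ;;       # the resolver returned nothing
    *[!0-9.]*)   echo unresolved ;;      # chain stops at a name: a rewrite is missing
    "$expected") echo ok ;;
    *) if is_private "$last"; then echo wrong-target   # some other LAN host
       else echo public-answer; fi ;;    # not a LAN address
  esac
}

# Live use (dig comes from the dnsutils package on Debian):
#   dig +short dns.yourdomain.com @192.168.1.6 | check_chain 192.168.1.6
```

A public-answer verdict usually means the client is not using the RPi as its DNS server, so the name was answered from the public zone instead of the rewrite.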

This process needs to be done for every single service you add to your network, or that you already have. And it can work with any IP really. For example:

Imagine that you have your NAS’s web page that is reachable at 192.168.1.43:80, and you want a nice nas.yourdomain.com instead. The process is the same, and it goes generically like this:

  1. Add the DNS Rewrite that points nas.yourdomain.com to rp.yourdomain.com

  2. Add the Proxy host so that nas.yourdomain.com points to 192.168.1.43 with port 80

And you should be done.

NGINX Proxy Manager also handles SSL certificates for HTTPS connections, and you could use it to expose things to the internet. While I could technically explain to you how to do that, I wouldn’t feel comfortable doing so in this guide. This is supposed to be more of a very quick and safe guide for beginners. This way everything is locked in your local network.

Now, if you want to expose things to the internet, I would recommend you look into these things:

  • Move your authoritative nameserver from your domain registrar to Cloudflare where you can add your public DNS records

  • Create an API key on Cloudflare so that on NGINX Proxy Manager you can generate SSL certificates using the DNS challenge method

  • Port forward 80 and 443 from your router’s firewall to the RPi local IP address

  • If you happen to have a dynamic public IP from your ISP, you can make use of ddclient with another Cloudflare API key, so that it will automatically update your root A record on Cloudflare when your IP changes.

Congratulations

Hey! You’ve made it here. If everything’s worked correctly, you should now be able to add any service in your network and easily configure your Raspberry Pi to handle its DNS records and Reverse Proxy capabilities, so you won’t have to use and remember those ugly ports and IP numbers.

I hope this guide has been informative and most of all inspiring. This should open up a new way of working with things in your own network, and hopefully give you more drive to test out things and be more proactive with your self-hosting.

Credits

  • My mom