Table of Contents
After I cut short my last beginner guide, which introduced some of the concepts of this hobby, it’s time we get “hands-on”. As promised. And so, this document has the objective of fully installing and configuring your very own “home lab” so that you can experiment and actually use many of the software and protocols we have available that make our lives much better.
Here’s what you’ll need:
- A Raspberry Pi
I will be using a Raspberry Pi 3B, but I highly recommend purchasing a Raspberry Pi 4 with at least 4GB of RAM.
- A good quality MicroSD
I am using a 32GB MicroSD from Samsung. I recommend them. Don’t get anything smaller than 8GB, please. It just doesn’t make sense. They are cheap.
A USB MicroSD card reader (or integrated equivalent on your PC)
A registered domain name
An Ethernet cable
A Raspberry Pi compatible power supply
An internet connection
Something to snack on while you read (I am snacking on some hazelnuts)
Something to drink while you read (I am drinking a cocoa and coconut tea blend)
Ok, here we go.
Homework before you begin⌗
I will touch on some key concepts that I assume you know already. If you don’t, here’s your homework:
If that’s too long and if you’re one of the bad ““self-hosters”” I mentioned in that document then you must read this: The Windows Slave Workflow
Everything else will be explained. So if you skip chapters, suggestions or stray further from God (in this case, me), you are on your own.
Prepare your Raspberry Pi⌗
For this chapter, our main objective is to have a fully working and configured DietPi installation on your Raspberry Pi (
The reason is pretty simple. As this document is aimed at beginners, DietPi is the easiest choice. I could definitely recommend Ubuntu Server for ARM, or Raspbian for that matter, but it would only complicate things. We don’t want that right now. If you’re so good, then be my guest. Go on.
1. Download DietPi⌗
2. Flash DietPi on your MicroSD⌗
Install Etcher — If you followed my previous guide, remember to install it from Chocolatey
Open Etcher —
Extract the archive containing DietPi that you downloaded earlier
Flash from fileand pick the
DietPi_RPi-ARMv8-Bullseye.imgfile you just extracted
Connect your MicroSD of choice to your computer
Select targetoption, pick the MicroSD you just connected
Once it’s done,
Etcherwill automatically safely remove the MicroSD from your system
Place the MicroSD in your
3. Install DietPi⌗
You are now ready to finally plug in your
RPi, right? Wrong. That was a booby trap.
Before you can plug it in, I must tell you about some things, here they all are neatly ordered:
At first boot, your Raspberry Pi will likely receive its IP address from your DHCP
You shouldn’t leave it like this
I will assume that you know how to use your router/modem so that you can set up a static DHCP lease for the
RPi's MAC Address, which should begin with
b8:27:eb. Otherwise, the next best step is to set up a
Static IP configuration once
DietPi is up and running. Either way, you should make sure you don’t use any
IP that are within your
DHCP assignable IP range. Or, if you have a spare monitor and keyboard, you can plug those in. Got it? Ok, good.
But Wise, why is this part so generic?
Well, another simple answer for you. There are 1000000000000000… different brands that make routers and modems and firewalls and whatnot. I cannot possibly guide you in all of those. You should know how to work this. You’ve probably done it already if you’re a gamer, or if you already exposed something to the internet. Me explaining the entire involved process would be as generic and even more confusing than it is to just mention it.
Plug in the Ethernet cable (which is hopefully connected to an internet-connected router/switch port) to your
Plug-in power to your
At this point, your
RPi should turn on. It will take a while for it to boot. While you wait, you have to consider two options:
Plugin the keyboard and monitor and use them until you set up your
Static IPlater if you haven’t from your
Go look for what IP address your
If you already have the IP, or you found it, then you can:
ping rpi_ip_address_hereon your terminal to see when it’s connectable
Once you get
ping replies, you can continue further.
Connect to the
SSHusing the command
ssh root@ip_goes_hereand use password
Accept license terms (You can navigate with arrow keys and tab to move prompt selection)
DietPiwill update itself
DietPiwill ask if you want to change the
Global software password. You should change this to something strong. It will be used by many software as a default password for things like control panels. We will make use of this later. Otherwise, it’ll remain
dietpi. Which isn’t advisable.
DietPiwill ask if you want to change the default password. We say no because we’re gonna remove them later.
DietPiwill ask if you want to disable Serial Console. Do so if you don’t plan on using it.
You are now in the
dietpi-software utility. From here, you could now go to
DietPi-Config and in the
7th option, you have the
Network Adapters settings, from here you can change your ethernet connection type to
DHCP and select your
Netmask and your
DNS servers. As I said before, this is all up to you.
Just know these things:
Your netmask is probably
Your gateway is probably
Once you apply, it will restart networking. This means you will be booted off
SSHuntil it is restarted and you will have to connect to the new
IP(and new passwords if you didn’t listen to me and changed them)
If you didn’t enable WiFi, it will ask you to remove the packages. You can if you don’t need it. You WILL require an internet connection to reinstall them.
Once you’re back in the shell, if you’re not on the
DietPi Softwareutility anymore, you can go back to it from
rootwith the command
dietpiwith the command
Now that that’s done, let’s continue from
Change the default browser to
Noneunless you want to cripple your
RPiwith a Desktop Environment. Yuck.
Go down to
Installand press “tab” to end up on
OKand press enter on your keyboard.
DietPiwill ask if you want to opt out of statistics collection. I usually say yes.
This will begin the installation scripts. And it could restart your
RPi. If it doesn’t, you will go back to the shell and you can continue.
Help, I am stuck Wise-senpai.
If by some miracle you managed to close your terminal, and suddenly you can’t go back in again, I suggest you try to SSH into your
RPi from another shell, like
powershell if you weren’t using that before. Changing
SSH demon will change host keys and so you might have to remove them, plus if you get
too many authentications fails it means your
SSH client is trying
ssh keys you have installed so you might have to connect via SSH with the following argument to force password usage:
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no
OPTIONAL (But highly recommended) is to install
apt install vim.
OPTIONAL forcing yourself to use
vimwill make you learn the best editor on a terminal (cause it mostly applies to
viwhich is everywhere) so do
update-alternatives --config editorand pick the number with
vim.basic. Otherwise, stick to
dietpiuser should already be in the
sudoersgroup, which means it can do anything with
sudo. Test it out by going from
sudo su - dietpiand testing from
sudo apt updateand exit to back to
If the previous point worked, go forward
I assume you have done your homework
SSHpublic key inside
/home/dietpi/.ssh/authorized_keysif the folder or the file don’t exist, create them
chown -R dietpi:dietpi /home/dietpi/.ssh
chmod 700 /home/dietpi/.ssh/
chmod 600 /home/dietpi/.ssh/authorized_keys
Test if you can access
SSHusing your private key on another shell tab
If the previous point worked, go forward
passwd -d root
passwd -d dietpi
Congratulations you now have a fully functioning
DietPi installation on your Raspberry Pi. You can now proceed to the new chapter.
Install and configure ADGuard Home⌗
Let us proceed with the DNS installation. ADGuard Home will function both as your network-wide AD blocking solution, and your internal DNS resolver.
Search Softwarelook up
Press the spacebar to select the software
Press tab and enter to confirm
DietPiwill ask if you want to install
Unbound. We say
Ok. But read the message.
DietPiwill inform us that we require a
Static IPfor server installations. If you didn’t set this up already, this is your last chance. If you did, just say
Go down to
Install, tab and press enter and confirm again, to begin the installation
Wait for the installation to finish
You can make use of this Software options - DietPi.com Docs to find information on all the software
DietPi's scripts will install.
ADGuard is installed, we can proceed with its configuration:
http://your_pi_IP:8083from your browser of choice
global software password
You should be greeted by something similar to this:
It is, once again, that time of this guide where I tell you to do things I cannot explain to you step-by-step!
RPi LOCAL IP address is now your local
That means you should deliver it via your
DHCP (Or manually set) anywhere you want to:
Resolve local domain names that point to local services in your network
Anywhere you want to filter ads or custom things from working
For the purpose of this guide, you should at least change your PC’s main
DNS to this
IP address, so you can test out it works. And also because later on, we will need to use it to resolve domain records we will set up on
ADGuard’s configuration should be at your discretion, as it touches things like how statistics are handled. Suffice it to say that I have been using it for months and I didn’t touch anything, because the default configuration is enough. What you should do instead, is follow these steps:
Filtersmenu on top, enter
Add DNS rewrite
In the first box write
In the second box write
your RPi local IP address
What this does is tell every client (whose DNS is configured to be the
RPi) that the address
pi.yourowndomain.com is actually
your RPi local IP address within your local network. And now do the following:
Click once again on
Add DNS rewrite
In the first box write
In the second box write
What this does is basically the same, only that
rp.yourowndomain.com will actually resolve with
pi.yourowndomain.com which in turn will resolve with
your RPi local IP address. We will use this often later when we configure
NGINX Proxy Manager.
This configuration is done because you now can write, for example:
nextcloud.yourowndomain.com instead of writing
192.168.1.6:80 in your browser, to reach Nextcloud’s web-UI.
ADGuard Home also handles
DHCP, so if you want, you could make your clients use it as a
DHCP server which I don’t recommend. But for this software, we are pretty much done, unless you want to tinker yourself. As I said, the default configuration is pretty much ok, and anything else would be too advanced for this guide. Enjoy your statistics. In my network, over 40% of queries get blocked by anti-AD filters.
Install and configure NGINX Proxy Manager⌗
The easiest way to get hands-on a reverse proxy is to use NGINX Proxy Manager. Normally I wouldn’t recommend something like this. That applies only to people who I know have enough knowledge and actually want to learn the trade, for a possible professional environment. So if you’re one of those people, actually learn NGINX and do it yourself; everyone else - please feel free to follow these instructions:
dietpi-softwaresearch and install
docker-compose. This is where
NGINXwill run, as will the
Managerthat will allow you to handle your reverse proxy, via a nice web GUI.
docker-composeare installed (it will take a long time), from the
dietpiuser, launch this command
sudo usermod -aG docker $USER
Close this shell and go into a new one so the changes have an effect
In the new shell, go to
/optand create the folder named
docker, inside it a folder named
rp(for reverse proxy)
/opt/docker/rpcreate the file
docker-compose.ymlwith the following contents:
version: "3" services: app: image: "jc21/nginx-proxy-manager:latest" restart: unless-stopped ports: - "80:80" - "81:81" - "443:443" volumes: - ./data:/data - ./letsencrypt:/etc/letsencrypt
version: 3is a
docker-composerequirement. It defines the version of the
docker-composeservice we are writing.
imagedefines which docker image it should use
restart: unless-stoppedtells it to always restart the docker container, unless we stop it manually
portsdefines which ports should be available OUTSIDE of the docker container (number on the left) and which ports those are to be forwarded to (number on the right)
volumessame logic as
ports, this is for paths OUTSIDE of the container, and linked to paths INSIDE of the container
here. So it will be
Now that you have the
docker-compose.yml follow these steps:
/opt/docker/rplaunch the command
docker-compose up -d
docker-composeto pull the images and build the container
Once it’s done, go on
http://your_rpi_ip:81and log-in with
As you log in, NPM will ask you to change the administrator information, do so
Change your password
Example service configuration⌗
Now, we have AD Guard Home and NGINX Proxy Manager installed. But they can only be reached via their IP and Port. So let’s make use of them.
On NGINX Proxy Manager:
Proxy hosts, this is where you will add your services
As an example press
Add proxy host(the big green button)
As domain name add
As scheme leave
Forward Hostname/IPput in
8083which is the ADGuard Home web-UI port
Block Common Exploitsand
Webstockets Supportare all situational. For this example, we will not use them.
Now, we have
dns.yourdomain.com to the final IP address of
rp.yourdomain.com which in turn is the
RPi itself. So on ADGuard Home, just like we did before, follow these steps:
On Filters -> DNS Rewrites, press
Add DNS rewrite
In the first box write
In the second box we write
Once that’s done, if your PC is using the
RPi DNS as its main
DNS, you should be able to go on
http://dns.yourdomain.com and actually reach the AD Guard Home’s web interface.
This process needs to be done for every single service you add to your network, or that you already have. And it can work with any IP really. For example:
Imagine that you have your NAS’s web page that is reachable at
192.168.1.43:80, and you want a nice
nas.yourdomain.com instead. The process is the same, and it goes generically like this:
DNS Rewritethat points
Proxy hostso that
And you should be done.
NGINX Proxy Manager actually also handles SSL certificates for
https connection and you could use it to expose things to the internet. While I could technically explain you how to do that, I wouldn’t feel comfortable doing so in this guide. This is supposed to be more of a very quick and safe guide for beginners. This way everything is locked in your local network.
Now, if you want to expose things to the internet, I would recommend you look into these things:
Move your authoritative
nameserverfrom your domain registrar to Cloudflare where you can add your public DNS records
Create an API key on Cloudflare so that on NGINX Proxy Manager you can generate
SSLcertificates using the DNS challenge method
443from your router’s firewall to the
RPilocal IP address
If you happen to have a dynamic public IP from your ISP, you can make use of ddclient with another Cloudflare API key, so that it will automatically update your
Aroot record on Cloudflare when your IP changes.
Hey! You’ve made it here. If everything’s worked correctly, you should now be able to add any service in your network and easily configure your Raspberry Pi to handle its
DNS records and
Reverse Proxy capabilities, so you won’t have to use and remember those ugly ports and IP numbers.
I hope this guide has been informative and most of all inspiring. This should open up a new way of working with things in your own network, and hopefully give you more drive to test out things and be more proactive with your self-hosting.
Want to support me?⌗
Find all information right here
You can also support me here:
- My mom