- Pi-hole for blocking (malicious) ad-services and malware infected sites.
- DNSSEC to validate DNS-responses for integrity.
- DHCP to make sure that every device gets the proper internal DNS-server.
- VPN (OpenVPN by PiVPN) to enable the possibility to have the same level of security and privacy with any of family’s devices when not at home.
That are the functional requirements in a sense. I have also some other requirements.
- DNS requests needs to be forwarded to Quad9 DNS-servers.
- Internal DNS capability.
- The VPN must behave the same as the internal LAN without any DNS-leaking.
- Modern encryption for the VPN-tunnel using TLS 1.2 with a strong key.
- The setup must be reasonable hardened.
- Important system events needs to be emailed to my email-address.
- Blocking brute-force login attempts with fail2ban.
- Fire-walling with iptables in a block everything and white-list specific ports manner.
- Disabling non-used hardware that enables wireless connectivity (WLAN and Bluetooth).
- IPv6 wherever possible (for the moment, not the VPN-tunnel).
- All vulnerabilities fixed that are found with a scan by Nessus Vulnerability Scanner, when the needed fix can be applied by myself (succeeded in that!).
- The entire setup needs to be updated automatically on at least a weekly basis.
I also have set some constraints to keep the project feasible.
- Apart from OpenVPN, there is nothing that can be reached from the outside world. I always assume that there is a network-firewall present between the Internet, and the actual Pi.
- The networking-services this device delivers are meant to enhance security of other network-connected devices in a non-intrusive manner.
- And although this device delivers services in a (reasonable) secure way, it is not meant to be a device that delivers security services by it self, such as network-scanning and vulnerability scans.
- It is meant for home or small-office use. Larger companies or institutions should look at other solutions to protect their people.
My wishlist consists of the following. Although not sure at the moment if all can be done.
- Full IPv6 VPN-tunneling.
- Implement either DNSCrypt or DNS-over-TLS.
- Two-factor authentication on the VPN-tunnel.
The hardware I used is listed below.
- Raspberry Pi 3 Model B 1GB
- SDHC card - 16GB
- Pi-Blox Case for Raspberry Pi – Black
- Costs: roughly € 70
The base image that is used to build this guide is the following:
- Image with desktop based on Debian Stretch
- Version: November 2017
- Release date: 2017-11-29
- Kernel version: 4.9
This guide was created using Debian Jessie first, but it is now adjusted to also work for Stretch.
A special word of thanks goes to Jacob Salmela with his up-to-date manual (PDF). This guide is inspired on his, although I go a step further in terms of features. Nevertheless, his contribution to (not only) this guide is worth my sincere gratitude. Thanks!
Any questions, remarks or suggestions? Please let me know!