- You have installed Raspberry Pi OS.
- You can connect to the raspberry-pi.
- The raspberry-pi can reach the Internet.
- You have configured a static IP address for your raspberry-pi.
- You have created an SSH key pair and copied the public key onto the raspberry-pi for a non-root user.
- You have Ansible installed or otherwise available.
- If you want to configure WireGuard, you have configured port-forwarding and dynamic DNS on your router.
- If you want to configure Mullvad, you have a Mullvad account and have downloaded a WireGuard configuration file locally.
- SSHD
  - Basic secure measures like disabling password authentication and root login.
- Pi-hole
- dnscrypt-proxy (optional)
  - Anonymous relays
- WireGuard (optional)
  - Local devices accessible
  - Tunnel all Internet traffic to the raspberry-pi
- Mullvad (optional, requires WireGuard)
  - Tunnel all Internet traffic to Mullvad (instead of to the raspberry-pi)
Besides all of the assumptions, this does not configure WireGuard clients. Check the Pi-hole guide for that.
Aside from the documentation already linked, I borrowed the iptables configuration from u/Annonymoiuse on Reddit.
Each role has default variables; you should explore those. The following variables are in `./vars.yml` and you must set them:
| Variable | Description | Example |
|---|---|---|
| `net_interface` | The interface the raspberry-pi is listening on. | `"eth0"` |
| `fallback_ipv4_dns1` | DNS server to use in case the dnscrypt-proxy servers are unavailable or dnscrypt-proxy is not used. | `"1.1.1.1"` |
| `fallback_ipv4_dns2` | DNS server to use in case the dnscrypt-proxy servers are unavailable or dnscrypt-proxy is not used. | `"1.0.0.1"` |
| `pi_webpassword` | Plaintext password for the Pi-hole web UI. | `"myReallyGoodPassword27"` |
| `pi_ipv4_addr` | IPv4 address of the raspberry-pi with the mask. | `"192.168.100.53/24"` |
| `pi_ipv6_addr` | IPv6 address of the raspberry-pi. | `"2345:0425:2CA1:0000:0000:0567:5673:23b5"` |
| `wg_local_cidr` | Your local subnet. | `"192.168.100.0/24"` |
| `wg_listen_endpoint` | Dynamic DNS entry for the raspberry-pi. | `"pi.example.com"` |
| `wg_mullvad_interface` | Name you want to give the Mullvad interface. | `"mullvad-us7"` |
| `wg_mullvad_conf` | Path to the Mullvad config file you downloaded. | `"~/Downloads/mullvad-us7.conf"` |
| `wg_peers` | List of peers to create WireGuard configurations for. | (see `./vars.yml`) |
The commands to generate the WireGuard secrets are not idempotent. If you lose one of the created files, new values will be generated when Ansible runs again and you will likely need to reconfigure your clients.
dnscrypt-proxy is configured to use all relays and all resolvers. This may not be optimal.
If you plan to connect a device within the LAN via WireGuard, you should edit the client config file to use the local IP instead of the dynamic DNS entry.
When the dynamic DNS entry changes you will need to disconnect and re-connect remote devices. WireGuard only resolves DNS entries once.
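The idempotency caveat above is the one most likely to bite: a lost secret file is silently replaced and every client stops working. The tasks below are an added example, not code from this repository, showing one way to generate WireGuard secrets only when absent and to refuse to run when the secret set is only partially present. They assume a hypothetical `wg_secrets_dir` variable for the directory holding the generated files, that each entry in `wg_peers` has a `name` key, and that `wireguard-tools` is installed on the raspberry-pi.

```yaml
# Added example (not part of this repo). Hypothetical variable: wg_secrets_dir.
# Assumes each wg_peers entry has a "name" key and wg(8) is installed.
- name: Check which server secret files already exist
  ansible.builtin.stat:
    path: "{{ wg_secrets_dir }}/{{ item }}"
  loop:
    - server.key
    - server.pub
  register: wg_server_secrets

- name: Stop if only some secrets are present (running on would silently rotate keys)
  ansible.builtin.assert:
    that:
      - wg_server_secrets.results | map(attribute='stat.exists') | unique | length == 1
    fail_msg: >-
      Partial WireGuard secret set in {{ wg_secrets_dir }}; restore the missing
      files from backup, or remove all of them to rotate keys deliberately.

- name: Ensure the secrets directory exists and is readable by root only
  ansible.builtin.file:
    path: "{{ wg_secrets_dir }}"
    state: directory
    mode: "0700"

# "creates" makes each generation step a no-op once its output file exists,
# so re-running the playbook does not mint new keys.
- name: Generate the server private key (skipped when the file exists)
  ansible.builtin.shell:
    cmd: "umask 077 && wg genkey > {{ wg_secrets_dir }}/server.key"
    creates: "{{ wg_secrets_dir }}/server.key"

- name: Derive the server public key from the private key
  ansible.builtin.shell:
    cmd: "wg pubkey < {{ wg_secrets_dir }}/server.key > {{ wg_secrets_dir }}/server.pub"
    creates: "{{ wg_secrets_dir }}/server.pub"

- name: Generate one preshared key per peer (skipped when the file exists)
  ansible.builtin.shell:
    cmd: "umask 077 && wg genpsk > {{ wg_secrets_dir }}/{{ item.name }}.psk"
    creates: "{{ wg_secrets_dir }}/{{ item.name }}.psk"
  loop: "{{ wg_peers }}"
  loop_control:
    label: "{{ item.name }}"
```

The assert fails the play when exactly one of `server.key`/`server.pub` is missing, which is the state that would otherwise produce a new key that no existing client peer trusts.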
- Clone this repo.
- Update `./hosts` with the local IP of the raspberry-pi.
- Update `./vars.yml`.
- Run `make apply` (and hope it works).
- Test that you can resolve DNS entries: `dig google.com @<raspberry-pi-addr>`
- Update your router to use the raspberry-pi.
- Connect clients to WireGuard.