DietPi Home Cloud Server

Block ads and access your data everywhere: self-hosted DNS+VPN+FTP+CLOUD server

I used to rely on cloud services offered by 'powerful, centralized, privately-owned companies' to store and share data between my personal devices. Not happy with how they value privacy, I decided to host a server myself. It should fulfill the following requirements:

  • [ ] 'network firewall' or 'DNS sinkhole' to block ads and trackers.
  • [ ] file server (ftp)
  • [ ] cloud server (http)
  • [ ] store data on a separate drive
  • [ ] accessible on the go
  • [ ] rely as much as possible on open source products
  • [ ] low cost
  • [ ] headless: no keyboard, mouse or screen, controlled remotely via ssh connection
  • [ ] secure

...a DNS+FTP+CLOUD+VPN server.

1. The Single Board Computer: Raspberry Pi 3B+

The Raspberry Pi is the name of a popular series of single board computers made by the eponymous Foundation. It provides low-cost ($35), high-performance computers, together with outreach and education to help more people access computing and digital making.

The Raspberry Pi operates in the open source ecosystem: it runs Linux and its schematics are released (the board itself is not open hardware, though).
Cost: 55.39€ (board + case + power supply + SD card)

  • [x] open source
  • [x] low cost

2. The OS: DietPi: Raspberry Pi on diet

DietPi describes itself as lightweight justice for your single board computer. It is an extremely lightweight Debian-based OS. Think of a stripped-down version of 'Raspbian Lite'.

It moreover offers a catalogue of popular 'ready to use', optimized software (desktop, media, ssh, cloud, web/file servers...).
So it is optimized for minimal CPU and RAM usage and includes tuned versions of the software I plan to use. DietPi sounds like the perfect OS for my Raspberry Pi.

Installation

  1. Flash the SD card with the latest version of DietPi using Etcher

Optional: pre-configure DietPi for wifi

Locate and edit dietpi-wifi.txt:

aWIFI_SSID[0]='MySSID'
aWIFI_KEY[0]='MyWifiKey'

  2. Check the router interface to find the IP of the Raspberry Pi, or use nmap: e.g. nmap -sP '192.168.178.*'
  3. Connect via SSH to the Raspberry Pi: ssh root@i.p.add.ress
    • Standard password: dietpi
    • [x] headless

  4. Go through the installation

  5. Set up a static IP address (required for Pi-hole to work):
    dietpi-config > 7: Network options: adapters > select your adapter > change the DHCP setting to static and apply


2. The DNS server: Pi-hole

Pi-hole describes itself as a black hole for Internet advertisements.

Pi-hole basically blocks queries using lists of blacklisted hostnames. Acting as a DNS server makes it a much more powerful ad blocking application than e.g. browser plugins:

  • All your home devices (including smart TV) benefit from the network-level blocking. Especially in blocks
  • Network-level blocking makes it possible to block ads in non-traditional places such as in-app ads

Installation

  1. dietpi-software > Pi-hole
    • Select upstream DNS provider > Custom: 46.182.19.48 (digitalcourage.de), 80.241.218.68 (dismail.de)
    • Select default for all other configuration options
  2. Automatic reboot. Relog.
  3. Configure your router: add Raspberry Pi IP as local DNS server
  4. Redefine the Pi-hole admin password: pihole -a -p
  5. Last settings:
    • Log in at http://dietpi.ip.address/admin
    • Settings > DNS
      • Interface listening behaviour: should be "interface tun0"
      • Advanced DNS settings:
        • [x] Never forward non-FQDNs
        • [x] Never forward reverse lookups for private IP ranges
        • Conditional Forwarding
          • [x] Use conditional forwarding: provide your router's IP and domain name

Automatic updates

Edit /etc/cron.d/pihole (sudo nano /etc/cron.d/pihole) and add at the end:

# Pi-hole: Auto-Update Pi-hole!
30 2    * * 7    root    PATH="$PATH:/usr/local/bin/" pihole updatePihole

Note: you may need to reboot your devices before they actually start using the Pi-hole DNS server and their queries get blocked.


3. The storage: mount a usb drive

  1. Plug your USB drive into the Raspberry Pi
  2. dietpi-software
    • User Data Location > Drive: launch DietPi-Drive_Manager
    • Select the drive
    • Ensure it is formatted as ext4. If not, use the DietPi formatting feature.
    • Mount and rename
    • [x] User data: Select to transfer DietPi user data to this drive
    • Exit

Check in dietpi-software that 'User Data Location' now indicates: /mnt/yourdrive/dietpi_userdata

  • [x] store data on a separate drive

4. The cloud server: Nextcloud

  1. dietpi-software > software optimised > 114 Nextcloud
  2. Check access
  3. Add the hostname set for your Raspberry Pi (I personally use dynv6 as a provider) and/or your static IP address to the list of trusted domains:
    Edit /var/www/nextcloud/config/config.php

    'trusted_domains' =>
    array (
      0 => 'rasp.berry.pi.ip',
      1 => 'new.dom.ain.ip',
    ),

  4. Increase the max upload and PHP memory size: edit /etc/php/7.3/cli/php.ini and /etc/php/7.3/fpm/php.ini and increase post_max_size, upload_max_filesize and memory_limit

5. The FTP server: ProFTP

  1. dietpi-software > File Server > ProFTP
  2. Go to ftp://username:pwd@your.raspberrypi.ip.address (port 21)

Change the destination directory

Replace /Path/To/Directory with your target directory.

systemctl stop proftpd
sed -i '/DefaultRoot /c\DefaultRoot /Path/To/Directory' /etc/proftpd/proftpd.conf
systemctl start proftpd

Enable "jailing" (lock users to their home folders)

systemctl stop proftpd
sed -i "/DefaultRoot /c\DefaultRoot ~" /etc/proftpd/proftpd.conf
systemctl restart proftpd

  • [x] FTP server
  • [x] open source (GPL licensed)

6. The VPN server: openVPN

After setting up a VPN we will benefit from:

  • access to Pi-hole on any of your connected devices, even outside of your home LAN
  • more security, as your connection will be encrypted ("tunnelled") while on e.g. a public wi-fi network

  1. Get a hostname for your dynamic (router) IPv4 address (I personally use dynv6 as a provider).
  2. dietpi-software > PiVPN
  3. Use the dietpi user
  4. Local DNS: enter the domain of your dynamic DNS address: this ensures that your client can still connect to your PiVPN server after an IP address change. Your router will have to be configured accordingly too (see further below).
  5. Change the default port for more security: e.g. 3456
  6. DNS provider for VPN clients: custom > address: 10.8.0.1
  7. No custom search domain
  8. Accept the other default options
  9. Reboot and relog

Now we want to define the IP address of the VPN interface (tun0) as the DNS server for the VPN clients. That way we reroute all DNS queries of the clients to our local DNS server, which is Pi-hole!

  1. nano /etc/openvpn/server.conf
  2. Comment out push "block-outside-dns" (Windows specific)
    • Check the line push "dhcp-option xxx". It should be: push "dhcp-option DNS 10.8.0.1". If something else is defined, delete/comment out/replace it.

Finally, the dnsmasq configuration must be extended so that Pi-hole allows DNS name resolution for the IP address of the VPN interface.

  1. nano /etc/dnsmasq.d/02-pivpn.conf. Write the line: interface=tun0
  2. nano /etc/pihole/setupVars.conf. Add the line: PIHOLE_INTERFACE=tun0
  3. Enable IP forwarding
    • sudo nano /etc/sysctl.d/01-ip_forward.conf: add the line net.ipv4.ip_forward=1
  4. Restart services
    • /etc/init.d/openvpn restart
    • /etc/init.d/pihole-FTL restart
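The edits in the two lists above (server.conf, 02-pivpn.conf, setupVars.conf, ip forwarding), as an added example script that is not part of the original post: it applies them to whichever config files you pass as arguments, so you can try it on copies before touching /etc, and it checks the result before you restart the services. The file roles and the 10.8.0.1 address are the ones used in the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the OpenVPN + Pi-hole DNS
# rerouting steps to the config files given as arguments, then verify them.
set -eu
VPN_DNS="${VPN_DNS:-10.8.0.1}"   # address pushed to clients, as in the post

# Steps 1-2: disable the Windows-only block-outside-dns push, comment out any
# dhcp-option DNS push that does not point at VPN_DNS, and add ours if missing.
configure_openvpn_server() {
    conf="$1"
    sed -i -e 's/^[[:space:]]*\(push[[:space:]]*"block-outside-dns"\)/# \1/' "$conf"
    sed -i -e "/^[[:space:]]*push[[:space:]]*\"dhcp-option DNS /{/ ${VPN_DNS}\"/!s/^/# /;}" "$conf"
    grep -q "^push \"dhcp-option DNS ${VPN_DNS}\"" "$conf" ||
        printf 'push "dhcp-option DNS %s"\n' "$VPN_DNS" >> "$conf"
}

# Append an exact line only if absent (creates the file if needed).
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Set KEY=VALUE, replacing an existing KEY= line instead of adding a duplicate.
set_key() {
    if grep -q "^$2=" "$1" 2>/dev/null; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# $1 server.conf  $2 /etc/dnsmasq.d/02-pivpn.conf  $3 /etc/pihole/setupVars.conf
# $4 /etc/sysctl.d/01-ip_forward.conf
apply_vpn_dns_config() {
    configure_openvpn_server "$1"
    ensure_line "$2" "interface=tun0"
    set_key "$3" "PIHOLE_INTERFACE" "tun0"
    set_key "$4" "net.ipv4.ip_forward" "1"
}

# Returns 0 only when every setting is in place; run it before restarting services.
check_vpn_dns_config() {
    ! grep -q '^[[:space:]]*push[[:space:]]*"block-outside-dns"' "$1" &&
    [ "$(grep -c "^push \"dhcp-option DNS ${VPN_DNS}\"" "$1")" -eq 1 ] &&
    ! grep "^[[:space:]]*push[[:space:]]*\"dhcp-option DNS " "$1" | grep -qv "$VPN_DNS" &&
    grep -qxF 'interface=tun0' "$2" && grep -qxF 'PIHOLE_INTERFACE=tun0' "$3" &&
    grep -qxF 'net.ipv4.ip_forward=1' "$4"
}

if [ "$#" -ge 4 ]; then apply_vpn_dns_config "$@" && check_vpn_dns_config "$@"; fi
```

Run it as root with the four real paths once it behaves on copies; the script is idempotent, so running it twice leaves a single push "dhcp-option DNS 10.8.0.1" line.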

Configure the router:

  • Set the dynDNS settings
  • Forward the port defined for the VPN server (UDP) so that data packets from outside can reach it

Connect a client

  • Add a user: pivpn add
  • Copy the .ovpn config file to the client (e.g. using ProFTP)
  • Set up the client with this config file. Start a VPN session on Linux:
    sudo openvpn --config path/to/file.ovpn

  • [x] VPN server
  • [x] open source
  • [x] accessible on the go


7. Security

  1. Change the ssh port and forbid root login:
    • Edit /etc/default/dropbear (sudo nano /etc/default/dropbear):
      DROPBEAR_EXTRA_ARGS="-w -g"
      DROPBEAR_PORT=2200
    • service dropbear restart
  2. Exit
  3. Copy your public key to the Raspberry Pi to avoid entering the ssh password every time: ssh-copy-id <USERNAME>@<IP-ADDRESS>
  4. Relog with the new user: ssh username@i.p.add.ress -p 2200
  5. Install Fail2Ban: dietpi-software > Fail2Ban
  6. Enable HTTPS
    • dietpi-software > CertBot
    • certbot -d your.domain --manual --preferred-challenges dns certonly
    • Follow the instructions and deploy the DNS TXT record _acme-challenge.... with its value
    • Renewal: manual for the moment --> to be improved

  • [x] secure

Conclusion

  • [x] 'network firewall' or 'DNS sinkhole' to block ads and trackers.
  • [x] file server (ftp)
  • [x] cloud server (http)
  • [x] store data on a separate drive
  • [x] accessible on the go
  • [x] rely as much as possible on open source products
  • [x] low cost
  • [x] headless: no keyboard, mouse or screen, controlled remotely via ssh connection
  • [x] secure
