Homelab - Part 1 - Basic network

Homelab network wireguard vpn pi-hole
0xNinja
Author
Homelab - This article is part of a series.
Part 1: This Article

Let me guide you through my journey for a simple homelab.

Introduction

The idea of this article is to document how I did things and why, and to help me remember how to set up X and Y if needed.

Plans

We want to go from a basic setup to something simple:

Before:
flowchart TD
    A[Internet] --> B[IAP box]
    B --> C[LAN]

After:
flowchart TD
    A[Internet] --> B[IAP box]
    B --> C[pi-hole]
    C --> D[LAN]

Doing so will allow us to manage and customize our network using our pi-hole; it will be the authority for many core services such as DNS or DHCP.

In the future I will show different setups and how I did them.

Setup your IAP box

In order to set up our network, we will need to do some tweaks:

  • Force a static IP for our pi-hole
  • Set the DNS to our pi-hole
  • Disable the DHCP to let our pi-hole do it

Depending on your model and provider, those steps will be different; Google is your friend.

Install pi-hole

First, assign a static IP on your machine if you can’t set a static lease on your internet box.

I installed pi-hole on a RPI4 using pip install pi-hole (depending on your setup you will want to RTFM instead).

Setup pi-hole

The setup wizard is very easy to use and understand; once again, if stuck, go check the doc.

Once it is all set up, you will want to manage your DHCP: change the IP range, set the local domain, set static leases… Don’t forget to set your gateway to your internet box.

You can then add new DNS blacklists to block more ad domains.

You should be ready to go by now: all your connected devices will use the pi-hole once their previous DHCP lease expires.

Setup wireguard

Now that your local devices are safer from ads, you want to be able to block those from anywhere, and manage your local network remotely.

apt install wireguard

Server

# keep the private key (and the config that embeds it) readable by root only
umask 077

# generate keys
wg genkey > wg.key
cat wg.key | wg pubkey > wg.pub

# create conf
cat <<EOF > /etc/wireguard/wg.conf
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = <priv key in wg.key>

[Peer]
PublicKey = <peer pub key in home.pub>
# one /32 per peer: 10.0.0.2/24 would be read as the whole 10.0.0.0/24
AllowedIPs = 10.0.0.2/32
EOF

# allow forwarding (append, do not overwrite sysctl.conf) and apply it now
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

# enable wg
systemctl enable --now wg-quick@wg

# check for service
wg show

Client

# keep the private key (and the config that embeds it) readable by root only
umask 077

# generate keys
wg genkey > home.key
cat home.key | wg pubkey > home.pub

# create conf
cat <<EOF > /etc/wireguard/home.conf
[Interface]
PrivateKey = <priv key in home.key>
Address = 10.0.0.2/24 # same address as Peer.AllowedIPs in server's config
DNS = 10.0.0.1 # use pi-hole

[Peer]
PublicKey = <server pub key in wg.pub>
AllowedIPs = 10.0.0.0/24
Endpoint = <your box IP>:<forwarded port>
EOF

Internet box

  • Put your pi-hole in DMZ
  • Create NAT/PAT rule for a port forwarding
    • From your box to pi-hole’s wireguard port

Once everything is set up, on your client: wg-quick up home should connect you to your local network.

Also, you should be able to manage your local machines: firefox http://pi.lan/admin should lead you to your pi-hole interface.
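
A pre-flight check for the WireGuard configs above, as an added example that is not part of the original article: WireGuard masks the host bits of AllowedIPs, so two peers written as 10.0.0.2/24 and 10.0.0.3/24 both claim 10.0.0.0/24 and only the last one keeps it. The function name `wg_conf_lint` is hypothetical, the sample config is constructed, and only IPv4 entries are checked.

```shell
#!/bin/sh
# wg_conf_lint FILE: print findings for a wg-quick config, return 1 if any.
wg_conf_lint() {
    conf=$1; rc=0
    # The file holds PrivateKey: group and other must have no permission bits.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$conf: group/other bits are '$perms', expected mode 600"
        rc=1
    fi
    # AllowedIPs is stored per network prefix: host bits are masked off, and a
    # prefix listed under two peers stays with only the last one.
    awk -v f="$conf" '
        { sub(/#.*/, "") }                                   # strip comments
        /^[ \t]*\[/ { inpeer = (tolower($0) ~ /\[peer\]/); peer += inpeer; next }
        inpeer && tolower($0) ~ /^[ \t]*allowedips[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
            n = split($0, cidr, ",")
            for (i = 1; i <= n; i++) {
                if (split(cidr[i], p, "/") < 2) p[2] = 32    # bare address means /32
                if (split(p[1], o, ".") != 4) continue       # IPv4 only
                ip = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
                size = 2 ^ (32 - p[2]); net = ip - ip % size
                if (net != ip) {
                    printf "%s: peer %d: %s has host bits set, it means the whole /%d\n", f, peer, cidr[i], p[2]
                    bad = 1
                }
                key = sprintf("%.0f/%d", net, p[2])
                if ((key in owner) && owner[key] != peer) {
                    printf "%s: peer %d: %s is the same prefix as peer %d\n", f, peer, cidr[i], owner[key]
                    bad = 1
                }
                owner[key] = peer
            }
        }
        END { exit bad }
    ' "$conf" || rc=1
    return $rc
}

# Constructed sample (placeholder keys): two peers written with a /24 mask.
demo=$(mktemp) && chmod 644 "$demo"
printf '%s\n' '[Interface]' 'Address = 10.0.0.1/24' 'PrivateKey = <priv key>' \
    '[Peer]' 'PublicKey = <peer 1 pub key>' 'AllowedIPs = 10.0.0.2/24' \
    '[Peer]' 'PublicKey = <peer 2 pub key>' 'AllowedIPs = 10.0.0.3/24 # phone' > "$demo"
wg_conf_lint "$demo" || echo "findings above: fix before 'systemctl enable --now wg-quick@wg'"
rm -f "$demo"
```

On the server, run it as wg_conf_lint /etc/wireguard/wg.conf before enabling the service, and again each time a peer is added.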
