Raspberry Pi – Debian – Ad Block Service

This post may change a bit as I clean up the process, for now this is a working notepad.

Recently I had one of my Raspberry Pi die, at no fault to the Raspberry Pi itself, and I had to reload my secondary DNS filter.

The code below will assist you in replicating my process.

Equipment List:

  • 2 Raspberry Pi Microcomputers
  • 1 USB Keyboard and USB Mouse (At least for the setup of the Raspbian OS)
  • 1 Device to test the configuration (Laptop/Desktop/Phone/Tablet)
  • DD-WRT Capable Router (Optional)
    • Suggested but not required
  • Internet (Obvious yes?)

Software List:

  • Raspbian OS
  • Pi-Hole
    • Don’t let the name deter you as you can rename it later if you choose
    • While you could do much of what they do on your own it is really a nice package that makes it a lot cleaner and easier
  • SSH Client (PuTTY or Unix/Mac Terminal)
  • OpenVPN (Optional)
    • Optional but if you want to use this filter solution outside of your home this is suggested.
  • DD-WRT (Optional)
    • Optional but best solution for making it more difficult to get around the DNS filtering.

I like to build the Raspberry Pi and setup the Raspbian OS with the keyboard and mouse attached to the Pi only to the point of getting SSH available then doing the rest on my laptop or on my surface so that I can modify the configuration on more than one Pi at the same time. When you have the equipment you will need to start with the Raspberry Pi installation guide at https://www.raspberrypi.org/documentation/installation/installing-images/README.md If you choose to go with DD-WRT go to http://www.dd-wrt.com/wiki/index.php/Main_Page to get the basics setup

Setup SSH

  1. Assuming you have your Raspberry Pi setup make sure to go over to the menu and open up the Raspberry Pi Configuration from the Preferences menu
  2. Navigate to the Interfaces tab
  3. Select Enabled next to SSH
  4. Click OK

Get IP Address

  1. Open Terminal from the top left menu
  2. In Terminal run this code to get the IP address
    hostname -I


    ifconfig | grep 'inet' | grep -v inet6 | grep -v | cut -d ' ' -f10
    • ifconfig will provide your network interface information
    • The first two grep commands will filter the information to show IPv4 only
    • After the third grep you should be left with a valid IP address for your network (192.168.x.x is typical)
    • The cut with -d delimiter of space should remove the remaining information to leave you with only the IP

Connect Via PuTTy

  1. With PuTTY open, type the IP address in “Host Name (or IP Address)” text box
  2. Type a descriptive name (ex. My Pi) in “Saved Sessions” text box
  3. On the left side click on “Data” under “Connection” and type “pi” in the “Auto-login username” text box
  4. On the left side click on “Session” and click the “Save” button then click the “Open” button

Connect Via Unix/Mac Terminal

Depending on your Unix choice you may need to search for Terminal.
On Mac it’s easiest to hold down the Command+Space keys to do a “Spotlight Search” and type Terminal

  1. Type this into Terminal (Change ipaddress to the IP address you received above)
    ssh ipaddress -l pi
    • The -l in this code is to define the username that we want is the pi user

The first time you connect you should see something like this below, type yes followed by the enter/return key to add it to your known hosts and you shouldn’t receive this message again.

The authenticity of host 'ipaddress (ipaddress)' can't be established.
ECDSA key fingerprint is SHA256:7dNNX+60VcTn9QvJC8EI1044CLET5m5kMh1f7te3bGM.
Are you sure you want to continue connecting (yes/no)?

Raspbian Template

The code below will:

  • Update Raspbian/Debian
  • Install some basic tools
  • Set timezone, you may want to lookup your timezone name
    • Get timezone list
      ls /usr/share/zoneinfo/
      ls /usr/share/zoneinfo/America/
    • For example Detroit is the closest timezone name so the path is /usr/share/zoneinfo/America/Detroit so in the script below I use America/Detroit
    • If you live in Paris the path is /usr/share/zoneinfo/Europe/Paris so in the script below you’d use Europe/Paris
# Switch to root user

# Usually not needed but will help apt-get to work
dpkg --configure -a

# Update Ubuntu
apt-get update -y && apt-get check -y && apt-get autoremove -y && apt-get autoclean -y && apt-get clean -y

# Install JQ, IPCalc, NMAP, Network Manager (nmcli), curl
apt-get -y install jq ipcalc network-manager nmap curl net-tools

# Install NTP Client
apt-get --assume-yes install ntp -y

# Set Time Zone - Change as needed
timedatectl set-timezone America/Detroit

# Get OS Name and Version
OS=$(lsb_release -i | cut -d ":" -f2 | tr -d '[:space:]')
OSCode=$(lsb_release -c | cut -d ":" -f2 | tr -d '[:space:]')
OSVer=$(lsb_release -r | cut -d ":" -f2 | tr -d '[:space:]')
echo $OS $OSCode $OSVer

# Network Variables - Start
netAdapter=$(nmcli device status | grep en | cut -d " " -f1)
if [ -z "$netAdapter" ]; then
netAdapter=$(nmcli device status | grep eth | cut -d " " -f1)
echo $netAdapter

netIP=$(/sbin/ip -o -4 addr list $netAdapter | awk '{print $4}' | cut -d/ -f1)
echo $netIP

#declare netMask=$(ipcalc -m $netIP | cut -d '=' -f2)
#netMask=$(ifconfig "$netAdapter" | sed -rn '2s/ .*:(.*)$/\1/p') # Debian 8
netMask=$(ifconfig "$netAdapter" | grep netmask | cut -d ' ' -f13) # Debian 9
netCIDR=$(ipcalc $netIP/$netMask | grep "Netmask:" | cut -d "=" -f2 | cut -d " " -f2 | tr -d '[:space:]')
netWork=$(ipcalc $netIP/$netMask | grep "Network:" | cut -d "/" -f1 | cut -d " " -f4 | tr -d '[:space:]')

declare banner=$(cat <<EOF
$OS $OSCode $OSVer
     Hostname:        $(hostname)

     Network Information
          Adapter:    $netAdapter
          IP:         $netIP
          Netmask:    $netMask
          CIDR:       $netWork/$netCIDR

echo "$banner"

cp /etc/motd /etc/motd.original
echo -e "$banner"|tee  /etc/motd

rm -f /etc/banner
echo "Welcome to Raspberry Pi - Ad Filter" | tee /etc/banner

cat /etc/banner

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sed -i "s|#Banner none|Banner /etc/banner|" /etc/ssh/sshd_config
sed -i "s|#Banner /etc/issue.net|Banner /etc/banner|" /etc/ssh/sshd_config
/etc/init.d/ssh restart

Get/Install Pi-Hole

Run the code below to start the installation of Pi-Hole, you will get some prompts in a Terminal User Interface (TUI)

curl -sSL https://install.pi-hole.net | bash
  1. The first three screens are informational, tap enter/return to go to the next screen
  2. On the 4th screen you are asked what DNS provider you’d like to use, I have a free account with OpenDNS so I choose OpenDNS
    • Side Note: If you haven’t tried OpenDNS you may want to as it filters far more than you can image.
  3. On the 5th screen you are asked the protocols you wish to use (IPv4 and/or IPv6), by default both are selected. Tap enter/return to keep this option.
  4. On the 6th screen you are asked if the IP address the Pi is currently using is the IP you’d like to setup as a static IP. Tap the right arrow to select <No> and tap enter/return.
    • Note: You should have a DHCP range that doesn’t include servers (i.e. The Raspberry Pi).
    • Suggested range for your DHCP is to start at a number at least 10 higher than you think you’ll need for servers/printers. In my case I start the DHCP rather high at 128
  5. On the 7th screen you are asked to input your desired IPv4 address. Type in the IP you want with the proper CIDR. Most home networks are /24 so you would type something like where the would be the IP you want for the Raspberry Pi. Tap enter/return to continue.
    • If you have 10 IP addresses for servers and printers choose an IP that is within that small range
  6. On the 8th screen you are asked to input your desired IPv4 default gateway. Typically the one on the screen is the correct IP, correct it and/or tap enter/return to continue
  7. On the 9th screen you are asked to confirm the settings, if correct tap enter/return to continue or tap the right arrow to select and go through the IP selection again.
  8. On the 10th screen you will see the IPv6 that will be used for the Raspberry Pi
  9. On the 10th screen you are asked if you want to install the web admin interface, this is recommended but not required. In most cases simply tap enter/return to continue.
  10. On the 11th screen you are asked if you want to log queries, this is recommended but not required. In most cases simply tap enter/return to continue.
  11. On the 12th screen (after it actually installs and configures) you are given completion information, it is suggested to copy all of this information but at least the password
    | Configure your devices to use the Pi-hole as their DNS server      │
    │ using:                                                             │ 
    │                                                                    │ 
    │ IPv4:                                           │ 
    │ IPv6:        fdb2:2c26:f4e4:0:21c:42ff:feb5:19bf                   │ 
    │                                                                    │ 
    │ If you set a new IP address, you should restart the Pi.            │ 
    │                                                                    │ 
    │ The install log is in /etc/pihole.                                 │ 
    │                                                                    │ 
    │ View the web interface at http://pi.hole/admin or                  │ 
    │                                           │ 
    │                                                                    │ 
    │ Your Admin Webpage login password is c-FNXvNE                      |
    • NOTE: If you fail to write the password for the web admin interface you can run this command and set a new password
      sudo pihole -a -p

At this point the basics are installed and ready to go.

Change/Modify Adlists

The filter is only as good as the lists that you feed it, as of this writing 118,348 are blocked with the preconfigured lists.
It is recommended that you only select lists that you trust, for your benefit and mine this is the list I use and how to get it.

sudo cp /etc/pihole/adlists.list /etc/pihole/adlists.list.original
cd ~/
wget https://gist.githubusercontent.com/dkittell/4646d0ba073c90e58c920b5730e0bf5e/raw/238adcd4e46a3b7f408099f21e51120fbf030040/adlists.list
wget https://gist.githubusercontent.com/dkittell/74dc56f832ea2b7da1c9cc9fcbb766ca/raw/9989b23784d7f2f32117893187e59f8a39197e49/filter_stats.sh
sudo mv adlists.list /etc/pihole/

pihole -up && pihole -g && sh filter_stats.sh

Get/Install OpenVPN

Similar to Pi-Hole PiVPN has put together a simple installer

curl -L https://install.pivpn.io | bash
  1. The first four screens are informational, tap enter/return to go to the next screen
  2. The fifth screen will ask you to select a user, in most cases you will only have one user. Select the user, tap enter/return to go to the next screen
  3. The sixth screen is informational, tap enter/return to go to the next screen
  4. The seventh screen asks if you want to enable unattended upgrades fo security patches, suggestion is to say yes, tap enter/return to go to the next screen
  5. The eighth screen asks if you want UDP or TCP, UDP is suggested, tap enter/return to go to the next screen
  6. The ninth screen will ask for a port number, suggestion is to keep the default port until you are more familiar with ports, tap enter/return to go to the next screen
  7. The tenth screen will ask you to confirm the port, tap enter/return to go to the next screen
  8. The eleventh screen will ask for encryption strength, suggestion is 2048 or 4096, tap enter/return to go to the next screen
  9. The twelfth screen will tell you to create the profile when done, tap enter/return to go to the next screen
  10. The thirteenth screen will suggest you reboot, it is suggested you reboot, tap enter/return to go to the next screen
  11. The fourteenth screen is information to say the machine will now reboot, tap enter/return to go to the next screen

When the Pi is done rebooting, run the PiVPN configuration to create the profile.

pivpn add
All information on this site is shared with the intention to help. Before any source code or program is ran on a production (non-development) system it is suggested you test it and fully understand what it is doing not just what it appears it is doing. I accept no responsibility for any damage you may do with this code.