Part 1 — The Foundation
By @jrvanschie
🔍 What You’ll Learn in This Series
This is a step-by-step blog series where I show how I built a secure home server using a Raspberry Pi.
In this first part:
- Install and configure DietPi
- Set up Pi-hole (network-wide ad blocking)
- Configure WireGuard VPN
- Secure access with firewall + 2FA
👉 Upcoming parts:
- Health check
- Your feedback/ideas
Why I Built This
I wanted:
- Secure remote access to my home network
- No reliance on cloud providers
- Full control over privacy and traffic
What I ended up with is:
- A fast WireGuard VPN server
- A powerful Pi-hole DNS blocker
- Secure SSH access with 2FA
All running on a Raspberry Pi.
🧰 Tech Stack
- DietPi OS
- Pi-hole
- WireGuard (via PiVPN)
- Google Authenticator
Step 1 — Installing DietPi
Download DietPi from the official website and verify the checksum against the value published on the download page:
shasum -a 256 <downloaded_filename>
Then flash it using Raspberry Pi Imager (https://www.raspberrypi.com/software/) and boot your device.
Find your IP:
ip a
Connect via SSH (e.g. Termius).
Also note your local network range, for example:
LAN_NET="192.168.1.0/24"
(You need this value for script 1 in the steps below.)
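A small helper for the checksum step, added here as an example and not part of the original post or of DietPi: it takes the downloaded file and the digest copied from the download page (either the bare hex or the whole "<hex>  <filename>" line) and fails loudly when they differ, so a mistyped or tampered image is never flashed. The function names sha256_of and verify_sha256 are mine; the file used in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded image against
# the SHA-256 value published next to it.
# Usage: verify_sha256 <file> "<expected-hex>"   (or the whole "<hex>  <name>" line)

# Pick whichever SHA-256 tool the machine has (Linux coreutils or macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Returns 0 when the file's digest matches the expected one, 1 otherwise.
# The expected value may be pasted as "<hex>" or as a whole "<hex>  <name>"
# line copied from the download page; letter case is ignored.
verify_sha256() {
  file="$1"
  expected="$(printf '%s' "$2" | cut -d ' ' -f 1 | tr 'A-F' 'a-f')"
  # Refuse anything that is not exactly 64 hex characters: a truncated paste
  # must not silently "match" a truncated comparison.
  case "$expected" in
    *[!0-9a-f]*|'') echo "invalid expected digest"; return 1 ;;
  esac
  if [ ${#expected} -ne 64 ]; then
    echo "expected digest is not 64 hex characters"; return 1
  fi
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file"
    return 0
  fi
  echo "FAIL $file"
  echo "  expected $expected"
  echo "  actual   $actual"
  return 1
}
```

Run it as `verify_sha256 DietPi_RPi-ARMv8-Bookworm.img.xz "<hex from the download page>"`; a non-zero exit means do not flash. (The file name above is only an illustration of the call; use the name of the file you actually downloaded.)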
Step 2 — Initial Configuration
Run:
dietpi-config
Configure:
- Timezone/keyboard
- Passwords/hostname
- Static IP
Then install OpenSSH:
dietpi-software
Change the SSH server from Dropbear to OpenSSH and choose Install.
👉 Required for 2FA later.
Step 3 — Pi-hole (Network-Wide Ad Blocking)
Install Pi-hole:
dietpi-software
Select:
- Pi-hole
- Quad9 DNS (filtered)
Set password:
pihole setpassword
Open the dashboard:
https://<your-ip>:8489/admin
(Example screenshots)

👉 Set your router DNS to your Pi’s IP.
Now every device in your home benefits from ad blocking.
Step 4 — WireGuard VPN Setup
Install:
dietpi-software
Choose:
- PiVPN → WireGuard
- Note down the network that is chosen for your VPN, for example:
VPN_NET="10.129.217.0/24"
(You need this value for script 1 in the steps below.)
Create a profile:
pivpn add
Show QR code:
pivpn -qr
(Example result in terminal)

Scan it with your phone.
Then choose the imported tunnel in the WireGuard app on your phone:
(Example screenshot)
You now have secure access to your home network from anywhere.
Step 5 — Router Configuration
Forward this port:
- UDP 51820 → Raspberry Pi IP
Need help? Check: https://www.noip.com/support/knowledgebase/general-port-forwarding-guide
Now your VPN is reachable externally.
Step 6 — Create a Safer User
adduser adminshark
usermod -aG sudo adminshark
Use:
- adminshark → remote access
- root → local only
Switch:
su adminshark
Step 7 — Firewall (Script 1)
Create the script below and run it as root: ./script1.sh
(You need LAN_NET from step 1 and VPN_NET from step 4 for this to work.)
nano script1.sh
chmod +x script1.sh
#!/bin/bash
set -e   # stop at the first failing command so a half-applied ruleset is noticed
echo "🔧 BASE SETUP + FIREWALL (OPTIMIZED)"
LAN_NET="192.168.1.0/24"
VPN_NET="10.129.217.0/24"
LAN_IF="eth0"
WG_IF="wg0"
# Update system packages
sudo apt update && sudo apt upgrade -y
# Enable IP forwarding (turns your Raspberry Pi into a router)
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-ipforward.conf
sudo sysctl --system
# Reset firewall (IPv4 only; this script leaves ip6tables untouched)
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X
# Default policies: drop everything inbound and forwarded unless allowed below
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# 🔁 Loopback allows the system to communicate with itself
sudo iptables -A INPUT -i lo -j ACCEPT
# 🔁 Allow established traffic (responses to already initiated connections)
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 🔑 SSH (LAN + VPN only, never from the internet)
sudo iptables -A INPUT -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -s "$VPN_NET" --dport 22 -j ACCEPT
# 🌐 HTTP (Pi-hole UI)
sudo iptables -A INPUT -p tcp -s "$LAN_NET" --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -s "$VPN_NET" --dport 80 -j ACCEPT
# 🧱 Pi-hole DNS
sudo iptables -A INPUT -p udp -s "$LAN_NET" --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s "$LAN_NET" --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -s "$VPN_NET" --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s "$VPN_NET" --dport 53 -j ACCEPT
# 🔧 Pi-hole admin (port 8489)
sudo iptables -A INPUT -p tcp -s "$LAN_NET" --dport 8489 -j ACCEPT
sudo iptables -A INPUT -p tcp -s "$VPN_NET" --dport 8489 -j ACCEPT
# 🌐 WireGuard incoming (via router port forwarding); the only port reachable from the internet
sudo iptables -A INPUT -i "$LAN_IF" -p udp --dport 51820 -j ACCEPT
# 🔁 FORWARD rules
# VPN → LAN (and via router to the internet)
sudo iptables -A FORWARD -i "$WG_IF" -o "$LAN_IF" -s "$VPN_NET" -j ACCEPT
# LAN → VPN (return traffic only)
sudo iptables -A FORWARD -i "$LAN_IF" -o "$WG_IF" -d "$VPN_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 🌍 NAT (VPN → LAN → router → internet)
sudo iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
# Save rules so they survive a reboot (answer "yes" if the installer asks to save the current rules)
sudo apt install -y iptables-persistent
sudo netfilter-persistent save
echo "✅ Firewall + NAT + VPN routing OK (optimized)"
Step 8 — SSH + 2FA (Script 2)
⚠️ Run this as adminshark (not root): ./script2.sh
nano script2.sh
chmod +x script2.sh
#!/bin/bash
set -e
echo "🔐 SSH + 2FA setup"
sudo apt install -y libpam-google-authenticator
# Adjust PAM: require a TOTP code in addition to the normal password check
if ! grep -q "pam_google_authenticator.so" /etc/pam.d/sshd; then
  echo "auth required pam_google_authenticator.so" | sudo tee -a /etc/pam.d/sshd
fi
# SSH config: enable keyboard-interactive authentication so PAM can prompt for the code
sudo sed -i 's/^#KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config
sudo sed -i 's/^KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config
# Fallback: add the option if sshd_config has no such line at all
if ! grep -q "^KbdInteractiveAuthentication yes" /etc/ssh/sshd_config; then
  echo "KbdInteractiveAuthentication yes" | sudo tee -a /etc/ssh/sshd_config
fi
sudo systemctl restart ssh
# Keep this SSH session open: until google-authenticator has been run for this user,
# new logins fail because PAM cannot find ~/.google_authenticator
echo "⚠️ Run now: google-authenticator"
Then run:
google-authenticator
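Before closing the session you ran the script from, confirm that the three pieces it touched line up; a mistake here locks you out, because PAM rejects every login once pam_google_authenticator.so is required and the user has no secret file. The check below is an added example, mine rather than the post's or the libpam-google-authenticator project's. The function name check_2fa_ready and the helper sshd_option are mine, and all three paths are parameters so the function can be tested on copies; on the Pi itself you would point it at the real files.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the SSH + 2FA
# setup, run from the still-open session before trusting it with a new login.
# Usage on the Pi:
#   check_2fa_ready /etc/ssh/sshd_config /etc/pam.d/sshd "$HOME/.google_authenticator"

# Effective value of an sshd_config keyword: sshd keeps the FIRST non-comment
# occurrence, so that is the one reported (lower-cased, empty if absent).
sshd_option() {
  grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# Returns 0 when every check passes, otherwise prints each failing check and returns 1.
check_2fa_ready() {
  cfg="$1"; pam="$2"; secret="$3"; rc=0

  # 1. sshd must allow keyboard-interactive auth, or PAM never gets to ask for the code.
  if [ "$(sshd_option "$cfg" KbdInteractiveAuthentication)" != "yes" ]; then
    echo "FAIL: KbdInteractiveAuthentication is not 'yes' in $cfg"; rc=1
  fi
  # 2. UsePAM must not be switched off (Debian ships it as 'yes').
  if [ "$(sshd_option "$cfg" UsePAM)" = "no" ]; then
    echo "FAIL: 'UsePAM no' in $cfg disables the PAM stack"; rc=1
  fi
  # 3. The PAM stack for sshd must require the module on an uncommented line.
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam"; then
    echo "FAIL: pam_google_authenticator.so is not required in $pam"; rc=1
  fi
  # 4. The user's secret must exist and be private: google-authenticator creates it
  #    with mode 0400, and the PAM module rejects secrets readable by group or others.
  if [ ! -f "$secret" ]; then
    echo "FAIL: $secret is missing; run google-authenticator first"; rc=1
  elif [ "$(ls -ld "$secret" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $secret is readable by group/others"; rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    echo "OK: 2FA prerequisites are in place; test a second login before closing this one"
  fi
  return "$rc"
}
```

Debian's sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and a file there wins over the main file; for the value sshd is really using, `sudo sshd -T | grep -i kbdinteractive` is authoritative, while this function checks exactly the file you hand it. Either way, open a second SSH session and complete a password plus code login before closing the first.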
Final Result
You now have:
- ✅ Secure VPN access (WireGuard)
- ✅ Network-wide ad blocking (Pi-hole)
- ✅ Firewall-protected system
- ✅ SSH secured with 2FA
All on a Raspberry Pi.
OK, now what?
Please do not use root for day-to-day work; lock the account:
sudo passwd -l root
Need root again? sudo passwd root
Consider using Unbound as your own recursive upstream resolver for Pi-hole:
https://docs.pi-hole.net/guides/dns/unbound/