Create and run

nano vpn-health.sh
chmod +x vpn-health.sh
./vpn-health.sh

#!/bin/bash

echo “=========================================”
echo “🔍 VPN HEALTH CHECK – $(date)”
echo “=========================================”

WG_IF=”wg0″

# — SYSTEM —
echo -e “\n🖥️ SYSTEM STATUS”
uptime
free -m | awk ‘NR==2{printf “RAM Usage: %s/%s MB (%.2f%%)\n”, $3,$2,$3*100/$2 }’
df -h / | awk ‘NR==2{print “Disk Usage:”, $5, “used”}’

# — NETWORK —
echo -e “\n🌐 NETWORK”
ip a show $WG_IF 2>/dev/null | grep inet || echo “❌ wg0 interface not found”
ip route | grep default

PUBLIC_IP=$(curl -s ifconfig.me)
echo “Public IP: $PUBLIC_IP”

# — WIREGUARD STATUS —
echo -e “\n🔐 WIREGUARD STATUS”
if sudo wg show $WG_IF >/dev/null 2>&1; then
sudo wg show $WG_IF
else
echo “❌ WireGuard interface $WG_IF is DOWN”
fi

# — SERVICE STATUS —
echo -e “\n⚙️ SERVICE STATUS”
sudo systemctl is-active wg-quick@$WG_IF

# — CONNECTED CLIENTS —
echo -e “\n👥 CONNECTED CLIENTS (PiVPN)”
if command -v pivpn >/dev/null; then
sudo pivpn -c
else
echo “PiVPN not installed”
fi

# — FIREWALL —
echo -e “\n🔥 FIREWALL (Top DROP rules)”
sudo iptables -L -n -v | grep DROP | head -10

# — PORT CHECK —
echo -e “\n📡 LISTENING PORTS (wg)”
sudo ss -tunap | grep $WG_IF || echo “No wg sockets found”

# — RECENT LOGS —
echo -e “\n📜 RECENT WIREGUARD LOGS”
sudo journalctl -u wg-quick@$WG_IF –since “10 min ago” | tail -20

# — FAILED LOGINS —
echo -e “\n🚨 FAILED LOGIN ATTEMPTS”
sudo grep “Failed password” /var/log/auth.log 2>/dev/null | tail -5

echo -e “\n=========================================”
echo “✅ HEALTH CHECK COMPLETE”
echo “=========================================”

Part 1 — The Foundation

By @jrvanschie

---

🔍 What You’ll Learn in This Series

This is a step-by-step blog series where I show how I built a secure home server using a Raspberry Pi.

In this first part:

• Install and configure DietPi
• Set up Pi-hole (network-wide ad blocking)
• Configure WireGuard VPN
• Secure access with firewall + 2FA

👉 Upcoming parts:

• Health check
• You’re feedbacks/ideas

 

---

Why I Built This

I wanted:

• Secure remote access to my home network
• No reliance on cloud providers
• Full control over privacy and traffic

What I ended up with is:

• A fast WireGuard VPN server
• A powerful Pi-hole DNS blocker
• Secure SSH access with 2FA

All running on a Raspberry Pi.

---

🧰 Tech Stack

• DietPi OS
• Pi-hole
• WireGuard (via PiVPN)
• Google Authenticator

---

Step 1 — Installing DietPi

Download DietPi from the official website and verify the checksum.
shasum -a 256 (downloaded_filename>

Then flash it using Raspberry Pi Imager (https://www.raspberrypi.com/software/) and boot your device.

Find your IP:

ip a

Connect via SSH (e.g. Termius).
And note you Local setup, for example
LAN_NET="192.168.1.0/24"

(You need this info in script 1 in the steps below)

---

Step 2 — Initial Configuration

Run:

dietpi-config

Configure:

• Timezone/keyboard
• Passwords/hostname
• Static IP

Then install OpenSSH:

dietpi-software

Change SSH Dropbear to OPENSSH and choose install
👉 Required for 2FA later.

---

Step 3 — Pi-hole (Network-Wide Ad Blocking)

Install Pi-hole:

dietpi-software

Select:

• Pi-hole
• Quad9 DNS (filtered)

Set password:

pihole setpassword

Open the dashboard:

https://<your-ip>:8489/admin

(Example screenshots)

 

 

 

 

👉 Set your router DNS to your Pi’s IP.

Now every device in your home benefits from ad blocking.

---

Step 4 — WireGuard VPN Setup

Install:

dietpi-software

Choose:

• PiVPN → WireGuard
• Note down the network that is chosen for your VPN
  For example VPN_NET="10.129.217.0/24"(You need this info in script 1 in the steps below)

Create a profile:

pivpn add

Show QR code:

pivpn -qr

 

(Example result in terminal)

Scan it with your phone.

Choose in your App on your phone:

 

You now have secure access to your home network from anywhere.

---

Step 5 — Router Configuration

Forward this port:

• UDP 51820 → Raspberry Pi IP
  Need help? check: https://www.noip.com/support/knowledgebase/general-port-forwarding-guide

Now your VPN is reachable externally.

---

Step 6 — Create a Safer User

adduser adminshark
usermod -aG sudo adminshark

Use:

• adminshark → remote access
• root → local only

Switch:

su adminshark

---

Step 7 — Firewall (Script 1)

Create and run as root:./script1.sh

(You need the LAN and VPN_NET from step 1 and 4 in order to let this work.)

nano script1.sh

chmod +x script1.sh

#!/bin/bash

echo “🔧 BASE SETUP + FIREWALL (OPTIMIZED)”

LAN_NET=”192.168.1.0/24″
VPN_NET=”10.129.217.0/24″

LAN_IF=”eth0″
WG_IF=”wg0″

# Update system packages
sudo apt update && sudo apt upgrade -y

# Enable IP forwarding (turns your Raspberry Pi into a router)
echo “net.ipv4.ip_forward=1” | sudo tee /etc/sysctl.d/99-ipforward.conf
sudo sysctl –system

# Reset firewall
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X

# Default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# 🔁 Loopback allows the system to communicate with itself
sudo iptables -A INPUT -i lo -j ACCEPT

# 🔁 Allow established traffic (responses to already initiated connections)
sudo iptables -A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

# 🔑 SSH (LAN + VPN)
sudo iptables -A INPUT -p tcp -s $LAN_NET –dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -s $VPN_NET –dport 22 -j ACCEPT

# 🌐 HTTP (Pi-hole UI)
sudo iptables -A INPUT -p tcp -s $LAN_NET –dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -s $VPN_NET –dport 80 -j ACCEPT

# 🧱 Pi-hole DNS
sudo iptables -A INPUT -p udp -s $LAN_NET –dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s $LAN_NET –dport 53 -j ACCEPT

sudo iptables -A INPUT -p udp -s $VPN_NET –dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -s $VPN_NET –dport 53 -j ACCEPT

# 🔧 Pi-hole admin (port 8489)
sudo iptables -A INPUT -p tcp -s $LAN_NET –dport 8489 -j ACCEPT
sudo iptables -A INPUT -p tcp -s $VPN_NET –dport 8489 -j ACCEPT

# 🌐 WireGuard incoming (via router port forwarding)
sudo iptables -A INPUT -i $LAN_IF -p udp –dport 51820 -j ACCEPT

# 🔁 FORWARD rules
# VPN → LAN (and via router to the internet)
sudo iptables -A FORWARD -i $WG_IF -o $LAN_IF -s $VPN_NET -j ACCEPT

# LAN → VPN (return traffic)
sudo iptables -A FORWARD -i $LAN_IF -o $WG_IF -d $VPN_NET -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT

# 🌍 NAT (VPN → LAN → router → internet)
sudo iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE

# Save rules
sudo apt install -y iptables-persistent
sudo netfilter-persistent save

echo “✅ Firewall + NAT + VPN routing OK (optimized)”


---

Step 8 — SSH + 2FA (Script 2)

⚠️ Run this as adminshark (not root) ./script2.sh

nano script2.sh
chmod +x script2.sh

 

#!/bin/bash

echo “🔐 SSH + 2FA setup”

sudo apt install -y libpam-google-authenticator

# PAM aanpassen

if ! grep -q “pam_google_authenticator.so” /etc/pam.d/sshd; then

echo “auth required pam_google_authenticator.so” | sudo tee -a /etc/pam.d/sshd

fi

# SSH config

sudo sed -i ‘s/^#KbdInteractiveAuthentication no/ KbdInteractiveAuthentication yes/’ /etc/ssh/sshd_config

sudo sed -i ‘s/^KbdInteractiveAuthentication no/ KbdInteractiveAuthentication yes/’ /etc/ssh/sshd_config

sudo systemctl restart ssh

echo “⚠️ Run nu: google-authenticator”

 

Then run:
google-authenticator

---

Final Result

You now have:

• ✅ Secure VPN access (WireGuard)
• ✅ Network-wide ad blocking (Pi-hole)
• ✅ Firewall-protected system
• ✅ SSH secured with 2FA

All on a Raspberry Pi.

---