updates pihole exercise

waldek 2021-05-04 22:25:24 +02:00
parent 00596550e3
commit 54e3931921
1 changed files with 48 additions and 22 deletions

@ -2,72 +2,86 @@
What you'll need to get started: What you'll need to get started:
* essentials
* a raspberry pi * a raspberry pi
* a USB power supply * a USB power supply
* an SD card you can erase * an SD card you can erase
* a keyboard * an Ethernet cable
* an HDMI cable * optional
* a keyboard and mouse
* an HDMI cable and screen
## Your current situation ## Your current situation
Your current situation looks probably *very* similar to the image below. Your current situation at home looks probably *very* similar to the image below.
You have some sort of router/modem/switch/wirelessAP combination box sitting somewhere in your house. You have some sort of router/modem/switch/wireless access point combination box sitting somewhere in your house.
To this device you have your PC's, printer, phone's connected either with a cable or over WiFi. To this device you have your PC's, printer, phone's connected either with a cable or over WiFi.
![without pihole](./network_home_without_pihole.png) ![without pihole](./network_home_without_pihole.png)
I advise you to take some notes on your network settings *before* starting to mess around. I advise you to take some notes on your network settings *before* starting to mess around with the pihole.
Your `nameserver` is probably the IP address of your router and the `DHCP` server for both your wired LAN and wireless WLAN is probably the same IP address. Your DNS resolution is probably done by your router and the `DHCP` server for both your wired LAN and wireless WLAN is probably also done by that same box.
This means your *bbox* does a few different things: This means your *bbox* does a few different things:
* it's a modem that gives you a public IP address (from your ISP) * it's a modem that gives you a public IP address (from your ISP)
* it does NAT so that your LAN devices can access the internet * it does NAT so that your LAN devices can access the internet
* it has a builtin DHCP and DNS server * it has a builtin DHCP and DNS server
* it creates a wireless access point so you can connect your phone * it creates a wireless access point so you can connect your phone over WiFi
* it has a builtin hardware switch so you can connect multiple PC's * it has a builtin hardware switch so you can connect multiple PC's as a LAN
As you found out during our exercises, a Linux machine can do all of these things if you configure it properly. As you found out during our previous exercises, a Linux machine can do all of these things if you configure it for it.
We'll try and replace two, or for the brave ones three, of those *features* with a raspberry pi. We'll try and replace two, or for the brave ones three, of those *features* with a raspberry pi.
This will be done **step by step** but it's worth pointing out that a basic pihole installation is not invasive at all. This will be done **step by step** but it's worth pointing out that a basic pihole installation is **not invasive** at all.
You won't break the internet by just installing the pihole package on your raspberry pi. You won't break the internet by just installing the pihole package onto your raspberry pi.
Throughout the full installation it is however possible you'll have some downtime. Throughout the full installation it is however possible you'll have some downtime.
If there are people in your household depending on the internet to work it might be best to schedule your installation with them. If there are people in your household depending on the internet for work it might be best to schedule your installation with them.
## Hardware installation ## Hardware installation
It's probably easiest, and recommended, to do the installation with the raspberry pi connected to your network over Ethernet. It's probably easiest, and recommended, to do the installation with the raspberry pi connected to your network over Ethernet.
You can connect the raspberry pi over WiFi but I discourage it because of the inherent latency of wireless connections.
You can perform the installation over `ssh` or with a screen and keyboard connected, it's fully your choice. You can perform the installation over `ssh` or with a screen and keyboard connected, it's fully your choice.
You don't need an extra LAN adaptor, just plugging in the raspberry pi into the switch suffices. Do whatever feels best/easiest to you.
Contrary to the setup in class you don't need an extra LAN adaptor, just plugging in the raspberry pi into the switch suffices.
You won't be replacing the NAT part of your home network today, just the DNS and DHCP part.
Once plugged in your network layout will look similar to the image below. Once plugged in your network layout will look similar to the image below.
![with raspberry pi](./network_home_with_pihole.png) ![with raspberry pi](./network_home_with_pihole.png)
I recommend you start from a fresh Raspberry PI OS installation, either with or without desktop environment. I recommend you start from a fresh Raspberry PI OS installation, either with or without desktop environment.
The raspberry pi should receive an IP address from your *bbox* and you should be able to `ping` devices in your LAN and out on the internet. The raspberry pi should receive an IP address from your *bbox* and you should be able to `ping` devices in your LAN and out onto the internet.
## Installing pihole ## Installing pihole
I won't explain this as it's part of the exercise but there are a lot of tutorials around. I won't explain this as it's part of the exercise but there are a lot of tutorials around.
First you should **only** use the DNS feature of the pihole. I encourage you to read up before you start the installation so you get an idea of the steps ahead of you.
At first you should **only** use the DNS feature of the pihole.
This is completely **non invasive** to your network, nor towards the other computers in your home network. This is completely **non invasive** to your network, nor towards the other computers in your home network.
Check the installation by logging into the web interface of your fresh pihole install! Once installed, check the installation by logging into the web interface of your fresh pihole install!
## Testing the DNS aspect of the pihole ## Testing the DNS aspect of the pihole
Your pihole is now a DNS server! Your pihole is now a DNS server!
You can try it out by changing the DNS settings of a PC that's connected to your network. You can try it out by changing the DNS settings of a PC that's connected to your network.
focus on one PC at first.
Once you'll add the DHCP part to the pihole, all devices on your network will use the pihole as DNS.
Depending on your OS it will be done in a different way. Depending on your OS it will be done in a different way.
On Linux you'll find the `nameserver` you're using in `/etc/resolv.conf`. On Linux you'll find the `nameserver` you're using in `/etc/resolv.conf`.
If you did it right, you should see a client connected in the web interface of the pihole. If you did it right, you should see a client connected in the web interface of the pihole.
Try to go to some websites you know have a lot of advertisements and see if the pihole blocks them properly. Try to go to some websites you know have a lot of advertisements and see if the pihole blocks them properly.
You can inspect the log to see which DNS queries are blocked and which pass right thru.
## Time to take over the DHCP role ## Time to take over the DHCP role
The pihole can also be in charge of the IP addresses on your LAN. The pihole can also be in charge of the IP addresses on your LAN.
This way the pihole pushes itself as nameserver to be used by your clients.
This is the **invasive** part of the setup. This is the **invasive** part of the setup.
First you should turn off the DHCP server that is currently running on you network. First you should turn off the DHCP server that is currently running on you network.
As mentioned before, this is *probably* your *bbox*. As mentioned before, this is *probably* your *bbox*.
Log into it and figure our how to deactive it. Log into it and figure our how to deactivate it.
Once this is done you can enable the DHCP server on the pihole. Once this is done you can enable the DHCP server on the pihole.
This is done via the web interface. This is done via the web interface.
Try disconnecting and reconnecting a PC from the network and see if it comes up in the leases list. Try disconnecting and reconnecting a PC from the network and see if it comes up in the leases list.
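Review bot: In "Time to take over the DHCP role" the reader is told to turn off the bbox DHCP server before anything says the pi keeps a fixed address, yet "Hardware installation" has the pi receiving its own address from the bbox. Suggest adding a line before "First you should turn off the DHCP server" asking the reader to confirm the pi has a static address, so the machine that is about to serve DHCP and DNS does not depend on a lease from the server being disabled. Smaller points in the touched lines: "focus on one PC at first." should start with a capital, "pass right thru" reads better as "pass right through", "figure our how to deactivate it" still has "our" for "out" on the line this change edits, and "on you network" two lines above it should be "on your network".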
@ -78,8 +92,8 @@ If it does, bravo!
If you want to revert back to your original network layout the main thing you have to do is turn the DHCP server in your *bbox* back on. If you want to revert back to your original network layout the main thing you have to do is turn the DHCP server in your *bbox* back on.
Do keep in mind you can't have two DHCP servers on your network. Do keep in mind you can't have two DHCP servers on your network.
You can either turn off the raspberry pi completely or just stop the pihole service via `systemctl`. You can either turn off the raspberry pi completely or just stop the pihole service via `systemctl`.
Try to disconnect and reconnect one PC first to see if it get's back the normal settings from before. Try to disconnect and reconnect one PC first to see if it gets back the normal settings you noted down before.
If it does you successfully removed the pihole from your network! If it does, you successfully removed the pihole from your network!
## For the brave ## For the brave
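Review bot: The revert paragraph gives re-enabling the bbox DHCP server as the first action and only afterwards says "you can't have two DHCP servers on your network", so a reader following the order as written will briefly run both. Suggest putting the step that stops the pihole first, and naming the unit in "stop the pihole service via `systemctl`", since the hints added in this commit give it as `pihole-FTL.service`. The paragraph could also remind the reader to undo the manual DNS change made on the test PC in "Testing the DNS aspect of the pihole", because that PC would otherwise keep pointing at a stopped pihole.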
@ -93,4 +107,16 @@ The package that turns your pi into a wireless access point is called [hostapd](
We'll set up a VPN in an upcoming class but the pihole is often used together with [pivpn](https://pivpn.io/). We'll set up a VPN in an upcoming class but the pihole is often used together with [pivpn](https://pivpn.io/).
If you decide to try this out keep in mind that you'll have to add a port forward from your router to the pi and that this **will expose** the VPN service to the internet! If you decide to try this out keep in mind that you'll have to add a port forward from your router to the pi and that this **will expose** the VPN service to the internet!
There is nothing inherently *wrong* with that but you'll see hacking attempts almost immediately. There is nothing inherently *wrong* with that but you'll see hacking attempts almost immediately.
**Use good passwords or preferably encryption keys.** **Use good passwords or preferably encryption keys.**
## Some hints
* The configuration for the pihole is fully done via the web interface but in case you want to have a browse on the pi itself, these are some of the interesting files and folders to look at:
* `/etc/dnsmasq.d/`
* `/etc/dnsmasq.d/01-pihole.conf`
* `/etc/dnsmasq.d/02-pihole-dhcp.conf`
* `/etc/dhcpcd.conf` is named a bit confusingly but it configures your network interfaces (like `/etc/network/interdaces` on Debian)
* `/etc/pihole`
* Even though the pihole uses `dnsmasq` as a backend for DHCP and DNS the services themselves are controlled by `pihole-FTL.service`.
* The pihole comes with a command line program called `pihole` which you can use to restart, tweak and inspect the running service as well.
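Review bot: The added hint for `/etc/dhcpcd.conf` misspells the Debian path as `/etc/network/interdaces`; it should read `/etc/network/interfaces`. In the same list, `/etc/pihole` is the only entry under "interesting files and folders" with no indication of what it holds, so a few words on its contents would bring it in line with the `dhcpcd.conf` entry.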