Raspberry Pi
- Raspberry Pi 3 B+
- MicroSD card
- Ethernet connection
- Stable power supply
- Home router
NETWORK SECURITY • RASPBERRY PI
A Raspberry Pi-based network security platform providing DNS filtering, recursive DNS resolution, encrypted remote access, and centralized control of home-network DNS traffic.
PROJECT OVERVIEW
This project transformed a Raspberry Pi into a centralized network-security and remote-access platform for a home network.
Pi-hole was installed to block advertising, tracking, and unwanted domains at the DNS level. Unbound was then added as a local recursive DNS resolver, reducing dependence on public DNS providers.
WireGuard VPN was configured through PiVPN to provide encrypted remote access to the home network. This made it possible to use Pi-hole filtering while away from home and securely access internal services.
OBJECTIVES
Block advertising, tracking, malicious domains, and unwanted content across the network.
Use Unbound to resolve DNS requests directly rather than relying only on third-party DNS providers.
Securely access the home network from mobile devices using WireGuard VPN.
Monitor DNS requests, blocked domains, active clients, and network behavior from one dashboard.
SYSTEM ARCHITECTURE
Phones, computers, tablets, smart TVs, and other devices.
Filters DNS requests using blocklists and custom rules.
Performs recursive DNS resolution.
Root, top-level-domain, and authoritative DNS servers.
A remote phone, tablet, or laptop connects through WireGuard. VPN traffic enters the Raspberry Pi, receives Pi-hole DNS filtering, and can securely access permitted home-network resources.
COMPONENTS
BUILD PROCESS
Installed Raspberry Pi OS, completed system updates, enabled SSH, and connected the Pi to the router using Ethernet.
sudo apt update
sudo apt full-upgrade -y
sudo reboot
Configured the router to reserve a consistent local IP address for the Raspberry Pi. This prevents DNS clients from losing access after a DHCP address change.
Installed Pi-hole and configured the Raspberry Pi as the primary DNS server for the network.
curl -sSL https://install.pi-hole.net | bash
Updated the router's LAN DNS settings so client devices use Pi-hole for DNS requests.
Private addresses and public IP information are intentionally omitted from public documentation.
Installed Unbound and configured it as a local recursive DNS resolver.
sudo apt install unbound -y
Pi-hole was then configured to forward permitted DNS requests to the local Unbound service.
Installed PiVPN, selected WireGuard, created VPN clients, and imported client configurations into mobile devices.
curl -L https://install.pivpn.io | bash
Configured router port forwarding and dynamic DNS to support remote WireGuard connections when the public IP address changes.
Verified DNS filtering, recursive resolution, VPN handshakes, remote internet access, and access to approved internal services.
TROUBLESHOOTING
The VPN client initially failed to establish a connection.
A successful handshake did not always result in working internet access.
Unbound encountered a permissions issue while accessing root-hints information.
The dynamic DNS update script initially returned a permissions error.
VALIDATION
| Test | Purpose | Result |
|---|---|---|
| Pi-hole Dashboard | Confirm client DNS requests are visible. | Passed |
| Blocked Domain Test | Verify Pi-hole blocks listed domains. | Passed |
| Unbound Resolution | Confirm recursive DNS queries work. | Passed |
| WireGuard Handshake | Verify encrypted remote connection. | Passed |
| Remote DNS Filtering | Confirm VPN clients use Pi-hole. | Passed |
| Remote Internet Access | Confirm VPN clients can reach the internet. | Passed |
SECURITY
Only the required VPN port should be exposed through the router.
WireGuard private keys and client configuration files should never be published.
The operating system and installed services should be patched regularly.
Pi-hole configuration, blocklists, and important service files should be backed up.
Public IP addresses, private network ranges, keys, passwords, and QR codes are excluded from this page.
IoT and guest devices should be isolated where router capabilities permit.
LESSONS LEARNED
This project strengthened my understanding of DNS, routing, Linux services, VPN configuration, network address translation, firewall behavior, and structured troubleshooting.
One of the most important lessons was that a successful VPN handshake does not automatically mean the entire connection is working. DNS resolution, packet forwarding, NAT, firewall rules, and routing must all work together.
Troubleshooting was most effective when each layer was tested separately:
The project also demonstrated the value of documentation, consistent file permissions, backups, and controlled configuration changes.
SKILLS DEVELOPED
Package management, services, permissions, logs, and command-line troubleshooting.
DNS, DHCP reservations, routing, NAT, port forwarding, and private addressing.
WireGuard clients, keys, endpoints, tunnels, and remote access testing.
Service verification, packet-level testing, logs, and evidence-based diagnosis.
FUTURE IMPROVEMENTS
Separate trusted devices, IoT equipment, guests, and lab systems into controlled network groups.
Add service-health monitoring and notifications for DNS or VPN failures.
Back up important Pi-hole, Unbound, WireGuard, and system configuration files.
Add dashboards for system performance, DNS behavior, and service availability.
PROJECT RESOURCES
Documentation and supporting resources will be expanded as the project develops.