Post

Build a Home Filter with NanoPi Neo2 & AdGuard

Learn how I moved my home filtering from NanoPi Neo2 to Linode, overcoming hardware limits. Explore the new setup, challenges, and benefits.

The basics

Scoping the project

This project started with a text from my dad about slow internet and wondering if there was anything we could do. Thinking about my setup I pondered what I could shrink down and pack into a smaller device to help with this. It did need to meet a few requirements:

  • Relatively small
  • Low power consumption
  • DNS filtering
  • Remote access(to support it)
  • Internet monitoring(not a requirement but still useful)
  • Hardware/OS monitoring(again not required but useful)

The hardware

For this project I used what I had on hand, a Raspberry Pi would’ve been preferable but as we all know those are expensive and had to find. However, I did have a NanoPi Neo2 with the OLED screen and metal case, it’d been sent for a different project that fizzled out and needed a new purpose. That being said you could use a Raspberry Pi if you can find one, or an Orange Pi, or a thin terminal you can repurpose. Scrounging up a USB wall-wart and a USB A to Micro USB cable and an ethernet cable we were set for hardware.

Getting started

Before getting started a note here, it took several attempts to integrate the monitoring before I found I needed a larger MicroSD card than the 8GB that came with the Nano Pi, 16GB is a minimum but 32GB is better. Hardware assembled it was time to get things loaded and running, here’s a summary of the steps to get the basic remote access and filtering installed.

  • Load OS, in my case and most Arm-based CPU’s it’ll be a Debian/Ubuntu-based OS
  • Change the default password

    1
    
    passwd
    
  • Change the root password to something random and long

    1
    2
    
    sudo su
    passwd
    
  • Update OS
    • In my case, the OS needed a tweak to set the time and enable systemd-timesynced and NTP to keep time and update

    • 1
      
      sudo apt update && sudo apt upgrade
      
  • Install a few supporting utilities

    • 1
      
      sudo apt install nano mc curl
      
  • Install Tailscale for remote ssh access, be sure to create an account if you don’t have one
  • (This step is optional) Install Crowdsec agent and bouncer
  • Install Adguard Home

    • 1
      
      curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
      

Time to configure Adguard Home

Now that we have Adguard Home installed we’ll need to go through the setup, open a browser and go to http://insert-ip-here:3000 and follow the online instructions, if like me you run into an error Adguard setup provides a link to deal with the port 53 error. We’re not done though, now we’ll flesh out the filtering on Adguard a bit more.

  • Under the Settings menu
    • General settings
      • Check “Use AdGuard browsing security web service”
    • DNS settings
      • Add the following to “Upstream DNS servers”

        1
        2
        3
        
        https://dns.adguard.com/dns-query
        https://dns10.quad9.net/dns-query
        https://dns.cloudflare.com/dns-query
        
      • Add the following to “Bootstrap servers”

        1
        2
        3
        
        1.1.1.1:53
        9.9.9.9:53
        8.8.8.8:53
        
      • Add the IP of your router to “Private reverse DNS servers”
      • Click to enable
        • “Enable EDNS client subnet”
        • “Enable DNSSEC”
        • “Disable resolving of IPv6 addresses”
    • Filters
      • DNS blocklists | Name | URL| |:—–|:—| | AdGuard DNS filter | https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt | | AdAway Default Blocklist | https://adaway.org/hosts.txt | | MalwareDomainList.com Hosts List | https://www.malwaredomainlist.com/hostslist/hosts.txt | | Steven Black blocklist | https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | | Steven Black fakenews | https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts | | Blocklist Project abuse | https://blocklistproject.github.io/Lists/abuse.txt | | Blocklist Project ads | https://blocklistproject.github.io/Lists/ads.txt | | Blocklist Project crypto | https://blocklistproject.github.io/Lists/crypto.txt | | Blocklist Project malware | https://blocklistproject.github.io/Lists/malware.txt | | Blocklist Project ransomware | https://blocklistproject.github.io/Lists/ransomware.txt | | Blocklist Project scam | https://blocklistproject.github.io/Lists/scam.txt |
      • Custom filtering rules

        1
        2
        3
        4
        5
        6
        7
        8
        
        @@||redirector.gvt1.com^
        @@||schoolportal.jostenspix.com^
        @@||ads.play.cbsi.video^
        @@||cbsinteractive.hb.omtrdc.net^$important
        @@||saa.cbsi.com^$important
        @@||vod-gcs-cedexis.cbsaavideo.com^$important
        @@||graph.facebook.com^$important
        @@||uwmadison.co1.qualtrics.com^$important
        

Bringing the filter online

Now this will depend on what router you have so you’ll need to find the instructions. We need to change the DNS servers that are handed out by DHCP, this will probably be in the DHCP settings. Make sure that the only DNS is the IP of the machine we just set up. Then disconnect and reconnect any devices there were connected during this change and you’re good.

The extras

Install Docker

After setting a few machines with Docker I would strongly recommend following the directions here as they haven’t failed me yet, installing docker from the default install repo on the other hand has caused me a few headaches in certain situations. The TLDR is to copy the cli fields one by one and run the hello-world docker to make sure it all works and you’re good.

Monitoring

For this, I start with an article by Jeff Geerling titled Monitor your Internet with a Raspberry Pi, with a few modifications. I started with the GitHub repo, modified the docker-compose.yml, and added another dashboard after that, ymmv. Here’s what I did.

  • 1
    2
    3
    
    git clone https://github.com/geerlingguy/internet-monitoring`
    cd internet-monitoring
    nano docker-compose.yml
    
    • Change prom/prometheus:v2.25.2 to prom/prometheus
    • Under nodeexp/command change the –collector line and line below to - “–collector.filesystem.ignored-mount-points=’^/(sysprocdevhostetcrootfs/var/lib/docker/containersrootfs/var/lib/docker/overlay2rootfs/run/docker/netnsrootfs/var/lib/docker/aufs)($$/)’”
    • Above this line add - “–path.rootfs=/rootfs”
    • Hit control+x and then yes to save
  • run the following command

    • 1
      
      docker compose up -d
      
    • Note: if you’re doing this on a pi or other box that uses an SD/MicroSD card it will take a while to finish and start
  • Login to your new Grafana instance with http://machine-ip-here:3030
    • Default username and password are admin and wonka, be sure to change that after you login
  • Lastly, I imported another dashboard to monitor the system, Raspberry pi & Docker Monitoring
    • Some tweaks to queries may be needed

TLDR Version

If you’ve got some low-power hardware and some basic experience with Linux and Docker then you should be able to skim through the guides and commands above and build a decent little filter and monitor, it’s a nice project and can help friends and family and yourself. Let me know if this helps you or tweaks you have made or would make. Till the next one fair winds and following seas.

This post is licensed under CC BY 4.0 by the author.