The Raspberry Pi

When first entering cybersecurity, I started doing a number of upgrades to my physical network, partly to simplify parts of my life and partly to make changes that would let me conduct some security research. This required a system I could leave permanently on, and I preferred one that sipped power.

Hence, the subject of this webpage, the Raspberry Pi. This was my first experience working with a non-x86-based system, so I took the time to mess around with the platform as a whole. And immediately broke two installs. (I keep doing that. I don't know why.)

It took me a few days to stop messing about and actually try installing something.

Project RC1 - PiHole

I started with PiHole for obvious reasons - who doesn't want to reduce the amount of ads in their life?

Installation and configuration

The initial setup of my PiHole configuration was along default lines - install it on a DHCP static lease, add a whole bunch of adlists to PiHole and do a bit of setup. The nightmare came about a month later, when I decided to go down the DNS over HTTPS (DoH) route.

The configuration used cloudflared, following the manual-configuration instructions in the PiHole documentation. Most of this wasn't particularly difficult, other than getting all of the fiddly parameters set up properly.

Most of the configuration issues were around getting PiHole to talk to cloudflared and then keeping the pair online for as long as possible. The underlying problem turned out to be internet instability knocking cloudflared's DoH upstream offline, at which point every query is dropped at cloudflared. Most of it was handled by simply restarting cloudflared manually, but stability did end up proving interesting with brownouts and occasional internet dropouts.
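One way to turn that "restart cloudflared manually" step into something the Pi does on its own is a small watchdog that queries the local cloudflared listener directly and restarts the unit after a run of failures. The script below is an example added to this page; it is not from the PiHole documentation or the cloudflared project. It assumes cloudflared is listening on 127.0.0.1:5053 (the port the PiHole manual setup uses), that the systemd unit is called cloudflared, that the probe name cloudflare.com is resolvable through the upstream, and that a restart is enough to bring the DoH upstream back. The query builder and response parser are deliberately minimal so the probe does not depend on the Pi's own resolver, which on this setup is PiHole itself.

```python
"""Watchdog for a Pi-hole -> cloudflared DNS-over-HTTPS proxy.

Example added to this page (not from the Pi-hole docs or the cloudflared
project).  It sends a plain UDP DNS query straight to the local cloudflared
listener and restarts the systemd unit after several consecutive failures.
Assumptions: cloudflared listens on 127.0.0.1:5053 (the port used in the
Pi-hole manual setup guide), the unit is called "cloudflared", and
restarting it is enough to bring the DoH upstream back.
"""
import random
import socket
import struct
import subprocess
import time
from typing import Optional, Tuple

PROXY = ("127.0.0.1", 5053)    # assumed cloudflared proxy-dns listener
SERVICE = "cloudflared"        # assumed systemd unit name
MAX_FAILURES = 3               # consecutive failed probes before a restart
INTERVAL = 30                  # seconds between probes
PROBE_NAME = "cloudflare.com"  # any name the upstream must be able to answer


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal RFC 1035 query: one question, recursion desired."""
    if txid is None:
        txid = random.randrange(0x10000)
    # id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(resp: bytes, txid: int) -> Tuple[int, int]:
    """Return (rcode, answer_count); raise ValueError on a malformed reply.

    A SERVFAIL (rcode 2) with no answers is what the proxy hands back when
    its DoH upstream is unreachable, which is the failure mode described above.
    """
    if len(resp) < 12:
        raise ValueError("short response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, an


def probe(server=PROXY, name=PROBE_NAME, timeout=3.0) -> bool:
    """One UDP query to the proxy; True only for NOERROR with >= 1 answer."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid=txid), server)
            data, _ = sock.recvfrom(512)
            rcode, answers = parse_response(data, txid)
        except (OSError, ValueError):   # timeout, connection refused, garbage
            return False
    return rcode == 0 and answers > 0


def next_state(failures: int, healthy: bool, limit: int = MAX_FAILURES) -> Tuple[int, bool]:
    """Pure decision logic: returns (new failure count, restart now?)."""
    if healthy:
        return 0, False
    failures += 1
    if failures >= limit:
        return 0, True   # reset so one outage does not restart on every tick
    return failures, False


def restart_service(unit: str = SERVICE) -> int:
    """Restart the unit; returns systemctl's exit status (needs root)."""
    return subprocess.run(["systemctl", "restart", unit], check=False).returncode


def main() -> None:
    failures = 0
    while True:
        failures, do_restart = next_state(failures, probe())
        if do_restart:
            print(f"{time.ctime()}: {MAX_FAILURES} failed probes, restarting {SERVICE}")
            restart_service()
        time.sleep(INTERVAL)


if __name__ == "__main__":
    main()
```

Run it as root under its own systemd unit or from cron with a lock so only one copy is polling. Because the probe bypasses PiHole and talks to cloudflared on the loopback port, a SERVFAIL here tells you the DoH side is down rather than PiHole's own cache or blocklists.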

Ad-lists

As a reminder - this is not an exhaustive list of ad-lists. There are going to be domains not on these adlists that spit out ads or phishing that will slip past - these are one layer of a layered ad-blocking regime.

To make this easier, I'll just link to a static list of active adlists. LINK NOT FUNCTIONING CURRENTLY Most of these I picked up early on and have just stuck them in, but having this many adlists will cause Gravity to take ~10 minutes to load all of them.

Configuration changes

March 2023

As part of an experiment, I decided to set up a Cloudflare Zero Trust instance for the Yubikey promotion and poked around parts of what is available there. Unfortunately I didn't mess around enough to get a set of Yubikeys, but the experience and upgraded effort is well worth the time.

The upgraded configuration is a DNS Location (listed under Gateway), which provides a distinct DoH endpoint. This replaces https://1.1.1.1/dns-query with https://[Unique Identifier].cloudflare-gateway.com/dns-query. The only issue I've been encountering is that the unique domain name requires an initial IP to send the request to - but if the entire system restarts due to a brownout, the IP this request is sent to is replaced with the system's own address. I think the issue originates with my pfSense configuration, but I will need to conduct further checks to validate this.

Project R2 - PiVPN

When out and about (go and touch some grass), I noticed a significant difference on my mobile devices compared to when I was at home. The obvious solution was to implement a VPN endpoint. Oh lordy, this caused interesting side-effects.

TBC