Setup OpenWRT on Raspberry Pi 3 B+ to avoid data trackers
Posted on Fri 18 September 2020 in security, IT, open source
Thanks to my local ISP for a shitty black-box running their proprietary vomit, but no thanks. I had a spare Raspberry Pi and the urge of having my home internet powered by open source software.
There are already lots of valuable resources on setting up OpenWRT on a Raspberry Pi as a home router. To cite some:
- Raspberry Pi as a home router
- OpenWrt Raspberry Pi 3 B+ page
- OpenWrt Raspberry Pi 3 B+ snapshots page (there is a stable compatible version, but does not support WiFi 2.4 Ghz, which makes the signal quite stronger)
- OpenWrt forum topic discussion on Raspberry Pi 3 B+
Upon first setup, I had issues connecting the Raspberry to my Ubuntu laptop and make the first setup. Only later did I learn that I could have simply edited the config file on the microSD and avoided the pain, but anyway, I was able to have it work through ethernet on my laptop by setting the ethernet interface to be unmanaged.
I found the wifi adapter of the Raspberry to be strong enough to cover a 3-room apartment, and also go outside. When all the confi was right, I just disable DHCP on my ISP router, enable DMZ to the Raspberry (which had a static address by then), and let the Raspberry be the only DHCP server in the network.
You can check if the Raspberry really is the only DHCP server by running the command udhcpc -n -q -s /bin/true -t 1
. You should get udhcpc: no lease, failing
as last line of output; if you don't, then there is still another DHCP server active in the network.
Ads and trackers blocking through dnsmasq
I then wanted to block ads and data trackers through a DNS filter. Starting from this, I eventually ended up using the first of these lists as DNS blacklist, with a handy bash script that would update the list on a regular basis. Note that data in /tmp
is lost on reboot, and data not in /etc
is lost on firmware re-flashing.
#!/bin/sh
set -e
mkdir -p /opt/dnsmasq-blocklist
curl -s --max-filesize 7242880 -o /opt/dnsmasq-blocklist/developerdan.hosts "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
/etc/init.d/dnsmasq restart
If you use some custom DNS, like OpenDNS, make sure they are actually working. DNS based adblock using OpenWRT, OpenDNS and dnsmasq is another good resource.
VPN?
I first set out to set up a VPN tunnel through ProtonVPN at router level, but only later realized how much un-privacy safe this actually is, so I backtracked everything. What might instead be valuable is to host your own WireGuard VPN on the Raspberry to connect to your network from outside, and avoid insecure networks (and still escape tracking, if you use your home router DNS filtering). Some resources on that:
- How to Set Up WireGuard on a Raspberry Pi
- OpenWRT WireGuard VPN Server Tutorial
- WireGuard setup OpenWrt
After configuration, make sure the IP your devices appear to connect from really is your home's.
Sysupgrade
When running on the snapshot image, you'll often have to update (even just for the fact that otherwise it is not possible to install new packages). This will clear up installed packages, albeit their configs will be retained. All files within /lib/upgrade/keep.d
, paths listed inside /etc/sysupgrade.conf
and listed by command opkg list-changed-conffiles
will be retained; everything else deleted. To make it less of a pain, there is a nice script that will dump out a list of currently installed packages and easily reinstall it after upgrading. Here is the Snapshot upgrade URL for Raspberry 3B+.
The list of commands I ran is:
sh /opt/opkg-update-script.sh -v write
wget http://downloads.openwrt.org/snapshots/targets/bcm27xx/bcm2
710/openwrt-bcm27xx-bcm2710-rpi-3-ext4-sysupgrade.img.gz
sysupgrade -v openwrt-bcm27xx-bcm2710-rpi-3-ext4-sysupgrade.img.gz
### After upgrade ###
opkg update
sh /opt/opkg-update-script.sh -v install