Home infrastructure and ways to save some mobile data

Prologue

I travel a lot for work, which forces me to rely on mobile networks with limited data allowances. Recent mobile network infrastructure outages and issues also created a need for a way to lower my network usage, and on top of that I needed a solution for when I connect to an unknown Wi-Fi network. Finally, I like to self-host some services for myself, which was another factor that led me to this solution.

The infrastructure overall

This is the solution I eventually settled on. I have an RPi4 connected to my ISP router, running a combination of services:

  • pihole (adblock and DNS resolution inside my own network)
  • Wireguard VPN
  • Web server/Reverse Proxy
  • SSH (as failsafe)
  • dynamic DNS service of your choice

The neat thing about this setup is that you have a strong, stable connection to the RPi, similar to any VPS or cloud service. Client devices can connect to the VPN from anywhere and still be treated as if they were at home. The pihole filters the DNS requests, which by the way saves me half of my mobile data, since most trackers and extra advertisement content are never loaded. There are a few services behind the web server/reverse proxy that need to be accessible from outside as well as from inside. I use Let's Encrypt to get a valid certificate for this reverse proxy. To have a valid cert even within the VPN, I just add the public domain that is on the cert as a pihole custom DNS entry, pointing to the IP address of the RPi's internal interface. This way, even inside the VPN, our devices get a valid TLS cert without any extra steps.

However, to save even more mobile data, I have spun up some extra services on my spare laptop, which acts as a secondary, non-essential server that I chose to serve only inside the VPN. As these services are only accessible within the VPN, I had to use self-signed certs and add the root cert to the devices, as shown in the linked blog post. The services on my homelab server:

  • Searx: Scriptable search engine which uses multiple search engines.

  • Morty: Web content sanitizer proxy (if you are unsure about some shady URLs, you can check them with this; of course, your IP address will be the public IP of the service)

  • Open source frontends for services, which render the pages as static websites without any extra trackers or unnecessary JavaScript. (The response time of these services may vary because of the static rendering, but overall they save more data in the long run.)
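
A check for the local DNS override described above, added here as an example and not part of the original post: it confirms that every hostname on the reverse proxy's certificate has a local record pointing inside the LAN, so VPN clients reach the RPi's internal interface. The hosts-style "IP hostname" record format, the example.org names and the 192.168.1.0/24 subnet are assumptions.

```python
import ipaddress

# Constructed sample: hosts-style "IP hostname" lines, the format assumed here
# for the pihole custom DNS entries. Names and addresses are made up.
SAMPLE_LOCAL_DNS = """\
# local overrides
192.168.1.10 cloud.example.org
192.168.1.10 chat.example.org
203.0.113.7  git.example.org
"""

def parse_local_dns(text):
    """Return {hostname: [ip_address, ...]} from hosts-style lines."""
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an address: ignore the line
        for name in fields[1:]:
            records.setdefault(name.lower().rstrip("."), []).append(addr)
    return records

def audit(cert_names, local_dns_text, lan_cidr):
    """Map each certificate hostname to 'ok', 'missing' or 'not-internal'."""
    lan = ipaddress.ip_network(lan_cidr)
    records = parse_local_dns(local_dns_text)
    result = {}
    for name in cert_names:
        addrs = records.get(name.lower().rstrip("."))
        if not addrs:
            result[name] = "missing"       # clients fall through to public DNS
        elif all(a in lan for a in addrs):
            result[name] = "ok"            # resolves to the internal interface
        else:
            result[name] = "not-internal"  # override points outside the LAN
    return result

if __name__ == "__main__":
    names = ["cloud.example.org", "chat.example.org",
             "git.example.org", "irc.example.org"]
    for host, status in audit(names, SAMPLE_LOCAL_DNS, "192.168.1.0/24").items():
        print(f"{host:20} {status}")
```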

Dirty details

RPi

In my case a Raspberry Pi 4 2GB works as the gateway. It checks and renews the dynamic DNS record with just a cron job, and has WireGuard installed as a server, with iptables set to forward all connections from the WireGuard interface to the local network. Of course there is an SSH server as a fallback service, protected by fail2ban and a few restrictions in sshd_config. This way it is always as if I were at home. On top of this, everything runs in Docker; let's look at the services one by one.

Pihole

Reverse-proxy

Thelounge

Conclusion

With this combination of services I am able to filter out most of the unwanted advertisement and malicious content of the internet, and to serve services that waste less mobile data for multiple devices in the household. The uptime of the RPi in this setup, with some forced restarts on kernel updates, is 1+ year, while the non-essential services have been my homelab for testing out services that would make it into my permanent infrastructure. The neat part was that recently we had a huge power outage for a few days; five minutes after power came back, the infrastructure was up and running without any issue. Recently I started fiddling with HomeAssistant, and hopefully I will be able to build a safe, secure environment to manage some insecure IoT devices on a separate network, along with some CCTV.