Installing pi-hole on Turris Omnia

I use a Turris Omnia as my internet router, and having some spare time due to the current Covid-19 induced situation, I wanted to try out pi-hole on the Turris.

I have found only a Czech version on the Turris wiki, so this is a short write-up of what I did to get pi-hole running on my Turris.

Prerequisites

A Turris Omnia in the 2 GB memory version and a Mini SATA card, in my case an Intel 30 GB SSD. The external storage is important to avoid wearing out the internal flash memory.

All installation is done via ssh. Most of the time I avoid making changes in LuCI or Foris, therefore all config fiddling is done using uci.

Install lxc container

echo -e Debian\\nStretch\\narmv7l | lxc-create -t download -n pitest
lxc-start -n pitest
lxc-attach -n pitest

For whatever reason the installed container is named LXC_NAME, let’s fix that:

lxc-attach -n pitest
sed -i.bak 's/LXC_NAME/pitest/' /etc/hosts /etc/hostname
exit
lxc-stop -n pitest -k
lxc-start -n pitest
lxc-attach -n pitest

So let's install pi-hole using the famous curl|bash way:

apt install curl
curl -sSL https://install.pi-hole.net | bash -xv

The setup bails out somewhere mid-installation, and you have to install some packages by hand and restart the installation afterwards:

apt-get --yes --no-install-recommends install cron dnsutils iputils-ping lsof netcat sudo unzip wget idn2 sqlite3 libcap2-bin dns-root-data lighttpd php-common php-cgi php-sqlite3
curl -sSL https://install.pi-hole.net | bash -xv

After that the installation will present the IP address and the password of the pi-hole. You can now visit the admin interface with your web browser.

Setting up network to use the pi-hole

The Turris is the DHCP server for the subnet, so let's assign a fixed IP address to the pi-hole. The actual MAC address used by the lxc container is set in the container config, in this case /srv/lxc/pitest/config. The static IP configuration can be added to the Turris config using the uci command:

uci add dhcp host
uci set dhcp.@host[-1]=host
uci set dhcp.@host[-1].name=pitest
uci set dhcp.@host[-1].mac=`grep hwaddr /srv/lxc/pitest/config |sed 's/.*= //'`
uci set dhcp.@host[-1].ip=192.168.111.2

The DNS server to use is distributed in two ways on the Turris: first as the DNS server in the DHCP response, and second as part of the IPv6 Router Advertisements. The DNS server address in the IPv6 RA should be the ULA address of the container, since the globally routable IPv6 address tends to change daily (at least here in Germany). Afterwards, restart dnsmasq and odhcpd.

Let's set them to pi-hole:

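uci set dhcp.lan.dhcp_option='6,192.168.111.2'
uci add_list dhcp.lan.dhcp_option=`lxc-info -n pitest|grep "IP.* f[cd]"|sed "s/IP: *//"`
# write the staged changes (static lease and DNS options) to /etc/config/dhcp so they survive a reboot
uci commit dhcp

/etc/init.d/odhcpd restart
/etc/init.d/dnsmasq restart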
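
The two backtick lookups above (the MAC from the container config and the ULA from lxc-info) are passed to uci unchecked, even when grep matches nothing or several lines. The following is an added example, not part of the original post, that validates both values first; the function names lxc_mac and lxc_ula and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: validate the MAC and ULA before they reach uci.
# Function names and sample data are constructed for illustration.

# stdin: LXC container config. Prints the MAC only if exactly one
# well-formed hwaddr line exists (lxc.network.hwaddr or lxc.net.N.hwaddr).
lxc_mac() {
    macs=$(grep -E '^[[:space:]]*lxc\.[a-z0-9.]*hwaddr[[:space:]]*=' |
           sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
    [ "$(printf '%s\n' "$macs" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$macs" | grep -Eix '([0-9a-f]{2}:){5}[0-9a-f]{2}'
}

# stdin: output of `lxc-info -n NAME`. Prints the address only if exactly
# one ULA (fc00::/7, i.e. starting fcXX: or fdXX:) is listed.
lxc_ula() {
    ulas=$(sed -n 's/[[:space:]]*$//; s/^IP:[[:space:]]*//p' |
           grep -Ei '^f[cd][0-9a-f]{2}:[0-9a-f:]+$') || return 1
    [ "$(printf '%s\n' "$ulas" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$ulas"
}

# Constructed sample inputs, not captured from a real system.
sample_config() {
    cat <<'EOF'
lxc.uts.name = pitest
lxc.net.0.type = veth
lxc.net.0.hwaddr = 00:16:3e:12:34:56
EOF
}
sample_lxc_info() {
    cat <<'EOF'
Name:           pitest
State:          RUNNING
IP:             192.168.111.2
IP:             2001:db8:1:2::2
IP:             fd12:3456:789a:1::2
EOF
}

# On the router the inputs would be /srv/lxc/pitest/config and lxc-info.
if mac=$(sample_config | lxc_mac) && ula=$(sample_lxc_info | lxc_ula); then
    echo "MAC for the static lease: $mac"
    echo "ULA to announce as DNS:   $ula"
else
    echo "MAC or ULA missing or ambiguous; not touching the DHCP config" >&2
fi
```

On the router itself this becomes mac=$(lxc_mac < /srv/lxc/pitest/config) and ula=$(lxc-info -n pitest | lxc_ula), each followed by || exit 1 before any uci set.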

Setting up the Turris to use the pi-hole

To catch the last clients which are using the Turris directly, and to let the Turris itself also use the pi-hole, I use the forwarding built into the kresd resolver daemon.

Add the following to the file /etc/kresd/custom.conf:

table.insert(policy.special_names, {
    count = 0,
    cb = policy.all(policy.FORWARD({'192.168.111.2@53'}))
})

And add an include statement to the resolver and restart it:

uci set resolver.kresd.include_config='/etc/kresd/custom.conf'
# write the staged change to /etc/config/resolver so it survives a reboot
uci commit resolver
/etc/init.d/kresd restart

Conclusion

Using lxc on a Turris Omnia, it is quite easy to deploy some network ad and tracker blocking.