# Pihole and Cloudflare Gateway Event
# Pre-work Guide

*Revisions*

* *07/19/2021 Minor revisions - clarification of steps on DNS requirements*
* *07/17/2021 First Version Published*

## Overview

Hello and thanks for signing up for the Pi-hole and Cloudflare Gateway Event!

## Why do we need to do prework?

To ensure we can get straight to the task-at-hand, we ask that you take a few minutes to do a few steps before the event. The following is a summary of the steps required during the pre-work exercise:

1. Create a Cloudflare account
2. Select an existing domain or register a new domain
3. Add a Site to Cloudflare - Making Cloudflare Authoritative for your Domain
4. Assemble your Raspberry Pi
5. Download and install Raspberry Pi OS
6. Configure Network Settings
7. Update Raspberry Pi OS

Not too bad, right?

*If you do not already have a domain you are willing to bring over to Cloudflare, we ask that you please register one. We wish it wasn’t the case, but there is typically a fee associated with domain registration (\$12 to \$20); however, there are free domain registrars available. More information is available in the Domain Registration and Authoritative DNS section.*

## HELP!

At any point, if you run into any issues or have questions, please contact us at: [cloudflare-gateway-pihole-support@cloudflare.com](mailto:cloudflare-gateway-pihole-support@cloudflare.com)

*Please right-click and choose Open in New Tab when selecting any of the embedded links*

## Cloudflare Account (Required)

The first step along the way is creating a Cloudflare account. How exciting!!! Really...it’s pretty incredible what you get for free!

[Creating a Cloudflare account and adding a website](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)

NOTE - The title of the link above, which includes “adding a website”, is a little confusing. You will not be hosting a website on Cloudflare.
In fact, aside from our JAMstack platform [Cloudflare Pages](https://pages.cloudflare.com/), Cloudflare does not host websites. Cloudflare is a CDN and provides performance, security, and reliability for web applications, but we are not a hosting provider.

Some additional background information: [How does Cloudflare work? – Cloudflare Help Center](https://support.cloudflare.com/hc/en-us/articles/205177068-How-does-Cloudflare-work-)

### How to Create an Account on Cloudflare

The process of creating an account on Cloudflare couldn’t be easier!

1. Navigate to [https://dash.cloudflare.com/sign-up](https://dash.cloudflare.com/signup)
2. Provide an email address and password
3. Confirm the email you received

***Don’t proceed through the ‘Add a Site’. We’ll get to that part soon!***

## DNS

As DNS resolution is at the core of this exercise, we need to ensure that Cloudflare is your authoritative DNS provider. You have one of two options:

1. If you already have a domain, you can use it with Cloudflare simply by updating the NS records with your current registrar
2. If you do not have a domain, or if you do not want to transfer an existing domain to Cloudflare, you will need to register a new domain

Keep in mind that there are two aspects to domain management:

* Domain Registration - the organization that is responsible for helping you select and register your domain name
* DNS Resolution - in order to resolve hostnames to IP addresses, a DNS server must be authoritative for your domain

### Cloudflare as your Authoritative DNS

Since you’ll be using Cloudflare’s **Free Plan** for this exercise, Cloudflare needs to be the authoritative DNS provider.

[Cloudflare Plans](https://www.cloudflare.com/plans/)

*Customers on our Business and Enterprise plans have another option known as a Partial Setup (a.k.a.
CNAME setup), but that topic is outside the scope of this exercise.*

### Adding a Site to Cloudflare - Making Cloudflare Authoritative for an Existing Domain (Required)

As mentioned earlier, since we will be using Cloudflare's Free plan for this exercise, Cloudflare must be authoritative for your domain. The required steps are:

1. Add a Site (DNS Zone) to Cloudflare via the Cloudflare Dashboard
2. Add DNS records to Cloudflare
3. Update the nameserver records via your current registrar to reflect the Cloudflare assigned nameservers

[Changing your Domain Nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708-Changing-domain-nameservers-to-Cloudflare)

Head back to the [Creating a Cloudflare account and adding a website](https://support.cloudflare.com/hc/en-us/articles/201720164) documentation and follow the instructions in the *Add a Domain to Cloudflare* section.

When you get to the page where you are asked to select a plan, please choose the FREE plan (below Pro/Business/Enterprise).

### Disable Cloudflare Proxy Services (Required)

If you opt to bring an existing domain to Cloudflare, **we want to ensure that you don't break any of your existing applications**. You'll hear a couple of terms during the event:

* Orange Clouding (Proxied) - the process of enabling Cloudflare's proxy services
* Grey Clouding (DNS Only) - standard DNS resolution - traffic bypasses Cloudflare's proxy services

During the **Add a Site** wizard, Cloudflare will automatically import existing DNS records from your current provider. The default behavior is to enable **Proxied** status for the following record types:

* A
* AAAA
* CNAME

Simply click on any of the Proxied (Orange Cloud icons) records in the **Proxy Status** column to revert to **DNS Only**.

### Cloudflare Registrar (Optional)

Not only does Cloudflare provide domain resolution, we’ve recently become a Registrar! The prices are very competitive and simply cover administrative costs.
You pay what we pay! There are no mark-ups, surprise renewal fees, or any hidden charges!

[Cloudflare Registrar | New Domain Registration Info](https://www.cloudflare.com/products/registrar/)

Cloudflare offers domain registration with very attractive pricing! We encourage you to use us to register your domain, but it is not a requirement!

[Cloudflare Registrar | Documentation](https://developers.cloudflare.com/registrar/)

Cloudflare supports registration of over a hundred Top-Level Domains (TLDs):

[Cloudflare TLD Policies](https://www.cloudflare.com/tld-policies/)

#### Free Domain Registration

If you do not want to incur any expenses in this process, there are several registrars that offer free domain registration. The catch is they do not offer the more popular top-level-domains.

Freenom provides free domain registration services!

[Freenom](https://www.freenom.com/en/index.html?lang=en)

#### Transfer In to Cloudflare (Optional)

It is possible to transfer the registration for an existing domain to Cloudflare in addition to making Cloudflare your authoritative DNS provider, but it is not required. If you are interested in using Cloudflare's Registrar services, take a look at the following documentation:

[Transferring and Renewing Domains | Cloudflare Registrar](https://support.cloudflare.com/hc/en-us/articles/360019910671-Transferring-and-renewing-domains-with-Cloudflare-Registrar)

[Step-by-Step Instructions | Transferring Your Domain to Cloudflare](https://developers.cloudflare.com/registrar/domain-transfers/transfer-to-cloudflare)

#### Transfer Out from Current DNS Provider (Optional)

Go to your existing domain registrar and search for their instructions on the “transfer out” process.
Here are links for several providers:

* GoDaddy | Transfer My Domain Away from GoDaddy [https://www.godaddy.com/help/transfer-my-domain-away-from-godaddy-3560](https://www.godaddy.com/help/transfer-my-domain-away-from-godaddy-3560)
* Google Domains | Transfer a Domain to Another Registrar [https://support.google.com/domains/answer/3251178?hl=en](https://support.google.com/domains/answer/3251178?hl=en)
* Name.com | Transfer Away from name.com [https://www.name.com/support/articles/205188898-Transfer-away-from-name-com](https://www.name.com/support/articles/205188898-Transfer-away-from-name-com)
* DynDNS | Transfer a Domain Away from Dyn [https://help.dyn.com/domain-registration/transfer-a-domain-registration/](https://help.dyn.com/domain-registration/transfer-a-domain-registration/)
* Amazon Route 53 | Transferring a Domain from Amazon Route 53 to Another Registrar [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-from-route-53.html](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-from-route-53.html)

## Assemble Raspberry Pi

Hopefully you received a package from Cloudflare! You should have received one of each of the following:

* Raspberry Pi 3B+
* 32 GB SD Card
* Raspberry Pi Case/Enclosure
* Power Supply

If you have not received any/all of the aforementioned items, or they were damaged in transit, **TIME OUT**! Send an email to [cloudflare-gateway-pihole-support@cloudflare.com](mailto:cloudflare-gateway-pihole-support@cloudflare.com) and let us know! Our team will make our best effort to ensure that you receive any missing items in time for the event!

Go ahead and mount the Raspberry Pi in the case and ensure that it powers on when you connect it with the power supply.

*You may be tempted to use an alternative method for powering the Raspberry Pi. We strongly encourage you to use the included power supply as it meets the requirements as laid out by the Raspberry Pi Foundation.
One of the most common reasons for instability with Raspberry Pi devices is inadequate power. Using the included power supply will go a long way to ensure that power is not a contributing factor to any instability you may experience.*

## Install and Configure Raspberry Pi OS

There are a couple of options for installing Raspberry Pi OS:

* Use the official [Raspberry Pi Imager](https://www.raspberrypi.org/software/) - this is the easiest method!
* Manually download a [Raspberry Pi OS image](https://www.raspberrypi.org/software/operating-systems/) and write it to the SD card with Balena Etcher (or equivalent)

### Which version do I install?

For this exercise, the best option is to use the [Raspberry Pi OS Lite image](https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-05-28/2021-05-07-raspios-buster-armhf-lite.zip). It provides the simplest, most streamlined installation. Note that it does not include a graphical user interface.

If you would prefer to install Raspberry Pi OS with a GUI, you can download the [Raspberry Pi OS with Desktop image](https://downloads.raspberrypi.org/raspios_armhf/images/raspios_armhf-2021-05-28/2021-05-07-raspios-buster-armhf.zip).

### Do Not Pass Go!

***Don’t remove the MicroSD card from your computer quite yet!***

Once the image is successfully written to the SD card, since the Raspberry Pi will run “headless” (no display, keyboard, or mouse), we need to make sure that you are able to access the device across the network. Otherwise this will be a very short exercise!

Before ejecting the MicroSD card from your computer and booting the Raspberry Pi, there are a few steps we still need to complete:

* Establish Network Connectivity
* SSH Access

### Network Connectivity

The Raspberry Pi 3B+ supports Ethernet and Wi-Fi connectivity (2.4 & 5 GHz). If you prefer Ethernet, then simply connect the Raspberry Pi to your network via an Ethernet cable.

#### SSH Access

The SSH server does not start by default.
There’s a little trick to making sure that it does!

The process of writing the Raspberry Pi OS image to the MicroSD card creates two partitions on the MicroSD card:

* / [root] (this will only be visible if you're using a Linux-based computer as Windows & macOS are unable to recognize the ext4 filesystem)
* /boot - (this is the partition that is visible in Windows Explorer, macOS Finder, and Linux and is the one we care about)

Create a file with the name **ssh** (no file extension) in the boot partition. Raspberry Pi OS will check for the presence of the **ssh** file in the **/boot** directory (boot partition) which will ensure the SSH server starts automatically. Pretty cool, huh?

#### Wi-Fi

The easiest way to connect to your Wi-Fi network is to create the configuration file and save it to the boot partition. There are some web-based tools available that will allow you to generate the file, but it's simple enough to create one with a text editor.

Create a file named wpa_supplicant.conf and save it in the boot partition. Ensure that the file contains the SSID and password for your wireless network. You can even copy and paste the example below and update the *ssid* and *psk* values with your SSID and pre-shared key respectively:

> ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
> update_config=1
> country=US
>
> network={
> ssid="YOUR SSID"
> psk="YOURPASSWORD"
> scan_ssid=1
> }

*NOTE: once the Raspberry Pi boots, the file will be copied automatically from /boot/wpa_supplicant.conf to /etc/wpa_supplicant/wpa_supplicant.conf.*

#### Disable IPv6 (Optional)

Cloudflare and Pihole both support IPv6; however, you may experience some connectivity issues with your Internet Service Provider due to IPv6 addressing issues.

If you’re savvy with IPv6, ROCK ON! We salute you! Feel free to keep it enabled. If IPv6 isn’t your thing, you may want to disable IPv6 altogether. This is a simple process!
First, let’s take a look at what the IP address configuration looks like with both IPv4 and IPv6 enabled:

> pi@pihole:/etc $ ip a
> 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> link/ether b8:27:eb:dd:eb:5d brd ff:ff:ff:ff:ff:ff
> inet 192.168.20.109/24 brd 192.168.20.255 scope global eth0
> valid_lft forever preferred_lft forever
> inet6 2600:1700:c4e0:50a0::49/128 scope global noprefixroute dynamic
> valid_lft 3351sec preferred_lft 3351sec
> inet6 2600:1700:c4e0:50a0:9472:a1d8:b0a7:c62d/64 scope global mngtmpaddr noprefixroute dynamic
> valid_lft 3375sec preferred_lft 3375sec
> inet6 fe80::47ad:5aaf:88ad:3dd3/64 scope link
> valid_lft forever preferred_lft forever
> 3: wlan0: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> link/ether b8:27:eb:88:be:08 brd ff:ff:ff:ff:ff:ff

Make a backup copy of sysctl.conf before proceeding:

> sudo cp /etc/sysctl.conf /etc/sysctl.conf.orig

Using your favorite text editor, edit sysctl.conf:

> sudo nano /etc/sysctl.conf

Add the following three lines to the bottom of the sysctl.conf file:

> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1

Then save the file. You can confirm the changes:

> sudo sysctl -p

This should print the above values to the terminal.

> pi@pihole: $ sudo sysctl -p
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1

If you see these values, you're in great shape! If not, go back and double-check your work.

Reboot the device!
> sudo reboot

Once the Raspberry Pi finishes rebooting, SSH back into the terminal and verify that you no longer see any IPv6 addresses bound to the network interface(s):

> pi@pihole: $ ip a
> 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> 2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> link/ether b8:27:eb:dd:eb:5d brd ff:ff:ff:ff:ff:ff
> inet 192.168.20.109/24 brd 192.168.20.255 scope global eth0
> valid_lft forever preferred_lft forever
> 3: wlan0: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> link/ether b8:27:eb:88:be:08 brd ff:ff:ff:ff:ff:ff

#### Static IP Address (Required)

Once the Raspberry Pi boots, log into your Internet router (or whatever you are using as your DHCP server), and check the active DHCP leases - look for a device with the hostname **raspberrypi**. That’s the IP address we’re going to need to use for the rest of the exercise.

Since the idea is to make this Raspberry Pi the DNS server on your home network, it is ***highly*** recommended that you configure the device with a static IP address. This can be accomplished in a couple of different ways:

* Create a DHCP reservation in your router *(not ideal)*
* Configure a static IP address *(preferred)*

It's always a good idea to back up the original config files before making changes:

> sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.orig
> sudo nano /etc/dhcpcd.conf

If you opted for Ethernet connectivity, the default interface name is most likely eth0. If you opted for Wi-Fi connectivity, the interface name is most likely wlan0.
You can either uncomment the static IP address entries and modify the example IP addresses or you can simply add the following lines to the end of the configuration file:

Ethernet:

> interface eth0
> ipv4only
> static ip_address=192.168.20.10/24
> static routers=192.168.20.1
> static domain_name_servers=127.0.0.1 1.1.1.1

Wi-Fi:

> interface wlan0
> ipv4only
> static ip_address=192.168.20.10/24
> static routers=192.168.20.1
> static domain_name_servers=127.0.0.1 1.1.1.1

*NOTE: Don’t forget to SSH in via the static IP from now on - especially if you picked an IP address outside your DHCP scope!*

## Update System Settings

There are several system-wide settings we can quickly and easily configure using the Raspberry Pi Software Configuration Tool (**raspi-config**).

> sudo raspi-config

### Change Default Password

First things first - change the password! We’re all security conscious, right? Don’t let your Raspberry Pi get pwn3d!

Select **Option 1 - Change User Password**

Next, set a hostname. This is accomplished by choosing **Option 2 -> then N1 Hostname**. I used *pihole* for mine. Original, huh?

### Change the localization settings (Recommended)

Raspberry Pi OS defaults to EN_GB (Great Britain). We can update this so the Raspberry Pi displays date, time, temperature, and other parameters based on US English.

Go back to the main menu, then choose **Option 4 - Localization Options**

Select **I1 - Change Locale** - scroll down to *EN_US.UTF-8* and tap the spacebar to select it. Then tab to **OK** and hit *Enter*. You can leave **EN_GB.UTF-8** enabled - it won’t hurt anything.

When prompted to select the default locale, arrow down to **EN_US.UTF-8**, Tab to **OK**, then let it do its thing. This may take a minute or two.

### Update the Timezone

Back at the main menu, choose **Option 4 - Localization Options**, -> **I2 - Change Timezone** - we’ll assume you know what to choose here.
### Wi-Fi Country Code

Lastly, choose **Option 4 - Localization Options** -> **I4 - Change Wi-Fi Country**, then scroll down to **US**, tab to **OK**, and hit *Enter*.

*Tip - if you press ‘U’ it will quickly advance you to the first ‘U’ value.*

You should be back at the main menu. Tab to **Finish** and reboot when prompted.

### Update Raspberry Pi OS

OK - we’re in the home stretch! Let’s update Raspberry Pi OS so we have all the latest updates!

> sudo apt update
> sudo apt upgrade -y
> sudo reboot

## Thank You and Next Steps

And...WE ARE DONE! Nice work!

Thank you so much for taking the time to do this ahead of the event! With these steps behind us, we can jump right into the exercise on the day of the event. You will receive another link at the beginning of the event on July 22. See you in class!

In the meantime, feel free to familiarize yourself with the Cloudflare Dashboard. If you are interested in reviewing any of the Cloudflare documentation, this is the best place to start:

[Cloudflare Developers](https://developers.cloudflare.com/)
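The **SSH Access** and **Wi-Fi** steps from earlier in this guide, scripted as an added example (not part of the original guide): it creates the empty `ssh` marker and writes `wpa_supplicant.conf` with the derived 256-bit key instead of the plain passphrase, because the boot partition is readable by any computer the card is inserted into. The function names, the `config.txt` sanity check and the sample network name are assumptions made for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def derive_psk(ssid: str, passphrase: str) -> str:
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def render_wpa_supplicant(ssid: str, passphrase: str, country: str = "US") -> str:
    """Build the file from the guide, with the derived key in place of the passphrase."""
    if not (len(country) == 2 and country.isascii() and country.isalpha() and country.isupper()):
        raise ValueError("country must be a two-letter code such as US")
    # wpa_supplicant reads ssid either as a quoted string or as unquoted hex;
    # hex sidesteps quoting problems with unusual network names.
    plain = ssid.isascii() and ssid.isprintable() and '"' not in ssid
    ssid_value = f'"{ssid}"' if plain else ssid.encode().hex()
    return (
        "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\n"
        "update_config=1\n"
        f"country={country}\n"
        "\n"
        "network={\n"
        f"    ssid={ssid_value}\n"
        # 64 unquoted hex digits are taken as the key itself. The key still grants
        # access to this one network, but it does not reveal the passphrase.
        f"    psk={derive_psk(ssid, passphrase)}\n"
        "    scan_ssid=1\n"
        "}\n"
    )


def prepare_boot(boot_dir, ssid: str, passphrase: str, country: str = "US") -> list:
    """Write the 'ssh' marker and wpa_supplicant.conf into the mounted boot partition."""
    boot = Path(boot_dir)
    # Assumed sanity check: the Pi boot partition holds config.txt, so refuse
    # to write into a volume that does not have it.
    if not (boot / "config.txt").is_file():
        raise FileNotFoundError(f"{boot} does not look like a Raspberry Pi boot partition")
    conf = render_wpa_supplicant(ssid, passphrase, country)  # validate before writing
    (boot / "ssh").touch()  # empty file, no extension
    # Bytes, not text mode, so a Windows host cannot turn the newlines into CRLF.
    (boot / "wpa_supplicant.conf").write_bytes(conf.encode())
    return sorted(p.name for p in boot.iterdir())


if __name__ == "__main__":
    # Constructed stand-in for the mounted boot partition so the demo runs anywhere.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "config.txt").write_text("# constructed placeholder\n")
        print(prepare_boot(d, "ExampleNet", "correct horse battery"))
        print((Path(d) / "wpa_supplicant.conf").read_text())
```

Call `prepare_boot()` with the path where your computer mounts the boot partition, before ejecting the card.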
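A consistency check for the **Static IP Address** stanza, as an added example (not part of the original guide): it parses the `dhcpcd.conf` block shown earlier and reports settings that would leave the Pi unreachable or let the router lease the same address to another device. The function names and the DHCP pool bounds are hypothetical; read the real pool range from your router.

```python
import ipaddress

# The Ethernet stanza from this guide, embedded so the check runs offline.
SAMPLE_DHCPCD = """\
interface eth0
ipv4only
static ip_address=192.168.20.10/24
static routers=192.168.20.1
static domain_name_servers=127.0.0.1 1.1.1.1
"""


def parse_static(conf_text, interface):
    """Collect the 'static key=value' options that follow 'interface <name>'."""
    options, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if line.startswith("interface "):
            current = line.split()[1]
        elif current == interface and line.startswith("static ") and "=" in line:
            key, value = line[len("static "):].split("=", 1)
            options[key.strip()] = value.strip()
    return options


def check_static(conf_text, interface, pool_start, pool_end):
    """Return a list of problems; an empty list means the stanza is consistent."""
    opts = parse_static(conf_text, interface)
    if "ip_address" not in opts or "routers" not in opts:
        return [f"{interface}: static ip_address and routers are both required"]
    if "/" not in opts["ip_address"]:
        return [f"{interface}: ip_address needs a prefix length such as /24"]
    host = ipaddress.ip_interface(opts["ip_address"])
    router = ipaddress.ip_address(opts["routers"].split()[0])
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if host.ip in (host.network.network_address, host.network.broadcast_address):
        problems.append(f"{host.ip} is the network or broadcast address")
    if router not in host.network:
        problems.append(f"router {router} is outside {host.network}")
    if host.ip == router:
        problems.append(f"{host.ip} is the router's own address")
    if lo <= host.ip <= hi:
        # A lease handed to another device would collide with the DNS server.
        problems.append(f"{host.ip} is inside the DHCP pool {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # Pool bounds are hypothetical; read the real ones from your router.
    print(check_static(SAMPLE_DHCPCD, "eth0", "192.168.20.100", "192.168.20.200"))
    print(check_static(SAMPLE_DHCPCD, "eth0", "192.168.20.2", "192.168.20.50"))
```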