Back to OpenWrt  

Some years ago, my network provider (O2 – Spain) installed a router for me (Mitrastar HGU GPT-2541GNAC) with much better specs than my old OpenWrt router (TP-Link TL-WDR4300). So, I ditched OpenWrt and started using the company’s router.

But the Mitrastar needed to be factory reset every 6 months because it had some problems with the DHCP in my network. Recently, I offloaded the DHCP to an OrangePi 3B, but now my home network was relying too much on the availability of this device. Also, the Mitrastar is starting to show its age without features like WiFi 6…

A couple of weeks ago I found on Aliexpress a new Xiaomi AX3000T router. It has an amazing set of specs:

  • 2 ARMv8 cores @ 1.3GHz (MediaTek MT7981B)
  • 128 MB ROM
  • 256 MB RAM
  • WiFi 6 (AX) in the 2.4 GHz and 5 GHz bands

And it’s compatible with the lastest snapshot of OpenWrt:

https://openwrt.org/inbox/toh/xiaomi/ax3000t

I was able to get it during the AliExpress ChoiceDay (this happens the first days of each month) for 26 EUR (including a 4 EUR coupon).

When it arrived, I found it a bit smaller than what I expected, and I liked its minimalist look. It has only one button for WPS (+ the reset pinhole), and one LED in the front panel (i.e. it does not have LEDs on the ethernet ports).

Everything was in Chinese, but it’s easy to read it using the Google Translate camera, only for the steps necessary to set up OpenWrt. I did a simple installation without the U-Boot boot loader.

So, I put again an OpenWrt router back in my home network moving the DHCP and WireGuard services to the router. I had forgotten the beauty and simplicity of OpenWrt.

I also tested adblock-lean and it works quite well on the router with big lists like https://oisd.nl/: It’s able to manage the 660K domains of both oisd big and osid nsfw lists. But at the moment I’ll continue using the Pi-hole on the OrangePi. I still need the OrangePi to run Home Assistant and the NAS.


CO2 sensor with LCD and ESP32-C3 Supermini  

I wanted to add an LCD screen to my CO2 sensor, so I bought a white LCD 1602 with an I2C controller. The I2C controller needs to be soldered to the LCD, but my basic soldering skills were sufficient for the task.

I also wanted to place it in a box, so I purchased this plastic enclosure but I cannot recommend it. It required a lot of glue from a glue gun to install the LCD and the ESP. I also had to use the soldering iron to create space for the ESP and a hole for the USB connector. I installed the plastic buttons but they are only decorative.

I made room for the sensors inside the box, but finally left them outside because they are more precise that way.

The ESP32-WROOM-32 was too large for the enclosure, so I used a ESP32-C3 Supermini with an expansion board. This is a really amazing board with a 32-bit RISC-V 160MHz microcontroller, WiFi, Bluetooh, I2C and UART. It’s not as powerful as the ESP32-WROOM-32 with a dual core 32-bit Xtensa 240Mhz, but it’s more than capable to control the sensors and the LCD.

This is the ESPHome configuration, which includes a switch to control the LCD backlight and a clock synchronizing the time with Home Assistant:

esphome:
  name: co2sensor
  friendly_name: CO2 Sensor

esp32:
  board: esp32-c3-devkitm-1
  framework:
    type: arduino

logger:
  level: ERROR

api:
  password: ""

ota:
  platform: esphome
  password: ""

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password
  reboot_timeout: 90s
  ap:
    ssid: ${friendly_name} Hotspot
    password: !secret wifi_password

captive_portal:

web_server:
  port: 80

debug:

time:
  - platform: homeassistant
    id: homeassistant_time
    timezone: "Europe/Madrid"

uart:
  rx_pin: GPIO20
  tx_pin: GPIO21
  baud_rate: 9600

i2c:
  sda: GPIO8
  scl: GPIO9

sensor:
  - platform: uptime
    name: Uptime
    filters:
      - lambda: return x / 60.0;
    unit_of_measurement: minutes

  - platform: wifi_signal
    name: "WiFi signal sensor"
    update_interval: 60s

  - platform: dht
    model: AM2302
    pin: GPIO10
    temperature:
      id: "dht22_temperature"
      name: "DHT22 Temperature"
    humidity:
      id: "dht22_humidity"
      name: "DHT22 Humidity"
    update_interval: 50s

  - platform: mhz19
    co2:
      id: "mhz19_co2"
      name: "MH-Z19 CO2"
    temperature:
      id: "mhz19_temperature"
      name: "MH-Z19 Temperature"
    update_interval: 60s
    automatic_baseline_calibration: false

display:
  - platform: lcd_pcf8574
    dimensions: 16x2
    address: 0x27
    update_interval: 1s
    lambda: |-
        auto time =  id(homeassistant_time).now();
        it.printf(11, 0, "%02d:%02d", time.hour, time.minute);
        it.printf(11, 1, "%02d/%02d", time.day_of_month, time.month);
        auto co2 = id(mhz19_co2).state;
        if (!isnan(co2)) {
          it.printf(0, 0, "%.0fppm", co2);
        }
        it.printf(0, 1, "%.1fC", id(dht22_temperature).state);
        it.printf(6, 1, "%.0f%%", id(dht22_humidity).state);

switch:
  - platform: gpio
    pin: GPIO7
    name: "LED Backlight"
    id: led_backlight
    restore_mode: ALWAYS_OFF

And the full BOM:


MH-Z19B CO2 sensor  

To keep a healthy environment at home or at the workplace, one of the important things to control is the carbon dioxide (CO2) level.

It’s measured in ppm (parts per million), indicating how many parts of CO2 there are in one million parts of air. As a reference:

  • Less than 1000 ppm are healthy levels
  • Between 1000 ppm and 2000 ppm, we need to reduce the CO2 levels
  • Levels greater than 2000 ppm are associated with headaches, sleepiness, poor concentration, loss of attention…

To reduce the CO2 level, we need to ventilate the room. It can be manually done (opening the windows) or it can be automated with a ventilation system.

To measure it we need a proper CO2 sensor, and one of the most reliables sensors is the MH-Z19B. It is not cheap for the Aliexpress standards (it costs around 20 EUR), but other cheap sensors announced as “air quality” sensors or “eCO2” sensors are not really measuring the CO2 level (i.e. the MQ135).

I bought this MH-Z19B from Aliexpress and hooked it to an ESP32-WROOM-32 board. This board is going to be also purposed as a temperature and humidity sensor, so I also attached a DHT22 sensor. I bought this DHT22 sensor but it is not an original one, and the measures do not seem very correct, so I ordered again an original AM2302 (=DHT22). The MH-Z19B includes a temperature sensor, but it’s mainly used for calibration and it lacks precision, as it does not report decimals. I’m also using an expansion board to simplify the connections.

The ESP32-WROOM-32 on the expansion board connected to the MH-Z19B (gold) and to the DHT22 (red)
  • The jumper in the expansion board needs to be set to 5V (because both of these sensors need 5V).
  • Connected VCC and GND of both sensors to the expansion board
  • Connected the RX and TX of the MH-Z19B to the TX and RX (GPIO1 and GPIO3) of the ESP
  • Connected GPIO16 to the DAT of the DHT22

Finally, I installed ESPHome to the board with this configuration:

substitutions:
devicename: co2sensor
friendly_name: CO2 sensor

esphome:
name: ${devicename}
friendly_name: ${friendly_name}
platform: ESP32
board: nodemcu-32s

logger:

api:
password: ""

ota:
password: ""

wifi:
ssid: !secret wifi_ssid
password: !secret wifi_password
reboot_timeout: 90s
ap:
ssid: ${friendly_name} Hotspot
password: !secret wifi_password

captive_portal:

web_server:
port: 80

debug:

time:
- platform: homeassistant
id: homeassistant_time

uart:
rx_pin: GPIO3
tx_pin: GPIO1
baud_rate: 9600

sensor:
- platform: uptime
name: Uptime
filters:
- lambda: return x / 60.0;
unit_of_measurement: minutes

- platform: wifi_signal
name: "WiFi signal sensor"
update_interval: 60s

- platform: dht
model: DHT22
pin: GPIO16
temperature:
id: "dht22_temperature"
name: "DHT22 Temperature"
humidity:
id: "dht22_humidity"
name: "DHT22 Humidity"
update_interval: 60s

- platform: mhz19
co2:
id: "mhz19_co2"
name: "MH-Z19 CO2"
temperature:
id: "mhz19_temperature"
name: "MH-Z19 Temperature"
update_interval: 60s
automatic_baseline_calibration: false

And It’s working nicely, this is the ESPHome web interface:

Keeping the CO2 levels under control is helping me create a healthier workplace environment and improve performance.


Improving WiFi reception with an ESP32-WROOM-32U

I’m using a ESP32 with ESPHome connected to my heating system for climate control, as expained in a previous post.

The heating system is in a different builng than the router and I was experiencing some WiFi coverage issues (the WiFi signal needs to cross two metallic window blinds…).

To diagnose the WiFi coverage is very useful the wifi_signal sensor in ESPHome:

sensor:
  - platform: wifi_signal
    name: Wifi Signal
    update_interval: 60s

It was showing a WiFi signal of -95 dBm in the board: This is very low, and it was experiencing some disconnections.

Usually the ESP32 boards have an antenna integrated in the board, but the ESP32-WROOM-32U has an IPEX connector for an external antenna:

So, I spent less than 10 EUR in Aliexpress buying (affiliate links):

And replaced the previous ESP32-WROOM-32 module with an ESP32-WROOM-32U, installing the external antenna. This is how it looks now:

ESP32-WROOM-32U mounted on an expasion board connected to the 4 relay module

The WiFi signal shown in ESPHome increased from -95 dBm to –75 dBm and it’s no longer experiencing any interruptions.


ESPHome in a RTL8710BX smart plug

I bought from a popular chinese store a generic Tuya smart plug with power monitoring. It was extrememly cheap, costing less than 4 EUR. And of course I bought it to play trying to flash ESPHome.

The first challenge was to open it without breaking it. I was able to open it by wrapping it in cardboard and gently tapping it with a hammer around the body.

You never know what chip you are going to find. In the past ESP8266 was very common but now they switched mainly to Beken chips. This smart switch has a T102_V1.1 board with a Realtek RTL8710BX chip:

Luckily the support for this chip was developed in the LibreTiny project:

https://github.com/libretiny-eu/libretiny

And now it’s integrated into ESPHome:

https://esphome.io/components/libretiny

This is the board:

https://fcc.report/FCC-ID/2AU7O-T102V11/4540736.pdf

And after investigating the outputs, I reached this conclusion about them:

IndexRTL8710BXConnection
1VDDConnected
3GNDConnected
5GPIO_A18/UART0_RXDConnected to the button
7GPIO_A23/UART0_TXDNot connected
9GPIO_A14/PWM0 Power Monitor SEL pin
11GPIO_A15/PWM1Connected to the relay
2 GPIO_A12/PWM3Power monitor CF1 pin
4GPIO_A0/PWM2Power monitor CF pin
6GPIO_A5/PWM4Status LED inverted (there is another LED connected to the relay)
8GPIO_A30/DEBUG_LOG_TXNot connected, I soldered a cable to the flasher RX
10GPIO_A29/DEBUG_LOG_RXNot connected, I soldered a cable to the flasher TX

ESPHome

I created one device this config in the ESPHome dashboard (without power monitoring, read below if you want to enable it):

substitutions:
  devicename: smartplug1
  friendly_name: Smart Plug 1

esphome:
  name: ${devicename}
  friendly_name: ${friendly_name}

rtl87xx:
  board: wr2
  framework:
    version: 1.5.1

logger:

api:
  password: ""

ota:
  password: ""

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password

  ap:
    ssid: ${friendly_name} Fallback Hotspot
    password: !secret wifi_password

captive_portal:

web_server:
  port: 80

status_led:
  pin:
    number: PA5
    inverted: true

text_sensor:
  - platform: libretiny
    version:
      name: LibreTiny Version

sensor:
  - platform: uptime
    name: Uptime
    filters:
      - lambda: return x / 60.0;
    unit_of_measurement: minutes

  - platform: wifi_signal
    name: Wifi Signal
    update_interval: 60s

binary_sensor:
  - platform: gpio
    device_class: power
    name: Button
    pin:
      number: PA18
      mode: INPUT_PULLUP
      inverted: true
    on_press:
      - switch.toggle: relay

switch:
  - platform: gpio
    id: relay
    name: ${friendly_name}
    pin: PA15
    restore_mode: RESTORE_DEFAULT_OFF

There is currently an open bug in LibreTiny and with the board t102-v1.1 the PA15 output does not work, so I needed to use the board wr2 on line 10.

I built it from the ESPHome dashboard and downloaded a .uf2 file.

Connecting an USB UART to the chip

I soldered four dupont cables to VDD, GND, GPIO_A29 and GPIO_A30 connecting them to an FTDI232 USB UART:

While connected to the FTDI232, the log from the chip can be viewed, i.e. with minicom (but remember to disable hardware flow control):

minicom -D /dev/ttyUSB0 -b 115200

Flashing

The official flashing guide does not recomment to power the chip with the USB flasher, but it worked for me:

https://docs.libretiny.eu/docs/platform/realtek-ambz/#flashing

You need the ltchiptool tool, I installed it in a Python virtualenv:

python3 -m venv .
source bin/activate
pip install ltchiptool zeroconf

The ltchiptool GUI caused some segmentation fault, so I used it from the commmand line.

To put the chip in flash mode, we need to power it with the TX pin connected to GND.

In flash mode, I created a backup of the previous firmware:

ltchiptool flash read realtek-ambz flash-backup.bin

And to write the ESPHome firmware:

ltchiptool flash write smartplug1.uf2


After the flashing, if I try to power it from USB the WiFi module did not start and it causes a boot loop, but It worked perfectly plugging it into the mains power. A new device appeared in the router and I can connect to the ESPHome web dashboard.

Adding power metering

The plug includes a power metering chip: the BL0936, that is supported by ESPHome:

https://esphome.io/components/sensor/hlw8012.html

However, after configuring and uploading the firmware with the power meter enabled to the board, the device enters a boot loop, displaying the following error:

[D][switch:016]: 'Smart Plug 1' Turning OFF.
[D][binary_sensor:034]: 'Button': Sending initial state OFF
[C][hlw8012:014]: Setting up HLW8012...
W [      0.109] CHANGE interrupts not supported

Luckily, after 10 reboots, the firmware enters in the “OTA safe mode”, disabling all the modules and connecting to the WiFi without the web dashboard but opening a port to allow remote flashing.

https://esphome.io/components/ota.html

It is a problem in the combination of the RTL8710 chip and the BL0936 module, there is an open issue about this:

https://github.com/libretiny-eu/libretiny/issues/155

It can be fixed with the workaround of SuperXL2023 modifying the .esphome/platformio/platforms/libretiny/cores/realtek-amb/arduino/src/wiring_irq.c file and adding the lines 64 and 65:

62: #if LT_RTL8720C
63:                        event = IRQ_FALL_RISE;
64: #elif LT_RTL8710B
65:                        event = IRQ_RISE;
66: #else
67:                        LT_W("CHANGE interrupts not supported !!!!!!");

In the ESPHome config I’m specifying the version of the framework to avoid losing this fix in an automatic update. It works perfectly after rebuilding the image with this fix and uploading it to the device.

This is the complete ESPHome configuration with power metering:

substitutions:
  devicename: smartplug1
  friendly_name: Smart Plug 1

  voltage_divider: "1400"
  current_resistor: "0.001"
  current_multiply: "1.0"

esphome:
  name: ${devicename}
  friendly_name: ${friendly_name}

rtl87xx:
  board: wr2
  framework:
    version: 1.5.1

logger:

api:
  password: ""

ota:
  password: ""

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password

  ap:
    ssid: ${friendly_name} Fallback Hotspot
    password: !secret wifi_password

captive_portal:

web_server:
  port: 80

status_led:
  pin:
    number: PA5
    inverted: true

text_sensor:
  - platform: libretiny
    version:
      name: LibreTiny Version

sensor:
  - platform: uptime
    name: Uptime
    filters:
      - lambda: return x / 60.0;
    unit_of_measurement: minutes

  - platform: wifi_signal
    name: Wifi Signal
    update_interval: 60s

  - platform: hlw8012
    model: BL0937
    sel_pin:
      number: PA14
      inverted: true
    cf_pin:
      number: PA0
    cf1_pin:
      number: PA12

    current:
      name: Current
      filters:
        - multiply: ${current_multiply}
    voltage:
      name: Voltage
    power:
      name: Power
    energy:
      name: Energy

    update_interval: 30s
    current_resistor: ${current_resistor}
    voltage_divider: ${voltage_divider}

binary_sensor:
  - platform: gpio
    device_class: power
    name: Button
    pin:
      number: PA18
      mode: INPUT_PULLUP
      inverted: true
    on_press:
      - switch.toggle: relay

switch:
  - platform: gpio
    id: relay
    name: ${friendly_name}
    pin: PA15
    restore_mode: RESTORE_DEFAULT_OFF

It needs to calibrate the sensor to obtain the proper values of voltage_divider, current_resistor and current_multiply. It can be done with a multimeter and entering the values in the hlw8012 page.


WireGuard

I always used OpenVPN in my servers, but now WireGuard is a better option:

https://www.wireguard.com/

  • It’s simpler
  • It’s more efficient
  • It’s faster
  • It uses modern cryptography algorithms

I’m using it to remotely access private services in my home server. I setup a star topology, where all the VPN clients connect to the home server and they can only see the server.

So I need a dynamic DNS and an open port in the router, I already have them for Home Assistant.

Eloy Coto recommended Tailscale, it is an amazing mesh VPN based in WireGuard. It’s much simpler to set up, and you do not need to open public ports, but it’s commercial and a bit overkill for my needs.

Generating the WireGuard configurations

The most tedious part of WireGuard is to generate the configurations, but there are some nice tools to ease that, like:

https://www.wireguardconfig.com/

The tool generates the configuration for the server and for the requested number of clients. It does everything in the frontend, so it is not leaking the VPN keys.

As I’m only acessing the server, I have removed the IP forwarding options in the Post-Up and Post-Down rules.

Installing and configuring the WireGuard server

WireGuard is in the official Ubuntu repos, so to install it in the server it’s enough to do:

sudo apt install wireguard

Then I needed to put the config in the /etc/wireguard/wg0.conf file and do:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service

Installing and configuring the clients

WireGuard has clients for almost any OS:

https://www.wireguard.com/install/

To setup the client in the phones, the WireGuard Config web tool generates QR codes. In other devices you’ll need to create a file with it or paste the config contents.

Using Pi-hole from the VPN clients

To use the Pi-hole hosted in the same VPN server from the VPN clients, you can specify a DNS property in the client config, i.e. if the server is 100.100.1.1 and the client is 100.100.1.2:

[Interface]
PrivateKey = <client-private-key>
Address = 100.100.1.2/32
DNS = 100.100.1.1

[Peer]
PublicKey = <server-public-key>
PresharedKey = <preshared-key>
Endpoint = <my-home-server>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Every time that you connect the VPN, the DNS server in the client changes to 100.100.1.1 and it is reverted to the previous DNS server when the VPN is disconnected.

Additionally, Pi-hole needs to be listening in the wg0 interface, I explained how to make Pi-hole listen on multiple interfaces in the Pi-hole post.


The LLM revolution

I took this photo of three Llamas in Machu Picchu some years ago…

ChatGPT was launched in November 2022, and it changed our world as we knew it. Since then, Large Language Models (LLMs) have integrated into our daily workflows enhancing our productivity and the quality of our work.

Another interesting milestone happened in February 2023, when Meta released the Llama LLM under a noncommercial license:

https://llama.meta.com

This sparked the enthusiasm among numerous developers dedicated to advancing LLMs, leading to a increase in collaborative efforts and innovation within the field. A good example is the Hugging Face Model Hub where new models are constantly published:

https://huggingface.co/models

Developers started creating improved models and optimizing performance for local execution of LLMs on consumer-grade hardware.

Llama.cpp is a port of Llama to C++, started in March 2023 with a strong emphasis on performance and portability. It includes a web server and an API:

https://github.com/ggerganov/llama.cpp

Mistral 7B was released in October 2023, achieving better performance than larger Llama models and demonstrating the effectiveness of LLMs in compressing knowledge.:

https://huggingface.co/papers/2310.06825

And now it’s easier than ever to locally execute LLMs, especially since November 2023, with the Llamafile project that packs Llama.cpp and a full LLM into a multi-OS single executable file:

https://github.com/Mozilla-Ocho/llamafile

The llama.cpp web interface running Mistral 7B Instruct in local via a llamafile

It’s even possible to run LLMs in a Raspberry Pi 4, like the TinyLlama-1.1B used from a llamafile in this project:

https://github.com/nickbild/local_llm_assistant

And about using LLMs for code generation (Github’s Copilot has been available since 2021), there are IntelliJ plugins like CodeGPT (with its first release in February 2023) that now allows you to run the code generation against a local LLM (running under llama.cpp):

https://github.com/carlrobertoh/CodeGPT

Google is a bit late to the party. In December 2023 they announced Gemini. In February 2024, they launched the Gemma open models, based on the same technology than Gemini:

https://blog.google/technology/developers/gemma-open-models

They also released a gemma.cpp inference engine:

https://github.com/google/gemma.cpp

And finally, if you are lost among so many LLM models, an interesting resource is the Chatbot Arena, released in August 2023. It allows humans to compare the results from different LLMs, keeping a leaderboard with chess-like ELO ratings:

https://chat.lmsys.org

And according to this leaderboard, at the moment GPT-4 is still the king.


Opening Home Assistant to Internet

To make Google Assistant work with your Home Assistant, you need to provide a public URL with HTTPS access to HA. Here are the full instructions:

https://www.home-assistant.io/integrations/google_assistant/

But something that seems trivial, like publicly accessing services in your home server, has some complications, and you usually need to worry about dynamic IPs and security.

What do we need:

  • An ISP not using CG-NAT
  • Redirect ports in the router
  • A dynamic DNS provider and a client to update the IP (or a static IP)
  • An SSL certificate to securely access the HTTP services

ISP providers with CG-NAT

Some ISPs use CG-NAT (Carrier-Grade NAT), sharing the same IPv4 among multiple customers. In that case the only way to expose your services is using reverse proxy services such as ngrok.

Ngrok allows you to generate one static domain and it also automatically generates a SSL certificate, so most steps in this post do not apply.

My ISP (O2 Spain) assigns me a dynamic IP, and I prefer to not rely on these reverse proxy services, so I remotely access my home server redirecting ports in the router.

Dynamic DNS provider

Usually, and unless you have a static IP service (not very common, and not available in my ISP), you need to setup a dynamic DNS service.

I have been using the free Now-DNS service for years:

https://now-dns.com/

And to update the IP in my home server, I setup ddclient with this /etc/ddclient.conf file:

ssl=yes
protocol=dyndns2
daemon=60
mail=root                               # mail all msgs to root
mail-failure=root                       # mail failed update msgs to root
pid=/var/run/ddclient.pid               # record PID in file.
use=web, web=now-dns.com/ip             # get ip from server.
server=now-dns.com                      # default server
login=<your-login>
password=<your-password>
server=now-dns.com,<your-dynamic-domain>

Some of these dynamic DNS domains are blocked in the Pi-hole blocking lists, so, if you are using Pi-hole or other DNS blocking service, you’ll probably need to whitelist your domain.

SSL certificate

With the amazing Certbot you can obtain free SSL certificates:

https://certbot.eff.org/

There is extensive documentation in the Certbot site about how to use it. I simply install certbot from apt and do a:

certbot certonly --webroot -w /var/www/html/ -d <your-dynamic-domain> --email <my-email> --non-interactive --agree-tos

But in order to make that work, you need a domain name (available from the dynamic DNS provider in the previous section).

HTTP Server

And to verify that the domain points to your server, Certbot is going to do an HTTP request to that domain, so you also need to have an HTTP server in the port 80 and open the port 80 in the router. This is also needed for the certificate renewals.

You may encounter numerous attacks on this port, so it is crucial to have a reliable web server that is consistently updated and properly configured. I personally use nginx as my HTTP server, and it has never failed me so far.

Home Assistant

To use the SSL certificate from the HA container, we need to share the folder where certificates are stored passing a “-v /etc/letsencrypt:/etc/letsencrypt” to the docker command and setting in the HA configuration.yaml:

http:
  ssl_certificate: /etc/letsencrypt/live/<your-dynamic-domain>/fullchain.pem
  ssl_key: /etc/letsencrypt/live/<your-dynamic-domain>/privkey.pem

You can also use your public HA URL to remotely access it and to configure in the HA Android application.


Orange Pi 3B

I’ve never been a fan of the Raspberry Pi. In my opinion, it occupies an intermediate position where it is too underpowered for desktop use and too overpowered for IoT projects:

  • To use them as a desktop, there are great X86 alternatives available at about the same price than a RPi 5 but much more powerful, such as the Intel N100.
  • And for IoT projects, the ESP32 is the king, with amazing boards with Wifi, Bluetooth, etc., all at a price of less than 5 euros.

So it’s place may be TV boxes (where I prefer a Chromecast with Android) or small servers where the power consumtion is important because they are always on.

I bought an Orange Pi 3B: 4 cores, 4GB RAM, 64GB eMMC (~50 euros in Aliexpress) to replace my old X86 home server (Intel N450: 2 cores, 2 GB RAM, 64GB SSD):

http://www.orangepi.org/html/hardWare/computerAndMicrocontrollers/details/Orange-Pi-3B.html

The Orange Pi 3B shares the form factor with the Raspberry Pi 3B but it is almost as powerful as the Raspberry Pi 4. Notably, the Orange Pi 3B comes with several advantages over the RPi 4:

  • Support for eMMC (much faster and reliable than SD cards)
  • A power button
  • A full-size HDMI port
  • External antenna
  • And it’s cheaper

I installed the Ubuntu Jammy server image in the eMMC following the OPi manual. It needs to use a USB-A male to USB-A male cable and the RKDevTool (it’s in Chinese) that runs only in Windows.

And, as this machine is going to be exposed to internet, I hardened a bit the security:

  • Changed the APT repositories to ports.ubuntu.com
  • Regenerated SSH server keys
  • Removed SSH root access
  • Changed passwords
  • Renamed the orangepi user
  • Removed the local autologin

To remove the local autologin we need to edit:

  • /lib/systemd/system/getty@.service.d/override.conf: For the display console autologin
  • /lib/systemd/system/serial-getty@.service.d/override.conf: For the serial console autologin
[Service]
ExecStartPre=/bin/sh -c 'exec /bin/sleep 10'
ExecStart=
ExecStart=-/sbin/agetty --noissue --autologin orangepi %I $TERM
Type=idle

Removing the “–autologin orangepi”. If you rename the orangepiuser but you want to keep the autologin, you’ll also need to change the username here.

Then I moved the docker containers and other services from my old X86 server:

  • Home Assistant (docker container)
  • ESPHome dashboard (docker container)
  • Pi-hole (docker container)
  • nginx (for certbot and DNS DoT for Pihole)
  • certbot (to maintain the SSL certificate for Home Assistant)
  • ddclient (dynamic DNS updater)
  • NAS (do not expect anything fancy, I access a USB disk via SSH, it’s enough for Kodi & backups)

Everything seems to work smoothly now.


Pi-hole as home DNS and DHCP server

I encountered numerous issues with my network provider’s router DHCP. Since I haven’t yet decided to acquire another router, I opted to offload the DHCP server to another machine, which is currently running my Home Assistant and NAS.

I was in search of a DHCP server with a web UI. During my exploration, I came across Pi-hole, a DNS server specifically designed to block DNS queries to domains that serve ads and do tracking. Interestingly, Pi-hole also incorporates an integrated DHCP server (dnsmasqd) that can be configured through its admin UI.

https://pi-hole.net/

I presume the integration of the DHCP server aimed to simplify the setup of clients’ DNS servers, yet it proves highly convenient for home networks. And forget about the “Pi” in the name, it can be run in any linux server, not necessarily in a Raspberry Pi.

I’m still an addict to running everything in Docker containers. So I set up the Docker Pi-hole container (https://github.com/pi-hole/docker-pi-hole) using this script localed at /usr/local/pihole/docker.sh:

#!/bin/bash 
cd $(dirname $(readlink -f $0))
docker stop pihole
docker rm pihole
docker pull pihole/pihole:latest
docker run -d \
	--name pihole \
	--privileged \
	--restart=unless-stopped \
	--network=host \
	-e TZ=Europe/Madrid \
        -e FTLCONF_LOCAL_IPV4=192.168.1.2 \
        -e WEB_PORT=8081 \
	-e WEBPASSWORD=admin \
	-e INTERFACE=eth0 \
	-e DNSMASQ_USER=root \
	-v ./etc-pihole:/etc/pihole \
	-v ./etc-dnsmasq.d:/etc/dnsmasq.d \
	--cap-add=NET_ADMIN \
	pihole/pihole:latest
docker image prune --all
  • Every time that you run the script, it updates the container with the last Pi-hole version
  • It didn’t work without setting FTLCONF_LOCAL_IPV4 to the local IP
  • I needed to set up WEB_PORT to not override with the nginx running in that machine (for Certbot)
  • Setting WEBPASSWORD is the easiest way to initially setup an admin password
  • I couldn’t make the DHCP server work with port mappings, it needed a –network=host
  • There is an image prune at the end to save space by removing old docker images

I also had some problems because Ubunt’s systemd-resolved includes a DNS server, and I needed to disable it:

https://askubuntu.com/questions/907246/how-to-disable-systemd-resolved-in-ubuntu

And of course, you need to disable also the DHCP server on the router, it’s a very bad idea to have two DHCP servers working in the same network…

It is now functioning smoothly, and the included ad-blocking feature is a definite plus. Although it doesn’t currently block ads on YouTube and Twitch, its still great.

I’m also using it in my phone with a Wireguard VPN (it maybe a topic for another post). To make it listen in multiple interfaces like in the local and the VPN interfaces, I needed to create a /usr/local/pihole/etc-dnsmasq.d/99-interfaces.conf adding there:

interface=lo
interface=wg0

Another similar alternative worth exploring is AdGuard Home, but I haven’t had the time to test it yet:

https://adguard.com/en/adguard-home/overview.html