ZeroSentinel is your off site access point and DIY privacy node. A Pi Zero that becomes a private WireGuard server, a local recursive resolver, and a remote health sentinel you fully control. This hub collects every part of the build from OS install to Unbound, canary alerts, Nostr monitoring, and network hardening so you can deploy a clean, reliable, self hosted access doorway.
Want all the how to guides in one place? Join the SECURE CHANNEL
What ZeroSentinel Is
A pocket sized privacy node that:
- Builds a secure WireGuard tunnel home
- Runs Unbound as your personal recursive resolver
- Enforces DNSSEC and no fallback DNS
- Drops all traffic outside the tunnel
- Sends encrypted Nostr DM alerts on failure
- Works behind travel routers, carrier NAT, and hostile networks
Born from one idea: stop trusting other people’s infrastructure, build your own.
Why Build It
- ISPs rewrite DNS
- Phones leak the moment a VPN drops
- Travel networks inject ads and junk
- Cloud resolvers log everything
- Nobody warns you when something breaks
ZeroSentinel is the baseline that stops silent failures.
Who This Hub Is For
- Beginners who want a step by step DIY build
- Travelers who need reliable privacy
- Power users who want a Pi based home anchor
- Anyone who wants infrastructure they actually control
Equipment List
Minimalist setup:
- Raspberry Pi Zero (or Zero 2 W)
- 16–32 GB microSD
- 5V power supply or power bank
- USB Ethernet adapter or OTG cable
- Travel router (optional: Flint, Slate, Mango)
Realisistic Expectations
This is not the ultimate solution. It is a underpowered board and performance will reflect that. It does work. I have built it. I have tested it, but it is slow and boarderline unusable and you should expect that. Obviously higher end equipment would perform better such as a Raspberry Pi 5 or a mini computer. ZeroSentinel Version 1 bundles wireguard, unbound, and a canary which really pushes the humble Pi Zero to it’s limits. Version 2 will relocate wireguard to the router where it belongs, add AdGuard and free up the Pi device to handle DNS resolving and sentinel duties for the whole system.
I am always testing new equipment and pushing it to the limit to find out what it is actually capable of. This time I wanted to share that journey for the purpose to show you what options you really have. You do not have to buy off the shelf solutions from some corporate vendor that doesn’t actually do what you want. This project is intended to expand your mind and give you a low cost and low entry point to get your hands dirty and start building your own solutions.
The point is simple: you do not need corporate boxes or subscription privacy. You can build your own tools. Low cost. Low barrier. High control.
Many of the guides are still in the planning stages and will be linked and updated as they are released, so keep checking back for updates.
LAST UPDATED: Nov 2025
Related Master Guides
The master guides give you the system level defenses behind the tactical steps. Each of these expands the footprint work into system level defenses.
- Operational Privacy: From Setup to System
Build Guides (Main Sequence)
These are your core, linear build steps.
1. The ZeroSentinel Project: The Privacy Node You Build Yourself
What it is, why it exists, threat model overview, capabilities, limitations.
2. ZeroSentinel Part 1: WireGuard Server Setup Guide
- Flashing the Pi
- Configuring networking
- Installing WireGuard
- Creating keys
- Building the home endpoint
- Verifying tunnel routing
3. ZeroSentinel Part 2: Add Unbound as a Local Recursive Resolver
- Installing Unbound
- Enabling DNSSEC
- Root trust anchors
- Blocking fallback DNS
- Forcing all resolution through the tunnel
- Testing for leaks and rewrites
4. ZeroSentinel Part 3: Canary Scripts + Nostr Integration
- DNSSEC canary check
- WireGuard handshake monitor
- Resolver health check
- Upstream connectivity tests
- Encrypted Nostr DM alerts
- Logging + alert frequency
5. ZeroSentinel Part 4: Upgrading to Version 2
ZeroSentinel Version One shows you the lower bound of what’s possible. Version Two moves WireGuard to the router where it belongs, adds AdGuard on the router, and frees the Pi to handle recursive DNS and sentinel duties for the entire network.
6. ZeroSentinel Part 5: Fail Safe Routing Mode
- Killswitch rules
- nftables blocking defaults
- Tunnel enforcement
- Preventing fallback to LAN or ISP resolvers
Advanced Modules
These are optional but valuable expansions.
ZeroSentinel Project: Blocklist Integration
Adding filtered DNS through Unbound or external lists without breaking DNSSEC.
ZeroSentinel Project: Metrics + Health Dashboard
Pi status monitoring, Unbound stats, WG counters, uptime visibility.
ZeroSentinel Project: Running ZeroSentinel on a Pi 5
Higher speed setups, heavier load, multi-client support.
ZeroSentinel Project: Portable Privacy Kit
Turning ZeroSentinel into a complete travel bundle.
Related Support Hubs
- Digital Footprint Hub – Erase identifiers before hardening.
- Digital Lockdown Hub – Harden devices, browsers, and networks against surveillance.
- Network Privacy Hub – Kill DNS leaks, VPN failures, and ISP logging.
- Phone Privacy Hub – Mobile telemetry, OS residue cleanup, and location hardening.
- Crisis Mode Hub – Active threats, fast responses, and RF quieting.
- ZeroSentinel Hub – Your DIY privacy node
Build it. Run it. Trust yourself. ZeroSentinel is the first system in your stack that refuses to hand your privacy to someone else. Start with Part 1 and build your own off site sentinel today.