Pi Shield

Introduction: Pi Shield

What it does: once setup, your Pi will broadcast a WiFi network. Any devices, such as phone/tablet/laptop, that connects to this WiFi will be shielded from inappropriate content. You can customize what will be filtered out based on banned site name, banned words, banned extension. The Pi will also enforce safe-search on Google and YouTube.
===> kid-friendly surfing

What we'll need:

  • Raspberry Pi with usual SD card and power supply
  • USB wifi dongle with Access Point (AP) functionality, consider one with external antenna to get longer range

What we'll do:

  • Install the required packages on a fresh image
  • Set up the Access Point
  • Set up the Web Filtering: force Google SafeSearch
  • Set up the Web Filtering: block Blacklisted sites

Optional: Automatic Installation Script
If you are more interested by the end result than the way to get there and you're eager to fire it up, just download this Automatic Installation Script.

  1. load a fresh Raspbian image on your SD card and connect to it through SSH
  2. download the script with: wget http://www.fasyl.com/rpi/bake_PiShield.sh
  3. make the file executable: chmod +x bake_PiShield.sh
  4. run the script with root privilege: sudo ./bake_PiShield.sh
  5. input the name, password and sub-network parameters when prompted
  6. you should now have the Pi broadcasting a new wifi network to which you can connect with your laptop, cell phone, tablet, etc. Any device connected to the wifi network will enjoy web-browsing shielded from 'adult' content.

Should you run into any trouble, drop a line in the comments below.

Teacher Notes

Teachers! Did you use this instructable in your classroom?
Add a Teacher Note to share how you incorporated it into your lesson.

Step 1: Install Packages on a Fresh Image

When starting this project, I wanted a solution that will

  1. ban access to blacklisted sites
  2. enforce safe search on Google and Youtube
  3. not require any set-up on the end-user device

There are many options out there but I could not find one meeting all these criteria.

The sketch above outlines the typical network configuration for this project. The PiShield is wired to your router and acts as wifi access-point. Any devices connected to this wifi network will be shielded. Other devices connected directly to the router will not. Once connected to the PiShield wifi, there is no need for specific configuration on the laptop/table/phone; they will be protected right away. This means that visiting friends will also enjoy protection transparently.

Let's get into it. Grab an SD card and install your favorite image. The info in this post were based on a Raspbian-based distribution but should work on other with some tuning.

I picked the Raspian Jessie Lite as there is no need for a desktop environment on this project.

You may want to change the default password and expand the SD card before we install the required packages at the command prompt:

sudo apt-get install hostapd dnsmasq iptables squid3 dansguardian

hostapd is the daemon that will handle the wireless Access Point (ie allow devices to connect to your Pi through wifi)
dnsmasq and iptables will allow routign of the web traffic so that the devices can reach the Internet through your Pi
squid3 and dansguardian will filter out any web content unsafe for young eyes

Step 2: Set Up the Access Point

Consider getting a wifi dongle with an external antenna so that you get better range for your wifi network.
I am running a TP-LINK TL-WN722N. Works like a charm.

Please going any further, run two checks on your wifi dongle:

/!\ : ensure that your wifi dongle offers Access Point. Some do not.
To check this run iw list | grep -A 8 modes:at the command line. If AP does not show up in the supported modes, you are out of luck and will need another dongle.

/!\: ensure that your wifi dongle runs on a 80211 driver.
To check this run dmesg | grep -i 80211 at the command line. If nothing shows up, you are on your own... There is still hope but you will probably need to download other version of hostapd; this tutorial may help.

OK, let's fire up the wifi. To do so, we need to edit these files:

  1. in /etc/default/hostapd, type:
  2. in /etc/hostapd/hostapd.conf, type:
  3. in /etc/network/interfaces, type:
    source-directory /etc/network/interfaces.d
    auto lo iface
    lo inet loopback
    iface eth0
    inet manual auto wlan0
    allow-hotplug wlan0
    iface wlan0 inet static
    up iptables-restore < /etc/iptables.ipv4.nat
  4. in /etc/dnsmasq.conf, type:

Of course, change the ssid (wifi network name) and passphrase (password) from /etc/hostapd/hostapd.conf to your liking.

At this point, if you restart hostapd with sudo service hostapd restart; sudo service dnsmasq restart, you should see the newly created wifi, connect to it and get an IP... but not yet be able to access the Internet.

To get to the Web, we need to route the traffic between the wired and wireless networks. To do so:

  1. in /etc/sysctl.conf, add:
  2. at the command line, run:
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -i wlan0 -j ACCEPT
    iptables -A OUTPUT -o wlan0 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
    iptables -A FORWARD -i wlan0 -j ACCEPT
    iptables-save > /etc/iptables.ipv4.nat
    sysctl -p

Alright! Open a browser from your phone/tablet and you should now be able to access the Web :)

Step 3: Set Up the Web Filtering: Force Google SafeSearch

Now that we can access the web, let's filter it to make it kids friendly.

First, we will enforce Google Safe Search by re-routing any Google and YouTube search to the forcesafesearch server per this tip from Google.

We simply need to go back to /etc/dnsmasq.conf and add:


Then restart the daemon at the comand line: sudo service dnsmasq restart

You should add the google and youtube extension for your country. Note that search directed to other google domains will not be filtered.

Step 4: Set Up the Web Filtering: Block Blacklisted Sites and Offensive Content

In our second step to filtering out inappropriate web content, we will rely on the great software DansGuardian.
This software will let you ban visit to pages based on site name (blacklist) and site content (weighted phrase).
This means that it not only locks out site like other blacklist system but also analyzes the actual text on the page, each inadequate words gets assign a score and if the total score is too high, the page gets banned.

DansGuardian comes with blacklist filtering capability but no blacklist. This can easily be added by downloading from free repositories. They are several alternatives out there. We will use the one maintained by University de Toulouse:

  1. download the blacklist with:
    wget http://cri.univ-tlse1.fr/blacklists/download/blac...
  2. extract the blacklists with:
    sudo tar -C "/etc/dansguardian/list" -zxf blacklists.tar.gz

Now have a look at the blacklist content with ls /etc/dansguardian/lists. The banned sites are grouped by "theme": adult content, gambling, etc. Note down the names of the ones you would like to enable.

DansGuardian allows a lot of customization; here are the key configurations to set:

  1. comment out UNCONFIGURED in /etc/dansguardian/dansguardian.conf by adding a # in front:
    #UNCONFIGURED - Please remove this line after configuration
  2. add blacklist filtering for the lists you selected by uncommenting them in /etc/dansguardian/lists/bannedsitelist: eg, to filter out adult content, remove the # on the line with /etc/dansguardian/lists/blacklists/adult/domains
  3. remove the content filtering based on Japanese and Chinese language as these can get confused and filter out non Asian sites. In /etc/dansguardian/lists/weightedphraselist, add a # in front of the lines with japanese and chinese.
  4. remove the filtering based on extensions as this will ban access to any .mp3 or .avi. In /etc/dansguardian/lists/bannedmimetypelist and /etc/dansguardian/lists/bannedextensionlist, add a # in front of the lines you whish to allow
  5. reload DansGuardian by running at the command line: sudo dansguardian -r

There is much more to customize in DansGuardian; for example, you can customize the page displayed when ones try to access a rejected page, you can filter extension types or filter with regex. Plenty of useful info can be found on:

Step 5: Enjoy a Clean Web

That was a rather long process but we are set. You should now have your Pi offering an Internet wifi access that will protect kids and grown-ups from 'bad' content.

Let's take it on a test drive ! Connect to the Pi's wifi and open your browser to visit:

  • wikipedia: access granted, surfing as ususal
  • google: access granted, search results will point you to safe content; for example, the first hits on tits will point you to birds, while image results will be reasonable naked.
  • youtube: access granted, search results will indicate that access to some content has been banned by the administrator.
  • tits.com or other site mentioned on one of the enabled blacklist: access banned

I hope you found this useful. If so, drop a quick line at: http://fasyl.com/rpi/pilog/PiLog.php

1 Person Made This Project!


  • Trash to Treasure Contest

    Trash to Treasure Contest
  • Raspberry Pi Contest 2020

    Raspberry Pi Contest 2020
  • Wearables Contest

    Wearables Contest

11 Discussions


Question 1 year ago

So wikipedia lists dansguardian as having been discontinued/out of development for 5 years. Has anyone tried this with another more up to date software like e2guardian?


1 year ago

Does this have a documentation? Can I set up time restrictions?


Reply 1 year ago

Hi, I did not implement time restrictions but you can achieve this either through:
- DansGuardian module (simply google it) or,
- iptables (you can setup a cronjob to drop the connection for all or for a certain set of IP)


1 year ago


When I use your script, it work just one time.

If I reboot, eth0 is down and I can't use my rbp.

When I ifconfig eth0 up, it work but no internet connection and I don't know why...

If I ping google, it say network is not available.

If I put my mouse on network icon (top right), it say "No wireless interface found"

I have to reset my rpb to correct this bug...


Reply 1 year ago

Hi TimothéeD5,
Few questions to help understand the issue:
1) Which PI are you using?
2) Are you using an external USB wifi dongle? If so, which one?
3) Which OS are you using? This Instructable was written under Raspbian Jessie Lite.
4) Did you install through the bash script (bake_PiShild.sh) or following the step by step description? If using the script, it logs installation info in the file: /boot/bake_log.* There may be some errors/warnings there.


2 years ago

I would like to use this with a pi zero w. The obvious problem is lack of ethernet. I could add a port via the gpo pins or is there a way of using an additional usb wifi adapter? I want to keep it as cheap and simple as possible. Any suggestions?


Reply 2 years ago

Hi si2009,

You will need two independent interfaces, so USB dongle is required (ie the onboard wifi alone is not sufficient); you could either use a ethernet or wifi dongle. If using a USB wifi dongle, you will have to update the command lines accordingly by using wlan1.


3 years ago

It just works. Thanks for a great script.


3 years ago

This is even simpler if you are using the Raspberry Pi 3 - it's onboard WiFi is inherently Access-point capable.


Reply 3 years ago

Does anyone have information regarding the RF range of the built-in RPi3 WiFi module?


3 years ago

thanks. I even like it that you made an auto install script for us people that are not that techy