Introduction
After using AdGuard-DNS 1 for a while, I decided to switch back to a self-hosted setup for better control and privacy. I upgraded from an old Raspberry Pi to the new Raspberry Pi 5 and installed AdGuard Home.
What attracted me to AdGuard Home was its support for secure protocols like DNS over HTTPS/TLS and QUIC. The recent partnership 2 between Tailscale and Mullvad VPN also caught my attention, offering a perfect fit for my privacy goals: local DNS filtering with AdGuard Home and online encryption with Mullvad VPN.
This setup is new to me, so there might be room for optimization along the way.
Raspberry Pi OS
For the operating system, I used Raspberry Pi OS Lite 64-bit 3 for optimal performance. For an easy installation process, I used the Raspberry Pi Imager to install Raspberry Pi OS Lite 64Bit
onto a Micro-SD card.
Once the installation was completed; I booted up the Raspberry Pi and used PowerShell on Windows to connect to the Raspberry Pi by using SSH. Once I logged in, the first thing I did was updating the system to the latest packages.
Optional Configuration (via raspi-config
):
I also done the following.
Once I have done that I rebooted the Raspberry Pi with the command:
sudo shutdown -r now
AdGuard Home
Installing AdGuard Home was straightforward with a curl
command, followed by configuring it through the installation wizard.
|
|
|
|
Accessing http://192.168.2.155:3000
led me to the installation wizard, guiding me through the setup process.
With AdGuard Home up and running, I had the choice to either configure my local network devices to use the Raspberry Pi’s IP address (like 192.168.2.155
) as the custom DNS server or set it directly within my internet router settings for network-wide ad-blocking and tracking protection. However, I choose not to as I had plans to employ DNS-over-HTTPS/TLS on my devices.
Tailscale networking
To extend AdGuard Home DNS filtering beyond my local home network, traditional methods involve complex port forwarding on routers, posing security risks. That’s where Tailscale comes in. Tailscale simplifies the setup with just a few steps:
- Login to the Tailscale website 4.
- Install Tailscale using a curl command.
curl -fsSL https://tailscale.com/install.sh | sh
- Start the Tailscale process.
sudo tailscale up --accept-dns=false
- Authenticate the device at the provided URL.
- Obtain the Tailscale IP address.
tailscale ip
- Note the
100.xxx.xxx.xxx
IP address.
- Configure Tailscale DNS settings 5 to use AdGuard Home.
- Add
100.xxx.xxx.xxx
atGlobal Nameservers
. - Enable
Override local DNS
.
- Add
Tailnet Name, HTTPS/TLS Certificates
As I’ve mentioned earlier, my plan involves using DNS-over-HTTPS/TLS on my devices. Typically, obtaining free TLS certificates involves using Certbot (LetsEncrypt) 6. However, I encountered an issue: this method requires linking an external domain name to my external IP address. Additionally, using DNS-over-HTTPS requires configuring clients to communicate via this external domain. However, since I intentionally keep the AdGuard Home setup on the Raspberry Pi isolated from external access, this approach doesn’t work.
There’s a workaround; generating TLS certificates on the Tailnet name and using the Tailscale client on the Raspberry Pi to produce these certificates. The Tailnet name is accessible only within the Tailnet private network.
Generating TLS certificates
To generate TLS certificates, I configured specific settings on the Tailscale admin console, enabling Tailnet name
and HTTPS Certificates
in the DNS settings, and activating MagicDNS
for added convenience.
On the Raspberry Pi, I used the following command to generate the TLS certificates:
sudo tailscale cert <yourmachinename.tailnetname.ts.net>
This command produces two files with the extensions .crt
and .key
.
AdGuard Home: Enabling DNS-over-HTTPS/TLS
To enable DNS-over-HTTPS/TLS in AdGuard Home:
- Access the local AdGuard Home website using the internal IP or Tailnet name of the Raspberry Pi and log in.
- Navigate to the
Encryption settings
page. Enable Encryption
and specify the Tailnet name of the Raspberry Pi underServer name
.- Check
Redirect to HTTPS automatically
. - Enter the file locations for the TLS certificates under
Certificates
(.crt
) andPrivate key
(.key
).
After configuring these settings, DNS-over-HTTPS/TLS becomes operational. You can find the addresses to use in the Setup Guide
, such as:
https://yourmachinename.tailnetname.ts.net/dns-query
Tailscale VPN client
Activating DNS-over-TLS
To activate DNS-over-TLS on your Android mobile device:
- Go to
Network & Internet
settings. - Look for
Private DNS
. - Choose
Private DNS provider hostname
. - Enter your Raspberry Pi Tailnet name.
- Save the settings.
After enabling DNS-over-TLS: When connected to your local home network, using this Tailnet name prompts a notification indicating a lack of internet access, despite being connected. Also, you may see an exclamation mark over the internet signal logo. However, as long as you’re connected with the Tailscale client, both internet and local home network access remain functional.
It’s worth noting that these notifications and exclamation mark disappear when not connected to the local home network. However, the reason for these notifications only occurring when connected to the local home network is unclear.
In the Adguard Home logs, I can verify that DNS-over-TLS is working on my phone.
Activating DNS-over-HTTPS on Your Computer (Windows 11)
To activate DNS-over-HTTPS on your Windows 11 computer:
- Navigate to
Network & Internet
settings. - Select
Edit network DNS settings
and input the DNS-over-HTTPS URL.
In your browser, Librewolf or any Firefox based browser:
- Navigate to
Privacy & Security
settings. - Navigate to
DNS-over-HTTPS
. - Choose
Max Protection
and enter the same DNS-over-HTTPS URL.
For other browsers, locate the privacy settings to configure DNS-over-HTTPS.
You can verify if it is working the same way as before, in the AdGuard Home logs.
Mullvad VPN Endpoints as Exit Nodes
So I want to hide my IP on the open internet, this is why I use Mullvad VPN but due to the inability to run two VPN clients simultaneously, we can use Mullvad VPN exit nodes, thanks to their partnership with Tailscale. This partnership is one of the reasons why I prefer this setup.
Using Mullvad VPN exit points is not free; it requires a subscription fee. However, the cost is lower through Tailscale compared to directly purchasing from Mullvad. Mullvad charges 5 Euros per month, while through Tailscale, it’s slightly over 3 Euros, depending on the current Dollar to Euro conversion rates. This subscription allows connection for up to 5 Tailscale clients, which is more than sufficient for me (mobile phone, tablet and my computer).
To purchase and configure Mullvad VPN, navigate to the settings page 7 on the Tailscale website. Once you’ve made the purchase, open the Tailscale app on your mobile phone, for example. In the app menu, select “Use exit node…” and then choose the Mullvad server you prefer. Don’t forget to check the box labeled “Allow LAN access”.
Final Thoughts
With this setup in place, I’ve gained full control over my DNS filtering and data privacy, all while fortifying my internet security via a VPN. Plus, I can now access my local home network remotely, adding an extra layer of convenience.
However, it’s essential to note that with DNS-over-HTTPS and DNS-over-TLS configured, disconnecting from Tailscale will result in loss of internet connectivity. So I have to stay connected! Because the configured Tailnet name isn’t reachable from outside the Tailscale private network.
Currently, I’ve set up AdGuard Home to use an external DNS server for lookups, namely quic://dns.adguard-dns.com
. However, this means that ultimately, my DNS traffic is still directed to an external party. As a result, I’m considering of deploying my own DNS server using the Unbound software in the future.
Webmention
Comments
If you're using a platform that supports ActivityPub, feel free to respond to this thread.