Introduction

After using AdGuard-DNS 1 for a while, I decided to switch back to a self-hosted setup for better control and privacy. I upgraded from an old Raspberry Pi to the new Raspberry Pi 5 and installed AdGuard Home.

What attracted me to AdGuard Home was its support for secure protocols like DNS over HTTPS/TLS and QUIC. The recent partnership 2 between Tailscale and Mullvad VPN also caught my attention, offering a perfect fit for my privacy goals: local DNS filtering with AdGuard Home and online encryption with Mullvad VPN.

This setup is new to me, so there might be room for optimization along the way.

Raspberry Pi OS

For the operating system, I used Raspberry Pi OS Lite 64-bit 3 for optimal performance. For an easy installation process, I used the Raspberry Pi Imager to write Raspberry Pi OS Lite 64-bit onto a Micro-SD card.

Raspberry Pi Imager 01

Once the installation was complete, I booted up the Raspberry Pi and connected to it over SSH from PowerShell on Windows. The first thing I did after logging in was to update the system to the latest packages:

sudo apt update && sudo apt -y upgrade
sudo apt install -y unattended-upgrades

Optional Configuration (via raspi-config):

I also did the following:

sudo raspi-config
# 1 System Options - S5 Boot / Auto Login - B2 Console Autologin
# 6 Advanced Options - A1 Expand Filesystem

Once that was done, I rebooted the Raspberry Pi with the command:

sudo shutdown -r now

AdGuard Home

Installing AdGuard Home was straightforward with a curl command, followed by configuring it through the installation wizard.

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

AdGuard Home is successfully installed and will automatically start on boot.
There are a few more things that must be configured before you can use it.
Click on the link below and follow the Installation Wizard steps to finish setup.
AdGuard Home is now available at the following addresses:
2024/02/10 20:10:39 [info] go to http://127.0.0.1:3000
2024/02/10 20:10:39 [info] go to http://[::1]:3000
2024/02/10 20:10:39 [info] go to http://192.168.2.155:3000

Accessing http://192.168.2.155:3000 led me to the installation wizard, guiding me through the setup process.

AdGuard Home getting started wizard

With AdGuard Home up and running, I had the choice to either configure my local network devices to use the Raspberry Pi’s IP address (192.168.2.155) as their custom DNS server, or to set it directly in my internet router settings for network-wide ad-blocking and tracking protection. However, I chose not to, as I planned to use DNS-over-HTTPS/TLS on my devices.

Tailscale networking

To extend AdGuard Home DNS filtering beyond my local home network, traditional methods involve complex port forwarding on routers, posing security risks. That’s where Tailscale comes in. Tailscale simplifies the setup with just a few steps:

  1. Login to the Tailscale website 4.
  2. Install Tailscale using a curl command.
    • curl -fsSL https://tailscale.com/install.sh | sh
  3. Start the Tailscale process.
    • sudo tailscale up --accept-dns=false
  4. Authenticate the device at the provided URL.
  5. Obtain the Tailscale IP address.
    • tailscale ip
    • Note the 100.xxx.xxx.xxx IP address.
  6. Configure Tailscale DNS settings 5 to use AdGuard Home.
    • Add 100.xxx.xxx.xxx at Global Nameservers.
    • Enable Override local DNS.

Tailscale Global Nameservers

Tailnet Name, HTTPS/TLS Certificates

As I’ve mentioned earlier, my plan involves using DNS-over-HTTPS/TLS on my devices. Typically, obtaining free TLS certificates involves using Certbot (Let’s Encrypt) 6. However, I encountered an issue: this method requires linking an external domain name to my external IP address, and using DNS-over-HTTPS then requires configuring clients to communicate via that external domain. Since I intentionally keep the AdGuard Home setup on the Raspberry Pi isolated from external access, this approach doesn’t work for me.

There’s a workaround: generate TLS certificates for the Tailnet name, using the Tailscale client on the Raspberry Pi to produce them. The Tailnet name is accessible only within the Tailnet private network.

Generating TLS certificates

To generate TLS certificates, I configured specific settings on the Tailscale admin console, enabling Tailnet name and HTTPS Certificates in the DNS settings, and activating MagicDNS for added convenience.

On the Raspberry Pi, I used the following command to generate the TLS certificates:

sudo tailscale cert <yourmachinename.tailnetname.ts.net>

This command produces two files with the extensions .crt and .key.

AdGuard Home: Enabling DNS-over-HTTPS/TLS

To enable DNS-over-HTTPS/TLS in AdGuard Home:

  1. Access the local AdGuard Home website using the internal IP or Tailnet name of the Raspberry Pi and log in.
  2. Navigate to the Encryption settings page.
  3. Enable Encryption and specify the Tailnet name of the Raspberry Pi under Server name.
  4. Check Redirect to HTTPS automatically.
  5. Enter the file locations for the TLS certificates under Certificates (.crt) and Private key (.key).

After configuring these settings, DNS-over-HTTPS/TLS becomes operational. You can find the addresses to use in the Setup Guide, such as:

https://yourmachinename.tailnetname.ts.net/dns-query

Tailscale VPN client

Activating DNS-over-TLS

To activate DNS-over-TLS on your Android mobile device:

  1. Go to Network & Internet settings.
  2. Look for Private DNS.
  3. Choose Private DNS provider hostname.
  4. Enter your Raspberry Pi Tailnet name.
  5. Save the settings.

Private DNS

After enabling DNS-over-TLS, when connected to your local home network, using this Tailnet name triggers a notification saying there is no internet access, even though you are connected, and you may see an exclamation mark over the signal icon. However, as long as the Tailscale client is connected, both internet and local home network access keep working.

No internet access warning

It’s worth noting that the notification and exclamation mark disappear when not connected to the local home network. Why they appear only while on the local home network is unclear.

In the AdGuard Home logs, I can verify that DNS-over-TLS is working on my phone.

Working DNS-over-TLS

Activating DNS-over-HTTPS on Your Computer (Windows 11)

To activate DNS-over-HTTPS on your Windows 11 computer:

  1. Navigate to Network & Internet settings.
  2. Select Edit network DNS settings and input the DNS-over-HTTPS URL.

Windows DNS Settings

In your browser (LibreWolf or any Firefox-based browser):

  1. Navigate to Privacy & Security settings.
  2. Navigate to DNS-over-HTTPS.
  3. Choose Max Protection and enter the same DNS-over-HTTPS URL.

For other browsers, locate the privacy settings to configure DNS-over-HTTPS.

Browser DNS Settings

You can verify if it is working the same way as before, in the AdGuard Home logs.
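As an added example that is not part of the original post, here is a small Python client for checking the same thing from a Tailscale-connected machine: it builds the DNS-over-HTTPS GET request for the /dns-query URL above, sends the same query framed for DNS-over-TLS on port 853 (the path Android Private DNS uses), and parses the A records in the answer, with certificate and host name verification left at the library defaults so a wrong or expired Tailnet certificate fails loudly. HOST is the placeholder name from the post; the two live functions need the Tailscale client connected, while the build and parse functions run offline.

```python
import base64, socket, ssl, struct
import urllib.request

HOST = "yourmachinename.tailnetname.ts.net"  # placeholder name from the post
DOH_URL = f"https://{HOST}/dns-query"

def build_query(name: str, qtype: int = 1) -> bytes:
    """RFC 1035 query with ID 0 and RD set (RFC 8484 suggests ID 0 so DoH responses cache)."""
    labels = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def doh_get_url(name: str, base: str = DOH_URL) -> str:
    """RFC 8484 GET form: the query travels base64url-encoded, padding stripped, in ?dns=."""
    return f"{base}?dns=" + base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")

def parse_a_records(msg: bytes) -> list:
    """Collect IPv4 addresses from the answer section, honouring name compression."""
    def skip_name(pos: int) -> int:
        while msg[pos] != 0:
            if msg[pos] & 0xC0 == 0xC0:   # compression pointer ends the name
                return pos + 2
            pos += 1 + msg[pos]
        return pos + 1
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = skip_name(pos) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_over_https(name: str, url: str = DOH_URL) -> list:
    """Live DoH check; urllib verifies the Tailnet certificate against the URL's host name."""
    req = urllib.request.Request(doh_get_url(name, url), headers={"Accept": "application/dns-message"})
    return parse_a_records(urllib.request.urlopen(req, timeout=5).read())

def query_over_tls(name: str, host: str = HOST) -> list:
    """Live DoT check on port 853; the default context verifies the chain and host name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 853), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
        query = build_query(name)
        tls.sendall(struct.pack(">H", len(query)) + query)   # RFC 7858: 2-byte length prefix
        reader = tls.makefile("rb")       # read() blocks until the requested bytes arrive
        (length,) = struct.unpack(">H", reader.read(2))
        return parse_a_records(reader.read(length))
```

Each live query should then also show up in the AdGuard Home query log with the Tailscale IP of the client as its source.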

Mullvad VPN Endpoints as Exit Nodes

I want to hide my IP address on the open internet, which is why I use Mullvad VPN. Since two VPN clients can’t run at the same time, I use Mullvad VPN exit nodes instead, made possible by their partnership with Tailscale. This partnership is one of the reasons I prefer this setup.

Using Mullvad VPN exit nodes is not free; it requires a subscription fee. However, the cost is lower through Tailscale than when purchasing directly from Mullvad. Mullvad charges 5 Euros per month, while through Tailscale it’s slightly over 3 Euros, depending on the current Dollar to Euro exchange rate. This subscription allows up to 5 Tailscale clients to connect, which is more than sufficient for me (mobile phone, tablet and my computer).

To purchase and configure Mullvad VPN, navigate to the settings page 7 on the Tailscale website. Once you’ve made the purchase, open the Tailscale app on your mobile phone, for example. In the app menu, select “Use exit node…” and then choose the Mullvad server you prefer. Don’t forget to check the box labeled “Allow LAN access”.

Mobile VPN Exit node

Windows VPN Exit node

Final Thoughts

With this setup in place, I’ve gained full control over my DNS filtering and data privacy, all while fortifying my internet security via a VPN. Plus, I can now access my local home network remotely, adding an extra layer of convenience.

However, it’s essential to note that with DNS-over-HTTPS and DNS-over-TLS configured, disconnecting from Tailscale results in a loss of internet connectivity, because the configured Tailnet name isn’t reachable from outside the Tailscale private network. So I have to stay connected!

Currently, I’ve set up AdGuard Home to use an external DNS server as its upstream for lookups, namely quic://dns.adguard-dns.com. This means that, ultimately, my DNS traffic is still directed to an external party. As a result, I’m considering deploying my own recursive DNS server using the Unbound software in the future.
