AdGuard Home as Private DNS Server on Raspberry Pi

To access AGH outside network and to use it as a private DNS server, we need 3 things -

1. Domain
2. TLS Certificate
3. Port forwarding

Registering Domain

• You can register domain from any website, however, one of the free option is to use duckdns.org. Create account, add a sub-domain to your account.
• You need to attach your public IP address to the domain you have created. You can use whatismyip.com to find your public IP address.

Obtaining TLS Certificate

Encryption is based on TLS certificate and it is needed to use AGH as a private DNS server which is accessible outside your home network. We can obtain TLS certificate for free using letsencrypt.org.

Install Certbot

sudo apt update
sudo apt install certbot

Get a certificate using DNS challenge

1. Start issuing certificate
   

   sudo certbot certonly --manual --preferred-challenges=dns -- preferred-chain="ISRG Root X1"
   

2. Enter the domain you've registered on DuckDns.org. After this step -- DO NOT press continue until you add DNS challenge record to your domain.

3. Add DNS challenge to your domain by visiting the following URL -
   

   https://www.duckdns.org/update?domains={DOMAIN}&token={TOKEN}&txt={TXT_VALUE}
   

   Here, DOMAIN is your domain.duckdns.org. TOKEN you can find in home page of DuckDns. TXT_VALUE is the verification string in terminal generated using certbot command.

4. Press enter to continue and verify the ownership of the domain.

5. After successful verification, fullchain.pem and privkey.pem files will be generated for your domain. Please note down the path of both of these files.

Enable Encryption in AdGuard Home

1. Go to AGH > Settings > Encryption Settings
2. Enable Encryption checkbox
3. Enter your duckdns domain in Server Name
4. Set fullchain.pem file path in Certificate section. After adding status should be "Certificate chain is valid"
5. Set privkey.pem file path in Private key section. After adding status should be "This is a valid RSA private key"
6. Save Configuration

Port Forwarding

• Encrypted traffic needs reaches to AGH server and for that port needs to be forwarded. I recommend to forward all ports but you can forward the port based on your need. Forwarding different ports enables different "feature". Here's quick summary -
  • HTTPS port (443) - When you forward HTTPS port, you can access AGH Dashboard using https://{your-domain}.duckdns.org.
  • DNS-over-TLS port (853) - Forwarding this port enables you to use AGH as private DNS service in mobile devices outside your home network.
  • DNS-over-QUIC port (784) - Forwarding this port enables the devices to use DNS-over-QUIC as private DNS server.
• Forwarding port on Router
  • Login to router and find port forward / virtual servers settings
  • Depending on your router you will have combination of these probably with different names for External IP, External Port, Internal IP and Internal Port.
  • External IP is your public IP address, Internal IP is your Raspberry Pi address and internal/external port will be (443, 853 or 784). Save settings for each port to enable port forwarding.

Use as private DNS

If all steps are successful, you can use https://{your-domain}.duckdns.org to visit AGH server from any network. You can also configure {your-domain}.duckdns.org as private DNS on various devices.