You need to export the cert and private key you are using for your nginx reverse proxy (on Unraid) and import them into AdGuard.
For DoH the cert held by AdGuard matters little, because TLS is terminated by your reverse HTTPS proxy. For DoT it is crucial, because there AdGuard terminates TLS itself (on port 853), so it must hold a valid cert and key for your domain.
If you don't have certs yet, you can use the "Let's Encrypt" HA plugin to create and renew them.
Personally I use the "Nginx Proxy Manager" plugin on my HA, which takes care of both certificate generation and renewal and of the integrated reverse proxy.
However, you must know about a limitation of AdGuard Home on HA.
While the DoT port (853) is reachable from your local network, the HTTPS port you configure in the AdGuard interface only listens on 127.0.0.1.
This is a problem, because Nginx Proxy Manager cannot forward traffic to that address: NPM runs on the hass.io (supervisor) Docker network, so 127.0.0.1 from inside NPM is NPM's own container, whereas AdGuard runs on the host network.
There are two solutions for that:
- Run AdGuard Home outside of HA.
- Keep AdGuard Home on HA, and run simpleproxy in a new container on your HAOS.
One day I might make a plugin for HA that does just that, but for now you'll have to get your hands dirty:
- Get access to the HAOS: Debugging the Home Assistant Operating System | Home Assistant Developer Docs
- Install the Nginx Proxy Manager HA plugin, as we need to proxy traffic from within the HA host.
- What you want is a TCP proxy that listens on 172.30.32.1:444 (the HA host's address on the add-on Docker network, so NPM can reach it) and forwards traffic to the HTTPS port of AdGuard, which is running at 127.0.0.1:441 (441 being the HTTPS port you have configured in the AdGuard UI). Bind the proxy to 172.30.32.1 only, never to 0.0.0.0, otherwise the AdGuard web interface becomes reachable from your whole LAN on port 444.
To that end, I slapped simpleproxy on a raspbian container. So you can directly do:
docker run -d --name doh-tcp-proxy --restart unless-stopped --network=host fclem/raspbian-bullseye simpleproxy -L 172.30.32.1:444 -R 127.0.0.1:441
(replace 441 by the port you used for HTTPS in AdGuard Home)
- Finally, create a proxy host in Nginx Proxy Manager for your domain, but put something bogus in Forward IP / Port (see figure 1). With a bogus default target, every path other than the custom location below fails with a 502 instead of being forwarded; if you pointed the host at 172.30.32.1:444 instead, you would give the whole internet access to your AdGuard Home web interface (login page and API), which would be absolutely terrible for you;
and then in custom locations put:
location: /dns-query
scheme: https
forward hostname: 172.30.32.1/dns-query
forward port : 444
as seen in figure 2:
With this setup I get access to my DoH and DoT on my public IP with my own domain. Super sweet!
For example, on Android you can set Private DNS to domain.tld (you need to forward TCP port 853 on your router to AdGuard for DoT),
and for DoH, in Chrome for example, use https://domain.tld/dns-query as the custom provider (TCP port 443 must reach Nginx Proxy Manager).
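Once the port forwards are in place it is worth checking from outside that only /dns-query is actually served and that the bogus forward target really keeps the admin UI off the internet. The script below is an added example written for this post; it is not AdGuard Home, Nginx Proxy Manager or simpleproxy code. It builds an RFC 8484 GET query by hand, parses the A records out of the wire-format answer, and probes a few paths that must not return 2xx. The public name dns.example.org and the probed paths (/, /control/status, /login.html) are assumptions for illustration; swap in your own domain.

```python
"""Added example (not part of the original post): check a DoH endpoint
published through a reverse proxy and confirm the admin UI is not exposed.

Assumed for illustration: the public name is dns.example.org, and the
AdGuard Home UI/API would answer on "/", "/control/status" (its API prefix)
and "/login.html" if the proxy were forwarding everything.
"""
import base64
import struct
import urllib.error
import urllib.request

DOH_PATH = "/dns-query"
# Paths that must NOT come back with a 2xx through the proxy (assumed list).
ADMIN_PATHS = ["/", "/control/status", "/login.html"]


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal wire-format DNS query (RFC 1035) with RD set.
    txid 0 is what RFC 8484 recommends so DoH GET requests are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(base: str, name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: <base>/dns-query?dns=<base64url, padding stripped>."""
    raw = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{base.rstrip('/')}{DOH_PATH}?dns={raw.decode()}"


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += n + 1


def parse_a_records(msg: bytes) -> list:
    """Extract the A record addresses from a wire-format DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def check_exposure(base: str, fetch) -> dict:
    """fetch(url) -> (status, body). DoH must answer 200 with a DNS response
    (QR bit set); every admin path must be non-2xx (502 from the bogus
    backend or 404 are both fine). Returns {"doh_ok": bool, "leaked_paths": [...]}."""
    status, body = fetch(doh_get_url(base, "example.com"))
    doh_ok = status == 200 and len(body) >= 12 and (body[2] & 0x80) != 0
    leaked = []
    for path in ADMIN_PATHS:
        s, _ = fetch(base.rstrip("/") + path)
        if 200 <= s < 300:
            leaked.append(path)
    return {"doh_ok": doh_ok, "leaked_paths": leaked}


def http_fetch(url: str):
    """Real fetcher: returns (status, body) and never raises on HTTP errors."""
    req = urllib.request.Request(url, headers={"Accept": "application/dns-message"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
    except urllib.error.URLError:
        return 0, b""


if __name__ == "__main__":
    # Assumed public name; run this from outside your LAN.
    print(check_exposure("https://dns.example.org", http_fetch))
```

Run it from a network other than your own (a phone on mobile data with a terminal app is enough). `doh_ok` false usually means the custom location or the simpleproxy container is wrong; any entry in `leaked_paths` means the proxy host's default forward target is pointing at AdGuard and the UI is on the internet.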
