Recap

In parts 1-3 of this series, we fully configured VyOS as a home router. VyOS supports running containers directly within VyOS, which provides terrific extensibility. In this article, we’re going to add DNS filtering by installing AdGuard Home on VyOS for our clients to use.

Why should you use DNS filtering?

Many people hear “AdGuard” and think that it is solely a product for blocking ads. But really, AdGuard is just software that filters DNS requests. While that does include ads, it also includes blocked or hijacked advertisements, as well as blocking of things like adult websites.

Install AdGuard as a container

VyOS allows us to install additional software using containers. This provides an excellent method to extend the capabilities of VyOS beyond a simple router and firewall, to a more complete solution for home users.

Adding the AdGuard container image

We first need to add the AdGuard Home container image to VyOS so that we can build a container with it. The process of adding the image is very simple. This is done from Op Mode.

admin@GK41:~$ add container image adguard/adguardhome:latest

Reminder: You can easily tell if you’re in Op Mode or Conf Mode based on the ending values of your prompt.

  • Op Mode – admin@GK41:~$
  • Conf Mode – admin@GK41#


We can verify that the image was pulled correctly with this Op Mode command:

admin@GK41:~$ show container image
REPOSITORY                     TAG     IMAGE ID      CREATED      SIZE
docker.io/adguard/adguardhome  latest  879554cce44b  10 days ago  74.8 MB


Next we need to make a directory that is permanent. Only the “/config” directory will survive when upgrading to new versions of VyOS, so that is where we want to put any volume mappings for containers. Let’s create a directory in there for AdGuard.

sudo mkdir -p /config/containers/adguard

NOTE: You can use ‘sudo’ from either Op Mode or Conf Mode to run commands in the Linux shell like we did here.


Now we can actually configure the container. We start by saying we want the container to use host networking. This means the container shares VyOS's own network stack instead of getting an isolated one, so any port AdGuard listens on is opened directly on the router's addresses.

set container name AdGuard allow-host-networks


We also need to say we want to use that container image that we just pulled.

set container name AdGuard image 'adguard/adguardhome:latest'


And finally, we need to map a container volume to a host volume. Destination is the container volume, and source is the host volume that we just created with ‘mkdir’.

set container name AdGuard volume work destination '/opt/adguardhome/conf'
set container name AdGuard volume work source '/config/containers/adguard'


Once we’ve verified everything looks good, we can commit our config.

admin@GK41# compare commands

set container name AdGuard allow-host-networks
set container name AdGuard image 'adguard/adguardhome:latest'
set container name AdGuard volume work destination '/opt/adguardhome/conf'
set container name AdGuard volume work source '/config/containers/adguard'

commit


We can see if our container is running correctly with the following Op Mode command (prefixed with “run” because we are still in Conf Mode).

admin@GK41# run show container
CONTAINER ID  IMAGE                                 COMMAND               CREATED         STATUS         PORTS  NAMES
f0469d822a6b  docker.io/adguard/adguardhome:latest  --no-check-update...  18 minutes ago  Up 18 minutes         AdGuard

Configuring AdGuard

Once the container is running, we can access the setup portal using “http://<IP on VyOS>:3000”. I’m going to use http://10.0.0.1:3000. If you recall from part 3, 10.0.0.1 was the dummy interface I created for SSH. Once you’ve reached the setup page, select the “Get Started” button.


You’ll want to make sure you only listen on a single interface. I prefer to map this to a dummy interface.


Now you’ll create an admin account for AdGuard. I’m going to use “admin” as my username and “adminadmin” as my password. For your actual home router, make sure the user is an uncommon name, and that the password is strong. Don’t use usernames like “root”, “admin”, “superuser”, etc…


Now AdGuard tells us we need to configure our devices to use AdGuard. For us, that’s as simple as updating the DNS that we have in our DHCP pool.


Just delete the previous name-server for the DHCP pool, and add the IP that AdGuard is listening on. If everything looks good, you can commit it, and then hit “Next” in the AdGuard setup.

admin@GK41# compare commands
delete service dhcp-server shared-network-name Users subnet 10.0.10.0/24 option name-server '9.9.9.9'
set service dhcp-server shared-network-name Users subnet 10.0.10.0/24 option name-server '10.0.0.1'

commit


You’ll be presented with a screen saying setup is complete and giving you a link to access the AdGuard dashboard.


We can see in our dashboard that we don’t have any Queries.


For my setup, this is because while I updated the DNS in the DHCP pool, my device needs to pull a new lease from the router. Once I have a new lease, I can now see that I am blocking some requests.
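
One way to check the single-interface advice once setup is finished, as an added example that is not from the original article: because the container uses host networking, AdGuard's sockets show up in the router's own listener table, so this function reads `sudo ss -H -lntup` output and reports any AdGuard Home listener bound to an address other than the one you chose. The function name, the process name `AdGuardHome` and the sample lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag AdGuard Home sockets bound outside the intended address.
# Input on stdin: output of `sudo ss -H -lntup`, whose fields are
#   netid state recv-q send-q local-addr:port peer-addr:port process
# Assumption: the container's process is named "AdGuardHome".

adguard_exposed_listeners() {
    local expected_ip="$1" proc="${2:-AdGuardHome}"
    awk -v ip="$expected_ip" -v proc="$proc" '
        index($0, "\"" proc "\"") == 0 { next }   # skip other processes
        {
            local_ep = $5
            addr = local_ep
            sub(/:[0-9]+$/, "", addr)             # strip the trailing :port
            port = substr(local_ep, length(addr) + 2)
            gsub(/^\[|\]$/, "", addr)             # unwrap [v6] literals
            if (addr != ip) { print $1, addr, port; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: DNS is pinned to the dummy interface, but the web UI
# on port 3000 was left listening on every interface.
SAMPLE_SS='udp UNCONN 0 0 10.0.0.1:53 0.0.0.0:* users:(("AdGuardHome",pid=2301,fd=12))
tcp LISTEN 0 4096 10.0.0.1:53 0.0.0.0:* users:(("AdGuardHome",pid=2301,fd=14))
tcp LISTEN 0 4096 *:3000 *:* users:(("AdGuardHome",pid=2301,fd=9))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1100,fd=3))'

# Prints one "proto address port" line per listener outside 10.0.0.1.
printf '%s\n' "$SAMPLE_SS" | adguard_exposed_listeners 10.0.0.1 \
    || echo "AdGuard Home is listening outside 10.0.0.1"
```

On the router itself, pipe the live table in instead of the sample: `sudo ss -H -lntup | adguard_exposed_listeners 10.0.0.1`.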

Conclusion

Your VyOS can now block ads and malicious DNS at the network level. AdGuard has a lot of great features, and can be extended with additional block lists, but this configuration will get you up and running for most scenarios.


In Part 5 (the final part in this series), we’re going to be adding a traffic monitoring console using ntopng.

2 responses to “VyOS for Home Use: Part 4 – DNS filtering using AdGuard Home”

  1. I used commands as per this. Is it relevant?

    https://www.tarball.ca/posts/vyos-adguard-container/
    mkdir /config/adguardhome
    mkdir /config/adguardhome/conf
    mkdir /config/adguardhome/work
    add container image docker.io/adguard/adguardhome:latest
    set container name adguardhome allow-host-networks
    set container name adguardhome capability 'net-bind-service'
    set container name adguardhome image 'docker.io/adguard/adguardhome:latest'
    set container name adguardhome restart 'always'
    set container name adguardhome volume adguard-conf destination '/opt/adguardhome/conf'
    set container name adguardhome volume adguard-conf source '/config/adguardhome/conf'
    set container name adguardhome volume adguard-hosts destination '/etc/hosts'
    set container name adguardhome volume adguard-hosts mode 'ro'
    set container name adguardhome volume adguard-hosts source '/etc/hosts'
    set container name adguardhome volume adguard-work destination '/opt/adguardhome/work'
    set container name adguardhome volume adguard-work source '/config/adguardhome/work'

    1. The ‘net-bind-service’ capability isn’t needed since VyOS will run the container as root anyways.

      I don’t personally run ‘restart always’ with AdGuard, since if there’s a problem with the container, I’d rather it be down. I run multiple instances of AdGuard for redundancy however, so having the container restart on failure could be a good idea if you only have the single instance.

      I’ve never bothered mapping the actual ‘work’ directory, since the data in there is transient and I’ve never found a lot of value in making it persistent. There’s nothing wrong with doing it though.

      The mapping of the ‘hosts’ file can be useful so you don’t need to be able to recognize clients by IP alone when looking at DNS queries. If you want to use that, you’ll want to add this to your config:
      set service dhcp-server hostfile-update
