Try adguard home with docker-compose to deploy it.
I am a newbie, if you could guide me step by step please…
I went down this rabbit hole yesterday. I documented the steps used to create an Adguard Home container in Vyos 1.4:
I went a little further and used the Vyos forwarder listening on a different port as a recursive DNS server that Adguard uses to avoid using public DNS servers but that’s not reflected in this guide. Adguard not supporting this out of the box is a little silly but there are workarounds.
Let me report back after checking. You’re a saviour.
Thank you so much for sharing the steps to create an AdGuard Home container in VyOS 1.4! Your documentation and insights are incredibly valuable to our community. We really appreciate your contribution. Thanks again!
I describe my implementation of PiHole and using Cloudflare DoH (DNS over HTTPS) in this post if you are curious.
If you don’t want to use DoH you can use the normal PiHole docker image instead of the one I use, or create your own.
OK, got it working.
Thanks a ton, you saved my week’s time, but please make a small correction: two lines are incomplete.
volume adguard-work source ‘/config/adguard/work’(adguardhome/work)
Just to save time of someone else.
You guys rock. I feel like we are all one family helping out each other. I’m slowly removing **sense from all my 5 installations once I have full command over VyOS…
Good catch. I’m actually using /config/adguard for my setup and just messed up the instructions. Updated!
I’ve been running almost exactly this setup for about a year, thought it would be a pretty rare config. Many people would run the container on another server, but I like it being in vyos for simplicity. My only two differences to your config were:
- I had “cap-add net-raw”, you’ve made me realise I could narrow that down to net-bind-service, of course!
- I haven’t done the same as you with /etc/hosts, but it makes sense. I haven’t found a need to with my setup, I think because I also use Adguard Home for DHCP I don’t have anything special in the vyos hosts file anyway.
In Adguard Home I’m using DoH and DNSSEC to connect to a few upstreams, and I find setting parallel requests and optimistic caching makes it very fast, with average processing time being ~1ms. I’m not too worried about it not being recursive, and I prefer Adguard Home currently over PiHole because of the ease of setting different filters and upstreams for my kids’ devices. Haven’t tried PiHole for a few years though, it may have caught up.
Oh boy, nope I definitely needed “cap-add net-raw” for my setup. Without it my devices weren’t being given IP addresses from Adguard Home’s DHCP server.
Just out of curiosity: why are you using Adguard DHCP server over VyOS DHCP server? I am not saying you are doing anything wrong here, I am just curious
No problem. Firstly I’m only using this in a home network, and acknowledge it’s probably not best practice. The short answer is that it just comes down to what I do rarely vs what I do often.
I prefer repeatable text based configuration. I use VyOS for the same reason I use NixOS, I like that (given the same hardware and image version) the same config file will give me an identical environment, and I can quickly roll back any changes. Sometimes I see people asking for GUI features in VyOS and I understand that, but if I wanted that myself there are other firewalls that provide it. I just want a stable router/firewall that rarely changes, and when it does I can commit the config into git.
Except for DHCP/DNS! I’m constantly messing with individual devices. I have different subnets defined in VyOS to use different VPNs, for example, and I often add or move devices between subnets to switch those. With Adblock Home I don’t have to get on my computer, I can pop out my phone and do it very quickly, it has an easy and intuitive interface.
So for me using ABH with VyOS is the best of both worlds. Pihole and other systems would offer a similar experience. There are probably significant risks to stability having my network rely on a podman container inside the router, but it has been bulletproof for my limited use case (until the tiny change I made and reverted today) so, I’m happy.
Since you seem to be working with Adguard a lot: if I have IPv6 on my WAN and LAN, do we have to specify an IPv6 DNS server in upstream, or is it automatic?
I don’t know, I disable ipv6 everywhere on my network.
(I know that’s frowned upon in IT circles, but shrug it’s just my home network and it makes my life simpler.)
Same to me! IPv4 will be easier.
Thanks for the explanation! I think it is great that you have found a convenient way that suits your use case and makes it easier for yourself. I think that is the beautiful aspect of VyOS, and is also why they are adding a web based interface to cater to the people that prefer a web based interface over CLI which is completely fine too.
I am also only using VyOS for home use, and I would say the container is as stable as your router (as long as you don’t mess with it and configure it according to the documentation and best practices)
I just converted from PiHole to Adblock Home just to test it out, however I have my PiHole container still spinning for easy fallback if needed. I have not used Adguard Home before, however I have to say the experience of setting it up and then configuring it has been really easy. I especially like that it defaults to DoH upstream (I did change to my preferred upstream servers though) which I did not know previously that it did.
I also had issues with the new configuration syntax with the transition to Netfilter. It did perform the syntax migration, however nothing worked after. I am not familiar enough with the new syntax to troubleshoot so I reverted back to my old zone based syntax.
To tell the truth, I prefer to install Proxmox VE on the hardware server, then build a VyOS VM on it as the gateway. At the same time, I install docker and docker-compose on the Proxmox VE server to deploy Adguard. If the VyOS upgrade fails, it will not take down the DNS server service.
I prefer to install my VyOS instance on physical hardware, even though I have a few HPE servers running ESXi and vCenter I still prefer hardware for VyOS because I want to be able to power off my server fleet when I do not want to use it. This way I still have DNS available because I run it on VyOS on hardware. This is just my preference and I fully support your approach too @echowings.
I run other VMs and containers in proxmox and I have considered moving VyOS there, too. It’s currently running on its own bare metal box, and I like that it provides physical network separation, and that I can bring down my proxmox nodes (either accidentally or on purpose) and not affect others in the house!
That’s not an insurmountable problem, though, and I will be looking to virtualise VyOS at some point. Will certainly make testing easier.