Integrating AdGuard Home with a GL-iNet Router via Nginx

Introduction
Efficient network management often requires combining robust tools like AdGuard Home (for DNS filtering) with reliable hardware such as GL-iNet routers. This guide demonstrates how to integrate these components using Nginx as a reverse proxy, enabling secure DNS-over-HTTPS, centralized logging, and streamlined local domain management. Or basically, the case when you have GL-iNet router -one of the best for hobbyists- and you need to avoid Ads at all costs.

1. DNS Configuration

Some GL-iNet routers comes with Adguard Home integrated (but disabled by default). Usually AdGuard Home is configured to operate on the standard DNS port (53), replacing the default port 3053. This eliminates the need for DNS redirection rules, allowing the service to handle requests natively. The web interface remains accessible via port 3000 for administrative purposes.

But in case when we want to avoid having to enter ip:port everytime we want to access the web interface, we can use Nginx to proxy the requests to the AdGuard Home interface. This is also useful when we want to have a DNS-over-HTTPS endpoint. Lets talk about the nginx setup.

2. Nginx Reverse Proxy Setup

Nginx serves as the backbone for secure access and routing. Below is the critical configuration (/etc/nginx/conf.d/gl.conf):

server {
    server_name router.local;
    listen 80;
    listen 443 ssl;
    
    # SSL Configuration
    ssl_certificate /etc/nginx/nginx.cer;
    ssl_certificate_key /etc/nginx/nginx.key;
    
    # AdGuard Home Proxy
    location /adguard/ {
        proxy_pass http://192.168.1.1:3000/;
        proxy_redirect / /adguard/;
        proxy_cookie_path / /adguard/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # DNS-over-HTTPS endpoint
    location /dns-query {
        proxy_pass http://192.168.1.1:3000/dns-query;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

This configuration:

• Use router.local as the server name (can be anything but try to avoid using actual TLDs)
• Proxies AdGuard Home’s interface via /adguard/
• Exposes a DNS-over-HTTPS (DoH) endpoint at /dns-query
• Enforces HTTPS with a self-signed certificate

This is standard Nginx configuration, but it is worth mentioning that the proxy_set_header directives are important to preserve the original client IP address when forwarding requests to AdGuard Home. DNS-over-HTTPS is not required here but I always use that because there is no reason why to encrypt your DNS requests. But to actually use DoH we will need a TLS certificate. It doesn’t have to be issued by a CA, but it has to be a valid certificate. So one obvious option is to use self-signed certificate. This is easy to trust on your own devices but it is not a good option for public use.

3. SSL Certificate Generation

A self-signed certificate can be created for router.local to enable encrypted communication. We can use openssl to generate the certificate.

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout /etc/nginx/nginx.key \
-out /etc/nginx/nginx.cer \
-subj "/CN=router.local"

Now we have a certificate that is valid for 10 years. This is more than enough for a home network. But remember that this is a self-signed certificate and it is not trusted by any CA. So you will need to manually trust it on your devices.

4. Local DNS Resolution

Now we have configured Adguard Home to resolve router.local to the router’s IP (192.168.1.1), enabling intuitive access to local services. Nothing is required to be done here. We can access the router using router.local and the DNS resolution will be done by AdGuard Home. Also we can access the AdGuard Home interface using router.local/adguard. Just remember that you will need to trust the certificate on your devices. Firefox for example will complain about the certificate and you will need to add an exception.

There is one last step which is to make sure that we forcing DNS routing through AdGuard Home. This is important to make sure that all DNS requests are filtered by AdGuard Home. This is done by configuring the system DNS resolver to use AdGuard Home as the DNS server. This is done by creating a configuration file for systemd-resolved.

5. Client DNS Configuration (Linux Example)

To enforce DNS routing through AdGuard Home:

1. Create a systemd-resolved configuration file:

   sudo mkdir -p /etc/systemd/resolved.conf.d
   sudo nano /etc/systemd/resolved.conf.d/adguardhome.conf
   

2. Add the following content:

   [Resolve]
   DNS=192.168.1.1
   DNSStubListener=no
   

3. Update the resolv.conf linkage:

   sudo rm /etc/resolv.conf
   sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
   sudo systemctl restart systemd-resolved
   

We need to do some adjustments to the AdGuard Home configuration to make sure that it is listening on port 53. This is important to make sure that the DNS requests are handled by AdGuard Home.

6. AdGuard Home Configuration Adjustments

Lets update the file in /etc/adguardhome/AdGuardHome.yaml to

• Bind DNS to port 53
• Trust the local Nginx proxy:

This can be done by changing/adding the following values in the configuration file:

http:
  port: 3000
  trusted_proxies:
    - 127.0.0.1
dns:
  bind_port: 53

Now we have a complete setup. We have AdGuard Home running on port 53 and Nginx proxying the requests to the AdGuard Home interface. We have a DNS-over-HTTPS endpoint and we have a local domain resolution. We have also enforced the DNS requests to go through AdGuard Home.

To test this setup and confirm functionality, we can do that with these commands:

# Verify DNS resolution
nslookup router.local
nslookup google.com

# Test web interface accessibility
curl -k https://router.local/adguard/

# Inspect DNS settings
resolvectl status

7. Important locations

As a summary, these are the important locations and endpoints that we have configured. It is good in case you need to troubleshoot or make changes in the future. Also these are the places where you would want to backup in case of problems. Or better you can use GL-iNet’s backup feature to backup the whole configuration. But this will not backup the Nginx configuration.

7.1 Access Endpoints

• AdGuard Home Dashboard: https://router.local/adguard/
• DNS-over-HTTPS: https://router.local/dns-query
• Standard DNS: 192.168.1.1:53

7.2 Key File Locations