Access AdGuard Home (on Diet Pi) Remotely via Personal Domain Name

Greetings,

I have been researching how to access my AdGuard Home and Unbound Server (RPi 4B - Diet Pi) remotely using a personal Domain Name that I own.

Most articles / forum posts that I came across were for accessing a server locally using a domain name; however, I did come across some that illustrated this through Wireguard - but this is not what I am looking to accomplish. Others mentioned using Cloudflare (free account) to accomplish this, but I do not see that Diet Pi offers this as a pre-boxed software package (and I would like to stay within Diet Pi’s available software packages).

Simply put, I would like to be able to access AdGuard Home (including the web stats and the actual DNS services that AGH and Unbound supply) via a domain name (such as spicylimes.com) while I am out and about. I am already using Tailscale as a secure way to access my home network (and my AdGuard Home/Unbound services), but I have other reasons why I want to do this - specifically for when I am traveling with my Travel Router, by adding the domain name to the custom DNS on it.

Can someone enlighten me as to how I can accomplish this using the Diet Pi software? I would prefer not to port forward or use a VPN (ex: PiVPN) connection since I found that this can be done without using those methods.

Thanks!

Just to avoid a misunderstanding: you would like to use the DNS of AGH from outside of your network? But you don’t want to use a VPN?

But why not use Tailscale to connect from outside to AGH?

Another option is to use a VPN on your mobile router and just tunnel DNS requests through the tunnel. This would be the most secure way.

Other than that, you would need to open port 53 towards the internet to allow DNS requests to arrive from external sources. But this is a security risk, as port 53 is the default DNS port and will be found by scanners quite soon. Something I don’t recommend at all.

Just to avoid a misunderstanding: you would like to use the DNS of AGH from outside of your network? But you don’t want to use a VPN?

That is correct,

But why not use Tailscale to connect from outside to AGH?

I do use this quite often, however there are certain situations where I would prefer to use a domain name (ex: SpicyLimes.com) within my Travel Router, or a device (when I am remote). I won’t go into details because it’s too long to explain, but basically I have a GL.iNet Mango Router that I travel with (ie: my Travel Router) and because of its limited DNS-changing capabilities, I would need a DNS server that is not local to the router’s network - meaning I would need to use an external DNS service like Quad 9’s 9.9.9.9, but I do not want to use this - instead I would like to expose my AdGuard Home/Unbound device to the outside world via something like Cloudflare.

I even tried installing Tailscale on the GL.iNet Mango Router but due to its limited processing power and storage capacity, it is not a viable option.

Another option is to use a VPN on your mobile router and just tunnel DNS requests through the tunnel. This would be the most secure way.

This is definitely an option, however I would prefer to not have to use a VPN. I do have my Surfshark VPN setup on the Mango Router JUST IN CASE I want to use it, but I have it disabled by default since (as I mentioned above) the Mango Router has very limited processing power (and it tends to be very spotty).

Other than that, you would need to open port 53 towards the internet to allow DNS requests to arrive from external sources. But this is a security risk, as port 53 is the default DNS port and will be found by scanners quite soon. Something I don’t recommend at all.

Correct - which is why I would prefer to not port forward at all on my home router.

Maybe I read the articles wrong, but from what I understood there is an option by using a service like Cloudflare to accomplish this. Maybe DDNS, but I just don’t know enough about this to know if DDNS does something like this.

I guess you misunderstood what DDNS is, because this is not a DNS service resolving your DNS queries. It is a service providing you with a Domain Name that can be updated dynamically depending on the public IP address of your broadband internet connection. This means your personal Domain will stay available even if your external public IP address is changing. DNS and DDNS are 2 completely different things. Basically you could use a DDNS name to point back to your home network. This is just a name that will be resolved to your current external IP address.

However, what I’m not sure about is whether you are able to add a Domain Name as DNS address on your Mango Router. Usually DNS servers are added by IP address :thinking:

I guess you misunderstood what DDNS is, because this is not a DNS service resolving your DNS queries. It is a service providing you with a Domain Name that can be updated dynamically depending on the public IP address of your broadband internet connection. This means your personal Domain will stay available even if your external public IP address is changing. DNS and DDNS are 2 completely different things. Basically you could use a DDNS name to point back to your home network. This is just a name that will be resolved to your current external IP address.

Right - I do know this, however I do not believe that DDNS would be the solution that I am looking for because it would still require me to port forward on my router so that I could access my AGH/Unbound device. Unless I am wrong. I should note that I am pretty proficient with web related things as I was a web designer back in the day and have a bunch of domain names that I use - however I do NOT know much about getting a local server (such as an AGH/Unbound Server, or even a Jellyfin server) connected to one of the domain names that I own.

However, what I’m not sure about is whether you are able to add a Domain Name as DNS address on your Mango Router. Usually DNS servers are added by IP address.

It is definitely possible through OpenWRT’s LuCI admin settings (although it is an absolute nightmare knowing where to input the DNS settings since there are 6-7 places that allow you to change DNS options - but that is a topic for another day).

If you know of any other solution for this, please do let me know. I will continue to research Cloudflare and the Cloudflared Tunnel option. I included a forum topic that I came across that kind of explains how to do this, but again, I am new to this and the guide doesn’t really apply to my goals (the guide is for using Cloudflare to access Home Assistant remotely).

Keep in mind that if you expose the server to the internet in the way you describe, anyone will be able to access it and it will be a matter of time until someone finds out about it and begins to exploit it.

I guess Cloudflared Tunnel is not something you could use. It looks like it does not support forwarding something like DNS/port 53 into the tunnel. It is more designed to proxy https.

https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/arguments/#protocol

Keep in mind that if you expose the server to the internet in the way you describe, anyone will be able to access it and it will be a matter of time until someone finds out about it and begins to exploit it.

That is a good point. And I am currently unaware of any software or process that would secure/password-protect this. So I guess that is out of the question.

I guess Cloudflared Tunnel is not something you could use. It looks like it does not support forwarding something like DNS/port 53 into the tunnel. It is more designed to proxy https.

Yup - I came to the same conclusion after reading that exact document.

So, what would be the best option? I am not currently using my router or any device on my network as a VPN, so I suppose setting up a VPN to access the AGH/Unbound Pi Server would be the best option.

I know there are a ton of guides out there for something like this, but since I have your attention, what would be the simplest way (using a VPN Server behind my local router) to accomplish this? PiVPN?

Personally I use native WireGuard as I don’t need the overhead of PiVPN to access my local network. Using native WireGuard might look more complicated for setting up a new client. But we have good documentation in our online docs, and how often do you do that? There are even broadband routers on the market supporting WireGuard built-in. As well, using the WireGuard app, you could define which traffic to pass into the tunnel. This means you could pass all traffic to your local network into the VPN tunnel but keep the internet access away from it. Basically DNS requests would go to the VPN but not the whole traffic.

Ok - so native Wireguard is option 1. And just to confirm, this will allow me to set up a VPN Server on my local HOME network so that I can use Pi-Hole + Unbound while I am AWAY from my local HOME network.

Here are my thoughts on a setup…

  1. Install DietPi on Raspberry Pi Zero (1).
  2. Install Pi-Hole and Unbound on the Pi.
  3. Install either Wireguard or PiVPN (depending on my use case).
  4. Set up the VPN Server within my Home Local Network.
  5. Set up a VPN Client on my GL.iNet Mango Router with the above VPN Server details.
  6. Done - Now I can access the Pi Zero’s Pi-Hole and Unbound device on the Mango Router, and all devices connected to the Mango Router.

Does that sound right? Am I missing anything? Any tips or tricks, or things to watch out for?

Thanks again.

more or less yes

#3 would be the server install already
#4 client/peer creation
#5 WireGuard client activation WireGuard Client - GL.iNet Docs

What I don’t understand is why you are going to set up PiHole/Unbound on a RPi1, while you already have AGH/Unbound running on the RPi4B?

Yea, I was condensing those items haha

As far as setting up an additional DNS server instance… the reason is because I have Tailscale already set up on my AdGuard Home Pi 4B as an exit node and subnet router, and I do not believe adding a VPN Server to that will work. And since I have an extra Pi Zero laying around, it just makes sense to dedicate it to being the remote DNS resolver via the VPN.

So after some additional research on setting up a Wireguard VPN Server on a Pi, I found that it requires a bit of setup and maintenance (not so much maintenance) so I am going to use the VPN Server feature/function on my ASUS Router (using ASUS-WRT Merlin) so I can simply access the Router’s DNS settings (AdGuard Home on my Raspberry Pi 4B) instead of dedicating a Pi Zero to it.

Closing this thread…

Side note: Running a DNS server open to the web without a VPN is strongly discouraged: bots will quickly find it and misuse it for attacks on 3rd parties, destabilising the global DNS infrastructure itself. So using a VPN or Tailscale or similar to access it remotely is mandatory. Never forward port 53 from your router.
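The router-level rule above (never forward port 53) is the primary control. As an added example that is not from this thread or from DietPi's install scripts, the following script audits the second layer, Unbound's own `interface:` and `access-control:` directives, so that even a mistaken port forward would meet a resolver that refuses queries from non-private sources. Both config snippets are constructed samples; the port number and addresses are placeholders, not DietPi's defaults.

```python
"""Audit Unbound listener and access-control lines for open-resolver exposure.

Added example (not from the forum thread or DietPi). It parses the
`interface:` and `access-control:` lines of a constructed unbound.conf and
reports any allowed source range that is not an internal (RFC 1918,
loopback, link-local or ULA) network.
"""
import ipaddress
import re

# Constructed sample: listens on every address and answers anyone.
OPEN_CONF = """
server:
    interface: 0.0.0.0
    port: 5335
    access-control: 0.0.0.0/0 allow
"""

# Constructed sample: loopback + LAN listener, explicit allow for private
# ranges only, everything else refused.
LAN_ONLY_CONF = """
server:
    interface: 127.0.0.1
    interface: 192.168.1.50@5335
    port: 5335
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
"""

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)", re.M)
IFACE_RE = re.compile(r"^\s*interface:\s*(\S+)", re.M)
# Unbound actions that permit recursion for the matching source range.
ALLOW_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}
WILDCARDS = {"0.0.0.0", "::", "::0"}
# Ranges a home resolver may reasonably serve; anything else is "external".
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def _is_internal(net):
    """True when the allowed range sits entirely inside one internal block."""
    return any(net.version == p.version and net.subnet_of(p) for p in INTERNAL)


def audit_unbound(conf):
    """Return listener info plus every allow rule that admits external sources."""
    findings = []
    # interface: may carry an @port suffix; strip it before comparing.
    ifaces = [m.group(1).split("@")[0] for m in IFACE_RE.finditer(conf)]
    for net_s, action in ACL_RE.findall(conf):
        if action not in ALLOW_ACTIONS:
            continue
        net = ipaddress.ip_network(net_s, strict=False)
        if not _is_internal(net):
            findings.append(f"access-control: {net} {action} admits external sources")
    return {
        "open_resolver": bool(findings),
        "wildcard_bind": any(i in WILDCARDS for i in ifaces),
        "interfaces": ifaces,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("lan-only", LAN_ONLY_CONF)):
        print(name, audit_unbound(conf))
```

Run it against your real `unbound.conf` (or the files under `/etc/unbound/unbound.conf.d/`) by passing their contents to `audit_unbound`; a non-empty `findings` list means the resolver itself would answer strangers if the router ever let port 53 through.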

WireGuard should be the best solution indeed. Check out the /etc/wireguard/wg-client1.conf (or similar, not sure about the exact name currently :sweat_smile:), it can be configured to tunnel requests to the VPN/AGH server only, while all other network requests are bypassing the VPN. Perfect for a home Pi-hole or AGH server.

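The split-tunnel idea above (only requests for the VPN/AGH server go through the tunnel, everything else bypasses it) comes down to two lines of the client config: `AllowedIPs` and `DNS`. As an added example that is not from this thread or from DietPi's WireGuard install, the script below parses a client config of that general shape (the file name `wg-client1.conf` is only the thread's guess and is used here as a label) and checks both that `AllowedIPs` is not a full tunnel and that the DNS server actually falls inside `AllowedIPs`. All keys, addresses and the endpoint host are constructed placeholders.

```python
"""Split-tunnel sanity check for a WireGuard client config.

Added example (not from the forum thread or DietPi). It answers the two
questions that matter for "DNS through the VPN, everything else direct":

  1. Is AllowedIPs restricted to the home LAN / VPN subnet (split tunnel),
     or does it contain 0.0.0.0/0 (full tunnel)?
  2. Does the DNS server (AGH) fall inside AllowedIPs? If not, DNS queries
     never enter the tunnel and go to whatever resolver the local network
     hands out, which is exactly the leak a travel-router user wants to avoid.
"""
import configparser
import ipaddress

# Constructed sample 1: full tunnel, the usual generated default.
FULL_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.9.0.2/24
DNS = 192.168.1.50

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = home.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

# Constructed sample 2: split tunnel, LAN and VPN subnet only; AGH is on the LAN.
SPLIT_TUNNEL = FULL_TUNNEL.replace("AllowedIPs = 0.0.0.0/0, ::/0",
                                   "AllowedIPs = 10.9.0.0/24, 192.168.1.0/24")

# Constructed sample 3: the common mistake; VPN subnet only, but the DNS server
# is on the LAN, so AllowedIPs does not cover it and queries leave the tunnel.
LEAKY_SPLIT = FULL_TUNNEL.replace("AllowedIPs = 0.0.0.0/0, ::/0",
                                  "AllowedIPs = 10.9.0.0/24")


def _csv(value):
    """Split a comma-separated WireGuard value into a clean list."""
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_wg_config(text):
    """WireGuard configs are INI-like; keep key case and split only on '='
    so values such as 'host:51820' survive intact."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def analyze(text):
    """Return the split-tunnel / DNS-routing verdict for one client config."""
    cp = parse_wg_config(text)
    allowed = [ipaddress.ip_network(n, strict=False)
               for n in _csv(cp["Peer"].get("AllowedIPs", ""))]
    dns = [ipaddress.ip_address(d) for d in _csv(cp["Interface"].get("DNS", ""))]
    full_tunnel = any(n.prefixlen == 0 for n in allowed)
    # Every DNS server must be covered by some AllowedIPs route; comparing a
    # v4 address against a v6 network simply yields False, which is correct.
    dns_via_tunnel = bool(dns) and all(any(ip in n for n in allowed) for ip in dns)
    return {
        "full_tunnel": full_tunnel,
        "dns_via_tunnel": dns_via_tunnel,
        "allowed_ips": [str(n) for n in allowed],
        "dns": [str(d) for d in dns],
    }


if __name__ == "__main__":
    for name, conf in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                       ("leaky", LEAKY_SPLIT)):
        print(name, analyze(conf))
```

The third sample is the case to watch for: a config can be a perfectly good split tunnel and still leak DNS if `AllowedIPs` lists only the VPN subnet while AGH sits on the LAN. Feed your own client file's contents to `analyze` and expect `full_tunnel` False and `dns_via_tunnel` True.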

Something to try :wink: But at least you could point the WireGuard VPN client to use AGH as DNS server. It should be possible even if AGH is running on a different device.

Yes, some effort is needed to set it up. But that’s just a one-time effort. Usually there is nothing that needs to be maintained. My WireGuard installation has been running for years now, and I have basically done nothing on it since the installation.

A valid option that will work as well.

Of course I would never do that. Put it this way, if I had the knowledge to do this, I would have gotten all the way to the end and then realized to myself… “Uh, this is public - can’t do this!” It would have been funny but in the end I would have realized it. As mentioned above, I am using Tailscale quite a bit, and it works very very well for handling general traffic and using my local DNS Server, however it does not work with my Travel Router - I might just buy myself a better router to travel with so I can use Tailscale on it.

I am going to spend a few hours on this today - even if I don’t go this route, it will be a learning experience.

All good to know - I wasn’t sure on the maintenance aspect. Like I said before, IF ONLY I could get Tailscale installed on the router itself, I would be good to go. Oh well!

Oh, and my home router doesn’t support Wireguard VPN Server setups (only OpenVPN) so I will most likely go with a Wireguard Server on an extra Pi (not Pi Zero) or Linux PC.

So here is an unrelated question…

My ‘Network Pi’ has AdGuard Home and Unbound setup on it, however when I do a “What’s My DNS?” test online (ex: DNS leak test - Surfshark), it is still showing my ISP’s IP address. Is this correct?

I know that once Unbound finishes its job, the DNS traffic then heads for my home router’s WAN DNS IP address (which is set to Quad 9), but I would have thought that I would be seeing something other than my ISP’s IP address when doing one of those “What’s My DNS?” tests. Thoughts?

Ok, so I happened to stumble upon this article from AdGuard relating to setting up a VPS to use AGH on. This seems similar to what I was trying to accomplish but using a VPS instead of a local home network.

Seems like this would be secure to use? Thoughts?

Usually Unbound communicates with the root DNS servers directly and does not use the DNS server that has been configured in your router, at least as long as you don’t configure Unbound differently.

That’s how it should/will be.

Client > AGH > Unbound > root DNS server

And it’s expected that the AGH server system itself is still using an upstream DNS instead of AGH/Unbound itself. It’s generally advised to leave it like that, so that maintenance tasks, which include shutting down AGH/Unbound, or an issue with them, do not break the system’s own network resolution. And of course a server usually is not used to browse the web, where ad blocking would be required.