One of the key issues I find with the ever-evolving internet is the amount of tracking and malicious content reaching household devices without the user's full knowledge; it often ends up being very intrusive. I often wonder how to make the internet safe for my family and block it at the source.
Thanks to the large like-minded community that works really hard to deal with issues like these. We are talking about DNS filtering and ad-blocking technologies, and Pi-hole and AdGuard Home are the tools: both are completely open source, free to use and community-led. Kudos to them for all the hard work.
This post is inspired by stoXe's post, except that I have opted for AdGuard Home so I can leverage Google/Bing and YouTube Safe Search and additional features. Here is a bit taken from AdGuard Home's git page, although I must say both Pi-hole and AdGuard Home are really good products.
What is DNS Content Filtering
You can read about DNS content filtering here; it is a good starter for understanding what whitelists, blocklists and so on are.
For families there is a good set of family filters provided for free by CleanBrowsing and OpenDNS FamilyShield. You can set them on your router, which is a good first step, but make sure to run a DNS leak test afterwards to confirm that your devices' queries are actually being answered by the DNS servers you configured and not by some other resolver.
Pre-requisites
Oracle Cloud
I've been a great fan of Oracle OCI, and with the free tier it gives a perfect opportunity to taste the fastest and most trending cloud provider. Here are some blog posts you can read to get you started:
Running the stack
You have two options: run the docker services on an existing cloud compute VM, or deploy the full Terraform stack.
Terraform Stack
This is a fully automated solution which will:
- Create the compartment "adguard"
- Create the buckets ADGUARD_BUCKET and ADGUARD_ARCHIVE_BUCKET for storage
- Create the policies and dynamic group that let the compute instance stream its log files to ADGUARD_BUCKET, authenticating as the instance itself (auth_principal) rather than with a stored user API key
- Create the networking resources (VCN, subnet, etc.)
- Launch the VM (Ubuntu)
- Install all required packages and bring up the docker services
Head to https://github.com/fnazz/oracle-freetier-tf-adguard-unbound-wireguard and follow the instructions in the README.
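For the policy and dynamic-group step above, this is what a least-privilege version looks like. It is an added illustration, not the Terraform in the repo: the resource names, the two input variables and the bucket-scoped where clause are my assumptions, and the repo's own resources may be broader. The point is that the instance principal can only create and list objects in ADGUARD_BUCKET; it cannot read or delete uploaded logs, and it has no access to ADGUARD_ARCHIVE_BUCKET, so a compromised VM cannot tamper with or destroy the log history.

```hcl
# Added example (not the repo's Terraform): least-privilege identity for the
# log upload from the VM to ADGUARD_BUCKET. Names and variables are assumptions.

variable "tenancy_ocid" {}           # assumption: supplied by the caller
variable "adguard_compartment_id" {} # assumption: OCID of the "adguard" compartment

# Dynamic group matching every compute instance inside the adguard compartment.
# Dynamic groups always live in the root (tenancy) compartment.
resource "oci_identity_dynamic_group" "adguard_instances" {
  compartment_id = var.tenancy_ocid
  name           = "adguard-instances"
  description    = "Compute instances allowed to ship AdGuard Home logs"
  matching_rule  = "instance.compartment.id = '${var.adguard_compartment_id}'"
}

# Policy: the instance may only create and list objects, and only in
# ADGUARD_BUCKET. No OBJECT_READ / OBJECT_DELETE, nothing on the archive bucket.
resource "oci_identity_policy" "adguard_log_upload" {
  compartment_id = var.adguard_compartment_id
  name           = "adguard-log-upload"
  description    = "Instance-principal write-only access to ADGUARD_BUCKET"
  statements = [
    # needed to resolve the tenancy's Object Storage namespace
    "Allow dynamic-group ${oci_identity_dynamic_group.adguard_instances.name} to read objectstorage-namespaces in tenancy",
    # needed to address the bucket itself
    "Allow dynamic-group ${oci_identity_dynamic_group.adguard_instances.name} to read buckets in compartment id ${var.adguard_compartment_id} where target.bucket.name = 'ADGUARD_BUCKET'",
    # write-only on objects: create + inspect (list), nothing else
    "Allow dynamic-group ${oci_identity_dynamic_group.adguard_instances.name} to manage objects in compartment id ${var.adguard_compartment_id} where all {target.bucket.name = 'ADGUARD_BUCKET', any {request.permission = 'OBJECT_CREATE', request.permission = 'OBJECT_INSPECT'}}",
  ]
}
```

With this in place the upload command on the VM is the OCI CLI with instance-principal auth (`oci os object put --auth instance_principal ...`), and no API key ever needs to be copied onto the box. If you later want the archive bucket filled, do it with a separate principal rather than widening this one.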
Using Docker Services
Once you have the compute instance up and running, clone the repo and start the docker services:
git clone https://github.com/fnazz/docker-adguard-unbound-wireguard.git
cd docker-adguard-unbound-wireguard
docker-compose up -d
To get the QR code, run:
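To show how the three containers fit together and, more importantly, which of them is exposed to the internet, here is a compose sketch. It is an added example, not the repo's docker-compose.yml: the image names, the 10.2.0.0/24 network, the WireGuard container's 10.2.0.3 address and Unbound's 10.2.0.200 address are assumptions; the 10.2.0.100 address for AdGuard Home and the WireGuard environment settings match the container log shown below. Only WireGuard publishes a port on the VM's public IP; AdGuard Home and Unbound are reachable solely through the tunnel.

```yaml
# Added example (not the repo's docker-compose.yml). Addresses other than
# 10.2.0.100 and the image names are assumptions.
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERURL=auto            # public IP auto-detected, as in the log
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=10.2.0.100        # peers resolve through AdGuard Home only
      - INTERNAL_SUBNET=10.6.0.0
      - ALLOWEDIPS=0.0.0.0/0,::/0 # full tunnel: all phone traffic exits via the VM
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"         # the ONLY port published on the public IP
    networks:
      dnsnet:
        ipv4_address: 10.2.0.3    # assumption
    restart: unless-stopped

  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    # Deliberately no "ports:" section. Peers reach 10.2.0.100:53 and :3000
    # through the tunnel, because the wireguard container masquerades them
    # onto dnsnet. Publishing "53:53/udp" or "3000:3000" here would turn the
    # VM into an open resolver and expose the setup wizard to the internet.
    volumes:
      - ./adguard/work:/opt/adguardhome/work
      - ./adguard/conf:/opt/adguardhome/conf
    networks:
      dnsnet:
        ipv4_address: 10.2.0.100
    restart: unless-stopped

  unbound:
    image: mvance/unbound         # assumption: any recursive resolver image works
    container_name: unbound
    # Also unpublished: only AdGuard Home (upstream 10.2.0.200:53) talks to it.
    networks:
      dnsnet:
        ipv4_address: 10.2.0.200  # assumption
    restart: unless-stopped

networks:
  dnsnet:
    driver: bridge
    ipam:
      config:
        - subnet: 10.2.0.0/24     # assumption
```

In AdGuard Home's setup wizard you would then point the upstream DNS at Unbound's address and leave the listen interface at its default, since the container's only interface is the dnsnet one. Keep the OCI security list equally tight: 51820/udp from anywhere, 22/tcp from your own address, and nothing else inbound.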
ubuntu@adguard-wireguard:~$ sudo docker logs wireguard
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/
Brought to you by linuxserver.io
-------------------------------------
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing...
Uname info: Linux 97777476d4d1 5.4.0-1037-oracle #40-Ubuntu SMP Thu Jan 14 09:19:02 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Server mode is selected ****
**** SERVERURL var is either not set or is set to "auto", setting external IP to auto detected value of 129.213.60.161 ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 10.6.0.0 ****
**** AllowedIPs for peers 0.0.0.0/0, ::/0 ****
**** Peer DNS servers will be set to 10.2.0.100 ****
**** No wg0.conf found (maybe an initial install), generating 1 server and 1 peer/client confs ****
grep: /config/peer*/*.conf: No such file or directory
PEER 1 QR code:
█████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████
████ ▄▄▄▄▄ █▀ █▄▀▀▀███ ▀▄▄ ▄▀█▄█ ██▄▀█ ▄▀▄█▄ █▀█▄ ██ ▄▄▄▄▄ ████
████ █ █ █▀██ ▄▄█▀██▀ █ ██▀██▀▄▀▄▀▄ ▀ ▀▀▄▀▄▀ ▄▄▄ ██ █ █ ████
████ █▄▄▄█ █▀██ █▀▀▀ ▀ ▀█ █▄██ ▄▄▄ ▄ ▀██ █▄ ▀▄▄▄ ▀▄██ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄▀ ▀ ▀▄█ █ █▄█ ▀▄█ █▄█ ▀▄▀▄█▄█▄▀ █▄▀▄▀ ▀ █▄▄▄▄▄▄▄████
████▄ ▄▄▄▀▄ ▄ ▄█▄█▀▀▄ ▄▀▄▀▀ ▄▄ ▄ ▄█▄█▄ ▀▀ ▀▄▄ █▄▀ █▄▀▄█ █████
████▀█▀█▄▀▄ ▀▄▀▄▀▀█ █▄█▀ ▄██▀ █ █▄▄██▀█ █▀▄▄▀▄ ▀▀▀▀█ ▀█▀▀ ▀▀▀████
█████▄█▀▀ ▄▄▄ ▀███▄▀██▄██▄ ▀▀█▀ ▄▀▄▄▀▄█▄██▄▀██▄▄█ █▀▀▀▄█▀████
████ █▄ ▀▄▀▀▀▀▀██ ▄▀▀▀▀█▀█ ▄█ ▀▀ ▀▀▄ ██▀▄▄ ▀▀ █▄█ ▄ ▄▄█▀▀ █████
████▀▀▀▀█ ▄▀██ █▀█▄▄▄▀█▀█ ▀▄▀▀ █▀▀██ ██▀▄ ▄▀███▄▄█ █▄▀▄█████
████ ▀ ▀▄▄▄▄▀▄ █▀███▀██▀█ ▄▀ ▄███▄▄ █ ▀▄█ ▀▄ █▄▀█ ▀▀▀▄█████
██████▀ █▀▄▀ █▀▄▄▄▄▀█ ▀▀▀█▄ █▀█▀▀ ███▄▄▀█ █▀ ███▀ ▀▄█▀▀█▀█████
████▄▄█ ▄▄ █▄ ▀█▀▀██ ▀ ▀ ▄ ██ █ ▄▀▄▀▀▀ ▄▄███▄█▀▄█ █ ▀ █████
████ ▀▄▀▄▄▄ █▀▄█▄▄█ ▄▄▄▀▄██▀▀██▄▀▀▀▄▀▄█▄ ▀▄ ▄▀▄█▄ █ ▀█▀▀████████
████▄█▀ ▄▄▄ █ ▀▀▄█▄█▀ █▀ ▀▀█ ▄▄▄ ▄▄ █▄▀▀▄ ▄ ▀ █▄ ▄▄▄ █████
████ ▄▄ █▄█ ██ ▀▀ █▄▀ ▀█▀▄ ▀ █▄█ ▀██ ▄ ██ ▄▀██▄ █▄█ ▀▀ ▀████
████▀ ▄▄▄▄ █▀ █ ▄██████▄▄▄ ▄▄ ▄ ▀▀▀▄ ▄ █▀ █▄█ ▄▄▄▄▄ █ ▄█████
████▀▄▄▀█ ▄ ▀█ ▄▀▄█▄█▄ ▄▀▀▀ ██ ▄█ ██ █▄▄▀▄██▄ ▀████▀▄█▄ █▀█████
████▄▀█ █▀▄▀▄██▄▄▀▄▀▄▀█▄█ █▄▄▀▀█▀ ▄█ ▀ █ █▄ ▀▄▄ ▄▄▀▀█▀██▀ ▀████
█████ ▀██▄█▄ ▀██▀█▄▀ ▄█▄ ▀▄█▀██▀▀▄█ ▄█▄▀█▄██▀▄▀▀█▀ ▀▀ ▀▀▀▀████
████▄▄ ▄█▄▄████ ▀▄▀▄ █▄█▄▄▀█▀ ▄██▄ █▀▄█▄█▄ █ █▀█▀ ▀ ▀▀█▀█ ▄█████
█████ █▀▄▀▄▄ ▄▄ ▄ ▄█▄▄▄▀█▄▀▀▀ ▄██▄ ▄█▄█▄ ▀█▀ ▀███ ███▀█▄█▀▄▀█████
████▄▀▄▀▀█▄▀█▄█▀▀▄▄▄ ▄██ ▄█▀██▄▄▄▄ ▀▀██▀▄▄▄▄ ▀█ ▄█▄█▄▀▀▄▀▀▀ ████
████▄▄█▀ ▄▀██▀█ ▄▄▄▀██▄█▀ ▄▄██ ▄▄▀▄▄█▄██▀▀▄ ▀▄███▀ ▄█ ▀▀▄████
████ ▀ ▀▀▄▄▀▄▄▀█ ▀███▄█▀█▄▀ █ ▄ ▀▄▀▀▄▄▀▄█▄ ▀██▄█ ▄ ▄▄█▄█▀▀▄▀████
██████████▄▄▀▄▀█▀ ▀▀▄ ▄▄▄█▀ ▄▄▄ ▀█▀█ ▄▀█▀█▀▀ ▀█▄▀ ▄▄▄ ▄█▀▄████
████ ▄▄▄▄▄ █▄ ▄▄█▀ ██ █▀▀█ ▀ █▄█ ▀▀▀▄ ██▄█ █ ▀▀ ▄ █▄█ ▀████
████ █ █ █ █▄▀ ▀▀█▄▄▀▀ █▄ ▀▄▄ ████▄ ▄ █▀ ▄█▀█▀▄▄▄ ▀▀█▄████
████ █▄▄▄█ █ ▀█▄▀██▀█▀▀▀ █▄▄ ▀█ █▀ █▀▄▀▄▀▄▀ █▀█ ▀▀▄█▀██▀██▀██████
████▄▄▄▄▄▄▄█▄██▄█▄▄▄▄▄▄██▄███▄█▄█▄█▄█▄█▄▄█▄█▄████▄██▄▄▄██▄▄▄█████
█████████████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████████████
[cont-init.d] 30-config: exited 0.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.6.0.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
.:53
CoreDNS-1.8.4
linux/amd64, go1.16.4, 053c4d5
Mobile Device Setup
The process is the same for Android and iOS devices.
Download WireGuard VPN Client
Configure the client
Tap the "+" icon and select the QR code option.
Scan the QR code and give the tunnel a name.
- Name the connection once the QR code scans
- Proceed with the prompts to add the VPN configuration
- Edit the connection and enable on-demand activation for cellular: each time the phone joins a cellular network the WireGuard tunnel connects automatically, so you don't have to worry about it when you are on the go.
Access AdGuard Home
While connected to WireGuard, first set up AdGuard Home at:
http://10.2.0.100:3000 ; once the wizard is done you can manage the console at http://10.2.0.100/admin
The password is blank unless you set it in docker-compose.yml, so set a strong one: this console controls the DNS of every device on the VPN. The 10.2.0.100 address should only ever be reachable through the tunnel, never from the VM's public IP.
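Because the web console is unauthenticated until you set a password, and because an open DNS listener on a public IP is an amplification source, it is worth checking what the VM actually exposes before handing the tunnel to the family. The script below is an added example, not part of the repo: it parses `ss -lntup` output and reports every socket bound to all interfaces that is not the WireGuard UDP port or SSH. Docker-published ports show up in `ss` as `docker-proxy` listeners on 0.0.0.0, so a mistakenly published 53 or 3000 is caught the same way as a host service. The sample output is constructed for the example; on the VM, pipe the real command into the function.

```sh
#!/bin/sh
# Added example: flag listeners reachable on the VM's public IP other than
# WireGuard (51820/udp) and SSH (22/tcp). Input is `ss -lntup` output.

# SAMPLE_SS is constructed for this example. It shows a VM where AdGuard Home's
# DNS (53) and setup wizard (3000) were wrongly published on 0.0.0.0, while the
# admin UI on 80 is correctly bound to the docker-network address only.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:51820       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:53          0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:3000        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      4096   10.2.0.100:80       0.0.0.0:*
tcp   LISTEN 0      4096   [::]:22             [::]:*'

# Space-separated list of "proto/port" pairs that are expected on the public IP.
ALLOWED="${ALLOWED:-udp/51820 tcp/22}"

# exposed_listeners: reads ss output on stdin, prints one "proto/port" line for
# each wildcard-bound listener (0.0.0.0, *, or [::]) not in ALLOWED. Loopback
# and addresses on private docker networks are not wildcard binds and are skipped.
exposed_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                              # skip the header line
    {
        addr = $5                                 # "Local Address:Port" column
        if (addr ~ /^(0\.0\.0\.0|\*|\[::\]):[0-9]+$/) {
            port = addr; sub(/.*:/, "", port)     # strip everything up to the last colon
            key = $1 "/" port                     # e.g. "udp/53"
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }
    }'
}

# Stand-alone run against the constructed sample; on the VM use:
#   ss -lntup | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

An empty result is the goal. Anything else means a service is published on the public interface: fix the compose file (remove the `ports:` entry or bind it to the docker-network address) rather than relying on the OCI security list alone, so the two layers back each other up.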
Full Automated Solution
I've got a fully automated Terraform deployment that creates all the required resources; follow the instructions at https://github.com/fnazz/oracle-freetier-tf-adguard-unbound-wireguard
Closing Note
That was a short walkthrough of setting up a way to have a more peaceful internet, but it doesn't end there. The default settings take care of the basics, but you will definitely want to enable more features and add more blocklists:
A good place to look for hosts files, blocklists and whitelists
Hope you find this useful.