Safe Internet with Adguard Home, Unbound and WireGuard

Naz F
7 min read · Jun 19, 2021


One of the key issues I find with the ever-evolving internet is the amount of tracking and malicious content reaching household devices without the user's full knowledge; it often ends up being very intrusive. I often wonder how to make the internet safe for my family and block that content at the source.

Thanks to the large like-minded community who are working really hard to deal with issues like these. We are talking about DNS filtering and ad-blocking technologies, and Pi-hole and AdGuard Home are the tools: completely open source, free to use and community-led. Kudos to them for all the hard work.

This post is inspired by stoXe’s post, except that I have opted for AdGuard Home so I can leverage Google/Bing and YouTube Safe Search and additional features. Here is a bit taken from AdGuard Home’s git page, although I must say both Pi-hole and AdGuard Home are really good products.

What is DNS Content Filtering?

You can read about DNS content filtering here; it is a good starter for understanding what a whitelist, a blocklist, etc. are.

For families there is a good set of family filters provided for free by CleanBrowsing and OpenDNS FamilyShield. You can set them on your router, which is a good first step, but be sure to run a DNS leak test to confirm your devices are actually using the DNS servers you configured.

Pre-requisites

Oracle Cloud

I’ve been a great fan of Oracle OCI, and the free tier gives a perfect opportunity to taste the fastest and most trending cloud provider. Here are some blog posts you can read to get you started:

Running the stack

You have two options: either run the Docker services on an existing cloud compute VM, or deploy the full Terraform stack.

Terraform Stack

This is a fully automated solution which will:

  • Create a compartment named “adguard”
  • Create the buckets ADGUARD_BUCKET and ADGUARD_ARCHIVE_BUCKET for storage
  • Create policies and dynamic groups that allow log files to be streamed from the compute instance to ADGUARD_BUCKET, based on auth_principal
  • Create networking resources (VCN, subnet, etc.)
  • Launch the VM (Ubuntu)
  • Install all required packages and bring up the Docker services

Head to https://github.com/fnazz/oracle-freetier-tf-adguard-unbound-wireguard and follow the instructions in the README.

Using Docker Services

Once you have the compute instance up and running, just clone the repo and bring up the Docker services as below:

git clone https://github.com/fnazz/docker-adguard-unbound-wireguard.git
cd docker-adguard-unbound-wireguard
docker-compose up -d

To get the QR code, run:

ubuntu@adguard-wireguard:~$ sudo docker logs wireguard
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/
Brought to you by linuxserver.io
-------------------------------------
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing...
Uname info: Linux 97777476d4d1 5.4.0-1037-oracle #40-Ubuntu SMP Thu Jan 14 09:19:02 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Server mode is selected ****
**** SERVERURL var is either not set or is set to "auto", setting external IP to auto detected value of 129.213.60.161 ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 10.6.0.0 ****
**** AllowedIPs for peers 0.0.0.0/0, ::/0 ****
**** Peer DNS servers will be set to 10.2.0.100 ****
**** No wg0.conf found (maybe an initial install), generating 1 server and 1 peer/client confs ****
grep: /config/peer*/*.conf: No such file or directory
PEER 1 QR code:
[QR code for peer 1, rendered in block characters; omitted here since it encodes the whole peer config, including the peer's private key]
[cont-init.d] 30-config: exited 0.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.6.0.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
.:53
CoreDNS-1.8.4
linux/amd64, go1.16.4, 053c4d5
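The QR code printed above is just the text of peer1.conf, so the values the container reports (peer DNS 10.2.0.100, AllowedIPs 0.0.0.0/0 and ::/0, port 51820) can be checked before a device is enrolled. This is an added example, not code from the post or from the linked repos; the peer config is constructed and its key values are placeholders.

```python
"""Checks for the WireGuard peer config that the QR code above encodes.
Added example, not from the post or linked repos; the sample config is constructed."""
import re
# Constructed stand-in for peer1/peer1.conf; key values are placeholders, not real key material.
SAMPLE_PEER_CONF = """\
[Interface]
Address = 10.6.0.2
PrivateKey = PLACEHOLDER_PEER_PRIVATE_KEY=
DNS = 10.2.0.100

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PRESHARED_KEY=
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_wg_conf(text):
    """Parse an INI-style wg-quick config into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            conf[section] = {}
            continue
        key, _, value = line.partition("=")  # base64 values may end in '='
        if section is not None:
            conf[section][key.strip()] = value.strip()
    return conf

def check_peer_conf(text, expected_dns="10.2.0.100"):
    """Findings that would let DNS bypass AdGuard Home; an empty list means the tunnel is OK."""
    conf = parse_wg_conf(text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    findings = []
    dns = {d.strip() for d in iface.get("DNS", "").split(",") if d.strip()}
    if dns != {expected_dns}:
        findings.append(f"DNS is {sorted(dns) or 'unset'}, expected only {expected_dns}")
    allowed = {a.strip() for a in peer.get("AllowedIPs", "").split(",")}
    if not {"0.0.0.0/0", "::/0"} <= allowed:
        findings.append("AllowedIPs is not full-tunnel, so queries can leak to the local resolver")
    return findings

def secret_fields(text):
    """Keys whose values are secrets; the QR code encodes all of them, so treat it like a key."""
    return [k for s in parse_wg_conf(text).values() for k in s if k in ("PrivateKey", "PresharedKey")]
```

Run it against the real peer1.conf from the container's /config volume before scanning the QR code on a phone.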

Mobile Device Setup

The process is the same for both Android and iOS devices.

Download WireGuard VPN Client

Google Play Store

Apple Store

Configure the client

Click the “+” icon and select the QR code option.

Scan the QR code and give the tunnel a name.

  • Name the connection once the QR code has been scanned
  • Proceed through the prompts to add the VPN configuration
  • Edit the connection; you can make it on-demand for cellular, so that each time you connect to a cellular network the WireGuard VPN connects automatically and you don’t have to worry when you are on the go.

Access AdGuard Home

While connected to WireGuard, first set up AdGuard Home at http://10.2.0.100:3000. Once that is done you can navigate to http://10.2.0.100/admin to manage the console.

The password (unless you set it in docker-compose.yml) is blank.

Full Automated Solution

I’ve got a fully automated deployment using Terraform which creates all the required resources; follow the instructions at https://github.com/fnazz/oracle-freetier-tf-adguard-unbound-wireguard

Closing Note

That was a short walkthrough on setting up a more peaceful internet, but it doesn’t end there. The default settings take care of the basics, but you will definitely want to enable more features and add more blocklists:

A good place to look for hosts files, blocklists and whitelists

Hope you find this useful.
