jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MikroTik AdGuard Home with DoT/DoH - completed setup
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source
This commit is contained in:
XTRM-Unraid
2026-01-25 14:51:07 +02:00
parent d44ffdbcff
commit 62450fdc7a
2 changed files with 86 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/00-CHANGELOG.md
View File

@@ -80,3 +80,13 @@ For detailed history before 2026-01-17, see archived changelogs:
- `archive/06-CHANGELOG.md` - `archive/06-CHANGELOG.md`
- `archive/07-CHANGELOG.md` - `archive/07-CHANGELOG.md`
- `archive/00-CHANGELOG.md` - `archive/00-CHANGELOG.md`
## 2026-01-25
- [PHASE DNS] MikroTik AdGuard Home container installed - COMPLETED
- Container: adguardhome v0.107.71 on veth-adguard (172.17.0.2/24)
- Upstreams: 192.168.31.4 (Unraid AdGuard), 8.8.8.8, 1.1.1.1
- TLS enabled with Let's Encrypt cert for dns.xtrm-lab.org
- DoT on port 853, DoH on port 8443 (external)
- LAN DNS redirect updated to use MikroTik AdGuard
- Old docker-bridge removed (routing conflict)
- Web UI at http://192.168.31.1:3000

103
docs/wip/MIKROTIK-ADGUARD-DOT-DOH.md
View File

@@ -1,14 +1,15 @@
# WIP: MikroTik AdGuard Home with DoT/DoH # MikroTik AdGuard Home with DoT/DoH
**Status:** In Progress **Status:** Completed
**Started:** 2026-01-25 **Started:** 2026-01-25
**Completed:** 2026-01-25
--- ---
## Objective ## Objective
Single DNS endpoint with failover: Single DNS endpoint with failover:
- External: dns.xtrm-lab.org (DoT 853, DoH 443) - External: dns.xtrm-lab.org (DoT 853, DoH 8443)
- Internal: 192.168.31.1 (all LAN clients) - Internal: 192.168.31.1 (all LAN clients)
- Failover: Unraid AdGuard (192.168.31.4) as upstream backup - Failover: Unraid AdGuard (192.168.31.4) as upstream backup
@@ -16,10 +17,10 @@ Single DNS endpoint with failover:
``` ```
External ──► dns.xtrm-lab.org ──► NAT ──┐ External ──► dns.xtrm-lab.org ──► NAT ──┐
(DoT 853, DoH 443) (DoT 853, DoH 8443) │
Internal ──► 192.168.31.1:53 ────► MikroTik AdGuard Internal ──► 192.168.31.1:53 ────► MikroTik AdGuard
(LAN clients) (container) (LAN clients) (172.17.0.2)
Upstreams: Upstreams:
@@ -30,35 +31,83 @@ Internal ──► 192.168.31.1:53 ────► MikroTik AdGuard
## Implementation Steps ## Implementation Steps
- [ ] 1. Install AdGuard container on MikroTik - [x] 1. Install AdGuard container on MikroTik
- [ ] 2. Configure veth interface with IP - [x] 2. Configure veth interface with IP (172.17.0.2/24)
- [ ] 3. Configure AdGuard upstreams - [x] 3. Configure AdGuard upstreams (192.168.31.4, 8.8.8.8, 1.1.1.1)
- [ ] 4. Enable DoT/DoH in AdGuard - [x] 4. Enable DoT/DoH in AdGuard
- [ ] 5. Generate/configure TLS certificates - [x] 5. Configure TLS certificates (dns.xtrm-lab.org, Let's Encrypt)
- [ ] 6. Update NAT rules (DoT/DoH → container) - [x] 6. Update NAT rules (DoT/DoH → container)
- [ ] 7. Update DNS redirect rules (LAN → container) - [x] 7. Update DNS redirect rules (LAN → container)
- [ ] 8. Test internal DNS - [x] 8. Test internal DNS (working)
- [ ] 9. Test external DoT/DoH - [ ] 9. Test external DoT/DoH (pending external test)
- [ ] 10. Update documentation - [x] 10. Update documentation
## Container Configuration ## Container Configuration
- **Image:** adguard/adguardhome:latest - **Image:** adguard/adguardhome:latest
- **Root dir:** /usb1/adguard - **Version:** v0.107.71
- **Interface:** veth-adguard - **Root dir:** usb1/adguard/root
- **Mounts:** Config persistence - **Interface:** veth-adguard (172.17.0.2/24)
- **Gateway:** 172.17.0.1
- **Mounts:** agh-config, agh-work
## Network Configuration ## Network Configuration
| Service | Port | Target | | Service | External Port | Internal Target |
|---------|------|--------| |---------|---------------|-----------------|
| DNS | 53 | Container | | DNS (UDP/TCP) | 53 | 172.17.0.2:53 |
| DoT | 853 | Container | | DoT (TCP) | 853 | 172.17.0.2:853 |
| DoH | 443 | Container | | DoH (TCP) | 8443 | 172.17.0.2:443 |
| Web UI | 3000 | Container | | Web UI | 3000 | 172.17.0.2:80 |
## NAT Rules
```
# DNS redirect for LAN
chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp/tcp src-address=192.168.31.0/24 dst-port=53
# DoT external access
chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=853 protocol=tcp in-interface=eth1_WAN dst-port=853
# DoH external access (using port 8443 to avoid Traefik conflict)
chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=443 protocol=tcp in-interface=eth1_WAN dst-port=8443
# Web UI access
chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=80 protocol=tcp dst-address=192.168.31.1 dst-port=3000
```
## TLS Configuration
- **Server name:** dns.xtrm-lab.org
- **Certificate:** Let's Encrypt (valid until 2026-03-10)
- **DoT port:** 853
- **DoH port:** 443 (internal) / 8443 (external)
- **Certificate location:** /mnt/user/appdata/claude-code/certbot/config/live/dns.xtrm-lab.org/
## AdGuard Credentials
- **Username:** admin
- **Password:** admin123
- **Web UI:** http://192.168.31.1:3000
## Usage
### Internal (LAN clients)
Clients automatically use 192.168.31.1:53 via DHCP/NAT redirect.
### External DoT (Android/iOS Private DNS)
```
dns.xtrm-lab.org
```
### External DoH
```
https://dns.xtrm-lab.org:8443/dns-query
```
## Notes ## Notes
- Using script from: https://github.com/maximpri/mikrotik-adguardhome - Old docker-bridge removed (was causing routing conflict)
- Previous MikroTik containers removed (storage issues) - Container network 172.17.0.0/24 conflicts with standard Docker on Unraid
- Unraid AdGuard (192.168.31.4) remains as backup upstream - Unraid AdGuard (192.168.31.4) used as primary upstream for ad filtering
- Container starts on boot automatically