MikroTik AdGuard Home with DoT/DoH
Status: Completed
Started: 2026-01-25
Completed: 2026-01-25
Objective
Single DNS endpoint with failover:
- External: dns.xtrm-lab.org (DoT 853, DoH 8443)
- Internal: 192.168.31.1 (all LAN clients)
- Failover: upstream list of Unraid AdGuard (192.168.31.4) plus 8.8.8.8 and 1.1.1.1, so LAN resolution keeps working when the Unraid host is down
Architecture
External ──► dns.xtrm-lab.org ──► NAT ──┐
             (DoT 853, DoH 8443)        │
                                        ▼
Internal ──► 192.168.31.1:53 ─────► MikroTik AdGuard
(LAN clients)                       (172.17.0.2)
                                        │
                                        ▼
                                    Upstreams:
                                    - 192.168.31.4 (Unraid AdGuard)
                                    - 8.8.8.8 (Google)
                                    - 1.1.1.1 (Cloudflare)
Implementation Steps
1. Install AdGuard container on MikroTik
2. Configure veth interface with IP (172.17.0.2/24)
3. Configure AdGuard upstreams (192.168.31.4, 8.8.8.8, 1.1.1.1)
4. Enable DoT/DoH in AdGuard
5. Configure TLS certificates (dns.xtrm-lab.org, Let's Encrypt)
6. Update NAT rules (DoT/DoH → container)
7. Update DNS redirect rules (LAN → container)
8. Test internal DNS (working)
9. Test external DoT/DoH (pending external test)
10. Update documentation
Container Configuration
- Image: adguard/adguardhome:latest
- Version: v0.107.71
- Root dir: usb1/adguard/root
- Interface: veth-adguard (172.17.0.2/24)
- Gateway: 172.17.0.1
- Mounts: agh-config, agh-work
Network Configuration
| Service | Router port | Container target | Reachable from |
|---|---|---|---|
| DNS (UDP/TCP) | 53 | 172.17.0.2:53 | LAN (192.168.31.0/24) |
| DoT (TCP) | 853 | 172.17.0.2:853 | WAN (eth1_WAN) |
| DoH (TCP) | 8443 | 172.17.0.2:443 | WAN (eth1_WAN) |
| Web UI | 3000 | 172.17.0.2:80 | LAN (192.168.31.1) |
NAT Rules (/ip firewall nat)
# DNS redirect for LAN. RouterOS accepts one protocol per rule, so the
# "protocol=udp/tcp" redirect is two rules. Caveat: if the Unraid AdGuard
# (192.168.31.4) itself forwards to plain-DNS upstreams on port 53, these rules
# send its queries back into the container and create a loop; exclude it with
# src-address=!192.168.31.4 (or an address list) in that case.
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=udp src-address=192.168.31.0/24 dst-port=53 comment="LAN DNS -> AdGuard"
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=53 protocol=tcp src-address=192.168.31.0/24 dst-port=53 comment="LAN DNS -> AdGuard"
# DoT external access
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=853 protocol=tcp in-interface=eth1_WAN dst-port=853 comment="DoT -> AdGuard"
# DoH external access (port 8443 on the WAN side to avoid the Traefik conflict on 443)
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=443 protocol=tcp in-interface=eth1_WAN dst-port=8443 comment="DoH -> AdGuard"
# Web UI access (LAN only: matched on the router's LAN address, never on eth1_WAN)
add chain=dstnat action=dst-nat to-addresses=172.17.0.2 to-ports=80 protocol=tcp dst-address=192.168.31.1 dst-port=3000 comment="AdGuard web UI"
# dst-nat only rewrites the destination. The forward chain must still accept
# new connections to 172.17.0.2 on these ports: the RouterOS default
# "drop all from WAN not DSTNATed" rule lets them through, a stricter policy
# needs an explicit accept rule.
TLS Configuration
- Server name: dns.xtrm-lab.org
- Certificate: Let's Encrypt (valid until 2026-03-10; Let's Encrypt issues 90-day certificates, so renewal has to happen before that date)
- DoT port: 853
- DoH port: 443 (internal) / 8443 (external)
- Certificate location: /mnt/user/appdata/claude-code/certbot/config/live/dns.xtrm-lab.org/ (certbot on the Unraid host; the AdGuard container on the MikroTik holds its own copy, which has to be replaced after every renewal)
AdGuard Credentials
- Username: admin
- Password: admin123 (initial setup value; change it in the web UI, and keep AdGuardHome.yaml, which stores the password hash, out of the repo)
- Web UI: http://192.168.31.1:3000 (LAN only, plain HTTP)
Usage
Internal (LAN clients)
DHCP hands out 192.168.31.1 as the resolver, and the dstnat rule forces any remaining port-53 traffic from 192.168.31.0/24 into the container, so clients with a hard-coded resolver are covered as well. Clients that are configured for DoT/DoH to a third party bypass the redirect.
External DoT (Android: Private DNS hostname; iOS/macOS: a DNS-settings configuration profile, there is no built-in Private DNS field)
dns.xtrm-lab.org
External DoH
https://dns.xtrm-lab.org:8443/dns-query
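Steps 8 and 9 of the implementation and the two endpoints listed above can be checked from outside the LAN with the script below. It is an added example, not part of these notes or of AdGuard Home: it builds a raw DNS query, sends it over DoT (RFC 7858, length-prefixed messages inside TLS) and over DoH (RFC 8484, GET form), parses the answer, and reports the certificate's notAfter so the 2026-03-10 expiry can be tracked. The hostname, ports and /dns-query path are the ones from the notes; example.com as the test name is an assumption, and the offline parts (query encoding, response parsing) are exercised with a constructed response rather than live traffic.

```python
"""Check the DoT (853) and DoH (8443) endpoints from outside the LAN.
Added example, standard library only; host, ports and path are from the
notes, the test name (example.com) is an assumption."""
import base64
import socket
import ssl
import struct
import urllib.request

DOT_HOST = "dns.xtrm-lab.org"
DOT_PORT = 853
DOH_URL = "https://dns.xtrm-lab.org:8443/dns-query"


def build_query(name, qtype=1, txid=0):
    """RFC 1035 query: header (RD set) + one IN question. txid=0 is what
    RFC 8484 recommends for DoH so responses can be cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Offset just past a domain name, compressed (0xC0 pointer) or not."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def parse_response(msg):
    """Return id, rcode and the A/AAAA addresses in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}

def dot_frame(query):
    """RFC 7858: every DoT message is prefixed with its 16-bit length."""
    return struct.pack("!H", len(query)) + query

def doh_get_url(base_url, query):
    """RFC 8484 GET: query as base64url without '=' padding in ?dns=."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_dot(name, host=DOT_HOST, port=DOT_PORT):
    """Resolve over DoT. create_default_context() verifies the chain and the
    hostname, so a wrong or expired certificate fails here, not silently."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(dot_frame(build_query(name, txid=0x1234)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            result = parse_response(_recv_exact(tls, length))
            result["cert_not_after"] = tls.getpeercert()["notAfter"]
            return result

def query_doh(name, url=DOH_URL):
    """Resolve over DoH (GET form); urllib verifies TLS by default."""
    req = urllib.request.Request(doh_get_url(url, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("application/dns-message"):
            raise ValueError(f"unexpected Content-Type {ctype!r}")
        return parse_response(resp.read())

if __name__ == "__main__":
    print("DoT:", query_dot("example.com"))
    print("DoH:", query_doh("example.com"))
```

Run it from a host outside the LAN (mobile hotspot, VPS). A certificate mismatch, an expired certificate or a NAT rule that does not reach the container shows up as an exception from the TLS layer or a timeout rather than a wrong answer; rcode 0 with an address means the container answered through the WAN path.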
Notes
- Old docker-bridge removed (was causing routing conflict)
- Container network 172.17.0.0/24 overlaps Docker's default bridge range (172.17.0.0/16) on Unraid
- Unraid AdGuard (192.168.31.4) is listed so its ad filtering applies; 8.8.8.8 and 1.1.1.1 keep resolution working when it is down. With AdGuard Home's default load-balancing upstream mode, queries are spread over all three servers rather than preferring the first, so for strict primary/backup behaviour move the public resolvers to the fallback list (Fallback DNS servers under DNS settings, fallback_dns in AdGuardHome.yaml); otherwise a share of LAN queries bypasses the Unraid filtering
- Container starts on boot automatically