Test exposing adguard to the internet #11

Open
yuha0 opened this issue May 24, 2024 · 0 comments
yuha0 commented May 24, 2024

Using tailscale to connect remote devices back to DoH (adguard home) hosted at home works ok. There have been a few gotchas:

  • To establish VPN in the first place, tailscale needs to talk to its control plane, which needs DNS resolution.
  • Looks like the system needs to temporarily disconnect VPN while updating tailscale iOS app. But iOS seems to need to make a few calls during the update process. Sometimes it gets into a weird lock.
  • When disconnecting from home Wi-Fi, it takes a few seconds for the on-demand VPN to kick in. All queries made during this time will fail. This can be extremely annoying as I am driving out of the garage, when I need internet the most to set up a route in the navigation app.
  • Tailscale is just not that reliable. Sometimes I have to re-open the app and re-authenticate to get the connection back on.

The best DoH experience for me would be if the DNS server is reachable from anywhere with internet. There are some concerns indeed, but screw it, this sounds like fun:

  1. Only expose DoH (HTTP API) via external ingress. No vanilla UDP path.
  2. network policy to prevent compromised AdGuard Home from doing weird stuff:
    • block AdGuard Home egress to anywhere in homelab.
      • except for local ptr queries to router
    • block AdGuard Home egress to internet
      • except for listed filter URLs and upstream DNS servers
      • Not possible since the adguardhome pod can't use cluster DNS (coredns) as upstream. (coredns has the home router as upstream, and of course I need the home router to point to adguardhome...)
  3. Use static client IDs in DoH queries. Then put these IDs onto allowed_clients list since I don't want to be a public resolver
    • This feels like a hack -- basically using client ID as authentication credential, in the format of a URL subpath in an HTTP call. But probably can work.
    • The allowed_clients also need to have homelab local IP ranges.
      • This is the fun part: gotta make sure that adguard has the correct trusted_proxies configuration so that it can parse the source IP header from ingress-nginx, which comes from a Cloudflare-proxied internet request.
@yuha0 yuha0 self-assigned this May 24, 2024
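The trusted_proxies / allowed_clients interaction described in the issue, as an added example (not AdGuard Home's code and not from this repository): a simplified Python model that recovers the client address by walking X-Forwarded-For from the right over a trust list, then checks the result against an allowed_clients list that mixes CIDRs with static client IDs taken from the DoH URL path. The ingress pod CIDR, the stand-in range for the Cloudflare edge, the header layout and every address and client ID are constructed assumptions. The naive_client_ip function is included only to show what an over-trusting implementation gets wrong: with it, a request from the internet that puts a LAN address in the leftmost X-Forwarded-For slot is treated as a LAN client and passes the allow list.

```python
"""Proxy-aware client identification for a DoH resolver behind ingress-nginx and
Cloudflare, as a simplified model. Added example; not AdGuard Home's own code.

Every CIDR, header value and client ID below is constructed for the example.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed trust list: the ingress-nginx pod network and a stand-in range for
# the Cloudflare edge. Headers from any other peer must never be believed.
TRUSTED_PROXIES = ["10.42.0.0/16", "198.51.100.0/24"]

# Constructed allowed_clients list: a homelab LAN range plus one static client ID
# that a phone embeds in its DoH URL path.
ALLOWED_CLIENTS = ["192.168.1.0/24", "phone-a1b2c3"]


def _networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_any(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return any(addr in n for n in networks)


def naive_client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """Pitfall: believe the leftmost X-Forwarded-For entry whenever the peer is a proxy.
    The leftmost entry is whatever the original requester chose to put there."""
    if xff and _in_any(remote_addr, _networks(trusted)):
        return xff.split(",")[0].strip()
    return remote_addr


def real_client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """Walk X-Forwarded-For from the right, skipping hops that are trusted proxies;
    the first untrusted hop is the client. A header from an untrusted peer is ignored."""
    nets = _networks(trusted)
    if not _in_any(remote_addr, nets):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _in_any(hop, nets):
                return hop
        except ValueError:
            return remote_addr  # malformed hop: fall back to the socket peer
    return remote_addr  # every hop was a trusted proxy: no client address recoverable


def client_id_from_path(path: str) -> Optional[str]:
    """A DoH URL of the form /dns-query/<clientid> carries a static client ID."""
    parts = [p for p in path.split("/") if p]
    if len(parts) == 2 and parts[0] == "dns-query":
        return parts[1]
    return None


def is_allowed(client_ip: str, client_id: Optional[str], allowed: Iterable[str]) -> bool:
    """Entries in the allow list are either IP/CIDR values or bare client IDs."""
    nets, ids = [], set()
    for entry in allowed:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            ids.add(entry)
    if client_id is not None and client_id in ids:
        return True
    return _in_any(client_ip, nets)


def decide(remote_addr: str, xff: Optional[str], path: str,
           trusted=TRUSTED_PROXIES, allowed=ALLOWED_CLIENTS) -> bool:
    """Full check: recover the client address, then consult the allow list."""
    ip = real_client_ip(remote_addr, xff, trusted)
    return is_allowed(ip, client_id_from_path(path), allowed)


if __name__ == "__main__":
    # Internet request that forges a LAN address in the leftmost XFF slot; the
    # Cloudflare edge and ingress-nginx then append their own hops to the right.
    forged = "192.168.1.50, 203.0.113.9, 198.51.100.20"
    print("naive :", naive_client_ip("10.42.3.7", forged, TRUSTED_PROXIES))
    print("walked:", real_client_ip("10.42.3.7", forged, TRUSTED_PROXIES))
    print("phone :", decide("10.42.3.7", "203.0.113.9, 198.51.100.20", "/dns-query/phone-a1b2c3"))
    print("anon  :", decide("10.42.3.7", "203.0.113.9, 198.51.100.20", "/dns-query"))
```

The two things worth checking in a real deployment follow directly from the model: the trust list must contain exactly the hops that are allowed to rewrite the header (the ingress pods and the upstream edge), and nothing else must be able to reach the resolver's HTTP port, otherwise a peer outside the trust list is still identified by its socket address, which is the intended fallback.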