Trying to get AdGuard Home DNS-over-TLS to work

1. The problem I’m having:

I want to use AdGuard Home as well as DNS-over-TLS using Caddy as the reverse proxy for adguard.example.com.

Everything is running on Proxmox. The web interface runs fine by simply redirecting port 443 to 3000, which is where AdGuard Home has its interface.
Though I can't get DNS-over-TLS to work, which is on port 853.

2. Error messages and/or full log output:

Client says it can’t connect to the server.

# I've temporarily enabled the access log and while the web interface produces tons of logs, DNS-over-TLS does nothing

3. Caddy version:

v2.10.0

4. How I installed and ran Caddy:

Custom xcaddy:

xcaddy build --with github.com/mholt/caddy-l4

Then did the whole caddy.default, caddy.custom and update-alternatives thing from the official guide.

a. System environment:

Caddy in Debian in Proxmox LXC using the Proxmox Community Scripts

b. Command:

caddy run

c. Service/unit/compose file:

not relevant

d. My complete Caddy config:

homeassistant.example.com {
        reverse_proxy homeassistant.local:8123
}
adguard.example.com {
        @https protocol https
        handle @https {
                reverse_proxy adguard.local:3000
        }
        handle {
                reverse_proxy adguard.local
        }
}

Shouldn't everything that isn't https be straight forwarded to adguard.local as is?

5. Links to relevant resources:

Your configuration doesn’t have anything for the layer4 app. You’ve only configured the HTTP server of Caddy. DNS-over-TLS is not HTTPS. It runs TLS on raw TCP connections without an HTTP layer. Here’s the possible config for it:

{
	layer4 {
		:853 {
			# the SNI matcher lives under the tls matcher in the caddy-l4 Caddyfile
			@dot tls sni adguard.example.com
			route @dot {
				# terminate TLS here; the decrypted stream is DNS-over-TCP framed
				tls
				proxy {
					# so it must go to a TCP upstream, not udp/53
					upstream adguard.local:53
				}
			}
		}
	}
}
homeassistant.example.com {
        reverse_proxy homeassistant.local:8123
}
adguard.example.com {
        @https protocol https
        handle @https {
                reverse_proxy adguard.local:3000
        }
        handle {
                reverse_proxy adguard.local
        }
}
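To see why the HTTP reverse_proxy never sees this traffic, here is an added example (not from the thread, and not Caddy's or AdGuard's own code): a small Python check that opens a TLS connection to port 853 with the SNI the layer4 matcher keys on and sends one length-prefixed DNS query, exactly as a DoT client does. The endpoint and query name in the usage call are assumptions.

```python
import socket
import ssl
import struct

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (TLS sockets may return partial reads)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 A query for qname with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(msg: bytes) -> bytes:
    """DoT (RFC 7858) uses DNS-over-TCP framing: a 2-byte big-endian length prefix.
    A plain UDP/53 upstream would receive this prefix as part of the datagram."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header of a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def query_dot(host: str, sni: str, qname: str, port: int = 853, timeout: float = 5.0) -> dict:
    """Open a TLS connection to host:port with the given SNI (what the layer4 'tls sni'
    matcher keys on), send one framed query and return the decoded response header."""
    ctx = ssl.create_default_context()  # verifies the cert chain against system roots
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame(build_query(qname)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_header(recv_exact(tls, length))

if __name__ == "__main__":
    # Hypothetical endpoint taken from the thread; replace with your own.
    print(query_dot("adguard.example.com", "adguard.example.com", "example.org"))
```

If the connection is refused or the handshake fails, Caddy is not listening on 853 with the layer4 app, which is the symptom described in the question.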

I had to modify it a bit to make it work, though now it shows up in AdGuard as caddy.local instead of the clients IP.

Is there a way to use something like X-Forwarded-For in layer4 as well?

This is my current block:

{
        layer4 {
                :853 {
                        @dot tls sni adguard.example.com
                        route @dot {
                                proxy adguard.local:853
                        }
                }
        }
}

I’ve tried adding proxy_protocol v1 and v2 to proxy adguard.local:853, but then it won’t connect.

I’ve added Caddy to the trusted_proxies in AdGuard Home, so that should be good, must be something else.

Unfortunately, AdGuard Home doesn't support connections with the PROXY protocol, so Caddy cannot use that technology to deliver the original remote IP address.

There may be a way to manage it using iptables, but that’s beyond my knowledge.

Thank you, sir!

I've now switched to forwarding ports 853 and 53 to my AdGuard Home machine directly and only forward port 80 to 80 (for certbot) and 443 to 3000 (for the web interface) via Caddy.