How to Install AdGuard Home on a Synology NAS!

Today we are going to look at how to install AdGuard Home on a Synology NAS.

AdGuard Home is a network-wide ad-blocker and a competitor to Pi-hole. I have a few tutorials on how you can setup Pi-hole on a Raspberry Pi and Synology NAS, but this tutorial will focus on installing AdGuard Home on a Synology NAS.

Synology NAS: AdGuard Home versus Pi-hole

The first and logical question will be “which is better?”, as both AdGuard Home and Pi-hole are network-wide ad blockers. This is a completely subjective question and I’d be wary of anyone who tells you one is better than the other. If you look at the AdGuard Home website, you’d believe that AdGuard Home is the clear winner, but after further inspection, Pi-Hole is a lot closer than it might first appear.

So here’s my completely subjective answer as someone who has used Pi-hole for a long time: I like Pi-hole and will continue to use it, but if I was interested in setting up encrypted DNS (DNS-over-HTTPS), I’d probably spring for AdGuard Home. You can setup DNS-over-HTTPS on Pi-hole as well, but it isn’t nearly as simple. Whether this is necessary can be debated, but in my opinion, it’s a lot easier to setup on AdGuard Home.

Docker Installation Instructions

1. Install Docker from Synology’s Package Center.

2. We need to create two folders that we will map our Docker image to. By default, Docker will create a folder named docker after it’s finished installing. Inside of this folder, we are going to create a folder named adguard. Inside of that folder, we are going to create two subfolders. Create one folder named conf and another folder named data.

Before we proceed, there are two different ways to set this up. The first is using your host network device, which means that all traffic will be sent to the IP address of your NAS. The second is by creating a macvlan network interface in Docker. I prefer creating a macvlan network interface because it sets a separate IP address for the DNS server and avoids port conflicts. If you use the host network interface, you will need to use your NAS’s IP address as your DNS server. You also might run into conflicts with existing services using this method, so I will not be going over it in this tutorial. However, you’d pretty much skip all of the networking steps and check the “use the same network as Docker Host” checkbox when configuring the network interface.

Instructions - Synology NAS AdGuard Home

1. Ensure you can SSH into your Synology NAS. Open Control Panel, select Terminal & SNMP, and Enable SSH service. If you are using Synology’s Firewall, ensure that you allow port 22 traffic. I created a video on how to SSH into your Synology NAS if you have any problems.

2. SSH into your Synology NAS using your favorite SSH tool.

3. We need to create a Docker macvlan network interface. First, we need to determine what network interfaces currently exist (on your Synology NAS) and note down the adapter name. To do this, run the command below and note down the network interface name that has your Synology NAS’s IP address (in this example, mine is eth0).


4. Next, you need to run the command below while substituting the correct subnet (most are or by default). You also need to pick an IP address that you’d like to use that’s not currently in use. I will be using NOTE: ag_network will be the name of the network (you can substitute this as you’d like).

sudo docker network create -d macvlan -o parent=eth0 --subnet= --gateway= --ip-range= ag_network

Our network is now created. We can then exit our SSH session and disable it in DSM (if you won’t be using it). If you are disabling it and created a firewall rule for it, you should inactivate the firewall rule as well.

Firewall Setup

Not everyone will be using Synology’s Firewall, but if you are, you need to open port 3000, 80, and 53. 3000 is used for the initial setup process, 80 is used after the setup process is complete, and 53 is used for DNS querying. NOTE: after the setup process is complete, you can close port 3000 if you’d like.

5. Next, we need to create a bridge network. This is what will allow our host (NAS) to communicate with our Pi-hole container. Open Docker and navigate to the Network section. Select Add and enter a subnet that’s not currently in use. The IP address of the bridge I am creating will be

6. Open Docker, navigate to the Registry and search for AdGuard. Double click adguard/adguardhome image to download it. Select latest when the popup appears.

synology nas adguard home

7. Double-click the AdGuard image to create a new instance.

synology nas adguard home

8. Give the container a name and select Advanced Settings.

synology nas adguard home

9. We now need to configure the Advanced Settings.

  • Check off Enable auto-restart.
  • In the Volume section, we need to map the folders we created to the internal Docker Pi-hole locations. Select Add Folder and add the conf folder and type the mount path as /opt/adguardhome/conf. Do the same for the data folder with the mount path as opt/adguardhome/work/data.

synology nas adguard home

  • In the network section, add the ag_network and ag_bridge networks that we created earlier. Remove the default bridge network.

synology nas adguard home

The rest of the settings can stay as default. Select Next and then Apply to create the container.

10. You should now be able to access AdGuard Home using this web address:


11. Select Get Started to start the configuration process.

12. Specify the macvlan connection to be default for the admin interface and DNS server.

13. Specify a username and password.

14. The next screen will show you how to configure different devices. In the next section, I will go over my preferred approach which is setting AdGuard Home to be my router’s DNS server. If you aren’t interested in doing that, this is a great section to learn how to set up the DNS server on your local device.

15. Select Next and then Open Dashboard. Sign in when prompted.

16. AdGuard Home is now set up and installed. Please note that you will no longer use port 3000 when navigating to the web portal. After the setup process is complete, you will be able to access to management portal using the macvlan IP address only (as it uses port 80).


Synology NAS AdGuard Home Settings

I’m not going to go into specifics as far as settings go because they’re mostly personal preference, but here are a few things you might want to check right after installation:

  • Settings – DNS Settings: These are your upstream DNS servers. By default, the upstream DNS server will be listed as quad9 which is encrypted DNS-over-HTTPS. If you don’t configure a certificate, you will not get the benefits of DNS-over-HTTPS.
  • Settings – Encryption Settings: This is where you will configure your certificate if you’d like to enable DNS-over-HTTPS. The AdGuard team has a pretty good tutorial here that will show you how to configure it if you’re interested.
  • Settings – General Settings: The majority of settings are somewhat self-explanatory on this page but this is where you can configure logging and query retention.
  • Filters – DNS Blocklists: This is where you can add new blocklists (if you’d like to add any).
  • Filters – Blocked Service: Quickly block an entire service.
  • Filters – DNS Allowlists: Define domains that should not be blocked.

There are plenty of options that you can play around with but these are some of the most important ones right after installation.

DNS Configuration - Synology NAS AdGuard Home

Now that the setup of AdGuard Home is complete, we need to determine a way to point our clients to our DNS server. There are two main ways to do this:

  • Point your router’s DNS server to your AdGuard Home server IP address. This will ensure that any device connected will use AdGuard Home as its DNS server.
  • Point each client to your DNS server. This is beneficial if you only want certain clients to use AdGuard Home as a DNS server.

I point my routers DNS servers to my AdGuard Home server as I want to ensure every device connects to it.\

NOTE: The IP address below is the IP address of my Raspberry Pi, as I am using two DNS servers for redundancy. If you are only using your Synology NAS, you will only add here.


I’ve been using AdGuard home for a few weeks and I’m pretty impressed with it. It’s impossible to not talk about Pi-hole when discussing AdGuard Home, so it’s important to do some research and pick the best option for you. I think that ultimately, you can’t go wrong with either and you’ll be happy one way or the other!

Thanks for reading the tutorial. If you have any questions, please leave them in the comments!

This Post Has 16 Comments

  1. Thanks for the great write-up! I’ve attempted similar builds before, but finally learned from you that I was missing the additional bridge network. Q: Is there a way to create a macvlan network that has more than 1 IP address, and use this network for multiple containers? Would this approach work if each one had a different bridge network configured in DSM/Docker’s network setup?

    1. I’m glad to hear that it worked! Thank you for reading!

      You can’t use this macvlan network we created for AdGuard on multiple containers (well, you can, but only one can be started at a time). I haven’t personally tested this out, but I assume that you can run the exact command that we used “sudo docker network create -d macvlan…” and replace the “” with “”. This will define the IP range as an actual range as opposed to an individual IP address.

      The same is true for the bridge, since we defined one specific IP address for the bridge. Instead of setting the IP range as (which is only one IP address), you can try setting it as This should allow it to hand out IP addresses from that range which would do what you’re looking for.

      This issue with this is that you won’t know the IP address that is being assigned to your containers (which is very important for things like DNS servers and a lot of other services). You also might be in a position where the container restarts and gets a different IP address (unless you do a DHCP reservation in your router).

      I guess if I had to give a suggestion, I’d create multiple macvlan/bridge networks for the specific services that you’d like to have unique IP addresses. Since most Docker containers run perfectly fine using the host network interface, you’re generally creating macvlan/bridge networks for containers that might have port conflicts (DNS servers, for example).

      I realize that this is a very long answer for your fairly simple question, but I wanted to ensure that I covered all bases. If you have any additional questions, please let me know! Thanks again for reading!

      1. Thanks for replying! It definitely makes sense that the /32 network can only be used by one container at a time (never hurts to restate the obvious). However, if I understand macvlan correctly, each container on this network would be given its own virtual MAC address, which could allow the use of DHCP reservations to assign known IP addresses, right?

        I did try the idea of creating multiple /32 macvlan networks via the shell, but ran into the error response “failed to allocate gateway ( Address already in use” after the first one. The same type of error unsurprisingly occurred when trying to make a second bridge with the same gateway via the DSM web interface.

        To recap, and to make sure I am following correctly, it is the IP address of the container itself on our macvlan network, and not the IP address of the bridge that we need to know about, correct? Would you say that the following is accurate?
        * The bridge network could be a /24 with the full IP range enabled.
        * The macvlan network could be expanded; let’s use a /28 for example, with 16 IPs (14 usable).
        * Use the –ip parameter when starting the container to set its IP address.

      2. I guess my lingering question revolves around not knowing exactly how the bridge network functions. Does the bridge network need a 1:1 IP address for each container’s IP address, or is the bridge more of a network level…bridge…that only needs one IP of its own in order to perform its function?

  2. Thanks for your detailed walktrough! Work perfect, only I cannot use the safe browsing functionality. I checked all firewall settings but cannot find the answer. Also I can’t find a setting to let Adguard use a differend network interface for outgoing DNS checks.

    My macvlan is
    and my bridge is

    This is what the adguard log shows:
    [info] SafeBrowsing: failed: couldn’t initialize HTTP client or transport, cause: couldn’t initialize HTTP transport, cause: couldn’t bootstrap, cause: failed to lookup, cause: synthetic.wrap: all resolvers failed to lookup, cause: read udp> i/o timeout (hidden: read udp> i/o timeout)

    1. When exactly are you getting the error? When I enable it, I don’t receive an error and everything appears be working properly. Are you receiving it as soon as you enable it and try and save it?

      Sorry for the basic question, but hopefully we can continue trying to troubleshoot it after that!

    2. I encountered the same error and found out that adding tcp 443 to the synology firewall fixed it.

      Thnx for your great guides! Would love a in-depth guide on adguard settings and https over dns!

    3. Configure your Synology’s firewall to allow all communication from your bridge i.e.

  3. Thank you very much for the steps, this really helps!
    After updating the router my Synology of course also updated its DNS ( in your example). But the DNS requests fail on my Synology. That makes some sense, but I was hoping on a loopback.
    But also manually adjusting the DNS to the bridge IP is not working (

    From the Synology I cannot ping, and I can ping (and Is there something wrong in my setup?

    ps. Second use case is that I would also like to create a reverse proxy on my Synology to AGH. But that is not working due to the same issue.
    Thanks for your help!

    1. The thing that’s interesting is that your router should be pointed as the DNS server. So on your Synology NAS, should be configured as the DNS server and then the router should point back to the AdGuard Home server ( I haven’t had any issues with this configuration since the Synology NAS is technically using the router as the DNS server, not the container.

      You were correct in manually entering it as the bridge IP address, but that ALSO should work. As for the reverse proxy, any luck using the bridge IP address?

      In summary, can you double check to ensure that (or your router’s IP) is configured as the DNS server?

      Let me know how it goes and we can continue troubleshooting!

  4. I setup everything and it is working well. I‘m using VPN Server Package on my Synology NAS. When I connect over OpenVPN (different subnet) I‘m not able to make use or connect to adguard. Is there a way (maybe create another bridge) to solve this problem?

    1. Since you’re using OpenVPN (and it connects through your NAS, I assume), do you have the bridge IP address in the OpenVPN configuration file? If you don’t, that should fix the problem.

      Let me know and we can continue troubleshooting!

  5. Hi WunderTech
    thanks for your answer. Do you mean this point in the OpenVPN configuration file:
    dhcp-option DNS 192.168.xy.z

    If yes, then the answer is yes, I tried that already with the bridge IP address. But this doesnt work. I cant even ping that bridge IP address.

    I mean, I cant ping the bridge IP address as soon as I’m connected with VPN to my Synology NAS. But any other device or service in my home LAN is answering correctly on my requests via OpenVPN.

    1. Yes, that’s what I was hoping would work. One other thing to check – do you have the firewall enabled on your Synology NAS? If so, are you allowing traffic on port 53 to your VPN’s subnet? An easy way to check if it’s the firewall is to disable the firewall temporarily and see if it works.

      Let me know and we can continue troubleshooting!

  6. Greetings, thanks for the guide 🙂

    When using this approach compared to the “Use the same network as docker host” i only see 1 “Client” in Adguard Home, which is my router IP.

    With the other approach i was able to see the individual clients (Different pc’s etc) on the Adguard home screen.

    Is there a way to fix this, so make the clients “visible” again?

    Thanks in advance 🙂

    1. Unfortunately, I don’t believe that you can without setting each client’s DNS servers individually. Since the traffic is sent to the router and the router sends it to the AdGuard Home server, the traffic will all appear as if it’s coming from the router.

      I believe that your only option is to set the DNS server on the PC individually (so that it bypasses the router). I also believe that you might be able to get it to work if you use AdGuard Home as the DHCP server, but I believe that’s an experimental feature that you probably don’t want to use.

Leave a Reply

Close Menu