How to Install AdGuard Home on a Synology NAS!

Today we are going to look at how to install AdGuard Home on a Synology NAS.

AdGuard Home is a network-wide ad-blocker and a competitor to Pi-hole. I have a few tutorials on how you can set up Pi-hole on a Raspberry Pi and Synology NAS, but this tutorial will focus on installing AdGuard Home on a Synology NAS.

Synology NAS: AdGuard Home versus Pi-hole

The first and logical question will be “which is better?”, as both AdGuard Home and Pi-hole are network-wide ad blockers. This is a completely subjective question and I’d be wary of anyone who tells you one is better than the other. If you look at the AdGuard Home website, you’d believe that AdGuard Home is the clear winner, but after further inspection, Pi-Hole is a lot closer than it might first appear.

So here’s my completely subjective answer as someone who has used Pi-hole for a long time: I like Pi-hole and will continue to use it, but if I was interested in setting up encrypted DNS (DNS-over-HTTPS), I’d probably spring for AdGuard Home. You can set up DNS-over-HTTPS on Pi-hole as well, but it isn’t nearly as simple. Whether this is necessary can be debated, but in my opinion, it’s a lot easier to set up on AdGuard Home.

Docker Installation Instructions

1. Install Docker from Synology’s Package Center.

2. We need to create two folders that we will map our Docker image to. By default, Docker will create a folder named docker after it’s finished installing. Inside of this folder, we are going to create a folder named adguard. Inside of that folder, we are going to create two subfolders. Create one folder named conf and another folder named data.

Before we proceed, there are two different ways to set this up. The first is using your host network device, which means that all traffic will be sent to the IP address of your NAS. The second is by creating a macvlan network interface in Docker. I prefer creating a macvlan network interface because it sets a separate IP address for the DNS server and avoids port conflicts. If you use the host network interface, you will need to use your NAS’s IP address as your DNS server. You also might run into conflicts with existing services using this method, so I will not be going over it in this tutorial. However, you’d pretty much skip all of the networking steps and check the “use the same network as Docker Host” checkbox when configuring the network interface.

Instructions - Synology NAS AdGuard Home

1. Ensure you can SSH into your Synology NAS. Open Control Panel, select Terminal & SNMP, and Enable SSH service. If you are using Synology’s Firewall, ensure that you allow port 22 traffic. I created a video on how to SSH into your Synology NAS if you have any problems.

2. SSH into your Synology NAS using your favorite SSH tool.

3. We need to create a Docker macvlan network interface. First, we need to determine what network interfaces currently exist (on your Synology NAS) and note down the adapter name. To do this, run the command below and note down the network interface name that has your Synology NAS’s IP address (in this example, mine is eth0).

ifconfig

4. Next, you need to run the command below while substituting the correct subnet (most are 192.168.1.0/24 or 192.168.0.0/24 by default). You also need to pick an IP address that you’d like to use that’s not currently in use. I will be using 192.168.1.198. NOTE: ag_network will be the name of the network (you can substitute this as you’d like).

sudo docker network create -d macvlan -o parent=eth0 --subnet=192.168.1.0/24 --gateway=192.168.1.1 --ip-range=192.168.1.198/32 ag_network

Our network is now created. We can then exit our SSH session and disable it in DSM (if you won’t be using it). If you are disabling it and created a firewall rule for it, you should inactivate the firewall rule as well.

Firewall Setup

Not everyone will be using Synology’s Firewall, but if you are, you need to open ports 3000, 80, and 53. 3000 is used for the initial setup process, 80 is used after the setup process is complete, and 53 is used for DNS querying. NOTE: after the setup process is complete, you can close port 3000 if you’d like.

5. Next, we need to create a bridge network. This is what will allow our host (NAS) to communicate with our AdGuard Home container. Open Docker and navigate to the Network section. Select Add, name the network ag_bridge, and enter a subnet that’s not currently in use. The IP address of the bridge I am creating will be 192.168.10.2.

6. Open Docker, navigate to the Registry and search for AdGuard. Double click adguard/adguardhome image to download it. Select latest when the popup appears.

7. Double-click the AdGuard image to create a new instance.

8. Give the container a name and select Advanced Settings.

9. We now need to configure the Advanced Settings.

  • Check off Enable auto-restart.
  • In the Volume section, we need to map the folders we created to the internal AdGuard Home locations in the container. Select Add Folder and add the conf folder and type the mount path as /opt/adguardhome/conf. Do the same for the data folder with the mount path as /opt/adguardhome/work/data.

  • In the network section, add the ag_network and ag_bridge networks that we created earlier. Remove the default bridge network.

The rest of the settings can stay as default. Select Next and then Apply to create the container.

10. You should now be able to access AdGuard Home using this web address:

http://[IP_ADDRESS]:3000

11. Select Get Started to start the configuration process.

12. Specify the macvlan connection to be default for the admin interface and DNS server.

13. Specify a username and password.

14. The next screen will show you how to configure different devices. In the next section, I will go over my preferred approach which is setting AdGuard Home to be my router’s DNS server. If you aren’t interested in doing that, this is a great section to learn how to set up the DNS server on your local device.

15. Select Next and then Open Dashboard. Sign in when prompted.

16. AdGuard Home is now set up and installed. Please note that you will no longer use port 3000 when navigating to the web portal. After the setup process is complete, you will be able to access the management portal using the macvlan IP address only (as it uses port 80).

http://[IP_ADDRESS]

Synology NAS AdGuard Home Settings

I’m not going to go into specifics as far as settings go because they’re mostly personal preference, but here are a few things you might want to check right after installation:

  • Settings – DNS Settings: These are your upstream DNS servers. By default, the upstream DNS server will be listed as Quad9, which is encrypted DNS-over-HTTPS. If you don’t configure a certificate, you will not get the benefits of DNS-over-HTTPS.
  • Settings – Encryption Settings: This is where you will configure your certificate if you’d like to enable DNS-over-HTTPS. The AdGuard team has a pretty good tutorial here that will show you how to configure it if you’re interested.
  • Settings – General Settings: The majority of settings are somewhat self-explanatory on this page but this is where you can configure logging and query retention.
  • Filters – DNS Blocklists: This is where you can add new blocklists (if you’d like to add any).
  • Filters – Blocked Service: Quickly block an entire service.
  • Filters – DNS Allowlists: Define domains that should not be blocked.

There are plenty of options that you can play around with but these are some of the most important ones right after installation.

DNS Configuration - Synology NAS AdGuard Home

Now that the setup of AdGuard Home is complete, we need to determine a way to point our clients to our DNS server. There are two main ways to do this:

  • Point your router’s DNS server to your AdGuard Home server IP address. This will ensure that any device connected will use AdGuard Home as its DNS server.
  • Point each client to your DNS server. This is beneficial if you only want certain clients to use AdGuard Home as a DNS server.

I point my router’s DNS servers to my AdGuard Home server as I want to ensure every device connects to it.

NOTE: The 192.168.1.197 IP address below is the IP address of my Raspberry Pi, as I am using two DNS servers for redundancy. If you are only using your Synology NAS, you will only add 192.168.1.198 here.
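
A quick way to confirm that port 53 is reachable and that filtering is active once clients point at the new server: the sketch below is an added example (not part of the original tutorial) that sends a raw DNS A query over UDP and classifies the reply. The 0.0.0.0 sinkhole answer is an assumption about AdGuard Home's default blocking mode, and ads.example.test is a placeholder for a domain on your own blocklist.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a DNS A-record query (RFC 1035 wire format), recursion desired."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, pos):  # offset just past a (possibly compressed) name
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_response(msg):
    """Return (txid, rcode, [IPv4 strings]) from a DNS response."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    pos, addrs = 12, []
    for _ in range(qd):                  # skip the echoed question(s)
        pos = _skip_name(msg, pos) + 4
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:    # A record: 4-byte IPv4 address
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return txid, flags & 0x000F, addrs

def classify(rcode, addrs):
    # Assumption: AdGuard Home's default blocking mode answers A queries with 0.0.0.0.
    if rcode == 0 and addrs:
        return "blocked" if all(a == "0.0.0.0" for a in addrs) else "resolved"
    return {3: "nxdomain", 5: "refused"}.get(rcode, "other")

def check(server, name, timeout=3.0):
    """Ask `server` on UDP 53; 'timeout' means no reply (server down or port 53 blocked)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(4096)
        except OSError:                  # includes socket.timeout
            return "timeout"
    txid, rcode, addrs = parse_response(data)
    return classify(rcode, addrs) if txid == 0x1234 else "other"

SAMPLE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("ads.example.test")[12:]
          + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 10, 4) + bytes(4))  # constructed sinkholed reply
```

From a client on the LAN, check("192.168.1.198", "example.com") should return resolved and a domain on one of your blocklists should return blocked; timeout points at the port 53 firewall rule or the macvlan network.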

Conclusion

I’ve been using AdGuard Home for a few weeks and I’m pretty impressed with it. It’s impossible to not talk about Pi-hole when discussing AdGuard Home, so it’s important to do some research and pick the best option for you. I think that ultimately, you can’t go wrong with either and you’ll be happy one way or the other!

Thanks for reading the tutorial. If you have any questions, please leave them in the comments!

This Post Has 7 Comments

  1. Thanks for the great write-up! I’ve attempted similar builds before, but finally learned from you that I was missing the additional bridge network. Q: Is there a way to create a macvlan network that has more than 1 IP address, and use this network for multiple containers? Would this approach work if each one had a different bridge network configured in DSM/Docker’s network setup?

    1. I’m glad to hear that it worked! Thank you for reading!

      You can’t use this macvlan network we created for AdGuard on multiple containers (well, you can, but only one can be started at a time). I haven’t personally tested this out, but I assume that you can run the exact command that we used “sudo docker network create -d macvlan…” and replace the “192.168.1.198/32” with “192.168.1.0/24”. This will define the IP range as an actual range as opposed to an individual IP address.

      The same is true for the bridge, since we defined one specific IP address for the bridge. Instead of setting the IP range as 192.168.10.2/32 (which is only one IP address), you can try setting it as 192.168.10.0/24. This should allow it to hand out IP addresses from that range which would do what you’re looking for.

      The issue with this is that you won’t know the IP address that is being assigned to your containers (which is very important for things like DNS servers and a lot of other services). You also might be in a position where the container restarts and gets a different IP address (unless you do a DHCP reservation in your router).

      I guess if I had to give a suggestion, I’d create multiple macvlan/bridge networks for the specific services that you’d like to have unique IP addresses. Since most Docker containers run perfectly fine using the host network interface, you’re generally creating macvlan/bridge networks for containers that might have port conflicts (DNS servers, for example).

      I realize that this is a very long answer for your fairly simple question, but I wanted to ensure that I covered all bases. If you have any additional questions, please let me know! Thanks again for reading!

      1. Thanks for replying! It definitely makes sense that the /32 network can only be used by one container at a time (never hurts to restate the obvious). However, if I understand macvlan correctly, each container on this network would be given its own virtual MAC address, which could allow the use of DHCP reservations to assign known IP addresses, right?

        I did try the idea of creating multiple /32 macvlan networks via the shell, but ran into the error response “failed to allocate gateway (192.168.1.1): Address already in use” after the first one. The same type of error unsurprisingly occurred when trying to make a second bridge with the same gateway via the DSM web interface.

        To recap, and to make sure I am following correctly, it is the IP address of the container itself on our macvlan network, and not the IP address of the bridge that we need to know about, correct? Would you say that the following is accurate?
        * The bridge network could be a /24 with the full IP range enabled.
        * The macvlan network could be expanded; let’s use a /28 for example, with 16 IPs (14 usable).
        * Use the --ip parameter when starting the container to set its IP address.

      2. I guess my lingering question revolves around not knowing exactly how the bridge network functions. Does the bridge network need a 1:1 IP address for each container’s IP address, or is the bridge more of a network level…bridge…that only needs one IP of its own in order to perform its function?

  2. Thanks for your detailed walkthrough! Works perfectly, only I cannot use the safe browsing functionality. I checked all firewall settings but cannot find the answer. Also I can’t find a setting to let AdGuard use a different network interface for outgoing DNS checks.

    My macvlan is 192.168.0.200
    and my bridge is 192.168.100.2

    This is what the adguard log shows:
    [info] SafeBrowsing: failed: couldn’t initialize HTTP client or transport, cause: couldn’t initialize HTTP transport, cause: couldn’t bootstrap https://dns-family.adguard.com:443/dns-query, cause: failed to lookup dns-family.adguard.com, cause: synthetic.wrap: all resolvers failed to lookup, cause: read udp 192.168.0.200:57840->176.103.130.131:53: i/o timeout (hidden: read udp 192.168.0.200:49494->176.103.130.130:53: i/o timeout)

    1. When exactly are you getting the error? When I enable it, I don’t receive an error and everything appears to be working properly. Are you receiving it as soon as you enable it and try and save it?

      Sorry for the basic question, but hopefully we can continue trying to troubleshoot it after that!

    2. I encountered the same error and found out that adding tcp 443 to the synology firewall fixed it.

      Thanks for your great guides! Would love an in-depth guide on AdGuard settings and https over dns!
