How to Install AdGuard Home on a Synology NAS!

Today we are going to look at how to install AdGuard Home on a Synology NAS.

AdGuard Home is a network-wide ad-blocker and a competitor to Pi-hole. I have a few tutorials on how you can set up Pi-hole on a Raspberry Pi and Synology NAS, but this tutorial will focus on installing AdGuard Home on a Synology NAS.

Synology NAS: AdGuard Home versus Pi-hole

The first and logical question will be “which is better?”, as both AdGuard Home and Pi-hole are network-wide ad blockers. This is a completely subjective question and I’d be wary of anyone who tells you one is better than the other. If you look at the AdGuard Home website, you’d believe that AdGuard Home is the clear winner, but after further inspection, Pi-hole is a lot closer than it might first appear.

So here’s my completely subjective answer as someone who has used Pi-hole for a long time: I like Pi-hole and will continue to use it, but if I was interested in setting up encrypted DNS (DNS-over-HTTPS), I’d probably spring for AdGuard Home. You can set up DNS-over-HTTPS on Pi-hole as well, but it isn’t nearly as simple. Whether this is necessary can be debated, but in my opinion, it’s a lot easier to set up on AdGuard Home.

Docker Installation Instructions

1. Install Docker from Synology’s Package Center.

2. We need to create two folders that we will map our Docker image to. By default, Docker will create a folder named docker after it’s finished installing. Inside of this folder, we are going to create a folder named adguard. Inside of that folder, we are going to create two subfolders. Create one folder named conf and another folder named data.

Before we proceed, there are two different ways to set this up. The first is using your host network device, which means that all traffic will be sent to the IP address of your NAS. The second is by creating a macvlan network interface in Docker. I prefer creating a macvlan network interface because it sets a separate IP address for the DNS server and avoids port conflicts. If you use the host network interface, you will need to use your NAS’s IP address as your DNS server. You also might run into conflicts with existing services using this method, so I will not be going over it in this tutorial. However, you’d pretty much skip all of the networking steps and check the “use the same network as Docker Host” checkbox when configuring the network interface.

Instructions – Synology NAS AdGuard Home

1. Ensure you can SSH into your Synology NAS. Open Control Panel, select Terminal & SNMP, and Enable SSH service. If you are using Synology’s Firewall, ensure that you allow port 22 traffic. I created a video on how to SSH into your Synology NAS if you have any problems.

2. SSH into your Synology NAS using your favorite SSH tool.

3. We need to create a Docker macvlan network interface. First, we need to determine what network interfaces currently exist (on your Synology NAS) and note down the adapter name. To do this, run the command below and note down the network interface name that has your Synology NAS’s IP address (in this example, mine is eth0).

ifconfig

4. Next, you need to run the command below while substituting the correct subnet (most are 192.168.1.0/24 or 192.168.0.0/24 by default). You also need to pick an IP address that you’d like to use that’s not currently in use. I will be using 192.168.1.198. NOTE: ag_network will be the name of the network (you can substitute this as you’d like).

sudo docker network create -d macvlan -o parent=eth0 --subnet=192.168.1.0/24 --gateway=192.168.1.1 --ip-range=192.168.1.198/32 ag_network

Our network is now created. We can then exit our SSH session and disable it in DSM (if you won’t be using it). If you are disabling it and created a firewall rule for it, you should inactivate the firewall rule as well.
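
Added example (not part of the original tutorial): a pre-flight check, in plain sh, for the three values passed to docker network create in step 4. The function names are hypothetical; the second call uses a constructed /24 ip-range to show that only a /32 pins a single address.

```sh
#!/bin/sh
# Added example: sanity-check the values passed to "docker network create"
# in step 4 before running it. Function names are hypothetical.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() (
    set -f; IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) exit 1 ;; esac   # digits only, no leading zero
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# cidr_bounds A.B.C.D/N -> "first last": integer bounds of the block
cidr_bounds() (
    bits=${1#*/}
    case $bits in ''|*[!0-9]*) exit 1 ;; esac
    [ "$bits" -le 32 ] || exit 1
    ip=$(ip_to_int "${1%/*}") || exit 1
    size=$(( 1 << (32 - bits) ))
    first=$(( ip / size * size ))
    echo "$first $(( first + size - 1 ))"
)

# check_macvlan SUBNET GATEWAY IP_RANGE -> prints a verdict, returns 0 if sane
check_macvlan() (
    sub=$(cidr_bounds "$1") && rng=$(cidr_bounds "$3") && gw=$(ip_to_int "$2") ||
        { echo "unparseable input"; exit 2; }
    s_first=${sub% *}; s_last=${sub#* }
    r_first=${rng% *}; r_last=${rng#* }
    if [ "$r_first" -lt "$s_first" ] || [ "$r_last" -gt "$s_last" ]; then
        echo "ip-range is outside the subnet"; exit 1
    fi
    if [ "$r_first" -ne "$r_last" ]; then
        echo "ip-range covers $(( r_last - r_first + 1 )) addresses, not one; use /32"; exit 1
    fi
    if [ "$r_first" -eq "$gw" ] || [ "$r_first" -eq "$s_first" ] || [ "$r_first" -eq "$s_last" ]; then
        echo "ip-range collides with the gateway, network or broadcast address"; exit 1
    fi
    echo "ok"
)

# Values from the tutorial's step 4, then a /24 ip-range variant (constructed).
check_macvlan 192.168.1.0/24 192.168.1.1 192.168.1.198/32
check_macvlan 192.168.1.0/24 192.168.1.1 192.168.1.198/24 || true
```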

Firewall Setup

Not everyone will be using Synology’s Firewall, but if you are, you need to open ports 3000, 80, and 53. 3000 is used for the initial setup process, 80 is used after the setup process is complete, and 53 is used for DNS querying. NOTE: after the setup process is complete, you can close port 3000 if you’d like.

5. Next, we need to create a bridge network (this tutorial names it ag_bridge). This is what will allow our host (NAS) to communicate with our AdGuard Home container. Open Docker and navigate to the Network section. Select Add and enter a subnet that’s not currently in use. The IP address of the bridge I am creating will be 192.168.10.2.

6. Open Docker, navigate to the Registry and search for AdGuard. Double click adguard/adguardhome image to download it. Select latest when the popup appears.

7. Double-click the AdGuard image to create a new instance.

8. Give the container a name and select Advanced Settings.

9. We now need to configure the Advanced Settings.

  • Check off Enable auto-restart.
  • In the Volume section, we need to map the folders we created to the container’s internal AdGuard Home locations. Select Add Folder, add the conf folder, and type the mount path as /opt/adguardhome/conf. Do the same for the data folder with the mount path as /opt/adguardhome/work/data.
  • In the network section, add the ag_network and ag_bridge networks that we created earlier. Remove the default bridge network.

The rest of the settings can stay as default. Select Next and then Apply to create the container.

10. You should now be able to access AdGuard Home using this web address:

http://[IP_ADDRESS]:3000

11. Select Get Started to start the configuration process.

12. Specify the macvlan connection to be default for the admin interface and DNS server.

13. Specify a username and password.

14. The next screen will show you how to configure different devices. In the next section, I will go over my preferred approach which is setting AdGuard Home to be my router’s DNS server. If you aren’t interested in doing that, this is a great section to learn how to set up the DNS server on your local device.

15. Select Next and then Open Dashboard. Sign in when prompted.

16. AdGuard Home is now set up and installed. Please note that you will no longer use port 3000 when navigating to the web portal. After the setup process is complete, you will be able to access the management portal using the macvlan IP address only (as it uses port 80).

http://[IP_ADDRESS]

Synology NAS AdGuard Home Settings

I’m not going to go into specifics as far as settings go because they’re mostly personal preference, but here are a few things you might want to check right after installation:

  • Settings – DNS Settings: These are your upstream DNS servers. By default, the upstream DNS server will be listed as Quad9, which is encrypted DNS-over-HTTPS. If you don’t configure a certificate, you will not get the benefits of DNS-over-HTTPS.
  • Settings – Encryption Settings: This is where you will configure your certificate if you’d like to enable DNS-over-HTTPS. The AdGuard team has a pretty good tutorial here that will show you how to configure it if you’re interested.
  • Settings – General Settings: The majority of settings are somewhat self-explanatory on this page but this is where you can configure logging and query retention.
  • Filters – DNS Blocklists: This is where you can add new blocklists (if you’d like to add any).
  • Filters – Blocked Service: Quickly block an entire service.
  • Filters – DNS Allowlists: Define domains that should not be blocked.

There are plenty of options that you can play around with but these are some of the most important ones right after installation.

DNS Configuration – Synology NAS AdGuard Home

Now that the setup of AdGuard Home is complete, we need to determine a way to point our clients to our DNS server. There are two main ways to do this:

  • Point your router’s DNS server to your AdGuard Home server IP address. This will ensure that any device connected will use AdGuard Home as its DNS server.
  • Point each client to your DNS server. This is beneficial if you only want certain clients to use AdGuard Home as a DNS server.

I point my router’s DNS servers to my AdGuard Home server as I want to ensure every device connects to it.

NOTE: The 192.168.1.197 IP address below is the IP address of my Raspberry Pi, as I am using two DNS servers for redundancy. If you are only using your Synology NAS, you will only add 192.168.1.198 here.

Conclusion

I’ve been using AdGuard Home for a few weeks and I’m pretty impressed with it. It’s impossible to not talk about Pi-hole when discussing AdGuard Home, so it’s important to do some research and pick the best option for you. I think that ultimately, you can’t go wrong with either and you’ll be happy one way or the other!

Thanks for reading the tutorial. If you have any questions, please leave them in the comments!

This Post Has 86 Comments

  1. John Williams

    Great article! I set it up on two Synology boxes for primary and secondary.

    One question – why do you check off auto-restart? Wouldn’t you want it to restart if it dies?

    1. WunderTech

      Thank you! The auto-restart checkbox will just ensure that the container starts when the NAS is rebooted.

  2. Olli

    Is there any chance to activate IPv6? For me it looks like my system is going to take the IPv6 DNS of my Fritz!Box. And somehow I don’t want to deactivate IPv6 support.

    1. WunderTech

      AdGuard Home does support IPv6. I don’t personally use it so I can’t give any personal recommendations, but if you google “AdGuard Home IPv6”, there are a ton of different explanations on it. Sorry for the lack of help, I just don’t have experience with it.

  3. Sam Lowry

    AdGuard Home is still working great. Questions: Does it automatically update? If not, what do you recommend as the best (easiest) way? How to determine what version I’m on? Thanks!

  4. A Bloke

    Firewall rule should allow UDP 53. It didn’t work until I did this.

    1. WunderTech

      Great input, thank you for sharing!

  5. JA NYC

    Thanks so much for this!

    It’s finally up and running and works amazingly well even with minimal tweaking. I love how you can serve so many different flavors of DNS to different devices. Combined with Brave ad/tracker blocking it’s lightning fast and the ad whitespaces disappear completely. Web pages load almost instantaneously now!

    I had an issue trying to make 192.168.1.198 the primary custom DNS server on the TP-link router modem/internet configuration page (it showed a popup message that it wouldn’t allow a DNS server with the same subnet).

    I tried using the 192.168.10.2 bridge server (which it accepted) but it wasn’t pingable except by the NAS. So I tried the static routing trick from your VPN tutorial (In this case I set destination as 192.168.10.0, mask 255.255.255.0 and used the IP address of my NAS as the gateway). This made 192.168.19.2 pingable by all devices and the router didn’t squawk when I entered it in as primary custom DNS.

    Only it didn’t work. No DNS connectivity for clients even though the AdGuard log showed the router itself was actively sending and receiving some DNS queries.

    I finally noticed that the router DHCP server tab (which I’ve rarely used since I usually configure IPs manually from the client side) also had an option to add custom DNS servers and even accepted servers on the same subnet without squawking!

    So I made a table of all the network device MAC addresses and existing associated IPs (10 in total) and copypasted the data into the DHCP address reservation area (which I hadn’t used before). When I finally activated the entries in the reservation table after switching all the client adapters to DHCP the problem was solved with no issues even though the IP addresses were not in the specified DHCP auto-assignment range!

    I thought I would share this fix if anybody else had similar issues.

    DNS blocking is definitely one of the cooler things you can do with a NAS. I just ordered a raspberry pi for a backup server.

    So far your excellent tutorials have got me up and running with Plex/Docker, OpenVPN server and now Adguard/Docker.

    Thanks again, I really appreciate it!

    1. WunderTech

      Really great info, thank you very much for sharing!

  6. JA NYC

    “192.168.19.2” above should read “192.168.10.2” (before someone thinks “No wonder it didn’t work!” 😉

  7. Henry

    I tried multiple times inputting your command in Putty. And I keep getting this message

    $ sudo docker network create -d macvlan -o parent=eth0 --subnet=192.168.0.0/24 --gateway=192.168.0.1 --ip-range=192.168.0.198/32 ag_network
    Error response from daemon: plugin not found

    1. WunderTech

      That’s a strange error to get – what NAS device are you using?

      1. Henry

        I’m experimenting on a custom build PC running Xpenology. Emulating DSM 6.0.2 ds3615xs.

        1. WunderTech

          How do you have Xpenology installed? That’s almost certainly the issue – are you positive the NIC in the device you’re using supports macvlan network interfaces?

  8. Henry

    So I put this code in through SSH. And get a no plugin found error.

    sudo docker network create -d macvlan -o parent=eth0 --subnet=192.168.0.0/24 --gateway=192.168.0.1 --ip-range=192.168.0.198/32 ag_network
    Error response from daemon: No plug in found.

  9. Ryan

    WunderTech, Thank you for doing this, very useful information and it is appreciated! I’m having a small issue. Everything works, however when I use the following command: sudo docker network create -d macvlan -o parent=bond0 --subnet=10.1.3.0/24 --gateway=10.1.3.1 --ip-range=10.1.3.55/24 ag_network AdGuard is always still found at 10.1.3.2, never the .55?

    My ag_bridge
    10.1.12.0/24
    10.1.12.2/32
    10.1.12.1

    Thank you,
    Ryan

    1. WunderTech

      Are you using /24 for any reason in specific? That will give a range as opposed to a single IP address. If you change that to /32, it should work properly.

  10. OP

    Hi WunderTech, I might have overlooked something, maybe you have an idea.
    Setup went fine. I adjusted your settings to my network setup (using bond0 as network adapter). After all AdGuard comes up with only infos in protocol. It also shows 3 addresses with port 3000 where I should be able to reach setup… except I can’t. Firewall was opened as suggested. What did I miss?

    1. WunderTech

      I haven’t tried to create it with a bond network, but do you have a single IP address for that bond network? Are you receiving any errors in Docker?

Comments are closed.