ADGH discussion

Hi forum!

I have X3000 which comes with Adguard home.

So…

How secure is it to use something like that? What risks do I have (or not have)?

What can it block? Can it filter DNS without external DNS?

Can it use my VPN’s DNS?

Can it block IP?

Do you recommend using it?

All you get is benefits: it blocks ads, tracking and a bunch of nonsense telemetry information, so it increases privacy. It also has DNS over HTTPS (encrypted DNS) and DoT, which is nice. You can block services on any device, use custom DNS for each device and a lot of other things, so yes, I recommend it.

Hi,

no need for a real discussion because it's pretty straightforward :smile:
(Check What does AdGuard Home do? )

More secure than not using it.
Risk: If you configure it wrong, it will break VPN policies.

Only DNS can be blocked. So it won't block YouTube ads or other embedded stuff in websites if they are not served from their own domain. External DNS is always used, that's how DNS works.

Yes, if you choose the same DNS server as your VPN.

No.

Totally.


@admon thanks for fast response!

What is “AdGuard Home Handle Client Requests”

Does it encrypt traffic between me and router (DNS)?

Admin panel of ADGH uses HTTP, it is bad. Is there any way to force it to use HTTPS?

No, and it's nearly impossible to set up DoH in your private network since it requires TLS certificates, which are not easy to handle. ADGH - embedded into GL.iNet - works a bit differently, so I would simply accept that it's only plain DNS between you and your router.

Same reason and same answer: Not out of the box and not without changing a lot inside the GL config files.

It will make it possible for AdGuard Home to talk to each device directly which will enable you to block & log sites for specific devices. But it will break VPN policies based on DNS.
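The reply above says the link between a LAN client and the router is plain DNS. As an added illustration (not code from this thread or from AdGuard Home), the snippet below decodes a constructed DNS query in wire format to show that the queried hostname and record type are readable by anyone who can see the packet; this is the privacy exposure that DoT/DoH on the WAN side removes only for the router-to-upstream leg.

```python
import struct

# Constructed sample: a standard query for "example.com" type A, class IN,
# as it travels in cleartext over UDP/53 between a LAN client and the router.
# Built by hand for this example; it is not a real capture.
SAMPLE_QUERY = (
    b"\x1a\x2b"                  # transaction ID
    b"\x01\x00"                  # flags: standard query, recursion desired
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"    # QNAME as length-prefixed labels
    b"\x00\x01"                  # QTYPE = A
    b"\x00\x01"                  # QCLASS = IN
)


def parse_dns_query(packet: bytes) -> dict:
    """Decode the header and question section of a plain (unencrypted) DNS query."""
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "name": ".".join(labels), "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    # The name is recoverable directly from the bytes on the wire.
    print(parse_dns_query(SAMPLE_QUERY))
```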

So it is vulnerable to interception attacks?

I have a self-signed CA for my project. Can I use the same one in this case?

But GL admin panel can be opened via HTTPS!

In VPN or just config?

If someone inside (!) your LAN attacks your DNS stream - yep. But in that case, you have totally different problems...

The self-signed CA isn't the problem. The problem is that port 443/TCP is already in use by the GL GUI. You need to change the port beforehand (or the port for AGH), which will cause trouble while getting support for your device and updates.

AGH is 3rd party and runs using its own server, that's why HTTPS for the GL GUI won't help here.

"VPN policy breaks" means that you can't use DNS-based VPN policies. So no more exclusions based on DNS.

Like intercepting HTTP? I blocked :80 on each device (client); nothing happened.

Correct me if I'm wrong, but an attacker does not have to be inside to do anything with unencrypted traffic. Everything unencrypted is just plain text…

Well, you are wrong.

See:


@admon but on your scheme (good one, how do you create one?) it speaks in encrypted format only on the WAN. In the LAN, everyone who is just near my router can do whatever they want with unencrypted traffic, right?

Yes but no.

Intercepting traffic isn't that easy. Of course, it is possible, but there will be other security methods in place which will try to fix this. For example, TLS will check whether the domain name is the right one; you can't just forward someone to another server with the same domain.

So for a home network (where people trust each other, mostly) it's fine.

But what if I don’t trust my neighbour? He can just come close enough to be able to see my network and intercept?

If he can't connect to your Wi-Fi, you will be safe, as long as you use at least WPA2.

But he can just listen to packets. No?

No. Wi-Fi is encrypted.