Flint 2: Is SSL for AdGuard needed?

Hello!
Adguard in flint2 router. If anyone understands…

  1. Do I need to configure an SSL certificate in the adguard interface and have a static IP address from the rights provider? Or does ssl adguard use the settings of the flint 2 router itself and do without uploading the ssl certificate to the adguard panel?
  2. Is it possible to use flint2 adguard+vpn in a router?
  3. If an ssl certificate is still needed for adguard in the router, will you have to update it yourself and control the validity period (Let's Encrypt)?

thanks

Hi, :wave:

you can just ignore the SSL setting there - it does not make sense to take care of it.
VPN and AdGuard is fine, yes.

Hello!
I would be grateful if you could tell me which settings I need to change for the best performance and maximum efficiency.
I will be very grateful to you for your detailed answers and discussions.

Do on-premises clients need to be encrypted?

Is it normal that 127.0.0.1 is displayed?

Which clients do I need to enter in Persistent clients?

No encryption needed, default settings are totally fine. You don’t need to touch anything besides the upstream DNS servers.

127.0.0.1 is by design.

When you turn on adguard home there is an option to use adguard for all client devices. Pls turn that on.

:warning: Only turn this on, if you don’t need VPN Policies :warning:
While this is turned on, VPN Policies (besides “All”) will stop working.

Thank you for taking the time to answer, but I want to make it clear in the clear and maximum solution of the settings both for myself and maybe it will help other users

Thanks for the answers. A little confused. As far as I understand, the best solution for adguard settings for maximum efficiency and security of router clients is:

Adguard settings

  1. Settings->General settings->Logs configuration->enable log OFF
  2. Settings->DNS settings->Upstream DNS servers
    https://dns.adguard-dns.com/dns-query
    tls://dns.adguard-dns.com
    quic://dns.adguard-dns.com
    sdns://AQMAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20
    or other DNS
  3. Settings->Client settings->Persistent clients
    It’s empty and you don’t need to enter anything here
  4. Filters->DNS blocklists and Select lists for filters
    Everything else is left untouched.

Admin Panel GL.iNet flint2

  1. Applications->Adguard Home->Enable AdGuard Home ON
    AdGuard Home Handle Client Requests OFF
  2. Network->DNS->Override DNS Settings for All Clients ON

Are these the best settings in security? Did I understand you correctly?

Best setting always depends on your needs and your understanding.

Here is a link to the AdGuard Home wiki. Make sure to read it to understand what options are required for your needs and if they are “secure” or not:

Nobody can tell you if your settings are “best” in terms of security because no one knows about your idea of security in general.

You can always choose the best from any option, that’s why I’m asking. Maybe who knows, aaa?:slight_smile:

You can use the upstream as @admon advised for a public DNS server. If you want specific control of the AdGuard DNS server, then create a new account on the website and put the upstream in your AdGuard Home and the private DNS on your mobile :wink:. Remember the limited queries per month for free users; it should be enough for you. Paid user from Adguard vpn for extra queries.

SSL in your AdGuard Home is not recommended; you can use local. This is about making your own SSL DNS resolver. Your ISP will send a warning letter or email about a dangerous thing to do if you open a port forward.

Do you mean to leave the “Certificates” page in adguard home blank and not fill in anything here? And just fill in Upstream DNS servers with Adguard personal DNS from your personal account? Will my ISP or someone else be able to come in and see my requests? Will it be encrypted? Thank you for taking the time to answer my questions.

I bought the paid version of Adguard. There I created separate devices for DNS control.

Exactly.

Yep.

Not on the internet, no. But on your local network, yes. But this is mostly not a real issue.

If the upstream server supports it, yes. So if you copied the URI of the DNS server (like https://xxxxxx) it will be encrypted.
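An added example, not part of the thread and not AdGuard Home's own code: a check of which upstream entries actually encrypt queries between the router and the resolver, including decoding the protocol byte of an `sdns://` DNS stamp. The names `classify` and `unencrypted` are hypothetical, and the plaintext entry `192.0.2.53` is constructed.

```python
import base64
import binascii
# Upstream URI schemes AdGuard Home accepts -> (protocol, encrypted in transit?)
SCHEMES = {
    "https": ("DNS-over-HTTPS", True),
    "h3": ("DNS-over-HTTPS", True),
    "tls": ("DNS-over-TLS", True),
    "quic": ("DNS-over-QUIC", True),
    "udp": ("plain DNS", False),
    "tcp": ("plain DNS", False),
}
# An sdns:// value is a base64url "DNS stamp"; its first byte names the protocol.
STAMP_TYPES = {
    0x00: ("plain DNS", False),
    0x01: ("DNSCrypt", True),
    0x02: ("DNS-over-HTTPS", True),
    0x03: ("DNS-over-TLS", True),
    0x04: ("DNS-over-QUIC", True),
}

def classify(entry):
    """Return (protocol, encrypted) for one upstream line, None for blanks/comments."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if entry.startswith("[/"):  # per-domain rule: [/example.lan/]upstream
        entry = entry.partition("]")[2].strip()
    if "://" not in entry:  # bare IP or hostname: classic DNS, cleartext
        return ("plain DNS", False)
    scheme, rest = entry.split("://", 1)
    if scheme.lower() != "sdns":
        return SCHEMES.get(scheme.lower(), ("unknown scheme", False))
    try:
        raw = base64.urlsafe_b64decode(rest + "=" * (-len(rest) % 4))
        return STAMP_TYPES.get(raw[0], ("unknown stamp type", False))
    except (binascii.Error, ValueError, IndexError):
        return ("invalid DNS stamp", False)

def unencrypted(upstreams):
    """Entries whose queries would leave the router in cleartext (or can't be judged)."""
    return [u for u in upstreams if (c := classify(u)) and not c[1]]
# The four upstreams from the post plus one constructed plaintext entry (192.0.2.53).
SAMPLE = [
    "https://dns.adguard-dns.com/dns-query",
    "tls://dns.adguard-dns.com",
    "quic://dns.adguard-dns.com",
    "sdns://AQMAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20",
    "192.0.2.53",
]
```

Running `unencrypted(SAMPLE)` flags only the bare-IP entry; the scheme says nothing about whether clients on the LAN reach the router over an encrypted channel.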

Now you have really helped me. That’s what I’ll do. My network is: MT-2500 +Adguard—>Tp-link Omada —> flint 2 VPN + Adguard. I mixed so many things)))

Not sure if this is a useful configuration - but this is another topic.

Yes, another topic.

This is your main local DNS server (Adguard Home), right?

That second area for LAN and second local DNS server (Adguard Home) plus VPN.
Overall, you have two LAN area ranges?