Flint 2: Is SSL for AdGuard needed?

Mary · 2024-02-02T10:51:17.207Z

Hello!
Adguard in flint2 router. If anyone understands…

Do I need to configure an SSL certificate in the adguard interface and have a static IP address from the rights provider? Or does ssl adguard use the settings of the flint 2 router itself and do without uploading the ssl certificate to the adguard panel?
Is it possible to use flint2 adguard+vpn in a router?
If an ssl certificate is still needed for adguard in the router, will you have to update it yourself and control the validity period (letsencrtpt)?

thanks

admon · 2024-02-02T10:51:38.938Z

Hi,

you can just ignore the SSL setting there - it does not make sense to take care of it.
VPN and AdGuard is fine, yes.

Mary · 2024-02-08T22:43:00.847Z

Hello!
I would be grateful if you could tell me which settings I need to change for the best performance and maximum efficiency.
I will be very grateful to you for your detailed answers and discussions.

Do on-premises clients need to be encrypted?

Снимок экрана 2024-02-08 2322082109×1190 132 KB

Mary · 2024-02-08T22:43:35.855Z

Is it normal that 127.0.0.1 is displayed?

Снимок экрана 2024-02-08 2337121102×686 50.8 KB

Mary · 2024-02-08T22:44:26.543Z

Which clients do I need to enter in Persistent clients?

Снимок экрана 2024-02-08 2325081264×1057 38.1 KB

admon · 2024-02-09T06:28:07.317Z

No encryption needed, default settings are totally fine. You don’t need to touch anything besides the upstream DNS servers.

127.0.0.1 is by design.

alzhao · 2024-02-09T07:55:03.168Z

When you turn on adguard home there is an option to use adguard for all client devices. Pls turn that on.

admon · 2024-02-09T08:00:14.576Z

Only turn this on, if you don’t need VPN Policies
While this is turned on, VPN Policies (besides “All”) will stop working.

Mary · 2024-02-09T10:38:38.930Z

Thank you for taking the time to answer, but I want to make it clear in the clear and maximum solution of the settings both for myself and maybe it will help other users

Thanks for the answers. A little confused. As far as I understand, the best solution for adguard settings for maximum efficiency and security of router clients is:

Adguard settings

Settings->General settings->Logs configuration->enable log OFF
Settings->DNS settings->Upstream DNS servers
https://dns.adguard-dns.com/dns-query
tls://dns.adguard-dns.com
quic://dns.adguard-dns.com
sdns://AQMAAAAAAAAAETk0LjE0MC4xNC4xNDo1NDQzINErR_JS3PLCu_iZEIbq95zkSV2LFsigxDIuUso_OQhzIjIuZG5zY3J5cHQuZGVmYXVsdC5uczEuYWRndWFyZC5jb20
or other DNS
Settings->Client settings->Persistent clients
It’s empty and you don’t need to enter anything here
Filters->DNS blocklists and Select lists for filters
Everything else is left untouched.

Admin Panel Gl.Inet flint2

Aplications->Adguard Home->Enable AdGuard Home ON
AdGuard Home Handle Client Requests OFF
Network->DNS->Override DNS Settings for All Clients ON

Are these the best settings in security? Did I understand you correctly?

admon · 2024-02-09T11:15:19.148Z

Mary:

Are these the best settings in security?

Best setting always depends on your needs and your understanding.

Here is a link to the AdGuard Home wiki. Make sure to read it to understand what options are required for your needs and if they are “secure” or not:

GitHub

Home

Network-wide ads & trackers blocking DNS server. Contribute to AdguardTeam/AdGuardHome development by creating an account on GitHub.

Nobody can tell you if your settings are “best” spoken of security because no one knows about your idea of security in general.

Mary · 2024-02-09T11:58:10.161Z

You can always choose the best from any option, that’s why I’m asking. Maybe who knows, aaa?

slesar · 2024-02-10T12:28:43.858Z

You can use upstream as @admon advised for public dns server. If you want specific control Adguard dns server then create new account in website and put upstream in your AdGuard Home and private dns on your mobile . Remember limited queries per month for free user, should be enough for you. Paid user from Adguard vpn for extra queries.

About ssl in your AdGuard Home is not recomend, you can use local. This about make your ssl dns resolver. Your isp will be warning letter or email for dangerous thing to do if you open port forward.

Mary · 2024-02-10T20:29:33.132Z

slesar:

About ssl in your AdGuard Home is not recomend, you can use local. This about make your ssl dns resolver. Your isp will be warning letter or email for dangerous thing to do if you open port forward.

Do you mean to leave the “Certificates” page in adguard home blank and not fill in anything here? And just fill in Upstream DNS servers with Adguard personal DNS from your personal account? Will my ISP or someone else be able to come in and see my requests? Will it be encrypted? Thank you for taking the time to answer my questions.

I bought the paid version of Adguard. There I created separate devices for DNS control.

admon · 2024-02-10T20:32:02.017Z

Mary:

Do you mean to leave the “Certificates” page in adguard home blank and not fill in anything here?

Exactly.

Mary:

And just fill in Upstream DNS servers with Adguard personal DNS from your personal account?

Yep.

Mary:

Will my ISP or someone else be able to come in and see my requests?

Not on the internet, no. But on your local network, yes. But this is mostly not a real issue.

Mary:

Will it be encrypted?

If the upstream server supports it, yes. So if you copied the URI of the DNS server (like https://xxxxxx) it will be encrypted.

Mary · 2024-02-10T20:36:59.877Z

Now you have really helped me. That’s what I’ll do. My network is: MT-2500 +Adguard—>Tp-link Omada —> flint 2 VPN + Adguard. I mixed so many things)))

admon · 2024-02-10T20:50:27.966Z

Mary:

MT-2500 +Adguard—>Tp-link Omada —> flint 2 VPN + Adguard. I mixed so many things)))

Not sure if this is a useful configuration - but this is another topic.

slesar · 2024-02-11T18:29:02.317Z

Yes, another topic.

Mary:

MT-2500 +Adguard

This is your main local DNS server (Adguard Home), right?

Mary:

flint 2 VPN + Adguard.

That second area for LAN and second local DNS server (Adguard Home) plus VPN.
Overall, you have two LAN area ranges?