How does AdGuard work?

Hi, I wanted to ask if AdGuard works by checking IPs of incoming requests against a list held by the router so it's all done client side, or does it forward traffic through some external list held elsewhere? Also, does this checking reduce speeds of encryption and decryption for a VPN if in use? Thanks

AdGuardHome uses DNS blocking and assumes the role of the local DNS server to query your webpage/site requests against DNS blocklists.

If you ask for http://google.com, AGH will see if the domain is on a blocklist and (for example) return 0.0.0.0 for the IP address instead of the actual IP address needed to load the page if it is blocked.

BanIP and luci-app-banip block IP addresses using IPSet blocklists and are available only on OpenWrt 19.x and 21.x (no fw4 support at this time). It blocks IP addresses traversing the router using iptables, so every connection in and out.

I use BanIP to block malicious IPs using Firehol and other IP blacklists and use AGH mainly for its ad-blocking DNS blacklists, but there is a little overlap when using both, with very good blocklists available for each.


The blocklists in AdGuardHome contain lists of domains to block. If a DNS request is on any of the blocklists, then it stops domain name resolution. If a DNS request is not on any of the blocklists, then the request is forwarded to the DNS servers that you have set up for domain name resolution.

I do not work for and I do not have formal association with GL.iNet

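The lookup described in the replies above, as an added example that is not part of the original posts and is not AdGuard Home's own code: a query name is checked against parsed blocklist rules and either answered with 0.0.0.0 or passed to the upstream resolver. The sample list, the upstream answers and the helper names are constructed for illustration, and the rule handling is simplified to hosts-style lines (exact name) and Adblock-style `||domain^` / `@@||domain^` rules (domain plus subdomains).

```python
# Constructed sample list mixing hosts-style lines and Adblock-style rules.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real blocklist
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net   # hosts-style: exact name only
||doubleclick.example^
! Adblock-style comment
@@||good.doubleclick.example^
"""

# Constructed upstream answers (documentation address ranges).
FAKE_UPSTREAM = {"example.org": "192.0.2.10",
                 "good.doubleclick.example": "198.51.100.7"}


def fake_upstream(name):
    """Stand-in for the configured upstream DNS server (hypothetical helper)."""
    return FAKE_UPSTREAM.get(name, "203.0.113.1")


def parse_blocklist(text):
    """Return (exact, suffix, allow) sets of lower-cased domain names."""
    exact, suffix, allow = set(), set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("@@||") and line.endswith("^"):
            allow.add(line[4:-1].lower())          # allowlist rule wins
        elif line.startswith("||") and line.endswith("^"):
            suffix.add(line[2:-1].lower())         # domain and its subdomains
        elif len(line.split()) >= 2:               # "<ip> <host> [<host> ...]"
            exact.update(h.lower() for h in line.split()[1:])
    return exact, suffix, allow


def resolve(qname, rules, upstream=fake_upstream):
    """Answer one query: 0.0.0.0 if blocked, otherwise the upstream's answer."""
    exact, suffix, allow = rules
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # The name itself plus every parent domain: a.b.c -> {a.b.c, b.c, c}
    parents = {".".join(labels[i:]) for i in range(len(labels))}
    if not (parents & allow) and (name in exact or parents & suffix):
        return ("blocked", "0.0.0.0")
    return ("forwarded", upstream(name))


RULES = parse_blocklist(SAMPLE_BLOCKLIST)
```

Only the name being looked up is inspected here; the traffic that follows a forwarded answer never passes through this check.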

The VPN I use also covers DNS traffic and encrypts it. Would AdGuard still work with VPN enabled? It all sounds a bit overly complicated for my derp level.

Yes. AdGuard should still be resolving your client DNS and also should be configured with encrypted DNS services for the upstream servers using DNS over TLS, DNS over HTTPS, etc.

You can also go into LuCI > Network > Interfaces and change your WAN and tun0 (VPN) interfaces to use your AGH DNS instead of your ISP's or VPN service's DNS: under Edit > Advanced Settings, uncheck “Use DNS servers advertised by peer” and populate your DNS IP under custom servers.

And you can look at the LuCI status page to see if VPN and/or AGH is causing high loads or using too much memory if you are concerned about resources.

Depending on your model router (storage, memory and CPU resources), you can install luci-app-statistics and collectd mods to monitor resources. My AGH and VPN usually run at a leisurely pace (using the processes collectd mod to monitor).


VPN policies do not work with AdGuardHome. VPN without policies should work.

I’ve read several topics on VPN policies but do not use them. Having a spare AR150/router for legacy wifi (WPA3 network and WPA/WPA2 network) and/or dedicated VPN portals sounds like an easy workaround though if AGH is needed. I had actually read about someone configuring an RPI-W on the USB to run AGH while keeping the router config clean as well.

That sounds a bit overly complicated for me personally and I trust my VPN provider with handling DNS and encrypting it better than AGH. I don’t know, but doesn’t TLS with DNS send all your DNS data to Cloudflare?
I’ve also no idea how to access LuCI; I just use the GL.iNet interface.

If you find the time to explore, AGH lists their servers under Menu > Settings > DNS settings > Upstream Servers, providing an easy setup to get you started.

Examples:

tls://unfiltered.adguard-dns.com: encrypted DNS-over-TLS;

https://unfiltered.adguard-dns.com/dns-query: encrypted DNS-over-HTTPS;

h3://unfiltered.adguard-dns.com/dns-query: encrypted DNS-over-HTTPS with forced HTTP/3 and no fallback to HTTP/2 or below;

quic://unfiltered.adguard-dns.com: encrypted DNS-over-QUIC;

Just using those in your upstream servers encrypts your DNS. AGH makes it that easy. You can find dozens of other DNS providers to use with a little more searching. Just copy-and-paste and you’re done (using the correct prefix tls://, h3://, etc.).

I currently only own a MangoV2 which doesn’t have AdGuard. Would AdGuard provide any better protection than what you would get with an adblocker or browser with ads disabled (like Brave)? It might be useful to get past advertisement rolls embedded in the biggest on demand/catch up services, but I wouldn’t be surprised if it breaks things, meaning you’re stuck waiting to pass an ad which can’t even load.

AGH likes memory, so getting a GL approved router will probably net you better results. I’m not familiar with the Mango, but my Spitz and Opal run very light configs well enough for travel router use over cellular (and I don’t see ads on my laptops, tablets or phones without having to duplicate adblock settings on each).

If you have an $89 budget for a router, the latest preorder offering from GL.iNet includes AGH, with 512 MB of memory giving you a much better user experience.

That doesn’t really answer the question.
What does AGH do that an adblocker or anti-ad browser couldn’t?
The Mango is GL approved as they manufacture it.

I do not have to duplicate settings on each device for ad-blocking services. I use several laptops, tablets and phones and get a consistent experience with each.