This experience is completely expected with the solution I posted earlier. My solution aims to use the VPN DNS when the VPN is active and AdGuard Home DNS when VPN is not active. This places information security, control, privacy, and relative ease of configuration as the items to ensure and optimize above all else (including ad blocking). So, "AGH is not working anymore" and "the AGH query log doesn't show entries" is completely expected when connected to a VPN client and using my solution, because the AdGuard Home DNS functionality is completely out of the loop when connected to a VPN client in my earlier solution. I thought this was apparent in my post, particularly via my description of the port forwarding rules being processed in order and my swap of the order, but I apologize if that wasn't clear enough.
If this is how you favor doing it, that is totally fine! But realize you lose a lot of additional functionality within AdGuard Home if you do it this way. See my reply to teleney for details (e.g., you cannot control things by individual clients or by CIDR and you cannot see client-specific logs; I've included a snippet of my reply to @teleney below). But as with most things in life and as alluded to above, it's about tradeoffs and what value functions you're trying to optimize.
My original post is specifically centered on when users are using AdGuard Home to handle client requests directly. So, what seems to be your desired use doesn't apply to what I'm raising with GL.iNet and sharing with others who want to use AdGuard Home to handle client requests directly. That's not to say you can't still raise your use case in this thread, just trying to draw a clear distinction / point out the differences to avoid any confusion. On that note, in your reply to teleney, you state:
If you want to: (1) maintain AdGuard Home filtering (2) while using a VPN client and (3) while being able to tap into that additional functionality of AdGuard Home I mention above where AdGuard Home handles client requests directly, you would tweak my solution a bit:
1. Leave the port forwarding rules (in Network > Firewall > Port Forwards) alone / leave them as set by GL.iNet in their default setup. No changes in LuCi!
2. Toggle on AdGuard Home to handle client requests directly.
3. Use the upstream server specification within AdGuard Home to specify the DNS of your VPN provider. Note you can do this in more than one way, depending on what you're trying to accomplish. For global, always-on VPN, go to 4. For client-specific VPN (whether one client, a few, or anything coming from within a specified CIDR or multiple CIDRs), go to 5.
4. Global, always-on VPN: If you're planning to route all traffic through your VPN provider and leave it on all the time, then:
   - Enter your VPN's DNS in Settings > DNS Settings > Upstream DNS Servers.
   - Leave Settings > DNS Settings > Fallback DNS servers blank.
5. Client-specific VPN (whether one client, a few, or anything coming from within a specified CIDR or multiple CIDRs): If you're planning on routing traffic from 1 or more clients through your VPN, then:
   - Configure whatever you want to configure for upstream DNS servers globally in Settings > DNS Settings > Upstream DNS Servers (e.g., Google, Quad9, Cloudflare, etc.). These will be active when not connected to your VPN.
   - Configure a "Persistent client" record via Settings > Client Settings and clicking the Add Client button.
     - Enter a name for the client or client group in the box prompting for such.
     - Enter an appropriate identifier (e.g., the relevant IP address(es) of the client(s), or the CIDR(s) if defining a range or ranges).
     - Click the Save button (which will save the settings and close the window).
     - (The above is really just to facilitate the next step while still using the globally-defined rules when not connected to the VPN. If you'd rather wait to do this until the time of connecting to the VPN, you don't strictly have to do this ahead of time.)
   - When you want to connect that client/those clients to the VPN, edit that "Persistent client" record created in the previous step (or create a new one following the directions in the previous step if you didn't create one ahead of time).
   - Now, instead of using the globally-defined upstream DNS servers, you'll edit the upstream DNS server to point to the VPN's DNS.
   - Note you may need to tweak the IP address specification if the IP address(es) for the client(s) in question changed for some reason between the original creation of the "Persistent client" record and when you edit it to connect to the VPN.
   - When you're done with the VPN connection, delete the VPN DNS specified as the upstream DNS server in the "Persistent client" record. This will result in the client(s) specified by that record starting to use the globally-defined DNS servers again.
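The edit/revert cycle in step 5 (pin a "Persistent client" to the VPN's DNS, later clear it so the client falls back to the global upstreams) can be scripted instead of clicked through. The following is an added example, not code from the post, from AdGuard Home or from GL.iNet; it assumes the AdGuard Home control API endpoints `GET /control/clients` and `POST /control/clients/update` with HTTP basic auth, and all addresses (`192.168.8.1:3000`, `10.8.0.1`, the sample client records) are constructed placeholders.

```python
"""Pin or unpin the upstream DNS of an AdGuard Home "Persistent client"
(the step-5 toggle), via the AdGuard Home control API."""
import base64
import json
import urllib.request

# Constructed sample, shaped like the "clients" list returned by GET /control/clients.
SAMPLE_CLIENTS = [
    {"name": "laptop", "ids": ["192.168.8.100"], "use_global_settings": True,
     "upstreams": [], "filtering_enabled": True},
    {"name": "iot-range", "ids": ["192.168.9.0/24"], "use_global_settings": True,
     "upstreams": [], "filtering_enabled": True},
]


def build_update_payload(clients, name, vpn_dns=None, new_ids=None):
    """Build the JSON body for POST /control/clients/update.

    vpn_dns: VPN DNS server(s) to pin this client to, or None/[] to clear the
             override so the client uses the globally-defined upstreams again.
    new_ids: replacement IP/CIDR identifiers, for the case in the post where a
             client's address changed after the record was created.
    """
    match = [c for c in clients if c.get("name") == name]
    if not match:
        raise KeyError(f"no persistent client named {name!r}")
    client = dict(match[0])                 # copy; never mutate the fetched list
    client["upstreams"] = list(vpn_dns or [])  # [] == fall back to global upstreams
    if new_ids:
        client["ids"] = list(new_ids)
    # The update endpoint takes the current name plus the full replacement record.
    return {"name": name, "data": client}


def post_json(agh_url, path, body, user, password):
    """Send one JSON POST to the AdGuard Home API with HTTP basic auth."""
    req = urllib.request.Request(agh_url + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder router address and VPN DNS; replace with your own values.
    payload = build_update_payload(SAMPLE_CLIENTS, "iot-range", ["10.8.0.1"])
    print(json.dumps(payload, indent=2))
    # post_json("http://192.168.8.1:3000", "/control/clients/update", payload, "admin", "pw")
```

Running it with `vpn_dns=None` produces the "done with the VPN" revert from the last bullet, leaving `upstreams` empty so the global Upstream DNS Servers apply again.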
I hope this helps!