@Rainmaker I've been a Pi-hole user for years now, but fancied a change, based on your praise of AGH. So I have installed it, but need to ask you for a bit of help with the config, if I may?
I have it installed on my Pi and working fine, using the oisd.nl blocklist as recommended. However, what I'm failing with is the encryption config. I've tried following this guide https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption but am getting a certificate invalid error. I've registered a domain name, and have used CertBot to get an SSL certificate. I've then configured AGH using the given settings. However, I get this certificate invalid error. I'm wondering whether this is because I'm trying to access https://192.168.1.100 and the certificate has been issued to my domain? I don't really understand the guide to be honest :/
As the others said, you need to connect to your domain for the TLS cert to work. To be able to secure connections to an IP address (eg as with 1.1.1.1 for Cloudflare) you need to own the IP address and have control of it (leasing it from your ISP doesn't count). It helps that they also control their own CA and can sign their own certs.
As AGH (or any server) is running on your home LAN, and therefore on a private IP behind NAT, you'll need to access the domain from the public side (i.e. using the domain name and coming in through WAN from the firewall's perspective).
Depending on your router and how it's set up, you may need to manually enable NAT reflection (aka 1:1 NAT, hairpin NAT) to allow yourself to connect back in on the WAN interface to the server IP. You may also need to add a firewall rule to account for this (again, depending on firewall and how it's set up, whether it's ACL or zone based, etc).
As said above, you may also simplify this by setting a local DNS server to redirect $yourdomain.com to $server_lanIP.
I have AGH running in Docker (listening on 10.100.0.5) behind nginx, so it serves both LAN and WAN. My LAN clients connect to $domain and the router is configured to redirect to the local server IP. That way, LAN clients get bounced off the router to 10.100.0.5 (i.e. don't leave the network, one hop) and WAN clients get directed via nginx as appropriate. TLS works in both cases, as I used the domain to connect, and all my local clients (Linux, BSD, macOS, Windows 11, iOS, iPadOS etc) are all set to use DNS over HTTPS directly.
It takes a minute to set up, but once it's done and you know how, it's seconds if you ever need to do it again and it 'just works' after the initial config. The one thing I did want to pull up separately is your certs being shown as invalid in AGH. That shouldn't happen, and is a separate matter to how clients connect...
(1) Find the cert directory (eg /etc/letsencrypt/live/domain/).
(2) In AGH, under Settings > Encryption settings (top menu), enter the domain you want to serve encrypted traffic for ($dns.yourdomain.com). Don't forget you'll need a wildcard cert from LetsEncrypt as you may wish to connect using (variously) $domain.com $dns.domain.com $doh.domain.com $dot.domain.com $quic.domain.com or whatever. You can leave the ports at default unless you have some local hackery going on (so 443/TCP for HTTPS, 853/TCP for TLS and 784/UDP for Quic). I had to set AGH to use 444/TCP for HTTPS but I don't 'really' use it. I have nginx running on the main machine and thus hogging 443/TCP (AGH is in Docker), and dns.oursecure.network hits the router > nginx > redirects to 10.100.0.5:444 for encrypted DNS. You likely can stick to 443 unless you're running a proxy or other services.
(3) Add the cert paths to the DNS > Encryption page. You *can* copy in the certs, but that's manual intervention every renewal. If you add the cert paths themselves, it'll auto-update when certbot (or Lego, or whatever) renews.
(4) If the certs error, check that AGH has permissions to access the directory. This may not be the case if they're in /etc/ (a root path). You may need to add permissions or copy them to a local (to that user) directory. Use fullchain.pem as the cert, and privkey.pem for the private key.
Any questions, hit me up. It's a nice app and works flawlessly once running.
Edit: Added pics and tidied up the explanation.
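Added example (not the poster's code, and not AdGuard Home's own validation logic): AGH is a Go program, and the checks below are the standard-library ones any Go TLS server applies to a fullchain.pem/privkey.pem pair. It shows the three failure modes the thread touches on: a wildcard cert for `example.com` covering `dns.example.com`/`doh.example.com` but rejecting a LAN IP such as `192.168.1.100`, a privkey.pem that doesn't belong to the fullchain.pem next to it, and an expired 90-day issuance. The domain names are assumptions, and the certificate is a constructed self-signed stand-in for the Let's Encrypt files so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckResult records the three things a TLS server needs from a
// fullchain.pem / privkey.pem pair before it will serve a hostname.
type CheckResult struct {
	KeyMatches bool  // privkey.pem belongs to the leaf in fullchain.pem
	HostnameOK bool  // the leaf's SANs cover the name the client will use
	NotExpired bool  // "now" falls inside NotBefore..NotAfter
	Err        error // first failure, nil when everything passes
}

// checkCertForHost loads the pair exactly as a Go TLS server does
// (tls.X509KeyPair), then checks validity and the requested hostname.
func checkCertForHost(chainPEM, keyPEM []byte, host string, now time.Time) CheckResult {
	var r CheckResult
	pair, err := tls.X509KeyPair(chainPEM, keyPEM)
	if err != nil {
		r.Err = fmt.Errorf("certificate/key pair rejected: %w", err)
		return r
	}
	r.KeyMatches = true
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		r.Err = err
		return r
	}
	r.NotExpired = !now.Before(leaf.NotBefore) && !now.After(leaf.NotAfter)
	if !r.NotExpired {
		r.Err = fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			now.Format(time.RFC3339), leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
		return r
	}
	// VerifyHostname treats an IP literal as an IP and only matches IP SANs,
	// which is why a domain-issued cert fails for https://192.168.1.100.
	if err := leaf.VerifyHostname(host); err != nil {
		r.Err = err
		return r
	}
	r.HostnameOK = true
	return r
}

// makeTestCert builds a constructed self-signed certificate for the given DNS
// names, standing in for Let's Encrypt's fullchain.pem / privkey.pem.
func makeTestCert(dnsNames []string, notBefore time.Time) (chainPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour), // Let's Encrypt lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	chainPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return chainPEM, keyPEM, nil
}

func main() {
	now := time.Now()
	// Constructed stand-in for a wildcard issuance covering example.com and *.example.com.
	chain, key, err := makeTestCert([]string{"example.com", "*.example.com"}, now.Add(-time.Hour))
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"dns.example.com", "doh.example.com", "example.com", "192.168.1.100"} {
		r := checkCertForHost(chain, key, host, now)
		fmt.Printf("%-16s key=%v host=%v valid=%v err=%v\n", host, r.KeyMatches, r.HostnameOK, r.NotExpired, r.Err)
	}
	// A privkey.pem from a different issuance next to the current fullchain.pem.
	_, otherKey, _ := makeTestCert([]string{"example.com"}, now)
	fmt.Println("mismatched key:", checkCertForHost(chain, otherKey, "dns.example.com", now).Err)
}
```

To run it against real files instead, read fullchain.pem and privkey.pem with os.ReadFile and pass the bytes in; a permission error on the read is the step (4) problem above, while an error from checkCertForHost points at the pair or the name you're connecting with.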