Remote & local Access

Access your home services via a secure URL from anywhere in the world. This guide covers setting up AdGuard Home for custom DNS, Nginx Proxy Manager for wildcard SSL certificates via Cloudflare and Tailscale for a zero-config VPN mesh.


  1. Tailscale

    Install and configure the Tailscale client to establish a secure mesh network and manage node connectivity.

    1. Install

      Terminal window
      curl -fsSL https://tailscale.com/install.sh | sh
    2. Optimizations for subnet routers and exit nodes (optional)

      Enable IP forwarding and adjust network interface offloading to maximize throughput for routed traffic.

      Network performance

      Terminal window
      NETDEV=$(ip -o route get 1.1.1.1 | cut -f 5 -d " ")
      sudo ethtool -K "$NETDEV" rx-udp-gro-forwarding on rx-gro-list off

      Persist on reboot

      Terminal window
      printf '#!/bin/sh\nethtool -K %s rx-udp-gro-forwarding on rx-gro-list off\n' "$(ip -o route get 1.1.1.1 | cut -f 5 -d " ")" | sudo tee /etc/networkd-dispatcher/routable.d/50-tailscale
      sudo chmod 755 /etc/networkd-dispatcher/routable.d/50-tailscale

      Enable IP forwarding

      Terminal window
      echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
      echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
      sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
    3. Start

      Terminal window
      sudo tailscale up --advertise-routes=192.168.100.0/24 --accept-dns=false --advertise-exit-node
    4. Admin console

      • Go to https://login.tailscale.com/admin/machines.
      • Approve exit node and subnet routes for your device.
      • Go to DNS > Nameservers.
      • Add Nameserver: Select Custom.
      • IP address: Enter your Tailscale IP (100.x.y.z).
      • Override Local DNS: toggle to ON.

  2. Docker

    Deploy AdGuard Home and Nginx Proxy Manager as containerized services for network filtering and reverse proxying.

    1. Make directory

      Terminal window
      mkdir -p {{DOCKER_PATH_VAR}}/dns-proxy && cd {{DOCKER_PATH_VAR}}/dns-proxy
    2. compose.yml

      Terminal window
      nano compose.yml
      compose.yml
      services:
        adguard:
          image: adguard/adguardhome
          container_name: adguard
          restart: unless-stopped
          volumes:
            - ./adguard/work:/opt/adguardhome/work
            - ./adguard/conf:/opt/adguardhome/conf
          network_mode: host   # AdGuard Home binds its ports (including 53) directly on the host
        adguardhome-sync:
          image: ghcr.io/bakito/adguardhome-sync:latest
          container_name: adguardhome-sync
          command: run
          environment:         # values are read from .env
            ORIGIN_URL: ${ORIGIN_URL}
            ORIGIN_USERNAME: ${ORIGIN_USERNAME}
            ORIGIN_PASSWORD: ${ORIGIN_PASSWORD}
            REPLICA_URL: ${REPLICA_URL}
            REPLICA_USERNAME: ${REPLICA_USERNAME}
            REPLICA_PASSWORD: ${REPLICA_PASSWORD}
            CRON: "*/10 * * * *"
            RUN_ON_START: "true"
        npm:
          image: "jc21/nginx-proxy-manager:latest"
          container_name: npm
          restart: unless-stopped
          ports:
            - "80:80"
            - "81:81"          # NPM admin UI (plain HTTP)
            - "443:443"
          volumes:
            - ./npm/data:/data
            - ./npm/letsencrypt:/etc/letsencrypt
          environment:
            - DB_SQLITE_FILE=/data/database.sqlite
    3. .env

      Terminal window
      nano .env
      .env
      ORIGIN_URL=http://192.168.100.10:8080
      ORIGIN_USERNAME=admin
      ORIGIN_PASSWORD=password
      REPLICA_URL=http://192.168.100.11:8080
      REPLICA_USERNAME=admin
      REPLICA_PASSWORD=password
    4. Fix port conflict (53)

      Disable the stub listener

      Terminal window
      sudo nano /etc/systemd/resolved.conf

      Set DNSStubListener=no

      Restart systemd-resolved

      Terminal window
      sudo systemctl restart systemd-resolved
    5. Start container

      Terminal window
      docker compose up -d
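
To see what the containers started above expose, this added example (not part of the original guide) classifies listening sockets on the guide's ports by whether they are bound to every interface. The port labels, function names and sample `ss` lines are constructed; 8080 is assumed to be the AdGuard Home web UI port, as in the .env and proxy host settings.

```shell
#!/bin/sh
# Added example: report which of this guide's ports listen on every interface.
# Port labels follow compose.yml and the 8080 web UI port used in .env above.

# Reads `ss -H -tuln` lines on stdin; prints "proto port label scope".
audit_listeners() {
  awk '
    BEGIN {
      label[53] = "adguard-dns"; label[80] = "npm-http"; label[443] = "npm-https"
      label[81] = "npm-admin";   label[8080] = "adguard-ui"
    }
    {
      n = match($5, /:[0-9]+$/)            # trailing ":port" of Local Address:Port
      if (n == 0) next
      port = substr($5, n + 1) + 0
      addr = substr($5, 1, n - 1)
      if (!(port in label)) next
      wild = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
      print $1, port, label[port], (wild ? "all-interfaces" : "bound:" addr)
    }' | sort -u
}

# Counts plain-HTTP admin UIs (NPM :81, AdGuard :8080) bound to every interface.
admin_ui_exposed() {
  audit_listeners |
    awk '($3 == "npm-admin" || $3 == "adguard-ui") && $4 == "all-interfaces"' |
    wc -l | tr -d ' '
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS='udp UNCONN 0 0 192.168.100.10:53 0.0.0.0:*
tcp LISTEN 0 4096 192.168.100.10:53 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:81 0.0.0.0:*
tcp LISTEN 0 4096 [::]:81 [::]:*
tcp LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 4096 *:8080 *:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | audit_listeners
echo "admin UIs on all interfaces: $(printf '%s\n' "$SAMPLE_SS" | admin_ui_exposed)"
# On the Docker host itself: ss -H -tuln | audit_listeners
```
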
  3. Cloudflare

    Generate a scoped API token to automate DNS record management and SSL certificate validation.

    • Go to Dashboard > My Profile > API Tokens.
    • Create Token: Use the Edit zone DNS template.
    • Permissions: Select Zone | DNS | Edit.
    • Zone Resources: Select Include | Specific zone | your-domain.tld.

  4. AdGuard Home

    Complete the initial web setup to manage network-wide DNS filtering and security rules.

    1. Initial setup

    2. DNS rewrites

    3. Blocklists (optional)

      • Go to Filters > DNS Blocklists > Add Blocklist: Choose from the list.
        • AdGuard DNS filter
        • AdAway Default Blocklist
        • HaGeZi’s Pro++ Blocklist
        • OISD Blocklist Small
        • OISD Blocklist Big
        • HaGeZi’s Samsung Tracker Blocklist
    4. General settings (optional)

      • Go to Settings > General Settings.
        • Use AdGuard browsing security web service.
        • Use AdGuard parental control web service.
        • Use Safe Search.
    5. DNS settings (optional)

      • Go to Settings > DNS Settings.

        • Upstream DNS servers.

          https://dns.quad9.net/dns-query
          https://dns.cloudflare.com/dns-query
          https://dns.adguard-dns.com/dns-query
          • Enter the DNS providers above.
          • Click apply.

        • DNS server configuration.

          • Enable DNSSEC.
          • Click save.

        • Access Settings > Allowed clients.

          100.64.0.0/10
          192.168.100.0/24
          • Add Tailscale and device IP ranges above.
          • Leave blank to allow all.
          • Click Save configuration.
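
The Allowed clients ranges above, as an added example that is not part of the original guide: a small IPv4 matcher showing which source addresses the two ranges admit, including the edges of 100.64.0.0/10. The function names and client addresses are constructed, and it models only the list behaviour described here (an empty list allows all), not AdGuard Home's own code.

```shell
#!/bin/sh
# Added example: model of the Allowed clients list configured above (IPv4 only).
# ALLOWED_CIDRS holds the two ranges from this guide; an empty list admits everyone.
ALLOWED_CIDRS="100.64.0.0/10 192.168.100.0/24"

# Dotted-quad IPv4 -> 32-bit integer; non-zero status on malformed input.
ip_to_int() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in 0?*) return 1 ;; esac      # reject leading zeros (octal ambiguity)
    [ "$octet" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX: status 0 if IP is inside, 1 if outside, 2 on bad input.
in_cidr() {
  bits=${2#*/}
  case "$bits" in ''|*[!0-9]*) return 2 ;; esac
  [ "$bits" -le 32 ] || return 2
  ip=$(ip_to_int "$1") || return 2
  net=$(ip_to_int "${2%/*}") || return 2
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Prints "allow" or "deny" for one client address.
client_allowed() {
  [ -n "$ALLOWED_CIDRS" ] || { echo allow; return 0; }
  for cidr in $ALLOWED_CIDRS; do
    if in_cidr "$1" "$cidr"; then echo allow; return 0; fi
  done
  echo deny; return 1
}

# Constructed clients: tailnet, edge of the /10, LAN, neighbouring LAN, public.
for client in 100.64.0.1 100.127.255.254 100.128.0.1 \
              192.168.100.50 192.168.101.50 203.0.113.7; do
  printf '%-16s %s\n' "$client" "$(client_allowed "$client")"
done
```
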

  5. Nginx Proxy Manager

    Access the administrative dashboard to route incoming traffic and manage SSL certificates for your services.

    1. Certificate

      • Go to http://localhost:81 or http://{{SERVER_IP_VAR}}:81
      • Go to Certificates > Add Certificate > Let’s Encrypt via DNS.
      • Domain Names: Enter *.lan.your-domain.tld.
      • DNS Provider: Select Cloudflare.
      • Credentials File Content: Set dns_cloudflare_api_token=YOUR_CLOUDFLARE_API_KEY, replacing YOUR_CLOUDFLARE_API_KEY with the API token created in the Cloudflare step.
      • Agree to terms and click Save.
    2. Proxy host

      • In NPM, go to Hosts > Proxy Hosts > Add Proxy Host.
      • Domain Names: adguard.lan.your-domain.tld.
      • Scheme: http.
      • Forward IP: {{SERVER_IP_VAR}}.
      • Forward Port: 8080.
      • Block common exploits and Websockets support: toggle to ON.
      • SSL Tab: Select the certificate you created.
      • Force SSL and HTTP/2 Support: toggle to ON.
      • Click Save.

  6. Router config

    Update the Primary DNS, often located under LAN, DHCP or DNS Settings.

    • Primary DNS: {{SERVER_IP_VAR}} (Your device’s Local LAN IP, not the Tailscale one).
    • Secondary DNS: 1.1.1.1 (Fail-safe so your internet still works if your device is turned off).