
Remote & local Access

Access your home services via a secure URL from anywhere in the world. This guide covers setting up AdGuard Home for custom DNS, Nginx Proxy Manager for wildcard SSL certificates via Cloudflare, and Tailscale for a zero-config VPN mesh.




  1. Tailscale

    Install

    curl -fsSL https://tailscale.com/install.sh | sh

    Start

    sudo tailscale up --advertise-routes=192.168.100.0/24 --accept-dns=true --advertise-exit-node

    Admin console

    • Go to https://login.tailscale.com/admin/machines.
    • Approve exit node and subnet routes for your device.
    • Go to DNS > Nameservers.
    • Add Nameserver: Select Custom.
    • IP address: Enter your Tailscale IP (100.x.y.z).
    • Override Local DNS: toggle to ON.

  2. Network configs (optional)

    networkd-dispatcher

    sudo apt install networkd-dispatcher
    sudo systemctl enable systemd-networkd.service
    sudo systemctl start systemd-networkd.service

    Enable IP forwarding

    echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
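
An idempotent variant of the IP-forwarding step above, as an added example that is not part of the original guide: `tee -a` appends a duplicate line on every run, while the hypothetical helper `set_sysctl_key` keeps one assignment per key and the hypothetical `forwarding_active` confirms the kernel state after `sysctl -p`. The demo writes to a scratch file; run the helper as root against /etc/sysctl.d/99-tailscale.conf to use it for real.

```shell
#!/bin/sh
# Added example, not part of the original guide. Function names are hypothetical.

# set_sysctl_key FILE KEY VALUE
# Leave exactly one "KEY = VALUE" line in FILE, however often this is run.
set_sysctl_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        # Copy everything except earlier assignments of KEY; comments are kept.
        awk -v k="$key" '
            { line = $0; sub(/^[ \t]+/, "", line) }
            line ~ /^[#;]/ { print; next }
            { split(line, kv, "="); name = kv[1]; gsub(/[ \t]/, "", name) }
            name != k { print }
        ' "$file" > "$tmp"
    fi
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# forwarding_active [ROOT]
# Succeeds only if the kernel reports IPv4 and IPv6 forwarding as enabled.
# ROOT defaults to /proc/sys; the parameter exists so the check can be tested.
forwarding_active() {
    root=${1:-/proc/sys}
    [ "$(cat "$root/net/ipv4/ip_forward" 2>/dev/null)" = 1 ] &&
    [ "$(cat "$root/net/ipv6/conf/all/forwarding" 2>/dev/null)" = 1 ]
}

# Demo on a scratch file (constructed sample), so nothing under /etc is touched.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'net.ipv4.ip_forward = 1' \
    'net.ipv4.ip_forward = 1' > "$demo"
set_sysctl_key "$demo" net.ipv4.ip_forward 1
set_sysctl_key "$demo" net.ipv6.conf.all.forwarding 1
cat "$demo"
rm -f "$demo"
if forwarding_active; then echo "forwarding: on"; else echo "forwarding: off"; fi
```
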
  3. Docker

    Make directory

    mkdir -p {{DOCKER_PATH_VAR}}/dns-proxy && cd {{DOCKER_PATH_VAR}}/dns-proxy

    docker-compose.yml

    nano docker-compose.yml
    docker-compose.yml
    services:
      adguard:
        image: adguard/adguardhome
        container_name: adguard
        restart: unless-stopped
        volumes:
          - ./adguard/work:/opt/adguardhome/work
          - ./adguard/conf:/opt/adguardhome/conf
        network_mode: host
      npm:
        image: "jc21/nginx-proxy-manager:latest"
        container_name: npm
        restart: unless-stopped
        ports:
          - "80:80"
          - "81:81"
          - "443:443"
        volumes:
          - ./npm/data:/data
          - ./npm/letsencrypt:/etc/letsencrypt
        environment:
          - DB_SQLITE_FILE=/data/database.sqlite

    Start container

    docker compose up -d
  4. Cloudflare

    • Go to Dashboard > My Profile > API Tokens.
    • Create Token: Use the Edit zone DNS template.
    • Permissions: Select Zone | DNS | Edit.
    • Zone Resources: Select Include | Specific zone | your-domain.tld.

  5. AdGuard Home

    Initial setup

    DNS rewrites

    Blocklists (optional)

    • Go to Filters > DNS Blocklists > Add Blocklist: Choose from the list.
      • AdGuard DNS filter
      • AdAway Default Blocklist
      • HaGeZi’s Pro++ Blocklist
      • OISD Blocklist Small
      • OISD Blocklist Big
      • HaGeZi’s Samsung Tracker Blocklist

    General settings (optional)

    • Go to Settings > General Settings.
      • Use AdGuard browsing security web service.
      • Use AdGuard parental control web service.
      • Use Safe Search.

    DNS settings (optional)

    • Go to Settings > DNS Settings.

      • Upstream DNS servers.

        https://dns.quad9.net/dns-query
        https://dns.cloudflare.com/dns-query
        https://dns.adguard-dns.com/dns-query
        • Enter the DNS providers above.
        • Click apply.

      • DNS server configuration.

        • Enable DNSSEC.
        • Click save.

      • Access Settings > Allowed clients.

        100.64.0.0/10
        192.168.100.0/24
        • Add Tailscale and device IP ranges above.
        • Leave blank to allow all.
        • Click Save configuration.

  6. Nginx Proxy Manager

    Certificate

    • Go to http://localhost:81 or http://{{SERVER_IP_VAR}}:81
    • Go to Certificates > Add Certificate > Let’s Encrypt via DNS.
    • Domain Names: Enter *.lan.your-domain.tld.
    • DNS Provider: Select Cloudflare.
    • Credentials File Content: In dns_cloudflare_api_token=YOUR_CLOUDFLARE_API_KEY, replace YOUR_CLOUDFLARE_API_KEY with the API token created in the Cloudflare step.
    • Agree to terms and click Save.

    Proxy host

    • In NPM, go to Hosts > Proxy Hosts > Add Proxy Host.
    • Domain Names: adguard.lan.your-domain.tld.
    • Scheme: http.
    • Forward IP: {{SERVER_IP_VAR}}.
    • Forward Port: 8080.
    • Block common exploits and Websockets support: toggle to ON.
    • SSL Tab: Select the certificate you created.
    • Force SSL and HTTP/2 Support: toggle to ON.
    • Click Save.

  7. Router config

    • Update the Primary DNS (often located under LAN, DHCP or DNS Settings).
    • Primary DNS: {{SERVER_IP_VAR}} (Your device’s Local LAN IP, not the Tailscale one).
    • Secondary DNS: 1.1.1.1 (Fail-safe so your internet still works if your device is turned off).