DoT support with client ID

Reply to DoT support with client ID on Sat, 15 Apr 2023 14:46:29 GMT

girish — Sat, 15 Apr 2023 14:46:29 GMT

@lukas let's follow up at https://forum.cloudron.io/topic/9033/adguard-home-wildcard-aliases

Reply to DoT support with client ID on Sat, 15 Apr 2023 06:54:10 GMT

lukas — Sat, 15 Apr 2023 06:54:10 GMT

@nichu42 said in DoT support with client ID:

What have you tried so far? Which Cloudron version are you running?

Added Client ID, like lukas-android to allow list, and added an alias lukas-android.agh.mydomain.tld to AdGuard Cloudron App. I'm running Cloudron 7.4

Regards,
Lukas

Reply to DoT support with client ID on Sat, 15 Apr 2023 06:44:12 GMT

nichu42 — Sat, 15 Apr 2023 06:44:12 GMT

@lukas said in DoT support with client ID:

is it already working? Trying to get it running but I have no success

Yes, it is. I have DoH and DoT enabled and restricted access to my clients. It's working great.
What have you tried so far? Which Cloudron version are you running?

Reply to DoT support with client ID on Fri, 14 Apr 2023 22:07:03 GMT

lukas — Fri, 14 Apr 2023 22:07:03 GMT

@girish said in DoT support with client ID:

Android only supports DoT (the 'private DNS' feature). It requires a change in platform and thus will only work in next release.

is it already working? Trying to get it running but I have no success

Reply to DoT support with client ID on Wed, 12 Apr 2023 15:02:48 GMT

7dowWilkes — Wed, 12 Apr 2023 15:02:48 GMT

@girish
also a big thank you from my side - the solution of software-version and adguard works like a charm

Reply to DoT support with client ID on Sun, 02 Apr 2023 16:05:37 GMT

luckow — Sun, 02 Apr 2023 16:05:37 GMT

@girish mh. is there anything to do if there is already a previous version of adguard & cloudron? The moment I updated both to the latest version and added an alias for the wildcard certificate, there is a mismatch between sub third and third level domain.

dog cloudron.io --tls @phone.adg.example.org
Error [tls]: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889: (hostname mismatch)

dog cloudron.io --tls @adg.example.org
A cloudron.io. 5m00s 165.227.67.76

Forget about this question. I tested it with the wrong instance with v7.3

Reply to DoT support with client ID on Fri, 31 Mar 2023 14:33:41 GMT

nichu42 — Fri, 31 Mar 2023 14:33:41 GMT

@girish

I just wanted to leave a big thank-you!
DoT works perfectly with Cloudron 7.4, so I can cancel my NextDNS subscription now.

Reply to DoT support with client ID on Sun, 26 Feb 2023 11:01:58 GMT

nichu42 — Sun, 26 Feb 2023 11:01:58 GMT

@girish
OK, thanks. I was a bit confused by the AdGuard changelog you posted that said "Add ClientID support with DoT".
So we're not waiting for an AdGuard Home release, but for the next Cloudron release.

Reply to DoT support with client ID on Sun, 26 Feb 2023 09:53:08 GMT

girish — Sun, 26 Feb 2023 09:53:08 GMT

@nichu42 It will only work with next cloudron release - 7.4.

AdGuard supports ClientID in both DoH and DoT.

DoH client id works already right now. You can use this in firefox, for example, like this (in about:config). Screenshot below is from desktop but maybe the mobile client supports it:

Android only supports DoT (the 'private DNS' feature). It requires a change in platform and thus will only work in next release.

Reply to DoT support with client ID on Sun, 26 Feb 2023 09:36:54 GMT

nichu42 — Sun, 26 Feb 2023 09:36:54 GMT

@girish
Is this supposed to work now?
I installed the latest AdGuard Home version with Cloudron and set a wildcard alias (*.thirdlevel).
But my Android phone is still unable to connect to device.thirdlevel.domain.com

Is there still something that has to be implemented on Cloudron's side or am I missing something?

Reply to DoT support with client ID on Mon, 30 May 2022 19:46:53 GMT

girish — Mon, 30 May 2022 19:46:53 GMT

@7dowWilkes said in DoT support with client ID:

Why can't this wildcard certificate be used for the AdGuard app?

The wildcard cert does not cover the bare domain cert, because of the way certs work. AdGuard also only supports one cert at a time. This means that we have to get a cert which combines the bare domain (foo.com) and the wildcard (*.foo.com). Have to fix Cloudron's tls addon logic to support such an app. It's on my list.

Reply to DoT support with client ID on Thu, 26 May 2022 12:01:28 GMT

7dowWilkes — Thu, 26 May 2022 12:01:28 GMT

@girish Hi, I just had the same problem as "orangetech" and the same wish to use the client id as access restriction. What I don't understand:
I use my domain via netcup API and it was created for me by cloudron (probably) a wildcard certificate.
Why can't this wildcard certificate be used for the AdGuard app? When I check the certificate in the AdGuard web interface, it shows me that the certificate used is only valid for the main domain.
It would be nice if the client ID filtering option becomes possible.

Reply to DoT support with client ID on Wed, 13 Apr 2022 16:59:04 GMT

girish — Wed, 13 Apr 2022 16:59:04 GMT

It could also be that in ClientID mode, DoH with adguard.example.com is not supposed to work. Only client.adguard.example.com is supposed to work.

In any case, apart from the certs, we also need to set up wildcard DNS.

Reply to DoT support with client ID on Wed, 13 Apr 2022 16:52:59 GMT

girish — Wed, 13 Apr 2022 16:52:59 GMT

From what I could make out from the AdGuard home config, only one TLS cert can be provided. This means that the cert for *.adguard.example.com and adguard.example.com need to be combined into one cert. We have to add support for such a cert in Cloudron since we don't request combined certs.

Reply to DoT support with client ID on Mon, 11 Apr 2022 21:18:59 GMT

robi — Mon, 11 Apr 2022 21:18:59 GMT

There are apps like DNS66 and others that can set your DNS server explicitly (root) or implicitly via VPN to lock down DNS requests.

Check on Fdroid.