    Cloudron Forum
    DoT support with client ID

    AdGuard Home
    orangetech:

      According to the Adguard wiki https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid, the user's client ID can be set based on the URL used for DoT.

      I'm trying to connect to my adguard instance with clientID.adguard.example.com but there is a certificate mismatch because *.adguard.example.com certificates aren't being generated. See the error message below:

      dog google.com --tls @clientid.adguard.example.com
      Error [tls]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1914: (Hostname mismatch)

      The main reason I want to do this is to limit DNS requests to certain clientIDs so I can use the private dns function on android. I can't use my cell IP address because it's dynamic, so that is the only way I see to have a locked down DNS server. I believe all that needs to be done is to issue certs for the adguard instance (as is already done) and then a wildcard cert for *.adguard.example.com.

    robi:

        There are apps like DNS66 and others that can set your DNS server explicitly (root) or implicitly via VPN to lock down DNS requests.

        Check on Fdroid.


    girish (Staff):

          From what I could make out from the AdGuard home config, only one TLS cert can be provided. This means that the cert for *.adguard.example.com and adguard.example.com need to be combined into one cert. We have to add support for such a cert in Cloudron since we don't request combined certs.

    girish (Staff):

            It could also be that in ClientID mode, DoH with adguard.example.com is not supposed to work. Only client.adguard.example.com is supposed to work.

            In any case, apart from the certs, we also need to set up wildcard DNS.

    (Topic has been marked as a question by girish)

    7dowWilkes, replying to girish:

              @girish Hi, I just had the same problem as "orangetech" and the same wish to use the client id as access restriction. What I don't understand:
              I use my domain via the netcup API, and a wildcard certificate was (probably) created for me by cloudron.
              Why can't this wildcard certificate be used for the AdGuard app? When I check the certificate in the AdGuard web interface, it shows me that the certificate used is only valid for the main domain.
              It would be nice if the client ID filtering option becomes possible.

    girish (Staff), replying to 7dowWilkes:

                @7dowWilkes said in DoT support with client ID:

                Why can't this wildcard certificate be used for the AdGuard app?

                The wildcard cert does not cover the bare domain cert, because of the way certs work. AdGuard also only supports one cert at a time. This means that we have to get a cert which combines the bare domain (foo.com) and the wildcard (*.foo.com). Have to fix Cloudron's tls addon logic to support such an app. It's on my list.

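The certificate-mismatch error in the first post and girish's explanation of why a wildcard cert does not cover the bare domain both come down to the hostname-matching rules in RFC 6125 section 6.4.3: a wildcard may only be the whole left-most label, and it matches exactly one label. The following script is an added example, not code from the forum thread, Cloudron or AdGuard Home; it implements those rules and reports which of the names involved here (bare domain, ClientID form, and a two-level subdomain) a given SAN list covers. The SAN lists and the `getpeercert()`-style dict are constructed sample data, not values taken from a real certificate.

```python
# Added example (not from the forum thread, Cloudron or AdGuard Home): checks
# which hostnames a certificate covers, applying the wildcard matching rules
# of RFC 6125 section 6.4.3. This is why a "*.adguard.example.com" cert does
# not cover the bare name "adguard.example.com", and why a combined cert
# carrying both SANs is needed when one cert must serve both names.
# The SAN lists and the getpeercert()-style dict below are constructed data.


def hostname_matches(san: str, hostname: str) -> bool:
    """Return True if a single DNS SAN entry covers hostname (case-insensitive)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Only a whole left-most label may be a wildcard, and it needs at least
    # two labels after it (reject "*.com").
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if any("*" in label for label in san_labels[1:]):
        return False
    # A wildcard matches exactly one label: the hostname must have the same
    # label count and identical labels after the first. This is what makes
    # "adguard.example.com" (one label short) and "a.b.adguard.example.com"
    # (one label too many) mismatches against "*.adguard.example.com".
    if len(host_labels) != len(san_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == san_labels[1:]


def sans_from_peercert(peercert: dict) -> list:
    """Extract DNS names from the dict format returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def coverage_report(sans, hostnames) -> dict:
    """Map each hostname to whether any SAN in the list covers it."""
    return {host: any(hostname_matches(san, host) for san in sans) for host in hostnames}


# Constructed sample: what getpeercert() would return for the combined cert
# girish describes (bare domain plus wildcard in one certificate).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "adguard.example.com"),),),
    "subjectAltName": (("DNS", "adguard.example.com"), ("DNS", "*.adguard.example.com")),
}

# Constructed hostnames matching the thread's naming scheme.
HOSTS = [
    "adguard.example.com",           # bare name used by the AdGuard UI
    "clientid.adguard.example.com",  # ClientID form used for DoT
    "a.b.adguard.example.com",       # two labels deep: no wildcard covers this
]

if __name__ == "__main__":
    for label, sans in [
        ("wildcard only", ["*.adguard.example.com"]),
        ("bare only", ["adguard.example.com"]),
        ("combined", sans_from_peercert(SAMPLE_PEERCERT)),
    ]:
        print(label, coverage_report(sans, HOSTS))
```

To check a live DoT endpoint instead of the constructed dict, pass the result of `getpeercert()` from an `ssl.create_default_context()`-wrapped socket connected to port 853 into `sans_from_peercert`; the report then shows directly whether the served certificate covers the bare name, the ClientID name, or both.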