enable DOH/DOQ using Let's Encrypt certs out of the box

[OniriCorpe]

Problem

• for now, using the Let's Encrypt certificate for DOH/DOQ use is tedious
• port 53 is exposed on Internet by default, see #135

Solution

• implementing the @mh4ckt3mh4ckt1c4s's solution and some improvements
• apply the same logic as DoH/DoQ ports to port 53 (opened if it's the user's choice, else closed)

is someone OK to test this?

PR Status

• [x] Code finished and ready to be reviewed/tested
• [x] The fix/enhancement were manually tested (if applicable)

TODO

• [x] Test package itself
  • [x] scripts: all good
  • [x] Test the config panel
  • [x] enable/disable port 53 exposure
  • [x] enable/disable doh doq ports
  • [x] new password tool
• [x] Test DoH (reverse proxied by nginx)
• [x] WIP: Test DoT
• [x] WIP: Test DoQ
• [x] WIP: Docs
  • [x] Port 53 (to be rewritten as port 53 MUST be opened, see below)
  • [x] DoH & DoQ ports
  • [x] Explain how to filter requests using AGH's allowlist and CIDR (and maybe rate limiting)
  • [x] French translation
• [x] Remove public IPs of the config file in the port 53 is not exposed on Internet (else: crash)
  • [x] adapt opened ports according to user's choice
  • [x] declare needs_exposed_ports according to real user need (so the ynh diagnostic doesn't cry about ports not reachable on internet)
• [x] Add public IPs when port 53 is exposed

Current state

For the package

• all scripts are fully functional 🎉

For AdGuard Home itself

A screenshot of the AdGuard Home front-end, showing the "Encryption settings", with all things validated

• the AGH "Encryption settings" (where DoH / DoQ is activated) is fully configured and validated
• DoH: fully functional 🎉
• DoT: fully functional 🎉
• DoQ: fully functional 🎉
• classic DNS: fully functional 🎉

[yunohost-bot]

:v:

[yunohost-bot]

:v:

[yunohost-bot]

Alrighty!

[yunohost-bot]

:carousel_horse:

[yunohost-bot]

:sunflower:

[OniriCorpe]

Dec 26 17:32:39 AdGuardHome[6139]: 2023/12/26 17:32:39.360985 [fatal] web: https: listen tcp 0.0.0.0:443: bind: address already in use

siiiiggghhhhhh 🙃

[yunohost-bot]

:stuck_out_tongue_winking_eye:

[yunohost-bot]

May the CI gods be with you!

[yunohost-bot]

May the CI gods be with you!

[yunohost-bot]

:sunflower:

[yunohost-bot]

:v:

[OniriCorpe]

I feel like Hal changing a light bulb 😓

[yunohost-bot]

Meow :cat2:

[OniriCorpe]

about https://github.com/YunoHost-Apps/adguardhome_ynh/pull/154/commits/f65fc16f3f8c6bec7665cb46f4d9696155743d2f: dnsmasq uses port 53 on localhost and AGH uses port 53 on outsides IP (local or public ones if needed) (you can see this with netstat -tulpn | grep ":53 ")

and that's OK

except for YNH, as dnsmasq uses port 53 on localhost, the port is used and YNH refuses to give it to AGH for outsides IP: WARNING Failed to provision ports : Port 53 is already used by another process or app.

so I had to remove the port from the manifest.toml and hardcode it in config and scripts it's OK since port 53 for DNS stuff is mandatory, so it would never change tho

[yunohost-bot]

:rocket:

[OniriCorpe]

as for now:

• installation without exposed port 53 is functional
• the "Encryption settings" (where DoH / DoQ is activated) is fully configured and validated
• using https://adguard.example.com:13120/dns-query returns NS_ERROR_UNKNOWN_HOST
• using https://adguard.example.com/dns-query returns TRR_RECODE_FAILS
• using tls://adguard.emelyne.eu:853 returns TRR_BAD_URL
• using quic://adguard.emelyne.eu:853 returns TRR_BAD_URL too

so DoH & DoQ are not working and needs more testing

[yunohost-bot]

:carousel_horse:

[yunohost-bot]

Meow :cat2:

[OniriCorpe]

!testme

and time to sleep Zzz

[yunohost-bot]

Meow :cat2:

[yunohost-bot]

Alrighty!

[yunohost-bot]

Fingers crossed!

results:

[yunohost-bot]

Alrighty!

results:

[yunohost-bot]

:v:

[yunohost-bot]

Alrighty!

[yunohost-bot]

May the CI gods be with you!

[yunohost-bot]

Meow :cat2:

[yunohost-bot]

:stuck_out_tongue_winking_eye:

[yunohost-bot]

Meow :cat2:

[Ddataa]

I have to find time to test this, hopefully this week

[OniriCorpe]

I have to find time to test this, hopefully this week

it will be really appreciated! ^w^

I have to finish the reverse proxy part, but for now I need a break :)

[OniriCorpe]

also, sorry this PR has become gigantic, it wasn't supposed to /o\

[yunohost-bot]

:bug:

[OniriCorpe]

DoT is working 🎉

[yunohost-bot]

Fingers crossed!

[yunohost-bot]

Living in the future, are we?

[OniriCorpe]

as for now

DoH is working:

└─▶ q example.com MX @https://adguard..example.com
example.com. 23h52m10s MX 0 .

DoT is working:

└─▶ q example.com MX @tls://adguard.example.com:853
example.com. 23h52m5s MX 0 .

DoQ is working:

└─▶ q example.com MX @quic://adguard.example.com:784
example.com. 23h55m53s MX 0 .

[yunohost-bot]

Meow :cat2:

[yunohost-bot]

:book:

[OniriCorpe]

@Ddataa the PR is now ready for review and I asked for testers on the forum: https://forum.yunohost.org/t/adguard-adguard-home-package-for-yunohost/9075/11?u=oniricorpe

[yunohost-bot]

Fingers crossed!

[yunohost-bot]

Living in the future, are we?

[yunohost-bot]

May the CI gods be with you!

[yunohost-bot]

Living in the future, are we?

[OniriCorpe]

during my tests, i found that even if DoH is deactivated, AGH still reply to DoH requests

i opened an upstream issue: https://github.com/AdguardTeam/AdGuardHome/issues/6994

[tituspijean]

Works well on Firefox desktop.

Does not work on Android with the Private DNS setting (only accepts the domain name, as no slash or colon are accepted): the connection is lost after setting it up.

[OniriCorpe]

Does not work on Android with the Private DNS setting (only accepts the domain name, as no slash or colon are accepted): the connection is lost after setting it up.

I don’t understand your issue 😅

[tituspijean]

Pictures will be more understandable :)

[OniriCorpe]

did it used to work before this update?

i cannot find any info on this option... does it use standard DNS (port 53)? DoH? anything else? uh

edit: hmmm okay that seems to be the issue: https://github.com/AdguardTeam/AdGuardHome/issues/5123 so i can't do anything, bad luck

[tituspijean]

Found the issue! Somehow upon upgrading, the DoQ and DoT port got reassigned. In my YunoHost settings I actually have remnants of the old parameters (listed first):

adguard_DoQ_port: '784'
adguard_DoT_port: '853'
...
port_dns_over_quic: 785
port_dns_over_tls: 854

The latter are the ones put in /var/www/adguardhome/AdGuardHome.yaml now. If I revert them to default ports 784 and 853, restart the service, make sure the ports are redirected from my router... the Android Private DNS setting works. The queries are confirmed to be DoT by Adguard.