hassio-addons / addon-adguard-home

AdGuard Home - Home Assistant Community Add-ons
https://addons.community
MIT License

Clarify DoH support - configuration recommendations, if feasible #354

Closed nkm8 closed 7 months ago

nkm8 commented 1 year ago

Problem/Motivation

Based on my research, DoH doesn't currently work with this addon. The feature was added a while ago, but it looks like a recent change in AdGuardHome broke the default configuration in this addon. Specifically, this note was added to the AdGuard wiki: Since v0.107.0 AdGuard Home is able to restrict DNS-over-HTTPS requests which came from the proxy server not included into "trusted" list. By default, it's configured to accept requests from IPv4 and IPv6 loopback addresses.

I can confirm that even with an HTTPS port configured, I do not see AdGuard home listening on that port in the logs. As far as I can tell, this is because AGH only listens on the local loopback address.

Expected behavior

DoH is enabled and functional by setting an HTTPS port in AdGuard Home

Actual behavior

DoH works on the HTTPS port specified in AdGuard Home

Steps to reproduce

Proposed changes

Based on the current implementation in AdGuard Home, DoH needs to be configured by adding the host IP address to the trusted_proxies list in the YAML configuration file

I am not sure what makes the most sense:

Related AGH feature request

If DoH configuration is not supported by this addon, then we should change the current docs to be accurate.

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

nkm8 commented 1 year ago

This is still an issue.

regystro commented 1 year ago

Same issue here. In my case running a reverse proxy and DoH no longer works because

"To enable AdGuard Home to handle DNS-over-HTTPS requests from a reverse proxy server, set the trusted_proxies setting in AdGuardHome.yaml to the IP address of the proxy server."

Is there any way we could use a custom AdGuardHome.yaml in the addon as @nkm8 suggested?

Thank you.

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

nkm8 commented 1 year ago

Not stale

johnbubak commented 1 year ago

Hi, same Problem here.

How to get forward?

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

nkm8 commented 1 year ago

Not stale

GoetzGoerisch commented 1 year ago

@frenck how can we help? Would be able to contribute, please point the direction.

frenck commented 1 year ago

It is a GitHub repo, feel free to suggest an improvement by contributing a pull request.

GoetzGoerisch commented 1 year ago

Sure, I would do this. If I'm understanding the config correctly one would just need to add a port mapping like for 53 to the DoH endpoint in AdGuardHome config.yaml?

Or do I miss something?

frenck commented 1 year ago

add a port mapping like for 53

That seems highly unlikely, as the container runs on the host network.

johnbubak commented 1 year ago

Hi all, In my case I want to use AdGuard to protect my smartphone while not at home.

To do so, I thought it would be a good way to open the needed DoH port, or whatever else is needed, to the public, to be able to use my private DNS from outside, encrypted. Now it seems that is not the proper way.

Probably there is a proper way to do so without changes in the plugin.

If so please give a direction to get this done properly.

Thanks and best

frenck commented 1 year ago

@johnbubak If it wasn't an issue... this issue wouldn't exist, would it? 🤷 So, your question doesn't make much sense to me.

GoetzGoerisch commented 1 year ago

@frenck thanks for the answer. Will look into the details.

da-anda commented 1 year ago

@johnbubak I VPN home (WireGuard) and use the DNS server via AdH that way. That's actually also the only way I access HA from mobile. Might be a workaround for you for the time being.

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

nkm8 commented 1 year ago

Still relevant

patrikulus commented 1 year ago

Hello, is there any update here? I also wanted to use DoH but the current config doesn't allow it :(

GoetzGoerisch commented 1 year ago

Haven't been able to fully figure it out.

The NGINX reverse proxy needs a route to /dns-query without authentication from the host network, which could then be accessed by DoH devices. For this you can add a port forward from the internet.

But I'm not proficient enough in NGINX and Home Assistant add-ons for this to create a PR.

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

GoetzGoerisch commented 1 year ago

Not stale

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

nkm8 commented 1 year ago

Not stale

mxbchr commented 1 year ago

Hey @nkm8 , @regystro , @johnbubak , I'm not 100 % sure if I understand the problem correctly, but I managed to set up DNS over HTTPS with both internal and external access using AdGuard Home and Nginx Proxy Manager Add-ons. Instructions are as follows.

1. Configure NPM For external access, set up a new proxy host in NPM. I'm assuming your NPM is already up and running, ports 80/443 are forwarded, you set up a dynamic DNS service etc. a) I chose dns.example.duckdns.org as subdomain, scheme http, point it at your HA IP address (10.0.2.8 in my case). Pick a random port that is not yet in use by your HA machine (i.e. 9877) (do not use 443!).

Screenshot 2023-06-11 at 13 27 39

b) In "Custom locations" define location "/", scheme http, forward hostname "[ha-ip]/dns-query/" (slash at the end is crucial), and forward port the same you picked earlier. We do this so only the DoH interface is accessible, otherwise dns.example.duckdns.org would point to the AdGuard config panel (which is secured with your HA credentials, but anyway).

Screenshot 2023-06-11 at 13 27 56

c) In "SSL" pick "request a new SSL certificate", activate Force SSL, HSTS, HTTP/2. Hit Save.

Screenshot 2023-06-11 at 13 28 13

2. Configure Add-on in HA In HA, go to AdGuard Add-on page > Configuration. Uncheck ssl, save. Under Network > web interface, configure the port you picked earlier (i.e. 9877).

Screenshot 2023-06-11 at 13 29 45

3. Configure AdGuard a) Open AdGuard Web UI via HA. Go to Settings > Encryption. Check "Enable Encryption", input your server name (dns.example.duckdns.org). Under HTTPS Port DO NOT(!) insert the port you configured earlier in NPM and the add-on configuration in HA. Choose another port that is not already in use. I just did -1 and input 9876 (do not use 443!). This seems counterintuitive and tbh I have no clue why it is like it is, but it doesn't work otherwise. HA seems to somehow map the two ports together. If you use the same port instead, AdGuard becomes unreachable and you have to change the port as in Step 2 to something else to be able to access it again.

b) Under "Certificates" paste the path to the .pem files you created with NPM earlier. In my case, it was "/ssl/nginxproxymanager/live/npm-50/fullchain.pem" and "/ssl/nginxproxymanager/live/npm-50/privkey.pem". You can figure out the certificate number and thus folder number by going to NPM > SSL Certificates and clicking on the three dots next to the certificate. AdGuard needs the certificates configured to activate the DoH server. Don't mind any issues with the certificates, they are not even used by AdGuard for our configuration. SSL termination is handled by NPM, which then forwards the traffic to AdGuard as http (it should be possible to configure it so forwarding also happens via HTTPS, but since traffic basically stays within the same CPU I don't see the point there). Save configuration. If you are having issues with transferring/finding the certificate files, you can alternatively just open them with a text editor on your computer and paste the certificate text into the AdGuard configuration.

Screenshot 2023-06-19 at 11 01 51

4. Configure Clients. Due to the forward rules in NPM and the port mixup thingy, the config files you can download from AdGuard, as well as the shown URLs don't work for external access. In your clients, you simply configure your DoH server as the proxy host you configured earlier (dns.example.duckdns.org). Don't put a "…/dns-query" after it. If you have to specify protocol and/or port, use HTTPS and 443. And there you are. You should now be able to access your AdGuard DoH server under dns.example.duckdns.org from the web.

(5. Client-IDs) Configured like this, everyone can use the DoH service at dns.example.duckdns.org. You can set up client IDs in AdGuard and limit access, or do neat things like custom filtering etc. a) To do so, go to AdGuard Web UI > Settings > Clients settings > add client. Pick a client name, and specify a client ID, ideally one that is hard to guess. Save.

Screenshot 2023-06-11 at 14 24 19

b) Go to Settings > DNS Settings > Access settings > Allowed clients. Put your client IDs there. Save. Now only the whitelisted clients can access the DoH service. Note that this affects the port 53 DNS service as well. You can specify additional IPs and MAC addresses as client IDs. You have to reconfigure your clients to use the client ID. Use "dns.example.duckdns.org/[clientID]" as DoH server URL (again, not "dns.example.duckdns.org/dns-query/[clientID]" as the AdGuard dashboard may suggest). This is a security through obscurity approach, but was the best I could come up with.

Works for me on Home Assistant 2023.6.1, Supervisor 2023.06.1, Operating System 10.2, AdGuard Home 4.8.9, Nginx Proxy Manager 0.12.3. With a MacBook Pro (12.6) and Android 12 (using Intra App) set up as DoH Clients.

Hope this solves your Problem.
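Added example, not part of this thread or of the add-on: the client side of what the guide above sets up. Per RFC 8484 a DoH client sends a DNS wire-format query either as a base64url `dns=` parameter on GET or as an `application/dns-message` POST body, and gets a wire-format DNS message back. The script below builds such a query, derives the GET URL for a proxy host like the `dns.example.duckdns.org` used above (the `path` argument covers both the bare `/` form this setup needs and AdGuard's own `/dns-query`), checks that a reply is actually a DNS message rather than an HTML error page from the proxy, and parses the answer section. The server name is taken from the guide; the answer record (`example.com` A `203.0.113.10`) is constructed, not captured. Standard library only.

```python
import base64
import ipaddress
import struct

DOH_CONTENT_TYPE = "application/dns-message"
TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, qtype=TYPE_A):
    """Build a recursion-desired query. RFC 8484 recommends ID 0 for GET so
    that identical questions yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(server, name, qtype=TYPE_A, path="/dns-query"):
    """GET form: base64url wire query with padding stripped, in ?dns=.
    With the NPM layout from the guide, path is "/" because the proxy
    already maps "/" onto AdGuard's /dns-query/."""
    wire = build_query(name, qtype)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"https://{server}{path}?dns={b64}"


def is_dns_message(content_type, body):
    """Reject replies that are not DNS messages (e.g. an HTML 502 page)."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == DOH_CONTENT_TYPE and len(body) >= 12


def _read_name(wire, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = wire[offset]
        if (length & 0xC0) == 0xC0:                  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", wire[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(wire):
    """Return (rcode, [(name, type, ttl, rdata_text), ...]) from the answer section."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = _read_name(wire, off)
        off += 4                                     # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(wire, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        text = str(ipaddress.ip_address(rdata)) if rtype in (TYPE_A, TYPE_AAAA) else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


# Constructed sample reply (not captured from a real server):
# example.com A 203.0.113.10, TTL 300, answer name compressed to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
    + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    print(doh_get_url("dns.example.duckdns.org", "example.com", path="/"))
    print(is_dns_message("text/html; charset=utf-8", b"<html>502 Bad Gateway</html>"))
    print(parse_response(SAMPLE_RESPONSE))
```

Pointing `doh_get_url` at the proxy host and fetching the URL with any HTTPS client is a quick way to tell the failure modes in this thread apart: a bad gateway from the proxy fails `is_dns_message`, while a reply that parses but reports a non-zero rcode means the request reached AdGuard.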

mr12obot commented 1 year ago

Hi @mxbchr

What upstream DNS servers did you use in the AdGuard settings?

And can you make a simple network diagram / topology for your configuration?

Thanks.

mxbchr commented 1 year ago

Hey @mr12obot I use "https://dns.quad9.net/dns-query" and "https://cloudflare-dns.com/dns-query" as upstream DoH Servers and "1.1.1.1:53" as Bootstrap DNS Server in AdGuard.

Regarding the network diagram, you mean like so?

Simple Network Diagram Example

Can one of the users originally mentioning the issue check if they can reproduce my instructions and if the diverging Ports thing does actually solve their problem?

mr12obot commented 1 year ago

Hi @mxbchr

Yes, network diagram like that. Further question is below:

  1. Is it external access using the AGH and NPM add-ons? What about if we need internal access for DoH clients?
  2. Will router 10.0.2.1 have to be configured to force pointing DNS to the DoH server 10.0.2.8?
  3. Did you use a cloudflared tunnel as well?

mxbchr commented 1 year ago

  1. I can reach the DoH server under dns.example.duckdns.org both from within my network and from outside. To be able to reach it via the domain from inside of the network I had to configure a hostname in the router so that it would resolve DNS requests for dns.example.duckdns.org as 10.0.2.8 (I use OpenWRT, there is a setting called hostnames in the config interface). But you could always reach the DoH server from inside the network just via 10.0.2.8 in my case. It was just a convenience thing since I didn't want to switch servers when leaving the house.

  2. I'm not sure if I understand your question. But I guess it is already answered in 1.?

  3. I do not use cloudflare tunnel. DoH clients contact AdGuard via HTTPS and AdGuard contacts the upstream DNS servers via HTTPS as well.

mr12obot commented 1 year ago

Hi @mxbchr

Have more questions below:

  1. If you don't use a Cloudflare tunnel, then you access the public IP via DDNS services? Does it use add-ons in HA as well?

  2. Is it possible for the DoH client to contact AdGuard and for AdGuard to contact the upstream DNS servers via a Cloudflare tunnel as well?

mxbchr commented 1 year ago

@mr12obot

  1. Exactly. As shown in the network diagram you requested. I use duckdns as DDNS service (there is an add-on for that). Have forwarded ports 80/443 in my router to the nginx proxy manager add-on, which does the SSL termination and (since I use other add-ons with external access the same way) sorts the request based on the subdomain and forwards it to the specified host and port inside the network. There are some tutorials out there on how to achieve external access with duckdns and NPM.

  2. I am unfamiliar with Cloudflare tunnel, so I don't know that. As far as I understand it, it could work, since it's basically just another reverse proxy, just like NPM. But I can't help you with that when it comes to the details.

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

nkm8 commented 1 year ago

Not stale - I use the nginx addon, not NPM, and it would still be best to have this officially documented in this addon.

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

nkm8 commented 1 year ago

Not stale

github-actions[bot] commented 11 months ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

nkm8 commented 11 months ago

Don't make me say it again...

github-actions[bot] commented 10 months ago

There hasn't been any activity on this issue recently, so we clean up some of the older and inactive issues. Please make sure to update to the latest version and check if that solves the issue. Let us know if that works for you by leaving a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thanks!

nkm8 commented 10 months ago

Not stale

mxbchr commented 10 months ago

Not stale - I use the nginx addon, not NPM, and it would still be best to have this officially documented in this addon.

@nkm8 NPM is just nginx with a GUI for configuration. But under the hood it's the same. I dug a little to find the .conf file for my DoH proxy. Maybe this helps you. I'm not familiar with the configuration by file, so if you need any of the files that are referenced in this configuration just say something.

# ------------------------------------------------------------
# dns.example.org
# ------------------------------------------------------------

server {
  set $forward_scheme http;
  set $server         "10.0.2.8";
  set $port           9877;

  listen 80;
#listen [::]:80;

listen 443 ssl http2;
#listen [::]:443;

  server_name dns.example.org;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-74/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-74/privkey.pem;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

    # Force SSL
    include conf.d/include/force-ssl.conf;

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;

  access_log /proc/1/fd/1 proxy;
  error_log /proc/1/fd/1 warn;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       http://10.0.2.8:9877/dns-query/;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

    # Force SSL
    include conf.d/include/force-ssl.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

The "trusted_proxies" setting in AdguardHome.conf that you are suspecting is not what prevents it from working. That is only for client identification. If unset it will work anyway, it will just not show the real client IP. As specified in https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration:

trusted_proxies (since v0.107.0) – The list of IP addresses and CIDR prefixes of trusted HTTP proxy servers. If a DNS-over-HTTPS request comes from one of these addresses or networks, AdGuard Home uses the provided proxy headers, such as X-Real-IP, to get the real IP address of the client. Requests from HTTP proxies outside of these networks are considered to be requests from the proxy itself. That is, the proxy headers are ignored.

The problem is that the correct port for https/DoH Access is the one specified in the add-on configuration page in HomeAssistant and not the one specified in AdGuard / Encryption settings (see here https://github.com/hassio-addons/addon-adguard-home/issues/354#issuecomment-1586154636). Just use the port specified in HomeAssistant Add-on configuration page and it works. Please try at least and if it works I'll make a PR to update the official documentation of this add-on accordingly.

spitfire commented 10 months ago

I'm proxying it with the nginxproxymanager add-on and DoH works fine for me. It is reporting nginxproxymanager's docker IP as the client's though, but it seems to be responding to requests over https. Upon restart my nginxproxymanager didn't want to start, because something had reserved port 443. It was adguard (even though it was NOT set as exposed in the add-on configuration UI, as this can't be set). Asking it to use a different port and proxying it through nginxproxymanager didn't help.

mxbchr commented 10 months ago

@spitfire Which https port did you set in AdGuard / Encryption Settings? Did you activate "ssl" in HomeAssistant Addon config ui?

spitfire commented 10 months ago

@spitfire Which https port did you set in AdGuard / Encryption Settings? Did you activate "ssl" in HomeAssistant Addon config ui?

443/yes. Afterwards I've changed the adguard/encryption https port to something else.

mxbchr commented 10 months ago

So the https port you did set in AdGuard / Encryption Settings is NOT 443 right now? And it's still not working?

Try to uncheck the "ssl" in HomeAssistant Addon config ui and restart maybe.

spitfire commented 10 months ago

Screenshot 2023-10-25 at 11 33 34

I've got SSL on and 8882 as web interface port in add-on settings

Screenshot 2023-10-25 at 11 37 12 (redacted)

8881 for DoH

Screenshot 2023-10-25 at 11 38 10 (redacted)

set up this way in Nginx Proxy Manager add-on for the web interface (that works)

Screenshot 2023-10-25 at 11 39 46 (redacted)

and like this for /dns-query (which now doesn't work)

When I was setting this up first I left port 443 for DoH and somehow both Nginx Proxy Manager and AdGuard's DoH were working at the same time. When I rebooted my HA VM, Nginx Proxy Manager wouldn't start (saying something else is listening on port 443), so I had a hard time getting to Home Assistant and figuring out what it was.

Why the AdGuard add-on exposes a port not defined via add-on configuration is strange - I thought whatever is not set via UI remains internal to the add-on's docker container.

The only thing that the add-on config's ssl switch changes is whether the traffic on its web interface port (here 8882) is served via http or https with the supplied certs. It seems to have no influence on DoH.

DoH works (as in listens) on the specified port (8881) as seen via browser (it refuses because it didn't authenticate properly):

Screenshot (redacted)

When proxied with Nginx Proxy Manager it fails (because of untrusted proxy)

Screenshot 2023-10-25 at 11 50 14 (redacted)

but works for the web interface (with the same reverse proxy!)

Screenshot 2023-10-25 at 11 51 14 (redacted)

mxbchr commented 10 months ago

@spitfire Ok several things:

First:

Screenshot 2023-10-25 at 11 39 46 (redacted) and like this for /dns-query (which now doesn't work)

That can't work. "Define location" and "Forward Hostname" are switched. "Define location" should be "/" and "Forward Hostname/IP" should be "[hostname/IP]/dns-query/", in your case "a0d7b954-adguard/dns-query/". (This will lead to the AdGuard config UI not being reachable under the domain you set, which is desirable if you expose this to the web. To reach the AdGuard config interface you can either use the "open web ui" feature on the Home Assistant add-on page or you set up a separate domain, i.e. "adguard02.example.com", that just points to a0d7b954-adguard port 8882 in your case.)

Second: Also you put the wrong port forward port in "custom locations". You have to use the port you defined in HA Addon config UI, which is 8882 in your case. Do not use the port defined in AdGuard Encryption config UI. This will not work.

DoH works (as in listens) on specified port (8881) as seen via browser (it refuses cause it didn't authenticate properly): When proxied with Nginx Proxy Manager it fails (because of untrusted proxy)

This is neither an authentication nor a trusted_proxies problem, it is because you pointed it at 8881 instead of 8882. There is nothing listening there - hence the connection refused / bad gateway. You have to use the port you defined in the HA add-on config UI. Plus if you want to reach DoH via the proxy you just use https://adguard01.example.com (with port 443), the reverse proxy redirects it to 8882; domainname:8882 as you tried won't work.

Third: If it is still not working, consider following the guide I wrote exactly. See https://github.com/hassio-addons/addon-adguard-home/issues/354#issuecomment-1586154636 You are deviating in several points from it, i.e. "ssl" in the HA add-on config UI, "forward scheme" https instead of http, using the container hostname instead of the IP, which may work anyway but I don't know if it does and it is hard to troubleshoot if it doesn't.

spitfire commented 10 months ago

You seem to have missed that this screenshot is showing the "custom locations" tab - the screenshot prior to that ("details" tab) shows the config for the UI, which works.

The only thing that enabling ssl in the add-on's configuration changes is whether it uses the cert/serves the page via https for the web UI port, so if I understand it correctly it only affects communication between AdGuard and Nginx Proxy Manager, and which scheme (http/https) you need to choose. Disabling it (and setting NPM to use http) didn't really help me.

What doesn't work (to your third point) is the /dns-query path - which, you're right, I've missed adding to the "Forward hostname/IP" field, but even after I did it doesn't work, and when I chose "/" for the "location" field (as expected) it broke my web UI access. I've tried doing adguard01.mydomain.com as a separate vhost without anything in the "Custom locations" tab (which works for the web UI) and then doing just the DoH endpoint as a separate vhost (dns.adguard01.mydomain.com), but it still ends up with bad gateway, regardless of whether I'm using / or /dns-query for the "location" field. Also it doesn't seem to matter if I'm using the internal hostname (a0d7b954-adguard) or the HA external IP address. The only time it does work is if I use the port specified in the DoH settings directly from the client, which leads me to believe that DoH doesn't play nice with the proxy.

mxbchr commented 10 months ago

You seem to have missed that this screenshot is showing the "custom locations" tab - the screenshot prior to that ("details" tab) shows the config for the UI, which works.

I didn't. The config UI works because you used port 8882 in the "details" tab. You have to use port 8882 in the "custom locations" tab as well, which you didn't. Which is my whole point all along. As per your screenshot you used 8881. Please put 8882 in "custom locations". Please do that and post a screenshot of your custom locations tab.

Please use your webbrowser and go to: https://a0d7b954-adguard:8882/dns-query and http://a0d7b954-adguard:8882/dns-query and post the result.

The only thing that enabling ssl in the add-on's configuration changes is whether it uses the cert/serves the page via https for the web UI port, so if I understand it correctly it only affects communication between AdGuard and Nginx Proxy Manager, and which scheme (http/https) you need to choose. Disabling it (and setting NPM to use http) didn't really help me.

Agreed. And I never said it wouldn't work. I just said it's hard to troubleshoot if there's more than one thing deviating from a known working configuration.

spitfire commented 10 months ago

I didn't. The config UI works because you used port 8882 in the "details" tab. You have to use port 8882 in the "custom locations" tab as well, which you didn't. Which is my whole point all along. As per your screenshot you used 8881. Please put 8882 in "custom locations". Please do that and post a screenshot of your custom locations tab.

Wow, that seems to work. I've been using 8881, because that's what I set on DoH page and it seemed to respond when called directly.

I can see it respond to DNS-over-HTTPS queries in the query log.

Screenshot 2023-10-26 at 09 48 57

So the only thing I'm missing now is the client IP address on the query page? Is there a way to make that work without messing with trusted_proxies?

I've tried adding

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $forward_scheme ;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Real-IP $remote_addr;

In the "Custom locations" tabs advanced settings, but all I'm getting is the container's internal IP address.

mxbchr commented 10 months ago

Wow, that seems to work. I've been using 8881, because that's what I set on DoH page and it seemed to respond when called directly.

Eureka! Nice. Yes I know, it is completely counterintuitive, it took me a whole weekend to figure it out and get it working.

So the only thing I'm missing now is the client IP address on the query page? Is there a way to make that work without messing with trusted_proxies?

Unfortunately no, not even that helps. I've added "172.30.33.0/24" to the "trusted_proxies" setting in the AdGuardHome.yaml manually via portainer and the container CLI; that doesn't change anything at all.

The problem seems to be Nginxproxymanager not passing along the real IP. I tried adding the proxy_set_headers you mentioned and the AdGuard wiki mentioned as well, in every possible combination in the "advanced" section, as well as in "custom locations". I couldn't get it working.

AdGuard Wiki: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration

trusted_proxies (since v0.107.0) – The list of IP addresses and CIDR prefixes of trusted HTTP proxy servers. 
If a DNS-over-HTTPS request comes from one of these addresses or networks, AdGuard Home uses the provided proxy headers, such as X-Real-IP, to get the real IP address of the client. 
Requests from HTTP proxies outside of these networks are considered to be requests from the proxy itself. That is, the proxy headers are ignored.

The full list of proxy headers, in the order AdGuard Home inspects them:

    CF-Connecting-IP
    True-Client-IP
    X-Real-IP
    X-Forwarded-For

If you figure it out, please share how!

You can use client-id based identification to identify your clients regardless of the IP address. See my guide https://github.com/hassio-addons/addon-adguard-home/issues/354#issuecomment-1586154636 Step 5. If you just want to see which device is sending queries and do things like client specific filtering or restricting access, this works just as well. Be careful with the whitelisting feature though, as it will block any DNS query not coming from whitelisted clients/IP ranges. You can use the ID feature without restricting access by whitelisting for a start.

If you absolutely need to show the real IP addresses of your clients on the query page, the only way I could come up with is to abandon DoH completely and use DoT instead. But that means starting all over again, so maybe try the client IDs first and see if that suits you.

When it comes to DoT, since you cannot proxy DoT traffic with NPM, you have to set a port forwarding in your router to the DoT port you specified in the AdGuard Web UI - Encryption settings. And if you want to use client IDs with DoT you will need a wildcard certificate for your *.adguard01.example.com domain since identification is done via subdomains, i.e. clientid.adguard01.example.com. I got that up and running as well, and mostly use DoT instead of DoH now, because of the native Android support for DoT. If you have questions on that just ask.
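Added example, not part of this thread or of AdGuard Home's code: a small model of the trusted_proxies behaviour the wiki excerpt above describes, which is why both mxbchr's earlier "trusted_proxies is not what prevents it from working" and spitfire's "all I'm getting is the container's internal IP" are consistent. A DoH server only takes a client address from a proxy header when the TCP peer is itself in the trusted list, and only if the proxy actually sent such a header; otherwise the peer is recorded as the client and the headers are ignored, which is what keeps an arbitrary client from spoofing its identity. The header order and the loopback default come from the wiki text quoted in the thread; the container range 172.30.33.0/24 is the one mxbchr tried; the client address 203.0.113.10 is constructed. Taking the first entry of a comma-separated X-Forwarded-For is this example's own choice, not a claim about AdGuard's parsing. Standard library only.

```python
import ipaddress

# Header order from the AdGuard Home wiki excerpt quoted in this thread.
PROXY_HEADERS = ("CF-Connecting-IP", "True-Client-IP", "X-Real-IP", "X-Forwarded-For")

# Default per the wiki: only requests from loopback proxies are trusted.
DEFAULT_TRUSTED = ("127.0.0.0/8", "::1/128")


def parse_trusted(entries):
    """Accept plain addresses and CIDR prefixes, as trusted_proxies does."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def resolve_client_ip(remote_addr, headers, trusted=DEFAULT_TRUSTED):
    """Return the address a query should be attributed to, as a string.

    Proxy headers are consulted only when the TCP peer is a trusted proxy;
    from anyone else they are ignored, so a client cannot pick its own
    identity by sending X-Real-IP itself.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in parse_trusted(trusted)):
        return str(peer)                      # untrusted peer: it *is* the client
    lowered = {name.lower(): value for name, value in headers.items()}
    for header in PROXY_HEADERS:
        value = lowered.get(header.lower())
        if not value:
            continue
        # Assumption of this example: for a comma-separated chain take the first hop.
        candidate = value.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue                          # malformed value: try the next header
    return str(peer)                          # trusted proxy but no usable header


# Constructed scenario mirroring the thread: the NPM container (172.30.33.0/24)
# forwards a query from a constructed public client 203.0.113.10.
PROXY_PEER = "172.30.33.4"
FORWARDED = {"X-Real-IP": "203.0.113.10", "X-Forwarded-For": "203.0.113.10"}

if __name__ == "__main__":
    # Default trust list: proxy not trusted, so the container IP is logged.
    print(resolve_client_ip(PROXY_PEER, FORWARDED))
    # Proxy trusted and header present: the real client appears.
    print(resolve_client_ip(PROXY_PEER, FORWARDED, ("172.30.33.0/24",)))
    # Proxy trusted but nginx did not pass a header: still the container IP.
    print(resolve_client_ip(PROXY_PEER, {}, ("172.30.33.0/24",)))
    # Untrusted peer trying to spoof: header ignored.
    print(resolve_client_ip("198.51.100.7", {"X-Real-IP": "10.0.0.1"}))
```

The third call is the situation spitfire ended up in: adding the container range to trusted_proxies is necessary but not sufficient, because the proxy also has to emit one of the listed headers for the client address to change. The `proxy_set_header X-Real-IP $remote_addr;` lines posted above are the right shape for that when nginx is the first hop the client reaches.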