2FA/MFA for Adguard Home

[jackspiering]

Hi Everyone,

How does everyone think about adding 2FA/MFA to Adguard Home?
It will drastically improve security. Besides that it will be a feature that other DNS application don't have.

[whyisthisbroken]

If you're hosting it locally, this shouldn't be a security improvement. (maybe, but useless) Perhaps there are other alternatives to protect your home network...

[jackspiering]

Thank you for responding. It should definitely improve the security, especially for internet facing situations, for example: hosting your own domain with DoH or DoT. Many different open source product have 2FA as an option: Proxmox, Uptime-kuma etc.

I think the information/data on Adguard home can be very sensitive if one is concerned about privacy, 2FA would let those people sleep a bit better :)

[ishanjain28]

It seems a bit overkill? I don't know..

Come to think of it, I am in favor of adding web authentication(fido2+ctap2) based login. With that, I can login much more quickly without having to enter any username/passwords but just adding a form of 2FA(totps or u2f/fido key based) feels overkill.

[jackspiering]

Thank you for responding. Considering the data that is on the Adguard Home, it would be much safer to add 2FA ( fido2, ctap2 or totps) as an option. If one is having an internet facing setup it would drastically improve the security.

If AGH is internet-facing it could potentially be bruteforced, maybe it would be good to add a feature that blocks IP's after some failed attempts. How do you think about that?

[fate8383]

oauth or 2fa/mfa is necessary, can be optional of course it should exist, tons of information in the dns queries and just username/password is not enough. especially for cloud setups

[jackspiering]

Thank you for responding. I agree with you! What kind of MFA would you suggest?

[fate8383]

Thank you for responding. I agree with you! What kind of MFA would you suggest?

App based 2fa and possibility to create app password for those dashboards we use like widgets need that app passes for the api. But general UI with 2Fa with Authenticator.

[jackspiering]

Great idea! I think both key and app 2FA would be best.

[ghost]

I agree. I am concerned about session ID riding/hijacking even with a strong TLS encryption + strong B-Crypt password hash. I think AdGuard team would have to integrate some kind of key generation mechanism that can generate a key we can add to Authy. I am not entirely sure other cloud services do this...

[foegra]

Any news on this?

[gordon15969]

Any word on when MFA or Webauth will be enabled for Adguard Home? I do host it at home, but it's accessible to the web for DoH, so I would like to get extra protection to my login prompt.

[matmielke]

Same here, AGH is running on a vServer to serve the mobile devices I have. I'd like to have some security for the login page ...

[hmntsharma]

anything which helps in integrating it with authentik would be helpful. so +1

Thanks!

[S0UK]

+1

[Isaaker]

+1

[songochain]

+1

[heyobravo]

+1

[kairusds]

2 years and still no news? Really need it as I'm hosting my instance on a public IP.

[foegra]

Reserve proxy gives you valid certificate, not 2FA

[Noschvie]

For example, you can implement two-factor authentication (2FA) using Nginx-Proxy-Manager and Authelia.

[kairusds]

nginx proxy manager is very buggy and hard to use and authelia is too bloated for a simple totp middleware for a single container/service

[Noschvie]

2FA is somewhat complex, that's in the nature of the thing. Nevertheless, you can have it up and running within a few minutes.

[kairusds]

there's already various libraries like otp that handles that, they could've just integrated it into their existing auth system

[vdias]

My solution...

Web-UI behind nginx, and only allow access from my home...

[songochain]

Another workaround would be separate DOH and Web UI port, so we can only just expose the DOH port on the internet.

[vdias]

Tried that, but when using different port for DoH and UI, just gave me errors...

/etc/nginx/conf.d/dns-admin.conf

server {
    listen 443 ssl;
    http2 on;
    server_name dns-admin.xxxxx.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/xxxxxxxxxx/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxxxxxxxxx/privkey.pem;

    # Security headers (optional but recommended)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";

    # Restrict access to specific IPs
    allow xxxxxxxxxxxx;        # WORK
    allow xxxxxxxxxxxx;         # HOME
    deny all;

    # Replace default 403 page with silent drop
    error_page 403 =444;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    access_log /var/log/nginx/adguard-webui.access.log;
    error_log  /var/log/nginx/adguard-webui.error.log;
}

cat /etc/nginx/conf.d/dns.conf

server {
    listen 443 ssl;
    http2 on;
    listen [::]:443 ssl;
    server_name dns.xxxxxx.com *.dns.xxxxxx.com;  #Wildcard for DoT

    ssl_certificate /etc/letsencrypt/live/dns.xxxxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dns.xxxxxx.com/privkey.pem;

    # Basic SSL security settings
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # DoH endpoint path for root /
    location / {
        # Rewrite the root URL to /dns-query internally ***
        rewrite ^/$ /dns-query break;

        # Proxy to the internal **HTTP** DoH port (8090)
        proxy_pass http://127.0.0.1:8080;

        # Pass headers for correct client IP logging in AdGuard Home
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https; # Inform AGH that the connection was secure

        # DNS specific tuning
        proxy_buffers 16 16k;
        proxy_buffer_size 16k;
        client_max_body_size 0;
        proxy_buffering off;
    }

    access_log /var/log/nginx/dns.access.log;
    error_log  /var/log/nginx/dns.error.log;
}

[songochain]

Yes, I tried with nginx and DOH didn't work on 443. I meant the devs maybe should add the feature to separate both ports. So you can have nginx plus some 2FA like Authelia working with the WEB UI (or just not expose that port on internet) and DOH working at the same time with a different port.

[vdias]

I have both as http and leave https to nginx...

[songochain]

Is your DOH and TLS working on internet, outside your home network? I tried with nginx and the web ui was working fine with the proxy but I still needed the DOH original port because the 443 wasn´t working, chrome and android didn´t recognize the url with 443. Of course, the certificate was working fine with nginx.

[vdias]

Yes.

WebUI + DoH - Behind Nginx (posted the nginx conf some post up)
DoT - directly from internet (nginx was a pain in the ass on this)

Use DoT wherever possible, leveraging DNS CNAMEs for client identification. For LAN traffic and older clients, use DoH over a proxy (without client identification). I really miss the NextDNS functionality for LAN client identification via the NextDNS CLI, but the AdGuard development team has been slow on this front. AdGuard seems to lack active development and is falling behind other paid solutions.

As an additional security layer, all external traffic and any sources flagged by Threat Intelligence Feeds (TIF) are blocked, allowing only traffic originating from my home country (Europe)...

/opt/AdGuardHome/AdGuardHome.yaml (The parts related to this)

http:
  address: 127.0.0.1:8080
  session_ttl: 720h
tls:
  enabled: true
  server_name: dns.XXXXX.com
  force_https: false
  port_https: 0
  port_dns_over_tls: 853
  port_dns_over_quic: 0
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: true
  certificate_chain: ""
  private_key: ""
  certificate_path: /etc/letsencrypt/live/dns.xxxxxxx.com/fullchain.pem
  private_key_path: /etc/letsencrypt/live/dns.xxxxxxxx.com/privkey.pem
  strict_sni_check: false

[songochain]

Ok, THX for the config. I will try again doh plus nginx. I was using the UI to configure the proxy in nginx, I will try to translate your config to include in the UI.

[songochain]

Ok, finally I got working Nginx and DOH. My fault was i didn't have the wildcard certificate in nginx but yes in adguard home.
Now, the adguard home web isn't exposed on internet, thx!

Edit: TLS isn´t saving the stats for my phone, it works with phone.domain.com (i had this config before put nginx). Now the domain should be dns.domain.com so in my phone i put phone.dns.domain.com and it doesn´t work but if put only dns.domain.com, it works but no stats too.
nginx and adguard have wildcard certificate. (domain.com and *.domain.com). The difference is for nginx i did it with the WEB and for adguard i did it with acme, like always.
Maybe can you shed some light on this issue.
BR.

Edit again
I think the problem is the free domain I have. It's up to four free third-level domains. I will register another one only for adguard.