Block Ads on All Your Devices with AdGuard Home and WireGuard
Most ad blockers work per-app or per-browser. That means ads still slip through in other apps, games, and system-level telemetry. A better approach is to block ads and trackers at the DNS level — before the connection is even established.
This post explains how to set up AdGuard Home as a DNS server on a VPS, accessible only through a WireGuard VPN tunnel. The result: every device connected to your VPN gets network-wide ad blocking with zero client-side configuration beyond changing the DNS server.
Why DNS-Level Blocking?
When an app tries to load ads.tracker.com, it first asks a DNS server to resolve the domain to an IP address. A DNS-level blocker intercepts this request and answers with an unroutable address instead (AdGuard Home's default blocking mode returns 0.0.0.0 for A queries and :: for AAAA), so the connection to the ad server is never attempted.
Advantages over browser-based ad blockers:
- Works across all apps, not just the browser
- Blocks telemetry and tracking from the operating system itself
- No filtering cost on the device: matching happens on the server (each lookup does cross the tunnel, but AdGuard Home caches answers)
- One configuration protects all connected devices
Architecture
The setup uses three components:
- VPS (e.g., Hetzner) running WireGuard and AdGuard Home
- WireGuard VPN in full-tunnel mode — all client traffic routes through the server
- AdGuard Home configured to bind to the WireGuard interface only — so only VPN clients can use it
Traffic flow:
Phone/Laptop → WireGuard Tunnel → VPS → AdGuard Home (DNS queries)
                                      → Internet (everything else)
By default, AdGuard Home listens on all interfaces (0.0.0.0) for both DNS and the web interface, which would expose an open resolver and an admin login to the public internet. In this setup we bind both explicitly to the server's WireGuard IP, so they are reachable only through the VPN tunnel. An open resolver on a public address is not just a privacy problem: it is quickly found by scanners and used for DNS amplification attacks against third parties.
Prerequisites
You need a working WireGuard VPN server with at least one client configured.
Required:
- Ubuntu 22.04 VPS with root access
- WireGuard running with at least one client configured
- UFW firewall active
Note: This guide uses 10.96.96.1 as the WireGuard server IP. Replace it with your own WireGuard IP throughout if yours is different (check with ip addr show wg0).
Step 1: Install AdGuard Home
AdGuard Home provides an official install script that downloads the binary and sets up a systemd service. As with any curl-to-shell installer, fetch it once and read it before running it if you want to know exactly what it does on your host:
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
This installs to /opt/AdGuardHome/ and creates and starts the AdGuardHome systemd service.
Step 2: Configure DNS and Web Interface
On a fresh install, AdGuardHome.yaml does not exist until you have completed the first-run setup wizard in the web interface, which also sets the admin credentials; do that through the VPN by opening port 3000 on the server's WireGuard address. Once the file exists, stop the service before editing it, because a running instance rewrites the file whenever settings change and would discard manual edits:
sudo systemctl stop AdGuardHome
Edit /opt/AdGuardHome/AdGuardHome.yaml and change the bind addresses from the default (0.0.0.0) to your WireGuard IP:
dns:
  bind_hosts:
    - 10.96.96.1
  port: 53
http:
  address: 10.96.96.1:3000
This is the key security step — it ensures AdGuard Home is only reachable through the VPN, not from the public internet. The web dashboard runs on port 3000.
For upstream DNS, use DNS-over-HTTPS so that queries leaving the VPS to the upstream provider are encrypted rather than sent as plaintext UDP:
dns:
  upstream_dns:
    - https://dns.cloudflare.com/dns-query
    - https://dns.google/dns-query
  bootstrap_dns:
    - 1.1.1.1
    - 1.0.0.1
The bootstrap_dns entries are plain DNS resolvers used only to look up the DoH server hostnames themselves (dns.cloudflare.com, dns.google) so the encrypted channels can be established; all client queries then travel over HTTPS.
Step 3: Avoid Conflicts with systemd-resolved
On Ubuntu 22.04, systemd-resolved listens on 127.0.0.53:53 by default. Since we configured AdGuard Home to bind to 10.96.96.1:53, there is no port conflict. Both can run side by side:
| Service | Bind Address | Purpose |
|---|---|---|
| systemd-resolved | 127.0.0.53:53 | Server’s own DNS |
| AdGuard Home | 10.96.96.1:53 | VPN client DNS |
No need to disable systemd-resolved.
Step 4: Firewall Rules
Allow DNS and the web interface only on the WireGuard interface:
sudo ufw allow in on wg0 to any port 53 proto udp comment "AdGuard DNS (UDP)"
sudo ufw allow in on wg0 to any port 53 proto tcp comment "AdGuard DNS (TCP)"
sudo ufw allow in on wg0 to any port 3000 proto tcp comment "AdGuard Web-UI"
These rules only permit ports 53 and 3000 on wg0. What keeps them closed on the public interface is UFW's default policy of denying incoming traffic, so confirm that default is still in place and do not add a blanket allow for either port.
Step 5: Start and Enable the Service
sudo systemctl start AdGuardHome
sudo systemctl enable AdGuardHome
Verify it is running:
sudo systemctl status AdGuardHome
If the service fails with a bind error such as "cannot assign requested address" for 10.96.96.1, the WireGuard interface was not up when AdGuard Home started. This is typical right after a reboot: a process cannot bind an address that does not yet exist on any interface, so the AdGuardHome unit must be ordered after the WireGuard unit.
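The boot-ordering fix as a small script. This is an added example, not code from the original post or from AdGuard Home; it assumes WireGuard is managed by wg-quick@wg0.service (set WG_UNIT if your interface is brought up differently) and writes a systemd drop-in for the AdGuardHome unit.

```shell
#!/bin/sh
# Added example (not from the original post or AdGuard Home): installs a
# systemd drop-in so AdGuardHome starts only after the WireGuard interface
# exists, since binding 10.96.96.1 fails while wg0 is down.
# Assumption: WireGuard is managed by wg-quick@wg0.service; set WG_UNIT if not.
set -eu

WG_UNIT="${WG_UNIT:-wg-quick@wg0.service}"

# Write the drop-in under $1/<unit>.d/ ($2 defaults to AdGuardHome.service)
# and print its path. Requires= also stops AdGuard Home when WireGuard is
# stopped, the intended coupling for a resolver that exists only for the tunnel.
write_dropin() {
    unit_dir="$1"
    unit="${2:-AdGuardHome.service}"
    mkdir -p "$unit_dir/$unit.d"
    cat > "$unit_dir/$unit.d/10-after-wireguard.conf" <<EOF
[Unit]
# Order after the WireGuard unit so wg0 and its address are up first.
After=$WG_UNIT
Requires=$WG_UNIT
EOF
    echo "$unit_dir/$unit.d/10-after-wireguard.conf"
}

# Return 0 if the drop-in under $1 for unit $2 carries both ordering directives.
dropin_ok() {
    f="$1/${2:-AdGuardHome.service}.d/10-after-wireguard.conf"
    if [ -f "$f" ] && grep -qx "After=$WG_UNIT" "$f" && grep -qx "Requires=$WG_UNIT" "$f"; then
        return 0
    fi
    return 1
}

# Apply on the real host: ADGUARD_APPLY=1 sudo -E sh adguard-order.sh
if [ "${ADGUARD_APPLY:-0}" = "1" ]; then
    write_dropin /etc/systemd/system
    systemctl daemon-reload
    systemctl restart AdGuardHome
    systemctl show -p After,Requires AdGuardHome   # confirm the dependency took effect
fi
```

After applying, a reboot should bring up wg0 first and AdGuard Home second; `systemctl status AdGuardHome` should then show no bind error.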
Step 6: Update WireGuard Client DNS
On each VPN client, change the DNS server from your previous provider to the AdGuard Home instance. The address is only reachable while the tunnel is up and routes it, so 10.96.96.1 must fall inside the peer's AllowedIPs (the full-tunnel setting AllowedIPs = 0.0.0.0/0 covers it).
In the WireGuard app (iOS, Android, macOS, Windows):
- Edit your tunnel configuration
- Change DNS from 1.1.1.1, 1.0.0.1 to 10.96.96.1
- Save and reconnect
Or in the config file directly:
[Interface]
DNS = 10.96.96.1
Step 7: Verify
From a connected client, test DNS resolution through AdGuard Home:
dig @10.96.96.1 example.com
You should get a valid response. Now test ad blocking:
dig @10.96.96.1 ads.google.com
With AdGuard Home's default blocking mode the A record comes back as 0.0.0.0 (an AAAA query returns ::), which means the domain is blocked. If it resolves normally, the domain is simply not on any filter list you have enabled; pick one from the Query Log or the Filters page of the dashboard and repeat.
Then check exposure from the outside: the same query sent to the server's public IP from a host that is not on the VPN must time out rather than answer, and the dashboard port must be equally unreachable.
Open the dashboard at http://10.96.96.1:3000 (VPN must be active) to see query statistics, blocked domains, and filtering settings.
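The checks above as a script you can keep on the server. This is an added example, not code from the original post or from AdGuard Home; it assumes the WireGuard address 10.96.96.1 used throughout the post (override with WG_IP) and a Linux host with ss, ufw and dig. The parsing functions run against constructed sample output in demo mode, so the logic can be exercised anywhere; live mode runs them against the real host.

```shell
#!/bin/sh
# Added example (not from the original post or AdGuard Home): audits the two
# properties the setup relies on, that ports 53/3000 are bound only to the
# WireGuard address and that UFW denies incoming traffic by default, and
# classifies dig answers as blocked or resolved.
# Assumes WG_IP=10.96.96.1 as in the post and GNU/Linux `ss`, `ufw`, `dig`.
set -eu

WG_IP="${WG_IP:-10.96.96.1}"

# Print every socket from `ss -lntuH` output ($1) on port 53 or 3000 that is
# bound anywhere other than the WireGuard IP ($2) or loopback; return 1 if any.
foreign_listeners() {
    printf '%s\n' "$1" | awk -v wg="$2" '
        {
            n = match($5, /:[0-9*]+$/)         # split "addr:port" at the last colon
            if (n == 0) next
            port = substr($5, n + 1)
            addr = substr($5, 1, n - 1)
            sub(/%.*/, "", addr)                # drop scope id, e.g. 127.0.0.53%lo
            if (port != "53" && port != "3000") next
            if (addr == wg || addr ~ /^127\./ || addr == "[::1]") next
            print $1, $5                        # e.g. "udp 0.0.0.0:53"
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Return 0 if `ufw status verbose` output ($1) reports deny as the incoming default.
ufw_default_deny() {
    printf '%s\n' "$1" | grep -q '^Default: deny (incoming)'
}

# Classify `dig +short` output ($1). AdGuard Home's default blocking mode
# answers 0.0.0.0 for A and :: for AAAA; anything else is a real resolution.
classify_answer() {
    case "$1" in
        "")         echo no-answer ;;
        0.0.0.0|::) echo blocked ;;
        *)          echo resolved ;;
    esac
}

# Constructed `ss -lntuH` samples (not captured from a real host).
SAMPLE_SS_GOOD='udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 10.96.96.1:53 0.0.0.0:*
tcp LISTEN 0 4096 10.96.96.1:53 0.0.0.0:*
tcp LISTEN 0 4096 10.96.96.1:3000 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'
SAMPLE_SS_BAD='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 4096 *:3000 *:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

demo() {
    echo "hardened host (constructed ss output):"
    foreign_listeners "$SAMPLE_SS_GOOD" "$WG_IP" && echo "  ok: nothing on 53/3000 outside $WG_IP"
    echo "default install (constructed ss output):"
    foreign_listeners "$SAMPLE_SS_BAD" "$WG_IP" || echo "  FAIL: the sockets above are reachable from the internet"
    echo "dig answer 0.0.0.0 -> $(classify_answer 0.0.0.0)"
}

live() {   # run as root: ADGUARD_AUDIT_MODE=live sudo -E sh adguard-audit.sh
    if foreign_listeners "$(ss -lntuH)" "$WG_IP"; then
        echo "ok: 53/3000 bound only to $WG_IP or loopback"
    else
        echo "FAIL: sockets above are exposed outside the tunnel"
    fi
    if ufw_default_deny "$(ufw status verbose)"; then
        echo "ok: ufw denies incoming by default"
    else
        echo "FAIL: ufw incoming default is not deny; the wg0 rules alone do not close 53/3000"
    fi
    for d in example.com ads.google.com; do
        echo "$d: $(classify_answer "$(dig +short @"$WG_IP" "$d" A)")"
    done
}

case "${ADGUARD_AUDIT_MODE:-demo}" in
    live) live ;;
    *)    demo ;;
esac
```

The listener check is the one that matters most: a stray 0.0.0.0:53 or *:3000 in its output means the resolver or the dashboard is reachable from the public internet regardless of what the client configuration says.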
Quick Checklist
- AdGuard Home installed at /opt/AdGuardHome/
- DNS bound to WireGuard IP only (10.96.96.1:53)
- Web interface bound to WireGuard IP only (10.96.96.1:3000)
- Upstream DNS uses DNS-over-HTTPS
- UFW rules restrict ports 53 and 3000 to the wg0 interface
- systemd-resolved still handles the server's own DNS
- WireGuard clients updated to use 10.96.96.1 as DNS
- AdGuard Home service enabled for automatic start on boot
- Config included in server backups