🛡️ AdGuard Home + Tailscale Deployment (Docker Compose)

This guide helps you deploy AdGuard Home — a self-hosted, network-wide ad blocker and DNS server — behind Tailscale for secure access.

This setup allows you to:

Run AdGuard securely behind your private Tailscale network.
Optionally expose it via Tailscale Funnel (with HTTPS and no reverse proxy).
Access the web UI anywhere in your tailnet — even behind NAT or CGNAT.

🧩 Overview

Services included:

Tailscale – Provides secure, private networking and HTTPS via Tailscale Serve.
AdGuard Home – Blocks ads, trackers, and unwanted domains across your network.

AdGuard will not expose any ports publicly.
It will be reachable only through your Tailscale domain, e.g.:

https://adguard.tailnet-name.ts.net

📁 Project Structure

yaml

adguard-tailscale/
│
├── docker-compose.yml
├── .env
├── tailscale_state/
├── adguard_config/
└── adguard_data/

⚙️ Environment Variables (`.env`)

Create a .env file next to your docker-compose.yml:

env

# ---------------------------
# General Settings
# ---------------------------
SERVICE=adguard
TZ=Asia/Kolkata

# ---------------------------
# Tailscale Configuration
# ---------------------------
TS_VERSION=latest
TS_AUTHKEY=tskey-xxxxxxxxxxxxxxxxxxxx   # Generate from https://login.tailscale.com/admin/settings/keys

# ---------------------------
# AdGuard Configuration
# ---------------------------
ADGUARD_VERSION=latest
ADGUARD_PORT=3000   # AdGuard web interface port
TAILNET_DOMAIN=tailnet-name.ts.net

🚀 Setup Instructions

Install Docker & Docker Compose If not installed:

bash

sudo apt update
sudo apt install docker.io docker-compose -y
sudo systemctl enable --now docker

Create Directory Structure

bash

mkdir -p ~/adguard-tailscale/{tailscale_state,adguard_config,adguard_data}
cd ~/adguard-tailscale

Create .env File Use the example above and fill in your TS_AUTHKEY and TAILNET_DOMAIN.
Start the Stack

bash

sudo docker compose up -d

Check Status

bash

sudo docker compose ps
sudo docker compose logs -f

You should see:

nginx

AdGuard detected, setting up Tailscale Serve...
Serving https://adguard.tailnet-name.ts.net → http://127.0.0.1:3000
Funnel enabled: https://adguard.tailnet-name.ts.net

🌐 Access Your AdGuard Home

Once running, access the admin interface at:

https://adguard.tailnet-name.ts.net

During the initial setup, AdGuard Home will be available on port 3000. After you create an account, you can change the port to 80 or any other desired port.

If using Tailscale Funnel, this can even be publicly accessible (if you enable it in your Tailscale admin console).

⚡ Useful Commands

Command	Description
`docker compose up -d`	Start the containers
`docker compose down`	Stop the containers
`docker exec -it tailscale-adguard tailscale status`	Check Tailscale connection
`docker exec -it tailscale-adguard tailscale serve status`	Check Serve/Funnel status
`docker compose logs -f`	View logs live

🔧 Configuration Notes

The first time AdGuard starts, it will initialize and create config files in ./adguard_config.

Access the setup wizard at https://adguard.tailnet-name.ts.net and complete configuration.

You can set AdGuard as your DNS on any Tailscale-connected device using:

bash

100.x.x.x  # (Your Tailscale IP for AdGuard container)

To get the Tailscale IP:

bash

docker exec -it tailscale-adguard tailscale ip -4

🧠 Optional: Changing the AdGuard Home Port

After the initial setup, you can change the AdGuard Home web interface port.

Stop the AdGuard Home container:
bash
```
sudo docker compose down
```
Edit the AdGuard Home configuration:
Open the adguard_config/AdGuardHome.yaml file and change the bind_port to your desired port (e.g., 8080).
yaml
```
http:
  address: 0.0.0.0:8080 # Change this to your desired port
```
Update the .env file:
Change the ADGUARD_PORT variable in your .env file to match the new port.
env
```
ADGUARD_PORT=8080
```
Restart the stack:
bash
```
sudo docker compose up -d
```

🧠 Optional: Disable Funnel for Private Access Only

If you want AdGuard to be private (accessible only inside Tailnet), remove this line from the Tailscale command:

yaml

tailscale funnel --bg http://127.0.0.1:${ADGUARD_PORT}

This will make the dashboard accessible only to devices in your Tailscale network.

🛡️ Benefits of Running AdGuard via Tailscale

✅ Private, encrypted access from anywhere ✅ Works behind CGNAT / firewalls ✅ Zero port forwarding ✅ Optional HTTPS via Tailscale Serve ✅ Optional public access via Funnel ✅ Simplifies DNS routing between remote devices

🛡️ AdGuard Home + Tailscale Deployment (Docker Compose) ​

🧩 Overview ​

📁 Project Structure ​

⚙️ Environment Variables (.env) ​

🚀 Setup Instructions ​

🌐 Access Your AdGuard Home ​

⚡ Useful Commands ​

🔧 Configuration Notes ​

🧠 Optional: Changing the AdGuard Home Port ​

🧠 Optional: Disable Funnel for Private Access Only ​

🛡️ Benefits of Running AdGuard via Tailscale ​

🧾 References ​

🛡️ AdGuard Home + Tailscale Deployment (Docker Compose)

🧩 Overview

📁 Project Structure

⚙️ Environment Variables (`.env`)

🚀 Setup Instructions

🌐 Access Your AdGuard Home

⚡ Useful Commands

🔧 Configuration Notes

🧠 Optional: Changing the AdGuard Home Port

🧠 Optional: Disable Funnel for Private Access Only

🛡️ Benefits of Running AdGuard via Tailscale

🧾 References