How to Install AdGuard Home on a VPS for Private DNS, DoH, and DoT
If you care about your privacy online, your DNS traffic is one of the first things you should lock down. Every website you visit, every app you open, they all start with a DNS query. By default, those queries go to your ISP’s servers, completely unencrypted. Running an AdGuard Home private DNS server on a VPS changes that.
With AdGuard Home private DNS server, you get full control over your DNS, ad, and tracker blocking across all your devices, and the ability to serve encrypted DNS (DoH and DoT). This guide will show you how to install AdGuard Home, configure upstream resolvers, get a TLS certificate, enable DoH and DoT, and connect your devices.
If you need a server to get started, a reliable Linux VPS from PerLod gives you a clean Ubuntu server with a dedicated IP.
Table of Contents
What You Need To Set up AdGuard Home Private DNS Server
Before you begin to set up the AdGuard Home private DNS server, make sure you have:
- A Linux VPS running Ubuntu 22.04 or 24.04 with a public IP address.
- A domain name you control.
- Root or sudo access to the server.
If you don’t have a domain yet, you can register one with PerLod Domains and point it directly to your VPS IP address.
Once you are done, proceed with the following steps to set up your AdGuard Home private DNS server.
Step 1. Free Port 53 From systemd-resolved
On Ubuntu 22.04 and 24.04, systemd-resolved runs a stub DNS listener that takes port 53 by default. AdGuard Home needs port 53 to serve standard DNS queries, so you have to free it up first.
Check what is using port 53:
sudo ss -tulnp | grep :53
If systemd-resolved shows up, run these commands:
# Create a drop-in config directory
sudo mkdir -p /etc/systemd/resolved.conf.d
# Create a new config file
sudo nano /etc/systemd/resolved.conf.d/adguardhome.conf
Add the following content:
[Resolve]
DNS=127.0.0.1
DNSStubListener=no
Save the file, then update the symlink so the server still resolves DNS correctly:
sudo mv /etc/resolv.conf /etc/resolv.conf.backup
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved
Then, verify port 53 is free:
sudo lsof -i :53
No output means port 53 is available.
Step 2. Configure the Firewall for AdGuard Home
You must open the ports AdGuard Home needs before you start the service. To do this, run the following commands:
sudo ufw allow 53 # Standard DNS (UDP and TCP)
sudo ufw allow 80/tcp # HTTP (web UI and certificate verification)
sudo ufw allow 443/tcp # HTTPS and DNS-over-HTTPS (DoH)
sudo ufw allow 853/tcp # DNS-over-TLS (DoT)
sudo ufw allow 853/udp # DNS-over-QUIC (optional)
sudo ufw allow 3000/tcp # Initial setup UI (close this after setup)
sudo ufw reload
Security tip: After you finish the initial web setup, remove the 3000 port rule with:
sudo ufw delete allow 3000/tcp
You do not need it after setup is done.
Step 3. Install AdGuard Home
The easiest way to install AdGuard Home is to use the official install script. It downloads the binary, sets it up as a systemd service, and starts it automatically.
sudo apt update
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
The script installs AdGuard Home to /opt/AdGuardHome/. Once done, check that the service is running:
sudo /opt/AdGuardHome/AdGuardHome -s status
You should see running in the output. Now, create a directory for your certificates:
sudo mkdir -p /opt/AdGuardHome/certs
Step 4. Run the Initial AdGuard Home Setup Wizard
Open your browser and go to:
http://YOUR_VPS_IP:3000
The setup wizard will guide you through a few steps. Click Get Started:

Under Admin Web Interface, set the listen interface to All interfaces and port to 80, and under DNS Server, set the listen interface to All interfaces and keep port 53. Click Next:

Then, create an admin username and a strong password:

In the device configuration, simply click Next:

Now click on Open Dashboard:

Sign in with your admin account you have just created:

Your AdGuard Home private DNS server is now running, but it is not yet encrypted. The next steps add TLS so you can use DoH and DoT.
Step 5. Get a Free TLS Certificate with Certbot for AdGuard Home
Both DoH and DoT require a valid TLS certificate. For this purpose, you can use free certificates from Let’s Encrypt.
Install Certbot with:
sudo apt install certbot -y
If port 80 is being used by AdGuard Home itself, Certbot standalone cannot start until you stop AdGuard Home.
Stop the service:
sudo systemctl stop AdGuardHome.service
sudo ss -tulpn | grep :80
If the second command shows no output, port 80 is free, and you can run Certbot:
sudo certbot certonly --standalone \
-d dns.yourdomain.com \
--agree-tos \
--no-eff-email \
--email ad***@********in.com
After Certbot succeeds, start AdGuard Home again:
sudo systemctl start AdGuardHome.service
Certbot saves your certificate files at:
Certificate: /etc/letsencrypt/live/dns.yourdomain.com/fullchain.pem
Private key: /etc/letsencrypt/live/dns.yourdomain.com/privkey.pem
Now copy those certificates to AdGuard Home’s directory so it can read them:
sudo cp /etc/letsencrypt/live/dns.yourdomain.com/fullchain.pem /opt/AdGuardHome/certs/cert.pem
sudo cp /etc/letsencrypt/live/dns.yourdomain.com/privkey.pem /opt/AdGuardHome/certs/key.pem
sudo chmod 644 /opt/AdGuardHome/certs/cert.pem
sudo chmod 600 /opt/AdGuardHome/certs/key.pem
Let’s Encrypt certificates expire every 90 days. You can set up automatic renewal by creating a deploy hook:
sudo nano /etc/letsencrypt/renewal-hooks/deploy/adguard-renewal.sh
Add:
#!/bin/bash
cp /etc/letsencrypt/live/dns.yourdomain.com/fullchain.pem /opt/AdGuardHome/certs/cert.pem
cp /etc/letsencrypt/live/dns.yourdomain.com/privkey.pem /opt/AdGuardHome/certs/key.pem
chmod 644 /opt/AdGuardHome/certs/cert.pem
chmod 600 /opt/AdGuardHome/certs/key.pem
/opt/AdGuardHome/AdGuardHome -s restart
Make it executable and test:
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/adguard-renewal.sh
sudo certbot renew --dry-run
Step 6. Enable Encryption in AdGuard Home | DoH and DoT
From your AdGuard Home dashboard, navigate to Settings > Encryption settings and configure:
- Enable Encryption: checked
- Enable plain DNS: leave checked for now, you can disable it later after DoH/DoT works.
- Server name:
dns.yourdomain.com - Redirect to HTTPS automatically: checked
- HTTPS port: 443
- DNS-over-TLS port: 853
- DNS-over-QUIC port: leave empty for now, or use 853 only if you also want DoQ and have UDP 853 open.
Under the certificate section, choose Set a certificate file path and enter:
- Certificates path:
/opt/AdGuardHome/certs/cert.pem - Private key path:
/opt/AdGuardHome/certs/key.pem
Click Save. AdGuard Home will validate the certificate. If it shows green checkmarks next to the paths, the TLS setup is working.


From this point, your AdGuard Home private DNS server is accessible at:
DoH: https://dns.yourdomain.com/dns-query
DoT: tls://dns.yourdomain.com (port 853)
Step 7. Choose Your Upstream DNS Resolvers
Your AdGuard Home private DNS server needs to forward queries to upstream resolvers. These are the servers that actually look up domain names on the Internet. You must pick resolvers that also use encryption.
Go to Settings > DNS Settings and add your upstream servers.

Good encrypted upstream options include:
https://dns.cloudflare.com/dns-query
https://dns.quad9.net/dns-query
https://dns.google/dns-query
tls://1.1.1.1
tls://9.9.9.9
For Bootstrap DNS servers, which are used to resolve the upstream hostnames themselves, you can add:
1.1.1.1
8.8.8.8
9.9.9.9
Also, you can enable these options for better performance and security:
- Parallel requests: queries all upstreams at once, uses the fastest response.
- Enable DNSSEC: validates DNS response signatures.
- Enable EDNS client subnet: improves CDN routing accuracy.
Finally, click Save.
Step 8. Add Blocklists in AdGuard Home
To add the blocklists for AdGuard Home private DNS server, go to Filters > DNS Blocklists and click Add blocklist > Choose from the list.

Recommended blocklists to enable:
- AdGuard DNS filter: the main built-in list.
- AdGuard DNS Popup Hosts filter: blocks pop-up domains.
- Steven Black’s Hosts: well-maintained community list.
- OISD Basic: broad coverage without false positives.
Enable the ones you want and click Save. AdGuard Home downloads and applies the lists. You will see the total number of blocked domains displayed on the dashboard.
Configure Devices for AdGuard Home Private DNS Server
Once your AdGuard Home private DNS server is running with DoH and DoT enabled, connect your devices to it. The built-in Setup Guide in the dashboard shows you the exact configuration for each platform.

Android (Native Private DNS)
Android 9 and later support DoT natively.
- Go to Settings > Network & internet > Advanced > Private DNS
- Select the Private DNS provider hostname
- Enter:
dns.yourdomain.com
iOS and macOS
iOS 14+ and macOS Big Sur+ support DoH and DoT via configuration profiles.
AdGuard Home generates these profiles for you automatically. Go to Setup Guide > DNS Privacy > iOS in the dashboard, then download and install the profile on your device.
Windows
Windows 10 Build 19628 and later support DoH natively.
- Go to Settings > Network & Internet > Wi-Fi (or Ethernet) > DNS server assignment
- Set to Manual and enter your VPS IP
- Enable DNS over HTTPS (DoH) and set the DoH template to:
https://dns.yourdomain.com/dns-query
Linux (systemd-resolved)
Edit /etc/systemd/resolved.conf and add:
[Resolve]
DNS=dns.yourdomain.com
DNSOverTLS=yes
Restart with:
sudo systemctl restart systemd-resolved
Restrict Access in AdGuard Home
By default, your AdGuard Home private DNS server accepts plain DNS queries from anyone. That is fine if you only use DoH/DoT, but you may want to lock down port 53 to your own IPs only.
Go to Settings > DNS settings > Access settings. You can add an “Allowed clients” list using individual IPs or CIDR ranges. For example, only allow your home IP and VPN IP to use plain port-53 DNS. Everyone else must use DoH or DoT, which requires no allowlisting because your TLS certificate is the authentication.
You can also restrict the admin web UI with a firewall rule:
# Block port 80/443 from public, allow only your IP
sudo ufw delete allow 80/tcp
sudo ufw delete allow 443/tcp
sudo ufw allow from YOUR_HOME_IP to any port 80
sudo ufw allow from YOUR_HOME_IP to any port 443
sudo ufw reload
Testing Your Setup
After everything is configured, test your AdGuard Home private DNS server is working correctly.
Test plain DNS:
dig google.com @YOUR_VPS_IP
Test DoH:
curl -s "https://dns.yourdomain.com/dns-query?name=google.com&type=A" \
-H "accept: application/dns-json"
Test DoT:
kdig -d @dns.yourdomain.com +tls-ca +tls-host=dns.yourdomain.com google.com
If the plain DNS test returns answers, DoH returns JSON with IP addresses, and DoT resolves without errors, your setup is complete.
Also, check the AdGuard Home dashboard query log. You should see queries coming in from your devices.
Conclusion
Setting up an AdGuard Home private DNS server on a VPS is one of the most impactful things you can do for your network privacy. Unlike home setups, a VPS-based deployment works everywhere, on mobile data, at hotels, at the office, because your DNS endpoint is on the public internet with a real domain and a valid TLS certificate.
We hope you enjoy this guide. For more detailed encryption details, check the AdGuard Home Official Documentation.
FAQs
Do I need a powerful VPS for AdGuard Home?
No. AdGuard Home is very lightweight. Even a 1 vCPU / 512MB RAM VPS handles hundreds of clients without issues.
What is the difference between DoH and DoT?
Both encrypt your DNS. DoH uses port 443 and looks like normal HTTPS traffic. DoT uses port 853 and is easier to identify as DNS traffic. DoH is harder to block.
Can I use AdGuard Home as my DHCP server too?
Yes, AdGuard Home has a built-in DHCP server. On a VPS, this is usually not needed, but it is useful for home setups.