The DNS Safety Net: Why I Run Three AdGuard Instances

A glowing green digital shield with circuit board patterns, representing a secure home network DNS filter.

In my first post, I talked about my love for Free and Open Source Software (FOSS) and my general disdain for the “Big Tech” data-harvesting machine. Today, I want to get into the weeds of how I actually protect my network and my family’s privacy. It isn’t just about blocking a few annoying banners; it’s about taking back control of the “Unknown Universe” of data leaving my house.

My solution? A triple-layered AdGuard Home setup that covers me at home, provides redundancy, and protects my mobile devices when I’m out and about.

The “Garbage” ISP Problem

Before we get into the layers, we have to talk about the bottleneck: the ISP router. I’m on a 1Gbps Fibre To The Property (FTTP) connection, which is fantastic for speed, but the hardware provided by the ISP is, frankly, garbage. It is extremely locked down—you can’t even change the Domain Name System (DNS) servers away from the ISP’s own tracking-heavy defaults.

Because of the nature of the connection, I can’t replace the ISP router entirely with a third-party one. My only option is to run it in Modem Mode and let my own hardware handle the “intelligence” of the network. Even in Modem Mode, the ISP router remains a “black box”—a proprietary device I can’t audit or fully control. By placing my own router behind it, I finally have a device that lets me see the actual traffic logs and know exactly what is trying to phone home.

The Evolution: From Standalone Pi to OpenWrt

My journey into self-hosting started with a Raspberry Pi running AdGuard Home on its own. At the time, it was just a DNS sinkhole sitting on my network. It worked, but it didn’t solve the underlying routing issues I was having with my TP-Link Deco X20 mesh system, which required frequent reboots and offered zero granular control over my FTTP traffic.

I’ve since flipped the script. I wiped the Pi and installed OpenWrt, a Linux-based operating system for routers. Now, the Pi sits directly behind the ISP modem and handles the heavy lifting of the network routing, with AdGuard Home running as a dedicated add-on. This gave me the stability the Deco lacked and the “pro-sumer” features I actually need to manage a home lab.

The “Before vs. After” Reality: Before this setup, my smart TV was phoning home to tracking servers every 30 seconds. Now, I can see those thousands of blocked requests in the AdGuard Query Log—silently killed before they ever leave my network.

Layer 2: The Proxmox Safety Net

You might wonder: if the Pi reboots, isn’t the whole network down anyway? True. But the second instance, running in a Linux Container (LXC) on my main Proxmox server, isn’t for when the power goes out; it’s for when software fails.

If the AdGuard service on the Pi hangs or a filter list update goes rogue, the Proxmox LXC picks up the slack instantly. It also means I can perform maintenance on my Proxmox host—kernel updates or hardware tweaks—without the “tech support” shouting from the living room because the DNS stopped resolving. It’s about ensuring that a failure in one part of the lab doesn’t break the internet for the whole house.

Layer 3: Privacy on the Go (The VPS Bridge)

I wanted my privacy to follow me outside my front door. I have a Debian Virtual Private Server (VPS) running a third AdGuard instance.

Why not just use a Virtual Private Network (VPN)? I use Tailscale (with a dedicated PC at home acting as an exit node), but keeping a VPN active on a phone 24/7 is a battery killer. By having a public-facing AdGuard instance on my VPS, I can set a “Private DNS” provider on my phone. I get the same ad-blocking and tracking protection on 5G as I do on my home Wi-Fi, with zero impact on my battery life.

To keep this secure, I use AdGuard’s Client Settings to lock down access. Even though the instance is technically public-facing, I’ve restricted it to a specific set of IPs so only my devices can use it.

Joining the Dots: The Hardware Backbone

The VPS isn’t just a lone island; it’s part of the ecosystem. It hosts AdGuard, RustDesk for remote support, and Nginx Proxy Manager to keep everything routed correctly. It stays connected to my home network via Tailscale, creating a seamless bridge between my local lab and the cloud.

Back at home, the Decos are still the backbone of my Wi-Fi, but I’ve demoted them to Access Point (AP) mode. I’ve also recently overhauled the physical connection between them, running a Cat 6 cable between the two main nodes for a solid backhaul.

Crucially, I didn’t just plug the Decos into each other. I set up a star topology using a switch at each end of the cable before connecting the Decos. This future-proofs the house; if I want to add a wired PC or another Proxmox node in either room, I can just plug it into the switch rather than messing with the Decos or relying on their limited ports.

Technical Deep Dive: The Data Flow

For those wanting to replicate this, here is how the traffic actually flows:

  1. Device queries a domain (e.g., google-analytics.com).
  2. OpenWrt (Pi) intercepts the request.
  3. AdGuard (Local) checks its blocklists. If it’s a match, it returns 0.0.0.0.
  4. Failover: If the Pi is busy or the service is down, the Proxmox LXC responds.
  5. Upstream: Clean queries are sent to Quad9 via DNS-over-TLS (DoT) (tls://dns.quad9.net), ensuring the ISP cannot sniff the traffic even in Modem Mode.
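To make steps 3 and 4 concrete, here is an added example that is not part of the original post or of the AdGuard Home project: a small stdlib-only DNS client that asks a primary resolver, falls back to a secondary when the primary does not answer, and tells a sinkhole answer (0.0.0.0) from a real one. Because it has to run offline, an in-process UDP responder stands in for AdGuard Home; the blocklist, the "upstream" answers and every address in it are constructed for the demo and are not the author's real configuration. The behaviour it shows is the general one any client gets from having two DNS servers configured, not something specific to the Pi/Proxmox pair.

```python
"""Added example: walk the post's data flow (primary -> failover -> sinkhole or
clean answer) against an in-process mock of AdGuard Home, entirely offline."""
import socket
import struct
import threading

SINKHOLE = "0.0.0.0"
BLOCKLIST = {"google-analytics.com"}          # constructed stand-in for a filter list
UPSTREAM = {"example.com": "203.0.113.10"}    # constructed stand-in for Quad9's answers


def build_query(name, txid=0x1234):
    """Standard DNS A query for `name` with the RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)       # QTYPE=A, QCLASS=IN


def parse_name(msg, off):
    """Read a (possibly compressed) name at `off`; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                               # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(parse_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n


def parse_answer_a(msg):
    """Return the IPv4 strings in the answer section (A records only)."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = parse_name(msg, off)
        off += 4                                           # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        _, off = parse_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def build_response(query, ip):
    """Echo the question back with one A record pointing at `ip`."""
    question = query[12:query.index(b"\x00", 12) + 5]      # QNAME + QTYPE + QCLASS
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def serve_mock_adguard(sock):
    """Mock AdGuard Home: blocklisted names get the sinkhole, the rest an 'upstream' answer."""
    while True:
        data, addr = sock.recvfrom(512)
        name, _ = parse_name(data, 12)
        ip = SINKHOLE if name in BLOCKLIST else UPSTREAM.get(name, "203.0.113.1")
        sock.sendto(build_response(data, ip), addr)


def start_mock_adguard():
    """Bind the mock on a loopback port and serve it in the background."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    threading.Thread(target=serve_mock_adguard, args=(sock,), daemon=True).start()
    return sock.getsockname()


def resolve(name, servers, timeout=0.5):
    """Ask each server in turn; the first to answer wins. Returns (server, ips)."""
    query = build_query(name)
    for server in servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(query, server)
                data, _ = s.recvfrom(512)
            except OSError:                                # timed out: try the next resolver
                continue
            return server, parse_answer_a(data)
    raise RuntimeError("no resolver answered")


def demo():
    """Hung primary plus live secondary, then one blocked and one clean lookup."""
    hung = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    hung.bind(("127.0.0.1", 0))                            # bound but never read: a hung service
    primary, secondary = hung.getsockname(), start_mock_adguard()
    results = {}
    for name in ("google-analytics.com", "example.com"):
        server, ips = resolve(name, [primary, secondary])
        results[name] = {"answered_by": "secondary" if server == secondary else "primary",
                         "ips": ips, "blocked": ips == [SINKHOLE]}
    hung.close()
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:<22} via {r['answered_by']}: {'BLOCKED' if r['blocked'] else r['ips']}")
```

Running it shows the blocked domain coming back as 0.0.0.0 from the secondary after the primary times out, which is exactly the "service hung, LXC picks up the slack" case; note that the client only fails over after its timeout expires, so a hung primary still adds latency to every lookup until it is fixed.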

What I’ve learned:

If you’re still relying on your ISP’s locked-down router, you’re missing out. Moving to a dedicated OpenWrt/AdGuard setup isn’t just about speed—it’s about knowing exactly what is happening on your network. Since moving the Decos to AP mode and wiring the backhaul, the network has been rock solid. No more reboots, no more ISP tracking, and total control.

Your Next Steps:

  • Check your hardware: Does your ISP router have a “Modem Mode”? If so, you’re halfway there.
  • Get a Pi: Start with a standalone AdGuard instance to see what’s leaving your network.
  • Go Encrypted: Switch your upstream DNS to a provider like Quad9 using DoT or DoH to bypass ISP snooping.