Requirements

Compute

Hardware requirements

AegisGate is designed for Raspberry Pi-class hardware, but also runs on regular Debian/Ubuntu/RHEL servers.

Minimum: Raspberry Pi 4, 2 GB RAM
Recommended: Raspberry Pi 5 or x86 server, 4 GB+ RAM
Why it matters: Suricata, DNS blocklists and dashboard analytics need steady CPU and memory headroom.

Supported OS: Debian 11+ (Bullseye), Ubuntu 20.04+, Raspbian (Pi OS), RHEL / CentOS / Rocky / Alma 8+. The installer auto-detects your platform.

Quick Install

$ curl -sL https://aegisgate.io/install.sh | bash

The installer runs these steps in order:

  1. Packages — nftables, dnsmasq, WireGuard, Python 3, Flask, Gunicorn, Suricata, CrowdSec
  2. Network — disables NetworkManager, configures ifupdown static WAN/LAN, creates aegisgate-net-setup.service
  3. nftables — default firewall: input (drop), forward (drop), postrouting (NAT), blacklist/allowlist/CrowdSec/IPBL sets, Suricata NFQ rule
  4. dnsmasq — DNS/DHCP server with blocklist streaming config, per-list files, validates entries (strips CSS selectors, URL paths)
  5. Suricata — IPS mode (engine-mode: ips), NFQ queue 0, ct state new, local-bridge.rules with 5 drop + 6 alert rules
  6. WireGuard — VPN server interface with ACL system
  7. Dashboard — Flask + Gunicorn on :8080
  8. Systemd — all services enabled and started

First Login

Security — Change the default password immediately after first login: Settings → Change Password.
  1. Open http://gateway-ip:8080 in your browser
  2. Log in with the credentials printed at the end of the install script
  3. Go to Settings → Change Password and set a strong password
  4. Configure WAN/LAN roles in Network → Interfaces
  5. Start the VPN in VPN → Start
  6. Enable DNS blocklists in DNS → Blocklists

Architecture

AegisGate is a Python Flask application (app.py) served by Gunicorn, managing nftables, dnsmasq, WireGuard, Suricata, CrowdSec and QoS through dedicated modules.

Packet Flow (WAN → LAN)

Internet → WAN (eth0) → Suricata NFQ → nft INPUT → CrowdSec → nft FORWARD → LAN (eth1)

DNS Query Flow

Client :53 → DNS Hijack → dnsmasq → Blocklists? → blocked: 0.0.0.0 / NXDOMAIN, otherwise: Upstream DNS

Boot Sequence

  1. networking.service: Brings up interfaces with ifupdown static config
  2. aegisgate-net-setup.service: Sets interface roles (WAN/LAN/WiFi), VLANs, routes
  3. nftables.service: Applies firewall rules: input, forward, postrouting chains + Suricata NFQ rule
  4. aegisgate-restore.service: Restores saved state: security toggles, QoS, custom rules, IP sets, blocklists
  5. dnsmasq.service: DNS/DHCP server starts with conf-file= chain, blocklists, per-client policies
  6. suricata.service: IPS engine starts in NFQ mode (-q 0 --set engine-mode=ips)
  7. crowdsec + bouncer: Threat intelligence feeds nft sets
  8. nft-dashboard.service: Gunicorn serves Flask dashboard on :8080

Config Files

All persistent state is stored under /opt/nft-dashboard/data/ and restored at boot by restore-state.py:

📄 config.json
{
  "wan_interface": "eth0",
  "lan_interface": "eth1",
  "wan_ip": "31.172.140.234",
  "lan_ip": "172.24.1.2",
  "listen_addr": "172.24.1.2",
  "listen_port": 8080
}
🔒 auth.json
{ "users": { "admin": { "password_hash": "pbkdf2:...", "role": "admin" } } }
📡 dns.db (SQLite)
-- dns_rules (blocklist entries, groups, policies, services)
-- dns_lists (blocklist sources, update timestamps)
-- dns_queries (query log, latency, client info)
-- dns_custom_services (service bundle definitions)

dnsmasq config chain:

# /etc/dnsmasq.conf
conf-file=/etc/dnsmasq.d/aegisgate.conf

# /etc/dnsmasq.d/aegisgate.conf
conf-file=/etc/dnsmasq.d/aegisgate-blocklist.conf
conf-file=/etc/dnsmasq.d/aegisgate-local.conf
conf-file=/etc/dnsmasq.d/aegisgate-upstream.conf
conf-file=/etc/dnsmasq.d/aegisgate-dhcp.conf
conf-file=/etc/dnsmasq.d/aegisgate-clients.conf
conf-dir=/etc/dnsmasq.d/aegisgate-blocklists

# Blocklist entries use 1 line per domain (null_ip mode):
address=/ads.example.com/0.0.0.0
# Invalid entries (CSS selectors, URL paths) are automatically stripped:
# address=/domain.com##div[class ← REJECTED
# address=/domain.com/path/script.js ← REJECTED
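The entry validation step described above, as an added example that is not AegisGate's own code: it assumes source lists arrive in bare-domain or hosts-file format, uses its own hostname regex, and emits the null_ip form shown in the config chain.

```python
import re
from typing import Iterable, Iterator, Optional

# Strict hostname check (RFC 1123 labels, at least one dot); this example's own rule,
# not AegisGate's validator.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")
NULL_IP = "0.0.0.0"

def normalize_entry(line: str) -> Optional[str]:
    """Return the bare domain from one blocklist line, or None if the line is rejected.

    Accepts bare domains and hosts-file lines ("0.0.0.0 ads.example.com"); rejects
    comments, cosmetic filters / CSS selectors (##), URL paths (/), and anything
    that is not a plain hostname.
    """
    raw = line.strip()
    if "##" in raw:                       # check before stripping '#' comments, or
        return None                       # "domain.com##div[class" would slip through
    text = raw.split("#", 1)[0].strip()   # drop a trailing "# comment"
    if not text or text.startswith("!") or "/" in text:
        return None                       # blank, adblock comment, or URL path
    parts = text.split()
    if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1", "::", "::1"):
        text = parts[1]                   # hosts-file format
    elif len(parts) != 1:
        return None
    text = text.lower().rstrip(".")
    return text if DOMAIN_RE.match(text) else None

def dnsmasq_blocklist(lines: Iterable[str], null_ip: str = NULL_IP) -> Iterator[str]:
    """Yield one dnsmasq address= line per unique valid domain (null_ip mode)."""
    seen = set()
    for line in lines:
        domain = normalize_entry(line)
        if domain and domain not in seen:
            seen.add(domain)
            yield f"address=/{domain}/{null_ip}"

# Constructed sample list, not a real blocklist.
SAMPLE_LIST = """\
# constructed list
ads.example.com
0.0.0.0 tracker.example.net  # hosts-file style entry
domain.com##div[class
domain.com/path/script.js
Ads.Example.COM.
"""

def render(text: str = SAMPLE_LIST) -> list:
    """dnsmasq config lines generated from a list in text form."""
    return list(dnsmasq_blocklist(text.splitlines()))
```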

Systemd Services

Service             | Description                                  | Depends On
aegisgate-net-setup | Interface roles, VLANs, routes               | networking.service
nftables            | Firewall rules (input, forward, postrouting) | aegisgate-net-setup
aegisgate-restore   | Restores saved state, IP sets, blocklists    | nftables
dnsmasq             | DNS/DHCP server with ad-blocking             | aegisgate-net-setup
suricata            | IPS engine (NFQ queue 0, engine-mode: ips)   | aegisgate-net-setup
crowdsec            | Threat intelligence agent                    | nftables
nft-dashboard       | Flask web dashboard (Gunicorn :8080)         | aegisgate-restore

Aegis DNS / AdBlock

Aegis DNS is a network-wide ad and malware blocker powered by dnsmasq. Every device on the network — phones, TVs, laptops, IoT — inherits the same filtering without any per-device configuration.

# Per-client DNS via DHCP tags
dhcp-host=AA:BB:CC:DD:EE:FF,set:Kids,kids-phone,192.168.1.50
dhcp-option=tag:Kids,option:dns-server,172.24.1.2

# Block mode null_ip (1 line per domain)
address=/ads.example.com/0.0.0.0

Blocklists

AegisGate ships with HaGeZi Ultimate (~660k domains) and supports custom lists. Lists are stored per-source in aegisgate-blocklists/ and streamed from the SQLite database to avoid memory spikes.

Client Groups & Policies

Assign devices to groups with different filtering levels. Each group can have its own blocked services, blocklists, and upstream DNS.

Service Bundles

One-click blocking of popular services. Each bundle contains domains, wildcards, and known alternate domains for the service.

YouTube, TikTok, Instagram, Facebook, WhatsApp, Telegram, Roblox, Adult, Gambling, DoH Bypass

DNS Hijack & DoH

DNS hijack redirects all port 53 traffic (TCP/UDP) on the LAN interface to the gateway dnsmasq. This prevents clients from bypassing filtering by manually setting a different DNS server.

DoH bypass protection blocks known DNS-over-HTTPS provider domains and IPs so clients cannot tunnel DNS queries over HTTPS.

Local Records & Rewrites

DNS Dashboard

Pi-hole-style dashboard with real-time KPIs: total queries, blocked count, block rate, unique clients, top blocked domains, top clients, query log with period filter (5m/1h/6h/12h/24h/7d/all).
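How those KPIs can be derived from the dnsmasq query log, as an added example that is not AegisGate's dns_log_import.py or dashboard code: it parses standard dnsmasq log-queries lines from a constructed sample, marks a query blocked when dnsmasq answered the name from a block entry (0.0.0.0 / NXDOMAIN), and applies the period filter. The regexes, the fixed "now" and the sample log are this example's assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List
# dnsmasq log-queries format (syslog timestamp, no year); regexes are this example's own.
QUERY_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")
CONFIG_RE = re.compile(r"^\w{3} +\d+ [\d:]+ dnsmasq\[\d+\]: config (\S+) is (\S+)$")
BLOCK_ANSWERS = {"0.0.0.0", "::", "NXDOMAIN"}  # answers produced by null_ip / NXDOMAIN blocking
PERIODS = {"5m": 300, "1h": 3600, "6h": 21600, "12h": 43200, "24h": 86400, "7d": 604800, "all": None}
# Constructed sample log, not captured from a real gateway.
SAMPLE_LOG = """\
Jan 10 11:00:00 dnsmasq[812]: query[A] tracker.example.net from 172.24.1.50
Jan 10 11:00:00 dnsmasq[812]: config tracker.example.net is NXDOMAIN
Jan 10 12:00:01 dnsmasq[812]: query[A] ads.example.com from 172.24.1.50
Jan 10 12:00:01 dnsmasq[812]: config ads.example.com is 0.0.0.0
Jan 10 12:00:02 dnsmasq[812]: query[A] www.example.org from 172.24.1.51
Jan 10 12:00:02 dnsmasq[812]: reply www.example.org is 93.184.216.34
Jan 10 12:00:03 dnsmasq[812]: query[A] ads.example.com from 172.24.1.51
Jan 10 12:00:03 dnsmasq[812]: config ads.example.com is 0.0.0.0
"""

def parse_queries(lines, year: int) -> List[Dict]:
    """One record per query[...] line; blocked if dnsmasq answered the name from a block entry."""
    queries, blocked = [], set()
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            queries.append({"ts": ts, "qtype": m.group(2), "domain": m.group(3).lower(), "client": m.group(4)})
            continue
        m = CONFIG_RE.match(line)
        if m and m.group(2) in BLOCK_ANSWERS:
            blocked.add(m.group(1).lower())
    for q in queries:
        q["blocked"] = q["domain"] in blocked
    return queries

def kpis(queries: List[Dict], now: datetime, period: str = "all", top: int = 5) -> Dict:
    """Dashboard KPIs for one period filter (5m/1h/6h/12h/24h/7d/all), relative to `now`."""
    if PERIODS[period] is not None:
        queries = [q for q in queries if q["ts"] >= now - timedelta(seconds=PERIODS[period])]
    total, nblocked = len(queries), sum(q["blocked"] for q in queries)
    return {"total": total, "blocked": nblocked,
            "block_rate": round(100.0 * nblocked / total, 1) if total else 0.0,
            "unique_clients": len({q["client"] for q in queries}),
            "top_blocked": Counter(q["domain"] for q in queries if q["blocked"]).most_common(top),
            "top_clients": Counter(q["client"] for q in queries).most_common(top)}

def demo(period: str = "5m") -> Dict:
    """KPIs over the constructed sample as seen at 2025-01-10 12:05:00."""
    return kpis(parse_queries(SAMPLE_LOG.splitlines(), 2025), datetime(2025, 1, 10, 12, 5), period)
```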

nftables Firewall

The AegisGate firewall is built on nftables with a strict default-drop policy on both input and forward chains. All traffic passes through multiple security layers.

Critical: the Suricata NFQ rule must be first in the input chain, so it is installed with nft insert rule (which prepends) rather than nft add rule (which appends). It matches ct state new, so already-established connections are not dropped.

IP Sets

Set                   | Type                          | Purpose                   | Source
blacklist_ipv4/6      | interval, timeout             | Manual blacklist          | Dashboard
crowdsec-blacklists/6 | interval, timeout             | CrowdSec auto-ban         | CrowdSec bouncer
ipbl_ipv4/6           | interval, timeout, auto-merge | IP blocklists             | External lists
allowlist_ipv4/6      | interval                      | Trusted IPs (always pass) | Dashboard
lan_trusted           | interval                      | Trusted LAN nets          | Config

Hostname Firewall Rules

The DNS Clients table includes a Track Hostname checkbox and a Firewall dropdown (Allow/Drop). When set to Drop, the hostname's resolved IPs are added to the forward chain as drop rules. This lets you block specific devices from accessing the internet while still allowing them to use DNS.

Critical: Hostname firewall rules go in the FORWARD chain, never INPUT. An empty firewall_action ("") is the safe default: the hostname is tracked for DNS only and no nft rules are generated.
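The rule-generation invariant this note describes, as an added example rather than AegisGate's own module: only tracked hostnames whose firewall_action is "drop" produce rules, those rules target the forward chain only, and unparsable addresses are skipped. The client record fields, the "inet filter forward" table/chain name and the sample clients are assumptions made for this example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Assumed table/chain name; AegisGate's own names are not shown on this page.
FORWARD_CHAIN = "inet filter forward"

def hostname_drop_rules(clients: Iterable[Dict]) -> List[str]:
    """Build nft commands that drop forwarded traffic from tracked hostnames set to Drop.

    A client contributes rules only when track_hostname is on and firewall_action
    is "drop". "" (DNS-only, the default) and "allow" yield nothing, and nothing is
    ever generated for the input chain, so the device can still reach the gateway's
    DNS while its forwarded (internet) traffic is dropped.
    """
    cmds, seen = [], set()
    for c in clients:
        if not c.get("track_hostname") or c.get("firewall_action", "") != "drop":
            continue
        for raw in c.get("resolved_ips", []):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue                      # never pass unvalidated text to nft
            if ip in seen:
                continue                      # one rule per address
            seen.add(ip)
            proto = "ip6" if ip.version == 6 else "ip"
            cmds.append(f"nft add rule {FORWARD_CHAIN} {proto} saddr {ip} counter drop")
    return cmds

# Constructed sample client records (not real devices).
SAMPLE_CLIENTS = [
    {"hostname": "kids-phone", "track_hostname": True, "firewall_action": "drop",
     "resolved_ips": ["172.24.1.50", "fd00::50", "not-an-ip", "172.24.1.50"]},
    {"hostname": "laptop", "track_hostname": True, "firewall_action": "allow",
     "resolved_ips": ["172.24.1.51"]},
    {"hostname": "tv", "track_hostname": False, "firewall_action": "drop",
     "resolved_ips": ["172.24.1.52"]},
    {"hostname": "printer", "track_hostname": True, "firewall_action": "",
     "resolved_ips": ["172.24.1.53"]},
]

def demo() -> List[str]:
    """Rules generated for the constructed sample."""
    return hostname_drop_rules(SAMPLE_CLIENTS)
```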

NAT, DNAT & Masquerade

Port forwarding (DNAT) publishes internal services to the WAN. VPN masquerade ensures VPN clients can reach the internet. All NAT rules are managed from the dashboard.

Security Rules

11 toggleable security rules with one-click enable/disable:

SSH Brute Force, HTTP/HTTPS, DNS Protection, Port Scan, SYN Flood, ICMP Flood, Bogon, Bad TCP, Suricata IPS, CrowdSec, IP Blocklists

Suricata IPS

AegisGate runs Suricata in IPS mode using NFQ (NetFilter Queue). This means Suricata doesn't just detect — it drops malicious packets before they reach the target.

Drop & Alert Rules

/etc/suricata/rules/local-bridge.rules:

SID     | Action | Description
9000010 | DROP   | SSH brute force (threshold: 5/60s)
9000040 | DROP   | C2 pattern (sqlmap User-Agent)
9000050 | DROP   | Directory traversal (../)
9000051 | DROP   | SQL injection (' OR)
9000052 | DROP   | XSS (<script)
9000001 | ALERT  | SYN flood (500/30s)
9000002 | ALERT  | ICMP flood (100/10s)
9000003 | ALERT  | UDP flood (500/30s)
9000011 | ALERT  | HTTP scan (100/30s)
9000012 | ALERT  | HTTPS scan (100/30s)
9000020 | ALERT  | DNS amplification (100/10s)

Plus Emerging Threats rules (~49k alert rules) from the suricata-et package.

IPS Dashboard

The dashboard Suricata tab shows:

WireGuard VPN

Built-in WireGuard VPN server with per-peer ACL, QR provisioning, bandwidth tracking and connection events.

ACL Modes

Mode     | Allowed IPs                  | Description
Internet | 0.0.0.0/0                    | Full internet + LAN + DMZ
LAN      | 172.24.1.0/24, 10.0.0.0/24   | Local network only
DMZ      | 172.24.1.204/32              | DMZ server only
Custom   | user-defined CIDRs           | Specific networks

QR Provisioning

Each peer has a "QR" button that generates a scannable WireGuard config QR code. Scan it with the WireGuard mobile app (Android/iOS) to import the tunnel instantly — no manual config needed.

Download Client

Download the official WireGuard client for your platform:

wireguard.com/install

DHCP Server

Full dnsmasq DHCP server integrated with DNS policies. Leases, static assignments, and per-client DNS tags are all managed from the dashboard.

# Generated dnsmasq config:
dhcp-range=172.24.1.100,172.24.1.200,24h
dhcp-option=option:dns-server,172.24.1.2
# Per-client DNS override:
dhcp-host=AA:BB:CC:DD:EE:FF,set:Kids,kids-phone,172.24.1.50
dhcp-option=tag:Kids,option:dns-server,172.24.1.2

QoS / Traffic Shaping

Bandwidth management with pre-built profiles and manual rules. Supports CAKE, fq_codel, HTB and HFSC algorithms.

Network

Complete interface management with ifupdown static config, VLAN CRUD, static routes, and Multi-WAN.

Monitoring Dashboard

Real-time dashboard with period filter (5m/1h/6h/12h/24h/7d/all):

GeoIP

Geographic threat analysis using MaxMind GeoLite2 databases and CrowdSec blacklist data. Shows attack origins by country, ASN, and IP.

System Health

CPU usage, RAM, CPU temperature, conntrack table occupancy, disk usage, and per-interface bandwidth graphs with live updates.

Policy Modes

One-click security posture profiles that configure all security rules at once:

Mode       | Description                                                                                           | Rules Enabled
Balanced   | Recommended default. Blocks known threats while allowing normal traffic.                             | SSH bruteforce, port scan, bogon, bad TCP, CrowdSec, Suricata
Strict     | Maximum security. All 11 rules enabled plus DNS hijack.                                               | All + DNS hijack + ICMP restricted
Permissive | Minimal filtering. Only critical protections.                                                         | Bogon, bad TCP
Paranoid   | Lockdown. Everything in Strict plus aggressive SYN flood, full DNS hijack, no new inbound by default. | All + aggressive thresholds

CrowdSec Integration

CrowdSec provides community-driven threat intelligence. When CrowdSec detects an attack pattern, it automatically adds the offending IP to the crowdsec-blacklists nft set. AegisGate then drops all packets from that IP in both input and forward chains.

# CrowdSec decision flow
Log → CrowdSec parser → scenario match?
  → YES: add IP to nft set crowdsec-blacklists
  → NO: log & continue
nftables checks CrowdSec set on every new packet

IP Blocklists

External IP blocklists are loaded into nft sets ipbl_ipv4 and ipbl_ipv6 with interval, timeout, auto-merge flags. These sets are checked in both input and forward chains.

GeoIP

Geographic threat analysis using MaxMind GeoLite2 databases (City + ASN). Shows attack origins by country and ASN. CrowdSec blacklist IPs are overlaid on the map.

Reports & Export

Export security reports in HTML format for auditing or compliance. Reports include:

Multi-WAN

Configure multiple WAN interfaces with failover and policy routing. Each WAN can have its own gateway, metric, and routing rules.

Cron Jobs

AegisGate sets up the following scheduled tasks:

Schedule     | Task                        | Description
Every 2 min  | dns_log_import.py           | Parse dnsmasq query log, insert into DB, clean up old entries
Every 1 min  | dns_apply_schedules.py      | Apply time-based DNS blocking schedules
Every 5 min  | dns_apply_service_blocks.py | Apply service-level blocking via nftables
Daily 04:17  | dns_update_lists.py         | Download and update remote blocklists, regenerate configs
Every 5 min  | collect_bandwidth.py        | Collect per-interface bandwidth samples
Every 30 min | log-truncate.sh             | Truncate nft-drops.log to 50k lines, restart rsyslog

Troubleshooting

Critical: Never add After=network-online.target to service files. Use After=networking.service and After=aegisgate-net-setup.service instead. NetworkManager is removed — use ifupdown.