A couple of additional notes, which I will try to work into the top post at some point.
- This ethernet gadget, or indeed any USB-connected ethernet interface, may have issues when used in conjunction with hardware NAT offloading enabled on a compatible platform, e.g. on mt7621-based routers. This is only anecdotal, but I found that under high query load conditions, TCP connections to upstream TLS servers started hanging, until hundreds were open and remaining open. AdGuard Home would stop responding when the number equaled the goroutines limit (default 300) set in AdGuardHome.yaml. Sometimes it would recover, sometimes AdGuard Home needed to be restarted, and even then you'd have to wait a minute or so for TIME_WAIT to expire on the connections.
I have moved this device to another router -- one which I use only as an AP and managed switch, ipq4019-based which doesn't support hw NAT offloading (or need it in this role); and I can no longer reproduce the problem. I also never had this problem when attached to an x86_64 system, though that isn't a conclusive negative.
- It isn't necessary to create a separate address, subnet and firewall zone for this host side of this device, it works fine if you add it (e.g. eth1 or whatever it registers as on the router) to a lan bridge (e.g. the conventional br-lan) and give the gadget client side an address in the LAN subnet. This is a convenient simplification.