[How-To-Updated 2021] Installing AdGuardHome on OpenWrt [Manual and opkg method]

That should not happen. Where did you get to on the setup and what options did you choose?

Here's what I did:

  1. Reset OpenWrt via Luci.
  2. Set WiFi SSID and password.
  3. Configure automount for the USB drive.
  4. Install all the necessary packages you listed in the instructions.
  5. Run routerDNS.sh.
  6. Run installAGH.sh.
  7. Open 192.168.1.1:3000 and set 8080 as the AGH port.
  8. Set a bunch of upstream and bootstrap DNS servers, made sure they work.
  9. Set a few custom filter rules to block “suspicious” TLDs like .ru or .cn.
  10. Try opening regular websites, works fine on different devices.
  11. Try opening .ru websites, doesn't work (as expected), and AGH says the DNS requests were blocked, just as intended.
  12. Enable five filter lists in total with approximately 190,000 domains.
  13. Reload AGH page, doesn't load.
  14. Open 192.168.1.1, doesn't load either.
  15. Opening any website fails with ERR_NAME_NOT_RESOLVED.
  16. Can't even type into SSH console anymore, also won't re-connect.

You are using the edge build, not the opkg install, yes?

I'm guessing you have run out of space somewhere along the line and your router crashed.

Redo your steps until you get to the filters. Enable only one set and check your disk space again.

Make sure it is saving the filters to your /opt folder and you still have space.

Yes, I used the edge build. I think the problem is the filter lists being downloaded onto insufficient storage. I calculated that 200,000 domains à ~20 characters and 4 Byte per character could be about 200,000 × 20 × 4 Byte = 16,000,000 Byte = 16 MB in size, which is most likely simply too much for the Archer A7.

Thus, I've decided not to run the adblocker on the OpenWrt router at all but on a Raspberry Pi instead. I don't want to use only one or two filter lists just to prevent AdGuard Home from constantly crashing.

Thank you very much for all your advice, it's highly appreciated! :heart:

1 Like

Check where they are being downloaded to. If you have properly installed it, then the edge build should save its filters into the /opt/AdGuardHome/data/filters folder. Your USB stick has 8 GB and should easily cope with this. I was wondering if you had installed the opkg version that saves its filters/data into the /tmp folder and that's what was crashing your router.

If free disk space isn't the issue, then it may be your memory is running out and services are being killed (which would explain why luci and ssh die).

Try adding filters one at a time and check your free disk space and your free memory. My old BT Hub 5 only had 128 MB of RAM and I had to be fairly careful about how many filters I added.

It's another reason why I got the R4S. 4 GB of RAM and only 2 GB used means I rarely have issues.

How much memory does your Archer have?
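
The check suggested above (watch free disk space and free memory while enabling filter lists one at a time) can be scripted. This is an added example, not part of the original posts or of AdGuard Home; the function names and thresholds are assumptions, and the filter path is the one quoted above.

```shell
#!/bin/sh
# Added example: headroom check to run before enabling another filter list.
# Function names and thresholds are assumptions, not AdGuard Home settings.

# mem_available_kb [MEMINFO_FILE]
# Prints reclaimable RAM in kB. Kernels that do not report MemAvailable
# fall back to MemFree + Buffers + Cached.
mem_available_kb() {
    awk '
        $1 == "MemAvailable:" { avail = $2; have = 1 }
        $1 == "MemFree:"      { free = $2 }
        $1 == "Buffers:"      { buf = $2 }
        $1 == "Cached:"       { cached = $2 }
        END { print (have ? avail : free + buf + cached) }
    ' "${1:-/proc/meminfo}"
}

# disk_free_kb PATH
# Prints free space in kB on the filesystem that holds PATH.
# -P keeps each filesystem on one line even with long device names.
disk_free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# headroom_ok DIR MIN_DISK_KB MIN_MEM_KB [MEMINFO_FILE]
# Prints both figures and returns 0 only if both minimums are met.
headroom_ok() {
    dir=$1 min_disk=$2 min_mem=$3 meminfo=${4:-/proc/meminfo}
    disk=$(disk_free_kb "$dir")
    mem=$(mem_available_kb "$meminfo")
    echo "free on $dir: ${disk} kB, memory available: ${mem} kB"
    [ "$disk" -ge "$min_disk" ] && [ "$mem" -ge "$min_mem" ]
}

# Usage on the router (thresholds are placeholders, tune per device):
#   headroom_ok /opt/AdGuardHome/data/filters 51200 20480 || echo "stop adding lists"
# A filter directory under /tmp is RAM-backed, so a large list there
# reduces the memory figure as well as the disk figure.
```

Run it after each list is enabled; a memory figure that drops sharply with every list points to RAM rather than storage as the limit.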

Well, I've successfully installed AdGuard Home on my Raspberry Pi and added firewall and NAT rules to redirect all DNS requests to AdGuard, so I'm quite happy with my current setup now. By the way, if anyone is interested in this, I simply followed these instructions for the OpenWrt setup.

Thanks again for your help :blush:

4 Likes

If anyone is using the recent enough AGH on OpenWrt which supports ipset_file option and is using said option, please let me know.

Hi mercygroundabyss, hoping you can help with something please!
I'm trying to set up OpenWrt+unbound+AdGuardHome. Yes, I know AGH is itself a DNS but I have reasons for wanting to use unbound as the actual resolving server.

So in effect I have 3 DNS services.

  1. dnsmasq, changed to port 1053 as in the parallel dnsmasq shown here: unbound integration with DHCP-openwrt
  2. unbound running on port 53
  3. AGH running on DNS port 5355

What I have currently is unbound_ext.conf pointing to 127.0.0.1@5355 so that unbound forwards to AGH.
Then in AGH I have upstream server as 127.0.0.1:53 so unbound can query the root servers for resolution.
Is this going to cause a DNS lookup loop?
I need unbound to do recursive querying of the root servers and AGH just used for the GUI interface since unbound doesn't seem to have one.

Any help appreciated.
thanks.

I'd question the reasons behind wanting unbound in the equation. It was the old way to improve DNS to use unbound/stubby for secure dns as dnsmasq couldn't do it alone. You are making life more complicated by having unbound in the equation. Also you will introduce latency as you have an extra "hop" in the chain.

AGH has a gui and you can pick any upstream secure dns service you want for it. It replaces the need for unbound/stubby completely.

That being said, if you really want it that way, you will have to lay it out like this.

dnsmasq as your downstream PTR source. That will do your internal IP > name lookups from OpenWrt's DHCP service.

unbound as your upstream dns for AGH while unbound talks to the upstream dns you have set.

That way your dns will be laid out like this.

Upstream provider dns > unbound > AGH > dnsmasq

Do remember you will have to set your router dns to use your ISP or other upstream and don't loop it into unbound as you will have an issue where your dns will not be up in time to do NTP checks.

Don't do that. That will create a loop.
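
The loop discussed in this exchange can be checked mechanically by following each local forwarder to its upstream. This is an added example, not part of the original posts; the map format and function names are assumptions, the ports are the ones from the question, and the second map is an assumed layout in which AGH uses unbound as its upstream and unbound does not forward back.

```shell
#!/bin/sh
# Added example: walk a chain of local DNS forwarders and report a loop.
# Each map line is "listen_port upstream_port"; an upstream of "-" means
# the service resolves by itself (recursion or a remote provider).

# Constructed from the question: unbound on 53 forwarding to
# 127.0.0.1@5355, AdGuard Home on 5355 with upstream 127.0.0.1:53.
LOOPING_MAP='53 5355
5355 53'

# Assumed layout for illustration: AGH (5355) uses unbound (53) as its
# upstream, and unbound has no forward back to AGH.
FIXED_MAP='5355 53
53 -'

# next_hop MAP PORT: print the upstream configured for PORT, if any.
next_hop() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2; exit }'
}

# trace_chain MAP START_PORT
# Prints the path taken by a query entering at START_PORT.
# Returns 1 as soon as a port is visited twice, 0 otherwise.
trace_chain() {
    map=$1 port=$2 seen=" " path=""
    while [ -n "$port" ] && [ "$port" != "-" ]; do
        case $seen in
            *" $port "*) echo "loop: $path$port"; return 1 ;;
        esac
        seen="$seen$port "
        path="$path$port -> "
        port=$(next_hop "$map" "$port")
    done
    echo "ok: ${path}resolver"
    return 0
}

# trace_chain "$LOOPING_MAP" 53    prints: loop: 53 -> 5355 -> 53
# trace_chain "$FIXED_MAP" 5355    prints: ok: 5355 -> 53 -> resolver
```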

Thanks for the info.
My understanding is AGH is NOT a recursive DNS but a forwarder, so if I want to run my own recursive DNS then AGH cannot give me that, is that not right?
Regarding NTP, I run my own NTP server with an RTC and then point the router to that, so NTP sync for me is never an issue.
I have to give this some further thought. My current setup is just openwrt with AGH installed following your excellent tut, thanks for that BTW. That runs great and edge updates come through fine.
Thanks again.

1 Like

Correct. However there are plenty of secure and well maintained DNS servers out there like Cloudflare, OpenDNS, Quad9 etc. Going back to the root servers and doing it yourself is one way to do it but if your purpose is just to do secured dnssec queries so your lookups cannot be snooped on? Just use a forwarder to a provider you trust. Your queries will be encrypted and it's far quicker.

https://1.1.1.1/dns/

We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained a big 4 accounting firm to audit our assertions about our systems annually to ensure that we're doing what we say.

Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.

We’ve built 1.1.1.1 to be the Internet’s fastest DNS directory. Don’t take our word for it. The independent DNS monitor DNSPerf ranks 1.1.1.1 the fastest DNS service in the world.

Thanks, good to know I had the concepts right. I ping and monitor DNS servers every 1mt, my ISP DNS is always best followed by Quad9, for me 1.1.1.1 always gives the highest latency.
I think I'll stick with current setup of WRT and AGH for now until i can do some further tests with different configs.
Thanks for now and have a good day.

1 Like

This seems to have solved the problem of not showing client addresses on the VLAN :+1: Thanks for the advice :grinning: P.S. I've only changed the destination port according to my current setup. I have AdGuard running on port 54 because I'm using OpenWrt DHCP.

I was wondering is there a way to retain adguardhome "dns cache" after router reboot?

That's something you should ask the AGH team.
However caches are designed to be refilled. Just let it do its thing.

1 Like

@mercygroundabyss
Thanks for this tutorial, I just installed it on my Archer C7 router (Extroot USB Storage).
I have a question about how to update AGH, from the "update now" button you can't get the error message.

Translate the error, please?

Is it asking you to manually update?

It asks me to update, and when I click on update the following error appears, sorry I'm a bit of a noob

OK. It has failed to update and is asking you to follow the manual update method.

Check the OpenWrt syslog to see if there are more errors there. See if it cannot get the update, or another reason.

I would check your disk space to ensure there is space to download to. Remember you need double the binary space (35 MB, so at least 70 MB spare). It backs up your original AGH binary and then updates to the new version.

Check how much space you have in /tmp as well, as it downloads the update there before unpacking it.

Revisiting filters.

I originally listed filters with this thread and took them out in the end once AGH updated their primary lists. I figure it's time to lay out why I choose the lists I do and also publicise them for others to use or explore.

AdGuard DNS List - https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt

This is included and is the primary list built in to AGH. I leave this one enabled. This is a default filter for AdGuard Home and for the public AdGuard DNS servers.

Adaway block list - https://adaway.org/hosts.txt - disabled by default. I don't use this list.

Perflyst and Dandelion Sprout's Smart-TV Blocklist - https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
This list prevents smart TVs from monitoring/reporting back on you. He also has blocklists for other devices like Amazon Fires and Android blocking.

Scam Blocklist by DurableNapkin - https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
This is now included in the osid blocklists but I leave it in as it wasn't included at first.

https://github.com/StevenBlack/hosts - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
My primary blocklist after the default AGH list.

Latest Domain list - https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
These are recently registered lists that serve malware. Part of the https://osint.digitalside.it/ threat groups.

EasyPrivacy List - https://v.firebog.net/hosts/Easyprivacy.txt
Part of the firebog lists. I've previously used this list with AdBlock Pro in my browser.

https://www.github.developerdan.com/hosts/ - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
Adblock list from developer dan. He has a selection of other lists as well.

Phishing Army List - https://phishing.army/download/phishing_army_blocklist.txt
AntiPhishing lists.

NoCoin Filter List - https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
Stops in-browser crypto mining.

The Big List of Hacked Malware Web Sites - https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hosts

Online Malicious URL Blocklist - https://malware-filter.gitlab.io/malware-filter/urlhaus-filter.txt
A blocklist of malicious websites that are being used for malware distribution, based on the Database dump (CSV) of Abuse.ch URLhaus

Reference sites:

How AGH builds its default lists.

1 Like