[How-To-Updated 2021] Installing AdGuardHome on OpenWrt [Manual and opkg method]

I can confirm that on 23.05, we don't need to specify -c edge to have Adguard installed in /opt. It's better if you prefer to stay with stable release. Maybe it could be great to indicate it in the first post.

Hi,

AGH Edge was working fine on Linksys 1900ACS v2 with OpenWrt 22, but after upgrading to OpenWrt 23, neither the Edge nor the stable opkg is working now.

Issue: ping is working fine but web pages are not opening

Hi I have some questions installing Adguard Home for Openwrt.

I have a powerful x86 router (ssd, ram, cpu are plenty). Is it better to install from Adguard's website using their automated curl install script? Or is it still recommended to use the official Openwrt adguard opkg package?

When I follow the wiki and this post to install Adguard Home, Openwrt can no longer run opkg update, it cannot resolve DNS. After looking at the comments here this seems to be resolved by adding 127.0.0.1 to bind_hosts in the adguardhome.yaml file. Good but is missing from guide?

I had same issue as here:

but mercygroundabyss writes:

Everything the router does goes via Adguard. I can see all opkg updates, traceroutes and pings the router is doing in Adguard's logs. If I understand right, @mercygroundabyss says it should not be like this. Router should use dnsmasq port 54 for own routes, not go to Adguard that is set to port 53?

I have set WAN DNS manually and I have also tried with the default peer setting on because my ISP is fine. But it does not matter what WAN DNS I have set, because all traffic from router goes via Adguard and router does not use the set WAN DNS. It has no effect what server is there.

Discussion seems to end because user was happy that Adguard works, but I don't see proper solution. If there indeed is loop back to Adguard when there should not be and router should do DNS lookups by itself.

Same as with andretoniolo, doing diagnostic nslookup from Openwrt:

Server:		127.0.0.1
Address:	127.0.0.1:53

According to mercygroundabyss this should go to dnsmasq port 54 so it routes it by itself and not directed to Adguard port 53?
Is there any solution? I could not find any going up and down this thread.

Could you post your yaml file?

Hi let me repeat that in sense Adguard and Openwrt "works" but not the intended way according to mercygroundabyss. That the router should be capable of resolving without Adguard.
I don't know if problem is more in Openwrt settings or yaml file but feels like router, if router should be able to resolve by itself without Adguard.

yaml file:

http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.1.1:33339
  session_ttl: 720h
users:
  - name: 
    password: 
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: auto
dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
  port: 53
  anonymize_client_ip: false
  ratelimit: 40
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - tls://dns.quad9.net
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '#[/pool.ntp.org/]1.1.1.1'
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns: []
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 192.168.1.1:54
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  ignored: []
  interval: 168h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  ignored: []
  interval: 720h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
    name: OISD Blocklist Big
    id: 1698335893
whitelist_filters: []
user_rules:
  - ""
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent:
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
log:
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 27

If you want the router to resolve all your DNS queries, then let OpenWrt keep the default DNS server port, i.e. 53, with DNS forwarding to 192.168.1.1#54, where DNS port 54 is for your AdGuard. But from my experience you should just let AdGuard have DNS port 53.

This is my yaml file:

http:
  address: 192.168.1.1:8080
  session_ttl: 720h
users:
  - name:
    password: 
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
debug_pprof: false
dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
  port: 53
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  protection_disabled_until: null
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '[/pool.ntp.org/]1.1.1.1'
    - '[/pool.ntp.org/]1.0.0.1'
    - '[/pool.ntp.org/]8.8.8.8'
    - '[/pool.ntp.org/]8.8.4.4'
    - https://dns.cloudflare.com/dns-query
    - https://dns.google/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
    - 1.1.1.1
    - 1.0.0.1
    - 8.8.8.8
    - 8.8.4.4
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 3600
  cache_ttl_max: 86400
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: true
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  rewrites: []
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 192.168.1.1:54
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  ignored: []
  interval: 2160h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  ignored: []
  interval: 24h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
    name: OISD Blocklist Full
    id: 1678555417
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_5.txt
    name: OISD Blocklist Basic
    id: 1678555418
  - enabled: true
    url: https://easylist.to/easylist/easylist.txt
    name: EasyList
    id: 1681390426
  - enabled: true
    url: https://easylist.to/easylist/easyprivacy.txt
    name: EasyPrivacy
    id: 1681390427
  - enabled: true
    url: https://secure.fanboy.co.nz/fanboy-annoyance.txt
    name: Fanboy's Annoyance List
    id: 1681390428
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 24

DHCP:


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option port '54'
	option sequential_ip '1'
	option noresolv '0'
	list server '192.168.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dns 'fd33:fbba:198c::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '3'

In firewall file don't forget to add:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'AdGuardHome DNS Interception'
	option src_ip '!192.168.1.1'
	option dest_ip '192.168.1.1'
	option dest_port '53'

config nat
	option name 'Prevent hardcoded DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option target 'MASQUERADE'

As per guide.
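
The settings this part of the thread turns on (AdGuard Home's `port` and `bind_hosts`, its per-domain upstreams such as `[/lan/]127.0.0.1:54`, and the dnsmasq `port`) can be cross-checked with a short script. This is an added example, not code from any poster or from the guide; the function names and demo files are constructed, and the YAML parsing assumes the indentation AdGuard Home writes, as in the files quoted above.

```shell
#!/bin/sh
# Added example: cross-check AdGuardHome.yaml against /etc/config/dhcp.
# Function names and the demo files at the bottom are constructed for illustration.

# Print "port N", "bind ADDR" and "upstream ENTRY" lines from the dns: section.
agh_dns_settings() {
    awk -v q="'" '
        /^[^ #]/ { in_dns = ($1 == "dns:"); list = ""; next }   # top-level key
        !in_dns  { next }
        /^  [a-z]/ {                                            # key under dns:
            list = ""
            if ($1 == "port:")         print "port", $2
            if ($1 == "bind_hosts:")   list = "bind"
            if ($1 == "upstream_dns:") list = "upstream"
            next
        }
        list != "" && /^    - / { gsub(q, "", $2); print list, $2 }
    ' "$1"
}

# Port from the "config dnsmasq" section; dnsmasq uses 53 when none is set.
dnsmasq_port() {
    awk -v q="'" '
        $1 == "config" { in_d = ($2 == "dnsmasq") }
        in_d && $1 == "option" && $2 == "port" { gsub(q, "", $3); p = $3 }
        END { print (p == "" ? 53 : p) }
    ' "$1"
}

# $1 = AdGuardHome.yaml, $2 = UCI dhcp file. Returns non-zero on any finding.
check_dns_split() {
    dport=$(dnsmasq_port "$2"); aport=""; loopback=0; rc=0
    while read -r kind val; do
        case "$kind $val" in
            "port "*) aport=$val ;;
            "bind 127.0.0.1"|"bind 0.0.0.0") loopback=1 ;;
            "upstream [/"*"]127.0.0.1:"*)      # per-domain upstream on loopback
                [ "${val##*:}" = "$dport" ] || {
                    echo "FAIL: $val does not reach dnsmasq (port $dport)"; rc=1; } ;;
        esac
    done <<EOF
$(agh_dns_settings "$1")
EOF
    [ "$aport" != "$dport" ] || { echo "FAIL: both daemons set to port $dport"; rc=1; }
    [ "$loopback" = 1 ] || {
        echo "FAIL: 127.0.0.1 missing from bind_hosts, router lookups to 127.0.0.1:$aport go unanswered"; rc=1; }
    return $rc
}

# Constructed demo: bind_hosts lacks 127.0.0.1, the case reported in the thread.
demo=$(mktemp -d)
printf 'dns:\n  bind_hosts:\n    - 192.168.1.1\n  port: 53\n  upstream_dns:\n' > "$demo/agh.yaml"
printf "    - '[/lan/]127.0.0.1:54'\n    - tls://dns.quad9.net\n" >> "$demo/agh.yaml"
printf "config dnsmasq\n\toption port '54'\n" > "$demo/dhcp"
check_dns_split "$demo/agh.yaml" "$demo/dhcp" || echo "config needs attention"
rm -rf "$demo"
```

On a router, point it at the real files, for example `check_dns_split /etc/adguardhome.yaml /etc/config/dhcp`, using whichever YAML path your install method created.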

they are two separate commands, the 2nd starting with ip

Same issue for me resulting in random failures to start on [re]boot for AdGuard Home (opkg version). Quite annoying since there is no DNS failover when AGH is not up and running.

My workaround was to add service adguardhome restart line to the Local Startup, forcing AGH to restart at the end of the boot process. Tweaking Start and Stop values in /etc/init.d/adguardhome is a possibility, too, but the forced restart seems more bulletproof to me.

Seems to be working so far. Hope this helps if anyone faces the same issue.

As I added some complexity to the network (more interfaces with VLANs), restarting AGH from rc.local was no longer bulletproof. AGH failed again with logs showing yet another error:

couldn't start forwarding DNS server: starting listeners: listening on udp addr 127.0.0.1:53: listening to udp socket: listen udp 127.0.0.1:53: bind: cannot assign requested address

Adding sleep xx might have been another workaround.

But ultimately, I added

procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}

to the original /etc/init.d/adguardhome file, as described in procd init scripts guide.

The default value of 5 retries allows AdGuardHome to fail 5 times and be restarted automatically after waiting for 5 seconds. No need to set delays, or change priority of the original init file. Hopefully, will be more bulletproof this time :slight_smile:

Thank you for this information, I appreciate it. I will give this a try as well. It seems like a much smarter method.

Hi all,

I would like to upgrade from 22.03 to 23.05. How can I make sure, that AdguardHome is running after the upgrade? It's my only DNS resolver in the network.

Is it better to use the AdguardHome pkg from the repo or the binary from Github? The Github releases are far more up to date.

Thanks for the great guide!

As after the last OpenWRT update I was missing AGH and my GL-B1300 has only 32Mb flash, so I had to add a USB stick as extroot.

A few things I'd like to suggest:

  1. In the case AGH service goes down (I had to restore from backup and I didn't save its huge binary into a backup, only yaml config, see below) your opkg won't work as it uses dnsmasq and you won't be able to reinstall all the packages as they are not saved either, so important things to start this manual with, as well as a rerun/teardown of this guide to restore DNS (simple change of nameserver to 1.1.1.1 in /etc/resolv.conf will not help opkg, it needs SSL):
  2. [How-To-Updated 2021] Installing AdGuardHome on OpenWrt [Manual and opkg method] - #597 by AlanDias17 used 'AdGuardHome DNS Interception' and 'Prevent hardcoded DNS' firewall configs (thanks @AlanDias17 )
  3. Installing edge and beta (didn't try stable) had my router oom'ing every 15 minutes, so first I preserved opkg lists and added a swap file, I had to edit /etc/init.d/AdGuardHome
    start_service() {
    ...
      procd_set_param env GOMEMLIMIT=100MiB GOGC=40
      procd_set_param command /opt/AdGuardHome/AdGuardHome -c /opt/AdGuardHome/AdGuardHome.yaml
    ...
    }
    
    as described in https://github.com/AdguardTeam/AdGuardHome/issues/5606
  4. It makes sense to have these hard-earned non-default configs backed up, so at the end of the guide I'd add: "For extroot setups your AGH configs will not be backed up automatically, so go to https://192.168.1.1/cgi-bin/luci/admin/system/flash -> Configuration and add
    /opt/AdGuardHome/AdGuardHome.yaml
    /etc/init.d/AdGuardHome
    
    then download the backup."

I recently upgraded to 23.05 and installed AGH pkg from repo (due to space considerations mostly). But then overwrote the /usr/bin/AdGuardHome with the newer version from Github. No side effects for now :slight_smile:

I did not use the option to preserve settings when upgrading, but had all my configs saved as uci scripts, so had to re-run them after upgrading. For AGH though I kept the yaml file. Just my approach... Probably, not the fastest one.

Do you have a good approach on how to do this after a clean install? How did you obtain all the required UCI commands to perform after a clean install?

I took most of the UCI commands from LuCI :slight_smile: You make a change through LuCI interface, and get those unsaved commands, which can be saved and re-used in the future.

I found UCI system guide to be very useful for the general understanding of the uci configs, e.g. how to index sections, how to name sections (replacing those LuCI generated autogenerated IDS, like cfg073777).

@brokenpipe
I also have AGH as my only DNS resolver. I installed the pkg from repo but then I overwrote the repo's binary with edge version, no problem with that. I can even upgrade AGH from its web interface "update" button.
I do occasional openwrt upgrades with "attended sysupgrade" in LuCI's interface and I do preserve settings, no issues there either. My backups do save the current binary, had it included in the "backup list".

@TriplEight When AGH service goes down it can be automatically restarted with "respawn" parameter (as @route66 mentioned). My /etc/init.d/AdGuardHome file has this:

procd_set_param env GOGC=30 GOMEMLIMIT=100MiB
procd_set_param command /usr/bin/AdGuardHome -c /etc/adguardhome.yaml -w /opt/AdGuardHome -s run
procd_set_param respawn 3600 60 0

The above line waits 60 seconds to restart and tries forever...
To preserve all this I have in the "save list":

/usr/bin/AdGuardHome
/etc/adguardhome.yaml
/etc/init.d/adguardhome

In my case, to avoid having AGH crashing I disabled automatic updating the blocklists, and scheduled a script that is running once a week and stops AGH, downloads my selected lists and restart AGH. Because AGH is very memory hungry depending on the selected lists, you may need to do several tests to find how many lists you can have without "out-of-RAM problems".

So I'm trying to update my R4S router to the latest 23.05, but when I do, AdGuard seems to be no longer installed, the web page isn't available and nothing can access the internet.

So I have reverted back to 22, which was working fine. AdGuard then said there was an update, which I ran, but now nothing has internet again.

Is it worth keeping this setup, or removing it, running the upgrade image to 23.05, then installing the opkg version of AdGuard?

From my end it's working great. Install latest openwrt version and then adguardhome. Check your yaml file.

Yeah, I think before it was because AdGuard was installed when the upgrade was done.

So I'm thinking:
remove this AdGuard
run upgrade on OpenWrt

then do I install this or AdGuard via opkg?

That's exactly what I did
