[How-To-Updated 2021] Installing AdGuardHome on OpenWrt [Manual and opkg method]

Yes, I used the edge build. I think the problem is the filter lists being downloaded onto insufficient storage. I calculated that 200,000 domains à ~20 characters and 4 Byte per character could be about 200,000 × 20 × 4 Byte = 16,000,000 Byte = 16 MB in size, which is most likely simply too much for the Archer A7.

Thus, I've decided not to run the adblocker on the OpenWrt router at all but on a Raspberry Pi instead. I don't want to use only one or two filter lists just to prevent AdGuard Home from constantly crashing.

Thank you very much for all your advice, it's highly appreciated! :heart:

1 Like

Check where they are being downloaded to. If you have properly installed it then the edge build should save its filters into the /opt/AdGuardHome/data/filters folder. Your USB stick has 8gb and should easily cope with this. I was wondering if you had installed the opkg version that saves its filters/data into the /tmp folder and that's what was crashing your router.

If free disk space isn't the issue, then it may be your memory is running out and services are being killed (which would explain why luci and ssh die).

Try adding filters one at a time and check your free disk space and your free memory. My old BT hub 5 only had 128mb of RAM and I had to be fairly careful about how many filters I added.

It's another reason why I got the R4S. 4Gb of RAM and only 2gb used means I rarely have issues.

How much memory does your archer have?

Well, I've successfully installed AdGuard Home on my Raspberry Pi and added firewall and NAT rules to redirect all DNS requests to AdGuard, so I'm quite happy with my current setup now. By the way, if anyone is interested in this, I simply followed these instructions for the OpenWrt setup.

Thanks again for your help :blush:

4 Likes

If anyone is using a recent enough AGH on OpenWrt which supports the ipset_file option and is using said option, please let me know.

Hi mercygroundabyss, hoping you can help with something please !
I'm trying to set up openwrt+unbound+AdguardHome. Yes, I know AGH is itself a DNS but I have reasons for wanting to use unbound as the actual resolving server.

So in effect I have 3 DNS services.

  1. dnsmasq, changed to port 1053 as in the parallel dnsmasq shown here: unbound integration with DHCP-openwrt
  2. unbound running on port 53
  3. AGH running on DNS port 5355

What I have currently is unbound_ext.conf pointing to 127.0.0.1@5355 so that unbound forwards to AGH.
Then in AGH I have upstream server as 127.0.0.1:53 so unbound can query the root servers for resolution.
Is this going to cause a DNS lookup loop ?
I need unbound to do recursive querying the root servers and AGH just used for the GUI interface since unbound doesn't seem to have one.

Any help appreciated.
thanks.

I'd question the reasons behind wanting unbound in the equation. It was the old way to improve DNS to use unbound/stubby for secure dns as dnsmasq couldn't do it alone. You are making life more complicated by having unbound in the equation. Also you will introduce latency as you have an extra "hop" in the chain.

AGH has a gui and you can pick any upstream secure dns service you want for it. It replaces the need for unbound/stubby completely.

That being said, if you really want it that way, you will have to lay it out like this.

dnsmasq as your downstream PTR source. That will do your internal ip > name lookups from openwrts dhcp service.

unbound as your upstream dns for AGH while unbound talks to the upstream dns you have set.

That way your dns will be laid out like this.

Upstream provider dns > unbound > AGH > dnsmasq

Do remember you will have to set your router dns to use your ISP or other upstream and don't loop it into unbound as you will have an issue where your dns will not be up in time to do NTP checks.

Don't do that. That will create a loop.
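
Added example, not part of the original posts: a small shell check that follows each local resolver's upstream and reports a forwarding loop like the unbound -> AGH -> unbound setup asked about above. Both tables are constructed from the ports in the question; the `external` upstream, the `-` placeholder and the function name are assumptions.

```shell
#!/bin/sh
# Added example: detect a DNS forwarding loop between local resolvers.
# Input lines: "<service> <listen addr> <upstream addr>" (constructed tables).

# Setup described in the question: unbound forwards to AGH, AGH back to unbound.
ASKER_SETUP='dnsmasq     127.0.0.1:1053 -
unbound     127.0.0.1:53   127.0.0.1@5355
adguardhome 127.0.0.1:5355 127.0.0.1:53'

# Layout from the answer (assumed same ports): AGH -> unbound -> upstream DNS.
ANSWER_LAYOUT='dnsmasq     127.0.0.1:1053 -
unbound     127.0.0.1:53   external
adguardhome 127.0.0.1:5355 127.0.0.1:53'

# find_dns_loop: reads a table on stdin. Prints the looping chain and
# returns 1 if any service ends up forwarding to itself, else returns 0.
find_dns_loop() {
    awk '
    function norm(a) { sub(/@/, ":", a); return a }  # unbound writes host@port
    /^[ \t]*(#|$)/ { next }                          # skip comments and blanks
    {
        addr = norm($2)
        name[addr] = $1          # which service listens on this address
        up[addr] = norm($3)      # where that service sends its queries
        order[++n] = addr
    }
    END {
        for (i = 1; i <= n; i++) {
            start = order[i]; cur = start; chain = name[start]
            for (hop = 0; hop < n; hop++) {
                cur = up[cur]
                if (!(cur in name)) break   # query leaves this host: no loop
                chain = chain " -> " name[cur]
                if (cur == start) { print chain; exit 1 }
            }
        }
    }'
}

for cfg in "$ASKER_SETUP" "$ANSWER_LAYOUT"; do
    if chain=$(printf '%s\n' "$cfg" | find_dns_loop); then
        echo "no forwarding loop"
    else
        echo "forwarding loop: $chain"
    fi
done
```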

Thanks for the info.
My understanding is AGH is NOT a recursive DNS but a forwarder, so if I want to run my own recursive DNS then AGH cannot give me that, is that not right?
Regarding NTP, I run my own NTP server with an RTC and then point the router to that, so NTP sync for me is never an issue.
I have to give this some further thought. My current setup is just openwrt with AGH installed following your excellent tut, thanks for that BTW. That runs great and edge updates come through fine.
Thanks again.

1 Like

Correct. However, there are plenty of secure and well maintained DNS servers out there like Cloudflare, OpenDNS, Quad9 etc. Going back to the root servers and doing it yourself is one way to do it, but if your purpose is just to do secured dnssec queries so your lookups cannot be snooped on, just use a forwarder to a provider you trust. Your queries will be encrypted and it's far quicker.

https://1.1.1.1/dns/

We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained a big 4 accounting firm to audit our assertions about our systems annually to ensure that we're doing what we say.

Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.

We’ve built 1.1.1.1 to be the Internet’s fastest DNS directory. Don’t take our word for it. The independent DNS monitor DNSPerf ranks 1.1.1.1 the fastest DNS service in the world.

Thanks, good to know I had the concepts right. I ping and monitor DNS servers every 1mt, my ISP DNS is always best followed by Quad9, for me 1.1.1.1 always gives the highest latency.
I think I'll stick with the current setup of WRT and AGH for now until I can do some further tests with different configs.
Thanks for now and have a good day.

1 Like

this seems to have solved the problem of not showing client addresses on the VLAN :+1: Thanks for the advice :grinning: P.S. I've only changed destination port according to my current setup. I have AdGuard running on port 54 because I'm using Openwrt DHCP.

I was wondering is there a way to retain adguardhome "dns cache" after router reboot?

That's something you should ask the AGH team.
However caches are designed to be refilled. Just let it do its thing.

1 Like

@mercygroundabyss
Thanks for this tutorial, I just installed it on my Archer C7 router (Extroot USB Storage).
I have a question about how to update AGH, from the "update now" button you can't get the error message.

Translate the error please?

Is it asking you to manually update?

It asks me to update, and when I click on update the following error appears, sorry I'm a bit of a noob

OK. It has failed to update and is asking you to follow the manual update method.

Check the OpenWrt syslog to see if there are more errors there. See if it cannot get the update, or if there is another reason.

I would check your disk space to ensure there is space to download to. Remember you need double the binary space (35mb, so at least 70mb spare). It backs up your original AGH binary and then updates to the new version.

Check how much space you have in /tmp as well, as it downloads the update there before unpacking it.
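
Added example, not part of the original posts: a pre-flight script for the checks described above, covering free space under /opt/AdGuardHome (70 MB, double the 35 MB binary), free space in /tmp, and available RAM. The 35 MB threshold for /tmp and the function names are assumptions; on OpenWrt /tmp is a RAM-backed tmpfs, so space used there also reduces free memory.

```shell
#!/bin/sh
# Added example: pre-flight check before updating AdGuard Home on OpenWrt.
OPT_NEED_KB=$((70 * 1024))  # from the post: 35 MB binary plus its backup copy
TMP_NEED_KB=$((35 * 1024))  # assumption: room for the download in /tmp

# Print the "Available" column (KB) from `df -kP <path>` output on stdin.
df_avail_kb() {
    awk 'NR == 2 { print $4 }'
}

# Print available RAM (KB) from /proc/meminfo text on stdin.
# Kernels without MemAvailable fall back to MemFree + Buffers + Cached.
mem_avail_kb() {
    awk '$1 == "MemAvailable:" { avail = $2; have = 1 }
         $1 == "MemFree:" || $1 == "Buffers:" || $1 == "Cached:" { sum += $2 }
         END { print (have ? avail : sum + 0) }'
}

# enough_space LABEL AVAIL_KB NEED_KB: report, return 1 when below the need.
enough_space() {
    if [ "${2:-0}" -ge "$3" ]; then
        echo "ok:   $1 has $2 KB free (needs $3)"
    else
        echo "FAIL: $1 has ${2:-0} KB free, needs $3"
        return 1
    fi
}

preflight() {
    rc=0
    opt=$(df -kP /opt/AdGuardHome | df_avail_kb)
    tmp=$(df -kP /tmp | df_avail_kb)
    enough_space /opt/AdGuardHome "$opt" "$OPT_NEED_KB" || rc=1
    enough_space /tmp "$tmp" "$TMP_NEED_KB" || rc=1
    echo "info: $(mem_avail_kb < /proc/meminfo) KB RAM available"
    return "$rc"
}

# Run only where the install directory from this thread exists.
if [ -d /opt/AdGuardHome ]; then
    preflight || echo "Free up space before updating."
fi
```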

Revisiting filters.

I originally listed filters with this thread and took them out in the end once AGH updated their primary lists. I figure it's time to lay out why I choose the lists I do and also publicise them for others to use or explore.

AdGuard DNS List - https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt

This is included and is the primary list built in to AGH. I leave this one enabled. This is a default filter for AdGuard Home and for the public AdGuard DNS servers.

Adaway block list - https://adaway.org/hosts.txt - disabled by default. I don't use this list.

Perflyst and Dandelion Sprout's Smart-TV Blocklist - https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
This list prevents smart tvs from monitoring/reporting back on you. He also has blocklists for other devices like Amazon fires and Android blocking.

Scam Blocklist by DurableNapkin - https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
This is now included in the osid blocklists but I leave it in as it wasn't included at first.

https://github.com/StevenBlack/hosts - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
My primary blocklist after the default AGH list.

Latest Domain list - https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
These are recently registered lists that serve malware. Part of the https://osint.digitalside.it/ threat groups.

EasyPrivacy List - https://v.firebog.net/hosts/Easyprivacy.txt
Part of the firebog lists. I've previously used this list with AdBlock Pro in my browser.

https://www.github.developerdan.com/hosts/ - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
Adblock list from developer dan. He has a selection of other lists as well.

Phishing Army List - https://phishing.army/download/phishing_army_blocklist.txt
AntiPhishing lists.

NoCoin Filter List - https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
stops in browser-based crypto mining.

The Big List of Hacked Malware Web Sites - https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hosts

Online Malicious URL Blocklist - https://malware-filter.gitlab.io/malware-filter/urlhaus-filter.txt
A blocklist of malicious websites that are being used for malware distribution, based on the Database dump (CSV) of Abuse.ch URLhaus

Reference sites:

How AGH builds its default lists.

1 Like

How To Upgrade Your AdGuardHome Install:

Some claim that you can upgrade from the AdGuardHome web GUI - it has never worked for me while running OpenWrt. No need to fear - here is how to upgrade when a new EDGE version pops up. Hopefully, if you initially set up Extroot for your AdGuardHome install (that means on a USB stick), then all you have to do is grab the new installation by doing exactly what you did when you first installed AdGuardHome. With Extroot you do not have to worry about any space issues - this is why we recommend Extroot to begin with.

1 - Download the correct AdGuard Home package for your router's processor.
2 - Create a folder to extract the archive into, and use WinRAR, 7Zip, PeaZip or some such file archiver to unzip AdGuardHome_linux_your_router.tar.gz
3 - You will now have a decompressed folder named "AdGuardHome".
4 - Then issue this command below:

/etc/init.d/AdGuardHome stop

5 - Fire up WinSCP, open the /opt/ directory on the right side of the application, then drag and drop the decompressed AdGuardHome folder from the directory you had it in on your desktop. If you know how to use SCP on OpenWrt (Linux) you may use that method here as well.

6 - After you drag and drop the new AdGuardHome into the /opt/ directory (overwriting the old installation), enter these commands:

a - # /etc/init.d/AdGuardHome restart
b - # /etc/init.d/dnsmasq restart

Source:

The AGH manual update method is here : https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#manual-update

It's far more likely there is something else preventing his install from updating properly, hence the need to check the logs.

Also, the AGH team has added an update-from-shell method. https://github.com/AdguardTeam/AdGuardHome/wiki/Getting-Started#command-line-update

Command-line update
To update AdGuard Home package without the need to use Web API run:
./AdGuardHome --update

1 Like

AdGuard Home's DNS cache does not follow the cache logic of other DNS servers.