[How-To-Updated 2021] Installing AdGuardHome on OpenWrt [Manual and opkg method]

First of all, thanks for making this adguardhome package on openwrt.

I am trying to set it up properly on my openwrt router (TP link C2600) but am running into some problems when rebooting my router. I have used the tutorial of OneMarcFifty, from ~25 min. Basically, moved DNSmasq to 5353 and let AGH run on port 53. I have set the AGH upstream DNS server 127.0.0.1:5353 as also mentioned in this wiki.

I have enabled the adguardhome service by:

service adguardhome enable
service adguardhome start

Now when I perform a reboot of my router my internet stops and adguardhome is not starting up again. When I run by SSH: service adguardhome status the reply is running. logread -e AdGuardHome is not giving any errors.

When I now change my dnsmasq port back again from 5353 to 53 my internet works again. I have performed multiple attempts to opkg remove the adguardhome package and manually deleted the config file again (rm /etc/adguardhome.yaml). Then do a reinstall, AGH first works but every time after a router reboot the AGH breaks again.

I have read sometimes the NTP can be an issue and tried to add this to upstream server as well:

[/pool.ntp.org/]1.1.1.1

[/pool.ntp.org/]1.0.0.1

[/pool.ntp.org/]2606:4700:4700::1111

[/pool.ntp.org/]2606:4700:4700::1001

Any help on what I can do to make AGH survive a reboot of my router?

Never mind this post I have solved the issue by very carefully following the steps in the Wiki.

Now dnsmasq is running on port 54 and by running the setup script from the wiki I have made some extra changes to my /etc/config/dhcp settings that I forgot earlier. Also, the adguardhome rDNS settings and LAN domain interception settings are now fully in line with the Wiki.

Now AGH is working and coming up again after a router reboot.


Thank you for the guide,
I have one issue:

On my LAN I have internet access but from OpenWrt I have not, because of the name resolver.

root@OpenWrt:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=59 time=19.352 ms
64 bytes from 1.1.1.1: seq=1 ttl=59 time=24.086 ms
64 bytes from 1.1.1.1: seq=2 ttl=59 time=24.827 ms
64 bytes from 1.1.1.1: seq=3 ttl=59 time=28.371 ms
64 bytes from 1.1.1.1: seq=4 ttl=59 time=23.944 ms
64 bytes from 1.1.1.1: seq=5 ttl=59 time=26.813 ms
64 bytes from 1.1.1.1: seq=6 ttl=59 time=29.624 ms
^C
--- 1.1.1.1 ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 19.352/25.288/29.624 ms
root@OpenWrt:~# ping www.google.com
ping: bad address 'www.google.com'
root@OpenWrt:~# cat /etc/resolve.conf
search lan
nameserver 127.0.0.1
nameserver::1

If I change it to my OpenWrt's IP (AdGuard), OpenWrt can resolve the nameserver, but after a reboot the resolve.conf reverts my setting.

root@OpenWrt:~# cat /etc/resolve.conf
search lan
nameserver 192.168.20.1
nameserver ::1

root@OpenWrt:~# ping www.google.com
PING www.google.com (142.251.208.100): 56 data bytes
64 bytes from 142.251.208.100: seq=0 ttl=119 time=24.032 ms
64 bytes from 142.251.208.100: seq=1 ttl=119 time=17.753 ms
64 bytes from 142.251.208.100: seq=2 ttl=119 time=18.484 ms
64 bytes from 142.251.208.100: seq=3 ttl=119 time=17.345 ms
64 bytes from 142.251.208.100: seq=4 ttl=119 time=23.202 ms
^C
--- www.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 17.345/20.163/24.032 ms

How can I make the config file permanent?

Well, I have this problem too. Opkg doesn't work with Adguard. Wrote 1.1.1.1 and 1.0.0.1 as dns servers on wan interface. No effect

Same issue here.

@mercygroundabyss Do you have the latest version of openWRT built by anaelorlinski? (Use the version of nftables + iptables compatibility packages)

Same issues here too. Setting the DNS server on the WAN interface has no effect.

@Reconvene9657 @Voidstranger and whoever it may concern please follow up this simple guide:
AdGuard Home
Also follow this tutorial https://www.youtube.com/watch?v=yMcM40ipDlQ
I'm on release version OpenWrt 22.03.3 with adguardhome package version 0.107.21-1

  1. Interfaces » WAN -> Disable Use DNS servers advertised by peer. Don't use any Use custom DNS servers
  2. DHCP and DNS > General settings > Disable Rebind protection. In Advanced, Change DNS server port to 54 from 53.
  3. Open AdguardHome Setup page 192.168.1.1:3000.
    Web Interface Listen Interface > Br-lan @ 8080
    DNS server Listen interface > All interfaces @ 53. Next and create a password.

This is what my adguardhome.yaml looks like:

bind_host: 192.168.1.1
bind_port: 8080
beta_bind_port: 0
users:
  - name: usernamae
    password: password
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
  port: 53
  statistics_interval: 1
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 2160h
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '[/pool.ntp.org/]1.1.1.1'
    - '[/pool.ntp.org/]1.0.0.1'
    - '[/pool.ntp.org/]8.8.8.8'
    - '[/pool.ntp.org/]8.8.4.4'
    - https://dns.cloudflare.com/dns-query
    - https://dns.google/dns-query
    - https://doh.opendns.com/dns-query
    - https://blitz.ahadns.com
    - https://dns.nextdns.io
    - https://basic.rethinkdns.com
  upstream_dns_file: ""
  bootstrap_dns:
    - 1.1.1.1
    - 1.0.0.1
    - 8.8.8.8
    - 8.8.4.4
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 3600
  cache_ttl_max: 86400
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 192.168.1.1:54
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://abp.oisd.nl/
    name: oisd
    id: 1665787488
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: ""
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 14

I reinstalled Adguard and chose all interfaces on first settings page. Now adguard works as intended


Tip: you could have also just removed the adguardhome.yaml file instead of reinstalling the whole package to get to the setup page

Just for curiosity can I see your adguardhome.yaml file?

I'm using 0.108 version. Here yaml:

bind_host: 0.0.0.0
bind_port: 8080
users:
  - name: adguard
    password: xxx
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  statistics_interval: 30
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 720h
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 150
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - https://dns.cloudflare.com/dns-query
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '[/downloads.openwrt.org/]1.1.1.1'
    - '[/pool.ntp.org/]1.1.1.1'
    - '[/pool.ntp.org/]1.0.0.1'
    - '[/ntp.time.in.ua/]1.1.1.1'
    - '[/ntp2.time.in.ua/]1.1.1.1'
    - '[/ntp3.time.in.ua/]1.1.1.1'
    - '[/0.openwrt.pool.ntp.org/]1.1.1.1'
    - '[/1.openwrt.pool.ntp.org/]1.1.1.1'
    - '[/2.openwrt.pool.ntp.org/]1.1.1.1'
    - '[/3.openwrt.pool.ntp.org/]1.1.1.1'
    - '[/ntp.time.in.ua/]1.0.0.1'
    - '[/ntp2.time.in.ua/]1.0.0.1'
    - '[/ntp3.time.in.ua/]1.0.0.1'
    - '[/0.openwrt.pool.ntp.org/]1.0.0.1'
    - '[/1.openwrt.pool.ntp.org/]1.0.0.1'
    - '[/2.openwrt.pool.ntp.org/]1.0.0.1'
    - '[/3.openwrt.pool.ntp.org/]1.0.0.1'
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  filtering_enabled: true
  filters_update_interval: 168
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt
    name: WindowsSpyBlocker - Hosts spy rules
    id: 1674589437
  - enabled: true
    url: https://easylist-downloads.adblockplus.org/advblock.txt
    name: RU AdList
    id: 1674589439
  - enabled: true
    url: https://easylist-downloads.adblockplus.org/antiadblockfilters.txt
    name: Adblock Warning Removal List
    id: 1674589440
  - enabled: true
    url: https://easylist.to/easylist/easylist.txt
    name: EasyList
    id: 1674589441
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: ""
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 14

you can try

dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1

This will make your client list on home page readable without causing any issue hopefully.

Also try to achieve Average processing time below 3-5ms
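Added example, not part of any post in this thread: the two bind_hosts variants posted above differ in which interfaces AdGuard Home listens on, and 0.0.0.0 puts both the DNS listener and the admin UI on every interface, so reachability from outside the LAN then rests entirely on the firewall. The function names and the embedded sample excerpts are constructed for illustration, modelled on the two configs in the thread, and the parser assumes the schema_version 14 layout shown there.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an adguardhome.yaml in the
# schema_version 14 layout (file argument or stdin) and prints one line per
# listener: "<service> <address>:<port> <verdict>".
audit_agh_binds() {
    awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); gsub(/[" \t\r]/, "", s); return s }
    function verdict(a) { return (a == "0.0.0.0" || a == "::") ? "ALL-INTERFACES" : "scoped" }
    /^[^ \t#-]/   { section = $0; sub(/:.*/, "", section); inlist = 0 }
    /^bind_host:/ { web_host = val($0) }
    /^bind_port:/ { web_port = val($0) }
    section == "dns" && /^  bind_hosts:/ { inlist = 1; next }
    section == "dns" && inlist && /^[ \t]+-[ \t]/ {
        h = $0; sub(/^[ \t]+-[ \t]+/, "", h); gsub(/[" \t\r]/, "", h)
        hosts[++n] = h; next
    }
    inlist { inlist = 0 }    # any other line ends the bind_hosts list
    section == "dns" && /^  port:/ { dns_port = val($0) }
    END {
        printf "web %s:%s %s\n", web_host, web_port, verdict(web_host)
        for (i = 1; i <= n; i++)
            printf "dns %s:%s %s\n", hosts[i], dns_port, verdict(hosts[i])
    }' "$@"
}

# Number of listeners bound to every interface (0 means all are scoped).
count_wildcard_binds() {
    audit_agh_binds "$@" | awk '$3 == "ALL-INTERFACES" { c++ } END { print c + 0 }'
}

# Constructed excerpts modelled on the two configs posted in the thread.
sample_scoped() {
    printf '%s\n' 'bind_host: 192.168.1.1' 'bind_port: 8080' 'dns:' \
        '  bind_hosts:' '    - 192.168.1.1' '    - 127.0.0.1' '  port: 53' \
        '  upstream_dns:' "    - '[/lan/]127.0.0.1:54'"
}
sample_wildcard() {
    printf '%s\n' 'bind_host: 0.0.0.0' 'bind_port: 8080' 'dns:' \
        '  bind_hosts:' '    - 0.0.0.0' '  port: 53' \
        '  upstream_dns:' '    - https://dns.cloudflare.com/dns-query'
}

sample_wildcard | audit_agh_binds
```

On the router the file to pass is /etc/adguardhome.yaml, the path used in the first post. A wildcard bind is only a finding about the config; what is actually reachable still depends on the zone rules in the firewall.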

I'm thinking about keeping my AGH automatically updated with a daily cron job running the command "/opt/AdGuardHome/AdGuardHome --update"

Is there any "don't do it" reason I am missing?

Does anyone know how to get WireGuard working alongside Adguard Home? Adguard is installed as per the instructions above.

Thanks

I haven't tried both at the same time but I will try to help.

  1. Install the wireguard client on your router using opkg
  2. Download the appropriate wgcf binary release from Github https://github.com/ViRb3/wgcf if you are using Linux the "linux-amd64" binary
  3. Make the binary executable chmod a+x wgcf
  4. Run ./wgcf register
  5. Run ./wgcf generate
  6. Finally paste wgcf-profile.conf in Luci-Interface.

Once done with these steps lemme know

So AdGuard is set up the same as above but it’s listening on all interfaces because I can’t opkg update otherwise. And WireGuard is set up like this https://youtu.be/04q41GEPvKA any tips?

While installing AGH give it default DNS port 53 and set openwrt DNS port to 54.
In adguardhome.yaml change dns to only these interfaces:

dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1

Your network file is supposed to look like this after Wireguard installation:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ef88:4821:2f84::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth1'
	option username 'username'
	option ipv6 'auto'
	option peerdns '0'
	option password 'password'

config interface 'wireguard'
	option proto 'wireguard'
	option private_key 'privatekey='
	option peerdns '0'
	list dns '1.1.1.1'
	list addresses '2601:4500:124:8ef8:9ccf:abd9:7b95:196/128'
	list addresses '172.11.0.2/32'

config wireguard_wireguard
	option description 'wgcf-profile.conf'
	option public_key 'publickey='
	option endpoint_host 'engage.cloudflareclient.com'
	option endpoint_port '2408'
	option route_allowed_ips '1'
	option persistent_keepalive '25'   #If you're behind double-nat or else set to 0
	list allowed_ips '::/0'
	list allowed_ips '0.0.0.0/0'

But with these settings, the wireguard interface is not protected by Adguardhome. Is that correct?

I haven't tried but theoretically it should in my opinion. I will try this setup later but until now someone try it out and let me know

It doesn’t work for me, however I have

dns:
  bind_hosts:
    - 0.0.0.0

Because I can’t opkg update otherwise, it’s bugged for me. Does Wireguard need to be added to the AGH client settings? And what about upstream servers for AGH?