[How-To-Updated 2021] Installing AdGuardHome on OpenWrt [Manual and opkg method]

I got no problems with this:

# AdGuard Home DNS listener addresses: one LAN address plus loopback,
# listed explicitly instead of binding to every interface.
dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1

127.0.0.1 is basically localhost, so it should work.

Does Wireguard need to be added to the AGH client settings? And what about upstream servers for AGH?

I'll install it on my router later and report back


Thank you!

@FredFromTheFarm @norbertjoni Okay good news. Took me an hour to make it work since wireguard with cloudflare wasn't working for me somehow. I managed to make AGH work under wireguard. So you get both features simultaneously. This guide will be divided in three sections:

  1. Setting up wireguard on a clean firmware.
  2. Setup AGH
  3. (Optional) My configs for the reference. So let's begin-

1. Wireguard

  • Reset your router add your wan (for me is pppoe) and make sure internet is working.
  • Install luci-app-wireguard then restart router.
  • Now you need public and private keys. Download the appropriate wgcf binary release from GitHub https://github.com/ViRb3/wgcf. Make the binary executable: chmod a+x wgcf. Run ./wgcf register. Now run ./wgcf generate. You'll have wgcf-account.toml and wgcf-profile.conf files. We need only wgcf-profile.conf in this setup (it contains the WireGuard private key, so keep the file private).
  • Go to Luci > Network > Interfaces > Add new interfaces. Name: vpn. Protocol: Wireguard VPN
  • In general settings at the bottom import your wgcf-profile.conf.
  • Make sure it added both (IPv4 & IPv6) addresses. Go to Firewall Settings and assign the interface to the wan zone.
  • In Peers, Allowed IPs should be: ::/0 and 0.0.0.0/0. Enable Route Allowed IPs. If you're behind NAT then Persistent Keep Alive: 25, or else 0. Save.

Wireguard should be working now.

2.Setting up AdguardHome under wireguard

  • Install AGH from opkg. (Mine was pre-compiled with image)
  • Network > DHCP and DNS. Change DNS server port: 54
  • Go to AGH setup page 192.168.1.1:3000
  • First grid All interfaces. Port:8080. Second grid All Interfaces: Port:53.
  • Next Upstream DNS servers: 192.168.1.1:54 (Optional)Bootstrap DNS servers: 8.8.8.8 & 8.8.4.4. Apply.
    Restart router and test DNS leak to confirm.
  1. My configs just for the reference-
    Network:
# OpenWrt network configuration as posted for reference: loopback, a LAN
# bridge, a PPPoE WAN and a WireGuard interface named 'vpn' with one peer.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fead:530c:4436::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# LAN address of the router; the AdGuard Home settings in this thread bind to it.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# 'username' / 'pass' are placeholders for the PPPoE credentials. The real
# values sit in this file in clear text, so scrub them before sharing it.
config interface 'wan'
	option proto 'pppoe'
	option device 'eth1'
	option username 'username'
	option password 'pass'
	option ipv6 'auto'

# WireGuard interface. private_key is this device's secret key; the value shown
# looks scrubbed by the poster (filler characters). Whoever holds the real key
# can act as this peer, so it must not be published.
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'WJasdfasdfasdfEIbtrGp9padsfasdf9QiWEW4='
	option peerdns '0'
	list dns '1.1.1.1'
	list addresses '2533:4500:120:7293:71e1:6eec:f234:4374/128'
	list addresses '172.16.0.2/32'

# Peer for the 'vpn' interface (section type wireguard_<interface name>).
# public_key identifies the remote endpoint and is not secret.
# allowed_ips '::/0' and '0.0.0.0/0' together with route_allowed_ips '1' send
# all IPv4 and IPv6 traffic through the tunnel.
# persistent_keepalive '25' is the value the guide gives for a router behind NAT.
config wireguard_vpn
	option description 'wgcf-profile.conf'
	option public_key 'cmYOD+F1FxEHF4dyiK5H2/1SUtzH0JuCo62h3wQfgPo='
	option endpoint_host 'engage.cloudflareclient.com'
	option endpoint_port '2408'
	list allowed_ips '::/0'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

firewall:


# OpenWrt firewall configuration as posted for reference: global defaults, a
# lan and a wan zone, lan -> wan forwarding, and a set of allow rules for
# traffic arriving from the wan zone.

# Global fallback policies. The zone sections below set their own policies.
# NOTE(review): input 'ACCEPT' here presumably applies to interfaces that are
# not assigned to any zone; confirm every interface is in a zone.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# The WireGuard interface 'vpn' is a member of the wan zone, so traffic coming
# in through the tunnel is treated like WAN traffic: input and forward are
# rejected, and outgoing traffic is masqueraded (masq '1') with MSS clamping
# (mtu_fix '1').
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'vpn'

# LAN clients may forward into the wan zone, which includes the tunnel.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below accept specific traffic whose source zone is wan. Because
# 'vpn' belongs to that zone, they also cover traffic arriving via the tunnel.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Router answers IPv4 echo requests from the wan zone.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD messages are accepted only from link-local sources (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ESP and UDP/500 (ISAKMP) are forwarded from wan to lan.
# NOTE(review): only useful if a LAN host terminates IPsec; otherwise these two
# rules open a forward path that nothing uses.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Pulls in the miniupnpd firewall script, so UPnP/NAT-PMP port mapping is
# presumably installed; with it, LAN devices can request inbound port forwards.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

adguardhome.yaml:

# AdGuard Home web interface and login settings.
# The admin UI listens on the router's LAN address only, port 8080.
bind_host: 192.168.1.1
bind_port: 8080
beta_bind_port: 0
# 'username' / 'password' are placeholders. In a real file the password field
# holds a bcrypt hash, not the clear-text password.
users:
  - name: username
    password: password
# Login throttling: after 5 failed attempts the client is blocked for 15 minutes.
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
# pprof debugging endpoint stays off.
debug_pprof: false
# Web session lifetime in hours (720 h = 30 days).
web_session_ttl: 720
# DNS server settings of AdGuard Home.
dns:
  # Listen on the LAN address and loopback only, not on every interface.
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
  port: 53
  statistics_interval: 1
  # Query log is kept in memory and on disk for 2160h (90 days).
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 2160h
  querylog_size_memory: 1000
  # Client IPs are stored in full in the log and statistics.
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  # Per-client rate limit (requests per second); ANY queries are refused.
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  # Single upstream: the router's own DNS server, which the guide moves to
  # port 54. The query travels as plain DNS on the router itself.
  upstream_dns:
    - 192.168.1.1:54
  upstream_dns_file: ""
  bootstrap_dns:
    - 8.8.8.8
    - 8.8.4.4
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  # No client allow/deny list: any host that can reach the listener may query
  # it, so access is limited only by bind_hosts and the firewall.
  allowed_clients: []
  disallowed_clients: []
  # Queries for these names (commonly used to fingerprint a resolver) are blocked.
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  # Only loopback is trusted to supply forwarded client addresses.
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  # DNSSEC and EDNS Client Subnet are both off.
  enable_dnssec: false
  edns_client_subnet: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  # Blocklist filtering on, lists refreshed every 24 hours; parental control,
  # safe search and safe browsing are off.
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams: []
  serve_http3: false
  use_http3_upstreams: false
# Encryption settings. TLS is disabled, so the admin UI is served over plain
# HTTP and no DoH/DoT/DoQ listener is offered; the ports below are unused
# while enabled is false.
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
# Blocklists, fetched over HTTPS from the AdGuard hostlists registry.
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
whitelist_filters: []
user_rules: []
# AdGuard Home's built-in DHCP server is not used.
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
# Sources used to label clients; whois and rdns lookups are enabled here.
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: ""
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: false
# No user/group is configured here.
# NOTE(review): presumably the process keeps the identity it was started with; confirm.
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 14

Note: In the above file I changed bind_hosts to 192.168.1.1 & 127.0.0.1 instead of all interfaces, i.e. 0.0.0.0. Everything still works.


When I use the following code:

echo "Router IPv6 : ""${NET_ADDR6}"

Output is:

2008:832e:42bf:c1f0::1

It was found that the IPv6 address was distributed by the ISP and was not a static address. Instead, the address changed automatically from time to time, or when the router was rebooted.

Because of this situation,

The address (2008:832e:42bf:c1f0::1) I filled in on Advertised IPv6 DNS server is not available even if updated.

Although there is an address like fdf5:d7df:343::1 in the second column of the advertised IPV6 dns server.

Is this normal?

If this is not normal, what should be done about it?

Thank you!

English is not my native language. I use translation software for the above content.

Maybe this is the problem? So I think it's normal

Thank you, it's working fine :slight_smile:
But one thing to mention:

Wireguard != https://github.com/ViRb3/wgcf
Wgcf is for cloudflare warp.

Cloudflare warp is a VPN and wireguard is a protocol. You use VPN with that protocol which provides better speed than normal warp

Hello everyone, I would like to join the thread :slight_smile:

I'm thinking of replacing my Pihole + unbound combo and running AdGuard directly on my OpenWrt router.
I have now read a lot of things and installed AdGuard in my OpenWrt test system (VM) to test a few things first.
Now I have a few, I think, smaller questions before I really want to install on my main system.

I understand because I want to use DNS over HTTPS in AdGuard, "unbound" is no longer absolutely necessary. I also want to keep it as simple as possible. Just install AdGuard Standard in OpenWrt.

@mercygroundabyss or anyone else.

  1. I have successfully installed according to the wiki @mercygroundabyss WIKI. So that would be the opkg variant and is it currently up to date correct?

  2. The thread here is about the manual installation and is apparently recommended? The opkg variant is now also version 107 and I don't care that the logs are gone after a reboot. So can I just use the opkg variant?

  3. When I installed AdGuard using the installation instructions in the wiki, I not need to do the points 1-3 from @AlanDias17 LINK correctly?.

Sorry if this are stupid questions, I'm just not sure yet and I'd rather ask more than too little.

Ok I have been able to answer most of the questions myself. I would just like to know if anyone knows how often the opkg package is updated? It is a little behind with the version compared to github.

Another question, I have enough space on my router and unfortunately no USB port. Therefore I can not route /opt to an USB Stick.
But I thought it would be better to save the lifetime of the storage from the router it is not good to leave a software that generates many logs on the "disk" of the router. E.g. on a Rasperry Pi with a SD card, such log paths are often moved to the memory. Isn't that also a problem here with /opt then? Otherwise, I'll just leave it in the /opt path now and watch how that is growing or how many changes will there.

Thank you for this long and detailed thread. It helped me a lot to understand the whole topic better.

Yes. I'm using opkg version as well. Working 10/10. You can save logs by creating partition on your sdcard. I can walk through you if you want (I'm using RPi4).

  1. When I installed AdGuard using the installation instructions in the wiki, I not need to do the points 1-3 from @AlanDias17 LINK correctly?.

Disable Use DNS servers advertised by peer so that it'll only use provided dns from adguard.
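Disabling Rebind protection is necessary; it's also documented in the wiki. It avoids unnecessary errors, but it also turns off dnsmasq's DNS-rebinding check.
AdGuard's DNS should be on port 53 so that it, rather than OpenWrt's own DNS server (moved to port 54), intercepts all DNS queries.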

Thanks Alan for your answers and your help.....

I have now tried both versions and I now found the manual variant via Github good because I am then up to date with the versions, I loved the dark modus :slight_smile:
Everything worked fine but what is really stupid is that as soon as I activate filter lists that I want my storage space on the device is no longer sufficient.
Everything is installed under /opt and unfortunately I have no USB port to expand. I install directly on a router.

The opkg variant I also found great and I had more space available because the data is under /tmp and I have more space available there. That the data does not survive a reboot I do not care.
Disadvantage with opkg variant I think that it is not up to date and I never know when it will be up to date.

So I'm unsure which variant I should take and at the moment I don't know how to solve my space problem.... If I work with the Github variant, a symlink might work with which I can change the path /opt/data/filters to / tmp/data/filters show.

With the opkg variant I would have no memory problem but not the latest version.

EDIT:
I think I'll have to choose the opkg variant and hope someone will update the opkg. Who is responsible for this? How about opkg packages? I have no idea how that takes place.


Finally, my report what I've done now.
In fact, the opkg variant didn't fit on my router either, as my router only has about 30MB of disk space. The adguardhome binary located under /usr/bin, which is directly in the root file system, already has 36MB.
So unfortunately I can't also installed the opkg variant on my router without space problems.
What I have done now is create an NFS share on my NAS, which is also online 24/7, and mount it under /opt.
Only the router is authorized on the NFS share and another firewall is running on the NAS, I think the NFS share is sufficiently protected.
So and that's why I was now able to simply install the github version that stores all of its large data under /opt.
It's working fine so far, but I'll keep testing until I transfer it to my productive router. It is currently only running on a test system.

As far as I can see, this is the only way to install AdGuardHome on my current "small" router. Until I eventually own a larger router or one with a USB port.


Package Makefile: Compress Binary with UPX - For Developers - OpenWrt Forum You can try this to compress binary files before installing. It might work? I tried UPX for AGH but it didn't work. Funny UPX worked for other modules I had installed.

I got an 404 page not found error on adguard home.

Im getting this since I factory reset my router and updated to latest snapshot then install adguard home.
I tried to uninstall adguardhome or even reset my router again but no luck.
error:

root@Dynalink-WRX36:~# AdGuardHome -v -c /etc/adguardhome.yaml -w /var/adguardhome --no-check-update
2023/03/02 10:40:39.745614 30997#1 [info] AdGuard Home, version v0.107.24
2023/03/02 10:40:39.745779 30997#1 [debug] current working directory is /tmp/adguardhome
2023/03/02 10:40:39.745904 30997#1 [info] This is the first time AdGuard Home is launched
2023/03/02 10:40:39.746008 30997#1 [info] Checking if AdGuard Home has necessary permissions
2023/03/02 10:40:39.746503 30997#1 [info] AdGuard failed to bind to port 53: listen tcp 127.0.0.1:53: bind: address already in use
Please note, that this is crucial for a DNS server to be able to use that port.
2023/03/02 10:40:39.746613 30997#1 [info] AdGuard Home can bind to port 53
2023/03/02 10:40:39.746689 30997#1 [info] AdGuard Home updates are disabled
2023/03/02 10:40:39.749778 30997#1 [debug] filtering: initialized 48 services
2023/03/02 10:40:39.750143 30997#1 [debug] dhcpd: warning: creating dhcpv4 srv: dhcpv4: invalid IP is not an IPv4 address
2023/03/02 10:40:39.751201 30997#1 [debug] clients: removed 0 client aliases
2023/03/02 10:40:39.751318 30997#1 [debug] clients: added 0 client aliases from dhcp
2023/03/02 10:40:39.751445 30997#1 [info] Initializing auth module: /tmp/adguardhome/data/sessions.db



Try deleting /etc/adguardhome.yaml file. Maybe it'll fix your problem

actually, there is no adguardhome.yaml because it only shows 404 page not found when visiting 192.168.1.1:3000 (no set up done)

I've got this problem, too. I'm on the most recent snapshot build for my Xiaomi AX3600 router. Adguardhome was installed successfully, runs but the WebIF shows "404 not found". I stopped the service and manually created the /etc/adguardhome.yaml configuration file. Now, adguardhome is working fine, but I cannot enter the web interface, still 404. What's the cause of this? OpenWrt opkg ships version 107.

# AdGuard Home web interface and login settings, as written by hand by the poster.
# The admin UI is bound to every interface (0.0.0.0) on port 3000 and no user
# is defined, so the interface needs no login; who can reach it is decided by
# the firewall alone.
# NOTE(review): bind to the LAN address and add a user once the UI is reachable.
bind_host: 0.0.0.0
bind_port: 3000
users: []
# Login throttling values; they have no effect while the users list is empty.
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
debug_pprof: false
# Web session lifetime in hours (720 h = 30 days).
web_session_ttl: 720
# DNS server settings of AdGuard Home.
dns:
  # Listen on loopback and one LAN address (masked by the poster as xx.yy).
  bind_hosts:
    - 127.0.0.1
    - 192.168.xx.yy
  port: 53
  # Client IPs are stored in full in the log and statistics.
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: ""
  safebrowsing_block_host: ""
  # Per-client rate limit (requests per second); ANY queries are refused.
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  # Upstream, bootstrap and PTR lookups all go to a resolver on 127.0.0.1:5353.
  # NOTE(review): which service listens there is not shown in the post.
  upstream_dns:
    - 127.0.0.1:5353
  upstream_dns_file: ""
  bootstrap_dns:
    - 127.0.0.1:5353
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  # No client allow/deny list: any host that can reach the listener may query it.
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts: []
  # Only loopback is trusted to supply forwarded client addresses.
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  # DNSSEC and EDNS Client Subnet are both off.
  enable_dnssec: false
  edns_client_subnet: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  # Blocklist filtering on, lists refreshed every 24 hours.
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 127.0.0.1:5353
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
# Encryption settings. TLS is disabled, so the admin UI is served over plain
# HTTP and no DoH/DoT/DoQ listener is offered.
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
# Query log is kept in memory and on disk for 2160h (90 days).
querylog:
  enabled: true
  file_enabled: true
  interval: 2160h
  size_memory: 1000
  ignored: []
statistics:
  enabled: true
  interval: 1
  ignored: []
# Blocklists. Several are third-party lists pulled straight from the master
# branch of a repository, so whoever controls those files controls what gets
# blocked after the next update.
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: false
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
    name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
    id: 1625359387
  - enabled: true
    url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
    name: Scam Blocklist by DurableNapkin
    id: 1625359388
  - enabled: true
    url: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
    name: The Big List of Hacked Malware Web Sites
    id: 1625359389
  - enabled: true
    url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
    name: https://github.com/StevenBlack/hosts
    id: 1625359390
  - enabled: true
    url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
    name: https://firebog.net/  - OSINT.digitalside.it
    id: 1625359391
  - enabled: true
    url: https://v.firebog.net/hosts/Easyprivacy.txt
    name: https://firebog.net/  - EasyPrivacy
    id: 1625359393
  - enabled: false
    url: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
    name: https://www.github.developerdan.com/hosts/
    id: 1633201708
# Allowlist. Entries here are exempted from blocking, so this source deserves
# the same trust scrutiny as the blocklists above.
whitelist_filters:
  - enabled: true
    url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
    name: https://github.com/anudeepND/whitelist
    id: 1625359392
user_rules: []
# AdGuard Home's built-in DHCP server is not used.
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
# Sources used to label clients; reverse-DNS lookups are off, whois is on.
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: false
    dhcp: true
    hosts: true
  persistent: []
log_file: ""
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: false
# No user/group is configured here.
# NOTE(review): presumably the process keeps the identity it was started with; confirm.
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 16

@Catfriend1 @oneinchashh what's wrong with opkg v107? I'm using it and it's stable. Maybe manually restart the service from Luci?

The web page on port 3000 says 404.

What version of AGH? Also I recommend you to have released OpenWrt build.