@FredFromTheFarm @norbertjoni Okay, good news. It took me an hour to make it work, since WireGuard with Cloudflare wasn't working for me somehow. I managed to make AGH work under WireGuard, so you get both features simultaneously. This guide is divided into three sections:
1. Setting up WireGuard on a clean firmware.
2. Setting up AGH.
3. (Optional) My configs, for reference. So let's begin.
1. WireGuard
Reset your router, add your WAN (for me it's PPPoE) and make sure the internet is working.
Install luci-app-wireguard, then restart the router.
Now you need a public and a private key. Download the appropriate wgcf binary release from GitHub: https://github.com/ViRb3/wgcf. Make the binary executable with chmod a+x wgcf. Run ./wgcf register, then run ./wgcf generate. You'll now have the files wgcf-account.toml and wgcf-profile.conf. We only need wgcf-profile.conf in this setup.
Go to LuCI > Network > Interfaces > Add new interface. Name: vpn. Protocol: WireGuard VPN.
In General Settings, at the bottom, import your wgcf-profile.conf.
Make sure it added both (IPv4 & IPv6) addresses. Go to Firewall Settings and choose the wan zone.
In Peers, Allowed IPs should be ::/0 and 0.0.0.0/0. Enable Route Allowed IPs. If you're behind NAT, set Persistent Keep Alive to 25, otherwise 0. Save.
WireGuard should be working now.
2. Setting up AdGuard Home under WireGuard
Install AGH from opkg. (Mine was pre-compiled with the image.)
Network > DHCP and DNS. Change the DNS server port to 54.
Go to the AGH setup page: 192.168.1.1:3000
First grid: All interfaces, Port: 8080. Second grid: All interfaces, Port: 53.
Next, Upstream DNS servers: 192.168.1.1:54. (Optional) Bootstrap DNS servers: 8.8.8.8 & 8.8.4.4. Apply.
Restart the router and run a DNS leak test to confirm.
3. My configs, just for reference.

Network:

```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fead:530c:4436::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth1'
	option username 'username'
	option password 'pass'
	option ipv6 'auto'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'WJasdfasdfasdfEIbtrGp9padsfasdf9QiWEW4='
	option peerdns '0'
	list dns '1.1.1.1'
	list addresses '2533:4500:120:7293:71e1:6eec:f234:4374/128'
	list addresses '172.16.0.2/32'

config wireguard_vpn
	option description 'wgcf-profile.conf'
	option public_key 'cmYOD+F1FxEHF4dyiK5H2/1SUtzH0JuCo62h3wQfgPo='
	option endpoint_host 'engage.cloudflareclient.com'
	option endpoint_port '2408'
	list allowed_ips '::/0'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
```
Firewall:

```
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
```
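The LuCI profile import in the guide above can also be done headlessly. The script below is an added example, not code from the post, from OpenWrt or from the wgcf project: it parses a wgcf-profile.conf (standard WireGuard INI layout) and emits the UCI commands that produce the `vpn` interface and `wireguard_vpn` peer sections shown in the reference config, including `peerdns '0'` so the tunnel's advertised resolver does not displace the AGH/dnsmasq chain. Before anything is written it checks that both keys decode to exactly 32 bytes, which catches a truncated copy-paste of a key. The embedded sample profile is constructed with dummy keys, and the names `to_uci`, `check_key`, `behind_nat` and `SAMPLE_PROFILE` are this example's own. Adding `vpn` to the wan zone is left to the firewall step of the guide.

```python
"""Convert a wgcf-profile.conf into OpenWrt UCI commands (added example)."""
import base64

# Constructed sample with dummy keys: bytes 0..31 and 32..63 base64-encoded.
# A real profile from `wgcf generate` has the same layout.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
Address = 172.16.0.2/32, fd00:dead:beef::2/128
DNS = 1.1.1.1
MTU = 1280

[Peer]
PublicKey = ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:2408
"""


def parse_wg_conf(text):
    """Parse WireGuard INI text into an ordered list of (section, {key: [values]}).

    Repeated keys and comma-separated values are both expanded, as wg-quick
    accepts either form. Section and key names are lower-cased.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip().lower(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (p.strip() for p in line.split("=", 1))  # base64 '=' padding stays in value
        values = [v.strip() for v in value.split(",") if v.strip()]
        current[1].setdefault(key.lower(), []).extend(values)
    return sections


def check_key(b64, label):
    """A WireGuard key is 32 raw bytes; reject anything that does not decode to that."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"{label}: not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"{label}: expected a 32-byte key, got {len(raw)} bytes")
    return b64


def q(value):
    """Single-quote a value for the shell, escaping embedded single quotes."""
    return "'" + value.replace("'", "'\\''") + "'"


def to_uci(text, iface="vpn", behind_nat=True):
    """Return the list of uci commands equivalent to importing the profile in LuCI."""
    sections = parse_wg_conf(text)
    interfaces = [s for name, s in sections if name == "interface"]
    peers = [s for name, s in sections if name == "peer"]
    if len(interfaces) != 1 or not peers:
        raise ValueError("expected exactly one [Interface] and at least one [Peer]")
    itf = interfaces[0]
    cmds = [
        f"uci set network.{iface}=interface",
        f"uci set network.{iface}.proto='wireguard'",
        f"uci set network.{iface}.private_key={q(check_key(itf['privatekey'][0], 'PrivateKey'))}",
        # Keep the router's own resolvers (dnsmasq/AGH) instead of the peer's advertised DNS.
        f"uci set network.{iface}.peerdns='0'",
    ]
    cmds += [f"uci add_list network.{iface}.addresses={q(a)}" for a in itf.get("address", [])]
    cmds += [f"uci add_list network.{iface}.dns={q(d)}" for d in itf.get("dns", [])]
    if "mtu" in itf:
        cmds.append(f"uci set network.{iface}.mtu={q(itf['mtu'][0])}")
    for peer in peers:
        sec = f"network.@wireguard_{iface}[-1]"  # the section `uci add` just created
        cmds.append(f"uci add network wireguard_{iface}")
        cmds.append(f"uci set {sec}.public_key={q(check_key(peer['publickey'][0], 'PublicKey'))}")
        if "presharedkey" in peer:
            cmds.append(f"uci set {sec}.preshared_key={q(check_key(peer['presharedkey'][0], 'PresharedKey'))}")
        host, port = peer["endpoint"][0].rsplit(":", 1)  # also handles [v6-literal]:port
        cmds.append(f"uci set {sec}.endpoint_host={q(host.strip('[]'))}")
        cmds.append(f"uci set {sec}.endpoint_port={q(port)}")
        cmds += [f"uci add_list {sec}.allowed_ips={q(n)}" for n in peer.get("allowedips", [])]
        cmds.append(f"uci set {sec}.route_allowed_ips='1'")
        # 25 s keepalive behind NAT (as in the guide), 0 disables it.
        cmds.append(f"uci set {sec}.persistent_keepalive={q('25' if behind_nat else '0')}")
    cmds.append("uci commit network")
    return cmds


if __name__ == "__main__":
    print("\n".join(to_uci(SAMPLE_PROFILE)))
```

Run it with the real wgcf-profile.conf piped in (`python3 wgcf2uci.py < wgcf-profile.conf`, after swapping `SAMPLE_PROFILE` for `sys.stdin.read()`), review the output, then paste it into the router's shell followed by `/etc/init.d/network reload`.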
I found that the IPv6 address distributed by the ISP is not a static address. Instead, the address changes automatically from time to time, or when the router is rebooted.
Because of this situation,
the address (2008:832e:42bf:c1f0::1) I filled in under Advertised IPv6 DNS server is not available, even after updating.
Although there is an address like fdf5:d7df:343::1 in the second column of the advertised IPv6 DNS server.
Is this normal?
If this is not normal, what should be done about it?
Thank you!
English is not my native language. I used translation software for the above content.
I'm thinking of replacing my Pi-hole + unbound combo and running AdGuard directly on my OpenWrt router.
I have now read a lot and installed AdGuard in my OpenWrt test system (VM) to test a few things first.
Now I have a few, I think, smaller questions before I really want to install it on my main system.
I understand that because I want to use DNS over HTTPS in AdGuard, "unbound" is no longer absolutely necessary. I also want to keep it as simple as possible: just install AdGuard standard in OpenWrt.
I have successfully installed it according to the wiki by @mercygroundabyss (WIKI). So that would be the opkg variant, and is it currently up to date, correct?
This thread is about the manual installation and that is apparently recommended? The opkg variant is now also version 107 and I don't care that the logs are gone after a reboot. So can I just use the opkg variant?
When I installed AdGuard using the installation instructions in the wiki, I don't need to do points 1-3 from @AlanDias17 (LINK), correct?
Sorry if these are stupid questions, I'm just not sure yet and I'd rather ask too much than too little.
Ok, I have been able to answer most of the questions myself. I would just like to know if anyone knows how often the opkg package is updated? It is a little behind in version compared to GitHub.
Another question: I have enough space on my router but unfortunately no USB port. Therefore I cannot move /opt to a USB stick.
But I thought it would be better to preserve the lifetime of the router's storage; it is not good to leave software that generates many logs on the "disk" of the router. E.g. on a Raspberry Pi with an SD card, such log paths are often moved to memory. Isn't that also a problem here with /opt, then? Otherwise, I'll just leave it in the /opt path for now and watch how it grows or how many changes there are.
Thank you for this long and detailed thread. It helped me a lot to understand the whole topic better.
Yes, I'm using the opkg version as well. Working 10/10. You can save the logs by creating a partition on your SD card. I can walk you through it if you want (I'm using an RPi4).
When I installed AdGuard using the installation instructions in the wiki, I don't need to do points 1-3 from @AlanDias17 (LINK), correct?
Disable "Use DNS servers advertised by peer" so that it'll only use the DNS provided by AdGuard.
Disabling Rebind protection is necessary; it's also documented in the wiki. It'll ignore unnecessary errors.
AdGuard DNS should be on 53 so it intercepts all DNS queries rather than the host OpenWrt (on 54).
I have now tried both versions and I found the manual variant via GitHub good, because I am then up to date with the versions; I loved the dark mode.
Everything worked fine, but what is really stupid is that as soon as I activate the filter lists I want, the storage space on the device is no longer sufficient.
Everything is installed under /opt and unfortunately I have no USB port to expand. I install directly on the router.
I also found the opkg variant great and I had more space available, because the data is under /tmp and I have more space available there. That the data does not survive a reboot I do not care about.
The disadvantage of the opkg variant, I think, is that it is not up to date and I never know when it will be.
So I'm unsure which variant I should take and at the moment I don't know how to solve my space problem.... If I work with the GitHub variant, a symlink might work with which I can point the path /opt/data/filters to /tmp/data/filters.
With the opkg variant I would have no storage problem, but not the latest version.
EDIT:
I think I'll have to choose the opkg variant and hope someone will update the opkg package. Who is responsible for this? How do opkg packages work? I have no idea how that takes place.
Finally, my report on what I've done now.
In fact, the opkg variant didn't fit on my router either, as my router only has about 30MB of disk space. The adguardhome binary located under /usr/bin, which is directly in the root file system, is already 36MB.
So unfortunately I can't install the opkg variant on my router without space problems either.
What I have done now is create an NFS share on my NAS, which is also online 24/7, and mount it under /opt.
Only the router is authorized on the NFS share and another firewall is running on the NAS; I think the NFS share is sufficiently protected.
So that's why I was now able to simply install the GitHub version, which stores all of its large data under /opt.
It's working fine so far, but I'll keep testing until I transfer it to my production router. It is currently only running on a test system.
As far as I can see, this is the only way to install AdGuardHome on my current "small" router, until I eventually own a larger router or one with a USB port.
I got a 404 page not found error on AdGuard Home.
I'm getting this since I factory reset my router, updated to the latest snapshot and then installed AdGuard Home.
I tried to uninstall AdGuard Home and even reset my router again, but no luck.
Error:

```
root@Dynalink-WRX36:~# AdGuardHome -v -c /etc/adguardhome.yaml -w /var/adguardhome --no-check-update
2023/03/02 10:40:39.745614 30997#1 [info] AdGuard Home, version v0.107.24
2023/03/02 10:40:39.745779 30997#1 [debug] current working directory is /tmp/adguardhome
2023/03/02 10:40:39.745904 30997#1 [info] This is the first time AdGuard Home is launched
2023/03/02 10:40:39.746008 30997#1 [info] Checking if AdGuard Home has necessary permissions
2023/03/02 10:40:39.746503 30997#1 [info] AdGuard failed to bind to port 53: listen tcp 127.0.0.1:53: bind: address already in use
Please note, that this is crucial for a DNS server to be able to use that port.
2023/03/02 10:40:39.746613 30997#1 [info] AdGuard Home can bind to port 53
2023/03/02 10:40:39.746689 30997#1 [info] AdGuard Home updates are disabled
2023/03/02 10:40:39.749778 30997#1 [debug] filtering: initialized 48 services
2023/03/02 10:40:39.750143 30997#1 [debug] dhcpd: warning: creating dhcpv4 srv: dhcpv4: invalid IP is not an IPv4 address
2023/03/02 10:40:39.751201 30997#1 [debug] clients: removed 0 client aliases
2023/03/02 10:40:39.751318 30997#1 [debug] clients: added 0 client aliases from dhcp
2023/03/02 10:40:39.751445 30997#1 [info] Initializing auth module: /tmp/adguardhome/data/sessions.db
```
I've got this problem, too. I'm on the most recent snapshot build for my Xiaomi AX3600 router. AdGuard Home was installed successfully and runs, but the web interface shows "404 not found". I stopped the service and manually created the /etc/adguardhome.yaml configuration file. Now AdGuard Home is working fine, but I still cannot enter the web interface: still 404. What's the cause of this? OpenWrt opkg ships version 107.