[How-To-Updated 2021] Installing AdGuardHome on OpenWrt [Manual and opkg method]

Hi!
What is the backup DNS server in this AGH setup - for the cases when AGH becomes unresponsive? Is there any?
I followed the instructions, got AGH running for a while, but it got totally unresponsive after some time, bringing down DNS resolving for any client. AGH is installed on external drive (/opt) - lack of space should not be an issue. Only a couple of blocklists, which supposedly should be OK for LinksysWRT1900ACS to handle.
Any suggestions on where to look to fix this?
Thank you!

Please post your yaml, dhcp and firewall files

Hi!

Apologies for the late reply. The settings are below.

Thank you!

yaml:

bind_host: 0.0.0.0
bind_port: 8080
users:
  - name: ____
    password: ____
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: auto
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
    - 127.0.0.1
    - ::1
    - 172.17.73.11
    - fd6f:e08a:d5ae::1
  port: 53
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  protection_disabled_until: null
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - https://family.adguard-dns.com/dns-query
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '[/pool.ntp.org/]1.1.1.1'
    - '[/pool.ntp.org/]1.0.0.1'
    - '[/pool.ntp.org/]2606:4700:4700::1111'
    - '[/pool.ntp.org/]2606:4700:4700::1001'
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  safe_search:
    enabled: false
    bing: false
    duckduckgo: false
    google: false
    pixabay: false
    yandex: false
    youtube: false
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 172.17.73.11:54
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  ignored: []
  interval: 2160h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  ignored: []
  interval: 24h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt
    name: WindowsSpyBlocker - Hosts spy rules
    id: 1680717706
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: ""
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 20

dhcp:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '0'
	option cachesize '1000'
	option rebind_protection '0'
	option port '54'
	list server '172.17.73.11'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option leasetime '24h'
	list dhcp_option '6,172.17.73.11'
	list dhcp_option '3,172.17.73.11'
	list dns 'fd6f:e08a:d5ae::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

firewall:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

I'd suggest you start from default settings.
The only changes you have to make in DHCP are to turn off rebind_protection and set the DNS port to 54.

In Network > WAN, disable "Use DNS servers advertised by peer".

Refer my yaml file:

bind_host: 192.168.1.1
bind_port: 8080
beta_bind_port: 0
users:
  - name: ____________
    password: ___________
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
  port: 53
  statistics_interval: 1
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 2160h
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '[/lan/]127.0.0.1:54'
    - '[//]127.0.0.1:54'
    - '[/pool.ntp.org/]1.1.1.1'
    - '[/pool.ntp.org/]1.0.0.1'
    - '[/pool.ntp.org/]8.8.8.8'
    - '[/pool.ntp.org/]8.8.4.4'
    - https://dns.cloudflare.com/dns-query
    - https://dns.google/dns-query
    - https://doh.opendns.com/dns-query
    - https://blitz.ahadns.com
    - https://dns.nextdns.io
    - https://basic.rethinkdns.com
  upstream_dns_file: ""
  bootstrap_dns:
    - 1.1.1.1
    - 1.0.0.1
    - 8.8.8.8
    - 8.8.4.4
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 3600
  cache_ttl_max: 86400
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 192.168.1.1:54
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
    name: OISD Blocklist Full
    id: 1678555417
  - enabled: false
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_5.txt
    name: OISD Blocklist Basic
    id: 1678555418
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: ""
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 14

Noted; if there's enough space for AGH then it shouldn't be a problem.

In DNS bind_host add only your router IP and 127.0.0.1.

Thanks! The major difference in yaml files was in bind_host line. I used 0.0.0.0, not the router IP. Changed this.

I also found out that my USB dongle (plugged into USB 3.0) with AGH installed was at times not properly handled / seen by OpenWrt. This may have been the reason for the "unresponsive" AGH. I plugged the dongle into USB 2.0. For now it seems to be working OK.

Still, any idea how to ensure fallback to OpenWrt internal DNS resolver if AGH is for whatever reason not available / not performing?


Don't know if this will work, but try adding the AGH IP followed by the router IP with its port under "Use custom DNS servers".

A bit of a curiosity. I have used this guide previously to set up AdGuard successfully; however, now that I have changed ISPs, the setup doesn't seem to make as much sense to me anymore. For context and for diagnostic purposes of the reader, my topology looks as follows: FTTP ONT -> x86 router (with OpenWRT 22.03.3 installed) with PPPoE as the WAN interface with VLAN ID tag 911 and an IPv6 address assigned by the ISP -> Belkin RT3200 dumb AP (with a master OpenWRT build installed) providing Wi-Fi.

Adguard DNS settings as follows:


Now for the part where I am a bit confused and am hoping for some pointers. The Adguard dashboard is reporting that it is indeed getting DNS queries from my router, but a DNS leak test shows that my ISP is acting as the DNS resolver.

How do I ensure that Adguard is indeed forwarding all the traffic to my preferred DNS resolver?

Make sure to untick "Use DNS servers advertised by peer" in the Network > WAN section.

Then you have to add the port forward and NAT rule as below:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'AdGuardHome DNS Interception'
	option src_ip '!192.168.1.1'
	option dest_ip '192.168.1.1'
	option dest_port '53'

config nat
	option name 'Prevent hardcoded DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '53'
	option target 'MASQUERADE'
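The two stanzas in the reply above are written for a router at 192.168.1.1. As an added example (not code from the thread, from OpenWrt or from AdGuard Home), the function below renders the same redirect and NAT sections for whatever LAN address you pass it, after checking that the argument is a well-formed IPv4 address, so the text can be appended to /etc/config/firewall on a router that uses a different LAN range. The '!' in `src_ip` is what excludes the router itself from the interception, which is the exclusion asked about further down the thread. The function only prints; the appending and `/etc/init.d/firewall restart` are left to the operator.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenWrt/AdGuard Home.
# Renders the DNS-interception redirect and NAT stanzas for a given LAN address.

# is_ipv4 ADDR: return 0 if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
    addr=$1
    # Reject anything that is not digits and dots, or has empty fields.
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    oldifs=$IFS
    IFS=.
    for octet in $addr; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# gen_dns_intercept LAN_IP: print a redirect section that DNATs port 53 from
# LAN clients (except the router itself, via the '!' negation) to AdGuard Home
# on the router, followed by the MASQUERADE rule from the reply above.
gen_dns_intercept() {
    lan_ip=$1
    is_ipv4 "$lan_ip" || {
        echo "gen_dns_intercept: '$lan_ip' is not an IPv4 address" >&2
        return 1
    }
    cat <<EOF
config redirect
	option name 'AdGuardHome DNS Interception'
	option src 'lan'
	option src_ip '!${lan_ip}'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '${lan_ip}'
	option dest_port '53'
	option target 'DNAT'

config nat
	option name 'Prevent hardcoded DNS'
	option src 'lan'
	list proto 'tcp'
	list proto 'udp'
	option dest_ip '${lan_ip}'
	option dest_port '53'
	option target 'MASQUERADE'
EOF
}

# Usage: sh gen_dns_intercept.sh 192.168.2.1 >> /etc/config/firewall
if [ $# -gt 0 ]; then
    gen_dns_intercept "$1"
fi
```

Validating the address before interpolating it matters because the output is a configuration file: a stray shell fragment in the argument would otherwise end up inside the firewall config verbatim.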

Thank you Alan. It turned out I had forgotten that I switched wan6 interface protocol which had a knock-on effect on the settings.

Hi,

I take it this is in /etc/config/firewall?

Thanks

Since setting up AGH I'm finding that my router crashes (or at least becomes unresponsive) after an indeterminate amount of time. I suspect it's falling foul to some kind of memory leak caused by AGH (eg: https://github.com/AdguardTeam/AdGuardHome/issues/5606). I've set a task to restart AGH once a day which I hoped would be enough.

Before jumping to conclusions though, is there a way to determine if it is in fact AGH or not some other issue brought forward by it? Basically, how does one attain logs on a crash?

I'm running AGH v0.107.21 on OpenWrt 22.03.5. For me there's no memory leak issue, or at least I've never faced one. LuCI > Status > System Log can give you more info.

Great guide, I installed AdGuardHome using opkg.

I failed in 4 things:

  1. Did not understand how to make the openwrt.lan URL work again with AdGuard as DNS resolver. I enabled rDNS but nothing changed. Is that related?
  2. Did not manage to add the firewall rules in order to prevent DNS hijacking. Basically the custom firewall rule tab is no longer there in LuCI, and I do not know how to exclude the router and AdGuard from those DNS hijacking firewall rules.
  3. Did not manage to enable DNS encryption on AdGuardHome. I am having trouble adding any SSL certificate. The procedures in the GitHub wiki are not clear to me.
  4. Can't find why the stats that appear in the AdGuardHome dashboard get reset after each router reboot. I do not have any USB port on my router but it has plenty of free memory! BTW, OpenWRT statistics in LuCI are also lost after reboot...

Thanks in advance for any help.

Has anyone managed to actually run this with any kind of stability? I've had nothing but issues in the month or so since I moved to it: dropped DNS, filters not loading, memory leaks and router crashes. This is on an armv7 256 MB machine.

I really like the idea but given how important DNS is I've kinda lost faith in this as a real option, versus adblock which had uptime into the months.

Late to the party. Show me your network, firewall and AGH yaml files.

I wanted to move my AGH to an RPi, and before I start doing anything I just wanted to ask: will this OpenWrt configuration (excluding, of course, the parts that are directly about installing AGH on OpenWrt) work with AGH on another device? And if yes, I'm assuming I'd have to change the IP addresses in "${NET_ADDR}" and that's just it, right?

You'll have to make a few necessary changes like changing the IP (if it's required).


So, after reading ~200 comments, it's almost impossible to install a local version of AGH. I have it installed on another machine and it was one click, but here I see instructions that are just a mess of scripts, errors, mistakes... Or is there a new guide or something?

Hi. I see the warning that I need to edit the scripts if my LAN IP address is different from 192.168.1.1.

My LAN IP is 192.168.2.1.

Looking into the scripts, I don't understand what I need to edit. From my perspective, the install script must take the correct IP address from br-lan.
This code must take the correct IP address from br-lan (in my case 192.168.2.1), right?

# Get the first IPv4 and IPv6 Address of router and store them in following variables for use during the script.
NET_ADDR=$(/sbin/ip -o -4 addr list br-lan | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')
NET_ADDR6=$(/sbin/ip -o -6 addr list br-lan scope global | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')

What did I miss?
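To see what those two lines actually extract, here is an added example (not code from the thread or from the install script itself) that wraps the same awk expression in a function reading `ip -o` output from stdin and runs it over constructed sample output for a router whose LAN is 192.168.2.0/24. The sample lines are invented for this example; the second IPv4 line is there to show that only the first address on the interface is taken, and the empty-input case shows what happens when the interface name is wrong or the bridge is down.

```shell
#!/bin/sh
# Added example, not code from the original post or the install script.
# Same awk as the script's NET_ADDR/NET_ADDR6 lines, reading `ip -o` on stdin.

# first_addr: read `ip -o [-4|-6] addr list <iface>` output on stdin and print
# the address on the first line with its prefix length stripped. Prints nothing
# and returns 1 when there is no address line at all.
first_addr() {
    addr=$(awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Constructed sample of `ip -o -4 addr list br-lan` (two addresses on br-lan).
SAMPLE_V4='3: br-lan    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan\       valid_lft forever preferred_lft forever
3: br-lan    inet 10.0.0.1/24 brd 10.0.0.255 scope global secondary br-lan\       valid_lft forever preferred_lft forever'

# Constructed sample of `ip -o -6 addr list br-lan scope global`.
SAMPLE_V6='3: br-lan    inet6 fd6f:e08a:d5ae::1/60 scope global noprefixroute \       valid_lft forever preferred_lft forever'

# The two values the install script would store, computed from the samples.
net_addr_from_sample()  { printf '%s\n' "$SAMPLE_V4" | first_addr; }
net_addr6_from_sample() { printf '%s\n' "$SAMPLE_V6" | first_addr; }

# On a real router the same function is fed by the live command:
#   NET_ADDR=$(/sbin/ip -o -4 addr list br-lan | first_addr) || echo "no IPv4 on br-lan" >&2
echo "NET_ADDR=$(net_addr_from_sample)"
echo "NET_ADDR6=$(net_addr6_from_sample)"
```

The one thing the original lines do not do is fail loudly when the bridge has no address: the variable is silently empty and every later `${NET_ADDR}` substitution in the script becomes an empty string, which is why checking the result before using it is worthwhile.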

I would have a look at how long your dns logs are being kept for before they are deleted in the settings tab. These, I have found, can use all available space if a lot of traffic is being generated. Setting these up according to your available space could be helpful.