Yes, I think so. Use wgcf to obtain credentials.
Current setup doesn't work...
```
config interface 'WGSERVER'
	option proto 'wireguard'
	option private_key '...'
	option listen_port '47362'
	list addresses '10.0.49.1/24'

config wireguard_WGSERVER
	option description 'VPN-xxx-GL-MT6000'
	option public_key '...'
	option private_key '...'
	option preshared_key '...'
	list allowed_ips '10.0.49.2/32'
	option route_allowed_ips '1'
```
Peer:

```
[Interface]
PrivateKey = ...
Address = 10.0.49.2/32
# ListenPort not defined
DNS = 192.168.152.1 # GL-MT6000 (AGH-DNS)

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.150.14:47362 # main router before GL-MT6000 (AGH-DNS)
# PersistentKeepalive not defined
```
Which VPN are you using? The settings I showed are for Cloudflare Warp using WireGuard.
```
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxx'
	option peerdns '0'                 # disables automatic DNS
	list dns '1.1.1.1'                 # Cloudflare DNS
	list addresses '2606:4700xxxxxx'   # provided by your VPN
	list addresses '172.xxxx/32'

config wireguard_wg0
	option description 'wgcf-profile.conf'
	option public_key 'xxxxxxxxxx'
	option endpoint_host 'engage.cloudflareclient.com'  # host name of the Cloudflare Warp server endpoint; this is where WG will connect to establish the VPN tunnel
	option endpoint_port 'xxxx'
	list allowed_ips '::/0'            # enables routing all traffic through the VPN tunnel
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'   # if you're behind double NAT: prevents NAT from closing the connection if inactive
	option route_allowed_ips '1'       # automatically routes all allowed IPs into the WG tunnel
```
Every line is important, so don't skip any of it.
To simplify network configuration, install AGH and WG on your primary router. This will allow you to centralize network management. Also, enable DHCP only on this router to ensure consistent IP address assignment.
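The reply above maps each line of a wgcf profile onto an OpenWrt UCI `wireguard` interface by hand. As an added example (not code from this thread or from wgcf), the helper below does that mapping mechanically: it parses a wg-quick style `[Interface]`/`[Peer]` file and emits the corresponding `uci` commands. The sample profile, its addresses, keys and endpoint port are constructed placeholders, and the interface name `wg0` is assumed.

```python
# Constructed sample in the shape of a wgcf-profile.conf; keys, addresses and port are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER=
Address = 172.16.0.2/32, 2606:4700:110:8000::1/128
DNS = 1.1.1.1
[Peer]
PublicKey = PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:51820
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Return (interface_dict, [peer_dicts]); every value is a list split on commas."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})
        else:                                        # split on the FIRST '=' only,
            key, _, value = line.partition("=")      # base64 keys end with '=' padding
            current[key.strip()] = [v.strip() for v in value.split(",")]
    return interface, peers

def to_uci(interface, peer, name="wg0"):
    """Emit the UCI commands that build the interface and peer sections shown above."""
    host, _, port = peer["Endpoint"][0].rpartition(":")  # rpartition copes with [v6]:port
    p = f"network.@wireguard_{name}[-1]"                 # the peer section added below
    cmds = [f"uci set network.{name}=interface",
            f"uci set network.{name}.proto='wireguard'",
            f"uci set network.{name}.private_key='{interface['PrivateKey'][0]}'",
            f"uci set network.{name}.peerdns='0'"]       # keep the tunnel's DNS out of dnsmasq
    cmds += [f"uci add_list network.{name}.addresses='{a}'" for a in interface.get("Address", [])]
    cmds += [f"uci add_list network.{name}.dns='{d}'" for d in interface.get("DNS", [])]
    cmds += [f"uci add network wireguard_{name}",
             f"uci set {p}.public_key='{peer['PublicKey'][0]}'",
             f"uci set {p}.endpoint_host='{host.strip('[]')}'",
             f"uci set {p}.endpoint_port='{port}'",
             f"uci set {p}.route_allowed_ips='1'"]
    if "PresharedKey" in peer:
        cmds.append(f"uci set {p}.preshared_key='{peer['PresharedKey'][0]}'")
    if "PersistentKeepalive" in peer:
        cmds.append(f"uci set {p}.persistent_keepalive='{peer['PersistentKeepalive'][0]}'")
    cmds += [f"uci add_list {p}.allowed_ips='{ip}'" for ip in peer["AllowedIPs"]]
    return cmds + ["uci commit network"]
```

Run the output through `sh` on the router and follow it with `/etc/init.d/network restart`; review the printed commands first, since the private key ends up in `/etc/config/network`.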
I do not use a "commercial" VPN.
I use:
- a main router - DynDNS + port forwarding
- a second router as WG server + AGH

Goal:
The WG client should connect from outside to the WG server.

Instead of

```
list dns '1.1.1.1'   # Cloudflare DNS
```

I thought to use the main router. The same with

```
option endpoint_host 'engage.cloudflareclient.com'   # sets the host name of the Cloudflare Warp server endpoint; this is where WG will connect to establish the VPN tunnel
option endpoint_port 'xxxx'
```

...
Is my thought process correct?
I've no clue then; maybe you should create a new post and ask there.
No problem.
Many thanks for your commitment anyway!
Neuro
Alan, I found the root cause... I had forgotten to forward the correct IP address of the router...
Many thanks again for your commitment!
Neuro
Here a method to intercept DNS is described that appears to work with devices that use IPv4, IPv6 and DoH: https://virtualize.link/hardcoded-dns/#adguardhome
Is there a way to write this firewall rule and procedure for OpenWrt?
One question: shouldn't the "noresolv" option be set to 1? Because at 0 it will consult the "resolv.conf" file, which in my case, for example, has DNS 1.1.1.1 configured. Wouldn't that be bypassing AdGuard?
Good afternoon friends. Help me set up AdGuard, please! Xiaomi Redmi Router AX6S, OpenWrt 23.05.5. I currently have 8 devices connected, 7 of them via Wi-Fi and one via cable. But in the interface they are shown as one client. It is the router. What did I do wrong? Thank you.
Please post the yaml file.
No. At noresolv 0 it will not use the specified DNS.
```yaml
http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.1.1:8080
  session_ttl: 720h
users:
  - name: a
    password: PW
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 192.168.1.1
  port: 5353
  anonymize_client_ip: false
  ratelimit: 20
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist:
  refuse_any: true
  upstream_dns:
    - https://dns10.quad9.net/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns:
  upstream_mode: load_balance
  fastest_timeout: 1s
  allowed_clients:
  disallowed_clients:
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain:
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset:
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks:
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 127.0.0.1:53
  use_dns64: false
  dns64_prefixes:
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored:
  interval: 720h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored:
  interval: 168h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
    name: github
    id: 1732313406
whitelist_filters:
user_rules:
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options:
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: UTC
    ids:
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites:
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 12
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent:
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: UTC
        ids:
      name: Ane
      ids:
        - 02:00:c5:a6:f5:1e
      tags:
        - device_phone
      upstreams:
      uid: 00000600-4795-258f-ba9c-33bea3cea50d
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
log:
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 28
```
Add 127.0.0.1 in bind_hosts:

```yaml
bind_hosts:
  - 192.168.1.1
  - 127.0.0.1
```

Change local PTR:

```yaml
local_ptr_upstreams:
  - 192.168.1.1:53
```

Honestly you should reconfigure AGH again so AGH will have the default DNS server port 53 and OpenWrt should have 54, or whatever. Just scroll up, I've explained it somewhere in the thread.
- Added
- I have the same )
Reboot, same
I have tried reinstalling several times. I deleted, cleaned and reinstalled.
At the first screen where the interface is selected, it says port 53 is busy and does not allow me to continue. Just change the port.
You'll first have to change the OpenWrt DNS port to 54, then set up AdGuard Home with port 53.
I uninstalled ADG. I changed the DNS forwarding to 192.168.1.1#54, then rebooted the router. I installed ADG and again it says port 53 is busy. Is there anything else I need to do to change the port on OpenWrt? Thanks
- Delete the yaml file using WinSCP. Reboot the router (or just restart the AGH service).
- Go to OpenWrt > Network > DHCP & DNS > Devices & Ports > DNS server port. Change its value to 54.
- Log in to AGH. It'll show you the AGH setup again (since you deleted the yaml file); then set the DNS server port to 53 (make AGH your default DNS handler).
- Then make the other changes I mentioned, like Bind Host and local PTR.
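The steps above and the earlier bind_hosts/local_ptr_upstreams advice describe one port layout: dnsmasq moved off 53, AGH on 53 and also bound to 127.0.0.1, and reverse lookups for the LAN handed to dnsmasq. The checker below is an added example (not part of this thread or of AdGuard Home) that lints a loaded `dns` section of AdGuardHome.yaml against that layout, including the case where `local_ptr_upstreams` points back at AGH's own listener and would loop. It assumes the `dns` section has been loaded into a dict (for instance with `yaml.safe_load`) and that the dnsmasq port is read from OpenWrt; the two sample configs are constructed from the values quoted in the thread.

```python
# Added example, not from the thread: lint the AdGuard Home <-> dnsmasq port layout the
# replies describe.  `agh_dns` is the 'dns' section of AdGuardHome.yaml loaded as a dict
# (e.g. with yaml.safe_load); `dnsmasq_port` is OpenWrt's "DNS server port" value.

def check_dns_handoff(agh_dns, dnsmasq_port):
    """Return a list of problems; an empty list means the layout matches the replies' advice."""
    problems = []
    agh_port = agh_dns.get("port")
    binds = agh_dns.get("bind_hosts", [])
    if agh_port == dnsmasq_port:
        problems.append(f"AGH and dnsmasq both want port {agh_port} ('port 53 is busy')")
    elif agh_port != 53:
        problems.append(f"AGH listens on {agh_port}; LAN clients look for a resolver on 53")
    if "127.0.0.1" not in binds:
        problems.append("127.0.0.1 missing from bind_hosts: the router's own lookups skip AGH")
    for up in agh_dns.get("local_ptr_upstreams", []):
        host, sep, port = up.rpartition(":")
        if not sep:                                   # a bare address means port 53
            host, port = up, "53"
        if host in binds and int(port) == agh_port:
            problems.append(f"local_ptr_upstreams {up} points back at AGH itself (loop)")
        elif int(port) != dnsmasq_port:
            problems.append(f"local_ptr_upstreams {up} does not reach dnsmasq on {dnsmasq_port}")
    if not agh_dns.get("upstream_dns"):
        problems.append("upstream_dns is empty")
    return problems

# Constructed from the yaml posted above: AGH on 5353, dnsmasq still on 53.
POSTED = {"port": 5353, "bind_hosts": ["192.168.1.1"],
          "local_ptr_upstreams": ["127.0.0.1:53"],
          "upstream_dns": ["https://dns10.quad9.net/dns-query"]}
# The layout the replies ask for: AGH on 53 (also bound to 127.0.0.1), dnsmasq moved
# to 54, and reverse lookups for the LAN sent to dnsmasq on that port (assumed here).
FIXED = {"port": 53, "bind_hosts": ["192.168.1.1", "127.0.0.1"],
         "local_ptr_upstreams": ["192.168.1.1:54"],
         "upstream_dns": ["https://dns10.quad9.net/dns-query"]}

if __name__ == "__main__":
    for label, cfg, dport in (("posted", POSTED, 53), ("fixed", FIXED, 54)):
        print(label, check_dns_handoff(cfg, dport) or "ok")
```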
I don't have such a parameter in OpenWrt > Network > DHCP and DNS > Devices and Ports > DNS Server Port. Only port forwarding. Changed. Still (.
Then I tried to completely remove it again, with port 54 set. Reinstalled; the result is on the screen. Probably either I'm doing something wrong (although ADG works and blocks ads), or there is a conflict between OWRT and ADG.