[HowTo] Running Adguard Home on OpenWrt

Dumb question; doesn't adblock do the same as adguard?

Not dumb, yes, it does. However, adguard has some pretty cool features.

Yes, per Adguard it is much more complete and beautiful.

Maybe I should give it a go :slight_smile: Running divested build and dnscrypt-proxy 2 and adblock at the moment.

I am kind of struggling with this, it's confusing what to change where, where to use configs and where to use the interface. Here is what I am trying to do. I have a WRT1900ACS, with Draytek vigor 300 as my modem, worked ootb when flashing openWRT, didn't have to change WAN settings. I want to have: Adguard Home and Unbound, but dnsmasq confuses me, I get double queries with what I have for now, using luci-app-adguard and manually installed AdGuard Home to /etc/AdguardHome. Installed unbound and I think it's working, I set upstream to 127.0.0.1:5335 in AdGuardHome and bootstrap DNS servers to 127.0.0.1. It appears to be working, DNS queries are really long to start with, which is consistent with my experience with AGH + unbound on my raspberry pi. I want to use AGH as my DHCP so that I can see clients and not just 192.168.1.1 in queries, this was required on my RPI to see IPs, but on here somehow IPs are detected without AGH being the DHCP server. I am very confused on how to set this all up.

Here are the double queries as I have shown earlier, instead of just happening with my PC IP like I had on the RPi in the past, I get a query on the PC IP AND also the router IP. Sometimes only the router IP shows up.

Edit: Perhaps I should skip unbound, now that I think about it, AGH supports all the security goodies, maybe I am overcomplicating things, I would still like to solve the dual query thing and probably use AGH as my DHCP server, but not sure how to work with dnsmasq, the existence of both web ui AND file config makes this more complicated in my mind.

2021-07-04T23:00:00Z

Right. Having done a clean install of OpenWrt 21.02.0-rc3. I've knocked up a script to make it a one click (well an SSH and chmod) install. (This is NOT the bleeding edge AdGuard. This is the current opkg install via OpenWRT. AdGuard Home, version 0.104.3, channel release, arch linux mips)

installadguard.sh

#!/bin/sh
# Switch to Adguard setup

# Install AdGuard Home and the CA certificate packages
opkg install adguardhome ca-certificates ca-bundle

# Move dnsmasq off port 53 and stop it reading the ISP-provided resolv file
uci set dhcp.@dnsmasq[0].cachesize='1000'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].server='192.168.1.1'
uci set dhcp.@dnsmasq[0].port='5353'
# Hand out the router as DNS server (option 6) and gateway (option 3)
uci add_list dhcp.lan.dhcp_option='6,192.168.1.1'
uci add_list dhcp.lan.dhcp_option='3,192.168.1.1'
uci set dhcp.lan.leasetime='24h'
# Ignore the DNS servers announced by the ISP on WAN
uci set network.wan.peerdns='0'

# Save changes
uci commit dhcp
uci commit network

# Restart network + dnsmasq service to reflect changes
/etc/init.d/network restart
/etc/init.d/dnsmasq restart

echo 'Go to http://192.168.1.1:3000 and install AdGuard.'

Couple of notes about this.
This moves dnsmasq from port 53 to 5353 (so it is there in the background if you want to do forwarding or to run it as a backup).
This also uses DHCP options to set router and DNS settings (options 3 and 6). If you are NOT using 192.168.1.1 you probably should change those lines :slight_smile:
It also changes DHCP leases to 24hrs, and sets it to IGNORE your upstream ISP DNS (because you want to use AdGuard's DNS, right?)
AdGuard out of the box uses Quad9 but you can easily change the settings once you have it running.

When you go to the AdGuard setup page http://192.168.1.1:3000 (note it is NOT HTTPS), make sure you set the port it will use to something OTHER than 80, as LuCI is living there. I just use 8080 for simplicity.

Select your interface and make sure the DNS takes port 53 and you are good to go.

Debugging issues.

/usr/bin/AdGuardHome -c /etc/adguardhome.yaml -w /tmp/adguardhome --no-check-update

If AdGuard fails to start, SSH in and run this manually. YAML files are REALLY picky if you screw up an edit :smiley:

Cloudflare ESNI Checker | Cloudflare UK

Use that to ensure you are secure. (Make sure you tick Secure DNS on the DNS Configuration page. It's in the middle section.) It is NOT ticked by default. Also ensure your upstream hosts can do DNSSEC.

Stopping dnsmasq and odhcpd and disabling them in services will enable you to use AdGuard's DHCP server; however, there are issues with this.

The leases are saved in /tmp/adguardhome/leases.db and thus when the router reboots that data will be lost unless you have some sort of USB storage and the tmp folder remapped to it.

There is an issue filed to have the static leases moved into the yaml file like the clients are currently kept, but this is outstanding at present. Ability to edit "DHCP static leases" entry after its saved · Issue #1700 · AdguardTeam/AdGuardHome (github.com)

They are improving Adguard to trim down the logging and save space but this is a work in progress.
OpenWRT version needs shorter query log retention options due to free space limitations · Issue #2504 · AdguardTeam/AdGuardHome (github.com)
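
A check for the layout the install script above is meant to produce, as an added example that is not part of the original post: it reads `uci show` output and flags dnsmasq still holding port 53, ISP DNS still being accepted, or clients being handed anything other than the router as DNS server and gateway. The function names and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Feed it the text printed by
# `uci show dhcp; uci show network`. ROUTER_IP defaults to 192.168.1.1.

# Print the raw value of one exact uci key held in $cfg. No regex is
# used, so the [0] in dhcp.@dnsmasq[0] is compared literally.
get_opt() {
    printf '%s\n' "$cfg" | awk -v k="$1" '{
        i = index($0, "=")
        if (i && substr($0, 1, i - 1) == k) { print substr($0, i + 1); exit }
    }'
}

fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

# check_agh_layout [ROUTER_IP]: prints one line per finding and returns 0
# only when the layout matches what the install script sets up.
check_agh_layout() {
    router_ip=${1:-192.168.1.1}
    cfg=$(cat)
    problems=0
    # dnsmasq must leave port 53 to AdGuard Home (unset means 53).
    case "$(get_opt 'dhcp.@dnsmasq[0].port')" in
        ''|"'53'") fail "dnsmasq still listens on port 53" ;;
    esac
    # ISP resolvers must be ignored, or queries can bypass the filter.
    [ "$(get_opt 'dhcp.@dnsmasq[0].noresolv')" = "'1'" ] ||
        fail "dnsmasq noresolv is not 1"
    [ "$(get_opt 'network.wan.peerdns')" = "'0'" ] ||
        fail "wan peerdns is not 0"
    # Clients must get the router, and only the router, as DNS server
    # (option 6) and gateway (option 3).
    opts=" $(get_opt 'dhcp.lan.dhcp_option') "
    for want in "6,$router_ip" "3,$router_ip"; do
        case "$opts" in
            *" '$want' "*) ;;
            *) fail "DHCP option '$want' is not advertised as-is" ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: option 6 also hands clients a second resolver.
SAMPLE="dhcp.@dnsmasq[0].port='5353'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.lan.dhcp_option='6,192.168.1.1,9.9.9.9' '3,192.168.1.1'
network.wan.peerdns='0'"
printf '%s\n' "$SAMPLE" | check_agh_layout || echo "layout check failed"
```

On the router, the real input comes from `{ uci show dhcp; uci show network; } | check_agh_layout 192.168.1.1`, run after the install script has finished.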

Is there a reason to use this script over what is listed on GitHub? Is the official script buggier than yours?

Automated install (Linux and Mac)

Run the following command in your terminal:

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

If you install from scratch using their script you'll have the more up-to-date version. Mine was just to migrate settings, to make the opkg installable version (which is behind the AdGuard Home release version) easier and more consistent.
The official script installs AdGuard to /opt/AdGuardHome and doesn't appear to create a default yaml file.
I'm going to try the official version and see if it fixes some issues I'm having later this week. (DHCP v6 is not working, nor will it configure correctly.)

Ah, does the non-opkg version not have a means to update safely/cleanly? In that case perhaps I should try opkg instead of waiting to hear back what you find since bleeding edge isn't critical to me I think and I'd prefer automatic update.

The issue is that the OpenWRT version is significantly behind AdGuard's. It's v104 vs 107.
There are a number of critical patches that fix things, but the major issue is that the DNS/DHCP in AdGuard is sorely lacking. I'm struggling to find some proper documentation, and reading the issues on their GitHub, they acknowledge that it has issues and needs some clean up. It's actually causing me enough problems that I may switch DHCP back to OpenWRT and just use AdGuard for DNS.

It's not unfixable, but they are in need of some patching to ensure better compatibility with OpenWRT and to improve their DHCP issues (v4 DHCP is fine; it's v6 DHCP and additional options that need work).

Issues like this (which is fixed now but is not fixed in the OpenWRT version) https://github.com/AdguardTeam/AdGuardHome/issues/3053 are kinda concerning as it is basic stuff that should have been in from the get go.

Additionally, you can define "Clients" via AdGuard and they are saved in the yaml file, but DHCP lease reservations are saved in the dhcp file, which lives on the /tmp partition and is thus lost when you reboot your router. Now if you have a permanent USB-hosted /tmp it's not an issue, but for the bulk of OpenWRT routers this is an issue. There is an open issue for getting DHCP leases to be saved in the yaml file like the client tags, but it is still outstanding from last year.

In theory it should be a simplish fix, but it's a key one as you essentially have to redo your reservations because of it. Also, the db file they use is non-standard and thus I don't think you can back it up and replace it? (I've not tried, but I haven't figured out how it all works.) It's just... irritating, and thus for now, till issues like that are fixed, I will redo my router so OpenWRT handles DHCP v4 and v6 and just use AdGuard for the DNS. It's a bit sad though, because in disabling DHCP on OpenWRT and just using AdGuard I got a good chunk of router memory back (I think about 20mb), which on a 128mb router is significant.

:edit: just to clarify this. It was a combination of switching from RC1 to RC3 and then disabling OpenWRT's dnsmasq and odhcpd, so there are most likely some other savings in there too.

Let me know how your experience goes. I'm drawn in by the expressed efforts to eventually block stuff like sponsored ads that aren't captured via the DNS sinkhole methodology which I don't see Adblock doing in the future, but if even stable is that unstable/buggy perhaps I'll stick with Adblock for a good while yet.

The potential is definitely there. It just needs some polishing and tweaking.
It is a major rip and replace to make AdGuard do both DNS and DHCP. It does the DNS fine; it's just the DHCP that has issues. I just wanted it "simple", to make the network management easier, as you had additional config to do if OpenWRT was doing DHCP, but you could mitigate that by putting the Client data in AdGuard. I figured that swapping it all to AdGuard would remove the extra configuration issues. Regrettably that is not the case. In time improvements will make it possible, but I would not recommend using it in this fashion at this time.

By all means use it for DNS blocking, but be aware that the DHCP issues are a problem. It also crashes due to out of memory errors. (I suspect that trimming the query logging down to 24hrs may improve things. It takes about a week before things get unstable. A reboot clears things up, but that isn't a good fix when you have to rebuild the config as those tmp files are purged.)
:edit: I should make this clear: that is with the 104 version. I have yet to move to the latest AdGuard release and it's possible they have fixed some of the issues.

Plzz Help me I have same problem, and I spent 3 days but couldn't find a fix. Plzzz Help I really tired.

(:edit: I didn't realise TheHellSite had his issue solved. Edited to remove him)

@khang.nguyenan6868 How did you install Adguard? Are you using the opkg install or did you install via the script on the adguard page? Do you have the ca-certificates or ca-bundles installed?

What does wget 'https://dns.google/' return when you try from an SSH shell?

wget 'https://dns.google/'
Downloading 'https://dns.google/'
Connecting to 8.8.8.8:443
Writing to 'index.html'

Download completed (1383 bytes)

I installed on the operating system openwrt 19, I download sure from https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.0-b.4
then I used Winscp to copy the file to my Pi 3, and I proceeded to extract and run, before that I followed the instructions https://forum.openwrt.org/t/howto-running-adguard-home-on-openwrt/51678, when I log in I get the error


and when i add the purge feature i get this error.

I know I'm missing some certificate, but I tried to find a fix from Google but I can't. Can you help me?

Thank you and very much appreciated

Wait. So you have OpenWrt running on your router and want AdGuard running on your Pi?

Just run their install script on your Pi. Not on your router. Then u will just need to point your router DNS at the newly setup Adguard on your Pi.

But if your router is powerful enough you may be able to run Adguard directly on your router.