[HowTo] Running Adguard Home on OpenWrt

Save any edits back, then you will need to restart the services.

e.g.:

/etc/init.d/AdGuardHome restart

or

/etc/init.d/dnsmasq restart

You will only need to restart the services you edit. A full router restart is a bit overkill but is another way to do it.

Adding the VLAN IPs to the bind_hosts did not work. Will check the dhcp settings later.

Do I need to copy the dhcp settings from lan to the VLANs also?

In theory you just need to have AdGuard listen on the VLAN interface.

You should get output like this in your system log:

OpenWrt - System Log - LuCI

Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.193966 [info] Starting the DNS proxy server
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.195685 [info] Ratelimit is enabled and set to 20 rps
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.198177 [info] The server is configured to refuse ANY requests
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.203706 [info] DNS cache is enabled
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.205092 [info] MaxGoroutines is set to 300
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.208523 [info] Creating the UDP server socket
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.220304 [info] Listening to udp://127.0.0.1:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.220552 [info] Creating the UDP server socket
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.221518 [info] Listening to udp://192.168.1.1:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.221773 [info] Creating the UDP server socket
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.223923 [info] Listening to udp://[::1]:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.225279 [info] Creating a TCP server socket
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.225959 [info] Listening to tcp://127.0.0.1:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.226202 [info] Creating a TCP server socket
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.226809 [info] Listening to tcp://192.168.1.1:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.227024 [info] Creating a TCP server socket
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.228025 [info] Listening to tcp://[::1]:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.236456 [info] Entering the UDP listener loop on 127.0.0.1:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.242263 [info] Entering the tcp listener loop on 127.0.0.1:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.244311 [info] Entering the tcp listener loop on 192.168.1.1:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.244804 [info] Entering the tcp listener loop on [::1]:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.244384 [info] Entering the UDP listener loop on 192.168.1.1:53
Sun Sep  5 17:43:28 2021 daemon.err AdGuardHome[3229]: 2021/09/05 16:43:28.248713 [info] Entering the UDP listener loop on [::1]:53

This is listening on the local loopback (127), local LAN (192) and IPv6 (::1) addresses.

One thing: you need to be VERY careful editing the yaml file. It is syntax dependent. Even an extra space will screw things up.
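A way to check log output like the above against the addresses you put in bind_hosts, as an added example that is not part of the original posts. The function name `missing_listeners`, the sample log lines and the addresses passed to it are constructed; only listeners logged after the most recent "Starting the DNS proxy server" line are counted, so entries from an earlier start are ignored.

```shell
#!/bin/sh
# Added example, not from the thread. Reads AdGuard Home syslog lines on stdin and
# prints "<address> <proto>" for each expected address with no listener loop logged.
missing_listeners() {
    awk -v want="$*" '
        # A fresh start invalidates listeners logged by an earlier run.
        /Starting the DNS proxy server/ { split("", seen) }
        / listener loop on / {
            proto = tolower($(NF - 4))      # "UDP" or "tcp" in the log
            addr = $NF
            sub(/:[0-9]+$/, "", addr)       # drop the port, keeps [::1] intact
            seen[proto " " addr] = 1
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) {
                k = "udp " w[i]; if (!(k in seen)) print w[i] " udp"
                k = "tcp " w[i]; if (!(k in seen)) print w[i] " tcp"
            }
        }'
}

# Constructed sample: an old run, then a restart where 192.168.10.1 got UDP only.
sample_log() {
    p='Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[1]: 2021/09/05 21:48:43.000 [info]'
    while read -r msg; do echo "$p $msg"; done <<'EOF'
Starting the DNS proxy server
Entering the UDP listener loop on 192.168.1.1:53
Entering the tcp listener loop on 192.168.10.1:53
Starting the DNS proxy server
Entering the UDP listener loop on 192.168.1.1:53
Entering the tcp listener loop on 192.168.1.1:53
Entering the UDP listener loop on 192.168.5.1:53
Entering the tcp listener loop on 192.168.5.1:53
Entering the UDP listener loop on 192.168.10.1:53
EOF
}

# On the router: logread -e AdGuardHome | missing_listeners 192.168.1.1 192.168.5.1
sample_log | missing_listeners 192.168.1.1 192.168.5.1 192.168.10.1
```

Empty output means every address you listed has both a UDP and a TCP listener in the current run.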

It seems like AdGuard has picked up the IPs in the yaml file:

Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[16214]: 2021/09/05 21:48:42.999918 [info] Entering the UDP listener loop on 192.168.5.1:53
Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[16214]: 2021/09/05 21:48:43.000283 [info] Entering the UDP listener loop on 192.168.10.1:53
Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[16214]: 2021/09/05 21:48:43.000664 [info] Entering the UDP listener loop on 192.168.15.1:53
Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[16214]: 2021/09/05 21:48:43.001033 [info] Entering the UDP listener loop on 192.168.20.1:53
Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[16214]: 2021/09/05 21:48:43.001391 [info] Entering the tcp listener loop on 192.168.15.1:53
Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[16214]: 2021/09/05 21:48:43.001491 [info] Entering the tcp listener loop on 127.0.0.1:53
Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[16214]: 2021/09/05 21:48:43.001578 [info] Entering the tcp listener loop on 192.168.1.1:53
Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[16214]: 2021/09/05 21:48:43.003016 [info] Entering the tcp listener loop on 192.168.3.1:53
Sun Sep  5 17:48:43 2021 daemon.err AdGuardHome[16214]: 2021/09/05 21:48:43.003122 [info] Entering the tcp listener loop on 192.168.5.1:53

Here is the only difference in the dhcp config:

```
config dnsmasq
	option ednspacket_max '1232'
```

Rest is identical.

Your lan looks quite a bit different than mine:

```
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option dhcpv6 'server'
	option ra 'server'
	option leasetime '24h'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
```

I will align it with yours next. Edit: no change.

Also, copying the additional lines from lan to one of the VLANs in the dhcp config did not work.

So far there is still an issue with DNS resolution. If I connect via Wifi and set the DNS manually, it works fine, but the automatic way does not work.

It works for the "lan" but not for any of the VLANs

I ran out of ideas, maybe one of you has one or two left

You only need 2 of them. Take the first pair and delete the rest.

You aren't actually serving DHCP to your VLANs btw. That's probably your issue. They are simple static assignments.

Go to your interface page and look at the DHCP page for it. Then check out your VLANs.

Assign the same dhcp options but for that VLAN subnet and enable dhcp. Save it, and then when you look in the dhcp file you will see it has filled in settings similar to your LAN settings. That's the missing bit you require.
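The check described above can also be run from the shell. This added example (not from the thread) audits a dhcp config for each interface you name: whether a pool exists, whether it is disabled, which DNS server it hands out via DHCP option 6, and whether any dhcp_option line is duplicated. The function name `audit_dhcp`, the interface names vlan5, vlan10 and vlan15, and the sample config are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an OpenWrt dhcp config on stdin and
# reports on the DHCP pool of each interface named as an argument.
audit_dhcp() {
    awk -v want="$*" -v q="'" '
        { gsub(q, "") }                          # strip the quotes uci puts around values
        $1 == "config" { sec = ($2 == "dhcp") ? $3 : ""; next }
        sec == "" { next }                       # ignore dnsmasq and other sections
        $1 == "option" && $2 == "interface" { secof[$3] = sec }
        $1 == "option" && $2 == "ignore" && $3 == "1" { off[sec] = 1 }
        $1 == "list" && $2 == "dhcp_option" {
            if (cnt[sec " " $3]++ == 1) print sec ": duplicate dhcp_option " $3
            if ($3 ~ /^6,/) dns[sec] = substr($3, 3)
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) {
                s = secof[w[i]]
                if (s == "")       print w[i] ": no dhcp pool configured"
                else if (s in off) print w[i] ": dhcp disabled (ignore 1)"
                else if (s in dns) print w[i] ": hands out DNS " dns[s]
                else               print w[i] ": no dhcp_option 6 (dnsmasq default applies)"
            }
        }'
}

# Constructed sample modelled on the thread: lan repeats options, vlan15 has no section.
sample_dhcp() {
    cat <<'EOF'
config dnsmasq
    option ednspacket_max '1232'
config dhcp 'lan'
    option interface 'lan'
    list dhcp_option '6,192.168.1.1'
    list dhcp_option '3,192.168.1.1'
    list dhcp_option '6,192.168.1.1'
    list dhcp_option '3,192.168.1.1'
config dhcp 'vlan5'
    option interface 'vlan5'
    option ignore '1'
config dhcp 'vlan10'
    option interface 'vlan10'
    list dhcp_option '6,192.168.10.1'
EOF
}

sample_dhcp | audit_dhcp lan vlan5 vlan10 vlan15
```

On the router, feed it the real file: `audit_dhcp lan vlan5 < /etc/config/dhcp`.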

I could have thought of that one myself …

This worked, thanks so much! Next stop: restricting access between VLANs and restricting internet access from one VLAN

I have another question. AdGuard is running really well on my laptop, and also with different VLANs etc, the requests are in the AdGuard log. My iPad is connected to the same VLAN and Wi-Fi, but none of the connections are in AdGuard. Is there something specific I need to do?

Check that it is correctly using the right IP settings. Check it's using the AdGuard DNS and not using its own.

iOS likes to do its own thing at times. See iOS 13.3 using DoH (DNS over HTTPS) to bypass Pi-Hole : pihole (reddit.com)

If you want to lock things down? [OpenWrt Wiki] DNS hijacking

Firewall rules to enforce your Adguard DNS to be the only DNS and to block other outgoing attempts.

Just make sure you have an exclusion for your router and Adguard or you will find yourself DNSless.

How do I do that? As it is part of a vlan it shows the vlan dns/gateway

Check your settings for the iPad. (Apparently Settings > General > Device Management may have settings that might override DNS resolution.) I don't use Apple so have no clue on management of them.

Cloudflare ESNI Checker | Cloudflare UK

https://www.dnsleaktest.com/

Check what DNS it's using. (Edit: don't forget to reboot it so the DNS cache is purged.)

Hi everyone,
I tried to install WireGuard and had to reboot my router. It seems like this crashed the AdGuard Home setup. I did not change anything on the DNS side yet. I cannot open the AdGuard config URL anymore, which means to me it did not get started properly. I already deleted the WireGuard interface and firewall zone for now, but internet does not work anymore, as I assume DNS is not working.

How can I get the AdGuard back up? I tried

/etc/init.d/AdGuardHome restart

And

/etc/init.d/dnsmasq restart

It seemed like the page was loading and then stopped working

Thanks for a quick solution

It worked for a minute or so and then we are back to broken :frowning:

Of course I also forgot my credentials - how can I get to those?

And how can I get around AdGuard Home in case it continues to act up?

SSH in and check the syslog or use luci and look at the syslog there.
OpenWrt - System Log - LuCI

logread is the command you need from the SSH prompt.

Cheat. Edit your adguard yaml file to the following

```yaml
users:
- name: admin
  password: $2a$10$Jh8aYu1S9.SayAY5emmiEeYpAYmoFOPYhdwogc6lXZTNyytsGVQAa
auth_attempts: 5
```

That changes the name and password to admin and admin.


OK, back online - thanks!

Two more questions:

  1. Is there a way to change the password? Do I need to find the md5 value of my password and put it into the file?

  2. AdGuard offers to upgrade to a new version: "AdGuard Home v0.107.0-a.161+fac574d3 is now available! Click here for more info". Is that recommended and can I just click on the link or do I need to jump through more hoops?

Thanks again!

  1. Yes. There's been discussion on a number of their issues about being able to change settings that you currently can only change via setting up again or manually editing the YAML file. I believe it's a 108-tagged update, however.
     * `users` — Web users info
       * `name` — User name
       * `password` — BCrypt-encrypted password
  2. Yes. Click and it should download, update and restart AdGuard. It does have a nasty habit of failing if you don't have disk space (as I found out after a couple of updates filled my root partition).

In the meantime, I am going to try this approach - let's see:

Configuration · AdguardTeam/AdGuardHome Wiki · GitHub (github-wiki-see.page)

New question :smiley: :grinning_face_with_smiling_eyes:
I would like to install WireGuard and have a few interfaces run through that by default. Can I still use AGH for DNS and still be "protected"?

The actual page is Configuration · AdguardTeam/AdGuardHome Wiki (github.com)

Also looks like password is bcrypt and not md5.

As for WireGuard: no clue. Never used it. From what I remember, however, you need to be careful with VPN tunnels. Doing split DNS can result in DNS leakage. However, as AdGuard is in your control it's probably less of an issue. Just something to think about. IIRC most VPN providers get you to use their DNS.
