[HowTo] Running Adguard Home on OpenWrt

OpenWrt 19.07.7. That's the issue, I suppose.
Do you know if the issue on DNS and dnsmasq is resolved in the package in 21.02?
There's a lot of confusion on how to set up dnsmasq between OpenWrt and AdGuard Home. Perhaps the need to make changes in OpenWrt and AGH are resolved so it's automated, and not need to change ports, for example.
Thanks a lot.

Great find, too bad it does not say how to go about doing this, as stated on that link:
Adguard DNS and dnsmasq issues
If you use Adguard DNS as forwarder (to have a cheap and efficient network adblocker), you need to disable Rebind protection, to avoid lag or site unreachable due to Rebind protection.
If not, you can see a lot of this log in system.log, and have lag or host unreachable issues.
daemon.warn dnsmasq[xxx]: possible DNS-rebind attack detected: any.adserver.dns

Until now, none of the HowTos I've read on AGH mention this. I really hope that the package in 21.02 OpenWrt resolves all these issues. And it will be nice to know.
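Before turning rebind protection off globally, it helps to see which names dnsmasq is actually flagging. The script below is an added example (not from this thread or the OpenWrt wiki): it pulls those names out of logread output and emits uci commands for the dnsmasq rebind_domain allow-list, which keeps protection on for every other name. The log lines are constructed to match the warning quoted above; if the forwarder returns private addresses for every blocked name, this list grows without bound and the global toggle the thread describes is the practical choice.

```shell
#!/bin/sh
# Constructed sample of logread output: dnsmasq rebind protection tripping on
# an upstream that answers blocked names with private addresses. The warning
# format follows the line quoted in the thread.
SAMPLE_LOG='Sun Jul  4 23:00:01 2021 daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: any.adserver.dns
Sun Jul  4 23:00:02 2021 daemon.info dnsmasq[1234]: query[A] example.org from 192.168.1.20
Sun Jul  4 23:00:03 2021 daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: ads.example
Sun Jul  4 23:00:04 2021 daemon.warn dnsmasq[1234]: possible DNS-rebind attack detected: any.adserver.dns'

# Print each distinct name dnsmasq flagged, one per line, sorted.
rebind_domains() {
    printf '%s\n' "$1" \
        | sed -n 's/.*possible DNS-rebind attack detected: \([^ ]*\).*/\1/p' \
        | sort -u
}

# Count how many rebind warnings the log contains (0 if none).
rebind_warning_count() {
    printf '%s\n' "$1" | grep -c 'possible DNS-rebind attack detected'
}

# Emit uci commands that allow-list only the flagged names. rebind_domain is
# the OpenWrt dnsmasq list option for names that may resolve to private
# addresses; rebind_protection itself stays enabled.
uci_allowlist_cmds() {
    rebind_domains "$1" | while read -r name; do
        printf "uci add_list dhcp.@dnsmasq[0].rebind_domain='%s'\n" "$name"
    done
    echo 'uci commit dhcp && /etc/init.d/dnsmasq restart'
}

# On the router itself: uci_allowlist_cmds "$(logread)"
uci_allowlist_cmds "$SAMPLE_LOG"
```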


I don't know if it is just me, but I thought it was easy.

The specific documentation is talking about dnsmasq service in general.

The rebind protection can be easily turned off by the following two ways.

In the luci interface > Network > DHCP and DNS > General settings > Rebind protection

Or

When setting up AdGuardHome, where you change the default list server, rebind protection is also found there, which you can disable by changing it to 0

Thanks for this, that was easy enough. Since I have your attention, can you please tell me what settings concerning dnsmasq to be made on Openwrt and adguardhome, please?
Thanks a lot.

Did you try the instructions that appear in the first commit of this package? And as I already said. To install as another OpenWrt package, you should use snapshots from Master or 21.02.

So in the same section as the rebind protection, you need to make sure that DNS forwarding is set to the same IP that is displayed in Adguardhome > setup guide. Except removing ":" between the IP and port number and use # instead.

Theoretically, that is all you need to do, although you may incur DNS leaks. If you do, you have to go to the luci interface > Network > Interfaces > Lan > edit > DHCP server > advanced settings > DHCP options; you want to add 6, followed by the IP. This will force those who connect via LAN and WIFI to use Adguardhome as the DNS. So for example, if your DNS IP is 192.168.1.1 then you would enter 6,192.168.1.1 in the DHCP options.

You may find that the clients do not get listed on the home page of AdGuardHome; if so you need to enter the custom firewall rules under network > firewall > custom firewall rules with the details linked in the OP where it mentions firewall.

It's too bad Luci can't give you some guidance after installing a new package. Could just be a readme with link to the settings.

This is a community project, therefore it depends on the effort of each person to provide the necessary help.

Dumb question; doesn't adblock do the same as adguard?

Not dumb, yes, it does. However, adguard has some pretty cool features.

Yes, per Adguard it is much more complete and beautiful.

Maybe I should give it a go :slight_smile: Running divested build and dnscrypt-proxy 2 and adblock at the moment.

I am kind of struggling with this, it's confusing what to change where, where to use configs and where to use the interface. Here is what I am trying to do. I have a WRT1900ACS, with Draytek vigor 300 as my modem, worked ootb when flashing OpenWrt, didn't have to change WAN settings. I want to have: Adguard Home and Unbound, but dnsmasq confuses me, I get double queries with what I have for now, using luci-app-adguard and manually installed AdGuard Home to /etc/AdguardHome. Installed unbound and I think it's working, I set upstream to 127.0.0.1:5335 in AdGuardHome and bootstrap DNS servers to 127.0.0.1. It appears to be working, DNS queries are really long to start with, which is consistent with my experience with AGH + unbound on my Raspberry Pi. I want to use AGH as my DHCP so that I can see clients and not just 192.168.1.1 in queries, this was required on my RPi to see IPs, but on here somehow IPs are detected without AGH being the DHCP server. I am very confused on how to set this all up.

Here are the double queries as I have shown earlier, instead of just happening with my PC IP like I had on the RPi in the past, I get a query on the PC IP AND also the router IP. Sometimes only the router IP shows up.

Edit: Perhaps I should skip unbound, now that I think about it, AGH supports all the security goodies, maybe I am overcomplicating things, I would still like to solve the dual query thing and probably use AGH as my DHCP server, but not sure how to work with dnsmasq, the existence of both web UI AND file config makes this more complicated in my mind.

2021-07-04T23:00:00Z

Right, having done a clean install of OpenWrt 21.02.0-rc3, I've knocked up a script to make it a one click (well an SSH and chmod) install. (This is NOT the bleeding edge AdGuard. This is the current opkg install via OpenWrt. AdGuard Home, version 0.104.3, channel release, arch linux mips)

installadguard.sh

#!/bin/sh
# Switch to Adguard setup (opkg version of AdGuard Home)

# Install AdGuard Home plus CA certificates so encrypted upstreams can be verified
opkg install adguardhome ca-certificates ca-bundle

# Move dnsmasq off port 53 and point it at AdGuard Home as its only upstream.
# 'server' is a list option in /etc/config/dhcp, so it must be set with add_list;
# a plain 'uci set' creates an option that the dnsmasq init script ignores.
uci set dhcp.@dnsmasq[0].cachesize='1000'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci add_list dhcp.@dnsmasq[0].server='192.168.1.1'
uci set dhcp.@dnsmasq[0].port='5353'

# Hand out the router as DNS (option 6) and gateway (option 3) via DHCP;
# change the IP if your LAN is not 192.168.1.1
uci add_list dhcp.lan.dhcp_option='6,192.168.1.1'
uci add_list dhcp.lan.dhcp_option='3,192.168.1.1'
uci set dhcp.lan.leasetime='24h'

# Ignore the DNS servers advertised by the ISP on WAN
uci set network.wan.peerdns='0'

# Save changes
uci commit dhcp
uci commit network

# Restart network + dnsmasq service to reflect changes
/etc/init.d/network restart
/etc/init.d/dnsmasq restart

echo 'Go to http://192.168.1.1:3000 and install AdGuard.'

A couple of notes about this.
This moves dnsmasq from port 53 to 5353 (so it is there in the background if you want to do forwarding or to run as a backup).
This also uses DHCP options to set router and DNS settings (options 3 and 6). If you are NOT using 192.168.1.1 you probably should change those lines :slight_smile:
It also changes DHCP leases to 24hrs, and sets to IGNORE your upstream ISP DNS (because you want to use AdGuard's DNS, right?)
AdGuard out of the box uses Quad9 but you can easily change the settings once you have it running.

When you go to the adguard setup page http://192.168.1.1:3000 (Note it is NOT HTTPS) make sure you set the port it will use to something OTHER than 80 as luci is living there. I just use 8080 for simplicity.

Select your interface and make sure the DNS takes port 53 and you are good to go.

Debugging issues.

/usr/bin/AdGuardHome -c /etc/adguardhome.yaml -w /tmp/adguardhome --no-check-update

If AdGuard fails to start, SSH in and run this manually. YAML files are REALLY picky if you screw up an edit :smiley:

Cloudflare ESNI Checker | Cloudflare UK

Use that to ensure you're secure. (Make sure you tick Secure DNS on the DNS Configuration page. It's in the middle section.) It is NOT ticked by default. Also ensure your upstream hosts can do DNSSEC.

Stopping dnsmasq and odhcpd and disabling them in services will enable you to use AdGuard's DHCP server; however, there are issues with this.

The leases are saved in /tmp/adguardhome/leases.db and thus when the router reboots that data will be lost unless you have some sort of USB storage and the tmp folder remapped to it.

There is an issue filed to have the static leases moved into the yaml file like the clients are currently kept, but this is outstanding at present. Ability to edit "DHCP static leases" entry after it's saved · Issue #1700 · AdguardTeam/AdGuardHome (github.com)

They are improving Adguard to trim down the logging and save space but this is a work in progress.
OpenWRT version needs shorter query log retention options due to free space limitations · Issue #2504 · AdguardTeam/AdGuardHome (github.com)

Is there a reason to use this script over what is listed on GitHub? Is the official script buggier than yours?

Automated install (Linux and Mac)

Run the following command in your terminal:

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

If you install from scratch using their script you'll have the more up to date version. Mine was just to make migrating settings to the opkg installable version (which is behind the AdguardHome release version) easier and more consistent.
The official script installs Adguard to /opt/AdGuardHome and doesn't appear to create a default yaml file.
I'm going to try the official version and see if it fixes some issues I'm having later this week. (DHCPv6 is not working nor will it configure correctly)

Ah, does the non-opkg version not have a means to update safely/cleanly? In that case perhaps I should try opkg instead of waiting to hear back what you find since bleeding edge isn't critical to me I think and I'd prefer automatic update.