Sorry, this might be a stupid question, but I am new to the topic. The only thing I need to install the widely recommended version 107 it to ssh into my OpenWRT router and execute the script above?
:edit: Added some explanations and further details.
Yes and no. Assuming your router is 192.168.1.1 here is how I setup mine.
Under 19.07 make sure you have the following packages installed otherwise SSL will not work and AdGuard will fail to update.
ca-certificates ca-bundle libustream-mbedtls libustream-openssl
You can also use wolfssl which is what OpenWRT is using for 21 builds onwards. The new 21 builds come with SSL enabled and thus you shouldn't need to install these but just check they are installed.
libwolfssl libustream-wolfssl luci-ssl px5g-wolfssl wpad-basic-wolfssl
You will need to install Adguard using the script and then do some modifications.
Specifically these :
uci set dhcp.@dnsmasq[0].cachesize='1000'
uci set dhcp.@dnsmasq[0].noresolv='1'
uci set dhcp.@dnsmasq[0].server='192.168.1.1'
uci set dhcp.@dnsmasq[0].port='5353'
uci add_list dhcp.lan.dhcp_option='6,192.168.1.1'
uci add_list dhcp.lan.dhcp_option='3,192.168.1.1'
uci set dhcp.lan.leasetime='24h'
uci commit dhcp
/etc/init.d/dnsmasq restart
Now you can goto http://192.168.1.1:3000 and setup AdGuard.
Couple of notes about this.
This moves the existing OpenWRT dnsmasq from port 53 to 5353 (so it is there in background if you want to do forwarding or to run as a backup) Adguard can then run on port 53 and become your active DNS.
It modifies the DHCP options to notify DHCP clients of the router IP and DNS settings (option 3 and 6), If you are NOT using 192.168.1.1 you probably should change those lines
It also changes DHCP leases to 24hrs. Change or remove this if u wish.
AdGuard out of the box uses Quad9 but you can easily change the settings once you have it running.
When you goto the adguard setup page http://192.168.1.1:3000 (Note it is NOT HTTPS) make sure you set the port it will use to something OTHER than 80 as luci is living there. I just use 8080 for simplicity.
Select your interface and make sure the DNS takes port 53 and you are good to go.
you can set AdGuard up so it binds to all interfaces but i have it setup as the following.
The reason why i change that is because it also bound to the WAN side interface which is not desirable.
My filters i use are as follows
AdGuardHome.yaml
filters:
- enabled: true
url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
name: AdGuard DNS filter
id: 1
- enabled: false
url: https://adaway.org/hosts.txt
name: AdAway Default Blocklist
id: 2
- enabled: true
url: https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
id: 1625359387
- enabled: true
url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
name: Scam Blocklist by DurableNapkin
id: 1625359388
- enabled: true
url: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
name: The Big List of Hacked Malware Web Sites
id: 1625359389
- enabled: true
url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
name: https://github.com/StevenBlack/hosts
id: 1625359390
- enabled: true
url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
name: https://firebog.net/ - OSINT.digitalside.it
id: 1625359391
- enabled: true
url: https://v.firebog.net/hosts/Easyprivacy.txt
name: https://firebog.net/ - EasyPrivacy
id: 1625359393
whitelist_filters:
- enabled: true
url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
name: https://github.com/anudeepND/whitelist
id: 1625359392
This is the total number of filters each list has right now.
AdGuard DNS filter - 39,279
Perflyst and Dandelion Sprout's Smart-TV Blocklist - 151
Scam Blocklist by DurableNapkin - 483
The Big List of Hacked Malware Web Sites - 9
https://github.com/StevenBlack/hosts - 90,253
https://firebog.net/ - OSINT.digitalside.it - 44
https://firebog.net/ - EasyPrivacy - 11,424
Also finally. Under the settings page
Log Configuration. If you have limited disk space i HIGHLY recommend setting Query logs retention to 6hrs only. Mine was set to 7 days and filled my root partition with a 132mb log file. This then also blocked my updates as it silently failed in the background.
My Statistics configuration is set to 30days and is fine.
Thanks so much - ich am in the process of updating to 21, so I will follow your steps after that.
There is one other issue which i havent yet understood.
When i reboot my router, sometimes AdGuard will use all the router cpu and stop responding to DNS queries.
The way to fix it? SSH into the router and stop AdGuard running.
/etc/init.d/AdGuardHome stop
then delete the files in /opt/AdGuardHome/data/
They should be these :
querylog.json
sessions.db
stats.db
Now restart AdGuard
/etc/init.d/AdGuardHome restart
That usually fixes it. I think it is trying to load all the queries and stats data and chokes on it. It may be because my router is not the fastest and then takes forever to load it all. I haven't done any troubleshooting beyond that. I am going to update to the new release today and see if anything changes with that but its not that much an issue for me as i rarely restart my router. But if i find the cause i'll report to the AdGuard team and get them to look into it.
And it looks like they may have already patched this.
Looks like it was the stats database causing the issues.
Your instructions worked like a charm, thanks so much. I have three questions:
- How can I edit the AdGuardHome.yaml? I added all the lists you posted manually
- I saw an error message pop up that said port 443 is used by "someone else". I run my https for my QNAP there, so I assume I better change that?
- I want to create two different VLANs, one for normal traffic and on for kids traffic. Can I use AdGuard to have two "logics", one for the normal VLAN and one for the kids being more restrictive?
I use WinSCP to edit files on my router.
Luci will run on 443 or in your case your qnap. I dont bother using AdGuards HTTPS.
You can set different clients to use different filters for AdGuard I believe. its on their wiki.
Clients · AdguardTeam/AdGuardHome Wiki (github.com)
I won the fight yesterday in this thread to connect a VLAN to the internet. Today that internet access is not working anymore and also the additional VLANs I created do not get connected to the internet. I compared the settings (on switch and router) or the ones I created yesterday and today and cannot find any differences. They get the same IP range no matter whether I connect via cable to router or switch or via wifi to the respective VLAN. I added all VLANs to the "lan" firewall zone within OpenWRT. I can also ping 1.1.1.1 or 8.8.8.8 when connected to those VLANs, so my assumption is that AdGuard home needs to be set up to also resolve DNS for VLANs.
Could that assumption be correct and if yes, how do I do that? Or is there an on/off switch for AdGuard, so that I can test it without AdGuard?
Thanks a lot again
if you have migrated from your OpenWRT dns to AdGuard DNS (and its listening properly) then it should just be transparent. It maybe it is not listening on the correct interface however.
A simple way to test would be to stop Adguard and switch OpenWRT DNS back to port 53. Then flip back when you have finished testing.
/etc/init.d/AdGuardHome stop
uci set dhcp.@dnsmasq[0].server='1.1.1.1'
uci set dhcp.@dnsmasq[0].port='53'
uci delete dhcp.lan.dhcp_option
uci commit dhcp
/etc/init.d/dnsmasq restart
That will stop adguard. Reset your OpenWRT to use 1.1.1.1 Cloudflare DNS. Change the DNS port back to 53. Delete the dhcp option address that was pushed out and restart Dnsmasq.
Just checked the config. There is a difference between lan, the VLAN I created yesterday (vlan 3) and the one I created today (vlan_home). I also upgraded toe OpenWRT 21 today, maybe that is where the ra_flags line comes from?
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option dhcpv6 'server'
option ra 'server'
list dhcp_option '6,192.168.1.1'
list dhcp_option '3,192.168.1.1'
option leasetime '24h'
config dhcp 'VLAN3'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'VLAN3'
config dhcp 'VLAN_Home'
option interface 'VLAN_Home'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
However i suspect you just need to add in the vlan interfaces to your adguard yaml file.
AdGuardHome.yaml
dns:
bind_hosts:
- 127.0.0.1
- 192.168.1.1
- ::1
In theory if it has the loopback address it should do DNS lookups but you may have to explicitly add in your VLANS
eg
dns:
bind_hosts:
- 127.0.0.1
- 192.168.1.1
- 192.168.3.1
- ::1
:edit:
Currently the only way to modify the interface is via the yaml file and then to restart Adguard. It is something they are aware off and it is hopefully going to be part of the 108 release.
To be safe? stop adguard. edit the file then start adguard and it should take the new interface and start listening.
These are DHCPv6 options for dealing with IPv6 addresses. see Configuring IPv6 and DHCPv6 - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum for more details.
So after the changes you proposed, the internet connection stopped working entirely. I tried to revert te changes, but no luck.
Anyone idea how to get the connection back without a complete Openwrt reset?
When I do the dnsmasq restart, it only says: sending discover, no lease failing, started v1.33.1 in a loop a few times
At least I was correct that AdGuard was in the mix
redo that and restart AdGuard back up
/etc/init.d/AdGuardHome restart
Now go check your Adguard yaml file for its dns section. As i posted above i think you just need to add in your Vlan interface for it to listen to your vlans.
Thats all dnsmasq will say
the top portion of your /etc/config/dhcp file should look like this.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option cachesize '1000'
option noresolv '1'
option server '192.168.1.1'
option port '5353'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '6,192.168.1.1'
list dhcp_option '3,192.168.1.1'
option leasetime '24h'
double check carefully as you may have to redo it with the reversions you made.
So the internet is back - thanks!
I will check the dhcp portion.
I got WinSCP working and am looking for the yaml files