[HowTo] Running Adguard Home on OpenWrt

hmm. Yes.

12 days running
AGH binary? 35 MB
stats and query DB 11 MB
filters? 16 MB
and another 35 MB in the AGH backup of the previous version

That is not inconsiderable, and something that smaller routers will not manage lightly.
My HH5 has 128 MB of RAM and just about manages 100k of lists. (I started getting OOMs when I hit 140k.)

(edit)

Bugger. Seems they have bounced this to the 109 release.

That's just one of the things that makes the case for OpenWrt handling DHCP and AGH handling only the DNS. (One improvement I asked for was the ability to properly select the interfaces you serve DNS on, as by default you could only pick ONE interface or ALL interfaces. ALL meant that it would serve DNS on your WAN interface (or DSL), which is not advisable.) And yes... yet ANOTHER reason you have to manually edit the YAML file.

1 Like

However, if I install AdGuard Home and do not configure any settings through LuCI, I will not be able to manage AdGuard Home. OpenWrt will refuse my connection to the dashboard of AdGuard Home.

Install AGH and move its management port to 8080 instead of port 80.

If you read further back in the thread, I've done a number of posts explaining how I did it and the changes to make.

In my experience, the best way to add AdGuard Home to OpenWrt is to use the installer script and install the most recent beta from the AdGuard Home site. As mentioned above, do not use the existing OpenWrt package, it's outdated.
To make it easy to integrate with dnsmasq, before installation change the dnsmasq port to 5353, restart dnsmasq, then run the installation script. This will install AdGuardHome with DHCP disabled by default, and have the AdGuardHome DNS server use the default DNS port 53. After the installation script is run, finish the config on port 3000 and set the administration port to 8080.

Before installation, it's important to read the following in full, otherwise you risk making wrong choices in the config process: https://github.com/AdguardTeam/AdGuardHome#getting-started

YMMV

1 Like

I've used the split dnsmasq config for quite a while now for running a "kid safe" network. The IP network is completely separated. This works just fine.

I thought I'd try the AdGuard Home way of parental controls, not to control, but to shield some sites for younger eyes and let's face it, not all of us can distinguish a phishing attempt from the real thing.

Anyway, I've got a USB stick mounted, installed AGH on that and set it up to run as a DNS server for all clients on the network. I now have one single IPv4 network for all clients, including the one for my kids, so they are not on a separate IPv4 network anymore. In order to filter the right clients, I added clients in AGH. I've tried AGH's DHCP server, but I can't edit, only delete and add new reservations. But, as I have just learned, if you run a lot of Apple devices, mainly iPhones and iPads, the DHCP reservations are kind of a bummer.

Apple's default behavior on WiFi networks is to spoof a randomly generated MAC address, so the owners of the WiFi network are unable to track your activity based on a MAC address... I haven't discovered the limits of that privacy feature yet, but if I disable using a private MAC address I get this annoying message about a privacy warning on the Apple device in question...

So you can imagine that setting and actually trusting the MAC address as a DHCP reservation for Apple devices is not a set-and-forget thing, on any DHCP server.
So far, identifying clients in AGH based on MAC address for specific filtering is not a bulletproof method, whether you set AGH as the DHCP server or let dnsmasq hand out fixed IP addresses based on DHCP reservations and use those fixed IP addresses in AGH to identify clients.

But then there's IPv6... Identifying clients on fixed IPv4 addresses is kinda bulletproof, except for Apple's privacy option. On IPv6 there's no telling which IPv6 address a client will use to go out on the Internet. It might be one of the ULA addresses OpenWrt hands out, or a public IPv6 address from your provider.

Any clues on how to tackle specific clients in a trustworthy manner to enable filtering with AGH? Because I do like it.

1 Like

I haven't used AGH DHCP. It badly needs extra work. I do use OpenWrt's DHCP, however.

Android and Apple both do privacy, but you can "trust" a home network and tell it not to use MAC randomization. (I don't have any Apple devices, so I don't know how you do that bit.)

OK, so Apple calls it Private Address.

You can edit your reservations on AGH... if you edit the YAML file, which isn't ideal.

That you need to set by changing your IPv6 settings.

You need to set it so your router hands out your ISP's v6 IPs and doesn't auto-generate its own.

You need a DUID to reserve IPv6.

1 Like

I used the script you provided to install AGH. After installation, I still cannot enter AGH on port 3000.

I have been tackling this in my own home network with AGH and filtering based on MAC address. From my experience so far with that Private Address feature in iOS, currently it generates the MAC address based on the wireless network SSID. So for example, if you have a network SSID of OpenWrt-2.4, it will always keep that same randomly generated MAC on that network. It will only change the MAC if you change the SSID. Also in AGH, you can create a client group that contains multiple MAC addresses for kids. You can add the regular device MACs and also the private MACs.

It is possible that Apple could randomize the MAC addresses even further (in future iOS updates), but now it is just dependent on the SSID.

I have adapted my whole KidSafe setup into AGH now. Different client groups for adults, different client group for each child, etc. I have Cloudflare DNS as upstream for the adult devices and OpenDNS Family Shield as upstream DNS for the KidSafe client groups. AGH is incredibly flexible once you get used to it.

I ended up dropping the two instances of dnsmasq that I was using with a similar KidSafe setup. I have dnsmasq completely disabled now and only AGH handling all DNS and DHCP. The only way to do MAC filtering on AGH is by using it as DHCP server, otherwise it cannot get MAC by forwarding from dnsmasq to AGH. That's why I only use AGH now for both DNS and DHCP.

2 Likes

Did you remove the old AGH install?

What output did you get when you installed the new AGH?

The way I uninstalled AGH is to re-flash OpenWrt.
There is an error "udhcpc: no lease, failing"

Can you post the output when you ran the install script? Without any info it's kinda hard to diagnose issues.

I am now unable to install AGH smoothly.

You should be running this:

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c edge

If I use this instruction to install AGH, there will be questions about the instruction "curl -s -S -L"

curl pulls the install script from the AGH GitHub. You could download it and run it yourself manually.

I use NanoPi R2S, can I use this script to install AGH?

Should work for any device in theory. If it fails, however, you'll need to report an issue to the AGH guys.

Just a note on the DNS leak firewall rules re-routing to 192.168.1.1:5353...

If dnsmasq continues being the primary resolver with adguard as an upstream (per the instructions), then these rules don't support that setup, bypassing dnsmasq and going straight to adguard.

In my case, it meant that local hosts were no longer resolved with the static lease host names defined in openwrt / dnsmasq until I changed the rules to reroute to 192.168.1.1:53 where dnsmasq would then call adguard upstream.

Adguard does have an option to specify a DNS server for private addresses and could point back to dnsmasq, and dnsmasq has an option not to forward local hosts upstream (to prevent a loop), but that didn't work for me. Updating the rules did.

PS I did try and use the search feature to see if someone posted about this in the thread already but it was hard to find within the results.

2 Likes
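The port mismatch described in the post above, as an added example that is not part of the thread or of the AdGuard Home project: a small POSIX sh check that reads an OpenWrt firewall config (UCI text on stdin), lists every DNS-interception redirect, and fails when its dest_port is not the primary resolver's port (53 when dnsmasq is primary with AGH upstream on 5353). The rule name, LAN address and sample rule text are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the AdGuard Home project. A redirect to
# 192.168.1.1:5353 sends intercepted client DNS straight to AGH, skipping the
# primary dnsmasq on :53 and with it the static-lease hostnames; the rule must
# target the port clients are told to use. Rule name/LAN address are assumed.

# Print "<name> <dest_port>" for each 'config redirect' that captures client
# DNS (src_dport 53). Values are reduced to digits/identifier characters, so
# the quoting style in /etc/config/firewall does not matter.
dns_redirect_targets() {
    awk '
        function flush() {
            if (sec == "redirect" && sdp == "53") { n = (name == "") ? "(unnamed)" : name; print n, dp }
            sec = ""; sdp = ""; dp = ""; name = ""
        }
        /^config /         { flush(); sec = $2 }
        /option name/      { gsub(/[^A-Za-z0-9_-]/, "", $3); name = $3 }
        /option src_dport/ { gsub(/[^0-9]/, "", $3); sdp = $3 }
        /option dest_port/ { gsub(/[^0-9]/, "", $3); dp = $3 }
        END                { flush() }'
}

# Return 0 when every DNS redirect targets port $1 (the primary resolver);
# otherwise list the offending rules on stderr and return 1.
check_dns_intercept() {
    bad=$(dns_redirect_targets | awk -v want="$1" '$2 != want')
    [ -z "$bad" ] && return 0
    printf 'redirect bypasses the primary resolver on :%s\n%s\n' "$1" "$bad" >&2
    return 1
}

# Constructed sample: the rule as first written (:5353) and the corrected one (:53).
WRONG_RULE="config redirect
    option name 'Intercept-DNS'
    option src 'lan'
    option src_dport '53'
    option dest_ip '192.168.1.1'
    option dest_port '5353'
    option target 'DNAT'"
FIXED_RULE=$(printf '%s\n' "$WRONG_RULE" | sed "s/dest_port '5353'/dest_port '53'/")

printf '%s\n' "$WRONG_RULE" | check_dns_intercept 53 || echo "original rule flagged"
printf '%s\n' "$FIXED_RULE" | check_dns_intercept 53 && echo "corrected rule OK"
```

On the router itself, `check_dns_intercept 53 < /etc/config/firewall` runs the same check against the live config, and the fix is `uci set firewall.<rule>.dest_port='53'` followed by `uci commit firewall` and a firewall restart.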

(AFAIR) this is how I'd set mine up, and it seemed to work OK... (did not test static lease hostnames, though)

(Unrelated side note: I was also pretty lost when it came to IPv6. Most internet guides don't mention this re: AGH; Pi-hole is a lot clearer regarding this.)

WAN port DNS, upstream DNS server, bootstrap DNS server: for the best ad-shielding effect, which type of DNS should be filled in for each?