[HowTo] Running Adguard Home on OpenWrt

To use those you must be using AdGuard DNS servers as upstream, as it requires their DNS servers' responses.

Also, I believe you need a paid licence to use it?

I'm now using AdGuard Home, but I prefer not to add a fully independent application like that directly to my OpenWRT install, not least (but not only) because every OpenWRT upgrade by default will clobber such applications. But OTOH it seems like a misapplication of resources to dedicate another physical device to it. (Which is why I find Pi-Hole a little silly.)

So for a little while I experimented with using a Pi Zero in gadget mode attached and powered by the OpenWRT router's USB port. I wrote this up a while ago. But it's an experimental approach that proved a little troublesome in practice, and required a distinct OpenWRT router interface just for the AdGuard resolver, which seems excessive.

For me the ideal compromise is to run it as an LXC container on the OpenWRT device. This does mean that in order to preserve it at OpenWRT upgrade time, I'll still have to carefully rewrite the OpenWRT partition/volume rather than allow it to clobber the entire disk the way it does by default. But I'm already using LXC containers in LVM storage on my (x86_64) OpenWRT router for other purposes anyway, so this is not a new thing.

One cool advantage of running it as a container on the same system is that you can share more than one interface. This comes in handy if you have a DMZ and/or a private network: no more adding firewall rules to allow forwarding DNS calls to the network your resolver is on; your resolver has access to all the same networks and can listen on any or all of them.

This is from the commit PR I posted earlier. Reverse proxying seems to be a simple answer. I went for just using AGH on a separate port, 8080.

However, the advantage your method has is that you can bolt a more powerful AGH-boosted filtering system onto any router with a USB port. This avoids a huge range of issues such as CPU usage, disk space and RAM usage.

BTW, there is now an AGH wiki entry, now that there is an opkg version.

@jamesmacwhite and everyone else.

Logging and space issues are being moved to 108 release as they have to refactor how their upgrades work.

Longer term, their 1.0 release is looking to improve their DHCP, which is also due for redoing, as currently I would not recommend using AGH DHCP unless you only have a simple network. OpenWrt's DHCP is far more powerful and flexible for complex networks and VLANs.

I installed, fresh, using the wiki here:

I have the overlay on a USB stick.

Restarted, and manual start. But no resolving. Thanks for your help!

And tried this: AdGuardHome -v -c /etc/adguardhome.yaml -w /var/adguardhome --no-check-update

root@OpenWrt:/usr/bin# AdGuardHome -v -c /etc/adguardhome.yaml -w /var/adguardhome --no-check-update
2022/01/13 23:05:58.637105 4354#1 [info] AdGuard Home, version v0.107.0
2022/01/13 23:05:58.639403 4354#1 [debug] Current working directory is /tmp/adguardhome
2022/01/13 23:05:58.642391 4354#1 [debug] reading config file: /etc/adguardhome.yaml
2022/01/13 23:05:58.697585 4354#1 [debug] github.com/AdguardTeam/AdGuardHome/internal/home.upgradeConfig(): got schema version 12
2022/01/13 23:05:58.699859 4354#1 [debug] reading config file: /etc/adguardhome.yaml
2022/01/13 23:05:58.770682 4354#1 [debug] hosts container: starting
2022/01/13 23:05:58.773098 4354#1 [debug] hosts container: refreshing
2022/01/13 23:05:58.777328 4354#1 [debug] hosts container: added ip-host pair "127.0.0.1"-"localhost"
2022/01/13 23:05:58.780343 4354#1 [debug] hosts container: added ip-host pair "::1"-"localhost"
2022/01/13 23:05:58.783220 4354#1 [debug] hosts container: added ip-host pair "::1"-"ip6-localhost"
2022/01/13 23:05:58.785649 4354#1 [debug] hosts container: added ip-host pair "::1"-"ip6-loopback"
2022/01/13 23:05:58.788637 4354#1 [debug] hosts container: added ip-host pair "ff02::1"-"ip6-allnodes"
2022/01/13 23:05:58.791552 4354#1 [debug] hosts container: added ip-host pair "ff02::2"-"ip6-allrouters"
2022/01/13 23:05:58.795339 4354#1 [debug] hosts container: added ip-host pair "10.0.1.1"-"OpenWrt"
2022/01/13 23:05:58.798532 4354#1 [debug] hosts container: added ip-host pair "fdad:7158:cc26::1"-"OpenWrt"
2022/01/13 23:05:58.808894 4354#1 [debug] hosts container: sending upd
2022/01/13 23:05:58.811858 4354#1 [debug] clients: removed 0 client aliases
2022/01/13 23:05:58.813720 4354#1 [debug] clients: added 0 client aliases from dhcp
2022/01/13 23:05:58.816667 4354#11 [debug] clients: removed 0 client aliases
2022/01/13 23:05:58.816667 4354#1 [debug] Writing YAML file: /etc/adguardhome.yaml
2022/01/13 23:05:58.819391 4354#11 [debug] clients: added 127.0.0.1 -> "localhost" [1]
2022/01/13 23:05:58.821066 4354#11 [debug] clients: added ::1 -> "localhost" [2]
2022/01/13 23:05:58.823069 4354#11 [debug] clients: added ::1 -> "ip6-localhost" [2]
2022/01/13 23:05:58.824687 4354#11 [debug] clients: added ::1 -> "ip6-loopback" [2]
2022/01/13 23:05:58.835269 4354#11 [debug] clients: added ff02::1 -> "ip6-allnodes" [3]
2022/01/13 23:05:58.836922 4354#11 [debug] clients: added ff02::2 -> "ip6-allrouters" [4]
2022/01/13 23:05:58.838687 4354#11 [debug] clients: added 10.0.1.1 -> "OpenWrt" [5]
2022/01/13 23:05:58.840370 4354#11 [debug] clients: added fdad:7158:cc26::1 -> "OpenWrt" [6]
2022/01/13 23:05:58.842378 4354#11 [debug] clients: added 8 client aliases from system hosts-file
2022/01/13 23:05:58.880804 4354#1 [info] Initializing auth module: /tmp/adguardhome/data/sessions.db
2022/01/13 23:10:58.637311 4354#6 [debug] free os memory
2022/01/13 23:15:58.638439 4354#6 [debug] free os memory
2022/01/13 23:20:58.637589 4354#6 [debug] free os memory
2022/01/13 23:25:58.638190 4354#6 [debug] free os memory

You did this bit from the Setup part as well, yes?

<snip> refer to wiki for updated info.

That adds DHCP Option 6 broadcast to tell the clients to use AGH as DNS.

Yes, thanks, I did all of that. I'm very confused and frustrated at the moment. Do you think it has anything to do with the overlay on the USB stick?

Try using dig to determine if you are getting DNS lookups.

Dig via AGH on port 53

root@OpenWrt:~# dig @192.168.1.1 -p 53 www.google.com

; <<>> DiG 9.17.20 <<>> @192.168.1.1 -p 53 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46335
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         206     IN      A       142.250.200.36

;; Query time: 3 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Fri Jan 14 00:27:48 UTC 2022
;; MSG SIZE  rcvd: 59

Dig via dnsmasq on port 5353

root@OpenWrt:~# dig @192.168.1.1 -p 5353 www.google.com

; <<>> DiG 9.17.20 <<>> @192.168.1.1 -p 5353 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 26045
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; Query time: 0 msec
;; SERVER: 192.168.1.1#5353(192.168.1.1) (UDP)
;; WHEN: Fri Jan 14 00:27:59 UTC 2022
;; MSG SIZE  rcvd: 43

Dig from Cloudflare DNS directly

root@OpenWrt:~# dig @1.1.1.1 www.google.com

; <<>> DiG 9.17.20 <<>> @1.1.1.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8804
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         237     IN      A       216.58.214.4

;; Query time: 15 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri Jan 14 00:30:17 UTC 2022
;; MSG SIZE  rcvd: 59

If that works, then backtrack to your client PC and use dig or nslookup to check results there, to see if it is DNS or DHCP that is the issue at the client end.

Also, you have provided both IPv4 and IPv6 DNS, yes?

This sets them both to Google DNS. Swap them to your internal DNS settings.

# Configure dnsmasq
uci -q delete dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option="6,8.8.8.8,8.8.4.4"
uci commit dhcp
/etc/init.d/dnsmasq restart
 
# Configure odhcpd
uci -q delete dhcp.lan.dns
uci add_list dhcp.lan.dns="2001:4860:4860::8888"
uci add_list dhcp.lan.dns="2001:4860:4860::8844"
uci commit dhcp
/etc/init.d/odhcpd restart

The Setup script on the wiki now has DHCP v4 and v6 properly added. Please ensure you edit your IP addresses as required. (By default OpenWrt installs with 192.168.1.1, so those are the defaults we use.)

# 1. Disable dnsmasq from needlessly looking at the /etc/resolv.conf file.
# 2. Reduce dnsmasq cache size as it will only provide PTR/rDNS info.
# 3. Disable rebind protection. Filtered DNS service responses from blocked domains are 0.0.0.0, which causes dnsmasq to fill the system log with "possible DNS-rebind attack detected" messages.
# 4. Move dnsmasq to port 5353.
# 5. Set IPv4 DNS advertised by DHCP option 6.
# 6. Set IPv6 DNS advertised by DHCP.
uci set dhcp.@dnsmasq[0].noresolv="1"
uci set dhcp.@dnsmasq[0].cachesize="1000"
uci set dhcp.@dnsmasq[0].rebind_protection='0'
uci -q delete dhcp.@dnsmasq[0].server
uci set dhcp.@dnsmasq[0].port="5353"
uci add_list dhcp.@dnsmasq[0].server="192.168.1.1"
uci add_list dhcp.lan.dns="::1"
uci commit dhcp
/etc/init.d/dnsmasq restart

Redoing this will push both IPv4 and IPv6 DNS servers to DHCP clients, thus avoiding IPv6 clients bypassing your AGH or even not having DNS resolution (depending on whether your ISP DNS is passed downstream or not). You will need to renew your DHCP lease or just reboot to get the changes.

(edit) https://openwrt.org/docs/guide-user/services/dns/adguard-home#uninstalling There is now an uninstall script available which will revert you back to the original settings.
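An added check (mine, not from the wiki or this thread) that reads a captured "uci show dhcp" dump and reports whether dnsmasq has moved to 5353, whether DHCPv4 option 6 and the DHCPv6/RA DNS both point clients at AGH, and whether rebind protection was relaxed as the script above does. The two sample dumps are constructed, and the function names uci_val and check_agh_dhcp are mine.

```shell
#!/bin/sh
# Added example: verify the dnsmasq/odhcpd side of the AGH setup from a
# "uci show dhcp" dump. Live use: check_agh_dhcp "$(uci show dhcp)" 192.168.1.1 '::1'

# Constructed dump mirroring the uci commands in the setup script above.
SAMPLE_OK="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].rebind_protection='0'
dhcp.@dnsmasq[0].port='5353'
dhcp.@dnsmasq[0].server='192.168.1.1'
dhcp.lan=dhcp
dhcp.lan.dhcp_option='6,192.168.1.1' '3,192.168.1.1'
dhcp.lan.dns='::1'"

# Constructed dump of a box where dnsmasq still owns port 53 and no IPv6 DNS is
# advertised, so IPv6-capable clients would bypass AGH entirely.
SAMPLE_BAD="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].noresolv='1'
dhcp.lan.dhcp_option='6,8.8.8.8,8.8.4.4'"

# uci_val DUMP KEY: print KEY's value(s) with uci's quotes stripped, or nothing.
uci_val() {
    _re=$(printf '%s' "$2" | sed 's/[][\\.*^$]/\\&/g')   # escape key for sed BRE
    printf '%s\n' "$1" | sed -n "s/^${_re}=//p" | tr -d "'"
}

# check_agh_dhcp DUMP AGH_V4 AGH_V6: returns 0 if clients are handed AGH on both
# address families and dnsmasq is out of AGH's way, 1 otherwise; one line per finding.
check_agh_dhcp() {
    dump=$1; v4=$2; v6=$3; rc=0
    port=$(uci_val "$dump" 'dhcp.@dnsmasq[0].port')
    [ "$port" = 5353 ] || { echo "FAIL dnsmasq port '${port:-53}', expected 5353 so AGH can bind 53"; rc=1; }
    [ "$(uci_val "$dump" 'dhcp.@dnsmasq[0].noresolv')" = 1 ] || { echo "FAIL noresolv not set"; rc=1; }
    opt=$(uci_val "$dump" 'dhcp.lan.dhcp_option')
    case " $opt " in *" 6,$v4 "*|*" 6,$v4,"*) ;;
        *) echo "FAIL DHCPv4 option 6 is '${opt:-unset}', expected 6,$v4"; rc=1 ;; esac
    dns6=$(uci_val "$dump" 'dhcp.lan.dns')
    case " $dns6 " in *" $v6 "*) ;;
        *) echo "FAIL DHCPv6/RA DNS is '${dns6:-unset}', expected $v6 (v6 clients bypass AGH)"; rc=1 ;; esac
    # The wiki turns rebind protection off because AGH answers blocked names with
    # 0.0.0.0; surface that relaxation rather than silently accepting it.
    [ "$(uci_val "$dump" 'dhcp.@dnsmasq[0].rebind_protection')" = 0 ] \
        && echo "NOTE dnsmasq rebind protection disabled (expected for this setup)"
    [ "$rc" -eq 0 ] && echo "OK clients get AGH via DHCPv4 $v4 and DHCPv6 $v6"
    return "$rc"
}

check_agh_dhcp "$SAMPLE_OK" 192.168.1.1 '::1'
check_agh_dhcp "$SAMPLE_BAD" 192.168.1.1 '::1' || true
```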

Did you manage to solve this issue?
I'm testing on OPNsense before implementing on OpenWrt.
I'm using the AGH plugin in OPNsense with Unbound.
Everything works fine, but as soon as I enable these two options, "DNS timed out" occurs.
But safe search is working fine.
What are the AG DNS upstream servers, to try if that works?
I suspect the ISP is filtering AG domains and DNS infrastructure.

As I explained before, you must use AdGuard's DNS servers for those options to work.

It's explained here how they work: https://kb.adguard.com/en/general/how-malware-protection-works

(edit) AdGuard's DNS servers are here: https://kb.adguard.com/en/general/dns-providers#adguard-dns

I have just tried by adding the AG DNS servers as upstream servers:
94.140.14.15
94.140.15.16
I also did nslookup from my host to see if it resolves.
These 2 entries are used when the 2 options are enabled:

parental_block_host: family-block.dns.adguard.com
176.103.130.135
safebrowsing_block_host: standard-block.dns.adguard.com
176.103.130.133

Still it does not work. The DNS issue occurs, and unchecking works.
Not sure where the problem is.

@mercygroundabyss you seem quite confident this works, as you have said several times before, but people keep coming back to say the AGH DNS servers do not work, even with the links you provide. Are you sure; did you test this, or are you just going based on what they say?

As it was for me. I changed to the AGH DNS servers and it still does not work. See earlier, I posted an image of what works. Or, go to General Settings and uncheck the second and third boxes.

I haven't used it. However, from the AGH blogs about it and some of the info on their website, that's how it should work. Beyond that it's out of OpenWrt's hands. I can only suggest filing an issue on AGH if it is not working.

It is similar to how other cloud providers like Cisco's "cloudumbrella" works in that it uses realtime lists to automatically block hostile sites. I think Cloudflare has their own version.

It's just a step up from the malware filter block lists that exist. Just more real time.

@mercygroundabyss Thanks for this clarification, now folks can know to consider that. It's one thing for things to work, in 'theory' and quite another in practice. And since a lot of us rely on your 'word' here, it gives credit to you that you say, I haven't tried it but this is how they say it should work. Sent you a DM.


I should have made it clear that as far as I'm aware that's how it should work from their documentation.

I personally don't use it, and I'd have hoped that if they were offering it, the service DID work as their blogs informed me. It is a common thing to find in corporate networks, with live malware blocking and querying of suspect domains.

https://blog.cloudflare.com/introducing-cloudflare-radar/

https://radar.cloudflare.com/

Active threat tracking in real time. Very neat.

That's right. It's not working here either.
I'm not sure why the internet connectivity check fails with these 2 options; the host sees "DNS request timed out".
I have even tried all possible combinations by adding the AGH DNS servers and other stuff.
How is your AGH setup done, and are you running any other resolver or forwarder?
I think it's time to write to AGH to troubleshoot further.

@jamesmacwhite https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.3

Mind doing a PR for the new version?