OpenWrt AdGuard Home 101 ( DNSMASQ )

Your guide is really helpful and certain has helped and will continue to help users. The official package was a little rough in the beginning but hopefully the 107 release will make it a lot better, so you can just use opkg. This however is officially tested and supported for 21.02 onwards, so manually installation may still be needed for those on older builds. You can run the package on 19.07, but there is a possibility dependencies and such may not work, so manually installation is still maybe required for certain users.

What might be good is preserving these guides into the official wiki?

Currently there is no official wiki page for AdGuardHome on OpenWrt, I think there's some great tips and guidance in this that should be incorporated.

I have wiki access, but I'm not going to take parts from your guide without permission, but that could be a really good thing. We could then even get the official AGH team to link to the OpenWrt wiki for anyone using on OpenWrt and have a single source, where others can contribute?

A big part of the issues with the opkg version (certainly in the 104 release) was that it installed into /tmp and thus lost everything when you rebooted. That may have resulted in some colourful language on my part and a look into AGH offical install. 106 as you say is broken due to dependencies on Go but a simple replace of the binary solves that.

107 brings a HUGE chunk of fixes and some that were badly needed for OpenWrt.

With the updated package things should be vastly easier for users now and I had a good back and forth with the PR requester and I think he is aiming to add some of the things from my guide into the opkg version.

I could certainly try wikify my updated article for those who wish to keep on the "bleeding" edge version of AGH. Regular users can use the opkg version now its more current and has some nasty issues resolved.

One of the things I'd like but its only timeframed for a later 107 build or even 108 is their fixes to DHCP.
That way you would just replace OpenWrt's dhcp and flip DNS and DHCP over to AGH and avoid the reconfiguring. (may need to be some tweaking of NTP for updating time/date and also DoH certs)

(edit - this explains it more. )

Stable vs edge builds is a good point. There's certainly a need for the edge builds i.e. testers, getting new features immediately etc, but it's also important to highlight and encourage using the stable release for those certainly on release builds. If you're on snapshot, chances are you are more likely to be aware of this.

The wiki could basically present two paths stable and edge and go from there, I'd imagine OpenWrt devs would encourage the use of opkg and as you've said that could be classed as the stable installation and then edge builds could be using your original guidance/script. I'm not sure if the opkg package will ever ship an edge build, it is more likely to probably move between the stable versions even in master.

It was more on the AGH end tbh. the 106 > 107 was a bumpy road and its why i switched to using edge builds to keep fixing issues. That being said. 107 is far better place now and is a much more capable "beta" if you will.

Thanks. But do you also give directions on how this can be done?

Either full manual install as documented here : [How-To-Updated 2021] Installing AdGuardHome on OpenWrt

or use the wiki and use the opkg version here :

What's the best way to make sure my filters are persistent on a reboot? Just installed adguard via the opt package and every time I reboot I have to manually refresh my filters for some reason. (rules count is set to 0 on reboot)

Hi all,

I'm running AGH and OpenWRT in a RPi4 (CM4 really, with DF Robot router board) and I have two interfaces:

  • eth1 - Main connection
  • eth1.10 - VLAN for guests

In the adguardhome.yaml file, I setup three dns "bind_hosts":

  • -IP from eth1-
  • -IP from eth1.10-

And I've tried everything: different firewall zones, added rules to allow DHCP and DNS for eth1.10, add DNS forwardings with both hosts from AGH, but I cannot make it work for the Guest interface (eth1.10).

All devices connected via eth1 are fine.
Devices connected via eth1.10 get an IP from DHCP, but can't get internet connection.
The browser error I get when connect to Guest is "ERR_NAME_NOT_RESOLVED".

Can any of you help me?

I just use one IP for bind host and reroute DNS requests by rules.

Try this:

iptables -t nat -A PREROUTING -i eth1.10 -p tcp --dport 53 -j DNAT --to
iptables -t nat -A PREROUTING -i eth1.10 -p udp --dport 53 -j DNAT --to

Adjust IP of the DNS server to your needs and put the rules in Network > Firewall > Custom rules

1 Like

Thanks for the tip, but it didn't work :frowning:

you should pass the required DNS for each zone as part of the dhcp request. Set option 6 for the dhcp for that interface.

1 Like

Follow-up question: what is "option 06"? Where do I set it up?

In any case, here's further details on my setup.

In Openwrt, DHCP and DNS > Advanced Settings, I have the DNS server port as 553 (because Adguardhome takes the port 53).

In Openwrt, Firewall, I have a "guest" zone, to which the interfacte eth1.10 is assigned to. Under Traffic rules, I have all incoming IPv4 and IPv6 from "guest" to "this device" directed to the DNS IPs, port 53. Note: the DHCP works, just the DNS doesn't work.

In Adguardhome, I have the reverse DNS servers set as the IPs of interfaces with th 553 port as set on the first step.

DHCP option 6: which DNS (Domain Name Server) to include in the IP configuration for name resolution

DHCP option 3: default router or last resort gateway for this interface

Set these for your guest and it willl broadcast DNS and DHCP as well as an ip address to clients on that interface.

Let AGH do the reverse DNS back to dnsmasq for PTR requests.

1 Like

Still doesn't work.

I use the same config as mercygroundabyss described and it works flawlessly since day one.
Here are the screenshots of my working config.

Adguard yaml:

Interface settings:

Traffic rules:

And custom rules:

1 Like

Remove the "GuestBLOCK" rule from your traffic rules.
What are you using it for?

1 Like

@danluckner you should check what gateway/Dns clients are getting.

But as @peras peras said. that rule needs to go because you are stopping your guest clients from talking to the router. Thus... no connectivity.

1 Like

Guys, it worked, but not because of that rule.
That rule is to prevent guests trying to ssh into the router.

Anyway, what I did is: in the Zones configuration, I had the input as "Accept".

That resolved. I missed that his was "reject" (see below)

Thank you all for the help @mercygroundabyss @peras

1 Like

By default dropbear (the ssh deamon) only listens on one interface. It is possible to set it to listen on multiple interfaces but there is a bug logged on it.

You can also stop luci listening on the guest interface too. No need for blocking rules then. The services are just not available to guests at all.

1 Like

I was playing around with AdGuard Home on OpenWRT and I think I've managed to make the update through WebGUI work again.
I didn't search the entire thread so sorry if this is already been described in another comment , but since I haven't found it as a solution at the OP, I'm posting it here...

@directnupe I've noticed something.

At first I thought I've installed the edge version but I think I actually installed the beta because I choose it from here and the update was working as expected.
Then I've changed to the edge release and I couldn't update automatically through the web interface.
Since I kept backup from the beta folder, I compared the two AdGuardHome.yaml files, the one from beta and the one from Edge, and I've noticed that even if the installation and configuration procedure was the same. At the Edge version of .yaml file first line, instead of being ex: bind_host:
it was bind_host:
I've replace the zeros with the actual IP and boom! Update is working as expected.

I hope this will work to the rest of you...

1 Like