So I've been looking around and been unable to get a good AdGuard or PiHole setup.
I figured it out, and it seems to be working well, so I'm writing this for mainly my own future reference.
--------------------
Setup for a physical AdGuard (Raspberry Pi or something)
I installed AdGuard Home on a Raspberry Pi with the IP 10.0.0.12.
Settings -> DNS Settings
Choose and configure to your desired setup.
On OPNsense:
System -> General Setup
Set '10.0.0.12' as DNS server
Tick: Do not use the local DNS service as the only nameserver for this system
Optional, but recommended:
Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 10.0.0.12
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable
Unbound -> Untick 'Enable Unbound'. (So it's turned off)
Or you can follow the steps below to use a router_ip:5353 to loopback to OPNsense unbound as a backup.
I also found that I had to add the DNS specifically on each DHCP interface.
Mainly because, if you removed all DNS servers from System -> General Setup, I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: 10.0.0.12
If you have VLANs or other LANs you may need to do some Firewall rules to allow traffic through to the DNS server IP on Port 53 (DNS)
That is pretty much it.
--------------------
Setup for using AdGuard via the OPNsense community repo
Firstly install the Community repo from: https://www.routerperformance.net/opnsense-repo/
Then install AdGuard Home via Plugins.
Navigate to router_ip:3000 to setup AdGuard.
I set the Admin interface to my main LAN as the only listen interface, on port 81 (OPNsense uses ports 80 and 443, so select something other than these for the AdGuard listen port, and likewise if you configure AdGuard's SSL settings).
DNS Server listen interface select 'All' on Port 53.
Setup DNS as you would like it with your own providers.
Settings -> DNS settings -> Bootstrap DNS servers -> Add router_ip:5353
On OPNsense:
System -> General Setup
Set '8.8.8.8' as DNS server (Or whatever DNS you would like as a backup, if you only want AdGuard you can remove all DNS servers from this list and leave it blank)
Untick: Do not use the local DNS service as a nameserver for this system
This way by default OPNsense will use itself (127.0.0.1) as the resolver which we want.
Services -> Unbound DNS -> General
Enable Unbound (it could be disabled if you'd prefer; then remove the Bootstrap DNS setup as above)
Add port 5353 (instead of default 53)
Only select: 'Register DHCP leases' & 'Register DHCP static mappings'
Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable
If you have multiple VLANs or LANs then duplicate the rule and change it to the relevant Interface and address.
I also found that I had to add the DNS specifically on each DHCP interface.
Mainly because, if you removed all DNS servers from System -> General Setup, I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: router_ip
And the same for any VLANs, just set the router IP for each VLAN.
e.g. 192.168.107.1 is my IoT VLAN
That should pretty much do it.
--------------------
Please let me know if you see any tweaks or better settings that you think can improve this, I'm more than happy to improve this and make this into a good guide.
*NOTE* I did find that running AdGuard on the OPNsense router lowered the processing time by more than half.
9ms via router setup, compared to around 45ms via Raspberry Pi 3B+
Why don't you install AdGuardHome on your OPNsense? Which was precisely the point in that other thread?
Because there is no clear guide on how to set it up!
Also sometimes people want to use a physical device for this.
Like I say. I'm happy to update and include the AdGuard install on OPNsense but until I can get a good guide I just cannot.
If you can give me your setup and how you made it work I'll test it out tomorrow and can add that to this guide too.
I did a write up in that other thread.
1. Activate mimugmail's community repository
2. Install AdGuardHome from System --> Firmware --> Plugins
3. Change your primary DNS server on OPNsense to use e.g. 127.0.0.1:53530 only
4. Activate and start AdGuardHome from Services --> AdGuardHome
5. Navigate to http://your.opnsense:3000/ to complete the setup
Do you not need to change AdGuard to use different ports upon setup?
So that it doesn't affect OPNsense on port 80 and 443?
How do you specify port 53530 unless you mean change Unbound's port?
Or on General DNS you can specify 127.0.0.1:53530? Wasn't aware you can use : to specify a port there.
Do you do anything with your unbound?
Are there any specific benefits to doing it all in one box?
And thanks I'll test it tomorrow.
I meant make your Unbound listen to 127.0.0.1:53530. I use BIND, so - sorry - I cannot show you a screenshot. I am just assuming that just as with BIND you can change the listen interface and port for Unbound too. If that is not the case, I am sorry.
You need to do that so AdGuardHome can listen on all interfaces port 53 so clients can use it. Then in AdGuardHome use this dialog to configure the upstream resolver (see screenshot).
To adjust the listen addresses of AdGuardHome itself you need to ssh to your OPNsense and edit the config file at /usr/local/AdGuardHome/AdGuardHome.yaml:
bind_host: 0.0.0.0
bind_port: 3000
[...]
dns:
  bind_host: 0.0.0.0
  port: 53
Thanks if I can figure it out I'll test it tomorrow.
I feel like my way just works and works far simpler.
Is there any benefit other than having 2 devices in one doing it your way?
I would not want another box just for a single application that works perfectly on my already present OPNsense.
Do I need to Listen on all interfaces for DNS Server?
As it has my WAN IP in there too.
I have LAN, and 2x VLANS so there are a lot of connections there.
I also changed the Admin to use port 81.
Like this:
@pmhausen
Take a look at my edits and addition of AdGuard via Community Repo.
Let me know what you think or if any of it needs changing/addition.
Of course you don't need to activate it on WAN, sorry.
Yup, problem is, as I have more than one LAN, I could not manually select my LANs/VLANs.
It was all or one. Unless I missed something there.
So I just selected All
Well, even if it is listening on WAN your firewall rules should prevent access, right?
Yup should drop all traffic from WAN by default
AdGuard seems to be amazing! Really slick interface and useful features!
Yeah, and I find it works much quicker especially vs PiHole or external DNS
Opnsense 21.1.4 Installation:
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - Navigate to http://your.opnsense:3000/ to complete the setup
5 - In Adguard Home - DNS Configuration - Upstream Servers: Set the desired servers ( 1.1.1.1, 8.8.8.8 etc )
6 - In Opnsense disable Unbound. In case you want to use it, leave it activated, change its port to 5353, and in Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353
- It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General
- No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard
- No need to set dns servers to DHCP
DNS over HTTPS - DNS over TLS:
Option 1:
- In Opnsense - Unbound - Miscellaneous set the desired dns servers 1.1.1.1@853 8.8.8.8@853
- Activate Unbound on port 5353
- In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353
Option 2 ( Unbound disabled ): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption
Recommended DNS blocklists: 1Hosts (Pro) - Goodbye Ads - Energized Ultimate - Lightswitch05 - Steven Black - oisd
Installation in Adguard: Filters - DNS blocklist - Add blocking list - Add custom list
- https://hosts.netlify.app/Pro/adblock.txt
- https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt
- https://block.energized.pro/ultimate/formats/hosts.txt
- https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- https://hosts.oisd.nl/
Extra. in Adguard: Filters - DNS blocklist - Add blocking list - Choose from the list:
- Perflyst's Smart-TV Blocklist
@yeraycito thanks for those lists. Which criteria did you apply when picking them?
Unlike the ones Adguard comes with, these are much more complete. Each of them includes many other lists. They are the most complete I have found. If you put these in, you don't need any more.
Many of the lists I have posted block most of Google's telemetry and spying but not all of it. More can be done.
Adguard - Filters - Custom filtering rules - add:
||dnsotls-ds.metric.gstatic.com^
||encrypted-tbn0.gstatic.com^
||encrypted-tbn2.gstatic.com^
||mtalk.google.com^
||metric.gstatic.com^
||chart.apis.google.com^
||cse.google.com^
||encrypted-tbn1.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||aa.google.com^
||encrypted-tbn3.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||addons-pa.clients6.google.com^
||apis.google.com^
||0.client-channel.google.com^
||clients2.google.com^
Result after applying the rules:
- Google searches: OK
- Gmail: OK
- Youtube: OK
- Instagram: OK
- Android: OK
- Playstore: OK
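To see what the blocklists and the custom rules above actually do to a query name, here is an added example (my own code, not AdGuard Home's). It handles the two rule shapes used in this thread: hosts-file lines ("0.0.0.0 host"), which is the format of the linked blocklists, and adblock-style "||host^" rules as pasted into Filters - Custom filtering rules. Assumptions: "||host^" matches the host and every subdomain, a hosts line matches that exact host only, and "@@||host^" is an exception rule that overrides a block. The sample rule text is constructed for the example; only a few of the gstatic/google rules from the post are included.

```python
"""Check query names against AdGuard Home style blocklists and custom rules."""
import re

# Constructed sample rules: hosts-format lines plus adblock-style rules.
SAMPLE_RULES = """
# hosts-format entries (as in the linked blocklists)
0.0.0.0 ads.example.net
127.0.0.1 localhost
0.0.0.0 tracker.example.org   # trailing comment

! adblock-style rules (as in Custom filtering rules)
||metric.gstatic.com^
||fonts.gstatic.com^
||clients2.google.com^
||example.com^
@@||allowed.example.com^
"""

HOSTS_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+(\S+)")
# Names every hosts file carries that must never be treated as blocks.
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def parse_rules(text):
    """Return (suffix_blocks, exact_blocks, exceptions) as sets of lowercase names."""
    suffix_blocks, exact_blocks, exceptions = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.startswith("@@||") and line.endswith("^"):
            exceptions.add(line[4:-1].lower())
        elif line.startswith("||") and line.endswith("^"):
            suffix_blocks.add(line[2:-1].lower())
        else:
            m = HOSTS_LINE.match(line)
            if m and m.group(1).lower() not in HOSTS_NOISE:
                exact_blocks.add(m.group(1).lower())
    return suffix_blocks, exact_blocks, exceptions


def _suffix_hit(name, domains):
    """Return the most specific rule domain equal to name or a parent of it."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def decide(name, rules):
    """Return (blocked, reason) for one query name."""
    suffix_blocks, exact_blocks, exceptions = rules
    host = name.lower().rstrip(".")
    hit = _suffix_hit(host, exceptions)
    if hit:
        return False, "exception @@||%s^" % hit
    if host in exact_blocks:
        return True, "hosts entry %s" % host
    hit = _suffix_hit(host, suffix_blocks)
    if hit:
        return True, "rule ||%s^" % hit
    return False, "no match"


def audit(names, text=SAMPLE_RULES):
    """Map each name to its decision, so a list can be checked before it is deployed."""
    rules = parse_rules(text)
    return {n: decide(n, rules) for n in names}


if __name__ == "__main__":
    for name, (blocked, why) in audit([
        "www.metric.gstatic.com", "gstatic.com", "ads.example.net",
        "cdn.ads.example.net", "www.example.com", "allowed.example.com",
    ]).items():
        print("%-25s %-6s %s" % (name, "BLOCK" if blocked else "allow", why))
```

Running it against the names you care about (the Google/Gmail/YouTube checks listed in the post) before enabling a new list is a cheap way to spot an over-broad "||domain^" entry, since one such rule takes every subdomain with it, while a hosts entry only takes the exact host.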
@yeraycito
Just a shout out to say thanks for your contributions to this thread. I found them very useful, and have Unbound / AdGuard working well together. Ads are gone, DNS lookups are resolving quickly. Your suggested blocklists are awesome!
That said, I'm still a little (embarrassingly) confused about something. That is, getting the LAN reverse lookups to function. Below I'll show one setup where the reverse lookups actually do resolve, but the upstream DNS resolver ends up being one of my two ISPs, and a second where the upstream resolver is Cloudflare, but then the reverse lookups stop working.
I have the following OPNSense Configuration:
Dual WAN, two gateway setup (might not be relevant to the discussion)
System/Settings/General:
- DNS Servers: all empty
Services/Unbound DNS/General:
- port: 5353
- DNSSEC: enabled
- DHCP Registration: enabled
- DHCP Static Mappings: enabled
- Local Zone Type: transparent
AdGuard Settings:
1) With this setup, reverse lookups function. That is, inside AdGuard's Top Clients, I can see host names are resolving. However, the upstream DNS server is my ISP's DNS server.
Adguard/DNS Settings:
127.0.0.1:5353
Bootstrap DNS servers:
127.0.0.1:5353
9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10
2) Now, if I change the following, I get the reverse behaviour. Inside AdGuard's Top Clients, I can see only IPs (no host names), but the upstream DNS is now showing up as 108.162.218.241 (Cloudflare).
Adguard/DNS Settings:
127.0.0.1:5353
1.1.1.1
1.0.0.1
I've also experimented with a few things to no avail, like:
[/168.192.in-addr.arpa/]127.0.0.1:5353
[/168.192.in-addr.arpa/]127.0.0.1
[/168.192.in-addr.arpa/]192.168.0.1:5353
[/168.192.in-addr.arpa/]192.168.0.1
Do you have any suggestions what I might be doing wrong?
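As an added illustration of the upstream lines tried above (my own code, not AdGuard Home's), the script below models the upstream list syntax from the DNS settings: a bare upstream such as "127.0.0.1:5353" or "1.1.1.1" serves every name, while "[/domain/]upstream" serves only that domain and its subdomains. It builds the PTR name for an address with Python's ipaddress module, which is how the 168.192.in-addr.arpa zone relates to 192.168.x.y hosts, and then shows which upstream the reverse lookup would be routed to. The upstream list is constructed; it mirrors configuration 2 above with the reverse-zone rule added.

```python
"""Work out which upstream a query name is routed to under a domain-specific upstream list."""
import ipaddress

# Constructed upstream list: configuration 2 above plus the reverse-zone rule.
SAMPLE_UPSTREAMS = """
[/168.192.in-addr.arpa/]127.0.0.1:5353
1.1.1.1
1.0.0.1
"""


def parse_upstreams(text):
    """Split upstream lines into (default_upstreams, [(domains, upstream), ...])."""
    default, specific = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[/") and "/]" in line:
            spec, upstream = line[2:].split("/]", 1)
            domains = [d.strip().strip(".").lower() for d in spec.split("/") if d.strip()]
            specific.append((domains, upstream.strip()))
        else:
            default.append(line)
    return default, specific


def reverse_name(address):
    """PTR query name for an IPv4/IPv6 address: 192.168.0.20 -> 20.0.168.192.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def select_upstreams(qname, default, specific):
    """Return the upstream list serving qname; the most specific domain rule wins."""
    qname = qname.lower().rstrip(".")
    best_domain, best_upstream = None, None
    for domains, upstream in specific:
        for d in domains:
            matches = qname == d or qname.endswith("." + d)
            if matches and (best_domain is None or len(d) > len(best_domain)):
                best_domain, best_upstream = d, upstream
    return [best_upstream] if best_upstream else list(default)


def route_ptr(address, text=SAMPLE_UPSTREAMS):
    """Return (ptr_name, upstreams) for the reverse lookup of an address."""
    default, specific = parse_upstreams(text)
    name = reverse_name(address)
    return name, select_upstreams(name, default, specific)


if __name__ == "__main__":
    for ip in ("192.168.0.20", "10.0.0.12"):
        print(ip, "->", route_ptr(ip))
```

The second sample address (10.0.0.12, the Pi from the first post) shows the edge that bites multi-subnet setups: a rule written for 168.192.in-addr.arpa sends nothing for a 10.0.0.0/8 LAN to the local resolver, so each private range you use needs its own reverse zone in the list.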
Hello, for the DNS servers not to be those of your ISP you have to put one in Unbound. To resolve the hostnames, you can better add them in the AdGuard configuration.
My settings:
System/Settings/General:
- DNS Servers: all empty
- Do not use the local DNS service as a nameserver for this system: checked
Services/Unbound DNS/General:
- port: 5353
- DNSSEC: enabled
- DHCP Registration: disabled
- DHCP Static Mappings: disabled
- Local Zone Type: transparent
Unbound DNS - Miscellaneous - DNS over TLS Servers: 1.1.1.1@853 1.0.0.1@853
In Adguard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353
In Adguard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353
In Adguard Home - configuration - clients configuration - add client: Add ip and hostname
A good complement is also to use NextDns dns servers.
They are just as fast as Cloudflare's but add more protection and the ability to add blocklists.
Installation:
Let's go to https://nextdns.io/ and register for free. Once registered you are given a personalised ID and dns.
Opnsense installation:
- Follow the tutorial explained above for Adguard.
- Unbound - General - Custom Options: add (XXXXXX is your custom ID in NextDNS)
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
I installed the AdGuard plugin... everything seems to be working OK... only under Plugins is AdGuard marked as misconfigured? Why is that?
hello,
Where can I find the logfile? In /var/log I found no AdGuard file.
Thanks
Transfer from PiHole (running on a Pi) to AdGuard on OPNSense went flawlessly. By using a virtual IP for AdGuard, I didn't even need to change any of my preconfigured rules, which was nice. I had allocated myself a few hours to get this done, and it ended up taking less than 15 minutes :)
Question though. One of the "optimizations" that is sometimes recommended when using PiHole in conjunction with Unbound is to disable DNS caching on the pi-hole, so that all DNS lookup is handled by Unbound. Would this provide any benefit with AdGuard?
Thanks!
EDIT - So an oddity. Using a virtual IP, it showed no port conflicts using Port 80 or Port 53, and everything worked great for a day. Today I decided to tweak some Unbound settings and had to restart the service... and it wouldn't start due to a port conflict. Any ideas?
~Spritz
Hi folks,
has anyone tried to set up the AdGuard WebGUI using https with the same cert that OPNsense's WebGUI uses?
Thank you very much
Beclar
Adguard + wireguard in Opnsense ( solved ):
https://forum.opnsense.org/index.php?topic=22409.0
Quote from: yeraycito on April 13, 2021, 07:38:09 PM
My settings:
System/Settings/General:
- DNS Servers: all empty
- Do not use the local DNS service as a nameserver for this system: checked
Services/Unbound DNS/General:
- port: 5353
- DNSSEC: enabled
- DHCP Registration: disabled
- DHCP Static Mappings: disabled
- Local Zone Type: transparent
Unbound DNS - Miscellaneous - DNS over TLS Servers: 1.1.1.1@853 1.0.0.1@853
In Adguard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353
In Adguard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353
In Adguard Home - configuration - clients configuration - add client: Add ip and hostname
With this way, if you have multiple VLANs or different IPs, do you need to include all the IPs in the upstream and bootstrap DNS servers?
i.e. 192.168.1.1:5353
192.168.200.1:5353
And so on?
It is not necessary, just set the opnsense ip. Adguard listens for dns connections on all opnsense interfaces. It then passes them to the opnsense ip. Unbound is listening there.
Ok cheers will mess with it this week and update the main page with some updates.
Thanks for your efforts.
In this post I previously put up some blocking lists for Adguard. There are two of them that are very complete: 1Hosts (Pro) and Energized Ultimate. They are so comprehensive that in some cases they block too much. If this is the case I recommend you to change them for 1Hosts (Lite) and Energized Basic. These two lists are still very comprehensive. There are also smaller versions of these two lists; these are the intermediate ones.
- https://badmojr.github.io/1Hosts/Lite/adblock.txt
- https://block.energized.pro/basic/formats/hosts.txt
Yup I already use Energized Pro list and only that list myself :)
I'm sorry for my ignorance, but is this setup using the DNS over TLS function in Unbound? It appears yes.
If it is, why use that when you can use Unbound by itself for DNS resolving? I thought the point of using Unbound was to not have to worry about DNS lookups from companies like Cloudflare?
Thanks in advance!
Quote from: yeraycito on April 04, 2021, 08:16:42 PM
Opnsense 21.1.4 Installation:
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - Navigate to http://your.opnsense:3000/ to complete the setup
5 - In Adguard Home - DNS Configuration - Upstream Servers: Set the desired servers ( 1.1.1.1, 8.8.8.8 etc )
6 - In Opnsense disable Unbound. In case you want to use it, leave it activated, change its port to 5353, and in Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353
- It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General
- No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard
- No need to set dns servers to DHCP
DNS over HTTPS - DNS over TLS:
Option 1:
- In Opnsense - Unbound - Miscellaneous set the desired dns servers 1.1.1.1@853 8.8.8.8@853
- Activate Unbound on port 5353
- In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353
Option 2 ( Unbound disabled ): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption
Quote from: yeraycito on April 13, 2021, 09:04:18 PM
- Follow the tutorial explained above for Adguard.
Do we need both? Can one not configure just NextDNS without AdGuard?
If you want to use only NextDNS:
- Unbound - General - Custom Options: add (XXXXXX is your custom ID in NextDNS)
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
Great instructions! Thank you :)
The only issue I'm facing is that the firewall redirect rule for DNS just won't work for me.
I've tried using the "LAN address" object, and also specifying my LAN IP address and my VirtualIP's, but it just doesn't seem to want to redirect the dns traffic :(
I did notice when setting up Adguard it chose my Virtual IP, instead of my LAN address.
I feel like I'm missing something really simple, but I'm not sure what?
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable
Possibly related to this?
https://github.com/AdguardTeam/AdGuardHome/issues/3015
I have a LAN that I want to use AdGuard for DNS using any family shield service. And a VLAN to use 8.8.8.8.
Is that possible and how?
Should we be setting DNS cache size in Adguard to 0 to allow Unbound to handle caching?
Quote from: zer0k on May 05, 2021, 10:58:00 PM
Great instructions! Thank you :)
The only issue I'm facing is getting the firewall redirect rule for dns just won't work for me.
I've tried using the "LAN address" object, and also specifying my LAN IP address and my VirtualIP's, but it just doesn't seem to want to redirect the dns traffic :(
I did notice when setting up Adguard it chose my Virtual IP, instead of my LAN address.
I feel like I'm missing something really simple, but I'm not sure what?
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable
- It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General
- No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard
Adguard listens on all default interfaces in Opnsense. This can be seen in the Adguard - Configuration Guide.
Quote from: NV43 on May 06, 2021, 08:08:13 AM
Should we be setting DNS cache size in Adguard to 0 to allow Unbound to handle caching?
I have DNS caching active on both sides and everything works fine.
Sorry for the hijack, but just wondered if anyone has any idea of how I can solve a particular problem with my Adguard Home Plugin setup:
My LAN interface is a bridge made up of all the ports on a 4 port intel x540, and my WAN is on a different interface altogether (duh). I can successfully install the plugin and configure it, make it the default dns server by changing the port unbound uses to 5353 and leaving AdguardHome on 53. Problem is that first time resolution takes about 30 seconds! I am guessing it has to do with Adguard being bound to all existing interfaces. I tried to bind it to the bridge address editing the Adguard Yaml config file and restarting the service, but it did not solve the issue. Unbound works fine in its place, and I have adguard running on a secondary box in lan and unbound forwarding to it, as a workaround, and that works fine. If anyone knows how to fix that, and can share, I would appreciate it. Just in case, bridge is built following wiki directions, including tunables, and works as expected. I am aware of the disadvantages of bridging ports, but it is an experiment and I would like to make it work as is.
Thanks.
Try binding AdGuard Home to *:53 as you already did if I read your post correctly. Set Unbound to 53530 or similar. Reason being that 5353 is used by mDNS already.
I run AdGuard Home on all interfaces, 53, forwarding to BIND on 127.0.0.1:53530 - no problem so far.
Quote from: Jaxon on April 12, 2021, 10:59:42 PM
2) Now, if I change the following, I get the reverse behaviour. Inside AdGuard's Top Clients, I can see only IPs (no host names), but the upstream DNS is now showing up as 108.162.218.241 (Cloudflare).
Adguard/DNS Settings:
127.0.0.1:5353
1.1.1.1
1.0.0.1
I've also experimented with a few things to no avail, like:
[/168.192.in-addr.arpa/]127.0.0.1:5353
[/168.192.in-addr.arpa/]127.0.0.1
[/168.192.in-addr.arpa/]192.168.0.1:5353
[/168.192.in-addr.arpa/]192.168.0.1
Do you have any suggestions what I might be doing wrong?
Hi, were you able to solve this? All I see are IP Addresses. I have way too many devices/clients to enter them manually
You just need to add your router ip in the upstream and bootstrap fields in the AdGuard DNS Setup menu with the appropriate port if you're still using UnBound...I am. So I set up Unbound to listen on port 53530 and then added the below in AdGuard
eg. 192.168.1.1:53530
Adguard now processes and listens on all interfaces.
Works well....
Thanks for posting this guide! In case anyone runs into problems with their Chromecast with Google TV after following these instructions and gets the error saying no internet is available, it might have to do with the optional but recommended port forward step.
Instead of including all sources for the port forward, you can select the devices you want to exclude from the port forward and tick the checkbox to invert the selection. This resolved my Chromecast with Google TV error. I have several so I made an alias. In the end, when I was done it looked like Source: !Google_devices.
Additionally, in the IRC, someone mentioned this port forward setup might lead to some abnormal behavior, i.e. a device asks 8.8.8.8 for DNS but gets confused that AdGuard Home responds. It may be better for reliability to set this up via a firewall rule that blocks all outbound DNS requests instead of forwarding the requests. Most devices will then use the local DNS as a back-up. I decided to make the change but still had to except the Chromecast devices.
I made the following two rules and disabled the port forward. These rules are under Firewall -> LAN and are the top rules in the set.
Rule 1:
ALLOW
Source: [Google_devices] -- this is an alias set up with all IP for my google devices
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)
Rule 2:
REJECT
Source: *
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)
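To make the two approaches in this thread concrete, here is an added example (my own code, not OPNsense's rule format or any project code) that replays constructed sample packets through (a) the guide's NAT port forward, "Destination / Invert: ticked, Destination: LAN address, port 53, redirect target", optionally with the inverted source alias from the post above, and (b) the two LAN filter rules above, evaluated first-match with the stock "allow LAN to any" rule underneath. It assumes OPNsense LAN rules match first-hit ("quick"), which the page does not state, and models the two approaches as alternatives because the post disabled the port forward when switching to the reject rules. The LAN address, the Google_devices alias members and the packets are all constructed.

```python
"""Replay sample packets through the DNS redirect and the DNS reject rules."""
from dataclasses import dataclass

LAN_ADDRESS = "192.168.1.1"                          # constructed: router's LAN IP
GOOGLE_DEVICES = {"192.168.1.50", "192.168.1.51"}    # constructed Google_devices alias
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def nat_redirect(pkt, lan_address=LAN_ADDRESS, target="127.0.0.1",
                 excluded_sources=frozenset()):
    """Port forward: DNS to anything except the router itself is rewritten to target:53.

    excluded_sources models "Source: !Google_devices" from the follow-up post.
    """
    if pkt.dport != DNS_PORT or pkt.dst == lan_address or pkt.src in excluded_sources:
        return pkt
    return Packet(pkt.src, target, DNS_PORT)


def filter_decision(pkt, lan_address=LAN_ADDRESS, google_devices=GOOGLE_DEVICES):
    """First-match over Rule 1, Rule 2 and the stock 'allow LAN to any' rule."""
    external_dns = pkt.dport == DNS_PORT and pkt.dst != lan_address
    if external_dns and pkt.src in google_devices:
        return "pass (rule 1: Google_devices to !LAN address port 53)"
    if external_dns:
        return "reject (rule 2: any to !LAN address port 53)"
    return "pass (default LAN rule)"


def simulate(packets):
    """For each packet: (packet, destination after NAT, filter verdict)."""
    rows = []
    for p in packets:
        redirected = nat_redirect(p, excluded_sources=GOOGLE_DEVICES)
        rows.append((p, redirected.dst, filter_decision(p)))
    return rows


SAMPLE_PACKETS = [
    Packet("192.168.1.20", "8.8.8.8", 53),          # client bypassing the router
    Packet("192.168.1.20", LAN_ADDRESS, 53),        # client using the router
    Packet("192.168.1.50", "8.8.8.8", 53),          # device on the Google_devices alias
    Packet("192.168.1.20", "8.8.8.8", 853),         # DNS over TLS: neither rule sees it
    Packet("192.168.1.20", "93.184.216.34", 443),   # non-DNS traffic
]

if __name__ == "__main__":
    for p, nat_dst, verdict in simulate(SAMPLE_PACKETS):
        print(f"{p.src} -> {p.dst}:{p.dport:<4} NAT dst={nat_dst:<14} filter={verdict}")
```

The port-853 packet is the caveat worth keeping in mind with either approach: both rules key on port 53, so a client that speaks DNS over TLS or DNS over HTTPS to a public resolver is neither redirected nor rejected and simply bypasses AdGuard.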
Does anyone know where the raw config file is stored within OPNsense for AdGuard?
Mine's in /usr/local/AdGuardHome/AdGuardHome.yaml
I keep having a problem with AdGuard not being started automatically.
I did reinstall/reboot, removed other packages, etc., but still the same problem.
I followed the last in this post https://forum.opnsense.org/index.php?topic=16692.15
root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s install
2021/07/27 10:02:41 [info] Service control action: install
2021/07/27 10:02:41 [fatal] Failed to install AdGuard Home service: Init already exists: /usr/local/etc/rc.d/AdGuardHome
The problem is that the only way for me to get it running after reboot is either the CLI or the web GUI.
Why does it not start automatically?
Ideas?
Regards /s
Quote from: sp33dy on July 27, 2021, 10:04:07 AM
I followed the last in this post https://forum.opnsense.org/index.php?topic=16692.15
root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s install
2021/07/27 10:02:41 [info] Service control action: install
2021/07/27 10:02:41 [fatal] Failed to install AdGuard Home service: Init already exists: /usr/local/etc/rc.d/AdGuardHome
This is not the way it should be done .. don't do this.
Usually installing the plugin and enabling it is enough.
Now your install dir can be anywhere.
OK, well that sucks that people give wrong instructions.
Is there any way for me to fix this?
EDIT: like I stated, I have deleted/installed the package and rebooted and the problem still persisted; when it still didn't work I tried those instructions.
/usr/local/AdGuardHome # ./AdGuardHome -s uninstall / delete possibly?
Maybe then also remove the plugin and also /usr/local/AdGuard/Home folder.
Then install plugin again, enable and reboot. During reboot watch the console for errors
Quote from: mimugmail on July 27, 2021, 11:06:39 AM
/usr/local/AdGuardHome # ./AdGuardHome -s uninstall / delete possibly?
Maybe then also remove the plugin and also /usr/local/AdGuard/Home folder.
Then install plugin again, enable and reboot. During reboot watch the console for errors
Thanks for your answer, still no good though.
The service runs fine when started manually; it takes ages to boot the box when DNS is not running.
Are there any startup scripts I can force run on boot to see if that at least gets it running after boot?
Nothing wrong on the console when booting up; status also says "not installed". I tried reinstall/reboot but still the same.
root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s status
2021/07/28 08:59:59 [info] Service control action: status
2021/07/28 08:59:59 [fatal] failed to get service status: the service is not installed
Quote from: sp33dy on July 28, 2021, 09:03:53 AM
root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s status
2021/07/28 08:59:59 [info] Service control action: status
2021/07/28 08:59:59 [fatal] failed to get service status: the service is not installed
Don't do this! I wrote a startup script because this AdGuardHome -s XXX is a total mess. And that's why AGH is a community plugin and not in the official plugin repo. This -go stuff with their own service control sucks on BSD.
You can use this:
/usr/local/etc/rc.d/adguardhome
But if you already ran "-s install" you are lost somewhere in the middle :(
Quote from: mimugmail on July 28, 2021, 09:50:43 AM
Quote from: sp33dy on July 28, 2021, 09:03:53 AM
root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s status
2021/07/28 08:59:59 [info] Service control action: status
2021/07/28 08:59:59 [fatal] failed to get service status: the service is not installed
Don't do this! I wrote a startup script because this AdGuardHome -s XXX is a total mess. And that's why AGH is a community plugin and not in the official plugin repo. This -go stuff with their own service control sucks on BSD.
You can use this:
/usr/local/etc/rc.d/adguardhome
But if you already ran "-s install" you are lost somewhere in the middle :(
I haven't run the -s install on this installation.
I'm sure there is something with my install that's causing this and not the plugin itself; just trying to get a working installation here ;)
I assume this should run on bootup: "/usr/local/etc/rc.d/adguardhome"
Can I force run it in some other startup script? For some reason it won't start for me.
Is there a known issue with fresh installs of this plugin and 21.7? I can't even get the setup page to load after a successful plugin install (http://<my.opnsense.ip>:3000).
The plugin is enabled and appears to be running
No errors are thrown in the logs
I have Unbound disabled
I am not running Grafana, NTPng, or any other service on port 3000. Netstat shows the AdGuardHome service is running on said port and nothing else.
I cannot get the start page to come up at all on port 3000. Since that triggers the initial setup wizard, there's no configuration yaml created (I checked via CLI). The service just appears to be running and waiting for me to kick off the process.
Could someone post a (more or less) "default" configuration yaml for the plugin? I can modify it for my own setup, restart the service, see if that gets past it, though I'd still like to figure out why I can't access the initial config wizard.
Thanks!
Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.
The problem, if anyone else runs in to this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.
This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.
I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.
Hope this helps someone else :)
I was under the impression that the community repo won't work currently on 21.17, as the dependency for Python 3.7 is missing (as it uses 3.8).
It has to be rebuilt.
How does one get a self signed certificate going for Adguard Home? Doing it mostly to learn, and thought it would be fun to have DoH/T enabled for my home network.
I have a CA & intermediate CA created and I created a certificate for adguard, but when I paste the cert & key into the fields I get "Certificate chain is invalid" for the certificate and "Your certificate does not verify: x509: certificate specifies an incompatible key usage" for the private key.
Quote from: sp33dy on July 28, 2021, 10:23:59 AM
Quote from: mimugmail on July 28, 2021, 09:50:43 AM
But if you already ran "-s install" your are lost somewhere in the middle :(
...
can i force run it in some other startup script?...for some reason it wont start for me
I also have the issue of the service adguardhome not auto-starting, but able to run with "service adguardhome start".
I noticed, that according to "pkg list os-adguardhome-maxit-1.5" there should only be a "/usr/local/etc/rc.d/adguardhome" file. I removed the additional file with "rm /usr/local/etc/rc.d/AdGuardHome".
Also I set "service adguardhome enable". Although the file "/etc/rc.conf.d/adguardhome" exists, it still does not autostart according to "service adguardhome status".
=> Is there a logfile as an alternative to "During reboot watch the console for errors"?
--
update:
I had a chance to look into the serial output:
I think the error that AdGuard does not start automatically occurs because the startup of AdGuard is quite late as a boot level. The problem seems to be a delayed newwanip process; as a workaround it might be possible to change the boot level (point in time when AdGuard starts).
This also seems to delay/block the auto-start of wireguard.
Quote
Starting power daemon...done.
Configuring system logging...done.
>>> Invoking start script 'newwanip'
Reconfiguring IPv4 on igb1: error in configd communication %s, see syslog for de
Reconfiguring routes: OK
>>> Invoking start script 'freebsd'
- ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument)
- wireguard-go wg0
tun0: link state changed to UP
tun0: changing name to 'wg0'
Running wireguard-go is not required because this kernel has first class support for WireGuard. For information on installing the kernel module, please visit: https://www.wireguard.com/install/
(...)
- Backgrounding route monitor
WARNING: attempt to domain_add(netgraph) after domainfinalize()
setup igb0_vlan10
setup igb0
setup igb1 [egress only]
Starting flowd_aggregate.
Starting flowd.
Starting adguardhome.
>>> Invoking start script 'syslog-ng'
Stopping syslog_ng.
Waiting for PIDS: 90451.
Starting syslog_ng.
I am also new to Adguard (switched from pihole).
In pihole i had:
Never forward non-FQDNs
Never forward reversed lookups for private ip ranges
Do you know how to get this in Adguard?
p.s. I think I fixed the auto start Adguard by adding system -> settings -> general -> dns servers 1.1.1.1 and 1.0.0.1
I read somewhere that opnsense needed it to start running while Adguard is not yet started. Seems to work.
p.s.s. just had to reboot my opnsense and I noticed that Adguard was not starting automatically, so no luck yet....
Currently using NextDNS and I wanted to give AdGuard home a try to see how they compare. Before I started I did the following:
Disabled Unbound.
Disabled NextDNS CLI (checked status )
Was able to get this installed but when I try to enable encryption under the Encryption settings it tells me that port 443 is being used:
Error: control/tls/validate | port 443 is not available, cannot enable HTTPS on it | 400
I then took a look to see what is using port 443 (if this is not the correct way of checking please let me know):
#sockstat -4 -l
root lighttpd 46986 5 tcp4 *:443 *:*
root lighttpd 46986 7 tcp4 *:80 *:*
Not sure exactly what is using lighttpd for the port.
Quote from: yeraycito on April 25, 2021, 06:45:38 PM
Adguard + wireguard in Opnsense ( solved ):
https://forum.opnsense.org/index.php?topic=22409.0
I followed your instructions from that thread, but haven't been able to get WireGuard running alongside AdGuard.
WireGuard worked well before I added AdGuard, but now I'm just not getting a connection.
Does anyone else have experience of getting WireGuard running alongside AdGuard and Unbound DNS?
Not sure what Unbound DNS buys me alongside AdGuard, but it works well for my other devices.
I have it also up and running here.
maybe this will help you:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
(Optional if not Automatic) Add ACL Entry for Unbound DNS
If you plan to use your WireGuard interface to provide DNS rather than some other DNS server on your network, it has been noted through feedback that there could be the possibility that you will need to add an entry to the Unbound DNS ACL (Access Control List) to allow the WireGuard interface to access your Unbound DNS server in OPNsense. For my configuration, it seems to have been added automatically, but if you are having issues with accessing your DNS server through the WireGuard interface (in my example, the DNS server would be 10.0.0.1), you may want to check your ACL configuration by going to the "Services > Unbound DNS > Access Lists" page. Click the "Add" button to enter the WireGuard network of 10.0.0.1/24 (for my example) to the ACL.
Quote from: RamSense on September 08, 2021, 12:36:26 PM
I have it also up and running here.
maybe this will help you:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
(Optional if not Automatic) Add ACL Entry for Unbound DNS
If you plan to use your WireGuard interface to provide DNS rather than some other DNS server on your network, it has been noted through feedback that there could be the possibility that you will need to add an entry to the Unbound DNS ACL (Access Control List) to allow the WireGuard interface to access your Unbound DNS server in OPNsense. For my configuration, it seems to have been added automatically, but if you are having issues with accessing your DNS server through the WireGuard interface (in my example, the DNS server would be 10.0.0.1), you may want to check your ACL configuration by going to the "Services > Unbound DNS > Access Lists" page. Click the "Add" button to enter the WireGuard network of 10.0.0.1/24 (for my example) to the ACL.
Do you have it running with AdGuard Home setup?
I would be keen to see what settings you have within the WireGuard client and the OPNsense WireGuard settings. Also AdGuard Home.
There's just something missing, but I have no clue what it is.
I have the opnsense adguard home plugin running - https://www.routerperformance.net/opnsense-repo/
What dns setting do you have in your Wireguard client config? I Use the Wireguard interface eg: 10.10.10.1
In Adguard dns settings i have
Bootstrap dns servers: 192.168.1.1:5353
private dns servers: 192.168.1.1:5353
where 192.168.1.1 is my opnsense ip and have Services: Unbound DNS: General - Listen Port : 5353
hope that helps.
Hi. It is likely I should ask this somewhere else as it is not directly a technical setup question, but maybe.
I've been using OPN with DoT(get-dns)+Unbound _and_ a pi-hole for a while and all is good.
I wanted to compare with AdGuard and I've just done it yesterday by using mimugmail's plugin.
I wanted to limit the reconfiguration and to do that, I configured pi-hole and AdGuard in a chain. It was the easiest way to just put another app and point to it.
Now the question. They seem to be pretty much the same and the setup is almost identical.
Apart from AG being able to run directly on OPN, is there another big reason people prefer it with OPN?
for me personally the switch from pihole going to adguard was the assumption that running on my more powerful device with opnsense, and running it directly from the app, would make it faster.
Besides that I found Adguard home more user friendly and more easy to config.
With pihole I had around 36 ms average processing time and with adguard I get 8 to 9 ms on an average day.
This can be because of running it directly as an app, but maybe it is also because I use DoT with Cloudflare and Quad9 with DNS settings - parallel requests.
thanks for sharing. I'm planning on reconfiguring now to bypass pi-hole. Performance is a good reason of course.
I'm on a tiny appliance so it might not be good for me. We'll see.
Tried, OPN not happy.
In Services > IPV4 > LAN I wanted to change from the IP for pi-hole to the LAN IP on a non standard DNS port in the "DNS Servers" field i.e. 192.168.5.1:5353 where ADG is running. I've tried with : @ and # as port delimiter.
Does anybody know if there is a way to do that there?
I know if not I'll have to do firewall rules but I was hoping I didn't have to.
I've tried as a workaround setting Unbound to listen on 5353 and In Services > DHCPv4 > LAN set to just it's LAN address 192.168.5.1, restarted both services and reconnected a client. No DNS resolution.
I'll keep looking at options.
do you have adguard on 53 and unbound on 5353?
I have Unbound on 53 pushing dns requests on via "Custom Options" to my preferred stub on localhost:853.
AdG is running on 5353.
DHCP clients get the independent pi-hole ipaddress as DNS server and pihole listens on 53 and has OPN as its upstream.
So currently clients DNS requests go:
client > pi-hole:53 > OPN-Unbound:53 > OPN-Stubby:853 > DoT resolvers.
Then to test ADG I put it inline:
client > pi-hole:53 > OPN-AdG:5353 > OPN-Unbound:53 > OPN-Stubby:853 > DoT resolvers.
With testing OK now I wanted to just bypass pi-hole.
That's where I'm scratching my head. Getting DHCPv4 to push 5353 to the clients.
Maybe the easiest way in your config is to shut down pihole and then run AdG on port 53 as well to see if that works, and work from there?
pi-hole being "there" is not an issue. My issue is getting OPN to dish out a different port via DHCP for a DNS resolver.
If pi-hole was out of the equation I can change the listening ports on both Unbound or AdG but the tricky part is with AdG now being on the same IP (plugin on OPN). It could look like this:
client > OPN-AdG:53 > OPN-Unbound:5353 > OPN-Stubby:853 > DoT resolvers.
But then how do I get DHCP to push clients to AdG on 53. Hm, that could work actually. I'll check.
I appreciate the input.
Quote from: RamSense on September 09, 2021, 07:09:39 PM
I have the opnsense adguard home plugin running - https://www.routerperformance.net/opnsense-repo/
What dns setting do you have in your Wireguard client config? I Use the Wireguard interface eg: 10.10.10.1
In Adguard dns settings i have
Bootstrap dns servers: 192.168.1.1:5353
private dns servers: 192.168.1.1:5353
where 192.168.1.1 is my opnsense ip and have Services: Unbound DNS: General - Listen Port : 5353
hope that helps.
In the client config (on my phone) I used the WireGuard interface IP (let's say it's 10.10.10.1).
On OPNsense, I didn't set a DNS server at the end point.
The issue is definitely with AdGuard Home added in.
I will recheck my configuration later today and see if I'm messing something up along the way.
The fixes in this thread didn't seem to work for me: https://forum.opnsense.org/index.php?topic=22409.0
https://forum.opnsense.org/index.php?topic=22918.0
I might look at just removing Unbound from the chain right now.
I'm getting very confused as to why I suddenly can't resolve local names.
I use a domain name, example.net, for my internal network. This now isn't resolving.
I previously had my OPNsense router IP as my top upstream DNS in AdGuard, but I don't think this is correct?
I've discovered that you can define a DNS server in upstream for specific domains, e.g. [/host.com/]1.2.3.4 (from here: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#upstreams).
I feel like this is quite flakey and the sheer amount of conflicting and confusing posts in here isn't making it any easier to understand :-\ Definitely need a concise roundup/summary of what is correct.
Update: I had to re-enable the Static DHCP mapping and register leases in Unbound and it started working again for now. There's probably something else I could do to fix this, but for now I don't have the time to mess around too much.
Quote from: cookiemonster on September 10, 2021, 05:11:06 PM
pi-hole being "there" is not an issue. My issue is getting OPN to dish out a different port via DHCP for a DNS resolver.
If pi-hole was out of the equation I can change the listening ports on both Unbound or AdG but the tricky part is with AdG now being on the same IP (plugin on OPN). It could look like this:
client > OPN-AdG:53 > OPN-Unbound:5353 > OPN-Stubby:853 > DoT resolvers.
But then how do I get DHCP to push clients to AdG on 53. Hm, that could work actually. I'll check.
I appreciate the input.
Yup that worked. I've bypassed pi-hole now. It's still on so I can push the queries back but so far all good. I was expecting my firewall rules to be a little trickier with being localhost but so far just replacing the ip with the lan local has worked without problem.
I had to test different ad hosts blocklists but so far functionally I'm good.
Hmm. I may have fixed my WireGuard issue.
I had a Port Forward rule from WAN address to a different net and using the WireGuard port. When I disabled that it seemed to start working again.
Very weird. I can't use my local domain name right now, but I'm getting there.
Update: I think it's all fixed now. Used the WG interface as the DNS and it seems to work fine. Also added 1.1.1.1 to be safe. So have local name resolution and internet.
For local DNS I now use Unbound in OPNsense. I own a domain name and I have Pi-hole configured to do Conditional forwarding for my domain.
If I want to switch to adguard, how does Adguard know when to query Unbound for local domain? Does it take the domainname configured in OPNsense (Under System - Settings - General - Domain)?
deleted
Adguard beta ?
I have upgraded Opnsense to 21.7.3. After restarting Opnsense Adguard has moved to a beta version. After 10 minutes I logged in again and I had a new update, also beta. Adguard works fine but I don't quite understand the move to beta software.
Per the OPNsense adguard home maintainer on the reason for moving to .107 beta.
https://www.reddit.com/r/OPNsenseFirewall/comments/pm84nr/need_betatesters_for_adguardhome_0107_update/
https://www.reddit.com/r/OPNsenseFirewall/comments/pndq1m/new_updates_to_community_repo_adguardhome_caddy/
Thank you, I didn't know that.
Question about the config of Adguard Home: Is there a way to backup and restore the adguard home config?
Or is this already being added to the opnsense backup config file?
My ISP provides IPv6 addresses. When I enable that on OPNSense it also directs DNS via IPv6. Is there a good guide to follow to explain how to use IPv6 in a home environment and still use PIHole/Adguard for filtering? For now I just disabled IPv6.
Perhaps I'm missing a step. If I don't have an IP listed in Settings/General in the DNS servers list, I don't have internet. I have to put 8.8.8.8, which I believe is defeating the purpose. I don't see any entries in adguard for my desktop, for example. If I leave it blank I have no internet on it.
I have first changed unbound to 5353 but I have also disabled it. What could I be missing?
Hi all,
I've just migrated my firewall from the Ubiquiti UniFi UDM Pro to OPNsense. I've been reading the forum for several months now, and following my migration I'm quite curious how to go about implementing NextDNS in addition to my AdGuard/Unbound setup. After following Yeracito's guide on how to use AdGuard Home standalone with Unbound in OPNsense, I want to follow yet another set of Yeracito's instructions, but I believe there were some changes between the version Yeracito was using when he posted his screenshots and the latest OPNsense version I'm currently running, as I don't have a miscellaneous section under Services / Unbound nor Unbound / General / Custom Options.
Could someone guide me on which Unbound section I should be using to set this up?
Quote from: yeraycito on April 13, 2021, 09:04:18 PM
Installation;
Let's go to https://nextdns.io/ and register for free. Once registered you are given a personalised ID and dns.
Opnsense installation:
- Follow the tutorial explained above for Adguard.
- Unbound - General - Custom Options: add ( XXXXXX is a custom ID in NextDns )
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
    forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
    forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
    forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
Thanks in advance.
Hello, you can do it in the following way.
1 - Go to the NextDns website and copy the address that appears in the Dns over https section: https://dns.nextdns.io/xxxxx
2 - Disable Unbound
3 - In Adguard - Settings - DNS settings you set that address.
Quote from: yeraycito on November 12, 2021, 06:36:18 PM
Hello, you can do it in the following way.
1 - Go to the NextDns website and copy the address that appears in the Dns over https section: https://dns.nextdns.io/xxxxx
2 - Disable Unbound
3 - In Adguard - Settings - DNS settings you set that address.
Thanks Yeraycito
One additional question, is there anyway to keep the Unbound enabled?
No, disable Unbound
Thanks Yeraycito!
I've been using this post as a reference setting up AdGuard with Unbound (very helpful, thanks!), but haven't managed to get hostnames showing in AdGuard, only IP addresses.
I thought of ditching Unbound and using just AdGuard for DNS and DHCP, but then remembered that I'm using overrides in Unbound in order to be able to use Nginx Proxy Manager. I have a FQD with a wildcard certificate to access my web apps (Home Assistant, Plex, Syncthing, etc.) but only internally, not accessible outside of my LAN.
Would doing that still be possible if I were to disable Unbound and only use AdGuard?
Hello,
Guys, I have a question concerning the use of NextDNS within AdGuard. I have AdGuard running on 2 separate RPIs, so in case one fails we still have a DNS working; of course OPNsense points to both. My issue here is that, first of all, I had to add the relevant https://dns.nextdns.io/xxxxx in the DNS upstream section and add the "normal IPs" (45.X.X.X) in the section below concerning the DNS bootstrap to get it working on the 1st RPI, but after adding that same information on the 2nd one I get an error stating that it's impossible to use https://dns.nextdns.io/xxxxx, please check that the name is correct.
Not sure what I'm doing wrong here, so any advice will be appreciated. Please note that if I use the Cloudflare https://family.cloudflare-dns.com/dns-query with the 1.X.X.3 that works for the 2nd RPI. Is there a limitation of 1 global device per network for the usage of NextDNS within AdGuard?
Has anyone already had this issue? Is it the expected behaviour?
Thanks in advance for taking the time to help out, any advice will be highly appreciated.
anyway to update adguard?
it has shown me new version notification for few weeks now
I just hit update in AdGuard Home and it updates itself.
Quote from: RamSense on November 25, 2021, 07:52:09 PM
I just hit update in AdGuard Home and it updates itself.
ah I thought it would not work as it's a plugin!
thanks
Quote from: Lxndr on November 24, 2021, 07:22:36 PM
Hello,
Guys, I have a question concerning the use of NextDNS within AdGuard. I have AdGuard running on 2 separate RPIs, so in case one fails we still have a DNS working; of course OPNsense points to both. My issue here is that, first of all, I had to add the relevant https://dns.nextdns.io/xxxxx in the DNS upstream section and add the "normal IPs" (45.X.X.X) in the section below concerning the DNS bootstrap to get it working on the 1st RPI, but after adding that same information on the 2nd one I get an error stating that it's impossible to use https://dns.nextdns.io/xxxxx, please check that the name is correct.
Not sure what I'm doing wrong here, so any advice will be appreciated. Please note that if I use the Cloudflare https://family.cloudflare-dns.com/dns-query with the 1.X.X.3 that works for the 2nd RPI. Is there a limitation of 1 global device per network for the usage of NextDNS within AdGuard?
Has anyone already had this issue? Is it the expected behaviour?
Thanks in advance for taking the time to help out, any advice will be highly appreciated.
Anyone to advise on the above please? Thanks
Hi,
Thank you for the guide. As I'm new to Opnsense, it helps a lot.
I run into one problem though.
My setup is using Unbound as resolver, so: LAN -> AdGuard (listening on 53) -> Unbound (listening on 53530) -> DoT server. DNS resolution works fine for all the clients, and AdGuard's doing its job properly too, except for the router itself. Trying to ping a public domain from the router shell gives me "Host name lookup failure" and I can't update firmware and plugins because of that.
When I disable AdGuard and change my unbound port back to 53 it works, I can ping and update from the router.
Is there any settings that I should know of?
I have extended to backup AdGuardHome.yaml file using Git backup plugin (which is a pre-requisite).
1) login to shell in OpnSense
2) edit actions_adguardhome.conf
vi /usr/local/opnsense/service/conf/actions.d/actions_adguardhome.conf
3) Insert following:
[backup]
command:cp /usr/local/AdGuardHome/AdGuardHome.yaml /conf/backup/git ; cd /conf/backup/git; git add AdGuardHome.yaml; git commit -m "Adguard Config changes on `date`" AdGuardHome.yaml
parameters:
type:script
message:backing up Adguardhome config
description:Backup Adguardhome config
See 1.png attached
5) Restart configd
service configd restart
6) Configure Cron job in Web UI
See 2.png attached
7) Result See 3.png attached
The thing I have noticed is that when I try to connect to another VLAN, even by a simple ping or to access a web UI, it will hang on the first attempt. If I cancel and ping again or refresh the page it connects without issue. I'm not exactly sure where this is happening. It's acting as if there is no route table created or something. Would love some insight into why this could be happening. Forgive me if this isn't enough info, just ask and I'll be happy to provide.
I was looking into the AdGuard Home queries and saw .local and .localdomain with processed NXDOMAIN.
Is it normal to have those queried to outside dns (in my case cloudflare)
Is there a way to have those queried only locally?
Add following to your upstream DNS servers box:
[/mydomain.local/]192.168.1.1
replace mydomain.local with your local domain and 192.168.1.1 with your local DNS server IP.
Quote from: RamSense on December 04, 2021, 01:21:52 PM
I was looking into the AdGuard Home queries and saw .local and .localdomain with processed NXDOMAIN.
Is it normal to have those queried to outside dns (in my case cloudflare)
Is there a way to have those queried only locally?
thnx for that tip.
But I see also domains like wpad.localdomain and api.wordpress.org.localdomain etc.
So I just tried a custom filtering rule (block):
||*.local^$important
||*.localdomain^$important
don't know what is better?
On further thought... maybe I can better add [/localdomain/]192.168.1.1:5353
to the Upstream DNS server
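The "[/domain/]address" upstream entries discussed in the last few posts decide which resolver AdGuard Home asks for a given name. The following is an added model of that selection logic (it is not code from this thread or from AdGuard Home); the resolver addresses, zone names and query names in it are constructed for illustration, with 192.168.1.1:5353 standing for a local Unbound as in the posts above.

```python
"""Model of AdGuard Home's per-domain upstream routing.

Added example for the upstream entries discussed in this thread (not code from
the thread or from AdGuard Home). A plain line is a default upstream;
"[/domain1/domain2/]address [address ...]" sends those domains and every name
under them to the listed servers; "[/domain/]#" routes a domain back to the
defaults. The longest matching domain wins. All addresses and names below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UpstreamConfig:
    defaults: List[str] = field(default_factory=list)
    per_domain: Dict[str, List[str]] = field(default_factory=dict)


def parse_upstreams(text: str) -> UpstreamConfig:
    """Parse the contents of the 'Upstream DNS servers' box."""
    cfg = UpstreamConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if not line.startswith("[/"):
            cfg.defaults.append(line)  # plain default upstream
            continue
        end = line.find("/]")
        if end < 0:
            raise ValueError(f"malformed domain-specific upstream: {line!r}")
        domains = [d.strip(".").lower() for d in line[2:end].split("/") if d]
        servers = line[end + 2:].split()
        if not domains or not servers:
            raise ValueError(f"malformed domain-specific upstream: {line!r}")
        for domain in domains:
            cfg.per_domain[domain] = servers
    return cfg


def select_upstreams(cfg: UpstreamConfig, qname: str) -> Tuple[Optional[str], List[str]]:
    """Return (matched_domain, servers) for a query name.

    Walks the name from the most specific suffix ("a.b.c", then "b.c", then "c")
    so that the longest configured domain wins; an unmatched name falls through
    to the default upstreams.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        servers = cfg.per_domain.get(suffix)
        if servers is None:
            continue
        if servers == ["#"]:
            return suffix, list(cfg.defaults)  # explicit "use the defaults"
        return suffix, list(servers)
    return None, list(cfg.defaults)


# Constructed configuration in the spirit of the thread: public DoT resolvers by
# default, the local Unbound (OPNsense on 192.168.1.1, listening on 5353) for the
# internal zone and for stray ".localdomain" lookups such as wpad.localdomain, and
# a guest zone that is deliberately sent back to the public resolvers.
SAMPLE_UPSTREAMS = """
# default upstreams
tls://1dot1dot1dot1.cloudflare-dns.com
tls://dns.quad9.net
[/mydomain.local/localdomain/]192.168.1.1:5353
[/guest.mydomain.local/]#
"""


def route(qname: str, upstreams: str = SAMPLE_UPSTREAMS) -> List[str]:
    """Which servers would be asked for qname under the given upstream box?"""
    return select_upstreams(parse_upstreams(upstreams), qname)[1]


if __name__ == "__main__":
    cfg = parse_upstreams(SAMPLE_UPSTREAMS)
    for name in ("nas.mydomain.local", "wpad.localdomain",
                 "api.wordpress.org.localdomain", "tv.guest.mydomain.local",
                 "www.example.com"):
        matched, servers = select_upstreams(cfg, name)
        print(f"{name:32} -> {matched or '(default)':22} {' '.join(servers)}")
```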
To reject all wpad you can use the following custom filtering rule:
/wpad[.]([a-z0-9.])*/$dnsrewrite=NXDOMAIN;;
I have seen api.wordpress.org.localdomain, when you use Blocking mode as NXDOMAIN, change to default and these will go away...
Quote from: RamSense on December 04, 2021, 09:17:18 PM
thnx for that tip.
But I see also domains like wpad.localdomain and api.wordpress.org.localdomain etc.
So I just tried a custom filtering rule (block):
||*.local^$important
||*.localdomain^$important
don't know what is better?
On further thought... maybe I can better add [/localdomain/]192.168.1.1:5353
to the Upstream DNS server
Has anything happened with AdGuard? I am currently unable to log into the web interface running on my opnsense installation.
Do I need custom username for this interface or is it the same as the admin-panel from opnsense?
I have used ADGuard now for really long time without any troubles, but now i am not able to login.
On the frontend from Opnsense i use ldap for the authentication.
Thanks for help.
Kind regards
I followed the guide at the site listed below to setup AdGuard Home using the freebsd version instead of the community plugin, and it's working great other than I only see one client (127.0.0.1) listed in the clients. All DNS queries are processing as far as I can tell. Anyone know how to fix my setup to show the individual clients instead of only 127.0.0.1?
Any thoughts on using the guide I linked below versus using the community plugin?
Thanks
https://forums.torguard.net/index.php?/topic/2545-opnsense-adguardhome-total-control-mode-doq/#replyForm
In regards to my post above, I suspect it has to do with the fact Unbound is listening on port 53 and AdGuard is listening on port 53530, but I'm not certain how to go about fixing it. I could try some things and probably will in the meantime until someone has some feedback. :)
Why not use the plugin version? Works great, including updates :-)
But For your unbound: have you tried setting unbound to port 5353 and adguard on port 53?
and in Adguard dns settings: Bootstrap DNS servers and Private reverse DNS servers pointing to opnsenseip:5353
That's my setting.
Quote from: RamSense on December 10, 2021, 05:32:33 PM
Why not use the plugin version? Works great, including updates :-)
But For your unbound: have you tried setting unbound to port 5353 and adguard on port 53?
and in Adguard dns settings: Bootstrap DNS servers and Private reverse DNS servers pointing to opnsenseip:5353
That's my setting.
Thanks RamSense for your response. I tried the plugin first, ran into an issue (most likely misconfiguration on my side), and then decided to try that other guide for fun, plus I wanted to use IPv6, but I'm not sure the plugin version supports it. I think it would, but I am not certain.
Ah ok. Well I hope you can get it to work with changing the ports.
p.s. I have also (very recently) got ipv6 and I can confirm it works with the plugin version.
Thanks RamSense. Are you able to see the individual clients in AdGuard or do they all show coming from your router or local host IP? Also, what did you do different to get IPv6 working? Thanks again.
settings - client settings -> I see the ipv6 devices and gave them a name in adguard. Opnsense is DHCP.
I did not have to do any changes in adguard, it worked right away. I do not remember what interfaces I used with the adguard install, maybe I just did all interfaces and that is why I did not have to change anything (?)
In opnsense I have static ipv6 which works great, but there is still an ipv6 bug in freebsd which will hopefully be fixed in the opnsense 22.1 / freebsd 13 version. See e.g. here: https://forum.opnsense.org/index.php?topic=25824.0
Has anyone gotten AdGuard to also listen on virtual IP addresses?
Has anyone setup keepalived to sync with this with a second instance on another server for high availability?
Quote from: mkono87 on December 22, 2021, 03:58:11 AM
Has anyone setup keepalived to sync with this with a second instance on another server for high availability?
Hmm guess not. I guess if I tried this it would be best on something else than the firewall.
I recently changed my LAN address range from 192.168.x.x to 10.10.x.x based. After the swap I started having problems with DNS resolution in my VLANs. Before the change I did not need any firewall rules or DHCP DNS settings to get resolution on other VLANs, but now I need to set DNS server on VLAN DHCP settings to get any resolution.
This of course is not a huge problem, but I just find it odd and figured that there is maybe something misconfigured in my setup. There is probably some setting that is causing this but I can't find it. Any advice on where to look?
E: I'm using Adguard and routing DNS over TLS with Unbound. The setup is basically the same as in here https://forum.opnsense.org/index.php?topic=22162.msg106715#msg106715
E2: Solved, I forgot to select all VLANs in DNS Listen Interfaces dropdown. Reconfigured and seems to be working as earlier now.
I did configure my opnsense like how described in this post and with Option 1
https://forum.opnsense.org/index.php?topic=22162.msg106715#msg106715
But i have some issues. It seems like dns resolving from the opnsense itself isn't working.
When i open a shell on opnsense and use "nslookup google.com" i get the answer:
;; connection timed out; no servers could be reached
Did I do something wrong?
When rebooting opnsense, adguard does not start automatically and I have to start it manually.
Is this (see picture, which I found in a pfsense guide) something I/we should add? Or can this be added to the plugin?
And if added manually, how to do this in opnsense:
Step 6: Making AdGuard Home start on boot:
Go to Services>shellcmd and click Add
Command: /usr/local/bin/screen -S AdGuardHome_screen -d -m /opt/AdGuardHome/AdGuardHome
Shellcmd Type: shellcmd
Description: AdGuard
as found here: https://broadbandforum.co/threads/installing-adguard-home-on-pfsense.205884/page-2
Quote from: RamSense on January 22, 2022, 09:18:26 AM
When rebooting opnsense, adguard does not start automatically and I have to start it manually.
Is this (see picture, which I found in a pfsense guide) something I/we should add? Or can this be added to the plugin?
And if added manually, how to do this in opnsense:
Step 6: Making AdGuard Home start on boot:
Go to Services>shellcmd and click Add
Command: /usr/local/bin/screen -S AdGuardHome_screen -d -m /opt/AdGuardHome/AdGuardHome
Shellcmd Type: shellcmd
Description: AdGuard
as found here: https://broadbandforum.co/threads/installing-adguard-home-on-pfsense.205884/page-2
That is not how it should be done! Adguardhome should be installed as a plugin.
Look at this: https://www.routerperformance.net/opnsense-repo/
sorry, forgot to mention that I'm running the plugin of adguard home.
N.B. With opnsense 22.1 it is fixed. after the installation the system came up automatically
Hi, I followed this tutorial but having an empty System:Settings:General DNS servers results in this error on the host:
dig google.com
Error: error sending query: No (valid) nameservers defined in the resolver
I have also a time out error on OPNsense update check.
Could anyone with a working adguard + unbound configuration share their `/etc/resolv.conf`?
The only way to make it work for me is to set a fallback DNS servers in System:Settings:General DNS servers.
Here is my whole configuration DNS wise if it can help troubleshooting my issue:
System:Settings:General:
DNS Server: empty
Do not use the local DNS service as a nameserver for this system: CHECKED
Services:DHCPv4:[LAN]:
DNS servers: empty
Unbound DNS:General:
Listen Port: 53530
Enable: CHECKED
Enable DNSSEC Support: CHECKED
Register DHCP leases: CHECKED
Register DHCP static mappings: CHECKED
Local Zone Type: transparent
AdGuard Home interfaces during the initial config were set to LAN only
Adguard:DNS settings:
Upstream DNS servers: 127.0.0.1:53530
Bootstrap DNS servers: 127.0.0.1:53530
I'm not sure you followed this tutorial. The original post, page 1 shows it using an ip in System:Settings:General DNS servers field. Looks like you are trying to do it differently.
I use Unbound and Adguard home. I also have that field setting and my /etc/resolv.conf only has "domain mydomain" in it. As expected.
Where are you issuing your dig command, a client or the firewall device?
Where is adguard running, another machine?
How are your clients being pointed to that_machine:53530 , dhcp?
After doing a clean install of Opnsense 22.1 I tried to install Adguard. It installs version 0.107.3 stable. I have encountered several difficulties that have prevented me from getting it up and running. When starting the Adguard configuration it indicates that port 53 is in use (Unbound) and forces you to change it if you want to continue configuring Adguard. I changed the Unbound port to 5353 and continued configuring Adguard normally. The problem is that it does not work and there is no internet connection. I have tried setting other ports in Unbound and the same thing happens, there is no internet connection. I have uninstalled Adguard and tried in Unbound to change the port and try to see if there is connection without Adguard. The result is that if Unbound is not set to port 53 by default there is no internet connection. If you set Unbound to any port other than 53 there is no internet connection even if you have configured the corresponding dns. I have done a second test, I have deactivated Unbound and installed Adguard on port 53. At the beginning and after configuring the dns in Adguard everything worked perfectly, but inexplicably after a short time the lan devices were without internet connection, they were no longer displayed in the Adguard logs. However, 127.0.0.1 continued to display and have a connection in Adguard. In the end I had to uninstall Adguard as I couldn't get it to work.
Quote from: cookiemonster on January 26, 2022, 06:10:04 PM
I'm not sure you followed this tutorial. The original post, page 1 shows it using an ip in System:Settings:General DNS servers field. Looks like you are trying to do it differently.
I use Unbound and Adguard home. I also have that field setting and my /etc/resolv.conf only has "domain mydomain" in it. As expected.
Where are you issuing your dig command, a client or the firewall device?
Where is adguard running, another machine?
How are your clients being pointed to that_machine:53530 , dhcp?
Thanks for your answer.
I did follow the tutorial as it says the following:
On OPNsense:
System -> General Setup
Set '8.8.8.8' as DNS server (Or whatever DNS you would like as a backup,
if you only want AdGuard you can remove all DNS servers from this list and leave it blank)
Untick: Do not use the local DNS service as a nameserver for this system
This way by default OPNsense will use itself (127.0.0.1) as the resolver which we want.
For me these instructions result in non-functioning changelog access.
I am doing the drill commands directly from the shell of the OPNsense box
Adguard is running as a plugin of OPNsense
The clients have no issues regarding the local DNS; they are getting their IPs and DNS through the OPNsense DHCP server, yes.
At the end of the day, my issue isn't really that bad as it only means that OPNsense itself will use a different DNS.
@yeraycito: I suggest you try to reproduce my config as, apart from my small issue, everything is working flawlessly (it's a clean install).
Thank you very much, I have tried it and it works.
Opnsense 22.1 Clean Install - Installation:
It is very important to follow the order explained
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - Opnsense - System - Settings -General
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
5 - Opnsense - Services - Unbound - Dns Over Tls
Set the desired DNS servers, e.g., Cloudflare:
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
6 - Opnsense - Services - Unbound - General
Listen Port: 5353
7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard
8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
Decided to try AdGuardHome with Unbound, and are you guys also using the blocklist from Unbound or it's simply redundant ?
Tia.
It depends on the lists you put up. In Unbound they are already preconfigured and you can activate the ones you want. Adguard has two basic lists and you can add as many as you want. If you put good lists in Adguard you don't need to activate the ones in Unbound. Some of the lists I have in this post are a set of other lists.
I am running OPNsense 22.1 and installed AdGuard from the mimugmail repo. Unbound is listening on port 5335 on all my LANs and VLANs. In AdGuard the upstream and bootstrap DNS server is set to 192.168.1.1:5335.
Furthermore, under Settings - General there is no DNS server set (empty). Also in the DHCP settings no DNS server is set.
From my LAN network I am able to resolve addresses but not from my VLANs. Any suggestions how to solve this problem?
As an example I have also added a screenshot from my IoT rules.
Regards Chris
Hi, try creating a dns rule and put it at the top. You can see how to do it here:
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
As a NAT - Port Forward rule?
In the past when I was using Pi-hole on a raspberry I was using this rule to forward all DNS traffic to the pi-hole.
Is there a way to change the listen interfaces in AdGuard?
During the first setup I selected only my physical LAN interface and not the VLANs. Maybe this is the fault.
You can't, you have to uninstall and reinstall it. The DNS rule is not a port forward, you have to create it in Firewall - Rules - IOT and put it at the top. When installing Adguard, configure it on all interfaces.
With this configuration of OPNsense and AdGuard, is it necessary to create a NAT unbound rule to force all hardcoded devices like Google Home to use my provided DNS server?
So now with all interfaces selected during the initial setup it's working.
I'm trying to set AdGuardHome to work as the DNS for 4 VLANs:
LAN:10.0.0.0
HOME: 10.1.0.0
LAB: 10.2.0.0
IOT: 10.3.0.0
On each interface, I have set the interface IP as the DNS server.
All VLANS have been set with a port forward rule to capture the dns requests and pass to 127.0.0.1:53.
Adguard works fine on LAN and HOME, but not on LAB and IOT I get no resolution and if I dig, I receive an error: "reply from unexpected source: 10.0.0.1#45443, expected 10.3.0.1#53"
If I set LAB or IOT DNS server to 10.0.0.1 (LAN address), it works.
I do not understand -- HOME works just fine with the DNS server set as HOME address, but LAB and IOT fail with DNS server set as their interface addresses.
Any suggestions as to why this is the case?
Do you maybe have an inter-VLAN routing deny rule on both VLANs?
I got it now working by following these instructions:
https://labzilla.io/blog/force-dns-pihole
But I also had to add a DNS-Allow rule on top of all other rules for the different networks.
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
Now my network clients are using AdGuard and the internal DNS resolver, also devices with hardcoded DNS like google nest mini.
Thanks for the resources. If I can't resolve it tonight, I guess I'll try rebuilding from scratch and try to follow these instructions.
I don't see how an inter-VLAN deny rule would allow me to access across VLANs (IoT -> LAN) but not allow IoT -> IoT address (although it's entirely possible I've messed up somewhere)... Additionally, I have the automatic NAT rule created which should allow access to interface_address:53
When you set up outgoing NAT, did you set it up per interface?
I've tried outgoing NAT, and it doesn't make a difference. I wasn't sure I was doing it right, so I tried various permutations of LAN/IOT for interface, source, and destination. Still receiving the same error.
Quote from: namnnumbr on February 02, 2022, 01:04:42 AM
Thanks for the resources. If I can't resolve it tonight, I guess I'll try rebuilding from scratch and try to follow these instructions.
When you set up outgoing NAT, did you set it up per interface?
I've tried outgoing NAT, and it doesn't make a difference. I wasn't sure I was doing it right, so I tried various permutations of LAN/IOT for interface, source, and destination. Still receiving the same error.
I will do some screenshots from my rules this afternoon, I think this will explain it better than with my words.
The NAT rules I have not set up for each interface. I have created a group with all related networks, including VLANs.
I will also do some screenshots from the NAT rules.
Here are my two Port Forward rules and the Outbound rule.
local_Networks is a Group and the members are all my related networks, eg. LAN, IoT, ...
Furthermore I have created for all these networks a pass DNS to internal server rule and below this a block any external DNS server rule.
I hope this will help you to setup your firewall.
How do I change the HTTP port/etc once it's been set up. It looks like it's a one time deal.
Also, how do you set up the DoT?
I think you are right its a one time deal.
For DoT I use Unbound. But in AdGuard just type the TLS server address in the upstream DNS server field. Examples are also shown on the DNS settings page.
Quote from: ChrisChros on February 02, 2022, 04:48:54 PM
Here are my two Port Forward rules and the Outbound rule.
local_Networks is a Group and the members are all my related networks, eg. LAN, IoT, ...
Furthermore I have created for all these networks a pass DNS to internal server rule and below this a block any external DNS server rule.
I hope this will help you to setup your firewall.
Just to show another option:
I do my LAN rule a little differently. First one blocks everything but my Adguard Home server from reaching outside DNS using an alias containing a list of public DNS servers. This helps prevent clients from using DoT and DoH to bypass the NAT port forward. Second rule is generated from the NAT port forward.
The "Public_DNS" alias contains https://public-dns.info/nameservers-all.txt
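Added example, not from the thread and not OPNsense's own code: a small POSIX shell script that turns a nameserver list like the public-dns.info file above into a validated table file before it is used in a block rule. The sample list is constructed inline (the real file is far longer); the output path and the idea of loading the file as a pf table are assumptions, since the post does this through an OPNsense URL-table alias, which takes the remote file as-is.

```shell
#!/bin/sh
# Added example (not from the thread): sanitise a "public resolvers" list before it becomes a firewall
# block table. A URL-table alias swallows whatever the remote file contains; this version keeps only
# well-formed IPv4/IPv6 literals, de-duplicates them, and reports what it threw away.

# stdin: raw list (one address per line, blanks/comments tolerated); stdout: validated, sorted, unique
filter_addrs() {
  awk '
    /^[[:space:]]*#/ { next }                                   # comment line
    { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }      # trim surrounding whitespace
    $0 == "" { next }
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {                        # dotted quad: every octet must be 0-255
      split($0, o, "."); ok = 1
      for (i = 1; i <= 4; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
      if (ok) { print; next }
    }
    /^[0-9A-Fa-f:]+$/ && /:/ && !/:::/ { print; next }          # plausible IPv6 literal
    { print "skipped: " $0 > "/dev/stderr" }                    # anything else is not an address
  ' | sort -u
}

# $1 = output table file; stdin = raw list. Prints the number of addresses written.
write_table() {
  filter_addrs > "$1"
  wc -l < "$1" | tr -d ' '
}

# $1 = address, $2 = table file: 0 if the address would be matched by the block rule
in_table() {
  grep -qxF -- "$1" "$2"
}

# Constructed stand-in for https://public-dns.info/nameservers-all.txt (the real file is far longer).
sample_list() {
  cat <<'EOF'
8.8.8.8
8.8.4.4
1.1.1.1
2606:4700:4700::1111
9.9.9.9
9.9.9.9
 208.67.222.222
256.1.1.1
not-an-address
# trailing comment
EOF
}

# Demo: build the table, then check a public resolver and the firewall's own address against it.
# In pf terms (assumed, the post uses a GUI alias) the file is loaded with
#   table <public_dns> persist file "/path/to/table"
# and referenced by a block rule on the LAN interface for port 53, placed below a pass rule for the
# AdGuard host so that only the filtering resolver may talk to the outside.
tbl=$(mktemp)
n=$(sample_list | write_table "$tbl")
echo "$n resolver addresses written to $tbl"
in_table 8.8.8.8 "$tbl" && echo "8.8.8.8 would be blocked on port 53"
in_table 192.168.1.1 "$tbl" || echo "192.168.1.1 (AdGuard/Unbound on the firewall) is not in the table"
rm -f "$tbl"
```

The "skipped:" lines on stderr are the point of the exercise: a third-party list that is fed straight into a firewall alias can carry malformed or surprising entries, and an operator should see what was dropped rather than silently trusting the fetch.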
Quote from: ChrisChros on February 02, 2022, 05:45:34 PM
I think you are right its a one time deal.
For DoT I use Unbound. But in AdGuard just type the TLS server address in the upstream DNS server field. Examples are also shown on the DNS settings page.
Thanks. I uninstalled it since it does not support regex in whitelist...
@ChrisChros, @Fawkesguy -- thanks much for taking the time to share screenshots of your setup! I think I have a pretty good idea of what should work. Unfortunately, I'm still not getting an appropriate response (i.e., for some reason my IoT network (10.3.0.0/24) thinks it's getting a response from the LAN interface (10.0.0.1).
... which suggests to me that I probably have issues either elsewhere in my firewall rules or a bit of a hinky opnsense install.
I'll probably spend the weekend wiping and resetting everything...
A short update to my rules. They are not working as expected. I have two Google devices connected to my IoT network. The Google Home Mini is working without any issues, but the Google Nest Mini does not want to establish an internet connection.
I can see in the live log that 10.10.10.22 (Nest Mini) is caught by the rdr rule every second, while the Home Mini (10.10.10.23) has more or less no entries.
Nest Mini and Home Mini are more or less the same devices, but the behavior is completely different with my NAT rules.
Any suggestions what is going wrong with my rules?
So I think I have it now.
I checked all my port forward rules and realized that NAT reflection was set to "Use system default", this has to be set to "Disabled".
@ChrisChros,
I followed your https://labzilla.io/blog/force-dns-pihole
guide to adguard home plugin on opnsense. this works like it should for [Test it out]- point 4
but when doing [Test it out] - point 5 "by temporarily disabling the first NAT rule" I get
;; connection timed out; no servers could be reached
Do you know what can cause this?
Unfortunately not. I only performed Test 4.
After that I was happy that my hardcoded DNS devices were able to connect to the inet.
ah ok.
Well, the difference I have with your guide vs what I had is that instead of nslookup always showing my adguard ip (opnsense ip), now when you try to bypass with e.g. 1.1.1.1 it looks like it comes from 1.1.1.1 but actually adguard is doing the DNS. Sounds better than what I had, so great.
only test 5 fails, I'm curious if that is working at your end
*update*
Got it working. I had a firewall-rules-lan block #53 still there :-)
When removed, test 5 works like it should. It seems that with your bypass guide solution I can delete this block rule since everything is going to be pushed to adguard now (normal and hardcoded), or does somebody else have another opinion?
So what I observed today is a little bit strange.
My Google Nest Mini is this morning not able to connect to the internet. In AdGuard I can see that at 2 AM the DNS queries rose from 2500 to 18000. No changes have been done to the firewall rules during that time.
Does anybody else have similar behavior?
do you use ipv6?
I still have some problems with ipv6 on opnsense 22.1
if yes, try stop and start Services-DHCPv6 and stop and start services-Router Advertisements
and see if that gets your nest mini back on
I do not use IPv6, it is completely deactivated. I do not see the benefit for home use.
For the record, part of my problem was that my port forward rules were for TCP only... and DNS is UDP. So fixing that helped.
The other part of my problem was an overly complex and janky vpn setup between OPNsense and my switch.
Everything is working cleanly now.
I recently acquired a NanoPi R4S. Amazing router, and trivial to run OPNsense. However, the mimugmail repo doesn't work on aarch64.
Which leads to the question of why it's even necessary.
Installing the mimugmail repo already implies SSH access to run the requisite `fetch` command. So why not simply `fetch` the freebsd native adguard home? At that point, you just have to extract the archive, and then follow Adguard's own installation steps. Nothing terribly complicated there, beyond knowing that OPNsense is Freebsd-based, and what architecture you are running (likely 95%+ AMD64).
Yes, adguard will complain that port 80 is in use. Pick another one! (3000 works, unless you are running graphana on the same host. 8080 works too, unless you are running nginx on that port.)
If you don't stop unbound, it will complain about port 53, too, but you can either move adguard (and then point unbound to adguard), move unbound to a different port, or stop unbound. (adguard already does most of what unbound does).
As an alternative, you can load adguard (and other!) lists into unbound. A few years ago I wrote a script to "manage" black- and white-lists with unbound (whitelists being local overrides to the public lists, much like adguard does), but I abandoned that work after I found Adguard Home and realized they had already solved (better!) the big problem I was trying to solve: given a device trying to access a site, how do I know which site is blocked. It's easy to whitelist the site, but fairly difficult to parse the logs to see. Adguard gives me a simple interface to see that, and with a click I can whitelist the domain, either everywhere, or just for that one device.
I really don't think a scratch install is any more complicated than installing a custom repo...
I understand your view and opinion. But me for instance, i like the plugin concept. When being able to control opnsense and additions from the gui makes it easy and clear, gives a feeling of control compared to having to go to terminal / having to go and enable ssh for every install feels a bit threshold for me. I also like being able to get into the gui and control things in opnsense while being away by vpn and the comfort of my phone.
So with that being said; opnsense is all about being able to have many ways of control, the gui, terminal/ssh etc. So with both options available, everybody is happy :-)
ps. But there are improvements / wishlist: It would be great being able from within the plugin/gui to backup the config of adguard home with all dns-settings,used lists and custom rules.
Quote from: RamSense on February 08, 2022, 06:41:38 PM
I understand your view and opinion. But me for instance, i like the plugin concept. When being able to control opnsense and additions from the gui makes it easy and clear, gives a feeling of control compared to having to go to terminal / having to go and enable ssh for every install feels a bit threshold for me. I also like being able to get into the gui and control things in opnsense while being away by vpn and the comfort of my phone.
So with that being said; opnsense is all about being able to have many ways of control, the gui, terminal/ssh etc. So with both options available, everybody is happy :-)
I guess my main point was more for the "guide"; it really isn't difficult, and once installed the need for the cli is minimal.
It's probably also fair to note that I am the type who prefers the simplicity of a cli. Given the choice, I will almost always choose a cli over a gui because the vast majority of the time it's faster, and the gui usually is just an abstraction around the cli anyway, and often makes assumptions that are hidden (or can't even be set).
That said, I understand that lots of people prefer a gui approach, even if it is slower and less secure. For me (and after reading this thread, I know I'm not alone...), if what I wanted was a 99% GUI solution, I'd be running OpenWRT instead.
You *can* access your AdGuard gui from a vpn easily enough. If you use the virtual IP approach, it wouldn't even feel weird because it would feel like you are logging on to a different host. It's no more difficult to access the AdGuard gui from your phone than OPNsense (arguably easier, because AdGuard's mobile interface is well optimized). You also can SSH on a vpn. I have a terminal program for my phone, even, that I could use. Granted, securely using ssh requires a bit of work, but if you can install the mimugmail repo, you can run the two or three cli commands for key-based (as opposed to password-based) ssh login. That's well out of scope *here* but I bet there's already guides for that... :D
I can't seem to figure out what's wrong with my setup.
My Port Forward NAT already has rules to redirect outbound DNS to Adguard (using Groups, for several VLANs), Unbound listens on 53530, and Adguard Upstream DNS and bootstrap DNS point to 127.0.0.1:53530 (or LAN_ip:53530, tried both), but it still won't resolve. I tried to reinstall adguard several times to make sure that I chose all interfaces on DNS listen interface.
I don't know if resolv is the right word, because I can see that my DNS requests show up in Adguard AND Unbound log, so that means the flow is correct, but I still never got any response on my VLANs, only my LAN that works.
Anyone have any idea?
EDIT: nevermind, turns out I need to point the DNS server in DHCP to the gateway/Adguard interface IP of each VLAN or leave it empty. It works now.
Thanks for the guide/help.
I get a notification in the AdGuard Home webinterface that v0.107.5 is now available: can I update directly from the AdGuard Home webinterface or should I wait until the package gets updated?
Updates work fine here from the webinterface
Quote from: planetix on August 03, 2021, 04:32:34 PM
Is there a known issue with fresh installs of this plugin and 21.7? I can't even get the setup page to load after a successful plugin install (http:<my.opnsense.ip>:3000).
The plugin is enabled and appears to be running
No errors are thrown in the logs
I have Unbound disabled
I am not running Grafana, NTPng, or any other service on port 3000. Netstat shows the AdGuardHome service is running on said port and nothing else.
I cannot get the start page to come up at all on port 3000. Since that triggers the initial setup wizard, there's no configuration yaml created (I checked via CLI). The service just appears to be running and waiting for me to kick off the process.
Could someone post a (more or less) "default" configuration yaml for the plugin? I can modify it for my own setup, restart the service, see if that gets past it, though I'd still like to figure out why I can't access the initial config wizard.
Thanks!
Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.
The problem, if anyone else runs in to this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.
This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.
I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.
Hope this helps someone else :)
Can you explain exactly what you did to get this working? I'm having the same problem
I've followed the guide to install AdGuard using the repo and it works great. The problem is that my unraid server cannot update its docker containers. I have tried to specify a port forwarding rule just for the unraid server to send the traffic to port 5353 on the unbound server to effectively bypass AdGuard, however it seems to direct all traffic on the network to unbound. See the additional rule I set up and moved before the other rule in the guide:
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: UnraidServerIP
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: 5353
Description: Bypass AdGuard for unraid server
NAT Reflection: Disable
What am I doing wrong? How can I achieve forwarding traffic to AdGuard with the exception of a single IP which doesn't need to go through AdGuard?
This broke unraid for me as well, not sure what happened that broke it, but it started in the past 3 days. I went to update today, and couldn't update anything.
Even when I set the DNS on unraid to use something else (quad9 in my case), it still tried to go through adguard and got blocked.
Quote from: RamSense on March 28, 2022, 03:54:51 PM
Updates work fine here from the webinterface
Hmmm...I get an error message "Auto-update failed."
(https://ibb.co/TMmYQq6)
What is the procedure for a manual update? I am running OPNsense on an amd64 architecture, so I assume I need to download the latest AdGuardHome_freebsd_amd64.tar.gz from https://github.com/AdguardTeam/AdGuardHome/releases and replace /usr/local/AdGuardHome with it. But I also assume I first need to stop the AdGuard service; how do I do that? I tried ./AdGuardHome -s stop but that gave an error message. (I had already stopped AdGuardHome in the web interface, but on my previous setup that was not enough, the service also had to be stopped over SSH.)
Quote from: yeraycito on January 28, 2022, 07:26:33 PM
Thank you very much, I have tried it and it works.
Opnsense 22.1 Clean Install - Installation:
It is very important to follow the order explained
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - Opnsense - System - Settings -General
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
5 - Opnsense - Services - Unbound - Dns Over Tls
Set the desired DNS servers, e.g., Cloudflare:
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
6 - Opnsense - Services - Unbound - General
Listen Port: 5353
7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard
8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
it works for me, the problem I have is that I can not identify the ip of my network, it only shows 127.0.0.1
It is very important to follow the order explained
Quote from: yeraycito on June 10, 2022, 06:55:45 PM
It is very important to follow the order explained
I have followed your method and it does not work for me, with this guide it works https://forum.opnsense.org/index.php?topic=25614.0 , but I only see in the identification of the clients the localhost or the internal ip of my fw
and I think the problem to identify the clients is in the dns custom list section.
server:
    do-not-query-localhost: no
forward-zone:
    name: "."  # Allow all DNS queries
    forward-addr: 192.168.30.254@5310
    forward-addr: ::1@5353
Hi guys,
I followed this guide, but I have one problem:
I cannot fetch Firmware - Updates/Plugins anymore.
I need to set a DNS under General and tick "Do not use the local DNS service as a nameserver for this system"
to make my system fetch these.
Hi, I have read some guides and discussions. Generally it is simply said do so and so without explaining why it is necessary that way.
From what I understand the best scheme:
Client -> OPNsense -> AD Guard -> Unbound -> Internet
Client: DHCP
OPNsense: System: Settings: General -> DNS servers -> blank (so everything is set to 127.0.0.1)
AD Guard:
Upstream DNS servers: [/local.lan/]OPNsense_IP:5353
Bootstrap DNS servers: OPNsense_IP
Private reverse DNS servers: 127.0.0.1:5353 + OPNsense_IP: 5353
Unbound: DNS TLS of our choice
Rule in the firewall to intercept all DNS requests from the LAN and redirect them to AD Guard to prevent "crafty" programs from bypassing the system.
In this way the clients are forced to go through AdGuard, which filters according to the rules; the DNS requests go through Unbound, which takes care of contacting the servers for WAN addresses and resolving the internal hosts.
Do you confirm that this is the best configuration?
Sorry for my bad English, I use Google Translate.
Delete
How do I know if my DNS requests are using DoT when using this implementation? Do I still set DoT on opnsense' end as well or just in AdGuard?
So I followed the instructions here to setup AGH on my OPNsense. It's working fine so far but I have one issue that bugs me. I don't know whether this is some problem with AGH itself or something else.
When I set the upstream DNS servers in AGH it's always complaining that my entered DNS server is wrong.
For example: tls://1.1.1.1 works just fine but tls://1dot1dot1dot1.cloudflare-dns.com is not accepted.
Same problem with any other upstream DNS server.
I found threads on reddit where people experienced the same problem but they just use the working solution from above but I don't like that.
Does anybody know what to do to fix this?
Edit:
I found the solution: the problem was that I blocked outgoing packets with destination port 53 to ensure DoT and DoH must be used to resolve domain names. That made it impossible for the bootstrap DNS servers to resolve the names of my upstream DNS servers.
Hi, I'm looking for some assistance as I've read the entire 12 pages and have not been able to get opnsense dns resolution working after the settings below are applied. It times out. There are a number of requests in the thread which states to follow the set up which I think I have done but still the own self status check does not work.
Appreciate any input.
Opnsense 22.7.4
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
5 - Services – DHCPv4 – [LAN] : DNS Servers all blank
6 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound
Tick: Enable DNSSEC Support
Tick: Register DHCP Leases
Tick: Register DHCP static mappings
Tick: Register IPv6 link-local addresses
7 - Opnsense - Services - Unbound - Dns Over Tls
Untick: Use System Nameservers
Domain: blank
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
8 - Opnsense - Services - Unbound - General
Listen Port: 53530
9 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard
10 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:53530 ( 192.168.1.1:5353 ) Delete those that exist
11 – Adguard Home – DNS Configuration – Private reverse DNS servers
127.0.0.1:53530
192.168.1.1:53530
Edit
Unfortunately with either the above configuration and or the previous one when I visit
https://1.1.1.1/help
it states that DNS over TLS is not being used. So I'm at a loss. Appears AGH is running and using unbound but unbound is not using the DNS over TLS configuration?
Edit
I removed AGH from the picture to validate that unbound is performing DNS over TLS. Using tcpdump on the WAN interface I can see that there are TLS sessions set up to 1.1.1.1 and 1.0.0.1 but the client DNS queries are still going out the WAN interface on port 53. Guess that LAN fw rule may be required. I need to resolve this I guess before being concerned with AGH.
Edit
Easier avenue for initially validating DNS over TLS is Services-Unbound-Advanced: set log level verbosity = 2 and tick Log Queries. Then in the unbound logs set to informational you will see the queries and port #.
Solved
Issue is when you install AGH you need to bind to all interfaces or later edit the /usr/local/AdGuardHome/AdGuardHome.yaml file to bind to 0.0.0.0. Doing that permits the resolv.conf to still point to 127.0.0.1 which is bound to AGH and then to Unbound. The unbound logs are showing #853. So I'm happy. Good learning session.
Opnsense 22.7.4 Install:
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Opnsense - Services - Unbound - Dns Over Tls
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
7 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
192.168.1.1:5353
Extra Wireguard: If we have created a wireguard network in Opnsense, for example, 10.0.0.1/24 we have to set the dns 10.0.0.1 in the wireguard clients. In Wireguard Opnsense it is not necessary to configure anything.
Unbound - General
Unbound - DNS over TLS
Adguardhome - DNS settings - Upstream DNS servers
Adguardhome - DNS settings - Bootstrap DNS servers
Hi everybody,
I just found your post. Does your AdGuard Home start without any problems? I tried to install it using GitHub versions (beta & final) but I am not even able to start it - same using the Max-It plugin. I see posts that it can use port 53, right after that I get the message "dhcpv4 srv: nil is not an IP address".
Then I see posts for the IP addresses of my opnsense and the used ports 3000 and 3001. But there is no webinterface available. I got nothing on port 3000 and 3001.
Thought I try configuring it on a clean virtual machine, ended up in exactly the same problem!
Any idea what could be the reason for that?
Hello,
I am trying to install AdGuard Home using the guide provided. But when I change the listening port in Unbound to 5353 the service is not starting. When I return it to 53 the service starts. Any ideas why Unbound service would not start?
Currently on version 22.7.4.
Thank you.
Solution to Auto-update failed error when trying to install update 0.107.15 on Adguard Home:
1 - In Opnsense stop Adguard Home
2 - Download and extract AdGuardHome_freebsd_amd64.tar.gz ( https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.15 )
3 - Access Opnsense via ssh, go to /usr/local/AdGuardHome and replace the old files with the new ones, respecting the permissions of those files.
4 - In Opnsense start Adguard Home
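Added example, not the plugin's updater and not the commands from the post above: a POSIX shell script that does the manual replacement described in steps 1-4 with a checksum gate, a backup of the old binary, and the config left untouched. Assumptions: the install directory is /usr/local/AdGuardHome as in the thread, the release tarball unpacks to AdGuardHome/AdGuardHome like the upstream FreeBSD builds, the expected SHA-256 is obtained by the operator from the release, and stopping/starting the service around the call is left to the caller. The demo at the bottom builds a constructed tarball so it runs without network access.

```shell
#!/bin/sh
# Added example (not the plugin's updater): swap in a new AdGuard Home binary from a release tarball with
# a checksum gate, a backup of the old binary, and AdGuardHome.yaml plus data/ left untouched.
# Assumed layout: /usr/local/AdGuardHome/{AdGuardHome,AdGuardHome.yaml,data/}; tarball -> AdGuardHome/AdGuardHome.
set -u

sha256_of() {  # sha256sum on Linux, sha256(1) on FreeBSD/OPNsense
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
  else sha256 -q "$1"; fi
}

verify_tarball() {  # $1 = tarball, $2 = expected hex digest; 0 only on an exact match
  [ "$(sha256_of "$1")" = "$2" ]
}

stage_release() {  # $1 = tarball, $2 = empty staging dir; prints the path of the unpacked binary
  tar -xzf "$1" -C "$2" || return 1
  [ -x "$2/AdGuardHome/AdGuardHome" ] || { echo "no executable AdGuardHome/AdGuardHome in tarball" >&2; return 1; }
  echo "$2/AdGuardHome/AdGuardHome"
}

install_binary() {  # $1 = new binary, $2 = install dir; only the binary changes
  [ -f "$2/AdGuardHome.yaml" ] || { echo "refusing: no AdGuardHome.yaml in $2 (wrong directory?)" >&2; return 1; }
  [ -f "$2/AdGuardHome" ] && cp -p "$2/AdGuardHome" "$2/AdGuardHome.bak.$(date +%Y%m%d%H%M%S)"
  cp "$1" "$2/AdGuardHome.new" && chmod 755 "$2/AdGuardHome.new" && mv "$2/AdGuardHome.new" "$2/AdGuardHome"
}

upgrade() {  # $1 = tarball, $2 = expected sha256, $3 = install dir; 2 = checksum mismatch, 1 = other failure
  verify_tarball "$1" "$2" || { echo "checksum mismatch for $1, not installing" >&2; return 2; }
  stage=$(mktemp -d) || return 1
  bin=$(stage_release "$1" "$stage") || { rm -rf "$stage"; return 1; }
  if install_binary "$bin" "$3"; then rc=0; else rc=$?; fi
  rm -rf "$stage"
  return "$rc"
}

# Constructed release for the demo: a tiny shell script stands in for the Go binary.
make_fake_release() {  # $1 = tarball path to write; prints its sha256
  work=$(mktemp -d)
  mkdir -p "$work/AdGuardHome"
  printf '#!/bin/sh\necho AdGuardHome fake 0.107.15\n' > "$work/AdGuardHome/AdGuardHome"
  chmod 755 "$work/AdGuardHome/AdGuardHome"
  tar -czf "$1" -C "$work" AdGuardHome
  rm -rf "$work"
  sha256_of "$1"
}

tgz=$(mktemp); sum=$(make_fake_release "$tgz")
inst=$(mktemp -d); echo 'dns: {}' > "$inst/AdGuardHome.yaml"        # stand-in for the real config
upgrade "$tgz" "$sum" "$inst" && "$inst/AdGuardHome"                 # installs, then runs the fake binary
upgrade "$tgz" "$(printf '%064d' 0)" "$inst" || echo "bad checksum rejected (rc=$?)"
rm -rf "$tgz" "$inst"
```

On a real box the call is `upgrade /tmp/AdGuardHome_freebsd_amd64.tar.gz <sha256 from the release> /usr/local/AdGuardHome` with the service stopped first; the refusal when no AdGuardHome.yaml is present guards against extracting into the wrong directory, and the timestamped .bak copy is what you move back if the new build misbehaves.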
anyone else not able to update adguard?
it says cannot update error
Yes, running into the same error trying to update to v0.107.15. Never had this issue before.
Just did the manual upgrade and all works fine.
Just set up AdGuard Home with Unbound as the upstream server. Everything seems to be working except my configuration for SSL offloading via the HAProxy plugin on OPNsense. I can access AdGuard Home using the IP, but not via a domain name. I can however access all my other services (password manager, local cloud etc.) via their domain names.
I have already set up the necessary Overrides under Unbound for it and also created the Real Server, Backend Pool, Condition & Rules in HAProxy. Are there some headers that are required for this to work?
Hi, I have an OPNsense running fine with mimugmail's AdGuard Home.
When moving to a different PC (Fujitsu S920 AMD 4x1.5 + Intel NIC) and booting, OPNsense works fine, but AdGuard Home is not starting.
Where can/should I look for issues?
Never mind, the config in /usr/local/AdGuardHome/AdGuardHome.yaml was empty - crazy ;) I copied over the existing one from agh-backup to make it work again.
Quote from: twitch86 on June 28, 2022, 10:58:03 AM
Hi Guys,
I followed this guide, but I have one problem:
I cannot fetch firmware updates/plugins anymore.
I need to set a DNS under General and tick "Do not use the local DNS service as a nameserver for this system"
to make my system fetch these.
I ran into this problem also. I think it is caused by only selecting the LAN interface during the initial AdGuard setup. My thinking was "why would I want to have DNS on the WAN?" I guess the answer is that, without it, OPNsense itself doesn't get DNS. Maybe it could also have been fixed by putting the router IP in the OPNsense GUI? Anyway, I fixed it by editing the AdGuardHome.yaml file.
# Different network interfaces.
'dns':
  'bind_hosts':
    - '127.0.0.1'
    - '192.168.1.1'
https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration (https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration)
Hello Guys,
at first, a big thank you to @yeraycito for your tutorial!
I have some additional steps for the tutorial, if you want to use a wildcard certificate from the ACME client and a domain name in your local network.
For me, I couldn't get the AdGuard web UI with SSL working on the domain name from OPNsense. My goal was to use the web UI like this: https://opnsense.your-local-domain.tld, or on another port like opnsense.your-local-domain.tld:4443, with an SSL wildcard certificate.
Opnsense 22.7.4 Install:
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Opnsense - Services - Unbound - Dns Over Tls
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
7 - Open an SSH session to OPNsense and edit the following config file:
nano /usr/local/AdGuardHome/AdGuardHome.yaml
7.1 - You need to change the following parts:
bind_host: 0.0.0.0
dns:
  bind_hosts:
    - 0.0.0.0
7.2 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://Opnsense ip:3000/ ( 127.0.0.1:3000 ) to complete the setup Adguard
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add 127.0.0.1:5353 !!!Delete those that exist!!!
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add 127.0.0.1:5353 !!!Delete those that exist!!!
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
Add 127.0.0.1:5353
12 - Now go to Settings -> Encryption
Tick "Encryption activation"
Server name = opnsensehostname.your-local-domain.tld
Tick: "Automatic HTTPS redirect"
If you want to change the HTTPS port, do it in "HTTPS port"
Under Certificate choose your certificate from the ACME client, which should be located in:
/var/etc/acme-client/home/*.your-local-domain.tld/fullchain.cer
Under Private Key choose your certificate from the ACME client, which should be located in:
/var/etc/acme-client/home/*.your-local-domain.tld/*.your-local-domain.tld.key
13 - Save the settings
If you get a warning hint like "validating certificate pair: certificates has no IP addresses; DNS-over-TLS won't be advertised via DDR", it's a known bug since version 0.127.16; after updating to version 0.127.19 the colour is only white and not red as in x.16, x.17, x.18.
With best regards
techsolo12
EDIT: If you want to check if your setup works correctly you can use this website https://www.cloudflare.com/de-de/ssl/encrypted-sni/
DNS over IPsec didn't work with AdGuard and Unbound. It only worked with Unbound alone. Can someone help?
Nobody has an idea? Or can someone test it to see if it works?
Hi all,
in addition to all the great manuals in this thread (because it drove me crazy):
if you use the mDNS repeater plugin you shouldn't use port 5353 for Unbound. It interferes with the repeater plugin and in my case it caused AdGuard not to start up after rebooting OPNsense. I then had to start AdGuard manually.
After using a different port in Unbound the problem was gone.
Question: How do you edit the interfaces AdGuard listens on?
Issue: if you have, say, 2+ networks, i.e. VLANs or physical network cards, and then install AdGuard, it will listen on those interfaces, perfect.
Say you want to add another interface and have AdGuard protect it; there is nowhere to add the new interface.
I just did a trial on this: installed AdGuard, then added, say, a VLAN/network interface. It passed traffic OK but AdGuard is not listening on and protecting those new interfaces.
Installed a new, updated OPNsense, added the default LAN network and 3 new VLANs, set them all up, then installed AdGuard fresh and updated, and POOF, all interfaces are being monitored.
Is there a new version coming out where we can add or remove interfaces?
Am I wrong or am I drunk :D
So far as I know there are only 2 options now:
install adguard and listen on all interfaces
or
after installing adguard and adding a new interface you have to edit the yaml config file by hand.
Quote from: RamSense on January 08, 2023, 08:44:11 AM
So far as I know there are only 2 options now:
install adguard and listen on all interfaces
or
after installing adguard and adding a new interface you have to edit the yaml config file by hand.
Yup, I actually found Matt's website on how to do this: https://0x2142.com/how-to-set-up-adguard-on-opnsense/
Very bottom.
Example of how to add more networks. Default, with no additional networks:
In there, you'll see a section like this:
dns:
  bind_hosts:
    - 192.168.1.1
And one with more:
dns:
  bind_hosts:
    - 192.168.1.1
    - 192.168.10.1
    - 192.168.100.1
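Both the post above and the earlier AdGuardHome.yaml fix (adding 127.0.0.1 next to the LAN address) come down to the same hand edit of dns.bind_hosts. Below is an added example script for doing that edit, not code from the AdGuard Home project, the OPNsense plugin or any poster. It keeps loopback in the list so OPNsense itself still resolves, and it refuses anything that is not an IP address, so you get explicit gateway addresses rather than 0.0.0.0 (which would also bind the resolver on the WAN side). The config path and the two-space indentation are assumptions taken from the snippets in this thread.

```python
"""Add or replace the listen addresses in AdGuardHome.yaml.

Added example for this thread, not AdGuard Home or plugin code. Rewrites the
dns.bind_hosts list so AdGuard listens on every LAN/VLAN gateway address plus
loopback (OPNsense resolves through 127.0.0.1). Deliberately avoids 0.0.0.0.
"""
import ipaddress
import shutil
import sys

DEFAULT_CONFIG = "/usr/local/AdGuardHome/AdGuardHome.yaml"   # path used in the thread (assumption)


def normalise_hosts(hosts):
    """Validate and de-duplicate addresses; loopback always comes first."""
    ordered = []
    for host in ["127.0.0.1", *hosts]:
        ipaddress.ip_address(host)          # raises ValueError on anything that is not an IP
        if host not in ordered:
            ordered.append(host)
    return ordered


def set_bind_hosts(config_text, hosts):
    """Return config_text with the list under 'dns: bind_hosts:' replaced by hosts.

    Works line by line so the rest of the file (comments, ordering, quoting) is
    left untouched. Assumes the two-space indentation seen in the thread's
    snippets; keys may be bare or quoted ('dns': works as well as dns:).
    """
    lines = config_text.splitlines()
    out, i, in_dns, replaced = [], 0, False, False
    while i < len(lines):
        line = lines[i]
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        key = stripped.split(":", 1)[0].strip("'\"") if ":" in stripped else None
        if indent == 0 and stripped and not stripped.startswith("#"):
            in_dns = key == "dns"           # a top-level key starts or ends the dns block
            out.append(line)
            i += 1
            continue
        if in_dns and key == "bind_hosts":
            out.append(line)
            i += 1
            while i < len(lines) and lines[i].strip().startswith("- "):
                i += 1                      # drop the existing entries
            for host in normalise_hosts(hosts):
                out.append(" " * (indent + 2) + "- " + host)
            replaced = True
            continue
        out.append(line)
        i += 1
    if not replaced:
        raise ValueError("no dns.bind_hosts list found in config")
    return "\n".join(out) + "\n"


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} ADDR [ADDR ...]   (edits {DEFAULT_CONFIG})")
        return 2
    shutil.copy2(DEFAULT_CONFIG, DEFAULT_CONFIG + ".bak")   # keep a copy before touching the file
    with open(DEFAULT_CONFIG) as fh:
        updated = set_bind_hosts(fh.read(), argv[1:])
    with open(DEFAULT_CONFIG, "w") as fh:
        fh.write(updated)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Stop AdGuard Home under Services first, run e.g. `python3 agh_bind_hosts.py 192.168.1.1 192.168.10.1 192.168.100.1` over SSH, then start it again; the previous file is kept as AdGuardHome.yaml.bak.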
Sorry if it's a dumb question, but for
1) AdGuard Home – DNS Configuration – Upstream servers
2) AdGuard Home – DNS Configuration – Bootstrap DNS servers
3) AdGuard Home – DNS Configuration – Private reverse DNS servers
I see someone saying to use Opnsense ip:5353 and someone else to use 127.0.0.1:5353.
Are those options exactly the same / should we use both?
Tia.
Quote from: yeraycito on September 22, 2022, 06:54:08 PM
Opnsense 22.7.4 Install:
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Opnsense - Services - Unbound - Dns Over Tls
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
7 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
192.168.1.1:5353
As I'm not interested in using DoT, if I skip step (6), Unbound will act as my recursive resolver and will contact the root servers directly, is that right?
tia.
Quote from: hushcoden on January 09, 2023, 05:35:42 PM
Sorry if it's a dumb question, but for
...
Tia.
Do have nearly the same questions as you.
I want to run Unbound as my upstream resolver for Adguard Home (and don't want to run DoT).
Couldn't find the right settings.
Quote from: hushcoden on January 09, 2023, 05:35:42 PM
Sorry if it's a dumb question, but for
1) AdGuard Home – DNS Configuration – Upstream servers
2) AdGuard Home – DNS Configuration – Bootstrap DNS servers
3) AdGuard Home – DNS Configuration – Private reverse DNS servers
I see someoen saying to use Opnsense ip:5353 and someone else to use 127.0.0.1:5353
Are those options exactly the same / should we use both ?
Tia.
127.0.0.1 is called the loopback address, and is the IP a computer uses to refer to itself.
Since you are running the AdGuard Home plugin on OPNsense, it is running on the same device, and this points it to the OPNsense service listening on port 5353, e.g. your Unbound listening on port 5353, or e.g. BIND.
If you use the IP of your OPNsense device, this will work also.
With no upstream servers configured in Unbound/BIND, the root servers are indeed being used.
Quote from: dumbo on January 15, 2023, 02:50:00 PM
Quote from: hushcoden on January 09, 2023, 05:35:42 PM
Sorry if it's a dumb question, but for
...
Tia.
Do have nearly the same questions as you.
I want to run Unbound as my upstream resolver for Adguard Home (and don't want to run DoT).
Couldn't find the right settings.
DNS Configuration – Upstream servers -> 127.0.0.1:portnumber of unbound or OpnsenseIP:portnumber
Quote from: RamSense on January 15, 2023, 08:47:39 PM
DNS Configuration – Upstream servers -> 127.0.0.1:portnumber of unbound or OpnsenseIP:portnumber
Thx for your help.
So it must be like:
- Upstream DNS servers = 127.0.0.1#'Port Number' or OPNsense IP + Port Number
- Bootstrap DNS servers = 127.0.0.1#'Port Number' or OPNsense IP + Port Number
- Private reverse DNS servers = 127.0.0.1#'Port Number' or OPNsense IP + Port Number
I would also like to see the host names of my devices, so that's why the Private reverse DNS servers entry, or is that wrong?
Correct, but since you are not using an external DNS as upstream but your Unbound on OPNsense, it already knows your local devices from Unbound; you can still add your IP there in that field in AdGuard just in case.
If the forward DNS server is identical with the one keeping your local forward and reverse zones, then you do not need the "private reverse" setting. This is for the occasions when the two are different.
I do not know what the "bootstrap" is for from the top of my head but I also do not set this. If AGH forwards to a full capable local resolver, e.g. Unbound or BIND, only the "upstream" setting is necessary.
Quote from: pmhausen on January 16, 2023, 10:24:56 PM
If the forward DNS server is identical with the one keeping your local forward and reverse zones, than you do not need the "private reverse" setting.
Thx. It's working. I didn't restart Unbound and AGH. That was the problem.
Now I only have to fix my issues with the NAT port forward rule so that no hardcoded DNS within my network can bypass my Unbound.
The old rule does not work anymore because of my new setup :(
Try to forward to 127.0.0.1 instead of your interface IP address.
Quote from: pmhausen on January 17, 2023, 08:47:41 AM
Try to forward to 127.0.0.1 instead of your interface IP address.
You mean this way?
Yes.
Quote from: pmhausen on January 16, 2023, 10:24:56 PM
I do not know what the "bootstrap" is for from the top of my head but I also do not set this. If AGH forwards to a full capable local resolver, e.g. Unbound or BIND, only the "upstream" setting is necessary.
I recall I read on the AdGuard forum that bootstrap addresses are basically only used to resolve the hosts in the upstream servers (and that's also the comment you see in that section).
Makes sense. But then I put IP addresses in forwarder configurations, not host names.
Quote from: pmhausen on January 17, 2023, 10:29:57 AM
Yes.
Then I'm doing something else wrong. If I go into Firewall > Rules > "Notebook", my test network called "Notebook" (I also have a NAT port forward rule for it), then the upper rule is the one automatically set from the NAT rule.
After that rule I have to create another rule (I think this one is not working correctly) so that I can get any DNS resolution, and the last rule is my rule so that I can access the internet but no RFC1918 networks.
Maybe this rule is also not correct?
What rules do I need within this "Notebook" network so that the devices can access the internet but not other local networks?
Quote from: pmhausen on January 16, 2023, 10:24:56 PM
If the forward DNS server is identical with the one keeping your local forward and reverse zones, than you do not need the "private reverse" setting. This is for the occasions when the two are different.
They are identical, but it does not work. No hostnames showing up - only IPs.
Maybe I found something. Could it be, that I need to set the Admin Web Interface "Listening Interface" to All instead of my LAN Network?
At the moment it's only listening on the IP of my OPNsense itself (example igc1 - 192.168.1.1).
I could choose:
- All
- WAN
- LAN
- Loopback
Or should I choose the loopback interface 127.0.0.1?
It states that ALL is recommended :-), but you can change it; see also the OPNsense manual: https://docs.opnsense.org/manual/settingsmenu.html
P.S. also change the order of the firewall rules. You start with all -> source * and port * ..... port 53.
Then the ones below that one for port 53 will not be reached.
End with the first one and put the others above the allow all/auto rule.
Quote from: RamSense on January 19, 2023, 12:44:59 PM
it states that ALL is recommended :-), but you can change it see also the opnsense manual: https://docs.opnsense.org/manual/settingsmenu.html (https://docs.opnsense.org/manual/settingsmenu.html)
Within the OPNsense manual there is no manual for the AdGuard Home plugin. Already checked.
Ah, I was mistaken and thought you were referring to the OPNsense GUI listening ports.
AdGuard listening on all works without thinking, but you can also manually configure it to listen only on your preferred interfaces.
Thx for your feedback.
The issue I still have is that it doesn't resolve the host names within AGH. It only shows IPs.
Everything is working.
When I look at my OPNsense within DHCPv4 Leases I can see the hostnames of my devices.
Within unbound I activated:
- Register DHCP static mappings
- Register DHCP leases
- Flush DNS cache during reload
- Enable DNSSEC
Unbound Local Zone Type is: transparent
As soon as I enter 192.168.1.1:53530 within private reverse DNS servers AGH starts resolving hostnames.
But what confuses me is, that all of you are saying, that it also should work without any entry within this section.
If I leave it blank it stops resolving host names.
Do you have the same 192.168.1.1:53530 as the regular upstream DNS?
Quote from: pmhausen on January 19, 2023, 02:45:09 PM
Do you have the same 192.168.1.1:53530 as the regular upstream DNS?
Yes.
Config is:
ADGUARD:
bind_host: 192.168.1.1
bind_port: 3000
beta_bind_port: 0
...
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
AdGuard Webinterface:
Upstream DNS servers: 192.168.1.1:53530
UNBOUND:
Listen Port: 53530
Interfaces: All
DNSSEC = on
DHCP leases = on
Static mappings = on
Ipv6 link-local = on
Local Zone Type = transparent
OPNsense IP = 192.168.1.1
When the "Private reverse DNS servers" field is empty, I do not get any host resolution.
When I enter 192.168.1.1:53530 within Private reverse DNS servers I do get those host names.
Must be a feature then. I honestly don't know. AGH is a project entirely unrelated to OPNsense. May I suggest checking their documentation?
Will do.
I also found the documentation/video from the original source:
https://www.max-it.de/adguard-dns-blocker-neues-opnsense-plugin/
He is showing it in another way:
going with another port for AGH and leaving the Unbound port at 53,
then making a NAT port forward to (in this video) 5310.
Why not choose this way? Is there any downside?
The advantage would be that the firewall itself does not need to go through AGH, and other networks that I don't want to go through AGH can also be Unbound only.
Opnsense 23.1 Install:
1 - Activate mimugmail's community repository:
SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Opnsense - Services - Unbound - Dns Over Tls
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
7 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
192.168.1.1:5353
Wireguard ( os-wireguard ) + Adguard:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
NextDNS + QUIC + Adguard:
Adguardhome - Settings - DNS settings:
Upstream DNS servers: quic://xxxxxx.dns.nextdns.io ( xxxxxxx is nextdns ID )
Bootstrap DNS servers:
45.90.28.167
45.90.30.167
Private reverse DNS servers: quic://xxxxxx.dns.nextdns.io ( xxxxxxx is nextdns ID )
Quote from: yeraycito on January 28, 2023, 01:35:39 AM
Opnsense 23.1 Install:
1 - Activate mimugmail's community repository:
SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
....
Don't use port 5353 as it's used by mDNS service!!!
Thanks for the guide! For some reason, when I untick "Do not use the local DNS service as a nameserver for this system", I can't resolve any DNS from the OPNsense box shell. Once I change resolv.conf from localhost to OPNsense's 192.168.1.1 address, DNS works.
Does anyone know why I can't use 127.0.0.1 but can use the actual IP of OPNsense?
Quote from: bbchucks on February 08, 2023, 10:53:13 PM
Thanks for the guide! For some reason, when I untick "Do not use the local DNS service as a nameserver for this system", I can't resolve any DNS from the OPNsense box shell. Once I change resolv.conf from localhost to OPNsense's 192.168.1.1 address, DNS works.
Does anyone know why I can't use 127.0.0.1 but can use the actual IP of OPNsense?
Assuming the question is in the context of this guide: that tick box means "do not use the DNS server(s) listed there", and assumes you will set up another way for the system to do DNS. So something has to resolve names and be available on an interface/IP designation.
I am very happy that after following the guide posted here I was able to set up AGH and Unbound successfully.
I have internet now and the page loading time is insane. I am really liking it.
But I have one problem: after setting AGH and Unbound as the only resolver I am not able to update the packages. Once I click update it keeps on waiting for the update. What is wrong with my OPNsense? Why can't I update my packages? I also intend to install other packages, but without updating how will I do it? Why is only the firmware update function not working while the internet is working?
I am clueless, please help me to solve this problem. Thanks
Quote from: plikmuny on February 28, 2023, 01:58:51 PM
I am very happy that after following the guide posted here I was able to set up AGH and Unbound successfully.
I have internet now and the page loading time is insane. I am really liking it.
But I have one problem: after setting AGH and Unbound as the only resolver I am not able to update the packages. Once I click update it keeps on waiting for the update. What is wrong with my OPNsense? Why can't I update my packages? I also intend to install other packages, but without updating how will I do it? Why is only the firmware update function not working while the internet is working?
I am clueless, please help me to solve this problem. Thanks
Hey there, I'm a n00b at OPNsense (actually came here to try and research a question) but I had a similar problem to yours with updates.
Once I changed the server location used to get updates, mine worked. I picked one that was close to me regionally and then my updates went through with no problem.
(Sorry not on my network right now so I can't get screenshots) I'll try later if you would like.
Not sure if it's the same problem you are having but may be worth a try
Let me know if it works for ya
I've successfully gotten Adguard home working following the steps posted above.
One of the steps however says to clear the DNS settings for each gateway in System > Settings > General; in doing so, I believe this has caused a conflict with my multiple gateway and failover group setup.
Would there be a workaround for this step in a multi-WAN setup? "Go to System ‣ Settings ‣ General and make sure each gateway has its own DNS setup"
I'm not sure how to make this work with AdGuard Home; having all of them cleared for AGH seems to do weird things with DNS when it fails over.
Any help would be much appreciated.
edit: I've thrown in the towel on this one, decided benefit of adguardhome was not worth the complication in my setup or to have issues with vlan or failover DNS (I'm new to opnsense).
Hi,
I just finished installing AdGuard. Works like a charm. Please don't mind if I ask, is there a guide to add multiple networks to AdGuard?
For example, I have a separate interface for the AP. I changed the rule of the AP interface from Destination: AP address to Destination: LAN address and added 192.168.1.1 as DNS in its DHCP. It seems to work and I am starting to see AdGuard picking up IPs from mobile devices. However, I wonder if it would cause any issue.
Cheers
Edit: Found the answer in page 14
Quote from: jlab on January 08, 2023, 05:25:17 PM
Yup, i actually Found Matt's website on how to do this : https://0x2142.com/how-to-set-up-adguard-on-opnsense/
Very Bottom.
Example of how to add more networks. Default, with no additional networks:
In there, you'll see a section like this:
dns:
  bind_hosts:
    - 192.168.1.1
And one with more:
dns:
  bind_hosts:
    - 192.168.1.1
    - 192.168.10.1
    - 192.168.100.1
Thanks jlab
Edit: Faced a slow-loading dashboard and a failed update. Turns out the solution is just to change bind_host and dns:bind_hosts to 0.0.0.0. I was also unable to update until I hit it a couple more times, then the thing just went through.
Thanks everyone, I just need to read the whole thread :D
One question though: in some screenshots I see Unbound: Register DHCP leases & Register DHCP static mappings unticked. Others said they ticked those. I tried both and had no issue with the internet connection. Kinda confused. Sorry, I'm a noob. My excuse is I only started using OPNsense a couple of months ago.
Edit: Upgraded to the latest OPNsense today and the connection dropped after reboot. The router can connect to the internet but AdGuard does not resolve DNS.
Disabling AdGuard and changing Unbound back to 53 fixed the issue. # AdGuard plugin needs update. Solution: opnsense-revert -r 23.1.5 opnsense
Quote from: yeraycito on January 28, 2023, 01:35:39 AM
Opnsense 23.1 Install:
1 - Activate mimugmail's community repository:
SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Opnsense - Services - Unbound - Dns Over Tls
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
7 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
192.168.1.1:5353
For some reason, when I followed these steps, it seemingly brought down my WAN permanently... as in, it did not recover and I had to reverse everything, including Unbound, to get the WAN up again... anybody else?
Quote from: dumbo on January 19, 2023, 03:44:28 PM
Will do.
I also find the documentation/video from the original source:
https://www.max-it.de/adguard-dns-blocker-neues-opnsense-plugin/
He is showing it in an other way.
Going with an other port for AGH and leaving port from Unbound at 53.
Then making a NAT Port Forward to (in this video) 5310.
Why not choosing this way? Is there any downside?
The advantage would be, that the Firewall itself does not need to go through AGH and other networks, which I don't want to can also be Unbound only.
Hi! I started with this configuration a few days ago and at the moment it works (OPNsense 23.1.7). I'm using another VLAN interface that I would like to remain untouched by AdGuard.
I'm looking for the right configuration for DoT, DoH, upstream, bootstrap DNS.
The goal would be:
- filtering rules for children (consideration of DoT, DoH)
- exceptions for Adults (ip addressess)
- additional VLAN interface untouched
any help or suggestions would be greatly appreciated!
kind regards,
Sarge
Hi, I had a working configuration of OPNsense on 22.7 following these guides. I updated to 23.1.7. A result of this was that AdGuard was also updated, to 107.29. After this my LAN clients no longer receive a DNS address at all. If I disable AdGuard and change Unbound back to DNS port 53, the LAN clients again receive a DNS server. It appears that there are some issues regarding AdGuard now running with OPNsense. A Google search found a similar issue lodged with AdGuard Home on GitHub.
https://github.com/AdguardTeam/AdGuardHome/issues/5827
It appears that you will now need to specify the DNS server in Services->DHCP->DNS Servers for AdGuard to work. Without this the clients never get a DNS server.
EDIT/UPDATE: Confirmed with Wireshark that OPNsense now only provides a default system DNS entry to the LAN when Unbound is running on port 53. If Unbound is running on any other port, OPNsense does not supply a default DNS address in the LAN DHCP reply. This obviously breaks the listed settings for getting AdGuard Home to work, and it does not appear to be an AdGuard issue but an OPNsense issue. For example, with Unbound set to listen on port 53 and Services->DHCP->DNS servers blank, a DHCP request gets option 6 with the default LAN interface address back. If I change Unbound to listen on port 54, then a DHCP request has no option 6 (Domain Name Server) returned. Previously it used to return option 6 regardless.
The problem you describe has already been fixed by mimugmail. He updated the plugin a few weeks ago; now you should have the checkbox "Primary DNS" under SERVICES: ADGUARDHOME: GENERAL, which you have to activate.
https://forum.opnsense.org/index.php?topic=33661.0
https://github.com/opnsense/core/issues/6513#issuecomment-1518684956
Hej,
I used yeraycito's guide to use Adguard as a plugin. Thanks for this!
Now I wonder if DNSSEC does not also need to be enabled in the DNS settings under Adguard!?
Could someone please explain this to me?
Quote from: yeraycito on January 28, 2023, 01:35:39 AM
Opnsense 23.1 Install:
1 - Activate mimugmail's community repository:
SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Opnsense - Services - Unbound - Dns Over Tls
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
7 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
192.168.1.1:5353
I have a similar problem to the one reported by bigverm23. Once I follow the guide by yeraycito, my internet stops working.
OPNsense 23.1.9-amd64
Adguard Home v0.107.31
Quote from: bigverm23 on May 16, 2023, 05:21:45 PM
Quote from: yeraycito on January 28, 2023, 01:35:39 AM
Opnsense 23.1 Install:
1 - Activate mimugmail's community repository:
SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Opnsense - Services - Unbound - Dns Over Tls
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
7 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
192.168.1.1:5353
for some reason when I followed these steps, it seemingly brought down my WAN permanently...as in, it did not recover and I had to reverse everything, including Unbound to get the WAN UP again....anybody else?
This quoted setup will work; the settings are a viable route to DNS resolution.
Check and restart services or clients and diagnose along the path.
I already heard that the update to 107.31 makes AGH stop. The solution was reinstalling AGH and restoring the configuration file from backup.
Two days ago version 0.107.30 was released, which turned out to be buggy; yesterday version 0.107.31 was released, which fixes the bugs of the previous version and works great.
Free Android application to monitor and manage Adguard in Opnsense:
https://play.google.com/store/apps/details?id=com.jgeek00.adguard_home_manager
Can someone please explain how to make this work with multiple vlans? I have DNS working so far with Adguard and Unbound, but I'd like to forward all DNS traffic to Adguard.
If I simply create the NAT rules from here https://labzilla.io/blog/force-dns-pihole -- my vlan traffic can't access Adguard.
Do the vlans need to point to their respective gateway for DNS (opnsense IP)? Is there any way to avoid having a different DNS server IP for each vlan? I'm a bit lost..
During setup of Adguard have you selected all networks including vlan's?
I have two port forward and one outbound rule to achieve what you want.
Within DHCP setup I have no specific DNS servers selected, this field is empty.
Additionally, I have one rule for each LAN and VLAN to block all external DNS traffic on port 53 and allow only internal DNS traffic.
@ChrisChros, yep all networks are selected.
I'm guessing that everything in Adguard and Unbound is set up correctly, and I just need to create the correct rules in the firewall to forward all DNS traffic to Adguard and block everything else.
Does your DNS traffic stay within the lan/vlan? i.e. is the default DNS server the same as the gateway for each subnet? And are the portforward and outbound rules applied only to the LAN interface?
Quote from: Sbbh on June 20, 2023, 03:01:30 AM
@ChrisChros, yep all networks are selected.
Does your DNS traffic stay within the lan/vlan? i.e. is the default DNS server the same as the gateway for each subnet? And are the portforward and outbound rules applied only to the LAN interface?
DNS server is the same as the gateway for each subnet.
The Alias "local_Networks" include all subnets, Lan and vlan.
What does the "Primary DNS" tick box do?
You have to enable this button; there was a problem in the past which has also been discussed here in the forum.
I can't explain the reason.
Quote from: tiermutter on June 09, 2023, 09:08:22 AM
I already heard that the update to 107.31 makes AGH stop. The solution was reinstalling AGH and restoring the configuration file from backup.
Quote from: yeraycito on June 09, 2023, 06:14:26 PM
Two days ago version 0.107.30 was released, which turned out to be buggy; yesterday version 0.107.31 was released, which fixes the bugs of the previous version and works great.
I have opnsense v23.1.11 and AGH v0.107.32 and AGH still stops after a few hours / days.
In my setup I actually have 2 opnsense instances as master/backup (CARP) and it happens on both instances.
Also worth mentioning: I use one docker container ghcr.io/bakito/adguardhome-sync (http://ghcr.io/bakito/adguardhome-sync) for synchronizing the AGH configuration between both instances (each running on the master and backup opnsense instance). Maybe this is related somehow?
In my setup I also checked the new option "Primary DNS" since AGH is running on port 53 and Unbound DNS on another port.
Should I try what tiermutter suggested by reinstalling AGH and restoring its configuration file from a backup?
Thanks for any advice.
Edit: I caught the moment when it crashes once. It seems that the CPU consumption gets very high:
https://drive.google.com/file/d/1Bq23bpAMBmBV8xU3hd_CZLb7Ck4pL0m6/view?usp=sharing
After killing the process with kill -9 74662 I could restart the AGH service and it runs again for some days (max 48h).
Is there a reason to keep Unbound enabled when using AdGuard Home? I turned mine off entirely and everything seems to be working fine.
Also, is there a way to get hostnames to appear in AGH rather than just IP?
Quote from: Limete on July 08, 2023, 07:28:01 PM
Also, is there a way to get hostnames to appear in AGH rather than just IP?
You have to enter the IP address of your OPNsense box in the Bootstrap DNS-Server field.
Did anyone update today from the web admin page and then have the service not be able to start?
*edit*
Ended up deleting the plugin and re-installing.
Quote from: huwylphi on July 04, 2023, 04:01:18 PM
Quote from: tiermutter on June 09, 2023, 09:08:22 AM
I already heard that the update to 107.31 makes AGH stop. The solution was reinstalling AGH and restoring the configuration file from backup.
Quote from: yeraycito on June 09, 2023, 06:14:26 PM
Two days ago version 0.107.30 was released, which turned out to be buggy; yesterday version 0.107.31 was released, which fixes the bugs of the previous version and works great.
I have opnsense v23.1.11 and AGH v0.107.32 and AGH still stops after a few hours / days.
In my setup I actually have 2 opnsense instances as master/backup (CARP) and it happens on both instances.
Also worth mentioning: I use one docker container ghcr.io/bakito/adguardhome-sync (http://ghcr.io/bakito/adguardhome-sync) for synchronizing the AGH configuration between both instances (each running on the master and backup opnsense instance). Maybe this is related somehow?
In my setup I also checked the new option "Primary DNS" since AGH is running on port 53 and Unbound DNS on another port.
Should I try what tiermutter suggested by reinstalling AGH and restoring its configuration file from a backup?
Thanks for any advice.
Edit: I caught the moment when it crashes once. It seems that the CPU consumption gets very high:
https://drive.google.com/file/d/1Bq23bpAMBmBV8xU3hd_CZLb7Ck4pL0m6/view?usp=sharing
After killing the process with kill -9 74662 I could restart the AGH service and it runs again for some days (max 48h).
Update: since updating to AGH v0.107.34, the crashes on both opnsense instances are gone.
I ran into an issue where I have to create a rule to allow access to the adguard dashboard, or pretty much any dashboard.
I think I need to reinstall my OpnSense Router
What is the best way to backup and restore AdGuard?
Quote: way to backup and restore AdGuard?
I would say, back up the AdGuardHome.yaml file and restore it after the new installation. Location:
/usr/local/AdGuardHome
I tried getting wireguard working while using Adguard and ran into an issue where it didn't get any handshake if I used a custom domain on Cloudflare. So eventually I found that I needed to create another A record like vpn.domain_name.tld on Cloudflare and disable the proxy. Then add vpn.domain_name.tld to the Wireguard app as the Endpoint. The rest is the same as homenetworkguy's wireguard configuration guide.
I also found that in order to get encryption mode working, the correct paths to the full chain cert and cert key are conveniently found in Services - ACME Client - Log file - ACME.log. In my case they are /var/etc/acme-client/home/*.domain_name.tld_ecc/fullchain.cer
and /var/etc/acme-client/home/*.domain_name.tld_ecc/*.domain_name.tld.key
Quote from: RamSense on July 22, 2023, 06:54:04 AM
Quote: way to backup and restore AdGuard?
I would say, back up the AdGuardHome.yaml file and restore it after the new installation. Location:
/usr/local/AdGuardHome
Yes works.
In case someone else wants to do it, here are the steps I did (PS: this is on a new device)
(first of all, make a backup of /usr/local/AdGuardHome )
1- installed and updated OpnSense
2- added the mimugmail.conf to /usr/local/etc/pkg/repos
3- did a pkg update
4- installed Adguard Home
5- Started Adguard, and followed the wizard
6- Stopped Adguard (under services)
7- copied the whole directory (which I saved earlier) over the new install of adguard
8- Started Adguard
After that Adguard was running with the same settings / block lists as on the old device.
Hope it helps someone
Is there a way to allow the web interface for AdGuardHome to be available on multiple interfaces but not all ?
Initially, I set it up on ALL interfaces and the yaml file used 0.0.0.0.
http:
  address: 0.0.0.0:8080
I have 5 separate VLANs and I have since changed the bind_hosts to stop listening on all interfaces and only enabled it on 4 of my VLANs. I would like to do the same to the web interface but I was looking to see what format I can use to do that
The following allows access on VLAN 1, but I would also like access on VLAN 7 and VLAN 10
http:
  address: 192.168.1.1:8080
I tried the following three formats, but then AdguardHome failed to start up.
http:
  address: 192.168.1.1:8080
  address: 192.168.7.1:8080
  address: 192.168.10.1:8080

http:
  address: 192.168.1.1:8080, 192.168.7.1:8080, 192.168.10.1:8080

http:
  address:
    - 192.168.1.1:8080
    - 192.168.7.1:8080
    - 192.168.10.1:8080
None of the above formats worked for me and googling doesn't provide relevant results, so I was hoping someone could tell me what format to use.
EDIT: Weirdly, when I remove 0.0.0.0 from the bind_hosts, my OpnSense firmware updates start timing out. I can still access the internet just fine, but the Opnsense updates keep failing.
So should AdGuardHome be listening on ALL interfaces by default for dns: bind_hosts? Seems strange that only the OpnSense updates should fail while the internet is still accessible!!
All, I set up my AdGuard in Opnsense, but no statistics show up in the dashboard; all are 0s.
followed this post
https://forum.opnsense.org/index.php?topic=22162.msg146626#msg146626
Except... I kept the Unbound DNS port at 53 (default). Changing this to anything else, I'm not getting internet.
I kept the adguard listen port at 5353, so I modified the DNS entries in adguard accordingly.
A DNS leak test shows Cloudflare correctly. I'm not sure if traffic is going through Adguard or not.
Quote from: svengru on October 04, 2022, 09:58:31 PM
Just did the manual upgrade and all works fine.
I'm thinking about upgrading manually using the AdGuard Home GUI, but if the package is upgraded in the mimugmail repo, won't it then potentially **downgrade** the AdGuard Home? This would represent a high risk of breaking things in my view.
Quote from: Limete on July 08, 2023, 07:28:01 PM
Is there a reason to keep Unbound enabled when using AdGuard Home?
Configuring Unbound as upstream DNS in adguard fixes one issue for me, which is that AGH won't start if internet is down.
Unbound is also able to do recursive DNS resolution, which some consider better from a privacy point of view (no one has all your DNS lookups, they are spread out; but on the downside, lookups are in clear text).
I have everything set up and it's working fine, but with one caveat. My OPNSense box isn't able to get software updates and ping also does not work. Any device connected to the network can access the internet and resolve addresses just fine, except for the router itself.
I have Unbound turned off in the settings. In AGH I have the boxes checked for Primary and Enable DNS.
Under System: Settings: General I have nothing listed under DNS Servers. Should I add my OPNSense box IP address here?
Under Services: DHCPv4: [LAN] I have nothing listed under DNS Servers. Should I add my OPNSense box IP address here?
Quote from: Limete on September 16, 2023, 09:18:58 PM
I have everything set up and it's working fine, but with one caveat. My OPNSense box isn't able to get software updates and ping also does not work. Any device connected to the network can access the internet and resolve addresses just fine, except for the router itself.
I have Unbound turned off in the settings. In AGH I have the boxes checked for Primary and Enable DNS.
Under System: Settings: General I have nothing listed under DNS Servers. Should I add my OPNSense box IP address here?
Under Services: DHCPv4: [LAN] I have nothing listed under DNS Servers. Should I add my OPNSense box IP address here?
If you don't use Unbound it is because you have the DNS set directly in Adguard and that is enough. What you do need to check is this:
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
https://forum.opnsense.org/index.php?topic=22162.msg146626#msg146626
Quote from: yeraycito on September 16, 2023, 10:46:28 PM
Quote from: Limete on September 16, 2023, 09:18:58 PM
I have everything set up and it's working fine, but with one caveat. My OPNSense box isn't able to get software updates and ping also does not work. Any device connected to the network can access the internet and resolve addresses just fine, except for the router itself.
I have Unbound turned off in the settings. In AGH I have the boxes checked for Primary and Enable DNS.
Under System: Settings: General I have nothing listed under DNS Servers. Should I add my OPNSense box IP address here?
Under Services: DHCPv4: [LAN] I have nothing listed under DNS Servers. Should I add my OPNSense box IP address here?
If you don't use Unbound it is because you have the DNS set directly in Adguard and that is enough. What you do need to check is this:
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
https://forum.opnsense.org/index.php?topic=22162.msg146626#msg146626
I verified that those settings are already in place. Could it be the WAN interface not being selected during the setup? I can't remember if I did that or not.
Hi to everyone.
I have AdGuard installed as a plugin on Opnsense. And I have set Private reverse DNS servers to Unbound DNS on Opnsense. And I have hostnames, but with the OPNsense domain.
Is it possible to exclude that domain, just to get hostnames?
Good day, I'm running OPNSense with the adguard plugin configured to integrate unbound, using this walkthrough: https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/.
I'm also using an unRAID server, with SWAG as a reverse proxy. I've setup a nextcloud container according to Spaceinvaderone's tutorial: https://youtu.be/id4GcVZ5qBA?si=rgoe3g4jHB64aCNY.
I have established overrides for these subdomains in Unbound. Prior to adding adguard, everything worked.
With adguard running, everything appears to be working fine, except access to my subdomains from my own LAN. I can access my subdomain (nextcloud.mydomain.com) when I'm outside the network but anytime I try to access it through my LAN, I get a "404 Not Found, nginx" page. I've seen options to configure Adguard with blocklist custom rules (e.g. 192.168.1.10 nextcloud.mydomain.com) or with upstream DNS additions (e.g. [nextcloud.mydomain.com/]192.168.1.10) Neither of these options seem to work (although I may have misconfigured them).
Does anyone have a similar setup? Is this an adguard configuration issue or do I need to tweak Swag?
Thanks for your time.
Hej,
I would like to know how exactly forcing "safe search" works. Doesn't this require breaking the SSL connection?
Can someone please explain this to me?
Greatz Emmitt
Truenas scale:
Version:OPNsense 23.7.8_1-amd64 running in a VM
Opnsense IP 192.168.1.1
Adguard IP 192.168.1.210 (Docker)
I have done these steps. I skipped steps 1-3 as it is running in a container.
Quote: 3 - Opnsense - System - Settings - General
DNS Servers: 192.168.1.210
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Skipped using unbound to resolve or might add later.
7 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://192.168.1.210:3001 to complete the Adguard setup
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
192.168.1.1:5353
I followed all steps, but like I mentioned my adguard is running remotely on another IP in the same network.
I run truenas and have containers running all working fine when I use only unbound.
When I start to use the above setup with adguard, I can search the internet etc.
Can someone explain to me the additional steps, or what am I doing wrong?
System - Settings - General - DNS servers list - 192.168.1.210
Services - DHCPv4 - [LAN] DNS servers - 192.168.1.210
As soon as I put unbound back to 53 everything is working just fine on homeassistant.
When I use adguard with the above settings, somehow tuya stops working for the lights and there seem to be problems with homeassistant reaching 443; for example lights running with tuya and SolarEdge and some cloud services running on 443 seem to stop working.
Unbound is set at 5353 and adguard at 53.
I tried forcing DNS to redirect to 192.168.1.210. By creating NAT forward rules.
Nothing seems to help, and if I use such rules nothing works?
Please provide me with an example. And perhaps I make this rule wrong because the examples are all on the opnsense ip or 127.0.0.1.
Quote from: Kieros on November 13, 2023, 11:03:01 PM
Truenas scale:
Version:OPNsense 23.7.8_1-amd64 running in a VM
Opnsense IP 192.168.1.1
Adguard IP 192.168.1.210 (Docker)
I have done these steps. I skipped steps 1-3 as it is running in a container.
Quote: 3 - Opnsense - System - Settings - General
DNS Servers: 192.168.1.210
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Skipped using unbound to resolve or might add later.
7 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://192.168.1.210:3001 to complete the Adguard setup
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
192.168.1.1:5353
I followed all steps, but like I mentioned my adguard is running remotely on another IP in the same network.
I run truenas and have containers running all working fine when I use only unbound.
When I start to use the above setup with adguard, I can search the internet etc.
Can someone explain to me the additional steps, or what am I doing wrong?
System - Settings - General - DNS servers list - 192.168.1.210
Services - DHCPv4 - [LAN] DNS servers - 192.168.1.210
As soon as I put unbound back to 53 everything is working just fine on homeassistant.
When I use adguard with the above settings, somehow tuya stops working for the lights and there seem to be problems with homeassistant reaching 443; for example lights running with tuya and SolarEdge and some cloud services running on 443 seem to stop working.
Unbound is set at 5353 and adguard at 53.
I tried forcing DNS to redirect to 192.168.1.210. By creating NAT forward rules.
Nothing seems to help, and if I use such rules nothing works?
Please provide me with an example. And perhaps I make this rule wrong because the examples are all on the opnsense ip or 127.0.0.1.
Try with Unbound listening on port 5335 (and not 5353).
Hi
I'm running adguard home plugin on opnsense, setup as per the guide linked early on in this thread. The guide mentions that I need to edit the yaml config to be as shown below:
bind_host: 0.0.0.0
bind_port: 3000
[...]
dns:
  bind_host: 0.0.0.0
  port: 53
I have changed the bind_host under dns to 0.0.0.0 but don't have the bind host or bind port option, instead I have:
http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.1.1:3000
Should I change this address to be 0.0.0.0:3000?
Also, I haven't set up DNS encryption. Is it useful for the average home user? If so, can someone point me to a guide to setting it up in opnsense? I have a domain name that I purchased from Cloudflare and expose some services run as docker containers on my server via the traefik reverse proxy. How do I use this domain to set up DNS encryption? Thanks
I have the same as you and it works fine for me (I have bind_hosts in plural because I have IPv6 as well)
excerpt:
http:
  address: 192.168.1.1:3000
dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
    - ::1
    - 'fd00::'
When it comes to encrypted DNS, modern browsers will attempt to use it, but it's not a must. I tend to enable encryption when possible, so I force HTTPS traffic for the admin interface, and I have enabled DNS over HTTPS (DoH), over TLS (DoT) and over QUIC (DoQ).
Please know that some browsers will bypass your local DNS, though, and do DNS over QUIC with a public DNS. I believe Chrome does this by default, and hence I block most public DNS servers in the firewall to prevent that and force any device to use my local DNS (ADH) and have malware/ad blocking.
tls:
  enabled: true
  server_name: my.opnsense.fqdn.com
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /var/etc/acme-client/certs/644c0950b1e780.38459566/fullchain.pem
  private_key_path: /var/etc/acme-client/keys/644c0950b1e780.38459566/private.key
I have to admit that ADH however seems the flimsiest part of my opnsense setup, it's where I had the most issues so far...
Thanks for the prompt reply. Is it an issue to just have 0.0.0.0 as the only dns bind host or should I add the 192 one? Sorry, fairly new to networking.
Also regarding DNS encryption, if I don't want external access to the admin interface, do I still need a domain and certificate?
I think that's fine, it will just bind to any IP your machine has, which also includes external IPs, so you must make sure your firewall does not allow port 3000 and 53 inbound (it does not by default).
You do not need DNS encryption, certificates or a domain, it's not required for simple DNS functionality.
Quote from: yeraycito on January 28, 2022, 07:26:33 PM
Thank you very much, I have tried it and it works.
Opnsense 22.1 Clean Install - Installation:
It is very important to follow the order explained
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - Opnsense - System - Settings -General
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
5 - Opnsense - Services - Unbound - Dns Over Tls
Set the desired DNS servers, e.g., Cloudflare:
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
6 - Opnsense - Services - Unbound - General
Listen Port: 5353
7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the Adguard setup
8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
I wanted to add this here, as I spent hours trying to figure out what I was missing.
I would follow the above steps and get everything working for maybe a few minutes, but eventually none of my devices would have internet access. Both AdGuard Home and Unbound showed that they were receiving DNS traffic, but clearly something was wrong.
The problem was that I had previously configured DNS overrides in Unbound. Disabling/deleting my previously configured Unbound DNS overrides solved my issue. I then created those same overrides in AdGuard under
Filters -> DNS rewrites.
Quote from: yeraycito on January 28, 2023, 01:35:39 AM
Opnsense 23.1 Install:
1 - Activate mimugmail's community repository:
SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Opnsense - System - Settings -General
DNS Servers: empty
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
4 - Services – DHCPv4 – [LAN] : DNS Servers all empty
5 – Opnsense – Services - Unbound DNS – General
Tick: Enable Unbound ( Listen Port: 5353 )
Tick: Enable DNSSEC Support
Network Interfaces: All
6 - Opnsense - Services - Unbound - Dns Over Tls
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
7 - Activate and start AdGuardHome from Services --> AdGuardHome
8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the Adguard setup
9 - Adguard Home - DNS Configuration - Upstream Servers:
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
10 – Adguard Home – DNS Configuration – Bootstrap DNS servers
Add Opnsense ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:
192.168.1.1:5353
This worked temporarily for me, but for some reason roughly 30 minutes later, Unbound no longer gets any requests from AdGuard (or at least in logging, it makes 0 requests when trying to hit a website). Not quite sure what's going on. Had everything on the Unbound side of things running at 5335, but otherwise followed everything else. Immediately starts resolving hostnames obviously as soon as I bring Unbound back to 53. Is there any way to run this configuration so that Unbound is the first entry point and can run on 53 instead? Not sure if that would rectify the issue though.
Quote from: Cosigner4516 on December 04, 2023, 11:52:14 PM
Quote from: yeraycito on January 28, 2022, 07:26:33 PM
Thank you very much, I have tried it and it works.
Opnsense 22.1 Clean Install - Installation:
It is very important to follow the order explained
1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - Opnsense - System - Settings -General
Untick: Do not use the local DNS service as a nameserver for this system
Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
5 - Opnsense - Services - Unbound - Dns Over Tls
Set the desired DNS servers, e.g., Cloudflare:
Server IP: 1.1.1.1
Server Port: 853
Verify CN: cloudflare-dns.com
6 - Opnsense - Services - Unbound - General
Listen Port: 5353
7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the Adguard setup
8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353 ( 192.168.1.1:5353 ) Delete those that exist
Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
I wanted to add this here, as I spent hours trying to figure out what I was missing.
I would follow the above steps and get everything working for maybe a few minutes, but eventually none of my devices would have internet access. Both AdGuard Home and Unbound showed that they were receiving DNS traffic, but clearly something was wrong.
The problem was that I had previously configured DNS overrides in Unbound. Disabling/deleting my previously configured Unbound DNS overrides solved my issue. I then created those same overrides in AdGuard under Filters -> DNS rewrites.
Could you share an example of what the overwrite looks like? I believe I'm having similar issues.
EDIT: Somehow I figured it out and am no longer having issues. I think there could be a potential issue with leaving the DHCPv4 LAN DNS servers as all empty as it may not be able to resolve your localhost (I'm still a networking newb so I could be totally wrong). I added 192.168.1.1 to my DNS servers for DHCP and now everything seems to be working. Could be some firewall rule changes I made, but not totally sure. I went ahead and added a similar DNS src * dst * LAN address rule for 5335 just in case.
Hello Everybody,
I am totally confused...
I have a running OPNSense 23.7.10_1 with Unbound. Now I have set up AdGuard Home like it is explained here and it works.
OK, I thought it worked. The internet is reachable and I can see in the web interface of AdGuard that there are things blocked.
But now I have a really strange behavior.
If I use the user filter rules and insert something like '||web.de^$important' I still can access it with my browser.
But if I do a nslookup from terminal I get 0.0.0.0
Even if I disable AdGuard and Unbound, I can still open any website I want. I even blocked port 53 in my firewall and nothing changed.
Now I hope to find some help here.
Best regards
Frank
Hi, is Unbound necessary for AGH to function properly in opnsense? Or can we just disable unbound and use AGH with its DHCP function to do the DNS queries? Will this idea work at all?
Some upstream recursive DNS server is necessary for AGH to work.
I want to use Unbound in resolve mode and have AGH use unbound as its dns server.
Doesn't seem that this guide does that? Or am I missing something?
EDIT:
I think this is how you do it, correct?
Have AGH listening on port 53
Unbound listens on port 5353
AGH uses only a single upstream of 127.0.0.1:5353
Two remarks:
1. you wrote once 5353 and once 5335, I assume it's a typo.
2. I would recommend using 53530, for example, rather than 5353, as 5353 is the default port for mDNS.
Other than this, your configuration seems correct.
Yes, that was a typo; edited to correct it.
OK, will use 53530. Thanks
Are we able to use the AGH/Settings/DNS Encryption setting in this configuration?
Using AGH plugin on 53, Unbound on 53530 w/ DOT to cloudflare.
I have the acme plugin up and running.. Created a cert for AGH.. am pasting fullchain.pem and privatekey.pem but am getting 2 errors:
Error: control/tls/validate | port 443 is not available, cannot enable HTTPS on it | 400
and on both key paste entry fields:
Status:
*Certificate chain is invalid
Anyone have this working if even possible?
I would guess both your opnsense admin interface and the adguard admin interface are running on port 443. Considering DNS over HTTPS is a thing, I would recommend moving the opnsense admin intf to a different port.
Regarding the cert chain issue, I can confirm that using acme plugin to generate a certificate is indeed possible. But I am not pasting any certificate anywhere, this is not required, you simply configure adguard to reuse the same certs you created for the router. (You do need to figure out which ones are the right ones if you have multiples)
tls:
  enabled: true
  [...]
  port_https: 443
  [...]
  certificate_path: /var/etc/acme-client/certs/644c0950b1e430.38459566/fullchain.pem
  private_key_path: /var/etc/acme-client/keys/644c0950b1e430.38459566/private.key
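Several of the pitfalls in this thread are visible in AdGuardHome.yaml alone: a web UI or resolver bound to 0.0.0.0 (which also answers on WAN unless the firewall blocks it), Unbound used as upstream on 5353, the mDNS default port, tls.port_https colliding with the OPNsense GUI on 443, TLS enabled without a certificate path, and http.address given as a list or a comma-joined string, which is what stopped AGH from starting earlier in the thread. The following is an added Python lint over a parsed config; it is example code written for this thread, not part of AdGuard Home, the plugin or OPNsense. The two sample config dicts are constructed from the snippets posted above, and the OPNsense GUI ports 80/443 are an assumption (the default values).

```python
"""Lint a parsed AdGuardHome.yaml for the pitfalls discussed in this thread.
Added example for this thread; not part of AdGuard Home, its plugin or OPNsense."""
import ipaddress
import re

MDNS_PORT = 5353                 # default mDNS port, the conflict 9axqe warns about
ROUTER_WEB_PORTS = {80, 443}     # assumption: OPNsense GUI left on its default ports
WILDCARDS = ("0.0.0.0", "::")    # binds on every interface, WAN included


def split_host_port(value, default_port=None):
    """Parse one 'host:port' string ('[v6addr]:port' for IPv6). A list or a
    comma-joined string, the formats that failed to start AGH above, raises."""
    if not isinstance(value, str):
        raise ValueError(f"expected a single 'host:port' string, got {value!r}")
    v = value.strip()
    if v.startswith("["):                       # [2001:db8::1]:53
        host, _, port = v[1:].partition("]:")
    elif v.count(":") > 1:                      # bare IPv6 without a port
        host, port = v, ""
    else:                                       # 192.168.1.1:3000 or 192.168.1.1
        host, _, port = v.partition(":")
    if not port:
        if default_port is None:
            raise ValueError(f"{value!r}: port is required")
        port = default_port
    try:
        ipaddress.ip_address(host)
    except ValueError as exc:
        raise ValueError(f"{value!r}: {host!r} is not an IP address") from exc
    return host, int(port)


def lint_config(cfg, router_web_ports=ROUTER_WEB_PORTS):
    """Return human-readable findings; an empty list means no known pitfall matched."""
    findings = []
    host, port = split_host_port(cfg["http"]["address"])      # a list raises here
    if host in WILDCARDS:
        findings.append(f"http.address {host}:{port} listens on every interface; "
                        f"block inbound tcp/{port} on WAN or bind to LAN addresses only")
    dns = cfg.get("dns", {})
    dns_port = int(dns.get("port", 53))
    for h in dns.get("bind_hosts", []):
        ipaddress.ip_address(h)                  # every bind host must be an address
        if h in WILDCARDS:
            findings.append(f"dns.bind_hosts contains {h}: resolver is reachable on every "
                            f"interface; block inbound {dns_port}/udp+tcp on WAN")
    if dns_port == MDNS_PORT:
        findings.append(f"dns.port {dns_port} is the mDNS default port")
    for key in ("upstream_dns", "bootstrap_dns"):
        for entry in dns.get(key, []):
            target = re.sub(r"^\[/[^\]]*/\]", "", entry)   # drop '[/domain/]' prefix
            if "://" in target:                  # tls://, https://, quic:// upstreams
                continue
            _, p = split_host_port(target, default_port=53)
            if p == MDNS_PORT:
                findings.append(f"{key} entry {entry!r} targets port {MDNS_PORT}, the mDNS "
                                f"default; move Unbound to an unreserved port such as 53530")
    tls = cfg.get("tls", {})
    if tls.get("enabled"):
        if tls.get("port_https") in router_web_ports:
            findings.append(f"tls.port_https {tls['port_https']} collides with the OPNsense "
                            f"GUI on the same address; change one of them")
        if not (tls.get("certificate_path") or tls.get("certificate_chain")):
            findings.append("tls.enabled is true but neither certificate_path nor "
                            "certificate_chain is set")
    return findings


# Constructed sample configs mirroring the snippets posted in this thread.
RISKY_CONFIG = {
    "http": {"address": "0.0.0.0:3000"},
    "dns": {"bind_hosts": ["0.0.0.0"], "port": 53,
            "upstream_dns": ["192.168.1.1:5353", "[/nextcloud.mydomain.com/]192.168.1.10"],
            "bootstrap_dns": ["192.168.1.1:5353"]},
    "tls": {"enabled": True, "port_https": 443, "certificate_path": "", "private_key_path": ""},
}
HARDENED_CONFIG = {
    "http": {"address": "192.168.1.1:3000"},
    "dns": {"bind_hosts": ["192.168.1.1", "127.0.0.1"], "port": 53,
            "upstream_dns": ["127.0.0.1:53530"], "bootstrap_dns": ["127.0.0.1:53530"]},
    "tls": {"enabled": True, "port_https": 8443,
            "certificate_path": "/var/etc/acme-client/certs/EXAMPLE_ID/fullchain.pem"},
}

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = lint_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

To run it against a real file, load the YAML into a dict first (for example with PyYAML's safe_load) and pass that dict to lint_config; the risky sample produces six findings, the hardened one none.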
That did it. I changed the AGH https port and that error went away; I didn't want to move the admin UI.
On the AGH page the HTTPS port field says:
"If HTTPS port is configured, AdGuard Home admin interface will be accessible via HTTPS, and it will also provide DNS-over-HTTPS on '/dns-query' location."
So it seems the DOH should still work fine?
Thanks!
On the certs:
I use a very easy setup with acme let's encrypt certificates:
1. Use a wildcard cert
2. Paste into adguard home GUI settings -> encryption settings:
Certificate path:
/var/etc/cert.pem
Key file path:
/var/etc/key.pem
Works.
Anyone know how I can check what is the issue with my setup?
I have followed yeraycito's post and DNS ceases to work. The only configuration that seems to work for me is...
https://0x2142.com/how-to-set-up-adguard-on-opnsense/
But I want AdGuard to be on 53 and Unbound on some other port.
If I test upstream server in Adguard, that works so I figure there is some communication happening between Adguard and Unbound.
But I don't understand why there is no DNS resolution. I can access internal services by IP no problem so it's just the DNS resolution that isn't working
Hey @andyd, did you check that you can send DNS request to <opnsense_IP>:5353 ?
Something like "host example.com <opnsense_IP>:5353" from a linux box.
Does this work?
btw, I disagree a bit with @yeraycito's recommendation of using port 5353. It's the default port for mDNS, I see an unnecessary risk for conflict, I use 53530 for example.
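A way to run that test that does not depend on the `host` command's syntax, as an added example that is not from the thread: a small Python probe that builds a raw DNS A query, sends it over UDP to a resolver on any port, and parses the reply, checking that the transaction id matches so a stale or spoofed answer is not mistaken for the resolver's. The server address, port and script name (`dnsprobe.py`) are assumptions passed on the command line; the bytes used in testing are constructed.

```python
"""Minimal DNS-over-UDP probe for a resolver on a non-standard port.

Usage (assumed file name):  python3 dnsprobe.py 192.168.1.1 53530
"""
import socket
import struct
import sys


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive A/IN query for `name` in RFC 1035 wire format (ASCII labels only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Return {'rcode': int, 'answers': [ipv4, ...]}; refuse a reply whose id does not match ours."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section (name + QTYPE + QCLASS)
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def check_resolver(server: str, port: int, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one query to server:port over UDP and return the parsed result."""
    txid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        data, _peer = sock.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    print(check_resolver(sys.argv[1], int(sys.argv[2])))
```

An rcode of 0 with at least one answer means the resolver on that port is reachable and forwarding; rcode 3 (NXDOMAIN) for a name that exists points at the upstream chain rather than at the listener, and a timeout points at the bind address or a firewall rule.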
Quote from: 9axqe on February 12, 2024, 12:59:21 PM
Hey @andyd, did you check that you can send DNS request to <opnsense_IP>:5353 ?
Something like "host example.com <opnsense_IP>:5353" from a linux box.
Does this work?
btw, I disagree a bit with @yeraycito's recommendation of using port 5353. It's the default port for mDNS, I see an unnecessary risk for conflict, I use 53530 for example.
I'm going to try again later in the week but I'll try again. I suspect that I need to restart the router for the changes to really apply as the lesson I learnt this morning when I was trying to revert back to what I had.
In regards to 5353, yep! I read elsewhere that the port shouldn't be used.
This isn't Windows ;). No need to reboot for most services in userland. Just restart the service.
lol it seemed like it would be necessary to do so for some other change.
anyway, I cannot get this to work :/ Not sure what I'm missing but the logs aren't helpful (or if any).
I usually work on things remotely since I'm not always home - hard to tell right now if there is something off with the VPN or at home as well.
for wireguard vpn, it's just adding the dns ip of 10.10.10.1? I have that but still no luck. The only thing that works for me is having Unbound set to port 53 (and following the guide I linked to previously)
@andyd, I suggest to open your own thread with your settings
@cookiemonster
I actually got it working last night!
A few things...
I deleted Adguard and added it back in case I had messed with anything. After doing that...
1. I had forgotten about the option to set Adguard as `Primary DNS server`. I enabled that. Not sure if that helps. Also not sure when that option was introduced but it was never mentioned in this thread so I didn't think to go back to the adguard page to enable it.
2. I noticed that the bind address in the Adguard yaml was set to 0.0.0.0. I previously had it as the router ip. Not sure why I changed it but left it as default. Port was always 53 though
3. I followed this guide instead which seemed more comprehensive in general...
https://windgate.net/setup-adguard-home-opnsense-adblocker/
I am not sure which of the four was the reason, but yeah, finally working. I recommend the guide above to others that are looking to set Adguard to 53 and unbound to another port.
@andyd glad you're up and running.
This thread is so long that I don't even remember if it suggests AdGH as "the" dns server for the network or not. That's where we can use one of two ways, whichever you prefer.
In both cases only one process can be on a port. That means one on 53 and the other on whatever is preferred.
The next thing to consider is that depending on which way, firewall rules and NAT are different. Also need to remember this when setting the DNS server for OPN to use itself.
p.s. 0.0.0.0 means "bind to all interfaces on this host".
I feel like I need to jump in here and ask for some AdGuard help as well. I'm having issues configuring dnsmasq+adguard on opnsense to be able to distinguish which clients are making which DNS lookups (i.e. retain local client IPs).
I currently have the requests going like `client -> dnsmasq (53) -> adguard (53530)`. The reason why I have dnsmasq is because I own a domain that I route to an internal reverse proxy on the LAN, so dnsmasq is resolving mydomain.com to a local IP and forwarding the rest to AdGuard.
The thread is very long at this point, so apologies if this has already been answered, but how can one go about setting things up so that AdGuard will be able to display the local client IPs in the dashboard, and not just 192.168.1.1 when forwarding via dnsmasq on the opnsense device?
AGH has the ability to "rewrite" DNS as well, so you can make your own domain point to local IPs using just AdGuard Home. Hence you could put AdGuard first (and maybe you don't need dnsmasq at all anymore?).
Just an idea.
Quote from: 9axqe on February 27, 2024, 08:59:13 AM
AGH has the ability to "rewrite" DNS as well, so you can make your own domain point to local IPs using just AdGuard Home. Hence you could put AdGuard first (and maybe you don't need dnsmasq at all anymore?).
Just an idea.
That's excellent, I didn't know AGH could do that with wildcards and exclusions, but it actually can.
I set up AGH to do the same as I've done with dnsmasq so far, and it seems to work correctly, so I'll be uninstalling dnsmasq and the end result is a simplified setup, very nice!
I have a question regarding the Blocked services.
I see that there is an option to pause the blocking. Can someone confirm if there's a way to pause blocking only for certain services instead of pausing the block for all services?
For eg. I just want to unblock YouTube from 6PM to 7AM on Weekdays and all day on Sat, Sun. I don't want to pause the blocking of any other services. Can this be achieved with the current Pause Blocking feature?
I don't know the answer to your question, I would recommend asking this on the AdGuard Home own forums, as this is unrelated to opnsense:
https://github.com/AdguardTeam/AdGuardHome/discussions
I think you can achieve this by per client setting: Adguard home - setting - client settings - Persistent clients, Add client. In there you can specify the "Pause service blocking" for that client, day and time.
I didn't want to do it per client. I just want the service available to all clients during a specified time. However, I don't want to unblock all the other services.
Looks like that is not possible at the moment with AdGuard Home
Does someone have issues with the OPNsense update mechanism since installing the mimugmail repository for AdGuard? I still didn't remove it to test whether that really is the issue, but since I've installed it, updates take a couple of minutes to load and plugins need like 3-5 minutes to show up. And God forbid you change the menu and go back, the process begins again.
Hey Guys,
I just want to double check:
Is it ok to bind 0.0.0.0 interface instead of choosing local ip address?
I faced some issues with binding only the local LAN & 127.0.0.1 & ::1, where out of nowhere it stopped forwarding DNS to clients (even after adding a firewall rule), so I changed the listening interfaces to 0.0.0.0 and I noticed it started working again, and AGH now seems to be resolving IPv6 client requests, not just IPv4.
Edit: NVM, AGH stopped receiving DNS requests again; I had to add the router IP as DNS server in the OPNsense settings to get it to work!! I don't even know if that's the right solution tbh..
Hi, I hope someone can assist me here?
I've installed AGH on my OpnSense Router, I kept the default port of 3000, but I can only administer it from the subnet/interface that I installed it from (192.168.50.x). I've created some additional fw rules to attempt access from a wifi network (192.168.61.x) as I have multiple VLANs, but no success. Am I missing something?
Has anyone else found a fix for this?
thanks
I think you need to edit the "/usr/local/AdGuardHome/AdGuardHome.yaml" and bind against the IPs of the router in each subnet. Or, alternatively, you must route between subnets.
Are you able to ping from the second subnet anything in the first subnet?
Hi
I'll check the yaml file, but I can see in the settings the IPs are bound to all the IPs of the router.
I would have thought that AGH was accessible from the default gateway on each subnet and therefore I should be able to login to the admin console from the default gateway (192.168.61.1:3000) on each subnet or am I wrong?
thanks for your reply.
The YAML file looks like this; looks like I need something different where the address is 192.168.50.1:3000, like 127.0.0.1???
http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.50.1:3000
  session_ttl: 720h
users:
  EXCLUDED
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
0.0.0.0:3000 probably.
Until a few months back, I had a fully working setup with unbound and adguard home, until something happened (my guess is that an update broke something).
Short story is that devices within the DHCP range are not affected by blocked client services, neither by IP nor by MAC.
If I add the device to a static DHCP outside of the DHCP range, it works. I have also checked which DNS server is used and the clients are shown using cloudflare, which is set up in opnsense and not in adguard.
Also, no clients have ad filtering applied (at least not that I can see the effect of).
adguard:
Upstream DNS
192.168.1.1:8053
Bootstrap DNS servers
192.168.1.1:8053
Private reverse DNS servers
192.168.1.1:8053
opnsense
Settings > General (checked)
Prefer IPv4 over IPv6
Allow DNS server list to be overridden by DHCP/PPP on WAN
unbound > general (checked)
enabled
listen port: 8053
DNSSEC support
Register ISC DHCP4 Leases
Register ISC DHCP Static Mappings
Flush DNS Cache during reload
unbound > DNS over TLS
ip 1.1.1.1
port 853
Verify CN cloudflare-dns.com
ISC DHCPv4
DNS entries empty
I think that's it.
Anything I have overlooked/misunderstood?
If you haven't configured a DNS IP under ISC DHCPv4, which is what I understand when you write "DNS entries empty" then I would say it is expected the device will not take adguard.
You need to configure the IPs adguard is listening to (which you can find in the "/usr/local/AdGuardHome/AdGuardHome.yaml" file).
Hmm but to get a global setting that all devices are filtered through adguard, I don't need to specify them there? I use static dhcp as a workaround and don't really need static addresses on most devices.
Edit: Ok, understood and checked yaml, it points to opnsense ip, which I added in DHCP settings as well. Still no change.
It might take a while, DHCP lease has to expire or reach something like 75% or 50% of its lifetime to be automatically renewed. Disconnect/reconnect wifi on a client should trigger a new DHCP lease.
You could do a packet capture and filter for dhcp, DHCP is not encrypted and you should be able to see if it's sending the right DNS server IP to the clients.
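To do that check without reading the capture by eye, as an added example that is not from the thread: a Python parser for the DHCP options of a captured OFFER or ACK, which pulls out option 6 (the DNS server list handed to the client) and option 53 (the message type). It takes the raw UDP payload of one DHCP packet; how you get that payload out of a pcap (scapy, tshark, or by hand) is left as an assumption, and `build_sample_offer` only constructs a test packet with made-up addresses. A suitable capture can be taken on the firewall with `tcpdump -ni <lan_interface> -w dhcp.pcap 'port 67 or port 68'`.

```python
"""Extract the DNS servers advertised in a DHCP OFFER/ACK (option 6)."""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from the UDP payload of a DHCP packet."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end of options
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def message_type(payload: bytes) -> str:
    value = parse_dhcp_options(payload).get(53)
    return MESSAGE_TYPES.get(value[0], "UNKNOWN") if value else "UNKNOWN"


def dns_servers(payload: bytes) -> list:
    """Option 6 is a list of 4-byte IPv4 addresses; an absent option means 'no DNS server offered'."""
    raw = parse_dhcp_options(payload).get(6, b"")
    return [socket.inet_ntoa(raw[k:k + 4]) for k in range(0, len(raw) - len(raw) % 4, 4)]


def build_sample_offer(yiaddr: str, dns: list, server_id: str = "192.168.1.1") -> bytes:
    """Constructed test packet: a DHCPOFFER for `yiaddr` from `server_id` advertising `dns`."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s",
        2, 1, 6, 0,                     # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0,               # xid, secs, flags
        socket.inet_aton("0.0.0.0"),    # ciaddr
        socket.inet_aton(yiaddr),       # yiaddr (offered address)
        socket.inet_aton(server_id),    # siaddr
        socket.inet_aton("0.0.0.0"),    # giaddr
    )
    fixed += b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128  # chaddr, sname, file
    opts = b"\x35\x01\x02"                                  # option 53: OFFER
    opts += b"\x36\x04" + socket.inet_aton(server_id)       # option 54: server identifier
    if dns:
        opts += bytes([6, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
    return fixed + MAGIC + opts + b"\xff"


if __name__ == "__main__":
    offer = build_sample_offer("192.168.1.50", ["192.168.1.1"])
    print(message_type(offer), "advertises DNS servers:", dns_servers(offer))
```

If option 6 is absent or carries the wrong address in the OFFER/ACK that your client actually received, the DHCP server setting (Services: ISC DHCPv4: [interface] > DNS Servers) is what needs fixing; if it is right, the problem is downstream of the client accepting the lease.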
Howdy,
I followed yeraycito's setup guide from September 22 2022 and configured DNS over TLS. It worked perfectly until I suddenly lost internet access. I could still ping 1.1.1.1 from my machine however DNS resolution seemed to be broken.
I reverted the changes and after obtaining a new IP address my internet was working again.
I played around with it and reconfigured everything per yeraycito's guide once again. I then decided to go into:
System > Settings > General
and added my OPNSense box as a DNS server (the thing hosting unbound). The error is now no longer occurring. Is this a step I was supposed to do and was just not provided in yeraycito's guide, or am I now bypassing DNS over TLS (or doing something else equally dumb)?
System > Settings > General is actually for DNS lookups initiated by opnsense itself. It should be configured, yes, but if it's missing it should break the DNS resolution of your clients.
What is relevant for your client is the DNS server configured in the DHCP server, because your client is learning the IP of the DNS server over DHCP: Services: ISC DHCPv4: [your interface] > DNS Servers.
Could you see the DNS requests coming in in the AdGuard Home logs while the issue was happening? Can you see the requests in AdGuard Home now?
Could you see the DNS requests coming in in the AdGuard Home logs while the issue was happening?
I was not looking at the time and I'm hesitant to break it again.
Can you see the requests in AdGuard Home now?
Yes
At this time should I change System > Settings > General back to something like Cloudflare and change Services: ISC DHCPv4: [your interface] > DNS Servers to my OPNsense host? Or am I misunderstanding what you are suggesting?
Hello - I am new to opnsense but have my setup working well and I followed this guide to setup AdGuard Home with Unbound and it is working fine. So thank you to all the contributors!
I have one client (a server) using a ipv4 static DHCP lease that I wanted to setup so that it bypasses adguard but uses unbound.
I have tried to set the DNS to 192.168.1.1:5335 (unbound) but opnsense dhcp does not like the :5335 part...
If I use an external DNS like 8.8.8.8 it bypasses adguard but I can't access the server by its hostname as reverse lookup is through unbound.
In summary I need to configure a client to not use adguard but still be able to resolve it by hostname
Any thoughts on how I can make this work?
Quote from: jata on June 20, 2024, 01:30:11 AM
I have one client (a server) using a ipv4 static DHCP lease that I wanted to setup so that it bypasses adguard but uses unbound.
Is it sufficient to configure AGH to not block anything for that client?
https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#client-rules
hello dave14305! I know you from the asus / merlin forums.
Yes - I cannot block easily and nothing important is being blocked from what I can see anyway.
I just don't like the noise/volume from this machine and there might be other clients that I want to exclude from adguard so looking for another way.
At the moment I have a trade off between resolving hostname and using adguard.
UPDATE: Be very careful with this as it can have quite significant consequences - especially with servers that are doing lots of things. Looks like adding to disallowed clients has a big impact on dns resolution for the clients on this list.
By way of update on this I think I have found a couple of settings in AdGuard that help solve this.
If you want to completely ignore a client, then you add it to disallowed clients in the DNS settings of adguard.
If (like me) you are getting lots of noise from clients communicating with other clients on the lan by hostname (e.g. client1.lan), then you can add lan to disallowed domains in adguard DNS settings.
Hey everyone, thanks for this detailed thread and all the solutions that have been mentioned.
I'm new to OPNsense and while I am well-versed in consumer-grade routers/AdGuard Home, I'm not great with advanced networking. Due to this, I'm facing a few issues trying to get AdGuard working with a dual-WAN setup on OPNsense. I hope someone can help me :)
The steps I followed:
- Setup my OPNsense box with a single WAN connection and verified internet connectivity on clients.
- Setup AdGuard according to this guide (https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/).
- Verified that the internet was accessible to clients.
- Followed the official multi-WAN documentation (https://docs.opnsense.org/manual/how-tos/multiwan.html) to setup a load-balancing configuration.
This set of steps seemed to work at first since I was able to access the internet.
However, immediately after this:
- AdGuard web UI becomes inaccessible at the correct ip/port (3000 or 8080, which I configured it to use).
- Load-balancing/fail-over seem to stop working.
- All access to the internet is lost at the client-end.
Other things I tried:
- I switched the sequence of steps to first setup dual-WAN and then attempt to setup AdGuard but then, I immediately run into an inaccessible AdGuard web UI, so even the configuration wizard at port 3000 is unreachable.
- Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard as mentioned in the first post (https://forum.opnsense.org/index.php?topic=22162.msg105035#msg105035).
- Add my router IP address in System/Settings/General.
None of these have helped restore internet connectivity or access to AdGuard web UI. Additionally, I'm not sure if it's related, but, if I try to test WAN fallback in my load-balancing setup by disconnecting one of my internet connections to the router, it does not seem to failover to the second WAN and instead, all clients lose internet connectivity entirely. The router itself seems to have connectivity as it's able to check for updates successfully.
I also noticed this note by planetix:
Quote from: planetix on August 03, 2021, 04:32:34 PM
Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.
The problem, if anyone else runs in to this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.
This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.
I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.
Hope this helps someone else :)
However, I could not figure out how to do this so I'm not sure if this is the solution for the issues I'm facing.
Once I get this working, I want to integrate Zenarmor into OPNsense and install a few more useful plugins/packages.
Does anyone have experience in getting AdGuard + Unbound to work in a dual-WAN setup like mine? Is there anything simple/obvious that is escaping me? What else can I try to make this work?
Please do try to ELI5. Thanks in advance!
Quote from: prakhar on June 29, 2024, 07:32:26 AM
Hey everyone, thanks for this detailed thread and all the solutions that have been mentioned.
I'm new to OPNsense and while I am well-versed in consumer-grade routers/AdGuard Home, I'm not great with advanced networking. Due to this, I'm facing a few issues trying to get AdGuard working with a dual-WAN setup on OPNsense. I hope someone can help me :)
The steps I followed:
- Setup my OPNsense box with a single WAN connection and verified internet connectivity on clients.
- Setup AdGuard according to this guide (https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/).
- Verified that the internet was accessible to clients.
- Followed the official multi-WAN documentation (https://docs.opnsense.org/manual/how-tos/multiwan.html) to setup a load-balancing configuration.
This set of steps seemed to work at first since I was able to access the internet.
However, immediately after this:
- AdGuard web UI becomes inaccessible at the correct ip/port (3000 or 8080, which I configured it to use).
- Load-balancing/fail-over seem to stop working.
- All access to the internet is lost at the client-end.
Other things I tried:
- I switched the sequence of steps to first setup dual-WAN and then attempt to setup AdGuard but then, I immediately run into an inaccessible AdGuard web UI, so even the configuration wizard at port 3000 is unreachable.
- Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard as mentioned in the first post (https://forum.opnsense.org/index.php?topic=22162.msg105035#msg105035).
- Add my router IP address in System/Settings/General.
None of these have helped restore internet connectivity or access to AdGuard web UI. Additionally, I'm not sure if it's related, but, if I try to test WAN fallback in my load-balancing setup by disconnecting one of my internet connections to the router, it does not seem to failover to the second WAN and instead, all clients lose internet connectivity entirely. The router itself seems to have connectivity as it's able to check for updates successfully.
I also noticed this note by planetix:
Quote from: planetix on August 03, 2021, 04:32:34 PM
Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.
The problem, if anyone else runs in to this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.
This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.
I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.
Hope this helps someone else :)
However, I could not figure out how to do this so I'm not sure if this is the solution for the issues I'm facing.
Once I get this working, I want to integrate Zenarmor into OPNsense and install a few more useful plugins/packages.
Does anyone have experience in getting AdGuard + Unbound to work in a dual-WAN setup like mine? Is there anything simple/obvious that is escaping me? What else can I try to make this work?
Please do try to ELI5. Thanks in advance!
Anyone?
Quote from: prakhar on June 29, 2024, 07:32:26 AM
However, I could not figure out how to do this so I'm not sure if this is the solution for the issues I'm facing.
Disclaimer: I do not have dual WAN, so my expertise here is limited.
The default pass-all-out rule in your firewall is going to have "LAN net" as source and "*" as destination. The above post says you must change that to point to your dual-WAN gateway.
Secondly, (actually, firstly, before the step above) you need LAN rules to allow from "LAN net" to "this firewall" ports 443, 3000, 22, etc.
Finally, a question: is Dual WAN working properly without AdGuard Home? Because if not, it has little to do with AdGuard Home then I guess.
Quote from: 9axqe on July 08, 2024, 11:54:26 AM
Quote from: prakhar on June 29, 2024, 07:32:26 AM
However, I could not figure out how to do this so I'm not sure if this is the solution for the issues I'm facing.
Disclaimer: I do not have dual WAN, so my expertise here is limited.
the default pass all out rule in your firewall is going to have "LAN net" as source and "*" as destination. The above post says, you must change that to point to your dual WAN gateway.
Secondly, (actually, firstly, before the step above) you need LAN rules to allow from "LAN net" to "this firewall" ports 443, 3000, 22, etc.
Finally, a question: is Dual WAN working properly without AdGuard Home? Because if not, it has little to do with AdGuard Home then I guess.
Thank you for these suggestions! I will try them and report back. Dual-WAN without AdGuard is working properly, so it's only when AdGuard is installed, that I start facing issues.
And when you say you lose "internet access", does "ping 1.1.1.1" for example still work? I'm trying to understand if it's only DNS not working.
Is AGH compatible with OPNsense 24.7.3?
Quote from: jcsp101 on September 03, 2024, 12:10:34 AM
Is AGH compatible with OPNsense 24.7.3?
I can confirm it works, BUT I can't see the update button, how do I update it then?
Tia.
Quote from: yeraycito on April 05, 2021, 01:11:31 AM
Many of the lists I have posted block most of Google's telemetry and spying but not all of it. More can be done.
Adguard - Filters - Custom filtering rules - add:
||dnsotls-ds.metric.gstatic.com^
||encrypted-tbn0.gstatic.com^
||encrypted-tbn2.gstatic.com^
||mtalk.google.com^
||metric.gstatic.com^
||chart.apis.google.com^
||cse.google.com^
||encrypted-tbn1.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||aa.google.com^
||encrypted-tbn3.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||addons-pa.clients6.google.com^
||apis.google.com^
||0.client-channel.google.com^
||clients2.google.com^
Result after applying the rules:
- Google searches: OK
- Gmail: OK
- Youtube: OK
- Instagram: OK
- Android: OK
- Playstore: OK
I had to omit some of these from my custom filter rules because they messed up my daughter's Google Classroom:
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||apis.google.com^
Please update this list or indicate this.
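To see exactly which hostnames a list like the one above catches before pasting it into production, here is an added example that is not from the thread: a Python matcher for the `||domain^` rule form used in that list (which blocks the domain and every subdomain under it) and for AdGuard's `@@||domain^` exception form, which takes priority over a block rule. It deliberately supports only those two forms, not AGH's wildcard, regex or modifier syntax. `redundant_rules` reports block rules already covered by a broader rule in the same list; the hostnames in the tests are constructed from the list posted above.

```python
"""Match hostnames against AdGuard-style ||domain^ block rules and @@||domain^ exceptions."""


def parse_rule(rule: str) -> tuple:
    """Return (is_exception, domain) for a ||domain^ or @@||domain^ rule; reject anything else."""
    rule = rule.strip()
    exception = rule.startswith("@@")
    core = rule[2:] if exception else rule
    if not (core.startswith("||") and core.endswith("^")):
        raise ValueError(f"unsupported rule form: {rule}")
    return exception, core[2:-1].lower().rstrip(".")


def _matches(host: str, domain: str) -> bool:
    """||domain^ matches the domain itself and any subdomain, never a lookalike suffix."""
    return host == domain or host.endswith("." + domain)


def is_blocked(hostname: str, rules: list):
    """Return the block rule that catches `hostname`, or None if allowed (or excepted)."""
    host = hostname.lower().rstrip(".")
    hit = None
    for rule in rules:
        exception, domain = parse_rule(rule)
        if not _matches(host, domain):
            continue
        if exception:
            return None   # an @@ exception overrides any matching block rule
        hit = hit or rule
    return hit


def redundant_rules(rules: list) -> list:
    """Block rules whose domain is already covered by a broader block rule in the same list."""
    blocks = [(r, parse_rule(r)[1]) for r in rules if not parse_rule(r)[0]]
    return [r for r, d in blocks if any(d != other and _matches(d, other) for _, other in blocks)]


def classify(hostnames: list, rules: list) -> dict:
    """Map each hostname to the rule that blocks it (None when it resolves normally)."""
    return {h: is_blocked(h, rules) for h in hostnames}


if __name__ == "__main__":
    sample_rules = ["||dnsotls-ds.metric.gstatic.com^", "||metric.gstatic.com^", "||www.gstatic.com^"]
    print(classify(["www.gstatic.com", "fonts.gstatic.com", "dnsotls-ds.metric.gstatic.com"], sample_rules))
    print("redundant:", redundant_rules(sample_rules))
```

Running `classify` over the hostnames a site actually needs (taken from the AdGuard Home query log) is a quicker way to find the rule that broke something than removing entries one at a time.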
Opnsense 24.7.4 Installation:
1 - Activate mimugmail's community repository:
SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
2 - Install AdGuardHome ( os-adguardhome-maxit ) from System - Firmware - Plugins
3 - Opnsense: System - Settings - General:
- DNS Servers: all empty
- Allow DNS server list to be overridden by DHCP/PPP on WAN: unchecked
- Do not use the local DNS service as a nameserver for this system: unchecked
4 - Disable Unbound
5 - Activate and start AdGuardHome from Services - AdGuardHome - General ( Primary DNS checked )
6 - Navigate to http://your.opnsense:3000/ to complete the setup
7 - In Adguard Home - Settings - DNS settings - Upstream DNS Servers: Set the desired servers ( 1.1.1.1, 8.8.8.8 etc ):
tls://1.1.1.1
tls://1.0.0.1
https://odoh.cloudflare-dns.com/dns-query
quic://dns0.eu
8 - In Adguard Home - Settings - DNS settings - Bootstrap DNS servers:
1.1.1.1
1.0.0.1
193.110.81.0
185.253.5.0
@yeraycito - do you know why the update button (which should be in the bottom left corner) is missing?
Quote from: hushcoden on September 18, 2024, 05:18:38 PM
@yeraycito - do you know why the update button (which should be in the bottom left corner) is missing?
If I get it, try accessing it with another browser or check your cookies.
Quote from: yeraycito on September 18, 2024, 03:51:22 PM
Opnsense 24.7.4 Installation:
1 - Activate mimugmail's community repository:
SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
2 - Install AdGuardHome ( os-adguardhome-maxit ) from System - Firmware - Plugins
3 - Opnsense: System - Settings - General:
- DNS Servers: all empty
- Allow DNS server list to be overridden by DHCP/PPP on WAN: unchecked
- Do not use the local DNS service as a nameserver for this system: unchecked
4 - Disable Unbound
5 - Activate and start AdGuardHome from Services - AdGuardHome - General ( Primary DNS checked )
6 - Navigate to http://your.opnsense:3000/ to complete the setup
7 - In Adguard Home - Settings - DNS settings - Upstream DNS Servers: Set the desired servers ( 1.1.1.1, 8.8.8.8 etc ):
tls://1.1.1.1
tls://1.0.0.1
https://odoh.cloudflare-dns.com/dns-query
quic://dns0.eu
8 - In Adguard Home - Settings - DNS settings - Bootstrap DNS servers:
1.1.1.1
1.0.0.1
193.110.81.0
185.253.5.0
I like this configuration approach of having AdGuard Home handling all things DNS on default port 53 and disabling Unbound DNS; it's cleaner and has no redirects.
1.- Is there an advantage of keeping Unbound DNS enabled and being the man-in-the-middle?
2.- Is there a disadvantage of disabling Unbound DNS and using ONLY AdGuard Home?
Thanks
I prefer maintaining my local overrides in Unbound. Also I do not want to use public recursive upstream servers. So port forwarding where applicable --> AGH --> Unbound. Server networks go directly to Unbound. Block DNS and DoT to anything but local firewall, add DoH blocklist to AGH.
Hi, I've got an issue where every device in my network can resolve DNS, but the OPNsense system itself can't, meaning it's not possible to check for updates, also DNS lookups don't work. The setup consists of Unbound DNS being the upstream of Adguard.
I've followed the usual guides present in this thread (the two DNS server options checkboxes are unticked in System->Settings->General, no DNS servers are present there, Unbound is set to run on port 5353 and so on).
What's weird is that if I just enter a public DNS (like 8.8.8.8) in System->Settings->General, the OPNsense system itself can suddenly resolve all DNS queries. I'd like it to use at least Unbound as well though.
Could anyone possibly help me with this?
Quote from: Tabascl on September 27, 2024, 01:26:52 AM
Hi, I've got an issue where every device in my network can resolve DNS, but the OPNsense system itself can't, meaning it's not possible to check for updates, also DNS lookups don't work. The setup consists of Unbound DNS being the upstream of Adguard.
I've followed the usual guides present in this thread (the two DNS server options checkboxes are unticked in System->Settings->General, no DNS servers are present there, Unbound is set to run on port 5353 and so on).
What's weird is that if I just enter a public DNS (like 8.8.8.8) in System->Settings->General, the OPNsense system itself can suddenly resolve all DNS queries. I'd like it to use at least Unbound as well though.
Could anyone possibly help me with this?
You have to add localhost (127.0.0.1) to the /usr/local/AdGuardHome/AdGuardHome.yaml in the following section:
dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.1.1    # whatever the OPNsense address is
  port: 53
After that, restart the AdGuardHome service from the OPNsense console.
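To check that block before restarting the service, here is an added example that is not from the thread or from AdGuard Home itself: a deliberately minimal line-based reader for just `dns.bind_hosts` and `dns.port` in AdGuardHome.yaml (so it runs without PyYAML), plus an audit for the symptom in the post above, where LAN clients resolve fine but the firewall's own lookups fail. The sample config and the router address are constructed; a real run would read the file with `open("/usr/local/AdGuardHome/AdGuardHome.yaml").read()`.

```python
"""Audit dns.bind_hosts / dns.port in AdGuardHome.yaml for the 'firewall cannot resolve' symptom."""
import re

# Constructed sample: AGH bound only to the LAN address, which is the broken state described above.
SAMPLE_YAML = """\
http:
  address: 0.0.0.0:3000
dns:
  bind_hosts:
    - 192.168.1.1
  port: 53
  upstream_dns:
    - 127.0.0.1:5353
filtering:
  protection_enabled: true
"""


def read_dns_section(text: str) -> dict:
    """Return {'bind_hosts': [...], 'port': int or None} from the top-level dns: block only."""
    bind_hosts, port = [], None
    in_dns = in_bind = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if indent == 0:                          # a new top-level key
            in_dns = body == "dns:"
            in_bind = False
            continue
        if not in_dns:
            continue
        if in_bind and body.startswith("- "):    # list item under bind_hosts
            bind_hosts.append(body[2:].strip().strip("'\""))
            continue
        if indent == 2:                          # a key directly under dns:
            in_bind = body == "bind_hosts:"
            m = re.match(r"port:\s*(\d+)$", body)
            if m:
                port = int(m.group(1))
    return {"bind_hosts": bind_hosts, "port": port}


def audit(cfg: dict, router_ips: list) -> list:
    """Findings for the layout in this thread: AGH must be reachable on 53 by clients AND by localhost."""
    findings = []
    hosts = set(cfg["bind_hosts"])
    wildcard = bool(hosts & {"0.0.0.0", "::"})   # a wildcard bind already covers every address
    if cfg["port"] != 53:
        findings.append(f"dns.port is {cfg['port']}; clients expect 53")
    if not wildcard and "127.0.0.1" not in hosts:
        findings.append("127.0.0.1 missing from bind_hosts: OPNsense's own lookups (updates, etc.) will fail")
    for ip in router_ips:
        if not wildcard and ip not in hosts:
            findings.append(f"{ip} missing from bind_hosts: clients on that interface cannot reach AGH")
    return findings


if __name__ == "__main__":
    cfg = read_dns_section(SAMPLE_YAML)
    for finding in audit(cfg, ["192.168.1.1"]) or ["no findings"]:
        print(finding)
```

Pass every interface address that hands out DHCP (LAN, each VLAN) as `router_ips`; a `0.0.0.0` bind passes the audit trivially, but remember the firewall must then block port 53 on WAN.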
Do you guys use the unbound dns as well besides the Adguard homes one? If so: Why?
I made the experience that AdGuard stopped working when internet was down (not even resolving local DNS) and that having unbound as upstream DNS worked around this issue.
I still run it like this, but that was a while back.
There's also a whole debate about using a recursive DNS resolver vs. using a DNS client.
1/ AdGuard is a simple DNS client to whatever is upstream (you can configure Cloudflare DNS, Google DNS, etc.).
Con: whatever is configured upstream sees every single DNS query you make
Pro: DNS lookups are all encrypted (if you configure it) – but this is of limited use until all your connections are made with QUIC, as the full domain is still transmitted in clear text (I believe it's the SNI) for every TLS handshake.
2/ Unbound is a recursive DNS resolver, meaning, it will talk to multiple different DNS servers, depending on what you are trying to resolve. For example, if attempting to resolve "example.com", it will talk to the authoritative server for ".com" and ask "who is authoritative for example.com". And so on.
Con: not all DNS servers out there support DNS over HTTPS/TLS/QUIC, resulting in plain text DNS lookups.
Pro: there is no single entity seeing all your DNS lookups.
My view is that 2/ is what will be the best method in the long term, as DNS over QUIC and QUIC in general gain popularity. But as of today, YMMV.
I use unbound for reverse DNS and if ADGuard fails it's a quick change to get it working as the primary until I can fix ADGuard. Tbh though that's only happened once.
Been using this happily for years, have just now upgraded to 24.7 and the adguard service doesn't start even after an additional reboot. Have tried via command line and all but nada
root@OPNsense:/usr/local/etc/rc.d # ./adguardhome start
Starting adguardhome.
root@OPNsense:/usr/local/etc/rc.d # ./adguardhome status
adguardhome is not running.
I don't see a log file so as to help troubleshoot whats going on, so is there a recommended way to tackle this other than uninstall and then reinstall the package and hope for the best?
Edit: Backed up the yaml file, uninstalled the package, reinstalled it, restored the yaml file, but still the service doesn't start. WIthout some sort of log file I've no idea. I can see the version installed is 1.12, and the Opnsense version is 24.7.9_1
Edit2: In case anyone else runs into this, some additional googling led me to https://forum.opnsense.org/index.php?topic=41610.0 and that starting the application directly rather than via the startup script gives information as to why it fails on startup. In my case it was dropbox rather than yy it had an issue with. Deleting that line from the yaml file, and restarting the service works and I can access the WebUI again. Only slight downside is the lack of stats as they were deleted during the uninstall/reinstall of the package, but I can live with that.
Hi guys,
I'm running into a DNS-related problem with one of my WAN interfaces and wanted to check if this is how AdGuard is supposed to be listening on port 53:
root@OPNsense:/usr/local/AdGuardHome # sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
dhcpd dhcpd 42496 13 udp4 *:67 *:*
unbound unbound 30726 7 udp4 *:5353 *:*
unbound unbound 30726 8 tcp4 *:5353 *:*
unbound unbound 30726 11 udp4 *:5353 *:*
unbound unbound 30726 12 tcp4 *:5353 *:*
unbound unbound 30726 15 udp4 *:5353 *:*
unbound unbound 30726 16 tcp4 *:5353 *:*
unbound unbound 30726 17 tcp4 127.0.0.1:953 *:*
root eastpect 56118 15 udp4 *:* *:*
root eastpect 56118 17 udp4 *:* *:*
root AdGuardHom 13351 110 udp46 *:53 *:*
root AdGuardHom 13351 111 tcp46 *:53 *:*
root AdGuardHom 13351 112 tcp46 *:3000 *:*
These are the only 2 instances of AdGuard listening on port 53, but as you can see, isn't udp/tcp46 IPv6?
I use AdGuard only on the LAN bridge intf, not on the WAN, but I do use IPv6 as well and I do not see udp46 and tcp46, only udp4, tcp4, udp6 and tcp6. According to my search-fu, udp46 is a socket that can handle both IPv4 and IPv6. Didn't even know that existed...
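For anyone checking the same thing on their own box, here is an added helper (my own example, not from the thread or from AdGuard) that parses sockstat -l output and reports what owns the DNS port. The SAMPLE text is constructed from the listing in the post above; it is not a live capture. The report flags the two things worth looking at in this situation: whether more than one daemon is bound to port 53 (one of them will lose), and whether the bind is a wildcard "*" (reachable on every interface, WAN included, unless firewall rules say otherwise). A "46" protocol suffix is a single dual-stack socket serving both address families.

```python
# Added example, not code from the thread or from AdGuard: parse `sockstat -l`
# style output and summarise who is bound to the DNS port.
import re
from dataclasses import dataclass

# Constructed sample modelled on the listing in the post above (not a live capture).
SAMPLE = """\
USER     COMMAND    PID   FD  PROTO LOCAL ADDRESS    FOREIGN ADDRESS
dhcpd    dhcpd      42496 13  udp4  *:67             *:*
unbound  unbound    30726 7   udp4  *:5353           *:*
unbound  unbound    30726 8   tcp4  *:5353           *:*
unbound  unbound    30726 11  udp4  *:5353           *:*
unbound  unbound    30726 12  tcp4  *:5353           *:*
unbound  unbound    30726 15  udp4  *:5353           *:*
unbound  unbound    30726 16  tcp4  *:5353           *:*
unbound  unbound    30726 17  tcp4  127.0.0.1:953    *:*
root     AdGuardHom 13351 110 udp46 *:53             *:*
root     AdGuardHom 13351 111 tcp46 *:53             *:*
root     AdGuardHom 13351 112 tcp46 *:3000           *:*
"""


@dataclass
class Listener:
    user: str
    command: str
    pid: int
    proto: str      # e.g. udp4, tcp46
    family: str     # IPv4, IPv6 or IPv4+IPv6
    address: str    # "*" = every address on every interface
    port: int


def family_of(proto):
    """Map the numeric suffix of a sockstat PROTO column to an address family."""
    suffix = re.sub(r"^[a-z]+", "", proto)
    return {"4": "IPv4", "6": "IPv6", "46": "IPv4+IPv6"}.get(suffix, "unknown")


def parse_sockstat(text):
    """Parse listening sockets; the header row and unparsable lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        address, port = local.rsplit(":", 1)   # rsplit copes with IPv6 literals
        if not port.isdigit():
            continue
        listeners.append(Listener(user, command, int(pid), proto,
                                  family_of(proto), address, int(port)))
    return listeners


def listeners_on(text, port):
    return [l for l in parse_sockstat(text) if l.port == port]


def dns_port_report(text, port=53):
    """Summarise who owns the DNS port and how the sockets are bound."""
    on_port = listeners_on(text, port)
    commands = sorted({l.command for l in on_port})
    return {
        "commands": commands,
        "conflict": len(commands) > 1,   # two daemons on one port: one will lose
        "wildcard_bind": any(l.address == "*" for l in on_port),
        "dual_stack": any(l.family == "IPv4+IPv6" for l in on_port),
        "protocols": sorted(l.proto for l in on_port),
    }


if __name__ == "__main__":
    for key, value in dns_port_report(SAMPLE).items():
        print(f"{key:14} {value}")
```

To use it on a real system, feed it the output of sockstat -l (or sockstat -4 -l as in the post) instead of SAMPLE; the parser only relies on the column order, not on the spacing.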
Long time lurker. First time Poster.
Quote from: yeraycito on September 18, 2024, 03:51:22 PM
Opnsense 24.7.4 Installation:
1 - Activate mimugmail's community repository:
185.253.5.0
Thanks for this awesome instruction. AdGuard Home working on my first-time OPNsense install; previously rocked an EdgeRouter 4 for almost a decade before I made the jump to +1Gig home internet.
Question: What do I have to do to set up masquerade / NAT rules to supplement this AdGuard install for "rogue" devices on my network that have hardcoded DNS lookups? Is there a link? All the reddit posts seem to be contradictory to this working instruction here. For EdgeRouter, I had to create a NAT rule that anything trying to look up ANY IP address port:53 would get forced to the router lookup. It was shocking to me just how many devices were doing this. I also don't care about "tricking" these devices into thinking it made it through. Is this thread still the right way? https://forum.opnsense.org/index.php?topic=9245.75 Roku can go forth and multiply if it can't DoH as far as I am concerned.
Sorry if this is a dumb question, but with Unbound DNS disabled, I am unsure if NAT / dnsmasq rules are required for this software.
Hope this makes sense.
Hi,
unfortunately, I only have an apu2 board in the OPNsense and I have the feeling that the OPNsense is somewhat overwhelmed with AdGuard and the following lists. The response time is getting worse and worse - especially at heise.de the page load feels slow.
I use: HaGeZi's Pro Blocklist, uBlock₀ filters – Badware risks and Perflyst and Dandelion Sprout's Smart TV Blocklist.
Would it make more sense to set up a Raspberry Pi with AdGuard, or could there be other reasons for the drop in performance?