OPNsense Forum

English Forums => Documentation and Translation => Topic started by: N0_Klu3 on March 19, 2021, 10:54:50 pm

Title: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 10:54:50 pm
So I've been looking around and been unable to get a good AdGuard or PiHole setup.

I figured it out, and it seems to be working well, so I'm writing this for mainly my own future reference.

--------------------
Setup for a physical AdGuard (Raspberry Pi or something)

I installed AdGuard Home on a Raspberry Pi with the IP 10.0.0.12.
Settings -> DNS Settings
Choose and configure your desired setup.

On OPNsense:
System -> General Setup
Set '10.0.0.12' as DNS server
Tick: Do not use the local DNS service as the only nameserver for this system

Optional, but recommended:
Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Code:
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 10.0.0.12
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

Unbound -> Untick 'Enable Unbound'. (So it's turned off)
Or you can follow the steps below to use a router_ip:5353 to loopback to OPNsense unbound as a backup.

I also found that I had to add the DNS specifically on each DHCP interface.
Mainly if you removed all DNS servers from System -> General Setup. I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: 10.0.0.12

If you have VLANs or other LANs you may need to do some Firewall rules to allow traffic through to the DNS server IP on Port 53 (DNS)

That is pretty much it.

--------------------
Setup for using AdGuard via the OPNsense community repo

Firstly install the Community repo from: https://www.routerperformance.net/opnsense-repo/
Then install AdGuard Home via Plugins.

Navigate to router_ip:3000 to setup AdGuard.
I set Admin interface to my main LAN as the only listen interface and via port 81 (OPNsense uses port 80 and 443 so select something other than this for AdGuard listen port and if you configure AdGuard's SSL settings)

DNS Server listen interface select 'All' on Port 53.

Setup DNS as you would like it with your own providers.
Settings -> DNS settings -> Bootstrap DNS servers -> Add router_ip:5353

On OPNsense:
System -> General Setup
Set '8.8.8.8' as DNS server (Or whatever DNS you would like as a backup, if you only want AdGuard you can remove all DNS servers from this list and leave it blank)
Untick: Do not use the local DNS service as a nameserver for this system
This way by default OPNsense will use itself (127.0.0.1) as the resolver which we want.

Services -> Unbound DNS -> General
Enable Unbound (it could be disabled if you'd prefer, then remove the Bootstrap DNS setup as above)
Add port 5353 (instead of default 53)
Only select: 'Register DHCP leases' & 'Register DHCP static mappings'

Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Code:
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

If you have multiple VLANs or LANs then duplicate the rule and change it to the relevant Interface and address.

I also found that I had to add the DNS specifically on each DHCP interface.
Mainly if you removed all DNS servers from System -> General Setup. I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: router_ip

And the same for any VLANs, just set the router IP for each VLAN.
eg. 192.168.107.1 is my IoT VLAN

That should pretty much do it.

--------------------

Please let me know if you see any tweaks or better settings that you think can improve this, I'm more than happy to improve this and make this into a good guide.

*NOTE* I did find that running AdGuard via the OPNsense router lowered the processing time by more than half.
9ms via router setup, compared to around 45ms via Raspberry Pi 3B+
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 19, 2021, 10:56:37 pm
Why don't you install AdGuardHome on your OPNsense? Which was precisely the point in that other thread?
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 11:04:26 pm
Because there is no clear guide on how to set it up!
Also sometimes people want to use a physical device for this.

Like I say. I’m happy to update and include the AdGuard install on OPNsense but until I can get a good guide I just cannot.
If you can give me your setup and how you made it work I’ll test it out tomorrow and can add that to this guide too.
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 19, 2021, 11:11:53 pm
I did a write up in that other thread.

1. Activate mimugmail's community repository
2. Install AdGuardHome from System --> Firmware --> Plugins
3. Change your primary DNS server on OPNsense to use e.g. 127.0.0.1:53530 only
4. Activate and start AdGuardHome from Services --> AdGuardHome
5. Navigate to http://your.opnsense:3000/ to complete the setup
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 11:17:14 pm
Do you not need to change AdGuard to use different ports upon setup?
So that it doesn’t affect OPNsense on port 80 and 443?

How do you specify port 53530 unless you mean change Unbound's port?
Or on General DNS you can specify 127.0.0.1:53530? Wasn’t aware you can use : to specify a port there.

Do you do anything with your unbound?
Are there any specific benefits to doing it all in one box?

And thanks I’ll test it tomorrow.
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 19, 2021, 11:22:38 pm
I meant make your Unbound listen to 127.0.0.1:53530. I use BIND, so - sorry - I cannot show you a screenshot. I am just assuming that just as with BIND you can change the listen interface and port for Unbound too. If that is not the case, I am sorry.

You need to do that so AdGuardHome can listen on all interfaces port 53 so clients can use it. Then in AdGuardHome use this dialog to configure the upstream resolver (see screenshot).

To adjust the listen addresses of AdGuardHome itself you need to ssh to your OPNsense and edit the config file at /usr/local/AdGuardHome/AdGuardHome.yaml:
Code:
bind_host: 0.0.0.0
bind_port: 3000
[...]
dns:
  bind_host: 0.0.0.0
  port: 53
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 11:35:52 pm
Thanks if I can figure it out I’ll test it tomorrow.
I feel like my way just works and works far simpler.

Is there any benefit other than having 2 devices in one doing it your way?
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 19, 2021, 11:48:11 pm
I would not want another box just for a single application that works perfectly on my already present OPNsense.
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 11:07:26 am
Do I need to Listen on all interfaces for DNS Server?
As it has my WAN IP in there too.

I have LAN, and 2x VLANS so there are a lot of connections there.
I also changed the Admin to use port 81.

Like this:
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 08:00:33 pm
@pmhausen
Take a look at my edits and addition of AdGuard via Community Repo.
Let me know what you think or if any of it needs changing/addition.
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 20, 2021, 08:06:13 pm
Of course you don't need to activate it on WAN, sorry.
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 08:27:58 pm
Yup problem is as I have more than 1x LAN I could not manually select my LANs/VLANs.
It was all or 1. Unless I missed something there.
So I just selected All
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 20, 2021, 08:40:05 pm
Well, even if it is listening on WAN your firewall rules should prevent access, right?
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 10:30:30 pm
Yup should drop all traffic from WAN by default
Title: Re: AdGuard Home setup guide
Post by: ekke on March 25, 2021, 09:34:48 am
AdGuard seems to be amazing! Really slick interface and useful features!
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 28, 2021, 10:21:02 am
Yeah, and I find it works much quicker especially vs PiHole or external DNS
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 04, 2021, 08:16:42 pm
Opnsense 21.1.4 Installation:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Navigate to http://your.opnsense:3000/ to complete the setup

5 - In Adguard Home - DNS Configuration - Upstream Servers:   Set the desired servers ( 1.1.1.1,   8.8.8.8     etc )

6 - In Opnsense disable Unbound. In case you want to use it leave it activated by changing the port to 5353 and in Adguard Home - DNS Configuration - Upstream Servers  add router_ip:5353

 - It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General

 - No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

 - No need to set dns servers to DHCP

DNS over HTTPS - DNS over TLS:

Option 1:

 - In Opnsense - Unbound - Miscellaneous   set the desired dns servers 1.1.1.1@853     8.8.8.8@853

 - Activate Unbound on port 5353

 - In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

Option 2 ( Unbound disabled ): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption


Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 04, 2021, 10:34:51 pm
Recommended DNS blocklists: 1Hosts (Pro) - Goodbye Ads - Energized Ultimate - Lightswitch05 - Steven Black - oisd

Installation in Adguard: Filters - DNS blocklist - Add blocking list - Add custom list

 - https://hosts.netlify.app/Pro/adblock.txt

 - https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt

 - https://block.energized.pro/ultimate/formats/hosts.txt

 - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt

 - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

 - https://hosts.oisd.nl/

Extra. in Adguard: Filters - DNS blocklist - Add blocking list  - Choose from the list:

 - Perflyst's Smart-TV Blocklist
Title: Re: AdGuard Home setup guide
Post by: pmhausen on April 04, 2021, 10:56:14 pm
@yeraycito thanks for those lists. Which criteria did you apply when picking them?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 04, 2021, 11:48:34 pm
Unlike the ones Adguard comes with, these are much more complete. Each of them includes many other lists. They are the most complete I have found. If you put these in, you don't need any more.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 05, 2021, 01:11:31 am
Many of the lists I have posted block most of Google's telemetry and spying but not all of it. More can be done.

Adguard - Filters - Custom filtering rules - add:

||dnsotls-ds.metric.gstatic.com^ 
||encrypted-tbn0.gstatic.com^
||encrypted-tbn2.gstatic.com^
||mtalk.google.com^
||metric.gstatic.com^
||chart.apis.google.com^
||cse.google.com^
||encrypted-tbn1.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||aa.google.com^
||encrypted-tbn3.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||addons-pa.clients6.google.com^
||apis.google.com^
||0.client-channel.google.com^
||clients2.google.com^

Result after applying the rules:

 - Google searches: OK

 - Gmail: OK

 - Youtube: OK

 - Instagram: OK

 - Android: OK

 - Playstore: OK
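
How the ||domain^ rules above match hostnames, as an added example that is not part of the original post: a || rule covers the named domain and all of its subdomains, so a rule list can be checked for entries already implied by a broader rule and against hostnames that must stay reachable. The `required` hostnames in the sample call are constructed, and only the ||domain^ rule form is handled.

```python
# Custom filtering rules copied from the post above.
PAGE_RULES = """
||dnsotls-ds.metric.gstatic.com^
||encrypted-tbn0.gstatic.com^
||encrypted-tbn2.gstatic.com^
||mtalk.google.com^
||metric.gstatic.com^
||chart.apis.google.com^
||cse.google.com^
||encrypted-tbn1.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||aa.google.com^
||encrypted-tbn3.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||addons-pa.clients6.google.com^
||apis.google.com^
||0.client-channel.google.com^
||clients2.google.com^
"""


def parse_rules(text):
    """Return the domains of all '||domain^' lines; other rule kinds are skipped."""
    domains = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("||") and line.endswith("^"):
            domains.append(line[2:-1].lower().rstrip("."))
    return domains


def covers(rule_domain, host):
    """True if a '||rule_domain^' rule matches host (the domain itself or a subdomain)."""
    host = host.lower().rstrip(".")
    return host == rule_domain or host.endswith("." + rule_domain)


def blocking_rule(domains, host):
    """Return the first rule domain that blocks host, or None if none does."""
    for domain in domains:
        if covers(domain, host):
            return domain
    return None


def redundant_rules(domains):
    """Map each rule that a broader rule in the same list already implies to that rule."""
    implied = {}
    for narrow in domains:
        for broad in domains:
            if broad != narrow and covers(broad, narrow):
                implied[narrow] = broad
    return implied


def audit(domains, required_hosts):
    """Return {host: rule} for every required host that the rule list would block."""
    hits = {}
    for host in required_hosts:
        rule = blocking_rule(domains, host)
        if rule is not None:
            hits[host] = rule
    return hits


if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    for narrow, broad in redundant_rules(rules).items():
        print(f"||{narrow}^ is already covered by ||{broad}^")
    # Constructed list of hostnames a household might need to keep working.
    required = ["fonts.gstatic.com", "www.google.com", "play.google.com"]
    for host, rule in audit(rules, required).items():
        print(f"{host} would be blocked by ||{rule}^")
```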

Title: Re: AdGuard Home setup guide
Post by: Jaxon on April 12, 2021, 10:59:42 pm
@yeraycito

Just a shout out to say thanks for your contributions to this thread. I found them very useful, and have Unbound / AdGuard working well together. Ads are gone, DNS lookups are resolving quickly. Your suggested blocklists are awesome!

That said, I'm still a little (embarrassingly) confused about something. That is, getting the LAN reverse lookups to function. Below I'll show one setup where the reverse lookups actually do resolve, but upstream DNS resolver ends up being one of my two ISPs, and a second where upstream resolver is cloudflare, but then the reverse lookups stop working.

I have the following OPNSense Configuration:
Dual WAN, two gateway setup (might not be relevant to the discussion)

System/Settings/General:
 - DNS Servers: all empty

Services/Unbound DNS/General:
 - port: 5353
 - DNSSEC: enabled
 - DHCP Registration: enabled
 - DHCP Static Mappings: enabled
 - Local Zone Type: transparent


AdGuard Settings:

1) With this setup, reverse lookups function. That is, inside AdGuard's Top Clients, I can see host names are resolving. However, upstream DNS server is my ISP's DNS server.

Adguard/DNS Settings:
127.0.0.1:5353

Bootstrap DNS servers:
127.0.0.1:5353
9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10


2) Now, if I change the following, I get the reverse behaviour. Inside AdGuard's Top Clients, I can see only IPs (no host names), but upstream DNS is now showing up as 108.162.218.241 (Cloudflare).

Adguard/DNS Settings:
127.0.0.1:5353
1.1.1.1
1.0.0.1


I've also experimented with a few things to no avail, like:

[/168.192.in-addr.arpa/]127.0.0.1:5353

[/168.192.in-addr.arpa/]127.0.0.1

[/168.192.in-addr.arpa/]192.168.0.1:5353

[/168.192.in-addr.arpa/]192.168.0.1



Do you have any suggestions what I might be doing wrong?





Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 07:36:06 pm
Hello, for the dns not to be those of your isp you have to put one in unbound. To resolve the hostnames you can add them better in the Adguard configuration.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 07:38:09 pm
My settings:

System/Settings/General:
 - DNS Servers: all empty
 - Do not use the local DNS service as a nameserver for this system: checked

Services/Unbound DNS/General:
 - port: 5353
 - DNSSEC: enabled
 - DHCP Registration: disabled
 - DHCP Static Mappings: disabled
 - Local Zone Type: transparent

Unbound DNS - Miscellaneous - DNS over TLS Servers:  1.1.1.1@853      1.0.0.1@853

In Adguard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353

In Adguard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353

In Adguard Home - configuration - clients configuration - add client:  Add ip and hostname
 
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 08:50:53 pm
A good complement is also to use NextDns dns servers.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 08:51:30 pm
They are just as fast as Cloudflare's but add more protection and the ability to add blocklists.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 09:04:18 pm
Installation:

Let's go to https://nextdns.io/ and register for free. Once registered you are given a personalised ID and dns.

Opnsense installation:

 - Follow the tutorial explained above for Adguard.

 - Unbound - General - Custom Options: add (XXXXXX is a custom ID in NextDns)

# CA bundle used to verify the upstream servers' TLS certificates
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
# Forward every query over TLS; the name after '#' is checked against the certificate
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
Title: Re: AdGuard Home setup guide
Post by: Dimi3 on April 19, 2021, 06:44:56 pm
I installed adguard plugin...everything seems to be working ok...only under plugins the adguard is marked as misconfigured? Why is that?

Title: Re: AdGuard Home setup guide
Post by: wirehire on April 20, 2021, 12:38:45 pm
Hello,

Where can I find the log file? In /var/log I found no adguard file.

Thanks
Title: Re: AdGuard Home setup guide
Post by: Spritzup on April 20, 2021, 03:54:49 pm
Transfer from PiHole (running on a Pi) to AdGuard on OPNSense went flawlessly.  By using a virtual IP for AdGuard, I didn't even need to change any of my preconfigured rules, which was nice.  I had allocated myself a few hours to get this done, and it ended up taking less than 15 minutes :)

Question though.  One of the "optimizations" that is sometimes recommended when using PiHole in conjunction with Unbound is to disable DNS caching on the pi-hole, so that all DNS lookup is handled by Unbound.  Would this provide any benefit with AdGuard?

Thanks!

EDIT - So an oddity. Using a virtual IP, it showed no port conflicts using Port 80 or Port 53, and everything worked great for a day. Today I decided to tweak some unbound settings and had to restart the service... and it wouldn't start due to a port conflict. Any ideas?

~Spritz
Title: Re: AdGuard Home setup guide
Post by: beclar2 on April 25, 2021, 10:32:13 am
Hi folks,

has anyone tried to set up Adguard WebGUI using https with the same cert that OPNsense's WebGUI uses?

Thank you very much
Beclar
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 25, 2021, 06:45:38 pm
Adguard + wireguard in Opnsense ( solved ):

https://forum.opnsense.org/index.php?topic=22409.0
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on April 26, 2021, 11:14:20 am
My settings:

System/Settings/General:
 - DNS Servers: all empty
 - Do not use the local DNS service as a nameserver for this system: checked

Services/Unbound DNS/General:
 - port: 5353
 - DNSSEC: enabled
 - DHCP Registration: disabled
 - DHCP Static Mappings: disabled
 - Local Zone Type: transparent

Unbound DNS - Miscellaneous - DNS over TLS Servers:  1.1.1.1@853      1.0.0.1@853

In Adguard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353

In Adguard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353

In Adguard Home - configuration - clients configuration - add client:  Add ip and hostname

With this way, if you have multiple VLANs or different IPs do you need to include all the IPs into upstream and bootstrap DNS servers?

IE: 192.168.1.1:5353
192.168.200.1:5353

And so on?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 26, 2021, 02:25:58 pm
It is not necessary, just set the opnsense ip. Adguard listens for dns connections on all opnsense interfaces. It then passes them to the opnsense ip. Unbound is listening there.
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on April 26, 2021, 03:52:46 pm
Ok cheers will mess with it this week and update the main page with some updates.
Thanks for your efforts.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 26, 2021, 08:33:16 pm
In this post I previously put up some blocking lists for Adguard. There are two of them that are very complete: 1Host (Pro) and Energized Ultimate. They are so comprehensive that in some cases they block too much. If this is the case I recommend you to change them for 1Host (lite) and Energized Basic. These two lists are still very comprehensive. There are also smaller versions of these two lists, these are the intermediate ones.

 - https://badmojr.github.io/1Hosts/Lite/adblock.txt

 - https://block.energized.pro/basic/formats/hosts.txt




Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on April 28, 2021, 09:23:19 am
Yup I already use Energized Pro list and only that list myself :)
Title: Re: AdGuard Home setup guide
Post by: Superduke on May 03, 2021, 02:52:14 pm
I'm sorry for my ignorance, but is this setup using the DNS over TLS function in Unbound?  It appears yes.

If it is, why use that when you can use Unbound by itself for DNS resolving?  I thought the point of using Unbound was to not have to worry about DNS lookups from companies like Cloudflare??

Thanks in advance!

Opnsense 21.1.4 Installation:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Navigate to http://your.opnsense:3000/ to complete the setup

5 - In Adguard Home - DNS Configuration - Upstream Servers:   Set the desired servers ( 1.1.1.1,   8.8.8.8     etc )

6 - In Opnsense disable Unbound. In case you want to use it leave it activated by changing the port to 5353 and in Adguard Home - DNS Configuration - Upstream Servers  add router_ip:5353

 - It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General

 - No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

 - No need to set dns servers to DHCP

DNS over HTTPS - DNS over TLS:

Option 1:

 - In Opnsense - Unbound - Miscellaneous   set the desired dns servers 1.1.1.1@853     8.8.8.8@853

 - Activate Unbound on port 5353

 - In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

Option 2 ( Unbound disabled ): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption
Title: Re: AdGuard Home setup guide
Post by: yodaphone on May 05, 2021, 03:13:32 pm


 - Follow the tutorial explained above for Adguard.

 

Do we need both? Can one not configure just NextDNS without AdGurad?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on May 05, 2021, 03:27:49 pm
If you want to use only NextDNS:

- Unbound - General - Custom Options: add (XXXXXX is a custom ID in NextDns)

# CA bundle used to verify the upstream servers' TLS certificates
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
# Forward every query over TLS; the name after '#' is checked against the certificate
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
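
A lint for the forward-zone posted above, as an added example (not the poster's or the Unbound project's code): according to the unbound.conf documentation, an upstream's certificate is only authenticated when CA certificates are loaded and the forward-addr carries a '#name', so the check flags forwarders that would encrypt without authenticating. WEAK_CONFIG is a constructed sample, and the parser only understands the clauses and options used on this page.

```python
# The forward-zone as posted in the thread (XXXXXX is the placeholder NextDNS ID).
PAGE_CONFIG = """
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
"""

# Constructed sample: TLS is on, but no CA bundle is set and one forwarder has no name.
WEAK_CONFIG = """
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
"""


def parse_unbound(text):
    """Minimal reader for 'server:' and 'forward-zone:' clauses (full-line comments only)."""
    server, zones, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split at the first colon only, so IPv6 forward-addr values stay intact.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "server" and not value:
            current = server
        elif key == "forward-zone" and not value:
            current = {"forward-addr": []}
            zones.append(current)
        elif current is None:
            continue
        elif key == "forward-addr":
            current.setdefault("forward-addr", []).append(value)
        else:
            current[key] = value
    return server, zones


def lint_forwarders(text):
    """Return (zone, code, detail) findings for forward-zones that are not authenticated DoT."""
    server, zones = parse_unbound(text)
    findings = []
    for zone in zones:
        name = zone.get("name", "?")
        if zone.get("forward-tls-upstream", "no") != "yes":
            findings.append((name, "plaintext", "forward-tls-upstream is not 'yes'"))
            continue
        if "tls-cert-bundle" not in server:
            findings.append((name, "no-ca-bundle", "server: has no tls-cert-bundle"))
        for addr in zone["forward-addr"]:
            _ip, _, auth_name = addr.partition("#")
            if not auth_name:
                # Without '#name' there is nothing to check the certificate against.
                findings.append((name, "no-auth-name", addr))
    return findings


if __name__ == "__main__":
    for label, config in (("page config", PAGE_CONFIG), ("weak sample", WEAK_CONFIG)):
        findings = lint_forwarders(config)
        print(label, "->", findings if findings else "no findings")
```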
Title: Re: AdGuard Home setup guide
Post by: zer0k on May 05, 2021, 10:58:00 pm
Great instructions! Thank you :)

The only issue I'm facing is getting the firewall redirect rule for dns just won't work for me.
I've tried using the "LAN address" object, and also specifying my LAN IP address and my VirtualIP's, but it just doesn't seem to want to redirect the dns traffic :(

I did notice when setting up Adguard it chose my Virtual IP, instead of my LAN address.

I feel like I'm missing something really simple, but I'm not sure what?

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable
Title: Re: AdGuard Home setup guide
Post by: pmhausen on May 05, 2021, 11:15:48 pm
Possibly related to this?

https://github.com/AdguardTeam/AdGuardHome/issues/3015
Title: Re: AdGuard Home setup guide
Post by: meazz1 on May 06, 2021, 12:08:34 am
I have a LAN that I want to use AdGuard for DNS using any family shield service. And a  VLAN to use 8.8.8.8.
Is that possible and how?
Title: Re: AdGuard Home setup guide
Post by: NV43 on May 06, 2021, 08:08:13 am
Should we be setting DNS cache size in Adguard to 0 to allow Unbound to handle caching?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on May 06, 2021, 06:38:00 pm
- It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General

- No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

Adguard listens on all default interfaces in Opnsense. This can be seen in the Adguard - Configuration Guide.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on May 06, 2021, 06:41:16 pm
I have DNS caching active on both sites and everything works fine.
Title: Re: AdGuard Home setup guide
Post by: mrancier on May 07, 2021, 03:57:24 pm
Sorry for the hijack, but just wondered if anyone has any idea of how I can solve a particular problem with my Adguard Home Plugin setup:

My LAN interface is a bridge made up of all the ports on a 4 port intel x540, and my WAN is on a different interface altogether (duh).  I can successfully install the plugin and configure it, make it the default dns server by changing the port unbound uses to 5353 and leaving AdguardHome on 53.  Problem is that first time resolution takes about 30 seconds!  I am guessing it has to do with Adguard being bound to all existing interfaces.  I tried to bind it to the bridge address editing the Adguard Yaml config file and restarting the service, but it did not solve the issue.  Unbound works fine in its place, and I have adguard running on a secondary box in lan and unbound forwarding to it, as a workaround, and that works fine.  If anyone knows how to fix that, and can share, I would appreciate it.  Just in case, bridge is built following wiki directions, including tunables, and works as expected.  I am aware of the disadvantages of bridging ports, but it is an experiment and I would like to make it work as is.

Thanks.
Title: Re: AdGuard Home setup guide
Post by: pmhausen on May 08, 2021, 01:02:06 am
Try binding AdGuard Home to *:53 as you already did if I read your post correctly. Set Unbound to 53530 or similar. Reason being that 5353 is used by mDNS already.

I run AdGuard Home on all interfaces, 53, forwarding to BIND on 127.0.0.1:53530 - no problem so far.
Title: Re: AdGuard Home setup guide
Post by: yodaphone on May 12, 2021, 02:42:34 pm
2) Now, if I change the following, I get the reverse behaviour. Inside AdGuard's Top Clients, I can see only IPs (no host names), but upstream DNS is now showing up as 108.162.218.241 (Cloudflare).

Adguard/DNS Settings:
127.0.0.1:5353
1.1.1.1
1.0.0.1


I've also experimented with a few things to no avail, like:

[/168.192.in-addr.arpa/]127.0.0.1:5353

[/168.192.in-addr.arpa/]127.0.0.1

[/168.192.in-addr.arpa/]192.168.0.1:5353

[/168.192.in-addr.arpa/]192.168.0.1

Do you have any suggestions what I might be doing wrong?

Hi, were you able to solve this? All I see are IP Addresses. I have way too many devices/clients to enter them manually
Title: Re: AdGuard Home setup guide
Post by: Superduke on May 13, 2021, 06:21:33 pm
You just need to add your router ip in the upstream and bootstrap fields in the AdGuard DNS Setup menu with the appropriate port if you're still using UnBound...I am.  So I set up Unbound to listen on port 53530 and then added the below in AdGuard

eg. 192.168.1.1:53530

Adguard now processes and listens on all interfaces.

Works well....
Title: Re: AdGuard Home setup guide
Post by: motamedn on June 07, 2021, 06:26:35 pm
Thanks for posting this guide! In case anyone runs into problems with their Chromecast with Google TV after following these instructions and gets the error saying no internet is available, it might have to do with the optional but recommended port forward step.

Instead of including all sources for the port forward, you can select the devices you want to exclude from the port forward and tick the checkbox to invert the selection. This resolved my Chromecast with Google TV error. I have several so I made an alias. In the end, when I was done it looked like Source: !Google_devices.

Additionally, in the IRC, someone mentioned this port forward setup might lead to some abnormal behavior, i.e. a device asks for 8.8.8.8 DNS but gets confused that Adguard Home responds. It may be better for reliability to set this up via a firewall rule to instead block all outbound DNS requests instead of forwarding the requests. Most devices will then use the local DNS as a back-up. I decided to make the change but still had to except the chromecast devices.

I made the following two rules and disabled the port forward.  These rules are under Firewall -> LAN and are the top rules in the set.

Rule 1:

ALLOW
Source: [Google_devices] -- this is an alias set up with all IP for my google devices
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)

Rule 2:

REJECT
Source: *
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)
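
A check, run from a LAN client, for which of the behaviours discussed in this thread is in effect (the port-forward redirect, a reject rule, or neither); this is an added example and not part of any post. With a NAT redirect the reply still appears to come from the external resolver, so the script asks that resolver for a name AdGuard is expected to block and looks at the answer. Assumptions: the canary is one of the ||...^ custom rules posted earlier in the thread and is loaded, AdGuard Home uses its default blocking mode (blocked A queries answered with 0.0.0.0), and 8.8.8.8 stands in for any external resolver.

```python
import secrets
import socket
import struct

CANARY = "metric.gstatic.com"   # assumed to be blocked by a loaded ||...^ rule
EXTERNAL_RESOLVER = "8.8.8.8"   # any resolver outside the LAN
ZERO_IP = "0.0.0.0"             # assumed AdGuard Home default blocking answer


def build_query(name, txid):
    """Encode a recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid):
    """Return (rcode, [IPv4 answers]); refuse messages that do not answer `txid`."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    off = 12
    for _ in range(qd):                # question section: name + type + class
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def classify(reply, txid):
    """Interpret the reply to a canary query that was addressed to an external resolver."""
    if reply is None:
        return "no-answer"             # consistent with a block/reject rule (or loss)
    _rcode, addrs = parse_a_records(reply, txid)
    if addrs and all(addr == ZERO_IP for addr in addrs):
        return "filtered"              # AdGuard answered: the redirect is in effect
    if addrs:
        return "unfiltered"            # the external resolver answered: bypass possible
    return "inconclusive"              # no A records (other blocking mode, CNAME only)


def constructed_reply(name, txid, ip):
    """Constructed sample: a one-answer response to build_query(name, txid)."""
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 10, 4) + socket.inet_aton(ip)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return header + build_query(name, txid)[12:] + answer


def probe(resolver=EXTERNAL_RESOLVER, name=CANARY, timeout=3.0):
    """Send the canary query straight to `resolver`, ignoring the DHCP-provided DNS."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (resolver, 53))
            reply, _peer = sock.recvfrom(512)
        except OSError:                # timeout or ICMP unreachable
            reply = None
    return classify(reply, txid)


if __name__ == "__main__":
    print(probe())
```

Run it once from each LAN or VLAN: "unfiltered" on any segment means clients there can still reach an outside resolver on port 53.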
Title: Re: AdGuard Home setup guide
Post by: thebull on June 11, 2021, 02:21:16 pm
Does anyone know where the raw config file is stored within OPNsense for AdGuard?
Title: Re: AdGuard Home setup guide
Post by: efahl on June 23, 2021, 02:51:10 am
Mine's in /usr/local/AdGuardHome/AdGuardHome.yaml