OPNsense Forum

English Forums => Documentation and Translation => Topic started by: N0_Klu3 on March 19, 2021, 10:54:50 pm

Title: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 10:54:50 pm
So I've been looking around and been unable to get a good AdGuard or PiHole setup.

I figured it out, and it seems to be working well, so I'm writing this for mainly my own future reference.

--------------------
Setup for a physical AdGuard (Raspberry Pi or something)

I installed AdGuard Home on a Raspberry Pi with the IP 10.0.0.12.
Settings -> DNS Settings
Choose and configure to your desired setup.

On OPNsense:
System -> General Setup
Set '10.0.0.12' as DNS server
Tick: Do not use the local DNS service as the only nameserver for this system

Optional, but recommended:
Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 10.0.0.12
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

Unbound -> Untick 'Enable Unbound'. (So it's turned off)
Or you can follow the steps below to use a router_ip:5353 to loopback to OPNsense unbound as a backup.

I also found that I had to add the DNS specifically on each DHCP interface.
This is mainly needed if you removed all DNS servers from System -> General Setup; I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: 10.0.0.12

If you have VLANs or other LANs you may need to add some Firewall rules to allow traffic through to the DNS server IP on Port 53 (DNS)

That is pretty much it.

--------------------
Setup for using AdGuard via the OPNsense community repo

Firstly install the Community repo from: https://www.routerperformance.net/opnsense-repo/
Then install AdGuard Home via Plugins.

Navigate to router_ip:3000 to set up AdGuard.
I set the Admin interface to my main LAN as the only listen interface, on port 81 (OPNsense uses ports 80 and 443, so select something other than these for the AdGuard listen port, and likewise if you configure AdGuard's SSL settings)

For the DNS Server listen interface select 'All' on Port 53.

Set up DNS as you would like it with your own providers.
Settings -> DNS settings -> Bootstrap DNS servers -> Add router_ip:5353

On OPNsense:
System -> General Setup
Set '8.8.8.8' as DNS server (Or whatever DNS you would like as a backup, if you only want AdGuard you can remove all DNS servers from this list and leave it blank)
Untick: Do not use the local DNS service as a nameserver for this system
This way by default OPNsense will use itself (127.0.0.1) as the resolver which we want.

Services -> Unbound DNS -> General
Enable Unbound (it could be disabled if you'd prefer; then remove the Bootstrap DNS setup as above)
Add port 5353 (instead of default 53)
Only select: 'Register DHCP leases' & 'Register DHCP static mappings'

Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

If you have multiple VLANs or LANs then duplicate the rule and change it to the relevant Interface and address.

I also found that I had to add the DNS specifically on each DHCP interface.
This is mainly needed if you removed all DNS servers from System -> General Setup; I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: router_ip

And the same for any VLANs, just set the router IP for each VLAN.
eg. 192.168.107.1 is my IoT VLAN

That should pretty much do it.

--------------------

Please let me know if you see any tweaks or better settings that you think can improve this, I'm more than happy to improve this and make this into a good guide.

*NOTE* I did find that running AdGuard on the OPNsense router lowered the processing time by more than half:
9ms via the router setup, compared to around 45ms via Raspberry Pi 3B+
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 19, 2021, 10:56:37 pm
Why don't you install AdGuardHome on your OPNsense? Which was precisely the point in that other thread?
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 11:04:26 pm
Because there is no clear guide on how to set it up!
Also sometimes people want to use a physical device for this.

Like I say. I’m happy to update and include the AdGuard install on OPNsense but until I can get a good guide I just cannot.
If you can give me your setup and how you made it work I’ll test it out tomorrow and can add that to this guide too.
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 19, 2021, 11:11:53 pm
I did a write up in that other thread.

1. Activate mimugmail's community repository
2. Install AdGuardHome from System --> Firmware --> Plugins
3. Change your primary DNS server on OPNsense to use e.g. 127.0.0.1:53530 only
4. Activate and start AdGuardHome from Services --> AdGuardHome
5. Navigate to http://your.opnsense:3000/ to complete the setup
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 11:17:14 pm
Do you not need to change AdGuard to use different ports upon setup?
So that it doesn’t affect OPNsense on port 80 and 443?

How do you specify port 53530 unless you mean change unbounds port?
Or on General DNS you can specify 127.0.0.1:53530? Wasn’t aware you can use : to specify a port there.

Do you do anything with your unbound?
Are there any specific benefits to doing it all in one box?

And thanks I’ll test it tomorrow.
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 19, 2021, 11:22:38 pm
I meant make your Unbound listen to 127.0.0.1:53530. I use BIND, so - sorry - I cannot show you a screenshot. I am just assuming that just as with BIND you can change the listen interface and port for Unbound too. If that is not the case, I am sorry.

You need to do that so AdGuardHome can listen on all interfaces port 53 so clients can use it. Then in AdGuardHome use this dialog to configure the upstream resolver (see screenshot).

To adjust the listen addresses of AdGuardHome itself you need to ssh to your OPNsense and edit the config file at /usr/local/AdGuardHome/AdGuardHome.yaml:
bind_host: 0.0.0.0
bind_port: 3000
[...]
dns:
  bind_host: 0.0.0.0
  port: 53
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 11:35:52 pm
Thanks if I can figure it out I’ll test it tomorrow.
I feel like my way just works and works far simpler.

Is there any benefit other than having 2 devices in one doing it your way?
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 19, 2021, 11:48:11 pm
I would not want another box just for a single application that works perfectly on my already present OPNsense.
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 11:07:26 am
Do I need to Listen on all interfaces for DNS Server?
As it has my WAN IP in there too.

I have LAN, and 2x VLANS so there are a lot of connections there.
I also changed the Admin to use port 81.

Like this:
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 08:00:33 pm
@pmhausen
Take a look at my edits and addition of AdGuard via Community Repo.
Let me know what you think or if any of it needs changing/addition.
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 20, 2021, 08:06:13 pm
Of course you don't need to activate it on WAN, sorry.
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 08:27:58 pm
Yup problem is as I have more than 1x LAN I could not manually select my LANs/VLANs.
It was all or 1. Unless I missed something there.
So I just selected All
Title: Re: AdGuard Home setup guide
Post by: pmhausen on March 20, 2021, 08:40:05 pm
Well, even if it is listening on WAN your firewall rules should prevent access, right?
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 10:30:30 pm
Yup should drop all traffic from WAN by default
Title: Re: AdGuard Home setup guide
Post by: ekke on March 25, 2021, 09:34:48 am
AdGuard seems to be amazing! Really slick interface and useful features!
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 28, 2021, 10:21:02 am
Yeah, and I find it works much quicker especially vs PiHole or external DNS
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 04, 2021, 08:16:42 pm
Opnsense 21.1.4 Installation:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Navigate to http://your.opnsense:3000/ to complete the setup

5 - In Adguard Home - DNS Configuration - Upstream Servers: set the desired servers (1.1.1.1, 8.8.8.8, etc.)

6 - In Opnsense disable Unbound. In case you want to use it, leave it activated by changing the port to 5353 and in Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

 - It is not necessary to activate the internal opnsense dns (127.0.0.1) in Opnsense in System-Settings-General

 - No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

 - No need to set dns servers to DHCP

DNS over HTTPS - DNS over TLS:

Option 1:

 - In Opnsense - Unbound - Miscellaneous set the desired dns servers 1.1.1.1@853 8.8.8.8@853

 - Activate Unbound on port 5353

 - In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

Option 2 (Unbound disabled): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption


Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 04, 2021, 10:34:51 pm
Recommended DNS blocklists: 1Hosts (Pro) - Goodbye Ads - Energized Ultimate - Lightswitch05 - Steven Black - oisd

Installation in Adguard: Filters - DNS blocklist - Add blocking list - Add custom list

 - https://hosts.netlify.app/Pro/adblock.txt

 - https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt

 - https://block.energized.pro/ultimate/formats/hosts.txt

 - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt

 - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

 - https://hosts.oisd.nl/

Extra. in Adguard: Filters - DNS blocklist - Add blocking list  - Choose from the list:

 - Perflyst's Smart-TV Blocklist
Title: Re: AdGuard Home setup guide
Post by: pmhausen on April 04, 2021, 10:56:14 pm
@yeraycito thanks for those lists. Which criteria did you apply when picking them?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 04, 2021, 11:48:34 pm
Unlike the ones Adguard comes with, these are much more complete. Each of them includes many other lists. They are the most complete I have found. If you put these in, you don't need any more.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 05, 2021, 01:11:31 am
Many of the lists I have posted block most of Google's telemetry and spying but not all of it. More can be done.

Adguard - Filters - Custom filtering rules - add:

||dnsotls-ds.metric.gstatic.com^ 
||encrypted-tbn0.gstatic.com^
||encrypted-tbn2.gstatic.com^
||mtalk.google.com^
||metric.gstatic.com^
||chart.apis.google.com^
||cse.google.com^
||encrypted-tbn1.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||aa.google.com^
||encrypted-tbn3.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||addons-pa.clients6.google.com^
||apis.google.com^
||0.client-channel.google.com^
||clients2.google.com^

Result after applying the rules:

 - Google searches: OK

 - Gmail: OK

 - Youtube: OK

 - Instagram: OK

 - Android: OK

 - Playstore: OK
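As an added example (written for this edit, not code from any poster or from AdGuard Home), the following Python models how the two list formats linked earlier in the thread (adblock-style `||domain^` rules, as in the custom rules above, and hosts-file entries) decide whether a queried name is blocked. The list fragments are constructed: a few of the `gstatic.com`/`google.com` rules from this post plus hypothetical names, and one `@@` exception to show that exceptions override block entries. The model is deliberately simplified (no regex rules or `$options`): a `||domain^` rule covers the domain itself and every subdomain, but never a partial label, which is why `notmetric.gstatic.com` is not caught by `||metric.gstatic.com^`.

```python
import ipaddress

# Constructed sample fragments (not the real lists): one in adblock/AdGuard
# syntax, one in hosts-file syntax, mirroring the two formats linked above.
SAMPLE_ADBLOCK = """\
! adblock-style fragment; rules taken from the custom rules above plus an exception
||metric.gstatic.com^
||mtalk.google.com^
||www.gstatic.com^
@@||fonts.gstatic.com^
"""

SAMPLE_HOSTS = """\
# hosts-style fragment (constructed names)
0.0.0.0 ads.example.net
127.0.0.1 localhost
0.0.0.0 fonts.gstatic.com
0.0.0.0 tracker.example.org # trailing comment
"""


def parse_adblock(text):
    """Collect domains from ||domain^ (block) and @@||domain^ (exception) rules."""
    blocked, allowed = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "!#":
            continue
        target = blocked
        if line.startswith("@@"):
            target, line = allowed, line[2:]
        if line.startswith("||") and line.endswith("^"):
            target.add(line[2:-1].lower().rstrip("."))
        # regex rules and $options exist in the real syntax; this model ignores them
    return blocked, allowed


def parse_hosts(text):
    """Collect names a hosts-style list maps to 0.0.0.0 or 127.0.0.1 (localhost itself is skipped)."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if addr.is_unspecified or addr.is_loopback:
            blocked.update(n.lower() for n in fields[1:] if n.lower() != "localhost")
    return blocked


def build_filter(adblock_text, hosts_text):
    """Merge both formats into one (blocked, allowed) pair of domain sets."""
    blocked, allowed = parse_adblock(adblock_text)
    return blocked | parse_hosts(hosts_text), allowed


def _covers(rule_domain, name):
    """||rule_domain^ covers the domain itself and any subdomain, never a partial label."""
    return name == rule_domain or name.endswith("." + rule_domain)


def blocking_rule(name, blocked, allowed):
    """Return the domain rule that blocks `name`, or None if the query is allowed."""
    name = name.lower().rstrip(".")
    if any(_covers(d, name) for d in allowed):   # exceptions take precedence
        return None
    for d in blocked:
        if _covers(d, name):
            return d
    return None


if __name__ == "__main__":
    blocked, allowed = build_filter(SAMPLE_ADBLOCK, SAMPLE_HOSTS)
    for q in ["dnsotls-ds.metric.gstatic.com", "gstatic.com", "notmetric.gstatic.com",
              "fonts.gstatic.com", "ads.example.net", "localhost"]:
        print(f"{q:32} -> {blocking_rule(q, blocked, allowed) or 'allowed'}")
```

Running it against a real list before deploying it is a cheap way to find out which of your own services a "very complete" list would take down; the `fonts.gstatic.com` case shows the `@@` escape hatch when a list is too aggressive.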

Title: Re: AdGuard Home setup guide
Post by: Jaxon on April 12, 2021, 10:59:42 pm
@yeraycito

Just a shout out to say thanks for your contributions to this thread. I found them very useful, and have Unbound / AdGuard working well together. Ads are gone, DNS lookups are resolving quickly. Your suggested blocklists are awesome!

That said, I'm still a little (embarrassingly) confused about something. That is, getting the LAN reverse lookups to function. Below I'll show one setup where the reverse lookups actually do resolve, but the upstream DNS resolver ends up being one of my two ISPs, and a second where the upstream resolver is Cloudflare, but then the reverse lookups stop working.

I have the following OPNSense Configuration:
Dual WAN, two gateway setup (might not be relevant to the discussion)

System/Settings/General:
 - DNS Servers: all empty

Services/Unbound DNS/General:
 - port: 5353
 - DNSSEC: enabled
 - DHCP Registration: enabled
 - DHCP Static Mappings: enabled
 - Local Zone Type: transparent


AdGuard Settings:

1) With this setup, reverse lookups function. That is, inside AdGuard's Top Clients, I can see host names are resolving. However, the upstream DNS server is my ISP's DNS server.

Adguard/DNS Settings:
127.0.0.1:5353

Bootstrap DNS servers:
127.0.0.1:5353
9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10


2) Now, if I change the following, I get the reverse behaviour.  Inside AdGuards Top Clients, I can see only IPs (no host names), but upstream DNS is now showing up as 108.162.218.241 (Cloudflare).

Adguard/DNS Settings:
127.0.0.1:5353
1.1.1.1
1.0.0.1


I've also experimented with a few things to no avail, like:

[/168.192.in-addr.arpa/]127.0.0.1:5353

[/168.192.in-addr.arpa/]127.0.0.1

[/168.192.in-addr.arpa/]192.168.0.1:5353

[/168.192.in-addr.arpa/]192.168.0.1



Do you have any suggestions what I might be doing wrong?
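As an added example (written for this edit, not code from the poster or from AdGuard Home), the following Python models AdGuard Home's upstream selection as I understand it from its documented syntax: plain lines form the default pool, `[/domain/]upstream` lines apply only to that domain and its subdomains (longest matching suffix wins), and `[/domain/]#` sends a domain back to the default pool. The upstream list is a constructed one modelled on the post above. It also computes the PTR name that a reverse lookup actually sends, which is what the `[/168.192.in-addr.arpa/]` entry has to match: `192.168.0.5` becomes `5.0.168.192.in-addr.arpa`. The model treats the default pool as unordered, because AdGuard Home does not try default upstreams in listed order; that is why, with `127.0.0.1:5353` and `1.1.1.1` both in the default pool, a PTR query for a LAN address can land at Cloudflare unless a domain-specific line pins it to Unbound.

```python
import ipaddress

# Constructed upstream list in AdGuard Home's upstream syntax (values are hypothetical):
# plain lines form the default pool; "[/domain/]upstream" lines apply only to that
# domain and its subdomains; "[/domain/]#" sends the domain back to the default pool.
SAMPLE_UPSTREAMS = """\
127.0.0.1:5353
1.1.1.1
1.0.0.1
[/168.192.in-addr.arpa/]127.0.0.1:5353
[/lan/home.arpa/]127.0.0.1:5353
[/example.com/]#
"""


def parse_upstreams(text):
    """Split the list into (default_pool, {domain: [upstreams]})."""
    default, specific = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[/"):
            end = line.index("/]")
            upstream = line[end + 2:].strip()
            # several domains may share one line: [/a.example/b.example/]upstream
            for dom in line[2:end].split("/"):
                dom = dom.strip().strip(".").lower()
                if dom:
                    specific.setdefault(dom, []).append(upstream)
        else:
            default.append(line)
    return default, specific


def reverse_name(ip):
    """PTR query name for an address, e.g. 192.168.0.5 -> 5.0.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def select_upstreams(qname, default, specific):
    """Return (upstreams, matched_domain) for a query name.

    The longest matching domain suffix wins. With no match, or with the "#"
    upstream, the whole default pool is returned: any member may answer.
    """
    name = qname.lower().rstrip(".")
    best = None
    for dom in specific:
        if (name == dom or name.endswith("." + dom)) and (best is None or len(dom) > len(best)):
            best = dom
    if best is None:
        return list(default), None
    ups = specific[best]
    if ups == ["#"]:
        return list(default), best
    return list(ups), best


if __name__ == "__main__":
    default, specific = parse_upstreams(SAMPLE_UPSTREAMS)
    for q in [reverse_name("192.168.0.5"), reverse_name("10.0.0.5"),
              "printer.home.arpa", "www.example.com", "www.google.com"]:
        ups, dom = select_upstreams(q, default, specific)
        print(f"{q:30} -> {ups} (rule: {dom})")
```

The practical reading: if local names and reverse lookups must come from Unbound, either make Unbound the only default upstream or add a domain-specific line for every local forward zone and every reverse zone in use (one `in-addr.arpa` entry per RFC 1918 range you actually use), and verify with the query log which upstream answered.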





Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 07:36:06 pm
Hello, for the dns not to be those of your isp you have to put one in unbound. To resolve the hostnames you can add them better in the Adguard configuration.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 07:38:09 pm
My settings:

System/Settings/General:
 - DNS Servers: all empty
 - Do not use the local DNS service as a nameserver for this system: checked

Services/Unbound DNS/General:
 - port: 5353
 - DNSSEC: enabled
 - DHCP Registration: disabled
 - DHCP Static Mappings: disabled
 - Local Zone Type: transparent

Unbound DNS - Miscellaneous - DNS over TLS Servers:  1.1.1.1@853      1.0.0.1@853

In Adguard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353

In Adguard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353

In Adguard Home - configuration - clients configuration - add client:  Add ip and hostname
 
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 08:50:53 pm
A good complement is also to use NextDns dns servers.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 08:51:30 pm
They are just as fast as Cloudflare's but add more protection and the ability to add blocklists.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 09:04:18 pm
Installation:

Let's go to https://nextdns.io/ and register for free. Once registered you are given a personalised ID and dns.

Opnsense installation:

 - Follow the tutorial explained above for Adguard.

 - Unbound - General - Custom Options: add the following (XXXXXX is your custom ID in NextDns)


server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
Title: Re: AdGuard Home setup guide
Post by: Dimi3 on April 19, 2021, 06:44:56 pm
I installed the adguard plugin... everything seems to be working ok... only under plugins the adguard is marked as misconfigured? Why is that?

Title: Re: AdGuard Home setup guide
Post by: wirehire on April 20, 2021, 12:38:45 pm
hello,

where can I find the logfile? In /var/log I found no adguard file.

Thanks
Title: Re: AdGuard Home setup guide
Post by: Spritzup on April 20, 2021, 03:54:49 pm
Transfer from PiHole (running on a Pi) to AdGuard on OPNSense went flawlessly.  By using a virtual IP for AdGuard, I didn't even need to change any of my preconfigured rules, which was nice.  I had allocated myself a few hours to get this done, and it ended up taking less than 15 minutes :)

Question though.  One of the "optimizations" that is sometimes recommended when using PiHole in conjunction with Unbound is to disable DNS caching on the pi-hole, so that all DNS lookup is handled by Unbound.  Would this provide any benefit with AdGuard?

Thanks!

EDIT - So an oddity.  Using a virtual IP, it showed no port conflicts using Port 80 or Port 53, and everything worked great for a day.  Today I decided to tweak some unbound settings and had to restart the service... and it wouldn't start due to a port conflict.  Any ideas?

~Spritz
Title: Re: AdGuard Home setup guide
Post by: beclar2 on April 25, 2021, 10:32:13 am
Hi folks,

has anyone tried to set up the Adguard WebGUI using https with the same cert that OPNsense's WebGUI uses?

Thank you very much
Beclar
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 25, 2021, 06:45:38 pm
Adguard + wireguard in Opnsense ( solved ):

https://forum.opnsense.org/index.php?topic=22409.0
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on April 26, 2021, 11:14:20 am
Quote from: yeraycito on April 13, 2021, 07:38:09 pm
My settings:

System/Settings/General:
 - DNS Servers: all empty
 - Do not use the local DNS service as a nameserver for this system: checked

Services/Unbound DNS/General:
 - port: 5353
 - DNSSEC: enabled
 - DHCP Registration: disabled
 - DHCP Static Mappings: disabled
 - Local Zone Type: transparent

Unbound DNS - Miscellaneous - DNS over TLS Servers:  1.1.1.1@853      1.0.0.1@853

In Adguard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353

In Adguard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353

In Adguard Home - configuration - clients configuration - add client:  Add ip and hostname

With this way, if you have multiple VLAN's or different IP's do you need to include all the IP's into upstream and bootstrap DNS servers?

IE: 192.168.1.1:5353
192.168.200.1:5353

And so on?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 26, 2021, 02:25:58 pm
It is not necessary, just set the opnsense ip. Adguard listens for dns connections on all opnsense interfaces. It then passes them to the opnsense ip. Unbound is listening there.
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on April 26, 2021, 03:52:46 pm
Ok cheers will mess with it this week and update the main page with some updates.
Thanks for your efforts.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 26, 2021, 08:33:16 pm
In this post I previously put up some blocking lists for Adguard. There are two of them that are very complete: 1Host (Pro) and Energized Ultimate. They are so comprehensive that in some cases they block too much. If this is the case I recommend you to change them for 1Host (Lite) and Energized Basic. These two lists are still very comprehensive. There are also smaller versions of these two lists; these are the intermediate ones.

 - https://badmojr.github.io/1Hosts/Lite/adblock.txt

 - https://block.energized.pro/basic/formats/hosts.txt




Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on April 28, 2021, 09:23:19 am
Yup I already use Energized Pro list and only that list myself :)
Title: Re: AdGuard Home setup guide
Post by: Superduke on May 03, 2021, 02:52:14 pm
I'm sorry for my ignorance, but is this setup using the DNS over TLS function in Unbound?  It appears yes.

If it is, why use that when you can use Unbound by itself for DNS resolving?  I thought the point of using Unbound was to not have to worry about DNS lookups from companies like Cloudflare??

Thanks in advance!

Quote from: yeraycito on April 04, 2021, 08:16:42 pm
Opnsense 21.1.4 Installation:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Navigate to http://your.opnsense:3000/ to complete the setup

5 - In Adguard Home - DNS Configuration - Upstream Servers: set the desired servers (1.1.1.1, 8.8.8.8, etc.)

6 - In Opnsense disable Unbound. In case you want to use it, leave it activated by changing the port to 5353 and in Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

 - It is not necessary to activate the internal opnsense dns (127.0.0.1) in Opnsense in System-Settings-General

 - No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

 - No need to set dns servers to DHCP

DNS over HTTPS - DNS over TLS:

Option 1:

 - In Opnsense - Unbound - Miscellaneous set the desired dns servers 1.1.1.1@853 8.8.8.8@853

 - Activate Unbound on port 5353

 - In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

Option 2 (Unbound disabled): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption
Title: Re: AdGuard Home setup guide
Post by: yodaphone on May 05, 2021, 03:13:32 pm


Quote from: yeraycito on April 13, 2021, 09:04:18 pm
 - Follow the tutorial explained above for Adguard.

Do we need both? Can one not configure just NextDNS without AdGuard?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on May 05, 2021, 03:27:49 pm
If you want to use only NextDNS:

- Unbound - General - Custom Options: add the following (XXXXXX is your custom ID in NextDns)


server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
Title: Re: AdGuard Home setup guide
Post by: zer0k on May 05, 2021, 10:58:00 pm
Great instructions! Thank you :)

The only issue I'm facing is that the firewall redirect rule for DNS just won't work for me.
I've tried using the "LAN address" object, and also specifying my LAN IP address and my VirtualIP's, but it just doesn't seem to want to redirect the DNS traffic :(

I did notice when setting up Adguard it chose my Virtual IP, instead of my LAN address.

I feel like I'm missing something really simple, but I'm not sure what?

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable
Title: Re: AdGuard Home setup guide
Post by: pmhausen on May 05, 2021, 11:15:48 pm
Possibly related to this?

https://github.com/AdguardTeam/AdGuardHome/issues/3015
Title: Re: AdGuard Home setup guide
Post by: meazz1 on May 06, 2021, 12:08:34 am
I have a LAN that I want to use AdGuard for DNS using any family shield service, and a VLAN to use 8.8.8.8.
Is that possible and how?
Title: Re: AdGuard Home setup guide
Post by: NV43 on May 06, 2021, 08:08:13 am
Should we be setting DNS cache size in Adguard to 0 to allow Unbound to handle caching?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on May 06, 2021, 06:38:00 pm
Quote from: zer0k on May 05, 2021, 10:58:00 pm
Great instructions! Thank you :)

The only issue I'm facing is that the firewall redirect rule for DNS just won't work for me.
I've tried using the "LAN address" object, and also specifying my LAN IP address and my VirtualIP's, but it just doesn't seem to want to redirect the DNS traffic :(

I did notice when setting up Adguard it chose my Virtual IP, instead of my LAN address.

I feel like I'm missing something really simple, but I'm not sure what?

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

Quote from: yeraycito on April 04, 2021, 08:16:42 pm
- It is not necessary to activate the internal opnsense dns (127.0.0.1) in Opnsense in System-Settings-General

- No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

Adguard listens on all default interfaces in Opnsense. This can be seen in the Adguard - Configuration Guide.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on May 06, 2021, 06:41:16 pm
Quote from: NV43 on May 06, 2021, 08:08:13 am
Should we be setting DNS cache size in Adguard to 0 to allow Unbound to handle caching?

I have DNS caching active on both sites and everything works fine.
Title: Re: AdGuard Home setup guide
Post by: mrancier on May 07, 2021, 03:57:24 pm
Sorry for the hijack, but just wondered if anyone has any idea of how I can solve a particular problem with my Adguard Home Plugin setup:

My LAN interface is a bridge made up of all the ports on a 4 port intel x540, and my WAN is on a different interface altogether (duh).  I can successfully install the plugin and configure it, make it the default dns server by changing the port unbound uses to 5353 and leaving AdguardHome on 53.  Problem is that first time resolution takes about 30 seconds!  I am guessing it has to do with Adguard being bound to all existing interfaces.  I tried to bind it to the bridge address editing the Adguard Yaml config file and restarting the service, but it did not solve the issue.  Unbound works fine in its place, and I have adguard running on a secondary box in lan and unbound forwarding to it, as a workaround, and that works fine.  If anyone knows how to fix that, and can share, I would appreciate it.  Just in case, bridge is built following wiki directions, including tunables, and works as expected.  I am aware of the disadvantages of bridging ports, but it is an experiment and I would like to make it work as is.

Thanks.
Title: Re: AdGuard Home setup guide
Post by: pmhausen on May 08, 2021, 01:02:06 am
Try binding AdGuard Home to *:53 as you already did if I read your post correctly. Set Unbound to 53530 or similar. Reason being that 5353 is used by mDNS already.

I run AdGuard Home on all interfaces, 53, forwarding to BIND on 127.0.0.1:53530 - no problem so far.
Title: Re: AdGuard Home setup guide
Post by: yodaphone on May 12, 2021, 02:42:34 pm
Quote from: Jaxon on April 12, 2021, 10:59:42 pm
2) Now, if I change the following, I get the reverse behaviour.  Inside AdGuard's Top Clients, I can see only IPs (no host names), but upstream DNS is now showing up as 108.162.218.241 (Cloudflare).

Adguard/DNS Settings:
127.0.0.1:5353
1.1.1.1
1.0.0.1


I've also experimented with a few things to no avail, like:

[/168.192.in-addr.arpa/]127.0.0.1:5353

[/168.192.in-addr.arpa/]127.0.0.1

[/168.192.in-addr.arpa/]192.168.0.1:5353

[/168.192.in-addr.arpa/]192.168.0.1

Do you have any suggestions what I might be doing wrong?

Hi, were you able to solve this? All I see are IP Addresses. I have way too many devices/clients to enter them manually
Title: Re: AdGuard Home setup guide
Post by: Superduke on May 13, 2021, 06:21:33 pm
You just need to add your router ip in the upstream and bootstrap fields in the AdGuard DNS Setup menu with the appropriate port if you're still using UnBound...I am.  So I set up Unbound to listen on port 53530 and then added the below in AdGuard

eg. 192.168.1.1:53530

Adguard now processes and listens on all interfaces.

Works well....
Title: Re: AdGuard Home setup guide
Post by: motamedn on June 07, 2021, 06:26:35 pm
Thanks for posting this guide! In case anyone runs into problems with their Chromecast with Google TV after following these instructions and gets the error saying no internet is available, it might have to do with the optional but recommended port forward step.

Instead of including all sources for the port forward, you can select the devices you want to exclude from the port forward and tick the checkbox to invert the selection. This resolved my Chromecast with Google TV error. I have several so I made an alias. In the end, when I was done it looked like Source: !Google_devices.

Additionally, in the IRC, someone mentioned this port forward setup might lead to some abnormal behavior, i.e. a device asks for 8.8.8.8 DNS but gets confused that Adguard Home responds. It may be better for reliability to set this up via a firewall rule to instead block all outbound DNS requests instead of forwarding the requests. Most devices will then use the local DNS as a back-up. I decided to make the change but still had to except the chromecast devices.

I made the following two rules and disabled the port forward.  These rules are under Firewall -> LAN and are the top rules in the set.

Rule 1:

ALLOW
Source: [Google_devices] -- this is an alias set up with all IP for my google devices
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)

Rule 2:

REJECT
Source: *
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)
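As an added example (written for this edit, not the poster's configuration or OPNsense code), the following Python models how these two LAN rules are evaluated for a few sample flows. It assumes first-match ("quick") semantics, which OPNsense applies to rules by default, and uses a constructed LAN address and a constructed `Google_devices` alias; the values are hypothetical. The cases worth seeing are the ones neither rule matches: DNS sent to the router's own address falls through to the normal LAN rules and still reaches AdGuard, and DNS over TLS (853) or DNS over HTTPS (443) is not touched by a port 53 rule at all.

```python
import ipaddress

# Constructed values standing in for the poster's "LAN address" object and the
# Google_devices alias; they are hypothetical, not taken from the thread.
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")
ALIASES = {
    "Google_devices": {ipaddress.ip_address("192.168.1.50"),
                       ipaddress.ip_address("192.168.1.51")},
}

# (action, source, destination, destination port), top to bottom as in the post.
# "*" matches anything; a leading "!" inverts the match, as the "not" checkbox does.
RULES = [
    ("pass",   "Google_devices", "!LAN address", 53),
    ("reject", "*",              "!LAN address", 53),
]


def _match_host(spec, addr):
    """Match one address against a rule field: "*", "LAN address", an alias or a literal."""
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec == "*":
        hit = True
    elif spec == "LAN address":
        hit = addr == LAN_ADDRESS
    elif spec in ALIASES:
        hit = addr in ALIASES[spec]
    else:
        hit = addr == ipaddress.ip_address(spec)
    return hit != negate


def evaluate(src, dst, dport, rules=RULES):
    """Return the action of the first matching rule ("quick" semantics, OPNsense's
    default), or None when neither rule matches and the flow falls through to
    whatever rules come later in the LAN rule set."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d, port in rules:
        if _match_host(s, src) and _match_host(d, dst) and port in ("*", dport):
            return action
    return None


if __name__ == "__main__":
    for flow in [("192.168.1.50", "8.8.8.8", 53),      # Google device, direct DNS
                 ("192.168.1.77", "8.8.8.8", 53),      # other client, direct DNS
                 ("192.168.1.77", "192.168.1.1", 53),  # other client, router (AdGuard)
                 ("192.168.1.77", "1.1.1.1", 853)]:    # DNS over TLS, not covered
        print(flow, "->", evaluate(*flow))
```

The last case is the caveat to keep in mind with the reject-outbound-53 approach: it stops plain DNS from bypassing AdGuard, but a client configured for encrypted DNS is unaffected by either rule and never shows up in AdGuard's query log.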
Title: Re: AdGuard Home setup guide
Post by: thebull on June 11, 2021, 02:21:16 pm
Does anyone know where the raw config file is stored within OPNsense for AdGuard?
Title: Re: AdGuard Home setup guide
Post by: efahl on June 23, 2021, 02:51:10 am
Mine's in /usr/local/AdGuardHome/AdGuardHome.yaml
Title: Re: AdGuard Home setup guide
Post by: sp33dy on July 27, 2021, 10:04:07 am
I keep having a problem with adguard not being started automatically

did reinstall/reboot, removed other packages etc etc but still the same problem

i followed last in this post https://forum.opnsense.org/index.php?topic=16692.15

root@OPNsense:/usr/local/AdGuardHome #  ./AdGuardHome -s install
2021/07/27 10:02:41 [info] Service control action: install
2021/07/27 10:02:41 [fatal] Failed to install AdGuard Home service: Init already exists: /usr/local/etc/rc.d/AdGuardHome


problem is that the only way for me to get it running after reboot is either cli or webgui

why does it not start automatically?
ideas

regards /s
Title: Re: AdGuard Home setup guide
Post by: mimugmail on July 27, 2021, 10:06:56 am

Quote from: sp33dy on July 27, 2021, 10:04:07 am
i followed last in this post https://forum.opnsense.org/index.php?topic=16692.15

root@OPNsense:/usr/local/AdGuardHome #  ./AdGuardHome -s install
2021/07/27 10:02:41 [info] Service control action: install
2021/07/27 10:02:41 [fatal] Failed to install AdGuard Home service: Init already exists: /usr/local/etc/rc.d/AdGuardHome



This is not the way it should be done .. don't do this.
Usually installing the plugin and enable is enough.

Now your install dir can be anywhere.
Title: Re: AdGuard Home setup guide
Post by: sp33dy on July 27, 2021, 10:56:49 am
ok, well that sux that people give wrong instructions

is there any way for me to fix this?

EDIT: like I stated I have deleted/installed the package and rebooted and the problem still persisted; when it still didn't work I tried those instructions
Title: Re: AdGuard Home setup guide
Post by: mimugmail on July 27, 2021, 11:06:39 am
/usr/local/AdGuardHome #  ./AdGuardHome -s uninstall / delete possibly?
Maybe then also remove the plugin and also /usr/local/AdGuard/Home folder.

Then install plugin again, enable and reboot. During reboot watch the console for errors
Title: Re: AdGuard Home setup guide
Post by: sp33dy on July 28, 2021, 09:03:53 am
Quote from: mimugmail on July 27, 2021, 11:06:39 am
/usr/local/AdGuardHome #  ./AdGuardHome -s uninstall / delete possibly?
Maybe then also remove the plugin and also /usr/local/AdGuard/Home folder.

Then install plugin again, enable and reboot. During reboot watch the console for errors

thanks for your answer, still no good though


service runs fine when started manually; it takes ages to boot the box when dns is not running
are there any startup scripts I can force run on boot to see if that at least gets it running after boot?

nothing wrong on console when booting up, status also says "not installed", i tried reinstall/reboot but still the same

root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s status
2021/07/28 08:59:59 [info] Service control action: status
2021/07/28 08:59:59 [fatal] failed to get service status: the service is not installed
Title: Re: AdGuard Home setup guide
Post by: mimugmail on July 28, 2021, 09:50:43 am

root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s status
2021/07/28 08:59:59 [info] Service control action: status
2021/07/28 08:59:59 [fatal] failed to get service status: the service is not installed

Don't do this! I wrote a startup script because this AdGuardHome -s XXX is a total mess. And that's why AGH is a community plugin and not in the official plugin repo. This Go stuff with their own service control sucks on BSD.

You can use this:
/usr/local/etc/rc.d/adguardhome

But if you already ran "-s install" you are lost somewhere in the middle :(
Title: Re: AdGuard Home setup guide
Post by: sp33dy on July 28, 2021, 10:23:59 am

root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s status
2021/07/28 08:59:59 [info] Service control action: status
2021/07/28 08:59:59 [fatal] failed to get service status: the service is not installed

Don't do this! I wrote a startup script because this AdGuardHome -s XXX is a total mess. And that's why AGH is a community plugin and not in the official plugin repo. This Go stuff with their own service control sucks on BSD.

You can use this:
/usr/local/etc/rc.d/adguardhome

But if you already ran "-s install" you are lost somewhere in the middle :(



I haven't run the -s install on this installation.

I'm sure there is something with my install that's causing this and not the plugin itself; just trying to get a working installation here ;)

I assume this should run on bootup: "/usr/local/etc/rc.d/adguardhome"

Can I force it to run in some other startup script? For some reason it won't start for me.
Title: Re: AdGuard Home setup guide
Post by: planetix on August 03, 2021, 04:32:34 pm
Is there a known issue with fresh installs of this plugin and 21.7? I can't even get the setup page to load after a successful plugin install (http://<my.opnsense.ip>:3000).

The plugin is enabled and appears to be running
No errors are thrown in the logs
I have Unbound disabled
I am not running Grafana, NTPng, or any other service on port 3000. Netstat shows the AdGuardHome service is running on said port and nothing else. 

I cannot get the start page to come up at all on port 3000. Since that triggers the initial setup wizard, there's no configuration yaml created (I checked via CLI). The service just appears to be running and waiting for me to kick off the process.

Could someone post a (more or less) "default" configuration yaml for the plugin? I can modify it for my own setup, restart the service, see if that gets past it, though I'd still like to figure out why I can't access the initial config wizard.

Thanks!

Edit: As often happens, writing this post made me re-think a couple of things to try and I got it working.

The problem, if anyone else runs into this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.

This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.

I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.

Hope this helps someone else :)
Title: Re: AdGuard Home setup guide
Post by: madindehead on August 07, 2021, 03:02:01 pm
I was under the impression that the community repo won't work currently on 21.17, as the dependency for Python 3.7 is missing (as it uses 3.8).

It has to be rebuilt.
Title: Re: AdGuard Home setup guide
Post by: vorago on August 08, 2021, 06:53:47 am
How does one get a self signed certificate going for Adguard Home? Doing it mostly to learn, and thought it would be fun to have DoH/T enabled for my home network.

I have a CA & intermediate CA created and I created a certificate for adguard, but when I paste the cert & key into the fields I get "Certificate chain is invalid" for the certificate and "Your certificate does not verify: x509: certificate specifies an incompatible key usage" for the private key.
Title: Re: AdGuard Home setup guide
Post by: jf2001j on August 09, 2021, 01:24:56 pm
But if you already ran "-s install" your are lost somewhere in the middle :(
...

can i force run it in some other startup script?...for some reason it wont start for me

I also have the issue of the service adguardhome not auto-starting, but able to run with "service adguardhome start".

I noticed, that according to "pkg list os-adguardhome-maxit-1.5" there should only be a "/usr/local/etc/rc.d/adguardhome" file. I removed the additional file with "rm /usr/local/etc/rc.d/AdGuardHome".

Also I set "service adguardhome enable". Although the file "/etc/rc.conf.d/adguardhome" exists, it still does not autostart according to "service adguardhome status".

=> Is there a logfile as an alternative to "During reboot watch the console for errors"?

--
update:

I had a chance to look into the serial output:

I think the error that AdGuard does not start automatically occurs because the startup of AdGuard is quite late as a boot level.

The problem seems to be a delayed newwanip process; as a workaround it might be possible to change the boot level (the point in time when AdGuard starts).
This also seems to delay/block the auto-start of WireGuard.

Quote
Starting power daemon...done.
Configuring system logging...done.
>>> Invoking start script 'newwanip'
Reconfiguring IPv4 on igb1: error in configd communication %s, see syslog for de
Reconfiguring routes: OK
>>> Invoking start script 'freebsd'
  • ifconfig wg create name wg0
  • [!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument)
  • wireguard-go wg0

┌─────────tun0: link state changed to UP
─────tun0: changing name to 'wg0'
───────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
(...)
  • Backgrounding route monitor

WARNING: attempt to domain_add(netgraph) after domainfinalize()
setup igb0_vlan10
setup igb0
setup igb1 [egress only]
Starting flowd_aggregate.
Starting flowd.
Starting adguardhome.
>>> Invoking start script 'syslog-ng'
Stopping syslog_ng.
Waiting for PIDS: 90451.
Starting syslog_ng.
Title: Re: AdGuard Home setup guide
Post by: RamSense on August 21, 2021, 10:40:18 pm
I am also new to Adguard (switched from pihole).
In Pi-hole I had:
Never forward non-FQDNs
Never forward reversed lookups for private ip ranges

Do you know how to get this in Adguard?

P.S. I think I fixed the AdGuard auto start by adding System -> Settings -> General -> DNS servers 1.1.1.1 and 1.0.0.1.
I read somewhere that OPNsense needed it to start running while AdGuard is not yet started. Seems to work.
P.P.S. Just had to reboot my OPNsense and I noticed that AdGuard was not starting automatically, so no luck yet...
Title: Re: AdGuard Home setup guide
Post by: Nnyan on August 23, 2021, 01:05:14 am
Currently using NextDNS and I wanted to give AdGuard home a try to see how they compare.  Before I started I did the following:

Disabled Unbound.
Disabled NextDNS CLI (checked status)

Was able to get this installed but when I try to enable encryption under the Encryption settings it tells me that port 443 is being used:

Error: control/tls/validate | port 443 is not available, cannot enable HTTPS on it | 400

I then took a look to see what is using port 443 (if this is not the correct way of checking please let me know):

#sockstat -4 -l

root     lighttpd   46986 5  tcp4   *:443                 *:*
root     lighttpd   46986 7  tcp4   *:80                  *:*

Not sure exactly what is using lighttpd for the port.
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 08, 2021, 11:27:51 am
Adguard + wireguard in Opnsense ( solved ):

https://forum.opnsense.org/index.php?topic=22409.0

I followed your instructions from that thread, but haven't been able to get WireGuard running alongside AdGuard.

WireGuard worked well before I added AdGuard, but now I'm just not getting a connection.

Does anyone else have experience of getting WireGuard running alongside AdGuard and Unbound DNS?
Not sure what Unbound DNS buys me alongside AdGuard, but it works well for my other devices.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 08, 2021, 12:36:26 pm
I have it also up and running here.
Maybe this will help you:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

(Optional if not Automatic) Add ACL Entry for Unbound DNS

If you plan to use your WireGuard interface to provide DNS rather than some other DNS server on your network, it has been noted through feedback that there could be the possibility that you will need to add an entry to the Unbound DNS ACL (Access Control List) to allow the WireGuard interface to access your Unbound DNS server in OPNsense. For my configuration, it seems to have been added automatically, but if you are having issues with accessing your DNS server through the WireGuard interface (in my example, the DNS server would be 10.0.0.1), you may want to check your ACL configuration by going to the “Services > Unbound DNS > Access Lists” page. Click the “Add” button to enter the WireGuard network of 10.0.0.1/24 (for my example) to the ACL.
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 09, 2021, 03:44:26 pm
I have it also up and running here.
Maybe this will help you:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

(Optional if not Automatic) Add ACL Entry for Unbound DNS

If you plan to use your WireGuard interface to provide DNS rather than some other DNS server on your network, it has been noted through feedback that there could be the possibility that you will need to add an entry to the Unbound DNS ACL (Access Control List) to allow the WireGuard interface to access your Unbound DNS server in OPNsense. For my configuration, it seems to have been added automatically, but if you are having issues with accessing your DNS server through the WireGuard interface (in my example, the DNS server would be 10.0.0.1), you may want to check your ACL configuration by going to the “Services > Unbound DNS > Access Lists” page. Click the “Add” button to enter the WireGuard network of 10.0.0.1/24 (for my example) to the ACL.

Do you have it running with AdGuard Home setup?

I would be keen to see what settings you have within the WireGuard client and the OPNsense WireGuard settings. Also AdGuard Home.

There's just something missing, but I have no clue what it is.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 09, 2021, 07:09:39 pm
I have the OPNsense AdGuard Home plugin running - https://www.routerperformance.net/opnsense-repo/

What DNS setting do you have in your WireGuard client config? I use the WireGuard interface, e.g. 10.10.10.1.

In AdGuard DNS settings I have
Bootstrap DNS servers: 192.168.1.1:5353
Private DNS servers: 192.168.1.1:5353
where 192.168.1.1 is my OPNsense IP, and I have Services: Unbound DNS: General - Listen Port: 5353

Hope that helps.



Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 10:37:06 am
Hi. It is likely I should ask this somewhere else as it is not directly a technical setup question, but maybe.
I've been using OPN with DoT(get-dns)+Unbound _and_ a pi-hole for a while and all is good.
I wanted to compare with AdGuard and I've just done it yesterday by using mimugmail's plugin.
I wanted to limit the reconfiguration and to do that, I configured pi-hole and AdGuard in a chain. It was the easiest way to just put another app and point to it.
Now the question. They seem to be pretty much the same and the setup is almost identical.
Apart from AG being able to run directly on OPN, is there another big reason people prefer it with OPN?
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 10, 2021, 01:02:00 pm
For me personally the switch from Pi-hole to AdGuard was the assumption that running it on my more powerful device with OPNsense, and running it directly as the app, would make it faster.
Besides that I found AdGuard Home more user friendly and easier to configure.
With Pi-hole I had around 36 ms average processing time and with AdGuard I get 8 to 9 ms on an average day.
This can be because of running it directly as an app, but maybe it is also because I use DoT with Cloudflare and Quad9 with DNS settings - parallel requests.

Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 02:07:02 pm
Thanks for sharing. I'm planning on reconfiguring now to bypass Pi-hole. Performance is a good reason of course.
I'm on a tiny appliance so it might not be good for me. We'll see.
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 02:14:07 pm
Tried, OPN not happy.
In Services > IPV4 > LAN I wanted to change from the IP for pi-hole to the LAN IP on a non standard DNS port in the "DNS Servers" field i.e. 192.168.5.1:5353 where ADG is running. I've tried with : @ and # as port delimiter.
Does anybody know if there is a way to do that there?
I know if not I'll have to do firewall rules but I was hoping I didn't have to.
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 02:31:10 pm
I've tried as a workaround setting Unbound to listen on 5353 and in Services > DHCPv4 > LAN set to just its LAN address 192.168.5.1, restarted both services and reconnected a client. No DNS resolution.
I'll keep looking at options.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 10, 2021, 02:57:18 pm
Do you have AdGuard on 53 and Unbound on 5353?
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 04:05:25 pm
I have Unbound on 53 pushing dns requests on via "Custom Options" to my preferred stub on localhost:853.
AdG is running on 5353.
DHCP clients get the independent Pi-hole IP address as DNS server, and Pi-hole listens on 53 and has OPN as its upstream.
So currently clients DNS requests go:
client > pi-hole:53 > OPN-Unbound:53 > OPN-Stubby:853 > DoT resolvers.
Then to test ADG I put it inline:
client > pi-hole:53 > OPN-AdG:5353 > OPN-Unbound:53 > OPN-Stubby:853 > DoT resolvers.
With testing OK now I wanted to just bypass pi-hole.
That's where I'm scratching my head. Getting DHCPv4 to push 5353 to the clients.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 10, 2021, 04:35:41 pm
Maybe the easiest way in your config is to shut down Pi-hole, then run AdG on port 53 as well to see if that works, and work from there?
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 05:11:06 pm
pi-hole being "there" is not an issue. My issue is getting OPN to dish out a different port via DHCP for a DNS resolver.
If pi-hole was out of the equation I can change the listening ports on both Unbound or AdG but the tricky part is with AdG now being on the same IP (plugin on OPN). It could look like this:
client > OPN-AdG:53 > OPN-Unbound:5353 > OPN-Stubby:853 > DoT resolvers.
But then how do I get DHCP to push clients to AdG on 53. Hm, that could work actually. I'll check.
I appreciate the input.
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 11, 2021, 02:02:56 pm
I have the OPNsense AdGuard Home plugin running - https://www.routerperformance.net/opnsense-repo/

What DNS setting do you have in your WireGuard client config? I use the WireGuard interface, e.g. 10.10.10.1.

In AdGuard DNS settings I have
Bootstrap DNS servers: 192.168.1.1:5353
Private DNS servers: 192.168.1.1:5353
where 192.168.1.1 is my OPNsense IP, and I have Services: Unbound DNS: General - Listen Port: 5353

Hope that helps.

In the client config (on my phone) I used the WireGuard interface IP (let's say it's 10.10.10.1).
On OPNsense, I didn't set a DNS server at the end point.

The issue is definitely with AdGuard Home added in.

I will recheck my configuration later today and see if I'm messing something up along the way.

The fixes in this thread didn't seem to work for me: https://forum.opnsense.org/index.php?topic=22409.0
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 11, 2021, 04:17:00 pm
https://forum.opnsense.org/index.php?topic=22918.0
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 12, 2021, 11:37:33 am
I might look at just removing Unbound from the chain right now.

I'm getting very confused as to why I suddenly can't resolve local names.

I use a domain name, example.net, for my internal network. This now isn't resolving.
I previously had my OPNsense router IP as my top upstream DNS in AdGuard, but I don't think this is correct?

I've discovered that you can define a DNS server in upstream for specific domains, e.g. [/host.com/]1.2.3.4 (from here: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#upstreams).

I feel like this is quite flaky and the sheer amount of conflicting and confusing posts in here isn't making it any easier to understand :-\ Definitely need a concise roundup/summary of what is correct.

Update: I had to re-enable the Static DHCP mapping and register leases in Unbound and it started working again for now. There's probably something else I could do to fix this, but for now I don't have the time to mess around too much.
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 12, 2021, 12:07:17 pm
pi-hole being "there" is not an issue. My issue is getting OPN to dish out a different port via DHCP for a DNS resolver.
If pi-hole was out of the equation I can change the listening ports on both Unbound or AdG but the tricky part is with AdG now being on the same IP (plugin on OPN). It could look like this:
client > OPN-AdG:53 > OPN-Unbound:5353 > OPN-Stubby:853 > DoT resolvers.
But then how do I get DHCP to push clients to AdG on 53. Hm, that could work actually. I'll check.
I appreciate the input.
Yup, that worked. I've bypassed Pi-hole now. It's still on so I can push the queries back, but so far all good. I was expecting my firewall rules to be a little trickier with it being localhost, but so far just replacing the IP with the LAN local has worked without problem.
I had to test different ad hosts blocklists but so far functionally I'm good.
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 12, 2021, 01:25:29 pm
Hmm. I may have fixed my WireGuard issue.

I had a Port Forward rule from WAN address to a different net and using the WireGuard port. When I disabled that it seemed to start working again.

Very weird. I can't use my local domain name right now, but I'm getting there. 

Update: I think it's all fixed now. Used the WG interface as the DNS and it seems to work fine. Also added 1.1.1.1 to be safe. So have local name resolution and internet.
Title: Re: AdGuard Home setup guide
Post by: flushell on September 12, 2021, 09:50:48 pm
For local DNS I now use Unbound in OPNsense. I own a domain name and I have Pi-hole configured to do Conditional forwarding for my domain.

If I want to switch to AdGuard, how does AdGuard know when to query Unbound for the local domain? Does it take the domain name configured in OPNsense (under System - Settings - General - Domain)?
Title: Re: AdGuard Home setup guide
Post by: burntoc on September 21, 2021, 03:25:07 am
deleted
Title: Re: AdGuard Home setup guide
Post by: yeraycito on September 23, 2021, 03:04:39 pm
AdGuard beta?

I have upgraded Opnsense to 21.7.3. After restarting Opnsense Adguard has moved to a beta version. After 10 minutes I logged in again and I had a new update, also beta. Adguard works fine but I don't quite understand the move to beta software.
Title: Re: AdGuard Home setup guide
Post by: Vesalius on September 23, 2021, 04:55:32 pm
Per the OPNsense adguard home maintainer on the reason for moving to .107 beta.

https://www.reddit.com/r/OPNsenseFirewall/comments/pm84nr/need_betatesters_for_adguardhome_0107_update/

https://www.reddit.com/r/OPNsenseFirewall/comments/pndq1m/new_updates_to_community_repo_adguardhome_caddy/
Title: Re: AdGuard Home setup guide
Post by: yeraycito on September 23, 2021, 05:36:10 pm
Thank you, I didn't know that.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 28, 2021, 09:45:32 pm
Question about the config of Adguard Home: Is there a way to backup and restore the adguard home config?
Or is this already being added to the opnsense backup config file?
Title: Re: AdGuard Home setup guide
Post by: Flyinace2000 on October 17, 2021, 03:55:32 pm
My ISP provides IPv6 addresses.  When I enable that on OPNSense it also directs DNS via IPv6.  Is there a good guide to follow to explain how to use IPv6 in a home environment and still use PIHole/Adguard for filtering?  For now I just disabled IPv6.
Title: Re: AdGuard Home setup guide
Post by: mkono87 on October 26, 2021, 02:59:16 am
Perhaps I'm missing a step. If I don't have an IP listed in Settings/General in the DNS servers list, I don't have internet. I have to put 8.8.8.8, which I believe is defeating the purpose. I don't see any entries in AdGuard for my desktop, for example. If I leave it blank I have no internet on it.

I first changed Unbound to 5353, but I have also disabled it. What could I be missing?
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 12, 2021, 05:56:44 pm
Hi all,

I've just migrated my firewall from the Ubiquiti UniFi UDM Pro to OPNsense. I've been reading the forum for several months now, and following my migration I'm quite curious about how to go about implementing NextDNS in addition to my AdGuard/Unbound setup. After following Yeraycito's guide on how to use AdGuard Home standalone with Unbound in OPNsense, I want to follow yet another of Yeraycito's sets of instructions, but I believe there were some changes between the version Yeraycito was using when he posted his screenshots and the latest OPNsense version which I'm currently running, as I don't have a Miscellaneous section under Services / Unbound, nor Unbound / General / Custom Options.

Could someone guide me on which Unbound section I should be using to set this up?

Installation:

Go to https://nextdns.io/ and register for free. Once registered you are given a personalised ID and DNS.

OPNsense installation:

 - Follow the tutorial explained above for AdGuard.

 - Unbound - General - Custom Options: add the following (XXXXXX is your custom ID in NextDNS):

server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io

Thanks in advance.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on November 12, 2021, 06:36:18 pm
Hello, you can do it in the following way.

1 - Go to the NextDNS website and copy the address that appears in the DNS over HTTPS section: https://dns.nextdns.io/xxxxx

2 - Disable Unbound

3 - In Adguard - Settings - DNS settings you set that address.
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 12, 2021, 06:45:46 pm
Hello, you can do it in the following way.

1 - Go to the NextDNS website and copy the address that appears in the DNS over HTTPS section: https://dns.nextdns.io/xxxxx

2 - Disable Unbound

3 - In Adguard - Settings - DNS settings you set that address.
Thanks Yeraycito

One additional question: is there any way to keep Unbound enabled?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on November 13, 2021, 08:07:27 pm
No, disable Unbound
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 13, 2021, 11:54:47 pm
Thanks Yeraycito!
Title: Re: AdGuard Home setup guide
Post by: jonohunt on November 17, 2021, 01:43:37 pm
I've been using this post as a reference setting up AdGuard with Unbound (very helpful, thanks!), but haven't managed to get hostnames showing in AdGuard, only IP addresses.

I thought of ditching Unbound and using just AdGuard for DNS and DHCP, but then remembered that I'm using overrides in Unbound in order to be able to use Nginx Proxy Manager. I have an FQDN with a wildcard certificate to access my web apps (Home Assistant, Plex, Syncthing, etc.) but only internally, not accessible outside of my LAN.

Would doing that still be possible if I were to disable Unbound and only use AdGuard?
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 24, 2021, 07:22:36 pm
Hello,

Guys, I have a question concerning the use of NextDNS within AdGuard. I have AdGuard running on 2 separate RPis, so in case one fails we still have a DNS working; of course OPNsense points to both. My issue here is that, first of all, I had to add the relevant https://dns.nextdns.io/xxxxx in the DNS upstream section and add the "normal IPs" (45.X.X.X) in the section below concerning the DNS bootstrap to get it working on the 1st RPi, but when I added that same information on the 2nd one I get an error stating that it's impossible to use https://dns.nextdns.io/xxxxx, please check that the name is correct.

Not sure what I'm doing wrong here, so any advice will be appreciated. Please note that if I use the Cloudflare https://family.cloudflare-dns.com/dns-query with the 1.X.X.3 that works for the 2nd RPi. Is there a limitation of 1 global device per network for the usage of NextDNS within AdGuard?

Has anyone already had this issue? Is it the expected behaviour?

Thanks in advance for taking the time to help out, any advice will be highly appreciated.
Title: Re: AdGuard Home setup guide
Post by: Nekromantik on November 25, 2021, 07:01:40 pm
Any way to update AdGuard?
It has shown me a new version notification for a few weeks now.
Title: Re: AdGuard Home setup guide
Post by: RamSense on November 25, 2021, 07:52:09 pm
I just hit update in AdGuard Home and it updates itself.
Title: Re: AdGuard Home setup guide
Post by: Nekromantik on November 25, 2021, 08:20:59 pm
I just hit update in AdGuard Home and it updates itself.

Ah, I thought it would not work as it's a plugin!
thanks
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 27, 2021, 08:03:23 pm
Hello,

Guys, I have a question concerning the use of NextDNS within AdGuard. I have AdGuard running on 2 separate RPis, so in case one fails we still have a DNS working; of course OPNsense points to both. My issue here is that, first of all, I had to add the relevant https://dns.nextdns.io/xxxxx in the DNS upstream section and add the "normal IPs" (45.X.X.X) in the section below concerning the DNS bootstrap to get it working on the 1st RPi, but when I added that same information on the 2nd one I get an error stating that it's impossible to use https://dns.nextdns.io/xxxxx, please check that the name is correct.

Not sure what I'm doing wrong here, so any advice will be appreciated. Please note that if I use the Cloudflare https://family.cloudflare-dns.com/dns-query with the 1.X.X.3 that works for the 2nd RPi. Is there a limitation of 1 global device per network for the usage of NextDNS within AdGuard?

Has anyone already had this issue? Is it the expected behaviour?

Thanks in advance for taking the time to help out, any advice will be highly appreciated.
Anyone to advise on the above please? Thanks
Title: Re: AdGuard Home setup guide
Post by: inlophe on November 28, 2021, 07:03:02 pm
Hi,

Thank you for the guide. As I'm new to Opnsense, it helps a lot.

I run into one problem though.
My setup is using Unbound as resolver, so: LAN -> AdGuard (listening on 53) -> Unbound (listening on 53530) -> DoT server. DNS resolution works fine for all the clients, and AdGuard is doing its job properly too, except for the router itself. Trying to ping a public domain from the router shell gives me "Host name lookup failure", and I can't update firmware and plugins because of that.

When I disable AdGuard and change my unbound port back to 53 it works, I can ping and update from the router.

Is there any settings that I should know of?
Title: Re: AdGuard Home setup guide
Post by: wadhwa on December 02, 2021, 11:45:18 am
I have extended this to back up the AdGuardHome.yaml file using the Git backup plugin (which is a prerequisite).

1) login to shell in OpnSense

2) edit actions_adguardhome.conf

Code: [Select]
vi /usr/local/opnsense/service/conf/actions.d/actions_adguardhome.conf
3) Insert following:

Code: [Select]
[backup]
command:cp /usr/local/AdGuardHome/AdGuardHome.yaml /conf/backup/git ; cd /conf/backup/git; git add AdGuardHome.yaml; git commit -m "Adguard Config changes on `date`" AdGuardHome.yaml
parameters:
type:script
message:backing up Adguardhome config
description:Backup Adguardhome config

See 1.png attached

5)  Restart configd

Code: [Select]
service configd restart
6) Configure Cron job in Web UI

See 2.png attached

7) Result See 3.png attached
Title: Re: AdGuard Home setup guide
Post by: mkono87 on December 02, 2021, 05:13:28 pm
The thing I have noticed is that when I try to connect to another VLAN, even by a simple ping or to access a web UI, it will hang on the first attempt. If I cancel and ping again or refresh the page it connects without issue. I'm not exactly sure where this is happening. It's acting as if there is no route table created or something. Would love some insight into why this could be happening. Forgive me if this isn't enough info; just ask and I'll be happy to provide.
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 04, 2021, 01:21:52 pm
I was looking into the AdGuard Home queries and saw .local and .localdomain with processed NXDOMAIN.

Is it normal to have those queried to an outside DNS (in my case Cloudflare)?

Is there a way to have those queried only locally?
Title: Re: AdGuard Home setup guide
Post by: wadhwa on December 04, 2021, 07:27:09 pm
Add following to your upstream DNS servers box:

[/mydomain.local/]192.168.1.1

replace mydomain.local with your local domain and 192.168.1.1 with your local DNS server IP.



I was looking into the AdGuard Home queries and saw .local and .localdomain with processed NXDOMAIN.

Is it normal to have those queried to an outside DNS (in my case Cloudflare)?

Is there a way to have those queried only locally?
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 04, 2021, 09:17:18 pm
Thanks for that tip.
But I see also domains like wpad.localdomain and api.wordpress.org.localdomain etc.
So I just tried a custom filtering rule (block):
||*.local^$important
||*.localdomain^$important

don't know what is better?

On further thought... maybe I can better add [/localdomain/]192.168.1.1:5353
to the Upstream DNS server
Title: Re: AdGuard Home setup guide
Post by: wadhwa on December 05, 2021, 07:13:16 pm
To reject all wpad lookups you can use the following custom filtering rule:

Code: [Select]
/wpad[.]([a-z0-9.])*/$dnsrewrite=NXDOMAIN;;
I have seen api.wordpress.org.localdomain when you use Blocking mode NXDOMAIN; change to default and these will go away...

thnx for that tip.
But I see also domains like wpad.localdomain and api.wordpress.org.localdomain etc.
So I just tried a custom filtering rule (block):
||*.local^$important
||*.localdomain^$important

don't know what is better?

On further thought... maybe I can better add [/localdomain/]192.168.1.1:5353
to the Upstream DNS server
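To make the two mechanisms in the last few posts concrete, here is an added example (not code from the thread and not AdGuard Home's own implementation) that models how a query is handled: custom filtering rules are checked first (the regex $dnsrewrite=NXDOMAIN rule for wpad and a ||*.localdomain^ block rule), and only unfiltered names are routed to an upstream, where a [/domain/]server line wins over the default upstreams for that domain and its subdomains. The matching semantics (longest matching domain wins, '#' means "use the default upstreams", first matching filter rule wins) are a simplified assumption modelled on AdGuard Home's documented behaviour; the sample config values are constructed from the thread.

```python
import re

# Constructed sample configuration built from the lines discussed above.
UPSTREAM_LINES = [
    "1.1.1.1",                        # default upstream (the thread uses Unbound/DoT here)
    "[/mydomain.local/]192.168.1.1",  # wadhwa's tip: the local zone goes to the local resolver
    "[/public.mydomain.local/]#",     # '#' sends this subdomain back to the default upstreams
]
FILTER_RULES = [
    "/wpad[.]([a-z0-9.])*/$dnsrewrite=NXDOMAIN;;",  # wadhwa's wpad rule
    "||*.localdomain^$important",                   # one of RamSense's block rules
]


def parse_upstreams(lines):
    """Split AdGuard-style upstream lines into (default_upstreams, {domain: upstream})."""
    defaults, by_domain = [], {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        m = re.fullmatch(r"\[/([^\]]+)/\](.+)", line)
        if m:                                       # [/a.example/b.example/]server
            for dom in m.group(1).split("/"):
                if dom:
                    by_domain[dom.lower().rstrip(".")] = m.group(2).strip()
        else:
            defaults.append(line)
    return defaults, by_domain


def select_upstreams(host, defaults, by_domain):
    """Most specific (longest) configured domain wins; '#' falls back to the defaults."""
    best = None
    for dom in by_domain:
        if host == dom or host.endswith("." + dom):
            if best is None or len(dom) > len(best):
                best = dom
    if best is None or by_domain[best] == "#":
        return list(defaults)
    return [by_domain[best]]


def compile_rule(rule):
    """Turn one custom filtering rule into (regex, verdict); unsupported syntax -> None."""
    if rule.startswith("/"):                        # /regex/$options
        m = re.fullmatch(r"/(.+)/(?:\$(.*))?", rule)
        body, opts = m.group(1), (m.group(2) or "")
        verdict = "NXDOMAIN" if opts.startswith("dnsrewrite=NXDOMAIN") else "blocked"
        return re.compile(body), verdict
    if rule.startswith("||"):                       # ||host^ with optional '*' wildcard
        host = rule[2:].split("^")[0]
        pattern = "^(.*\\.)?" + re.escape(host).replace(r"\*", ".*") + "$"
        return re.compile(pattern), "blocked"       # 'blocked' answer depends on blocking mode
    return None


def resolve(name, upstream_lines=UPSTREAM_LINES, filter_rules=FILTER_RULES):
    """Return (verdict, upstreams): verdict is 'NXDOMAIN', 'blocked' or 'forward'."""
    host = name.lower().rstrip(".")
    for rule in filter_rules:                       # filtering runs before any forwarding
        compiled = compile_rule(rule)
        if compiled and compiled[0].search(host):
            return compiled[1], []
    defaults, by_domain = parse_upstreams(upstream_lines)
    return "forward", select_upstreams(host, defaults, by_domain)


if __name__ == "__main__":
    for q in ("wpad.localdomain", "api.wordpress.org.localdomain",
              "nas.mydomain.local", "www.public.mydomain.local", "example.com"):
        print(f"{q:32} -> {resolve(q)}")
```

Because filtering is evaluated first, a ||*.localdomain^ block rule and a [/localdomain/]192.168.1.1:5353 upstream line cannot both take effect for the same name; the block wins, which is the practical difference between the two options weighed above.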
Title: Re: AdGuard Home setup guide
Post by: moe on December 08, 2021, 02:06:29 pm
Has anything happened with AdGuard? I am currently unable to log into the web interface running on my OPNsense installation.
Do I need a custom username for this interface or is it the same as the admin panel from OPNsense?
I have used AdGuard now for a really long time without any troubles, but now I am not able to log in.

On the frontend from Opnsense i use ldap for the authentication.

Thanks for help.
Kind regards
Title: Re: AdGuard Home setup guide
Post by: sclawrenc on December 10, 2021, 03:51:19 am
I followed the guide at the site listed below to setup AdGuard Home using the freebsd version instead of the community plugin, and it's working great other than I only see one client (127.0.0.1) listed in the clients.  All DNS queries are processing as far as I can tell.  Anyone know how to fix my setup to show the individual clients instead of only 127.0.0.1?

Any thoughts on using the guide I linked below versus using the community plugin?

Thanks

https://forums.torguard.net/index.php?/topic/2545-opnsense-adguardhome-total-control-mode-doq/#replyForm
Title: Re: AdGuard Home setup guide
Post by: sclawrenc on December 10, 2021, 03:53:54 pm
In regards to my post above, I suspect it has to do with the fact Unbound is listening on port 53 and AdGuard is listening on port 53530, but I'm not certain how to go about fixing it.  I could try some things and probably will in the meantime until someone has some feedback.  :)
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 10, 2021, 05:32:33 pm
Why not use the plugin version? Works great, including updates :-)

But for your Unbound: have you tried setting Unbound to port 5353 and AdGuard on port 53?
And in AdGuard DNS settings: Bootstrap DNS servers and Private reverse DNS servers pointing to opnsenseip:5353

That's my setting.
Title: Re: AdGuard Home setup guide
Post by: sclawrenc on December 10, 2021, 07:17:28 pm
Why not use the plugin version? Works great, including updates :-)

But for your Unbound: have you tried setting Unbound to port 5353 and AdGuard on port 53?
And in AdGuard DNS settings: Bootstrap DNS servers and Private reverse DNS servers pointing to opnsenseip:5353

That's my setting.

Thanks RamSense for your response.  I tried the plugin first, ran into an issue (most likely misconfiguration on my side), and then decided to try that other guide for fun, plus I wanted to use IPv6, but I'm not sure the plugin version supports it.  I think it would, but I am not certain.
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 10, 2021, 08:37:42 pm
Ah ok. Well I hope you can get it to work with changing the ports.

p.s. I have also (very recently) got ipv6 and I can confirm it works with the plugin version.
Title: Re: AdGuard Home setup guide
Post by: sclawrenc on December 10, 2021, 10:19:04 pm
Thanks RamSense.  Are you able to see the individual clients in AdGuard or do they all show coming from your router or local host IP?  Also, what did you do different to get IPv6 working?  Thanks again.
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 11, 2021, 10:20:14 am
Settings - Client settings -> I see the IPv6 devices and gave them a name in AdGuard. OPNsense is the DHCP server.
I did not have to make any changes in AdGuard, it worked right away. I do not remember what interfaces I used with the AdGuard install, maybe I just did all interfaces and that is why I did not have to change anything (?)

In OPNsense I have static IPv6, which works great, but there is still an IPv6 bug in FreeBSD which will hopefully be fixed in the OPNsense 22.1 / FreeBSD 13 version. See e.g. here: https://forum.opnsense.org/index.php?topic=25824.0
Title: Re: AdGuard Home setup guide
Post by: supercm on December 22, 2021, 01:00:49 am
Has anyone gotten AdGuard to also listen on virtual IP addresses?
Title: Re: AdGuard Home setup guide
Post by: mkono87 on December 22, 2021, 03:58:11 am
Has anyone setup keepalived to sync with this with a second instance on another server for high availability?
Title: Re: AdGuard Home setup guide
Post by: mkono87 on December 28, 2021, 11:03:53 pm
Has anyone setup keepalived to sync with this with a second instance on another server for high availability?

Hmm guess not. I guess if I tried this it would be best on something else than the firewall.
Title: Re: AdGuard Home setup guide
Post by: bahamies on January 09, 2022, 02:23:34 pm
I recently changed my LAN address range from 192.168.x.x to 10.10.x.x based. After the swap I started having problems with DNS resolution in my VLANs. Before the change I did not need any firewall rules or DHCP DNS settings to get resolution on other VLANs, but now I need to set DNS server on VLAN DHCP settings to get any resolution.

This of course is not a huge problem, but I just find it odd and figured that there is maybe something misconfigured in my setup. There is probably some setting that is causing this but I can't find it. Any advice on where to look?

E: I'm using Adguard and routing DNS over TLS with Unbound. The setup is basically the same as in here https://forum.opnsense.org/index.php?topic=22162.msg106715#msg106715

E2: Solved, I forgot to select all VLANs in DNS Listen Interfaces dropdown. Reconfigured and seems to be working as earlier now.
Title: Re: AdGuard Home setup guide
Post by: Steffen123 on January 18, 2022, 07:09:26 pm
I did configure my opnsense like how described in this post and with Option 1

https://forum.opnsense.org/index.php?topic=22162.msg106715#msg106715

But I have some issues. It seems like DNS resolving from the OPNsense itself isn't working.

When I open a shell on OPNsense and use "nslookup google.com" I get the answer:

;; connection timed out; no servers could be reached

Did I do something wrong?
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 22, 2022, 09:18:26 am
When rebooting OPNsense, AdGuard does not start automatically and I have to start it manually.

Is this (see picture I found in a pfSense guide) something I/we should add? Or can this be added to the plugin?
And if added manually, how to do this in OPNsense:

Step 6: Making AdGuard Home start on boot:

Go to Services>shellcmd and click Add

Command: /usr/local/bin/screen -S AdGuardHome_screen -d -m /opt/AdGuardHome/AdGuardHome
Shellcmd Type: shellcmd
Description: AdGuard

as found here: https://broadbandforum.co/threads/installing-adguard-home-on-pfsense.205884/page-2
Title: Re: AdGuard Home setup guide
Post by: gogolathome on January 24, 2022, 01:38:27 am
When rebooting OPNsense, AdGuard does not start automatically and I have to start it manually.

Is this (see picture I found in a pfSense guide) something I/we should add? Or can this be added to the plugin?
And if added manually, how to do this in OPNsense:

Step 6: Making AdGuard Home start on boot:

Go to Services>shellcmd and click Add

Command: /usr/local/bin/screen -S AdGuardHome_screen -d -m /opt/AdGuardHome/AdGuardHome
Shellcmd Type: shellcmd
Description: AdGuard

as found here: https://broadbandforum.co/threads/installing-adguard-home-on-pfsense.205884/page-2
That is not how it should be done! AdGuardHome should be installed as a plugin.
Look at this: https://www.routerperformance.net/opnsense-repo/
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 24, 2022, 08:00:36 am
Sorry, forgot to mention that I'm running the plugin of AdGuard Home.

N.B. With OPNsense 22.1 it is fixed. After the installation the system came up automatically.
Title: Re: AdGuard Home setup guide
Post by: bamboozilla on January 25, 2022, 10:21:23 am
Hi, I followed this tutorial but having an empty System:Settings:General DNS servers results in this error on the host:

dig google.com
Code: [Select]
Error: error sending query: No (valid) nameservers defined in the resolver
I also have a time out error on the OPNsense update check.

Could anyone with a working adguard + unbound configuration share their `/etc/resolv.conf`?

The only way to make it work for me is to set a fallback DNS servers in System:Settings:General DNS servers.

Here is my whole configuration DNS wise if it can help troubleshooting my issue:

System:Settings:General:
Code: [Select]
DNS Server: empty
Do not use the local DNS service as a nameserver for this system: CHECKED

Services:DHCPv4:[LAN]:
Code: [Select]
DNS servers: empty

Unbound DNS:General:
Code: [Select]
Listen Port: 53530
Enable: CHECKED
Enable DNSSEC Support: CHECKED
Register DHCP leases: CHECKED
Register DHCP static mappings: CHECKED
Local Zone Type: transparent

AdGuard Home interfaces when initially configuring were set to LAN only

Adguard:DNS settings:
Code: [Select]
Upstream DNS servers: 127.0.0.1:53530
Bootstrap DNS servers: 127.0.0.1:53530
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on January 26, 2022, 06:10:04 pm
I'm not sure you followed this tutorial. The original post, page 1 shows it using an ip in System:Settings:General DNS servers field. Looks like you are trying to do it differently.
I use Unbound and Adguard home. I also have that field setting and my /etc/resolv.conf only has "domain mydomain" in it. As expected.
Where are you issuing your dig command, a client or the firewall device?
Where is adguard running, another machine?
How are your clients being pointed to that_machine:53530 , dhcp?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 28, 2022, 02:19:41 pm
After doing a clean install of Opnsense 22.1 I tried to install Adguard. It installs version 0.107.3 stable. I have encountered several difficulties that have prevented me from getting it up and running. When starting the Adguard configuration it indicates that port 53 is in use (Undbound) and forces you to change it if you want to continue configuring Adguard. I changed the Undbound port to 5353 and continued configuring Adguard normally. The problem is that it does not work and there is no internet connection. I have tried setting other ports in Unbound and the same thing happens, there is no internet connection. I have uninstalled Adguard and tried in Unbound to change the port and try to see if there is connection without Adguard. The result is that if Unbound is not set to port 53 by default there is no internet connection. If you set Unbound to any port other than 53 there is no internet connection even if you have configured the corresponding dns. I have done a second test, I have deactivated Unbound and installed Adguard on port 53. At the beginning and after configuring the dns in Adguard everything worked perfectly, but inexplicably after a short time the lan devices were without internet connection, they were no longer displayed in the Adguard logs. However, 127.0.0.1 continued to display and have a connection in Adguard. In the end I had to uninstall Adguard as I couldn't get it to work.

Title: Re: AdGuard Home setup guide
Post by: bamboozilla on January 28, 2022, 05:08:28 pm
I'm not sure you followed this tutorial. The original post, page 1 shows it using an ip in System:Settings:General DNS servers field. Looks like you are trying to do it differently.
I use Unbound and Adguard home. I also have that field setting and my /etc/resolv.conf only has "domain mydomain" in it. As expected.
Where are you issuing your dig command, a client or the firewall device?
Where is adguard running, another machine?
How are your clients being pointed to that_machine:53530 , dhcp?

Thanks for your answer.

I did follow the tutorial as it says the following:
On OPNsense:
System -> General Setup
Set '8.8.8.8' as DNS server (Or whatever DNS you would like as a backup, if you only want AdGuard you can remove all DNS servers from this list and leave it blank)
Untick: Do not use the local DNS service as a nameserver for this system
This way by default OPNsense will use itself (127.0.0.1) as the resolver which we want.

For me these instructions result in non-functioning changelog access.

I am doing the drill commands directly from the shell of the OPNsense box.
AdGuard is running as a plugin of OPNsense.
The clients have no issues regarding the local DNS, they are getting their IPs and DNS through the OPNsense DHCP server, yes.

At the end of the day, my issue isn't really that bad as it only means that OPNsense itself will use a different DNS.

@yeraycito: I suggest you try to reproduce my config as apart from my small issue everything is working flawlessly (it's a clean install)
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 28, 2022, 07:26:33 pm
Thank you very much, I have tried it and it works.

Opnsense 22.1 Clean Install - Installation:

It is very important to follow the order explained

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Opnsense - System - Settings -General

      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

5 - Opnsense - Services - Unbound - Dns Over Tls

      Set the desired DNS servers, e.g., Cloudflare:
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com

6 - Opnsense - Services - Unbound - General
 
     Listen Port: 5353

7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the AdGuard setup

8 - AdGuard Home - DNS Configuration - Upstream Servers: Add router_ip:5353  ( 192.168.1.1:5353 ) and delete those that exist

Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
Title: Re: AdGuard Home setup guide
Post by: hushcoden on January 29, 2022, 12:14:58 pm
Decided to try AdGuardHome with Unbound, and are you guys also using the blocklist from Unbound or is it simply redundant?

Tia.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 29, 2022, 02:35:25 pm
It depends on the lists you put up. In Unbound they are already preconfigured and you can activate the ones you want. Adguard has two basic lists and you can add as many as you want. If you put good lists in Adguard you don't need to activate the ones in Unbound. Some of the lists I have in this post are a set of other lists.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 08:02:14 pm
I am running OPNsense 22.1 and installed AdGuard from the mimugmail repo. Unbound is listening on port 5335 on all my LANs and VLANs. In AdGuard the upstream and bootstrap DNS server is set to 192.168.1.1:5335.
Furthermore under Settings - General there is no DNS server set (empty). Also in the DHCP settings no DNS server is set.

From my LAN network I am able to resolve addresses but not from my VLANs. Any suggestions how to solve this problem?

As an example I have also added a screenshot from my IoT rules.

Regards Chris
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 29, 2022, 08:11:07 pm
Hi, try creating a dns rule and put it at the top. You can see how to do it here:

https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 08:21:13 pm
As a NAT - Port Forward rule?

In the past when I was using Pi-hole on a raspberry I was using this rule to forward all DNS traffic to the pi-hole.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 08:40:57 pm
Is there a way to change the listen interfaces in AdGuard?
During the first setup I selected only my physical LAN interface and not the VLANs. Maybe this is the fault.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 29, 2022, 09:15:33 pm
You can't, you have to uninstall and reinstall it. The DNS rule is not a port forward, you have to create it in Firewall - Rules - IOT and put it at the top. When installing Adguard, configure it on all interfaces.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 09:27:08 pm
With this configuration of OPNsense and AdGuard is it necessary to create a NAT Unbound rule to force all hardcoded devices like Google Home to use my provided DNS server?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 10:07:40 pm
So now with all interfaces selected during the initial setup it's working.
Title: Re: AdGuard Home setup guide
Post by: namnnumbr on February 01, 2022, 03:29:24 am
I'm trying to set AdGuardHome to work as the DNS for 4 vlans:

LAN:10.0.0.0
HOME: 10.1.0.0
LAB: 10.2.0.0
IOT: 10.3.0.0

On each interface, I have set the interface IP as the DNS server.
All VLANS have been set with a port forward rule to capture the dns requests and pass to 127.0.0.1:53.

AdGuard works fine on LAN and HOME, but not on LAB and IOT: I get no resolution and if I dig, I receive an error: "reply from unexpected source: 10.0.0.1#45443, expected 10.3.0.1#53"
If I set the LAB or IOT DNS server to 10.0.0.1 (LAN address), it works.

I do not understand: HOME works just fine with the DNS server set as the HOME address, but LAB and IOT fail with the DNS server set as their interface addresses.

Any suggestions as to why this is the case?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 01, 2022, 04:52:11 pm
Do you maybe have an inter-VLAN routing deny rule on both VLANs?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 01, 2022, 07:43:48 pm
I got it working now by following these instructions:
https://labzilla.io/blog/force-dns-pihole

But I also had to add a DNS-Allow rule on top of all other rules for the different networks.
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

Now my network clients are using AdGuard and the internal DNS resolver, also devices with hardcoded DNS like the Google Nest Mini.
Title: Re: AdGuard Home setup guide
Post by: namnnumbr on February 02, 2022, 01:04:42 am
Thanks for the resources.  If I can't resolve it tonight, I guess I'll try rebuilding from scratch and try to follow these instructions.

I don't see how an inter-VLAN deny rule would allow me to access across VLANs (IoT -> LAN) but not allow IoT -> IoT address (although it's entirely possible I've messed up somewhere)...  Additionally, I have the automatic NAT rule created which should allow access to interface_address:53

When you set up outgoing NAT, did you set it up per interface?
I've tried outgoing NAT, and it doesn't make a difference.  I wasn't sure I was doing it right, so I tried various permutations of LAN/IOT for interface, source, and destination.  Still receiving the same error.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 02, 2022, 08:04:17 am
Thanks for the resources.  If I can't resolve it tonight, I guess I'll try rebuilding from scratch and try to follow these instructions.

When you set up outgoing NAT, did you set it up per interface?
I've tried outgoing NAT, and it doesn't make a difference.  I wasn't sure I was doing it right, so I tried various permutations of LAN/IOT for interface, source, and destination.  Still receiving the same error.

I will do some screenshots from my rules this afternoon, I think this will explain it better than with my words.

I have not set up the NAT rules for each interface. I have created a group with all related networks, including VLANs.
I will also do some screenshots of the NAT rules.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 02, 2022, 04:48:54 pm
Here are my two Port Forward rules and the Outbound rule.
local_Networks is a Group and the members are all my related networks, e.g. LAN, IoT, ...

Furthermore I have created for all these networks a pass DNS to internal server rule and below this a block any external DNS server rule.

I hope this will help you to setup your firewall.
Title: Re: AdGuard Home setup guide
Post by: lilsense on February 02, 2022, 05:34:49 pm
How do I change the HTTP port/etc once it's been set up. It looks like it's a one time deal.

Also, how do you set up the DoT?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 02, 2022, 05:45:34 pm
I think you are right, it's a one time deal.

For DoT I use Unbound. But in AdGuard just type the TLS server address in the upstream DNS server field. Examples are also shown on the DNS settings page.
Title: Re: AdGuard Home setup guide
Post by: Fawkesguy on February 02, 2022, 06:00:54 pm
Here are my two Port Forward rules and the Outbound rule.
local_Networks is a Group and the members are all my related networks, e.g. LAN, IoT, ...

Furthermore I have created for all these networks a pass DNS to internal server rule and below this a block any external DNS server rule.

I hope this will help you to setup your firewall.

Just to show another option:

I do my LAN rule a little differently.  First one blocks everything but my Adguard Home server from reaching outside DNS using an alias containing a list of public DNS servers.  This helps prevent clients from using DoT and DoH to bypass the NAT port forward.  Second rule is generated from the NAT port forward.

The "Public_DNS" alias contains https://public-dns.info/nameservers-all.txt

Title: Re: AdGuard Home setup guide
Post by: lilsense on February 02, 2022, 06:29:17 pm
I think you are right, it's a one time deal.

For DoT I use Unbound. But in AdGuard just type the TLS server address in the upstream DNS server field. Examples are also shown on the DNS settings page.

Thanks.  I uninstalled it since it does not support regex in whitelist...
Title: Re: AdGuard Home setup guide
Post by: namnnumbr on February 03, 2022, 03:05:39 am
@ChrisChros, @Fawkesguy -- thanks much for taking the time to share screenshots of your setup!  I think I have a pretty good idea of what should work.  Unfortunately, I'm still not getting an appropriate response (i.e., for some reason my IoT network (10.3.0.0/24) thinks it's getting a response from the LAN interface (10.0.0.1).

... which suggests to me that I probably have issues either elsewhere in my firewall rules or a bit of a hinky opnsense install.

I'll probably spend the weekend wiping and resetting everything...
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 03, 2022, 06:52:43 am
A short update to my rules. They are not working as expected. I have two Google devices connected to my IoT network. The Google Home Mini is working without any issues, but the Google Nest Mini does not want to establish an internet connection.
I can see in the live log that 10.10.10.22 (Nest Mini) is caught by the rdr rule every second, while the Home Mini (10.10.10.23) has more or less no entries.

Nest mini and Home mini are more or less the same devices, but the behavior is completely different to my NAT rules.
Any suggestions what is going wrong with my rules?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 03, 2022, 05:39:41 pm
So I think I have it now.
I checked all my port forward rules and realized that NAT reflection was set to "Use system default", this has to be set to "Disabled".
Title: Re: AdGuard Home setup guide
Post by: RamSense on February 04, 2022, 09:37:19 pm
@ChrisChros,
I followed your https://labzilla.io/blog/force-dns-pihole
guide for the AdGuard Home plugin on OPNsense. This works like it should for [Test it out] - point 4

but when doing [Test it out] - point 5 "by temporarily disabling the first NAT rule" I get
;; connection timed out; no servers could be reached

Do you know what can cause this?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 04, 2022, 10:18:42 pm
Unfortunately not. I only performed Test 4.

After that I was happy that my hardcoded DNS devices were able to connect to the inet.
Title: Re: AdGuard Home setup guide
Post by: RamSense on February 05, 2022, 07:58:33 am
ah ok.
Well, the difference I have with your guide vs what I had is that instead of nslookup always showing my AdGuard IP (OPNsense IP), now when you try to bypass with e.g. 1.1.1.1 it looks like it comes from 1.1.1.1 but actually AdGuard is doing the DNS. Sounds better than what I had, so great.

only test 5 fails, I'm curious if that is working at your end

*update*
Got it working. I had a firewall-rules-lan block #53 still there :-)
When removed, test 5 works like it should. It seems that with your bypass guide solution I can delete this block rule while all is going to be pushed to AdGuard now (normal and hardcoded), or does somebody else have another opinion?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 05, 2022, 08:10:53 am
So what I observed today is a little bit strange.
My Google Nest Mini is not able to connect to the internet this morning. In AdGuard I can see that at 2 AM the DNS queries rose from 2500 to 18000. No changes have been made to the firewall rules during that time.
Does anybody else have similar behavior?
Title: Re: AdGuard Home setup guide
Post by: RamSense on February 05, 2022, 08:22:55 am
Do you use IPv6?
I still have some problems with IPv6 on OPNsense 22.1.
If yes, try stopping and starting Services-DHCPv6 and stopping and starting Services-Router Advertisements
and see if that gets your Nest Mini back on.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 05, 2022, 08:29:22 am
I do not use IPv6, it is completely deactivated. I do not see the benefit for home use.
Title: Re: AdGuard Home setup guide
Post by: namnnumbr on February 07, 2022, 03:16:13 am
For the record, part of my problem was that my port forward rules were for TCP only... and DNS is UDP.  So fixing that helped.

The other part of my problem was an overly complex and janky vpn setup between OPNsense and my switch.

Everything is working cleanly now.
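The rule discussions above (ChrisChros's pass-internal/block-external pair, Fawkesguy's Public_DNS alias, and the TCP-only port forward that missed UDP DNS) can be checked with a small rule evaluator. This is an added example, not code from the thread or from OPNsense/pf; it models pf's behaviour of applying rdr (port forward) rules before filter rules, so the filter sees the translated destination. The addresses, the tiny Public_DNS alias standing in for the public-dns.info list, and the rule names are constructed from the thread.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample aliases; Public_DNS is a stand-in for the public-dns.info list.
ALIASES = {
    "local_Networks": {"10.0.0.0/24", "10.3.0.0/24"},   # LAN and IoT (group from the thread)
    "Public_DNS": {"8.8.8.8", "1.1.1.1", "9.9.9.9"},
}
ADGUARD = "10.0.0.12"   # AdGuard Home host from the first post


@dataclass(frozen=True)
class Packet:
    proto: str          # 'tcp' or 'udp'
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # 'rdr' (port forward), 'pass' or 'block'
    proto: str = "any"                  # 'tcp', 'udp', 'tcp/udp' or 'any'
    src: str = "any"                    # host, network, alias name or 'any'
    dst: str = "any"
    dport: Optional[int] = None
    invert_src: bool = False            # the 'Source / Invert' tick box
    invert_dst: bool = False            # the 'Destination / Invert' tick box
    target: Optional[tuple] = None      # (ip, port) for rdr rules
    name: str = ""


def _addr_in(spec, ip):
    """True if ip is covered by spec (alias members, a network, a host, or 'any')."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False)
               for m in ALIASES.get(spec, {spec}))


def _matches(rule, pkt):
    if rule.proto != "any" and pkt.proto not in rule.proto.split("/"):
        return False
    if _addr_in(rule.src, pkt.src) == rule.invert_src:     # invert flips the match
        return False
    if _addr_in(rule.dst, pkt.dst) == rule.invert_dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules, pkt):
    """Return (action, rule name, packet as seen by the filter) for the first matching rules."""
    for rule in rules:                  # rdr first: pf translates before filtering
        if rule.action == "rdr" and _matches(rule, pkt):
            pkt = replace(pkt, dst=rule.target[0], dport=rule.target[1])
            break
    for rule in rules:                  # then the filter rules, first match wins
        if rule.action != "rdr" and _matches(rule, pkt):
            return rule.action, rule.name, pkt
    return "block", "default deny", pkt


def dns_ruleset(forward_proto):
    """The rule layout from the thread; forward_proto is 'tcp' (the bug) or 'tcp/udp'."""
    return [
        Rule("rdr", proto=forward_proto, src="local_Networks", dst=ADGUARD, dport=53,
             invert_dst=True, target=(ADGUARD, 53), name="Forward DNS to AdGuard"),
        Rule("pass", proto="tcp/udp", src="local_Networks", dst=ADGUARD, dport=53,
             name="pass DNS to internal server"),
        # Fawkesguy's rule: everything except the AdGuard host is kept off public resolvers,
        # which also catches DoT (853) and DoH to those addresses, not just port 53.
        Rule("block", src=ADGUARD, invert_src=True, dst="Public_DNS",
             name="block public DNS (Public_DNS alias)"),
        Rule("pass", src="local_Networks", name="pass all outbound"),
    ]


if __name__ == "__main__":
    hardcoded = Packet("udp", "10.3.0.20", "8.8.8.8", 53)      # IoT device with Google DNS
    print("TCP-only forward:", evaluate(dns_ruleset("tcp"), hardcoded))
    print("TCP/UDP forward: ", evaluate(dns_ruleset("tcp/udp"), hardcoded))
    print("DoT bypass:      ", evaluate(dns_ruleset("tcp/udp"), Packet("tcp", "10.3.0.20", "1.1.1.1", 853)))
    print("AdGuard upstream:", evaluate(dns_ruleset("tcp/udp"), Packet("tcp", ADGUARD, "1.1.1.1", 853)))
```

With the TCP-only port forward the UDP query never gets redirected and instead hits the block rule, which is the "no resolution" symptom described above; with TCP/UDP the same packet is rewritten to the AdGuard host and then matched by the pass rule. The block rule also stops a client's DoT attempt while still letting the AdGuard host reach its own upstreams.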
Title: Re: AdGuard Home setup guide
Post by: mupi2k on February 08, 2022, 05:51:13 pm
I recently acquired a NanoPi R4S. Amazing router, and trivial to run OPNsense.  However, the mimugmail repo doesn't work on aarch64.

Which leads to the question of why it's even necessary.

Installing the mimugmail repo already implies SSH access to run the requisite `fetch` command.  So why not simply `fetch` the freebsd native adguard home?  At that point, you just have to extract the archive, and then follow Adguard's own installation steps.  Nothing terribly complicated there, beyond knowing that OPNsense is Freebsd-based, and what architecture you are running (likely 95%+ AMD64).

Yes, adguard will complain that port  80 is in use. Pick another one! (3000 works, unless you are running graphana on the same host. 8080 works too, unless you are running nginx on that port.)

If you don't stop unbound, it will complain about port 53, too, but you can either move adguard (and then point unbound to adguard), move unbound to a different port, or stop unbound. (adguard already does most of what unbound does).

As an alternative, you can load adguard (and other!) lists into unbound.  A few years ago I wrote a script to "manage" black- and white- lists with unbound (whitelists being local overrides to the public lists, much like adguard does), but I abandoned that work after I found Adguard Home and realized they had already solved (better!) the big problem I was trying to solve: given a device trying to access a site, how do I know which site is blocked. It's easy to whitelist the site, but fairly difficult to parse the logs to see.  Adguard gives me a simple interface to see that, and with a click I can whitelist the domain, either everywhere, or just for that one device.

I really don't think a scratch install is any more complicated than installing a custom repo...
Title: Re: AdGuard Home setup guide
Post by: RamSense on February 08, 2022, 06:41:38 pm
I understand your view and opinion. But me for instance, I like the plugin concept. Being able to control OPNsense and additions from the GUI makes it easy and clear, and gives a feeling of control, compared to having to go to the terminal / having to enable SSH for every install, which feels like a bit of a threshold for me. I also like being able to get into the GUI and control things in OPNsense while being away by VPN and the comfort of my phone.
So with that being said; OPNsense is all about being able to have many ways of control, the GUI, terminal/SSH etc. So with both options available, everybody is happy :-)

ps. But there are improvements / wishlist: It would be great being able from within the plugin/gui to backup the config of adguard home with all dns-settings,used lists and custom rules.
Title: Re: AdGuard Home setup guide
Post by: mupi2k on February 08, 2022, 08:37:28 pm
I understand your view and opinion. But me for instance, I like the plugin concept. Being able to control OPNsense and additions from the GUI makes it easy and clear, and gives a feeling of control, compared to having to go to the terminal / having to enable SSH for every install, which feels like a bit of a threshold for me. I also like being able to get into the GUI and control things in OPNsense while being away by VPN and the comfort of my phone.
So with that being said; OPNsense is all about being able to have many ways of control, the GUI, terminal/SSH etc. So with both options available, everybody is happy :-)



I guess my main point was more for the "guide"; it really isn't difficult, and once installed the need for the cli is minimal.

It's probably also fair to note that I am the type who prefers the simplicity of a cli. Given the choice, I will almost always choose a cli over a gui because the  vast majority of the time it's faster, and the gui usually is just an abstraction around the cli anyway, and often makes assumptions that are hidden (or can't even be set).

That said, I understand that lots of people prefer a gui approach, even if it is slower and less secure. For me (and after reading this thread, I know I'm not alone...), if what I wanted was a 99%  GUI solution, I'd be running OpenWRT instead.

You *can* access your AdSense gui from a vpn easily enough. If you use the virtual IP approach, it wouldn't even feel weird because it would feel like you are logging on to a different host.  It's no more difficult to access the AdGuard gui from your phone than OPNsense (arguably easier, because AdGuard's mobile interface is well optimized).  You also can SSH on a vpn. I have a terminal program for my phone, even, that I could use.  Granted, securely using ssh requires a bit of work, but if you can install the mimugmail repo, you can run the two or three cli commands for key-based (as opposed to password-based) ssh login.  That's well out of scope *here* but I bet there's already guides for that... :D
Title: Re: AdGuard Home setup guide
Post by: inlophe on March 03, 2022, 05:44:07 am
I can't seem to figure out what's wrong with my setup.

My Port Forward NAT already has rules to redirect outbound DNS to AdGuard (using Groups, for several VLANs), Unbound listens on 53530, and the AdGuard upstream DNS and bootstrap DNS point to 127.0.0.1:53530 (or LAN_ip:53530, tried both), but it still won't resolve. I tried to reinstall AdGuard several times to make sure that I chose all interfaces on the DNS listen interface.

I don't know if resolve is the right word, because I can see that my DNS requests show up in the AdGuard AND Unbound logs, so that means the flow is correct, but I still never get any response on my VLANs, only my LAN works.

Anyone have any idea?

EDIT: never mind, turns out I need to point the DNS server in DHCP to the gateway/AdGuard interface IP of each VLAN or leave it empty. It works now.
Title: Re: AdGuard Home setup guide
Post by: Videopac on March 28, 2022, 03:27:43 pm
Thanks for the guide/help.
I get a notification in the AdGuard Home web interface that v0.107.5 is now available: can I update directly from the AdGuard Home web interface, or should I wait until the package gets updated?
Title: Re: AdGuard Home setup guide
Post by: RamSense on March 28, 2022, 03:54:51 pm
Updates work fine here from the web interface.
Title: Re: AdGuard Home setup guide
Post by: weslsew on April 04, 2022, 03:53:29 pm
Is there a known issue with fresh installs of this plugin and 21.7? I can't even get the setup page to load after a successful plugin install (http://<my.opnsense.ip>:3000).

The plugin is enabled and appears to be running
No errors are thrown in the logs
I have Unbound disabled
I am not running Grafana, ntopng, or any other service on port 3000. Netstat shows the AdGuardHome service is running on said port and nothing else.

I cannot get the start page to come up at all on port 3000. Since that triggers the initial setup wizard, there's no configuration yaml created (I checked via CLI). The service just appears to be running and waiting for me to kick off the process.

Could someone post a (more or less) "default" configuration yaml for the plugin? I can modify it for my own setup, restart the service, see if that gets past it, though I'd still like to figure out why I can't access the initial config wizard.

Thanks!

Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.

The problem, if anyone else runs in to this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.

This means you need to explicitly define any additional ports (besides 80 and 443, which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked for AdGuardHome to run on). Easy fix once I realized what the problem was.

I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.

Hope this helps someone else :)

Can you explain exactly what you did to get this working? I'm having the same problem.
Title: Re: AdGuard Home setup guide
Post by: 01cooperl on April 11, 2022, 11:52:51 pm
I've followed the guide to install AdGuard using the repo and it works great. The problem is that my Unraid server cannot update its Docker containers. I have tried to specify a port forwarding rule just for the Unraid server to send the traffic to port 5353 on the Unbound server to effectively bypass AdGuard; however, it seems to direct all traffic on the network to Unbound. See the additional rule I set up and moved before the other rule from the guide:

Code: [Select]
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: UnraidServerIP
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: 5353
Description: Bypass AdGuard for unraid server
NAT Reflection: Disable

What am I doing wrong? How can I achieve forwarding traffic to AdGuard with the exception of a single IP which doesn't need to go through AdGuard?
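As an added illustration (not code from the post, the guide or OPNsense), the Python below models how OPNsense evaluates Port Forward rules: top to bottom, first match wins. It encodes the two rules in the order the post describes (the bypass rule with "Destination / Invert" ticked and Destination = UnraidServerIP, placed ahead of the guide's "Forward DNS to AdGuard" rule), plus a variant that keys the bypass on the Unraid address as Source while keeping the guide's "Destination / Invert: LAN address", and reports which rule each constructed DNS query would hit. The LAN, Unraid and client addresses are assumptions for the example.

```python
"""First-match port-forward evaluator (added example; not OPNsense or pf code).

OPNsense evaluates Firewall -> NAT -> Port Forward rules top to bottom and the
first matching rule wins. This toy models the two rules as ordered in the post
above and a Source-keyed variant, then shows which rule each constructed DNS
query hits. All addresses are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

LAN_ADDRESS = "10.0.0.1"   # assumed OPNsense LAN interface address
UNRAID_IP = "10.0.0.50"    # assumed Unraid server address
ADGUARD_IP = "10.0.0.12"   # AdGuard address used in the guide


@dataclass
class Rule:
    description: str
    target: str                  # redirect target "ip:port"
    src: Optional[str] = None    # None = any source
    dst: Optional[str] = None    # None = any destination
    src_invert: bool = False     # "Source / Invert"
    dst_invert: bool = False     # "Destination / Invert"
    dport: int = 53              # DNS

    def matches(self, src: str, dst: str, dport: int) -> bool:
        """True if the packet matches this rule, honouring the invert flags."""
        if dport != self.dport:
            return False
        # With invert set, the rule matches only when the address does NOT
        # equal the configured one; without it, only when it does.
        if self.src is not None and (src == self.src) == self.src_invert:
            return False
        if self.dst is not None and (dst == self.dst) == self.dst_invert:
            return False
        return True


def first_match(rules, src: str, dst: str, dport: int = 53) -> str:
    """Return the description of the first rule that matches, else 'no rdr'."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.description
    return "no rdr"


# Rules in the order the post describes: bypass first, then the guide's rule.
POSTED = [
    Rule("Bypass AdGuard for unraid server", "127.0.0.1:5353",
         dst=UNRAID_IP, dst_invert=True),
    Rule("Forward DNS to AdGuard", f"{ADGUARD_IP}:53",
         dst=LAN_ADDRESS, dst_invert=True),
]

# Variant keyed on Source = Unraid, keeping the guide's "Destination / Invert:
# LAN address" so queries aimed at the router itself are left alone.
SOURCE_KEYED = [
    Rule("Bypass AdGuard for unraid server", "127.0.0.1:5353",
         src=UNRAID_IP, dst=LAN_ADDRESS, dst_invert=True),
    Rule("Forward DNS to AdGuard", f"{ADGUARD_IP}:53",
         dst=LAN_ADDRESS, dst_invert=True),
]

# Constructed sample DNS queries: (source host, resolver it asked).
PACKETS = {
    "laptop -> 1.1.1.1": ("10.0.0.20", "1.1.1.1"),
    "unraid -> 9.9.9.9": (UNRAID_IP, "9.9.9.9"),
    "laptop -> router": ("10.0.0.20", LAN_ADDRESS),
}


def evaluate(rules) -> dict:
    """Map each sample query to the rule that would redirect it."""
    return {name: first_match(rules, s, d) for name, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", POSTED), ("source-keyed", SOURCE_KEYED)):
        print(f"[{label}]")
        for name, hit in evaluate(rules).items():
            print(f"  {name:<20} -> {hit}")
```

With the rules as posted, every sample query, including the laptop's, lands on the bypass rule, because "destination is not the Unraid IP" is true for any query sent to an external resolver; the guide's rule further down never gets a chance. In the Source-keyed variant only the Unraid server's queries reach the 5353 target, the laptop's go to AdGuard, and a query addressed to the router itself is not redirected at all. OPNsense's Port Forward form also offers a "No RDR (NOT)" option for carving out exceptions, which this toy does not model.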
Title: Re: AdGuard Home setup guide
Post by: Taubin on May 11, 2022, 06:06:44 am
This broke Unraid for me as well. Not sure what happened that broke it, but it started in the past 3 days. I went to update today and couldn't update anything.

Even when I set the DNS on Unraid to use something else (Quad9 in my case), it still tried to go through AdGuard and got blocked.