OPNsense Forum

English Forums => Documentation and Translation => Topic started by: N0_Klu3 on March 19, 2021, 10:54:50 pm

Title: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 10:54:50 pm
So I've been looking around and been unable to get a good AdGuard or PiHole setup.

I figured it out, and it seems to be working well, so I'm writing this for mainly my own future reference.

--------------------
Setup for a physical AdGuard (Raspberry Pi or something)

I installed AdGuard Home on a Raspberry Pi with the IP 10.0.0.12.
Settings -> DNS Settings
Choose and configure to your desired setup.

On OPNsense:
System -> General Setup
Set '10.0.0.12' as DNS server
Tick: Do not use the local DNS service as a the only nameserver for this system

Optional, but recommended:
Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 10.0.0.12
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

Unbound -> Untick 'Enable Unbound'. (So it's turned off)
Or you can follow the steps below to use a router_ip:5353 to loopback to OPNsense unbound as a backup.

I also found that I had to add the DNS specifically on each DHCP interface.
Mainly if you removed all DNS servers from System -> General Setup. I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: 10.0.0.12

If you have VLANs or other LANs you may need to do some Firewall rules to allow traffic through to the DNS server IP on Port 53 (DNS)

That is pretty much it.

--------------------
Setup for using AdGuard via the OPNsense community repo

Firstly install the Community repo from: https://www.routerperformance.net/opnsense-repo/
Then install AdGuard Home via Plugins.

Navigate to router_ip:3000 to setup AdGuard.
I set Admin interface to my main LAN as the only listen interface and via port 81 (OPNsense uses port 80 and 443 so select something other than this for AdGuard listen port and if you configure AdGuard's SSL settings)

DNS Server listen interface select 'All' on Port 53.

Setup DNS as you would like it with your own providers.
Settings -> DNS settings -> Bootstrap DNS servers -> Add router_ip:5353

On OPNsense:
System -> General Setup
Set '8.8.8.8' as DNS server (Or whatever DNS you would like as a backup, if you only want AdGuard you can remove all DNS servers from this list and leave it blank)
Untick: Do not use the local DNS service as a nameserver for this system
This way by default OPNsense will use itself (127.0.0.1) as the resolver which we want.

Services -> Unbound DNS -> General
Enable Unbound (it could be disabled if you'd prefer, then remove the Bootstrap DNS setup as above)
Add port 5353 (instead of default 53)
Only select: 'Register DHCP leases' & 'Register DHCP static mappings'

Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

If you have multiple VLANs or LANs then duplicate the rule and change it to the relevant Interface and address.

I also found that I had to add the DNS specifically on each DHCP interface.
Mainly if you removed all DNS servers from System -> General Setup. I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: router_ip

And the same for any VLANs, just set the route IP for each VLAN.
eg. 192.168.107.1 is my IoT VLAN

That should pretty much do it.

--------------------

Please let me know if you see any tweaks or better settings that you think can improve this, I'm more than happy to improve this and make this into a good guide.

*NOTE* I did find that running AdGuard via the OPNsense router lowered the processing time by more than half.
9ms via router setup, compared to around 45ms via Raspberry Pi 3B+
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on March 19, 2021, 10:56:37 pm
Why don't you install AdGuardHome on your OPNsense? Which was precisely the point in that other thread?
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 11:04:26 pm
Because there is no clear guide on how to set it up!
Also sometimes people want to use a physical device for this.

Like I say. I’m happy to update and include the AdGuard install on OPNsense but until I can get a good guide I just cannot.
If you can give me your setup and how you made it work I’ll test it out tomorrow and can add that to this guide too.
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on March 19, 2021, 11:11:53 pm
I did a write up in that other thread.

1. Activate mimugmail's community repository
2. Install AdGuardHome from System --> Firmware --> Plugins
3. Change your primary DNS server on OPNsense to use e.g. 127.0.0.1:53530 only
4. Activate and start AdGuardHome from Services --> AdGuardHome
5. Navigate to http://your.opnsense:3000/ to complete the setup
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 11:17:14 pm
Do you not need to change AdGuard to use different ports upon setup?
So that it doesn’t affect OPNsense on port 80 and 443?

How do you specify port 53530 unless you mean change unbounds port?
Or on General DNS you can specify 127.0.0.1:53530? Wasn’t aware you can use : to specify a port there.

Do you do anything with your unbound?
Are there any specific benefits to doing it all in one box?

And thanks I’ll test it tomorrow.
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on March 19, 2021, 11:22:38 pm
I meant make your Unbound listen to 127.0.0.1:53530. I use BIND, so - sorry - I cannot show you a screenshot. I am just assuming that just as with BIND you can change the listen interface and port for Unbound too. If that is not the case, I am sorry.

You need to do that so AdGuardHome can listen on all interfaces port 53 so clients can use it. Then in AdGuardHome use this dialog to configure the upstream resolver (see screenshot).

To adjust the listen addresses of AdGuardHome itself you need to ssh to your OPNsense and edit the config file at /usr/local/AdGuardHome/AdGuardHome.yaml:
bind_host: 0.0.0.0
bind_port: 3000
[...]
dns:
  bind_host: 0.0.0.0
  port: 53
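
Added example, not part of the original post or of the plugin: a POSIX sh check that reads the listen settings from an AdGuardHome.yaml in the layout quoted above and reports listeners bound to every interface (which includes WAN, so exposure then rests on the firewall rules alone) and a web port that collides with the OPNsense GUI on 80/443. The two sample files are constructed; 10.0.0.1 is an assumed LAN address and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the listen settings of an AdGuardHome.yaml that uses
# the layout quoted in the post (top-level bind_host/bind_port for the web
# UI, dns: bind_host/port for the resolver).

# Print one line per listener: "<web|dns> <host> <port>".
agh_listeners() {
    awk '
        function val(line) {
            sub(/^[^:]*: */, "", line)    # drop "key: "
            sub(/ +#.*$/, "", line)       # drop a trailing comment
            gsub(/"/, "", line)           # drop quotes around the value
            return (line == "") ? "unset" : line
        }
        BEGIN { web_host = web_port = dns_host = dns_port = "unset" }
        /^ *(#|$)/                { next }                        # comments, blank lines
        /^[^ ]/                   { in_dns = ($0 ~ /^dns: *$/) }  # top-level key starts a section
        /^bind_host:/             { web_host = val($0) }
        /^bind_port:/             { web_port = val($0) }
        in_dns && /^ +bind_host:/ { dns_host = val($0) }
        in_dns && /^ +port:/      { dns_port = val($0) }
        END {
            print "web", web_host, web_port
            print "dns", dns_host, dns_port
        }
    ' "$1"
}

# Print the listeners that are bound to every interface.
agh_wildcard_binds() {
    agh_listeners "$1" | while read -r kind host port; do
        case "$host" in
            0.0.0.0|::) echo "$kind $host:$port" ;;
        esac
    done
}

# Print the web UI port if it is one the OPNsense GUI already uses.
agh_gui_port_clash() {
    agh_listeners "$1" | awk '$1 == "web" && ($3 == 80 || $3 == 443) { print $3 }'
}

# Constructed samples: the values from the post, and a LAN-only variant
# (10.0.0.1 is an assumed LAN address, 81 the admin port used in the guide).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/wildcard.yaml" <<'EOF'
bind_host: 0.0.0.0
bind_port: 3000
dns:
  bind_host: 0.0.0.0
  port: 53
EOF
cat > "$sample_dir/lan_only.yaml" <<'EOF'
bind_host: 10.0.0.1
bind_port: 81
dns:
  bind_host: 10.0.0.1
  port: 53
EOF

for f in "$sample_dir"/*.yaml; do
    echo "== $f"
    agh_listeners "$f"
    agh_wildcard_binds "$f" | sed 's/^/  listens on all interfaces: /'
done
```

On the firewall itself, `sockstat -4 -6 -l -p 53` lists the sockets actually bound to port 53.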
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 19, 2021, 11:35:52 pm
Thanks if I can figure it out I’ll test it tomorrow.
I feel like my way just works and works far simpler.

Is there any benefit other than having 2 devices in one doing it your way?
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on March 19, 2021, 11:48:11 pm
I would not want another box just for a single application that works perfectly on my already present OPNsense.
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 11:07:26 am
Do I need to Listen on all interfaces for DNS Server?
As it has my WAN IP in there too.

I have LAN, and 2x VLANS so there are a lot of connections there.
I also changed the Admin to use port 81.

Like this:
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 08:00:33 pm
@pmhausen
Take a look at my edits and addition of AdGuard via Community Repo.
Let me know what you think or if any of it needs changing/addition.
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on March 20, 2021, 08:06:13 pm
Of course you don't need to activate it on WAN, sorry.
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 08:27:58 pm
Yup problem is as I have more than 1x LAN I could not manually select my LANs/VLANs.
It was all or 1. Unless I missed something there.
So I just selected All
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on March 20, 2021, 08:40:05 pm
Well, even if it is listening on WAN your firewall rules should prevent access, right?
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 20, 2021, 10:30:30 pm
Yup should drop all traffic from WAN by default
Title: Re: AdGuard Home setup guide
Post by: ekke on March 25, 2021, 09:34:48 am
AdGuard seems to be amazing! Really slick interface and useful features!
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on March 28, 2021, 10:21:02 am
Yeah, and I find it works much quicker especially vs PiHole or external DNS
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 04, 2021, 08:16:42 pm
Opnsense 21.1.4 Installation:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Navigate to http://your.opnsense:3000/ to complete the setup

5 - In Adguard Home - DNS Configuration - Upstream Servers: Set the desired servers (1.1.1.1, 8.8.8.8, etc.)

6 - In Opnsense disable Unbound. In case you want to use it leave it activated by changing the port to 5353 and in Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

 - It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General

 - No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

 - No need to set dns servers to DHCP

DNS over HTTPS - DNS over TLS:

Option 1:

 - In Opnsense - Unbound - Miscellaneous set the desired dns servers 1.1.1.1@853 8.8.8.8@853

 - Activate Unbound on port 5353

 - In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

Option 2 ( Unbound disabled ): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption


Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 04, 2021, 10:34:51 pm
Recommended DNS blocklists: 1Hosts (Pro) - Goodbye Ads - Energized Ultimate - Lightswitch05 - Steven Black - oisd

Installation in Adguard: Filters - DNS blocklist - Add blocking list - Add custom list

 - https://hosts.netlify.app/Pro/adblock.txt

 - https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt

 - https://block.energized.pro/ultimate/formats/hosts.txt

 - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt

 - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

 - https://hosts.oisd.nl/

Extra. in Adguard: Filters - DNS blocklist - Add blocking list  - Choose from the list:

 - Perflyst's Smart-TV Blocklist
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on April 04, 2021, 10:56:14 pm
@yeraycito thanks for those lists. Which criteria did you apply when picking them?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 04, 2021, 11:48:34 pm
Unlike the ones Adguard comes with, these are much more complete. Each of them includes many other lists. They are the most complete I have found. If you put these in, you don't need any more.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 05, 2021, 01:11:31 am
Many of the lists I have posted block most of Google's telemetry and spying but not all of it. More can be done.

Adguard - Filters - Custom filtering rules - add:

||dnsotls-ds.metric.gstatic.com^ 
||encrypted-tbn0.gstatic.com^
||encrypted-tbn2.gstatic.com^
||mtalk.google.com^
||metric.gstatic.com^
||chart.apis.google.com^
||cse.google.com^
||encrypted-tbn1.gstatic.com^
||www.gstatic.com^
||fonts.gstatic.com^
||ogs.google.com^
||ssl.gstatic.com^
||aa.google.com^
||encrypted-tbn3.gstatic.com^
||pki-goog.l.google.com^
||signaler-pa.clients6.google.com^
||addons-pa.clients6.google.com^
||apis.google.com^
||0.client-channel.google.com^
||clients2.google.com^

Result after applying the rules:

 - Google searches: OK

 - Gmail: OK

 - Youtube: OK

 - Instagram: OK

 - Android: OK

 - Playstore: OK

Title: Re: AdGuard Home setup guide
Post by: Jaxon on April 12, 2021, 10:59:42 pm
@yeraycito

Just a shout out to say thanks for your contributions to this thread. I found them very useful, and have Unbound / AdGuard working well together. Ads are gone, DNS lookups are resolving quickly. Your suggested blocklists are awesome!

That said, I'm still a little (embarrassingly) confused about something. That is, getting the LAN reverse lookups to function. Below I'll show one setup where the reverse lookups actually do resolve, but upstream DNS resolver ends up being one of my two ISPs, and a second where upstream resolver is cloudflare, but then the reverse lookups stop working.

I have the following OPNSense Configuration:
Dual WAN, two gateway setup (might not be relevant to the discussion)

System/Settings/General:
 - DNS Servers: all empty

Services/Unbound DNS/General:
 - port: 5353
 - DNSSEC: enabled
 - DHCP Registration: enabled
 - DHCP Static Mappings: enabled
 - Local Zone Type: transparent


AdGuard Settings:

1) With this setup, reverse lookups function. That is, inside AdGuard's Top Clients, I can see host names are resolving. However, upstream DNS server is my ISP's DNS server.

Adguard/DNS Settings:
127.0.0.1:5353

Bootstrap DNS servers:
127.0.0.1:5353
9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10


2) Now, if I change the following, I get the reverse behaviour. Inside AdGuard's Top Clients, I can see only IPs (no host names), but upstream DNS is now showing up as 108.162.218.241 (Cloudflare).

Adguard/DNS Settings:
127.0.0.1:5353
1.1.1.1
1.0.0.1


I've also experimented with a few things to no avail, like:

[/168.192.in-addr.arpa/]127.0.0.1:5353

[/168.192.in-addr.arpa/]127.0.0.1

[/168.192.in-addr.arpa/]192.168.0.1:5353

[/168.192.in-addr.arpa/]192.168.0.1



Do you have any suggestions what I might be doing wrong?





Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 07:36:06 pm
Hello, for the dns not to be those of your isp you have to put one in unbound. To resolve the hostnames you can add them better in the Adguard configuration.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 07:38:09 pm
My settings:

System/Settings/General:
 - DNS Servers: all empty
 - Do not use the local DNS service as a nameserver for this system: checked

Services/Unbound DNS/General:
 - port: 5353
 - DNSSEC: enabled
 - DHCP Registration: disabled
 - DHCP Static Mappings: disabled
 - Local Zone Type: transparent

Unbound DNS - Miscellaneous - DNS over TLS Servers:  1.1.1.1@853      1.0.0.1@853

In Adguard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353

In Adguard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353

In Adguard Home - configuration - clients configuration - add client:  Add ip and hostname
 
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 08:50:53 pm
A good complement is also to use NextDns dns servers.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 08:51:30 pm
They are just as fast as Cloudflare's but add more protection and the ability to add blocklists.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 13, 2021, 09:04:18 pm
Installation:

Let's go to   https://nextdns.io/    and register for free. Once registered you are given a personalised ID and dns.

Opnsense installation:

 - Follow the tutorial explained above for Adguard.

 - Unbound - General - Custom Options: add (XXXXXX is a custom ID in NextDns)

# XXXXXX = your NextDNS ID; the name after '#' is what the TLS certificate is checked against
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
Title: Re: AdGuard Home setup guide
Post by: Dimi3 on April 19, 2021, 06:44:56 pm
I installed adguard plugin...everything seems to be working ok...only under plugins the adguard is marked as misconfigured? Why is that?

Title: Re: AdGuard Home setup guide
Post by: wirehire on April 20, 2021, 12:38:45 pm
hello,

where can i find the logfile? on /var/log i found no adguard file.

Thanks
Title: Re: AdGuard Home setup guide
Post by: Spritzup on April 20, 2021, 03:54:49 pm
Transfer from PiHole (running on a Pi) to AdGuard on OPNSense went flawlessly.  By using a virtual IP for AdGuard, I didn't even need to change any of my preconfigured rules, which was nice.  I had allocated myself a few hours to get this done, and it ended up taking less than 15 minutes :)

Question though.  One of the "optimizations" that is sometimes recommended when using PiHole in conjunction with Unbound is to disable DNS caching on the pi-hole, so that all DNS lookup is handled by Unbound.  Would this provide any benefit with AdGuard?

Thanks!

EDIT - So an oddity.  Using a virtual IP, it showed no port conflicts using Port 80 or Port 53, and everything worked great for a day.  Today I decided to tweak some unbound settings and had to restart the service... and it wouldn't start due to a port conflict.  Any ideas?

~Spritz
Title: Re: AdGuard Home setup guide
Post by: beclar2 on April 25, 2021, 10:32:13 am
Hi folks,

has anyone tried to set up Adguard WebGUI using https with the same cert that OPNsense´s WebGUI uses?

Thank you very much
Beclar
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 25, 2021, 06:45:38 pm
Adguard + wireguard in Opnsense ( solved ):

https://forum.opnsense.org/index.php?topic=22409.0
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on April 26, 2021, 11:14:20 am
> My settings:
>
> System/Settings/General:
>  - DNS Servers: all empty
>  - Do not use the local DNS service as a nameserver for this system: checked
>
> Services/Unbound DNS/General:
>  - port: 5353
>  - DNSSEC: enabled
>  - DHCP Registration: disabled
>  - DHCP Static Mappings: disabled
>  - Local Zone Type: transparent
>
> Unbound DNS - Miscellaneous - DNS over TLS Servers:  1.1.1.1@853      1.0.0.1@853
>
> In Adguard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353
>
> In Adguard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353
>
> In Adguard Home - configuration - clients configuration - add client:  Add ip and hostname

With this way, if you have multiple VLAN's or different IP's do you need to include all the IP's into upstream and bootstrap DNS servers?

IE: 192.168.1.1:5353
192.168.200.1:5353

And so on?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 26, 2021, 02:25:58 pm
It is not necessary, just set the opnsense ip. Adguard listens for dns connections on all opnsense interfaces. It then passes them to the opnsense ip. Unbound is listening there.
Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on April 26, 2021, 03:52:46 pm
Ok cheers will mess with it this week and update the main page with some updates.
Thanks for your efforts.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on April 26, 2021, 08:33:16 pm
In this post I previously put up some blocking lists for Adguard. There are two of them that are very complete: 1Host (Pro) and Energized Ultimate. They are so comprehensive that in some cases they block too much. If this is the case I recommend you to change them for 1Host (lite) and Energized Basic. These two lists are still very comprehensive. There are also smaller versions of these two lists, these are the intermediate ones.

 - https://badmojr.github.io/1Hosts/Lite/adblock.txt

 - https://block.energized.pro/basic/formats/hosts.txt




Title: Re: AdGuard Home setup guide
Post by: N0_Klu3 on April 28, 2021, 09:23:19 am
Yup I already use Energized Pro list and only that list myself :)
Title: Re: AdGuard Home setup guide
Post by: Superduke on May 03, 2021, 02:52:14 pm
I'm sorry for my ignorance, but is this setup using the DNS over TLS function in Unbound?  It appears yes.

If it is, why use that when you can use Unbound by itself for DNS resolving?  I thought the point of using Unbound was to not have to worry about DNS lookups from companies like Cloudflare??

Thanks in advance!

> Opnsense 21.1.4 Installation:
>
> 1 - Activate mimugmail's community repository
>
> 2 - Install AdGuardHome from System --> Firmware --> Plugins
>
> 3 - Activate and start AdGuardHome from Services --> AdGuardHome
>
> 4 - Navigate to http://your.opnsense:3000/ to complete the setup
>
> 5 - In Adguard Home - DNS Configuration - Upstream Servers: Set the desired servers (1.1.1.1, 8.8.8.8, etc.)
>
> 6 - In Opnsense disable Unbound. In case you want to use it leave it activated by changing the port to 5353 and in Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353
>
>  - It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General
>
>  - No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard
>
>  - No need to set dns servers to DHCP
>
> DNS over HTTPS - DNS over TLS:
>
> Option 1:
>
>  - In Opnsense - Unbound - Miscellaneous set the desired dns servers 1.1.1.1@853 8.8.8.8@853
>
>  - Activate Unbound on port 5353
>
>  - In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353
>
> Option 2 ( Unbound disabled ): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption
Title: Re: AdGuard Home setup guide
Post by: yodaphone on May 05, 2021, 03:13:32 pm


>  - Follow the tutorial explained above for Adguard.

Do we need both? Can one not configure just NextDNS without AdGuard?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on May 05, 2021, 03:27:49 pm
If you want to use only NextDNS:

- Unbound - General - Custom Options: add (XXXXXX is a custom ID in NextDns)

# XXXXXX = your NextDNS ID; the name after '#' is what the TLS certificate is checked against
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io
Title: Re: AdGuard Home setup guide
Post by: zer0k on May 05, 2021, 10:58:00 pm
Great instructions! Thank you :)

The only issue I'm facing is getting the firewall redirect rule for dns just won't work for me.
I've tried using the "LAN address" object, and also specifying my LAN IP address and my VirtualIP's, but it just doesn't seem to want to redirect the dns traffic :(

I did notice when setting up Adguard it chose my Virtual IP, instead of my LAN address.

I feel like I'm missing something really simple, but I'm not sure what?

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on May 05, 2021, 11:15:48 pm
Possibly related to this?

https://github.com/AdguardTeam/AdGuardHome/issues/3015
Title: Re: AdGuard Home setup guide
Post by: meazz1 on May 06, 2021, 12:08:34 am
I have a LAN that I want to use AdGuard for DNS using any family shield service. And a  VLAN to use 8.8.8.8.
Is that possible and how?
Title: Re: AdGuard Home setup guide
Post by: NV43 on May 06, 2021, 08:08:13 am
Should we be setting DNS cache size in Adguard to 0 to allow Unbound to handle caching?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on May 06, 2021, 06:38:00 pm
> Great instructions! Thank you :)
>
> The only issue I'm facing is getting the firewall redirect rule for dns just won't work for me.
> I've tried using the "LAN address" object, and also specifying my LAN IP address and my VirtualIP's, but it just doesn't seem to want to redirect the dns traffic :(
>
> I did notice when setting up Adguard it chose my Virtual IP, instead of my LAN address.
>
> I feel like I'm missing something really simple, but I'm not sure what?
>
> Interface: LAN
> Protocol: TCP/UDP
> Destination / Invert: Ticked
> Destination: LAN address
> Destination port range: From: DNS - To: DNS
> Redirect target IP: 127.0.0.1
> Redirect target port: DNS
> Description: Forward DNS to AdGuard
> NAT Reflection: Disable


- It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General

- No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

Adguard listens on all default interfaces in Opnsense. This can be seen in the Adguard - Configuration Guide.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on May 06, 2021, 06:41:16 pm
> Should we be setting DNS cache size in Adguard to 0 to allow Unbound to handle caching?

I have DNS caching active on both sites and everything works fine.
Title: Re: AdGuard Home setup guide
Post by: mrancier on May 07, 2021, 03:57:24 pm
Sorry for the hijack, but just wondered if anyone has any idea of how I can solve a particular problem with my Adguard Home Plugin setup:

My LAN interface is a bridge made up of all the ports on a 4 port intel x540, and my WAN is on a different interface altogether (duh).  I can successfully install the plugin and configure it, make it the default dns server by changing the port unbound uses to 5353 and leaving AdguardHome on 53.  Problem is that first time resolution takes about 30 seconds!  I am guessing it has to do with Adguard being bound to all existing interfaces.  I tried to bind it to the bridge address editing the Adguard Yaml config file and restarting the service, but it did not solve the issue.  Unbound works fine in its place, and I have adguard running on a secondary box in lan and unbound forwarding to it, as a workaround, and that works fine.  If anyone knows how to fix that, and can share, I would appreciate it.  Just in case, bridge is built following wiki directions, including tunables, and works as expected.  I am aware of the disadvantages of bridging ports, but it is an experiment and I would like to make it work as is.

Thanks.
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on May 08, 2021, 01:02:06 am
Try binding AdGuard Home to *:53 as you already did if I read your post correctly. Set Unbound to 53530 or similar. Reason being that 5353 is used by mDNS already.

I run AdGuard Home on all interfaces, 53, forwarding to BIND on 127.0.0.1:53530 - no problem so far.
Title: Re: AdGuard Home setup guide
Post by: yodaphone on May 12, 2021, 02:42:34 pm
> 2) Now, if I change the following, I get the reverse behaviour. Inside AdGuard's Top Clients, I can see only IPs (no host names), but upstream DNS is now showing up as 108.162.218.241 (Cloudflare).
>
> Adguard/DNS Settings:
> 127.0.0.1:5353
> 1.1.1.1
> 1.0.0.1
>
> I've also experimented with a few things to no avail, like:
>
> [/168.192.in-addr.arpa/]127.0.0.1:5353
>
> [/168.192.in-addr.arpa/]127.0.0.1
>
> [/168.192.in-addr.arpa/]192.168.0.1:5353
>
> [/168.192.in-addr.arpa/]192.168.0.1
>
> Do you have any suggestions what I might be doing wrong?

Hi, were you able to solve this? All I see are IP Addresses. I have way too many devices/clients to enter them manually
Title: Re: AdGuard Home setup guide
Post by: Superduke on May 13, 2021, 06:21:33 pm
You just need to add your router ip in the upstream and bootstrap fields in the AdGuard DNS Setup menu with the appropriate port if you're still using UnBound...I am.  So I set up Unbound to listen on port 53530 and then added the below in AdGuard

eg. 192.168.1.1:53530

Adguard now processes and listens on all interfaces.

Works well....
Title: Re: AdGuard Home setup guide
Post by: motamedn on June 07, 2021, 06:26:35 pm
Thanks for posting this guide! In case anyone runs into problems with their Chromecast with Google TV after following these instructions and gets the error saying no internet is available, it might have to do with the optional but recommended port forward step.

Instead of including all sources for the port forward, you can select the devices you want to exclude from the port forward and tick the checkbox to invert the selection. This resolved my Chromecast with Google TV error. I have several so I made an alias. In the end, when I was done it looked like Source: !Google_devices.

Additionally, in the IRC, someone mentioned this port forward setup might lead to some abnormal behavior ie a device asks for 8.8.8.8 DNS but gets confused that Adguard Home responds. It may be better for reliability to set this up via a firewall rule to instead block all outbound DNS requests instead of forwarding the requests. Most devices will then use the local DNS as a back-up. I decided to make the change but still had to except the chromecast devices.

I made the following two rules and disabled the port forward.  These rules are under Firewall -> LAN and are the top rules in the set.

Rule 1:

ALLOW
Source: [Google_devices] -- this is an alias set up with all IP for my google devices
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)

Rule 2:

REJECT
Source: *
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)
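
Added example, not part of the original post: a check to run from a LAN client to see whether port-53 queries aimed at outside resolvers are answered by the local filter (the port-forward setup), get no reply (the reject rule), or reach the outside resolver unfiltered. It assumes `dig` is installed and that PROBE_NAME, an environment variable made up for this example, holds a name your AdGuard Home blocks and answers with 0.0.0.0; only port 53 is tested, and the sample results are constructed.

```shell
#!/bin/sh
# Added example: what happens to DNS queries sent to outside resolvers
# on port 53 from this client?

# Classify one probe from dig's exit status ($1) and its +short output ($2).
classify_probe() {
    if [ "$1" -ne 0 ]; then
        echo no-reply                      # rejected or dropped on the way out
        return
    fi
    case "$2" in
        0.0.0.0|::) echo intercepted ;;    # the local filter answered
        '')         echo inconclusive ;;   # empty answer: cannot tell who replied
        *)          echo bypassed ;;       # an unfiltered record came back
    esac
}

# Reduce "resolver proto result" lines on stdin to a single verdict.
verdict() {
    awk '
        $3 == "bypassed"     { leak++ }
        $3 == "inconclusive" { unsure++ }
        END {
            if (NR == 0)     print "inconclusive"
            else if (leak)   print "leak"
            else if (unsure) print "inconclusive"
            else             print "enforced"
        }'
}

# Query each outside resolver over UDP and TCP (the rules cover TCP/UDP).
# $1 = a name the local filter blocks.
run_probes() {
    for resolver in 8.8.8.8 1.1.1.1; do
        for proto in udp tcp; do
            opt=+notcp
            if [ "$proto" = tcp ]; then opt=+tcp; fi
            out=$(dig +short +time=2 +tries=1 "$opt" "@$resolver" "$1" A 2>/dev/null)
            rc=$?
            echo "$resolver $proto $(classify_probe "$rc" "$out")"
        done
    done
}

# Constructed results for the three situations.
printf 'port forward: %s\n' \
    "$(printf '%s\n' '8.8.8.8 udp intercepted' '8.8.8.8 tcp intercepted' | verdict)"
printf 'reject rule:  %s\n' \
    "$(printf '%s\n' '8.8.8.8 udp no-reply' '1.1.1.1 tcp no-reply' | verdict)"
printf 'no rule:      %s\n' \
    "$(printf '%s\n' '8.8.8.8 udp bypassed' '8.8.8.8 tcp bypassed' | verdict)"

# Live run, only when a probe name is supplied.
if [ -n "${PROBE_NAME:-}" ]; then
    results=$(run_probes "$PROBE_NAME")
    printf '%s\n' "$results"
    printf 'verdict: %s\n' "$(printf '%s\n' "$results" | verdict)"
fi
```

On a device listed in the exception alias, a leak verdict is the expected outcome.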
Title: Re: AdGuard Home setup guide
Post by: thebull on June 11, 2021, 02:21:16 pm
Does anyone know where the raw config file is stored within OPNsense for AdGuard?
Title: Re: AdGuard Home setup guide
Post by: efahl on June 23, 2021, 02:51:10 am
Mine's in /usr/local/AdGuardHome/AdGuardHome.yaml
Title: Re: AdGuard Home setup guide
Post by: sp33dy on July 27, 2021, 10:04:07 am
i keep having problem with adguard not being started automatically

did reinstall/reboot removed other packages etc etc but still same prb

i followed last in this post https://forum.opnsense.org/index.php?topic=16692.15

root@OPNsense:/usr/local/AdGuardHome #  ./AdGuardHome -s install
2021/07/27 10:02:41 [info] Service control action: install
2021/07/27 10:02:41 [fatal] Failed to install AdGuard Home service: Init already exists: /usr/local/etc/rc.d/AdGuardHome


problem is that only way for me to get it running after reboot is either cli or webgui

why does it not start automatically?
ideas

regards /s
Title: Re: AdGuard Home setup guide
Post by: mimugmail on July 27, 2021, 10:06:56 am

> i followed last in this post https://forum.opnsense.org/index.php?topic=16692.15
>
> root@OPNsense:/usr/local/AdGuardHome #  ./AdGuardHome -s install
> 2021/07/27 10:02:41 [info] Service control action: install
> 2021/07/27 10:02:41 [fatal] Failed to install AdGuard Home service: Init already exists: /usr/local/etc/rc.d/AdGuardHome



This is not the way it should be done .. don't do this.
Usually installing the plugin and enable is enough.

Now your install dir can be anywhere.
Title: Re: AdGuard Home setup guide
Post by: sp33dy on July 27, 2021, 10:56:49 am
ok, well that sux that people give wrong instructions

is there anyway for me to fix this?

EDIT: like i stated i have deleted/installed package and rebooted and the problem still persisted, when it still didn't work i tried those instructions
Title: Re: AdGuard Home setup guide
Post by: mimugmail on July 27, 2021, 11:06:39 am
/usr/local/AdGuardHome #  ./AdGuardHome -s uninstall / delete possibly?
Maybe then also remove the plugin and also /usr/local/AdGuard/Home folder.

Then install plugin again, enable and reboot. During reboot watch the console for errors
Title: Re: AdGuard Home setup guide
Post by: sp33dy on July 28, 2021, 09:03:53 am
> /usr/local/AdGuardHome #  ./AdGuardHome -s uninstall / delete possibly?
> Maybe then also remove the plugin and also /usr/local/AdGuard/Home folder.
>
> Then install plugin again, enable and reboot. During reboot watch the console for errors

thanks for your answer, still no good though


service runs fine when started manually, take ages to boot box when dns is not running
are there any startup script i can force run on boot to see if that at least get it running after boot?

nothing wrong on console when booting up, status also says "not installed", i tried reinstall/reboot but still the same

root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s status
2021/07/28 08:59:59 [info] Service control action: status
2021/07/28 08:59:59 [fatal] failed to get service status: the service is not installed
Title: Re: AdGuard Home setup guide
Post by: mimugmail on July 28, 2021, 09:50:43 am

root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s status
2021/07/28 08:59:59 [info] Service control action: status
2021/07/28 08:59:59 [fatal] failed to get service status: the service is not installed

Don't do this! I wrote a startup script because this AdGuardHome -s XXX is a total mess. And that's why AGH is a community plugin and not in the official plugin repo. This -go stuff with their own service control sucks on BSD.

You can use this:
/usr/local/etc/rc.d/adguardhome

But if you already ran "-s install" you are lost somewhere in the middle :(
Title: Re: AdGuard Home setup guide
Post by: sp33dy on July 28, 2021, 10:23:59 am

root@OPNsense:/usr/local/AdGuardHome # ./AdGuardHome -s status
2021/07/28 08:59:59 [info] Service control action: status
2021/07/28 08:59:59 [fatal] failed to get service status: the service is not installed

Don't do this! I wrote a startup script because this AdGuardHome -s XXX is a total mess. And that's why AGH is a community plugin and not in the official plugin repo. This -go stuff with their own service control sucks on BSD.

You can use this:
/usr/local/etc/rc.d/adguardhome

But if you already ran "-s install" you are lost somewhere in the middle :(



I haven't run the -s install on this installation

I'm sure there is something with my install that's causing this and not the plugin itself, just trying to get a working installation here ;)

I assume this should run on bootup: "/usr/local/etc/rc.d/adguardhome"

Can I force run it in some other startup script? For some reason it won't start for me
Title: Re: AdGuard Home setup guide
Post by: planetix on August 03, 2021, 04:32:34 pm
Is there a known issue with fresh installs of this plugin and 21.7? I can't even get the setup page to load after a successful plugin install (http:<my.opnsense.ip>:3000).

The plugin is enabled and appears to be running
No errors are thrown in the logs
I have Unbound disabled
I am not running Grafana, NTPng, or any other service on port 3000. Netstat shows the AdGuardHome service is running on said port and nothing else. 

I cannot get the start page to come up at all on port 3000. Since that triggers the initial setup wizard, there's no configuration yaml created (I checked via CLI). The service just appears to be running and waiting for me to kick off the process.

Could someone post a (more or less) "default" configuration yaml for the plugin? I can modify it for my own setup, restart the service, see if that gets past it, though I'd still like to figure out why I can't access the initial config wizard.

Thanks!

Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.

The problem, if anyone else runs in to this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.

This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.

I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.

Hope this helps someone else :)
Title: Re: AdGuard Home setup guide
Post by: madindehead on August 07, 2021, 03:02:01 pm
I was under the impression that the community repo won't work currently on 21.17, as the dependency for Python 3.7 is missing (as it uses 3.8).

It has to be rebuilt.
Title: Re: AdGuard Home setup guide
Post by: vorago on August 08, 2021, 06:53:47 am
How does one get a self signed certificate going for Adguard Home? Doing it mostly to learn, and thought it would be fun to have DoH/T enabled for my home network.

I have a CA & intermediate CA created and I created a certificate for adguard, but when I paste the cert & key into the fields I get "Certificate chain is invalid" for the certificate and "Your certificate does not verify: x509: certificate specifies an incompatible key usage" for the private key.
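
The second message quoted in the post above is the error text Go's crypto/x509 verifier returns when a certificate's Extended Key Usage does not allow the requested use (AdGuard Home is written in Go). As an added example, not code from this thread or from the AdGuard Home project, the program below builds a constructed root, intermediate and leaf in memory and verifies the leaf as a TLS server certificate; the host name and CA names are made up for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// host is a constructed name; use the name clients will actually connect to.
const host = "adguard.lan.example"

// issue signs tmpl with the parent's key. A nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template returns a short-lived CA or leaf template (validity chosen for the demo).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if isCA {
		t.IsCA = true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn} // the SAN is what the host name check uses
	}
	return t
}

// CheckLeaf issues a leaf with the given Extended Key Usage ("serverAuth" or
// "clientAuth") and verifies it the way a TLS server certificate is checked.
// withIntermediate controls whether the intermediate CA is supplied in the chain.
// It returns "ok" or the verifier's error text.
func CheckLeaf(usage string, withIntermediate bool) string {
	root, rootKey := issue(template("Constructed Root CA", 1, true), nil, nil)
	inter, interKey := issue(template("Constructed Intermediate CA", 2, true), root, rootKey)

	leafTmpl := template(host, 3, false)
	switch usage {
	case "serverAuth":
		leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	case "clientAuth":
		leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	default:
		return "unknown usage " + usage
	}
	leaf, _ := issue(leafTmpl, inter, interKey)

	opts := x509.VerifyOptions{
		Roots:         x509.NewCertPool(),
		Intermediates: x509.NewCertPool(),
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	opts.Roots.AddCert(root)
	if withIntermediate {
		opts.Intermediates.AddCert(inter)
	}
	if _, err := leaf.Verify(opts); err != nil {
		return err.Error()
	}
	return "ok"
}

func main() {
	fmt.Println("serverAuth leaf, full chain:     ", CheckLeaf("serverAuth", true))
	fmt.Println("clientAuth leaf, full chain:     ", CheckLeaf("clientAuth", true))
	fmt.Println("serverAuth leaf, no intermediate:", CheckLeaf("serverAuth", false))
}
```

A leaf issued for client authentication only reproduces the quoted x509 error, while leaving the intermediate out of the pasted chain fails with a different error.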
Title: Re: AdGuard Home setup guide
Post by: jf2001j on August 09, 2021, 01:24:56 pm
But if you already ran "-s install" you are lost somewhere in the middle :(
...

can i force run it in some other startup script?...for some reason it wont start for me

I also have the issue of the service adguardhome not auto-starting, but able to run with "service adguardhome start".

I noticed, that according to "pkg list os-adguardhome-maxit-1.5" there should only be a "/usr/local/etc/rc.d/adguardhome" file. I removed the additional file with "rm /usr/local/etc/rc.d/AdGuardHome".

Also I set "service adguardhome enable". Although the file "/etc/rc.conf.d/adguardhome" exists, it still does not autostart according to "service adguardhome status".

=> Is there a logfile as an alternative to "During reboot watch the console for errors"?

--
update:

I had a chance to look into serial output:

I think the error that adguard does not start automatically occurs because the startup of adguard is quite late as a bootlevel

The problem seems to be a delayed newwanip process, as a workaround it might be possible to change the bootlevel (point in time when adguard starts).
This also seems to delay/block the auto-start of wireguard.

Quote
Starting power daemon...done.
Configuring system logging...done.
>>> Invoking start script 'newwanip'
Reconfiguring IPv4 on igb1: error in configd communication %s, see syslog for de
Reconfiguring routes: OK
>>> Invoking start script 'freebsd'
  • ifconfig wg create name wg0
  • [!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument)
  • wireguard-go wg0

┌─────────tun0: link state changed to UP
─────tun0: changing name to 'wg0'
───────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
(...)
  • Backgrounding route monitor

WARNING: attempt to domain_add(netgraph) after domainfinalize()
setup igb0_vlan10
setup igb0
setup igb1 [egress only]
Starting flowd_aggregate.
Starting flowd.
Starting adguardhome.
>>> Invoking start script 'syslog-ng'
Stopping syslog_ng.
Waiting for PIDS: 90451.
Starting syslog_ng.
Title: Re: AdGuard Home setup guide
Post by: RamSense on August 21, 2021, 10:40:18 pm
I am also new to Adguard (switched from pihole).
In pihole i had:
Never forward non-FQDNs
Never forward reversed lookups for private ip ranges

Do you know how to get this in Adguard?

p.s. I think I fixed the auto start Adguard by adding system -> settings -> general -> dns servers 1.1.1.1 and 1.0.0.1
I read somewhere that opnsense needed it to start running while Adguard is not yet started. Seems to work.
p.s.s. just had to reboot my opnsense and I noticed that Adguard was not starting automatically, so no luck yet....
Title: Re: AdGuard Home setup guide
Post by: Nnyan on August 23, 2021, 01:05:14 am
Currently using NextDNS and I wanted to give AdGuard home a try to see how they compare.  Before I started I did the following:

Disabled Unbound.
Disabled NextDNS CLI (checked status )

Was able to get this installed but when I try to enable encryption under the Encryption settings it tells me that port 443 is being used:

Error: control/tls/validate | port 443 is not available, cannot enable HTTPS on it | 400

I then took a look to see what is using port 443 (if this is not the correct way of checking please let me know):

#sockstat -4 -l

root     lighttpd   46986 5  tcp4   *:443                 *:*
root     lighttpd   46986 7  tcp4   *:80                  *:*

Not sure exactly what is using lighttpd for the port.
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 08, 2021, 11:27:51 am
Adguard + wireguard in Opnsense ( solved ):

https://forum.opnsense.org/index.php?topic=22409.0

I followed your instructions from that thread, but haven't been able to get WireGuard running alongside AdGuard.

WireGuard worked well before I added AdGuard, but now I'm just not getting a connection.

Does anyone else have experience of getting WireGuard running alongside AdGuard and Unbound DNS?
Not sure what Unbound DNS buys me alongside AdGuard, but it works well for my other devices.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 08, 2021, 12:36:26 pm
I have it also up and running here.
maybe this will help you:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

(Optional if not Automatic) Add ACL Entry for Unbound DNS

If you plan to use your WireGuard interface to provide DNS rather than some other DNS server on your network, it has been noted through feedback that there could be the possibility that you will need to add an entry to the Unbound DNS ACL (Access Control List) to allow the WireGuard interface to access your Unbound DNS server in OPNsense. For my configuration, it seems to have been added automatically, but if you are having issues with accessing your DNS server through the WireGuard interface (in my example, the DNS server would be 10.0.0.1), you may want to check your ACL configuration by going to the “Services > Unbound DNS > Access Lists” page. Click the “Add” button to enter the WireGuard network of 10.0.0.1/24 (for my example) to the ACL.
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 09, 2021, 03:44:26 pm
I have it also up and running here.
maybe this will help you:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/

(Optional if not Automatic) Add ACL Entry for Unbound DNS

If you plan to use your WireGuard interface to provide DNS rather than some other DNS server on your network, it has been noted through feedback that there could be the possibility that you will need to add an entry to the Unbound DNS ACL (Access Control List) to allow the WireGuard interface to access your Unbound DNS server in OPNsense. For my configuration, it seems to have been added automatically, but if you are having issues with accessing your DNS server through the WireGuard interface (in my example, the DNS server would be 10.0.0.1), you may want to check your ACL configuration by going to the “Services > Unbound DNS > Access Lists” page. Click the “Add” button to enter the WireGuard network of 10.0.0.1/24 (for my example) to the ACL.

Do you have it running with AdGuard Home setup?

I would be keen to see what settings you have within the WireGuard client and the OPNsense WireGuard settings. Also AdGuard Home.

There's just something missing, but I have no clue what it is.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 09, 2021, 07:09:39 pm
I have the opnsense adguard home plugin running - https://www.routerperformance.net/opnsense-repo/

What dns setting do you have in your Wireguard client config? I Use the Wireguard interface eg: 10.10.10.1

In Adguard dns settings i have
Bootstrap dns servers: 192.168.1.1:5353
private dns servers: 192.168.1.1:5353
where 192.168.1.1 is my opnsense ip and have Services: Unbound DNS: General - Listen Port : 5353

hope that helps.



Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 10:37:06 am
Hi. It is likely I should ask this somewhere else as it is not directly a technical setup question, but maybe.
I've been using OPN with DoT(get-dns)+Unbound _and_ a pi-hole for a while and all is good.
I wanted to compare with AdGuard and I've just done it yesterday by using mimugmail's plugin.
I wanted to limit the reconfiguration and to do that, I configured pi-hole and AdGuard in a chain. It was the easiest way to just put another app and point to it.
Now the question. They seem to be pretty much the same and the setup is almost identical.
Apart from AG being able to run directly on OPN, is there another big reason people prefer it with OPN?
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 10, 2021, 01:02:00 pm
for me personally the switch from pihole going to adguard was the assumption that running on my more powerful device with opnsense, and running it directly from the app, would make it faster.
Besides that I found Adguard home more user friendly and more easy to config.
With pihole I had around 36 ms average processing time and with adguard I get 8 to 9 ms on an average day.
This can be because of running it directly as an app, but maybe it is also because I use DoT with Cloudflare and Quad9 with dns settings - parallel requests.

Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 02:07:02 pm
thanks for sharing. I'm planning on reconfiguring now to bypass pi-hole. Performance is a good reason of course.
I'm on a tiny appliance so it might not be good for me. We'll see.
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 02:14:07 pm
Tried, OPN not happy.
In Services > IPV4 > LAN I wanted to change from the IP for pi-hole to the LAN IP on a non standard DNS port in the "DNS Servers" field i.e. 192.168.5.1:5353 where ADG is running. I've tried with : @ and # as port delimiter.
Does anybody know if there is a way to do that there?
I know if not I'll have to do firewall rules but I was hoping I didn't have to.
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 02:31:10 pm
I've tried as a workaround setting Unbound to listen on 5353 and in Services > DHCPv4 > LAN set to just its LAN address 192.168.5.1, restarted both services and reconnected a client. No DNS resolution.
I'll keep looking at options.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 10, 2021, 02:57:18 pm
Do you have adguard on 53 and unbound on 5353?
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 04:05:25 pm
I have Unbound on 53 pushing dns requests on via "Custom Options" to my preferred stub on localhost:853.
AdG is running on 5353.
DHCP clients get the independent pi-hole ipaddress as DNS server and pihole listens on 53 and has OPN as its upstream.
So currently clients DNS requests go:
client > pi-hole:53 > OPN-Unbound:53 > OPN-Stubby:853 > DoT resolvers.
Then to test ADG I put it inline:
client > pi-hole:53 > OPN-AdG:5353 > OPN-Unbound:53 > OPN-Stubby:853 > DoT resolvers.
With testing OK now I wanted to just bypass pi-hole.
That's where I'm scratching my head. Getting DHCPv4 to push 5353 to the clients.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 10, 2021, 04:35:41 pm
Maybe the easiest way in your config is to shut down pihole and then run AdG on port 53 as well, to see if that works, and work from there?
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 10, 2021, 05:11:06 pm
pi-hole being "there" is not an issue. My issue is getting OPN to dish out a different port via DHCP for a DNS resolver.
If pi-hole was out of the equation I can change the listening ports on both Unbound or AdG but the tricky part is with AdG now being on the same IP (plugin on OPN). It could look like this:
client > OPN-AdG:53 > OPN-Unbound:5353 > OPN-Stubby:853 > DoT resolvers.
But then how do I get DHCP to push clients to AdG on 53. Hm, that could work actually. I'll check.
I appreciate the input.
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 11, 2021, 02:02:56 pm
I have the opnsense adguard home plugin running - https://www.routerperformance.net/opnsense-repo/

What dns setting do you have in your Wireguard client config? I Use the Wireguard interface eg: 10.10.10.1

In Adguard dns settings i have
Bootstrap dns servers: 192.168.1.1:5353
private dns servers: 192.168.1.1:5353
where 192.168.1.1 is my opnsense ip and have Services: Unbound DNS: General - Listen Port : 5353

hope that helps.

In the client config (on my phone) I used the WireGuard interface IP (let's say it's 10.10.10.1).
On OPNsense, I didn't set a DNS server at the end point.

The issue is definitely with AdGuard Home added in.

I will recheck my configuration later today and see if I'm messing something up along the way.

The fixes at this thread didn't seem to work for me: https://forum.opnsense.org/index.php?topic=22409.0
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 11, 2021, 04:17:00 pm
https://forum.opnsense.org/index.php?topic=22918.0
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 12, 2021, 11:37:33 am
I might look at just removing Unbound from the chain right now.

I'm getting very confused as to why I suddenly can't resolve local names.

I use a domain name, example.net, for my internal network. This now isn't resolving.
I previously had my OPNsense router IP as my top upstream DNS in AdGuard, but I don't think this is correct?

I've discovered that you can define a DNS server in upstream for specific domains, e.g. [/host.com/]1.2.3.4 (from here: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#upstreams).

I feel like this is quite flakey and the sheer amount of conflicting and confusing posts in here isn't making it any easier to understand  :-\ Definitely need a concise roundup/summary of what is correct.

Update: I had to re-enable the Static DHCP mapping and register leases in Unbound and it started working again for now. There's probably something else I could do to fix this, but for now I don't have the time to mess around too much.
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on September 12, 2021, 12:07:17 pm
pi-hole being "there" is not an issue. My issue is getting OPN to dish out a different port via DHCP for a DNS resolver.
If pi-hole was out of the equation I can change the listening ports on both Unbound or AdG but the tricky part is with AdG now being on the same IP (plugin on OPN). It could look like this:
client > OPN-AdG:53 > OPN-Unbound:5353 > OPN-Stubby:853 > DoT resolvers.
But then how do I get DHCP to push clients to AdG on 53. Hm, that could work actually. I'll check.
I appreciate the input.
Yup that worked. I've bypassed pi-hole now. It's still on so I can push the queries back but so far all good. I was expecting my firewall rules to be a little trickier with being localhost but so far just replacing the ip with the lan local has worked without problem.
I had to test different ad hosts blocklists but so far functionally I'm good.
Title: Re: AdGuard Home setup guide
Post by: madindehead on September 12, 2021, 01:25:29 pm
Hmm. I may have fixed my WireGuard issue.

I had a Port Forward rule from WAN address to a different net and using the WireGuard port. When I disabled that it seemed to start working again.

Very weird. I can't use my local domain name right now, but I'm getting there. 

Update: I think it's all fixed now. Used the WG interface as the DNS and it seems to work fine. Also added 1.1.1.1 to be safe. So have local name resolution and internet.
Title: Re: AdGuard Home setup guide
Post by: flushell on September 12, 2021, 09:50:48 pm
For local DNS I now use Unbound in OPNsense. I own a domain name and I have Pi-hole configured to do Conditional forwarding for my domain.

If I want to switch to adguard, how does Adguard know when to query Unbound for local domain? Does it take the domainname configured in OPNsense (Under System - Settings - General - Domain)?
Title: Re: AdGuard Home setup guide
Post by: burntoc on September 21, 2021, 03:25:07 am
deleted
Title: Re: AdGuard Home setup guide
Post by: yeraycito on September 23, 2021, 03:04:39 pm
Adguard beta ?

I have upgraded Opnsense to 21.7.3. After restarting Opnsense Adguard has moved to a beta version. After 10 minutes I logged in again and I had a new update, also beta. Adguard works fine but I don't quite understand the move to beta software.
Title: Re: AdGuard Home setup guide
Post by: Vesalius on September 23, 2021, 04:55:32 pm
Per the OPNsense adguard home maintainer on the reason for moving to .107 beta.

https://www.reddit.com/r/OPNsenseFirewall/comments/pm84nr/need_betatesters_for_adguardhome_0107_update/

https://www.reddit.com/r/OPNsenseFirewall/comments/pndq1m/new_updates_to_community_repo_adguardhome_caddy/
Title: Re: AdGuard Home setup guide
Post by: yeraycito on September 23, 2021, 05:36:10 pm
Thank you, I didn't know that.
Title: Re: AdGuard Home setup guide
Post by: RamSense on September 28, 2021, 09:45:32 pm
Question about the config of Adguard Home: Is there a way to backup and restore the adguard home config?
Or is this already being added to the opnsense backup config file?
Title: Re: AdGuard Home setup guide
Post by: Flyinace2000 on October 17, 2021, 03:55:32 pm
My ISP provides IPv6 addresses.  When I enable that on OPNSense it also directs DNS via IPv6.  Is there a good guide to follow to explain how to use IPv6 in a home environment and still use PIHole/Adguard for filtering?  For now I just disabled IPv6.
Title: Re: AdGuard Home setup guide
Post by: mkono87 on October 26, 2021, 02:59:16 am
Perhaps I'm missing a step. If I don't have an IP listed in Settings/General in the DNS servers list, I don't have internet. I have to put 8.8.8.8, which I believe is defeating the purpose. I don't see any entries in AdGuard for my desktop, for example. If I leave it blank I have no internet on it.

I first changed Unbound to 5353, but I have also disabled it. What could I be missing?
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 12, 2021, 05:56:44 pm
Hi all,

I've just migrated my firewall from the Ubiquiti UniFi UDM Pro to OPNsense. I've been reading the forum for several months now, and following my migration I'm quite curious how to go about implementing NextDNS in addition to my AdGuard/Unbound setup. After following Yeraycito's guide on how to use AdGuard Home standalone with Unbound in OPNsense, I want to follow yet another set of Yeraycito's instructions, but I believe there were some changes between the version Yeraycito was using when he posted his screenshots and the latest OPNsense version which I'm currently running, as I don't have a Miscellaneous section under Services / Unbound nor Unbound / General / Custom Options.

Could someone guide me on which Unbound section I should be using to set this up?

Installation;

Let's go to   https://nextdns.io/    and register for free. Once registered you are given a personalised ID and dns.

Opnsense installation:

 - Follow the tutorial explained above for Adguard.

 - Unbound - General - Custom Options: add                 ( XXXXXX is a custom ID in NextDns )


server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
  forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#XXXXXX.dns2.nextdns.io

Thanks in advance.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on November 12, 2021, 06:36:18 pm
Hello, you can do it in the following way.

1 - Go to the NextDns website and copy the address that appears in the Dns over https section: https://dns.nextdns.io/xxxxx

2 - Disable Unbound

3 - In Adguard - Settings - DNS settings you set that address.
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 12, 2021, 06:45:46 pm
Hello, you can do it in the following way.

1 - Go to the NextDns website and copy the address that appears in the Dns over https section: https://dns.nextdns.io/xxxxx

2 - Disable Unbound

3 - In Adguard - Settings - DNS settings you set that address.
Thanks Yeraycito

One additional question, is there anyway to keep the Unbound enabled?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on November 13, 2021, 08:07:27 pm
No, disable Unbound
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 13, 2021, 11:54:47 pm
Thanks Yeraycito!
Title: Re: AdGuard Home setup guide
Post by: jonohunt on November 17, 2021, 01:43:37 pm
I've been using this post as a reference setting up AdGuard with Unbound (very helpful, thanks!), but haven't managed to get hostnames showing in AdGuard, only IP addresses.

I thought of ditching Unbound and using just AdGuard for DNS and DHCP, but then remembered that I'm using overrides in Unbound in order to be able to use Nginx Proxy Manager. I have a FQD with a wildcard certificate to access my web apps (Home Assistant, Plex, Syncthing, etc.) but only internally, not accessible outside of my LAN.

Would doing that still be possible if I were to disable Unbound and only use AdGuard?
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 24, 2021, 07:22:36 pm
Hello,

Guys, I have a question concerning the use of NextDNS within AdGuard. I have AdGuard running on 2 separate RPIs, so in case one fails we still have a DNS working; of course OPNsense points to both. My issue here is that, first of all, I had to add the relevant https://dns.nextdns.io/xxxxx in the DNS upstream section and add the "normal IPs" (45.X.X.X.) in the section below concerning the DNS bootstrap to get it working on the 1st RPI, but when I added that same information on the 2nd one I get an error stating that it's impossible to use https://dns.nextdns.io/xxxxx, please check that the name is correct.

Not sure what I'm doing wrong here so any advice will be appreciated. Please note that if I use the Cloudflare https://family.cloudflare-dns.com/dns-query with the 1.X.X.3, that works for the 2nd RPI. Is there a limitation to 1 global device per network for the usage of NextDNS within AdGuard?

Has anyone already had this issue? Is it the expected behaviour?

Thanks in advance for taking the time to help out, any advice will be highly appreciated.
Title: Re: AdGuard Home setup guide
Post by: Nekromantik on November 25, 2021, 07:01:40 pm
anyway to update adguard?
it has shown me new version notification for few weeks now
Title: Re: AdGuard Home setup guide
Post by: RamSense on November 25, 2021, 07:52:09 pm
I just hit update in AdGuard Home and it updates itself.
Title: Re: AdGuard Home setup guide
Post by: Nekromantik on November 25, 2021, 08:20:59 pm
I just hit update in AdGuard Home and it updates itself.

ah I thought it would not work as its a plugin!
thanks
Title: Re: AdGuard Home setup guide
Post by: Lxndr on November 27, 2021, 08:03:23 pm
Hello,

Guys, I have a question concerning the use of NextDNS within AdGuard. I have AdGuard running on 2 separate RPIs, so in case one fails we still have a DNS working; of course OPNsense points to both. My issue here is that, first of all, I had to add the relevant https://dns.nextdns.io/xxxxx in the DNS upstream section and add the "normal IPs" (45.X.X.X.) in the section below concerning the DNS bootstrap to get it working on the 1st RPI, but when I added that same information on the 2nd one I get an error stating that it's impossible to use https://dns.nextdns.io/xxxxx, please check that the name is correct.

Not sure what I'm doing wrong here so any advice will be appreciated. Please note that if I use the Cloudflare https://family.cloudflare-dns.com/dns-query with the 1.X.X.3, that works for the 2nd RPI. Is there a limitation to 1 global device per network for the usage of NextDNS within AdGuard?

Has anyone already had this issue? Is it the expected behaviour?

Thanks in advance for taking the time to help out, any advice will be highly appreciated.
Anyone to advise on the above please? Thanks
Title: Re: AdGuard Home setup guide
Post by: inlophe on November 28, 2021, 07:03:02 pm
Hi,

Thank you for the guide. As I'm new to Opnsense, it helps a lot.

I run into one problem though.
My setup is using unbound as resolver, so: LAN -> AdGuard (listening on 53) -> unbound (listening on 53530) -> DoT server. DNS resolution works fine for all the client, adguard's doing its job properly too, except for the router itself.  Tried to ping public domain from the router shell gives me Host name lookup failure and I can't update firmware and plugins because of that.

When I disable AdGuard and change my unbound port back to 53 it works, I can ping and update from the router.

Is there any settings that I should know of?
Title: Re: AdGuard Home setup guide
Post by: wadhwa on December 02, 2021, 11:45:18 am
I have extended to backup AdGuardHome.yaml file using Git backup plugin (which is a pre-requisite).

1) login to shell in OpnSense

2) edit actions_adguardhome.conf

Code:
vi /usr/local/opnsense/service/conf/actions.d/actions_adguardhome.conf

3) Insert following:

Code:
[backup]
command:cp /usr/local/AdGuardHome/AdGuardHome.yaml /conf/backup/git ; cd /conf/backup/git; git add AdGuardHome.yaml; git commit -m "Adguard Config changes on `date`" AdGuardHome.yaml
parameters:
type:script
message:backing up Adguardhome config
description:Backup Adguardhome config

See 1.png attached

5)  Restart configd

Code:
service configd restart

6) Configure Cron job in Web UI

See 2.png attached

7) Result See 3.png attached
Title: Re: AdGuard Home setup guide
Post by: mkono87 on December 02, 2021, 05:13:28 pm
The thing I have noticed is that when I try to connect to another VLAN, even by a simple ping or to access a web UI, it will hang on the first attempt. If I cancel and ping again or refresh the page it connects without issue. I'm not exactly sure where this is happening. It's acting as if there is no route table created or something. Would love some insight into why this could be happening. Forgive me if this isn't enough info, just ask and I'll be happy to provide.
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 04, 2021, 01:21:52 pm
I was looking into the AdGuard Home queries and saw .local and .localdomain with processed NXDOMAIN.

Is it normal to have those queried to outside dns (in my case cloudflare)

Is there a way to have those queried only locally?
Title: Re: AdGuard Home setup guide
Post by: wadhwa on December 04, 2021, 07:27:09 pm
Add following to your upstream DNS servers box:

[/mydomain.local/]192.168.1.1

replace mydomain.local with your local domain and 192.168.1.1 with your local DNS server IP.



I was looking into the AdGuard Home queries and saw .local and .localdomain with processed NXDOMAIN.

Is it normal to have those queried to outside dns (in my case cloudflare)

Is there a way to have those queried only locally?
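
How the `[/domain/]upstream` lines discussed above decide where a query is sent, as an added example that is not part of the thread and not AdGuard Home's own code. It is a simplified model that assumes the longest matching domain suffix wins and unmatched names go to the default upstreams; the sample configuration and query names are constructed from values quoted in this thread.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample for the "Upstream DNS servers" box.
const sampleConfig = `tls://1.1.1.1
[/localdomain/]192.168.1.1:5353
[/mydomain.local/]192.168.1.1`

// Rule is one parsed upstream line; Domains is empty for a default upstream.
type Rule struct {
	Domains  []string
	Upstream string
}

// ParseUpstreams parses plain upstream lines and "[/a/b/]upstream" lines.
func ParseUpstreams(conf string) ([]Rule, error) {
	var rules []Rule
	for n, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if !strings.HasPrefix(line, "[/") {
			rules = append(rules, Rule{Upstream: line})
			continue
		}
		end := strings.Index(line, "/]")
		if end < 2 || end+2 >= len(line) {
			return nil, fmt.Errorf("line %d: malformed domain-specific upstream %q", n+1, line)
		}
		var domains []string
		for _, d := range strings.Split(line[2:end], "/") {
			d = strings.ToLower(strings.Trim(d, "."))
			if d == "" {
				return nil, fmt.Errorf("line %d: empty domain in %q", n+1, line)
			}
			domains = append(domains, d)
		}
		rules = append(rules, Rule{Domains: domains, Upstream: line[end+2:]})
	}
	return rules, nil
}

// Route returns the upstreams a query for name would be sent to.
func Route(rules []Rule, name string) []string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	best := -1
	var matched, defaults []string
	for _, r := range rules {
		if len(r.Domains) == 0 {
			defaults = append(defaults, r.Upstream)
			continue
		}
		for _, d := range r.Domains {
			// Match the domain itself or a subdomain on a label boundary.
			if name != d && !strings.HasSuffix(name, "."+d) {
				continue
			}
			if len(d) > best {
				best, matched = len(d), []string{r.Upstream}
			} else if len(d) == best {
				matched = append(matched, r.Upstream)
			}
		}
	}
	if best >= 0 {
		return matched
	}
	return defaults
}

// isLocalUpstream reports whether an upstream is a private or loopback IP,
// with or without a port. Anything else (DoT/DoH URLs, public IPs) is external.
func isLocalUpstream(up string) bool {
	if ap, err := netip.ParseAddrPort(up); err == nil {
		return ap.Addr().IsPrivate() || ap.Addr().IsLoopback()
	}
	if a, err := netip.ParseAddr(up); err == nil {
		return a.IsPrivate() || a.IsLoopback()
	}
	return false
}

// Leaks returns the names that would be sent to at least one external upstream.
func Leaks(conf string, names []string) ([]string, error) {
	rules, err := ParseUpstreams(conf)
	if err != nil {
		return nil, err
	}
	var leaked []string
	for _, name := range names {
		for _, up := range Route(rules, name) {
			if !isLocalUpstream(up) {
				leaked = append(leaked, name)
				break
			}
		}
	}
	return leaked, nil
}

func main() {
	names := []string{"wpad.localdomain", "api.wordpress.org.localdomain", "nas.mydomain.local", "api.wordpress.org"}
	before, _ := Leaks("tls://1.1.1.1", names)
	after, _ := Leaks(sampleConfig, names)
	fmt.Println("sent to external upstream, default only:    ", before)
	fmt.Println("sent to external upstream, with local rules:", after)
}
```

With only a public default upstream, every internal-looking name in the sample leaves the network; with the two domain-specific lines only the public name does.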
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 04, 2021, 09:17:18 pm
thnx for that tip.
But I see also domains like wpad.localdomain and api.wordpress.org.localdomain etc.
So I just tried a custom filtering rule (block):
||*.local^$important
||*.localdomain^$important

don't know what is better?

On further thought... maybe I can better add [/localdomain/]192.168.1.1:5353
to the Upstream DNS server
Title: Re: AdGuard Home setup guide
Post by: wadhwa on December 05, 2021, 07:13:16 pm
To reject all wpad you can use the following custom filtering rule:

Code:
/wpad[.]([a-z0-9.])*/$dnsrewrite=NXDOMAIN;;

I have seen api.wordpress.org.localdomain when you use Blocking mode as NXDOMAIN; change to default and these will go away...

thnx for that tip.
But I see also domains like wpad.localdomain and api.wordpress.org.localdomain etc.
So I just tried a custom filtering rule (block):
||*.local^$important
||*.localdomain^$important

don't know what is better?

On further thought... maybe I can better add [/localdomain/]192.168.1.1:5353
to the Upstream DNS server
Title: Re: AdGuard Home setup guide
Post by: moe on December 08, 2021, 02:06:29 pm
Has anything happened with AdGuard? I am currently unable to log into the web interface running on my OPNsense installation.
Do I need a custom username for this interface or is it the same as the admin panel from OPNsense?
I have used AdGuard for a really long time now without any trouble, but now I am not able to log in.

On the frontend from OPNsense I use LDAP for the authentication.

Thanks for help.
Kind regards
Title: Re: AdGuard Home setup guide
Post by: sclawrenc on December 10, 2021, 03:51:19 am
I followed the guide at the site listed below to setup AdGuard Home using the freebsd version instead of the community plugin, and it's working great other than I only see one client (127.0.0.1) listed in the clients.  All DNS queries are processing as far as I can tell.  Anyone know how to fix my setup to show the individual clients instead of only 127.0.0.1?

Any thoughts on using the guide I linked below versus using the community plugin?

Thanks

https://forums.torguard.net/index.php?/topic/2545-opnsense-adguardhome-total-control-mode-doq/#replyForm
Title: Re: AdGuard Home setup guide
Post by: sclawrenc on December 10, 2021, 03:53:54 pm
In regards to my post above, I suspect it has to do with the fact Unbound is listening on port 53 and AdGuard is listening on port 53530, but I'm not certain how to go about fixing it.  I could try some things and probably will in the meantime until someone has some feedback.  :)
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 10, 2021, 05:32:33 pm
Why not use the plugin version? Works great, including updates :-)

But For your unbound: have you tried setting unbound to port 5353 and adguard on port 53?
and in Adguard dns settings: Bootstrap DNS servers and Private reverse DNS servers pointing to opnsenseip:5353

That's my setting.
Title: Re: AdGuard Home setup guide
Post by: sclawrenc on December 10, 2021, 07:17:28 pm
Why not use the plugin version? Works great, including updates :-)

But For your unbound: have you tried setting unbound to port 5353 and adguard on port 53?
and in Adguard dns settings: Bootstrap DNS servers and Private reverse DNS servers pointing to opnsenseip:5353

That's my setting.

Thanks RamSense for your response.  I tried the plugin first, ran into an issue (most likely misconfiguration on my side), and then decided to try that other guide for fun, plus I wanted to use IPv6, but I'm not sure the plugin version supports it.  I think it would, but I am not certain.
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 10, 2021, 08:37:42 pm
Ah ok. Well I hope you can get it to work with changing the ports.

p.s. I have also (very recently) got ipv6 and I can confirm it works with the plugin version.
Title: Re: AdGuard Home setup guide
Post by: sclawrenc on December 10, 2021, 10:19:04 pm
Thanks RamSense.  Are you able to see the individual clients in AdGuard or do they all show coming from your router or local host IP?  Also, what did you do different to get IPv6 working?  Thanks again.
Title: Re: AdGuard Home setup guide
Post by: RamSense on December 11, 2021, 10:20:14 am
settings - client settings -> I see the ipv6 devices and gave them a name in adguard. Opnsense is DHCP.
I did not have to do any changes in adguard, it worked right away. I do not remember what interfaces I used with the adguard install, maybe I just did all interfaces and that is why I did not have to change anything (?)

In opnsense I have static ipv6, which works great, but there is still an ipv6 bug in freebsd which will hopefully be fixed in the opnsense 22.1 / freebsd 13 version. See e.g. here: https://forum.opnsense.org/index.php?topic=25824.0
Title: Re: AdGuard Home setup guide
Post by: supercm on December 22, 2021, 01:00:49 am
Has anyone gotten AdGuard to also listen on virtual IP addresses?
Title: Re: AdGuard Home setup guide
Post by: mkono87 on December 22, 2021, 03:58:11 am
Has anyone setup keepalived to sync with this with a second instance on another server for high availability?
Title: Re: AdGuard Home setup guide
Post by: mkono87 on December 28, 2021, 11:03:53 pm
Has anyone setup keepalived to sync with this with a second instance on another server for high availability?

Hmm guess not. I guess if I tried this it would be best on something else than the firewall.
Title: Re: AdGuard Home setup guide
Post by: Grumpily6873 on January 09, 2022, 02:23:34 pm
I recently changed my LAN address range from 192.168.x.x to 10.10.x.x based. After the swap I started having problems with DNS resolution in my VLANs. Before the change I did not need any firewall rules or DHCP DNS settings to get resolution on other VLANs, but now I need to set DNS server on VLAN DHCP settings to get any resolution.

This of course is not a huge problem, but I just find it odd and figured that there is maybe something misconfigured in my setup. There is probably some setting that is causing this but I can't find it. Any advice on where to look?

E: I'm using Adguard and routing DNS over TLS with Unbound. The setup is basically the same as in here https://forum.opnsense.org/index.php?topic=22162.msg106715#msg106715

E2: Solved, I forgot to select all VLANs in DNS Listen Interfaces dropdown. Reconfigured and seems to be working as earlier now.
Title: Re: AdGuard Home setup guide
Post by: Steffen123 on January 18, 2022, 07:09:26 pm
I did configure my opnsense like how described in this post and with Option 1

https://forum.opnsense.org/index.php?topic=22162.msg106715#msg106715

But I have some issues. It seems like DNS resolving from the opnsense itself isn't working.

When I open a shell on opnsense and use "nslookup google.com" I get the answer:

;; connection timed out; no servers could be reached

Did I do something wrong?
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 22, 2022, 09:18:26 am
When rebooting opnsense, adguard does not start automatically and I have to start it manually.

Is this, see picture I found in a pfsense guide, something I/we should add? Or can this be added to the plugin?
And if added manually, how to do this in opnsense:

Step 6: Making AdGuard Home start on boot:​

Go to Services>shellcmd and click Add

Command: /usr/local/bin/screen -S AdGuardHome_screen -d -m /opt/AdGuardHome/AdGuardHome
Shellcmd Type: shellcmd
Description: AdGuard

as found here: https://broadbandforum.co/threads/installing-adguard-home-on-pfsense.205884/page-2
Title: Re: AdGuard Home setup guide
Post by: gogolathome on January 24, 2022, 01:38:27 am
When rebooting opnsense, adguard does not start automatically and I have to start it manually.

Is this, see picture I found in a pfsense guide, something I/we should add? Or can this be added to the plugin?
And if added manually, how to do this in opnsense:

Step 6: Making AdGuard Home start on boot:​

Go to Services>shellcmd and click Add

Command: /usr/local/bin/screen -S AdGuardHome_screen -d -m /opt/AdGuardHome/AdGuardHome
Shellcmd Type: shellcmd
Description: AdGuard

as found here: https://broadbandforum.co/threads/installing-adguard-home-on-pfsense.205884/page-2

That is not how it should be done! Adguardhome should be installed as a plugin.
Look at this: https://www.routerperformance.net/opnsense-repo/
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 24, 2022, 08:00:36 am
sorry, forgot to mention that I'm running the plugin of adguard home.

N.B. With opnsense 22.1 it is fixed. after the installation the system came up automatically
Title: Re: AdGuard Home setup guide
Post by: bamboozilla on January 25, 2022, 10:21:23 am
Hi, I followed this tutorial but having an empty System:Settings:General DNS servers results in this error on the host:

dig google.com
Code: [Select]
Error: error sending query: No (valid) nameservers defined in the resolver

I also have a timeout error on the OPNsense update check.

Could anyone with a working adguard + unbound configuration share their `/etc/resolv.conf`?

The only way to make it work for me is to set fallback DNS servers in System:Settings:General DNS servers.

Here is my whole configuration DNS wise if it can help troubleshooting my issue:

System:Settings:General:
Code: [Select]
DNS Server: empty
Do not use the local DNS service as a nameserver for this system: CHECKED

Services:DHCPv4:[LAN]:
Code: [Select]
DNS servers: empty

Unbound DNS:General:
Code: [Select]
Listen Port: 53530
Enable: CHECKED
Enable DNSSEC Support: CHECKED
Register DHCP leases: CHECKED
Register DHCP static mappings: CHECKED
Local Zone Type: transparent

Adguard Home interfaces were set to LAN only during the initial configuration

Adguard:DNS settings:
Code: [Select]
Upstream DNS servers: 127.0.0.1:53530
Bootstrap DNS servers: 127.0.0.1:53530
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on January 26, 2022, 06:10:04 pm
I'm not sure you followed this tutorial. The original post, page 1 shows it using an ip in System:Settings:General DNS servers field. Looks like you are trying to do it differently.
I use Unbound and Adguard home. I also have that field setting and my /etc/resolv.conf only has "domain mydomain" in it. As expected.
Where are you issuing your dig command, a client or the firewall device?
Where is adguard running, another machine?
How are your clients being pointed to that_machine:53530 , dhcp?
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 28, 2022, 02:19:41 pm
After doing a clean install of Opnsense 22.1 I tried to install Adguard. It installs version 0.107.3 stable. I have encountered several difficulties that have prevented me from getting it up and running. When starting the Adguard configuration it indicates that port 53 is in use (Unbound) and forces you to change it if you want to continue configuring Adguard. I changed the Unbound port to 5353 and continued configuring Adguard normally. The problem is that it does not work and there is no internet connection. I have tried setting other ports in Unbound and the same thing happens, there is no internet connection. I have uninstalled Adguard and tried in Unbound to change the port and try to see if there is connection without Adguard. The result is that if Unbound is not set to port 53 by default there is no internet connection. If you set Unbound to any port other than 53 there is no internet connection even if you have configured the corresponding dns. I have done a second test, I have deactivated Unbound and installed Adguard on port 53. At the beginning and after configuring the dns in Adguard everything worked perfectly, but inexplicably after a short time the lan devices were without internet connection, they were no longer displayed in the Adguard logs. However, 127.0.0.1 continued to display and have a connection in Adguard. In the end I had to uninstall Adguard as I couldn't get it to work.

Title: Re: AdGuard Home setup guide
Post by: bamboozilla on January 28, 2022, 05:08:28 pm
I'm not sure you followed this tutorial. The original post, page 1 shows it using an ip in System:Settings:General DNS servers field. Looks like you are trying to do it differently.
I use Unbound and Adguard home. I also have that field setting and my /etc/resolv.conf only has "domain mydomain" in it. As expected.
Where are you issuing your dig command, a client or the firewall device?
Where is adguard running, another machine?
How are your clients being pointed to that_machine:53530 , dhcp?

Thanks for your answer.

I did follow the tutorial as it says the following:
On OPNsense:
System -> General Setup
Set '8.8.8.8' as DNS server (Or whatever DNS you would like as a backup, if you only want AdGuard you can remove all DNS servers from this list and leave it blank)
Untick: Do not use the local DNS service as a nameserver for this system
This way by default OPNsense will use itself (127.0.0.1) as the resolver which we want.

For me these instructions result in a non-functioning changelog access.

I am doing the drill commands directly from the shell of the OPNsense box
Adguard is running as a plugin of OPNsense
The clients have no issues regarding the local DNS, they are getting their IPs and DNS through OPNsense DHCP server yes.

At the end of the day, my issue isn't really that bad as it only means that OPNsense itself will use a different DNS.

@yeraycito: I suggest you try to reproduce my config, as apart from my small issue everything is working flawlessly (it's a clean install)
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 28, 2022, 07:26:33 pm
Thank you very much, I have tried it and it works.

Opnsense 22.1 Clean Install - Installation:

It is very important to follow the order explained

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Opnsense - System - Settings -General

      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

5 - Opnsense - Services - Unbound - Dns Over Tls

      Set the desired dns servers, e.g., Cloudflare:
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com

6 - Opnsense - Services - Unbound - General
 
     Listen Port: 5353

7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the Adguard setup

8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
Title: Re: AdGuard Home setup guide
Post by: hushcoden on January 29, 2022, 12:14:58 pm
Decided to try AdGuardHome with Unbound. Are you guys also using the blocklist from Unbound or is it simply redundant?

Tia.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 29, 2022, 02:35:25 pm
It depends on the lists you put up. In Unbound they are already preconfigured and you can activate the ones you want. Adguard has two basic lists and you can add as many as you want. If you put good lists in Adguard you don't need to activate the ones in Unbound. Some of the lists I have in this post are a set of other lists.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 08:02:14 pm
I am running OPNsense 22.1 and installed AdGuard from the mimugmail repo. Unbound is listening on port 5335 on all my Lan's and VLan's. In AdGuard the upstream and bootstrap DNS-Server is set to 192.168.1.1:5335.
Furthermore under Settings - General there is no DNS-Server set (empty). Also in the DHCP settings is no DNS-Server set.

From my LAN Network I am able to resolve addresses but not from my VLan's. Any suggestions how to solve this problem?

As an example I have also added a screenshot from my IoT rules.

Regards Chris
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 29, 2022, 08:11:07 pm
Hi, try creating a dns rule and put it at the top. You can see how to do it here:

https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 08:21:13 pm
As a NAT - Port Forward rule?

In the past when I was using Pi-hole on a raspberry I was using this rule to forward all DNS traffic to the pi-hole.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 08:40:57 pm
Is there a way to change the listen interfaces in AdGuard?
During the first setup I selected only my physical LAN interface and not the VLan's. Maybe this is the fault.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 29, 2022, 09:15:33 pm
You can't, you have to uninstall and reinstall it. The DNS rule is not a port forward, you have to create it in Firewall - Rules - IOT and put it at the top. When installing Adguard, configure it on all interfaces.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 09:27:08 pm
With this configuration of OPNsense and AdGuard is it necessary to create a NAT unbound rule to force all hardcoded devices like google home to use my provided DNS-Server?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on January 29, 2022, 10:07:40 pm
So now with all interfaces selected during the initial setup it's working.
Title: Re: AdGuard Home setup guide
Post by: namnnumbr on February 01, 2022, 03:29:24 am
I'm trying to set AdGuardHome to work as the DNS for 4 vlans:

LAN:10.0.0.0
HOME: 10.1.0.0
LAB: 10.2.0.0
IOT: 10.3.0.0

On each interface, I have set the interface IP as the DNS server.
All VLANS have been set with a port forward rule to capture the dns requests and pass to 127.0.0.1:53.

Adguard works fine on LAN and HOME, but not on LAB and IOT: I get no resolution, and if I dig, I receive an error: "reply from unexpected source: 10.0.0.1#45443, expected 10.3.0.1#53"
If I set LAB or IOT DNS server to 10.0.0.1 (LAN address), it works. 

I do not understand -- HOME works just fine with the DNS server set as HOME address, but LAB and IOT fail with DNS server set as their interface addresses.

Any suggestions as to why this is the case?
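
The "reply from unexpected source" message in the post above comes from a client-side check: a DNS client compares the source address and port of each UDP reply with the address it sent the query to. The following is an added example, not part of the thread: a loopback-only Python sketch of that check, in which a stand-in resolver answers once from the queried socket and once from a second socket. Function names, the query name and the use of 127.0.0.1 are assumptions.

```python
import socket
import struct

TIMEOUT = 2.0  # seconds; keeps the demo from hanging if a datagram is lost


def build_query(name, qid):
    """Minimal DNS query: header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_reply(query):
    """Echo the ID and question with the response flags set and no answers."""
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 0) + query[12:]


def udp_socket():
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(TIMEOUT)
    sock.bind(("127.0.0.1", 0))  # loopback only, kernel picks a free port
    return sock


def check_reply(sock, expected, qid):
    """Accept a reply only if it comes from the address that was queried."""
    data, source = sock.recvfrom(512)
    if source != expected:
        return "reply from unexpected source: %s#%d, expected %s#%d" % (
            source + expected
        )
    if struct.unpack("!H", data[:2])[0] != qid:
        return "reply ID does not match query"
    return "ok"


def run_case(reply_from_listener, name="example.org", qid=0x1A2B):
    """Send one query; the stand-in resolver answers from one of two sockets.

    reply_from_listener=True models a reply that is translated back to the
    address the client asked; False models a reply that reaches the client
    with a different source, so the client cannot match it to its query.
    """
    client, listener, other = udp_socket(), udp_socket(), udp_socket()
    try:
        expected = listener.getsockname()
        client.sendto(build_query(name, qid), expected)
        query, client_addr = listener.recvfrom(512)
        sender = listener if reply_from_listener else other
        sender.sendto(build_reply(query), client_addr)
        return check_reply(client, expected, qid)
    finally:
        for sock in (client, listener, other):
            sock.close()


if __name__ == "__main__":
    print("same source :", run_case(True))
    print("other source:", run_case(False))
```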
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 01, 2022, 04:52:11 pm
Do you maybe have an inter-VLAN routing deny rule on both VLANs?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 01, 2022, 07:43:48 pm
I got it working now by following these instructions:
https://labzilla.io/blog/force-dns-pihole

But I also had to add a DNS-Allow rule on top of all other rules for the different networks.
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

Now my network clients are using AdGuard and the internal DNS resolver, also devices with hardcoded DNS like google nest mini.
Title: Re: AdGuard Home setup guide
Post by: namnnumbr on February 02, 2022, 01:04:42 am
Thanks for the resources.  If I can't resolve it tonight, I guess I'll try rebuilding from scratch and try to follow these instructions.

I don't see how an intervlan deny rule would allow me to access across VLANs (IoT -> LAN) but not allow IoT -> IoT address (although it's entirely possible I've messed up somewhere)...  Additionally, I have the automatic NAT rule created which should allow access to interface_address:53

When you set up outgoing NAT, did you set it up per interface?
I've tried outgoing NAT, and it doesn't make a difference.  I wasn't sure I was doing it right, so I tried various permutations of LAN/IOT for interface, source, and destination.  Still receiving the same error.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 02, 2022, 08:04:17 am
Thanks for the resources.  If I can't resolve it tonight, I guess I'll try rebuilding from scratch and try to follow these instructions.

When you set up outgoing NAT, did you set it up per interface?
I've tried outgoing NAT, and it doesn't make a difference.  I wasn't sure I was doing it right, so I tried various permutations of LAN/IOT for interface, source, and destination.  Still receiving the same error.

I will do some screenshots from my rules this afternoon, I think this will explain it better than with my words.

The NAT rules I have not set them up for each interface. I have created a group with all related networks, including VLan's.
I will also do some screenshots from the NAT rules.
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 02, 2022, 04:48:54 pm
Here are my two Port Forward rules and the Outbound rule.
local_Networks is a Group and the members are all my related networks, eg. LAN, IoT, ...

Furthermore I have created for all these Networks a pass DNS to internal server rule and below this a block any external DNS server rule.

I hope this will help you to setup your firewall.
Title: Re: AdGuard Home setup guide
Post by: lilsense on February 02, 2022, 05:34:49 pm
How do I change the HTTP port/etc once it's been set up? It looks like it's a one time deal.

Also, how do you set up the DoT?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 02, 2022, 05:45:34 pm
I think you are right, it's a one time deal.

For DoT I use unbound. But in AdGuard just type the TLS server address in the upstream DNS-Server field. Examples are also shown on the DNS-settings page.
Title: Re: AdGuard Home setup guide
Post by: Fawkesguy on February 02, 2022, 06:00:54 pm
Here are my two Port Forward rules and the Outbound rule.
local_Networks is a Group and the members are all my related networks, eg. LAN, IoT, ...

Furthermore I have created for all these Networks a pass DNS to internal server rule and below this a block any external DNS server rule.

I hope this will help you to setup your firewall.

Just to show another option:

I do my LAN rule a little differently.  First one blocks everything but my Adguard Home server from reaching outside DNS using an alias containing a list of public DNS servers.  This helps prevent clients from using DoT and DoH to bypass the NAT port forward.  Second rule is generated from the NAT port forward.

The "Public_DNS" alias contains https://public-dns.info/nameservers-all.txt

Title: Re: AdGuard Home setup guide
Post by: lilsense on February 02, 2022, 06:29:17 pm
I think you are right, it's a one time deal.

For DoT I use unbound. But in AdGuard just type the TLS server address in the upstream DNS-Server field. Examples are also shown on the DNS-settings page.

Thanks.  I uninstalled it since it does not support regex in whitelist...
Title: Re: AdGuard Home setup guide
Post by: namnnumbr on February 03, 2022, 03:05:39 am
@ChrisChros, @Fawkesguy -- thanks much for taking the time to share screenshots of your setup!  I think I have a pretty good idea of what should work.  Unfortunately, I'm still not getting an appropriate response (i.e., for some reason my IoT network (10.3.0.0/24) thinks it's getting a response from the LAN interface (10.0.0.1)).

... which suggests to me that I probably have issues either elsewhere in my firewall rules or a bit of a hinky opnsense install.

I'll probably spend the weekend wiping and resetting everything...
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 03, 2022, 06:52:43 am
A short update to my rules. They are not working as expected. I have two google devices connected to my IoT network. The google home mini is working without any issues, but the google nest mini does not want to establish an internet connection.
I can see in the live log that 10.10.10.22 (nest mini) is caught by the rdr rule every second, while the home mini (10.10.10.23) has more or less no entries.

Nest mini and Home mini are more or less the same devices, but the behavior is completely different to my NAT rules.
Any suggestions what is going wrong with my rules?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 03, 2022, 05:39:41 pm
So I think I have it now.
I checked all my port forward rules and realized that NAT reflection was set to "Use system default", this has to be set to "Disabled".
Title: Re: AdGuard Home setup guide
Post by: RamSense on February 04, 2022, 09:37:19 pm
@ChrisChros,
I followed your https://labzilla.io/blog/force-dns-pihole
guide to adguard home plugin on opnsense. this works like it should for [Test it out]- point 4

but when doing [Test it out] - point 5 "by temporarily disabling the first NAT rule" I get
;; connection timed out; no servers could be reached

Do you know what can cause this?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 04, 2022, 10:18:42 pm
Unfortunately not. I only performed Test 4.

After that I was happy that my hardcoded DNS devices were able to connect to the inet.
Title: Re: AdGuard Home setup guide
Post by: RamSense on February 05, 2022, 07:58:33 am
ah ok.
Well the difference I have with your guide vs what I had is that instead of nslookup showing always my adguard ip (opnsense ip), now when you try to bypass with e.g. 1.1.1.1 it is showing like it seems to come from 1.1.1.1 but actually adguard is doing the dns. Sounds better than what I had, so great.

only test 5 fails, I'm curious if that is working at your end

*update*
Got it working. I had a firewall-rules-lan block #53 still there :-)
when removed test 5 works like it should. It seems that with your bypass guide solution I can delete this block rule while all is going to be pushed to adguard now (normal and hardcoded) or does somebody else have another opinion?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 05, 2022, 08:10:53 am
So what I observed today is a little bit strange.
My Google Nest mini is not able to connect to the internet this morning. In AdGuard I can see that at 2 AM the DNS queries rose from 2500 to 18000. No changes have been done to the firewall rules during that time.
Does anybody else have a similar behavior?
Title: Re: AdGuard Home setup guide
Post by: RamSense on February 05, 2022, 08:22:55 am
do you use ipv6?
I still have some problems with ipv6 on opnsense 22.1
if yes, try stop and start Services-DHCPv6 and stop and start services-Router Advertisements
and see if that gets your nest mini back on
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on February 05, 2022, 08:29:22 am
I do not use IPv6, it is completely deactivated. I do not see the benefit for home use.
Title: Re: AdGuard Home setup guide
Post by: namnnumbr on February 07, 2022, 03:16:13 am
For the record, part of my problem was that my port forward rules were for TCP only... and DNS is UDP.  So fixing that helped.

The other part of my problem was an overly complex and janky vpn setup between OPNsense and my switch.

Everything is working cleanly now.
Title: Re: AdGuard Home setup guide
Post by: mupi2k on February 08, 2022, 05:51:13 pm
I recently acquired a NanoPi R4S. Amazing router, and trivial to run OPNsense.  However, the mimugmail repo doesn't work on aarch64.

Which leads to the question of why it's even necessary.

Installing the mimugmail repo already implies SSH access to run the requisite `fetch` command.  So why not simply `fetch` the freebsd native adguard home?  At that point, you just have to extract the archive, and then follow Adguard's own installation steps.  Nothing terribly complicated there, beyond knowing that OPNsense is Freebsd-based, and what architecture you are running (likely 95%+ AMD64).

Yes, adguard will complain that port 80 is in use. Pick another one! (3000 works, unless you are running Grafana on the same host. 8080 works too, unless you are running nginx on that port.)

If you don't stop unbound, it will complain about port 53, too, but you can either move adguard (and then point unbound to adguard), move unbound to a different port, or stop unbound. (adguard already does most of what unbound does).

As an alternative, you can load adguard (and other!) lists to unbound.  A few years ago I wrote a script to "manage" black- and white- lists with unbound (whitelists being local overrides to the public lists, much like adguard does), but I abandoned that work after I found Adguard Home and realized they had already solved (better!) the big problem I was trying to solve: given a device trying to access a site, how do I know which site is blocked. It's easy to whitelist the site, but fairly difficult to parse the logs to see.  Adguard gives me a simple interface to see that, and with a click I can whitelist the domain, either everywhere, or just for that one device.

I really don't think a scratch install is any more complicated than installing a custom repo...
Title: Re: AdGuard Home setup guide
Post by: RamSense on February 08, 2022, 06:41:38 pm
I understand your view and opinion. But me for instance, I like the plugin concept. When being able to control opnsense and additions from the gui makes it easy and clear, gives a feeling of control compared to having to go to terminal / having to go and enable ssh for every install feels a bit threshold for me. I also like being able to get into the gui and control things in opnsense while being away by vpn and the comfort of my phone.
So with that being said; opnsense is all about being able to have many ways of control, the gui, terminal/ssh etc. So with both options available, everybody is happy :-)

ps. But there are improvements / wishlist: It would be great being able from within the plugin/gui to backup the config of adguard home with all dns-settings,used lists and custom rules.
Title: Re: AdGuard Home setup guide
Post by: mupi2k on February 08, 2022, 08:37:28 pm
I understand your view and opinion. But me for instance, I like the plugin concept. When being able to control opnsense and additions from the gui makes it easy and clear, gives a feeling of control compared to having to go to terminal / having to go and enable ssh for every install feels a bit threshold for me. I also like being able to get into the gui and control things in opnsense while being away by vpn and the comfort of my phone.
So with that being said; opnsense is all about being able to have many ways of control, the gui, terminal/ssh etc. So with both options available, everybody is happy :-)



I guess my main point was more for the "guide"; it really isn't difficult, and once installed the need for the cli is minimal.

It's probably also fair to note that I am the type who prefers the simplicity of a cli. Given the choice, I will almost always choose a cli over a gui because the  vast majority of the time it's faster, and the gui usually is just an abstraction around the cli anyway, and often makes assumptions that are hidden (or can't even be set).

That said, I understand that lots of people prefer a gui approach, even if it is slower and less secure. For me (and after reading this thread, I know I'm not alone...), if what I wanted was a 99%  GUI solution, I'd be running OpenWRT instead.

You *can* access your AdSense gui from a vpn easily enough. If you use the virtual IP approach, it wouldn't even feel weird because it would feel like you are logging on to a different host.  It's no more difficult to access the AdGuard gui from your phone than OPNsense (arguably easier, because AdGuard's mobile interface is well optimized).  You also can SSH on a vpn. I have a terminal program for my phone, even, that I could use.  Granted, securely using ssh requires a bit of work, but if you can install the mimugmail repo, you can run the two or three cli commands for key-based (as opposed to password-based) ssh login.  That's well out of scope *here* but I bet there's already guides for that... :D
Title: Re: AdGuard Home setup guide
Post by: inlophe on March 03, 2022, 05:44:07 am
I can't seem to figure out what's wrong with my setup.

My Port Forward NAT already has rules to redirect outbound DNS to Adguard (using Groups, for several VLANs), Unbound listens to 53530, and Adguard Upstream DNS and bootstrap DNS point to 127.0.0.1:53530 (or LAN_ip:53530, tried both), but it still won't resolve. I tried to reinstall adguard several times to make sure that I choose all interfaces on DNS listen interface.

I don't know if resolve is the right word, because I can see that my DNS requests show up in Adguard AND Unbound log, so that means the flow is correct, but I still never got any response on my VLANs, only my LAN works.

Anyone have any idea?

EDIT: nevermind, turns out I need to point the DNS server in DHCP to the gateway/Adguard interface IP of each VLAN or leave it empty. It works now.
Title: Re: AdGuard Home setup guide
Post by: Videopac on March 28, 2022, 03:27:43 pm
Thanks for the guide/help.
I get a notification in the AdGuard Home webinterface that v0.107.5 is now available: can I update directly from the AdGuard Home webinterface or should I wait until the package gets updated?
Title: Re: AdGuard Home setup guide
Post by: RamSense on March 28, 2022, 03:54:51 pm
Updates work fine here from the webinterface
Title: Re: AdGuard Home setup guide
Post by: weslsew on April 04, 2022, 03:53:29 pm
Is there a known issue with fresh installs of this plugin and 21.7? I can't even get the setup page to load after a successful plugin install (http:<my.opnsense.ip>:3000).

The plugin is enabled and appears to be running
No errors are thrown in the logs
I have Unbound disabled
I am not running Grafana, NTPng, or any other service on port 3000. Netstat shows the AdGuardHome service is running on said port and nothing else. 

I cannot get the start page to come up at all on port 3000. Since that triggers the initial setup wizard, there's no configuration yaml created (I checked via CLI). The service just appears to be running and waiting for me to kick off the process.

Could someone post a (more or less) "default" configuration yaml for the plugin? I can modify it for my own setup, restart the service, see if that gets past it, though I'd still like to figure out why I can't access the initial config wizard.

Thanks!

Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.

The problem, if anyone else runs in to this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.

This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.

I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.

Hope this helps someone else :)

Can you explain exactly what you did to get this working?  I'm having the same problem
Title: Re: AdGuard Home setup guide
Post by: 01cooperl on April 11, 2022, 11:52:51 pm
I've followed the guide to install AdGuard using the repo and it works great. The problem is that my unraid server cannot update its docker containers. I have tried to specify a port forwarding rule just for the unraid server to send the traffic to port 5353 in the unbound server to effectively bypass AdGuard, however it seems to direct all traffic on the network to unbound. See the additional rule I set-up and moved it before the other rule in the guide:

Code: [Select]
Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: UnraidServerIP
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: 5353
Description: Bypass AdGuard for unraid server
NAT Reflection: Disable

What am I doing wrong? How can I achieve forwarding traffic to AdGuard with the exception of a single IP which doesn't need to go through AdGuard?
Title: Re: AdGuard Home setup guide
Post by: Taubin on May 11, 2022, 06:06:44 am
This broke unraid for me as well, not sure what happened that broke it, but it started in the past 3 days. I went to update today, and couldn't update anything.

Even when I set the DNS on unraid to use something else (quad9 in my case), it still tried to go through adguard and got blocked.
Title: Re: AdGuard Home setup guide
Post by: beneix on May 29, 2022, 05:35:05 pm
Updates work fine here from the webinterface
Hmmm...I get an error message "Auto-update failed."
(https://ibb.co/TMmYQq6)
What is the procedure for manual update? I am running OpnSense on an amd64 architecture, so I assume I need to download the latest AdGuardHome_freebsd_amd64.tar.gz from https://github.com/AdguardTeam/AdGuardHome/releases and replace /usr/local/AdGuardHome with it. But I also assume I first need to stop the AdGuard service; how do I do that? I tried ./AdGuardHome -s stop but that gave an error message. (I had already stopped AdGuardHome in the web interface, but on my previous setup that was not enough, the service also had to be stopped over SSH.)
Title: Re: AdGuard Home setup guide
Post by: rickygm on June 10, 2022, 01:41:38 am
Thank you very much, I have tried it and it works.

Opnsense 22.1 Clean Install - Installation:

It is very important to follow the order explained

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Opnsense - System - Settings -General

      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

5 - Opnsense - Services - Unbound - Dns Over Tls

      Set the desired dns servers, e.g. Cloudflare:
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com

6 - Opnsense - Services - Unbound - General
 
     Listen Port: 5353

7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

it works for me, the problem I have is that I can not identify the ip of my network, it only shows 127.0.0.1

Title: Re: AdGuard Home setup guide
Post by: yeraycito on June 10, 2022, 06:55:45 pm
It is very important to follow the order explained
Title: Re: AdGuard Home setup guide
Post by: rickygm on June 13, 2022, 08:09:26 pm
It is very important to follow the order explained

I have followed your method and it does not work for me, with this guide it works https://forum.opnsense.org/index.php?topic=25614.0 , but I only see in the identification of the clients the localhost or the internal ip of my fw

and I think the problem to identify the clients is in the dns custom list section.
Quote
server:
do-not-query-localhost: no
forward-zone:
 name: "."    # Allow all DNS queries
 forward-addr: 192.168.30.254@5310
 forward-addr: ::1@5353

Title: Re: AdGuard Home setup guide
Post by: twitch86 on June 28, 2022, 10:58:03 am
Hi Guys,

if i followed this guide - but i have one problem

I cannot fetch Firmware - Updates/Plugins anymore
I need to set an DNS under General and Tick "Do not use the local DNS service as a nameserver for this system"
to make my system fetch these

Title: Re: AdGuard Home setup guide
Post by: Mario_Rossi on August 14, 2022, 01:50:18 pm
Hi, I have read some guides and discussions. Generally it is simply said do so and so without explaining why it is necessary that way.

From what I understand the best scheme:
Client -> OPNsense -> AD Guard -> Unbound -> Internet

Client: DHCP
OPNsense: System: Settings: General -> DNS servers -> blank (so everything is set to 127.0.0.1)
AD Guard:
Upstream DNS servers: [/local.lan/]OPNsense_IP:5353
Bootstrap DNS servers: OPNsense_IP
Private reverse DNS servers: 127.0.0.1:5353 + OPNsense_IP: 5353
Unbound: DNS TLS of our choice

Rule in the firewall to intercept all DNS requests from the LAN and redirect them to AD Guard to prevent "crafty" programs from bypassing the system.

In this way the clients are forced to go from AG Guard which filters according to the rules, the DNS requests go through Unbound which takes care of contacting the servers for wan addresses and resolving the internal hosts.

Do you confirm that this is the best configuration?

Sorry my bad english, i use google translate.
Title: Re: AdGuard Home setup guide
Post by: Coastal9772 on August 24, 2022, 05:37:30 am
Delete
Title: Re: AdGuard Home setup guide
Post by: Coastal9772 on August 29, 2022, 07:43:28 pm
How do I know if my DNS requests are using DoT when using this implementation? Do I still set DoT on opnsense' end as well or just in AdGuard?
Title: Re: AdGuard Home setup guide
Post by: Vexz on September 06, 2022, 06:56:42 am
So I followed the instructions here to setup AGH on my OPNsense. It's working fine so far but I have one issue that bugs me. I don't know whether this is some problem with AGH itself or something else.

When I set the upstream DNS servers in AGH it's always complaining that my entered DNS server is wrong.
For example: tls://1.1.1.1 works just fine but tls://1dot1dot1dot1.cloudflare-dns.com is not accepted.
Same problem with any other upstream DNS server.

I found threads on reddit where people experienced the same problem but they just use the working solution from above but I don't like that.

Does anybody know what to do to fix this?

Edit:
I found the solution: The problem was that I blocked outgoing packages with destination port 53 to ensure DoT and DoH must be used to resolve domain names. That made it impossible for the bootstrap DNS servers to resolve the names of my upstream DNS servers.
Title: Re: AdGuard Home setup guide
Post by: tommiy on September 22, 2022, 02:12:16 am
Hi, I’m looking for some assistance as I’ve read the entire 12 pages and have not been able to get opnsense dns resolution working after the settings below are applied. It times out. There are a number of requests in the thread which states to follow the set up which I think I have done but still the own self status check does not work.

Appreciate any input.

Opnsense 22.7.4

1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - Opnsense - System - Settings -General
      DNS Servers: empty
      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
5 - Services – DHCPv4 – [LAN] : DNS Servers all blank
6 – Opnsense – Services - Unbound DNS – General
       Tick: Enable Unbound
       Tick: Enable DNSSEC Support
       Tick: Register DHCP Leases
       Tick: Register DHCP static mappings
       Tick: Register IPv6 link-local addresses
7 - Opnsense - Services - Unbound - Dns Over Tls
      Untick: Use System Nameservers
      Domain: blank
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com

8 - Opnsense - Services - Unbound - General
 
     Listen Port: 53530

9 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

10 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:53530  ( 192.168.1.1:5353 ) Delete those that exist

11 – Adguard Home – DNS Configuration – Private reverse DNS servers
       127.0.0.1:53530
      192.168.1.1:53530



Edit
Unfortunately with either the above configuration and or the previous one when I visit
https://1.1.1.1/help
it states that DNS over TLS is not being used. So I'm at a loss. Appears AGH is running and using unbound but unbound is not using the DNS over TLS configuration?

Edit
I removed AGH from the picture to validate that unbound is performing DNS over TLS. Using tcp dump on the WAN interface I can see that there are TLS sessions set up to 1.1.1.1 and 1.0.0.1 but the client dns queries are still going out the WAN interface on port 53. Guess that LAN fw rule may be required. I need to resolve this I guess before being concerned with AGH.

Edit
Easier avenue for initially validating DNS over TLS is Services-Unbound-Advance and set log level verbosity =2 and tick Log Queries. Then in unbound logs set to informational and you will see the queries and port #.

Solved
Issue is when you install AGH you need to bind to all interfaces or later edit the /usr/local/AdGuardHome/AdGuardHome.yaml file to bind to 0.0.0.0. Doing that permits the resolv.conf to still point to 127.0.0.1 which is bound to AGH and then to Unbound. The unbound logs are showing #853. So I'm happy. Good learning session.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on September 22, 2022, 06:54:08 pm
Opnsense 22.7.4 Install:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

           
Extra Wireguard: If we have created a wireguard network in Opnsense, for example, 10.0.0.1/24 we have to set the dns 10.0.0.1 in the wireguard clients. In Wireguard Opnsense it is not necessary to configure anything.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on September 22, 2022, 07:10:28 pm
Unbound - General

Unbound - DNS over TLS
Title: Re: AdGuard Home setup guide
Post by: yeraycito on September 22, 2022, 07:14:03 pm
Adguardhome - DNS settings - Upstream DNS servers

Adguardhome - DNS settings - Bootstrap DNS servers
Title: Re: AdGuard Home setup guide
Post by: blue_shift on September 25, 2022, 02:26:17 am
Hi everybody,

I just found your post. Does your AdGuard Home start without any problems? I tried to install it using GitHub versions (beta & final) but I am not even able to start it - same using the Max-It plugin. I see posts that it can use port 53, right after that I get the message "dhcpv4 srv: nil ist not an IP address".

Then I see posts for the IP addresses of my opnsense and the used ports 3000 and 3001. But there is no webinterface available. I got nothing on port 3000 and 3001.

Thought I try configuring it on a clean virtual machine, ended up in exactly the same problem!

Any idea what could be the reason for that?
Title: Re: AdGuard Home setup guide
Post by: aduwing on September 25, 2022, 02:09:37 pm
Hello,

I am trying to install AdGuard Home using the guide provided. But when I change the listening port in Unbound to 5353 the service is not starting. When I return it to 53 the service starts. Any ideas why Unbound service would not start?

Currently on version 22.7.4.

Thank you.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on October 03, 2022, 10:26:25 pm
Solution to Auto-update failed error when trying to install update 0.107.15 on Adguard Home:

1 - In Opnsense stop Adguard Home

2 - Download and unzip AdGuardHome_freebsd_amd64.tar.gz ( https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.15 )

3 - Access Opnsense via ssh to /usr/local/AdGuardHome and replace the old files with the new ones respecting the permissions of those files.


Title: Re: AdGuard Home setup guide
Post by: yeraycito on October 03, 2022, 10:26:55 pm
4 - In Opnsense launching Adguard Home
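
Steps 2 and 3 of the manual update above as a script, added here as an example and not part of the posts. The checksum check goes beyond the posted steps; the function names, the digest argument and the assumption that the tarball unpacks into a top-level `AdGuardHome/` directory are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: steps 2-3 of the manual update.
# Step 1 (stop AdGuard Home) and step 4 (start it) stay in the OPNsense GUI.

INSTALL_DIR="/usr/local/AdGuardHome"    # install path named in the thread

# Print the SHA-256 of a file with whichever tool the system ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                  # FreeBSD base system
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the tarball matches the digest supplied by the caller.
verify_tarball() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Overwrite each installed file in place, so its owner and mode are kept.
# Files that are new in this release are copied as they come.
replace_keeping_perms() {
    new_dir=$1
    dest_dir=$2
    for src in "$new_dir"/*; do
        [ -f "$src" ] || continue
        name=$(basename "$src")
        # Never overwrite the live configuration.
        [ "$name" = "AdGuardHome.yaml" ] && continue
        if [ -f "$dest_dir/$name" ]; then
            cat "$src" > "$dest_dir/$name"
        else
            cp "$src" "$dest_dir/$name"
        fi
    done
}

manual_update() {
    tarball=$1
    expected=$2
    dest=${3:-$INSTALL_DIR}

    if ! verify_tarball "$tarball" "$expected"; then
        echo "checksum mismatch, not installing" >&2
        return 1
    fi
    if pgrep -x AdGuardHome >/dev/null 2>&1; then
        echo "AdGuardHome is still running; stop it in the OPNsense GUI first" >&2
        return 1
    fi

    work=$(mktemp -d) || return 1
    tar -xzf "$tarball" -C "$work" || return 1
    # Keep a copy of the old install (permissions included) for rollback.
    cp -Rp "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Assumption: the release tarball unpacks into a top-level AdGuardHome/ directory.
    replace_keeping_perms "$work/AdGuardHome" "$dest"
    rm -rf "$work"
}

# Usage: sh agh-update.sh <tarball> <expected-sha256> [install-dir]
if [ "$#" -ge 2 ]; then
    manual_update "$@"
fi
```
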
Title: Re: AdGuard Home setup guide
Post by: Nekromantik on October 04, 2022, 05:09:54 pm
anyone else not able to update adguard?
it says cannot update error
Title: Re: AdGuard Home setup guide
Post by: svengru on October 04, 2022, 09:58:31 pm
Yes, running into the same error trying to update to v0.107.15. Never had this issue before.
Just did the manual upgrade and all works fine.
Title: Re: AdGuard Home setup guide
Post by: Inxsible on October 05, 2022, 05:18:25 am
Just setup AdGuard Home with Unbound as the upstream server. Everything seems to be working except my configuration for SSL offloading via HAProxy plugin on Opnsense. I can access AdGuard Home using the IP, but not via a domain name. I can however access all my other services (password manager, local cloud etc) via the domain names.

I have already set up the necessary Overrides under Unbound for it and also created the Real Server, Backend Pool, Condition & Rules in HAProxy. Are there some headers that are required for this to work?
Title: Re: AdGuard Home setup guide
Post by: opnbnuser on October 29, 2022, 05:24:21 pm
Hi, I have an OPNSense running fine with mimugmails AdGuard@Home.
When moving to a different PC (Fujitsu S920 AMD 4x1,5 + Intel NIC) and booting, then OPNSense is working fine. But Adguard@Home is not starting.

Where can/should I look for issues?

Never mind, the config in /usr/local/AdGuardHome/AdGuardHome.yaml was empty - crazy ;) I copied over the existing one from agh-backup to make it work again.
Title: Re: AdGuard Home setup guide
Post by: yodaleaff on November 16, 2022, 06:08:20 pm
Hi Guys,

if i followed this guide - but i have one problem

I cannot fetch Firmware - Updates/Plugins anymore
I need to set an DNS under General and Tick "Do not use the local DNS service as a nameserver for this system"
to make my system fetch these

I ran into this problem also. I think it is caused by only selecting the LAN interface during initial adguard setup. My thinking was "why would I want to have DNS on the WAN?" I guess the answer is that, without it, opnsense doesn't get dns. Maybe it could have also been fixed by putting the router IP in the opnsense gui? Anyway,  I fixed it by editing the AdGuardHome.yaml file.

Code: [Select]
# Different network interfaces.
'dns':
    'bind_hosts':
    - '127.0.0.1'
    - '192.168.1.1'

https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration
Title: Re: AdGuard Home setup guide
Post by: techsolo12 on November 23, 2022, 05:35:31 pm
Hello Guys,

at first, a big thank you to @yeraycito for your tutorial!

I have some additional steps for the tutorial, if you want to use a wildcard certificate from acme client and domain name in your local network.
For me i can't get adguard webui with ssl working on the domain name from opnsense. My goal was to use the webui like this: https://opnsense.your-local-domain.tld or on a another port like opnsense.your-local-domain.tld:4443 with ssl wildcard certificate.


Opnsense 22.7.4 Install:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Open SSH Tunnel to OPNSense and edit the following config file
     
Code: [Select]
nano /usr/local/AdGuardHome/AdGuardHome.yaml
7.1 - You need to change following parts:
Code: [Select]
bind_host: 0.0.0.0
dns:
  bind_hosts:
    - 0.0.0.0

7.2 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 127.0.0.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

       Add 127.0.0.1:5353    !!!Delete those that exist!!!

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

       Add 127.0.0.1:5353    !!!Delete those that exist!!!
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

       Add 127.0.0.1:5353

12 - Now go Settings -> Encryption

       Pick "Encryption activation"

       Servername = opnsensehostname.your-local-domain.tld

       Tick: "Automatic HTTPS redirect"
 
       If you want change HTTPS do it in "HTTPS-Port"

       Under Certificate choose your certificate from acme client which should be located in:

Code: [Select]
/var/etc/acme-client/home/*.your-local-domain.tld/fullchain.cer
       Under Private Key choose your certificate from acme client which should be located in:

Code: [Select]
/var/etc/acme-client/home/*.your-local-domain.tld/*.your-local-domain.tld.key
13 - Save the settings
       
If you get a warninghint like: "validating certificate pair: certificates has no IP addresses; DNS-over-TLS won't be advertised via DDR" it's a known bug since version 0.127.16 with update to version 0.127.19 the color is only white and not red like in x.16, x.17, x.18

With best regards
techsolo12

EDIT: If you want to check if your setup works correctly you can use this website https://www.cloudflare.com/de-de/ssl/encrypted-sni/


Title: Re: AdGuard Home setup guide
Post by: Lip90 on December 12, 2022, 02:30:30 pm
DNS over IPsec didn't work with Adguard and unbound. Only with unbound it worked. Can someone help?
Title: Re: AdGuard Home setup guide
Post by: Lip90 on December 23, 2022, 04:15:05 pm
nobody has an idea? Or can someone test it to see if it works?
Title: Re: AdGuard Home setup guide
Post by: Woodie75 on January 05, 2023, 02:17:09 pm
Hi all,

in addition to all the great manuals in this thread (because it drove me crazy):

if you use the mDNS repeater plugin you shouldn't use port 5353 for unbound. It interferes with the repeater plugin and in my case it caused adguard not starting up after rebooting opnsense. I had to start adguard manually then.
After using a different port in unbound the problem has gone.
Title: Re: AdGuard Home setup guide
Post by: jlab on January 07, 2023, 10:11:47 pm
Question :  How do you edit the interfaces on Adguard to listen to ?

Issue, if you have say 2+ more network's IE vlans or physical network cards then install adguard, it will listen to those interfaces, perfect.

Say you want to add another interface and have adguard protect it, there is no where to add the new interface.

I just did a trial on this, installed adguard, then added say a Vlan / network interface, passed traffic ok but Adguard is not listening and protecting those new interfaces.

Installed New Updated OPNsense added default lan network and 3 new Vlan's set them all up, then installed Adguard fresh & updated POOF all interfaces are being  monitored.

Is there a new version coming out where we can add or remove interfaces ?

AM i wrong or am i drunk  :D
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 08, 2023, 08:44:11 am
So far as I know there are only 2 options now:
install adguard and listen on all interfaces
or
after installing adguard and adding a new interface you have to edit the yaml config file by hand.
Title: Re: AdGuard Home setup guide
Post by: jlab on January 08, 2023, 05:25:17 pm
So far as I know there are only 2 options now:
install adguard and listen on all interfaces
or
after installing adguard and adding a new interface you have to edit the yaml config file by hand.

Yup, i actually Found Matt's website on how to do this : https://0x2142.com/how-to-set-up-adguard-on-opnsense/

Very Bottom.

Example how to add more networks is, Example Default with no additional networks :

In there, you'll see a section like this:
dns:
   bind_hosts:
       - 192.168.1.1

And one with more :

dns:
   bind_hosts:
       - 192.168.1.1
       - 192.168.10.1
       - 192.168.100.1
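
An added example, not part of the posts above: a read-only check of which addresses AdGuard Home's DNS listener is bound to, for the `bind_hosts` edits discussed in this thread (single LAN address, `0.0.0.0`, and one address per VLAN). The sample configuration is constructed and the function names are hypothetical; on OPNsense the file to point it at is the `/usr/local/AdGuardHome/AdGuardHome.yaml` named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit dns.bind_hosts in AdGuardHome.yaml.

# Print every address listed under dns.bind_hosts, one per line.
# Accepts both the quoted ('dns': / - '127.0.0.1') and unquoted forms.
list_dns_binds() {
    awk -v q="'" '
        { line = $0; gsub("[\"" q "]", "", line) }            # drop YAML quotes
        line ~ /^[^ #-]/ {                                    # a top-level key
            in_dns = (line ~ /^dns:/); in_list = 0; next
        }
        in_dns && line ~ /^ +bind_hosts:/ { in_list = 1; next }
        in_list && line ~ /^ *- / {                           # one list item
            sub(/^ *- */, "", line)
            sub(/ *(#.*)?$/, "", line)                        # trailing comment
            print line; next
        }
        in_list && line !~ /^ *(#.*)?$/ { in_list = 0 }       # list has ended
    ' "$1"
}

# Exit 0 when the resolver is bound to a wildcard address, i.e. it listens on
# every interface, WAN included, and only firewall rules limit who reaches it.
binds_all_interfaces() {
    list_dns_binds "$1" | grep -Eq '^(0\.0\.0\.0|::|\[::\])$'
}

# Print each given interface address that the resolver does NOT listen on,
# e.g. the gateway address of a VLAN added after AdGuard Home was installed.
missing_binds() {
    conf=$1
    shift
    binds_all_interfaces "$conf" && return 0                  # wildcard covers all
    for ip in "$@"; do
        list_dns_binds "$conf" | grep -Fxq -- "$ip" || printf '%s\n' "$ip"
    done
}

# Constructed sample configuration (not a real one).
sample_config() {
    cat <<'EOF'
# constructed sample
bind_host: 192.168.1.1
dns:
  bind_hosts:
    - 192.168.1.1
    - '192.168.10.1'   # quoted form also appears in the thread
  port: 53
  upstream_dns:
    - 127.0.0.1:5353
EOF
}

demo_conf=$(mktemp)
sample_config > "$demo_conf"
echo "dns.bind_hosts:"
list_dns_binds "$demo_conf"
echo "interface addresses with no DNS listener:"
missing_binds "$demo_conf" 192.168.1.1 192.168.10.1 192.168.20.1
rm -f "$demo_conf"
```
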

Title: Re: AdGuard Home setup guide
Post by: hushcoden on January 09, 2023, 05:35:42 pm
Sorry if it's a dumb question, but for

  1) AdGuard Home – DNS Configuration – Upstream servers
 
  2) AdGuard Home – DNS Configuration – Bootstrap DNS servers

  3) AdGuard Home – DNS Configuration – Private reverse DNS servers

I see someone saying to use Opnsense ip:5353 and someone else to use 127.0.0.1:5353

Are those options exactly the same / should we use both ?

Tia.
Title: Re: AdGuard Home setup guide
Post by: hushcoden on January 09, 2023, 05:45:55 pm
Opnsense 22.7.4 Install:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

As I'm not interested in using DoT, if I skip step (6), Unbound will act as my recursive resolver and will contact the root servers directly, is that right?

tia.
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 15, 2023, 02:50:00 pm
Sorry if it's a dumb question, but for
...

Tia.

Do have nearly the same questions as you.

I want to run Unbound as my upstream resolver for Adguard Home (and don't want to run DoT).

Couldn't find the right settings.
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 15, 2023, 08:45:13 pm
Sorry if it's a dumb question, but for

  1) AdGuard Home – DNS Configuration – Upstream servers
 
  2) AdGuard Home – DNS Configuration – Bootstrap DNS servers

  3) AdGuard Home – DNS Configuration – Private reverse DNS servers

I see someone saying to use Opnsense ip:5353 and someone else to use 127.0.0.1:5353

Are those options exactly the same / should we use both ?

Tia.

127.0.0.1 is called the loopback address, and is the IP a computer uses to refer to itself.
Since you are running adguard home plugin on opnsense, it is running on the same device and points it to opnsense service listening on port 5353, e.g. your unbound listening to port 5353, or e.g. bind.

If you use the ip of your opnsense device, this will work also

no upstream servers in unbound / bind, Root servers are being used indeed
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 15, 2023, 08:47:39 pm
Sorry if it's a dumb question, but for
...

Tia.

Do have nearly the same questions as you.

I want to run Unbound as my upstream resolver for Adguard Home (and don't want to run DoT).

Couldn't find the right settings.

DNS Configuration – Upstream servers -> 127.0.0.1:portnumber of unbound or OpnsenseIP:portnumber
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 16, 2023, 06:22:30 am
DNS Configuration – Upstream servers -> 127.0.0.1:portnumber of unbound or OpnsenseIP:portnumber

Thx for your help.

So it must be like:

I would also like to read the host names of my devices - so that's why Private reverse servers DNS - or is it wrong?
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 16, 2023, 09:49:02 pm
correct, but since you are not using external DNS as upstream, but your unbound on opnsense, it already knows your local devices from unbound, but you can add your ip there in the field in adguard just in case.
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on January 16, 2023, 10:24:56 pm
If the forward DNS server is identical with the one keeping your local forward and reverse zones, then you do not need the "private reverse" setting. This is for the occasions when the two are different.

I do not know what the "bootstrap" is for from the top of my head but I also do not set this. If AGH forwards to a full capable local resolver, e.g. Unbound or BIND, only the "upstream" setting is necessary.
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 17, 2023, 08:02:26 am
If the forward DNS server is identical with the one keeping your local forward and reverse zones, then you do not need the "private reverse" setting.

Thx. It's working. I didn't restart Unbound and AGH. That was the problem.

Now I only have to fix my issues with the NAT Port Forward Rule that no hardcoded DNS within my network can bypass my unbound.
The old rule does not work anymore because of my new setup :(
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on January 17, 2023, 08:47:41 am
Try to forward to 127.0.0.1 instead of your interface IP address.
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 17, 2023, 09:02:00 am
Try to forward to 127.0.0.1 instead of your interface IP address.

You mean this way?
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on January 17, 2023, 10:29:57 am
Yes.
Title: Re: AdGuard Home setup guide
Post by: hushcoden on January 17, 2023, 10:45:20 am
I do not know what the "bootstrap" is for from the top of my head but I also do not set this. If AGH forwards to a full capable local resolver, e.g. Unbound or BIND, only the "upstream" setting is necessary.
I recall I read on the AdGuard forum that bootstrap addresses are basically only used to resolve the hosts in the upstream servers (and that's also the comment you see in that section).
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on January 17, 2023, 11:03:42 am
Makes sense. But then I put IP addresses in forwarder configurations, not host names.
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 17, 2023, 11:13:01 am
Yes.

Then I'm doing something else wrong. If I go into Firewall > Rules > "Notebook" my test Network called "Notebook" (do also have a NAT Port Forward rule for it), then the upper rule is the one automatically set from the NAT rule.

After that rule I have to create another rule (I think this one is not working correct) that I can get any DNS resolution and the last rule is my rule, that I can access the internet but no RFC1918 Networks.
Maybe this rule is also not correct?

What rules do I need within this "Notebook" network, that the devices can access the internet but not other local networks?

 
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 17, 2023, 11:00:03 pm
If the forward DNS server is identical with the one keeping your local forward and reverse zones, then you do not need the "private reverse" setting. This is for the occasions when the two are different.


They are identical, but it does not work. No hostnames showing up - only IPs.
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 19, 2023, 12:25:33 pm
Maybe I found something. Could it be, that I need to set the Admin Web Interface "Listening Interface" to All instead of my LAN Network?

At the moment it's only listening on the IP of my OPNsense itself (example igc1 - 192.168.1.1).

I could choose:
- All
- WAN
- LAN
- Loopback

Or should I choose the loopback interface 127.0.0.1?
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 19, 2023, 12:44:59 pm
it states that ALL is recommended :-), but you can change it see also the opnsense manual: https://docs.opnsense.org/manual/settingsmenu.html

p.s. also change the order of the firewall rules. You start with all -> source  * and port * ..... port 53
Then the ones below that one for port 53 will not be reached.
End with the first one and put the other above the allow all/auto rule
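
The ordering point in the post above, as an added example that is not part of the original post: a small first-match evaluator that reports which rules can never be reached. The "Notebook" subnet 192.168.50.0/24, the rule names and the rule sets are constructed, and first-match evaluation (the first matching rule decides) is assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network
ANY = net("0.0.0.0/0")
NOTEBOOK = net("192.168.50.0/24")     # constructed subnet for the "Notebook" network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None        # None means any protocol
    dport: Optional[int] = None        # None means any destination port

    def matches(self, src, dst, proto, dport):
        """True if a packet with these fields is matched by this rule."""
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))


def first_match(rules, src, dst, proto, dport):
    """Return the first rule that matches, or None (no rule matched)."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule
    return None


def shadowed(rules):
    """List (later rule, earlier rule) name pairs where the later rule is unreachable."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rules for the Notebook interface.
ALLOW_ALL = Rule("allow-all", "pass", NOTEBOOK, ANY)
DNS_TO_AGH = Rule("dns-to-agh", "pass", NOTEBOOK, net("127.0.0.1/32"), "udp", 53)
BLOCK_PRIVATE = [Rule(f"block-{n}", "block", NOTEBOOK, net(n))
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

BROAD_FIRST = [ALLOW_ALL, DNS_TO_AGH, *BLOCK_PRIVATE]    # allow-all on top
NARROW_FIRST = [DNS_TO_AGH, *BLOCK_PRIVATE, ALLOW_ALL]   # allow-all at the bottom

if __name__ == "__main__":
    for label, rules in (("broad first", BROAD_FIRST), ("narrow first", NARROW_FIRST)):
        hit = first_match(rules, "192.168.50.20", "192.168.1.10", "tcp", 443)
        print(label, "| shadowed:", shadowed(rules), "| LAN host decided by:", hit.name)
```

With the allow-all rule on top, every rule below it is reported as shadowed and traffic to another local network is passed; with it at the bottom nothing is shadowed and the same packet hits the block rule.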
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 19, 2023, 01:02:30 pm
it states that ALL is recommended :-), but you can change it see also the opnsense manual: https://docs.opnsense.org/manual/settingsmenu.html

Within the OPNsense manual there is no manual for the AdGuard Home plugin. Already checked.
Title: Re: AdGuard Home setup guide
Post by: RamSense on January 19, 2023, 01:12:56 pm
Ah, I was mistaken and thought you were referring to the opnsense gui listening ports.
Adguard listening to all works without thinking, but you can also manually configure it to listen only to your preferred interfaces.
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 19, 2023, 01:16:07 pm
Thx for your feedback.

The issue I still have is, that it doesn't resolve the host names within AGH. Only showing IPs.
Everything is working.

When I look at my OPNsense within DHCPv4 Leases I can see the hostnames of my devices.

Within unbound I activated:
- Register DHCP static mappings
- Register DHCP leases
- Flush DNS cache during reload
- Enable DNSSEC

Unbound Local Zone Type is: transparent
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 19, 2023, 01:37:05 pm
As soon as I enter 192.168.1.1:53530 within private reverse DNS servers AGH starts resolving hostnames.

But what confuses me is, that all of you are saying, that it also should work without any entry within this section.

If I leave it blank it stops resolving host names.
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on January 19, 2023, 02:45:09 pm
Do you have the same 192.168.1.1:53530 as the regular upstream DNS?
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 19, 2023, 02:58:43 pm
Do you have the same 192.168.1.1:53530 as the regular upstream DNS?

Yes.

Config is:
ADGUARD:
Code: [Select]
bind_host: 192.168.1.1
bind_port: 3000
beta_bind_port: 0
...
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53

AdGuard Webinterface:
Code: [Select]
Upstream DNS servers: 192.168.1.1:53530

UNBOUND:
Code: [Select]
Listen Port: 53530
Interfaces: All
DNSSEC = on
DHCP leases = on
Static mappings = on
Ipv6 link-local = on
Local Zone Type = transparent

OPNsense IP = 192.168.1.1

When the "Private reverse DNS servers" field is empty, then I do not get any host resolution.
When I enter 192.168.1.1:53530 within Private reverse DNS servers I do get those host names.
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on January 19, 2023, 03:36:07 pm
Must be a feature then. I honestly don't know. AGH is a project entirely unrelated to OPNsense. May I suggest checking their documentation?
Title: Re: AdGuard Home setup guide
Post by: dumbo on January 19, 2023, 03:44:28 pm
Will do.

I also find the documentation/video from the original source:

https://www.max-it.de/adguard-dns-blocker-neues-opnsense-plugin/

He is showing it in an other way.
Going with an other port for AGH and leaving port from Unbound at 53.
Then making a NAT Port Forward to (in this video) 5310.

Why not choosing this way? Is there any downside?

The advantage would be, that the Firewall itself does not need to go through AGH and other networks, which I don't want to can also be Unbound only.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 28, 2023, 01:35:39 am
Opnsense 23.1 Install:

1 - Activate mimugmail's community repository:

SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 28, 2023, 01:39:19 am
Wireguard ( os-wireguard ) + Adguard:

https://homenetworkguy.com/how-to/configure-wireguard-opnsense/
Title: Re: AdGuard Home setup guide
Post by: yeraycito on January 28, 2023, 01:46:33 am
NextDNS + QUIC + Adguard:

Adguardhome - Settings - DNS settings:

Upstream DNS servers: quic://xxxxxx.dns.nextdns.io          ( xxxxxxx is nextdns ID )

Bootstrap DNS servers:

45.90.28.167
45.90.30.167

Private reverse DNS servers: quic://xxxxxx.dns.nextdns.io          ( xxxxxxx is nextdns ID )

Title: Re: AdGuard Home setup guide
Post by: dumbo on January 28, 2023, 10:00:11 am
Opnsense 23.1 Install:

1 - Activate mimugmail's community repository:

SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

     ….

Don't use port 5353 as it's used by mDNS service!!!
Title: Re: AdGuard Home setup guide
Post by: bbchucks on February 08, 2023, 10:53:13 pm
thanks for the guide! for some reason when i Untick: Do not use the local DNS service as a nameserver for this system.  If i'm on opnsense box shell, i can't resolve any dns.  once i change resolv.conf from localhost to opnsense's 192.168.1.1 address then dns works.

does anyone know why i can't use 127.0.0.1 but can use the actual ip of opnsense?
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on February 09, 2023, 03:13:39 pm
thanks for the guide! for some reason when i Untick: Do not use the local DNS service as a nameserver for this system.  If i'm on opnsense box shell, i can't resolve any dns.  once i change resolv.conf from localhost to opnsense's 192.168.1.1 address then dns works.

does anyone know why i can't use 127.0.0.1 but can use the actual ip of opnsense?
Assuming the question in the context of this guide, the tick is to not use the dns server(s) there and assumes you will setup another way for the system to do dns. So something has to resolve names and be available on an interface/ip designation
Title: Re: AdGuard Home setup guide
Post by: plikmuny on February 28, 2023, 01:58:51 pm
I am very happy that after following the Guide posted here i could able to setup AGH and Unbound successfully.

I have Internet now and the page loading time is insane. i am really liking it.

But i have one problem, after setting AGH and Unbound as only Resolver i am not able to update the Package... once i click the update it keeps on waiting for the update... What is wrong with my Opnsense ? why cant i update my packages ? i also intend to install other Packages, but without updating how will i do it ? why only the firmware update function is not working but Internet is Working ???

i am clueless, pls help me to solve this problem... Thanks
Title: Re: AdGuard Home setup guide
Post by: b00gyman on April 03, 2023, 07:28:51 pm
I am very happy that after following the Guide posted here i could able to setup AGH and Unbound successfully.

I have Internet now and the page loading time is insane. i am really liking it.

But i have one problem, after setting AGH and Unbound as only Resolver i am not able to update the Package... once i click the update it keeps on waiting for the update... What is wrong with my Opnsense ? why cant i update my packages ? i also intend to install other Packages, but without updating how will i do it ? why only the firmware update function is not working but Internet is Working ???

i am clueless, pls help me to solve this problem... Thanks
Hey there, I'm a n00b at OPNsense (actually came here to try and research a question) but I had a similar problem as you with updates.

Once I change the server location to get updates, mine worked. I picked one that was close to me regionally and then my updates went through with no problem.
(Sorry not on my network right now so I can't get screenshots) I'll try later if you would like.

Not sure if it's the same problem you are having but may be worth a try

Let me know if it works for ya

Title: Re: AdGuard Home setup guide
Post by: jerknerkel on April 10, 2023, 04:37:04 am
I've successfully gotten Adguard home working following the steps posted above.
One of the steps however says to clear the DNS settings for each gateway in the System>Settings>General in doing so I believe this has caused conflict with my multiple gateway and failover group setup.

Would there be a work around for this step in multi wan? "Go to System ‣ Settings ‣ General and make sure each gateway has its own DNS setup"

I'm not sure how to make this work with Adguard home, having all of them cleared for AGH seems to do weird things with DNS when it failsover.

Any help would be much appreciated.

edit: I've thrown in the towel on this one, decided benefit of adguardhome was not worth the complication in my setup or to have issues with vlan or failover DNS (I'm new to opnsense).
Title: Re: AdGuard Home setup guide
Post by: depc80 on April 16, 2023, 07:52:34 pm
Hi,

I just finished installing Adguard. Work like a charm. Please don't mind if I ask, is there a guide to add multiple networks to Adguard?
For example, I have a separate interface for AP, I changed rule of AP interface: Destination: AP address  to Destination: LAN address and added 192.168.1.1 as DNS in its DHCP. It seems to work and I start seeing Adguard picking up IP from mobile devices. However, I wonder if it would cause any issue.

Cheers

Edit: Found the answer in page 14

Yup, i actually Found Matt's website on how to do this : https://0x2142.com/how-to-set-up-adguard-on-opnsense/

Very Bottom.

Example how to add more networks is, Example Default with no additional networks :

In there, you'll see a section like this:
dns:
   bind_hosts:
       - 192.168.1.1

And one with more :

dns:
   bind_hosts:
       - 192.168.1.1
       - 192.168.10.1
       - 192.168.100.1
Thanks jlab

Edit: Faced a slow loading dashboard, failed to update. Turns out the solution is just need to change bind_host and dns:bind_host to 0.0.0.0. Also was unable to update till I hit a couple more times, thing just went through.

Thanks everyone, I just need to read the whole thread :D

One question tho, in some screenshots, I see Unbound: Register DHCP leases & Register DHCP static mappings are unticked. Others said they ticked those. I tried both and had no issue with internet connection. Kinda confused. Sorry, I'm a noob. My excuse is I just start using Opnsense a couple months ago.

Edit: Upgraded to the latest Opnsense today and Connection drop after reboot. Router can connect to internet but Adguard does not resolve DNS. Disabled Adguard and change Unbound back to 53 fix the issue. # Adguard plugin needs update. Solution: opnsense-revert -r 23.1.5 opnsense
Title: Re: AdGuard Home setup guide
Post by: bigverm23 on May 16, 2023, 05:21:45 pm
Opnsense 23.1 Install:

1 - Activate mimugmail's community repository:

SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

for some reason when I followed these steps, it seemingly brought down my WAN permanently...as in, it did not recover and I had to reverse everything, including Unbound to get the WAN UP again....anybody else?
Title: Re: AdGuard Home setup guide
Post by: mr.sarge on May 18, 2023, 08:15:23 pm
Will do.

I also find the documentation/video from the original source:

https://www.max-it.de/adguard-dns-blocker-neues-opnsense-plugin/

He is showing it in an other way.
Going with an other port for AGH and leaving port from Unbound at 53.
Then making a NAT Port Forward to (in this video) 5310.

Why not choosing this way? Is there any downside?

The advantage would be, that the Firewall itself does not need to go through AGH and other networks, which I don't want to can also be Unbound only.

Hi! I started with this configuration a few days ago and at the moment it workes (OPNSense 23.1.7). I'm using another VLAN-Interface that I would like to remain untouched from ADGuard.

I'm looking for the right configuration for DoT, DoH, upstream, bootstrap DNS.

The goal would be:
- filtering rules for children (consideration of DoT, DoH)
- exceptions for Adults (ip addressess)
- additional VLAN interface untouched

any help or suggestions would be greatly appreciated!

kind regards,

Sarge

Title: Re: AdGuard Home setup guide
Post by: tommiy on May 21, 2023, 04:32:53 am
Hi, i had a working configuration of opnsense on 22.7 following these guides. I updated to 23.1.7. A result of this was that adguard was also updated to now be 107.29. Post this my Lan clients no longer receive a DNS address at all. If I disable adguard and change unbound back to dns port 53 the lan clients again receive a DNS server. Appears that there are some issues regarding adguard now running with opnsense. A google found a similar issue lodged with adguard home on github.

https://github.com/AdguardTeam/AdGuardHome/issues/5827

Appears that you will now need to specify the DNS server in your Services->DHCP->DNS Servers for adguard to work. Without this the clients never get a DNS server.

EDIT/UPDATE: Confirmed with wireshark that opnsense is now only providing a default system dns entry to the LAN when unbound is running on port 53. If unbound is running on any other port then opnsense does not supply a default dns address to the lan dhcp request. This obviously breaks the listed settings for getting adguard home to work and does not appear to be an adguard issue but an opnsense issue. For example, with unbound set to listen on port 53 and the Services->DHCP->DNS servers blank a DHCP request has a return option 6 of the default LAN interface address. If I change unbound to listen on port 54 then a DHCP Request has no Option 6 (Domain Name Server) returned. Previously it used to return Option 6 regardless.
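
The Wireshark check described in the post above, as an added example that is not part of the original post: a parser for the DHCP options field that reports whether a lease reply carries option 6 (Domain Name Server). The two replies are constructed byte strings, and the LAN address 192.168.1.1 and client address 192.168.1.50 are assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
FIXED_LEN = 236                      # BOOTP fields that precede the cookie
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255


def build_reply(yiaddr, options):
    """Build a minimal BOOTREPLY carrying the given (code, value-bytes) options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                      # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x1234ABCD, 0, 0,                # xid, secs, flags
        bytes(4),                        # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,
        bytes(4), bytes(4),              # siaddr, giaddr
        bytes.fromhex("020000000001"),   # chaddr (struct pads it to 16 bytes)
        b"", b"",                        # sname, file (padded with zero bytes)
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_options(packet):
    """Return {option code: value bytes}; repeated codes are concatenated (RFC 3396)."""
    if len(packet) < FIXED_LEN + 4 or packet[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, FIXED_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:              # single-byte padding, no length field
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def dns_servers(packet):
    """Addresses offered in option 6; an empty list if the option is absent."""
    raw = parse_options(packet).get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def check_offer(packet, expected_resolver):
    """Classify a lease reply by what it tells the client about DNS."""
    servers = dns_servers(packet)
    if not servers:
        return "no option 6: client gets no DNS server"
    if expected_resolver not in servers:
        return f"option 6 present but lacks {expected_resolver}: {servers}"
    return f"ok: {servers}"


LAN_IP = ipaddress.IPv4Address("192.168.1.1").packed   # assumed LAN address
# Constructed replies for the two cases in the post: option 6 returned vs. not returned.
ACK_WITH_OPTION6 = build_reply(
    "192.168.1.50", [(OPT_MSG_TYPE, b"\x05"), (OPT_ROUTER, LAN_IP), (OPT_DNS, LAN_IP)])
ACK_WITHOUT_OPTION6 = build_reply(
    "192.168.1.50", [(OPT_MSG_TYPE, b"\x05"), (OPT_ROUTER, LAN_IP)])

if __name__ == "__main__":
    for label, pkt in (("with option 6", ACK_WITH_OPTION6),
                       ("without option 6", ACK_WITHOUT_OPTION6)):
        print(label, "->", check_offer(pkt, "192.168.1.1"))
```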
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on May 21, 2023, 07:36:55 am
Your described problem is already fixed by mimugmail. He updated the plugin a few weeks ago, now you should have the check box "Primary DNS" under SERVICES: ADGUARDHOME: GENERAL, which you have to activate.
https://forum.opnsense.org/index.php?topic=33661.0

https://github.com/opnsense/core/issues/6513#issuecomment-1518684956
Title: Re: AdGuard Home setup guide
Post by: emmitt on May 23, 2023, 05:27:09 pm
Hej,

I used yeraycito's guide to use Adguard as a plugin. Thanks for this!
Now I wonder if DNSSEC does not also need to be enabled in the DNS settings under Adguard!?
Could someone please explain this to me?

Opnsense 23.1 Install:

1 - Activate mimugmail's community repository:

SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353
Title: Re: AdGuard Home setup guide
Post by: steveHomeLab on June 09, 2023, 08:46:22 am
I have a similar problem reported by bigverm23. Once I follow the guide by yeraycito, my internet stops working.

OPNsense 23.1.9-amd64
Adguard Home v0.107.31

Opnsense 23.1 Install:

1 - Activate mimugmail's community repository:

SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

for some reason when I followed these steps, it seemingly brought down my WAN permanently...as in, it did not recover and I had to reverse everything, including Unbound to get the WAN UP again....anybody else?
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on June 09, 2023, 08:51:05 am
This quoted setup will work, the settings are a viable route to dns resolution.
Check and restart services or clients and diagnose on along the path.
Title: Re: AdGuard Home setup guide
Post by: tiermutter on June 09, 2023, 09:08:22 am
I already heard that update to 107.31 makes AGH stopping. Solution was reinstalling AGH and restore configuration file from backup.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on June 09, 2023, 06:14:26 pm
Two days ago version 0.107.30 was released, which has turned out to be buggy, yesterday version 0.107.31 was released, which fixes the bugs of the previous version and works great.
Title: Re: AdGuard Home setup guide
Post by: yeraycito on June 18, 2023, 04:17:32 pm
Free Android application to monitor and manage Adguard in Opnsense:

https://play.google.com/store/apps/details?id=com.jgeek00.adguard_home_manager
Title: Re: AdGuard Home setup guide
Post by: Sbbh on June 19, 2023, 09:38:50 pm
Can someone please explain how to make this work with multiple vlans? I have DNS working so far with Adguard and Unbound, but I'd like to forward all DNS traffic to Adguard.

If I simply create the NAT rules from here https://labzilla.io/blog/force-dns-pihole -- my vlan traffic can't access Adguard.

Do the vlans need to point to their respective gateway for DNS (opnsense IP)? Is there any way to avoid having a different DNS server IP for each vlan? I'm a bit lost..
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on June 19, 2023, 10:31:44 pm
During setup of Adguard have you selected all networks including vlan's?
I have two port forward and one outbound rule to achieve what you want.

Within DHCP setup I have no specific DNS servers selected, this field is empty.

Additionally I have for each Lan and vlan one rule to block all external DNS traffic on port 53 and allow only internal DNS traffic.
Title: Re: AdGuard Home setup guide
Post by: Sbbh on June 20, 2023, 03:01:30 am
@ChrisChros, yep all networks are selected.

I'm guessing that everything in Adguard and Unbound is set up correctly, and I just need to create the correct rules in the firewall to forward all DNS traffic to Adguard and block everything else.

Does your DNS traffic stay within the lan/vlan? i.e. is the default DNS server the same as the gateway for each subnet? And are the portforward and outbound rules applied only to the LAN interface?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on June 20, 2023, 06:39:03 am
@ChrisChros, yep all networks are selected.
Does your DNS traffic stay within the lan/vlan? i.e. is the default DNS server the same as the gateway for each subnet? And are the portforward and outbound rules applied only to the LAN interface?

DNS server is the same as the gateway for each subnet.
The Alias "local_Networks" include all subnets, Lan and vlan.
Title: Re: AdGuard Home setup guide
Post by: Flyinace2000 on July 02, 2023, 04:45:34 pm
What does the "Primary DNS" tick box do?

Title: Re: AdGuard Home setup guide
Post by: ChrisChros on July 02, 2023, 05:55:03 pm
you have to enable this button, there was a problem in the past which has been discussed also here in the forum.
Can't explain the reason.
Title: Re: AdGuard Home setup guide
Post by: huwylphi on July 04, 2023, 04:01:18 pm
I already heard that update to 107.31 makes AGH stopping. Solution was reinstalling AGH and restore configuration file from backup.

Two days ago version 0.107.30 was released, which has turned out to be buggy, yesterday version 0.107.31 was released, which fixes the bugs of the previous version and works great.

I have opnsense v23.1.11 and AGH v0.107.32 and still have AGH that stops after a few hours / days.
In my setup I actually have 2 opnsense instances as master/backup (CARP) and it happens on both instance.
Also to mention, I use one docker container ghcr.io/bakito/adguardhome-sync for synchronizing the AGH configuration between both instances (each running on the master and backup opnsense instance). Maybe this is related somehow?
In my setup I also checked the new option "Primary DNS" since AGH is running on port 53 and Unbound DNS on another port.

Should I try what tiermutter suggested by reinstalling AGH and restore its configuration file from a backup?

Thanks for any advice.

Edit: I catch one time the moment when it crashes. It seems that the CPU consumption get very high:
https://drive.google.com/file/d/1Bq23bpAMBmBV8xU3hd_CZLb7Ck4pL0m6/view?usp=sharing

After killing the process with kill -9 74662 I could restart the AGH service and it runs again for some days (max 48h)
Title: Re: AdGuard Home setup guide
Post by: Limete on July 08, 2023, 07:28:01 pm
Is there a reason to keep Unbound enabled when using AdGuard Home? I turned mine off entirely and everything seems to be working fine.

Also, is there a way to get hostnames to appear in AGH rather than just IP?
Title: Re: AdGuard Home setup guide
Post by: ChrisChros on July 08, 2023, 08:28:51 pm
Also, is there a way to get hostnames to appear in AGH rather than just IP?
you have to enter the IP address of your OPNsense box in the Bootstrap DNS-Server field.
Title: Re: AdGuard Home setup guide
Post by: Flyinace2000 on July 13, 2023, 12:01:54 am
Anyone update today from the web admin page, then have the service not be able to start?

*edit*
Ended up deleting the plug in and re-installing.
Title: Re: AdGuard Home setup guide
Post by: huwylphi on July 19, 2023, 11:24:05 am
I already heard that update to 107.31 makes AGH stopping. Solution was reinstalling AGH and restore configuration file from backup.

Two days ago version 0.107.30 was released, which has turned out to be buggy, yesterday version 0.107.31 was released, which fixes the bugs of the previous version and works great.

I have opnsense v23.1.11 and AGH v0.107.32 and still have AGH that stops after a few hours / days.
In my setup I actually have 2 opnsense instances as master/backup (CARP) and it happens on both instance.
Also to mention, I use one docker container ghcr.io/bakito/adguardhome-sync for synchronizing the AGH configuration between both instances (each running on the master and backup opnsense instance). Maybe this is related somehow?
In my setup I also checked the new option "Primary DNS" since AGH is running on port 53 and Unbound DNS on another port.

Should I try what tiermutter suggested by reinstalling AGH and restore its configuration file from a backup?

Thanks for any advice.

Edit: I catch one time the moment when it crashes. It seems that the CPU consumption get very high:
https://drive.google.com/file/d/1Bq23bpAMBmBV8xU3hd_CZLb7Ck4pL0m6/view?usp=sharing

After killing the process with kill -9 74662 I could restart the AGH service and it runs again for some days (max 48h)

Update: since updating to AGH v0.107.34, the crashes on both opnsense instances are gone.
Title: Re: AdGuard Home setup guide
Post by: depc80 on July 21, 2023, 09:52:32 am
I run into an issue where I have to create rule to allow access to adguard dashboard or pretty any dashboard.
Title: Re: AdGuard Home setup guide
Post by: iammike on July 22, 2023, 05:48:41 am
I think I need to reinstall my OpnSense Router

What is the best way to backup and restore AdGuard?

Title: Re: AdGuard Home setup guide
Post by: RamSense on July 22, 2023, 06:54:04 am
Quote
way to backup and restore AdGuard?

I would say, backup the AdGuardHome.yaml file and restore it after new installation. location:
/usr/local/AdGuardHome
Title: Re: AdGuard Home setup guide
Post by: depc80 on July 22, 2023, 09:51:35 am
I tried getting wireguard working while using Adguard and ran into issue where it didn't get any handshake if I use custom domain on Cloudflare. So eventually I found that I need to create another A record like vpn.domain_name.tld on Cloudflare and disable proxy. Then add vpn.domain_name.tld to Wireguard app - Endpoint. The rest are just as same as homenetworkguy's wireguard configuration guide.

I also found that in order to get enable encryption mode working, the correct path to  the full chain certs and cert key are conveniently found in Service - ACME clients - Log file - ACME.log. In my case it's
Code: [Select]
/var/etc/acme-client/home/*.domain_name.tld_ecc/fullchain.cer and
Code: [Select]
/var/etc/acme-client/home/*.domain_name.tld_ecc/*.domain_name.tld.key
Title: Re: AdGuard Home setup guide
Post by: iammike on July 23, 2023, 09:14:20 am
Quote
way to backup and restore AdGuard?

I would say, backup the AdGuardHome.yaml file and restore it after new installation. location:
/usr/local/AdGuardHome

Yes works.

In case someone else wants to do it here the steps I did (ps: This is on a new device)
(first of all make a backup of /usr/local/AdGuardHome )

1- installed and updated OpnSense
2- added the mimugmail.conf to /usr/local/etc/pkg/repos
3- did a pkg update
4- installed Adguard Home
5- Started Adguard, and followed the wizard
6- Stopped Adguard (under services)
7- copied the whole directory (which I saved earlier) over the new install of adguard
8- Started Adguard

After that Adguard was running with the same settings / block lists as on the old device.

Hope it helps someone
Title: Re: AdGuard Home setup guide
Post by: Inxsible on August 19, 2023, 05:05:07 pm
Is there a way to allow the web interface for AdGuardHome to be available on multiple interfaces but not all ?

Initially, I set it up on ALL interfaces and the yaml file used 0.0.0.0.
Code: [Select]
http:
      address:0.0.0.0:8080

I have 5 separate VLANs and I have since changed the bind_hosts to stop listening on all interfaces and only enabled it on 4 of my VLANs. I would like to do the same to the web interface but I was looking to see what format I can use to do that

The following allows access on VLAN 1, but I would also like access on VLAN 7 and VLAN 10
Code: [Select]
http:
      address:192.168.1.1:8080

I tried the following three formats, but then AdguardHome failed to start up.
Code: [Select]
http:
      address:192.168.1.1:8080
      address:192.168.7.1:8080
      address:192.168.10.1:8080

Code: [Select]
http:
      address:192.168.1.1:8080, 192.168.7.1:8080, 192.168.10.1:8080

Code: [Select]
http:
      address:
            - 192.168.1.1:8080
            - 192.168.7.1:8080
            - 192.168.10.1:8080

None of the above format worked for me and googling doesn't provide relevant results and I was hoping if someone could tell me what format to use

EDIT: Weirdly, when I remove 0.0.0.0 from the bind_hosts, my OpnSense firmware updates start timing out. I can still access the internet just fine, but the Opnsense updates keep failing.

So should AdGuardHome be listening on ALL interfaces by default for dns: bind_hosts? Seems strange that only the OpnSense updates should fail while the internet is still accessible!!

Title: Re: AdGuard Home setup guide
Post by: everydaydealer on August 31, 2023, 07:08:25 pm
All, I did set up my AdGuard in Opnsense, but no statistics show up in the dashboard. All are 0s.

followed this post

https://forum.opnsense.org/index.php?topic=22162.msg146626#msg146626

Except.. I kept the unbound DNS port at 53 (default). If I change this to anything else, I'm not getting internet.

I kept the adguard listen port at 5353, so I modified the DNS entries in adguard accordingly.


DNSleak test shows Cloudflare correctly. I'm not sure if traffic is going through Adguard or not.
Title: Re: AdGuard Home setup guide
Post by: 9axqe on September 12, 2023, 08:34:52 am
Just did the manual upgrade and all works fine.

I'm thinking about upgrading manually using the AdGuard Home GUI, but if the package is upgraded in the mimugmail repo, won't it then potentially **downgrade** the AdGuard Home? This would represent a high risk of breaking things in my view.
Title: Re: AdGuard Home setup guide
Post by: 9axqe on September 12, 2023, 08:40:39 am
Is there a reason to keep Unbound enabled when using AdGuard Home?

Configuring Unbound as upstream DNS in adguard fixes one issue for me, which is that AGH won't start if internet is down.

Unbound is also able to do recursive DNS resolution, which some consider better from a privacy point of view (no one has all your DNS lookups, they are spread, but on the downside lookups are in clear text).
Title: Re: AdGuard Home setup guide
Post by: Limete on September 16, 2023, 09:18:58 pm
I have everything set up and it's working fine, but with one caveat. My OPNSense box isn't able to get software updates and ping also does not work. Any device connected to the network can access the internet and resolve addresses just fine, except for the router itself.

I have Unbound turned off in the settings. In AGH I have the boxes checked for Primary and Enable DNS.

Under System: Settings: General I have nothing listed under DNS Servers. Should I add my OPNSense box IP address here?

Under Services: DHCPv4: [LAN] I have nothing listed under DNS Servers. Should I add my OPNSense box IP address here?

Title: Re: AdGuard Home setup guide
Post by: yeraycito on September 16, 2023, 10:46:28 pm
If you don't use Unbound it is because you have the DNS set directly in Adguard and that is enough. What you do need to check is this:

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

https://forum.opnsense.org/index.php?topic=22162.msg146626#msg146626

Title: Re: AdGuard Home setup guide
Post by: Limete on September 17, 2023, 11:20:15 pm
I verified that those settings are already in place. Could it be the WAN interface not being selected during the setup? I can't remember if I did that or not.
Title: Re: AdGuard Home setup guide
Post by: Duka on September 18, 2023, 07:22:59 pm
Hi to everyone.

I have AdGuard installed as a plugin on Opnsense, and I have set Private reverse DNS servers to Unbound DNS on Opnsense. I do get hostnames, but with the OPNsense domain.

Is it possible to exclude that domain, just to get hostnames?
Title: Re: AdGuard Home setup guide - No access to local subdomains via reverse proxy
Post by: Salted11 on September 25, 2023, 08:32:54 pm
Good day, I'm running OPNSense with the adguard plugin configured to integrate unbound, using this walkthrough: https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/.

I'm also using an unRAID server, with SWAG as a reverse proxy. I've setup a nextcloud container according to Spaceinvaderone's tutorial: https://youtu.be/id4GcVZ5qBA?si=rgoe3g4jHB64aCNY.

I have established overrides for these subdomains in Unbound.  Prior to adding adguard, everything worked.
With adguard running, everything appears to be working fine, except access to my subdomains from my own LAN.  I can access my subdomain (nextcloud.mydomain.com) when I'm outside the network but anytime I try to access it through my LAN, I get a "404 Not Found, nginx" page. I've seen options to configure Adguard with blocklist custom rules (e.g. 192.168.1.10 nextcloud.mydomain.com) or with upstream DNS additions (e.g. [nextcloud.mydomain.com/]192.168.1.10) Neither of these options seem to work (although I may have misconfigured them).

Does anyone have a similar setup? Is this an adguard configuration issue or do I need to tweak Swag?

Thanks for your time.
Title: Re: AdGuard Home setup guide
Post by: emmitt on October 20, 2023, 02:21:58 pm
Hej,
I would like to know how exactly forcing "safe search" works. Doesn't this require breaking the SSL connection?
Can someone please explain this to me?
Greatz Emmitt
Title: Re: AdGuard Home setup guide
Post by: Kieros on November 13, 2023, 11:03:01 pm
Truenas scale:

Version:OPNsense 23.7.8_1-amd64 running in a VM
Opnsense IP 192.168.1.1
Adguard IP 192.168.1.210 (Docker)

I have done these steps; I skipped steps 1-3 as it is running in a container

Quote
3 - Opnsense - System - Settings -General

      DNS Servers: 192.168.1.210

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Skipped using unbound to resolve or might add later.

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://192.168.1.210:3001 to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

I followed all steps, but like I mentioned my adguard is running remote on another IP in the same network.
I run truenas and have containers running all working fine when I use only unbound.
When I start to use above setup with adguard. I can search the internet etc.

Can someone explain to me the additional steps or what I am doing wrong?

System - Settings - General - DNS servers list - 192.168.1.210
Services - DHCPv4 - [LAN] DNS servers - 192.168.1.210

As soon as I put unbound back to 53 everything is working just fine on homeassistant.
When I use adguard with above settings somehow tuya stops working for the lights and there seem to be problems from homeassistant reaching 443, for example lights running with tuya and solaredge and some cloud services running on 443 seem to stop working.

Unbound is set at 5353 and adguard at 53
I tried forcing DNS to redirect to 192.168.1.210 by creating NAT forward rules.
Nothing seems to help and if I use such rules nothing works?
Please provide me with an example. And perhaps I make this rule wrong because the examples are all on opnsense ip or 127.0.0.1.
Title: Re: AdGuard Home setup guide
Post by: Spoonman2002 on November 18, 2023, 08:00:35 pm
Try with Unbound to listen on port 5335 (and not 5353).
Title: Re: AdGuard Home setup guide
Post by: rama3124 on December 03, 2023, 04:18:49 am
Hi
I'm running adguard home plugin on opnsense, setup as per the guide linked early on in this thread. The guide mentions that I need to edit the yaml config to be as shown below:
bind_host: 0.0.0.0
bind_port: 3000
[...]
dns:
  bind_host: 0.0.0.0
  port: 53

I have changed the bind_host under dns to 0.0.0.0 but don't have the bind host or bind port option, instead I have:
http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.1.1:3000

Should I change this address to be 0.0.0.0:3000?
Also I haven't set up DNS encryption. Is it useful for the average home user? If so, can someone point me to a guide to setting it up in opnsense? I have a domain name that I purchased from cloudflare and expose some services run as docker containers on my server via traefik reverse proxy. How do i use this domain to setup DNS encryption? Thanks

Title: Re: AdGuard Home setup guide
Post by: 9axqe on December 03, 2023, 12:14:36 pm
I have the same as you and it works fine for me (I have bind_hosts in plural because I have IPv6 as well)

excerpt:

http:
  address: 192.168.1.1:3000

dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
    - ::1
    - 'fd00::'


When it comes to encrypted DNS, modern browsers will attempt to use it, but it's not a must. I tend to enable encryption when possible, so I force HTTPS traffic for the admin interface, and I have enabled DNS over HTTPS (DoH), over TLS (DoT) and over QUIC (DoQ).

Please know that some browsers will bypass your local DNS though, and do a DNS over QUIC with a public DNS. I believe Chrome does this by default and hence I block most public DNS servers in the firewall to prevent that and force any device to use my local DNS (ADH) and have malware/adblocking.


tls:
  enabled: true
  server_name: my.opnsense.fqdn.com
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /var/etc/acme-client/certs/644c0950b1e780.38459566/fullchain.pem
  private_key_path: /var/etc/acme-client/keys/644c0950b1e780.38459566/private.key


I have to admit that ADH however seems the flimsiest part of my opnsense setup, it's where I had the most issues so far...
Title: Re: AdGuard Home setup guide
Post by: rama3124 on December 03, 2023, 09:45:42 pm
Thanks for the prompt reply. Is it an issue to just have 0.0.0.0 as the only dns bind host or should I add the 192 one? Sorry, fairly new to networking.

Also regarding DNS encryption, if I don't want external access to the admin interface, do I still need a domain and certificate?
Title: Re: AdGuard Home setup guide
Post by: 9axqe on December 04, 2023, 05:10:10 pm
I think that's fine, it will just bind to any IP your machine has, which also includes external IPs, so you must make sure your firewall does not allow port 3000 and 53 inbound (it does not by default).

You do not need DNS encryption, certificates or a domain, it's not required for simple DNS functionality.
Title: Re: AdGuard Home setup guide
Post by: Cosigner4516 on December 04, 2023, 11:52:14 pm
Thank you very much, I have tried it and it works.

Opnsense 22.1 Clean Install - Installation:

It is very important to follow the order explained

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Opnsense - System - Settings -General

      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

5 - Opnsense - Services - Unbound - Dns Over Tls

      Set the desired dns servers, e.g., Cloudflare:
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com

6 - Opnsense - Services - Unbound - General
 
     Listen Port: 5353

7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

I wanted to add this here, as I spent hours trying to figure out what I was missing.

I would follow the above steps and get everything working for maybe a few minutes, but eventually none of my devices would have internet access. Both AdGuard Home and Unbound showed that they were receiving DNS traffic, but clearly something was wrong.

The problem was that I had previously configured DNS overrides in Unbound. Disabling/deleting my previously configured Unbound DNS overrides solved my issue. I then created those same overrides in AdGuard under Filters -> DNS rewrites.
Title: Re: AdGuard Home setup guide
Post by: montagic on December 08, 2023, 12:28:00 am
Opnsense 23.1 Install:

1 - Activate mimugmail's community repository:

SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

This worked temporarily for me, but for some reason roughly 30 minutes later, Unbound no longer gets any requests from AdGuard (or at least in logging, it makes 0 requests when trying to hit a website). Not quite sure what's going on. Had everything on the Unbound side of things running at 5335, but otherwise followed everything else. Immediately starts resolving hostnames obviously as soon as I bring Unbound back to 53. Is there any way to run this configuration so that Unbound is the first entry point and can run on 53 instead? Not sure if that would rectify the issue though.
Title: Re: AdGuard Home setup guide
Post by: montagic on December 08, 2023, 12:31:35 am
Thank you very much, I have tried it and it works.

Opnsense 22.1 Clean Install - Installation:

It is very important to follow the order explained

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Opnsense - System - Settings -General

      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

5 - Opnsense - Services - Unbound - Dns Over Tls

      Set the desired dns servers, e.g., Cloudflare:
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com

6 - Opnsense - Services - Unbound - General
 
     Listen Port: 5353

7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

I wanted to add this here, as I spent hours trying to figure out what I was missing.

I would follow the above steps and get everything working for maybe a few minutes, but eventually none of my devices would have internet access. Both AdGuard Home and Unbound showed that they were receiving DNS traffic, but clearly something was wrong.

The problem was that I had previously configured DNS overrides in Unbound. Disabling/deleting my previously configured Unbound DNS overrides solved my issue. I then created those same overrides in AdGuard under Filters -> DNS rewrites.

Could you share an example of what the overwrite looks like? I believe I'm having similar issues.

EDIT: Somehow I figured it out and am no longer having issues. I think there could be a potential issue with leaving the DHCPv4 LAN DNS servers as all empty as it may not be able to resolve your localhost (I'm still a networking newb so I could be totally wrong). I added 192.168.1.1 to my DNS servers for DHCP and now everything seems to be working. Could be some firewall rule changes I made, but not totally sure. I went ahead and added a similar DNS src * dst * LAN address rule for 5335 just in case.
Title: Re: AdGuard Home setup guide
Post by: Frank84 on January 03, 2024, 09:40:20 pm
Hello Everybody,

I am totally confused...
I have a running OPNSense 23.7.10_1 with Unbound. Now I have set up AdGuard Home like it is explained here and it works.
OK, I thought it works. Internet is reachable and I can see in the web interface of AdGuard that there are things blocked.

But now I have a really strange behavior.
If I use the user filter rules and insert something like '||web.de^$important' I still can access it with my browser.
But if I do a nslookup from terminal I get 0.0.0.0

Although if I disable AdGuard and Unbound I still can open any Website I want. I even blocked Port 53 in my Firewall and nothing changed.

Now I hope to find some help here.

Best regards
Frank
Title: Re: AdGuard Home setup guide
Post by: plikmuny on January 05, 2024, 06:01:04 pm
Hi, is Unbound necessary for AGH to function properly in opnsense? Or can we just disable unbound and use AGH with its DHCP function to do the DNS queries??? Will this idea work at all???
Title: Re: AdGuard Home setup guide
Post by: Patrick M. Hausen on January 05, 2024, 06:04:38 pm
Some upstream recursive DNS server is necessary for AGH to work.
Title: Re: AdGuard Home setup guide
Post by: mudhauler on January 11, 2024, 06:23:13 pm
I want to use Unbound in resolve mode and have AGH use unbound as its dns server.

Doesn't seem that this guide does that? Or am I missing something?

EDIT:

I think this is how you do it, correct?

Have AGH listening on port 53
Unbound listens on port 5353
AGH uses only a single upstream of 127.0.0.1:5353
Title: Re: AdGuard Home setup guide
Post by: 9axqe on January 12, 2024, 07:45:40 am
Two remarks:
1. you wrote once 5353 and once 5335, I assume it's a typo.
2. I would recommend to use 53530 for example rather, as 5353 is the default port for mDNS.

Other than this, your configuration seems correct.
Title: Re: AdGuard Home setup guide
Post by: mudhauler on January 13, 2024, 01:06:08 am
Yes, that was a typo.. edited to correct..

ok will use 53530.. Thanks
Title: Re: AdGuard Home setup guide
Post by: mudhauler on January 24, 2024, 07:42:34 pm
Are we able to use the AGH/Settings/DNS Encryption setting in this configuration?

Using AGH plugin on 53, Unbound on 53530 w/ DOT to cloudflare.

I have the acme plugin up and running.. Created a cert for AGH.. am pasting fullchain.pem and privatekey.pem but am getting 2 errors:

Code: [Select]
Error: control/tls/validate | port 443 is not available, cannot enable HTTPS on it | 400
and on both key paste entry fields:

Code: [Select]
Status:
    *Certificate chain is invalid




Anyone have this working if even possible?
Title: Re: AdGuard Home setup guide
Post by: 9axqe on January 24, 2024, 10:31:03 pm
I would guess both your opnsense admin interface and the adguard admin interface are running on port 443. Considering DNS over HTTPS is a thing, I would recommend moving the opnsense admin intf to a different port.

Regarding the cert chain issue, I can confirm that using acme plugin to generate a certificate is indeed possible. But I am not pasting any certificate anywhere, this is not required, you simply configure adguard to reuse the same certs you created for the router. (You do need to figure out which ones are the right ones if you have multiples)

Code: [Select]
tls:
  enabled: true
  [...]
  port_https: 443
  [...]
  certificate_path: /var/etc/acme-client/certs/644c0950b1e430.38459566/fullchain.pem
  private_key_path: /var/etc/acme-client/keys/644c0950b1e430.38459566/private.key
Title: Re: AdGuard Home setup guide
Post by: mudhauler on January 24, 2024, 11:31:20 pm
That did it. I changed the AGH https port and that error went away, didn't want to move the admin ui.

On the AGH page the HTTPS port field says:
"If HTTPS port is configured, AdGuard Home admin interface will be accessible via HTTPS, and it will also provide DNS-over-HTTPS on '/dns-query' location."

So it seems the DOH should still work fine?




Thanks!
Title: Re: AdGuard Home setup guide
Post by: abulafia on January 27, 2024, 11:55:44 pm
On the certs:

I use a very easy setup with acme let's encrypt certificates:

1. Use a wildcard cert

2. Paste into adguard home GUI settings -> encryption settings:

Certificate path:
/var/etc/cert.pem

Key file path:
/var/etc/key.pem

Works.
Title: Re: AdGuard Home setup guide
Post by: andyd on February 12, 2024, 07:52:56 am
Anyone know how I can check what is the issue with my setup?

I have followed yeraycito's post and DNS ceases to work. The only configuration that seems to work for me is...

https://0x2142.com/how-to-set-up-adguard-on-opnsense/

But I want AdGuard to be on 53 and Unbound on some other port.

If I test upstream server in Adguard, that works so I figure there is some communication happening between Adguard and Unbound.

But I don't understand why there is no DNS resolution. I can access internal services by IP no problem so it's just the DNS resolution that isn't working
Title: Re: AdGuard Home setup guide
Post by: 9axqe on February 12, 2024, 12:59:21 pm
Hey @andyd, did you check that you can send DNS request to <opnsense_IP>:5353 ?

Something like "host example.com <opnsense_IP>:5353" from a linux box.

Does this work?

btw, I disagree a bit with @yeraycito's recommendation of using port 5353. It's the default port for mDNS, I see an unnecessary risk for conflict, I use 53530 for example.
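
A way to run the check suggested above, as an added example that is not part of the post: it sends one A query over UDP to each port given and reports the response code, so a resolver moved to 5353 or 53530 can be confirmed before AdGuard Home is pointed at it. The function names and the constructed sample reply are this example's own; 192.168.1.1 is the router address used elsewhere in the thread.

```python
#!/usr/bin/env python3
"""Check that a resolver answers on a given port, e.g. Unbound moved off 53."""
import secrets
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """Encode one recursive question (RFC 1035); qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(data, off):
    """Return the offset just past an encoded name, honouring compression."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(data, txid):
    """Validate the reply and pull out the rcode and any A-record addresses."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4            # skip qtype + qclass
    addresses = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, str(rcode)),
            "truncated": bool(flags & 0x0200), "addresses": addresses}


def constructed_reply(query, ip, rcode=0):
    """Build a sample reply to `query` (constructed test data, not a capture)."""
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:] + (answer if ancount else b"")


def probe(server, port, name="example.com", timeout=2.0):
    """Send one UDP query; report the outcome instead of raising."""
    txid = secrets.randbelow(0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.connect((server, port))   # connected UDP surfaces "port closed"
            sock.send(build_query(name, txid))
            data = sock.recv(4096)
        return parse_response(data, txid)
    except OSError as exc:                 # timeout, connection refused, no route
        return {"rcode": None, "error": type(exc).__name__, "addresses": []}
    except (ValueError, IndexError, struct.error) as exc:
        return {"rcode": None, "error": str(exc), "addresses": []}


if __name__ == "__main__":
    # Usage: dnsprobe.py SERVER PORT [PORT ...]; defaults are the thread's examples.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    ports = [int(p) for p in sys.argv[2:]] or [53, 5353]
    for port in ports:
        print(f"{server}:{port} ->", probe(server, port))
```

A refused connection means nothing is listening on that port, while a timeout usually points at a firewall rule or a service bound to a different interface.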
Title: Re: AdGuard Home setup guide
Post by: andyd on February 12, 2024, 10:20:55 pm
I'm going to try again later in the week but I'll try again. I suspect that I need to restart the router for the changes to really apply as the lesson I learnt this morning when I was trying to revert back to what I had.

In regards to 5353, yep! I read elsewhere that the port shouldn't be used.
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on February 13, 2024, 10:22:36 am
this isn't windows ;) . No need to reboot for most services on userland. Just restart the service.
Title: Re: AdGuard Home setup guide
Post by: andyd on February 14, 2024, 04:21:30 am
lol it seemed like it would be necessary to do so for some other change.

anyway, I cannot get this to work :/ Not sure what I'm missing but the logs aren't helpful (or if any).

I usually work on things remotely since i'm not always home - hard to tell right now if there is something off with vpn or home as well.

for wireguard vpn, it's just adding the dns ip of 10.10.10.1? I have that but still no luck. The only thing that works for me is having Unbound set to port 53 (and following the guide I linked to previously)
Title: Re: AdGuard Home setup guide
Post by: cookiemonster on February 14, 2024, 11:12:52 am
@andyd, I suggest to open your own thread with your settings
Title: Re: AdGuard Home setup guide
Post by: andyd on February 14, 2024, 07:57:22 pm
@cookiemonster

I actually got it working last night!

A few things...

I deleted Adguard and added it back in case I had messed with anything. After doing that...

1. I had forgotten about the option to set Adguard as `Primary DNS server`. I enabled that. Not sure if that helps. Also not sure when that option was introduced but it was never mentioned in this thread so I didn't think to go back to the adguard page to enable it.
2. I noticed that the bind address in the Adguard yaml was set to 0.0.0.0. I previously had it as the router ip. Not sure why I changed it but left it as default. Port was always 53 though
3. I followed this guide instead which seemed more comprehensive in general...

https://windgate.net/setup-adguard-home-opnsense-adblocker/

I am not sure what any of the four was the reason but yeah finally working. I recommend the guide above to others that are looking to set Adguard to 53 and unbound another port.

Title: Re: AdGuard Home setup guide
Post by: cookiemonster on February 14, 2024, 10:37:06 pm
@andyd glad you're up and running.
This thread is so long that I don't even remember if it suggests AdGH as "the" dns server for the network or not. That's where we can use one of two ways, whichever you prefer.
In both cases only one process can be on a port. That means one on 53 and the other on whatever is preferred.
The next thing to consider is that depending on which way, firewall rules and NAT are different. Also need to remember this when setting the DNS server for OPN to use itself.
p.s. 0.0.0.0 means "bind to all interfaces on this host".
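
A configuration check for the points raised in this thread (wildcard binds that listen on every interface, upstreams on the mDNS port 5353, and AdGuard Home's HTTPS port colliding with the OPNsense GUI on 443), as an added example that is not part of any post or of the AdGuard Home project. It works on the dictionary a YAML parser returns for AdGuardHome.yaml; the two sample configurations are constructed from the excerpts posted above, and the function names are this example's own.

```python
"""Audit an AdGuardHome.yaml-shaped dict for the exposure points in this thread."""

WILDCARDS = {"0.0.0.0", "::", ""}   # "" is what ":3000" parses to: every interface
MDNS_PORT = 5353                    # default mDNS port, flagged in the thread
OPNSENSE_GUI_PORT = 443             # the OPNsense GUI's HTTPS port, per the thread


def split_hostport(value, default_port):
    """Split 'host:port', '[v6]:port' or a bare address into (host, port)."""
    value = str(value).strip()
    if value.startswith("["):                    # [v6]:port
        host, _, rest = value[1:].partition("]")
        port = rest.lstrip(":")
    elif value.count(":") == 1:                  # v4-or-name:port
        host, _, port = value.partition(":")
    else:                                        # bare IPv4, name or IPv6
        host, port = value, ""
    return host, int(port) if port.isdigit() else default_port


def plain_upstreams(entries):
    """Yield (host, port) for plain-DNS upstreams; skip comments and URL forms."""
    for entry in entries or []:
        entry = str(entry).strip()
        if entry.startswith("[/"):               # "[/domain/]server" per-domain form
            entry = entry.partition("/]")[2]
        if not entry or entry.startswith("#") or "://" in entry:
            continue
        yield split_hostport(entry, 53)


def audit(cfg):
    """Return a list of (config key, message) findings."""
    findings = []
    http_addr = cfg.get("http", {}).get("address")
    if http_addr is None and "bind_host" in cfg:  # older top-level schema
        http_addr = f"{cfg['bind_host']}:{cfg.get('bind_port', 3000)}"
    if http_addr is not None:
        host, port = split_hostport(http_addr, 80)
        if host in WILDCARDS:
            findings.append(("http.address",
                f"admin UI listens on every interface; confirm no WAN rule "
                f"allows tcp/{port} or bind it to a LAN address"))
    dns = cfg.get("dns", {})
    binds = dns.get("bind_hosts") or ([dns["bind_host"]] if "bind_host" in dns else [])
    if any(str(b) in WILDCARDS for b in binds):
        findings.append(("dns.bind_hosts",
            f"DNS listens on every interface; confirm no WAN rule allows "
            f"port {dns.get('port', 53)} inbound"))
    for key in ("upstream_dns", "bootstrap_dns", "local_ptr_upstreams"):
        for host, port in plain_upstreams(dns.get(key)):
            if port == MDNS_PORT:
                findings.append((f"dns.{key}",
                    f"{host}:{port} uses the mDNS default port; pick another "
                    f"such as 53530"))
    tls = cfg.get("tls", {})
    if tls.get("enabled"):
        if tls.get("port_https") == OPNSENSE_GUI_PORT:
            findings.append(("tls.port_https",
                "443 is also used by the OPNsense GUI; AdGuard Home cannot "
                "enable HTTPS on a port that is taken, so move one of them"))
        if tls.get("allow_unencrypted_doh"):
            findings.append(("tls.allow_unencrypted_doh",
                "DoH is also served without TLS"))
    return findings


# Constructed samples, shaped like the excerpts posted in the thread.
EXPOSED = {
    "http": {"address": "0.0.0.0:3000"},
    "dns": {"bind_hosts": ["0.0.0.0"], "port": 53,
            "upstream_dns": ["192.168.1.1:5353"], "bootstrap_dns": ["9.9.9.9"]},
    "tls": {"enabled": True, "port_https": 443, "allow_unencrypted_doh": False},
}
TIGHTER = {
    "http": {"address": "192.168.1.1:3000"},
    "dns": {"bind_hosts": ["192.168.1.1", "127.0.0.1", "::1"], "port": 53,
            "upstream_dns": ["127.0.0.1:53530"]},
    "tls": {"enabled": True, "port_https": 8443, "allow_unencrypted_doh": False},
}

if __name__ == "__main__":
    for label, cfg in (("EXPOSED", EXPOSED), ("TIGHTER", TIGHTER)):
        print(label)
        for key, message in audit(cfg) or [("ok", "no findings")]:
            print(f"  {key}: {message}")
```

A finding on a wildcard bind is a prompt to review the firewall rules, not proof of exposure: as noted earlier in the thread, OPNsense does not allow ports 3000 and 53 inbound by default.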
Title: Re: AdGuard Home setup guide
Post by: alto on February 27, 2024, 08:55:45 am
I feel like I need to jump in here and ask for some AdGuard help as well. I'm having issues configuring dnsmasq+adguard on opnsense to be able to distinguish which clients are making which DNS lookups (i.e. retain local client IPs).

I currently have the requests going like `client -> dnsmasq (53) -> adguard (53530)`. The reason why I have dnsmasq is because I own a domain that I route to an internal reverse proxy on the LAN, so dnsmasq is resolving mydomain.com to a local IP and forwarding the rest to AdGuard.

The thread is very long at this point, so apologies if this has already been answered, but how can one go about setting things up so that AdGuard will be able to display the local client IPs in the dashboard, and not just 192.168.1.1 when forwarding via dnsmasq on the opnsense device?
Title: Re: AdGuard Home setup guide
Post by: 9axqe on February 27, 2024, 08:59:13 am
AGH has the ability to "rewrite" DNS as well, so you can make your own domain point to local IPs using just AdGuard Home. Hence you could put AdGuard first (and maybe you don't need dnsmasq at all anymore?).

Just an idea.
Title: Re: AdGuard Home setup guide
Post by: alto on March 02, 2024, 11:29:03 am
That's excellent, I didn't know AGH could do that with wildcards and exclusions, but it actually can.
I set up AGH to do the same as I've done with dnsmasq so far, and it seems to work correctly, so I'll be uninstalling dnsmasq and the end result is a simplified setup, very nice!
Title: Re: AdGuard Home setup guide
Post by: Inxsible on March 24, 2024, 04:55:42 am
I have a question regarding the Blocked services.

I see that there is an option to pause the blocking. Can someone confirm if there's a way to pause blocking only for certain services instead of pausing the block for all services?

For eg. I just want to unblock YouTube from 6PM to 7AM on Weekdays and all day on Sat, Sun. I don't want to pause the blocking of any other services. Can this be achieved with the current Pause Blocking feature?
Title: Re: AdGuard Home setup guide
Post by: 9axqe on March 24, 2024, 10:26:00 am
I don't know the answer to your question, I would recommend asking this on the AdGuard Home own forums, as this is unrelated to opnsense:
https://github.com/AdguardTeam/AdGuardHome/discussions
Title: Re: AdGuard Home setup guide
Post by: RamSense on March 24, 2024, 02:21:53 pm
I think you can achieve this by per client setting: Adguard home - setting - client settings - Persistent clients, Add client. In there you can specify the "Pause service blocking" for that client, day and time.
Title: Re: AdGuard Home setup guide
Post by: Inxsible on March 25, 2024, 10:39:36 pm
I didn't want to do it per client. I just want the service available to all clients during a specified time. However, I don't want to unblock all the other services.

Looks like that is not possible at the moment with AdGuard Home
Title: Re: AdGuard Home setup guide
Post by: kosta on March 29, 2024, 07:25:57 pm
Does someone have the issues with the OPNsense update-mechanism since installing the mimugmail repository for ADGuard? I still didn't remove it to test it whether that really is the issue, but since I've installed it, updates take couple of minutes to load and plugins need like 3-5minutes to show up. And God forbid you change the menu and go back, the process begins again.
Title: Re: AdGuard Home setup guide
Post by: yahyoh on April 18, 2024, 11:02:52 pm
Hey Guys,

I just want to double check:

Is it ok to bind 0.0.0.0 interface instead of choosing local ip address?

I faced some issue with binding only local lan & 127.0.0.1 & ::1, where out of nowhere it stopped forwarding DNS to clients (even after adding firewall rule), so I changed the listening interfaces to 0.0.0.0 and I noticed it started working again and AGH seems now to be resolving ipv6 clients' requests, not just ipv4.

edit: NVM, AGH stopped receiving DNS requests again, had to add router ip as DNS servers in opnsense setting to get it to work!! I don't even know if that's the right solution tbh..