Messages - haim9080

#1
Hello everyone, when I try to click + to add an instance, it's stuck and does nothing..
#2
26.1, 26,4 Series / Re: User Page Block
April 09, 2026, 06:10:32 PM
Quote from: meyergru on April 09, 2026, 06:06:54 PM
If you do not know by now, I cannot help you, sorry.

In AGH or Unbound, you have to redirect bad sites to the IP of your blocking webserver.

I gave a link to a project that can handle the blocking webserver (including certificates) part. It needs docker, but if you do not have that or know how to use docker-compose or do it another way, you are stuck.

OpnSense has no means to do it and it is complex by nature. Note that OpnSense is not your average consumer router that will handle these things automagically for you (actually, what you request cannot be done on OpnSense alone).

So I can build up an LXC in Proxmox and give the solution to production??
#3
Quote from: nero355 on April 09, 2026, 03:34:08 PM
Quote from: haim9080 on April 09, 2026, 02:12:16 PM
At the same time, is WIREGUARD better?
For your battery usage it 100% is according to many users :)

My battery in the iPhone is working well :) hahah
So what is the solution for that case??
#4
26.1, 26,4 Series / Re: User Page Block
April 09, 2026, 05:57:51 PM
Quote from: meyergru on April 09, 2026, 05:00:00 PM
I repeat: This approach does not work for HTTPS sites, which nowadays is the default for most sites.

Just think it through:

1. You request any URL, like https://www.badsite.com/url1.
2. No matter what you are using: Unbound, AGH or Pi-Hole see that "www.badsite.com" is on their blocklist.
3. You configure your DNS blocker to NOT deliver a "NOT FOUND" error, but a different IP than the real one for www.badsite.com.
4. The webserver behind that IP accepts the request on port 443. If it can present a certificate for www.badsite at all (for the purpose of which it has to be able to dynamically generate those), it will not be trusted by your browser per se (unless you import the generating CA first).
5. Therefore, your browser will bark and NOT show you the blocking notice, but instead a warning that something fishy is going on (which it is).

Result: You cannot have a blocking notice page (as requested per thread title) without dynamic certificates that your browser trusts.

So I am trying to understand what I need to do?
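
The trust problem in steps 4 and 5 of the quoted explanation, reproduced offline with the `openssl` CLI. This is an added example, not part of any forum post or of the linked project; the CA name and file names are constructed, and `www.badsite.com` is the placeholder host from the quote.

```shell
#!/bin/sh
# Added example. The CA name and file names are constructed;
# www.badsite.com is the placeholder host from the quoted explanation.
blockpage_trust_demo() {
    d=$(mktemp -d) || return 2
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Blockpage Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
    printf 'subjectAltName=DNS:www.badsite.com\n' > "$d/leaf.ext"

    # Local CA that the block-page server uses to mint certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 2
    # Step 4: certificate generated on the fly for the blocked name.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=www.badsite.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 2
    openssl x509 -req -in "$d/leaf.csr" -days 1 -extfile "$d/leaf.ext" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/leaf.crt" 2>/dev/null || return 2

    # Step 5: a client that never imported the CA rejects the chain.
    if openssl verify "$d/leaf.crt" >/dev/null 2>&1
    then without_ca=trusted; else without_ca=rejected; fi
    # Same certificate once the generating CA is in the client's trust store.
    if openssl verify -CAfile "$d/ca.crt" \
        -verify_hostname www.badsite.com "$d/leaf.crt" >/dev/null 2>&1
    then with_ca=trusted; else with_ca=rejected; fi

    rm -rf "$d"
    echo "without_ca=$without_ca with_ca=$with_ca"
}

blockpage_trust_demo
```

The first result is what a browser sees when only the DNS answer was changed; the second is what it sees after the generating CA has been imported on the client.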
#5
26.1, 26,4 Series / RULES NEW
April 09, 2026, 02:14:58 PM
I have an interest in the new interface of the rules RULES NEW, which I am making a law.
How does this manifest itself in IN OUT? I would love an in-depth explanation on the subject.

How do I simplify the rules to make them easier to include in terms of the constitution?
#6
26.1, 26,4 Series / OpenVPN - VPN Not Working good
April 09, 2026, 02:12:16 PM
Hello everyone, I made an OPENVPN server in FULL TUNNEL.
Now I have a section that I connect to through my iPhone, and every time it just disconnects when I lock the iPhone and reconnects when I open it and it doesn't stay stable..
And I'm trying to figure out if it's a problem with OPENVPN or OPNSENSE or my iPhone?

At the same time, is WIREGUARD better? I tried to configure it and failed..
#7
26.1, 26,4 Series / Re: User Page Block
April 09, 2026, 02:10:49 PM
Quote from: meyergru on April 09, 2026, 08:46:30 AM
Adguard Home is not designed for that purpose - normally, it is supposed to just return a DNS error for "advertisements" that drops requests for advertisement URLs, such that ad content image parts will be left out from your normal pages.

Of course you can use blocklists that also block certain sites and you can specify the IP that AGH returns. You can then install a webserver on that IP that answers with a block notice for any URL. Yet, if the original URL was HTTPS, you would get an error because your block notice cannot produce a valid certificate for the original page called for. Thus, you need to create a certificate on-the-fly, the CA for that must be imported on your clients.

Here is a project that does that, but as I said, this is not how AGH is intended to be used, so it is a lot of manual work. Also, I assume that every advertisement on each page would be replaced by a small picture of the block site.

So if I understand you correctly, can I set the ADGUARD settings to give it an NGINX server address or some server with a white page or a design that says it's blocked and ADGUARD will redirect it to it every time??
The question is, if I don't give it a CA, what can happen?
#8
26.1, 26,4 Series / User Page Block
April 09, 2026, 12:38:45 AM
Hello everyone, I want to know how I can do a User Page Block for users in my network who try to access a blocked website.
I am using AdGuard Home on the OPNsense.
And I want that if some user logs in to a blocked website, for example, he gets a Block Page..

Like a real FW: Forti/Checkpoint.
Sorry about my English if it's not very good :)
#9
26.1, 26,4 Series / Re: Unbound DNS
April 09, 2026, 12:35:51 AM
Quote from: Patrick M. Hausen on April 09, 2026, 12:08:01 AM
AdGuard Home needs a forwarder or upstream DNS server as it might be called. It cannot do recursive resolution by itself. That's why I

- let AGH listen on port 53 on all interfaces
- let Unbound listen on port 53530
- set 127.0.0.1:53530 as an upstream for AGH

If you don't want a local Unbound in that equation, you need to point your AGH at your ISP's or some other recursive DNS server.

With that being solved it's a matter of

- have AGH listen on *all* interfaces: 0.0.0.0 - firewall rules will take care of nobody abusing it
- point your OpenVPN clients at "OPNsense address in the OpenVPN network, port 53" for DNS

HTH,
Patrick

Dear Patrick, I solved that by reinstalling AGH and having it listen only on the LAN interface, and everything is working great.
Thank you a lot.

I really appreciate that.
Haim
#10
26.1, 26,4 Series / Re: Unbound DNS
April 08, 2026, 11:57:35 PM
Quote from: meyergru on April 08, 2026, 09:57:14 PM
You need Unbound or any DNS resolver, so AGH should run on an alternative port. I do not use it, but here is a guide:

https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/

Maybe you should use something different than 5353, because that collides with mDNS.


I managed to install ADGUARD. In the end, I disabled UNBOUND DNS. Now I also have OPENVPN, which comes out in FULL TUNNEL. I connect from my phone to the VPN, so the traffic doesn't go out. I see it in the ADGUARD logs as passing through, but on the phone there is no browsing at all.
What could be the solution to this?
#11
26.1, 26,4 Series / Re: Unbound DNS
April 08, 2026, 09:50:55 PM
Quote from: meyergru on April 08, 2026, 09:14:18 PM
The instructions to do this are literally on the linked page.

Thank you. I installed that, but the AdGuard Home installation told me that port 53 is not available after I turned off the Unbound DNS.. so what do I do now???
#12
26.1, 26,4 Series / Re: Unbound DNS
April 08, 2026, 08:23:58 PM
Quote from: Patrick M. Hausen on April 07, 2026, 03:27:01 PM
Yes, of course. Integrated with OPNsense.

So how can I download that?? Install that? Can you give me the steps???
#13
26.1, 26,4 Series / Re: Unbound DNS
April 07, 2026, 02:56:19 PM
Quote from: Patrick M. Hausen on April 07, 2026, 12:47:12 PM
Quote from: haim9080 on April 07, 2026, 12:23:17 PM
Where??!?!?!!? I searched in the community plugins and I didn't see anything..

https://www.routerperformance.net/opnsense-repo/

If you pick the "just AdGuard" repository, there won't be any ill side effects caused by package conflicts. AGH is a single golang binary, all very clean and manageable.

What does it do???
Does it install a full AdGuard Home solution???
#14
26.1, 26,4 Series / Re: Unbound DNS
April 07, 2026, 12:29:05 PM
Quote from: nero355 on April 06, 2026, 03:24:42 PM
Quote from: haim9080 on April 05, 2026, 10:32:02 PM
How can I fix this?
Unbound is nice for the whole 'Query Root DNS Servers' thing, but for blocking domains I would rather use Pi-Hole than anything else to be honest :)

Maybe one day there will be some kind of OPNsense alternative for pfBlockerNG but for now Pi-Hole + Unbound on a Raspberry Pi/Intel NUC/Proxmox CT or VM has my preference : https://docs.pi-hole.net/guides/dns/unbound/

/EDIT :
Quote from: Patrick M. Hausen on April 06, 2026, 04:16:17 PM
AdGuard Home is available as a community plug in and works very well. I prefer it over Pihole.
I know, but aside from disliking AdGuard since Day #1 the reason to not use it on OPNsense is because I like to keep my Router/Firewall as clean and simple as possible and something like that does not belong there IMHO :)

Listen, this OPNSENSE is in my rented apartment, I have S2S between my parents' house and here, and my parents' house has PROXMOX on it, which has ADGUARD and everything. I can redirect all the traffic to its name, but that's a bit stupid to me..
Can I do blocks in the FW and get a USERBLOCK page like this that it's blocked??
#15
26.1, 26,4 Series / Re: Unbound DNS
April 07, 2026, 12:23:17 PM
Quote from: Patrick M. Hausen on April 06, 2026, 04:16:17 PM
Quote from: nero355 on April 06, 2026, 03:24:42 PM
Maybe one day there will be some kind of OPNsense alternative

AdGuard Home is available as a community plug in and works very well. I prefer it over Pihole.

Where??!?!?!!? I searched in the community plugins and I didn't see anything..