AdGuard Home setup guide

[N0_Klu3]

So I've been looking around and been unable to get a good AdGuard or PiHole setup.

I figured it out, and it seems to be working well, so I'm writing this for mainly my own future reference.

--------------------
Setup for a physical AdGuard (Raspberry Pi or something)

I installed AdGuard Home on a Raspberry Pi with the IP 10.0.0.12.
Settings -> DNS Settings
Chose and configure to your desired setup.

On OPNsense:
System -> General Setup
Set '10.0.0.12' as DNS server
Tick: Do not use the local DNS service as a the only nameserver for this system

Optional, but recommended:
Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward

Code Select Expand

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 10.0.0.12
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

Unbound -> Untick 'Enable Unbound'. (So its turned off)
Or you can follow the steps below to use a router_ip:5353 to loopback to OPNsense unbound as a backup.

I also found that I had to add the DNS specifically on each DCHP interface.
Mainly due if you removed all DNS servers from System -> General Setup. I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: 10.0.0.12

If you have VLANs or other LANs you may need to do some Firewall rules to allow traffic through to the DNS server IP on Port 53 (DNS)

That is pretty much it.

--------------------
Setup for using AdGuard via the OPNsense community repo

Firstly install the Community repo from: https://www.routerperformance.net/opnsense-repo/
Then install AdGuard Home via Plugins.

Navigate to router_ip:3000 to setup AdGuard.
I set Admin interface to my main LAN as the only listen interface and via port 81 (OPNsense uses port 80 and 443 so select something other than this for AdGuard listen port and if you configure AdGuard's SSL settings)

DNS Server listen interface select 'All' on Port 53.

Setup DNS as you would like it with your own providers.
Settings -> DNS settings -> Bootstrap DNS servers -> Add router_ip:5353

On OPNsense:
System -> General Setup
Set '8.8.8.8' as DNS server (Or whatever DNS you would like as a backup, if you only want AdGuard you can remove all DNS servers from this list and leave it blank)
Untick: Do not use the local DNS service as a nameserver for this system
This way by default OPNsense will use itself (127.0.0.1) as the resolver which we want.

Services -> Unbound DNS -> General
Enable Unbound (it could be disabled if you'd prefer, then remove the Boostrap DNS setup as above)
Add port 5353 (instead of default 53)
Only select: 'Register DHCP leases' & 'Register DHCP static mappings'

Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard:
Firewall -> NAT -> Port Forward

Code Select Expand

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

If you have multiple VLANs or LANs then duplicate the rule and change it to the relevant Interface and address.

I also found that I had to add the DNS specifically on each DCHP interface.
Mainly due if you removed all DNS servers from System -> General Setup. I found some iOS devices struggled without the below.
Services -> DHCPv4 -> LAN
DNS servers: router_ip

And the same for any VLANs, just set the route IP for each VLAN.
eg. 192.168.107.1 is my IoT VLAN

That should pretty much do it.

--------------------

Please let me know if you see any tweaks or better settings that you think can improve this, I'm more than happy to improve this and make this into a good guide.

*NOTE* I did find that running AdGuard via OPNsense router to lower the processing time by more than half.
9ms via router setup, compared to around 45ms via Raspberry Pi 3B+

[Patrick M. Hausen]

Why don't you install AdGuardHome on your OPNsense? Which was precisely the point in that other thread?

[N0_Klu3]

Because there is no clear guide on how to set it up!
Also sometimes people want to use a physical device for this.

Like I say. I'm happy to update and include the AdGuard install on OPNsense but until I can get a good guide I just cannot.
If you can give me your setup and how you made it work I'll test it out tomorrow and can add that to this guide too.

[Patrick M. Hausen]

I did a write up in that other thread.

1. Activate mimugmail's community repository
2. Install AdGuardHome from System --> Firmware --> Plugins
3. Change your primary DNS server on OPNsense to use e.g. 127.0.0.1:53530 only
4. Activate and start AdGuardHome from Services --> AdGuardHome
5. Navigate to http://your.opnsense:3000/ to complete the setup

[N0_Klu3]

Do you not need to change AdGuard to use different ports upon setup?
So that it doesn't affect OPNsense on port 80 and 443?

How do you specify port 53530 unless you mean change unbounds port?
Or on General DNS you can specify 127.0.0.1:53530? Wasn't aware you can use : to specify a port there.

Do you do anything with your unbound?
Are there any specific benefits to doing it all in one box?

And thanks I'll test it tomorrow.

[Patrick M. Hausen]

I meant make your Unbound listen to 127.0.0.1:53530. I use BIND, so - sorry - I cannot show you a screenshot. I am just assuming that just as with BIND you can change the listen interface and port for Unbound too. If that is not the case, I am sorry.

You need to do that so AdGuardHome can listen on all interfaces port 53 so clients can use it. Then in AdGuardHome use this dialog to configure the upstream resolver (see screenshot).

To adjust the listen addresses of AdGuardHome itself you need to ssh to your OPNsense and edit the config file at /usr/local/AdGuardHome/AdGuardHome.yaml:

Code Select Expand

bind_host: 0.0.0.0
bind_port: 3000
[...]
dns:
  bind_host: 0.0.0.0
  port: 53

[N0_Klu3]

Thanks if I can figure it out I'll test it tomorrow.
I feel like my way just works and works far simpler.

Is there any benefit other than having 2 devices in one doing it your way?

[Patrick M. Hausen]

I would not want another box just for a single application that works perfectly on my already present OPNsense.

[N0_Klu3]

Do I need to Listen on all interfaces for DNS Server?
As it has my WAN IP in there too.

I have LAN, and 2x VLANS so there are a lot of connections there.
I also changed the Admin to use port 81.

Like this:

[N0_Klu3]

@pmhausen
Take a look at my edits and addition of AdGuard via Community Repo.
Let me know what you think or if any of it needs changing/addition.

[Patrick M. Hausen]

Of course you don't need to activate it on WAN, sorry.

[N0_Klu3]

Yup problem is as I have more than 1x LAN I could not manually select my LANs/VLANs.
Its was all or 1. Unless I missed something there.
So I just selected All

[Patrick M. Hausen]

Well, even if it is listening on WAN your firewall rules should prevent access, right?

[N0_Klu3]

Yup should drop all traffic from WAN by default

[ekke]

AdGuard seems to be amazing! really slick interface and usefull features!