AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

Howdy,

I followed yeraycito's setup guide from September 22, 2022 and configured DNS over TLS. It worked perfectly until I suddenly lost internet access. I could still ping 1.1.1.1 from my machine; however, DNS resolution seemed to be broken.

I reverted the changes and after obtaining a new IP address my internet was working again.

I played around with it and reconfigured everything per yeraycito's guide once again. I then decided to go into:
System > Settings > General
and added my OPNSense box as a DNS server (the thing hosting unbound). The error is now no longer occurring. Is this a step I was supposed to do and was just not provided in yeraycito's guide, or am I now bypassing DNS over TLS (or doing something else equally dumb)?

System > Settings > General is actually for DNS lookups initiated by OPNsense itself. It should be configured, yes, but if it's missing it should break the DNS resolution of your clients.

What is relevant for your client is the DNS server configured in the DHCP server, because your client is learning the IP of the DNS server over DHCP: Services: ISC DHCPv4: [your interface] > DNS Servers.

Could you see the DNS requests coming in in the AdGuard Home logs while the issue was happening? Can you see the requests in AdGuard Home now?

Could you see the DNS requests coming in in the AdGuard Home logs while the issue was happening?
     I was not looking at the time and I'm hesitant to break it again.
Can you see the requests in AdGuard Home now?
     Yes

At this time should I change System > Settings > General back to something like cloudflare and change Services: ISC DHCPv4: [your interface] > DNS Servers to my OPNSense host? or am I misunderstanding what you are suggesting?

Hello - I am new to OPNsense but have my setup working well and I followed this guide to set up AdGuard Home with Unbound and it is working fine. So thank you to all the contributors!

I have one client (a server) using an IPv4 static DHCP lease that I wanted to set up so that it bypasses AdGuard but uses Unbound.

I have tried to set the DNS to 192.168.1.1:5335 (Unbound) but OPNsense DHCP does not like the :5335 part...

If I use an external DNS like 8.8.8.8 it bypasses adguard but I can't access the server by its hostname as reverse lookup is through unbound.

In summary I need to configure a client to not use adguard but still be able to resolve it by hostname

Any thoughts on how I can make this work?

Quote from: jata on June 20, 2024, 01:30:11 AM
I have one client (a server) using a ipv4 static DHCP lease that I wanted to setup so that it bypasses adguard but uses unbound.
Is it sufficient to configure AGH to not block anything for that client?
https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#client-rules

hello dave14305! I know you from the asus / merlin forums.

Yes - i can not block easily and nothing important is being blocked from what I can see anyway.

I just don't like the noise/volume from this machine and there might be other clients that I want to exclude from adguard so looking for another way.

At the moment I have a trade off between resolving hostname and using adguard.

June 20, 2024, 07:56:49 AM #321 Last Edit: June 20, 2024, 08:42:03 AM by jata
UPDATE: Be very careful with this as it can have quite significant consequences - especially with servers that are doing lots of things. Looks like adding to disallowed clients has a big impact on dns resolution for the clients on this list.

By way of update on this I think I have found a couple of settings in AdGuard that help solve this.

If you want to completely ignore a client, then you add it to disallowed clients in the DNS settings of adguard.

If (like me) you are getting lots of noise from clients communicating with other clients on the lan by hostname (e.g. client1.lan), then you can add lan to disallowed domains in adguard DNS settings.


Hey everyone, thanks for this detailed thread and all the solutions that have been mentioned.

I'm new to OPNsense and while I am well-versed in consumer-grade routers/AdGuard Home, I'm not great with advanced networking. Due to this, I'm facing a few issues trying to get AdGuard working with a dual-WAN setup on OPNsense. I hope someone can help me :)

The steps I followed:

  • Set up my OPNsense box with a single WAN connection and verified internet connectivity on clients.
  • Set up AdGuard according to this guide.
  • Verified that the internet was accessible to clients.
  • Followed the official multi-WAN documentation to set up a load-balancing configuration.

This set of steps seemed to work at first since I was able to access the internet.

However, immediately after this:

  • AdGuard web UI becomes inaccessible at the correct ip/port (3000 or 8080, which I configured it to use).
  • Load-balancing/fail-over seem to stop working.
  • All access to the internet is lost at the client-end.

Other things I tried:

  • I switched the sequence of steps to first set up dual-WAN and then attempt to set up AdGuard but then, I immediately run into an inaccessible AdGuard web UI, so even the configuration wizard at port 3000 is unreachable.
  • Add a new Firewall rule to forward all DNS (Port 53) traffic to AdGuard as mentioned in the first post.
  • Add my router IP address in System/Settings/General.

None of these have helped restore internet connectivity or access to AdGuard web UI. Additionally, I'm not sure if it's related, but, if I try to test WAN fallback in my load-balancing setup by disconnecting one of my internet connections to the router, it does not seem to failover to the second WAN and instead, all clients lose internet connectivity entirely. The router itself seems to have connectivity as it's able to check for updates successfully.

I also noticed this note by planetix:
Quote from: planetix on August 03, 2021, 04:32:34 PM
Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.

The problem, if anyone else runs in to this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.

This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.

I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.

Hope this helps someone else :)

However, I could not figure out how to do this so I'm not sure if this is the solution for the issues I'm facing.

Once I get this working, I want to integrate Zenarmor into OPNsense and install a few more useful plugins/packages.

Does anyone have experience in getting AdGuard + Unbound to work in a dual-WAN setup like mine? Is there anything simple/obvious that is escaping me? What else can I try to make this work?

Please do try to ELI5. Thanks in advance!

Quote from: prakhar on June 29, 2024, 07:32:26 AM
Hey everyone, thanks for this detailed thread and all the solutions that have been mentioned.


Anyone?

Quote from: prakhar on June 29, 2024, 07:32:26 AM
However, I could not figure out how to do this so I'm not sure if this is the solution for the issues I'm facing.

Disclaimer: I do not have dual WAN, so my expertise here is limited.

The default pass all out rule in your firewall is going to have "LAN net" as source and "*" as destination. The above post says, you must change that to point to your dual WAN gateway.

Secondly, (actually, firstly, before the step above) you need LAN rules to allow from "LAN net" to "this firewall" ports 443, 3000, 22, etc.

Finally, a question: is Dual WAN working properly without AdGuard Home? Because if not, it has little to do with AdGuard Home then I guess.
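
The rule ordering described in the two posts above, as a small first-match model (an added example, not from the thread and not OPNsense code). It assumes the firewall's LAN address is 192.168.1.1, a gateway group named WAN_GROUP, and AdGuard Home listening on ports 53 and 3000; the anti-lockout ports follow planetix's description.

```python
from dataclasses import dataclass
from typing import Optional

FIREWALL_LAN_IP = "192.168.1.1"  # assumed LAN address of the OPNsense box


@dataclass
class Rule:
    description: str
    dst: str                  # "any" or a single destination IP
    ports: Optional[set]      # None means any port
    gateway: Optional[str]    # None = normal routing, else policy-route to it


def evaluate(rules, dst_ip, dst_port):
    """Return what happens to a LAN packet; the first matching rule wins."""
    for rule in rules:
        if rule.dst not in ("any", dst_ip):
            continue
        if rule.ports is not None and dst_port not in rule.ports:
            continue
        if rule.gateway is not None:
            # A rule with a gateway forces the packet out that gateway,
            # even when the destination is the firewall's own address.
            return f"policy-routed to {rule.gateway}"
        return "delivered to firewall" if dst_ip == FIREWALL_LAN_IP else "default route"
    return "blocked by default deny"


def reachability(rules):
    """Check the three flows discussed in the thread."""
    return {
        "dns": evaluate(rules, FIREWALL_LAN_IP, 53),
        "agh_ui": evaluate(rules, FIREWALL_LAN_IP, 3000),
        "internet": evaluate(rules, "1.1.1.1", 443),
    }


ANTI_LOCKOUT = Rule("anti-lockout", FIREWALL_LAN_IP, {80, 443}, None)
PASS_ALL_VIA_GROUP = Rule("LAN pass all via gateway group", "any", None, "WAN_GROUP")
LOCAL_SERVICES = Rule("LAN net to this firewall", FIREWALL_LAN_IP, {53, 3000}, None)

# Only the modified "pass all" rule: DNS and the AdGuard UI never reach the box.
BROKEN = [ANTI_LOCKOUT, PASS_ALL_VIA_GROUP]
# Explicit rule for local services placed above the gateway rule.
FIXED = [ANTI_LOCKOUT, LOCAL_SERVICES, PASS_ALL_VIA_GROUP]

if __name__ == "__main__":
    print("broken:", reachability(BROKEN))
    print("fixed: ", reachability(FIXED))
```

In the broken ordering, client DNS queries to the firewall are sent to the gateway group along with everything else, which matches the symptom of clients losing name resolution while the router itself still has connectivity.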

Quote from: 9axqe on July 08, 2024, 11:54:26 AM
Quote from: prakhar on June 29, 2024, 07:32:26 AM
However, I could not figure out how to do this so I'm not sure if this is the solution for the issues I'm facing.

Disclaimer: I do not have dual WAN, so my expertise here is limited.

The default pass all out rule in your firewall is going to have "LAN net" as source and "*" as destination. The above post says, you must change that to point to your dual WAN gateway.

Secondly, (actually, firstly, before the step above) you need LAN rules to allow from "LAN net" to "this firewall" ports 443, 3000, 22, etc.

Finally, a question: is Dual WAN working properly without AdGuard Home? Because if not, it has little to do with AdGuard Home then I guess.

Thank you for these suggestions! I will try them and report back. Dual-WAN without AdGuard is working properly, so it's only when AdGuard is installed, that I start facing issues.

And when you say you lose "internet access", does "ping 1.1.1.1" for example still work? I'm trying to understand if it's only DNS not working.

is AGH compatible with OPNsense 24.7.3 ?

Quote from: jcsp101 on September 03, 2024, 12:10:34 AM
is AGH compatible with OPNsense 24.7.3 ?
Yes.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: jcsp101 on September 03, 2024, 12:10:34 AM
is AGH compatible with OPNsense 24.7.3 ?
I can confirm it works, BUT I can't see the update button, how do I update it then?

Tia.