AdGuard Home setup guide

[beclar2]

Hi folks,

has anyone tried to set up Adguard WebGUI using https with the same cert that OPNsense´s WebGUI uses?

Thank you very much
Beclar

[yeraycito]

Adguard + wireguard in Opnsense ( solved ):

https://forum.opnsense.org/index.php?topic=22409.0

[N0_Klu3]

My settings:

System/Settings/General:
 - DNS Servers: all empty
 - Do not use the local DNS service as a nameserver for this system:   cheked

Services/Unbound DNS/General:
 - port: 5353
 - DNSSEC: enabled
 - DHCP Registration: disabled
 - DHCP Static Mappings: disabled
 - Local Zone Type: transparent

Unbound DNS - Miscellaneous - DNS over TLS Servers:  1.1.1.1@853      1.0.0.1@853

In Adguard Home - DNS Configuration - Upstream Servers: 192.168.1.1:5353

In Adguard Home - DNS Configuration - Bootstrap DNS servers: 192.168.1.1:5353

In Adguard Home - configuration - clients configuration - add client:  Add ip and hostname

With this way, if you have multiple VLAN's or different IP's do you need to include all the IP's into upstream and bootstrap DNS servers?

IE: 192.168.1.1:5353
192.168.200.1:5353

And so on?

[yeraycito]

It is not necessary, just set the opnsense ip. Adguard listens for dns connections on all opnsense interfaces. It then passes them to the opnsense ip. Unbound is listening there.

[N0_Klu3]

Ok cheers will mess with it this week and update the main page with some updates.
Thanks for your efforts.

[yeraycito]

In this post I previously put up some blocking lists for Adguard. There are two of them that are very complete: 1Host (Pro ) and Energized Ultimate. They are so comprehensive that in some cases they block too much. If this is the case I recommend you to change them for 1Host (lite) and Energized Basic. These two lists are still very comprehensive.There are also smaller versions of these two lists, these are the intermediate ones.

 - https://badmojr.github.io/1Hosts/Lite/adblock.txt

 - https://block.energized.pro/basic/formats/hosts.txt

[N0_Klu3]

Yup I already use Energized Pro list and only that list myself

[Superduke]

I'm sorry for my ignorance, but is this setup using the DNS over TLS function in Unbound?  It appears yes.

If it is, why use that when you can use Unbound by itself for DNS resolving?  I thought the point of using Unbound was to not have to worry about DNS lookups from companies like Cloudflare??

Thanks in advance!

Opnsense 21.1.4 Installation:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Navigate to http://your.opnsense:3000/ to complete the setup

5 - In Adguard Home - DNS Configuration - Upstream Servers:   Set the desired servers ( 1.1.1.1,   8.8.8.8     etc )

6 - In Opnsense disable Unbound. In case you want to use it leave it activated by changing the port to 5353 and in Adguard Home - DNS Configuration - Upstream Servers  add router_ip:5353

 - It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General

 - No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

 - No need to set dns servers to DHCP

DNS over HTTPS - DNS over TLS:

Option 1:

 - In Opnsense - Unbound - Miscellaneous   set the desired dns servers 1.1.1.1@853     8.8.8.8@853

 - Active Unbound in port 5353

 - In Adguard Home - DNS Configuration - Upstream Servers add router_ip:5353

Option 2 ( Unbound disabled ): https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption

[yodaphone]

 - Follow the tutorial explained above for Adguard.

 

Do we need both? Can one not configure just NextDNS without AdGurad?

[yeraycito]

If you want to use only NextDNS:

- Unbound - General - Custom Options: add                 ( XXXXXX is a custom ID in NextDns )


server:
      tls-cert-bundle: "/etc/ssl/cert.pem"
  forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 45.90.28.0#XXXXXX.dns1.nextdns.io
    forward-addr: 2a07:a8c0::#XXXXXX.dns1.nextdns.io
    forward-addr: 45.90.30.0#XXXXXX.dns2.nextdns.io
    forward-addr: 2a07:a8c1::#XXXXSS.dns2.nextdns.io

[zer0k]

Great instructions! Thank you

The only issue I'm facing is getting the firewall redirect rule for dns just won't work for me.
I've tried using the "LAN address" object, and also specifying my LAN IP address and my VirtualIP's, but it just doesn't seem to want to redirect the dns traffic

I did notice when setting up Adguard it chose my Virtual IP, instead of my LAN address.

I feel like I'm missing something really simple, but I'm not sure what?

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

[Patrick M. Hausen]

Possibly related to this?

https://github.com/AdguardTeam/AdGuardHome/issues/3015

[meazz1]

I have a LAN that I want to use AdGuard for DNS using any family shield service. And a  VLAN to use 8.8.8.8.
Is that possible and how?

[NV43]

Should we be setting DNS cache size in Adguard to 0 to allow Unbound to handle caching?

[yeraycito]

Great instructions! Thank you

The only issue I'm facing is getting the firewall redirect rule for dns just won't work for me.
I've tried using the "LAN address" object, and also specifying my LAN IP address and my VirtualIP's, but it just doesn't seem to want to redirect the dns traffic

I did notice when setting up Adguard it chose my Virtual IP, instead of my LAN address.

I feel like I'm missing something really simple, but I'm not sure what?

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: LAN address
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
Description: Forward DNS to AdGuard
NAT Reflection: Disable

- It is not necessary to activate the internal opnsense dns ( 127.0.0.1 ) in Opnsense in System-Settings-General

- No need to make port forward rules to forward all DNS (Port 53) traffic to AdGuard

Adguard listens on all default interfaces in Opnsense. This can be seen in the Adguard - Configuration Guide.