AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

August 03, 2021, 04:32:34 PM #60 Last Edit: August 03, 2021, 04:47:09 PM by planetix
Is there a known issue with fresh installs of this plugin and 21.7? I can't even get the setup page to load after a successful plugin install (http:<my.opnsense.ip>:3000).

The plugin is enabled and appears to be running
No errors are thrown in the logs
I have Unbound disabled
I am not running Grafana, NTPng, or any other service on port 3000. Netstat shows the AdGuardHome service is running on said port and nothing else. 

I cannot get the start page to come up at all on port 3000. Since that triggers the initial setup wizard, there's no configuration yaml created (I checked via CLI). The service just appears to be running and waiting for me to kick off the process.

Could someone post a (more or less) "default" configuration yaml for the plugin? I can modify it for my own setup, restart the service, see if that gets past it, though I'd still like to figure out why I can't access the initial config wizard.

Thanks!

Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.

The problem, if anyone else runs in to this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.

This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.

I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.

Hope this helps someone else :)

I was under the impression that the community repo won't work currently on 21.17, as the dependency for Python 3.7 is missing (as it uses 3.8).

It has to be rebuilt.

August 08, 2021, 06:53:47 AM #62 Last Edit: August 08, 2021, 06:56:03 AM by vorago
How does one get a self signed certificate going for Adguard Home? Doing it mostly to learn, and thought it would be fun to have DoH/T enabled for my home network.

I have a CA & intermediate CA created and I created a certificate for adguard, but when I paste the cert & key into the fields I get "Certificate chain is invalid" for the certificate and "Your certificate does not verify: x509: certificate specifies an incompatible key usage" for the private key.
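The two errors above are both chain-validation failures from Go's crypto/x509, which AdGuard Home is written against: "certificate specifies an incompatible key usage" is Go's wording for a certificate whose extended key usage does not allow TLS server authentication (serverAuth), so the leaf certificate (and any intermediate that carries an EKU at all) needs that extension, and the "Certificates chain" field expects the leaf first followed by the intermediate(s), with the leaf's key in the "Private key" field. The script below is an added example, not from this thread or the AdGuard Home project: it builds a root CA, an intermediate and a server certificate with the extensions that check needs, writes the chain in the order to paste, and runs `openssl verify -purpose sslserver`, which applies the same serverAuth condition; it also mints a clientAuth-only leaf to show that check failing. The name adguard.home.arpa, the address 192.168.1.1 and the output directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): root CA -> intermediate -> leaf chain with the
# extensions a TLS server certificate needs, plus a deliberately wrong leaf.
# Assumed placeholders: adguard.home.arpa, 192.168.1.1, output dir ./adguard-pki.

make_adguard_certs() {
  dir=$1
  mkdir -p "$dir"

  # Root CA: must assert CA:TRUE and keyCertSign or nothing it signs will verify.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Home Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # Intermediate CA: same CA extensions, pathlen:0 so it can only issue leaves.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Home Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 1825 -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null

  # Leaf for AdGuard Home: extendedKeyUsage=serverAuth is the extension whose absence
  # produces "incompatible key usage"; the SAN is what clients match the name against.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:adguard.home.arpa,IP:192.168.1.1\n' > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=adguard.home.arpa" \
    -keyout "$dir/adguard.key" -out "$dir/adguard.csr" 2>/dev/null
  openssl x509 -req -in "$dir/adguard.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
    -days 825 -extfile "$dir/leaf.ext" -out "$dir/adguard.crt" 2>/dev/null

  # What goes into the "Certificates chain" field: leaf first, then the intermediate.
  # The root stays out of the chain; clients need it in their own trust store instead.
  cat "$dir/adguard.crt" "$dir/int.crt" > "$dir/chain.pem"

  # Counter-example: same CSR, but issued with a clientAuth-only EKU.
  sed 's/^extendedKeyUsage=.*/extendedKeyUsage=clientAuth/' "$dir/leaf.ext" > "$dir/bad.ext"
  openssl x509 -req -in "$dir/adguard.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
    -days 825 -extfile "$dir/bad.ext" -out "$dir/bad.crt" 2>/dev/null
}

# verify_server_cert DIR LEAF: exit 0 only if LEAF chains to ca.crt through int.crt
# AND is usable as a TLS server certificate (the serverAuth condition Go also applies).
verify_server_cert() {
  openssl verify -purpose sslserver -CAfile "$1/ca.crt" -untrusted "$1/int.crt" "$1/$2" >/dev/null 2>&1
}

# Usage: build the PKI in ./adguard-pki (or the directory given as $1) and check both leaves.
OUT=${1:-./adguard-pki}
make_adguard_certs "$OUT"
verify_server_cert "$OUT" adguard.crt && echo "adguard.crt: OK; paste chain.pem and adguard.key into AdGuard Home"
verify_server_cert "$OUT" bad.crt || echo "bad.crt: rejected by -purpose sslserver (EKU lacks serverAuth)"
```

If you already have a CA built in the OPNsense trust store (System > Trust), the same rule applies to the certificate you issue there: pick the server-certificate type so it gets serverAuth, and paste leaf plus intermediate, not the root, into the chain field.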

August 09, 2021, 01:24:56 PM #63 Last Edit: September 04, 2021, 10:14:29 AM by jf2001j
Quote from: sp33dy on July 28, 2021, 10:23:59 AM
Quote from: mimugmail on July 28, 2021, 09:50:43 AM
But if you already ran "-s install" you are lost somewhere in the middle :(
...

can i force run it in some other startup script?...for some reason it wont start for me

I also have the issue of the service adguardhome not auto-starting, but able to run with "service adguardhome start".

I noticed, that according to "pkg list os-adguardhome-maxit-1.5" there should only be a "/usr/local/etc/rc.d/adguardhome" file. I removed the additional file with "rm /usr/local/etc/rc.d/AdGuardHome".

Also I set "service adguardhome enable". Although the file "/etc/rc.conf.d/adguardhome" exists, it still does not autostart according to "service adguardhome status".

=> Is there a logfile as an alternative to "During reboot watch the console for errors"?

--
update:

I had a chance to look into serial output:

I think the error that adguard does not start automatically occurs because the startup of adguard is quite late as a bootlevel

The problem seems to be a delayed newwanip process, as a workaround it might be possible to change the bootlevel (point in time when adguard starts).
This also seems to delay/block the auto-start of wireguard.

Quote
Starting power daemon...done.
Configuring system logging...done.
>>> Invoking start script 'newwanip'
Reconfiguring IPv4 on igb1: error in configd communication %s, see syslog for de
Reconfiguring routes: OK
>>> Invoking start script 'freebsd'
  • ifconfig wg create name wg0
    [!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument)
  • wireguard-go wg0
    tun0: link state changed to UP
    tun0: changing name to 'wg0'
    ┌──────────────────────────────────────────────────────┐
    │                                                      │
    │   Running wireguard-go is not required because this  │
    │   kernel has first class support for WireGuard. For  │
    │   information on installing the kernel module,       │
    │   please visit:                                      │
    │         https://www.wireguard.com/install/           │
    │                                                      │
    └──────────────────────────────────────────────────────┘
    (...)
  • Backgrounding route monitor
    WARNING: attempt to domain_add(netgraph) after domainfinalize()
    setup igb0_vlan10
    setup igb0
    setup igb1 [egress only]
    Starting flowd_aggregate.
    Starting flowd.
    Starting adguardhome.
>>> Invoking start script 'syslog-ng'
Stopping syslog_ng.
Waiting for PIDS: 90451.
Starting syslog_ng.

August 21, 2021, 10:40:18 PM #64 Last Edit: August 22, 2021, 07:28:51 PM by RamSense
I am also new to Adguard (switched from pihole).
In pihole i had:
Never forward non-FQDNs
Never forward reversed lookups for private ip ranges

Do you know how to get this in Adguard?

p.s. I think I fixed the auto start Adguard by adding system -> settings -> general -> dns servers 1.1.1.1 and 1.0.0.1
I read somewhere that opnsense needed it to start running while Adguard is not yet started. Seems to work.
p.s.s. just had to reboot my opnsense and I noticed that Adguard was not starting automatically, so no luck yet....

Currently using NextDNS and I wanted to give AdGuard home a try to see how they compare.  Before I started I did the following:

Disabled Unbound.
Disabled NextDNS CLI (checked status )

Was able to get this installed but when I try to enable encryption under the Encryption settings it tells me that port 443 is being used:

Error: control/tls/validate | port 443 is not available, cannot enable HTTPS on it | 400

I then took a look to see what is using port 443 (if this is not the correct way of checking please let me know):

#sockstat -4 -l

root     lighttpd   46986 5  tcp4   *:443                 *:*
root     lighttpd   46986 7  tcp4   *:80                  *:*

Not sure exactly what is using lighttpd for the port.
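Two reports in this thread share the symptom "a port on the OPNsense box does not answer" but have different causes: in planetix's case (#60) AdGuard Home was bound to tcp/3000 and pf was dropping the LAN clients until a rule from LAN net to the LAN address was added, while here lighttpd, which is the OPNsense web GUI, already owns 443 and 80, so AdGuard Home cannot bind 443 unless the GUI is moved to another port or AdGuard's HTTPS goes elsewhere. `sockstat -4 -l` is the right check on FreeBSD. The script below is an added example, not from the thread or the plugin: it parses `sockstat` output and pf filterlog lines from /var/log/filter/latest.log to tell the two cases apart. The sample outputs are constructed, not captured from a real box; the PIDs, addresses and the filterlog field offsets (IPv4/TCP layout) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether "port N on the firewall is dead"
# means nothing listens, pf is blocking, or another daemon already holds the port.
# Sample data below is constructed; field offsets follow the pf filterlog CSV layout.

# Constructed `sockstat -4 -l` output (PIDs and the unbound line are made up).
SAMPLE_SOCKSTAT='USER     COMMAND     PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd    46986 5  tcp4   *:443                 *:*
root     lighttpd    46986 7  tcp4   *:80                  *:*
root     AdGuardHome 2211  8  tcp4   *:3000                *:*
unbound  unbound     1890  4  udp4   192.168.1.1:5353      *:*'

# Constructed /var/log/filter/latest.log lines. After the syslog prefix the CSV is:
# rulenr,subrulenr,anchor,rid,iface,reason,action,dir,ipver, then for IPv4:
# tos,ecn,ttl,id,offset,flags,protonum,protoname,length,src,dst, then for TCP:
# srcport,dstport,... Two LAN SYNs to tcp/3000 hit the default deny, one GUI
# connection to tcp/443 is passed, one WAN SYN to tcp/22 is blocked.
SAMPLE_FILTERLOG='<134>1 2021-08-03T16:30:01+02:00 OPNsense filterlog 9981 - [meta sequenceId="1"] 1,,,0,igb0,match,block,in,4,0x0,,64,41210,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,51234,3000,0,S,1111111111,,65535,,mss;sackOK;TS;nop;wscale
<134>1 2021-08-03T16:30:03+02:00 OPNsense filterlog 9981 - [meta sequenceId="2"] 1,,,0,igb0,match,block,in,4,0x0,,64,41211,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,51235,3000,0,S,2222222222,,65535,,mss;sackOK;TS;nop;wscale
<134>1 2021-08-03T16:30:05+02:00 OPNsense filterlog 9981 - [meta sequenceId="3"] 7,,,0,igb0,match,pass,in,4,0x0,,64,41212,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,51236,443,0,S,3333333333,,65535,,mss;sackOK;TS;nop;wscale
<134>1 2021-08-03T16:30:09+02:00 OPNsense filterlog 9981 - [meta sequenceId="4"] 1,,,0,igb1,match,block,in,4,0x0,,52,9001,0,none,6,tcp,40,203.0.113.7,198.51.100.2,40000,22,0,S,4444444444,,1024,,'

# listener_for PORT [SOCKSTAT_TEXT]: command name holding a TCP listener on PORT,
# empty if none. Without the second argument it runs the real sockstat.
listener_for() {
  text=${2:-$(sockstat -4 -l)}
  printf '%s\n' "$text" | awk -v p="$1" '$5 ~ /^tcp/ && $6 ~ (":" p "$") { print $2; exit }'
}

# blocked_to_port PORT [LOG_TEXT]: number of pf "block" records for IPv4 TCP packets
# whose destination port is PORT. Without the second argument it reads the live log.
blocked_to_port() {
  text=${2:-$(cat /var/log/filter/latest.log)}
  printf '%s\n' "$text" | awk -v p="$1" '
    { sub(/^.* /, ""); split($0, f, ",") }    # drop the syslog prefix, keep the CSV
    f[7] == "block" && f[9] == "4" && f[17] == "tcp" && f[22] == p { n++ }
    END { print n + 0 }'
}

# triage_port PORT [SOCKSTAT_TEXT] [LOG_TEXT] prints one of:
#   NO_LISTENER                 nothing bound: service not running or on another port
#   FIREWALL_BLOCKED:<cmd>:<n>  bound, pf logged <n> blocks: add a LAN net -> LAN address rule
#   LISTENING:<cmd>             bound and not blocked: if <cmd> is not yours, the port is taken
triage_port() {
  owner=$(listener_for "$1" "$2")
  blocks=$(blocked_to_port "$1" "$3")
  if [ -z "$owner" ]; then
    echo "NO_LISTENER"
  elif [ "$blocks" -gt 0 ]; then
    echo "FIREWALL_BLOCKED:$owner:$blocks"
  else
    echo "LISTENING:$owner"
  fi
}

# Usage on the sample data; on the firewall itself just run: triage_port 3000
for port in 3000 443 81; do
  echo "tcp/$port: $(triage_port "$port" "$SAMPLE_SOCKSTAT" "$SAMPLE_FILTERLOG")"
done
```

On the sample data tcp/3000 reports FIREWALL_BLOCKED:AdGuardHome:2 (planetix's case), tcp/443 reports LISTENING:lighttpd (the GUI owns the port), and tcp/81 reports NO_LISTENER. The block count only covers IPv4 TCP; a v6 or UDP variant would need the IPv6 field layout, which differs.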

Quote from: yeraycito on April 25, 2021, 06:45:38 PM
Adguard + wireguard in Opnsense ( solved ):

https://forum.opnsense.org/index.php?topic=22409.0

I followed your instructions from that thread, but haven't been able to get WireGuard running alongside AdGuard.

WireGuard worked well before I added AdGuard, but now I'm just not getting a connection.

Does anyone else have experience of getting WireGuard running alongside AdGuard and Unbound DNS?
Not sure what Unbound DNS buys me alongside AdGuard, but it works well for my other devices.

September 08, 2021, 12:36:26 PM #67 Last Edit: September 08, 2021, 12:38:43 PM by RamSense
I have it also up and running here.
maybe this will help you:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/


(Optional if not Automatic) Add ACL Entry for Unbound DNS

If you plan to use your WireGuard interface to provide DNS rather than some other DNS server on your network, it has been noted through feedback that there could be the possibility that you will need to add an entry to the Unbound DNS ACL (Access Control List) to allow the WireGuard interface to access your Unbound DNS server in OPNsense. For my configuration, it seems to have been added automatically, but if you are having issues with accessing your DNS server through the WireGuard interface (in my example, the DNS server would be 10.0.0.1), you may want to check your ACL configuration by going to the "Services > Unbound DNS > Access Lists" page. Click the "Add" button to enter the WireGuard network of 10.0.0.1/24 (for my example) to the ACL.

Quote from: RamSense on September 08, 2021, 12:36:26 PM
I have it also up and running here.
maybe this will help you:
https://homenetworkguy.com/how-to/configure-wireguard-opnsense/


(Optional if not Automatic) Add ACL Entry for Unbound DNS

If you plan to use your WireGuard interface to provide DNS rather than some other DNS server on your network, it has been noted through feedback that there could be the possibility that you will need to add an entry to the Unbound DNS ACL (Access Control List) to allow the WireGuard interface to access your Unbound DNS server in OPNsense. For my configuration, it seems to have been added automatically, but if you are having issues with accessing your DNS server through the WireGuard interface (in my example, the DNS server would be 10.0.0.1), you may want to check your ACL configuration by going to the "Services > Unbound DNS > Access Lists" page. Click the "Add" button to enter the WireGuard network of 10.0.0.1/24 (for my example) to the ACL.

Do you have it running with AdGuard Home setup?

I would be keen to see what settings you have within the WireGuard client and the OPNsense WireGuard settings. Also AdGuard Home.

There's just something missing, but I have no clue what it is.

I have the opnsense adguard home plugin running - https://www.routerperformance.net/opnsense-repo/

What dns setting do you have in your Wireguard client config? I Use the Wireguard interface eg: 10.10.10.1

In Adguard dns settings i have
Bootstrap dns servers: 192.168.1.1:5353
private dns servers: 192.168.1.1:5353
where 192.168.1.1 is my opnsense ip and have Services: Unbound DNS: General - Listen Port : 5353

hope that helps.




Hi. It is likely I should ask this somewhere else as it is not directly a technical setup question, but maybe.
I've been using OPN with DoT(get-dns)+Unbound _and_ a pi-hole for a while and all is good.
I wanted to compare with AdGuard and I've just done it yesterday by using mimugmail's plugin.
I wanted to limit the reconfiguration and to do that, I configured pi-hole and AdGuard in a chain. It was the easiest way to just put another app and point to it.
Now the question. They seem to be pretty much the same and the setup is almost identical.
Apart from AG being able to run directly on OPN, is there another big reason people prefer it with OPN?

for me personally the switch from pihole going to adguard was the assumption that running on my more powerful device with opnsense, and running it directly from the app, would make it faster.
Besides that I found Adguard home more user friendly and more easy to config.
With pihole I had around 36 ms average processing time and with adguard I get 8 to 9 ms on an average day.
This can be because of running it directly as an app, but maybe it is also because I use DoT with Cloudflare and Quad9 with dns settings - parallel requests.


thanks for sharing. I'm planning on reconfiguring now to bypass pi-hole. Performance is a good reason of course.
I'm on a tiny appliance so it might not be good for me. We'll see.

Tried, OPN not happy.
In Services > IPV4 > LAN I wanted to change from the IP for pi-hole to the LAN IP on a non standard DNS port in the "DNS Servers" field i.e. 192.168.5.1:5353 where ADG is running. I've tried with : @ and # as port delimiter.
Does anybody know if there is a way to do that there?
I know if not I'll have to do firewall rules but I was hoping I didn't have to.

I've tried as a workaround setting Unbound to listen on 5353 and in Services > DHCPv4 > LAN set to just its LAN address 192.168.5.1, restarted both services and reconnected a client. No DNS resolution.
I'll keep looking at options.