AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

Updates work fine here from the webinterface
Deciso DEC850v2

Quote from: planetix on August 03, 2021, 04:32:34 PM
Is there a known issue with fresh installs of this plugin and 21.7? I can't even get the setup page to load after a successful plugin install (http://<my.opnsense.ip>:3000).

The plugin is enabled and appears to be running
No errors are thrown in the logs
I have Unbound disabled
I am not running Grafana, NTPng, or any other service on port 3000. Netstat shows the AdGuardHome service is running on said port and nothing else. 

I cannot get the start page to come up at all on port 3000. Since that triggers the initial setup wizard, there's no configuration yaml created (I checked via CLI). The service just appears to be running and waiting for me to kick off the process.

Could someone post a (more or less) "default" configuration yaml for the plugin? I can modify it for my own setup, restart the service, see if that gets past it, though I'd still like to figure out why I can't access the initial config wizard.

Thanks!

Edit: As often happens, writing this post made me re-think a couple things to try and I got it working.

The problem, if anyone else runs into this, is I am using a failover group for a gateway (my ISP WAN interface + backup LTE modem) and for that to work correctly the LAN "pass all outbound" rule has to be modified to use it vs. the default "any" gateway.

This means you need to explicitly define any additional ports (besides 80 and 443 which are in the default anti-lockout rule) you want to access on the OPNsense box itself, in this case 3000 (for the wizard) and then 81 (the port I picked AdGuardHome to run on). Easy fix when I realized what the problem was.

I figured it out when I looked where I should have in the first place - the firewall logs vs. the service logs. The latter showed no issues because there weren't any with the service. The firewall blocked access, by design, until I explicitly allowed those ports access from my LAN net to my LAN address.

Hope this helps someone else :)

Can you explain exactly what you did to get this working? I'm having the same problem.

I've followed the guide to install AdGuard using the repo and it works great. The problem is that my unraid server cannot update its Docker containers. I have tried to specify a port forwarding rule just for the unraid server to send the traffic to port 5353 on the Unbound server, to effectively bypass AdGuard; however, it seems to direct all traffic on the network to Unbound. See the additional rule I set up and moved before the other rule in the guide:

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: UnraidServerIP
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: 5353
Description: Bypass AdGuard for unraid server
NAT Reflection: Disable


What am I doing wrong? How can I achieve forwarding traffic to AdGuard with the exception of a single IP which doesn't need to go through AdGuard?

This broke unraid for me as well, not sure what happened that broke it, but it started in the past 3 days. I went to update today, and couldn't update anything.

Even when I set the DNS on unraid to use something else (quad9 in my case), it still tried to go through adguard and got blocked.

Quote from: RamSense on March 28, 2022, 03:54:51 PM
Updates work fine here from the webinterface
Hmmm...I get an error message "Auto-update failed."

What is the procedure for manual update? I am running OpnSense on an amd64 architecture, so I assume I need to download the latest AdGuardHome_freebsd_amd64.tar.gz from https://github.com/AdguardTeam/AdGuardHome/releases and replace /usr/local/AdGuardHome with it. But I also assume I first need to stop the AdGuard service; how do I do that? I tried ./AdGuardHome -s stop but that gave an error message. (I had already stopped AdGuardHome in the web interface, but on my previous setup that was not enough, the service also had to be stopped over SSH.)
OPNsense 24.7.7-amd64 on APU2E4 using ZFS

Quote from: yeraycito on January 28, 2022, 07:26:33 PM
Thank you very much, I have tried it and it works.

Opnsense 22.1 Clean Install - Installation:

It is very important to follow the order explained

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Opnsense - System - Settings -General

      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

5 - Opnsense - Services - Unbound - Dns Over Tls

      Set the desired DNS servers, e.g. Cloudflare:
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com

6 - Opnsense - Services - Unbound - General
 
     Listen Port: 5353

7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the AdGuard setup

8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

It works for me, the problem I have is that I cannot identify the IP addresses of my network, it only shows 127.0.0.1


It is very important to follow the order explained

Quote from: yeraycito on June 10, 2022, 06:55:45 PM
It is very important to follow the order explained

I have followed your method and it does not work for me; with this guide it works https://forum.opnsense.org/index.php?topic=25614.0 , but in the identification of the clients I only see the localhost or the internal IP of my firewall

and I think the problem identifying the clients is in the DNS custom list section.
Quote
server:
    do-not-query-localhost: no
forward-zone:
    name: "."    # Allow all DNS queries
    forward-addr: 192.168.30.254@5310
    forward-addr: ::1@5353


Hi Guys,

I followed this guide, but I have one problem:

I cannot fetch firmware updates/plugins anymore.
I need to set a DNS server under General and tick "Do not use the local DNS service as a nameserver for this system"
to make my system fetch these.


Hi, I have read some guides and discussions. Generally it is simply said do so and so without explaining why it is necessary that way.

From what I understand the best scheme:
Client -> OPNsense -> AD Guard -> Unbound -> Internet

Client: DHCP
OPNsense: System: Settings: General -> DNS servers -> blank (so everything is set to 127.0.0.1)
AD Guard:
Upstream DNS servers: [/local.lan/]OPNsense_IP:5353
Bootstrap DNS servers: OPNsense_IP
Private reverse DNS servers: 127.0.0.1:5353 + OPNsense_IP:5353
Unbound: DNS TLS of our choice

Rule in the firewall to intercept all DNS requests from the LAN and redirect them to AD Guard to prevent "crafty" programs from bypassing the system.

In this way the clients are forced to go through AD Guard, which filters according to the rules; the DNS requests then go through Unbound, which takes care of contacting the servers for WAN addresses and resolving the internal hosts.

Do you confirm that this is the best configuration?

Sorry for my bad English, I use Google Translate.
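Added worked example (not code from OPNsense, pf, or anyone in this thread): a small first-match model of the DNS port-forward rules discussed above, namely the single-host bypass rule posted for the unraid server and the catch-all "intercept all LAN DNS" redirect in the scheme just described. Addresses, the rule order and the descriptions are constructed; the model only reproduces what each field of a port-forward rule selects (Source, Destination, the two Invert checkboxes, destination port, redirect target), with the first matching rule winning as pf does.

```python
# Added illustration, not OPNsense or pf code: a first-match model of the
# DNS port-forward rules discussed in this thread. All addresses are constructed.
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RdrRule:
    description: str
    source: Optional[str] = None        # None = any; otherwise an address or CIDR
    source_invert: bool = False         # the "Source / Invert" checkbox
    destination: Optional[str] = None   # None = any
    destination_invert: bool = False    # the "Destination / Invert" checkbox
    dst_port: int = 53                  # "Destination port range" (DNS)
    redirect_ip: str = "127.0.0.1"      # "Redirect target IP"
    redirect_port: int = 53             # "Redirect target port"


def _field_matches(field: Optional[str], invert: bool, addr: str) -> bool:
    """'any' always matches; otherwise test membership and apply the invert flag."""
    if field is None:
        return True
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)
    return (not hit) if invert else hit


def resolve_target(rules: List[RdrRule], src: str, dst: str, dport: int) -> Tuple[str, int]:
    """Where a packet src -> dst:dport actually ends up. Port-forward rules are
    evaluated top to bottom, first match wins; no match = delivered unchanged."""
    for rule in rules:
        if (dport == rule.dst_port
                and _field_matches(rule.source, rule.source_invert, src)
                and _field_matches(rule.destination, rule.destination_invert, dst)):
            return (rule.redirect_ip, rule.redirect_port)
    return (dst, dport)


ROUTER = "192.168.1.1"      # AdGuard Home answers on :53 here, Unbound on :5353
UNRAID = "192.168.1.50"     # constructed address for the host that should bypass AdGuard
LAPTOP = "192.168.1.20"     # constructed address for an ordinary client
ADGUARD = ("127.0.0.1", 53)
UNBOUND = ("127.0.0.1", 5353)

# Bypass rule keyed on "Destination / Invert" with the unraid IP, placed before
# the catch-all redirect.
posted_rules = [
    RdrRule("Bypass AdGuard for unraid server", destination=UNRAID, destination_invert=True,
            redirect_ip=UNBOUND[0], redirect_port=UNBOUND[1]),
    RdrRule("Redirect all LAN DNS to AdGuard", redirect_ip=ADGUARD[0], redirect_port=ADGUARD[1]),
]

# Same intent keyed on who is asking: Source = unraid, not inverted.
source_keyed_rules = [
    RdrRule("Bypass AdGuard for unraid server", source=UNRAID,
            redirect_ip=UNBOUND[0], redirect_port=UNBOUND[1]),
    RdrRule("Redirect all LAN DNS to AdGuard", redirect_ip=ADGUARD[0], redirect_port=ADGUARD[1]),
]


def dns_path(rules: List[RdrRule], client: str, asked_server: str = ROUTER) -> Tuple[str, int]:
    """Convenience wrapper: a client sends a normal port-53 query to asked_server."""
    return resolve_target(rules, client, asked_server, 53)


if __name__ == "__main__":
    for name, rules in (("destination-invert", posted_rules), ("source-keyed", source_keyed_rules)):
        for client in (LAPTOP, UNRAID):
            print(f"{name}: {client} -> router:53 lands on {dns_path(rules, client)}")
        print(f"{name}: {LAPTOP} -> 9.9.9.9:53 lands on {dns_path(rules, LAPTOP, '9.9.9.9')}")
```

Running it shows what the two forms select: with Destination / Invert set to the unraid IP, a laptop's query to the router (or to any public resolver) also matches the bypass rule, because its destination is simply "not the unraid IP", so every client lands on Unbound:5353 and AdGuard never sees the query. Keying the same rule on Source selects only the unraid host, and everything else still hits the catch-all AdGuard redirect, which is the "crafty programs cannot bypass it" property the scheme above asks for.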

August 24, 2022, 05:37:30 AM #175 Last Edit: August 29, 2022, 07:42:39 PM by Coastal9772

How do I know if my DNS requests are using DoT with this implementation? Do I still set DoT on OPNsense's end as well, or just in AdGuard?

September 06, 2022, 06:56:42 AM #177 Last Edit: September 06, 2022, 07:31:19 AM by Vexz
So I followed the instructions here to set up AGH on my OPNsense. It's working fine so far, but I have one issue that bugs me. I don't know whether this is some problem with AGH itself or something else.

When I set the upstream DNS servers in AGH it's always complaining that my entered DNS server is wrong.
For example: tls://1.1.1.1 works just fine but tls://1dot1dot1dot1.cloudflare-dns.com is not accepted.
Same problem with any other upstream DNS server.

I found threads on reddit where people experienced the same problem but they just use the working solution from above but I don't like that.

Does anybody know what to do to fix this?

Edit:
I found the solution: the problem was that I blocked outgoing packets with destination port 53 to ensure DoT and DoH must be used to resolve domain names. That made it impossible for the bootstrap DNS servers to resolve the names of my upstream DNS servers.
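Added example, not AdGuard Home's own code: a parser for the upstream entry syntax used in this thread (plain `ip[:port]`, `tls://`, `https://`, `quic://` and the `[/domain/]` prefix) plus a check that predicts which entries stop working once outbound port 53 is blocked at the firewall, the situation described in the edit above. The default port per scheme and the "stays on the LAN" test via `is_private` are assumptions of the model, and the upstream and bootstrap lists it is run on are constructed.

```python
# Added illustration, not AdGuard Home code: parse the upstream syntax used in
# this thread and predict which entries break when outbound plain DNS (port 53)
# is blocked. The lists passed in below are constructed examples.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

# Assumed default port per scheme when the entry gives none.
DEFAULT_PORT = {"plain": 53, "udp": 53, "tcp": 53, "tls": 853, "https": 443, "quic": 853, "h3": 443}


class Upstream(NamedTuple):
    scheme: str
    host: str
    port: int
    domains: Optional[List[str]]   # from a "[/example.lan/]" prefix, if any


def split_host_port(spec: str, default: int = 53) -> Tuple[str, int]:
    """Accepts '1.1.1.1', '192.168.1.1:5353', '[::1]:5353' or a bare '::1'."""
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else default)
    if spec.count(":") > 1:              # bare IPv6 literal, no port
        return spec, default
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, default


def parse_upstream(spec: str) -> Upstream:
    domains = None
    if spec.startswith("[/"):            # domain-specific upstream: "[/a/b/]target"
        close = spec.index("]")
        domains = [d for d in spec[2:close].split("/") if d]
        spec = spec[close + 1:]
    if "://" in spec:
        url = urlsplit(spec)
        scheme, host, port = url.scheme, url.hostname, url.port
    else:
        scheme, (host, port) = "plain", split_host_port(spec)
    if scheme not in DEFAULT_PORT or not host:
        raise ValueError(f"unsupported upstream entry: {spec}")
    return Upstream(scheme, host, port or DEFAULT_PORT[scheme], domains)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def leaves_over_plain53(host: str, port: int) -> bool:
    """True if a plain port-53 query to host:port would have to cross the WAN egress rule."""
    return port == 53 and is_ip(host) and not ipaddress.ip_address(host).is_private


def check_upstreams(upstreams: List[str], bootstrap: List[str], plain53_blocked: bool):
    """Return [(entry, reason)] for upstream entries that cannot work under the egress rule.
    The bootstrap list is treated as the complete set of bootstrap servers."""
    usable_bootstrap = [b for b in bootstrap
                        if not (plain53_blocked and leaves_over_plain53(*split_host_port(b)))]
    problems = []
    for spec in upstreams:
        up = parse_upstream(spec)
        if not is_ip(up.host) and not usable_bootstrap:
            problems.append((spec, "hostname needs a bootstrap lookup, but no bootstrap "
                                   "server is reachable with plain port 53 blocked"))
        elif up.scheme in ("plain", "udp", "tcp") and plain53_blocked \
                and leaves_over_plain53(up.host, up.port):
            problems.append((spec, "plain DNS to a public resolver on port 53 is blocked"))
    return problems


if __name__ == "__main__":
    # Constructed scenario matching the post: DoT upstream by hostname, public
    # bootstrap servers, outbound port 53 blocked.
    print(check_upstreams(["tls://1dot1dot1dot1.cloudflare-dns.com"], ["9.9.9.10"], True))
    # Same upstream with the bootstrap pointed at Unbound on the router instead.
    print(check_upstreams(["tls://1dot1dot1dot1.cloudflare-dns.com"], ["192.168.1.1:5353"], True))
```

The check also shows why a bootstrap server on the LAN (the OPNsense IP on Unbound's port, as the install guides in this thread set it) sidesteps the problem: the bootstrap lookup never leaves the box, so a hostname upstream such as tls://1dot1dot1dot1.cloudflare-dns.com can still be resolved while the port-53 egress block stays in place.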

September 22, 2022, 02:12:16 AM #178 Last Edit: September 22, 2022, 06:31:55 AM by tommiy
Hi, I'm looking for some assistance as I've read the entire 12 pages and have not been able to get opnsense dns resolution working after the settings below are applied. It times out. There are a number of requests in the thread which states to follow the set up which I think I have done but still the own self status check does not work.

Appreciate any input.

Opnsense 22.7.4

1 - Activate mimugmail's community repository
2 - Install AdGuardHome from System --> Firmware --> Plugins
3 - Activate and start AdGuardHome from Services --> AdGuardHome
4 - Opnsense - System - Settings -General
      DNS Servers: empty
      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN
5 - Services – DHCPv4 – [LAN] : DNS Servers all blank
6 – Opnsense – Services - Unbound DNS – General
       Tick: Enable Unbound
       Tick: Enable DNSSEC Support
       Tick: Register DHCP Leases
       Tick: Register DHCP static mappings
       Tick: Register IPv6 link-local addresses
7 - Opnsense - Services - Unbound - Dns Over Tls
      Untick: Use System Nameservers
      Domain: blank
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com

8 - Opnsense - Services - Unbound - General
 
     Listen Port: 53530

9 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the setup Adguard

10 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:53530  ( 192.168.1.1:5353 ) Delete those that exist

11 – Adguard Home – DNS Configuration – Private reverse DNS servers
       127.0.0.1:53530
      192.168.1.1:53530



Edit
Unfortunately with either the above configuration and or the previous one when I visit
https://1.1.1.1/help
it states that DNS over TLS is not being used. So I'm at a loss. Appears AGH is running and using unbound but unbound is not using the DNS over TLS configuration?

Edit
I removed AGH from the picture to validate that Unbound is performing DNS over TLS. Using tcpdump on the WAN interface I can see that there are TLS sessions set up to 1.1.1.1 and 1.0.0.1, but the client DNS queries are still going out the WAN interface on port 53. Guess that LAN fw rule may be required. I need to resolve this I guess before being concerned with AGH.

Edit
An easier avenue for initially validating DNS over TLS is Services - Unbound - Advanced: set log level verbosity = 2 and tick Log Queries. Then, with the Unbound logs set to informational, you will see the queries and the port #.

Solved
Issue is when you install AGH you need to bind to all interfaces or later edit the /usr/local/AdGuardHome/AdGuardHome.yaml file to bind to 0.0.0.0. Doing that permits the resolv.conf to still point to 127.0.0.1 which is bound to AGH and then to Unbound. The unbound logs are showing #853. So I'm happy. Good learning session.

September 22, 2022, 06:54:08 PM #179 Last Edit: September 22, 2022, 10:35:41 PM by yeraycito
Opnsense 22.7.4 Install:

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings -General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the AdGuard setup

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

           
Extra Wireguard: If we have created a wireguard network in Opnsense, for example, 10.0.0.1/24 we have to set the dns 10.0.0.1 in the wireguard clients. In Wireguard Opnsense it is not necessary to configure anything.