AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

Truenas scale:

Version:OPNsense 23.7.8_1-amd64 running in a VM
Opnsense IP 192.168.1.1
Adguard IP 192.168.1.210 (Docker)

I have done these steps; I skipped steps 1-3 as it is running in a container.

3 - Opnsense - System - Settings - General

      DNS Servers: 192.168.1.210

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Skipped using unbound to resolve or might add later.

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://192.168.1.210:3001 to complete the AdGuard setup

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

I followed all steps, but like I mentioned, my AdGuard is running remotely on another IP in the same network.
I run TrueNAS and have containers running, all working fine when I use only Unbound.
When I start to use the above setup with AdGuard, I can search the internet etc.

Can someone explain to me the additional steps, or what am I doing wrong?

System - Settings - General - DNS servers list - 192.168.1.210
Services - DHCPv4 - [LAN] DNS servers - 192.168.1.210

As soon as I put Unbound back on 53, everything is working just fine on Home Assistant.
When I use AdGuard with the above settings, somehow Tuya stops working for the lights, and there seem to be problems with Home Assistant reaching 443: for example, lights running with Tuya and SolarEdge and some cloud services running on 443 seem to stop working.

Unbound is set at 5353 and AdGuard at 53.
I tried forcing DNS to redirect to 192.168.1.210 by creating NAT forward rules.
Nothing seems to help, and if I use such rules nothing works?
Please provide me with an example. Perhaps I am making this rule wrong, because the examples are all on the OPNsense IP or 127.0.0.1.

Quote from: Kieros on November 13, 2023, 11:03:01 PM

Try with Unbound to listen on port 5335 (and not 5353).

Hi
I'm running adguard home plugin on opnsense, setup as per the guide linked early on in this thread. The guide mentions that I need to edit the yaml config to be as shown below:
bind_host: 0.0.0.0
bind_port: 3000
[...]
dns:
  bind_host: 0.0.0.0
  port: 53

I have changed the bind_host under dns to 0.0.0.0 but don't have the bind host or bind port option, instead I have:
http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.1.1:3000

Should I change this address to be 0.0.0.0:3000?
Also, I haven't set up DNS encryption. Is it useful for the average home user? If so, can someone point me to a guide to setting it up in OPNsense? I have a domain name that I purchased from Cloudflare and expose some services run as Docker containers on my server via Traefik reverse proxy. How do I use this domain to set up DNS encryption? Thanks


I have the same as you and it works fine for me (I have bind_hosts in plural because I have IPv6 as well).

excerpt:

http:
  address: 192.168.1.1:3000

dns:
  bind_hosts:
    - 192.168.1.1
    - 127.0.0.1
    - ::1
    - 'fd00::'


When it comes to encrypted DNS, modern browsers will attempt to use it, but it's not a must. I tend to enable encryption when possible, so I force HTTPS traffic for the admin interface, and I have enabled DNS over HTTPS (DoH), over TLS (DoT) and over QUIC (DoQ).

Please know that some browsers will bypass your local DNS though, and do a DNS over QUIC with a public DNS. I believe Chrome does this by default and hence I block most public DNS servers in the firewall to prevent that and force any device to use my local DNS (ADH) and have malware/adblocking.


tls:
  enabled: true
  server_name: my.opnsense.fqdn.com
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /var/etc/acme-client/certs/644c0950b1e780.38459566/fullchain.pem
  private_key_path: /var/etc/acme-client/keys/644c0950b1e780.38459566/private.key


I have to admit that ADH however seems the flimsiest part of my opnsense setup, it's where I had the most issues so far...

Thanks for the prompt reply. Is it an issue to just have 0.0.0.0 as the only dns bind host or should I add the 192 one? Sorry, fairly new to networking.

Also regarding DNS encryption, if I don't want external access to the admin interface, do I still need a domain and certificate?

I think that's fine; it will just bind to any IP your machine has, which also includes external IPs, so you must make sure your firewall does not allow ports 3000 and 53 inbound (it does not by default).

You do not need DNS encryption, certificates or a domain, it's not required for simple DNS functionality.

Quote from: yeraycito on January 28, 2022, 07:26:33 PM
Thank you very much, I have tried it and it works.

Opnsense 22.1 Clean Install - Installation:

It is very important to follow the order explained

1 - Activate mimugmail's community repository

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Activate and start AdGuardHome from Services --> AdGuardHome

4 - Opnsense - System - Settings - General

      Untick: Do not use the local DNS service as a nameserver for this system
      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

5 - Opnsense - Services - Unbound - Dns Over Tls

      Set the desired DNS servers, e.g., Cloudflare:
      Server IP: 1.1.1.1
      Server Port: 853
      Verify CN: cloudflare-dns.com

6 - Opnsense - Services - Unbound - General
 
     Listen Port: 5353

7 - Navigate to http://your.opnsense:3000/ ( 192.168.1.1:3000 ) to complete the AdGuard setup

8 - Adguard Home - DNS Configuration - Upstream Servers: Add router_ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

Security Extra: https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

I wanted to add this here, as I spent hours trying to figure out what I was missing.

I would follow the above steps and get everything working for maybe a few minutes, but eventually none of my devices would have internet access. Both AdGuard Home and Unbound showed that they were receiving DNS traffic, but clearly something was wrong.

The problem was that I had previously configured DNS overrides in Unbound. Disabling/deleting my previously configured Unbound DNS overrides solved my issue. I then created those same overrides in AdGuard under Filters -> DNS rewrites.

Quote from: yeraycito on January 28, 2023, 01:35:39 AM
Opnsense 23.1 Install:

1 - Activate mimugmail's community repository:

SSH Opnsense: fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

2 - Install AdGuardHome from System --> Firmware --> Plugins

3 - Opnsense - System - Settings - General

      DNS Servers: empty

      Untick: Do not use the local DNS service as a nameserver for this system

      Untick: Allow DNS server list to be overridden by DHCP/PPP on WAN

4 - Services – DHCPv4 – [LAN] : DNS Servers all empty

5 – Opnsense – Services - Unbound DNS – General

       Tick: Enable Unbound ( Listen Port: 5353 )

       Tick: Enable DNSSEC Support
       
       Network Interfaces: All

6 - Opnsense - Services - Unbound - Dns Over Tls

      Server IP: 1.1.1.1

      Server Port: 853

      Verify CN: cloudflare-dns.com

7 - Activate and start AdGuardHome from Services --> AdGuardHome

8 - Navigate to http://Opnsense ip:3000/ ( 192.168.1.1:3000 ) to complete the AdGuard setup

9 - Adguard Home - DNS Configuration - Upstream Servers:

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist

10 – Adguard Home – DNS Configuration – Bootstrap DNS servers

      Add Opnsense ip:5353  ( 192.168.1.1:5353 ) Delete those that exist
     
11 - Adguard Home - DNS Configuration - Private reverse DNS servers:

           192.168.1.1:5353

This worked temporarily for me, but for some reason roughly 30 minutes later, Unbound no longer gets any requests from AdGuard (or at least in logging, it makes 0 requests when trying to hit a website). Not quite sure what's going on. Had everything on the Unbound side of things running at 5335, but otherwise followed everything else. Immediately starts resolving hostnames obviously as soon as I bring Unbound back to 53. Is there any way to run this configuration so that Unbound is the first entry point and can run on 53 instead? Not sure if that would rectify the issue though.

December 08, 2023, 12:31:35 AM #278 Last Edit: December 08, 2023, 06:41:47 AM by montagic
Quote from: Cosigner4516 on December 04, 2023, 11:52:14 PM
Quote from: yeraycito on January 28, 2022, 07:26:33 PM

Could you share an example of what the overwrite looks like? I believe I'm having similar issues.

EDIT: Somehow I figured it out and am no longer having issues. I think there could be a potential issue with leaving the DHCPv4 LAN DNS servers as all empty as it may not be able to resolve your localhost (I'm still a networking newb so I could be totally wrong). I added 192.168.1.1 to my DNS servers for DHCP and now everything seems to be working. Could be some firewall rule changes I made, but not totally sure. I went ahead and added a similar DNS src * dst * LAN address rule for 5335 just in case.

Hello Everybody,

I am totally confused...
I have a running OPNsense 23.7.10_1 with Unbound. Now I have set up AdGuard Home as it is explained here, and it works.
OK, I thought it worked. The internet is reachable and I can see in the AdGuard web interface that there are things being blocked.

But now I have a really strange behavior.
If I use the user filter rules and insert something like '||web.de^$important', I can still access it with my browser.
But if I do an nslookup from the terminal I get 0.0.0.0.

Also, if I disable AdGuard and Unbound I can still open any website I want. I even blocked port 53 in my firewall and nothing changed.

Now I hope to find some help here.

Best regards
Frank

Hi, is Unbound necessary for AGH to function properly in OPNsense? Or can we just disable Unbound and use AGH with its DHCP function to do the DNS queries? Will this idea work at all?

Some upstream recursive DNS server is necessary for AGH to work.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

January 11, 2024, 06:23:13 PM #282 Last Edit: January 13, 2024, 01:06:31 AM by mudhauler
I want to use Unbound in resolve mode and have AGH use unbound as its dns server.

Doesn't seem that this guide does that? Or am I missing something?

EDIT:

I think this is how you do it, correct?

Have AGH listening on port 53
Unbound listens on port 5353
AGH uses only a single upstream of 127.0.0.1:5353

Two remarks:
1. You wrote once 5353 and once 5335; I assume it's a typo.
2. I would rather recommend using 53530, for example, as 5353 is the default port for mDNS.

Other than this, your configuration seems correct.
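To make the two checks from this exchange and from the earlier 0.0.0.0 bind discussion repeatable, here is a small config linter. It is an added example, not code from the thread or from AdGuard Home; the keys http.address, dns.bind_hosts and dns.port are the ones shown in the thread, while upstream_dns (the "Upstream Servers" setting) is an assumed key name, and the sample config is constructed from the guide's values rather than read from a real AdGuardHome.yaml.

```python
# Added example, not from the thread. Lints an AdGuard Home config dict for the
# pitfalls discussed above: listeners bound to all interfaces, Unbound on the mDNS
# port 5353, and an upstream that loops back to AdGuard Home's own listener.
# upstream_dns is an assumed key; on a real box load AdGuardHome.yaml with PyYAML.

MDNS_PORT = 5353  # multicast DNS listens on UDP 5353, so keep Unbound off it


def split_host_port(entry, default_port=53):
    """Split '192.168.1.1:5353', '[::1]:5353' or bare '1.1.1.1' into (host, port)."""
    entry = entry.strip()
    if entry.startswith("["):  # bracketed IPv6 literal
        host, _, rest = entry[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else default_port
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit() and ":" not in host:  # IPv4 or hostname with port
        return host, int(port)
    return entry, default_port  # no port, or unbracketed IPv6 literal


def lint(cfg):
    """Return warnings for the thread's known pitfalls; an empty list means none."""
    warnings = []
    dns = cfg.get("dns", {})
    listen_port = dns.get("port", 53)
    hosts = dns.get("bind_hosts") or [dns.get("bind_host", "0.0.0.0")]
    if any(h in ("0.0.0.0", "::") for h in hosts):
        warnings.append(f"dns listener binds all interfaces; block inbound port {listen_port} on WAN")
    http_host, http_port = split_host_port(cfg.get("http", {}).get("address", "0.0.0.0:3000"), 3000)
    if http_host in ("0.0.0.0", "::"):
        warnings.append(f"admin UI binds all interfaces; block inbound port {http_port} on WAN")
    local_ips = {"127.0.0.1", "::1", *hosts}  # addresses AdGuard Home itself answers on
    for up in dns.get("upstream_dns", []):
        if "://" in up:  # tls:// https:// quic:// upstreams are out of scope here
            continue
        host, port = split_host_port(up)
        if port == MDNS_PORT:
            warnings.append(f"upstream {up} uses the mDNS port; move Unbound to e.g. 53530")
        if port == listen_port and host in local_ips:
            warnings.append(f"upstream {up} is AdGuard Home's own listener (resolver loop)")
    return warnings


def guide_config(unbound_port):
    """Constructed config following the thread's guide, with Unbound on unbound_port."""
    unbound = f"192.168.1.1:{unbound_port}"
    return {"http": {"address": "192.168.1.1:3000"},
            "dns": {"bind_hosts": ["192.168.1.1", "127.0.0.1", "::1", "fd00::"], "port": 53,
                    "upstream_dns": [unbound], "bootstrap_dns": [unbound],
                    "local_ptr_upstreams": [unbound]}}


if __name__ == "__main__":
    print(lint(guide_config(5353)), lint(guide_config(53530)))
```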

Yes, that was a typo. Edited to correct.

OK, I will use 53530. Thanks