AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

January 24, 2024, 07:42:34 PM #285 Last Edit: January 24, 2024, 08:07:09 PM by mudhauler
Are we able to use the AGH/Settings/DNS Encryption setting in this configuration?

Using AGH plugin on 53, Unbound on 53530 w/ DOT to cloudflare.

I have the acme plugin up and running.. Created a cert for AGH.. am pasting fullchain.pem and privatekey.pem but am getting 2 errors:

Error: control/tls/validate | port 443 is not available, cannot enable HTTPS on it | 400

and on both key paste entry fields:

Status:
    *Certificate chain is invalid
Anyone have this working if even possible?

I would guess both your opnsense admin interface and the adguard admin interface are running on port 443. Considering DNS over HTTPS is a thing, I would recommend moving the opnsense admin intf to a different port.

Regarding the cert chain issue, I can confirm that using acme plugin to generate a certificate is indeed possible. But I am not pasting any certificate anywhere, this is not required, you simply configure adguard to reuse the same certs you created for the router. (You do need to figure out which ones are the right ones if you have multiples)


tls:
  enabled: true
  [...]
  port_https: 443
  [...]
  certificate_path: /var/etc/acme-client/certs/644c0950b1e430.38459566/fullchain.pem
  private_key_path: /var/etc/acme-client/keys/644c0950b1e430.38459566/private.key
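Two preflight checks for the errors mudhauler hit, as an added example (this is not code from anyone in the thread or from the AdGuard Home project): whether a TCP port such as 443 can still be bound on this host, and whether a certificate file and key file load together as a pair the way AdGuard Home's TLS settings need them to. The paths and port number in the usage call at the bottom are placeholders to be replaced with your own.

```python
"""Preflight checks before enabling HTTPS/DoH in AdGuard Home (stdlib only)."""
import socket
import ssl
from typing import Tuple


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """Return True if a TCP socket can be bound to host:port right now.

    AdGuard Home binds 0.0.0.0 by default, so a listener on any address
    (e.g. the OPNsense web GUI on 443) makes the bind fail.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        # SO_REUSEADDR keeps a closed socket in TIME_WAIT from reading as "in use";
        # an active listener still blocks the bind.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def cert_pair_loads(cert_path: str, key_path: str) -> Tuple[bool, str]:
    """Check that cert_path and key_path form a usable server TLS pair.

    load_cert_chain() reads the leaf plus any intermediates from cert_path and
    fails if the private key does not match the leaf certificate, which is one
    cause of a "certificate chain is invalid" style error.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except FileNotFoundError as exc:
        return False, f"missing file: {exc.filename}"
    except ssl.SSLError as exc:
        return False, f"OpenSSL rejected the pair: {exc}"
    return True, "certificate chain and private key load together"


if __name__ == "__main__":
    # Placeholder values; use your own acme-client paths and chosen HTTPS port.
    HTTPS_PORT = 443
    CERT = "/var/etc/acme-client/certs/<your-cert-id>/fullchain.pem"
    KEY = "/var/etc/acme-client/keys/<your-cert-id>/private.key"
    print(f"port {HTTPS_PORT} free: {port_is_free(HTTPS_PORT)}")
    ok, reason = cert_pair_loads(CERT, KEY)
    print(f"cert/key pair ok: {ok} ({reason})")
```

Run it on the OPNsense box itself (as a user that can read the key file); if the port check returns False, pick another HTTPS port in AdGuard Home or move the OPNsense GUI, and if the pair check fails, compare the certificate id in the two paths, since a mismatched key and cert is the usual reason the pair is rejected.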

January 24, 2024, 11:31:20 PM #287 Last Edit: January 24, 2024, 11:33:19 PM by mudhauler
That did it. I changed the AGH HTTPS port and that error went away; I didn't want to move the admin UI.

On the AGH page the HTTPS port field says:
"If HTTPS port is configured, AdGuard Home admin interface will be accessible via HTTPS, and it will also provide DNS-over-HTTPS on '/dns-query' location."

So it seems the DOH should still work fine?
Thanks!

On the certs:

I use a very easy setup with acme let's encrypt certificates:

1. Use a wildcard cert

2. Paste into adguard home GUI settings -> encryption settings:

Certificate path:
/var/etc/cert.pem

Key file path:
/var/etc/key.pem

Works.

Anyone know how I can check what is the issue with my setup?

I have followed yeraycito's post and DNS ceases to work. The only configuration that seems to work for me is...

https://0x2142.com/how-to-set-up-adguard-on-opnsense/

But I want AdGuard to be on 53 and Unbound on some other port.

If I test upstream server in Adguard, that works so I figure there is some communication happening between Adguard and Unbound.

But I don't understand why there is no DNS resolution. I can access internal services by IP no problem, so it's just the DNS resolution that isn't working.

Hey @andyd, did you check that you can send DNS request to <opnsense_IP>:5353 ?

Something like "host example.com <opnsense_IP>:5353" from a linux box.

Does this work?

btw, I disagree a bit with @yeraycito's recommendation of using port 5353. It's the default port for mDNS, I see an unnecessary risk of conflict, I use 53530 for example.
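The check 9axqe asks for, sending a query straight to the resolver on its non-standard port, as an added example that is not code from any poster in this thread. It uses only the Python standard library so it runs on any Linux box without `dig` or `host` installed: it builds a minimal A-record query, sends it to the IP and port you give it, and parses the reply, rejecting an answer whose transaction ID does not match the question. The server address and port in the usage call are placeholders; the sample reply bytes are constructed for the offline self-check.

```python
"""Send a DNS A query to an explicit ip:port and parse the reply (stdlib only)."""
import random
import socket
import struct
from typing import Dict, Optional


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a standard recursion-desired query for `name` (QCLASS IN)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, expected_txid: Optional[int] = None) -> Dict:
    """Return the RCODE and any A-record answers from a DNS reply."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or forged reply")
    rcode = flags & 0x000F  # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN, 5 = REFUSED
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        offset = _skip_name(data, offset) + 4
    answers = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(".".join(str(b) for b in rdata))
    return {"rcode": rcode, "answers": answers}


def query(server_ip: str, port: int, name: str, timeout: float = 2.0) -> Dict:
    """Send one UDP query to server_ip:port and return the parsed reply."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server_ip, port))
        data, _ = s.recvfrom(512)
    return parse_response(data, expected_txid=txid)


# Constructed reply for an offline self-check: txid 0x1234, flags QR|RD|RA,
# one question (example.com A IN) and one A answer using a name pointer to it.
SAMPLE_RESPONSE = (
    bytes.fromhex("1234 8180 0001 0001 0000 0000")
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)


if __name__ == "__main__":
    # Placeholders: the OPNsense address and the port Unbound (or AGH) listens on.
    print(query("192.0.2.1", 53530, "example.com"))
```

A reply with `rcode` 0 and a non-empty `answers` list means the listener on that port resolves; a timeout means nothing answered on that ip:port (wrong port, a firewall rule, or the service bound to a different address), and a SERVFAIL or REFUSED points at the resolver's own upstream or access-control settings rather than the forwarding chain.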

Quote from: 9axqe on February 12, 2024, 12:59:21 PM
Hey @andyd, did you check that you can send DNS request to <opnsense_IP>:5353 ?

Something like "host example.com <opnsense_IP>:5353" from a linux box.

Does this work?

btw, I disagree a bit with @yeraycito's recommendation of using port 5353. It's the default port for mDNS, I see an unnecessary risk of conflict, I use 53530 for example.

I'm going to try again later in the week but I'll try again. I suspect that I need to restart the router for the changes to really apply as the lesson I learnt this morning when I was trying to revert back to what I had.

In regards to 5353, yep! I read elsewhere that the port shouldn't be used.

This isn't Windows ;). No need to reboot for most userland services. Just restart the service.

lol it seemed like it would be necessary to do so for some other change.

anyway, I cannot get this to work :/ Not sure what I'm missing but the logs aren't helpful (or if any).

I usually work on things remotely since i'm not always home - hard to tell right now if there is something off with vpn or home as well.

for wireguard vpn, it's just adding the dns ip of 10.10.10.1? I have that but still no luck. The only thing that works for me is having Unbound set to port 53 (and following the guide I linked to previously)

@andyd, I suggest opening your own thread with your settings.

February 14, 2024, 07:57:22 PM #295 Last Edit: February 14, 2024, 09:09:59 PM by andyd
@cookiemonster

I actually got it working last night!

A few things...

I deleted Adguard and added it back in case I had messed with anything. After doing that...

1. I had forgotten about the option to set Adguard as `Primary DNS server`. I enabled that. Not sure if that helps. Also not sure when that option was introduced but it was never mentioned in this thread so I didn't think to go back to the adguard page to enable it.
2. I noticed that the bind address in the Adguard yaml was set to 0.0.0.0. I previously had it as the router ip. Not sure why I changed it but left it as default. Port was always 53 though
3. I followed this guide instead which seemed more comprehensive in general...

https://windgate.net/setup-adguard-home-opnsense-adblocker/

I am not sure which of the four was the reason, but yeah, finally working. I recommend the guide above to others who are looking to set Adguard to 53 and Unbound to another port.


@andyd glad you're up and running.
This thread is so long that I don't even remember if it suggests AdGH as "the" dns server for the network or not. That's where we can use one of two ways, whichever you prefer.
In both cases only one process can be on a port. That means one on 53 and the other on whatever is preferred.
The next thing to consider is that depending on which way, firewall rules and NAT are different. Also need to remember this when setting the DNS server for OPN to use itself.
p.s. 0.0.0.0 means "bind to all interfaces on this host".

I feel like I need to jump in here and ask for some AdGuard help as well. I'm having issues configuring dnsmasq+adguard on opnsense to be able to distinguish which clients are making which DNS lookups (i.e. retain local client IPs).

I currently have the requests going like `client -> dnsmasq (53) -> adguard (53530)`. The reason why I have dnsmasq is because I own a domain that I route to an internal reverse proxy on the LAN, so dnsmasq is resolving mydomain.com to a local IP and forwarding the rest to AdGuard.

The thread is very long at this point, so apologies if this has already been answered, but how can one go about setting things up so that AdGuard will be able to display the local client IPs in the dashboard, and not just 192.168.1.1 when forwarding via dnsmasq on the opnsense device?

AGH has the ability to "rewrite" DNS as well, so you can make your own domain point to local IPs using just AdGuard Home. Hence you could put AdGuard first (and maybe you don't need dnsmasq at all anymore?).

Just an idea.

Quote from: 9axqe on February 27, 2024, 08:59:13 AM
AGH has the ability to "rewrite" DNS as well, so you can make your own domain point to local IPs using just AdGuard Home. Hence you could put AdGuard first (and maybe you don't need dnsmasq at all anymore?).

Just an idea.

That's excellent, I didn't know AGH could do that with wildcards and exclusions, but it actually can.
I set up AGH to do the same as I've done with dnsmasq so far, and it seems to work correctly, so I'll be uninstalling dnsmasq and the end result is a simplified setup, very nice!