Having problems getting AdGuard working

[ajoeiam]

Greetings

Have had a bunch of interesting learning experiences getting OPNsense up =- - - but it is.

Now trying to configure it =- - - wow!

Stumbling right now on AdGuard - - - specifically at the point of initial setup.

Is this the right place to ask questions - - - it is a community plugin and not official so me not knowing am asking.

Where might I get assistance?

TIA

[ajoeiam]

Did a lot of looking.

paging  @mimugmail

Greetings

I am having sever problems (unable to complete) initial setup for AdGuardHome.
Your repository has version 1.12 as being AdGuardHome 0.107.45 .

AdGuardHome version update 0.107.50 seems to be related to my difficulties.

Would you be able to update the repository - - - perhaps to 0.107.52?

(I have no clue of what I'm doing (can you tell) or I'd offer to help out with this!)

TIA

[cookiemonster]

Don't get too concerned with having the latest version of AdGH. It doesn't need to be on latest to work.
Just post your setup and where it is failing and we'll try to figure out what is the problem.

[newsense]

AGH can be upgraded once you're past the initial setup.



In more restrictive setups you'll need two FW rules as follows:

1) Allow TCP -- source (v)lan net or IP -- destination <FW IP interface> destination port 3000   ### This is only used for the initial setup

2) Allow TCP -- source (v)lan net or IP -- destination <FW IP interface> destination port <port number you chose during the initial setup>

[ajoeiam]

Don't get too concerned with having the latest version of AdGH. It doesn't need to be on latest to work.
Just post your setup and where it is failing and we'll try to figure out what is the problem.

That's the issue in a nutshell - - - I can't do the initial setup.

screen 2/5 (when one logs into 192.168.x.x:3000) needs 2 ports set.

I cannot set either of them.
Read some chatter that it might be related to not using static urls but that's not the case (ASAIK at least).
Or it might be related to the release notes for 0.107.50.

I dunno and have no real way of figuring out what the issue is.

Any ideas - - - - I'm a listening!!!

TIA

[ajoeiam]

AGH can be upgraded once you're past the initial setup.



In more restrictive setups you'll need two FW rules as follows:

1) Allow TCP -- source (v)lan net or IP -- destination <FW IP interface> destination port 3000   ### This is only used for the initial setup

2) Allow TCP -- source (v)lan net or IP -- destination <FW IP interface> destination port <port number you chose during the initial setup>

Apologies (but I'm a firewall 'me don't understand') all I've ever used was ufw.
You're suggesting that I write firewall rules like you have suggested - - yes?

(understand that 'IP interface' would be replaced with my system url, is there any similar in the 'source lan net or IP' ?)

TIA

[newsense]

You can post the LAN rules here in a screenshot - assuming that is where you'd be connecting from to the FW for AGH management.

In the creation of a rule you can specify either a source IP such as 192.168.2.34/32 which effectively gives access to that machine to whatever you specify as IPdestination/port, or you can go broader wherever appropiate and say LAN NET as source which effectively allows all the machines in that (v)lan to access the resource.

For example, if your LAN is 192.168.1.0/24 (or subnet mask 255.255.255.0) then the machines in the 1920168.1.2-254 range would be allowed to connect to the destination.

In OPNsense you'll find these networks (wherever there are more vlans) in the rule drop down menu as <vlan_name net>

[cookiemonster]

Don't get too concerned with having the latest version of AdGH. It doesn't need to be on latest to work.
Just post your setup and where it is failing and we'll try to figure out what is the problem.

screen 2/5 (when one logs into 192.168.x.x:3000) needs 2 ports set.

I cannot set either of them.

TIA

Sorry don't remember what that screen asks for, can you post a screenshot or describe what it says?
AdG needs to know what DNS servers to use upstream, it might be related to that but want to be sure.
Also, please add your complete setup of what is your current DNS servers for the network. Is it Unbound and what port is Unbound using. Also confirm Unbound is set to listen on all interfaces (recommended).
Firewall rules are not normally needed when using defaults. That is because the allow all default rule will permit the LAN clients to reach the firewall on any port.
For other interfaces and networks in the firewall, yes, rules are needed.

[ajoeiam]

Don't get too concerned with having the latest version of AdGH. It doesn't need to be on latest to work.
Just post your setup and where it is failing and we'll try to figure out what is the problem.

screen 2/5 (when one logs into 192.168.x.x:3000) needs 2 ports set.

I cannot set either of them.

TIA

Sorry don't remember what that screen asks for, can you post a screenshot or describe what it says?
AdG needs to know what DNS servers to use upstream, it might be related to that but want to be sure.
Also, please add your complete setup of what is your current DNS servers for the network. Is it Unbound and what port is Unbound using. Also confirm Unbound is set to listen on all interfaces (recommended).
Firewall rules are not normally needed when using defaults. That is because the allow all default rule will permit the LAN clients to reach the firewall on any port.
For other interfaces and networks in the firewall, yes, rules are needed.

(tried to attach a .png file - - - (using copy and paste - - unsuccessful instead used attach (was unseccessful as image was some 450k so cropped the image as much as possible - - - hope it works for you! )
Did not see all of the third part (static ip address).
Unbound is my current DNS server and port 5353 is the listed port. I had Unbound listening only to LAN but changed that to all (recommended). (I would prefer that my DNS server not really listen to outside stuff but if that's what is required I will acquiesce.)

Was unable to test the AdGuardHome setup as I seem to no longer get to it.

Previously I was able to unselect the service, reboot the machine. then re-select the service, again reboot the machine and at that point I was able to try the 192.168.x.x:3000 successfully - - - but not today.

Dunno - - - I'm wondering if the whole setup has become less responsive - - - becoming quite unsure of what to do going forward - - - starting to think that this is another instance of 'it works for someone else but NOT here' - - - I hope not!

Appreciate your continuing assistance - - really don't want to have to run another mini-pc that would make another point of failure - - - imo - - - I think I have too many already!
Regards

[ajoeiam]

You can post the LAN rules here in a screenshot - assuming that is where you'd be connecting from to the FW for AGH management.

In the creation of a rule you can specify either a source IP such as 192.168.2.34/32 which effectively gives access to that machine to whatever you specify as IPdestination/port, or you can go broader wherever appropiate and say LAN NET as source which effectively allows all the machines in that (v)lan to access the resource.

For example, if your LAN is 192.168.1.0/24 (or subnet mask 255.255.255.0) then the machines in the 1920168.1.2-254 range would be allowed to connect to the destination.

In OPNsense you'll find these networks (wherever there are more vlans) in the rule drop down menu as <vlan_name net>

@cookiemonster suggested that if I made unBound able to listen on all ports that I may be able to not need to use firewall rules.
Did that change - - - - still not successful.

Now quite lost!

Thanks for your assistance.

[cookiemonster]

Unbound is my current DNS server and port 5353 is the listed port. I had Unbound listening only to LAN but changed that to all (recommended). (I would prefer that my DNS server not really listen to outside stuff but if that's what is required I will acquiesce.)

The default rule which prevents unsolicited inbound traffic to WAN will prevent it from answering queries in WAN. The query will never get to Unbound, it would have been blocked by the firewall by default. No need to worry about that.
Please check what processes have listeners open, like this:

Code: [Select]

$ sudo sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
unbound  unbound    58332 5  udp4   *:5353                *:*
unbound  unbound    58332 6  tcp4   *:5353                *:*
unbound  unbound    58332 7  udp4   *:5353                *:*
unbound  unbound    58332 8  tcp4   *:5353                *:*
unbound  unbound    58332 9  tcp4   127.0.0.1:953         *:*
dhcpd    dhcpd      49891 12 udp4   *:67                  *:*
root     lighttpd   25766 7  tcp4   *:55443               *:*
root     eastpect   74039 13 udp4   *:*                   *:*
root     eastpect   74039 15 udp4   *:*                   *:*
root     eastpect   74039 17 udp4   *:*                   *:*
root     ntpd       13199 21 udp4   *:123                 *:*
root     ntpd       13199 22 udp4   92.28.XXX.163:123     *:*
root     ntpd       13199 23 udp4   192.168.5.1:123       *:*
root     ntpd       13199 26 udp4   127.0.0.1:123         *:*
root     ntpd       13199 27 udp4   192.168.5.100:123     *:*
root     ntpd       13199 28 udp4   192.168.200.1:123     *:*
root     ntpd       13199 30 udp4   10.8.0.1:123          *:*
root     ntpd       13199 31 udp4   10.0.0.1:123          *:*
root     lighttpd   32222 4  tcp4   127.0.0.1:43580       *:*
root     stubby     7242  3  udp4   127.0.0.1:8053        *:*
root     stubby     7242  4  tcp4   127.0.0.1:8053        *:*
www      haproxy    64624 4  tcp4   *:853                 *:*
www      haproxy    64624 5  tcp4   *:5000                *:*
www      haproxy    64624 6  tcp4   *:443                 *:*
www      haproxy    64624 7  tcp4   192.168.5.100:80      *:*
www      haproxy    64624 8  tcp4   192.168.5.100:853     *:*
www      haproxy    64624 9  tcp4   192.168.5.100:5000    *:*
www      haproxy    64624 10 tcp4   192.168.5.100:443     *:*
root     AdGuardHom 348   115 udp46 *:53                  *:*
root     AdGuardHom 348   116 tcp4  192.168.5.1:8080      *:*
root     AdGuardHom 348   117 tcp46 *:53                  *:*
root     crowdsec   96744 18 tcp4   192.168.5.1:8081      *:*
root     crowdsec   96744 190 tcp4  127.0.0.1:6060        *:*
root     openvpn    84396 8  udp4   92.28.XXX.163:1193    *:*
root     sshd       70841 4  tcp4   *:22                  *:*
?        ?          ?     ?  udp4   *:51820               *:*I've masked a part of my WAN ip but you can see I have AdG listening on port 53 and Unbound on 5353 so they don't clash. AdG ui on 8080. Unbound on all interfaces.

AdG settings:
- DHCP service is disabled. I don't want AdG to provide dhcp. OPN is doing that.
- Upstream DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its upstream DNS server.
- Bootstrap DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its upstream DNS server.
- Private reverse DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its reverse DNS server.
- Encryption settings: Only plain DNS is enabled. If you want to change this, I suggest to do it later, once the basic is working. For me there is no need. The encryption is done by from Unbound out.

DHCPv4 settings:
-- On LAN:
- DNS Servers: blank - I don't need to set DNS servers here because with Unbound enabled, the leases are issued with the Unbound ip address for each interface, in the LAN case it is 192.168.5.1 ; the default port 53 will be used, and that means will get to AdGuard, which will in turn send up to Unbound:

Code: [Select]

Starting Nmap 7.80 ( https://nmap.org ) at 2024-07-18 23:36 BST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.5.238
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.5.1
|     IP Address Lease Time: 5m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.5.1
|     Domain Name Server: 192.168.5.1
|     Domain Name: moomooland
|     Bootfile Name: pxelinux.0
|_    TFTP Server Name: 192.168.5.1
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.81 seconds

Firewall rules:
- I have port forward to force misbehaved clients to comply with the settings above. We can get to that after.

Please check against this and we'll take it from there.
You did have an unorthodox setup before, with a pc you only switched on from time to time and plugged directly in a port of the firewall, that triggered a reconfiguration of interfaces and services every time. Even if that's changed, it would be good to tell us what the setup is, they might give clues. For now let's just see it as a service that you want to setup for the first time

[ajoeiam]

Unbound is my current DNS server
snip
Please check what processes have listeners open, like this:

Code: [Select]

$ sudo sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
unbound  unbound    58332 5  udp4   *:5353                *:*
snip
root     AdGuardHom 348   115 udp46 *:53                  *:*
root     AdGuardHom 348   116 tcp4  192.168.5.1:8080      *:*
root     AdGuardHom 348   117 tcp46 *:53                  *:*
root     crowdsec   96744 18 tcp4   192.168.5.1:8081      *:*
root     crowdsec   96744 190 tcp4  127.0.0.1:6060        *:*
root     openvpn    84396 8  udp4   92.28.XXX.163:1193    *:*
root     sshd       70841 4  tcp4   *:22                  *:*
?        ?          ?     ?  udp4   *:51820               *:*I've masked a part of my WAN ip but you can see I have AdG listening on port 53 and Unbound on 5353 so they don't clash. AdG ui on 8080. Unbound on all interfaces.

AdG settings:
- DHCP service is disabled. I don't want AdG to provide dhcp. OPN is doing that.
- Upstream DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its upstream DNS server.
- Bootstrap DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its upstream DNS server.
- Private reverse DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its reverse DNS server.
- Encryption settings: Only plain DNS is enabled. If you want to change this, I suggest to do it later, once the basic is working. For me there is no need. The encryption is done by from Unbound out.
snip
Please check against this and we'll take it from there.
You did have an unorthodox setup before, with a pc you only switched on from time to time and plugged directly in a port of the firewall, that triggered a reconfiguration of interfaces and services every time. Even if that's changed, it would be good to tell us what the setup is, they might give clues. For now let's just see it as a service that you want to setup for the first time

Very interesting - -
you have quite a few more lines in the output of sockstat than I have (grin)  - - - lines that include AdGuardHome look like this:

root    AdGuardHom 90822 13 tcp4    192.168.1.1:80           *:*
root    AdGuardHom 90822 15 udp4   127.0.0.1:53               *:*
root    AdGuardHom 90822 22 tcp4    127.0.0.1:53               *:*

Cannot do any AdG settings - - - cannot log into that 192.168.1.1:3000 address to set up my instance.

Suggestions on how I might be able to change the configuration file for AdG ?

TIA

[cookiemonster]

that's probably your problem:
root    AdGuardHom 90822 13 tcp4    192.168.1.1:80           *:*
Unless you have moved from port 80, it will be clashing with OPN GUI port, look for your port for httpd in your output of sockstat.
If you have a clash, then you could move the OPN Gui to another port and a restart of loghttpd will free up port 80 when it moves to the new one and will allow you then to reach AdG.

[newsense]

It's best to leave the core services running on their default ports, plugins can be set up on any other ports with an associated port forward rule.

Would be a lot cleaner for troubleshooting, and in case of a plugin/service loss you'll know the FW boots and it is operational even if a faulty upgrade brought down AdGuardHome in this case.

[cookiemonster]

System > Settings > Administration.
The UI has the ability to change the port the GUI is listening on. Many of us change it from the default for a variety of reasons. No need to worry about changing it here, is not a hack, and it survives updates and upgrades.
That said, in general, the advice is sound.