TorGuard

Showing results for tags 'dns over quic'.

Found 4 results

  1. Look A Here - Look A Here - Well, I am back one more again - spinning those hits that get you thumping and pumping for the tasks ( s ) ahead. You all know " The Time Honored Intro " - https://www.youtube.com/watch?v=xg5IRsPs5E8 and https://www.youtube.com/watch?v=2u-n__lHhWU sing along - https://genius.com/Led-zeppelin-good-times-bad-times-lyrics https://www.youtube.com/watch?v=h1vKOchATXs - dig the vibe https://genius.com/Boogie-down-productions-my-philosophy-lyrics - and the original heart throb as a Surprise Bonus - https://www.youtube.com/watch?v=pc_F3PaYgl0

     Now, that I have satisfied the full spectrum in time and space of " The Beats " needed here we go with pfSense AdGuardHome. See here for basic guide : pfSense AdGuardHome - Now this guide is designed for AdGuardHome on pfSense; however, I am going to modify it so that it is much simpler for you to master. I prefer this method as it gives me more control over updates / upgrades and configuration. In addition, this aforementioned guide sets up AdGuardHome on the LAN for DNS. I am going to set up AdGuardHome DNS on both the IPV4 and IPV6 local hosts - which are the default interfaces for pfSense UNBOUND. However, if you prefer to use your LAN for AdGuardHome DNS as described in tutorial by all means just follow the original guide.

     AdGuardHome works flawlessly with both OpenVPN and WireGuard protocols. No need for firewall rules or port forwarding with this set up. It works " as is " right " OUT THE BOX ".

     Step 1: Do Not Change the Port of your pfSense DNS Resolver

     To enable rDNS lookups and hostname lookups for devices on your LAN, enable " DHCP Registration" and " Static DHCP" in DNS Resolver settings.

     Step 2: Install these packages below, so that you can install AdGuardHome.

         # pkg install ca_root_nss
         # pkg install screen
         # pkg install nano
         # pkg install sudo    ## AdGuardHome will not install as service without sudo

     Step 3 : Go to this page for auto installation script - the script will download proper package for your architecture. https://github.com/AdguardTeam/AdGuardHome#test-unstable-versions

     Using AGH install script is easier and simpler for most users. Just use their Edge builds as they are most up to date. It will also warn if there are missing dependencies.

         curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c edge

     ATTENTION : I strongly suggest that you watch this video before you begin. Although lengthy - it is very informative and worthwhile. https://www.youtube.com/watch?v=yMcM40ipDlQ Van Tech Corner OpenWRT AdGuard Home. You also will be able to follow this guide much better - as a ( moving ) picture is worth a thousand words. Follow directions carefully - you will have AdGuard Home up and running on pfSense by the end of this guide / tutorial.

     Step 4 - After installation script runs, you should be seeing something like below. Naturally you may see a different IP Address depending on your network interfaces - but you must use the LAN for initial AdGuardHome Configuration here it is - http://192.168.5.10:3000

     Pick out your LAN interface so that you can perform initial configuration of AdGuardHome. Now, I am going to show you how to use AdGuard Home with UNBOUND. Once again I implore you to look at Van Tech Corner OpenWRT AdGuard Home Video https://www.youtube.com/watch?v=yMcM40ipDlQ

     A - Choose LAN Address For Web Interface - Port 8088 / Choose Localhost ( 127.0.0.1 ) For DNS - Change to Port 5353

     Step 5 - Now we need to configure UNBOUND for AdGuardHome. Go to Services > DNS Resolver > General Settings > Display Custom Options > Custom options

     In the Box For " Custom options " enter the following below :

         server:
         do-not-query-localhost: no
         forward-zone:
         name: "."
         # Allow all DNS queries
         forward-addr: 127.0.0.1@5353
         forward-addr: ::1@5353

     Then Go To System > General Setup > DNS Server Settings > DNS Servers and enter the following below for DNS Servers :

     A - 127.0.0.1
     B - ::1 both without any gateway and
     C - Remove ( Do Not ) Check " DNS Server Override " " Allow DNS server list to be overridden by DHCP/PPP on WAN " Option
     D - Leave Option " DNS Resolution Behavior " at Default Setting

     Step 6 - Making AdGuard Home start on boot : Special thanks to eoghan2t9 for a start up script for AdGuardHome which works flawlessly. The script is found here : https://github.com/AdguardTeam/AdGuardHome/issues/1352 Some modifications are required for pfSense AdGuardHome. Follow these steps below :

     A - # mv /usr/local/etc/rc.d/AdGuardHome /usr/local/etc/rc.d/adguardhome.sh
     B - # nano /usr/local/etc/rc.d/adguardhome.sh
     C - Delete the contents of the file and fill it with these contents below :

         #!/bin/sh

         . /etc/rc.subr

         name="adguardhome"
         rcvar="adguardhome_enable"
         adguardhome_user="root"
         adguardhome_command="/opt/AdGuardHome/AdGuardHome"
         pidfile="/var/run/${name}.pid"
         command="/usr/sbin/daemon"
         command_args="-P ${pidfile} -r -f ${adguardhome_command}"

         load_rc_config $name
         : ${adguardhome_enable:=yes}
         run_rc_command "$1"

     D - Make it executable - I run this command - it works for me:

         # chmod 755 /usr/local/etc/rc.d/adguardhome.sh

     E - In order to have pfSense use default start up script ( /usr/local/etc/rc.d/adguardhome.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :

         # touch /etc/rc.conf.d/adguardhome    - create the needed new file
         # nano /etc/rc.conf.d/adguardhome     - in the new file enter the following two lines:

         adguardhome_enable="YES"
         adguardhome_bootup_run="/usr/local/etc/rc.d/adguardhome.sh"

     Save and exit / then make the file executable - once again - works for me :

         # chmod 755 /etc/rc.conf.d/adguardhome

     Step 7 - Configure AdGuardHome via AdGuardHome.yaml for UNBOUND

     We will edit the sections listed below : ( a ) dns: ( bind_hosts: ) ( b ) upstream_dns: ( c ) bootstrap_dns: ( d ) all_servers: ( e ) filters:

         # nano /opt/AdGuardHome/AdGuardHome.yaml

         web_session_ttl: 720
         dns:
           bind_hosts:
           - 127.0.0.1
           - ::1
           port: 5353

     We will edit the sections listed below ( a ) upstream_dns: ( b ) bootstrap_dns: ( c ) all_servers:

           upstream_dns:
           - quic://dns.adguard.com:784
           - quic://dot-jp.blahdns.com:784
           - quic://dot-fi.blahdns.com:784
           - quic://dot-sg.blahdns.com:784
           - quic://dot-de.blahdns.com:784
           - quic://doh.tiar.app:784
           - quic://dns.emeraldonion.org:8853
           - quic://uk.adhole.org:784
           - quic://de.adhole.org:784
           - quic://sg.adhole.org:784
           - quic://dandelionsprout.asuscomm.com:48582
           - quic://dns.arapurayil.com:784
           - quic://dns.comss.one:784
           - quic://dns.east.comss.one:784
           - tls://getdnsapi.net
           - tls://dns-nyc.aaflalo.me
           - tls://dns.cmrg.net
           - tls://dot.ny.ahadns.net
           - tls://dot.la.ahadns.net
           - tls://dot.chi.ahadns.net
           - tls://ordns.he.net
           - tls://us-east.adhole.org
           - tls://dns.neutopia.org
           - tls://dns.digitale-gesellschaft.ch
           - tls://dot.sb
           - tls://draco.plan9-ns2.com
           upstream_dns_file: ""
           bootstrap_dns:
           - 1.1.1.2
           - 1.0.0.2
           - 2606:4700:4700::1112
           - 2606:4700:4700::1002
           all_servers: true

     Enter the following below for filters :

         filters:
         - enabled: true
           url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
           name: AdGuard DNS filter
           id: 1
         - enabled: true
           url: https://badmojr.github.io/1Hosts/Lite/adblock.txt
           name: 1Hosts (Lite)
           id: 1635566025
         - enabled: true
           url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
           name: Scam Blocklist by DurableNapkin
           id: 1625359388
         - enabled: true
           url: https://block.energized.pro/basic/formats/hosts.txt
           name: Energized Basic Protection
           id: 1625359389
         - enabled: true
           url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
           name: https://github.com/StevenBlack/hosts
           id: 1625359390
         - enabled: true
           url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
           name: https://firebog.net/ - OSINT.digitalside.it
           id: 1625359391
         - enabled: true
           url: https://v.firebog.net/hosts/Easyprivacy.txt
           name: https://firebog.net/ - EasyPrivacy
           id: 1625359393
         whitelist_filters:
         - enabled: true
           url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
           name: https://github.com/anudeepND/whitelist
           id: 1625359392
         user_rules: []

     After configuring AdGuardHome via AdGuardHome.yaml run both of the commands below :

     a - # /usr/local/etc/rc.d/adguardhome.sh restart
     b - # /usr/local/etc/rc.d/unbound onestart

     Note : The best practice is to reboot your pfSense after configuring AdGuardHome via AdGuardHome.yaml .

     Step 8 - I strongly recommend enabling Encryption. With Encryption AdGuard Home admin interface will work over HTTPS, and the DNS server will listen for requests over DNS-over-HTTPS and DNS-over-TLS. For Encryption = Go To Top of AdGuardHome WEB GUI - Settings > Encryption settings then follow the instructions

     ( a ) - enable Encryption - check the Box
     ( b ) - Fill in full server name such as this example - freedom.babybaby.mywire.org : https://www.wolffhaven45.com/2017/11/07/intranet-ssl-certificate-for-pfsense-using-lets-encrypt--cloudflare/ - I recommend Dynu ACME LET’S ENCRYPT
     ( c ) Certificates : In order to use encryption, you need to provide a valid SSL certificates chain for your domain. You can get a free certificate on LetsEncrypt.org or you can buy it from one of the trusted Certificate Authorities. If you follow the tutorial above you can issue yourself a LetsEncrypt Certificate cost free. This is fictional domain. See here for how to get Dynu Account and Credentials : https://forum.openwrt.org/t/dynu-openwrt-acme-lets-encrypt/110758

     The target directory for ACME certificates is actually under /cf/config/acme/. Just browse to directory through Diagnostics > Edit File > Browse > Then open /cf - then open /conf - open up /acme - just open these two files below and copy and paste them into appropriate boxes in the AdGuardHome WEB GUI. These are the files you will need to copy and paste below :

         freedom.babybaby.mywire.org/fullchain.cer
         freedom.babybaby.mywire.org/freedom.babybaby.mywire.org.key

     In order to log into AdGuardHome WEB GUI when it is encrypted you must move pfSense WEBGUI to a different port than 443 - You may now log into Encrypted AdGuardHome WEB GUI - this option is available by entering the following ( from example above ) : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see " green padlock " when logging in / your certificate pulls double duty. Say you moved FireWall Admin to Port 1443 - you may still log into your pfSense Encrypted WEBGUI at : https://freedom.babybaby.mywire.org:1443

     PS - I started this journey in order to learn how to use DNS-over-QUIC, or DoQ. In full disclosure I exclusively use DNS-over-QUIC upstream servers with AdGuardHome. Also, I used Encryption for DNS OVER TLS bootstrap servers. So - the whole damn thing ( my DNS ) is encrypted. BTW, I certainly will not at all miss having to update the SPKI PIN Keys for DOT SERVERS in the Stubby yaml configuration file.

     Bonus Feature: For Those Who Care To PIMP Their AdGuardHome WEBGUI

     You must install Stylish Addon To Use AdGuardHome Dark Theme

     Firefox addon : https://addons.mozilla.org/en-US/firefox/addon/stylish/
     Chrome extension : https://tinyurl.com/yntw4wyw
     Go here - For Stylish Dark Themes : https://userstyles.org/styles/browse?search_terms=adguard&type=false
     I use XENORCHISM - https://userstyles.org/styles/178841/adguard-home-dark-theme

     You must enter your LAN IP ADDRESS IN " Customize Settings " Box prior to installation. If you enabled Encryption with a valid SSL certificates chain for your domain - then enter your Full Domain Name in " Customize Settings " Box prior to installation instead of LAN IP. As per this example, Full Domain Name in " Customize Settings " Box see below : freedom.babybaby.mywire.org

     You may then access AdGuardHome WEBGUI on port 443 - here is example from above : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see " green padlock " when logging in / your certificate pulls double duty

     Here Is What You Get After Install : See AdGuardHome Dark Screenshot

     When a new AdGuardHome version becomes available on The Edge Channel it will show up in the WEBGUI. All you need to do in order to stay up to date is press the " update to the latest version " button on the AdGuardHome WEBGUI page. Easy Peasy.
  2. Y'all know how I get down by now. " The Intro " is where it is always at - https://www.youtube.com/watch?v=YiOgPd18UmQ - you just may want to glean the wisdom offered herein - https://genius.com/James-brown-mind-power-lyrics on to the next entry - https://www.youtube.com/watch?v=t7Csc6l4QLs - yes, I go eclectic and electric - https://genius.com/Reo-speedwagon-take-it-on-the-run-lyrics - Surprise Bonus : https://www.youtube.com/watch?v=7pOkpwgOOiI

     OK - now that we are rolling - we are going to learn how to install, configure and run OPNsense 21.7 AdGuardHome. See here for basic guide : https://broadbandforum.co/threads/installing-adguard-home-on-pfsense.205884/ - Now this guide is designed for AdGuardHome on pfSense; however, I am going to modify it for OPNsense. I know that there is a plugin for OPNsense 21.7 AdGuardHome, but I prefer this method as it gives me more control over updates / upgrades and configuration. In addition, this aforementioned guide sets up AdGuardHome on the LAN for DNS. I am going to set up AdGuardHome DNS on both the IPV4 and IPV6 local hosts - which are the default interfaces for OPNsense UNBOUND.

     AdGuardHome works flawlessly with both OpenVPN and WireGuard protocols. No need for firewall rules or port forwarding with this set up. It works " as is " right " OUT THE BOX ".

     Step 1: Do Not Change the Port of your OPNsense DNS Resolver

     To enable rDNS lookups and hostname lookups for devices on your LAN, enable " DHCP Registration" and " Static DHCP" in DNS Resolver settings.

     Step 2: Install these packages below, so that you can install AdGuardHome.

         pkg install ca_root_nss
         pkg install screen
         pkg install nano
         pkg install sudo    ## AdGuardHome will not install as service without sudo

     Step 3 : Go to this page for auto installation script - the script will download proper package for your architecture. https://github.com/AdguardTeam/AdGuardHome#test-unstable-versions

     Using AGH install script is easier and simpler for most users. Just use their Edge builds as they are most up to date. It will also warn if there are missing dependencies.

         curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c edge

     ATTENTION : I strongly suggest that you watch this video before you begin. Although lengthy - it is very informative and worthwhile. https://www.youtube.com/watch?v=yMcM40ipDlQ Van Tech Corner OpenWRT AdGuard Home. You also will be able to follow this guide much better - as a ( moving ) picture is worth a thousand words. Follow directions carefully - you will have AdGuard Home up and running on OPNsense by the end of this guide / tutorial.

     Step 4 - After installation script runs, you should be seeing something like below. Post Install Screenshot

     Naturally you may see a different IP Address depending on your network interfaces - but you must use the LAN for initial AdGuardHome Configuration here it is - http://192.168.5.10:3000

     Pick out your LAN interface so that you can perform initial configuration of AdGuardHome. Now, I am going to show you how to use AdGuard Home with UNBOUND. Once again I implore you to look at Van Tech Corner OpenWRT AdGuard Home Video https://www.youtube.com/watch?v=yMcM40ipDlQ

     A - Choose LAN Address For Web Interface - Port 8088 / Choose Localhost ( 127.0.0.1 ) For DNS - Change to Port 5353

     Step 5 - Now we need to configure UNBOUND for AdGuardHome. We are going to install https://github.com/mimugmail/opn-repo OPNsense repo by mimugmail so that we may be able to add UNBOUND " Custom Options " to OPNsense 21.7. Install repository following commands below :

         # fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
         # pkg update
         # pkg install os-unboundcustom-maxit

     After installing plugin os-unboundcustom-maxit, go to Services > Unbound DNS > Custom Options in the box enter the following found below :

         server:
         do-not-query-localhost: no
         forward-zone:
         name: "."
         # Allow all DNS queries
         forward-addr: 127.0.0.1@5353
         forward-addr: ::1@5353

     Then go to System > Settings > General > DNS Servers and enter the following :

     1 - 127.0.0.1
     2 - ::1 ### both without any gateway and
     3 - Remove ( Do Not ) Check " Allow DNS server list to be overridden by DHCP/PPP on WAN " Option

     Step 6 - Making AdGuard Home start on boot : Special thanks to eoghan2t9 for a start up script for AdGuardHome which works flawlessly. The script is found here : https://github.com/AdguardTeam/AdGuardHome/issues/1352 Some modifications are required for OPNsense 21.7 AdGuardHome. Follow these steps below :

     A - # mv /usr/local/etc/rc.d/AdGuardHome /usr/local/etc/rc.d/adguardhome.sh
     B - # nano /usr/local/etc/rc.d/adguardhome.sh
     C - Delete the contents of the file and fill it with these contents below :

         #!/bin/sh

         . /etc/rc.subr

         name="adguardhome"
         rcvar="adguardhome_enable"
         adguardhome_user="root"
         adguardhome_command="/opt/AdGuardHome/AdGuardHome"
         pidfile="/var/run/${name}.pid"
         command="/usr/sbin/daemon"
         command_args="-P ${pidfile} -r -f ${adguardhome_command}"

         load_rc_config $name
         : ${adguardhome_enable:=yes}
         run_rc_command "$1"

     Make it executable - I run this command - it works for me:

         # chmod 755 /usr/local/etc/rc.d/adguardhome.sh

     E - In order to have OPNsense use default start up script ( /usr/local/etc/rc.d/adguardhome.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :

         # touch /etc/rc.conf.d/adguardhome    - create the needed new file
         # nano /etc/rc.conf.d/adguardhome     - in the new file enter the following two lines:

         adguardhome_enable="YES"
         adguardhome_bootup_run="/usr/local/etc/rc.d/adguardhome.sh"

     Save and exit / then make the file executable - once again - works for me :

         # chmod 755 /etc/rc.conf.d/adguardhome

     Step 7 - Configure AdGuardHome via AdGuardHome.yaml for UNBOUND

     We will edit the sections listed below : ( a ) dns: ( bind_hosts: ) ( b ) upstream_dns: ( c ) bootstrap_dns: ( d ) all_servers: ( e ) filters:

         # nano /opt/AdGuardHome/AdGuardHome.yaml

         dns:
           bind_hosts:
           - 127.0.0.1
           - ::1
           port: 5353

     We will edit the sections listed below ( a ) upstream_dns: ( b ) bootstrap_dns: ( c ) all_servers:

           upstream_dns:
           - quic://dns.adguard.com:784
           - quic://dot-jp.blahdns.com:784
           - quic://dot-fi.blahdns.com:784
           - quic://dot-sg.blahdns.com:784
           - quic://dot-de.blahdns.com:784
           - quic://doh.tiar.app:784
           - quic://dns.emeraldonion.org:8853
           - quic://uk.adhole.org:784
           - quic://de.adhole.org:784
           - quic://sg.adhole.org:784
           - quic://dandelionsprout.asuscomm.com:48582
           - quic://dns.arapurayil.com:784
           - quic://dns.comss.one:784
           - quic://dns.east.comss.one:784
           - tls://getdnsapi.net
           - tls://dns-nyc.aaflalo.me
           - tls://dns.cmrg.net
           - tls://dot.ny.ahadns.net
           - tls://dot.la.ahadns.net
           - tls://dot.chi.ahadns.net
           - tls://ordns.he.net
           - tls://us-east.adhole.org
           - tls://dns.neutopia.org
           - tls://dns.digitale-gesellschaft.ch
           - tls://dot.sb
           - tls://draco.plan9-ns2.com
           upstream_dns_file: ""
           bootstrap_dns:
           - 1.1.1.2:853
           - 1.0.0.2:853
           - 2606:4700:4700::1112:853
           - 2606:4700:4700::1002:853
           all_servers: true

     Enter the following below for filters :

         filters:
         - enabled: true
           url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
           name: AdGuard DNS filter
           id: 1
         - enabled: true
           url: https://badmojr.github.io/1Hosts/Lite/adblock.txt
           name: 1Hosts (Lite)
           id: 1635566025
         - enabled: true
           url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
           name: Scam Blocklist by DurableNapkin
           id: 1625359388
         - enabled: true
           url: https://block.energized.pro/basic/formats/hosts.txt
           name: Energized Basic Protection
           id: 1625359389
         - enabled: true
           url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
           name: https://github.com/StevenBlack/hosts
           id: 1625359390
         - enabled: true
           url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
           name: https://firebog.net/ - OSINT.digitalside.it
           id: 1625359391
         - enabled: true
           url: https://v.firebog.net/hosts/Easyprivacy.txt
           name: https://firebog.net/ - EasyPrivacy
           id: 1625359393
         whitelist_filters:
         - enabled: true
           url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
           name: https://github.com/anudeepND/whitelist
           id: 1625359392
         user_rules: []

     After configuring AdGuardHome via AdGuardHome.yaml run both of the commands below :

     a - # /usr/local/etc/rc.d/adguardhome.sh restart
     b - # /usr/local/etc/rc.d/unbound onestart

     Note : The best practice is to reboot your OPNsense after configuring AdGuardHome via AdGuardHome.yaml .

     Step 8 - I strongly recommend enabling Encryption. With Encryption AdGuard Home admin interface will work over HTTPS, and the DNS server will listen for requests over DNS-over-HTTPS and DNS-over-TLS. For Encryption = Go To Top of AdGuardHome WEB GUI - Settings > Encryption settings then follow the instructions

     ( a ) - enable Encryption - check the Box
     ( b ) - Fill in full server name such as this example - freedom.babybaby.mywire.org : https://www.wolffhaven45.com/2017/11/07/intranet-ssl-certificate-for-pfsense-using-lets-encrypt--cloudflare/ - I recommend Dynu ACME LET’S ENCRYPT
     ( c ) Certificates : In order to use encryption, you need to provide a valid SSL certificates chain for your domain. You can get a free certificate on LetsEncrypt.org or you can buy it from one of the trusted Certificate Authorities. If you follow the tutorial above you can issue yourself a LetsEncrypt Certificate cost free. This is fictional domain. See here for how to get Dynu Account and Credentials : https://forum.openwrt.org/t/dynu-openwrt-acme-lets-encrypt/110758

     Your certificate and key would be in the following format below :

         /var/etc/acme-client/home//freedom.babybaby.mywire.org/fullchain.cer
         /var/etc/acme-client/home/freedom.babybaby.mywire.org/freedom.babybaby.mywire.org.key

     In order to log into AdGuardHome WEB GUI when it is encrypted you must move OPNsense WEBGUI to a different port than 443 - You may now log into Encrypted AdGuardHome WEB GUI - this option is available by entering the following ( from example above ) : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see " green padlock " when logging in / your certificate pulls double duty. Say you moved FireWall Admin to Port 1443 - you may still log into your OPNsense Encrypted WEBGUI at : https://freedom.babybaby.mywire.org:1443

     PS - I started this journey in order to learn how to use DNS-over-QUIC, or DoQ. In full disclosure I exclusively use DNS-over-QUIC upstream servers with AdGuardHome. Also, I used Encryption for DNS OVER TLS bootstrap servers. So - the whole damn thing ( my DNS ) is encrypted. BTW, I certainly will not at all miss having to update the SPKI PIN Keys for DOT SERVERS in the Stubby yaml configuration file.

     Bonus Feature: For Those Who Care To PIMP Their AdGuardHome WEBGUI

     You must install Stylish Addon To Use AdGuardHome Dark Theme

     Firefox addon : https://addons.mozilla.org/en-US/firefox/addon/stylish/
     Chrome extension : https://tinyurl.com/yntw4wyw
     Go here - For Stylish Dark Themes : https://userstyles.org/styles/browse?search_terms=adguard&type=false
     I use XENORCHISM - https://userstyles.org/styles/178841/adguard-home-dark-theme

     You must enter your LAN IP ADDRESS IN " Customize Settings " Box prior to installation. If you enabled Encryption with a valid SSL certificates chain for your domain - then enter your Full Domain Name in " Customize Settings " Box prior to installation instead of LAN IP. As per this example, Full Domain Name in " Customize Settings " Box see below : freedom.babybaby.mywire.org

     You may then access AdGuardHome WEBGUI on port 443 - here is example from above : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see " green padlock " when logging in / your certificate pulls double duty

     Here Is What You Get After Install : See AdGuardHome Dark Screenshot

     When a new AdGuardHome version becomes available on The Edge Channel it will show up in the WEBGUI. All you need to do in order to stay up to date is press the " update to the latest version " button on the AdGuardHome WEBGUI page. Easy Peasy.
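Added example, not part of either post above: a POSIX sh audit of the Step 5 / Step 7 layout shared by the pfSense and OPNsense guides. It flags any `upstream_dns` entry that is not an encrypted transport, any AdGuard Home `bind_hosts` entry that is not loopback, and any Unbound `forward-addr` that does not land on an address and port AdGuard Home actually listens on. Function names and the sample files are constructed for illustration; `https://`, `h3://` and `sdns://` are AdGuard Home upstream schemes the posts do not use.

```shell
#!/bin/sh
# Usage: sh audit.sh /opt/AdGuardHome/AdGuardHome.yaml <file holding the Unbound custom options>
# With no arguments it audits the constructed sample below.

# list_items FILE KEY: print the "- value" entries of the YAML list under KEY.
list_items() {
    awk -v key="$2" '
        /^[ \t]*[A-Za-z_]+:/ {                 # any "name:" line opens or closes a list
            line = $0; sub(/^[ \t]+/, "", line)
            inlist = (index(line, key ":") == 1)
            next
        }
        inlist && /^[ \t]*-[ \t]/ {
            sub(/^[ \t]*-[ \t]+/, ""); sub(/[ \t]+$/, ""); print
        }' "$1"
}

# dns_port FILE: the "port:" value inside the top-level dns: section.
dns_port() {
    awk '/^[A-Za-z_]+:/ { indns = ($1 == "dns:"); next }
         indns && $1 == "port:" { print $2; exit }' "$1"
}

# forward_addrs FILE: every host@port given to Unbound as forward-addr.
forward_addrs() { awk '$1 == "forward-addr:" { print $2 }' "$1"; }

# upstream_transport ENTRY: classify one upstream_dns entry by its scheme.
upstream_transport() {
    case "$1" in
        quic://*)          echo doq ;;
        tls://*)           echo dot ;;
        https://*|h3://*)  echo doh ;;
        sdns://*)          echo stamp ;;   # DNS stamp: transport is encoded inside, inspect by hand
        *)                 echo plain ;;   # bare IP, udp:// or tcp://
    esac
}

# audit AGH_YAML UNBOUND_CONF: print findings, return 1 if there are any.
audit() {
    rc=0
    port=$(dns_port "$1")
    binds=$(list_items "$1" bind_hosts)
    while IFS= read -r up; do
        [ -n "$up" ] || continue
        if [ "$(upstream_transport "$up")" = plain ]; then
            echo "PLAINTEXT upstream: $up"; rc=1
        fi
    done <<EOF
$(list_items "$1" upstream_dns)
EOF
    while IFS= read -r b; do
        case "$b" in
            ""|127.*|::1|localhost) ;;
            *) echo "NON-LOOPBACK bind_host: $b"; rc=1 ;;
        esac
    done <<EOF
$binds
EOF
    while IFS= read -r fa; do
        [ -n "$fa" ] || continue
        host=${fa%@*}; fport=${fa##*@}
        if [ "$fport" != "$port" ] || ! printf '%s\n' "$binds" | grep -qxF -- "$host"; then
            echo "MISMATCH forward-addr $fa: not a bind_hosts entry on port $port"; rc=1
        fi
    done <<EOF
$(forward_addrs "$2")
EOF
    return $rc
}

# Constructed sample: one plain upstream, one LAN bind, and ::1 missing from bind_hosts.
sample_agh() { cat <<'EOF'
dns:
  bind_hosts:
  - 127.0.0.1
  - 192.168.5.10
  port: 5353
  upstream_dns:
  - quic://dns.adguard.com:784
  - tls://getdnsapi.net
  - 9.9.9.9
  upstream_dns_file: ""
  bootstrap_dns:
  - 1.1.1.2
  all_servers: true
EOF
}
sample_unbound() { cat <<'EOF'
server:
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@5353
forward-addr: ::1@5353
EOF
}

if [ $# -eq 2 ]; then
    audit "$1" "$2"
else
    d=$(mktemp -d); sample_agh > "$d/agh.yaml"; sample_unbound > "$d/unbound.conf"
    audit "$d/agh.yaml" "$d/unbound.conf" || echo "(findings above come from the constructed sample)"
    rm -rf "$d"
fi
```

On the configuration exactly as posted (loopback binds, port 5353, only quic:// and tls:// upstreams) the audit prints nothing and returns 0.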
  3. Now, I am going to take you to " back in the day " hearkening the good ole' times of yore - maybe some will remember " The Blue Lights In The Basement " we pay tribute in the time honored tradition of the " Intro " ( yes - it is mandatory ) showcasing these classics -- https://www.youtube.com/watch?v=ZY7fZ95XfMY and the lyrics to sing and hum along - https://www.lyricsfreak.com/l/linda+jones/for+your+precious+love+spoken_21111123.html and on a lighter note ( no pun intended ) - free yourself - https://www.youtube.com/watch?v=K9F5xcpjDMU - and keep the feeling - https://genius.com/Black-sheep-the-choice-is-yours-lyrics Surprise Bonus - https://www.youtube.com/watch?v=WjI3pzhXO14

     AdGuardHome works flawlessly with both OpenVPN and WireGuard protocols. No need for firewall rules or port forwarding with this set up. It works " as is " right " OUT THE BOX ".

     Attention : From OG Poster ( brokenpipe ) !!!! It is possible to install AdguardHome under /opt/, but this directory can grow. Old binaries are moved as backup after an update. Blocklists can become relatively large. It is better to move AdGuardHome to a USB stick. So it will survive future OpenWRT updates !!!! That Means Setup Exroot for your AdGuardHome Install If At All Possible

     Here is a great deal on 4gb USB 3.0 Drives - Made and Shipped In The Good Ole' USA : USB KEYCHAIN KEY DRIVE 3.0 4 GB

     YO ! : I strongly suggest that you watch this video before you begin. Although lengthy - it is very informative and worthwhile. Van Tech Corner OpenWRT AdGuard Home Video Van Tech Corner OpenWRT AdGuard Home. You also will be able to follow this guide much better - as a ( moving ) picture is worth a thousand words. Follow directions carefully - you will have AdGuard Home up and running on OpenWRT by the end of this guide / tutorial.

     The setup uses UNBOUND. There is already a guide / tutorial incorporating DNSMASQ with AdGuard Home found here : OpenWrt AdGuard Home 101 ( DNSMASQ ) Many have stated " you don't need UNBOUND ". I answer that with " Well, I don't need custom made Armani suits or a Ferrari either. You see where I'm going with this ?

     1 - First you will need to get the appropriate AdGuard Home package for your router's architecture. For example, I have WRT3200ACM, WRT32x, Wrt1900ACS V2, WRT1200AC, and NightHawk R7800. All of these have ARMv7 processors. You should find out your architecture before proceeding. Now there is a script on AdGuard Home - found here - https://github.com/AdguardTeam/AdGuardHome. However, I have never been able to get the automatic download and install script to work properly. So, I manually download and install AdGuard Home on OpenWRT, because this method is GUARANTEED ! to work.

     In order to find your router's Architecture - go to Luci > Status > Overview then under System - on the third line down underneath Model ( indicating your router ) You will find your router's Architecture - for the router I am currently running for example these are the entries below :

         Model            Netgear Nighthawk X4S R7800
         Architecture     ARMv7 Processor rev 0 (v7l)
         Target Platform  ipq806x/generic

     You can also enter command below :

         # cat /proc/cpuinfo

     or you can install hwinfo / opkg update && opkg install hwinfo and issue command below :

         # hwinfo    ### this will render all the specs for your router - look at the beginning of readout for CPU

     First, Install These Packages To Get Started - The Main One Needed is sudo - otherwise you will not be able to install AdGuardHome successfully - as always # opkg update

         opkg update ; opkg install ca-certificates ca-bundle sudo libustream-mbedtls libustream-openssl libwolfssl libustream-wolfssl luci-ssl px5g-wolfssl wpad-basic-wolfssl luasocket curl libevent2-7 haveged unzip ip-full curl wget libmbedtls12 tar tcpdump-mini

     then run # opkg update again - and then install packages for UNBOUND as indicated below :

         opkg update ; opkg install unbound-daemon unbound-control unbound-control-setup luci-i18n-unbound-en luci-app-unbound unbound-anchor unbound-host unbound-checkconf

     NOTE : When running DNS OVER TLS ( my setup ) - You first must stop and disable odhcpd. This setup depends on DNS functionality. odhcpd conflicts with dnsmasq for dhcp hence also DOT. The commands are as below :

         # /etc/init.d/odhcpd stop
         # /etc/init.d/odhcpd disable

     2 - There are two channels to download AdGuard Home - Beta and Edge. The consensus on the thread - found here : [HowTo] Running Adguard Home on OpenWrt - is to run Edge. As I mentioned earlier, make sure that you download the correct AdGuard Home package for your router's processor. In my case that is the following link - https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_armv7.tar.gz - notice that edge is named in the link.

     A - Just copy and paste your correct link in your browser from this section of AdGuard Home - after downloading - you will have AdGuardHome_linux_armv7.tar.gz on your desktop. Create a folder to extract the archive into - and use WinRAR, 7Zip, PeaZip or some such file archiver to unzip AdGuardHome_linux_armv7.tar.gz ( remember to choose the proper package for your router ). You will now have a decompressed folder named " AdGuardHome " .

     3 - Now we are going to use WINSCP, but first we need to create the default proper directory for AdGuard Home installation. Go into SSH shell - enter commands :

     A - # mkdir -p /opt/
     B - After creating directory, fire up WINSCP - open /opt/ directory on the right side of the application - then Drag & Drop the AdGuardHome decompressed folder from the directory you had it in on your desktop. If you know how to use SCP on OpenWRT ( Linux ) you may use that method here as well. After closing WINSCP - then issue this command
     C - # chmod 755 /opt/AdGuardHome/AdGuardHome    ## and then enter next command for installation of AdGuardHome
     D - # /opt/AdGuardHome/AdGuardHome -s install

     You should be seeing something like below. Naturally you may see a different IP Address depending on your network interfaces - but you must use the LAN for initial AdGuardHome Configuration - here it is - http://192.168.11.130:3000

     4 - Pick out your LAN interface so that you can perform initial configuration of AdGuardHome. Now first I am going to show you how to use AdGuard Home with UNBOUND. Once again I implore you to look at Van Tech Corner OpenWRT AdGuard Home Video Van Tech Corner OpenWRT AdGuardHome

     A - Choose LAN Address For Web Interface - Port 8080 / Choose Localhost ( 127.0.0.1 ) For DNS - Change to Port 5353
     B - enter commands below ( again adjust for your actual LAN IP Address ) :

     ( a ) # uci add_list dhcp.@dnsmasq[-1].server='/pool.ntp.org/129.6.15.30'    ## --- Your router date & time must be correct in order to have successful tls init
     ( b ) # uci add_list dhcp.@dnsmasq[-1].server='127.0.0.1#5353'    # UNBOUND IPV4
     ( c ) # uci add_list dhcp.@dnsmasq[-1].server='::1#5353'    # UNBOUND IPV6
     ( d ) # uci add_list dhcp.@dnsmasq[-1].server='192.168.11.130#8080'    # Port used for Web Interface - use your actual LAN IP
     ( e ) # uci set dhcp.@dnsmasq[-1].noresolv=1    # Use only servers listed here in this file
     ( f ) # uci commit && reload_config

     Note : Go into nano /etc/config/dhcp and modify file as detailed below :

         ### option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

     Make sure you disable (apply "###" in front) of entry above in order to ignore ISP Supplied DNS Servers

     5 - Configure Unbound - My WORKING CONFIG /etc/unbound/unbound_srv.conf ( Adjust For Your Router ) see here: https://nlnetlabs.nl/documentation/unbound/howto-optimise/

         cat >> /etc/unbound/unbound_srv.conf <<UNBOUND_SERVER_CONF
         # Use the root servers key for DNSSEC
         tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
         # use all CPUs
         num-threads: 2
         # more outgoing connections
         # depends on number of cores: 1024/cores - 50
         outgoing-range: 120
         num-queries-per-thread: 30
         max-udp-size: 3072
         # power of 2 close to num-threads
         key-cache-slabs: 1
         # more cache memory, rrset=msg*2
         msg-buffer-size: 8192
         msg-cache-size: 100k
         msg-cache-slabs: 1
         num-queries-per-thread: 30
         rrset-cache-size: 100k
         rrset-cache-slabs: 1
         infra-cache-slabs: 1
         # Larger socket buffer. OS may need config.
         so-rcvbuf: 4m
         so-sndbuf: 4m
         hide-identity: yes
         hide-version: yes
         hide-trustanchor: yes
         harden-glue: yes
         harden-dnssec-stripped: yes
         harden-below-nxdomain: yes
         serve-expired: yes
         serve-expired-ttl: 3600
         neg-cache-size: 10k
         aggressive-nsec: yes
         so-reuseport: yes
         unwanted-reply-threshold: 10000
         target-fetch-policy: "2 1 0 0 0 0"
         val-clean-additional: yes
         ip-ratelimit: 300
         ip-ratelimit-factor: 10
         outgoing-num-tcp: 1
         incoming-num-tcp: 1
         infra-cache-numhosts: 200
         minimal-responses: yes
         rrset-roundrobin: yes
         use-caps-for-id: no
         do-ip6: yes
         do-ip4: yes
         do-tcp: yes
         do-udp: yes
         prefetch: yes
         prefetch-key: yes
         qname-minimisation: yes
         qname-minimisation-strict: yes
         cache-min-ttl: 3600
         cache-max-ttl: 14400
         deny-any: yes
         edns-buffer-size: 1232
         UNBOUND_SERVER_CONF

     then enter these two commands below :

         # uci set 'unbound.@unbound[0].query_minimize=1'
         # uci commit

     6 - Configure Unbound To Use AdGuardHome enter the following below :

         cat >> /etc/unbound/unbound_ext.conf <<UNBOUND_FORWARD_CONF
         server:
         do-not-query-localhost: no
         forward-zone:
         name: "."
         # Allow all DNS queries
         forward-addr: 127.0.0.1@5353
         forward-addr: ::1@5353
         UNBOUND_FORWARD_CONF

     7 - Enter these commands below -

         # Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
         # Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535

     ( a ) # uci set 'dhcp.@dnsmasq[0].port=53535'

         # Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
         # since it does not do this by default when port is configured.

     ( b ) # uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
     ( c ) # uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'

         # Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)

     ( d ) # uci commit && reload_config

         # Restart (or start) unbound (System -> Startup -> unbound -> Restart) - or

     ( e ) # /etc/init.d/unbound enable - then
     ( f ) # /etc/init.d/unbound start

     8 - Disable Sending DNS Requests to ISP Provided DNS Servers

     ( a ) # uci set network.wan.peerdns='0'
     ( b ) # uci set network.wan.dns='127.0.0.1'
     ( c ) # uci set network.wan6.peerdns='0'
     ( d ) # uci set network.wan6.dns='::1'
     ( e ) # uci commit && reload_config

     9 - nano /etc/config/unbound - Configure Main UNBOUND FILE

         config unbound 'ub_main'
             option add_extra_dns '0'
             option add_local_fqdn '1'
             option add_wan_fqdn '1'
             option dhcp4_slaac6 '0'
             option dns64 '0'
             option dns64_prefix '64:ff9b::/96'
             option domain 'your.domain.here'
             option domain_type 'transparent'
             option edns_size '1232'
             option extended_stats '1'
             option hide_binddata '1'
             option interface_auto '1'
             option extended_luci '1'
             option luci_expanded '1'
             option listen_port '53'
             option localservice '1'
             option manual_conf '0'
             option num_threads '2'
             option protocol 'mixed'
             option query_minimize '1'
             option query_min_strict '1'
             option rate_limit '0'
             option rebind_localhost '0'
             option rebind_protection '1'
             option recursion 'aggressive'
             option resource 'medium'
             option root_age '9'
             option
ttl_min '120' option unbound_control '1' option validator '1' option validator_ntp '1' option verbosity '1' list trigger_interface 'lan' list trigger_interface 'wan' option query_minimize '1' list domain_insecure '3.us.pool.ntp.org' list domain_insecure 'your.domain.here' option dhcp_link 'dnsmasq' 10 - Run these three commands to complete UNBOUND ( a ) # unbound-checkconf ( b ) # unbound-control-setup ( c ) # unbound-anchor -a "/etc/unbound/root.key" 11 - Configure AdGuardHome via AdGuardHome.yaml for UNBOUND We will edit the sections listed below : ( a ) dns: ( bind_hosts: ) ( b ) upstream_dns: ( c ) bootstrap_dns: ( d ) all_servers: ( e ) filters: ( f ) # nano /opt/AdGuardHome/AdGuardHome.yaml web_session_ttl: 720 dns: bind_hosts: - 127.0.0.1 - ::1 port: 5353 B - We will edit the sections listed below ( a ) upstream_dns: ( b ) bootstrap_dns: ( c ) all_servers: upstream_dns: - quic://dns.adguard.com:784 - quic://dot-jp.blahdns.com:784 - quic://dot-fi.blahdns.com:784 - quic://dot-sg.blahdns.com:784 - quic://dot-de.blahdns.com:784 - quic://doh.tiar.app:784 - quic://dns.emeraldonion.org:8853 - quic://uk.adhole.org:784 - quic://de.adhole.org:784 - quic://sg.adhole.org:784 - quic://dandelionsprout.asuscomm.com:48582 - quic://dns.arapurayil.com:784 - quic://dns.comss.one:784 - quic://dns.east.comss.one:784 - tls://getdnsapi.net - tls://dns-nyc.aaflalo.me - tls://dns.cmrg.net - tls://dot.ny.ahadns.net - tls://dot.la.ahadns.net - tls://dot.chi.ahadns.net - tls://ordns.he.net - tls://us-east.adhole.org - tls://dns.neutopia.org - tls://dns.digitale-gesellschaft.ch - tls://dot.sb - tls://draco.plan9-ns2.com upstream_dns_file: "" bootstrap_dns: - 1.1.1.2:853 - 1.0.0.2:853 - 2606:4700:4700::1112:853 - 2606:4700:4700::1002:853 all_servers: true Above I used Cloudflare with Malware Blocking DNS using Encryption- if you preferCloudflare Plain DNS then it is : bootstrap_dns: - 1.1.1.1 - 1.0.0.1 - 2606:4700:4700::1111 - 2606:4700:4700::1001 all_servers: true and for Cloudflare 
Plain DOT Servers using Encryption - where you enter your own valid SSL certificates chain for your domain : bootstrap_dns: - 1.1.1.1:853 - 1.0.0.1:853 - 2606:4700:4700::1111:853 - 2606:4700:4700::1001:853 all_servers: true C - Enter the following below for filters : filters: - enabled: true url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt name: AdGuard DNS filter id: 1 - enabled: true url: https://badmojr.github.io/1Hosts/Lite/adblock.txt name: 1Hosts (Lite) id: 1635566025 - enabled: true url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt name: Scam Blocklist by DurableNapkin id: 1625359388 - enabled: true url: https://block.energized.pro/basic/formats/hosts.txt name: Energized Basic Protection id: 1625359389 - enabled: true url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts name: https://github.com/StevenBlack/hosts id: 1625359390 - enabled: true url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt name: https://firebog.net/ - OSINT.digitalside.it id: 1625359391 - enabled: true url: https://v.firebog.net/hosts/Easyprivacy.txt name: https://firebog.net/ - EasyPrivacy id: 1625359393 whitelist_filters: - enabled: true url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt name: https://github.com/anudeepND/whitelist id: 1625359392 user_rules: [] D - From Original Post [HowTo] Running Adguard Home on OpenWrt Adguard Home Regex: Those are really good regex rules which already block 50% of all ads/trackers/bots etc. 
You have to add them to http://192.168.11.130:8080/#custom_rules ( as per this example - use your actual LAN IP )

https://github.com/mmotti/adguard-home-filters/blob/master/regex.txt

Configure Via /opt/AdGuardHome/AdGuardHome.yaml :

nano /opt/AdGuardHome/AdGuardHome.yaml

user_rules:
  - https://github.com/mmotti/adguard-home-filters/blob/master/regex.txt
dhcp:

After configuring AdGuardHome via AdGuardHome.yaml run one or both of the commands below :

a - # /etc/init.d/AdGuardHome restart
b - # /etc/init.d/dnsmasq restart

12 - I strongly recommend enabling Encryption. With Encryption AdGuard Home admin interface will work over HTTPS, and the DNS server will listen for requests over DNS-over-HTTPS and DNS-over-TLS.

For Encryption = Go To Top of AdGuardHome WEB GUI - Settings > Encryption settings then follow the instructions

( a ) - enable Encryption - check the Box
( b ) - Fill in full server name such as this example - freedom.babybaby.mywire.org from my tutorial : Dynu OpenWRT ACME LET’S ENCRYPT
( c ) Certificates : In order to use encryption, you need to provide a valid SSL certificates chain for your domain. You can get a free certificate on LetsEncrypt.org or you can buy it from one of the trusted Certificate Authorities. If you follow my tutorial above you can issue yourself a LetsEncrypt Certificate cost free. Cross referencing my tutorial above your certificate and key would be the following below :

a - /root/.acme.sh/freedom.babybaby.mywire.org/fullchain.cer
b - /root/.acme.sh/freedom.babybaby.mywire.org/freedom.babybaby.mywire.org.key

You have the option to " set the path " ( use a & b above ) or copy and paste them into the appropriate boxes found at the bottom of Encryption settings page.
You must move Luci to different port than 443 see commands below :

c - # nano /etc/config/uhttpd

list listen_https '0.0.0.0:1443'
list listen_https '[::]:1443'

You may now log into Encrypted AdGuardHome WEB GUI - this option is available by entering the following ( from example above ) : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see " green padlock " when logging in / your certificate pulls double duty. Since you moved OpenWRT Admin Port to Port 1443 you may still log into your Luci Encrypted WEBGUI at : https://freedom.babybaby.mywire.org:1443

How To Upgrade Your AdGuardHome Install :

Some claim that you can upgrade from AdGuardHome WEBGUI - it has never worked for me while running OpenWRT. No need to fear - here is how to upgrade when new EDGE Version pops up. Hopefully, if you initially Setup Extroot for your AdGuardHome Install ( that means on a USB Stick ) then all you have to do is grab the new installation by doing exactly what you did when you first installed AdGuardHome. With Extroot - you do not have to worry about any space issues - this is why we recommend Extroot to begin with.

1 - Download the correct AdGuard Home package for your router's processor.

2 - Create a folder to extract the archive into - and use WinRAR, 7Zip, PeaZip or some such file archiver to unzip AdGuardHome_linux_your_router.tar.gz

3 - You will now have a decompressed folder named " AdGuardHome " .

4 - Then issue this command below :

# /etc/init.d/AdGuardHome stop

5 - Fire up WINSCP - open /opt/ directory on the right side of the application - then Drag & Drop the AdGuardHome decompressed folder from the directory you had it in on your desktop. If you know how to use SCP on OpenWRT ( Linux ) you may use that method here as well.
6 - After you drag and drop new AdGuardHome into the /opt/ directory ( overwriting the old installation ) - then enter these commands :

a - # /etc/init.d/AdGuardHome restart
b - # /etc/init.d/dnsmasq restart

You have now upgraded your AdGuardHome Install on OpenWRT.

Peace
Stay Safe and God Bless All Always

PS - I started this journey in order to learn how to use DNS-over-QUIC, or DoQ. In full disclosure I exclusively use DNS-over-QUIC upstream servers with AdGuardHome. Also, I used Encryption for DNS OVER TLS bootstrap servers. So - the whole damn thing ( my DNS ) is encrypted. Special thanks to mercygroundabyss for his devotion to this project, his time and patience for all with inquiries, and most of all his kindness and thoroughness in demeanor and practice. BTW, I certainly will not at all miss having to update the SPKI PIN Keys for DOT SERVERS in the Stubby yaml configuration file.

Bonus Feature: For Those Who Care To PIMP Their AdGuardHome WEBGUI

You must install Stylish Addon To Use AdGuardHome Dark Theme

Firefox addon : https://addons.mozilla.org/en-US/firefox/addon/stylish/
Chrome extension : https://tinyurl.com/yntw4wyw

Go here - For Stylish Dark Themes : Themes & Skins for "adguard"

I use - XENORCHISM

You must enter your LAN IP ADDRESS IN " Customize Settings " Box prior to installation

If you enabled Encryption with a valid SSL certificates chain for your domain - then enter your Full Domain Name in " Customize Settings " Box prior to installation instead of LAN IP. As per this example, Full Domain Name in " Customize Settings " Box see below : freedom.babybaby.mywire.org

You may then access AdGuardHome WEBGUI on port 443 - here is example from above : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see " green padlock " when logging in / your certificate pulls double duty

Here Is What You Get After Install :
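The guide above binds AdGuardHome DNS to 127.0.0.1 and ::1 on port 5353 and lists only quic:// and tls:// upstreams. The script below is an added example, not part of the original post, that checks an AdGuardHome.yaml for those two properties; the function names and the sample config (with a wildcard bind and a plaintext upstream put in on purpose) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an AdGuardHome.yaml for
# two properties the guide relies on.
#   1. dns.bind_hosts names specific addresses, never a wildcard, because a
#      wildcard listens on every interface of the router.
#   2. every upstream_dns entry uses an encrypted transport.
# Only bind_hosts and upstream_dns are examined; other keys are ignored.
# Usage: audit_agh_yaml /opt/AdGuardHome/AdGuardHome.yaml
# Prints one finding per line; returns 1 if anything was found, else 0.

audit_agh_yaml() {
    awk '
    # A "key:" line that is not a list item names the list that follows.
    /^[ \t]*[A-Za-z_]+:/ {
        section = $1
        sub(/:.*$/, "", section)
        next
    }
    # A "- value" list item belongs to the most recent key.
    /^[ \t]*-[ \t]/ {
        val = $0
        sub(/^[ \t]*-[ \t]*/, "", val)
        sub(/[ \t]+#.*$/, "", val)        # drop a trailing comment
        gsub(/"/, "", val)                # drop double quotes
        if (section == "bind_hosts" && (val == "0.0.0.0" || val == "::")) {
            print "bind_hosts: wildcard " val " listens on every interface"
            bad = 1
        }
        if (section == "upstream_dns" && val !~ /^(quic|tls|https|h3|sdns):\/\//) {
            print "upstream_dns: " val " is not an encrypted upstream"
            bad = 1
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample: the loopback binds from the guide, plus one wildcard
# bind and one plaintext upstream (documentation address) to be flagged.
write_sample_yaml() {
    cat > "$1" <<'EOF'
web_session_ttl: 720
dns:
  bind_hosts:
    - 127.0.0.1
    - ::1
    - 0.0.0.0
  port: 5353
  upstream_dns:
    - quic://dns.adguard.com:784
    - tls://getdnsapi.net
    - 192.0.2.53
  upstream_dns_file: ""
  bootstrap_dns:
    - 1.1.1.2
  all_servers: true
EOF
}

tmp=$(mktemp)
write_sample_yaml "$tmp"
audit_agh_yaml "$tmp" || echo "review the findings above before restarting AdGuardHome"
rm -f "$tmp"
```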
  4. Back here one more again - but as you well know, before we can get to the " get-go " - we must indulge ourselves with the time honored tradition of " The Intro " - check out a Soul Classic - https://www.youtube.com/watch?v=9UTqdGZt2_4 and as always lyrics - https://genius.com/Linda-jones-hypnotized-lyrics - and to keep the Groove flowing at the outset - Bounce - https://www.youtube.com/watch?v=CdvITn5cAVc - for the lyrical - https://genius.com/Martha-reeves-and-the-vandellas-dancing-in-the-street-lyrics / OK - now that the foundation has been laid - let us proceed.

AdGuardHome works flawlessly with both OpenVPN and WireGuard protocols. No need for firewall rules or port forwarding with this set up. It works " as is " right " OUT THE BOX ".

Attention : From OG Poster ( brokenpipe ) !!!! It is possible to install AdguardHome under /opt/, but this directory can grow. Old binaries are moved as backup after an update. Blocklists can become relatively large. It is better to move AdGuardHome to a USB stick. So it will survive future OpenWRT updates !!!! That Means Setup Extroot for your AdGuardHome Install If At All Possible

Here is a great deal on 4gb USB 3.0 Drives - Made and Shipped In The Good Ole' USA : USB KEYCHAIN KEY DRIVE 3.0 4 GB

YO ! : I strongly suggest that you watch this video before you begin. Although lengthy - it is very informative and worthwhile. Van Tech Corner OpenWRT AdGuard Home

You also will be able to follow this guide much better - as a ( moving ) picture is worth a thousand words. Follow directions carefully - you will have AdGuard Home up and running on OpenWRT by the end of this guide / tutorial. The setup uses DNSMASQ. I will write up a guide / tutorial incorporating Unbound with AdGuard Home in a soon to be released tutorial.

1 - First you will need to get the appropriate AdGuard Home package for your router's architecture. For example, I have WRT3200ACM, WRT32x, Wrt1900ACS V2, WRT1200AC, and NightHawk R7800.
All of these have ARMv7 processors. You should find out your architecture before proceeding. Now there is a script on AdGuard Home - found here - https://github.com/AdguardTeam/AdGuardHome. However, I have never been able to get the automatic download and install script to work properly. So, I manually download and install AdGuard Home on OpenWRT, because this method is GUARANTEED ! to work.

In order to find your router's Architecture - go to Luci > Status > Overview then under System - on the third line down underneath Model ( indicating your router ) You will find your router's Architecture - for the router I am currently running for example these are the entries below :

Model : Netgear Nighthawk X4S R7800
Architecture : ARMv7 Processor rev 0 (v7l)
Target Platform : ipq806x/generic

You can also enter command below :

# cat /proc/cpuinfo

or you can install hwinfo / opkg update && opkg install hwinfo and issue command below :

# hwinfo ### this will render all the specs for your router - look at the beginning of readout for CPU

2 - There are two channels to download AdGuard Home - Beta and Edge. The consensus on the thread - found here: [HowTo] Running Adguard Home on OpenWrt is to run Edge. As I mentioned earlier, make sure that you download the correct AdGuard Home package for your router's processor. In my case that is the following link - https://static.adguard.com/adguardhome/edge/AdGuardHome_linux_armv7.tar.gz - notice that edge is named in the link.

A - Just copy and paste your correct link in your browser from this section of AdGuard Home - after downloading - you will have AdGuardHome_linux_armv7.tar.gz on your desktop. Create a folder - and use WinRAR, 7Zip, PeaZip or some such file archiver to unzip AdGuardHome_linux_armv7.tar.gz ( remember to choose the proper package for your router ). You will now have a decompressed folder named " AdGuardHome " .
AdguardTeam / AdGuardHome GitHub Home Page Downloads

First, Install These Packages To Get Started - The Main One Needed is sudo - otherwise you will not be able to install AdGuardHome successfully - as always # opkg update

opkg update ; opkg install ca-certificates ca-bundle sudo libustream-mbedtls libustream-openssl libwolfssl libustream-wolfssl luci-ssl px5g-wolfssl wpad-basic-wolfssl luasocket curl libevent2-7 haveged unzip ip-full curl wget libmbedtls12 tar tcpdump-mini

3 - Now we are going to use WINSCP, but first we need to create the default proper directory for AdGuard Home installation. Go into SSH shell - enter command :

A - # mkdir -p /opt/

B - After creating directory, fire up WINSCP - open /opt/ directory on the right side of the application - then Drag & Drop the AdGuardHome decompressed folder from the directory you had it in on your desktop. If you know how to use SCP on OpenWRT ( Linux ) you may use that method here as well. After closing WINSCP - then issue this command

C - # chmod 755 /opt/AdGuardHome/AdGuardHome ## and then enter next command for installation of AdGuardHome

D - # /opt/AdGuardHome/AdGuardHome -s install

You should be seeing something like below. Naturally you may see a different IP Address depending on your network interfaces - but you must use the LAN for initial AdGuardHome Configuration - here it is - http://192.168.11.130:3000

E - Pick out your LAN interface so that you can perform initial configuration of AdGuardHome. Now first I am going to show you how to use AdGuard Home with DNSMASQ alone.
Once again I implore you to look at this particular AdGuard Home Video : Van Tech Corner OpenWRT AdGuard Home

Note: I Corrected Huge Error On This Guide - see below: Choose LAN Address For DNS - Change Port To Port 5353 is the Proper Configuration For Initial AdGuardHome WEBGUI Setup. Please Forgive Me - and we move on

F - Choose LAN Address For Web Interface - Port 8080 / Choose LAN Address For DNS - Change Port To Port 5353

G - Enter commands below ( again adjust for your actual LAN IP Address ). Here we add the IPV4 and IPV6 Local Hosts in order to prevent these interfaces from binding to WAN Interface. See mercygroundabyss comment below.

( 1 ) # uci add_list dhcp.@dnsmasq[-1].server='192.168.11.130#5353' # Port used for DNSMASQ DNS supplied by way of AdGuardHome
( 2 ) # uci add_list dhcp.@dnsmasq[-1].server='192.168.11.130#8080' # Port used for Web Interface
( 3 ) # uci add_list dhcp.@dnsmasq[-1].server='127.0.0.1#5353'
( 4 ) # uci add_list dhcp.@dnsmasq[-1].server='::1#5353'
( 5 ) # uci set dhcp.@dnsmasq[-1].noresolv=1 # Use only servers listed here in this file
# Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
# since it does not do this by default when port is configured.
( 6 ) # uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
( 7 ) # uci commit && reload_config

Next enter These Commands To Disable Sending DNS Requests to ISP Provided DNS Servers :

( 1 ) # uci set network.wan.peerdns='0'
( 2 ) # uci set network.wan.dns='127.0.0.1'
( 3 ) # uci set network.wan6.peerdns='0'
( 4 ) # uci set network.wan6.dns='::1'
( 5 ) # uci commit && reload_config

Note : Go into nano /etc/config/dhcp and modify file as detailed below :

### option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

Make sure you disable ( apply "###" in front of ) the entry above in order to ignore ISP Supplied DNS Servers

Explanation: Here Native DNSMASQ is still on unchanged Port 53.
However, DNSMASQ is using AdGuardHome on Port 5353 for DNS and its own LAN IP ADDRESS for DHCP.

H - Configure AdGuardHome via AdGuardHome.yaml for DNSMASQ

We will edit the sections listed below

( a ) upstream_dns:
( b ) bootstrap_dns:
( c ) all_servers: and
( d ) filters:
( e ) dns: ( bind_hosts: )

EDIT : From mercygroundabyss : Only other gotcha is to manually edit the interfaces (because they will bind to the WAN side for DNS as well - I really should PR that) so manually editing the yaml file once it is up is needed.

Enter the command below and edit file as detailed here :

# nano /opt/AdGuardHome/AdGuardHome.yaml

1 - Enter the following below ( these entries cover dns: ( bind_hosts: ), upstream_dns, bootstrap_dns and sets AdGuardHome DNS in parallel mode )

web_session_ttl: 720
dns:
  bind_hosts:
    - 127.0.0.1
    - 192.168.11.130 # enter your LAN IP ADDRESS HERE
    - ::1
  port: 5353
  upstream_dns:
    - quic://dot-jp.blahdns.com:784
    - quic://dot-fi.blahdns.com:784
    - quic://dot-sg.blahdns.com:784
    - quic://dot-de.blahdns.com:784
    - quic://doh.tiar.app:784
    - quic://dns.emeraldonion.org:8853
    - quic://uk.adhole.org:784
    - quic://de.adhole.org:784
    - quic://sg.adhole.org:784
    - quic://dandelionsprout.asuscomm.com:48582
    - tls://getdnsapi.net
    - tls://dns-nyc.aaflalo.me
    - tls://dns.cmrg.net
    - tls://dot.ny.ahadns.net
    - tls://dot.la.ahadns.net
    - tls://dot.chi.ahadns.net
    - tls://ordns.he.net
    - tls://us-east.adhole.org
    - tls://fdns1.dismail.de
    - tls://dns.neutopia.org
    - tls://dns.digitale-gesellschaft.ch
  upstream_dns_file: ""
  bootstrap_dns:
    - 1.1.1.2
    - 1.0.0.2
    - 2606:4700:4700::1112
    - 2606:4700:4700::1002
  all_servers: true

If you use Encryption - where you enter your own valid SSL certificates chain for your domain then for bootstrap_dns: entry you may enter something like this below for DOT Bootstrap DNS :

  bootstrap_dns:
    - 1.1.1.2:853
    - 1.0.0.2:853
    - 2606:4700:4700::1112:853
    - 2606:4700:4700::1002:853
  all_servers: true

Cloudflare Alternative DNS SERVERS Two Flavors: 1.1.1.2 (No Malware) & 1.1.1.3 (No Malware or Adult Content) See Here Below : 1.1.1.1 for Families

Above is Malware Blocking DNS - if you prefer Cloudflare Plain DNS then it is :

  bootstrap_dns:
    - 1.1.1.1
    - 1.0.0.1
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001
  all_servers: true

and for Cloudflare Plain DOT Servers using Encryption - where you enter your own valid SSL certificates chain for your domain

  bootstrap_dns:
    - 1.1.1.1:853
    - 1.0.0.1:853
    - 2606:4700:4700::1111:853
    - 2606:4700:4700::1001:853
  all_servers: true

2 - Enter the following below for filters

filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://badmojr.github.io/1Hosts/Lite/adblock.txt
    name: 1Hosts (Lite)
    id: 1635566025
  - enabled: true
    url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
    name: Scam Blocklist by DurableNapkin
    id: 1625359388
  - enabled: true
    url: https://block.energized.pro/basic/formats/hosts.txt
    name: Energized Basic Protection
    id: 1625359389
  - enabled: true
    url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
    name: https://github.com/StevenBlack/hosts
    id: 1625359390
  - enabled: true
    url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
    name: https://firebog.net/ - OSINT.digitalside.it
    id: 1625359391
  - enabled: true
    url: https://v.firebog.net/hosts/Easyprivacy.txt
    name: https://firebog.net/ - EasyPrivacy
    id: 1625359393
whitelist_filters:
  - enabled: true
    url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
    name: https://github.com/anudeepND/whitelist
    id: 1625359392
user_rules: []

3 - From Original Post [HowTo] Running Adguard Home on OpenWrt

Adguard Home Regex: Those are really good regex rules which already block 50% of all ads/trackers/bots etc.
You have to add them to http://192.168.11.130:8080/#custom_rules ( as per this example - use your actual LAN IP )

https://github.com/mmotti/adguard-home-filters/blob/master/regex.txt

Configure Via /opt/AdGuardHome/AdGuardHome.yaml :

nano /opt/AdGuardHome/AdGuardHome.yaml

user_rules:
  - https://github.com/mmotti/adguard-home-filters/blob/master/regex.txt
dhcp:

After configuring AdGuardHome via AdGuardHome.yaml run one or both of the commands below :

a - # /etc/init.d/AdGuardHome restart
b - # /etc/init.d/dnsmasq restart

I - If encryption is enabled, AdGuard Home admin interface will work over HTTPS, and the DNS server will listen for requests over DNS-over-HTTPS and DNS-over-TLS.

For Encryption = Go To Top of AdGuardHome WEB GUI - Settings > Encryption settings then follow the instructions

( 1 ) - enable Encryption - check the Box
( 2 ) - Fill in full server name such as this example - freedom.babybaby.mywire.org from my tutorial : Dynu OpenWRT ACME LET’S ENCRYPT
( 3 ) Certificates : In order to use encryption, you need to provide a valid SSL certificates chain for your domain. You can get a free certificate on LetsEncrypt.org or you can buy it from one of the trusted Certificate Authorities. If you follow my tutorial above you can issue yourself a LetsEncrypt Certificate cost free. Cross referencing my tutorial above your certificate and key would be the following below :

a - /root/.acme.sh/freedom.babybaby.mywire.org/fullchain.cer
b - /root/.acme.sh/freedom.babybaby.mywire.org/freedom.babybaby.mywire.org.key

You have the option to " set the path " ( use a & b above ) or copy and paste them into the appropriate boxes found at the bottom of Encryption settings page.
You must move Luci to different port than 443 see commands below :

c - # nano /etc/config/uhttpd

list listen_https '0.0.0.0:1443'
list listen_https '[::]:1443'

You may now log into Encrypted AdGuardHome WEB GUI - this option is available by entering the following ( from example above ) : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see " green padlock " when logging in / your certificate pulls double duty. Since you moved OpenWRT Admin Port to Port 1443 you may still log into your Luci Encrypted WEBGUI at : https://freedom.babybaby.mywire.org:1443

I could not get DNSSEC with AdGuardHome and I tried DNSMASQ-FULL FOR DNSSEC. However this proved to be problematic on several levels. So here is how I solved that issue. First go into AdGuardHome WEBGUI - then Settings > scroll down to DNS server configuration - Enable EDNS client subnet and Enable DNSSEC.

The solution comes from here : Specimen - GETDNS AND STUBBY

From dnsmasq man page:

--proxy-dnssec
Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.

You don't need dnsmasq-full, the DNSSEC validation is being done by stubby, ( in this case AdGuardHome ) this is what the setting "proxy-dnssec" in dnsmasq configuration means.

This Method Works Great ! Enter the five lines shown below at end of file - I am using 10.19.199.111 instead of 192.168.11.130 because I changed routers. Just substitute your actual LAN IP as always.

# nano /etc/dnsmasq.conf - file to edit

no-resolv
proxy-dnssec
server=10.19.199.111#5353
server=127.0.0.1#5353
server=::1#5353

Make sure that Upstream DNS Servers in your /opt/AdGuardHome/AdGuardHome.yaml file - ( and / or AdGuardHome WEBGUI ) support DNSSEC.
Otherwise this method will not work as proxy-dnssec mechanism piggybacks on configured DNS Servers for DNSSEC Validation.

After rebooting, you can verify that DNSSEC is working on AdGuardHome by issuing command:

dig dnssectest.sidn.nl +dnssec +multi @127.0.0.1

So long as you see in the ;; flags: section the ad; entry = ( meaning Authenticated Data ) you are all set and good to go. See example of AdGuardHome ( proxy-dnssec ) DNSSEC in action below :

How to set the DNS query higher than 150 - You will need this - just trust me

# uci set dhcp.@dnsmasq[0].dnsforwardmax=1024
# uci commit dhcp && reload_config

I am used to running UNBOUND so I am accustomed to its caching feature. To increase DNSMASQ cache use one of these two methods:

Via UCI (Unified Configuration Interface) - in shell

# uci set dhcp.@dnsmasq[0].cachesize=8192
# uci commit dhcp

Or edit the /etc/config/dhcp file

nano /etc/config/dhcp

option cachesize '8192'

After installing DNSMASQ-FULL issue the following command so your router's DNSSEC validation starts at boot up :

# uci add_list dhcp.@dnsmasq[-1].server='/pool.ntp.org/129.6.15.30'
# uci commit && reload_config ## --- Your router date & time must be correct in order to have successful tls init

Now restart DNSMASQ and restart AdGuardHome once again:

service dnsmasq restart
service AdGuardHome restart

Then reboot and test for DNSSEC :

# dig dnssectest.sidn.nl +dnssec +multi @127.0.0.1 - you must install bind-tools to use command

If you see next to flags: section the ad; entry then you are good to go see below :

I was going to tackle Unbound on AdGuardHome here but I think that is best covered in a separate guide.

How To Upgrade Your AdGuardHome Install :

Some claim that you can upgrade from AdGuardHome WEBGUI - it has never worked for me while running OpenWRT. No need to fear - here is how to upgrade when new EDGE Version pops up.
Hopefully, if you initially Setup Extroot for your AdGuardHome Install ( that means on a USB Stick ) then all you have to do is grab the new installation by doing exactly what you did when you first installed AdGuardHome. With Extroot - you do not have to worry about any space issues - this is why we recommend Extroot to begin with.

1 - Download the correct AdGuard Home package for your router's processor.

2 - Create a folder to extract the archive into - and use WinRAR, 7Zip, PeaZip or some such file archiver to unzip AdGuardHome_linux_your_router.tar.gz

3 - You will now have a decompressed folder named " AdGuardHome " .

4 - Then issue this command below :

# /etc/init.d/AdGuardHome stop

5 - Fire up WINSCP - open /opt/ directory on the right side of the application - then Drag & Drop the AdGuardHome decompressed folder from the directory you had it in on your desktop. If you know how to use SCP on OpenWRT ( Linux ) you may use that method here as well.

6 - After you drag and drop new AdGuardHome into the /opt/ directory ( overwriting the old installation ) - then enter these commands :

a - # /etc/init.d/AdGuardHome restart
b - # /etc/init.d/dnsmasq restart

You have now upgraded your AdGuardHome Install on OpenWRT.

Peace
Stay Safe and God Bless All Always

PS - I started this journey in order to learn how to use DNS-over-QUIC, or DoQ. In full disclosure I exclusively use DNS-over-QUIC upstream servers with AdGuardHome. Also, I used Encryption for DNS OVER TLS bootstrap servers. So - the whole damn thing ( my DNS ) is encrypted. Special thanks to mercygroundabyss for his devotion to this project, his time and patience for all with inquiries, and most of all his kindness and thoroughness in demeanor and practice. BTW, I certainly will not at all miss having to update the SPKI PIN Keys for DOT SERVERS in the Stubby yaml configuration file.
Bonus Feature: For Those Who Care To PIMP Their AdGuardHome WEBGUI

You must install Stylish Addon To Use AdGuardHome Dark Theme

Firefox addon : https://addons.mozilla.org/en-US/firefox/addon/stylish/
Chrome extension : https://tinyurl.com/yntw4wyw

Go here - For Stylish Dark Themes : Themes & Skins for "adguard"

I use - XENORCHISM

You must enter your LAN IP ADDRESS IN " Customize Settings " Box prior to installation

If you enabled Encryption with a valid SSL certificates chain for your domain - then enter your Full Domain Name in " Customize Settings " Box prior to installation instead of LAN IP. As per this example, Full Domain Name in " Customize Settings " Box see below : freedom.babybaby.mywire.org

You may then access AdGuardHome WEBGUI on port 443 - here is example from above : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see " green padlock " when logging in / your certificate pulls double duty

Here Is What You Get After Install :
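The DNSSEC check in the post above is done by eye: run dig and look for "ad" in the ";; flags:" line. The script below is an added example, not part of the original post, that does the same check mechanically; the function names and the three dig replies are constructed for illustration. With proxy-dnssec the ad bit is the one copied from the upstream, as the quoted dnsmasq man page says, so "validated" here means the upstream validated.

```shell
#!/bin/sh
# Added example (not from the original post): classify a dig reply by the
# "ad" flag in its ";; flags:" line, as the guide does by eye.
# dnssec_status reads dig output on stdin, prints one word and returns:
#   0 validated      the ad (Authenticated Data) flag is set
#   1 not-validated  a reply without the ad flag
#   2 servfail       what a validating resolver returns for a bogus signature
#   3 no-header      the input did not contain a dig header

dnssec_status() {
    awk '
    /^;; ->>HEADER<<-/ {
        for (i = 1; i < NF; i++)
            if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {
        flags = $0
        sub(/^;; flags:[ \t]*/, "", flags)
        sub(/;.*$/, "", flags)            # keep only the flag words
        n = split(flags, f, " ")
        # Compare whole words so that "ADDITIONAL" or "rd" never count as ad.
        for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
    }
    END {
        if (status == "")         { print "no-header";     exit 3 }
        if (status == "SERVFAIL") { print "servfail";      exit 2 }
        if (ad)                   { print "validated";     exit 0 }
        print "not-validated"
        exit 1
    }'
}

# check_resolver NAME SERVER: run the dig command from the guide and classify it.
# Example: check_resolver dnssectest.sidn.nl 127.0.0.1
check_resolver() {
    dig "$1" +dnssec +multi "@$2" | dnssec_status
}

# Constructed dig headers (not captured from a real resolver).
sample_validated() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_unvalidated() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_bogus() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

for s in sample_validated sample_unvalidated sample_bogus; do
    printf '%s: ' "$s"
    "$s" | dnssec_status || true
done
```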