AdGuard Home on OpenWRT

As my home router I am using a “TP-Link Archer C7 (v5)”¹ with OpenWRT² in version 19.07.7. In order to improve the security of my home network (get rid of trackers, advertisement, etc.), I already used Pi-hole³ as a solution in the past.

Unfortunately it was necessary to run Pi-hole as a separate device in my network. Now, with AdGuard Home⁴, it is possible to run a comparable solution to Pi-hole on OpenWRT itself.

There exists a nice HowTo by “brokenpipe” on the OpenWRT forums⁵ on how to run AdGuard Home on OpenWRT. But as the instructions proposed I first added a USB stick, before installing AdGuard Home.

Adding a USB stick to OpenWRT

Again, there exists a nice page in the documentation of OpenWRT⁶, which explains the necessary steps. The USB stick is a new device, therefore it already contains a partition table with one partition. I executed the following commands on my router:

opkg update && opkg install block-mount e2fsprogs kmod-fs-ext4 kmod-usb-storage kmod-usb2 kmod-usb3
mkfs.ext4 /dev/sda1
block detect | uci import fstab
uci set fstab.@mount[0].enabled='1' && uci set fstab.@global[0].anon_mount='1' && uci commit fstab
/etc/init.d/fstab boot

Afterwards the USB stick is always accessible via /mnt/sda1/, also after a reboot.

Installing AdGuard Home

After having secured storage for AdGuard Home, I basically followed the previously mentioned HowTo⁷. First install necessary packages to make downloading via wget possible:

opkg update && opkg install libustream-wolfssl ca-certificates

Afterwards download and extract AdGuard Home (my home router uses the “mips” architecture):

cd /mnt/sda1/
wget -c 'https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.106.3/AdGuardHome_linux_mips_softfloat.tar.gz'
tar xfvz AdGuardHome_linux_mips_softfloat.tar.gz

Last step is installation:

cd AdGuardHome/
./AdGuardHome -s install

Afterwards AdGuardHome is installed and an installation wizard is accessible via the port number 3000. When using the -s install parameter, additionally an init-script is placed in /etc/init.d/, which is used to automatically start AdGuard Home after reboot and it can be used to e.g. restart AdGuard Home when necessary. For the first time configuration of AdGuard Home, I set the web interface to the port number 8080 and the DNS port 5353.

Configuration

The configuration is based on the idea, that every dns query is handled directly by AdGuard Home (via port 53), but DHCP and “local PTR” (resolution from local ip address to hostname) queries are still handled by OpenWRT. Therefore making it necessary to change the port number of dnsmasq to e.g. 1053.

Changes to OpenWRT

Since I’m also interested in (again) changing from a forward DNS resolver to a recursive one (like in my previous setup), I already skimmed through the README.md file of unbound for OpenWRT⁸. There you can find out (among others) how one can change the port number of dnsmasq to 1053. I more or less just deployed the “Parallel dnsmasq”⁹ approach, while leaving out the unbound configuration. Caution: As described in the README, it was necessary to set list dhcp_option 'option:dns-server,0.0.0.0', otherwise no DNS server was distributed via DHCP in my LAN anymore.

Changes to AdGuard Home

In /mnt/sda1/AdGuardHome/AdGuardHome.yaml it was necessary to change the bind_hosts and port:

…
dns:
  bind_hosts:
  - ::1
  - 127.0.0.1
  - 192.168.63.1
  port: 53
…

Adding localhost to bind_hosts is necessary, otherwise OpenWRT isn’t able to resolve DNS queries anymore. Caution: You’ll probably need to replace 192.168.63.1 in bind_hosts as this is the address of the LAN interface in my OpenWRT setup.

Additionally (via the web interface) I changed the “Upstream DNS servers” to the ones provided by my ISP and set the “Bootstrap DNS servers” to the same addresses. As “Private DNS servers” I set 127.0.0.1:1053, therefore forwarding “local PTR” queries to OpenWRT.