
Beginner in OpenWRT : Can't set Adguard home as my DNS for all my networks

Hi,

I am new to OpenWRT and managed to have my network configured as well as a guest network. Now I'm trying to put everything behind Adguard Home. I tried to follow this guide : https://openwrt.org/docs/guide-user/services/dns/adguard-home#installation

But after doing so I have 2 problems :

  1. The guest network no longer has DNS access (so no internet)

  2. OpenWRT doesn't have internet access (so it can't download opkg packages for example)

Adguard works only for my main network. Could someone help me to set it up properly ? I can't find how.

I made a post about this with my whole config : https://forum.openwrt.org/t/adguard-home-as-my-primary-dns-doesnt-work-for-guests/155083

By the way, I am new to OpenWRT so if you see errors or bad things in my config, or have tips to improve it, I'm very interested.

Thanks in advance for any answer, have a great day


By default inbound connection on WAN should be blocked. You also don’t have TLS enabled (which would need a cert anyway) so it won’t conflict with 443 for uhttpd/ha.

The ports that can be used by AGH are:

  • 53 (unencrypted DNS)

  • 443 (DoH)

  • 853 (DoT/DoQ)

The alternative is to define multiple bind_hosts (apparently):

https://forum.openwrt.org/t/solved-adguard-home-and-vlans-that-cant-access-the-internet/151507

— Starfox

By default inbound connection on WAN should be blocked.

I ran the 0.0.0.0 configuration for 24 hours and found a few IP addresses (mostly of the v6 variety) that I didn't recognize in my logs under Top Clients. I cannot say for certain that I was serving the entire wide world since I only had logging on for a short time this morning, but I was very spooked.

I've since done this:

    bind_hosts:
      - ::1
      - 127.0.0.1
      - [router-localIP]

and my devices and router can access the internet, and the devices that show up in the client are all lan devices and none of the weird IPv6 addresses that were not my own.
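The change described in the comment above can be checked mechanically. The script below is an added example, not part of the thread or of AdGuard Home: it reads the `bind_hosts` list from a config file and reports whether any entry is a wildcard address. It assumes `bind_hosts` is written as a block-style YAML list as in the snippet above; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the bind_hosts list of an AdGuard Home YAML config.
# Assumption: bind_hosts is a block-style list, one "- address" per line.

# Print each bind_hosts entry on its own line.
list_bind_hosts() {
    awk -v q="'" '
        /^[ \t]*bind_hosts:[ \t]*$/ { inlist = 1; next }
        inlist && /^[ \t]*-/ {
            line = $0
            sub(/^[ \t]*-[ \t]*/, "", line)          # drop the "- " marker
            sub(/[ \t]+#.*$/, "", line)              # drop a trailing comment
            sub(/[ \t]+$/, "", line)                 # drop trailing blanks
            gsub(/"/, "", line); gsub(q, "", line)   # drop quotes
            print line
            next
        }
        inlist && /^[ \t]*$/ { next }                # blank line inside list
        inlist { inlist = 0 }                        # any other key ends it
    ' "$1"
}

# Print entries that listen on every interface; status 0 if any exist.
wildcard_bind_hosts() {
    list_bind_hosts "$1" | grep -E '^(0\.0\.0\.0|::|\[::\])$'
}

# Verdict: 0 = specific addresses only, 1 = wildcard present, 2 = no list.
audit_agh_bind() {
    [ -n "$(list_bind_hosts "$1")" ] || { echo "UNKNOWN: no bind_hosts in $1"; return 2; }
    if bad=$(wildcard_bind_hosts "$1"); then
        echo "WARN: listening on all interfaces: $(echo $bad)"
        return 1
    fi
    echo "OK: bound only to: $(list_bind_hosts "$1" | tr '\n' ' ')"
}

# Constructed sample configs; 192.168.1.1 stands in for the router's LAN IP.
demo() {
    dir=$(mktemp -d)
    printf 'dns:\n  bind_hosts:\n    - 0.0.0.0\n  port: 53\n' > "$dir/open.yaml"
    printf 'dns:\n  bind_hosts:\n    - ::1\n    - 127.0.0.1\n    - 192.168.1.1\n  port: 53\n' > "$dir/lan.yaml"
    audit_agh_bind "$dir/open.yaml" || true
    audit_agh_bind "$dir/lan.yaml" || true
    rm -rf "$dir"
}
demo
```

A wildcard entry is not proof of exposure by itself, since the firewall may still block WAN-side queries; the check only shows which addresses the resolver is willing to answer on.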

Sorry for the very late reply, I have been very busy these days.

Thanks a lot for your help ! I re-made my whole openwrt config, along with Adguard, and it now correctly listens on all interfaces! Thank you so much !

The only thing left I would like to activate is DoH or DoT. But I already have a lot of webservices hosted on a Raspberry Pi, with Caddy as my reverse proxy, which means my 80 and 443 ports are already redirected to the Raspberry. Adguard tells me that port 443 is not available. Is there a way out of this? How can I make it available?

What is the best way to get auto-renewable certs for Adguard on openwrt? Before I was using the DoH addon for openwrt, that was taking care of everything by itself. Is there a way to get something similar with adguard?

Thanks in advance and have a great day


You can enable DoH but you’d have to listen on a different port, and specify that port in the URI as well. Nothing should be listening on 853 so you can use that for DoT. The alternative would be to install nginx and redirect to individual services via reverse proxy.

I use ACME to get certs for uhttpd, and point to the cert file within AGH itself so I have DoH/DoT. The only downside is that it won’t use the updated cert until AGH is restarted, could be automated via cron if strictly necessary.

— Starfox

OK, thanks a lot for the explanations. I will try this this evening. But I noticed something strange this morning: yesterday, I had everything working perfectly and I correctly had DNS from adguard on my guest network (as I've set it to listen on all interfaces). But this morning, it no longer works. Guests don't have any DNS access. That's strange because I tested it and didn't change anything in between. Could you help me with that? I also don't have any ipv6 incoming. There could be something wrong with my firewall but I can't find what. Here is my config:

Network:

https://pastebin.com/dLZfRmsK

Firewall

https://pastebin.com/b9dTa929
