AdGuardHome Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI) cont.

Can you elaborate on this? This router was set up from "scratch". I did an initial base setup, updated to Merlin 388.2, did a full reset. I then did a format on the usb ssd drive before proceeding to do the amtm entware install and setup.
So you didn't keep the same entware installation? You completely wiped the SSD and started fresh with everything?
 
This is my current Path settings:

RT-AX86U_Pro-B190:/tmp/home/root# echo $PATH
/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/Smokey613:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
What is your terminal output of running this command?

pip3 install bcrypt

Here is an example of what you should expect to see.

[Attached image: 1682084436269.png]
 
Ok…. I wiped the usb drive and started over. Installed entware, created swap file and installed AGH.

Success!!!!

Now I can login to the admin web.

Thanks @SomeWhereOverTheRainBow for your assistance!
 
I am still puzzled why I needed to start over on the usb drive as I had already done that when I initially set this new router up. Maybe it needed the updated PATH variable all along even before I installed any scripts originally.

There was no way for me to know that ahead of time. Maybe a check for proper PATH could be included in the install script?
 
So you didn't keep the same entware installation? You completely wiped the SSD and started fresh with everything?
Yes, I started completely fresh as I was setting up a new router and new usb ssd drive.
 
Entware can be a quirky beast... and when things start going south, it seems to become a domino effect. Seemed to happen to me a while back when common programs would stop working and showing a "tainted" message in the syslog. And when you have these scares like as of late, such as when you install an entware version update, you could be facing a situation where it might break things even further. I'm always being cautiously optimistic that I might have better luck running this all from an SSD than I did from a flashdrive.
 
Hoping someone can just give me an accelerated primer here: I used to run Diversion, but moved away from it as it caused a bunch of issues with my wife's mobile games and I decided to just run a local ad block on my laptop. Been thinking of another central solution and think I prefer to try out AdGuard than go back to Diversion.

My router is pretty heavily customized, and I don't use it for DHCP for my main network (it does provide DHCP to some guest networks). I'm trying to figure out exactly how AdGuard functions with clients, DNS, reverse lookups etc. I read their setup page and a page on a blog, but it doesn't seem to talk much about client configuration. How does Adguard function alongside the built-in dnsmasq server on Merlin? Does dnsmasq answer the queries and then immediately forward to the AdGuard on the same box to do the recursive DNS lookups?

I do use dnsmasq on Merlin as my clients' primary DNS server, and dnsmasq is configured to forward all requests to my internal domain (Active Directory) to those DNS servers. I am just trying to figure out the basic way the traffic is routed.

In short, I'm not seeing in the main pages/docs here any real information on how to configure this after it is installed and would like a reference to all of that before I begin.

Also, does anyone have a rough estimate on cpu and RAM footprint?

thanks
 
Sounds like you would be better staying with Diversion because of the complexity of your setup, and the amount of work you might possibly have to do to get everything to function properly with AdGuardHome like it currently does with just your dnsmasq. From a historical point of view, AdGuardHome may prove to be too much on your RAM footprint (not so much the CPU). AdGuardHome can easily cause OOM situations because of its need to adjust its virtual memory size percentage over the life of a single runtime (this is because of the requirement to update and load block lists and filters behind the scenes).
 
Thanks. Assuming other people are using it on 68Us I don't expect there will be an issue on mine. I actually have fairly low memory utilization so don't want that to be the initial reason not to try.
So to that effect, all my original questions still stand. Diversion simply adds 127.0.0.1 entries into the hosts file and therefore doesn't really run anything other than dnsmasq. I want to understand the architecture of AdGuard and especially how it interacts with dnsmasq.

From the AGH OpenWRT page it states:
If you currently have dnsmasq or unbound installed, you should move these services to an alternative port and have AGH use DNS port 53 with upstream DNS resolvers of your choice configured. This wiki recommends keeping dnsmasq/unbound as your local/PTR resolver for Reverse DNS.

So does this installer actually do that on Merlin as well? Does it move dnsmasq to an alternate port or disable it entirely? I would think that not having dnsmasq as the primary on 53 would cause all sorts of issues with the stand alone router configuration as well as other third party configuration tools which may rely on it. Is dnsmasq even still required if using AGH or can it be a complete replacement?

How fully functional of a DNS server is AGH? My main concern right now is that with dnsmasq I have several server=x/x commands which direct certain domains (my internal AD) back to those DNS servers for resolution. I'm sure I can figure all of this out once it is on my box, but I'm aiming for as small amount of downtime as possible and would prefer to understand the working pieces prior to starting the install.

thanks
 
The only service dnsmasq serves on port 53 is DNS resolution itself; DHCP is handled by a different port. The dnsmasq DNS port is changed to port 553, and AdGuardHome becomes the DNS service on port 53. Dnsmasq advertises the router's address on port 53 through dnsmasq DHCP options (done via a different port) to clients, which tells the client that DNS is served by the router at port 53 (AdGuardHome). For local requests and local name resolution, AdGuardHome is told to communicate back to dnsmasq (at port 553) for client information that is communicated to it via DHCP.
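A way to confirm the port split described in the post above from the router's shell, as an added example that is not part of the original post or of the installer. The listener table is a constructed sample, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `netstat -lnup`-style output (not captured from a real router).
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:53       0.0.0.0:*        LISTEN  2311/AdGuardHome
udp        0      0 0.0.0.0:53       0.0.0.0:*                2311/AdGuardHome
udp        0      0 0.0.0.0:553      0.0.0.0:*                1842/dnsmasq
udp        0      0 0.0.0.0:67       0.0.0.0:*                1842/dnsmasq'

# Print the program name(s) listening on <proto> <port>; listener table on stdin.
listeners_on() {
    awk -v proto="$1" -v port="$2" '
        index($1, proto) == 1 {            # also matches udp6/tcp6 rows
            n = split($4, a, ":")          # port is the text after the last colon
            if (a[n] == port) {
                prog = $NF                 # last column is PID/Program
                sub(/^[0-9]+\//, "", prog)
                print prog
            }
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 only when the table matches the layout described in the post:
# AdGuardHome alone on udp/53, dnsmasq alone on udp/553.
check_dns_split() {
    table="$1"; rc=0
    on53=$(printf '%s\n' "$table" | listeners_on udp 53)
    on553=$(printf '%s\n' "$table" | listeners_on udp 553)
    [ "$on53" = "AdGuardHome" ] || { echo "udp/53 owned by: ${on53:-nobody}"; rc=1; }
    [ "$on553" = "dnsmasq" ]    || { echo "udp/553 owned by: ${on553:-nobody}"; rc=1; }
    return $rc
}

# On a router (assumes a netstat build with -p support):
#   check_dns_split "$(netstat -lnup 2>/dev/null)"
```

A non-zero return with both programs listed for udp/53 means dnsmasq was not moved off the DNS port.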
 
Thanks. I didn't realize that they offered a fully stand-alone Windows version that is super easy to set up. I am playing with that for now to try and get familiar with all the basic setup before I even try to put it on the router. In the end I may choose not to and just keep a Windows installation.
Right now I'm having an issue with it not resolving IPv6 names that are generated over SLAAC, which really lessens the functionality of the service since all you see are IPv6 addresses. This of course is a problem for AdGuard solely, and I do see some bugs associated with this on GitHub.

Before this I was looking at the installer .sh file trying to see how it was going to set it up. I'm a bit concerned, because on first glance it looks like it may do some destructive things without warning. For instance it appears to see if apache is installed (via Entware) and if so it looks like it just totally removes it. This could be...er...problematic if apache is actually in use. I also see it configures other dependencies like python, go, bcrypt in addition to downloading AdGuard. I can't find anywhere on AdGuard's site that these dependencies are required. I of course haven't tried installing from scratch on my router yet, so it may very well be these are required...and I might prefer this route because I don't really like an installer adding/removing a bunch of packages without notifying it's doing this.
 
Right now I'm having an issue with it not resolving IPv6 names that are generated over SLAAC, which really lessens the functionality of the service since all you see are IPv6 addresses. This of course is a problem for AdGuard solely, and I do see some bugs associated with this on GitHub.
This is a big privacy concern with AdGuardHome as well because they will ask the upstream DNS (and possibly your ISP) you are using for information about the IPv6 address using WHOIS. I believe there is a way to disable the WHOIS approach, but you need to edit the .yaml file. I recommend looking at their wiki carefully before deciding to do such.

Before this I was looking at the installer .sh file trying to see how it was going to set it up. I'm a bit concerned, because on first glance it looks like it may do some destructive things without warning. For instance it appears to see if apache is installed (via Entware) and if so it looks like it just totally removes it. This could be...er...problematic if apache is actually in use. I also see it configures other dependencies like python, go, bcrypt in addition to downloading AdGuard. I can't find anywhere on AdGuard's site that these dependencies are required. I of course haven't tried installing from scratch on my router yet, so it may very well be these are required...and I might prefer this route because I don't really like an installer adding/removing a bunch of packages without notifying it's doing this.
I am going to be removing the apache code pretty soon; however, the bcrypt and python distributions are for generating the encrypted password for AdGuardHome. The Go packages are only installed to provide the same thing if python fails to install or is unavailable in entware for that particular architecture. Originally I used htpasswd from apache-utils to generate the password. However, this installed apache on people's routers (big security problem if you're not actually using it correctly). The installer only uninstalls apache if it was originally used to install it (on the next update I will probably remove this). So, I switched to installing bcrypt through python packaging (or alternatively through Go if python doesn't work). All of this is to generate the encrypted password for users to log into AdGuardHome WebUI (and change the password through the installer whenever they like).

So to recap,

  • Uninstall of Apache-utils is present to remove a prior bad method used for generating the password for AdGuardHome (this was an idea contributed by a user that I should have considered better before deciding to use; originally we used the Go package for bcrypt password generation, but compiling in Go was taxing to some model routers).
  • Install of python3, python3-pip and python3-bcrypt, all for compatibility of generating (and user edit-ability of) the AdGuardHome password via the AdGuardHome Installer Menu; this method by far is the easiest, quickest, and safest password generation method.
  • As a last resort, install of go for the bcrypt password generation package if the python package method is unavailable to the user (this does not get installed unless the python method isn't available).
 
Where is the cache file located for Adguard Home?
 
An FYI for both Diversion and Adguard, both do not work when WAN Aggregation is being used. Diversion stats show no ad blocking under both Lite and standard. Adguard stats show it blocking ads but all come through anyhow.

RT-AX86U on 388.2 running AMTM, 2GB Swap File
 
Oh hold on, I am sorry, I think I forgot to mention that somewhere...

[Attached image: 1683095109585.png]

WAN aggregation in this instance falls under the "dual-wan" environment, since Asuswrt utilizes the same code for both of them. I am sure the issue is similar in this instance.

If you are interested in getting it to work, I suggest you follow this tutorial and adapt the changes needed to match your setup.


Then it will work.

You will be hard-pressed to find an addon script that has been adapted to a dual-WAN configuration, whether it is aggregated or not, except for the WAN failover script.
 
This is a big privacy concern with AdGuardHome as well because they will ask the upstream DNS (and possibly your ISP) you are using for information about the IPv6 address using WHOIS. I believe there is a way to disable the WHOIS approach, but you need to edit the .yaml file. I recommend looking at their wiki carefully before deciding to do such.

Thanks for the info. I put AdGuard on hold for a bit as I am trying to work out some IPv6 issues in order to get the name resolution I desire. I've seen something in the issue tracker about privacy concerns, but I'm not entirely sure they are warranted. If you are using GUAs in your environment, the idea is they are publicly routable anyway - so there should not be a concern if those are made visible to the outside.
It seems the concern should only be with stateless/SLAAC addressing when privacy extensions are not enabled. In which case a device's MAC might get leaked. Or perhaps the concern is simply tracking based on IP - whereas with IPv4 and NAT you simply know that the device is originating from the single public IP, here you know the specific GUA accessing. I wrote my observations up here:

I'm interested in specifically how you judge this as a privacy concern? Of course I agree that the WHOIS approach should be able to be disabled if you choose not to use it. I could not find anything about doing this, but I assume (since you reference the YAML) that the appropriate section is:

Code:
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true

Because I could not find anything about it, I don't know what the danger is of disabling WHOIS. I think the only time having WHOIS might be useful is if you are running a publicly accessible AdGuard server and accessing it from outside your network where an incoming client might not be registered. However since it is unlikely that another external client has a PTR record, it seems the best you are going to get with WHOIS is an OrgName. I suppose that's better than nothing, but it's not much :)

I am going to be removing the apache code pretty soon; however, the bcrypt and python distributions are for generating the encrypted password for AdGuardHome. The Go packages are only installed to provide the same thing if python fails to install or is unavailable in entware for that particular architecture. Originally I used htpasswd from apache-utils to generate the password. However, this installed apache on people's routers (big security problem if you're not actually using it correctly). The installer only uninstalls apache if it was originally used to install it (on the next update I will probably remove this). So, I switched to installing bcrypt through python packaging (or alternatively through Go if python doesn't work). All of this is to generate the encrypted password for users to log into AdGuardHome WebUI (and change the password through the installer whenever they like).

Good to know. I have some concerns about the additional packages mostly because I have some other outside constraints (which I won't detail here) about the Entware install getting too large, but I don't actually know if this will be a problem or not for me.
I wasn't personally worried about Apache - because I'm not using it - I was just concerned on my first quick glance through of the code base that I saw it was getting removed.

What mechanism do/can you use to ensure that Apache only gets removed if it was installed by the installer itself?
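One mechanism that satisfies the requirement raised in the question above, shown as an added example and not as code from the installer discussed in this thread: record a package in an ownership manifest only when the installer itself added it, and refuse to remove anything not in that manifest. The manifest path and all function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical manifest of packages this installer added (path is an assumption).
MANIFEST="${MANIFEST:-/opt/etc/example-installer/owned-packages}"

# Thin wrappers around Entware's opkg so the logic below stays testable.
pkg_is_installed() { opkg list-installed 2>/dev/null | grep -q "^$1 - "; }
pkg_install()      { opkg install "$1"; }
pkg_remove()       { opkg remove "$1"; }

# Install a dependency; record it only if it was absent before this run.
install_owned() {
    pkg="$1"
    if pkg_is_installed "$pkg"; then
        return 0    # already present: the user's package, never recorded
    fi
    pkg_install "$pkg" || return 1
    mkdir -p "$(dirname "$MANIFEST")"
    grep -qxF "$pkg" "$MANIFEST" 2>/dev/null || printf '%s\n' "$pkg" >> "$MANIFEST"
}

# Remove a dependency only when the manifest proves this installer added it.
remove_owned() {
    pkg="$1"
    if ! grep -qxF "$pkg" "$MANIFEST" 2>/dev/null; then
        echo "skip $pkg: not installed by this installer"
        return 1
    fi
    pkg_remove "$pkg" || return 1
    # Drop the entry so a later manual install is not mistaken for ours.
    grep -vxF "$pkg" "$MANIFEST" > "$MANIFEST.tmp" || true
    mv "$MANIFEST.tmp" "$MANIFEST"
}
```

A package that was on the system before the installer ran is never written to the manifest, so `remove_owned` leaves it in place and reports the skip instead of removing it silently.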
 
