AdGuardHome Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI) cont.

[chongnt]

Also, how do I access your GUI? None of those links are properly working from my end..

To access the GUI, use your router LAN IP and the bind port when you set up AdGuard Home.
http://<your router ip>:<bind_port>/

 

[chongnt]

Trying to implement also this setting on the AGH to use Unbound, but get error about syntax... Should I use actual port instead of "unbound-listenport" argument ?

Instead of "127.0.0.1:unbound-listenport", you need to put in the actual port number. For example: 127.0.0.1:53535
If you are using unbound manager, you can run unbound_manager advanced, and query the port

A:Option ==> oq port

unbound-control 'port' '53535'

 

[SomeWhereOverTheRainBow]

Trying to implement also this setting on the AGH to use Unbound, but get error about syntax... Should I use actual port instead of "unbound-listenport" argument ?

Yes , change the argument to correct port number . I put that arguement there so you would have some indication on where the port number goes.

 

[xmanyes]

Ok.. thank you both SWOTR & chongnt for the obvious... I did try also with ports.

Apparently there's some "magic" involved... my port in Unbound is 53535 (oq port in advance), but in AGH all settings under "Upstream DNS servers" are set to :553 and if I try to go with 127.0.0.1:53535 all network clients would be left without DNS resolution and every webpage not entered by IP ends in error, if I use :553, everything gets back to normal...

 

[SomeWhereOverTheRainBow]

Ok.. thank you both SWOTR & chongnt for the obvious... I did try also with ports.

Apparently there's some "magic" involved... my port in Unbound is 53535 (oq port in advance), but in AGH all settings under "Upstream DNS servers" are set to :553 and if I try to go with 127.0.0.1:53535 all network clients would be left without DNS resolution and every webpage not entered by IP ends in error, if I use :553, everything gets back to normal...

Nooooo the only one you need to change to 53535 is the one specifically for unbound. The other ones are for dnsmasq and should be left at 553. So unbound ones should look like



127.0.0.1:53535
tcp://127.0.0.1:53535

All servers above these two need to be left as :553 which is their intended purpose.

I am trying to figure out where those wires got crossed.

 

[xmanyes]

... the wires got crossed because I am newbie

 

[xmanyes]

It works perfectly oK with your settings:


127.0.0.1:53535
tcp://127.0.0.1:53535

Just would like to check if there should be some other settings for the "Bootstrap DNS servers" (9.9.9.9 and 1.1.1.1 in my case) and for "private reverse DNS servers" - now they look "default":


[::]:553
[/10.in-addr.arpa/][::]:553
[/168.192.in-addr.arpa/][::]:553

I am sure these "hints" would help others as well.

 

[SomeWhereOverTheRainBow]

It works perfectly oK with your settings:


127.0.0.1:53535
tcp://127.0.0.1:53535

Just would like to check if there should be some other settings for the "Bootstrap DNS servers" (9.9.9.9 and 1.1.1.1 in my case) and for "private reverse DNS servers" - now they look "default":


[::]:553
[/10.in-addr.arpa/][::]:553
[/168.192.in-addr.arpa/][::]:553

I am sure these "hints" would help others as well.

Those are fine, nothing else needs to be done there. Aside from the boot strap resolvers which is for use only by DoH to create initial encryption, those are strictly for local client name resolution services. They are intentionally pre-configured by the installer to save users the extra time of having to figure it
out themselves. But it is clear by the many times I have had to explain this throught out these threads that all this is doing is creating unnecessary confusion. I may consider removing them in the future for users to have a more purely self taught experience.

 

[SomeWhereOverTheRainBow]

Trying to implement also this setting on the AGH to use Unbound, but get error about syntax... Should I use actual port instead of "unbound-listenport" argument ?

AdGuardHome-Unbound-Manager Guide:

Many thanks to @Martineau , & Install Unbound-Manager using easy-mode. No need for installation of any of the extra unbound features such as statistics, unbound-adblock, dot integration, or dns-firewall:

Unbound-Asuswrt-Merlin/Readme.md at master · MartineauUK/Unbound-Asuswrt-Merlin

Install and manage unbound (Recursive DNS) on Asus routers - MartineauUK/Unbound-Asuswrt-Merlin

github.com

Alternatively Users can choose to integrate using @dave14305 beautiful Unbound-Merlin-UI :

GitHub - dave14305/Unbound-Merlin-UI: ASUSWRT-Merlin Unbound User Interface

ASUSWRT-Merlin Unbound User Interface. Contribute to dave14305/Unbound-Merlin-UI development by creating an account on GitHub.

github.com

Just to recap for future user confusion:

Here is everything @xmanyes changed to make unbound-manager compatible (or simply unbound) for AdGuardHome upstream

For those who cry without having an IPV6 upstream:

Additional Notes:

Port 53535 may be different with @dave14305 port number which can be cleanly modified from Unbound-Merlin-UI. Please adapt port according to what your unbound port is actually set to.

 

[steef84]

Installed this package with no errors for now for some time, however I don't get 1 thing to work.

When remotely connecting via OpenVPN server to my router running AGH my external devices don't seem to go trough ADH service. Ads are visible everywhere. I found on the former AGH thread that "Advertise DNS to clients" has to be set to "NO" in the OpenVPN server settings. But I still see ads with this setting. Any pointers for me? Local clients over my networks are working as supposed!

 

[chongnt]

Installed this package with no errors for now for some time, however I don't get 1 thing to work.

When remotely connecting via OpenVPN server to my router running AGH my external devices don't seem to go trough ADH service. Ads are visible everywhere. I found on the former AGH thread that "Advertise DNS to clients" has to be set to "NO" in the OpenVPN server settings. But I still see ads with this setting. Any pointers for me? Local clients over my networks are working as supposed!

Not sure where you read that "Advertise DNS to clients" has to set to "No". It should be set to Yes for DNS request will go through your router, so that AGH is in the picture. In custom configuration, you may also add push "block-outside-dns"

 

[SomeWhereOverTheRainBow]

Installed this package with no errors for now for some time, however I don't get 1 thing to work.

When remotely connecting via OpenVPN server to my router running AGH my external devices don't seem to go trough ADH service. Ads are visible everywhere. I found on the former AGH thread that "Advertise DNS to clients" has to be set to "NO" in the OpenVPN server settings. But I still see ads with this setting. Any pointers for me? Local clients over my networks are working as supposed!

Yes for using the site tunnel to your router, you must advertise dns to clients. Otherwise you will be using the dns service of the device themselves which would bypass the routers dns.

I think you might have confused the directions for when connecting your router as VPN client of a vpn server, which uses different directions.

The information in the image above relates to connecting the router and router clients to an upstream vpn server. They are not related to using the router as a site tunnel.

 

[SomeWhereOverTheRainBow]

Not sure where you read that "Advertise DNS to clients" has to set to "No". It should be set to Yes for DNS request will go through your router, so that AGH is in the picture. In custom configuration, you may also add push "block-outside-dns"

While this extra step I am going to provide should not be necessary with the default site tunnel settings.

Let's say the ip address of the site tunnel is 10.9.0.1 on its tun interface. In this instance Adguardhome listens on all interfaces.

We could simply push a dhcp option dns.

push "dhcp-option DNS 10.9.0.1"

 

[jorgsmash]

AdGuardHome-Unbound-Manager Guide:

Many thanks to @Martineau , & Install Unbound-Manager using easy-mode. No need for installation of any of the extra unbound features such as statistics, unbound-adblock, dot integration, or dns-firewall:

Unbound-Asuswrt-Merlin/Readme.md at master · MartineauUK/Unbound-Asuswrt-Merlin

Install and manage unbound (Recursive DNS) on Asus routers - MartineauUK/Unbound-Asuswrt-Merlin

github.com

Alternatively Users can choose to integrate using @dave14305 beautiful Unbound-Merlin-UI :

GitHub - dave14305/Unbound-Merlin-UI: ASUSWRT-Merlin Unbound User Interface

ASUSWRT-Merlin Unbound User Interface. Contribute to dave14305/Unbound-Merlin-UI development by creating an account on GitHub.

github.com

Just to recap for future user confusion:

Here is everything @xmanyes changed to make unbound-manager compatible (or simply unbound) for AdGuardHome upstream

View attachment 44293

For those who cry without having an IPV6 upstream:

View attachment 44294

Additional Notes:

Port 53535 may be different with @dave14305 port number which can be cleanly modified from Unbound-Merlin-UI. Please adapt port according to what your unbound port is actually set to.

Is running AdGuardHome with Unbound recommended over running Diversion, DNScrypt-proxy, and Unbound (my current setup)? I've been reading around trying to find out if running all three of these is a good idea or if they even work well together. Currently I have DNScrypt-proxy installed and going through the setup, I think I have DoT configured. Not really sure how I can be sure of that. I also installed Unbound recently and used the options to enable ad blocking and DNS-firewall. I was doing some testing on my wife's Mac using Safari (garbage) and I was still getting lots of ads. So I enabled Diversion.

Will running Unbound with ad-block enabled and also running Diversion side-by-side compliment each other? Or are they competing? Will one catch an ad that the other might not have or how do they work together? I understand Diversion and DNS-crypt use dnsmasq, and AGH does not. So diversion and DNS-crypt would be out of the question if I switched to AGH + Unbound.

I just stumbled across this and it definitely looks interesting. Is there anything wrong with my existing setup or is it recommended to switch over to AGH + Unbound?

Thanks for your contributions here too!

 

[SomeWhereOverTheRainBow]

Is running AdGuardHome with Unbound recommended over running Diversion, DNScrypt-proxy, and Unbound (my current setup)? I've been reading around trying to find out if running all three of these is a good idea or if they even work well together. Currently I have DNScrypt-proxy installed and going through the setup, I think I have DoT configured. Not really sure how I can be sure of that. I also installed Unbound recently and used the options to enable ad blocking and DNS-firewall. I was doing some testing on my wife's Mac using Safari (garbage) and I was still getting lots of ads. So I enabled Diversion.

Will running Unbound with ad-block enabled and also running Diversion side-by-side compliment each other? Or are they competing? Will one catch an ad that the other might not have or how do they work together? I understand Diversion and DNS-crypt use dnsmasq, and AGH does not. So diversion and DNS-crypt would be out of the question if I switched to AGH + Unbound.

I just stumbled across this and it definitely looks interesting. Is there anything wrong with my existing setup or is it recommended to switch over to AGH + Unbound?

Thanks for your contributions here too!

Only two "supported" ways to run adguardhome, either adguardhome by itself, or adguardhome with unbound using the setup method on this thread. The recommended method is adguardhome by itself simply because the majority of Rmerlin supported routers have limited memory resources. Some people decide to keep diversion installed, but one should realize this uses dnsmasq. Adguardhome pushes dnsmasq out of the way and takes over port 53 as the dns solution for the network. Effectively dnsmasq (and by extension diversion) will no longer be blocking any ads so loading a diversion block list into memory is wasting extra router resources that could otherwise be reserved for using adguardhome.

Essentially anything that requires dnsmasq (or by extention port 53) will be out of the question when running adguardhome since adguardhome listens to universal 0.0.0.0:53 address. Dnscrypt-proxy uses 127.0.1.1:53 which would cause adguardhome not to start.

 

[jorgsmash]

Only two "supported" ways to run adguardhome, either adguardhome by itself, or adguardhome with unbound using the setup method on this thread. The recommended method is adguardhome by itself simply because the majority of Rmerlin supported routers have limited memory resources. Some people decide to keep diversion installed, but one should realize this uses dnsmasq. Adguardhome pushes dnsmasq out of the way and takes over port 53 as the dns solution for the network. Effectively dnsmasq (and by extension diversion) will no longer be blocking any ads so loading a diversion block list into memory is wasting extra router resources that could otherwise be reserved for using adguardhome.

Essentially anything that requires dnsmasq (or by extention port 53) will be out of the question when running adguardhome since adguardhome listens to universal 0.0.0.0:53 address. Dnscrypt-proxy uses 127.0.1.1:53 which would cause adguardhome not to start.

Thanks for that. But is there any benefit to switching from Diversion + Unbound + dnscrypt to AGH + Unbound. I have an AX88U which has 1 GB of memory, but it seems to always be at 70-90% mem utilization.

 

[SomeWhereOverTheRainBow]

Thanks for that. But is there any benefit to switching from Diversion + Unbound + dnscrypt to AGH + Unbound. I have an AX88U which has 1 GB of memory, but it seems to always be at 70-90% mem utilization.

The memory usage would be about the same. The only benefit was the ability to use adguardhomes filter method of blocking. Essentially filters allow users to use reduced size lists. However the counter arguement means more whitelisting might be necessary since filters potentially block more, but this should not pose a significant problem because of adguardhomes easy to navigate webui. Also, many of dnscrypt proxy features come built into adguardhome such as the ability to use dot, doq, doh, and dnscrypt upstreams. The major difference is it does not have anonymization which is a unique feature to dnscrypt-proxy. However, adguardhome can be configured as a dot,doh,doq,and dnscrypt remote server(note I don't provide guides for this part, but users are welcome to share their tutorials of remote setup if they would like.)

 

[jorgsmash]

The memory usage would be about the same. The only benefit was the ability to use adguardhomes filter method of blocking. Essentially filters allow users to use reduced size lists. However the counter arguement means more whitelisting might be necessary since filters potentially block more, but this should not pose a significant problem because of adguardhomes easy to navigate webui. Also, many of dnscrypt proxy features come built into adguardhome such as the ability to use dot, doq, doh, and dnscrypt upstreams. The major difference is it does not have anonymization which is a unique feature to dnscrypt-proxy. However, adguardhome can be configured as a dot,doh,doq,and dnscrypt remote server(note I don't provide guides for this part, but users are welcome to share their tutorials of remote setup if they would like.)

Awesome. Sounds like a great tool and thanks for describing that and putting together the tutorial. I'm curious what steps I can take to make sure that dnscrypt-proxy was set up correctly. I went through the setup in amtm, but I don't know how to check if it's working. Kind of a broad question, I know, but what can I do to check that dot or doh is working as expected?

 

[SomeWhereOverTheRainBow]

Awesome. Sounds like a great tool and thanks for describing that and putting together the tutorial. I'm curious what steps I can take to make sure that dnscrypt-proxy was set up correctly. I went through the setup in amtm, but I don't know how to check if it's working. Kind of a broad question, I know, but what can I do to check that dot or doh is working as expected?

For starters, You can use:
www.dnsleaktest.com
to tell if you are actually using any of the servers you selected.

If I recall, you said you were also unbound as well. In this instance i believe unbound deletes the "server/resolver file" line from dnsmasq.conf. in which case you wouldn't be able to use both dnscrypt proxy and unbound together, unless you installed dnscrypt-proxy after unbound. (-i.e. the line for dnscrypt proxy must follow after the line for unbound in /jffs/scripts/dnsmasq.postconf.)

Personally, I would recommend using one or the other. There is no need for both unbound and dnscrypt-proxy since the both do the same thing. While unbound acts as a dns server, dnscrypt-proxy proxies dns servers.

Now if you are using AdGuardHome- Adguardhome allows you to see what servers are responding to the query straight in the query log. So you could tell if it was a dot or doh server.

Also, Please Note: If you run into any more questions about dnscrypt proxy, please feel free to start a thread using the dnscrypt prefix so the questions you have about dnscrypt-proxy doesn't derail the support thread for adguardhome.

e.g.

 

[Lakkerol]

Hi there, I'm running an AX58U (version 1) with Asuswrt-Merlin installed, when I try to run the installer-script it says that my router is not supported, is this a false positive since the AX58U V2 is not supported by Merlin? I didn't find a list of supported devices so I am asking here. Thank you, appreciate the work you do.