AdGuardHome Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI) cont.

[SomeWhereOverTheRainBow]

Hi there, I'm running an AX58U (version 1) with Asuswrt-Merlin installed, when I try to run the installer-script it says that my router is not supported, is this a false positive since the AX58U V2 is not supported by Merlin? I didn't find a list of supported devices so I am asking here. Thank you, appreciate the work you do.

Do you mind sharing a screenshot of your terminal session where you have attempted to install adguardhome?

Also report back the output of this command

[ -z "$(nvram get odmpid)" ] && nvram get productid || nvram get odmpid

When you try to run it from the main ssh terminal command line.

 

[Smokey613]

I have been using the NextDNS CLI on my AC86U off and on during my hardware trial journey. It always seemed to provide good service but I recently got to thinking about other options. Yesterday, I decided to try AdGuardHome after following it’s progress for awhile. I am now a convert. This thing is great!

 

[jsbeddow]

I ran AdGuardHome on mr RT-AC86U for a couple weeks, but a had some instability that I couldn't pin down precisely. Is that model somewhat likely to be "borderline" capable of running AGH relative to other (more recent) router models with more RAM memory? I am well aware of my router models other failings (hardware, etc...), so I plan to replace it sometime in the next year or so, but was wondering if it was not really recommended to run AGH on this router due to the low RAM.

 

[Smokey613]

So far, I am not experiencing any issues but then, both of my units have always been very stable. I am only running the scripts listed in my signature.

 

[SomeWhereOverTheRainBow]

I ran AdGuardHome on mr RT-AC86U for a couple weeks, but a had some instability that I couldn't pin down precisely. Is that model somewhat likely to be "borderline" capable of running AGH relative to other (more recent) router models with more RAM memory? I am well aware of my router models other failings (hardware, etc...), so I plan to replace it sometime in the next year or so, but was wondering if it was not really recommended to run AGH on this router due to the low RAM.

I dont know how long it has been since you tried it last, but keep in mind that I have made some improvements over the last year with the managing script in regards to how well it maintains adguardhome. It might work better on your setup now, but then again you may have too many scripts competing for resources as well. I would consider looking at amtm to see what you have installed. Maybe something you have installed requires a good bit of resources that would have been better used by adguardhome.

 

[jsbeddow]

I dont know how long it has been since you tried it last, but keep in mind that I have made some improvements over the last year with the managing script in regards to how well it maintains adguardhome. It might work better on your setup now, but then again you may have too many scripts competing for resources as well. I would consider looking at amtm to see what you have installed. Maybe something you have installed requires a good bit of resources that would have been better used by adguardhome.

Thank you. I was running AGH in for maybe 2-3 weeks in late June-early July of this year. Normally I run Diversion (uninstalled when running AGH), Skynet, scribe, UIscribe, ntpMerlin, scMerlin...and that's all. I believe we were already on 386.7_2 by that time as well, same as now.

Hard to remember the exact details, but I had a couple of times when I had no internet in the morning and had to reboot to restore, which never happens with my conventional (long-term) setup with Diversion.

 

[SomeWhereOverTheRainBow]

Thank you. I was running AGH in for maybe 2-3 weeks in late June-early July of this year. Normally I run Diversion (uninstalled when running AGH), Skynet, scribe, UIscribe, ntpMerlin, scMerlin...and that's all. I believe we were already on 386.7_2 by that time as well, same as now.

Hard to remember the exact details, but I had a couple of times when I had no internet in the morning and had to reboot to restore, which never happens with my conventional (long-term) setup with Diversion.

Diversion is very stable. The beauty of diversion is that it utilizes the capabilities of DNSMASQ. DNSMASQ is so finely woven into the firmware that it does not normally break down under conventional use. Also, it does not necessarily compete for memory access unless you are using a giant adblock list with diversion. That being said, scripts like scribe, UIscribe, may be utilizing abit of extra memory as well. I have not really checked it out, but I know when ever I used those they typically used any where from 3 to 5% extra memory. I have no clue if it is the same across all routers, but when running adguardhome, that 3 to 5% extra memory could mean a lot. Especially if you are running it along side unbound for instance. Also, if you are removing diversion, it would make sense to remove uiDivStats as well. Note I am not saying those are bad scripts, however if they are using too much resources that you would have wanted to devote else where, that could explain some complications when trying to run AdGuardHome. AdGuardHome will spike the memory usage real quick when updating the filters/block lists.

The big difference between what you are running and what @Smokey613 is running is you are using Unbound while @Smokey613 is not. If you run AdGuardHome+Unbound, you would definitely need to minimalize unbound in the sense that you are not loading any adlist with unbound adblock. You would want to disable extra features like unbound statistics including the statistics-UI. Any thing that might be grabbing at extra resources.

 

[Smokey613]

I know lots of people use unbound but it was always erratic for me, even when I was using it on a Firewalla Gold.

 

[jsbeddow]

Diversion is very stable. The beauty of diversion is that it utilizes the capabilities of DNSMASQ. DNSMASQ is so finely woven into the firmware that it does not normally break down under conventional use. Also, it does not necessarily compete for memory access unless you are using a giant adblock list with diversion. That being said, scripts like scribe, UIscribe, may be utilizing abit of extra memory as well. I have not really checked it out, but I know when ever I used those they typically used any where from 3 to 5% extra memory. I have no clue if it is the same across all routers, but when running adguardhome, that 3 to 5% extra memory could mean a lot. Especially if you are running it along side unbound for instance. Also, if you are removing diversion, it would make sense to remove uiDivStats as well. Note I am not saying those are bad scripts, however if they are using too much resources that you would have wanted to devote else where, that could explain some complications when trying to run AdGuardHome. AdGuardHome will spike the memory usage real quick when updating the filters/block lists.

The big difference between what you are running and what @Smokey613 is running is you are using Unbound while @Smokey613 is not. If you run AdGuardHome+Unbound, you would definitely need to minimalize unbound in the sense that you are not loading any adlist with unbound adblock. You would want to disable extra features like unbound statistics including the statistics-UI. Any thing that might be grabbing at extra resources.

Err...no, with all due respect the reason I wrote out exactly what I have been most recently running in my reply was because you essentially asked in your first reply (and because my signature file isn't kept perfectly up to date), so no, I'm not running unbound at all anymore. I do appreciate the time you took to answer however.

Ultimately, it does sound like a router with 512MB of RAM is borderline for AGH, as I believe was mentioned somewhere in the massive thread(s) on this subject, I just couldn't find it again. Obliviously, the degree to which that is true will depend somewhat on how large the blocking lists being used are (and how many are loaded).

 

[jorgsmash]

For starters, You can use:
www.dnsleaktest.com
to tell if you are actually using any of the servers you selected.

If I recall, you said you were also unbound as well. In this instance i believe unbound deletes the "server/resolver file" line from dnsmasq.conf. in which case you wouldn't be able to use both dnscrypt proxy and unbound together, unless you installed dnscrypt-proxy after unbound. (-i.e. the line for dnscrypt proxy must follow after the line for unbound in /jffs/scripts/dnsmasq.postconf.)

Personally, I would recommend using one or the other. There is no need for both unbound and dnscrypt-proxy since the both do the same thing. While unbound acts as a dns server, dnscrypt-proxy proxies dns servers.

Now if you are using AdGuardHome- Adguardhome allows you to see what servers are responding to the query straight in the query log. So you could tell if it was a dot or doh server.

Also, Please Note: If you run into any more questions about dnscrypt proxy, please feel free to start a thread using the dnscrypt prefix so the questions you have about dnscrypt-proxy doesn't derail the support thread for adguardhome.

e.g.

View attachment 44685

Sorry, not trying to derail the support thread. Last night I went ahead and tried out AGH installation. Here's a few things I noticed during the set-up process:

1. I started by uninstalling dns-crypt proxy, and I installed the Unbound UI that you linked here.

• This caused DNS to break. I'm not sure if it's because Unbound was listening on port 53535, and the UI installer changes that to a different port by default. I tried your recommendation "Port 53535 may be different with @dave14305 port number which can be cleanly modified from Unbound-Merlin-UI. Please adapt port according to what your unbound port is actually set to." and went to the Unbound UI and changed the port back to 53535 and did a reboot. But DNS still wasn't working. Uninstalling Unbound and re-installing it fixed that issue. I only installed Unbound and none of the add-ons.

2. I installed AGH and logged into the web interface to take a look at the settings. Under the Encryption Settings, It looks like DoT and DoH are not configured by default and require you to supply your own certificates. I don't own a domain so I don't think I can get a free certificate from Let's Encrypt. My router does have a certificate from Let's Encrypt because I use the Dynamic DNS feature, but that certificate is only good for about 90 days I think. So where would we get certificates to use to set up encryption to get DoT and DoH working? Is this setting required only if I want https for the web GUI to work, and I can set up DoT and DoH by using these in the "Upstream DNS servers" setting?

• tls://dns-unfiltered.adguard.com: encrypted DNS-over-TLS.
• https://cloudflare-dns.com/dns-query: encrypted DNS-over-HTTPS.
• quic://dns-unfiltered.adguard.com:784: experimental DNS-over-QUIC support.

I don't think I fully understand the set-up process. I read over the installation guide you posted here (I installed through AMTM though).

Here is the current WAN DNS settings in the Router GUI. I'm not sure if these should be changed? Possibly pointing the router to use AGH as the DNS server?

And here is the upstream DNS setting in AGH. I set 9.9.9.9 and 1.1.1.1 during the AGH installation:

Should I remove the last 4 lines for 9.9.9.9 and 1.1.1.1 and add what you have in the guide for 127.0.0.1:53535 and tcp://127.0.0.1:53535? 9.9.9.9 and 1.1.1.1 are already added to AGH GUI under the "Bootstrap DNS servers" section.

For the DNS caching settings, there is nothing set by default. It seems like maybe I should just uninstall Unbound and use these settings. What is the recommended settings here for Cache size and TTL?

Sorry for my confusion. There just seems to be so many different places to change settings relating to DNS, both in the Router GUI and in the AGH GUI.

 

[SomeWhereOverTheRainBow]

Sorry, not trying to derail the support thread. Last night I went ahead and tried out AGH installation. Here's a few things I noticed during the set-up process:

1. I started by uninstalling dns-crypt proxy, and I installed the Unbound UI that you linked here.

• This caused DNS to break. I'm not sure if it's because Unbound was listening on port 53535, and the UI installer changes that to a different port by default. I tried your recommendation "Port 53535 may be different with @dave14305 port number which can be cleanly modified from Unbound-Merlin-UI. Please adapt port according to what your unbound port is actually set to." and went to the Unbound UI and changed the port back to 53535 and did a reboot. But DNS still wasn't working. Uninstalling Unbound and re-installing it fixed that issue. I only installed Unbound and none of the add-ons.

2. I installed AGH and logged into the web interface to take a look at the settings. Under the Encryption Settings, It looks like DoT and DoH are not configured by default and require you to supply your own certificates. I don't own a domain so I don't think I can get a free certificate from Let's Encrypt. My router does have a certificate from Let's Encrypt because I use the Dynamic DNS feature, but that certificate is only good for about 90 days I think. So where would we get certificates to use to set up encryption to get DoT and DoH working? Is this setting required only if I want https for the web GUI to work, and I can set up DoT and DoH by using these in the "Upstream DNS servers" setting?

• tls://dns-unfiltered.adguard.com: encrypted DNS-over-TLS.
• https://cloudflare-dns.com/dns-query: encrypted DNS-over-HTTPS.
• quic://dns-unfiltered.adguard.com:784: experimental DNS-over-QUIC support.

I don't think I fully understand the set-up process. I read over the installation guide you posted here (I installed through AMTM though).

Here is the current WAN DNS settings in the Router GUI. I'm not sure if these should be changed? Possibly pointing the router to use AGH as the DNS server?

View attachment 44726

And here is the upstream DNS setting in AGH. I set 9.9.9.9 and 1.1.1.1 during the AGH installation:

View attachment 44727

Should I remove the last 4 lines for 9.9.9.9 and 1.1.1.1 and add what you have in the guide for 127.0.0.1:53535 and tcp://127.0.0.1:53535? 9.9.9.9 and 1.1.1.1 are already added to AGH GUI under the "Bootstrap DNS servers" section.

For the DNS caching settings, there is nothing set by default. It seems like maybe I should just uninstall Unbound and use these settings. What is the recommended settings here for Cache size and TTL?

View attachment 44728

Sorry for my confusion. There just seems to be so many different places to change settings relating to DNS, both in the Router GUI and in the AGH GUI.

Here is the official adguardhome+Unbound guide.

https://www.snbforums.com/threads/r...dguardhome-installer-amaghi.76506/post-733236

Follow it, and you should be fine. Don't change anything in the official asus webui. Leave that part alone.

Here is adguardhomes wiki if you feel you need to modify other settings, it will explain to you what every setting is for.

Home

Network-wide ads & trackers blocking DNS server. Contribute to AdguardTeam/AdGuardHome development by creating an account on GitHub.

github.com

and

Here is the link to the Main adguardhome thread where there are pages upon pages where I have answered similar repetitive user questions.

AdGuardHome - [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

Asuswrt-Merlin-AdGuardHome-Installer The Official Installer of AdGuardHome for Asuswrt-Merlin Requirements: ARM based ASUS routers (not bridges or access points) that use Asuswrt-Merlin Firmware JFFS support and enabled REQUIRES ENTWARE(!) for package management, and a separate USB drive for...

www.snbforums.com

 

[SomeWhereOverTheRainBow]

Err...no, with all due respect the reason I wrote out exactly what I have been most recently running in my reply was because you essentially asked in your first reply (and because my signature file isn't kept perfectly up to date), so no, I'm not running unbound at all anymore. I do appreciate the time you took to answer however.

Ultimately, it does sound like a router with 512MB of RAM is borderline for AGH, as I believe was mentioned somewhere in the massive thread(s) on this subject, I just couldn't find it again. Obliviously, the degree to which that is true will depend somewhat on how large the blocking lists being used are (and how many are loaded).

Sorry for my misunderstanding as I read your signature. Yes, you would need to consider how big of a block list you use as well. Along with the other considerations I mentioned in the previous post. All of these factors play in how much memory chokes on the router.

 

[jorgsmash]

Here is the official adguardhome+Unbound guide.

https://www.snbforums.com/threads/r...dguardhome-installer-amaghi.76506/post-733236

Follow it, and you should be fine. Don't change anything in the official asus webui. Leave that part alone.

Here is adguardhomes wiki if you feel you need to modify other settings, it will explain to you what every setting is for.

Home

Network-wide ads & trackers blocking DNS server. Contribute to AdguardTeam/AdGuardHome development by creating an account on GitHub.

github.com

and

Here is the link to the Main adguardhome thread where there are pages upon pages where I have answered similar repetitive user questions.

AdGuardHome - [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

Asuswrt-Merlin-AdGuardHome-Installer The Official Installer of AdGuardHome for Asuswrt-Merlin Requirements: ARM based ASUS routers (not bridges or access points) that use Asuswrt-Merlin Firmware JFFS support and enabled REQUIRES ENTWARE(!) for package management, and a separate USB drive for...

www.snbforums.com

I did read through that already. It doesn't really answer my questions, unfortunately. If I set

in the upstream resolvers in AGH, where is DoT and DoH configured? I went ahead and made changes to this:

Are the certificate settings in AGH covered anywhere? Is that only for https to the GUI? Or is that required for DoT and DoH to work? The wording in the AGH GUI makes it seem like the certificates are required for those features:

AGH let me check the box to enable encryption, but I didn't supply any of the information in the fields below it for server name, certificates or private keys.

If DoT or DoH were working properly, would these queries in the Query log still show up as "Plain DNS" ?

And what about the AGH cache settings?


Again, thank you for the support and I hope I'm not being a nuisance.

 

[SomeWhereOverTheRainBow]

I did read through that already. It doesn't really answer my questions, unfortunately. If I set
View attachment 44733
in the upstream resolvers in AGH, where is DoT and DoH configured? I went ahead and made changes to this:

View attachment 44734

Are the certificate settings in AGH covered anywhere? Is that only for https to the GUI? Or is that required for DoT and DoH to work? The wording in the AGH GUI makes it seem like the certificates are required for those features:

View attachment 44735

AGH let me check the box to enable encryption, but I didn't supply any of the information in the fields below it for server name, certificates or private keys.

If DoT or DoH were working properly, would these queries in the Query log still show up as "Plain DNS" ?

View attachment 44736

And what about the AGH cache settings?


Again, thank you for the support and I hope I'm not being a nuisance.

Do not mess with this page unless you are going to set up a Remote AdGuardHome DNS server. You would have to make your AdGuardHome WAN accessible. Major security risk because you would have to open a port to the outside would.

 

[SomeWhereOverTheRainBow]

I did read through that already. It doesn't really answer my questions, unfortunately. If I set
View attachment 44733
in the upstream resolvers in AGH, where is DoT and DoH configured? I went ahead and made changes to this:

View attachment 44734

Are the certificate settings in AGH covered anywhere? Is that only for https to the GUI? Or is that required for DoT and DoH to work? The wording in the AGH GUI makes it seem like the certificates are required for those features:

View attachment 44735

AGH let me check the box to enable encryption, but I didn't supply any of the information in the fields below it for server name, certificates or private keys.

If DoT or DoH were working properly, would these queries in the Query log still show up as "Plain DNS" ?

View attachment 44736

And what about the AGH cache settings?


Again, thank you for the support and I hope I'm not being a nuisance.

You can leave adguardhome cache settings alone, but I gave you this link

Home

Network-wide ads & trackers blocking DNS server. Contribute to AdguardTeam/AdGuardHome development by creating an account on GitHub.

github.com

for you to actually read their wiki and make informed decisions on your own about what you want to change.

I am trying to keep these threads from blowing with customization questions. You are welcome to start a new thread using the AdGuardHome prefix, that way any user who uses adguardhome can respond with their knowledge. This thread is more of to answer questions in regards to "oh no, I think I broke something" or "I need help! It isn't working" or "the installer is not working for my specific model, what do i do?"

 

[SomeWhereOverTheRainBow]

If DoT or DoH were working properly, would these queries in the Query log still show up as "Plain DNS" ?

View attachment 44736

And what about the AGH cache settings?


Again, thank you for the support and I hope I'm not being a nuisance.

Click on the individual query and a window will pop up telling you which server was used to respond. That (Plain DNS) is talking about the type of query which was an "A" type query.

 

[SomeWhereOverTheRainBow]

I did read through that already. It doesn't really answer my questions, unfortunately. If I set
View attachment 44733
in the upstream resolvers in AGH, where is DoT and DoH configured? I went ahead and made changes to this:

View attachment 44734

These are the supported DNS upstream formats:

To add an ENCRYPTED DNS upstream use one of the formats listed above.

You add it to the same section that you added the UNBOUND addresses.

Right below those addresses.

to make unbound work, you add these

as well, to the same section.

This thread shows you how to add upstreams:

AdGuardHome - [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

Sounds like the guide that may have been needed was the Step-by-Step amtm guide, in the link in my signature below. :)

www.snbforums.com

This is the point where the wheel has gotten reinvented.

 

[SomeWhereOverTheRainBow]

@jorgsmash

If you decide to use the sdns stamp method to easily copy the addresses into the upstream section (which is described in the forum I linked you to), you can add a comment at the end of the server line so you can identify who the server is easily.

e.g.

sdns://AgcAAAAAAAAAAAAPZG5zLmFkZ3VhcmQuY29tCi9kbnMtcXVlcnk # Adguard DOH

The upstream section supports adding comments so you remember what you added there.

 

[loveleeyoungae]

View attachment 44294

Sorry, I have a little confusion about this configuration. From what I know:
- [::] is equivalent to and is understood by most systems as the IPv4 0.0.0.0 address.
- When services are on the same device/router (AGH and dnsmasq in this case), people usually use the 127.0.0.1/[::1] loopback address
-> So, why are you using this [::]/0.0.0.0 type of address instead of the usual 127.0.0.1/[::1]?

 

[SomeWhereOverTheRainBow]

Sorry, I have a little confusion about this configuration. From what I know:
- [::] is equivalent to and is understood by most systems as the IPv4 0.0.0.0 address.
- When services are on the same device/router (AGH and dnsmasq in this case), people usually use the 127.0.0.1/[::1] loopback address
-> So, why are you using this [::]/0.0.0.0 type of address instead of the usual 127.0.0.1/[::1]?

0.0.0.0 [::] merely means we listen on 553 for any matching local address, while 127.0.0.1 means we talk back to loop back exclusively. Dnsmasq listens on 0.0.0.0, which means all possible local addresses within the router (including guest networks if configured). [::] and 0.0.0.0 means we will accept the answer from any of those local addresses. Technically you could use either for most use cases. Sorry for the "technical" confusion. In general, all of this stuff confuses people. I just prefer talking directly, then solely relying on the loopback to provide an accurate response. Functionality wise, the behaviors should be considered the same.