What's new

AdGuardHome Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI) cont.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
Can you elaborate on this? This router was setup from ”scratch”. I did an intial base setup, updated to Merlin 388.2, did a full reset. I then did a format on the usb ssd drive before proceeding to do the amtm entware install and setup.
So you didnt keep the same entware installation ? You completely wiped the SSD and started fresh with everything?
 
This is my current Path settings:

RT-AX86U_Pro-B190:/tmp/home/root# echo $PATH
/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/Smokey613:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
what is your terminal output of running this command?

pip3 install bcrypt

here is an example of what you should expect to see.

1682084436269.png
 
Ok…. I wiped the usb drive and started over. Installed entware, created swap file and installed AGH.

Success!!!!

Now I can login to the admin web.

Thanks @SomeWhereOverTheRainBow for your assistance!
 
I am still puzzled why I needed to start over on the usb drive as I had already done that when I initially set this new router up. Maybe it needed the updated PATH variable all along even before I installed any scripts originally.

There was no way for me to know that ahead of time. Maybe a check for proper PATH could be included in the install script?
 
So you didnt keep the same entware installation ? You completely wiped the SSD and started fresh with everything?
Yes, I started completely fresh as I was setting up a new router and new usb ssd drive.
 
Yes, I started completely fresh as I was setting up a new router and new usb ssd drive.
Entware can be a quirky beast... and when things start going south, it seems to become a domino effect. Seemed to happen to me a while back when common programs would stop working and showing a "tainted" message in the syslog. And when you have these scares like as of late, such as when you install an entware version update, you could be facing a situation where it might break things even further. I'm always being cautiously optimistic that I might have better luck running this all from an SSD than I did from a flashdrive.
 
Hoping someone can just give me an accelerated primer here: I used to run Diversion, but moved away from it as it caused a bunch of issues with my wife's mobile games and I decided to just run a local ad block on my laptop. Been thinking of another central solution and think I prefer to try out AdGuard then go back to Diversion.

My router is pretty heavily customized, and I don't use it for DHCP for my main network (it does provide DHCP to some guest networks). I'm trying to figure out exactly how AdGuard functions with clients, DNS, reverse lookups etc. I read their setup page and a page on a blog, but it doesn't seem to talk much about client configuration. How does Adguard function alongside the built-in dnsmasq server on Merlin? Does dnsmasq answer the queries and then immediately forward to the AdGuard on the same box to do the recursive DNS lookups?

I do use dnsmasq on Merlin as my client's primary DNS server, and dnsmasq is configured to forward all requests to my internal domain (Active Directory) to those DNS server. I am just trying to figure out the basic way the traffic is routed.

In short, I'm not seeing in the main pages/docs here any real information on how to configure this after it is installed and would like a reference to all of that before I begin.

Also, does anyone have a rough estimate on cpu and RAM footprint?

thanks
 
Hoping someone can just give me an accelerated primer here: I used to run Diversion, but moved away from it as it caused a bunch of issues with my wife's mobile games and I decided to just run a local ad block on my laptop. Been thinking of another central solution and think I prefer to try out AdGuard then go back to Diversion.

My router is pretty heavily customized, and I don't use it for DHCP for my main network (it does provide DHCP to some guest networks). I'm trying to figure out exactly how AdGuard functions with clients, DNS, reverse lookups etc. I read their setup page and a page on a blog, but it doesn't seem to talk much about client configuration. How does Adguard function alongside the built-in dnsmasq server on Merlin? Does dnsmasq answer the queries and then immediately forward to the AdGuard on the same box to do the recursive DNS lookups?

I do use dnsmasq on Merlin as my client's primary DNS server, and dnsmasq is configured to forward all requests to my internal domain (Active Directory) to those DNS server. I am just trying to figure out the basic way the traffic is routed.

In short, I'm not seeing in the main pages/docs here any real information on how to configure this after it is installed and would like a reference to all of that before I begin.

Also, does anyone have a rough estimate on cpu and RAM footprint?

thanks
sounds like you would be better staying with diversion because of the complexity of your setup, and the amount of work you might possibly have to do to get every thing to function properly with adguardhome like it currently does with just your DNSmasq. From a historical point of view, AdGuardHome may prove to be too much on your RAM footprint (not so much the CPU). AdGuardHome can easily cause OOM situations because of its need to adjust its virtual memory size percentage over the life of a single runtime (this is because of the requirement to update and load block lists and filters behind the scenes).
 
Last edited:
sounds like you would be better staying with diversion because of the complexity of your setup, and the amount of work you might possibly have to do to get every thing to function properly with adguardhome like it currently does with just your DNSmasq. From a historical point of view, AdGuardHome may prove to be too much on your RAM footprint (not so much the CPU). AdGuardHome can easily cause OOM situations because of its need to adjust its virtual memory size percentage over the life of a single runtime (this is because of the requirement to update and load block lists and filters behind the scenes).
Thanks. Assuming other people are using it on 68Us I don't expect there will be an issue on mine. I actually have fairly low memory utilization so don't want that to be the initial reason not try.
So to that effect, all my original questions still stand. Diversion simply adds 127.0.0.1 entries into the hosts file and therefore doesn't really run anything other than dnsmasq. I want to understand the architecture of AdGuard and especially how it interacts with dnsmasq.

From the AGH OpenWRT page it states:
If you currently have dnsmasq or unbound installed, you should move these services to an alternative port and have AGH use DNS port 53 with upstream DNS resolvers of your choice configured. This wiki recommends keeping dnsmasq/unbound as your local/PTR resolver for Reverse DNS.

So does this installer actually do that on Merlin as well? Does it move dnsmasq to an alternate port or disable it entirely? I would think that not having dnsmasq as the primary on 53 would cause all sorts of issues with the stand alone router configuration as well as other third party configuration tools which may rely on it. Is dnsmasq even still required if using AGH or can it be a complete replacement?

How fully functional of a DNS server is AGH? My main concern right now is that with dnsmasq I have several server=x/x commands which direct certain domains (my internal AD) back to those DNS servers for resolution. I'm sure I can figure all of this out once it is on my box, but I'm aiming for as small amount of downtime as possible and would prefer to understand the working pieces prior to starting the install.

thanks
 
Thanks. Assuming other people are using it on 68Us I don't expect there will be an issue on mine. I actually have fairly low memory utilization so don't want that to be the initial reason not try.
So to that effect, all my original questions still stand. Diversion simply adds 127.0.0.1 entries into the hosts file and therefore doesn't really run anything other than dnsmasq. I want to understand the architecture of AdGuard and especially how it interacts with dnsmasq.

From the AGH OpenWRT page it states:


So does this installer actually do that on Merlin as well? Does it move dnsmasq to an alternate port or disable it entirely? I would think that not having dnsmasq as the primary on 53 would cause all sorts of issues with the stand alone router configuration as well as other third party configuration tools which may rely on it. Is dnsmasq even still required if using AGH or can it be a complete replacement?

How fully functional of a DNS server is AGH? My main concern right now is that with dnsmasq I have several server=x/x commands which direct certain domains (my internal AD) back to those DNS servers for resolution. I'm sure I can figure all of this out once it is on my box, but I'm aiming for as small amount of downtime as possible and would prefer to understand the working pieces prior to starting the install.

thanks
The only service dnsmasq serves on port 53 is dns resolution itself, the dhcp is handled by a different port, dnsmasq dns port is changed to port 553, and adguardhome becomes the dns service on port 53. Dnsmasq advertises the routers address on port 53 through dnsmasq dhcp options(done via a different port) to clients which tells the client that dns is served by the router at port 53(adguardhome). For local request and local name resolution, adguardhome is told to communicate back to dnsmasq (@ port 553) for client information that is communicated to it via dhcp.
 
The only service dnsmasq serves on port 53 is dns resolution itself, the dhcp is handled by a different port, dnsmasq dns port is changed to port 553, and adguardhome becomes the dns service on port 53. Dnsmasq advertises the routers address on port 53 through dnsmasq dhcp options(done via a different port) to clients which tells the client that dns is served by the router at port 53(adguardhome). For local request and local name resolution, adguardhome is told to communicate back to dnsmasq (@ port 553) for client information that is communicated to it via dhcp.
Thanks. I didn't realize that they offered a fully stand alone Windows version that is super easy to setup. I am playing with that for now to try and get familiar with all the basic setup before I even try to put it on the router. In the end I may choose not to and just keep a Windows installation.
Right now I'm having an issue with it not resolving IPv6 names that are generated over SLAAC, which really lessens the functionality of the service since all you see are IPv6 addresses. This of course is a problem for AdGuard solely, and I do see some bugs associated with this on GitHub.

Before this I was looking at the installer .sh file trying to see how it was going to set it up. I'm a bit concerned, because on first glance it looks like it may do some destructive things without warning. For instance it appears to see if apache is installed (via Entware) and if so it looks like it just totally removes it. This could be...er...problematic if apache is actually in use. I also see it configures other dependencies like python, go, brcrypt in addition to download AdGuard. I can't find anywhere on AdGuard's site that these dependencies are required. I of course haven't tried installing from scratch on my router yet, so it may very well be these are required...and I might prefer this route because I don't really like an installer adding/removing a bunch of packages without notifying its doing this.
 
Right now I'm having an issue with it not resolving IPv6 names that are generated over SLAAC, which really lessens the functionality of the service since all you see are IPv6 addresses. This of course is a problem for AdGuard solely, and I do see some bugs associated with this on GitHub.
This is a big privacy concern with AdGuardHome as well because they will ask the upstream DNS (and possibly your ISP) you are using for information about the IPV6 address using WHOIS. I believe there is away to disable the WHOIS approach, but you need to edit the .yaml file. I recommend looking at their wiki carefully before deciding to do such.

Before this I was looking at the installer .sh file trying to see how it was going to set it up. I'm a bit concerned, because on first glance it looks like it may do some destructive things without warning. For instance it appears to see if apache is installed (via Entware) and if so it looks like it just totally removes it. This could be...er...problematic if apache is actually in use. I also see it configures other dependencies like python, go, brcrypt in addition to download AdGuard. I can't find anywhere on AdGuard's site that these dependencies are required. I of course haven't tried installing from scratch on my router yet, so it may very well be these are required...and I might prefer this route because I don't really like an installer adding/removing a bunch of packages without notifying its doing this.
I am going to be removing the apache code pretty soon, however the bcrypt and python distributions are for generating the encrypted password for AdGuardHome. The Go packages are only installed to provide the same thing, if python fails to install or unavailable in entware for that particular architecture. Originally I used htpasswd from apache-utils to generate the password. However this installed apache on peoples routers (big security problem if your not actually using it correctly). The installer only uninstalls apache if it was originally used to install it (on the next update I will probably remove this). So, I switched to installing bcrypt through python packaging ( or alternatively through Go if python doesn't work). All of this is to generate the encrypted password for users to log into AdGuardHome WebUI (and change the password through the installer whenever they like).

So to recap,

  • Uninstall Apache-utils is present to remove a prior bad method used for generating the password for AdGuardHome (this was an idea contributed by a user that I should have considered better before deciding to use, originally we used the GO package for bcrypt password generation, but compiling in GO was taxing to some model routers).
  • Install of python3 python3-pip python3-bcrypt all for compatibility of generating (and user edit-ability) of the AdGuardHome password via the AdGuardHome Installer Menu, this method by far is the easiest, quickest, and safest password generation method.
  • As a last resort install of go for bcrypt password generation package if python package methods is unavailable to the user. (this does not get installed unless the python method isn't available)
 
Last edited:
Where is the cache file located for Adguard Home?
 
An FYI for both Diversion and Adguard, both do not work when WAN Aggregation is being used. Diversion stats show no ad blocking under both Lite and standard. Adguard stats show it blocking ads but all come through anyhow.

RT-AX86U on 388.2 running AMTM, 2GB Swap File
 
An FYI for both Diversion and Adguard, both do not work when WAN Aggregation is being used. Diversion stats show no ad blocking under both Lite and standard. Adguard stats show it blocking ads but all come through anyhow.

RT-AX86U on 388.2 running AMTM, 2GB Swap File
Oh hold on, I am sorry I think I forgot to mention that some where...

1683095109585.png

Wan aggregation in this instance falls under the "dual-wan" environment, since Asuswrt utilizes the same code for both of them. I am sure the issue is similar in this instance.

If you are interested in getting it to work, I suggest you follow this tutorial and adapt the changes needed to match your setup.


Then it will work.

You will be hard press to find Addon script to have been adapted to a Dual wan configuration whether it is aggregated or not, except for the Wan failover script.
 
Last edited:
This is a big privacy concern with AdGuardHome as well because they will ask the upstream DNS (and possibly your ISP) you are using for information about the IPV6 address using WHOIS. I believe there is away to disable the WHOIS approach, but you need to edit the .yaml file. I recommend looking at their wiki carefully before deciding to do such.

Thanks for the info. I put AdGuard on hold for a bit as I am trying to work out some IPv6 issues in order to get the name resolution I desire. I've seen something in the issue tracker about privacy concerns, but I'm not entirely sure they are warranted. If you are using GUAs in your environment, the idea is they are publicly routable anyway - so there should not be a concern if those are made visible to the outside.
It seems the concern should only be with stateless/SLAAC addressing when privacy extensions are not enabled. In which case a device's MAC might get leaked. Or perhaps the concern is simply tracking based on IP - whereas with IPv4 and NAT you simply know that the device is originating from the single public IP, here you know the specific GUA accessing. I wrote my observations up here:

I'm interested in specifically how you judge this as a privacy concern? Of course I agree that the WHOIS approach should be able to be disabled if you choose not to use it. I could not find anything about doing this, but I assume (since you reference the YAML) that the appropriate section is:

Code:
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true

Because I could not find anything about it, I don't know what the danger is of disabling WHOIS. I think the only time having WHOIS might be useful is if you are running a publicly accessible AdGuard server and accessing it from outside your network where an incoming client might not be registered. However since it is unlikely that another external client has a PTR record, it seems the best you are going to get with WHOIS is an OrgName. I suppose that's better than nothing, but it's not much :)

I am going to be removing the apache code pretty soon, however the bcrypt and python distributions are for generating the encrypted password for AdGuardHome. The Go packages are only installed to provide the same thing, if python fails to install or unavailable in entware for that particular architecture. Originally I used htpasswd from apache-utils to generate the password. However this installed apache on peoples routers (big security problem if your not actually using it correctly). The installer only uninstalls apache if it was originally used to install it (on the next update I will probably remove this). So, I switched to installing bcrypt through python packaging ( or alternatively through Go if python doesn't work). All of this is to generate the encrypted password for users to log into AdGuardHome WebUI (and change the password through the installer whenever they like).

Good to know. I have some concerns about the additional packages mostly because I have some other outside constraints (which I won't detail here) about the Entware install getting too large, but I don't actually know if this will be a problem or not for me.
I wasn't personally worried about Apache - because I'm not using it - I was just concerned on my first quick glance through of the code base that I saw it was getting removed.

What mechanism do/can you use to ensure that Apache only gets removed if it was installed by the installer itself?
 
Status
Not open for further replies.

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top