cptnoblivious
Senior Member
For anyone else setting this up, this is the setting on the VPN Client page: "Accept DNS Configuration" needs to be Disabled
AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)
- Thread starter SomeWhereOverTheRainBow
- Start date
SomeWhereOverTheRainBow
Part of the Furniture
To add to cptoblivious discovery, this allows the user to specify the DNS used in AdGuardHome, but the traffic to the DNS server will still travel via the VPN tunnel as long as the YazFi Guestnetwork is set to go via the VPN tunnel.
johndoe85
Senior Member
Shame there is no pastebinit tool for the router. Would make the copy of configs much easier
It goes much faster if NTP can get access to internet.
I am using the latest of all versions, amtm, adguard, and unbound. And the firmware asus merlin 386.4
unbound config
adguard.config
adding these lines to the bottom of the unbound config
# Fix NTP
domain-insecure: "time1.google.com"
domain-insecure: "time2.google.com"
domain-insecure: "time3.google.com"
domain-insecure: "time4.google.com"
gives this error when opening amtm and then opening unbound
+======================================================================+/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1643533767] unbound-control[21314:0] fatal error: could not read config file
/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
or 'e' exit; then issue debug command
unbound -dv
EDIT:
syslog - Pastebin.com
Unbound still does not come up and the system has been running for 33 minutes.
I added domain-insecure directly under DNSSEC like this
# DNSSEC
domain-insecure: "pool.ntp.org"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
and that worked without complaints from unbound. But it does not solve my issues.
EDIT2:
I got it working by setting an ip-adress under Administration -> System -> NTP Server -> 194.58.202.20
before this i tried to swap to NTP merlin but there was no change, i tried with ip only in the ntp.conf in /jffs/addons/ntpmerlin.d/ntp.conf and still no change.
After that i changed the NTP settings in the GUI and it worked.
NTP settings
I think it would not hurt if there was some hard coded fail back to an IP only adress for NTP in cases like these. NTP needs a working name resolver such as unbound, and unbound need a working clock in order to start.
It's a stupid loop.
Last edited:
thelonelycoder
Part of the Furniture
I have pushed a minor update for amtm, no version change.
What's new
CHANGED: Checks which AdGuardHome binary branch is installed.
Only the release branch will be checked for updates with u.
What's new
CHANGED: Checks which AdGuardHome binary branch is installed.
Only the release branch will be checked for updates with u.
SomeWhereOverTheRainBow
Part of the Furniture
Yea will have to bring that error check up with unbound-manager script dev. Those lines have worked in any unbound.conf I have ever used.Shame there is no pastebinit tool for the router. Would make the copy of configs much easier
It goes much faster if NTP can get access to internet.
I am using the latest of all versions, amtm, adguard, and unbound. And the firmware asus merlin 386.4
unbound config
adguard.config
adding these lines to the bottom of the unbound config
# Fix NTP
domain-insecure: "time1.google.com"
domain-insecure: "time2.google.com"
domain-insecure: "time3.google.com"
domain-insecure: "time4.google.com"
gives this error when opening amtm and then opening unbound
+======================================================================+/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1643533767] unbound-control[21314:0] fatal error: could not read config file
/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
or 'e' exit; then issue debug command
unbound -dv
EDIT:
syslog - Pastebin.com
Unbound still does not come up and the system has been running for 33 minutes.
I added domain-insecure directly under DNSSEC like this
# DNSSEC
domain-insecure: "pool.ntp.org"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
and that worked without complaints from unbound. But it does not solve my issues.
EDIT2:
I got it working by setting an ip-adress under Administration -> System -> NTP Server -> 194.58.202.20
before this i tried to swap to NTP merlin but there was no change, i tried with ip only in the ntp.conf in /jffs/addons/ntpmerlin.d/ntp.conf and still no change.
After that i changed the NTP settings in the GUI and it worked.
NTP settings
I think it would not hurt if there was some hard coded fail back to an IP only adress for NTP in cases like these. NTP needs a working name resolver such as unbound, and unbound need a working clock in order to start.
It's a stupid loop.
Martineau
Part of the Furniture
When using
unbound_manager, it is recommended to place unbound customserver: directives in'/opt/share/unbound/configs/unbound.conf.add'
Alternatively insert the directives into 'unbound.conf' as per the official
unbound documentation.... https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#server-options
SomeWhereOverTheRainBow
Part of the Furniture
Thank you for that @Martineau ,
I figured it had to do with the placement, that is the only way I have ever seen unbound complain.
Last edited:
SomeWhereOverTheRainBow
Part of the Furniture
So there are two conditions I could think of where Asuswrt-Merlin has a hard time getting NTP.Shame there is no pastebinit tool for the router. Would make the copy of configs much easier
It goes much faster if NTP can get access to internet.
I am using the latest of all versions, amtm, adguard, and unbound. And the firmware asus merlin 386.4
unbound config
adguard.config
adding these lines to the bottom of the unbound config
# Fix NTP
domain-insecure: "time1.google.com"
domain-insecure: "time2.google.com"
domain-insecure: "time3.google.com"
domain-insecure: "time4.google.com"
gives this error when opening amtm and then opening unbound
+======================================================================+/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
[1643533767] unbound-control[21314:0] fatal error: could not read config file
/opt/var/lib/unbound/unbound.conf:220: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file
***ERROR INVALID unbound configuration - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
or 'e' exit; then issue debug command
unbound -dv
EDIT:
syslog - Pastebin.com
Unbound still does not come up and the system has been running for 33 minutes.
I added domain-insecure directly under DNSSEC like this
# DNSSEC
domain-insecure: "pool.ntp.org"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
and that worked without complaints from unbound. But it does not solve my issues.
EDIT2:
I got it working by setting an ip-adress under Administration -> System -> NTP Server -> 194.58.202.20
before this i tried to swap to NTP merlin but there was no change, i tried with ip only in the ntp.conf in /jffs/addons/ntpmerlin.d/ntp.conf and still no change.
After that i changed the NTP settings in the GUI and it worked.
NTP settings
I think it would not hurt if there was some hard coded fail back to an IP only adress for NTP in cases like these. NTP needs a working name resolver such as unbound, and unbound need a working clock in order to start.
It's a stupid loop.
Condition #1
No DNS server defined for Wan dns 1 or Wan dns 2
(this is where the user has turned off use automatically and cleared out the wan dns1 and wan dns 2 slots)
Condition #2
You are in some kind of strange Double Nat Situation or Your ISP configuration is creating some type of connection interference or issue.
Solutions I have seen in the past to circumvent this:
#1
Put IP address inside the NTP server slot. While this solves the need for dnsmasq to resolve the IP, it creates an issue if someday the IP address were to out of the blue change.
#2
Try to force DNSMASQ to know what address to use to resolve the ntp domain
example: dnsmasq.conf.add
server=/time1.google.com/8.8.8.8
This tells dnsmasq to only use google to resolve its ntp domain.
#3
Attempt to tell unbound to allow resolving of the domain as insecure thus avoiding the need to check it as a secure dnssec domain first.
johndoe85
Senior Member
What settings are these? I dont have unbound to block ads, not via amtm atleast, and I have not enabled that earlier either.
johndoe85
Senior Member
I dont think it has anything to do with the insecure option since unbound needs a working clock in order to start and ntp needs a working revolver to start so neither can start du to eachother.
And I did try the insecure option and there was no difference.
The solution was to set a ip adress to a external NTP server in the NTP field in the system settings.
johndoe85
Senior Member
They did work, just they could not be placed at the bottom of the conf. They needed to be added directly under the #DNSSEC tag.
But it would not hurt with more options in the script menu in amtm for unbound to enable, disable dnssec, DoH, domain-insecure for NTP and whatever good stuff there could be there.
And also something that checks for NTP to be able to work if DNSSEC is enabled in adguard.
I have not turned that off and use only DoH in adguard. Sinne some reddit post claimed that it was unneccessery if DNSSEC was enabled in unbound.
Either way, some failsafe ip only adress for NTP would not hurt.
johndoe85
Senior Member
Yes, is there no safe bet ip's to use? Like google dns will probably never change? Something similar for NTP. Like a brunch of ip's.
SomeWhereOverTheRainBow
Part of the Furniture
Yes but adguardhome waiting has nothing to do with the ntp sync itself. That is a miss configuration on some how on your end preventing it. Adguard needs valid ntp for encryption and dnssec to work properly
I think I read the same post too. When I use 127.0.0.1:53535 (unbound) as upstream DNS server in AGH, http://dnssec-or-not.com/ shows I am protected by DNSSEC. I did not use AGH encryption.
SomeWhereOverTheRainBow
Part of the Furniture
When you run your DoH or dot server it requires accurate ntp to create the encryption between your devices and the server other wise it falls back to plain text
johndoe85
Senior Member
I have not changed when or how adguard should start. All installation is done via amtm. And configuration through web interface or amtm. Except the few extra lines for unbound.
johndoe85
Senior Member
When installing adguard i choose the option to force all trafficking through adguard. If I dont choose this option the router settings in DNSfilter -> router, would get disabled. This is shown after a reboot.
And when i turn on the dnssec in adguard without extra upstream servers i get the same result. An loop where i cant access host lookup.
I am not an expert in any means, and I do wish there were more automation for these options, dnssec, doh, your own dns resolver etc. Autogenerating sdns strings and such.
johndoe85
Senior Member
Ok, like what?
SomeWhereOverTheRainBow
Part of the Furniture
All this script does is install it and setup a vanilla setup the rest is in your hands. The installer does everything it is functionally intended to. If you need configuration help, you are welcome to use the adguardhome prefix and start a new thread.
Last edited:
SomeWhereOverTheRainBow
Part of the Furniture
Here is how you tell if your traffic is going by way of encryption, Hover your mose over the ? mark next to the processed query. (not the question mark by the IP address).
Last edited:
Similar threads
Similar threads
Similar threads
-
DomainVPNRouting Domain VPN Routing v3.0.3 ***Release***
- Started by Ranger802004
- Replies: 45
-
-
amtm amtm 5.0 - the Asuswrt-Merlin Terminal Menu, November 17, 2024- Started by thelonelycoder
- Replies: 61
-
Entware Possible to install jdownloader on asuswrt-merlin router with entware??
- Started by JeyJ
- Replies: 9
-
Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14
- Started by WRobertE
- Replies: 10
-
scMerlin scMerlin 2.5.8 - Service and script control menu for Asuswrt-Merlin, October 20, 2024
- Started by thelonelycoder
- Replies: 85
-
uKasa uKasa - A utility script that manages Kasa smart outlets and switches with Asuswrt-Merlin routers- Started by JGrana
- Replies: 29
-
Updated Hue Utility - huetil Control and manage your Hue system from Asuswrt-Merlin or Raspbian
- Started by JGrana
- Replies: 1