AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

[chongnt]

Hey if it works for you. Adguardhome supports ipset as well inside the .yaml file. Maybe you should explore that if you get the time. It is right under max go routines.

  max_goroutines: 300
  ipset: []

Thanks for the pointer. Tested AGH can recognize the ipset created by x3mRouting. I only use x3mRouting to create ipset and apply the iptables separately. Since the idea is to bypass dnsmasq, I am trying to extract the relevant ipset script from x3mRouting and populate it into AdGuardHome.yaml file.

 

[SomeWhereOverTheRainBow]

Thanks for the pointer. Tested AGH can recognize the ipset created by x3mRouting. I only use x3mRouting to create ipset and apply the iptables separately. Since the idea is to bypass dnsmasq, I am trying to extract the relevant ipset script from x3mRouting and populate it into AdGuardHome.yaml file.

I dont know if this will help but here is the syntax

ipset — List of domain-ipset_name associations for adding IP addresses of the specified domain names to an ipset list. Syntax: DOMAIN[,DOMAIN].../IPSET_NAME[,IPSET_NAME].... IPv4 addresses are added to an ipset list with ipv4 family, IPv6 addresses - to ipv6 ipset list. ipset list must exist. This setting is supported on Linux only. This feature is similar to --ipset in dnsmasq

 

[chongnt]

I dont know if this will help but here is the syntax

ipset — List of domain-ipset_name associations for adding IP addresses of the specified domain names to an ipset list. Syntax: DOMAIN[,DOMAIN].../IPSET_NAME[,IPSET_NAME].... IPv4 addresses are added to an ipset list with ipv4 family, IPv6 addresses - to ipv6 ipset list. ipset list must exist. This setting is supported on Linux only. This feature is similar to --ipset in dnsmasq

Thanks for the additional info. Earlier I got the syntax from openwrt. AGH ipset is working with unbound as upstream DNS. I don't need dnsmasq anymore for ipset. Rebooted a few times ipset are properly restored.

 ipset:
 - domain.com/ipset_name
 - domain1.com,domain2.com/ipset_name,ipset_name2
...

 

[SomeWhereOverTheRainBow]

]

Thanks for the additional info. Earlier I got the syntax from openwrt. AGH ipset is working with unbound as upstream DNS. I don't need dnsmasq anymore for ipset. Rebooted a few times ipset are properly restored.

ipset:
- domain.com/ipset_name
- domain1.com,domain2.com/ipset_name,ipset_name2
...

All you had to do was edit the .yaml? If you get the time, feel free to share any methods you had to employ to make this possible. It might benefit other users.

Additional: if any one feels the desire for regex ipset capabilities, Adguardhome devs will consider adding it if you put in a feature request for it.

ipset feature support · Issue #1191 · AdguardTeam/AdGuardHome

Prerequisites Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION. I am running the latest version I checked the documentation an...

github.com

 

[chongnt]

]
All you had to do was edit the .yaml? If you get the time, feel free to share any methods you had to employ to make this possible. It might benefit other users.

Additional: if any one feels the desire for regex ipset capabilities, Adguardhome devs will consider adding it if you put in a feature request for it.

Yes, with everything taken care by x3mRouiting, all I have to do is edit the yaml file. This alone is enough for it to work.
What I did is not necessary, I copy a few function of the x3mRouting codes:- entware readiness check, ipset restore, crontab creation, and modify the part that check dnsmasq.conf.add to AdGuardHome.yaml. So in case I want to create a new ipset, I can use this modified script and it will populate to yaml file directly.

 

[rlj2]

The installer script says Im in double-nat, it looks like it just checks wan to see if the wan ip is a local address 192.xx,etc. Is that the correct way?
My router is in bridge mode. So I believe im not in double-nat. I should mention Im using Starlink, which uses cgnat. My wanip is 100.xx
i think it may just be the grep command, maybe it needs to have 10.\ as a pattern insteal of 10\.

 

[SomeWhereOverTheRainBow]

The installer script says Im in double-nat, it looks like it just checks wan to see if the wan ip is a local address 192.xx,etc. Is that the correct way?
My router is in bridge mode. So I believe im not in double-nat. I should mention Im using Starlink, which uses cgnat. My wanip is 100.xx
i think it may just be the grep command, maybe it needs to have 10.\ as a pattern insteal of 10\.

The disclaimer on the first page says that it is incompatible for bridge and access point modes. If you can by some means of divine (or other) methods get it to work with your setup, then free to try. But I have no clue if or how to make it work under your networks conditions. I have tried troubleshooting it for users heading down the road you are in and been highly unsuccessful. I have only ran this under normal router mode where the router ip actually has the public ip of the wan. The check is checking for if your wan ip address has a private ip. (I.e. your router.)

 

[rlj2]

The disclaimer on the first page says that it is incompatible for bridge and access point modes. If you can by some means of divine (or other) methods get it to work with your setup, then free to try. But I have no clue if or how to make it work under your networks conditions. I have tried troubleshooting it for users heading down the road you are in and been highly unsuccessful. I have only ran this under normal router mode where the router ip actually has the public ip of the wan. The check is checking for if your wan ip address has a private ip. (I.e. your router.)

It works fine, its just detecting double-nat wrong on a wan ip of 100.X, which was making me try to figure out why I was in a double-nat situation. And my router is in normal router mode, I meant to say "starlink" router was in bridge mode, I made that confusing sorry . The asus router wans ip is the public ip

 

[SomeWhereOverTheRainBow]

It works fine, its just detecting double-nat wrong on a wan ip of 100.X, which was making me try to figure out why I was in a double-nat situation.

It is displaying that message because your routers wan ip is a private IP address which is 192. range. it has nothing to do with detecting the wan address of your modem.

run this in the ssh terminal of your router and confirm I am right or wrong

nvram get wan_ipaddr | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'

It will spit back a private ip address if I am right. The IP address of WAN on the router is a private address when you are in a double nat condition on your router.

 

[rlj2]

It is displaying that message because your routers wan ip is a private IP address which is 192. range. it has nothing to do with detecting the wan address of your modem.

run this in the ssh terminal of your router and confirm I am right or wrong

nvram get wan_ipaddr | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'

It will spit back a private ip address if I am right. The IP address of WAN is a private address when you are in a double nat condition on your router.

I already have. the grep of 10\. is also picking up 100.xxx, which isnt a private ip.

 

[SomeWhereOverTheRainBow]

I already have. the grep of 10\. is also picking up 100.xxx, which isnt a private ip. I think it just needs changed to 10.\

wrong it doesn't:

echo 100.100.100.100 | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
RT-AX88U-C7C0:/tmp/home/root#

echo 100.10.1.1 | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
RT-AX88U-C7C0:/tmp/home/root#

it returns no value.


Private ranges:

echo 192.168.1.1 | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
192.168.1.1
RT-AX88U-C7C0:/tmp/home/root#

echo 10.10.10.10 | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
10.10.10.10
RT-AX88U-C7C0:/tmp/home/root#

it returns a value.

Here is an actual test using a GCNAT address of the GCNAT range:

RT-AX88U-C7C0:/tmp/home/root# echo 100.127.255.255 | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
RT-AX88U-C7C0:/tmp/home/root#

RT-AX88U-C7C0:/tmp/home/root# echo 100.64.0.0 | grep -E '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
RT-AX88U-C7C0:/tmp/home/root#

Returns no value.

My test go to show that this grep will only return values for private ip addresses.

It is detecting what ever your asus routers

nvram get wan_ipaddr

value is.

If it is a public IP address (i.e. non double-nat like scenario) , it will always not return a value.

If it is a private IP address like from 192.168.X or 10.X or 172.X (specific ones) ranges it will always return a value thus indicating a double nat like environment.

If your modem was serving as a full bridge mode the firewall on it gets completely cut off, any nat capabilities on it get turned off, and any dhcp on it gets completely turned off ; therefore your Asus router will then have a public ip address displayed as its WAN address and not one of a private range such as 192.168.1.1. The fact that your Router has a Private address in the Wan spot indicates that your modem is handing out a private address over DHCP, (or manually assigning a private address), that is somehow getting translated over the NAT of your partially bridged modem and read by your Asus router as a private address (e.g. 192.XXX). If your modem was fully bridged, you would expect your asus router not to have a private address value returned by

nvram get wan_ipaddr

, in fact your 100.XX address would be returned and you would no longer see the message in the installer.

A final note on this matter:
The message displayed in the installer serves as a warning for users in this condition, that the dev of this script does not operate in the aboved conditions, so therefore the script has not been adapted for any configuration issues that may or may not be presented in this type of environment. But users are still welcome to enjoy the script if it works for them in this scenario.

 

[Jeffrey Young]

Hello all. I have a quick question about installing AdGuardHome via this script.

I am aware that @SomeWhereOverTheRainBow script installs Apache2 as the HTTP backend. Currently, I am using NGINX on the router as a HTTPS reverse proxy to a backend NextCloud server.

Is there anyway of installing this script using NGNIX as the backend as opposed to Apache? Just not keen on having two separate web servers running on the router.

Of course, worst case, I can always learn Apache and set that up as the Reverse Proxy.

Thanks for all the hard work in this project @SomeWhereOverTheRainBow

 

[SomeWhereOverTheRainBow]

Hello all. I have a quick question about installing AdGuardHome via this script.

I am aware that @SomeWhereOverTheRainBow script installs Apache2 as the HTTP backend. Currently, I am using NGINX on the router as a HTTPS reverse proxy to a backend NextCloud server.

Is there anyway of installing this script using NGNIX as the backend as opposed to Apache? Just not keen on having two separate web servers running on the router.

Of course, worst case, I can always learn Apache and set that up as the Reverse Proxy.

Thanks for all the hard work in this project @SomeWhereOverTheRainBow

It doesn't install apache2 any more.

 

[SomeWhereOverTheRainBow]

Hello all. I have a quick question about installing AdGuardHome via this script.

I am aware that @SomeWhereOverTheRainBow script installs Apache2 as the HTTP backend. Currently, I am using NGINX on the router as a HTTPS reverse proxy to a backend NextCloud server.

Is there anyway of installing this script using NGNIX as the backend as opposed to Apache? Just not keen on having two separate web servers running on the router.

Of course, worst case, I can always learn Apache and set that up as the Reverse Proxy.

Thanks for all the hard work in this project @SomeWhereOverTheRainBow

Adguardhome can run with nginx as a reverse proxy , you would have to refer to adguardhome github wiki for the proper procedures to set it up. By default, this installer sets adguardhome up to use its default built in webserver. In retrospect, apache2 was only installed and disabled for its ability to set adguardhomes webui password using httpsswd, but I have removed this requirement by incorporating a python-bcrypt method for setting the password.

As far as nginx goes, I think you would need to make sure you were running the nginxssl package to ensure you were properly using the correct one for your future reverse proxy endeavors.

 

[SomeWhereOverTheRainBow]

@Jeffrey Young

This page:

Encryption

Network-wide ads & trackers blocking DNS server. Contribute to AdguardTeam/AdGuardHome development by creating an account on GitHub.

github.com

Has a section that talks about using a reverse proxy such as nginx.

It also refers to this link as a guide:

FAQ

Network-wide ads & trackers blocking DNS server. Contribute to AdguardTeam/AdGuardHome development by creating an account on GitHub.

github.com

 

[Jeffrey Young]

Perfect. Thanks @SomeWhereOverTheRainBow

I use NGINX on the router now as SSL termination. Thanks for the links. I'll have a look at them.

 

[SomeWhereOverTheRainBow]

Perfect. Thanks @SomeWhereOverTheRainBow

I use NGINX on the router now as SSL termination. Thanks for the links. I'll have a look at them.

Feel free to share any of your experiences, struggles, methods, and recommendations for those who are brave enough to traverse the path you travel!

 

[Jeffrey Young]

Feel free to share any of your experiences, struggles, methods, and recommendations for those who are brave enough to traverse the path you travel!

For sure. May be a while as summer time activities are upon me now. These little projects tend to be winter time things . I am more in the planning phase for AdGuardHome. My first attention will likely swing back to setting up Ubuntu on my RasPi as router/gateway.

If you're meaning NGINX on the router as a reverse proxy, it was actually you that got me onto that project from another chat that you, @garycnew and I were in concerning using ZeroSSL on the router (the covo was focusing on acme.sh/HTTPS router admin access, I think). I just ran with it, and proceeded to read up/learn NGINX and set it up on the router as a reverse proxy/SSL Termination to my NextCloud server. Besides the extra security (insulation), the setup has solved a couple of other quirks with just using port forwarding. Nonetheless, if anyone is interested, I am certainly happy to share.

 

[SomeWhereOverTheRainBow]

It works fine, its just detecting double-nat wrong on a wan ip of 100.X, which was making me try to figure out why I was in a double-nat situation. And my router is in normal router mode, I meant to say "starlink" router was in bridge mode, I made that confusing sorry . The asus router wans ip is the public ip

The new method is a bit over kill, but hopefully should have eliminated your detection issue.

nvram get wan_ipaddr | grep -oE '\b^(((10|127)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})|(((172\.(1[6-9]|2[0-9]|3[0-1]))|(192\.168))(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}))$\b'

 

[rlj2]

The new method is a bit over kill, but hopefully should have eliminated your detection issue.

nvram get wan_ipaddr | grep -oE '\b^(((10|127)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})|(((172\.(1[6-9]|2[0-9]|3[0-1]))|(192\.168))(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}))$\b'

I havent had a chance to mess with this since the other day, but figured out what was going on. I use dual-wan for failover. When the second line is considered "hot", for some reason it shows wan_ipaddr as a private. But what Im actually using is wan0_ipaddr , sorry I should have checked this more. The second failover connection is not bridged, ie double-nat.
admin@RT-AX86U-D7D0:/tmp/mnt/AX/entware/etc/AdGuardHome# nvram get wan_ipaddr
192.168.10.189
admin@RT-AX86U-D7D0:/tmp/mnt/AX/entware/etc/AdGuardHome# nvram get wan0_ipaddr
100.119.236.128