For some installations, it’s useful to have DNS resolution handled directly on the router. I tried to put PiHole & Unbound in a Docker container on OpenWRT — that was a horrible time and it’s VERY easy to poke unexpected holes in your firewall, so I don’t recommend that. Instead, AdGuard Home can run natively on OpenWRT.

See also

The OpenWRT Wiki has good info on setting this up: https://openwrt.org/docs/guide-user/services/dns/adguard-home

OpenWRT configuration

In LuCI, go to Network → DHCP and DNS:

  1. In Devices and Ports, set DNS Server Port to 54
  2. In Forwards, remove any DNS Forwards entries

It’s important to do these steps first, as it frees up port 53 for AGH to use during setup.

To advertise the router as the DNS server for the network, go to LuCI → Network → Interfaces → lan (Edit):

  1. In Advanced Settings, clear any “use custom DNS servers” and add a new one with the router’s LAN address
  2. In DHCP Server → Advanced Settings, add three DHCP options (3 is the default gateway, 6 the DNS server, 15 the domain name):
    1. 3,<router's LAN address> (e.g. 3,192.168.1.1)
    2. 6,<router's LAN address> (e.g. 6,192.168.1.1)
    3. 15,lan

When a device joins the network and is assigned an address via DHCP, you should see that the DNS server provided by the network is the router.

Installing

In OpenWRT Software, install adguardhome.

You may need to reboot the router.

AdGuard Home configuration

First-time setup

You should be able to access AGH on your router’s IP address, port 3000. When greeted with a Get Started page, set the following options during the setup wizard:

  1. Set the Admin Web Interface to listen on port 8080 (or another port if you prefer)
  2. Set DNS server to listen on “All Interfaces” on port 53.
  3. Create a username and strong password.
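
As an added check (not from the original post or the OpenWRT wiki), this shell function reads netstat -tulpn output and confirms the port layout this page sets up: AdGuard Home on 53, dnsmasq moved to 54, and the admin UI on the port chosen in the wizard. The function name, the sample listing, and the process names AdGuardHome and dnsmasq as printed by netstat are assumptions.

```shell
#!/bin/sh
# Added example: audit listeners once the AGH setup wizard is finished.
# Ports 53, 54 and 3000 come from this page; the admin UI port is an argument.
# On the router: netstat -tulpn | audit_listeners 8080

audit_listeners() {
    awk -v ui="${1:-8080}" '
    $1 ~ /^(tcp|udp)/ {
        if ($1 ~ /^tcp/ && $0 !~ /LISTEN/) next   # ignore established TCP
        n = split($4, a, ":"); port = a[n]        # port follows the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        prog = $NF; sub(/^[0-9]+\//, "", prog)    # strip the PID prefix
        if (port == 53) {
            if (prog == "AdGuardHome") agh53 = 1
            else { print "FAIL port 53 is held by " prog; bad = 1 }
        }
        if (port == 54 && prog == "dnsmasq") dns54 = 1
        if (port == 3000 && ui != 3000 && prog == "AdGuardHome")
            print "WARN AdGuardHome still listens on first-time setup port 3000"
        if (port == ui && prog == "AdGuardHome" && (addr == "0.0.0.0" || addr == "::"))
            print "NOTE admin UI on port " ui " is bound to all interfaces; check it is not reachable from WAN"
    }
    END {
        if (!agh53) { print "FAIL AdGuardHome is not listening on port 53"; bad = 1 }
        if (!dns54) { print "FAIL dnsmasq is not listening on port 54"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample of netstat -tulpn output (not captured from a real router).
SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:8080     0.0.0.0:*        LISTEN  2101/AdGuardHome
tcp        0      0 :::53            :::*             LISTEN  2101/AdGuardHome
udp        0      0 :::53            :::*                     2101/AdGuardHome
tcp        0      0 192.168.1.1:54   0.0.0.0:*        LISTEN  1804/dnsmasq
udp        0      0 192.168.1.1:54   0.0.0.0:*                1804/dnsmasq'

# Exit status is 0 when the layout matches, 1 when any FAIL line is printed.
printf '%s\n' "$SAMPLE" | audit_listeners 8080
```

A FAIL naming dnsmasq on port 53 means the OpenWRT configuration steps above were skipped or not applied before AGH started.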

AGH Options

In AGH, go to Settings → DNS Settings:

  1. Configure your upstream DNS resolvers as you wish (see example below)
  2. Under Private reverse DNS servers, enter the IP of your router (its LAN IP, not the public WAN address and not 127.0.0.1) with port 54. For example, 192.168.1.1:54
  3. Ensure “Use private reverse DNS resolvers” is checked
  4. Ensure “Enable reverse resolving of clients’ IP addresses” is checked

Though you can adjust these settings to your preference, I use the following upstream DNS servers:

https://dns10.quad9.net/dns-query
tls://dns.quad9.net
https://base.dns.mullvad.net/dns-query
tls://base.dns.mullvad.net

Fallback DNS servers:

9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9

Bootstrap DNS servers:

9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10