AdGuardHome [RELEASE] Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI)

SomeWhereOverTheRainBow

Part of the Furniture

Asuswrt-Merlin-AdGuardHome-Installer

The Official Installer of AdGuardHome for Asuswrt-Merlin

Requirements:

  • ARM based ASUS routers (not bridges or access points) that use Asuswrt-Merlin Firmware
  • JFFS support and enabled
  • REQUIRES ENTWARE(!) for package management, and a separate USB drive for storage, i.e. the same drive Entware is stored on.
  • Recommended to have a 2 GB swap file (can be made with amtm).

Incompatibilities:

  • No known issues, but may not be compatible with "some" double-NAT or dual-WAN environments since AdGuardHome takes over DNSMASQ placement on port 53. DNSMASQ uses port 553 instead.

Current features:

  • AdGuardHome Network-wide ads & trackers blocking DNS server, with multiple dns protocol encryption, and other features.
  • Support ARM based routers
  • Redirect all DNS queries on your network to AdGuardHome if user chooses to use Merlin DNS Filter Option
  • Ability to update AdGuardHome without reinstalling/reconfiguring
  • Improved Installer/Update/Backup Functions.

AdGuardHome Supports Multiple Features


Features
  • 94.140.14.140: plain DNS (over UDP).
  • tls://dns-unfiltered.adguard.com: encrypted DNS-over-TLS.
  • https://cloudflare-dns.com/dns-query: encrypted DNS-over-HTTPS.
  • quic://dns-unfiltered.adguard.com:784: experimental DNS-over-QUIC support.
  • tcp://1.1.1.1: plain DNS (over TCP).
  • sdns://...: DNS Stamps for DNSCrypt or DNS-over-HTTPS resolvers.
  • [/example.local/]1.1.1.1: DNS upstream for specific domains, see below.
1650241718094.png

A good list of DNS servers and how to use them can be found in this post:

Setting Up Your Router's Reverse DNS


Lan
  • Under Lan DHCP page on Asuswrt-Merlin define a domain such as lan or some-domain like in the image above.
1650241786628.png

  • Define the appropriate rules inside the Private Reverse DNS Servers.
  • It should be noted that the Some-Domain line should be placed in the upstream DNS section.

Changelog:

https://github.com/jumpsmm7/Asuswrt-Merlin-AdGuardHome-Installer/commits/master

Install/Update/Reconfig/Uninstall:

Run this command from an SSH shell and follow the prompts for AdGuardHome:

Code:
curl -L -s -k -O https://raw.githubusercontent.com/jumpsmm7/Asuswrt-Merlin-AdGuardHome-Installer/master/installer && sh installer

Terminal Commands supported by AdGuardHome


Traditional Commands:

Code:
/opt/etc/init.d/S99AdGuardHome {start|stop|restart|check|kill|reload}

New Supported Commands (recommended commands):

Code:
service {start|stop|restart|kill|reload}_AdGuardHome

How to check if it works

Run this command in the ssh shell:
Code:
pidof AdGuardHome
will return a number.
or
Code:
/opt/etc/init.d/S99AdGuardHome check
which will return
Code:
 Checking AdGuardHome...              alive.

  1. While this is an ad-blocker just like Diversion, for all intents and purposes it shall be treated as an alternative and not a replacement. Diversion will continue to function as is.
  2. This script is not intended to be run on Access Points or Bridges.
  3. While browser ad-blocking can be beneficial alongside AdGuardHome, AdGuardHome is meant to be your only DNS ad-blocking solution; support will not be provided for misconfigurations involving more than one DNS ad-blocking solution.
  4. This script is only intended to install AdGuardHome as a basic local DNS service on an Asuswrt-Merlin router running in router mode; any extra configurations or misconfigurations on your part are beyond the scope of this installer.
  5. This script does not install/configure AdGuardHome as a Remote DoH, DoT, DoQ, or DNSCrypt DNS server.
  6. Feel free to use this thread to share information with each other.
 
Last edited:
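
The install command in the post above passes `-k` to curl, which turns off TLS certificate verification, and then runs whatever was downloaded. As an added example (not part of the original post or the installer project), this sketch fetches the same URL with verification on and executes the file only if it matches a pinned SHA-256. The function names are hypothetical, `EXPECTED_SHA256` is a placeholder because the thread publishes no hash, and it assumes `sha256sum` and `mktemp` exist on the router.

```shell
#!/bin/sh
# Added example (not from the installer project). Function names are hypothetical.
INSTALLER_URL="https://raw.githubusercontent.com/jumpsmm7/Asuswrt-Merlin-AdGuardHome-Installer/master/installer"
# Placeholder: the thread publishes no hash. Use the SHA-256 of a copy you have read.
EXPECTED_SHA256="REPLACE_WITH_REVIEWED_SHA256"

# Print the lowercase hex SHA-256 of FILE (assumes sha256sum is available).
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 only when FILE exists, the pin is a full 64-char digest, and they match.
verify_sha256() {
    [ -f "$1" ] || return 2
    [ "${#2}" -eq 64 ] || return 3   # rejects the unedited placeholder
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download over HTTPS only, with certificate checks on (no -k) and HTTP errors fatal.
fetch_installer() {
    curl --fail --location --silent --show-error --proto '=https' --tlsv1.2 \
        --output "$1" "$INSTALLER_URL"
}

# Fetch to a temp file, verify, and only then execute. Call this by hand.
install_verified() {
    tmp="$(mktemp)" || return 1
    if fetch_installer "$tmp" && verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
        sh "$tmp"
        rc=$?
    else
        echo "download or hash check failed; installer not executed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Because the URL tracks the `master` branch, the pinned hash has to be refreshed from a newly reviewed copy whenever the installer changes.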

SomeWhereOverTheRainBow

Part of the Furniture
AdGuardHome-Unbound-Manager Guide:

Many thanks to @Martineau, & Install Unbound-Manager using easy-mode. No need for installation of any of the extra unbound features such as statistics, unbound-adblock, dot integration, or dns-firewall:


Alternatively, users can choose to integrate using @dave14305's beautiful Unbound-Merlin-UI:


Just to recap for future user confusion:

Here is everything @xmanyes changed to make unbound-manager compatible (or simply unbound) for AdGuardHome upstream

1663639785770.png


For those who cry without having an IPV6 upstream:

1663639811555.png


Additional Notes:

Port 53535 may differ from @dave14305's port number, which can be cleanly modified from Unbound-Merlin-UI. Please adapt the port to what your unbound port is actually set to.


Boot Strap Resolvers:

These are specifically for initializing DoH/DoT encryption. These must be set to a real DNS address; leaving them as the default ones is perfectly acceptable!

1641192206835.png


Private Reverse DNS Servers:

These are already preconfigured by the installer to allow for easy client name resolution with Asuswrt-Merlin Routers. They point back to DNSMASQ which handles DHCP for the network. It is highly recommended not to change the defaults unless you know what you are doing or do not care about client name resolution.


1663639889592.png
 
Last edited:

SomeWhereOverTheRainBow

Part of the Furniture
To configure Guest Networks without YazFi:


An example of some of the addresses for guest networks done by the router:

Code:
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0
dhcp-option=br1,3,192.168.101.1
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0
dhcp-option=br2,3,192.168.102.1

What you need to add to dnsmasq.conf.add:

Code:
dhcp-option=br1,6,192.168.101.1,192.168.101.1

Code:
dhcp-option=br2,6,192.168.102.1,192.168.102.1

DNS enforcement would look like this (add these to firewall-start script):

Code:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 53 -i br1 -j DNAT --to-destination 192.168.101.1
iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -i br1 -j DNAT --to-destination 192.168.101.1
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 53 -i br2 -j DNAT --to-destination 192.168.102.1
iptables -t nat -A PREROUTING -p udp -m udp --dport 53 -i br2 -j DNAT --to-destination 192.168.102.1


To configure with YazFi:


1643809093804.png


You change the DNS address to reflect the first address of the network. For example, if 192.168.2.0/24 is the network, the address would be 192.168.2.1.

Additionally, if directing the guest network to a VPN server using Yaz-Fi, you must set the "VPN Accept DNS" method to disabled. The below illustrates how:

1643819959619.png

Otherwise the VPN server will force its DNS on clients instead of allowing AdGuardHome as the only DNS.

If you are still interested in using the DNS servers of the VPN provider, just put the VPN DNS server addresses in the upstream section of AdGuardHome; otherwise queries will go to the designated DNS servers placed in the upstream section of AdGuardHome, but they will travel by way of the VPN server.

Scribe Integration:

@Markfree has shared a quick and easy way to integrate AdGuardHome with scribe.

However, the sed command will have to be rerun every time the installer update option is run because the S99 file for AdGuardHome is dynamically replaced on updates... At least until I have time to add this as a feature to the installer.
 
Last edited:
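
The guest-network DNS enforcement from the post above, as an added example that is not part of the original post or the installer: it derives the four DNAT rules and the matching `dhcp-option` lines from one list of bridge/gateway pairs, and adds each rule only if `iptables -C` reports it missing, so rerunning the script does not stack duplicates. The function names and the `GUEST_NETS` format are hypothetical; the interface names and addresses are the ones shown in the post.

```shell
#!/bin/sh
# Added example. GUEST_NETS is a constructed list of "bridge:gateway" pairs
# using the br1/br2 values from the post; adjust to your own guest networks.
GUEST_NETS="br1:192.168.101.1 br2:192.168.102.1"

# Build one rule spec (everything after -A/-C) for IFACE PROTO GATEWAY.
dnat_spec() {
    echo "PREROUTING -p $2 -m $2 --dport 53 -i $1 -j DNAT --to-destination $3"
}

# Loose dotted-quad shape check so a typo never reaches iptables.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the tcp and udp rule specs for every pair in the list.
plan_rules() {
    for net in $1; do
        iface="${net%%:*}"
        gw="${net#*:}"
        valid_ipv4 "$gw" || { echo "skipping $net: bad gateway" >&2; continue; }
        for proto in tcp udp; do
            dnat_spec "$iface" "$proto" "$gw"
        done
    done
}

# Add each planned rule only when it is not already present in the nat table.
apply_rules() {
    plan_rules "$1" | while read -r spec; do
        # $spec is left unquoted on purpose so it splits into iptables arguments.
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    done
}

# Print the dnsmasq.conf.add lines that hand each guest network its own gateway as DNS.
dnsmasq_lines() {
    for net in $1; do
        echo "dhcp-option=${net%%:*},6,${net#*:},${net#*:}"
    done
}
```

Calling `apply_rules "$GUEST_NETS"` from firewall-start applies the rules. Redirecting port 53 only covers plain DNS; clients that speak DNS-over-TLS or DNS-over-HTTPS directly are not affected by these rules.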

thelonelycoder

Part of the Furniture
amtm support is coming soon to a router near you…
 

thelonelycoder

Part of the Furniture
I think we're going to need a Diversion vs Adguard comparison :)
I have not had the time to really look at the WebUI but it looks nice. And Diversion is sitting on that test router, waiting in vain for something to do.
 

BreakingDad

Very Senior Member
I currently run adguard on a pi4, you think the performance would be better on a standalone pi or adding to the router?

Great work btw, hope this is added to amtm.
 

BreakingDad

Very Senior Member
o_Oo_Oo_O Pages load slower with Adguardhome, but less memory footprint. That is my for what its worth analysis.
When you say slower, can you be more specific ? On my pi based adguard I get an average processing time of 31ms with literally all the filters and parental controls on.
 

thelonelycoder

Part of the Furniture
Great work btw, hope this is added to amtm.
I'm the one that gently asked the devs last Friday for this thread's installer script to be coded - in the hope that I can add support in amtm.

Things got very busy very quickly behind the scenes. The AdGuardHome install script is released, now I have to code my part of the deal.
I'm about 85% done.
 

SomeWhereOverTheRainBow

Part of the Furniture
When you say slower, can you be more specific ? On my pi based adguard I get an average processing time of 31ms with literally all the filters and parental controls on.
Refresh times and query times. It takes longer to load webpages because of the filtering methods. It doesn't imply the ad-blocking isn't good. For example, in comparison with pihole and diversion, I have gotten marginally faster query times with pihole and diversion.
 
Last edited:

SomeWhereOverTheRainBow

Part of the Furniture
I currently run adguard on a pi4, you think the performance would be better on a standalone pi or adding to the router?

Great work btw, hope this is added to amtm.
I imagine it would be. Much faster response times on the router. The only difference is, you may get away with a larger filter size on the rpi than the router. I haven't tested this aspect out yet.
 

SomeWhereOverTheRainBow

Part of the Furniture
Why or how could it be much faster response time on the router? If the raspberry pi (4) is at your lan it should only add 1-2ms, right?
Like I said, still needs testing. I am looking for the many entrepreneurs of the forum to help fill in those gaps. If you feel up to the challenge, let us know. I imagine the response times will be faster, but that is still yet to be tested.
 

thelonelycoder

Part of the Furniture
Support for Asuswrt-Merlin-AdGuardHome-Installer has been added to amtm

Use u in amtm to update to its latest version 3.2.3
 

SomeWhereOverTheRainBow

Part of the Furniture
Is there a way to set up a way to bypass Adguard for certain clients like with Diversion?
Dnsfilter on asuswrt-merlin or using iptables. You can also leverage adguardhome to control what (if any) filters get used by the client in question. As far as I know you could send the client through adguardhome and define a ruleset for it that makes it use no filters. Or simply use dnsfilter on asuswrt-merlin to make it completely bypass adguardhome altogether.

Visit the adguardhome wiki to see all that adguardhome is capable of

 
Last edited:

BreakingDad

Very Senior Member
Support for Asuswrt-Merlin-AdGuardHome-Installer has been added to amtm

Use u in amtm to update to its latest version 3.2.3
wow two amtm updates in 1 day :) impressive.
 

zekesdad

Regular Contributor
This exits with an error for me: pastebin.com/igTC64Jn

Seems like it thinks I'm not using a compatible router maybe? I don't know though, I'm on an RT-AX86U with 386.4 fw.
 
