# OpenWRT & AdGuard Setup - Quick Checklist

## Pre-Setup Information

- [ ] Note current network gateway: **10.0.0.246** (TP-Link AP)
- [ ] Note current DNS: **10.0.0.55** (HomeAssistant/AdGuard)
- [ ] OpenWRT target IP: **10.0.0.254**
- [ ] New AdGuard IP: **10.0.0.245**
- [ ] New TP-Link AP IP: **10.0.0.246**
- [ ] DHCP range: **10.0.0.1 - 10.0.0.200**

---

## Phase 1: OpenWRT Initial Setup (15 minutes)

### Step 1: First Connection

- [ ] Connect Ethernet cable to OpenWRT LAN port
- [ ] Access default IP: http://192.168.1.1
- [ ] Login as root (no password on first boot)

### Step 2: Set Security

- [ ] System → Administration → Router Password
- [ ] Set strong root password: _________________
- [ ] Save the password in your password manager

### Step 3: Configure LAN Interface

- [ ] Network → Interfaces → LAN → Edit
- [ ] IPv4 address: `10.0.0.254`
- [ ] IPv4 netmask: `255.255.255.0`
- [ ] IPv4 gateway: `10.0.0.254`
- [ ] Use custom DNS: `10.0.0.245`
- [ ] Save & Apply
- [ ] Reconnect to http://10.0.0.254

---

## Phase 2: DHCP Configuration (10 minutes)

### Step 4: Basic DHCP

- [ ] Network → DHCP and DNS
- [ ] DNS forwardings: `10.0.0.245`
- [ ] Save

### Step 5: DHCP Range

- [ ] Network → Interfaces → LAN → Edit → DHCP Server
- [ ] Enable DHCP server: ✓
- [ ] Start: `1`
- [ ] Limit: `200`
- [ ] Lease time: `12h`
- [ ] Save & Apply

### Step 6: Advanced DHCP Options

- [ ] Network → DHCP and DNS → Advanced
- [ ] Add DHCP Options:
  - [ ] Dual DNS: `6,10.0.0.245,10.0.0.254`
  - [ ] Domain: `15,home.local`
  - [ ] NTP Server: `42,10.0.0.254`
- [ ] Save & Apply

### Step 7: Static Leases

- [ ] Network → DHCP and DNS → Static Leases
- [ ] Add lease: HomeAssistant → MAC: _______________ → IP: 10.0.0.55
- [ ] Add lease: New AdGuard → MAC: _______________ → IP: 10.0.0.245
- [ ] Add lease: TPLink Router → MAC: _______________ → IP: 10.0.0.246
- [ ] Add other critical devices as needed

---

## Phase 3: AdGuard Home Setup (20 minutes)

### Step 7: Install AdGuard

Choose your installation method:

- [ ] Option A: Docker installation on __________
- [ ] Option B: Native Linux installation on __________
- [ ] Option C: Windows installation on __________

### Step 8: Initial Configuration

- [ ] Access: http://10.0.0.245:3000
- [ ] Complete setup wizard
- [ ] Admin interface port: `3000`
- [ ] DNS server port: `53`
- [ ] Set admin username: _________________
- [ ] Set admin password: _________________
- [ ] Save credentials in password manager

### Step 9: Configure Upstream DNS

- [ ] Settings → DNS settings
- [ ] Add upstream servers:
  - [ ] `https://dns.cloudflare.com/dns-query`
  - [ ] `https://dns.google/dns-query`
  - [ ] `1.1.1.1`
  - [ ] `8.8.8.8`
- [ ] Enable parallel queries
- [ ] Save

### Step 10: Add Blocklists

- [ ] Filters → DNS blocklists
- [ ] Add OISD Big List: `https://big.oisd.nl/`
- [ ] Add AdGuard DNS: `https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt`
- [ ] Add Steven Black: `https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts`
- [ ] Save and Apply

### Step 11: Local DNS Entries

- [ ] Filters → DNS rewrites
- [ ] Add: `openwrt.local` → `10.0.0.254`
- [ ] Add: `adguard.local` → `10.0.0.245`
- [ ] Add: `homeassistant.local` → `10.0.0.55`
- [ ] Add: `tplink.local` → `10.0.0.246`

---

## Phase 4: Access Control Setup (15 minutes)

### Step 12: Install Required Packages

SSH to OpenWRT (`ssh root@10.0.0.254`):

```bash
opkg update
opkg install luci-app-firewall iptables-mod-extra
```

- [ ] Packages installed successfully

### Step 13: Copy Device Control Script

- [ ] Upload device-control.sh to /root/
- [ ] Run: `chmod +x /root/device-control.sh`
- [ ] Run: `/root/device-control.sh init`

### Step 14: Configure Persistence

- [ ] Edit /etc/firewall.user
- [ ] Add these lines:

```bash
ipset create blocked_devices hash:ip timeout 0 comment -exist
iptables -I FORWARD -m set --match-set blocked_devices src -j REJECT
```

- [ ] Save and exit
- [ ] Run: `/etc/init.d/firewall restart`

---

## Phase 5: Testing (20 minutes)

### Step 15: Test DHCP

- [ ] Connect test device to network
- [ ] Verify IP received in range 10.0.0.1-200
- [ ] Verify DNS servers show 10.0.0.245 and 10.0.0.254
- [ ] Verify gateway is 10.0.0.254

### Step 16: Test DNS Resolution

From test device:

```bash
nslookup google.com 10.0.0.245
```

- [ ] DNS query successful
- [ ] Response received

### Step 17: Test AdGuard Filtering

- [ ] Access http://10.0.0.245:3000
- [ ] Dashboard → Query Log
- [ ] Browse to a website from test device
- [ ] Verify queries appear in log
- [ ] Try accessing known ad domain
- [ ] Verify ads are blocked

### Step 18: Test Access Control

- [ ] Get test device IP: _________________
- [ ] Run: `/root/device-control.sh block [IP] "Test Device"`
- [ ] Verify internet access is blocked
- [ ] Run: `/root/device-control.sh unblock [IP]`
- [ ] Verify internet access restored

### Step 19: Verify Static Leases

- [ ] Check each static device is getting correct IP
- [ ] HomeAssistant: 10.0.0.55 ✓
- [ ] New AdGuard: 10.0.0.245 ✓
- [ ] TPLink Router: 10.0.0.246 ✓

---

## Phase 6: TP-Link AX72 Pro Configuration (AP Mode)

### Step 20: Connect to TP-Link

- [ ] Connect computer directly to TP-Link LAN port
- [ ] Access: `http://192.168.0.1` or `http://tplinkwifi.net`
- [ ] Login: `admin/admin` (or on sticker)

### Step 21: Change Operation Mode

- [ ] Advanced → System Tools → Operation Mode
- [ ] Select: "Access Point Mode"
- [ ] Click "Save"

### Step 22: Set Static IP

```
Advanced → Network → LAN
IP address: 10.0.0.246
Subnet Mask: 255.255.255.0
Gateway: 10.0.0.254
Primary DNS: 10.0.0.245
Secondary DNS: 10.0.0.254
Save
```

- [ ] Configuration saved
- [ ] Device will reboot

### Step 23: Reconnect After Reboot

- [ ] New address: `http://10.0.0.246`
- [ ] Login with same credentials

### Step 24: Configure WiFi 6 (2.4GHz)

```
Wireless → Wireless Settings (2.4GHz)
SSID: YourNetworkName
Channel: 1, 6, or 11
Channel Width: 20MHz or 40MHz (20MHz recommended)
Mode: 802.11ax (WiFi 6)
Max Tx Rate: 574 Mbps
Enable Wireless: ✓
Enable SSID Broadcast: ✓
Enable OFDMA: ✓
Enable MU-MIMO: ✓
Enable BSS Coloring: ✓
Enable Target Wake Time: ✓
Enable Beamforming: ✓
```

### Step 25: Configure WiFi 6 (5GHz)

```
Wireless → Wireless Settings (5GHz)
SSID: YourNetworkName-5G
Channel: 36, 40, 44, 48, 149, 153, 157, 161
Channel Width: 80MHz (or 160MHz if supported)
Mode: 802.11ax (WiFi 6)
Max Tx Rate: 2402 Mbps (80MHz) or 4804 Mbps (160MHz)
Enable Wireless: ✓
Enable SSID Broadcast: ✓
Enable OFDMA: ✓
Enable MU-MIMO: ✓
Enable BSS Coloring: ✓
Enable Target Wake Time: ✓
Enable Smart Connect: ✗ (disable unless needed)
```

### Step 26: WiFi Security (both bands)

```
Wireless → Wireless Security
Version: WPA3-Personal or WPA2/WPA3-Mixed
Encryption: AES
Wireless Password: [Strong password 12+ characters]
Group Key Update Period: 3600 seconds
```

---

## Phase 7: Backup & Documentation (10 minutes)

### Step 27: Create Backups

- [ ] OpenWRT: System → Backup/Flash → Generate Archive
- [ ] Save backup file: openwrt-backup-[DATE].tar.gz
- [ ] AdGuard: Settings → General → Export Settings
- [ ] Save backup file: adguard-backup-[DATE].yaml

### Step 28: Document Your Setup

Create a file with:

- [ ] OpenWRT admin password
- [ ] AdGuard admin credentials
- [ ] List of static IP assignments
- [ ] List of blocked devices (if any)
- [ ] Any custom firewall rules
- [ ] Backup file locations

---

## Post-Setup Verification

### Final Checks

- [ ] All devices can get DHCP leases
- [ ] DNS resolution working through AdGuard
- [ ] Internet access working for allowed devices
- [ ] AdGuard dashboard accessible
- [ ] OpenWRT web interface accessible
- [ ] Device blocking working correctly
- [ ] Static leases all functioning
- [ ] Local DNS names resolving (openwrt.local, etc.)
- [ ] Dual DNS configuration working (both 10.0.0.245 and 10.0.0.254)

### Performance Checks

- [ ] Run speed test from multiple devices
- [ ] Verify DNS response times in AdGuard
- [ ] Check for any connection issues
- [ ] Monitor AdGuard query log for problems

---

## Common Device Management Commands

### Block/Unblock Devices

```bash
# Block a device
/root/device-control.sh block 10.0.0.100 "Kids Tablet"

# Unblock a device
/root/device-control.sh unblock 10.0.0.100

# List all blocked devices
/root/device-control.sh list

# Check device status
/root/device-control.sh status 10.0.0.100
```

### Monitor System

```bash
# View DHCP leases
cat /tmp/dhcp.leases

# View system log
logread

# Check DNS traffic
tcpdump -i br-lan port 53

# Restart services
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart
```

---

## Troubleshooting Reference

### Issue: Can't access OpenWRT web interface

```bash
/etc/init.d/uhttpd restart
netstat -tulpn | grep :80
```

### Issue: DHCP not giving out addresses

```bash
/etc/init.d/dnsmasq restart
logread | grep -i dhcp
```

### Issue: DNS not resolving

```bash
nslookup google.com 10.0.0.245
ping 10.0.0.245
```

### Issue: Device blocking not working

```bash
ipset list blocked_devices
iptables -L FORWARD -v -n
/etc/init.d/firewall restart
```

---

## Maintenance Schedule

### Weekly

- [ ] Check AdGuard query logs for anomalies
- [ ] Review blocked devices list
- [ ] Check OpenWRT system log for errors

### Monthly

- [ ] Update AdGuard blocklists
- [ ] Review and update static leases
- [ ] Check for OpenWRT updates: System → Software
- [ ] Create fresh backups

### Quarterly

- [ ] Review all firewall rules
- [ ] Audit device access permissions
- [ ] Update OpenWRT firmware if available
- [ ] Test backup restoration procedure

---

## Emergency Contacts & Resources

### Reset Instructions

**OpenWRT Hard Reset:**

- Press and hold reset button for 10 seconds
- Default IP will be 192.168.1.1

**AdGuard Reset:**

- Stop AdGuard service
- Delete config files
- Restart and run setup wizard

### Support Resources

- OpenWRT Forum: https://forum.openwrt.org/
- AdGuard Forum: https://forum.adguard.com/
- This documentation folder: _________________

---

## Completion Sign-off

Setup completed by: _________________

Date: _________________

Time taken: ________ minutes

All phases completed successfully: ☐ YES ☐ NO

Notes/Issues encountered:

_____________________________________________

_____________________________________________

_____________________________________________

Next review date: _________________
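
A scripted form of the Step 15 and Step 19 checks (DHCP range and static leases), added here as an example and not part of the original checklist: it audits a dnsmasq lease file such as `/tmp/dhcp.leases` against the addressing plan above. The hostnames in `STATIC_PLAN` and the sample lease lines are assumptions constructed for illustration; the IPs and the 1-200 pool are the checklist's.

```shell
#!/bin/sh
# Added example: audit a dnsmasq lease file against the checklist's plan.
# Lease line format: <expiry-epoch> <mac> <ip> <hostname> <client-id>

# hostname=IP pairs. IPs are the checklist's; hostnames are assumed names.
STATIC_PLAN="homeassistant=10.0.0.55 adguard=10.0.0.245 tplink-ap=10.0.0.246"

audit_leases() {  # $1: lease file (default /tmp/dhcp.leases); prints findings
    awk -v plan="$STATIC_PLAN" '
    BEGIN {
        n = split(plan, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            want[kv[1]] = kv[2]; reserved[kv[2]] = kv[1]
        }
    }
    NF < 4 { printf "MALFORMED line %d\n", NR; next }
    {
        mac = tolower($2); ip = $3; host = tolower($4)
        if (split(ip, o, ".") != 4 || (o[1] "." o[2] "." o[3]) != "10.0.0") {
            printf "OFF_SUBNET %s %s\n", ip, mac; next
        }
        if (host in want) {              # a device with a static lease
            seen[host] = 1
            if (ip != want[host])
                printf "STATIC_MISMATCH %s has %s expected %s\n", host, ip, want[host]
        } else if (ip in reserved) {     # another host holds a reserved IP
            printf "RESERVED_IP_TAKEN %s held by %s (%s)\n", ip, host, mac
        } else if (o[4] + 0 < 1 || o[4] + 0 > 200) {   # pool is .1 to .200
            printf "OUT_OF_POOL %s %s\n", ip, host
        }
    }
    END { for (h in want) if (!(h in seen)) printf "STATIC_MISSING %s\n", h }
    ' "${1:-/tmp/dhcp.leases}"
}

sample_leases() {  # constructed sample data, not taken from a real router
    cat <<'EOF'
1735689600 aa:bb:cc:00:00:01 10.0.0.55 homeassistant 01:aa:bb:cc:00:00:01
1735689600 aa:bb:cc:00:00:02 10.0.0.240 adguard *
1735689600 aa:bb:cc:00:00:03 10.0.0.17 laptop 01:aa:bb:cc:00:00:03
1735689600 aa:bb:cc:00:00:04 10.0.0.246 unknown-box *
1735689600 aa:bb:cc:00:00:05 10.0.0.230 printer *
EOF
}
# Usage: sample_leases > /tmp/demo.leases; audit_leases /tmp/demo.leases
```

`STATIC_MISSING` only means the device holds no current DHCP lease, which is expected for a device given a manual address, such as the AP in Step 22. `RESERVED_IP_TAKEN` on the AdGuard or gateway address is the finding to investigate first, since clients send their DNS queries there.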