OpenWRT and AdGuard Home Configuration Guide
Network Overview
Current Setup:
- Router: 10.0.0.254 (TPLink)
- DNS: 10.0.0.55 (HomeAssistant/AdGuard)
New Setup:
- OpenWRT Router: 10.0.0.246
- New AdGuard: 10.0.0.245
- DHCP Range: 10.0.0.1 - 10.0.0.200
Part 1: Initial OpenWRT Setup
1.1 First Login and Basic Configuration
- Connect to OpenWRT:
  - Connect via Ethernet to LAN port
  - Default IP is usually 192.168.1.1
  - Access via browser: http://192.168.1.1
  - Default login: root (no password initially)
- Set Root Password: System → Administration → Router Password. Set a strong password immediately.
1.2 Configure LAN Interface
- Navigate to Network → Interfaces
- Edit LAN interface:
  - Protocol: Static address
  - IPv4 address: 10.0.0.246
  - IPv4 netmask: 255.255.255.0
  - IPv4 gateway: 10.0.0.254 (your main TPLink router)
  - Use custom DNS servers: 10.0.0.245 (your new AdGuard)
  - Click "Save" then "Save & Apply"
- Reconnect:
  - Your OpenWRT will now be at http://10.0.0.246
  - You may need to manually set your PC to 10.0.0.x network temporarily
Part 2: DHCP Server Configuration
2.1 Basic DHCP Settings
- Navigate to Network → DHCP and DNS
- Server Settings (General Settings tab):
  - Check "Authoritative" if this will be the only DHCP server on this network
  - DNS forwardings: 10.0.0.245
  - Click "Save"
- DHCP Pool Settings:
  - Navigate to Network → Interfaces → LAN → Edit → DHCP Server tab
  - Check "Enable this DHCP server"
  - Start: 1
  - Limit: 200
  - Lease time: 12h (or your preference)
2.2 Static Leases Configuration
- Navigate to Network → DHCP and DNS → Static Leases tab
- Add Static Leases:
  - Click "Add"
  - Hostname: Device name (e.g., "homeassistant")
  - MAC Address: Device MAC
  - IPv4 Address: Desired IP (e.g., 10.0.0.55)
  - Lease time: Leave empty for infinite
  - Click "Save" then "Save & Apply"
Example static leases you might want:
10.0.0.55 - HomeAssistant/Current AdGuard
10.0.0.245 - New AdGuard
10.0.0.246 - OpenWRT itself
10.0.0.254 - TPLink Router
2.3 DHCP Options for Custom DNS per Client
To set different DNS servers for specific clients, you'll need to use DHCP options.
Option 1: Via LuCI (GUI)
- Navigate to Network → DHCP and DNS → Static Leases
- When adding/editing a static lease, you can add DHCP options
- Add option 6 with comma-separated DNS IPs: 8.8.8.8,8.8.4.4
Option 2: Via Config File (more flexible)
SSH into OpenWRT and edit /etc/config/dhcp:
vi /etc/config/dhcp
Add configuration like this:
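# Tag that carries DHCP option 6 (DNS servers) for selected hosts.
# On a host entry, 'option dns' is a boolean (add DNS records for the host),
# so per-client DNS servers are assigned through a tag instead.
config tag 'customdns'
    list dhcp_option '6,8.8.8.8,8.8.4.4'

config host
    option name 'special-device'
    option mac 'AA:BB:CC:DD:EE:FF'
    option ip '10.0.0.100'
    option tag 'customdns'

config host
    option name 'standard-device'
    option mac '11:22:33:44:55:66'
    option ip '10.0.0.101'
    # Uses default DNS (AdGuard at 10.0.0.245)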
Then restart dnsmasq:
/etc/init.d/dnsmasq restart
Part 3: Access Control Configuration
3.1 Install Required Packages
SSH into your OpenWRT router and install firewall management tools:
opkg update
opkg install luci-app-firewall
opkg install iptables-mod-extra
3.2 Method 1: MAC Address Filtering (Simple Block)
Via LuCI:
- Navigate to Network → Wireless (if WiFi) or DHCP
- For each device you want to block:
  - Add to static lease with specific IP
  - Then create firewall rule to block that IP
Create Firewall Rule:
- Network → Firewall → Traffic Rules
- Add new rule:
  - Name: Block Device Name
  - Source zone: lan
  - Source MAC or IP: 10.0.0.XX or AA:BB:CC:DD:EE:FF
  - Destination zone: wan
  - Action: reject
3.3 Method 2: IP Sets for Group Management (Advanced)
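This allows you to easily manage groups of blocked devices. The commands below use iptables and ipset, so they apply to OpenWrt builds with the iptables-based firewall (fw3); OpenWrt 22.03 and later default to the nftables-based fw4.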
SSH Configuration:
Create custom firewall rules in /etc/firewall.user:
vi /etc/firewall.user
Add:
# Create IP set for blocked devices
ipset create blocked_devices hash:ip -exist
# Add devices to blocked list (can be managed dynamically)
ipset add blocked_devices 10.0.0.100 -exist
ipset add blocked_devices 10.0.0.101 -exist
# Block internet access for devices in the set
# (-o eth1 assumes eth1 is the WAN-facing device; substitute your own)
iptables -I FORWARD -m set --match-set blocked_devices src -o eth1 -j REJECT
Apply:
/etc/init.d/firewall restart
To add/remove devices from block list:
# Block a device
ipset add blocked_devices 10.0.0.150
# Unblock a device
ipset del blocked_devices 10.0.0.150
# List blocked devices
ipset list blocked_devices
3.4 Method 3: Parental Controls Package (Easiest GUI)
Install parental controls:
opkg update
opkg install luci-app-advanced-reboot
opkg install luci-app-simple-adblock # Optional, if not using AdGuard
For better device management, install:
opkg install luci-app-nlbwmon # Network bandwidth monitoring
This gives you per-device traffic monitoring and easier access control.
Part 4: AdGuard Home Setup (10.0.0.245)
4.1 Installation Options
Option A: Docker (Recommended if you have Docker)
docker run -d \
--name adguardhome \
--restart unless-stopped \
-v /path/to/adguard/work:/opt/adguardhome/work \
-v /path/to/adguard/conf:/opt/adguardhome/conf \
-p 10.0.0.245:53:53/tcp \
-p 10.0.0.245:53:53/udp \
-p 10.0.0.245:3000:3000/tcp \
adguard/adguardhome
Option B: Native Linux Install
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
Option C: Windows
Download from: https://github.com/AdguardTeam/AdGuardHome/releases
4.2 Initial AdGuard Configuration
- Access Setup: http://10.0.0.245:3000
- Setup Wizard:
  - Admin Web Interface: Port 3000 (or your choice)
  - DNS Server: Port 53
  - Admin credentials: Set username and password
- Configure Upstream DNS:
  - Navigate to Settings → DNS settings
  - Add upstream DNS servers:
    https://dns.cloudflare.com/dns-query
    https://dns.google/dns-query
    1.1.1.1
    8.8.8.8
  - Enable parallel queries for better performance
  - Set rate limit: 20 (adjust based on needs)
- Configure Private Reverse DNS:
  - Add your local network: 10.0.0.0/24
  - Enable "Use private reverse DNS resolvers"
- Enable Query Logging:
  - Settings → General settings
  - Query logs retention: 7 days (or your preference)
  - Statistics retention: 90 days
4.3 Blocklists Configuration
Add recommended blocklists:
- Navigate to Filters → DNS blocklists
- Add these lists:
# OISD Big List (comprehensive)
https://big.oisd.nl/
# AdGuard DNS filter
https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
# Steven Black's Unified Hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
# Hagezi's Pro DNS Blocklist
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro-onlydomains.txt
- Click "Save" and "Apply"
4.4 Custom Filtering Rules
For local network DNS resolution, add custom rules:
- Navigate to Filters → DNS rewrites
- Add entries:
  openwrt.local → 10.0.0.246
  adguard.local → 10.0.0.245
  homeassistant.local → 10.0.0.55
  router.local → 10.0.0.254
Part 5: Integration and Testing
5.1 Point OpenWRT to AdGuard
Ensure OpenWRT is configured to use AdGuard:
- Network → Interfaces → LAN → Edit
- Advanced Settings tab:
  - Use custom DNS servers: 10.0.0.245
- Network → DHCP and DNS:
  - DNS forwardings: 10.0.0.245
5.2 Testing DHCP
- Connect a test device to the OpenWRT network
- Check IP assignment:
  # On Windows
  ipconfig /all
  # On Linux
  ip addr show
- Verify you receive:
  - IP in range 10.0.0.1-200
  - DNS server: 10.0.0.245
  - Gateway: 10.0.0.246 or 10.0.0.254
5.3 Testing DNS Resolution
# On Windows
nslookup google.com 10.0.0.245
# On Linux
dig @10.0.0.245 google.com
5.4 Testing Access Control
- Add a device to block list
- Try to access internet from that device
- Verify connection is blocked
- Check OpenWRT firewall logs: Status → Firewall
5.5 Monitor AdGuard
- Access AdGuard dashboard: http://10.0.0.245:3000
- Check:
  - Query log shows requests
  - Blocked requests are being filtered
  - All devices are showing up
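A device that never shows up in the AdGuard query log may be sending its DNS somewhere else. The following is an added example, not part of the original guide: it reads `tcpdump -n` output for port 53 and lists each client that queries a resolver other than AdGuard at 10.0.0.245. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: list LAN clients whose DNS
# queries go to a resolver other than AdGuard Home.
# Input: text lines from `tcpdump -n` on stdin. Output: "client resolver".

ADGUARD_IP="10.0.0.245"   # AdGuard Home address used throughout this guide

dns_bypass() {
    awk -v adguard="$ADGUARD_IP" '
        # "10.0.0.23.51234" or "8.8.8.8.53:" -> address without the port
        function host(addr) {
            sub(/:$/, "", addr)
            sub(/\.[0-9]+$/, "", addr)
            return addr
        }
        # Last dot-separated component is the port
        function port(addr,    n, parts) {
            sub(/:$/, "", addr)
            n = split(addr, parts, ".")
            return parts[n]
        }
        $2 == "IP" && $4 == ">" {
            if (port($5) != "53") next      # keep queries, drop replies
            src = host($3); dst = host($5)
            if (src == adguard) next        # AdGuard asking its upstreams
            if (dst == adguard) next        # the intended path
            pair = src " " dst
            if (!(pair in seen)) { seen[pair] = 1; print pair }
        }
    '
}

# Constructed sample lines in tcpdump -n format (not captured traffic)
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.0.0.23.51234 > 10.0.0.245.53: 4660+ A? example.com. (29)
12:00:01.010002 IP 10.0.0.245.53 > 10.0.0.23.51234: 4660 1/0/0 A 192.0.2.10 (45)
12:00:02.000003 IP 10.0.0.100.40000 > 8.8.8.8.53: 100+ A? example.org. (29)
12:00:02.500004 IP 10.0.0.100.40001 > 8.8.8.8.53: 101+ AAAA? example.org. (29)
12:00:03.000005 IP 10.0.0.245.38000 > 1.1.1.1.53: 7+ A? example.com. (29)
12:00:04.000006 IP 10.0.0.57.41000 > 1.1.1.1.53: 9+ A? example.net. (29)
EOF
}

# Offline demo; on the router use instead:
#   tcpdump -n -l -i br-lan port 53 2>/dev/null | dns_bypass
sample_capture | dns_bypass
```

In the sample, 10.0.0.100 is listed because section 2.3 deliberately hands that client 8.8.8.8. DNS-over-HTTPS and DNS-over-TLS do not use port 53, so this check does not see them.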
Part 6: Advanced Configuration
6.1 Create Easy Device Management Script
Save this script on OpenWRT as /root/device-control.sh:
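#!/bin/sh
# Device Access Control Script for OpenWRT
ACTION=$1
DEVICE_IP=$2
DEVICE_NAME=$3

# block, unblock and status need an IP argument
case $ACTION in
    block|unblock|status)
        if [ -z "$DEVICE_IP" ]; then
            echo "Usage: $0 {block|unblock|status} IP [NAME]"
            exit 1
        fi
        ;;
esac

case $ACTION in
    block)
        # -exist: no error if the address is already in the set
        ipset add blocked_devices "$DEVICE_IP" -exist || exit 1
        echo "Blocked: $DEVICE_NAME ($DEVICE_IP)"
        ;;
    unblock)
        # -exist: no error if the address is not in the set
        ipset del blocked_devices "$DEVICE_IP" -exist || exit 1
        echo "Unblocked: $DEVICE_NAME ($DEVICE_IP)"
        ;;
    list)
        echo "Currently blocked devices:"
        ipset list blocked_devices
        ;;
    status)
        # ipset test exits 0 when the address is in the set
        if ipset test blocked_devices "$DEVICE_IP"; then
            echo "$DEVICE_IP is BLOCKED"
        else
            echo "$DEVICE_IP is ALLOWED"
        fi
        ;;
    *)
        echo "Usage: $0 {block|unblock|list|status} [IP] [NAME]"
        exit 1
        ;;
esac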
Make executable:
chmod +x /root/device-control.sh
Usage:
# Block a device
./device-control.sh block 10.0.0.100 "Kids Tablet"
# Unblock
./device-control.sh unblock 10.0.0.100 "Kids Tablet"
# List all blocked
./device-control.sh list
# Check status
./device-control.sh status 10.0.0.100
6.2 Setup Scheduled Device Controls (Optional)
To block devices at specific times (e.g., bedtime):
# Edit crontab
crontab -e
Add entries:
# Block kids devices at 9 PM
0 21 * * * /root/device-control.sh block 10.0.0.100 "Kids Tablet"
# Unblock at 7 AM
0 7 * * * /root/device-control.sh unblock 10.0.0.100 "Kids Tablet"
6.3 Backup Configurations
OpenWRT Backup:
- System → Backup / Flash Firmware
- Click "Generate archive"
- Save the .tar.gz file
AdGuard Backup:
- Settings → General settings
- Scroll to "Export settings"
- Click "Download" to save YAML config
Part 7: Network Topology Options
Option A: OpenWRT as Router (Full Gateway)
Internet → TPLink (10.0.0.254) → OpenWRT (10.0.0.246) → Devices
↓
AdGuard (10.0.0.245)
- Requires routing configuration
- More complex but more control
Option B: OpenWRT as DHCP/Access Point (Recommended for your setup)
Internet → TPLink (10.0.0.254) ← Gateway for all
↓
OpenWRT (10.0.0.246) - DHCP Server + Access Control
↓
AdGuard (10.0.0.245) - DNS Filtering
↓
Devices (10.0.0.1-200)
- OpenWRT provides DHCP and access control
- TPLink remains gateway
- AdGuard handles DNS
- Simpler setup, which I've documented above
Troubleshooting
DHCP not working
# Check DHCP status
/etc/init.d/dnsmasq status
# Restart DHCP
/etc/init.d/dnsmasq restart
# Check logs
logread | grep -i dhcp
DNS not resolving
# Test DNS on OpenWRT itself
nslookup google.com 10.0.0.245
# Check if AdGuard is running
# On AdGuard server
netstat -tulpn | grep :53
Access control not working
# Check firewall rules
iptables -L FORWARD -v -n
# Check ipset
ipset list blocked_devices
# Reload firewall
/etc/init.d/firewall restart
Can't access OpenWRT web interface
# SSH in and check
netstat -tulpn | grep :80
# Restart web interface
/etc/init.d/uhttpd restart
Quick Reference Commands
# OpenWRT
/etc/init.d/network restart # Restart network
/etc/init.d/dnsmasq restart # Restart DHCP/DNS
/etc/init.d/firewall restart # Restart firewall
logread # View system logs
# View DHCP leases
cat /tmp/dhcp.leases
# View current connections
cat /proc/net/nf_conntrack
# Monitor traffic
tcpdump -i br-lan port 53 # Monitor DNS traffic
Next Steps
- Set up OpenWRT first with static IP 10.0.0.246
- Configure DHCP with your range and static leases
- Install and configure AdGuard on 10.0.0.245
- Point OpenWRT DNS to AdGuard
- Set up access control using one of the methods above
- Test thoroughly with various devices
- Create backups of both configurations
Security Recommendations
- Change default passwords on both OpenWRT and AdGuard
- Enable HTTPS for OpenWRT web interface (System → Administration → HTTP(S) Access)
- Disable SSH password authentication, use keys instead
- Keep OpenWRT updated: System → Software → Update lists
- Enable AdGuard statistics to monitor unusual activity
- Set up firewall rules to prevent LAN → LAN attacks if needed
- Regular backups of both configurations
Additional Resources
- OpenWRT Documentation: https://openwrt.org/docs/start
- AdGuard Home Documentation: https://github.com/AdguardTeam/AdGuardHome/wiki
- OpenWRT Forum: https://forum.openwrt.org/
- AdGuard Forum: https://forum.adguard.com/