jessikitty/openwrt-adguard-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e6fd4b39646b7f93c46c2cb98e4300c59550a6c
openwrt-adguard-setup/setup-checklist.md
jessikitty 952851cc25 Update IP configuration and add dual DNS setup 
Changes:
- OpenWRT IP changed from 10.0.0.246 to 10.0.0.254
- TP-Link AX72 IP changed from 10.0.0.254 to 10.0.0.246 (swapped)
- Added Step 6: Advanced DHCP Options with dual DNS configuration
- Added dual DNS verification in Step 15
- Updated all IP references throughout checklist
- Added TP-Link AX72 Pro WiFi 6 configuration phase
2025-12-15 11:19:05 +11:00

10 KiB
Raw Blame History

OpenWRT & AdGuard Setup - Quick Checklist

Pre-Setup Information

  • Note current network gateway: 10.0.0.246 (TP-Link AP)
  • Note current DNS: 10.0.0.55 (HomeAssistant/AdGuard)
  • OpenWRT target IP: 10.0.0.254
  • New AdGuard IP: 10.0.0.245
  • New TP-Link AP IP: 10.0.0.246
  • DHCP range: 10.0.0.1 - 10.0.0.200

Phase 1: OpenWRT Initial Setup (15 minutes)

Step 1: First Connection

  • Connect Ethernet cable to OpenWRT LAN port
  • Access default IP: http://192.168.1.1
  • Login as root (no password on first boot)

Step 2: Set Security

  • System → Administration → Router Password
  • Set strong root password: _________________
  • Save the password in your password manager

Step 3: Configure LAN Interface

  • Network → Interfaces → LAN → Edit
  • IPv4 address: 10.0.0.254
  • IPv4 netmask: 255.255.255.0
  • IPv4 gateway: 10.0.0.254
  • Use custom DNS: 10.0.0.245
  • Save & Apply
  • Reconnect to http://10.0.0.254

Phase 2: DHCP Configuration (10 minutes)

Step 4: Basic DHCP

  • Network → DHCP and DNS
  • DNS forwardings: 10.0.0.245
  • Save

Step 5: DHCP Range

  • Network → Interfaces → LAN → Edit → DHCP Server
  • Enable DHCP server: ✓
  • Start: 1
  • Limit: 200
  • Lease time: 12h
  • Save & Apply

Step 6: Advanced DHCP Options

  • Network → DHCP and DNS → Advanced
  • Add DHCP Options:
    • Dual DNS: 6,10.0.0.245,10.0.0.254
    • Domain: 15,home.local
    • NTP Server: 42,10.0.0.254
  • Save & Apply

Step 7: Static Leases

  • Network → DHCP and DNS → Static Leases
  • Add lease: HomeAssistant → MAC: _______________ → IP: 10.0.0.55
  • Add lease: New AdGuard → MAC: _______________ → IP: 10.0.0.245
  • Add lease: TPLink Router → MAC: _______________ → IP: 10.0.0.246
  • Add other critical devices as needed

Phase 3: AdGuard Home Setup (20 minutes)

Step 7: Install AdGuard

Choose your installation method:

  • Option A: Docker installation on __________
  • Option B: Native Linux installation on __________
  • Option C: Windows installation on __________

Step 8: Initial Configuration

  • Access: http://10.0.0.245:3000
  • Complete setup wizard
  • Admin interface port: 3000
  • DNS server port: 53
  • Set admin username: _________________
  • Set admin password: _________________
  • Save credentials in password manager

Step 9: Configure Upstream DNS

  • Settings → DNS settings
  • Add upstream servers:
    • https://dns.cloudflare.com/dns-query
    • https://dns.google/dns-query
    • 1.1.1.1
    • 8.8.8.8
  • Enable parallel queries
  • Save

Step 10: Add Blocklists

  • Filters → DNS blocklists
  • Add OISD Big List: https://big.oisd.nl/
  • Add AdGuard DNS: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  • Add Steven Black: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  • Save and Apply

Step 11: Local DNS Entries

  • Filters → DNS rewrites
  • Add: openwrt.local10.0.0.254
  • Add: adguard.local10.0.0.245
  • Add: homeassistant.local10.0.0.55
  • Add: tplink.local10.0.0.246

Phase 4: Access Control Setup (15 minutes)

Step 12: Install Required Packages

SSH to OpenWRT (ssh root@10.0.0.254):

opkg update
opkg install luci-app-firewall iptables-mod-extra
  • Packages installed successfully

Step 13: Copy Device Control Script

  • Upload device-control.sh to /root/
  • Run: chmod +x /root/device-control.sh
  • Run: /root/device-control.sh init

Step 14: Configure Persistence

  • Edit /etc/firewall.user
  • Add these lines:
ipset create blocked_devices hash:ip timeout 0 comment -exist
iptables -I FORWARD -m set --match-set blocked_devices src -j REJECT
  • Save and exit
  • Run: /etc/init.d/firewall restart

Phase 5: Testing (20 minutes)

Step 15: Test DHCP

  • Connect test device to network
  • Verify IP received in range 10.0.0.1-200
  • Verify DNS servers show 10.0.0.245 and 10.0.0.254
  • Verify gateway is 10.0.0.254

Step 16: Test DNS Resolution

From test device:

nslookup google.com 10.0.0.245
  • DNS query successful
  • Response received

Step 17: Test AdGuard Filtering

  • Access http://10.0.0.245:3000
  • Dashboard → Query Log
  • Browse to a website from test device
  • Verify queries appear in log
  • Try accessing known ad domain
  • Verify ads are blocked

Step 18: Test Access Control

  • Get test device IP: _________________
  • Run: /root/device-control.sh block [IP] "Test Device"
  • Verify internet access is blocked
  • Run: /root/device-control.sh unblock [IP]
  • Verify internet access restored

Step 19: Verify Static Leases

  • Check each static device is getting correct IP
  • HomeAssistant: 10.0.0.55 ✓
  • New AdGuard: 10.0.0.245 ✓
  • TPLink Router: 10.0.0.246 ✓

Phase 6: TP-Link AX72 Pro Configuration (AP Mode)

Step 20: Connect to TP-Link

  • Connect computer directly to TP-Link LAN port
  • Access: http://192.168.0.1 or http://tplinwifi.net
  • Login: admin/admin (or on sticker)

Step 21: Change Operation Mode

  • Advanced → System Tools → Operation Mode
  • Select: "Access Point Mode"
  • Click "Save"

Step 22: Set Static IP

Advanced → Network → LAN
IP address: 10.0.0.246
Subnet Mask: 255.255.255.0
Gateway: 10.0.0.254
Primary DNS: 10.0.0.245
Secondary DNS: 10.0.0.254
Save
  • Configuration saved
  • Device will reboot

Step 23: Reconnect After Reboot

  • New address: http://10.0.0.246
  • Login with same credentials

Step 24: Configure WiFi 6 (2.4GHz)

Wireless → Wireless Settings (2.4GHz)
SSID: YourNetworkName
Channel: 1, 6, or 11
Channel Width: 20MHz or 40MHz (20MHz recommended)
Mode: 802.11ax (WiFi 6)
Max Tx Rate: 574 Mbps
Enable Wireless: ✓
Enable SSID Broadcast: ✓
Enable OFDMA: ✓
Enable MU-MIMO: ✓
Enable BSS Coloring: ✓
Enable Target Wake Time: ✓
Enable Beamforming: ✓

Step 25: Configure WiFi 6 (5GHz)

Wireless → Wireless Settings (5GHz)
SSID: YourNetworkName-5G
Channel: 36, 40, 44, 48, 149, 153, 157, 161
Channel Width: 80MHz (or 160MHz if supported)
Mode: 802.11ax (WiFi 6)
Max Tx Rate: 2402 Mbps (80MHz) or 4804 Mbps (160MHz)
Enable Wireless: ✓
Enable SSID Broadcast: ✓
Enable OFDMA: ✓
Enable MU-MIMO: ✓
Enable BSS Coloring: ✓
Enable Target Wake Time: ✓
Enable Smart Connect: ✗ (disable unless needed)

Step 26: WiFi Security (both bands)

Wireless → Wireless Security
Version: WPA3-Personal or WPA2/WPA3-Mixed
Encryption: AES
Wireless Password: [Strong password 12+ characters]
Group Key Update Period: 3600 seconds

Phase 7: Backup & Documentation (10 minutes)

Step 27: Create Backups

  • OpenWRT: System → Backup/Flash → Generate Archive
  • Save backup file: openwrt-backup-[DATE].tar.gz
  • AdGuard: Settings → General → Export Settings
  • Save backup file: adguard-backup-[DATE].yaml

Step 28: Document Your Setup

Create a file with:

  • OpenWRT admin password
  • AdGuard admin credentials
  • List of static IP assignments
  • List of blocked devices (if any)
  • Any custom firewall rules
  • Backup file locations

Post-Setup Verification

Final Checks

  • All devices can get DHCP leases
  • DNS resolution working through AdGuard
  • Internet access working for allowed devices
  • AdGuard dashboard accessible
  • OpenWRT web interface accessible
  • Device blocking working correctly
  • Static leases all functioning
  • Local DNS names resolving (openwrt.local, etc.)
  • Dual DNS configuration working (both 10.0.0.245 and 10.0.0.254)

Performance Checks

  • Run speed test from multiple devices
  • Verify DNS response times in AdGuard
  • Check for any connection issues
  • Monitor AdGuard query log for problems

Common Device Management Commands

Block/Unblock Devices

# Block a device
/root/device-control.sh block 10.0.0.100 "Kids Tablet"

# Unblock a device
/root/device-control.sh unblock 10.0.0.100

# List all blocked devices
/root/device-control.sh list

# Check device status
/root/device-control.sh status 10.0.0.100

Monitor System

# View DHCP leases
cat /tmp/dhcp.leases

# View system log
logread

# Check DNS traffic
tcpdump -i br-lan port 53

# Restart services
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart

Troubleshooting Reference

Issue: Can't access OpenWRT web interface

/etc/init.d/uhttpd restart
netstat -tulpn | grep :80

Issue: DHCP not giving out addresses

/etc/init.d/dnsmasq restart
logread | grep -i dhcp

Issue: DNS not resolving

nslookup google.com 10.0.0.245
ping 10.0.0.245

Issue: Device blocking not working

ipset list blocked_devices
iptables -L FORWARD -v -n
/etc/init.d/firewall restart

Maintenance Schedule

Weekly

  • Check AdGuard query logs for anomalies
  • Review blocked devices list
  • Check OpenWRT system log for errors

Monthly

  • Update AdGuard blocklists
  • Review and update static leases
  • Check for OpenWRT updates: System → Software
  • Create fresh backups

Quarterly

  • Review all firewall rules
  • Audit device access permissions
  • Update OpenWRT firmware if available
  • Test backup restoration procedure

Emergency Contacts & Resources

Reset Instructions

OpenWRT Hard Reset:

  • Press and hold reset button for 10 seconds
  • Default IP will be 192.168.1.1

AdGuard Reset:

  • Stop AdGuard service
  • Delete config files
  • Restart and run setup wizard

Support Resources

Completion Sign-off

Setup completed by: _________________ Date: _________________ Time taken: ________ minutes

All phases completed successfully: ☐ YES ☐ NO

Notes/Issues encountered:

Next review date: _________________

Reference in New Issue View Git Blame Copy Permalink