jessikitty/openwrt-adguard-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
952851cc257eaf35780a18a1fa082a6565163a94
openwrt-adguard-setup/setup-checklist.md
jessikitty 952851cc25 Update IP configuration and add dual DNS setup 
Changes:
- OpenWRT IP changed from 10.0.0.246 to 10.0.0.254
- TP-Link AX72 IP changed from 10.0.0.254 to 10.0.0.246 (swapped)
- Added Step 6: Advanced DHCP Options with dual DNS configuration
- Added dual DNS verification in Step 15
- Updated all IP references throughout checklist
- Added TP-Link AX72 Pro WiFi 6 configuration phase
2025-12-15 11:19:05 +11:00

409 lines
10 KiB
Markdown
Raw Blame History

# OpenWRT & AdGuard Setup - Quick Checklist
## Pre-Setup Information
- [ ] Note current network gateway: **10.0.0.246** (TP-Link AP)
- [ ] Note current DNS: **10.0.0.55** (HomeAssistant/AdGuard)
- [ ] OpenWRT target IP: **10.0.0.254**
- [ ] New AdGuard IP: **10.0.0.245**
- [ ] New TP-Link AP IP: **10.0.0.246**
- [ ] DHCP range: **10.0.0.1 - 10.0.0.200**
---
## Phase 1: OpenWRT Initial Setup (15 minutes)
### Step 1: First Connection
- [ ] Connect Ethernet cable to OpenWRT LAN port
- [ ] Access default IP: http://192.168.1.1
- [ ] Login as root (no password on first boot)
### Step 2: Set Security
- [ ] System → Administration → Router Password
- [ ] Set strong root password: _________________
- [ ] Save the password in your password manager
### Step 3: Configure LAN Interface
- [ ] Network → Interfaces → LAN → Edit
- [ ] IPv4 address: `10.0.0.254`
- [ ] IPv4 netmask: `255.255.255.0`
- [ ] IPv4 gateway: `10.0.0.254`
- [ ] Use custom DNS: `10.0.0.245`
- [ ] Save & Apply
- [ ] Reconnect to http://10.0.0.254
---
## Phase 2: DHCP Configuration (10 minutes)
### Step 4: Basic DHCP
- [ ] Network → DHCP and DNS
- [ ] DNS forwardings: `10.0.0.245`
- [ ] Save
### Step 5: DHCP Range
- [ ] Network → Interfaces → LAN → Edit → DHCP Server
- [ ] Enable DHCP server: ✓
- [ ] Start: `1`
- [ ] Limit: `200`
- [ ] Lease time: `12h`
- [ ] Save & Apply
### Step 6: Advanced DHCP Options
- [ ] Network → DHCP and DNS → Advanced
- [ ] Add DHCP Options:
- [ ] Dual DNS: `6,10.0.0.245,10.0.0.254`
- [ ] Domain: `15,home.local`
- [ ] NTP Server: `42,10.0.0.254`
- [ ] Save & Apply
### Step 7: Static Leases
- [ ] Network → DHCP and DNS → Static Leases
- [ ] Add lease: HomeAssistant → MAC: _______________ → IP: 10.0.0.55
- [ ] Add lease: New AdGuard → MAC: _______________ → IP: 10.0.0.245
- [ ] Add lease: TPLink Router → MAC: _______________ → IP: 10.0.0.246
- [ ] Add other critical devices as needed
---
## Phase 3: AdGuard Home Setup (20 minutes)
### Step 7: Install AdGuard
Choose your installation method:
- [ ] Option A: Docker installation on __________
- [ ] Option B: Native Linux installation on __________
- [ ] Option C: Windows installation on __________
### Step 8: Initial Configuration
- [ ] Access: http://10.0.0.245:3000
- [ ] Complete setup wizard
- [ ] Admin interface port: `3000`
- [ ] DNS server port: `53`
- [ ] Set admin username: _________________
- [ ] Set admin password: _________________
- [ ] Save credentials in password manager
### Step 9: Configure Upstream DNS
- [ ] Settings → DNS settings
- [ ] Add upstream servers:
- [ ] `https://dns.cloudflare.com/dns-query`
- [ ] `https://dns.google/dns-query`
- [ ] `1.1.1.1`
- [ ] `8.8.8.8`
- [ ] Enable parallel queries
- [ ] Save
### Step 10: Add Blocklists
- [ ] Filters → DNS blocklists
- [ ] Add OISD Big List: `https://big.oisd.nl/`
- [ ] Add AdGuard DNS: `https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt`
- [ ] Add Steven Black: `https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts`
- [ ] Save and Apply
### Step 11: Local DNS Entries
- [ ] Filters → DNS rewrites
- [ ] Add: `openwrt.local``10.0.0.254`
- [ ] Add: `adguard.local``10.0.0.245`
- [ ] Add: `homeassistant.local``10.0.0.55`
- [ ] Add: `tplink.local``10.0.0.246`
---
## Phase 4: Access Control Setup (15 minutes)
### Step 12: Install Required Packages
SSH to OpenWRT (ssh root@10.0.0.254):
```bash
opkg update
opkg install luci-app-firewall iptables-mod-extra
```
- [ ] Packages installed successfully
### Step 13: Copy Device Control Script
- [ ] Upload device-control.sh to /root/
- [ ] Run: `chmod +x /root/device-control.sh`
- [ ] Run: `/root/device-control.sh init`
### Step 14: Configure Persistence
- [ ] Edit /etc/firewall.user
- [ ] Add these lines:
```bash
ipset create blocked_devices hash:ip timeout 0 comment -exist
iptables -I FORWARD -m set --match-set blocked_devices src -j REJECT
```
- [ ] Save and exit
- [ ] Run: `/etc/init.d/firewall restart`
---
## Phase 5: Testing (20 minutes)
### Step 15: Test DHCP
- [ ] Connect test device to network
- [ ] Verify IP received in range 10.0.0.1-200
- [ ] Verify DNS servers show 10.0.0.245 and 10.0.0.254
- [ ] Verify gateway is 10.0.0.254
### Step 16: Test DNS Resolution
From test device:
```bash
nslookup google.com 10.0.0.245
```
- [ ] DNS query successful
- [ ] Response received
### Step 17: Test AdGuard Filtering
- [ ] Access http://10.0.0.245:3000
- [ ] Dashboard → Query Log
- [ ] Browse to a website from test device
- [ ] Verify queries appear in log
- [ ] Try accessing known ad domain
- [ ] Verify ads are blocked
### Step 18: Test Access Control
- [ ] Get test device IP: _________________
- [ ] Run: `/root/device-control.sh block [IP] "Test Device"`
- [ ] Verify internet access is blocked
- [ ] Run: `/root/device-control.sh unblock [IP]`
- [ ] Verify internet access restored
### Step 19: Verify Static Leases
- [ ] Check each static device is getting correct IP
- [ ] HomeAssistant: 10.0.0.55 ✓
- [ ] New AdGuard: 10.0.0.245 ✓
- [ ] TPLink Router: 10.0.0.246 ✓
---
## Phase 6: TP-Link AX72 Pro Configuration (AP Mode)
### Step 20: Connect to TP-Link
- [ ] Connect computer directly to TP-Link LAN port
- [ ] Access: `http://192.168.0.1` or `http://tplinwifi.net`
- [ ] Login: `admin/admin` (or on sticker)
### Step 21: Change Operation Mode
- [ ] Advanced → System Tools → Operation Mode
- [ ] Select: "Access Point Mode"
- [ ] Click "Save"
### Step 22: Set Static IP
```
Advanced → Network → LAN
IP address: 10.0.0.246
Subnet Mask: 255.255.255.0
Gateway: 10.0.0.254
Primary DNS: 10.0.0.245
Secondary DNS: 10.0.0.254
Save
```
- [ ] Configuration saved
- [ ] Device will reboot
### Step 23: Reconnect After Reboot
- [ ] New address: `http://10.0.0.246`
- [ ] Login with same credentials
### Step 24: Configure WiFi 6 (2.4GHz)
```
Wireless → Wireless Settings (2.4GHz)
SSID: YourNetworkName
Channel: 1, 6, or 11
Channel Width: 20MHz or 40MHz (20MHz recommended)
Mode: 802.11ax (WiFi 6)
Max Tx Rate: 574 Mbps
Enable Wireless: ✓
Enable SSID Broadcast: ✓
Enable OFDMA: ✓
Enable MU-MIMO: ✓
Enable BSS Coloring: ✓
Enable Target Wake Time: ✓
Enable Beamforming: ✓
```
### Step 25: Configure WiFi 6 (5GHz)
```
Wireless → Wireless Settings (5GHz)
SSID: YourNetworkName-5G
Channel: 36, 40, 44, 48, 149, 153, 157, 161
Channel Width: 80MHz (or 160MHz if supported)
Mode: 802.11ax (WiFi 6)
Max Tx Rate: 2402 Mbps (80MHz) or 4804 Mbps (160MHz)
Enable Wireless: ✓
Enable SSID Broadcast: ✓
Enable OFDMA: ✓
Enable MU-MIMO: ✓
Enable BSS Coloring: ✓
Enable Target Wake Time: ✓
Enable Smart Connect: ✗ (disable unless needed)
```
### Step 26: WiFi Security (both bands)
```
Wireless → Wireless Security
Version: WPA3-Personal or WPA2/WPA3-Mixed
Encryption: AES
Wireless Password: [Strong password 12+ characters]
Group Key Update Period: 3600 seconds
```
---
## Phase 7: Backup & Documentation (10 minutes)
### Step 27: Create Backups
- [ ] OpenWRT: System → Backup/Flash → Generate Archive
- [ ] Save backup file: openwrt-backup-[DATE].tar.gz
- [ ] AdGuard: Settings → General → Export Settings
- [ ] Save backup file: adguard-backup-[DATE].yaml
### Step 28: Document Your Setup
Create a file with:
- [ ] OpenWRT admin password
- [ ] AdGuard admin credentials
- [ ] List of static IP assignments
- [ ] List of blocked devices (if any)
- [ ] Any custom firewall rules
- [ ] Backup file locations
---
## Post-Setup Verification
### Final Checks
- [ ] All devices can get DHCP leases
- [ ] DNS resolution working through AdGuard
- [ ] Internet access working for allowed devices
- [ ] AdGuard dashboard accessible
- [ ] OpenWRT web interface accessible
- [ ] Device blocking working correctly
- [ ] Static leases all functioning
- [ ] Local DNS names resolving (openwrt.local, etc.)
- [ ] Dual DNS configuration working (both 10.0.0.245 and 10.0.0.254)
### Performance Checks
- [ ] Run speed test from multiple devices
- [ ] Verify DNS response times in AdGuard
- [ ] Check for any connection issues
- [ ] Monitor AdGuard query log for problems
---
## Common Device Management Commands
### Block/Unblock Devices
```bash
# Block a device
/root/device-control.sh block 10.0.0.100 "Kids Tablet"
# Unblock a device
/root/device-control.sh unblock 10.0.0.100
# List all blocked devices
/root/device-control.sh list
# Check device status
/root/device-control.sh status 10.0.0.100
```
### Monitor System
```bash
# View DHCP leases
cat /tmp/dhcp.leases
# View system log
logread
# Check DNS traffic
tcpdump -i br-lan port 53
# Restart services
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart
```
---
## Troubleshooting Reference
### Issue: Can't access OpenWRT web interface
```bash
/etc/init.d/uhttpd restart
netstat -tulpn | grep :80
```
### Issue: DHCP not giving out addresses
```bash
/etc/init.d/dnsmasq restart
logread | grep -i dhcp
```
### Issue: DNS not resolving
```bash
nslookup google.com 10.0.0.245
ping 10.0.0.245
```
### Issue: Device blocking not working
```bash
ipset list blocked_devices
iptables -L FORWARD -v -n
/etc/init.d/firewall restart
```
---
## Maintenance Schedule
### Weekly
- [ ] Check AdGuard query logs for anomalies
- [ ] Review blocked devices list
- [ ] Check OpenWRT system log for errors
### Monthly
- [ ] Update AdGuard blocklists
- [ ] Review and update static leases
- [ ] Check for OpenWRT updates: System → Software
- [ ] Create fresh backups
### Quarterly
- [ ] Review all firewall rules
- [ ] Audit device access permissions
- [ ] Update OpenWRT firmware if available
- [ ] Test backup restoration procedure
---
## Emergency Contacts & Resources
### Reset Instructions
**OpenWRT Hard Reset:**
- Press and hold reset button for 10 seconds
- Default IP will be 192.168.1.1
**AdGuard Reset:**
- Stop AdGuard service
- Delete config files
- Restart and run setup wizard
### Support Resources
- OpenWRT Forum: https://forum.openwrt.org/
- AdGuard Forum: https://forum.adguard.com/
- This documentation folder: _________________
---
## Completion Sign-off
Setup completed by: _________________
Date: _________________
Time taken: ________ minutes
All phases completed successfully: ☐ YES ☐ NO
Notes/Issues encountered:
_____________________________________________
_____________________________________________
_____________________________________________
Next review date: _________________
Reference in New Issue View Git Blame Copy Permalink