openwrt-adguard-setup/setup-checklist.md

OpenWRT & AdGuard Setup - Quick Checklist

Pre-Setup Information

• Note current network gateway: 10.0.0.254 (TPLink)
• Note current DNS: 10.0.0.55 (HomeAssistant/AdGuard)
• OpenWRT target IP: 10.0.0.246
• New AdGuard IP: 10.0.0.245
• DHCP range: 10.0.0.1 - 10.0.0.200

---

Phase 1: OpenWRT Initial Setup (15 minutes)

Step 1: First Connection

• Connect Ethernet cable to OpenWRT LAN port
• Access default IP: http://192.168.1.1
• Login as root (no password on first boot)

Step 2: Set Security

• System → Administration → Router Password
• Set strong root password: _________________
• Save the password in your password manager

Step 3: Configure LAN Interface

• Network → Interfaces → LAN → Edit
• IPv4 address: 10.0.0.246
• IPv4 netmask: 255.255.255.0
• IPv4 gateway: 10.0.0.254
• Use custom DNS: 10.0.0.245
• Save & Apply
• Reconnect to http://10.0.0.246

---

Phase 2: DHCP Configuration (10 minutes)

Step 4: Basic DHCP

• Network → DHCP and DNS
• DNS forwardings: 10.0.0.245
• Save

Step 5: DHCP Range

• Network → Interfaces → LAN → Edit → DHCP Server
• Enable DHCP server: ✓
• Start: 1
• Limit: 200
• Lease time: 12h
• Save & Apply

Step 6: Static Leases

• Network → DHCP and DNS → Static Leases
• Add lease: HomeAssistant → MAC: ____________ → IP: 10.0.0.55
• Add lease: New AdGuard → MAC: ____________ → IP: 10.0.0.245
• Add lease: TPLink Router → MAC: ____________ → IP: 10.0.0.254
• Add other critical devices as needed

---

Phase 3: AdGuard Home Setup (20 minutes)

Step 7: Install AdGuard

Choose your installation method:

• Option A: Docker installation on ___________
• Option B: Native Linux installation on ___________
• Option C: Windows installation on ___________

Step 8: Initial Configuration

• Access: http://10.0.0.245:3000
• Complete setup wizard
• Admin interface port: 3000
• DNS server port: 53
• Set admin username: _________________
• Set admin password: _________________
• Save credentials in password manager

Step 9: Configure Upstream DNS

• Settings → DNS settings
• Add upstream servers:
  • https://dns.cloudflare.com/dns-query
  • https://dns.google/dns-query
  • 1.1.1.1
  • 8.8.8.8
• Enable parallel queries
• Save

Step 10: Add Blocklists

• Filters → DNS blocklists
• Add OISD Big List: https://big.oisd.nl/
• Add AdGuard DNS: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
• Add Steven Black: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
• Save and Apply

Step 11: Local DNS Entries

• Filters → DNS rewrites
• Add: openwrt.local → 10.0.0.246
• Add: adguard.local → 10.0.0.245
• Add: homeassistant.local → 10.0.0.55
• Add: router.local → 10.0.0.254

---

Phase 4: Access Control Setup (15 minutes)

Step 12: Install Required Packages

SSH to OpenWRT (ssh root@10.0.0.246):

opkg update
opkg install luci-app-firewall iptables-mod-extra

• Packages installed successfully

Step 13: Copy Device Control Script

• Upload device-control.sh to /root/
• Run: chmod +x /root/device-control.sh
• Run: /root/device-control.sh init

Step 14: Configure Persistence

• Edit /etc/firewall.user
• Add these lines:

ipset create blocked_devices hash:ip timeout 0 comment -exist
iptables -I FORWARD -m set --match-set blocked_devices src -j REJECT

• Save and exit
• Run: /etc/init.d/firewall restart

---

Phase 5: Testing (20 minutes)

Step 15: Test DHCP

• Connect test device to network
• Verify IP received in range 10.0.0.1-200
• Verify DNS server shows as 10.0.0.245
• Verify gateway is 10.0.0.254 or 10.0.0.246

Step 16: Test DNS Resolution

From test device:

nslookup google.com 10.0.0.245

• DNS query successful
• Response received

Step 17: Test AdGuard Filtering

• Access http://10.0.0.245:3000
• Dashboard → Query Log
• Browse to a website from test device
• Verify queries appear in log
• Try accessing known ad domain
• Verify ads are blocked

Step 18: Test Access Control

• Get test device IP: _________________
• Run: /root/device-control.sh block [IP] "Test Device"
• Verify internet access is blocked
• Run: /root/device-control.sh unblock [IP]
• Verify internet access restored

Step 19: Verify Static Leases

• Check each static device is getting correct IP
• HomeAssistant: 10.0.0.55 ✓
• New AdGuard: 10.0.0.245 ✓
• TPLink Router: 10.0.0.254 ✓

---

Phase 6: Backup & Documentation (10 minutes)

Step 20: Create Backups

• OpenWRT: System → Backup/Flash → Generate Archive
• Save backup file: openwrt-backup-[DATE].tar.gz
• AdGuard: Settings → General → Export Settings
• Save backup file: adguard-backup-[DATE].yaml

Step 21: Document Your Setup

Create a file with:

• OpenWRT admin password
• AdGuard admin credentials
• List of static IP assignments
• List of blocked devices (if any)
• Any custom firewall rules
• Backup file locations

---

Post-Setup Verification

Final Checks

• All devices can get DHCP leases
• DNS resolution working through AdGuard
• Internet access working for allowed devices
• AdGuard dashboard accessible
• OpenWRT web interface accessible
• Device blocking working correctly
• Static leases all functioning
• Local DNS names resolving (openwrt.local, etc.)

Performance Checks

• Run speed test from multiple devices
• Verify DNS response times in AdGuard
• Check for any connection issues
• Monitor AdGuard query log for problems

---

Common Device Management Commands

Block/Unblock Devices

# Block a device
/root/device-control.sh block 10.0.0.100 "Kids Tablet"

# Unblock a device
/root/device-control.sh unblock 10.0.0.100

# List all blocked devices
/root/device-control.sh list

# Check device status
/root/device-control.sh status 10.0.0.100

Monitor System

# View DHCP leases
cat /tmp/dhcp.leases

# View system log
logread

# Check DNS traffic
tcpdump -i br-lan port 53

# Restart services
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart

---

Troubleshooting Reference

Issue: Can't access OpenWRT web interface

/etc/init.d/uhttpd restart
netstat -tulpn | grep :80

Issue: DHCP not giving out addresses

/etc/init.d/dnsmasq restart
logread | grep -i dhcp

Issue: DNS not resolving

nslookup google.com 10.0.0.245
ping 10.0.0.245

Issue: Device blocking not working

ipset list blocked_devices
iptables -L FORWARD -v -n
/etc/init.d/firewall restart

---

Maintenance Schedule

Weekly

• Check AdGuard query logs for anomalies
• Review blocked devices list
• Check OpenWRT system log for errors

Monthly

• Update AdGuard blocklists
• Review and update static leases
• Check for OpenWRT updates: System → Software
• Create fresh backups

Quarterly

• Review all firewall rules
• Audit device access permissions
• Update OpenWRT firmware if available
• Test backup restoration procedure

---

Emergency Contacts & Resources

Reset Instructions

OpenWRT Hard Reset:

• Press and hold reset button for 10 seconds
• Default IP will be 192.168.1.1

AdGuard Reset:

• Stop AdGuard service
• Delete config files
• Restart and run setup wizard

Support Resources

• OpenWRT Forum: https://forum.openwrt.org/
• AdGuard Forum: https://forum.adguard.com/
• This documentation folder: ________________

---

Completion Sign-off

Setup completed by: _________________ Date: _________________ Time taken: _______ minutes

All phases completed successfully: ☐ YES ☐ NO

Notes/Issues encountered:

---

---

---

Next review date: _________________