How to install Adguard Home on your OpenWrt router

AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it’ll cover ALL your home devices, and you don’t need any client-side software for that.

It operates as a DNS server that re-routes tracking domains to a “black hole”, thus preventing your devices from connecting to those servers.

Compared to Pi-Hole, Adguard Home doesn’t requires additional dependencies so you can run it on OpenWrt without problems. It also supports DNS caching and encryption without additional software.

System requirements

A router with a recent version of OpenWrt installed
At least 100MB of free RAM
At least 20MB of free disk space

For this guide I’m going to use a Belkin RT3200 / Linksys E8450

Installation

This router has an arm64 processor but you may need to replace it with the architecture that matches your router (eg armv7, mips, etc), SSH into your router and run:


opkg update && opkg install wget
mkdir /opt/ && cd /opt/
wget -c https://static.adguard.com/adguardhome/release/AdGuardHome_linux_arm64.tar.gz
tar xfvz AdGuardHome_linux_arm64.tar.gz
rm AdGuardHome_linux_arm64.tar.gz
/opt/AdGuardHome/AdGuardHome -s install

Initial configuration

If your router is not at 192.168.1.1 then replace the IP address accordingly

Go to 192.168.1.1:3000
Setup the admin web interface to listen in 192.168.1.1 at port 8080
Set DNS server to listen in 192.168.1.1 at port 5353
Create an user and choose a strong password

Make your devices use AdGuard Home

Now that AGH is up and running we need to make our devices use it as their DNS server:

Navigate to LuCi and go to Network -> DHCP and DNS
Add 192.168.1.1#5353 into DNS forwardings, then click Save & Apply
Navigate to Resolv and Hosts Files tab and check the Ignore resolv file option to prevent the router from using the DNS servers provided by your ISP

Intercept all DNS traffic

This step is optional, however there are apps and devices that ship with a harcoded DNS server (such as 8.8.8.8) making our filtering rules useless unless we redirect those queries to our AGH instance.

Navigate to LuCI → Network → Firewall → Port Forwards
Click Add and specify:
- Name: Intercept-DNS
- Protocol: TCP, UDP
- Source zone: lan
- External port: 53
- Destination zone: unspecified
- Internal IP address: any
- Internal port: any
Then click Save & Apply

CLI instructions


# Intercept DNS traffic
uci -q delete firewall.dns_int
uci set firewall.dns_int="redirect"
uci set firewall.dns_int.name="Intercept-DNS"
uci set firewall.dns_int.src="lan"
uci set firewall.dns_int.src_dport="53"
uci set firewall.dns_int.proto="tcp udp"
uci set firewall.dns_int.target="DNAT"
# Also intercept IPv6 DNS traffic
uci set firewall.dns_int.family="any"
uci commit firewall
/etc/init.d/firewall restart

Final notes

Now that you have AdGuard Home up and running feel free to play with the settings, here are some of my recommendations:

DNS

Choose the DNS providers of your choice (Adguard Home supports both regular unencrypted DNS and encrypted DNS protocols such as DoH, DoH3, DoT and DoQ out of the box):

Upstream DNS servers:

h3://cloudflare-dns.com/dns-query h3://dns.google/dns-query quic://dns.nextdns.io [/lan/]127.0.0.1 [//]127.0.0.1
Parallel requests: enabled (improves performance)
Private reverse DNS servers (for client names resolution):

127.0.0.1
Rate limit: 0 (if this is your LAN I don't see any reason to limit the number of requests)
Optimistic caching: enabled (dramatically improves performance)

Filters

Adguard Home supports hosts and adblock style blocklists, you can choose from the ones provided by default or add your own.

Personally, I use the HaGeZi Light blocklist but OISD Big is another good alternative for a set and forget setup.

Enjoy happy and safe browsing!