Installing AdGuard Home on PFSense

Today I will show how to install AdGuard Home on pfSense. I haven't tested this on OPNsense, but the FreeBSD binary used for pfSense may also work on HardenedBSD (OPNsense).

Why use AdGuard Home?

  • Pretty UI: while pfBlockerNG can do DNS blocking, it has a much more complex UI. The AdGuard Home UI is easier to use.
  • Built-in encrypted DNS: AdGuard Home supports encrypted upstream DNS (DNS over TLS, DNS over HTTPS).
  • Different querying methods: AdGuard Home supports parallel querying, where multiple upstream servers are queried at once. This is especially useful if you have an unreliable network.
  • FreeBSD support: AdGuard Home ships FreeBSD builds, so you won't have to virtualize anything.
  • Modify the DNS TTL to keep DNS records in cache for longer.

Step 1: Change the Port of your pfSense DNS Resolver

Log in to your pfSense firewall web UI, go to Services > DNS Resolver and change the "Listen Port" from port 53 to some other port; I chose 6666. Set Network Interfaces to localhost, since there is no need for the pfSense resolver to listen on the LAN interface.

To enable rDNS lookups and hostname lookups for devices on your LAN, enable "DHCP Registration" and "Static DHCP" in the DNS Resolver settings.

Step 2: Go to the AdGuard Home releases page and get the FreeBSD version:

Go to Releases · AdguardTeam/AdGuardHome

Then get the latest version of AdGuard Home for FreeBSD (as pfSense runs on FreeBSD). Most likely you have the 64-bit version of pfSense, so you need AdGuardHome_freebsd_amd64.tar.gz. If you have 32-bit pfSense you need AdGuardHome_freebsd_386.tar.gz instead.

Step 3: SSH into your pfSense box

Right-click and copy the link of the release.

SSH into your pfSense box using PuTTY or SSH on WSL and enter the following commands:

Code:
cd /
mkdir opt
cd opt
fetch https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.104.0-beta2/AdGuardHome_freebsd_amd64.tar.gz

Make sure to change the URL in the fetch command to the one you copied in Step 2 so that you get the latest version.
Code:
tar -xvf AdGuardHome_freebsd_amd64.tar.gz
cd AdGuardHome
./AdGuardHome

This last command runs AdGuard Home in the foreground so that we can do the initial configuration in the browser.

Step 4: Initial Configuration

Go to your router's address with port 3000 in your browser. In my case it's http://192.168.5.1:3000. Replace 192.168.5.1 with your pfSense address.

It should open the web interface of AdGuard Home.

Click on Get Started.

Now you will see a screen asking you to set the interfaces for the AdGuard Home UI and the resolver. Set both the Admin Interface and the DNS Server Interface to your LAN interface; in my case it is igb3. The IP of the interface is shown next to it to help you identify it. In my case it is 192.168.5.1, which is the IP address of my router.

Set the same interface for the DNS server.

Also, make sure to change the port of the web interface from 80 to something that is unlikely to be used on the network, let's say port 12838. Choose any high port that isn't likely to conflict with your other applications.

Next enter a username and password for your AdGuard Home. Make sure to use a strong password.

Click on Next and then Open Dashboard.

Now that the initial configuration of AdGuard Home is done, go back to the pfSense SSH session and terminate AdGuard Home with Ctrl+C.

Step 5: Installing some extra packages:

To make sure that AdGuard Home can download its filter lists without TLS errors, you will need to install ca_root_nss (the root CA certificate bundle).

Run this command in the pfSense SSH session:
Code:
pkg install ca_root_nss

Next you will need to install screen so that AdGuard Home keeps running even after the SSH session is closed.

Code:
pkg install screen

Let's also install the nano text editor so we can write and edit simple text files.

Code:
pkg install nano

Install the Shellcmd pfSense package from the web UI. It's under System > Package Manager > Installed Packages:


Step 6: Making AdGuard Home start on boot:

Go to Services > Shellcmd and click Add.

Command: /usr/local/bin/screen -S AdGuardHome_screen -d -m /opt/AdGuardHome/AdGuardHome
Shellcmd Type: shellcmd
Description: AdGuard


Click Save.
Reboot pfSense and AdGuard Home will start up.
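As an added example (my own helper, not part of the original guide or of AdGuard Home), the following POSIX shell script automates Steps 3 and 6. It assumes the /opt/AdGuardHome path and the AdGuardHome_screen session name used above, the release asset names from Step 2, and that screen has been installed with pkg as in Step 5; the install/start subcommands are my own naming. The start function only launches a session if none exists yet, so running it from Shellcmd at boot (as root) or by hand after an upgrade never produces two copies of AdGuard Home fighting over port 53.

```shell
#!/bin/sh
# Added example, not part of the original guide: a small helper that
# automates Steps 3 and 6 on a pfSense (FreeBSD) box.
# Assumptions: AdGuard Home lives in /opt/AdGuardHome and the screen session
# is named AdGuardHome_screen, as in the guide; release asset names follow
# the pattern shown in Step 2; `screen` has been installed with pkg (Step 5).
# The install/start subcommands are my own naming.

ADGUARD_DIR="${ADGUARD_DIR:-/opt/AdGuardHome}"
SCREEN_NAME="${SCREEN_NAME:-AdGuardHome_screen}"

# Map the FreeBSD machine architecture (output of `uname -m`) to the release
# asset name. Anything other than the two builds the guide mentions fails
# loudly instead of fetching nothing.
adguard_asset_name() {
    case "$1" in
        amd64) echo "AdGuardHome_freebsd_amd64.tar.gz" ;;
        i386)  echo "AdGuardHome_freebsd_386.tar.gz" ;;
        *)     echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Build the GitHub download URL for a release tag such as v0.104.0-beta2.
adguard_release_url() {
    asset=$(adguard_asset_name "$2") || return 1
    echo "https://github.com/AdguardTeam/AdGuardHome/releases/download/$1/$asset"
}

# Step 3: fetch and unpack the release next to $ADGUARD_DIR (i.e. into /opt).
adguard_install() {
    url=$(adguard_release_url "$1" "$(uname -m)") || return 1
    parent=$(dirname "$ADGUARD_DIR")
    tarball=$(basename "$url")
    mkdir -p "$parent" || return 1
    ( cd "$parent" && fetch -o "$tarball" "$url" && tar -xf "$tarball" )
}

# Step 6: start AdGuard Home in a detached screen session, but only if one
# is not already running. Safe to call repeatedly, e.g. from Shellcmd at
# boot or by hand after an upgrade.
adguard_start() {
    if screen -ls 2>/dev/null | grep -q "\.${SCREEN_NAME}[[:space:]]"; then
        echo "AdGuard Home screen session already running"
        return 0
    fi
    /usr/local/bin/screen -S "$SCREEN_NAME" -d -m "$ADGUARD_DIR/AdGuardHome"
}

# Usage: sh adguard-helper.sh install v0.104.0-beta2
#        sh adguard-helper.sh start
case "${1:-}" in
    install) adguard_install "$2" ;;
    start)   adguard_start ;;
esac
```

With this in place the Shellcmd entry from Step 6 can point at `sh /opt/adguard-helper.sh start` instead of the raw screen command, and the same script doubles as the upgrade procedure: stop the running session, run `install` with the new tag, then `start`.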

Step 7: Set Filters and DNS Resolvers for AdGuard Home:

Go to the web UI of AdGuard Home. It is at http://192.168.5.1:12838, where 192.168.5.1 is the IP of your pfSense box and 12838 is the port of the AdGuard Home web interface which we set in Step 4.

Login with your username and password which you set in Step 4.

Now go to Settings>DNS Settings

Use the upstream DNS servers of your choice. These are my resolvers:

Code:
https://dns10.quad9.net/dns-query
tls://dns.google
tls://1.1.1.1
https://doh.opendns.com/dns-query

Find more encrypted DNS resolvers at the DNS Privacy Project's list of public resolvers (DNS Privacy Public Resolvers - DNS Privacy Project - Global Site).

Set the query mode to "Parallel Requests" for faster queries.

By default AdGuard Home only uses the "AdGuard DNS filter", but you can add your own filters, such as

https://www.malwaredomainlist.com/hostslist/hosts.txt

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

and enable the filters that are disabled by default.

However, keep in mind that the higher the number of blocked domains, the higher the likelihood of false positives.

Step 8: Set pfSense to use the AdGuard DNS:

Go to System > General Setup in the pfSense web interface, set the DNS server to 192.168.5.1 and remove any other resolvers.

That's it, AdGuard Home is up and running on pfSense.


Step 9: Test AdGuard Home

Go to your pfSense SSH session and type in:

Code:
dig @192.168.5.1 google.com

where 192.168.5.1 is the IP of your router.

It should output the IP address of Google:

Code:
dig @192.168.5.1 google.com

; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.5.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 946
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             10      IN      A       74.125.130.147

;; Query time: 0 msec
;; SERVER: 192.168.5.1#53(192.168.5.1)
;; WHEN: Thu Jan 07 16:34:08 IST 2021
;; MSG SIZE  rcvd: 44

On Windows you can run

Code:
nslookup google.com 192.168.5.1

to test the resolver.
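A single dig answer shows that something resolves, but not that it was AdGuard Home that answered or that filtering is actually in effect. As an added example (my own script, not from the guide), the following POSIX shell functions parse dig output for the three things worth checking: the status, the A records in the ANSWER section, and the ";; SERVER:" line that tells you which resolver really answered. The first sample is the guide's own Step 9 output; the second is a constructed filtered answer. The blocked-domain check assumes AdGuard Home's default blocking mode, which answers filtered names with 0.0.0.0, and also accepts NXDOMAIN for installations configured that way.

```shell
#!/bin/sh
# Added example, not part of the original guide: parse `dig` output to verify
# that AdGuard Home on the pfSense LAN address is the resolver answering and
# that filtering works. RESOLVER defaults to the address used in the guide.
# Assumption: AdGuard Home's default blocking mode (0.0.0.0 for filtered
# names); NXDOMAIN mode is accepted as well.

RESOLVER="${RESOLVER:-192.168.5.1}"

# Extract the status field (NOERROR, NXDOMAIN, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the A records from the ANSWER SECTION only (one IP per line),
# ignoring anything in the AUTHORITY or ADDITIONAL sections.
dig_answer_ips() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^$/                  { in_ans = 0 }
         in_ans && $4 == "A"   { print $5 }'
}

# Print which server actually answered, as ip:port, from the ";; SERVER:" line.
# This is how you notice a query that silently went to a different resolver.
dig_server() {
    sed -n 's/^;; SERVER: \([0-9.]*\)#\([0-9]*\).*/\1:\2/p'
}

# Return 0 if the dig output on stdin looks like a filtered answer:
# either NXDOMAIN, or an A record of 0.0.0.0.
is_blocked_answer() {
    out=$(cat)
    [ "$(printf '%s\n' "$out" | dig_status)" = "NXDOMAIN" ] && return 0
    printf '%s\n' "$out" | dig_answer_ips | grep -Fqx '0.0.0.0'
}

# Live check (needs dig and the network): resolve DOMAIN via RESOLVER and
# require a NOERROR answer with at least one A record from the expected server.
check_resolver() {
    out=$(dig "@$RESOLVER" "$1" +time=3 +tries=1) || return 1
    [ "$(printf '%s\n' "$out" | dig_status)" = "NOERROR" ] || return 1
    [ "$(printf '%s\n' "$out" | dig_server)" = "$RESOLVER:53" ] || return 1
    printf '%s\n' "$out" | dig_answer_ips | grep -q .
}

# Sample copied from the guide's Step 9 output, used for offline parsing.
SAMPLE_OK=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 946
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             10      IN      A       74.125.130.147

;; Query time: 0 msec
;; SERVER: 192.168.5.1#53(192.168.5.1)
EOF
)

# Constructed sample of a filtered answer in AdGuard Home's default mode.
SAMPLE_BLOCKED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
ads.example.            10      IN      A       0.0.0.0

;; SERVER: 192.168.5.1#53(192.168.5.1)
EOF
)
```

A practical smoke test after Step 8 is `check_resolver google.com` for a name that must resolve, followed by `dig @"$RESOLVER" <a domain from one of your filter lists> | is_blocked_answer` for a name that must not; if the second one returns a real address, AdGuard Home is answering but the filter you expect is not enabled.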
 
Messages: 485 | Location: Patna, Bihar | ISP: Airtel Xstream, Railwire, Siti, Airtel 4G, Jio 4G
@JB701 Yes. I had tried Zapret also. Its mode is nfqws. I installed it on OpenWRT. I am not sure how to run it after the installation, as it's not working automatically.
After installation, do I need to start any service or run anything? My router is still set up to use my VPS IP as DNS.
 
Messages: 468 | Location: Bolpur, WB | ISP: Alliance BB (AS23860)
I had AdGuard Home set up on my Oracle VPS. Strangely, DoT stopped working on each of my mobile phones. I thought maybe it was due to the Let's Encrypt root certificate expiration. So, I renewed the certificate but that didn't solve the problem. I installed AdGuard Home on a new VPS and flushed all iptables rules to make sure it was not interfering. DoH and plain DNS work fine. But DoT still doesn't work.
 
Messages: 468 | Location: Bolpur, WB | ISP: Alliance BB (AS23860)
Yes, telnet to port 853 is working fine.

Update:

Okay, so I tested again and it seems telnet over port 853 is working fine with IPv6. But it's not working with IPv4. I wonder what the issue is!!

Update 2:

Flushed iptables again and I can telnet on IPv4. But DoT is still down.
 
Messages: 468 | Location: Bolpur, WB | ISP: Alliance BB (AS23860)
Code:
AdGuardHo  758            root   14u  IPv6  28541      0t0  TCP *:80 (LISTEN)
AdGuardHo  758            root   25u  IPv6  36271      0t0  TCP *:443 (LISTEN)
AdGuardHo  758            root   29u  IPv6  36726      0t0  TCP *:53 (LISTEN)
AdGuardHo  758            root   30u  IPv6  36727      0t0  TCP *:853 (LISTEN)

Seems like it is.
 
Messages: 236 | Location: UP | ISP: BSNL Fiber 1277 & Airtel LTE Failover
I had adguard home set up on my oracle VPS. Strangely, DoT stopped working on each of my mobile phones. I thought maybe it was due to the let's encrypt root certificate expiration. So, I renewed the certificate but that didn't solve the problem. I installed adguard home on a new VPS and flushed all iptables rules to make sure it was not interfering. DoH and simple DNS work fine. But DoT still doesn't work.
Hey

This is happening because a root CA used by Let's Encrypt expired on 30th September. Android's DoT implementation doesn't trust the system/user trust store and uses its own thing.

To make sure Let's Encrypt certificates are widely compatible (pre-iOS 10, Android 7), they tried to cross-sign it with some other certificate and that backfired, and now it's broken.

The only way to resolve this right now is here: Android devices with DoT configured; interaction with new default chain

TL;DR: Regenerate the certificate with
Code:
--preferred-chain="ISRG Root X1"
 
Messages: 468 | Location: Bolpur, WB | ISP: Alliance BB (AS23860)
@ishanjain28

Thanks, that was my first hypothesis. So, I regenerated the certificate. But I have already been using the ISRG Root X1 root certificate. It shows up in Google Chrome when I open the adguard home web UI over HTTPS.
 
Messages: 236 | Location: UP | ISP: BSNL Fiber 1277 & Airtel LTE Failover
@royalroy

1. If you have an iOS device, have you tested with a DoT profile in iOS? Is it also broken in iOS?
2. Check the certificate chain using
Code:
openssl s_client -connect <endpoint>:853

Do you see
Code:
i:O = Digital Signature Trust Co., CN = DST Root CA X3
 
Messages: 468 | Location: Bolpur, WB | ISP: Alliance BB (AS23860)
So, I was facing an error similar to this:

Code:
certbot: error: unrecognized arguments: --preferred-chain ISRG Root X1

Followed the advice and removed the last certificate from fullchain.pem, but the issue is still there. I'll use a Namecheap certificate for now.

@ishanjain28:

Code:
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = domain.my
verify return:1
---
Certificate chain
 0 s:CN = domain.my
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
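The openssl s_client check suggested above is worth scripting, because the interesting fact is not "does TLS work" but "which chain does the DoT listener serve". As an added example (my own code, not from anyone in this thread), the functions below parse the "Certificate chain" block that s_client prints, count the certificates, and flag a chain that still ends in the expired DST Root CA X3 cross-sign. SAMPLE_SHORT is the two-certificate chain posted just above; SAMPLE_LONG is a constructed three-certificate chain of the kind that triggered the problem. The live report function also prints the leaf's validity dates, so an expired leaf is not mistaken for a chain issue, and sets SNI with -servername, which a name-based DoT listener needs. Note that older certbot releases do not know --preferred-chain and reject it exactly the way the "unrecognized arguments" error above shows, so the flag only helps on a recent certbot.

```shell
#!/bin/sh
# Added example, not part of the thread: run the openssl s_client check
# discussed above against a DoT endpoint and report whether the served chain
# still contains the expired "DST Root CA X3" cross-sign.
# SAMPLE_SHORT is the chain posted in the thread; SAMPLE_LONG is constructed.

# Print the issuer ("i:") of every certificate in the "Certificate chain"
# block that openssl s_client prints, one per line, leaf first.
chain_issuers() {
    awk '/^Certificate chain/ { in_chain = 1; next }
         /^---/               { in_chain = 0 }
         in_chain && $1 ~ /^i:/ { sub(/^[[:space:]]*i:/, ""); print }'
}

# Number of certificates the server sent.
chain_depth() {
    chain_issuers | awk 'END { print NR }'
}

# Return 0 if any certificate in the chain is issued by DST Root CA X3.
chain_has_dst_root() {
    chain_issuers | grep -q 'DST Root CA X3'
}

# Live check (needs openssl and the network): connect to HOST on the DoT
# port with SNI set, show the leaf's validity dates and classify the chain.
# Exit status: 0 = chain without DST cross-sign, 1 = DST present, 2 = no TLS.
dot_chain_report() {
    host="$1"
    out=$(openssl s_client -connect "$host:853" -servername "$host" -showcerts </dev/null 2>/dev/null) || return 2
    # x509 reads the first PEM block, which is the leaf certificate.
    printf '%s\n' "$out" | openssl x509 -noout -subject -dates
    printf 'chain depth: %s\n' "$(printf '%s\n' "$out" | chain_depth)"
    if printf '%s\n' "$out" | chain_has_dst_root; then
        echo "chain ends in DST Root CA X3 (expired cross-sign): reissue with --preferred-chain \"ISRG Root X1\""
        return 1
    fi
    echo "chain does not include DST Root CA X3"
}

# The chain posted in the thread (leaf -> R3 -> ISRG Root X1).
SAMPLE_SHORT=$(cat <<'EOF'
---
Certificate chain
 0 s:CN = domain.my
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
)

# Constructed: the same chain with the ISRG Root X1 cross-sign by DST Root CA X3 appended.
SAMPLE_LONG=$(cat <<'EOF'
---
Certificate chain
 0 s:CN = domain.my
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
)
```

Usage is `dot_chain_report dns.example.net` against your own DoT hostname; the exit status makes it usable from a monitoring job, so a renewal that silently switches back to the long chain is caught before phones start failing.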
 
Messages: 468 | Location: Bolpur, WB | ISP: Alliance BB (AS23860)
I used an SSL certificate from Namecheap (a Sectigo reseller) which I had received for free in the GitHub Student Developer Pack, and it is working just fine. The issue is definitely with Let's Encrypt certificates.