4 May 2022

Install AdGuard-Home on RaspberryPi

I’ve used Pi-Hole for longer than I can remember, so it’s time to test drive another solution, AdGuard Home, to see how it compares on my network.

To start, as the title suggests, you’ll need a RaspberryPi. While not required, I recommend starting with a fresh image of Raspberry Pi OS (formerly Raspbian) on it. The next thing you’ll want to do, which I won’t cover in this article, is give your RaspberryPi a static IP address and then enable SSH on it so that you can connect to it.

Install AdGuard Home

Before you get started make sure to update your RaspberryPi using these two commands. After that you will be ready to get started.

sudo apt-get -y update
sudo apt-get -y upgrade 

The easiest way to install AdGuard Home and get it ready to go is to copy and paste the command below and run it. It takes care of everything: downloading the right build for your RaspberryPi, installing it, and registering it as a service that starts on boot. Be aware that this pipes a script straight from the internet into sh and runs whatever it contains; if you would rather see what it does first, save the script to a file, read through it, and then run it.

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

After a few minutes the installation completes and you are ready to proceed. Towards the bottom of the install output there are a few lines listing the addresses the RaspberryPi is listening on, all on port 3000. Open your browser and go to the third entry, which should be the static IP address you gave your RaspberryPi before we started. Referencing the example in my image above, I would go to: http://192.168.1.2:3000. You should be greeted by a five-step getting started wizard.

Using my RaspberryPi 3, I prefer to use only the wired ethernet connection, and I usually go into the OS and disable the WiFi. So on this page I select my ‘eth0’ interface as the one AdGuard Home should listen on for DNS queries.

Create your username and a password.

Time to point your devices’ DNS at your “new” AdGuard Home.
This is when you should change the DNS server your router hands out to DHCP clients so that it points at your RaspberryPi’s IP address (on some routers that is a separate setting from the DNS the router itself uses upstream). Every device on your network that pulls a DHCP address from your router will then start using AdGuard Home, once its lease renews.

Note: This is also when I like to go back into my RaspberryPi’s NIC settings and statically point its DNS at its own IP address, since it can now resolve DNS itself.

The last step is to open the dashboard and login.

Dashboard

The dashboard is what you see as soon as you log into your AdGuard Home. It is where you get to see at a single glance the summary of all of the statistics it has collected. From the number of allowed and blocked DNS queries, to what the top queried and blocked domains are, you can even see which clients are being the “chattiest” and making the most DNS requests. Being the summary page, you can use it as the launchpad to click around and dive deeper into what the devices on your network are doing and who they are talking to.

The only other thing really worth mentioning on the dashboard is the “Disable Protection” button that is near the top of the page next to the ‘Dashboard’ title. If you ever need to troubleshoot an issue with one of the devices on your network, this is how you can easily disable all of the DNS blocking/filters that AdGuard Home is doing so that you can [hopefully] rule it out as the culprit.

Settings

Under ‘General Settings’ I like to enable the longest log and statistic retention. Being that this is for a home network, I’m not too concerned about anonymizing the client IP info.

Under the ‘DNS Settings’ I like to set my upstream DNS servers. I personally use Cisco’s OpenDNS. Here is a link to known DNS providers that you could choose from if you don’t want to use Cisco. I also have it run the requests in parallel for faster results. However, I tend to leave almost everything else set to its default values.

Examples you can set as your Upstream DNS Servers:

  • regular DNS (over UDP) –
    • 94.140.14.140
  • regular DNS (over TCP) –
    • tcp://94.140.14.140
  • encrypted DNS-over-TLS
    • tls://dns-unfiltered.adguard.com
  • encrypted DNS-over-HTTPS
    • https://dns-unfiltered.adguard.com/dns-query
  • encrypted DNS-over-QUIC (experimental) –
    • quic://dns-unfiltered.adguard.com:784
  • DNS Stamps for DNSCrypt or DNS-over-HTTPS resolvers –
    • sdns://...
  • an upstream for specific domains
    • [/example.local/]94.140.14.140
  • a comment –
    • #comment

One of the final ‘DNS Settings’ I like to apply is at the very bottom of the page. I want to limit the use of my DNS server to machines on my home network, so under “Allowed clients” I add my home network in CIDR notation.

I add “192.168.0.0/16”, which covers every address from 192.168.0.0 through 192.168.255.255. While not wrong, that is overkill for most home networks, which use a single subnet. Keep in mind that this list only controls which sources AdGuard Home will answer; it is no substitute for making sure your router is not forwarding port 53 from the internet to the RaspberryPi, since an open resolver will quickly be found and abused for amplification attacks.

So depending on your home network’s IP address space, you could probably choose to just use a /24 – so it would look more like 192.168.0.0/24. In this example, it would allow all the addresses from 192.168.0.0 thru 192.168.0.255. Again, match up that address space (ie the third octet) to what is in use on your network if you use the /24. If your home network uses a different

Filters

Filters are an easy way to quickly block or allow many popular sites and services. For example, if you have a hatred for social media, flipping a toggle in this menu cuts off every Facebook service on your network.

Note that this is not application (Layer 7) blocking; it simply blocks a list of known domains that are owned and/or used by the specific service or website.

The ‘Filters’ menu is also where you add or remove DNS blocklists. AdGuard Home comes with quite a few pre-defined lists that you can enable if desired. To get there, click on ‘Filters’, then ‘DNS blocklists’, then click ‘Add blocklist’ at the bottom of the page.

Next, you will click ‘Choose from the list’ to start adding the pre-defined blocklists. Alternatively, if you had a custom list you wanted to add, you could do so right here using the ‘Add a custom list’ button.

Here is where the magic happens. This is where you can select any or all of the pre-defined block lists. When you are done, click the save button.

Query Log

This page is a comprehensive log of everything AdGuard Home is doing. You can see which client on your network made which DNS query, filter to see which queries were processed or blocked, and see which upstream resolver answered a particular query. It’s not as snazzy or flashy as the graphs and top charts on the dashboard, but if you are looking for the dirty details of what’s going on, your answer is definitely going to be here in the query log.

AdGuard Home service – Start/Stop/Restart/Status

To control the AdGuard Home service and manage it from the command line of your RaspberryPi you can use the following commands.

sudo /opt/AdGuardHome/AdGuardHome -s status
sudo /opt/AdGuardHome/AdGuardHome -s start
sudo /opt/AdGuardHome/AdGuardHome -s stop
sudo /opt/AdGuardHome/AdGuardHome -s restart

Likewise, if you need to you could also uninstall or re-install the AGH service.

sudo /opt/AdGuardHome/AdGuardHome -s uninstall
sudo /opt/AdGuardHome/AdGuardHome -s install

Test if AdGuard Home is working

Your devices should now be pointing at AdGuard Home. To test that the ad-blocking is working you have a couple of options.

On a Windows machine open a command prompt and type this command (the same command works from a macOS or Linux terminal).

nslookup doubleclick.net

If AdGuard Home is working, the answer should be “0.0.0.0”. That is not a failed lookup: 0.0.0.0 is the sinkhole address AdGuard Home returns by default for a domain that is on a blocklist, in place of the domain’s real address, so the browser has nowhere to connect. nslookup also prints which server answered; that should be your RaspberryPi’s IP address. If it shows your router or your ISP’s resolver instead, the device is not using AdGuard Home yet.

The other way to test your new ad-blocking abilities is to go to a URL that checks how well ads are blocked. A quick Google search returned this site as one option: https://adblock-tester.com/ I’m sure you can find others…

What is AdGuard Home missing

  • No Layer 7 Application filtering capabilities

AdGuard Home has no packet inspection capability. Because it cannot see inside the traffic it cannot block or filter based on content or application; it relies entirely on DNS and the reputation of the domain name being looked up (it never sees the full URL). Instead of blocking the content itself, it blocks the IP address lookup for the requested domain. It is also only consulted for lookups that actually reach it: a device with a hard-coded DNS server, or an app that does its own DNS-over-HTTPS, bypasses it unless your router stops outbound DNS to anything but the RaspberryPi. If you need to block or filter content you will need to look into a Next-Gen Firewall or similar.

  • Blocking all Ads

AdGuard Home and Pi-Hole both suffer from the inability to block ALL ads. This is because sometimes the advertisements and the content you actually want come from the same domain. Since they come from the same place, blocking the domain would block the content too.

Some examples of a few sites that serve ads and content from the same domain name include:

  • YouTube
  • Twitter
  • Facebook
  • Instagram

18 May 2021

Home WiFi QR code

So I happened across an article the other day that described something I thought was kind of cool. It walked you through how to create a QR code so that visitors to your house (or business) can simply point their smartphone camera at it to join your guest WiFi network. Yes, it may be nerdy, but it’s still cool. Here’s how you can do it too!

The beauty of this solution is that scanning the QR code works from basically any iOS or Android device. However, since I only have Apple mobile devices, I can only show you how easy it is on an iPhone.

Make the QR code

Get the ‘shortcut’ by clicking this link: https://www.icloud.com/shortcuts/796cd8de4e344ac6a5b6495a8a2fa333
(shortcut originally created by Stephen Robles for AppleInsider).

It will open the ‘Shortcuts’ app on your phone and display all the steps that will happen when you run the shortcut. Since this is a third-party shortcut that is about to be handed your WiFi password, it is worth reading through those steps before adding it. Scroll all the way to the bottom of the screen and tap the red button labeled “Add Untrusted Shortcut”. It will now be added to your “My Shortcuts”.

At the bottom of your screen tap on “My Shortcuts”. Run the shortcut called “Generate Wi-Fi QR”.
It will prompt you for a Wi-Fi network/SSID name, and it asks if you want to use the Wi-Fi network you are connected to, or it will let you specify another network and type it in. The next step will prompt you to enter the Wi-Fi password.

Once you hit ‘Done’, it will generate a QR code for you. Tap the icon in the upper right corner to save the QR code as an image.

Display & Connect

You now have an image that looks like this…

Print the image out and post it on your wall at home (or work). Keep in mind that the QR code contains the network password in plain text, so anyone who can photograph it can join; that is why it suits a guest network rather than your main one.

When friends come over they can scan your QR code and connect seamlessly, without you ever having to do anything other than point a finger towards wherever you hung your QR code image.

2 December 2020

DNS Tools

Here are a few handy sites to help with DNS-related things…

IP Chicken – Check your IP address
WhatsMyIP – Another check your IP address

DuckDNS – free dynamic DNS service

DNS Traversal Checker – detailed DNS propagation
WhatsMyDNS – Check your DNS propagation
DNSmap – Another global DNS propagation tool

MXToolbox – “swiss army knife” of DNS Tools
DNSChecker – Another DNS “swiss army knife”
ViewDNS – Yet another DNS “swiss army knife”
Google’s Dig – DNS record lookup tool

Dmarcian SPF – SPF record tools
SPF Query Tool – more SPF record tools
DMARC Analyzer SPF checker – even more SPF record tools

SecurityTrails DNS history – View DNS history
CompleteDNS DNS history – Another DNS history site
DNSSpy DNS scan – Just another DNS history site

28 May 2020

UDM FaceTime Issues

I have a habit, for better or worse, of spending [possibly too much] time on Reddit. It’s so easy to get lost scrolling through articles and comments on just about every topic.

I’ve recently started to follow the r/Ubiquiti sub-reddit and this was something that I found there. Some people report having issues using Apple’s FaceTime over their UDM-based Unifi environment, whereas others seem to have no such issues. So take this suggestion for what it’s worth and use it if you need it…


Open your UDM’s controller in your browser.

Navigate to: Settings -> Wi-Fi -> Wi-Fi Networks -> Edit each of your network(s).

Scroll down to 802.11 RATE AND BEACON CONTROLS.

Set each network to use these settings:

  • Enable Override DTIM Period.
  • Set DTIM 2G Period to 3.
  • Set DTIM 5G Period to 3.
  • Save your changes.
  • Enable Auto Optimize Network.

Your iOS devices should now work and stay on the 5 GHz band.

26 May 2020

DuckDNS on UDM

Updated on 4/09/2022: There was a change in the way the DuckDNS settings get entered in the UDM.


I have set up my Ubiquiti Dream Machine (UDM) and I am loving it. I’m diving into all of the settings that I can configure on my home network and one of the first things I’m setting up is Dynamic DNS (DDNS). This will allow me to reach my device/network remotely, regardless of the IP address that it has been assigned by my ISP.

The UDM can work with lots of different DDNS providers to accomplish this. Some DDNS services are free, whereas many are paid services. A quick Google search will show you the various sites that offer DDNS. In this article I am only going to cover how to use DuckDNS, which is a free DDNS provider. Note: If you do use their service, I encourage you to support and donate to DuckDNS through any of the links at the bottom of their site.


Open your web browser and go to: https://www.duckdns.org/

Log into their site using your credentials from one of these sites: Twitter, GitHub, Reddit, or Google.

In the center of the page there is a spot to create a DuckDNS subdomain. This is where you will enter the unique name that you would like to use for your network, then click the green “add domain” button.

You will see your subdomain listed below.

In the upper part of the DuckDNS page, you should see a token listed.
Copy this token for later.

In your browser, open up your Unifi Controller.

On your controller go to “Settings” -> “Advanced Features” -> “Advanced Gateway Settings” -> “Dynamic DNS”

UDM Dynamic DNS

Click on the button to “Create New Dynamic DNS”.
Enter the following settings:

  • interface: WAN
  • service: dyndns
  • hostname: <YourSubdomain>
  • username: nouser
  • password: nopassword
  • server: www.duckdns.org/update?domains=%h&token=<YourDuckDNStoken>

–For hostname, it is just going to be the subdomain name you created on DuckDNS. This field will not include the ‘.duckdns.org’ part at the end.
–For server, replace <YourDuckDNStoken> with your own token from your DuckDNS page. Treat that token like a password: anyone who has it can repoint your subdomain to an address of their choosing, so don’t paste it into screenshots or forum posts.

Then click on “Done” button to save your settings.

UDM Dynamic DNS settings

26 May 2020

My Ubiquiti Network

Ubiquiti makes some interesting gear and they are quite well known for disrupting the status quo by offering top-notch network and wifi devices. Their gear ranges from prosumer to enterprise-grade. Depending on how far down the rabbit hole you go, it can become a bit of an expensive eco-system that you are buying into. On the plus side, if you ever decide to leave Ubiquiti, it shouldn’t be hard to resell the gear as they have a large community of followers.

I was leaving one job and starting another and decided that it was time to upgrade my home network to allow for some more diverse home-lab options. I decided to jump on the Ubiquiti bandwagon and set-up on their Unifi product line. Being new to Ubiquiti and Unifi I have a lot to learn!

I’m starting off my Unifi environment with a Ubiquiti Dream Machine (UDM), a Unifi 8-port POE switch (US-8-60W), and a Unifi AP (UAP-AC-Lite). I’m starting small. 😂 But who knows how large it’ll grow!


Here are some things I’ve set up in my Unifi environment….

21 May 2020

Enabling SSH on Cisco IOS

While telnet and SSH are both supported ways of connecting to Cisco gear, there is honestly no reason you should be using telnet in today’s world. You should be using SSH to access all of your network devices. In very simplistic terms [and while the technologies are different], you can almost think of telnet as the equivalent of HTTP and SSH as the equivalent of HTTPS.

Telnet transfers all data in clear plain text and thus your passwords or other credentials are visible to anyone watching. Using SSH, means that all of your data is encrypted between the device and your computer, so no one else can see your sensitive bits like passwords. Anything used in production should be secured, and thus SSH is the obvious preference. So lets look at how to enable SSH on our device. Once SSH is enabled we can then disable telnet.

Open a console or telnet session on your device to get started.

The first thing we need to do is make sure that the device is configured with a hostname and a domain name.

CiscoDevice# conf t
CiscoDevice(config)# hostname PWWF
PWWF(config)# ip domain-name it.playswellwithflavors.com

The next step is to enable AAA, which lets the user accounts configured locally on the switch be used for SSH or telnet logins.

PWWF(config)# aaa new-model

Next we generate the RSA key pair the device will use for SSH. Choose a modulus of at least 2048 bits when prompted; the default on older IOS releases is far too short to be considered secure today.

PWWF(config)# crypto key generate rsa

We then want to enable SSH version 2 on the device.

PWWF(config)# ip ssh version 2

We will next set the desired SSH authentication timeout (in seconds). This is the amount of time you have to enter the correct user credentials after connecting. The default value is 120 seconds.

PWWF(config)# ip ssh time-out 60

Then we can change the number of allowed SSH authentication retries that are allowed.

PWWF(config)# ip ssh authentication-retries 3

Next up is to configure the vty (virtual terminal) lines. On most platforms there are sixteen of them (0 to 15); if yours only has five, use ‘line vty 0 4’.
We will configure the following:

  • restrict the input transport to SSH only (this is what actually disables telnet)
  • use the local user database for logins
  • set a timeout for inactive sessions (in minutes)

There is no line password in this list: with ‘login local’ the line password is never consulted, and the user account itself is stored as a hashed secret (see the username command at the end of this article).

PWWF(config)# line vty 0 15
PWWF(config-line)# transport input ssh
PWWF(config-line)# login local
PWWF(config-line)# exec-timeout 10
PWWF(config-line)# exit
PWWF(config)# exit
PWWF#

The final step is to save our configuration changes with the following command.

PWWF# write

Now you can close your terminal session and connect to your device over SSH.


You can verify that SSH access is enabled on your device with the following command. If the version reported is 1.99 rather than 2.0, the device is still accepting SSH version 1 connections as well, which means the ‘ip ssh version 2’ command above did not take effect and should be re-checked.

PWWF# sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 60 secs; Authentication retries: 3

If you have not yet created user credentials, or if you wish to add a new user, here is the command.

In this example, the user name is “bob” and the password is “Aloha1234” (use something considerably stronger on a real device). The ‘secret’ keyword stores the password as a hash rather than in clear text in the configuration.

PWWF# conf t
PWWF(config)# username bob secret Aloha1234
16 May 2020

TEI_ASSIGNED

So I’ve had the unlucky experience of having to deal with the PRI connected to a T1 controller card on a Cisco 4321 Integrated Router that fails to come back up “online”, EVERY time the router gets power cycled.

Let me tell you… It is annoying! I don’t even want to try to tell you how many hours have been spent listening to hold music while getting in touch with the provider just to have them “run tests” from their side and say that the layer 1 connection is active, so it’s our problem, not theirs.

Basically, what has been happening is that after the router gets rebooted, the D-channel of the PRI gets locked up and doesn’t want to get in sync with the provider to allow inbound or outbound calls. Whenever we ran “show isdn status”, the layer 2 status would come back as “TEI_ASSIGNED” instead of the desired “MULTIPLE_FRAME_ESTABLISHED”. This PRI is connected to a MGCP gateway and in the end we basically either have to clear counters to reset the interface or rebind and rebuild the MGCP connection before it all comes back up.

Luckily, since we have been able to replicate the issue on every power cycle (whether or not it was intentional), and I kept notes which I’m about to share, we have also been able to repeat the same steps to bring it back “online”.

My disclaimer: This worked for me, in the particular environment I referenced above. I have not tested this in any other environment. YMMV. You copy me at your own risk, and I am not responsible for any changes/damages you cause to your environment. These are purely just my notes for the previously mentioned environment.

From the console run the following command.

4321#show isdn status

Reading the output from the above command, summarized, the desired states are:

  • Layer 1 status: Active
  • Layer 2 status: MULTIPLE_FRAME_ESTABLISHED

If layer 1 is “Active” then it means that the circuit with your provider should be good. If it is not showing as “Active”, then first check that the physical cable is connected and isn’t damaged. If it looks okay, then get on your cell phone and call your provider.

If layer 2 status is “MULTIPLE_FRAME_ESTABLISHED” then you shouldn’t be having problems. Try another test call to verify that everything is working now, then go home. LOL.

However, if you’re in a situation similar to me, then you can’t make any calls and your layer 2 status is showing as “TEI_ASSIGNED”. The first, and easiest, thing to try is to clear the counters. This resets the interface. You can then recheck to see if the layer 2 status has changed. You can use the following command to clear the counters and recheck the ISDN status.

4321#clear counters
4321#show isdn status

If that did not work and your layer 2 status is still “TEI_ASSIGNED” then the next step is to try to restart the T1 controller. Then recheck the ISDN status. Use the following commands to do so.

4321#clear controller t1 0/1/0
4321#conf t
4321(config)#controller t1 0/1/0
4321(config-controller)#shutdown
4321(config-controller)#no shutdown
4321(config-controller)#exit
4321(config)#exit
4321#show isdn status

Did that work for you? Hopefully it did. But if it did not work, then there is one more thing to try. Rebind the layer 3 to call manager and then teardown and rebuild the MGCP connection, and recheck the ISDN. Use the following commands to do so.

4321#conf t
4321(config)#interface serial 0/1/0:23
4321(config-if)#isdn bind-l3 ccm
4321(config-if)#no mgcp
WARNING: no mgcp: Teardown MGCP application may take a while to clean up resources
4321(config-if)#mgcp
4321(config-if)#exit
4321(config)#exit
4321#show isdn status

Okay, now the layer 2 status should be coming back as “MULTIPLE_FRAME_ESTABLISHED” after checking the ISDN status. If it does not, then you really should be beginning to open a TAC case with Cisco to figure out WTF is going on.

Hope this helps someone! Keeping these notes handy has definitely helped me, more than once. Also, FWIW, the one Cisco PDF that I did find somewhat helpful when troubleshooting this was: https://www.cisco.com/c/en/us/support/docs/wan/t1-e1-t3-e3/8131-T1-pri.pdf

9 April 2020

Remove PiVPN user/client



Removing a user/client is easy. Type the following command.

pivpn remove

You’ll be presented with a list of the clients you have created.
Enter the name of client you wish to remove and press “Enter”.

In my example below, I’m removing the user named “P-W-W-F”.

You’re all done! You have completed setting up a VPN and its endpoints, and you can manage your VPN users. Congratulations. We’re all done here!


If you’re still itching to do more on your RPi… consider taking a look at my articles on installing ZRAM or installing Fail2Ban.

9 April 2020

Creating a Split-tunnel user in PiVPN



Okay. So we’ve gone over creating users, and in doing so we created a user with a “full” VPN, which is the default configuration PiVPN applies when you add a user…. But how do we set up a user with a “split-tunnel” VPN, in which only traffic destined for your home network goes through your RPi?

What exactly is this “split-tunnel”? In a split-tunnel VPN, the endpoint device decides where to route its traffic based on the networks listed in its configuration. It routes traffic for your home network over the VPN, while sending everything else directly out to the Internet.

This split-tunneling is actually my ideal setup. It is also ideal if you just wish to use your Pi-Hole for DNS queries when you are not at home.

Because PiVPN makes things so easy, I currently just create two profiles for my devices. One full and one split-tunnel. However, I seem to be primarily using only the split-tunnel. So who knows… I’ll probably change this practice of mine in the future and just create the one profile, but for now I’m keeping both.

Okay. I’ve talked long enough about split-tunnels. How do we make this magic happen? Lets dive in…

We will add a user just as we did previously, then edit its configuration file to make it a split tunnel. To add your split-tunnel user, type the following command.

pivpn add

Then add the name of your split-tunnel user.
In my example, my user is named “P-W-W-F-split”

The next step is to open and edit the configuration file with the following command.

sudo nano /etc/wireguard/configs/P-W-W-F-split.conf

A full tunnel will have the line:

AllowedIPs = 0.0.0.0/0, ::0/0

That is the line we want to change. For a split tunnel, replace it with the subnet of your home network. This is the magic line that makes it a split tunnel.

AllowedIPs = 192.168.1.0/24


*Note: It’s been mentioned in the comments that for this split tunnel to work correctly, folks have also had to add the VPN network’s own range to the allowed networks for things to work as expected. The updated line is:

AllowedIPs = 10.6.0.0/24, 192.168.1.0/24

I’m not going to re-edit the images as I am no longer using this as my VPN solution. I only wanted to leave this note here for those following my tutorial so that they don’t become stuck.


The updated configs can be copied to your home config directory if you choose. This makes it easier if you are going to manually transfer a config file to a device, but I usually don’t, and just use the QR code mentioned in the next article. If you do copy them, keep the copies readable only by your user: each file holds the client’s private key.

To copy or backup your configuration files use the following command:

cp /etc/wireguard/configs/P-W-W-F.conf /home/pi/configs/P-W-W-F.conf
cp /etc/wireguard/configs/P-W-W-F-split.conf /home/pi/configs/P-W-W-F-split.conf


Next Article in this series: Part 6: Setup PiVPN Endpoint Device