[How To] Set up AdGuard Home on OPNsense

  • Published 29 Sep 2024

COMMENTS • 77

  • @0x2142
    @0x2142  1 year ago +10

    Just an update - OPNsense 23.1 released this week & includes some better reporting tools for the built-in UnboundDNS resolver: opnsense.org/opnsense-23-1-released/
    For some, this may be enough to prefer Unbound over AdGuard. Just up to your preference!

  • @koloblicin4599
    @koloblicin4599 1 year ago +21

    At first I thought 'wow, how could it take almost half an hour to explain how to do this', now I must say, this is probably the most valuably instructive video I've ever seen 🥺

    • @0x2142
      @0x2142  1 year ago +1

      Hello - and thank you so much for the comment! I feel like I struggle sometimes with thinking "oh this should be quick" - then wind up wanting to explain or give more examples, which extends the length of the video. It sometimes makes me worry that they end up too long for most people. I really appreciate your feedback 😊

    • @koloblicin4599
      @koloblicin4599 1 year ago

      @0x2142 I get that. It's definitely more work, but maybe it's worth separating content into two videos: a 5-8 min direct approach (e.g. add repo, install adguard; to get the views) and a separate video for the advanced stuff (ad lists, custom filters, separate DNS etc; for the viewers who want more). Just an idea though :)

  • @AlBunddy
    @AlBunddy 1 year ago +2

    Do you know if it is possible to still show the client IP address in AdGuard when using both Unbound and AdGuard? With the query forwarding, all traffic in AdGuard is coming from the interface IP. Is there a way to still forward the traffic but keep the client IP address?

    • @SergeantTrigger
      @SergeantTrigger 10 months ago +1

      Up for this. Still can't figure out a solution.

  • @takeover4726
    @takeover4726 1 year ago +5

    how would you get this to work with unbound dns over tls?

  • @TealGators
    @TealGators 1 year ago +3

    A missed opportunity, a nice little joke would have been when he clicked on block UA-cam, his video went to a black screen. Or a good way to have had to end the video. LOL

  • @Xploder270
    @Xploder270 1 year ago +4

    Use something other than 5353, as that is used for MDNS and needed if you want to relay mDNS across multiple networks.

  • @kchrist
    @kchrist 1 month ago

    set all of this up to discover in the end that if I have my amneziavpn (wireguard client with obfuscation) on, service blocks don't work:) prolly none of the other filtering too? haven't checked anything yet. just discovered:)

  • @dzmelinux7769
    @dzmelinux7769 3 months ago

    Just wondering if there is a way to use Adguard together with OPNSense while DNS over TLS in OPNSense?

  • @screege
    @screege 1 month ago

    For me it only works if the machine has auto dns, if I put manual dns in the machine for example google or other then the blocks go away, how can I make the opnsense machine dns authoritative thru the whole network

  • @datmansnow
    @datmansnow 3 months ago

    Once I selected my blocked services, I can still access these sites?? Is there a step I need to configure in Opnsense to block them? I followed along with everything that was mentioned in the step-by-step. But still can access the sites. Someone please help.

  • @Frank_The_Rock
    @Frank_The_Rock 10 months ago +1

    Did I miss something? All Adguard traffic is from my gateway IP (the Unbound, I guess). Is there a way to see where all the different traffic is coming from?

  • @emanbuoy7673
    @emanbuoy7673 1 year ago +1

    Thank you so much for this.. with this step will I be able to see all my opn sense clients in adguard instead of just open sense ip. I have pf sense currently and I have tried everything possible but it only shows my pf sense ip ad.. ty

  • @RyanFlores9
    @RyanFlores9 1 year ago +2

    If you're already on the console, you can just use `sudo service network-manager restart` instead to reconnect your NIC.

    • @vn_loc7316
      @vn_loc7316 6 months ago

      can't you also renew your IP? :)

  • @lifeassuch6128
    @lifeassuch6128 1 year ago +2

    Great great video! Thank you so much. Can you make a detailed video about Netmaker?

    • @0x2142
      @0x2142  1 year ago +1

      Hi there - Thanks for the suggestion! I've not heard of Netmaker before - but it looks like an awesome project! I'll see what I can do 👍

  • @BrunoVera
    @BrunoVera 5 months ago

    This video deserves more likes, thank you!

  • @Frozendown
    @Frozendown 1 year ago +2

    Thank you for this tutorial.

  • @cnkosm6536
    @cnkosm6536 5 months ago

    Thanks for this! I have a quick question/suggestion about the last section of your video:
    If you want to use Unbound together with AdGuard, then you must set Unbound's IP and port (192.168.1.1:53 in your example) in AdGuard > DNS Settings > Upstream DNS Servers.
    Also, in this case, you can leave blank the Services > DHCPv4 > [LAN] > DNS Servers field in OPNsense (15:11).
    Please correct me if I'm wrong...

  • @Einrich
    @Einrich 1 year ago +1

    I'd use NextDns (with adguard privacy list selected) with Unbound DNS over TLS instead - that way you do not need to play with unsupported plugins...

    • @Jorvs
      @Jorvs 1 year ago

      may I ask are this option done 1 device installed opnsense? no need for virtual machines? or extra devices?

  • @silverismoney
    @silverismoney 5 months ago

    awesome video. got this up and running on my home lan during my lunch break. but can you intercept doh ? because this works well and good until someone turns on secure dns via DoH or DoT. I'm wondering about how to deal with those scenarios. I presume you can't just redirect the request, because it's just https. can opnsense detect doh and redirect it ?

  • @JasonsLabVideos
    @JasonsLabVideos 1 year ago +2

    OH YEAH !!! Nice video !! Easy to follow too !

    • @0x2142
      @0x2142  1 year ago

      Thanks man!! Appreciate the enthusiasm 😁

  • @aidanbazan7769
    @aidanbazan7769 6 months ago

    Question from a semi noob, do I need AdGuard to listen on WAN if I’m using WireGuard to access my server remotely or does that still count as LAN?

  • @JuicedupGorilla
    @JuicedupGorilla 1 year ago

    Hi, Sorry my bad English. Could you please help me? My adguardhome service in opnsense suddenly stopped working after a firewall reboot because of energy cut off in my house.
    When I try to restart the service it keeps shutting down right away. I also tried reinstalling adguardhome to its default config and it works, but when I replace my config .yaml file, it stops working again. How could I verify what the problem is?

  • @vn_loc7316
    @vn_loc7316 6 months ago

    How to change the interface for Adguard without reinstalling Adguard?

  • @yomanyo13
    @yomanyo13 1 year ago

    I can't connect to the adguard port for some reason.
    The page isn’t redirecting properly
    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

  • @lithiumfrost4659
    @lithiumfrost4659 1 year ago +1

    Is there any real reason to use this over the built in Unbound service? Seems like Unbound supports everything you could want from AdGuard including blocklists, custom rules, DoT etc. Using Unbound also has the advantage of integrating with the DHCP server so you can get your static mappings into DNS for free.

    • @0x2142
      @0x2142  1 year ago +2

      Hi there! Yeah it mostly depends on what you are comfortable & the specific features you need. Most of these products can do the job these days. Unbound definitely supports a lot more advanced configuration options than AdGuard - but I think AdGuard is much easier for someone to use who might not understand all that stuff. AdGuard is real easy to set up & get going, and the reporting/dashboards are easier to use. That being said - It's just up to what works for your use case.

    • @MotionzMultimedia
      @MotionzMultimedia 1 year ago +1

      Honestly, it's better to just use unbound as backup via a configuration file becomes more difficult from my last experience.
      If the repo being used is third party, the configuration file might not be able to be used, it might load but you might run into issues.
      EDIT: Just adding, you would not be getting a nice dashboard with Unbound as far as I know.

    • @TismoGaming
      @TismoGaming 1 year ago

      Would It be wise to disable unbound if I choose to setup AdGuard instead?

  • @GH-ic4ll
    @GH-ic4ll 1 year ago +1

    Excellent tutorial. :)

  • @carlbaars1472
    @carlbaars1472 10 months ago +1

    great explanation

  • @nickquik
    @nickquik 5 months ago

    I got most of this installed but I can't seem to get it to block anything

  • @GregorMitchell
    @GregorMitchell 1 year ago

    Awesome Informative video, clear voice, easy to follow, thank you so much. I've had my OPNsense server for a couple of years and only now am I finding out how powerful it is, in fact I'm wondering based on this if I should setup a pihole docker container on my synology NAS docker and forward unbound to that. maybe, maybe not, this seems nice and easy to remember.

  • @JB3Duk
    @JB3Duk 1 year ago

    Hi, I set this up following your guide but after the initial setup on 3000, i cannot get to the web interface, this seems to make some sense as you show to configure it on the listen interface of the router but at port 80, this is surely the opnsense admin web interface so that is somewhat expected? I can't seem to uninstall and reinstall to reset the settings to try a different port now so seems to just be stuck running on a used port and not reachable to change

    • @0x2142
      @0x2142  1 year ago +2

      Hi there - you can still edit the port that the Web UI runs on, but you'll have to SSH into the OPNsense box & edit the configuration file manually.
      Check the video here: ua-cam.com/video/7RC7q5WOYC0/v-deo.htmlsi=8hM4cmDbo30RhId1&t=1248
      or written instructions on my blog here: 0x2142.com/how-to-set-up-adguard-on-opnsense/#how-do-i-change-the-interface-port-for-the-web-ui-or-dns

  • @freakyweirdo92
    @freakyweirdo92 10 months ago

    hi. i added unbound upstream but it doesn't seem to go through adguard

  • @VIPERRED229
    @VIPERRED229 1 year ago

    How does this compare to PI-Hole?

  • @capturedbyfabian
    @capturedbyfabian 1 year ago

    Make one for DNS over SSL!!

  • @SergeantTrigger
    @SergeantTrigger 10 months ago

    Works well as per the guide. Only problem I am encountering is, on AdGuardHome, only the IP address of the Opnsense DNS is showing in the logs, not by the individual IPs connected on the network. Is there any workaround on this? Thanks.

    • @ytmadpoo
      @ytmadpoo 9 months ago

      It sounds like you have Unbound forwarding the queries to AdGuard. In that case, as far as AdGuard knows, it's only the Unbound service (running on the same box) that's doing any queries. This video should have mentioned that configuring it this way will result in losing the ability to do custom unblocking per client, or logging per client activity in general, since all queries to AdGuard come from your OPNsense box itself.

    • @SergeantTrigger
      @SergeantTrigger 8 months ago

      @ytmadpoo found a solution in reddit. thanks,

  • @Tntdruid
    @Tntdruid 1 year ago +2

    Why not use Pi-Hole?

    • @0x2142
      @0x2142  1 year ago +3

      Hey there! Pi-hole is absolutely an option, just depends on what you want out of it. Both products do pretty much the same just in different ways & they both work great.
      For this video, I focused on AdGuard Home because it can be loaded directly on an OPNsense firewall - rather than needing to install it separately. This could be helpful for people who might already be running OPNsense, but not have additional compute to run Pi-Hole or AdGuard elsewhere.

    • @JasonsLabVideos
      @JasonsLabVideos 1 year ago +1

      Adguard has more features & Encrypted DNS too..

    • @Tntdruid
      @Tntdruid 1 year ago +1

      @JasonsLabVideos no need for that use Unbound.

    • @omid4861
      @omid4861 1 year ago

      Pi-Hole maybe can't handle my Gigabit Ethernet, and absolutely not the 5gig connection in my company

    • @JasonsLabVideos
      @JasonsLabVideos 1 year ago

      @omid4861 That's not a pi-hole issue, that's a resource issue.. Actually..

  • @onitramt77
    @onitramt77 1 year ago

    Thanks for the guide. I followed it leaving unbound enabled. AdGuard is working except the reporting only lists my OPNsense IP. It never shows which client made the request. Any ideas on why this is happening?

    • @0x2142
      @0x2142  1 year ago

      Hmm - Curious if the clients are on the same subnet? My only thought here is that perhaps the client address is hitting a NAT before reaching the AdGuard IP.

    • @onitramt77
      @onitramt77 1 year ago

      @0x2142 I have no idea how it would be hitting a NAT before AdGuard. It's a new OPNsense install and the only thing I added to it is AdGuard so far. Everything is on the same subnet and the computers I'm testing this with are connected with ethernet to an unmanaged switch that is connected directly to the OPNsense LAN port. It's been driving me crazy trying to get this working.

  • @franciscorestrepo1042
    @franciscorestrepo1042 1 year ago

    Can you tell me how to check if unbound is actually blocking?

    • @patrickFREE.
      @patrickFREE. 7 months ago

      log level 2 and show on the logs.

  • @the_giefster
    @the_giefster 1 year ago

    Great video! I currently have my Adguard setup on my TrueNAS. I wanted to get Adguard off my TrueNAS as it will be blasted away soon. I recently purchased one of the little firewall machines and have installed proxmox with OPNsense (PCIe passthrough for WAN interface) and an adguard container. I just tried this with my OPNsense and got Adguard installed on it. But when I updated Adguard it just sits there with the spinning icon. Even removing the service and installing it again, I have the same issue. So it looks like it is just not there yet.

    • @0x2142
      @0x2142  1 year ago +1

      Huh, that's odd. When I was recording this video - I went through the install/setup process a few times. Usually the upgrade was fairly quick, but I did have once or twice where it did spin for a while - though it always completed eventually!

    • @the_giefster
      @the_giefster 1 year ago +1

      @0x2142 Thanks. I managed to get it working. I had to blow away my opnsense install and try again. I must have hit a small bug somewhere.

  • @disrael2101
    @disrael2101 1 year ago

    How I get OPNsense is it a router brand like Cisco or

    • @0x2142
      @0x2142  1 year ago +1

      Hi there - OPNsense is an open source product that you can download here: opnsense.org/download/ . While they do have some hardware appliances that you can buy with OPNsense pre-installed, generally most people will buy their own hardware. In addition, you can also buy some level of business support from OPNsense, but there is also free community-based support via their forums, etc.
      If you're interested in looking at some hardware or what the install / setup process looks like, I posted a video that covers this: ua-cam.com/video/ppS6IhKSkfY/v-deo.html

  • @dimassyarif5112
    @dimassyarif5112 1 year ago

    I install opnsense on Oracle Virtual Box. Is it okay to install this plugin on that?

    • @0x2142
      @0x2142  1 year ago

      Haven't tried it myself, but it should work all the same!

    • @dimassyarif5112
      @dimassyarif5112 1 year ago

      @0x2142 thx for the answer, im ask to in your Website. If you don't mind, please answer that .. thank you very much🙏🏻🙏🏻

  • @Ruslan-UA
    @Ruslan-UA 6 months ago +1

    brilliant description. Thank you!

  • @fedefede843
    @fedefede843 8 months ago

    why you put unbound before the filter? It should be the other way around

  • @philexel3007
    @philexel3007 11 months ago

    Great Video. As a recent convert to OPNsense from pfsense, I was looking for a replacement to pfblockerNG. AdGuard seems to do the trick. I do have a couple of questions though. I have a similar problem to someone else who commented. I only see the IP of my OPNsense interface in the dashboard. I have multiple vlans/subnets and I have the DHCP servers all pointing to the IP of the OPNsense. I also created the Query forwarding entry as instructed near the end of the video. I am curious, do I need to the IP addresses of all the subnets in the bind section of the yaml file for it to recognize all of the IPs in the dashboard? My other question is the use of 5353. Another user commented that this is used for mDNS. I use Apple products and I know it needs to be able to use mDNS for AirPlay and bonjour. Should I be using a different port other than 5353? Thanks in advance for your help.

  • @an_birb
    @an_birb 1 year ago +2

    • @0x2142
      @0x2142  1 year ago +2

      Couldn't have said it better myself 🐔