AdGuard #15

Closed
tobiaskitsune opened this issue Feb 21, 2021 · 13 comments

@tobiaskitsune

I installed AdGuardHome on port 53 and disabled Unbound. All is running fine. But since this, about 50% of the services are not restarting after an OPNsense reboot. OPNsense is running 21.1.1.

@mimugmail
Owner

Can you plug a display and look for errors during reboot?

@tobiaskitsune
Author

I tested again. The stats of the running services is about 30 - 40 min after reboot.
Here are some errors from different logs. To me it all looks like timeout errors due to no connection or no name resolution.

```
2021-02-21T20:59:17 configd.py[98545] unable to sendback response [OK ] for [dyndns][reload][None] {6a079ad8-f781-4440-8591-d4ac780e153e}, message was Traceback (most recent call last):
  File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run
    self.connection.sendall(('%s\n' % result).encode())
BrokenPipeError: [Errno 32] Broken pipe
2021-02-21T20:41:58 opnsense[42917] /usr/local/etc/rc.newwanip: Curl error occurred: Resolving timed out after 15004 milliseconds
2021-02-21T19:54:17 opnsense[810] /usr/local/etc/rc.bootup: Curl error occurred: Resolving timed out after 15012 milliseconds
2021-02-21T19:53:44 /update_tables.py[90709] unable to resolve sls.update.microsoft.com for alias Windows_Update
2021-02-21T19:52:45 opnsense[810] /usr/local/etc/rc.bootup: The command '/usr/local/sbin/radvd -p /var/run/radvd.pid -C /var/etc/radvd.conf -m syslog' returned exit code '1', the output was '/var/etc/radvd.conf:14 error: syntax error'
2021-02-21T19:52:34 opnsense[810] /usr/local/etc/rc.bootup: The command '/usr/sbin/ngctl msg 'igb0': setautosrc 1' returned exit code '71', the output was 'ngctl: send msg: No such file or directory'
```

```
[21-Feb-2021 19:55:46 Asia/Tokyo] PHP Warning: Invalid argument supplied for foreach() in /usr/local/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc on line 838
```

```
2021/02/21 20:38:01 [warn] 66907#100320: "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/usr/local/etc/nginx/key/xxxxxxx.de.pem"
```

All services started directly by manual start except for these: I was not able to start nginx, to start letsencrypt and to restart dyndns. But I could not find helpful information in the log. Also login to the web interface and to ssh was delayed and timed out. But after about an additional 10 min the hanging services suddenly started and all is running smoothly. Doing a reboot again, the same happens again.

[Image: services]
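Added example (not part of the original thread or of either project's code): a short Python triage over a subset of the log lines quoted in the comment above, separating the entries caused by failed name resolution from those with another cause. The pattern list and the `triage`/`summarize` helpers are assumptions made for this illustration.

```python
import re

# A subset of the log lines posted in the comment above, copied verbatim.
SAMPLE_LOG = """\
2021-02-21T20:41:58 opnsense[42917] /usr/local/etc/rc.newwanip: Curl error occurred: Resolving timed out after 15004 milliseconds
2021-02-21T19:54:17 opnsense[810] /usr/local/etc/rc.bootup: Curl error occurred: Resolving timed out after 15012 milliseconds
2021-02-21T19:53:44 /update_tables.py[90709] unable to resolve sls.update.microsoft.com for alias Windows_Update
2021-02-21T19:52:45 opnsense[810] /usr/local/etc/rc.bootup: The command '/usr/local/sbin/radvd -p /var/run/radvd.pid -C /var/etc/radvd.conf -m syslog' returned exit code '1', the output was '/var/etc/radvd.conf:14 error: syntax error'
2021-02-21T19:52:34 opnsense[810] /usr/local/etc/rc.bootup: The command '/usr/sbin/ngctl msg 'igb0': setautosrc 1' returned exit code '71', the output was 'ngctl: send msg: No such file or directory'
2021/02/21 20:38:01 [warn] 66907#100320: "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/usr/local/etc/nginx/key/xxxxxxx.de.pem"
"""

# Assumed patterns: the three name-resolution failure messages seen in those lines.
DNS_FAILURES = [
    ("resolve-timeout", re.compile(r"Resolving timed out after (\d+) milliseconds")),
    ("unresolved-alias", re.compile(r"unable to resolve (\S+) for alias (\S+)")),
    ("ocsp-host-not-found", re.compile(r'host not found in OCSP responder "([^"]+)"')),
]
TIMESTAMP = re.compile(r"^\d{4}[-/]\d{2}[-/]\d{2}[T ](\d{2}:\d{2}:\d{2})")

def triage(log_text):
    """Split log lines into DNS-resolution failures and everything else."""
    dns, other = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts = TIMESTAMP.match(line)
        when = ts.group(1) if ts else "?"
        for kind, pattern in DNS_FAILURES:
            found = pattern.search(line)
            if found:
                dns.append((when, kind, found.groups()))
                break
        else:  # no DNS pattern matched: a failure with some other cause
            other.append((when, line))
    return dns, other

def summarize(log_text):
    """Count DNS failures per kind and the number of unrelated lines."""
    dns, other = triage(log_text)
    counts = {}
    for _when, kind, _details in dns:
        counts[kind] = counts.get(kind, 0) + 1
    return counts, len(other)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On these lines, four entries trace back to name resolution (two curl timeouts, the firewall alias `Windows_Update` left unresolved, and nginx ignoring OCSP stapling), while the radvd and ngctl errors have a different cause.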

@mimugmail
Owner

If you want to protect your internal clients you can set any external nameserver in System : Settings : General, this will fix it

@tobiaskitsune
Author

Thank you. It helped partially. The timeout errors are gone. But still the services did not come up automatically.

I will do some more testing the next days. Maybe it was not related to AdGuardHome. I cannot remember if I ever did a reboot since last OPNsense update.

I found some more errors. Nginx needs a long time to start. Is it possible that there is a binding issue for port 80 or 443 in combination with AdGuard? On purpose I use port 3000 for AdGuard and 4443 for the SSL port. No forwarding from http to https. But still.

But looks like my issue is more nginx related than AdGuard.

```
[21-Feb-2021 23:04:30 Asia/Tokyo] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 29364224 bytes) in /usr/local/opnsense/scripts/nginx/read_log.php on line 55
[21-Feb-2021 23:04:36 Asia/Tokyo] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 29364224 bytes) in /usr/local/opnsense/scripts/nginx/read_log.php on line 55
[21-Feb-2021 23:04:48 Asia/Tokyo] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 41943040 bytes) in /usr/local/opnsense/scripts/nginx/read_log.php on line 84
```

@tobiaskitsune
Author

I did some more testing.

When I disable AdGuardHome and enable Unbound again on port 53, reboot works fine. After 90 sec. my internet connection is up and I can get access to OPNsense via the web interface, using OPNsense itself as DNS for the host name. It takes a couple more minutes and 100% of all services are up. When I change back, disable Unbound and enable AdGuardHome again on port 53, it is hanging again and services will not come up even after 1 hour.

I do not yet know what is the root cause. It may not be AdGuard. But currently it is the "switch" to let the system run or not.

@mimugmail
Owner

Then just let it listen on port 5353 and add a port forwarding on LAN interface, with source LAN net and destination LAN address with port 53, portforward to localhost port 5353.
Your system will boot up as usual and internal clients get forwarded to AGH.

@tobiaskitsune
Author

OK. This is working. But seems to be not the clean way. It's more like a hack.

Both unbound and dnsmasq allow to specify the interface to bind to. Only in AdGuard it seems to be not yet implemented to bind to more specific interfaces. Either 0.0.0.0 or one specific, but not multiple. As soon as this is the case you could add the bind host feature to the configuration page.

@mimugmail
Owner

No, because AGH has its own UI for management and it would conquer with OPNsense, so there will only be an Enable checkbox. But you can jump to the AdGuard project on GitHub and ask for this feature over there?

@tobiaskitsune
Author

The topic "bind to multiple networks" I already found on GitHub #1401 AdguardTeam/AdGuardHome#1401

Me personally, I will be fine to edit the config file on OPNsense.

@mimugmail
Owner

Closing since upstream needs to work on this.

@meichthys

meichthys commented Jul 2, 2021

@mimugmail I'm noticing the same issue. For me, during startup OPNSense is trying to configure Dynamic DNS Clients:
[Screenshot: Screen Shot 2021-07-02 at 12 16 46 AM]
It seems to hang here since Dynamic DNS Clients require DNS which is currently being handled by AGH which isn't running yet - a bit of a catch 22. Is there a way to have OPNSense start AGH before trying to configure Dynamic DNS Clients?

@meichthys

To follow up on this, I was able to get around the catch 22 by providing a 'fall-back' dns server (1.1.1.1) in System > Settings > General. Now after reboots, OPNSense seems to use 1.1.1.1 as the upstream DNS server until AdGuardHome starts, after which everything seems to work as expected. 👍

@mimugmail
Owner

DNS in System : Settings : General is used by locally generated packets (like the process for dyndns). AGH is used by clients in your LAN, so this should be OK.
