[Guide] AdGuard Home + Unbound + DNSCrypt under OPNsense (Part 2)

Hello guys! For those of you that want MOOORE stuff to maintain, today I’m gonna show you how to spice up your AGH+Unbound setup with DNSCrypt.

Your new setup will look like: Client > OPNsense > AdGuard Home > Unbound > DNSCrypt > External Provider.

Maybe some day we will add NextDNS to the chain (Yes 4-5 or even more DNS servers sound very good, remember there is LANcache and more…)

Some parts of this guide come from: GitHub - trinib/AdGuard-WireGuard-Unbound-DNScrypt: Linux ultimate self-hosted network security guide ║ Linux 终极自托管网络安全指南 ║ Guía definitiva de seguridad de red autohospedada de Linux ║ लिनक्स परम स्व-होस्टेड नेटवर्क सुरक्षा गाइड ║ Окончательное руководство по безопасности собственной сети Linux

First things first, you need to do everything from this guide: https://forums.serverbuilds.net/t/guide-how-to-run-adguard-home-under-opnsense/

Let’s begin the journey!

1.1 Go to System: Firmware: Plugins
1.2 Install os-dnscrypt-proxy

So far so good…

Now I have chosen a CLI way to set up this plugin so that’s how I’m gonna show it.

2.1 Go to Services: DNSCrypt-Proxy: Configuration: General, tick “Enable DNSCrypt-Proxy”, click “Save” on the bottom, reload this page and “Stop” this service.
2.2 SSH to your OPNsense
2.3 Switch to root sudo su

2.4 Choose 8. Shell
2.5 Start editing dnscrypt-proxy.toml sudo nano /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml

This is code from my setup. Feel free to edit stuff for your liking. You can follow this example: Install DNScrypt proxy (DoH)(oDoH)(Anonymized DNS) · trinib/AdGuard-WireGuard-Unbound-DNScrypt Wiki · GitHub

# I'm using Quad9 Servers
server_names = ['quad9-doh-ip4-port5053-filter-ecs-pri','quad9-doh-ip6-port5053-filter-ecs-pri','quad9-dnscrypt-ip4-filter-pri','quad9-dnscrypt-ip6-filter-pri']

disabled_server_names = ['resolve']

# Now i'm using 53530 for Unbound so here I just set 53531
listen_addresses = ['','[::1]:53531']

max_clients = 250
ipv4_servers = true
ipv6_servers = true
dnscrypt_servers = false
doh_servers = true
require_dnssec = false
require_nolog = true
require_nofilter = false
force_tcp = false
timeout = 2500
keepalive = 30

log_level = 2
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
use_syslog = false

cert_refresh_delay = 240
dnscrypt_ephemeral_keys = false
tls_disable_session_tickets = false
fallback_resolver = ''
ignore_system_dns = true

netprobe_timeout = 30
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
# If you want to be sure you don't use IPv6 change this setting to "true"
block_ipv6 = false

forwarding_rules = 'forwarding-rules.txt'
cloaking_rules = 'cloaking-rules.txt'

# Just disable it... Why do you need more caching if you have Unbound?
cache = false

  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

  allowed_names_file = 'whitelist.txt'
  log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
  log_format = 'tsv'

  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Anonymized DNS relays

  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
  cache_file = 'relays.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

routes = [
    { server_name='odoh-cloudflare', via=['odohrelay-koki-ams', 'odohrelay-crypto-sx']}

### ODoH (Oblivious DoH) servers and relays ###
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-servers.md'
  refresh_delay = 72
  prefix = ''
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  cache_file = 'odoh-relays.md'
  refresh_delay = 72
  prefix = ''


Save the file. Now you can close the connection to your OPNsense CLI.

2.6 Go to Services: DNSCrypt-Proxy: Configuration: General and click “Start” on top.

WARNING!!! Don’t click Save on the bottom! This is going override your setup! (Probably)

Now we can jump to our Unbound and change some stuff:

3.1 Go to Services: Unbound DNS: General and change your Outgoing Network Interfaces to All or to those allowed to use Unbound
3.2 Go to Services: Unbound DNS: DNS over TLS and “Disable” your custom forwarding.
3.3 Go to Services: Unbound DNS: Query Forwarding and add 2 new entrys for DNSCrypt: (Remember to adjust your port if you have a different one set up in 2.5 step.

Server IP:
Server port: 53531 


Server IP: ::1
Server port: 53531

3.3 Save and reload.

Voila! You should have working DNSCrypt.
As an additional step, you should disable Cache on AdGuard Home, because your Unbound setup probably has this set up.

If you are not sure if it’s working, you can go to Services: DNSCrypt-Proxy: Log / General and here you will see something like " [NOTICE] dnscrypt-proxy is ready - live servers: 2 " (just remember to filter logs, to notice or Multiselect everything)
If you are still not sure, go to Services: DNSCrypt-Proxy: Log / Queries and here you will see all your queries.

If you have any problems you should visit serverbuilds discord! Link: serverbuilds.net
You can also PM me on Discord: Vrozaksen#1360