AdGuardHome
DHCP server does not work when running AdGuard with a non-privileged user
I found some tips to run AdGuard Home with a non-privileged user.
After installing it with
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sudo sh -s -- -v
I accessed the web interface, made all configurations and then
sudo chown -R admin:admin /opt/AdGuardHome /var/log/AdGuardHome*
followed by changing /etc/systemd/system/AdGuardHome.service to
[Unit]
Description=AdGuard Home: Network-level blocker
ConditionFileIsExecutable=/opt/AdGuardHome/AdGuardHome
After=syslog.target network-online.target
[Service]
User=admin
Group=admin
StartLimitInterval=5
StartLimitBurst=10
ExecStartPre=+/sbin/setcap CAP_NET_BIND_SERVICE=+eip /opt/AdGuardHome/AdGuardHome
ExecStart=/opt/AdGuardHome/AdGuardHome "-s" "run"
WorkingDirectory=/opt/AdGuardHome
StandardOutput=file:/var/log/AdGuardHome.out
StandardError=file:/var/log/AdGuardHome.err
Restart=always
RestartSec=10
EnvironmentFile=-/etc/sysconfig/AdGuardHome
[Install]
WantedBy=multi-user.target
Rebooted and everything works fine except the DHCP server. None of my devices can get an IP address.
I reverted to the original /etc/systemd/system/AdGuardHome.service because I need the DHCP server working.
Any ideas of what can be the problem?
admin@proxmox:/opt/AdGuardHome$ ll
total 35M
-rwxrwxrwx 1 admin admin 35M Jul 13 10:16 AdGuardHome
-rw-rw-rw- 1 admin admin 331 Jul 13 10:16 AdGuardHome.sig
-rw-r--r-- 1 root root 4.8K Jul 18 16:18 AdGuardHome.yaml
-rw-r--r-- 1 admin admin 44K Jul 13 10:16 CHANGELOG.md
drwxr-xr-x 3 admin admin 4.0K Jul 18 02:18 data
-rw-r--r-- 1 root root 1.3K Jul 18 16:36 leases.db
-rw-r--r-- 1 admin admin 35K Jul 13 10:16 LICENSE.txt
-rw-r--r-- 1 admin admin 23K Jul 13 10:16 README.md
admin@proxmox:/opt/AdGuardHome$
admin@proxmox:/opt/AdGuardHome$ ./AdGuardHome -v --version
AdGuard Home
Version: v0.107.8
Channel: release
Go version: go1.17.12
Commit time: 2022-07-13 09:24:17 -0300 -03
GOOS: linux
GOARCH: amd64
Race: false
admin@proxmox:/opt/AdGuardHome$
admin@proxmox:/opt/AdGuardHome$ neofetch
admin@proxmox
-------------
OS: Proxmox VE 7.2-7 x86_64
Host: Nitro AN515-51 V1.22
Kernel: 5.15.39-1-pve
Uptime: 7 hours, 20 mins
Packages: 697 (dpkg)
Shell: bash 5.1.4
Resolution: 1920x1080
Terminal: /dev/pts/0
CPU: Intel i7-7700HQ (8) @ 3.800GHz
GPU: NVIDIA GeForce GTX 1050 Ti Mobile
GPU: Intel HD Graphics 630
Memory: 1210MiB / 15886MiB
Apologies for the delay. Can you configure AdGuard Home to collect logs by setting verbose to true and inspect them for dhcp errors? Also, are you sure that no firewall is blocking ports 57 and 58?
Apologies for the delay.
No problem!
Can you configure AdGuard Home to collect logs by setting verbose to true and inspect them for dhcp errors?
Sure, will do this later.
Also, are you sure that no firewall is blocking ports 57 and 58?
I suppose not, because if it were the firewall, blocking would occur with either user, as AdGuard does not mess with the firewall.
Might be related (wild guess): #4728
I am reinstalling my Proxmox server.
At the moment DHCP server is running on my router but I will reinstall and activate DHCP on AdguardHome to try to get more info with the logs.
Obviously I will disable DHCP on my router to conduct the tests.
Just tried "Check for DHCP servers" and got "operation not permitted".
Nothing on log file.
admin@pve:~$ clear ; tail -f /tmp/aghlog.txt
2022/10/10 20:05:11.023657 795#47 [debug] started POST adguard.local:5353 /control/dhcp/find_active_dhcp
2022/10/10 20:05:11.024235 795#47 [debug] DHCPv6: Listening to udp6 [fe80::9a29:a6ff:fe46:31e]:546
2022/10/10 20:05:11.024617 795#47 [debug] github.com/AdguardTeam/AdGuardHome/internal/aghnet.tryConn6(): dhcpv6: waiting 3s for an answer
2022/10/10 20:05:14.024901 795#47 [debug] dhcpv6: didn't receive dhcp response
2022/10/10 20:05:14.025089 795#47 [debug] finished POST adguard.local:5353 /control/dhcp/find_active_dhcp in 3.001439429s
admin@pve:/opt/AdGuardHome$ cat AdGuardHome.yaml
bind_host: 0.0.0.0
bind_port: 5353
beta_bind_port: 0
users:
  - name: agh
    password: $2a...
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  statistics_interval: 1
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 2160h
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - https://dns10.quad9.net/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 0
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams: []
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: false
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 2
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: "/tmp/aghlog.txt"
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: true
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 14
admin@pve:/opt/AdGuardHome$ sudo cat /etc/systemd/system/AdGuardHome.service
[Unit]
Description=AdGuard Home: Network-level blocker
ConditionFileIsExecutable=/opt/AdGuardHome/AdGuardHome
After=syslog.target network-online.target
[Service]
User=admin
Group=admin
StartLimitInterval=5
StartLimitBurst=10
ExecStartPre=+/sbin/setcap CAP_NET_BIND_SERVICE=+eip /opt/AdGuardHome/AdGuardHome
ExecStart=/opt/AdGuardHome/AdGuardHome "-s" "run"
WorkingDirectory=/opt/AdGuardHome
StandardOutput=file:/var/log/AdGuardHome.out
StandardError=file:/var/log/AdGuardHome.err
Restart=always
RestartSec=10
EnvironmentFile=-/etc/sysconfig/AdGuardHome
[Install]
WantedBy=multi-user.target
Using AdGuardHome v0.107.16.
I'm not sure what could be the reason, sorry. It's most likely some setting in the system. I've added the help wanted label, so perhaps other people could chime in.
I'm not sure what could be the reason
Yes, I am curious about what can be the problem. I think that is not a firewall problem because the only variable is the user (root / not root) and this does not change firewall rules.
I suspect something about the ExecStartPre=+/sbin/setcap CAP_NET_BIND_SERVICE=+eip /opt/AdGuardHome/AdGuardHome.
I will also ask in Proxmox forum -> AdGuardHome running alongside Proxmox 7.2
You need CAP_NET_BIND_SERVICE for opening ports <1024 (DNS server, for example).
But DHCP additionally requires a raw socket (I'm unsure whether this is always the case or just specific to AGH). These require CAP_NET_RAW as capability (For more information on capabilities, check this page). So you'd need to add this capability to the AdGuardHome binary, as well.
But I want to add another thing: systemd allows setting capabilities within the [Service] section using AmbientCapabilities:
AmbientCapabilities=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_RAW
With these, I was able to resolve the problem. For me, the pointer was the MAC address in your screenshot, where you'd normally expect an IP address (due to it mentioning sockets).
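A check for the capability gap this answer describes, as an added example that is not part of the thread or of the AdGuard Home project: it decodes the CapEff mask from /proc/<pid>/status and lists which of the two capabilities the process lacks. The function names and the two status excerpts are constructed for illustration; the bit numbers are those defined in <linux/capability.h>.

```shell
#!/bin/sh
# Added example (not from the thread). Bit numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE=10   # bind ports below 1024
CAP_NET_RAW=13            # open raw/packet sockets (needed for DHCP per the answer above)

# has_cap MASK_HEX BIT: succeeds if BIT is set in the hexadecimal capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_from_status: reads /proc/<pid>/status text on stdin, prints the CapEff mask.
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2 }'
}

# missing_for_dhcp MASK_HEX: prints the required capabilities absent from the mask
# (space separated, empty when both are present).
missing_for_dhcp() {
    missing=""
    has_cap "$1" "$CAP_NET_BIND_SERVICE" || missing="$missing CAP_NET_BIND_SERVICE"
    has_cap "$1" "$CAP_NET_RAW" || missing="$missing CAP_NET_RAW"
    echo "${missing# }"
}

# check_pid PID: the same check against a live process.
check_pid() {
    missing_for_dhcp "$(cap_eff_from_status < "/proc/$1/status")"
}

# Constructed /proc/<pid>/status excerpts: a process holding only
# CAP_NET_BIND_SERVICE (as the setcap line in the question grants) and one
# holding both capabilities (as the two AmbientCapabilities lines grant).
before=$(printf 'Name:\tAdGuardHome\nCapEff:\t0000000000000400\n' | cap_eff_from_status)
after=$(printf 'Name:\tAdGuardHome\nCapEff:\t0000000000002400\n' | cap_eff_from_status)

echo "before: missing [$(missing_for_dhcp "$before")]"
echo "after:  missing [$(missing_for_dhcp "$after")]"
```

On a running host, `check_pid "$(pidof AdGuardHome)"` performs the same check against the service process after a restart.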