AdGuard Home requires ports 53 (DNS) and 80 (Web Interface), but OpenWrt’s core services (Dnsmasq and LuCI) already use them. Use the following steps via SSH to fix the conflicts.
1. Resolve Port 53 Conflict (DNS)
We move OpenWrt’s Dnsmasq server from port 53 to port 5353, allowing AGH to take the standard port 53.
Stop AGH: /etc/init.d/adguardhome stop
Move Dnsmasq to Port 5353 (execute these three lines):
uci set dnsmasq.@dnsmasq[0].port='5353'
uci commit dnsmasq
/etc/init.d/dnsmasq reload
Configure AGH DNS Port: During the AGH welcome screen setup, set its DNS server port to 53.
2. Resolve Port 80 Conflict (Web Interface)
Since port 80 is used by LuCI and your reverse proxy, we change the AGH dashboard port.
Configure AGH Web Port: During the AGH welcome screen setup, change the Web interface port from 80 to an available port like 8080 or 81.
Access: You will access the AGH dashboard via http://[OpenWrt_IP]:8080 (or the port you chose).
3. Finalize Traffic Redirection
Once AGH is set up and listening on port 53, point Dnsmasq (now on port 5353) at AGH as its upstream server, so that any DNS query still reaching Dnsmasq on the router is forwarded to AGH on port 53.
Add a Forward Rule and Restart Dnsmasq (execute these three lines):
uci set dnsmasq.@dnsmasq[0].server='127.0.0.1#53'
uci commit dnsmasq
/etc/init.d/dnsmasq restart
4. Verification
Check the AGH dashboard at your chosen port (e.g., http://[OpenWrt_IP]:8080).
This guide resolves issues encountered when installing the TP-Link TX21/Realtek RTL8125 driver on a Debian-based system (like Proxmox) that already has an older Realtek NIC using the built-in r8169 driver.
Prerequisites
Console Access: Since network connectivity will be interrupted, you must have physical access (keyboard/monitor) or IPMI/iDRAC/vPro access.
Latest Driver: Ensure you download the latest Linux driver tarball for the RTL8125 chip directly from the Realtek website to avoid compilation errors with newer kernels.
Kernel Headers & DKMS: Install the kernel headers, DKMS and build tools needed to compile the driver.
The installer (autorun.sh) will hang because the kernel’s default r8169 driver is actively in use by another NIC.
A. Identify and Disable the Conflicting Interface
Find the Physical Interface and Bridge: Use ip a to identify the active interface using the r8169 driver (e.g., enp6s0) and the corresponding Proxmox bridge (e.g., vmbr1).
Bring Down the Network: This will stop the driver’s process, allowing the installer to unload it.
ifdown vmbr1 # Bring down the bridge (crucial for Proxmox)
ip link set enp6s0 down # Bring down the physical interface
Manually Unload the Old Driver:
rmmod r8169
B. Run the Installation
Navigate to the new driver directory (e.g., cd r8125-9.011.00).
Execute the installer:
./autorun.sh
If successful, the script will compile the new r8125 module using DKMS and install it.
Reboot:
reboot
2. Resolve NIC Conflict (Missing Interfaces)
After installation, the new r8125 driver often aggressively claims both the new NIC and the older onboard NIC, leaving the older one unusable.
The solution is to bind the custom r8125 driver only to the new card, leaving the old card for the kernel’s r8169 driver.
A. Identify the New Card’s PCI Address
List PCI devices and find the new Realtek card: Look for the device actively using the r8125 driver and note its PCI address (e.g., 04:00.0).
lspci -nnk | grep -i realtek -A3
B. Create a Driver Binding Rule
Create the configuration file: This uses the install directive to tell the system to load r8125 but only bind it to the specified PCI address.
# REPLACE [NEW_CARD_PCI_ADDRESS] with your actual address (e.g., 04:00.0)
echo 'install r8125 /sbin/modprobe --ignore-install r8125; /usr/bin/echo "[NEW_CARD_PCI_ADDRESS]" > /sys/bus/pci/drivers/r8125/bind' > /etc/modprobe.d/r8125-bind.conf
Update Initramfs: This applies the new binding rule before the kernel loads drivers.
update-initramfs -u -k all
Then reboot.
3. Final Verification
After the final reboot, both network interfaces should be present and active:
Check all interfaces:
ip a
Verify drivers:
The new TX21 card should show driver: r8125.
The old onboard NIC (e.g., enp6s0) should show driver: r8169.
The core task was installing the correct drivers and firmware for your MediaTek MT7610U chipset (USB vendor:product ID 0b05:17d1).
Driver: Installed the kernel module responsible for the MT76x0 series USB chips:
opkg install kmod-mt76x0u
Firmware: Installed the required binary data for the chip to function (named for a similar chip in the family):
opkg install mt7601u-firmware
AP Management: Installed the daemon necessary to run a Wi-Fi Access Point and handle modern encryption:
opkg install hostapd-wolfssl
(Chosen for full WPA3 support with a lightweight security library.)
2. 🔒 Wireless Security (Encryption)
You selected the strongest security suitable for a simple, password-based AP.
Protocol Choice: WPA3-SAE (Simultaneous Authentication of Equals).
Reasoning:
Simplicity: Uses a passphrase, eliminating the need for a complex RADIUS server (which would be required by WPA3-EAP/Enterprise).
Security: Provides modern protection against offline dictionary attacks, which WPA2-PSK is vulnerable to.
3. 📶 Wireless Mode & Compatibility
You successfully configured the AP to run on the 2.4 GHz band while maintaining compatibility for legacy devices.
Band: 2.4 GHz (Chosen for better range and penetration for remote management).
Mode: N (802.11n).
Compatibility: Selecting N mode allows all modern 802.11n devices to connect, while simultaneously enabling 802.11g mode, ensuring your older 2.4 GHz-only client can connect successfully.
Channel Width: (Implicitly or explicitly set to) 20 MHz (HT20) for maximum stability and compatibility in the congested 2.4 GHz band.
Don’t trust password managers? Well, you can encrypt that txt file full of complicated passwords and give it a master password that hopefully only you know.
Encrypting a File with Explicit Cipher:
gpg --symmetric --cipher-algo AES256 file.txt
In this example, AES256 is used as the cipher algorithm, providing strong encryption.
To further enhance security, you can also add the --s2k-cipher-algo, --s2k-digest-algo, and --s2k-mode options for passphrase hashing. For example:
--cipher-algo AES256: Specifies the symmetric encryption algorithm (AES256 in this case).
--s2k-cipher-algo AES256: Specifies the cipher algorithm for the passphrase-to-key conversion.
--s2k-digest-algo SHA512: Specifies the hash algorithm used for passphrase-to-key conversion.
--s2k-mode 3: Iterated and salted passphrase-to-key conversion.
Remember, the goal is to balance security with usability. Stronger encryption and hashing algorithms may increase security but could also impact performance.
When decrypting, GPG will automatically use the appropriate algorithms based on the information stored in the encrypted file.
Feel free to adjust the options based on your security requirements, and always ensure that the recipients of the encrypted file can decrypt it with the chosen settings.
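What --s2k-mode 3 with --s2k-digest-algo SHA512 actually computes, as an added worked example (not from the original post): the OpenPGP iterated-and-salted string-to-key function of RFC 4880, which feeds salt||passphrase into the hash repeatedly until the coded byte count is consumed and takes the leading bytes as the AES256 key; the coded count is what makes every passphrase guess expensive. The passphrase in demo() is constructed, and the salt is random as gpg's would be.

```python
"""OpenPGP iterated-and-salted S2K (mode 3), RFC 4880 section 3.7.1.3.
Added illustration, not part of the original post; the passphrase and salt
used in demo() are constructed."""
import hashlib
import os

def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of bytes to hash.
    The largest value, 0xFF, means 65,011,712 bytes per passphrase guess."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, digest: str = "sha512") -> bytes:
    """Derive key_len bytes (32 for AES256) from passphrase and an 8-byte salt.

    salt||passphrase is hashed over and over until `count` bytes have gone
    through the hash (but never less than one full copy).  When the digest is
    shorter than key_len, extra hash contexts are run, context i preloaded
    with i zero bytes, and their outputs concatenated.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    data = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(data))
    out = b""
    ctx = 0
    while len(out) < key_len:
        h = hashlib.new(digest)
        h.update(b"\x00" * ctx)             # preload bytes do not count
        remaining = count
        while remaining > 0:
            chunk = data[:remaining]        # last chunk may be a partial copy
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        ctx += 1
    return out[:key_len]

def demo() -> tuple:
    """gpg draws a fresh random salt for every file; the passphrase is constructed."""
    salt = os.urandom(8)
    key = s2k_iterated_salted(b"correct horse battery staple", salt, 0xFF, 32)
    return salt, key
```

The decrypting side reads the mode, hash algorithm, salt and coded count back out of the file's S2K packet, which is why no options need to be repeated when decrypting.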
2. CCRYPT COMMAND
Another super easy method is to use ccrypt. It’s simple and fast, and if you forget the password there is no way to decrypt or crack open the file AFAIK.
Here is how, with some simple steps, I changed the metric of an internet connection in order to give priority to a USB dongle so it’s set as the default interface for internet traffic in my personal laptop. The laptop’s integrated wifi interface does not support 5 GHz connections, so every time I booted up the system I had to manually disconnect the integrated interface and reconnect it so its metric changed to a higher value:
First one needs to see the internet connections managed by the NetworkManager service in order to get the name of the internet connection we need to modify:
nmcli connection show
The list shows the 2 wifi connections I currently use. One is for General internet traffic and the other one to manage an openwrt device:
NAME UUID TYPE DEVICE
Connection_1 0711f8ae-049e-4e4f-8800-3cffc70b458f wifi wlp3s0
Connection_2 b2c7835e-69ac-4520-b401-f7120a456d65 wifi wlx3xvre3db545
To verify the current metric for both interfaces we use ip route:
default via 192.168.1.1 dev wlp3s0 proto dhcp src 192.168.1.111 metric 600
default via 192.168.5.1 dev wlx3xvre3db545 proto dhcp src 192.168.5.198 metric 601
As we can see the internet traffic has a default route through the slower wifi interface. We can change this by changing the metric:
Once the service is back up we verify the metric again:
default via 192.168.5.1 dev wlx3xvre3db545 proto dhcp src 192.168.3.198 metric 100
default via 192.168.1.1 dev wlp3s0 proto dhcp src 192.168.1.111 metric 602
Setup passwordless authentication with the servers you want to manage
This is useful if you want to automate processes via ssh without intervening by having to input the password to the remote server.
ssh-copy-id user@ip_address
Setup passwordless sudo commands
On the server you want to manage with Ansible, you have to allow the sudo user to execute commands without a password. Since in this example we want to automate the system’s update and upgrade, each time Ansible sends the order to run apt update (or another command with superuser privileges) the sudo password would be requested, demanding human interaction, and Ansible would not be able to complete the order on the remote server. There are two ways to do this. One is to type visudo on Debian to open the configuration file /etc/sudoers; the other is to create a new file inside /etc/sudoers.d/[name of your sudo user]. Once inside that file we need to add the following line:
# Allow admin user to run specific scripts and commands with superuser privileges
# without needing a password.
admin ALL=(ALL) NOPASSWD: ALL
If you want to be less permissive and only allow certain commands to be executed without a password these are the ones used in the playbooks in this example:
# Allow admin user to run specific scripts and commands with superuser privileges
# without needing a password.
Cmnd_Alias UPDATE_PKGS = /usr/bin/apt update, \
/usr/bin/apt upgrade, \
/usr/bin/apt dist-upgrade, \
/usr/bin/apt autoremove, \
/usr/bin/apt autoclean
admin ALL=(ALL) NOPASSWD: UPDATE_PKGS
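To see exactly what each NOPASSWD variant above grants, here is an added checker (not part of the original post) that joins sudoers backslash continuations, expands Cmnd_Alias entries and reports the effective passwordless commands for a user. The three snippets are constructed: the permissive rule, the restricted alias, and the same alias with a stray ", \" kept on its last entry, which silently swallows the user specification.

```python
"""Expand what a sudoers NOPASSWD rule grants a user.  Added illustration,
not part of the original post; the three snippets are constructed from the
page's two variants plus a trailing-backslash slip."""
import re

PERMISSIVE = "admin ALL=(ALL) NOPASSWD: ALL\n"

RESTRICTED = """\
Cmnd_Alias UPDATE_PKGS = /usr/bin/apt update, \\
    /usr/bin/apt upgrade, \\
    /usr/bin/apt dist-upgrade, \\
    /usr/bin/apt autoremove, \\
    /usr/bin/apt autoclean
admin ALL=(ALL) NOPASSWD: UPDATE_PKGS
"""

# Same rule, but the last alias entry keeps ", \": the continuation pulls the
# user specification into the alias and the intended grant disappears.
SWALLOWED = RESTRICTED.replace("autoclean\n", "autoclean, \\\n")

def join_continuations(text: str) -> list:
    """Join lines the way sudoers does: a trailing backslash continues the line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            buf += piece[:-1].rstrip() + " "
            continue
        lines.append((buf + piece).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines

def nopasswd_commands(sudoers: str, user: str) -> set:
    """Commands `user` may run via sudo without a password, aliases expanded."""
    aliases, granted = {}, set()
    for line in join_continuations(sudoers):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)", line)
        if m and m.group(1) == user:
            for item in (s.strip() for s in m.group(2).split(",")):
                granted.update(aliases.get(item, [item]))
    return granted

def lint(sudoers: str, user: str) -> list:
    """Findings a reviewer would raise before dropping the file into sudoers.d."""
    cmds, findings = nopasswd_commands(sudoers, user), []
    if not cmds:
        findings.append(f"{user}: no NOPASSWD grant found (check backslash continuations)")
    if "ALL" in cmds:
        findings.append(f"{user}: NOPASSWD: ALL is unrestricted passwordless root")
    findings += [f"{user}: command is not an absolute path: {c!r}"
                 for c in sorted(cmds) if c != "ALL" and not c.startswith("/")]
    return findings
```

Run visudo -cf on the real file as well; this checker only models the NOPASSWD subset of the grammar.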
Define where your ansible files are going to be placed
Given that this example will be tested on Proxmox, I will place them in /etc/ansible if it is not created by default. Furthermore, keeping the Ansible configuration directory on the main server ensures communication with all VMs running inside it unless the server itself is shut down.
Create an inventory file that includes your Proxmox VMs (or other servers you want to manage), for example /etc/ansible/hosts, and a playbook such as the following:
---
- name: Monthly Maintenance Tasks
  hosts: webservers
  become: yes
  tasks:
    - name: Upgrade all installed packages (standard)
      apt:
        upgrade: safe # Upgrades packages without removing any
    - name: Full upgrade of all installed packages (including system upgrades)
      apt:
        upgrade: dist # Allows removal of obsolete packages and installation of new dependencies
There are mainly two ways to get a Freedombox running. The first is to install Debian first and then the Freedombox package; the alternative is to download the Freedombox image built for your desired system.
1- Install Debian
Ideally you won’t need a desktop environment to run your debian with freedombox installed as all management tasks are done via its web interface.
Give sudo privileges to your user account. Change to root user:
su -
usermod -aG sudo user
Reboot your system for the changes to apply.
Configure power management
Disable automatic sleep/hibernate, otherwise your server might go to sleep in 20 minutes regardless of what you have chosen in your power management settings. The reason is that when your server reboots next time and you log in only remotely, the power settings default to the system-wide options. We don’t want that to happen when managing a remote server, especially if you also want a desktop environment. Let’s play safe and disable the relevant power management options:
Or, if you want to configure slapd and get your secret (a random string you have to use after installation in the Freedombox web installer):
sudo apt install freedombox
Open a web browser, go to the local IP address of your server and finish the installation. Enter the secret password provided during the installation, log in and start installing apps. It is recommended to start with WordPress to get your domain working with your new self-hosted home page.
Ensure the secondary SSD (if you have one installed) is configured to be auto-mounted with the same drive ID when your server reboots. Log in to Plinth and go to Cockpit –> Drives. This is where the backups are going to be stored. Change the options to enable auto-mounting and change the name of the permanent mount point to something easier, like /media/root/backup.
Log in to plinth
Setup automatic Backups before anything else.
Obtain an SSL certificate for your domain (if you bought one) or get a free domain at ddns.freedombox.org.
Log in to your DNS service provider and map your domain name to the public IP of your edge router. Use ‘curl ifconfig.me’ (Linux, or Windows with curl) or ‘Invoke-RestMethod ifconfig.me’ (Windows PowerShell) to find your public IP. Freedombox also provides a free domain of your choice, like yourdomain.fbx.one or domain.freedombox.rocks.
Go to System –> Configure. Remove your first domain and type the other one you have. Update the configuration. You should lose connection to the Freedombox site momentarily. Log back in with your private IP address and go to Configure –> Let’s Encrypt and click to obtain the certificate for your second domain. If your DNS records are set up correctly, both domain names should reach your Freedombox.
Go to System –> Let’s Encrypt and click “obtain” to get your certificate. Now you should go to your_domain instead of the IP address. If you have more subdomains, now is the time to get those certificates as well.
If you want to get your free domain: Go to system –> Dynamic DNS Client and complete the information required but first visit ddns.freedombox.org and create an account. The information to access that account will be necessary to configure your ddns settings.
Install Packages
Other necessary packages might be needed depending on the services your server will provide.
mariadb-server – Necessary to install other packages like wordpress. The installation will also configure phpmyadmin to manage the databases in the web browser.
php8.2 – Check for more updated available versions.
Go to https://freedombox.org/download/ and select the QEMU image to install it in a Proxmox virtual machine. In this example we’ll choose the qemu/kvm amd64 image. Copy the download link address to use it later.
Import qcow2 disk to VM
Overview: create a VM with the parameters you want. Its disk will be detached and deleted later, so you have to attach the qcow2 disk to it instead. Download the qcow2 image to your Proxmox host, then move the virtual disk to the location where the virtual disks for your VMs are stored. You have to assign the ID number of the VM of interest to the disk when doing the import. Proxmox will not be able to download the image with its own downloader into the default destination folder because it is compressed. Instead, open a shell on Proxmox, go to the following location, download it using wget and decompress it using [xz -d image_file.xz].
Default folder of downloaded iso images: /var/lib/vz/template/iso/
Now you are able to import the image to your VM (make sure your VM does not have any disks, to avoid confusion):
qm importdisk [vm id number] freedombox-bookworm_all-amd64.qcow2 local-lvm
Back in the Proxmox web UI, select the VM you just created, attach the disk in the Hardware section, then go to Options and make it bootable. After that you can turn on the VM and access its web interface to complete the setup process. Once finished it is ready to use and install apps.
To enhance compatibility with USB 3.0 mass storage devices on OpenWRT, you may need to install specific kernel modules and packages. Here are the general steps to maximize compatibility:
USB 3.0 support may require additional kernel modules. Install the appropriate package based on your hardware. For many systems, the kmod-usb3 package is relevant:
opkg install kmod-usb3
Install File System Support:
Ensure that your OpenWRT device supports the file systems commonly used by USB storage devices, such as vfat (FAT32) and ext4. Install the relevant file system packages:
opkg install kmod-fs-vfat kmod-fs-ext4
Install USB Utilities:
opkg install usbutils
Reboot Your OpenWRT Device:
reboot
Check for USB Device Recognition:
lsusb
With that you should be able to see the device in the list of connected USB devices.
Keep in mind that the package names and availability may vary based on the specific OpenWRT version and the hardware architecture of your device. Verify the compatibility of packages with your OpenWRT version and target hardware.
If you encounter issues or have specific hardware requirements, consider checking the OpenWRT forums or documentation for device-specific recommendations and community support.
List the interfaces on your system for proper identification. The ip command will inform the names and states of them.
ip a
Execute ethtool with the name of the interface that must be configured to wake on lan.
sudo ethtool [interface]
To enable WOL on an interface (non-persistent) type:
sudo ethtool -s [interface] wol g
To make a persistent change in the interface edit the /etc/network/interfaces.d/eth0 (or modify the global interface config file /etc/network/interfaces):
auto eth0
iface eth0 inet dhcp
ethernet-wol g
OR
auto eth0
iface eth0 inet dhcp
post-up ethtool -s [interface] wol g
Another way is to edit the main configuration file and add the following instruction at the end of the file:
post-up /usr/sbin/ethtool -s [interface] wol g
The post-up command will trigger the execution of the ethtool command on the selected interface after the interface has been initialized.
Using WireGuard on Debian involves several steps, including installing the WireGuard package, configuring the interface, and setting up the necessary keys. Here’s a basic guide to help you set up WireGuard on Debian using the command line:
Install WireGuard:
Update the package list and install wireguard:
sudo apt update
sudo apt install wireguard
Generate WireGuard Keys:
Generate a private and public key pair for the server:
wg genkey | sudo tee /etc/wireguard/privatekey-server | wg pubkey | sudo tee /etc/wireguard/publickey-server
Generate a private and public key pair for the client:
wg genkey | sudo tee /etc/wireguard/privatekey-client | wg pubkey | sudo tee /etc/wireguard/publickey-client
Confirm that your key files are readable only by root by checking their permissions (chmod 600).
Configure WireGuard Server:
Create a configuration file for the WireGuard interface (e.g., /etc/wireguard/wg0-server.conf) and edit it with your preferred text editor:
sudo nano /etc/wireguard/wg0-server.conf
Add the following configuration, replacing placeholders with your actual IP addresses, private keys, and port numbers:
[Interface]
Address = 10.0.0.1/24 # Server IP address
PrivateKey = SERVER_PRIVATE_KEY
ListenPort = 51820

[Peer]
PublicKey = CLIENT_A_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32 # Client A IP address
PersistentKeepalive = 25

[Peer]
PublicKey = CLIENT_B_PUBLIC_KEY
AllowedIPs = 10.0.0.3/32 # Client B IP address
PersistentKeepalive = 25
Replace SERVER_PRIVATE_KEY, CLIENT_A_PUBLIC_KEY and CLIENT_B_PUBLIC_KEY with the corresponding keys generated earlier.
Start the WireGuard Server Interface:
Start the WireGuard interface:
sudo wg-quick up wg0-server
Enable the interface to start on boot:
sudo systemctl enable wg-quick@wg0-server
Client Configuration:
Create a configuration file for the client (e.g., /etc/wireguard/wg0-client.conf):
[Interface]
Address = 10.0.0.2/32 # Client IP address (as assigned by the server)
PrivateKey = CLIENT_PRIVATE_KEY

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_PUBLIC_IP:51820 # A domain name can be set up here as well
AllowedIPs = 10.0.0.0/24 # Allow traffic for the assigned subnet
Replace CLIENT_PRIVATE_KEY, SERVER_PUBLIC_KEY, and SERVER_PUBLIC_IP with the corresponding keys and server’s public IP or domain name.
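Before running wg-quick up, it is worth checking the configuration for leftover placeholders and for the same AllowedIPs listed under two peers. The following is an added example (not part of the original post): a small parser for the wg-quick format shown above, plus checks for key shape and overlapping peer prefixes. The sample config and the keys it embeds are constructed; mk_key() is a hypothetical helper that only produces correctly shaped bytes, not usable keys.

```python
"""Sanity-check a wg-quick config before `wg-quick up`.  Added illustration,
not part of the original post; the sample config and its keys are constructed."""
import base64, binascii, ipaddress

def mk_key(seed: int) -> str:
    """Constructed 32-byte value in WireGuard's base64 form; NOT a real key."""
    return base64.b64encode(bytes((seed * 7 + i) % 256 for i in range(32))).decode()

SAMPLE = f"""[Interface]
Address = 10.0.0.1/24   # Server IP address
PrivateKey = {mk_key(1)}
[Peer]
PublicKey = {mk_key(2)}
AllowedIPs = 10.0.0.2/32   # Client A
[Peer]
PublicKey = {mk_key(3)}
AllowedIPs = 10.0.0.3/32   # Client B
"""

def parse_wg_config(text: str):
    """Return (interface dict, list of peer dicts); '#' starts a comment."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif cur is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            cur[k] = v
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return iface, peers

def valid_key(value: str) -> bool:
    """A WireGuard key is 32 bytes in base64; leftover placeholders fail this."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def check_wg_config(text: str) -> list:
    """Return the problems found; an empty list means the config looks sane."""
    problems, claimed = [], {}          # claimed: network -> peer number
    iface, peers = parse_wg_config(text)
    if not valid_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a base64 32-byte key")
    for n, peer in enumerate(peers, 1):
        if not valid_key(peer.get("PublicKey", "")):
            problems.append(f"peer {n}: PublicKey is not a base64 32-byte key")
        for cidr in peer.get("AllowedIPs", "").split(","):
            try:
                net = ipaddress.ip_network(cidr.strip(), strict=False)
            except ValueError:
                problems.append(f"peer {n}: bad AllowedIPs entry {cidr.strip()!r}")
                continue
            # wg accepts one prefix under two peers: the later peer silently takes
            # it over and the earlier peer stops receiving that traffic.
            for other, m in claimed.items():
                if net.overlaps(other):
                    problems.append(f"peer {n}: {net} overlaps peer {m}'s {other}")
            claimed[net] = n
    return problems
```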
Import the client configuration into the WireGuard client.
Start the WireGuard Client Interface:
Start the WireGuard interface:
sudo wg-quick up wg0-client
Enable the interface to start on boot:
sudo systemctl enable wg-quick@wg0-client
Notes:
Adjust firewall settings to allow traffic on the WireGuard port (default is 51820).
Adjust routing and forwarding if you want the server to act as a gateway.
Always consider security best practices, especially when handling private keys.
This is a basic setup, and you may need to customize it based on your specific requirements and network topology. Always refer to the official WireGuard documentation for comprehensive details and updates.