I had a poke around in the GL.iNet software to try and work out where the current behaviour of Adguard was implemented, which is that you must login to the router webui to access the Adguard interface.
This is problematic for a number of reasons, and a behaviour that many people have asked be changed.
As a new GL.iNet Marble owner I needed an easy way for others in the household to be able to toggle Adguard blocking on and off without requiring them to login to the router, especially as they all had an established "workflow" of clicking a browser bookmark and toggling it from my previous implementation of Adguard on a raspberry pi.
Examining the init routine so we understand how the current behaviour is implemented.
Examining the init routine, specifically the one relevant line, which can be output to the terminal with the following command.
cat /etc/init.d/adguardhome | grep command
Which outputs:
procd_set_param command /usr/bin/AdGuardHome --glinet --no-check-update -c /etc/AdGuardHome/config.yaml -w /etc/AdGuardHome -l syslog
I noticed a specific runtime flag --glinet
so I wondered what would happen if I removed it and found removing this does two things:
- It allows you to access the Adguard Home webui without logging into the GL.iNet device (and add optional username/password authentication - see further down)
- It breaks the router webui integration for Adguard home, so it's no longer possible to view the stats in the router webui.
Now that we understand how the current authorisation is implemented, we can now go about modifying the behaviour.
This can be done in the webui without resorting to ssh but has a few downsides.
- No backups are created of the modified file.
- So if you wish to revert the behaviour you will need to either restore firmware or resort to using ssh
- It's not possible to implement username/password protection of the Adguard webui as editing the relevant file is only possible via ssh
- A reboot is required to implement the change.
If you still wish to use this method then skip to the section titled Modifying the init routine via webui
Modifying the init routine via ssh and implementing username/password in Adguard Home
Connect via SSH
On a Linux machine this is possible with
ssh -o HostkeyAlgorithms=ssh-rsa root@router-ip
use your webui admin password to obtain access.
Of note, the model I have (Marble) only accepts the ssh-rsa
cipher so needs the -o HostkeyAlgorithms=ssh-rsa
, I don't know if this is true for other models.
I'm afraid I'm not a Windows or Mac user and don't own any Windows or Mac machines to test so you'll have to work out how to obtain a ssh connection from either of those before proceeding.
Create a backup of the files before modifying
cp /etc/AdGuardHome/config.yaml /etc/AdGuardHome/config.yaml.backup
cp /etc/init.d/adguardhome /etc/init.d/adguardhome.backup
Install necessary packages
We're going to install two packages
- Apache
- Nano
Apache is a webserver but it contains the binary htpasswd
which we need to create a hash of our password later to use in the Adguard config.
Nano is a text editor which is easier to use than the already installed vi, which is tricky to use if you're unfamiliar with it.
We're going to install these with
opkg update
opkg install apache nano
Implementing the changes without a reboot
Run the following commands to remove the --glinet
parameter from the init routine of Adguard and then restart the service.
sed -e "s/--glinet //g" /etc/init.d/adguardhome
service adguardhome restart
You should now be able to go directly to the Adguard webui by going to
http://router-ip:3000
Modifying the init routine so it's persistent across reboots
There's a file that's run at the end of the router boot process which can be used to customise things. We're going to edit that to remove --glinet
from /etc/init.d/adguardhome
on each reboot or firmware upgrade.
Edit the file with:
nano /etc/rc.local
& add the follow two lines
ABOVE exit 0
sed -e "s/--glinet //g" /etc/init.d/adguardhome
service adguardhome restart
Save this in nano by pressing ctrl
+x
then pressing y
Now at each boot the init file will be searched for the --glinet
parameter and removed if present, then the adguard service is restarted to ensure that the change is implemented.
Add username & password
First of all you need to generate a bcrypted hash of your desired password. The tool to do so is the Apache package which we installed earlier and this can be created with the following command, replacing USERNAME
and PASSWORD
with your desired values.
htpasswd -B -C 10 -n -b USERNAME PASSWORD
generates:
root@GL-B3000:~# htpasswd -B -C 10 -n -b USERNAME PASSWORD
USERNAME:$2y$10$hEhnJx8RtjmZXedwUCsxNek8cyjENlZZJA4IZPPYr3Ostnz4zBukS
Now we need to use this info in our AdguardHome config.yaml
file.
nano /etc/AdGuardHome/config.yaml
Replace this section
users: []
with
users:
- name: USERNAME
password: $2y$10$hEhnJx8RtjmZXedwUCsxNek8cyjENlZZJA4IZPPYr3Ostnz4zBukS
Remember yaml is indent sensitive so the spaces are VERY important.
Save the file by pressing ctrl
+x
and then pressing y
Now restart the service once again with
service adguardhome restart
Go to http://router-ip:3000
and you should be prompted to login
Remove Apache and it's dependencies
We no longer need Apache installed, so remove it and it's two dependencies.
opkg remove apache libaprutil libexpat
Modifying the init routine via webui
Warning
If using this method instead of ssh there are a number of downsides.
- No backups are created of the modified file.
- So if you wish to revert the behaviour you will need to either restore firmware or resort to using ssh
- It's not possible to implement username/password protection of the Adguard webui as editing the relevant file is only possible via ssh
- A reboot is required to implement the change.
Edit the /etc/rc.local
file in the luci webui by going to
http://router-ip/cgi-bin/luci/admin/system/startup
then- Clicking the tab marked "Local Startup"
Adding the following lines ABOVE exit 0
sed -e "s/--glinet //g" /etc/init.d/adguardhome
service adguardhome restart
Save this and then at each boot the init file will be searched for the --glinet
parameter and removed if present, then the adguard service is restarted to ensure that the change is implemented.
After a reboot you should now be able to go to http://ip-address:3000 and access the Adguardhome Webui.