
DHCP server does not work when running AdGuard with a non-privileged user #4760

peracchi opened this issue Jul 18, 2022 · 8 comments

@peracchi

I found some tips to run AdGuard Home with a non-privileged user.

After installing it with

curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sudo sh -s -- -v

I accessed the web interface, made all configurations and then

sudo chown -R admin:admin /opt/AdGuardHome /var/log/AdGuardHome*

followed by changing /etc/systemd/system/AdGuardHome.service to

[Unit]
Description=AdGuard Home: Network-level blocker
ConditionFileIsExecutable=/opt/AdGuardHome/AdGuardHome
After=syslog.target network-online.target

[Service]
User=admin
Group=admin
StartLimitInterval=5
StartLimitBurst=10
ExecStartPre=+/sbin/setcap CAP_NET_BIND_SERVICE=+eip /opt/AdGuardHome/AdGuardHome
ExecStart=/opt/AdGuardHome/AdGuardHome "-s" "run"

WorkingDirectory=/opt/AdGuardHome

StandardOutput=file:/var/log/AdGuardHome.out
StandardError=file:/var/log/AdGuardHome.err

Restart=always

RestartSec=10
EnvironmentFile=-/etc/sysconfig/AdGuardHome

[Install]
WantedBy=multi-user.target

Rebooted and everything works fine except the DHCP server. None of my devices can get an IP address.

I reverted to the original /etc/systemd/system/AdGuardHome.service because I need the DHCP server working.

Any ideas of what can be the problem?

admin@proxmox:/opt/AdGuardHome$ ll
total 35M
-rwxrwxrwx 1 admin admin  35M Jul 13 10:16 AdGuardHome
-rw-rw-rw- 1 admin admin  331 Jul 13 10:16 AdGuardHome.sig
-rw-r--r-- 1 root  root  4.8K Jul 18 16:18 AdGuardHome.yaml
-rw-r--r-- 1 admin admin  44K Jul 13 10:16 CHANGELOG.md
drwxr-xr-x 3 admin admin 4.0K Jul 18 02:18 data
-rw-r--r-- 1 root  root  1.3K Jul 18 16:36 leases.db
-rw-r--r-- 1 admin admin  35K Jul 13 10:16 LICENSE.txt
-rw-r--r-- 1 admin admin  23K Jul 13 10:16 README.md
admin@proxmox:/opt/AdGuardHome$
admin@proxmox:/opt/AdGuardHome$ ./AdGuardHome -v --version
AdGuard Home
Version: v0.107.8
Channel: release
Go version: go1.17.12
Commit time: 2022-07-13 09:24:17 -0300 -03
GOOS: linux
GOARCH: amd64
Race: false
Dependencies:
        github.com/AdguardTeam/dnsproxy@v0.43.1 (sum: h1:E777KfQAi+VurOoWEdGQ5iqjSOOAzzbTfLOEzj8heCs=)
        github.com/AdguardTeam/golibs@v0.10.8 (sum: h1:diU9gP9qG1qeLbAkzIwfUerpHSqzR6zaBgzvRMR/m6Q=)
        github.com/AdguardTeam/urlfilter@v0.16.0 (sum: h1:IO29m+ZyQuuOnPLTzHuXj35V1DZOp1Dcryl576P2syg=)
        github.com/NYTimes/gziphandler@v1.1.1 (sum: h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=)
        github.com/aead/chacha20@v0.0.0-20180709150244-8b13a72661da (sum: h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=)
        github.com/aead/poly1305@v0.0.0-20180717145839-3fee0db0b635 (sum: h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=)
        github.com/ameshkov/dnscrypt/v2@v2.2.3 (sum: h1:X9UP5AHtwp46Ji+sGFfF/1Is6OPI/SjxLqhKpx0P5UI=)
        github.com/ameshkov/dnsstamps@v1.0.3 (sum: h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1OYVo=)
        github.com/beefsack/go-rate@v0.0.0-20220214233405-116f4ca011a0 (sum: h1:0b2vaepXIfMsG++IsjHiI2p4bxALD1Y2nQKGMR5zDQM=)
        github.com/cheekybits/genny@v1.0.0 (sum: h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=)
        github.com/digineo/go-ipset/v2@v2.2.1 (sum: h1:k6skY+0fMqeUjjeWO/m5OuWPSZUAn7AucHMnQ1MX77g=)
        github.com/fsnotify/fsnotify@v1.5.4 (sum: h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=)
        github.com/go-ping/ping@v0.0.0-20211130115550-779d1e919534 (sum: h1:dhy9OQKGBh4zVXbjwbxxHjRxMJtLXj3zfgpBYQaR4Q4=)
        github.com/google/go-cmp@v0.5.7 (sum: h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o=)
        github.com/google/gopacket@v1.1.19 (sum: h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=)
        github.com/google/renameio@v1.0.1 (sum: h1:Lh/jXZmvZxb0BBeSY5VKEfidcbcbenKjZFzM/q0fSeU=)
        github.com/google/uuid@v1.3.0 (sum: h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=)
        github.com/insomniacslk/dhcp@v0.0.0-20220405050111-12fbdcb11b41 (sum: h1:Yg3n3AI7GoHnWt7dyjsLPU+TEuZfPAg0OdiA3MJUV6I=)
        github.com/josharian/native@v1.0.0 (sum: h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=)
        github.com/kardianos/service@v1.2.1 (sum: h1:AYndMsehS+ywIS6RB9KOlcXzteWUzxgMgBymJD7+BYk=)
        github.com/lucas-clemente/quic-go@v0.27.1 (sum: h1:sOw+4kFSVrdWOYmUjufQ9GBVPqZ+tu+jMtXxXNmRJyk=)
        github.com/marten-seemann/qtls-go1-17@v0.1.1 (sum: h1:DQjHPq+aOzUeh9/lixAGunn6rIOQyWChPSI4+hgW7jc=)
        github.com/mdlayher/ethernet@v0.0.0-20220221185849-529eae5b6118 (sum: h1:2oDp6OOhLxQ9JBoUuysVz9UZ9uI6oLUbvAZu0x8o+vE=)
        github.com/mdlayher/netlink@v1.6.0 (sum: h1:rOHX5yl7qnlpiVkFWoqccueppMtXzeziFjWAjLg6sz0=)
        github.com/mdlayher/raw@v0.0.0-20211126142749-4eae47f3d54b (sum: h1:MHcTarUMC4sFA7eiyR8IEJ6j2PgmgXR+B9X2IIMjh7A=)
        github.com/mdlayher/socket@v0.2.3 (sum: h1:XZA2X2TjdOwNoNPVPclRCURoX/hokBY8nkTmRZFEheM=)
        github.com/miekg/dns@v1.1.49 (sum: h1:qe0mQU3Z/XpFeE+AEBo2rqaS1IPBJ3anmqZ4XiZJVG8=)
        github.com/patrickmn/go-cache@v2.1.0+incompatible (sum: h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=)
        github.com/pkg/errors@v0.9.1 (sum: h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=)
        github.com/ti-mo/netfilter@v0.4.0 (sum: h1:rTN1nBYULDmMfDeBHZpKuNKX/bWEXQUhe02a/10orzg=)
        github.com/u-root/uio@v0.0.0-20220204230159-dac05f7d2cb4 (sum: h1:hl6sK6aFgTLISijk6xIzeqnPzQcsLqqvL6vEfTPinME=)
        go.etcd.io/bbolt@v1.3.6 (sum: h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=)
        golang.org/x/crypto@v0.0.0-20220411220226-7b82a4e95df4 (sum: h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA=)
        golang.org/x/net@v0.0.0-20220425223048-2871e0cb64e4 (sum: h1:HVyaeDAYux4pnY+D/SiwmLOR36ewZ4iGQIIrtnuCjFA=)
        golang.org/x/sync@v0.0.0-20210220032951-036812b2e83c (sum: h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=)
        golang.org/x/sys@v0.0.0-20220422013727-9388b58f7150 (sum: h1:xHms4gcpe1YE7A3yIllJXP16CMAGuqwO2lX1mTyyRRc=)
        golang.org/x/text@v0.3.7 (sum: h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=)
        gopkg.in/natefinch/lumberjack.v2@v2.0.0 (sum: h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=)
        gopkg.in/yaml.v2@v2.4.0 (sum: h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=)
        howett.net/plist@v1.0.0 (sum: h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=)
admin@proxmox:/opt/AdGuardHome$
admin@proxmox:/opt/AdGuardHome$ neofetch
admin@proxmox
OS: Proxmox VE 7.2-7 x86_64
Host: Nitro AN515-51 V1.22
Kernel: 5.15.39-1-pve
Uptime: 7 hours, 20 mins
Packages: 697 (dpkg)
Shell: bash 5.1.4
Resolution: 1920x1080
Terminal: /dev/pts/0
CPU: Intel i7-7700HQ (8) @ 3.800GHz
GPU: NVIDIA GeForce GTX 1050 Ti Mobile
GPU: Intel HD Graphics 630
Memory: 1210MiB / 15886MiB
ainar-g commented Jul 28, 2022

Apologies for the delay. Can you configure AdGuard Home to collect logs by setting verbose to true and inspect them for dhcp errors? Also, are you sure that no firewall is blocking ports 57 and 58?

@ainar-g ainar-g added the waiting for data Waiting for users to provide more data. label Jul 28, 2022
@peracchi (Author)

> Apologies for the delay.

No problem!

> Can you configure AdGuard Home to collect logs by setting verbose to true and inspect them for dhcp errors?

Sure, will do this later.

> Also, are you sure that no firewall is blocking ports 57 and 58?

I suppose not, because if it were the firewall, blocking would occur with either user, as AdGuard does not mess with the firewall.

yscialom commented Aug 2, 2022

Might be related (wild guess): #4728

@peracchi (Author)

I am reinstalling my Proxmox server.

At the moment DHCP server is running on my router but I will reinstall and activate DHCP on AdguardHome to try to get more info with the logs.

Obviously I will disable DHCP on my router to conduct the tests.

@peracchi (Author)

Just tried "Check for DHCP servers" and got "operation not permitted".

[screenshot: ksnip_20221010-202151]

Nothing in the log file.

admin@pve:~$ clear ; tail -f /tmp/aghlog.txt
2022/10/10 20:05:11.023657 795#47 [debug] started POST adguard.local:5353 /control/dhcp/find_active_dhcp
2022/10/10 20:05:11.024235 795#47 [debug] DHCPv6: Listening to udp6 [fe80::9a29:a6ff:fe46:31e]:546
2022/10/10 20:05:11.024617 795#47 [debug] github.com/AdguardTeam/AdGuardHome/internal/aghnet.tryConn6(): dhcpv6: waiting 3s for an answer
2022/10/10 20:05:14.024901 795#47 [debug] dhcpv6: didn't receive dhcp response
2022/10/10 20:05:14.025089 795#47 [debug] finished POST adguard.local:5353 /control/dhcp/find_active_dhcp in 3.001439429s
admin@pve:/opt/AdGuardHome$ cat AdGuardHome.yaml
bind_host: 0.0.0.0
bind_port: 5353
beta_bind_port: 0
users:
  - name: agh
    password: $2a...
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  statistics_interval: 1
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 2160h
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - https://dns10.quad9.net/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 0
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams: []
  serve_http3: false
  use_http3_upstreams: false
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: false
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 2
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log_file: "/tmp/aghlog.txt"
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_compress: false
log_localtime: false
verbose: true
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 14
admin@pve:/opt/AdGuardHome$ sudo cat /etc/systemd/system/AdGuardHome.service
[Unit]
Description=AdGuard Home: Network-level blocker
ConditionFileIsExecutable=/opt/AdGuardHome/AdGuardHome
After=syslog.target network-online.target

[Service]
User=admin
Group=admin
StartLimitInterval=5
StartLimitBurst=10
ExecStartPre=+/sbin/setcap CAP_NET_BIND_SERVICE=+eip /opt/AdGuardHome/AdGuardHome
ExecStart=/opt/AdGuardHome/AdGuardHome "-s" "run"

WorkingDirectory=/opt/AdGuardHome

StandardOutput=file:/var/log/AdGuardHome.out
StandardError=file:/var/log/AdGuardHome.err

Restart=always

RestartSec=10
EnvironmentFile=-/etc/sysconfig/AdGuardHome

[Install]
WantedBy=multi-user.target

Using AdGuardHome v0.107.16.

@ainar-g ainar-g added cannot reproduce help wanted and removed waiting for data Waiting for users to provide more data. labels Oct 11, 2022
ainar-g commented Oct 11, 2022

I'm not sure what could be the reason, sorry. It's most likely some setting in the system. I've added the help wanted label, so perhaps other people could chime in.


peracchi commented Oct 11, 2022

> I'm not sure what could be the reason

Yes, I am curious about what the problem can be. I think it is not a firewall problem because the only variable is the user (root / not root), and this does not change firewall rules.

I suspect something about the ExecStartPre=+/sbin/setcap CAP_NET_BIND_SERVICE=+eip /opt/AdGuardHome/AdGuardHome.

I will also ask in Proxmox forum -> AdGuardHome running alongside Proxmox 7.2

CRTified commented Jan 1, 2023

You need CAP_NET_BIND_SERVICE for opening ports <1024 (DNS server, for example).

But DHCP additionally requires a raw socket (I'm unsure whether this is always the case or just specific to AGH). These require CAP_NET_RAW as a capability (for more information on capabilities, check this page). So you'd need to add this capability to the AdGuardHome binary as well.

But I want to add another thing: systemd allows setting capabilities within the [Service] section using AmbientCapabilities:

AmbientCapabilities=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_RAW

With these, I was able to resolve the problem. For me, the pointer was the MAC address in your screenshot, where you'd normally expect an IP address (due to it mentioning sockets).
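The check that settles this kind of question is to read the effective capability set of the running process rather than guessing from the unit file. The script below is an added example, not code from this thread or from the AdGuard Home project: it decodes the CapEff hex mask that the kernel reports in /proc/<pid>/status and lists which of the two capabilities named in the comment above (CAP_NET_BIND_SERVICE and CAP_NET_RAW) are absent. The three sample masks are constructed for illustration, not captured from the reporter's host; the capability bit numbers come from <linux/capability.h>.

```shell
#!/bin/sh
# Added example, not from the issue thread or the AdGuard Home project.
# Decodes the CapEff bitmask from /proc/<pid>/status and reports which of
# the capabilities a DHCP-serving AdGuard Home needs are missing.

# Capability bit numbers from <linux/capability.h> (stable kernel ABI).
CAP_NET_BIND_SERVICE=10   # bind ports below 1024 (DNS on 53, DHCP on 67)
CAP_NET_RAW=13            # open AF_PACKET / raw sockets (DHCPv4 on a bare interface)

# has_cap HEXMASK CAPNUM -> exit status 0 if bit CAPNUM is set in the mask.
# HEXMASK is the bare hex string as printed by the kernel (no 0x prefix).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK -> prints the required capabilities absent from the
# mask, space-separated; empty output means both are present.
missing_caps() {
    out=""
    has_cap "$1" "$CAP_NET_BIND_SERVICE" || out="$out CAP_NET_BIND_SERVICE"
    has_cap "$1" "$CAP_NET_RAW" || out="$out CAP_NET_RAW"
    printf '%s\n' "${out# }"
}

# capeff_of_pid PID -> prints the CapEff mask of a live process.
# Real-world use: missing_caps "$(capeff_of_pid "$(pidof AdGuardHome)")"
capeff_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Constructed sample masks (not captured from the reporter's machine):
MASK_ROOT=000001ffffffffff          # a typical full set for a root process
MASK_BIND_ONLY=0000000000000400     # bit 10 only: what the unit's setcap line grants
MASK_BIND_AND_RAW=0000000000002400  # bits 10 and 13: what the two AmbientCapabilities lines grant

echo "root:      missing=[$(missing_caps "$MASK_ROOT")]"
echo "bind only: missing=[$(missing_caps "$MASK_BIND_ONLY")]"
echo "bind+raw:  missing=[$(missing_caps "$MASK_BIND_AND_RAW")]"
```

Run it against the live service with `missing_caps "$(capeff_of_pid "$(pidof AdGuardHome)")"` after a restart; a non-empty result means the process never received the capability, whichever mechanism the unit used. One reason to prefer AmbientCapabilities over the ExecStartPre setcap line in the unit above: the directory listing in the first post shows the binary as `-rwxrwxrwx` and owned by the service user, and the unit re-stamps file capabilities on it as root at every start, so anyone who can write that file gets a capability-bearing binary at the next restart. Ambient capabilities are granted to the process by systemd and nothing is written to the file.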
