Dnscrypt from opendns

Could someone please help me out? I tried it for several hours.
Well, I still think you have a timing issue: You need to find out when to do the job (wan-start seems too early to me). :eek:

I run my ntp-server.sh script in the post-mount user script. Why?
Simple: For dns-crypt (and host-ip) you need Entware! For Entware you need your USB thumb drive to be mounted first - ergo: post-mount is the one to use - just before the Entware start! :rolleyes:

This works for me like a charm! :)

ntp-server.sh:
Code:
#!/bin/sh
#
export TZ=$(cat /etc/TZ)
#
# Wait up to 15 seconds to make sure /opt partition is mounted
#
i=0
while [ $i -le 15 ]
do
    if [ -d /opt/tmp ]
    then
        break
    fi
  sleep 1
  i=`expr $i + 1`
  echo $i
done
#
# Now resolve DNS name for NTP server
ntp_name=$(nvram get ntp_server0)
grep "$ntp_name" /etc/hosts > /dev/null 2>&1 || \
for ip in $(/opt/bin/hostip $ntp_name)
do
    echo $ip $ntp_name >> /etc/hosts
done
#
# and restart NTP client to eliminate 4-5 mins delay
killall ntp && sleep 1
service restart_ntpc
 
This problem can be fixed with real-time clock inside the router.

1. Open the router and identify where the serial console port is.

2. Buy these pieces on eBay:
  • Arduino Nano
  • DS3231 real-time clock
  • Bi-directional TTL logic level shifter for interface between the router's 3.3V TTL serial console port and the Arduino Nano's 5V TTL serial port.
3. Write an Arduino sketch to wait for serial console port to receive this data, "Hit ENTER for console...". Now wait for 2 seconds, then send the Linux command over the serial console to set the current date/time from the real-time clock. Will it work?

4. Now whenever you reboot the router, the clock should get set very early in the Linux kernel boot process.

And you may still use NTP, if you wish.

Thanks for your answer.

Is this what was needed to get it work on your router, too?
Because the script seemed to work well for you.

I'm shocked that it's that complicated to get ntp working...

@joegreat:
It seemed to be possible without entware for some people, which is what I prefer. ;)
I want to use jffs instead of USB media.
 
Is this what was needed to get it work on your router, too?
I have two routers. One for home and another for travel. The way I just described is for my travel router. It uses the console port on the circuit board to automatically set the clock using an Arduino Nano. However, the router must be opened up, using a credit card, and the required components must be put in.

My home router uses a modified version of the Asuswrt-Merlin with a fixed GPS receiver to set the clock. That script you quoted is from a long time ago and it worked well at the time. However, I no longer use the ASUS NTP client. In fact, in my firmware modification, I have disabled it.

Joegreat is correct about the timing issue. I remember something about a 3-4 min delay with NTP if you do not restart dnsmasq.

Here's my last wan-start script before I switched to GPS time synchronization.

/jffs/scripts/wan-start
Code:
#!/bin/sh
/usr/bin/logger -t $(/usr/bin/basename $0) "custom script started [$$]"
finish()  {
  /usr/bin/logger -t $(/usr/bin/basename $0) "custom script ended [$$]"
}
trap finish EXIT

# cache some IP addresses for the NTP server
ntp_name="pool.ntp.org"
local_ntp_name="-$ntp_name"
hostip_cmd="/jffs/bin/hostip"
N=1
/bin/grep -q -F -e "$local_ntp_name" /jffs/configs/hosts.add > /dev/null 2>&1
if [ $? -ne 0 ]; then
  for ip in $($hostip_cmd $ntp_name) $($hostip_cmd 0.$ntp_name) $($hostip_cmd 1.$ntp_name) $($hostip_cmd 2.$ntp_name) $($hostip_cmd 3.$ntp_name) $($hostip_cmd $ntp_name) $($hostip_cmd 0.$ntp_name) $($hostip_cmd 1.$ntp_name) $($hostip_cmd 2.$ntp_name) $($hostip_cmd 3.$ntp_name) $($hostip_cmd $ntp_name) $($hostip_cmd 0.$ntp_name) $($hostip_cmd 1.$ntp_name) $($hostip_cmd 2.$ntp_name) $($hostip_cmd 3.$ntp_name)
  do
    /bin/grep -q -F -e "$ip" /jffs/configs/hosts.add > /dev/null 2>&1
    if [ $? -ne 0 ]; then
      /bin/echo "$ip $N$local_ntp_name" >> /jffs/configs/hosts.add
      let N++
    fi
  done
fi

# restart NTP client to eliminate 4-5 mins delay
/usr/bin/killall ntp
/bin/sleep 1
/sbin/service restart_dnsmasq
/sbin/service restart_ntpc
/bin/sleep 5

# start dnscrypt-proxy
/bin/pidof dnscrypt-proxy > /dev/null 2>&1
if [ $? -ne 0 ]; then
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65053 --ephemeral-keys --resolver-name=dnscrypt.me --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65054 --ephemeral-keys --resolver-name=cloudns-syd --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65055 --ephemeral-keys --resolver-name=dnscrypt.eu-dk --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65056 --ephemeral-keys --resolver-name=dnscrypt.org-fr --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65057 --ephemeral-keys --resolver-name=soltysiak --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
fi
 
Simple: For dns-crypt (and host-ip) you need Entware!
Not if you're using standalone binaries like bmn1 does (and I do).

My setup does indeed suffer from the several minutes delay using NTP like @ASAT mentions. Since I normally only reboot the router when I upgrade the firmware that's acceptable for me.
 
Thanks for your script, ASAT.

I tried it, but hosts.add is just an empty file it seems. There are no entries appended to the /etc/hosts file:
Code:
127.0.0.1 localhost.localdomain localhost
192.168.1.1 router.asus.com
192.168.1.1 www.asusnetwork.net
192.168.1.1 www.asusrouter.com
192.168.1.1 RT-AC68U-8FC8. RT-AC68U-8FC8

NTP is also starting too late (probably because the host entries are missing, how should it resolve?)
Code:
Aug  1 02:00:20 custom script: Running /jffs/scripts/wan-start (args: 0)
Aug  1 02:00:20 rc_service: udhcpc 533:notify_rc start_firewall
Aug  1 02:00:20 dnsmasq[442]: read /etc/hosts - 5 addresses
Aug  1 02:00:20 kernel: csw_retry 100
Aug  1 02:00:20 kernel: Initializing USB Mass Storage driver...
Aug  1 02:00:20 kernel: usbcore: registered new interface driver usb-storage
Aug  1 02:00:20 kernel: USB Mass Storage support registered.
Aug  1 02:00:20 wan: finish adding multi routes
Aug  1 02:00:20 rc_service: udhcpc 533:notify_rc stop_upnp
Aug  1 02:00:20 rc_service: waitting "start_firewall" via udhcpc ...
Aug  1 02:00:20 WAN Connection: WAN was restored.
Aug  1 02:00:20 start_nat_rules: apply the nat_rules(/tmp/nat_rules)!
Aug  1 02:00:20 kernel: Tuxera FAT 12/16/32 driver version 3015.1.29 [Flags: R/W MODULE].
Aug  1 02:00:20 kernel: Built against headers 2.6.36.4brcmarm #1 SMP PREEMPT Tue May 19 11:31:15 CST 2015 arm
Aug  1 02:00:20 kernel: Running on kernel 2.6.36.4brcmarm #2 SMP PREEMPT Thu Dec 24 14:06:13 EST 2015 armv7l
Aug  1 02:00:21 kernel: Tuxera NTFS driver 3015.1.29 [Flags: R/W MODULE].
Aug  1 02:00:21 kernel: Tuxera HFS+ driver 3014.7.28
Aug  1 02:00:21 kernel: xhci_hcd 0000:00:0c.0: xHCI Host Controller
Aug  1 02:00:21 kernel: xhci_hcd 0000:00:0c.0: new USB bus registered, assigned bus number 1
Aug  1 02:00:21 kernel: xhci_hcd 0000:00:0c.0: irq 112, io mem 0x18023000
Aug  1 02:00:21 kernel: xhci_hcd 0000:00:0c.0: Failed to enable MSI-X
Aug  1 02:00:21 kernel: xhci_hcd 0000:00:0c.0: failed to allocate MSI entry
Aug  1 02:00:21 kernel: usb usb1: No SuperSpeed endpoint companion for config 1  interface 0 altsetting 0 ep 129: using minimum values
Aug  1 02:00:21 kernel: hub 1-0:1.0: USB hub found
Aug  1 02:00:21 kernel: hub 1-0:1.0: 1 port detected
Aug  1 02:00:21 kernel: [xhci-hub] usb2mode:[0]
Aug  1 02:00:21 kernel: ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
Aug  1 02:00:21 kernel: ehci_hcd 0000:00:0b.1: EHCI Host Controller
Aug  1 02:00:21 kernel: ehci_hcd 0000:00:0b.1: new USB bus registered, assigned bus number 2
Aug  1 02:00:21 kernel: ehci_hcd 0000:00:0b.1: irq 111, io mem 0x18021000
Aug  1 02:00:21 kernel: ehci_hcd 0000:00:0b.1: USB 0.0 started, EHCI 1.00
Aug  1 02:00:21 kernel: hub 2-0:1.0: USB hub found
Aug  1 02:00:21 kernel: hub 2-0:1.0: 2 ports detected
Aug  1 02:00:21 kernel: ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
Aug  1 02:00:21 kernel: ohci_hcd 0000:00:0b.0: OHCI Host Controller
Aug  1 02:00:21 kernel: ohci_hcd 0000:00:0b.0: new USB bus registered, assigned bus number 3
Aug  1 02:00:21 kernel: ohci_hcd 0000:00:0b.0: irq 111, io mem 0x18022000
Aug  1 02:00:21 kernel: hub 3-0:1.0: USB hub found
Aug  1 02:00:21 kernel: hub 3-0:1.0: 2 ports detected
Aug  1 02:00:21 kernel: usbcore: registered new interface driver usblp
Aug  1 02:00:21 kernel: usbcore: registered new interface driver asix
Aug  1 02:00:21 kernel: usbcore: registered new interface driver cdc_ether
Aug  1 02:00:21 kernel: usbcore: registered new interface driver rndis_host
Aug  1 02:00:21 kernel: cdc_ncm: 14-Mar-2012
Aug  1 02:00:21 kernel: usbcore: registered new interface driver cdc_ncm
Aug  1 02:00:21 kernel: usbcore: registered new interface driver cdc_wdm
Aug  1 02:00:21 kernel: usbcore: registered new interface driver qmi_wwan
Aug  1 02:00:21 kernel: cdc_mbim: loaded
Aug  1 02:00:21 kernel: usbcore: registered new interface driver cdc_mbim
Aug  1 02:00:22 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan2_vlan2)!
Aug  1 02:00:25 kernel: nf_conntrack_rtsp v0.6.21 loading
Aug  1 02:00:25 kernel: nf_nat_rtsp v0.6.21 loading
Aug  1 02:00:25 rc_service: udhcpc 533:notify_rc start_upnp
Aug  1 02:00:25 rc_service: waitting "stop_upnp" via udhcpc ...
Aug  1 02:00:26 dhcp client: bound 109.192.212.178 via 109.192.212.1 during 3600 seconds.
Aug  1 02:00:27 ntp: start NTP update
 
I tried it, but hosts.add is just an empty file it seems. There are no entries appended to the /etc/hosts file
Here's a script that just outputs the NTP server addresses. And I fixed the wan-start so it kills and restarts the ntpc service.

/jffs/home/show-ntp-servers
Code:
#!/bin/sh
# cache some IP addresses for the NTP server
ntp_name="pool.ntp.org"
local_ntp_name="-$ntp_name"
hostip_cmd="/jffs/bin/hostip"
N=1

for ip in $($hostip_cmd $ntp_name) $($hostip_cmd 0.$ntp_name) $($hostip_cmd 1.$ntp_name) $($hostip_cmd 2.$ntp_name) $($hostip_cmd 3.$ntp_name) $($hostip_cmd $ntp_name) $($hostip_cmd 0.$ntp_name) $($hostip_cmd 1.$ntp_name) $($hostip_cmd 2.$ntp_name) $($hostip_cmd 3.$ntp_name) $($hostip_cmd $ntp_name) $($hostip_cmd 0.$ntp_name) $($hostip_cmd 1.$ntp_name) $($hostip_cmd 2.$ntp_name) $($hostip_cmd 3.$ntp_name)
do
  /bin/echo "$ip $N$local_ntp_name"
  let N++
done

 
Looking for thoughts / already-solved items / caveats...
I'm looking to set up 2 sets of dnscrypt configurations such that 'parental controls' can be applied for one set of machines (MAC identified like the standard GUI allows) and the rest of the machines flow through another dnscrypt set.... and have the DNS requests cached as well.

Setup:
  • All other machines
    • standard dnsmasq => dnscrypt (unfiltered list)
  • Child machines
    • dnsmasq purely for cache => dnscrypt (opendns-familyshield)
    • IPTables rule forcing all DNS requests (port 53 requests) to point to the familyshield-based dnsmasq
It would be nice to have the standard dnsmasq be able to be consulted for the DHCP lease-based hostname lookup (as it would still be managing DHCP on the router) but nothing else... but not a huge deal as the /etc/hosts and /etc/hosts.dnsmasq entries are sufficient for local lookup

Perhaps there is a different DNS caching mechanism that could resolve to different dnscrypt servers based on source IP / mac and always resolve entries w/o domainname (purely hostname) using dnsmasq?
 
Well, I still can't get it to work. Even with your updated scripts, ASAT.

The script is not writing any hosts.add entries, that seems to be the problem.
I guess it's because the nameservers get set to 127.0.0.1 and nothing can be resolved.

So I tried to copy all your hosts.add entries to my hosts.add manually, the resolving should be working then.
The entries indeed are appended to my /etc/hosts file, but there's still no update. I get the following error:
* Reminder: The system time has not been synchronized with an NTP server.

That's what I did:
1. Updating the Asus RT-AC68U through firmware restoration mode, cleared the NVRAM and installed the latest Asuswrt Merlin Firmware 380.57
2. Checking to format the JFFS partition on the next boot, allow scripts and SSH
3. Created a folder /jffs/bin and added the compiled dnscrypt-proxy, hostip and dnscrypt-resolvers.csv from lancethepants
4. Creating a file /jffs/config/dnsmasq.conf.add with following entries:
Code:
no-resolv
server=127.0.0.1#65053
server=127.0.0.1#65054
Those lines are correctly appended to /etc/dnsmasq.conf
5. Creating a file /jffs/config/hosts.add with touch, this file is empty (also tried it without this file) - None of the scripts above write anything into it.
6. Creating a file /jffs/scripts/wan-start and tried several of your scripts, for sure I made this file executable.
7. Set "Connect to DNS server automatically" to "no" and clear both lines.
8. Restart the router

The wan-start script gets executed on boot, but NTP resolving is not working. No matter if I add those files manually to the hosts.add or to the hosts file directly.

Does someone have a clue what's wrong here? I'm trying to get this working for days and just can't.
Tried all your scripts, nothing works. I'm really embarrassed.

Edit: To everyone saying I should try Entware, that's what I did before and it was the same result.
Would like to get this done without Entware, because this is my only use case.

Edit 2: Is it needed to clear the NTP-server entry at the webui?
Edit 3: Tried it, didn't help.
 
add the ip of NTP-server to the webui to avoid :
* Reminder: The system time has not been synchronized with an NTP server.
Dnscrypt won't work until the * Reminder: is gone.
 
Well, I still can't get it to work. Even with your updated scripts, ASAT.
OK, here's a different way. I have no way to test it because the ASUS NTP client is removed in my firmware.

This technique separates NTP clock synchronization from the DNS lookup of the NTP server name. It stores the IP addresses of the NTP servers in a file. Every 10 days it will refresh the IP addresses. However, you must call the ntp-cache script to initially create the file, and then periodically to update it. There is a sample file of IP address below, for testing purposes.

/jffs/scripts/wan-start
Code:
#!/bin/sh
/usr/bin/logger -t $(/usr/bin/basename $0) "custom script started [$$]"
finish()  {
  /usr/bin/logger -t $(/usr/bin/basename $0) "custom script ended [$$]"
}
trap finish EXIT

export TZ=$(cat /etc/TZ)

# synchronize the router clock with an Internet time source
source /jffs/home/ntp-sync

# start dnscrypt-proxy
/bin/pidof dnscrypt-proxy > /dev/null 2>&1
if [ $? -ne 0 ]; then
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65053 --ephemeral-keys --resolver-name=dnscrypt.me --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65054 --ephemeral-keys --resolver-name=cloudns-syd --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65055 --ephemeral-keys --resolver-name=dnscrypt.eu-dk --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65056 --ephemeral-keys --resolver-name=dnscrypt.org-fr --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
  /jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65057 --ephemeral-keys --resolver-name=soltysiak --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
fi


/jffs/home/ntp-sync
Code:
#!/bin/sh
# synchronize the router clock with an Internet time source
NTP_CACHE_FILE="/jffs/home/ntp-ip-cache.txt"

source /jffs/home/ntp-cache

if [ -f "${NTP_CACHE_FILE}" ]; then
  while [ "$(/usr/sbin/nvram get ntp_ready)" != "1" ]; do
    while read IP; do
      /usr/sbin/nvram set ntp_server0=${IP}
      /usr/sbin/nvram set ntp_server1=${IP}
      /usr/sbin/nvram unset ntp_server_tried
      /usr/bin/killall ntp; /bin/sleep 1; /sbin/service restart_ntpc; /bin/sleep 5
      [ "$(/usr/sbin/nvram get ntp_ready)" == "1" ] && break;
    done < "${NTP_CACHE_FILE}"
  done
fi


/jffs/home/ntp-cache
Code:
#!/bin/sh
# Call this script to accumulate IP addresses of NTP servers in the background, whenever DNS is available.
NTP_NAME="pool.ntp.org"
NTP_CACHE_FILE="/jffs/home/ntp-ip-cache.txt"
NTP_CACHE_FILE_TMP="/tmp/ntp-ip-cache.txt"
HOSTIP_CMD="/jffs/bin/hostip"
UPDATE_CMD="/jffs/home/file-cache"
CACHE_LIFETIME="10d"   # cache lifetime is 10 days

# update cache with some more IP addresses of Internet NTP servers
N=0
for IP in $($HOSTIP_CMD $NTP_NAME) $($HOSTIP_CMD 0.$NTP_NAME) $($HOSTIP_CMD 1.$NTP_NAME) $($HOSTIP_CMD 2.$NTP_NAME) $($HOSTIP_CMD 3.$NTP_NAME) $($HOSTIP_CMD $NTP_NAME) $($HOSTIP_CMD 0.$NTP_NAME) $($HOSTIP_CMD 1.$NTP_NAME) $($HOSTIP_CMD 2.$NTP_NAME) $($HOSTIP_CMD 3.$NTP_NAME) $($HOSTIP_CMD $NTP_NAME) $($HOSTIP_CMD 0.$NTP_NAME) $($HOSTIP_CMD 1.$NTP_NAME) $($HOSTIP_CMD 2.$NTP_NAME) $($HOSTIP_CMD 3.$NTP_NAME)
do
  /bin/grep -q -F -e "$IP" "${NTP_CACHE_FILE_TMP}" > /dev/null 2>&1
  if [ $? -ne 0 ]; then
    /bin/echo "$IP" >> "${NTP_CACHE_FILE_TMP}"
    let N++
  fi
done

[ $N -gt 0 ] && /bin/echo Added $N new IP addresses.

# when the old cache expires replace it
${UPDATE_CMD} "${NTP_CACHE_FILE_TMP}" "${NTP_CACHE_FILE}" "${CACHE_LIFETIME}"


/jffs/home/file-cache
Code:
#!/bin/sh
# Implements a file cache by comparing the file timestamps to check age.
finish()  {
  if [ $? -eq 1 ]; then
    /bin/echo -e "
Usage: $SCRIPT_NAME SOURCE DEST [T]

Move file SOURCE to file DEST, but only when DEST does not exist
or SOURCE is newer than DEST by more than an optional amount of
time T that may have a suffix of (s)econds, (m)inutes, (h)ours,
or (d)ays
"
  fi
}
trap finish EXIT

SCRIPT_NAME=$(basename "${0##/*/}")
FILE_SOURCE="$1"
FILE_TARGET="$2"
FILE_AGE="${3:-0}"   # T is optional; default to 0 seconds so the comparison below stays valid

if [ "$FILE_SOURCE" == "" ] || [ "$FILE_TARGET" == "" ]; then
  /bin/echo "missing argument"
  exit 1
fi

if [ ! -f "$FILE_SOURCE" ]; then
  /bin/echo "source file not found"
  exit 1
fi

# parse the time argument
N=${FILE_AGE%[^0-9]}
U=${FILE_AGE#$N}

# normalize the time value to seconds
case $U in
  "" | "s")
    FILE_AGE_SECONDS=$N
    ;;
  "m" )
    FILE_AGE_SECONDS=$(expr $N '*' 60)
    ;;
  "h")
    FILE_AGE_SECONDS=$(expr $N '*' 3600)
    ;;
  "d")
    FILE_AGE_SECONDS=$(expr $N '*' 86400)
    ;;
  *)
    /bin/echo "invalid time suffix"
    exit 1
    ;;
esac

if [ -f "$FILE_SOURCE" ]; then
  if [ ! -f "$FILE_TARGET" ] || [ $(/usr/bin/expr $(/bin/date -r "$FILE_SOURCE" +%s) - $(/bin/date -r "$FILE_TARGET" +%s)) -gt $FILE_AGE_SECONDS ];  then
    /bin/mv -f "$FILE_SOURCE" "$FILE_TARGET"
    /bin/echo "cache updated"
  else
    /bin/echo "cache not updated"
  fi
fi


 
Last edited:
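The ntp-sync loop in the post above hands every line of ntp-ip-cache.txt unquoted to nvram set and retries without limit. As an added example (not code from the thread), the functions below accept only well-formed dotted-quad lines, drop duplicates and cap the number of attempts. The function names, the retry limit and the sample lines are assumptions made for the example; try_server reuses the nvram and service commands from the post.

```shell
#!/bin/sh
# Added example: sanitize the cached NTP addresses and bound the retries.

# Constructed sample of a cache file with good and bad lines (one line
# carries a Windows CR, the last line has no trailing newline).
sample_cache() {
  printf '192.0.2.10\n192.0.2.10\n999.1.1.1\n192.0.2.011\n'
  printf '198.51.100.7; reboot\n203.0.113.5\r\nnot-an-ip\n198.51.100.7'
}

# Succeed only for a dotted quad whose four octets are 0..255 without
# leading zeros (some parsers read "011" as octal).
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in 0?*) return 1 ;; esac
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the valid, unique addresses from FILE (or stdin) in file order.
clean_ntp_cache() {
  seen=" "
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')
    is_ipv4 "$line" || continue
    case "$seen" in *" $line "*) continue ;; esac
    seen="$seen$line "
    printf '%s\n' "$line"
  done < "${1:-/dev/stdin}"
}

# Point the firmware NTP client at one address and report whether the clock
# synchronized. Same commands as the ntp-sync script in the post, with the
# address quoted.
try_server() {
  /usr/sbin/nvram set ntp_server0="$1"
  /usr/sbin/nvram set ntp_server1="$1"
  /usr/sbin/nvram unset ntp_server_tried
  /usr/bin/killall ntp; /bin/sleep 1; /sbin/service restart_ntpc; /bin/sleep 5
  [ "$(/usr/sbin/nvram get ntp_ready)" = "1" ]
}

# sync_from_cache FILE [MAX_TRIES]
# Try at most MAX_TRIES cleaned addresses; print the one that worked.
sync_from_cache() {
  cache=$1; max_tries=${2:-10}; tries=0
  for ip in $(clean_ntp_cache "$cache"); do
    [ "$tries" -lt "$max_tries" ] || break
    tries=$((tries + 1))
    if try_server "$ip"; then
      echo "$ip"
      return 0
    fi
  done
  return 1
}

# Demo on the constructed sample: only the three usable addresses are printed.
sample_cache | clean_ntp_cache
```

On the router, wan-start would call `sync_from_cache /jffs/home/ntp-ip-cache.txt` in place of the unbounded while loop.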
do many people actually get this to work using those very simple instructions?
I think Yes. However, Entware-ng depends on the USB storage. And my USB storage mounts properly most of the time. Most of the time my router boots up without needing a human intervention to power cycle it.

The fake hardware clock piece is good for beginners. Just install the app and it works. However, a fake clock isn't that complicated to require Entware-ng. So, you could try this instead, to set the system clock without dependence on Entware-ng. It will probably work. Haven't tried it yet.

/jffs/scripts/init-start
Code:
#!/bin/sh
[ -f /jffs/clock-seconds-saved ] && /bin/date -u -s 197001010000.$(($(/bin/cat /jffs/clock-seconds-saved) + 10))

/jffs/scripts/services-stop
Code:
#!/bin/sh
[ "$(/usr/sbin/nvram get ntp_ready)" == "1" ] && /bin/date -u +%s > /jffs/clock-seconds-saved
 
ho-hum. It didn't work with the simple instructions. I had no dns on reboot because "dnscrypt-proxy[nnn]: unable to retrieve server certificates" or some such, so I reverted, and I'll have to do some more digging when I get time. Maybe it was due to the dns provider I chose in the list during installation, that was down or didn't configure correctly. I've had that problem with some providers in the past when installing dnscrypt on Fedora.
 
okee dokee, figured it out now. btw, I'm using an ASUS RT-AC68U with Merlin 378.56_02 and Entware installed on USB3 16GB ext4 pendrive.

I followed the Wiki install guide only and did not deviate from it one bit. I chose an OpenNIC server when prompted (an SE server).

# after install, I was getting this error in system log
Jan 14 11:26:58 dnscrypt-proxy[1080]: Unable to retrieve server certificates

# the standard installation according to the wiki set these arguments to the dnscrypt-proxy
/opt/etc/init.d/S09dnscrypt-proxy

#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R opennic-fvz-rec-se-ab-01"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

# But those ARGS do not set the --provider-key or --provider-name which are or seem to be mandatory!

# I log into the router, kill the dnscrypt-proxy process and start it manually with correct args
/opt/sbin/dnscrypt-proxy --local-address=127.0.0.1:65053 --daemonize --provider-key=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955 --provider-name=2.dnscrypt-cert.resolver2.dnscrypt.eu --resolver-address=77.66.84.233:443


# now get correct result in system log:
Jan 14 10:41:03 dnscrypt-proxy[5456]: Starting dnscrypt-proxy 1.6.0
Jan 14 10:41:03 dnscrypt-proxy[5456]: Proxying from 127.0.0.1:65053 to 77.66.84.233:443


# I check the current CSV provider list and opennic-fvz-rec-se-ab-01 is not on the list, so the installation script is using an old list maybe?

I have not rebooted router yet as im at work and do not fancy losing connectivity, but will see if it works fully when I get home. No more posts if all works as expected!
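
The -R name in the init script is only a lookup key into the resolver list; what authenticates the resolver is the pinned --provider-key. As an added example (not part of the original post or the dnscrypt-proxy project), the function below looks a name up in a dnscrypt-resolvers.csv and prints the explicit options used in the manual start above, failing when the name is absent or the key is malformed. The column headers are assumed to match the dnscrypt-proxy 1.x list, and every row is constructed.

```shell
#!/bin/sh
# Added example: turn a resolver name into explicit, key-pinned options.

# Constructed resolver list; the header row is assumed to match the
# dnscrypt-proxy 1.x dnscrypt-resolvers.csv. No row is a real resolver.
sample_csv() {
  cat <<'EOF'
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-dk,"Example, Denmark","Constructed row, not a real resolver",Denmark,,https://example.test,1,yes,yes,no,192.0.2.53:443,2.dnscrypt-cert.example.test,0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF,
bad-key,"Truncated key",Constructed row,Nowhere,,https://example.test,1,no,no,no,192.0.2.54:443,2.dnscrypt-cert.bad.test,0123:4567,
EOF
}

# resolver_args NAME CSV   (CSV may be "-" for stdin)
# Exit 0 and print the options when NAME is listed with a well-formed key.
# Exit 1: NAME not listed. Exit 2: unexpected header row.
# Exit 3: listed, but the key is not 16 colon-separated groups of 4 hex digits.
resolver_args() {
  awk -v want="$1" '
    # Split one CSV record into f[1..n], honouring quoted fields and "" escapes.
    function split_csv(line, f,    n, i, c, inq, cur) {
      split("", f); n = 1; cur = ""; inq = 0
      for (i = 1; i <= length(line); i++) {
        c = substr(line, i, 1)
        if (inq) {
          if (c == "\"" && substr(line, i + 1, 1) == "\"") { cur = cur c; i++ }
          else if (c == "\"") { inq = 0 }
          else { cur = cur c }
        } else if (c == "\"") { inq = 1 }
        else if (c == ",") { f[n++] = cur; cur = "" }
        else { cur = cur c }
      }
      f[n] = cur
      return n
    }
    function key_ok(k,    p, n, i) {
      if (length(k) != 79 || k ~ /[^0-9A-Fa-f:]/) return 0
      n = split(k, p, ":")
      if (n != 16) return 0
      for (i = 1; i <= n; i++) if (length(p[i]) != 4) return 0
      return 1
    }
    BEGIN { rc = 1 }
    { sub(/\r$/, "") }
    NR == 1 {
      n = split_csv($0, h)
      for (i = 1; i <= n; i++) col[h[i]] = i
      if (!("Name" in col) || !("Resolver address" in col) || !("Provider name" in col) || !("Provider public key" in col)) { rc = 2; exit }
      next
    }
    {
      split_csv($0, f)
      if (f[col["Name"]] != want) next
      if (!key_ok(f[col["Provider public key"]])) { rc = 3; exit }
      printf "--resolver-address=%s --provider-name=%s --provider-key=%s\n", f[col["Resolver address"]], f[col["Provider name"]], f[col["Provider public key"]]
      rc = 0
      exit
    }
    END { exit rc }
  ' "$2"
}

# Demo on the constructed list.
sample_csv | resolver_args example-dk -
```

A start script can refuse to launch dnscrypt-proxy when this returns non-zero, which surfaces a stale or mismatched resolver list before the router is left without DNS.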
 
I can't seem to find the instructions for adding a second resolver? Anyone that knows?

Edit: found the instructions by going to an archive site, to save others the trouble (if they have the same issue) I'm quoting below. Hope you don't mind that I'm bringing back seemingly deleted information but I think it's very useful to have.

If you want to use two resolvers:
We need to run another dnscrypt-proxy instance on another port:
Code:
echo "server=127.0.0.1#65054" >> /jffs/configs/dnsmasq.conf.add
cd /opt/sbin
ln -s dnscrypt-proxy dnscrypt-proxy1
cd /opt/etc/init.d/
cp S09dnscrypt-proxy S09dnscrypt-proxy1

and edit following fields in /opt/etc/init.d/S09dnscrypt-proxy1:
Code:
#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy1
ARGS="--local-address=127.0.0.1:65054 --daemonize -R dnscrypt.eu-dk"
PREARGS=""
DESC=
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
dnscrypt.eu-dk is server from this list, picked just for example.

Reboot router to apply new settings. A boot log with two resolvers is here, just in case.
 
The dnscrypt.me dnscrypt proxy has not been working since yesterday... can someone fix it?

sent from Kodi 17 Krypton
 
The dnscrypt.me dnscrypt proxy has not been working since yesterday... can someone fix it?

sent from Kodi 17 Krypton
Have you checked if service is up at dnscrypt?
 
Have you checked if service is up at dnscrypt?
I do not know how to check. If I put dnscrypt.me in the browser, nothing opens... It is strange, all the best dnscrypt are stopping working... first dnsmachine.de, now dnscrypt.me...
 
My method is for Dnscrypt that you compile yourself using an ARM cross compiler included with the Asuswrt-Merlin firmware, and copy to /jffs/bin.

If you can't get it to compile, then use Entware. It should be easy. The Dnscrypt service startup script is in /opt/etc/init.d. If you need multiple instances of Dnscrypt, I think you could just copy the service startup script and edit to change the startup parameters for the 2nd instance.

If problems persist, then telnet/ssh to the router and "cat /tmp/syslog.log" to see what's going on.
The Entware install script is stuck on Info: Modifying start scripts... for me. (I'm trying HGG's firmware)
Can I copy /tmp/mnt/sda1/entware/sbin/dnsycrypt-proxy from my old entware installation and place into /jffs/bin?
EDIT: figured it out, my ip was blocked, I am back to using entware.
 