Dnscrypt from opendns


Changed the NTP server to an IP et voila!!......SUCCESS!:D

Finally had a chance to try this again with my wife out shopping and maxing the CC.

Here is my setup:
1 - Used non-entware on AC56U (arm)
2 - OpenDNS Servers on router gui
3 - DNSOMATIC DDNS (OpenDNS account)

Connected within a minute with a valid certificate

Cheers!
Which of the pool.ntp.org public IP addresses did you use? I tried this before with Asus DDNS and it failed, so it could be that it does not work with Asus DDNS.
 
I used 208.73.56.29
 
Cool -
Please can you confirm:
(1) You selected dnsomatic.com as your DDNS via the router GUI
(2) Did you previously have Download Master installed, and if yes, did you delete the asusware folder before/after installing Entware?
(3) Did you install Transmission via Entware?
(4) Which dnscrypt server option did you select during installation?
(5) You just renamed the wan_start and boom, all started working :)?

I'm starting to do it again from scratch and I'll tell you.
1 - Yes, I have DNS-O-Matic set from the GUI
2 - I had Download Master but I uninstalled it, and started from scratch on a 16 GB USB drive formatted as ext2
3 - Earlier I did install Transmission via Entware and it worked, but IMHO it is too much of a hassle and I don't want it starting at boot time... but I did not test it using dnscrypt.
4 - I chose the normal OpenDNS, number 17.
5 - Yes, that's all I did.

I'm doing everything from scratch; first I will try with dnscrypt, then I'll go with Transmission. I will let you know.
 
From scratch, and yes, in my case, maybe you can just add the hosts.add; mine has this inside: 64.4.10.33 time.windows.com. You don't even have to create the wan-start script, because I created it but it did not work at all, but that script created the hosts.add file that was not there before... After that I changed the name of the script to wan-start.old and rebooted; that was it, it started to work. All this on Entware. So hope this works for you.
Transmission works too, no issues.

:04 dnscrypt-proxy[536]: Chosen certificate #1380734687 is valid from [2013-10-03] to [2014-10-03]
Jun 13 22:04:04 dnscrypt-proxy[536]: Server key fingerprint is 227C:xxxxxxxxxxxxxxxxxxxx
Jun 13 22:04:04 dnscrypt-proxy[536]: Proxying from 127.0.0.1:65053 to 208.67.220.220:443
Jun 13 22:04:05 ddns update: connected to updates.dnsomatic.com (67.215.92.215) on port 80.
Jun 13 22:04:05 ddns update: request successful
Jun 13 22:04:05 ddns update: asusddns_update: 0
Jun 13 22:04:05 ddns: ddns update ok
 
Cool!

Did the package ryzhov_al provided work out of the box for you?

If not, what manual changes did you apply?


General question to all:

I was hoping to extract the minimal required files from the working Entware setup (the dnscrypt-proxy and hostip binaries plus the 4 libraries that they load according to ldd and the configuration/script files), but I'm not sure how to configure the router to load the required libraries (is there such a thing as LD_LIBRARY_PATH?).

Any tips on how to perform this?
 
Yes, you can export LD_LIBRARY_PATH for Entware binaries, but IMHO it's not an optimal way; you'll lose the ability to choose the desired DNSCrypt server.

The precompiled dnscrypt-proxy binary is working; it's a question of configuration.
 

Have tried with dnsomatic with an IP address for the NTP server but still can't connect. If I enable my Astrill OpenVPN I can access the internet. I just don't understand what it is I am missing here. Below is my cat /etc/hosts
PS - I even tried using one of the IPs specified within the hosts.add file but still no joy

ASUSWRT-Merlin RT-AC66U_3.0.0.4 Fri Jun 6 20:31:04 UTC 2014
admin@RT-AC66U:/tmp/home/root# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.1.1 router.asus.com
192.168.1.1 www.asusnetwork.net
192.168.1.1 www.asusrouter.com
192.168.1.1 RT-AC66U. RT-AC66U
91.207.136.55 pool.ntp.org
194.190.168.1 pool.ntp.org
188.134.15.192 pool.ntp.org
85.21.78.8 pool.ntp.org
admin@RT-AC66U:/tmp/home/root#
 
After installing and uninstalling Entware I have 2 syslog.log files in /jffs:

Code:
-rw-rw-rw-    1 admin    root        208402 Jun 14 14:21 syslog.log
-rw-rw-rw-    1 admin    root        262152 Jun 14 14:21 syslog.log-1

Is this normal?

If not, what's the proper way to solve this?
 

The package works out of the box. I just needed to change the NTP server on my router to an IP; it wouldn't work using the NTP name (POOL.NTP.ORG).

Cheers!
 
I'm not sure what "Lancethepants" did different, but his binaries (also with their own version of libsodium) seem to support server selection.

I installed your package again, but this time replaced the 2 binaries with those found here:

http://files.lancethepants.com/Binaries/dnscrypt-proxy/

Then I changed the last line of /jffs/scripts/wan-start to look like this:

Code:
/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:65053 --daemonize --resolver-address=176.56.237.171:443 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu  --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66

Now DNSCrypt is working without Entware using resolver1 from DNSCrypt.eu!

So thanks again for your help; I got it working based on your knowledge and support!
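As an added example (my own, not the ryzhov_al package's wan-start and not Lancethepants' code), here is a standalone wan-start in the same spirit as the one-liner above that deals with the boot ordering this thread keeps hitting: dnscrypt-proxy checks the resolver certificate against its valid-from/valid-to dates, so with the router clock still at 1970 the certificate cannot be accepted, while NTP needs a DNS answer that only the proxy can supply. Pinning the NTP host in hosts.add breaks that loop, and restarting the proxy once the clock is sane makes the date check pass even on a build that does not refetch. The resolver, provider name and key are the ones from the command above, and the time.windows.com / 64.4.10.33 pair is the one quoted earlier in the thread; the Asuswrt-Merlin path /jffs/configs/hosts.add, the `service restart_dnsmasq` helper, the CLOCK_FLOOR value and the 120 second wait are my assumptions.

```shell
#!/bin/sh
# Added example wan-start for the Entware-less dnscrypt-proxy install (not the
# package's own script). Paths and the restart helper are Asuswrt-Merlin
# conventions assumed here; resolver/provider values are those quoted in the thread.

DNSCRYPT_BIN=/jffs/bin/dnscrypt-proxy
HOSTS_ADD=/jffs/configs/hosts.add      # extra dnsmasq hosts entries (assumed Merlin path)
LOCAL_ADDR=127.0.0.1:65053             # dnsmasq forwards here ("using nameserver 127.0.0.1#65053")
RESOLVER=176.56.237.171:443
PROVIDER_NAME=2.dnscrypt-cert.resolver1.dnscrypt.eu
PROVIDER_KEY=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
NTP_HOST=time.windows.com              # host/IP pair quoted in the thread
NTP_IP=64.4.10.33
CLOCK_FLOOR=1380758400                 # 2013-10-03 (certificate valid-from date); assumed floor

# pin_ntp_host FILE HOST IP : append "IP HOST" to FILE unless HOST is already pinned
pin_ntp_host() {
    pin_file=$1; pin_host=$2; pin_ip=$3
    grep -q "[[:space:]]$pin_host\$" "$pin_file" 2>/dev/null && return 0
    printf '%s %s\n' "$pin_ip" "$pin_host" >> "$pin_file"
}

# clock_is_sane EPOCH : succeed when EPOCH is past the certificate's valid-from date
clock_is_sane() {
    [ "$1" -ge "$CLOCK_FLOOR" ]
}

# wait_for_clock MAX_SECONDS : poll the system clock once a second; 1 on timeout
wait_for_clock() {
    waited=0
    while [ "$waited" -lt "$1" ]; do
        clock_is_sane "$(date +%s)" && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# start_proxy : the same invocation as the thread's one-liner, pinned to one resolver key
start_proxy() {
    "$DNSCRYPT_BIN" --local-address="$LOCAL_ADDR" --daemonize \
        --resolver-address="$RESOLVER" \
        --provider-name="$PROVIDER_NAME" \
        --provider-key="$PROVIDER_KEY"
}

main() {
    pin_ntp_host "$HOSTS_ADD" "$NTP_HOST" "$NTP_IP"
    service restart_dnsmasq          # reload hosts.add so NTP can resolve without the proxy
    start_proxy                      # first start: dnsmasq needs an upstream at all
    if wait_for_clock 120; then
        killall dnscrypt-proxy       # restart with a sane clock so the certificate dates validate
        start_proxy
        logger -t wan-start "dnscrypt-proxy restarted after NTP sync"
    else
        logger -t wan-start "clock never synced; dnscrypt-proxy may reject certificates"
    fi
}

# Merlin calls this hook with the WAN unit as $1 ("wan-start: started [0]" in the
# thread's log); with no argument the file only defines functions, so it can be sourced.
case "${1:-}" in
    [0-9]*) main ;;
esac
```

Copy it to /jffs/scripts/wan-start and make it executable; the first start keeps name resolution available while the clock is wrong, and the restart is what makes the "Chosen certificate ... is valid" line appear on a build that does not refetch on its own.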
 

I have reset my router now to default and started without using any saved settings. So now back to Merlin build .43 - I am going to start all over now with these -

No Entware installed - going to use the script for standalone DNSCrypt
(1) Download Master installed
(2) No reference to OpenDNS servers in the GUI
(3) DDNS set to Asus DDNS
(4) NTP Server - IP address [one from the hosts.add file]
Will post the result

OK - still not able to connect to the internet after running the script - not sure what else to do. I have restarted the router several times with still the same result. I even tried without setting any DDNS within the router, and removed all USB Application settings from the GUI.
 
Finally got dnscrypt working with the standalone script - my configuration:

(1) Asus DDNS enabled via GUI
(2) NTP Server = pool.ntp.org
(3) Pinged pool.ntp.org several times to obtain different IP addresses and replaced them in the hosts.add file
(4) Went to http://files.lancethepants.com/ and copied [dnscrypt-proxy and hostip binaries], replaced the existing ones and also set permission to 0777, also set the same on the other files
(5) Restarted wan-start using "/jffs/scripts/wan-start" and immediately saw the message that Server certificate # received and valid, and was able to connect to the internet. Lastly - I restarted the router to see if the connection to Asus DDNS & the dnscrypt server would still connect, and YES they did, so not sure if it was the permissions on the files or the change of the two binary files that made it connect without any hassle! Anyway, thanks all for your help & comments. I can now sit and enjoy the World Cup :)

PS - Verified welcome.opendns.com and got the tick -
WELCOME TO OPENDNS!
Your Internet is safer, faster, and smarter
because you're using OpenDNS.
 
EDIT:
Never mind, followed your lead; it's working now with the binaries! Thanks, but IMHO Entware is cool, the Transmission web UI works great....
Thanks

----
Can you give us the path for where the binaries must be?

 
Great, worked for me too, following the instructions from the wiki. https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt

Stupid newbie question: where can I change the resolver (I would like to change to an OpenNIC one instead of OpenDNS)? Searched for it, and this https://wiki.archlinux.org/index.php/DNSCrypt says it should be located at /etc/conf.d/dnscrypt-proxy, but it wasn't there..

I recently updated/upgraded Entware, and when I installed dnscrypt it presented me with a list of resolvers selectable by typing the corresponding number. I switched from opendns to opendns-ipv6 :D not for any reason in particular
 
Precompiled binaries for asuswrt-merlin fixed too. To install DNSCrypt-proxy without Optware/Entware, please do:
1) Make sure JFFS is enabled from WebUI, you need to reboot after enabling JFFS,
2) Install precompiled dnscrypt binaries with start script from SSH/telnet console.
  • on MIPS-based routers (RT-N16, RT-N66U, RT-AC66U):
    Code:
    wget -O - http://files.ryzhov-al.ru/Routers/asuswrt-merlin/dnscrypt-proxy/dnscrypt-proxy-asuswrt-merlin-mipsel.tgz | tar -C / -xvz
  • on ARM-based routers (RT-AC56U, RT-AC68U):
    Code:
    wget -O - http://files.ryzhov-al.ru/Routers/asuswrt-merlin/dnscrypt-proxy/dnscrypt-proxy-asuswrt-merlin-arm.tgz | tar -C / -xvz
3) Reboot router.
The OpenDNS dnscrypt server will be used; if you wish to choose another one (from the list above), please install the full package from Entware.




For me, the problem was getting the Entware-less package to work at all. Can confirm that the binaries from lancethepants work. I am interested in what the differences are between the two packages from ryzhov_al and lancethepants. They're ELF binaries..

In System Log, using the ryzhov_al package, it seemed to stop at the time disparity. For some reason, it was not attempting to refetch.
crond[333]: time disparity of 1816669 minutes detected

Using the lancethepants package, it refetches the server certificates:
crond[333]: time disparity of 1816669 minutes detected
dnscrypt-proxy[464]: Refetching server certificates
dnscrypt-proxy[464]: Server certificate #XXXXXXXXX received
dnscrypt-proxy[464]: This certificate looks valid
dnscrypt-proxy[464]: Chosen certificate #XXXXXXXXX is valid from [2013-10-03] to [2014-10-03]
dnscrypt-proxy[464]: Server key fingerprint is XXXX:XXXX:.........

Using latest fw (374.43_0) with hard reset. In both cases, I did an nslookup of pool.ntp.org and updated hosts.add. Using dnscrypt in wan-start, as in ryzhov_al package.
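Added example (my own, not code from either package): a small POSIX sh/awk classifier for a saved router syslog that tells the outcomes described in this thread apart using only the message texts quoted above, so a reader can check a log without scrolling through it. The three sample logs are constructed from the quoted lines; the verdict labels are mine.

```shell
#!/bin/sh
# Added example: classify dnscrypt-proxy start-up from syslog lines (not from the
# thread's packages). Usage on the router: dnscrypt_log_verdict < /tmp/syslog.log

# dnscrypt_log_verdict : read syslog lines on stdin and print one verdict label
dnscrypt_log_verdict() {
    awk '
        /dnscrypt-proxy\[[0-9]+\]: Starting dnscrypt-proxy/            { started = 1 }
        /dnsmasq\[[0-9]+\]: using nameserver 127\.0\.0\.1#65053/       { forwarded = 1 }
        /crond\[[0-9]+\]: time disparity of [0-9]+ minutes detected/   { disparity = 1 }
        /dnscrypt-proxy\[[0-9]+\]: Refetching server certificates/      { refetch = 1 }
        /dnscrypt-proxy\[[0-9]+\]: Chosen certificate #[0-9]+ is valid/ { chosen = 1 }
        END {
            # Order matters: a missing proxy or a dnsmasq not pointed at it explains
            # everything else, so report those before looking at certificates.
            if (!started)              { print "proxy-not-started"; exit }
            if (!forwarded)            { print "dnsmasq-not-using-proxy"; exit }
            if (chosen)                { print "ok"; exit }
            if (disparity && !refetch) { print "clock-jumped-no-refetch"; exit }
            print "no-valid-certificate"
        }'
}

# Constructed sample: the lancethepants run quoted above, with the dnsmasq and
# proxy start-up lines from the longer log placed in front of it.
sample_refetch_ok() {
    cat <<'EOF'
Dec 31 17:00:18 dnsmasq[443]: using nameserver 127.0.0.1#65053
Dec 31 17:00:19 dnscrypt-proxy[464]: Starting dnscrypt-proxy 1.4.0
Jun 25 14:26:31 crond[333]: time disparity of 1816669 minutes detected
Jun 25 14:26:31 dnscrypt-proxy[464]: Refetching server certificates
Jun 25 14:26:32 dnscrypt-proxy[464]: Server certificate #1380734687 received
Jun 25 14:26:32 dnscrypt-proxy[464]: This certificate looks valid
Jun 25 14:26:32 dnscrypt-proxy[464]: Chosen certificate #1380734687 is valid from [2013-10-03] to [2014-10-03]
EOF
}

# Constructed sample: the ryzhov_al case, where the log stops at the time disparity.
sample_stuck_after_clock_jump() {
    cat <<'EOF'
Dec 31 17:00:18 dnsmasq[443]: using nameserver 127.0.0.1#65053
Dec 31 17:00:19 dnscrypt-proxy[468]: Starting dnscrypt-proxy 1.4.0
Dec 31 17:00:19 dnscrypt-proxy[468]: Generating a new key pair
Jun 25 14:26:31 crond[333]: time disparity of 1816669 minutes detected
EOF
}

# Constructed sample: wan-start ran but no dnscrypt-proxy line ever appeared.
sample_proxy_never_started() {
    cat <<'EOF'
Dec 31 17:00:18 wan-start: started [0]
Dec 31 17:00:18 dnsmasq[443]: using nameserver 127.0.0.1#65053
Dec 31 17:00:18 dnsmasq[443]: read /etc/hosts - 9 addresses
EOF
}
```

"clock-jumped-no-refetch" is the signature of the first package in this post: the clock was corrected by NTP after the proxy had already rejected the certificate, and the proxy never tried again, which is why a restart (or the refetching build) fixes it.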
 
Code:
# Wait up to 15 seconds to make sure /opt partition is mounted
i=0
while [ $i -le 15 ]
do
    if [ -d /opt/tmp ]
    then
        break
    fi
    sleep 1
    i=`expr $i + 1`
done

or
Code:
sleep 10
/opt/etc/init.d/rc.unslung start



For those that lose the internet connection/DDNS after installing DNSCrypt, make sure you remove the above lines of code from the wan-start file if you have them;
DNSCrypt started working once I deleted those lines in my case.
 
I have tried the Entware method and the automated script (wget -O - http://files.ryzhov-al.ru/Routers/a...roxy/dnscrypt-proxy-asuswrt-merlin-mipsel.tgz | tar -C / -xvz) method by Ryzhov-al but I still get a non-working internet connection after rebooting. In between these attempts, I formatted the JFFS to ensure a fresh start.

I have tried adding the IP address of the NTP server directly in the GUI and in the hosts file before without any difference. This is on a fresh RT-N66U just flashed with Merlin's latest FW and an NVRAM reset.

Any help would be much appreciated for this newbie. Below is the system log after rebooting from using the automated Entware-less package.

Dec 31 17:00:12 RT-N66U: start httpd
Dec 31 17:00:12 crond[333]: crond: crond (busybox 1.20.2) started, log level 8
Dec 31 17:00:12 syslog: Generating SSL certificate...
Dec 31 17:00:16 disk monitor: be idle
Dec 31 17:00:17 Samba Server: daemon is started
Dec 31 17:00:17 kernel: Attempt to kill tasklet from interrupt
Dec 31 17:00:17 kernel: br0: port 1(vlan1) entering disabled state
Dec 31 17:00:17 kernel: vlan1: dev_set_promiscuity(master, 1)
Dec 31 17:00:17 kernel: br0: port 1(vlan1) entering listening state
Dec 31 17:00:17 kernel: br0: port 1(vlan1) entering learning state
Dec 31 17:00:17 kernel: br0: topology change detected, propagating
Dec 31 17:00:17 kernel: br0: port 1(vlan1) entering forwarding state
Dec 31 17:00:17 dnsmasq[317]: read /etc/hosts - 9 addresses
Dec 31 17:00:18 dnsmasq[317]: read /etc/hosts - 9 addresses
Dec 31 17:00:18 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Dec 31 17:00:18 dnsmasq[317]: exiting on receipt of SIGTERM
Dec 31 17:00:18 wan-start: started [0]
Dec 31 17:00:18 rc_service: service 425:notify_rc restart_dnsmasq
Dec 31 17:00:18 rc_service: service 426:notify_rc restart_ntpc
Dec 31 17:00:18 rc_service: waitting "restart_dnsmasq" via ...
Dec 31 17:00:18 dnsmasq[443]: started, version 2.69 cachesize 1500
Dec 31 17:00:18 dnsmasq[443]: warning: ignoring resolv-file flag because no-resolv is set
Dec 31 17:00:18 dnsmasq[443]: asynchronous logging enabled, queue limit is 5 messages
Dec 31 17:00:18 dnsmasq-dhcp[443]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
Dec 31 17:00:18 dnsmasq-dhcp[443]: DHCP, sockets bound exclusively to interface br0
Dec 31 17:00:18 dnsmasq[443]: using nameserver 127.0.0.1#65053
Dec 31 17:00:18 dnsmasq[443]: read /etc/hosts - 9 addresses
Dec 31 17:00:19 kernel: nf_conntrack_rtsp v0.6.21 loading
Dec 31 17:00:19 kernel: nf_nat_rtsp v0.6.21 loading
Dec 31 17:00:19 rc_service: udhcpc 399:notify_rc stop_upnp
Dec 31 17:00:19 rc_service: udhcpc 399:notify_rc start_upnp
Dec 31 17:00:19 rc_service: udhcpc 399:notify_rc stop_ntpc
Dec 31 17:00:19 rc_service: udhcpc 399:notify_rc start_ntpc
Dec 31 17:00:19 rc_service: waitting "stop_ntpc" via udhcpc ...
Dec 31 17:00:19 miniupnpd[465]: HTTP listening on port 47917
Dec 31 17:00:19 miniupnpd[465]: Listening for NAT-PMP/PCP traffic on port 5351
Dec 31 17:00:19 dnscrypt-proxy[468]: Starting dnscrypt-proxy 1.4.0
Dec 31 17:00:19 dnscrypt-proxy[468]: Initializing libsodium for optimal performance
Dec 31 17:00:19 dnscrypt-proxy[468]: Generating a new key pair
Dec 31 17:00:20 dhcp client: bound 174.0.101.180 via 174.0.100.1 during 172800 seconds.
Dec 31 17:00:22 WAN Connection: WAN was restored.
Jun 25 14:26:31 rc_service: ntp 467:notify_rc restart_upnp
Jun 25 14:26:31 rc_service: ntp 467:notify_rc restart_diskmon
Jun 25 14:26:31 rc_service: waitting "restart_upnp" via ntp ...
Jun 25 14:26:31 miniupnpd[465]: shutting down MiniUPnPd
Jun 25 14:26:31 miniupnpd[478]: HTTP listening on port 49432
Jun 25 14:26:31 miniupnpd[478]: Listening for NAT-PMP/PCP traffic on port 5351
 
I installed Ryzhov's script and then replaced the binaries with Lancethepants', and now it works fine. No need to change the IP of the NTP server either, so I think the culprit is in the modules somewhere.
 