Dnscrypt from opendns
- Thread starter shooter40sw
- Start date
I removed my how-to from the second post, leaving a link to asuswrt-merlin wiki page. After adding fake-hwclock package installation of dnscrypt-proxy is simplified.
Secure DNS queries using DNSCrypt.
Make sure there is no errors in syslog after reboot:
Secure DNS queries using DNSCrypt.
Make sure there is no errors in syslog after reboot:
Code:
...
Jan 1 03:00:15 pppd[315]: Connect: ppp0 <--> eth0
...
Jan 1 03:00:20 custom script: Running /jffs/scripts/post-mount (args: /tmp/mnt/OPT)
...
Aug 26 11:05:07 admin: Started dnscrypt-proxy from .
...
Aug 26 11:06:06 pppd[315]: System time change detected.
ASAT
Senior Member
Use the toolchain included with the Asuswrt-Merlin firmware to compile dnscrypt-proxy. Then you copy the binaries to /jffs/bin. No Optware or Entware required.
Calisro
Senior Member
Or grab one compiled by @lancethepants . Don't forget to thank him.
http://files.lancethepants.com/Binaries/dnscrypt-proxy/
RogueSpear
Occasional Visitor
It seems some of the previous steps are either not necessary anymore or they were forgotten in the re-write? For starters, I'm not sure how to configure dual resolvers anymore, but more importantly, this doesn't seem to be working for me. I'm just not resolving anything. I just signed up with Perfect Privacy to see if I get better performance than PIA has been giving me lately. They allegedly have some sort of secure DNS solution, so I think I'll give that a shot until this gets fleshed out a little more again.
wheelq
Regular Contributor
I have sued this manual, no internet after reboot and in the lgos I can see issues with certificates...(same as in one of the first posts in this thread)
ASAT
Senior Member
Here's my wiki mod. No Optware or Entware required.
/jffs/scripts/wan-start
Code:
#!/bin/sh
logger -t $(basename $0) "started [$$]"
/bin/pidof dnscrypt-proxy > /dev/null 2>&1 || \
(
# Now resolve DNS name for NTP server
ntp_name=$(nvram get ntp_server0)
grep "$ntp_name" /jffs/configs/hosts.add > /dev/null 2>&1 || \
for ip in $(/jffs/bin/hostip $ntp_name)
do
echo $ip $ntp_name >> /jffs/configs/hosts.add
done
# restart NTP client to eliminate 4-5 mins delay
killall ntp
sleep 1
service restart_dnsmasq
service restart_ntpc
sleep 5
# wait up to 5 minutes to make sure the router has the correct time
tmax=300
i=0
while [ $i -le $tmax ]
do
if [ "$(nvram get ntp_ready)" -eq "1" ]
then
break
fi
logger "Waiting for correct time to be set."
sleep 1
i=`expr $i + 1`
done
# dnscrypt-proxy requires the correct time for certificate validation
/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:60053 --ephemeral-keys --resolver-name=dnscrypt.org-fr --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
/jffs/bin/dnscrypt-proxy --local-address=127.0.0.1:60054 --ephemeral-keys --resolver-name=soltysiak --resolvers-list=/jffs/bin/dnscrypt-resolvers.csv --daemonize
)/jffs/configs/dnsmasq.conf.add
Code:
...
### dnscrypt
no-resolv
server=127.0.0.1#60053 # dnscrypt
server=127.0.0.1#60054 # dnscrypt
...Calisro
Senior Member
If you are okay with the entware approach, then follow the wiki.This little "how-to" spans over 13 pages now! Can somebody try to clarify this procedure and/or duplicate it consistently with success? I'm at a loss between one set of scripts and another, remove this, that, and the other...
https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt
If you do not want to depend on entware, then you can probably use the post right above yours ASAT wrote.
Calisro
Senior Member
@ILMostro I see you updated that wiki. The steps you added shouldn't be neccessaary. With fak-hwclock the existing ntp will work fine as it will take the existing time from before the reboot and dnscrypt won't fail on the cert verification any longer.
#!/bin/sh
for ip in $(/opt/bin/hostip $(nvram get ntp_server0))
do
echo $ip $(nvram get ntp_server0) >> /etc/hosts
done
#!/bin/sh
for ip in $(/opt/bin/hostip $(nvram get ntp_server0))
do
echo $ip $(nvram get ntp_server0) >> /etc/hosts
done
Calisro
Senior Member
Since you're going to use entware, here is how it should work and I agree the wiki could use some updates considering it is entirely missing the actual configuration set up for dnscrypt-proxy itself.
1) Install fa ke_hwclock
2) After you install fak e-hwclock. You should reboot and verify from your /tmp/syslog.log that the clock was set very quickly after boot.
3) Now set up dnscrypt. For this you need to edit the config files for dnscrypt in /opt. check the /tmp/syslog.log to verify its working.
4) Once the dnscrypt daemon is working (check the /tmp/syslog.log to verify) change dnsmasq to use it as a resolver like so:
echo "no-resolv" > /jffs/configs/dnsmasq.conf.add
echo "server=127.0.0.1#65053" >> /jffs/configs/dnsmasq.conf.add
5) Then you reboot and verify again.
I'd update the wiki but I am running a slightly modified version of this with static binaries rather than entware itself but the premise is hte same.
1) Install fa ke_hwclock
2) After you install fak e-hwclock. You should reboot and verify from your /tmp/syslog.log that the clock was set very quickly after boot.
3) Now set up dnscrypt. For this you need to edit the config files for dnscrypt in /opt. check the /tmp/syslog.log to verify its working.
4) Once the dnscrypt daemon is working (check the /tmp/syslog.log to verify) change dnsmasq to use it as a resolver like so:
echo "no-resolv" > /jffs/configs/dnsmasq.conf.add
echo "server=127.0.0.1#65053" >> /jffs/configs/dnsmasq.conf.add
5) Then you reboot and verify again.
I'd update the wiki but I am running a slightly modified version of this with static binaries rather than entware itself but the premise is hte same.
ILMostro
Occasional Visitor
My problem might be stemming from my PATH variable. `dnscrypt` updates the PATH to prepend /opt/bin:/opt/sbin, but then "/opt/bin:/opt/sbin" is appended to the PATH at the end by default. So, prepending the custom directory might not have any effect if it's called again AFTER the primary system's bin directories again.
Code:
PATH=/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/ilmostro:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/binCalisro
Senior Member
I haven't/can't update the wiki as I am running a very different config than standard... My comments above though is essentially it. The fa ke-hwclock makes it pretty easy after the first reboot.
My suggestion is to do it all in phases starting fa_ke-hwclock. Verify that is functioning before playing with dnscrypt.
ILMostro
Occasional Visitor
In terms of customizing the dnscrypt-related files in "/opt/", I'm not sure what, if anything, should be changed.
Code:
:/# cat /opt/etc/init.d/S09dnscrypt-proxy
#!/bin/sh
ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R opendns"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.funcCalisro
Senior Member
That looks fine if you want to use opendns. you can change it later. For now verify on boot that your clock is set correctly very early in your syslog.log after boot. That way we know the fa_ke-hwclock.is working. That is neccessary dependency.
Similar threads
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
| B | (solved) Dnscrypt blocked-names.txt automatically deleted upon modification | Asuswrt-Merlin | 4 |
Similar threads
-
(solved) Dnscrypt blocked-names.txt automatically deleted upon modification
- Started by Boji
- Replies: 4