DNScrypt dnscrypt installer for asuswrt

[redhat27]

How are you running dnscrypt-proxy? I use it as a service. I have my /opt/etc/init.d/S09dnscrypt-proxy as follows:

#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R cisco"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Make it executable. and dnscrypt-proxy will auto start when your router boots.

If you are planning to use more than one revolver, create multiple files: S09dnscrypt-proxy1, S09dnscrypt-proxy2, S09dnscrypt-proxy3 etc.
each with

ARGS="--local-address=127.0.0.1:65053 --daemonize -R resolver1"
ARGS="--local-address=127.0.0.1:65054 --daemonize -R resolver2"
ARGS="--local-address=127.0.0.1:65055 --daemonize -R resolver3"

and also make sure your /jffs/configs/dnsmasq.conf.add has the lines:

no-resolv
server=127.0.0.1#65053
server=127.0.0.1#65054
server=127.0.0.1#65055

 

[skeal]

How are you running dnscrypt-proxy? I use it as a service. I have my /opt/etc/init.d/S09dnscrypt-proxy as follows:

#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R cisco"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Make it executable. and dnscrypt-proxy will auto start when your router boots.

If you are planning to use more than one revolver, create multiple files: S09dnscrypt-proxy1, S09dnscrypt-proxy2, S09dnscrypt-proxy3 etc.
each with

ARGS="--local-address=127.0.0.1:65053 --daemonize -R resolver1"
ARGS="--local-address=127.0.0.1:65054 --daemonize -R resolver2"
ARGS="--local-address=127.0.0.1:65055 --daemonize -R resolver3"

and also make sure your /jffs/configs/dnsmasq.conf.add has the lines:

no-resolv
server=127.0.0.1#65053
server=127.0.0.1#65054
server=127.0.0.1#65055

Great this looks do-able. Can I ask why cisco has a mention in this code?

 

[redhat27]

Great this looks do-able. Can I ask why cisco has a mention in this code?

That is my content posted as is. I use cisco (opendns) resolver, You don't need to

 

[skeal]

That is my content posted as is. I use cisco (opendns) resolver, You don't need to

So substitute my cs us north in the Cisco spot?
Edit: cs usnorth

 

[redhat27]

You'd need to use the exact name in the /opt/share/dnscrypt-proxy/dnscrypt-resolvers.csv file. No spaces. I think it would be cs-usnorth

 

[skeal]

You'd need to use the exact name in the /opt/share/dnscrypt-proxy/dnscrypt-resolvers.csv file. No spaces. I think it would be cs-usnorth

Yes sir I think you are absolutely correct!

 

[joegreat]

How are you running dnscrypt-proxy? I use it as a service. I have my /opt/etc/init.d/S09dnscrypt-proxy as follows:

#!/bin/sh

ENABLED=yes
PROCS=dnscrypt-proxy
ARGS="--local-address=127.0.0.1:65053 --daemonize -R cisco"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Make it executable. and dnscrypt-proxy will auto start when your router boots.

If you are planning to use more than one revolver, create multiple files: S09dnscrypt-proxy1, S09dnscrypt-proxy2, S09dnscrypt-proxy3 etc.
each with

But only one works - the 2nd/3rd returns an error:
Starting ... already running.

Update: Got the solution by using the suggestion/solution from here - the symbolic links for new names of the executable's did the trick!

 

[skeal]

Yes sir I think you are absolutely correct!

Before I make these files I must say the difference between me and you is that you have version 1.9.1 I have version 1.9.3 or 1.9.4 I reinstalled dnscrypt and no errors. Pidof returns to numbers...ipleak.net shows both servers...I really have no reason to think it's not working. It's just updating certificate that it has problems with.

How can I manually call for a certificate update to test what I have. Do I have to wait 24 hours?

 

[redhat27]

Good point, @joegreat I do not use more than one instance, so I never actually faced this. So @skeal, please follow the post @joegreat referenced for multiple dnscrypt resolvers

 

[skeal]

Good point, @joegreat I do not use more than one instance, so I never actually faced this. So @skeal, please follow the post @joegreat referenced for multiple dnscrypt resolvers

The dnscrypt page 1 install scrypt of this post allows for two resolvers. You get asked which ones during the install. Then it asks if you want all dns to go through dnscrypt.

Sorry I don't think the comprehensive guide is my answer. My dnscrypt works! The installer looks after multiple instances it's the certificate update feature seems broken when using the two resolvers I use. My dns basically is not broken it's the cert renewal that fails. What do you think of this @bigeyes0x0 ?

 

[john9527]

Before I make these files I must say the difference between me and you is that you have version 1.9.1 I have version 1.9.3 or 1.9.4 I reinstalled dnscrypt and no errors. Pidof returns to numbers...ipleak.net shows both servers...I really have no reason to think it's not working. It's just updating certificate that it has problems with.

How can I manually call for a certificate update to test what I have. Do I have to wait 24 hours?

I don't believe it's anything to be concerned about....it gets retried automatically. I see it occasionally as well. My guess is it's one of two things.....
- the dnscrypt server is just busy and the command timed out
- dnscrypt just happens to be starting when something else is starting on the router that temporarily blocks communication.....like a restart of dnsmasq or the firewall.

 

[spalife]

The dnscrypt page 1 install scrypt of this post allows for two resolvers. You get asked which ones during the install. Then it asks if you want all dns to go through dnscrypt.

Sorry I don't think the comprehensive guide is my answer. My dnscrypt works! The installer looks after multiple instances it's the certificate update feature seems broken when using the two resolvers I use. My dns basically is not broken it's the cert renewal that fails. What do you think of this @bigeyes0x0 ?

You can try with --test option
to see if certificates are getting generated properly for the provider you have selected,
if not switch to a different dnscrypt-proxy provider.

Try the below replacing the values with your installation details and provider of your choice

dnscrypt-proxy --local-address=127.0.0.1:65053 --ephemeral-keys --daemonize -ZDnsCryptProxy1 -Rdnscrypt.eu-dk --test=10080

After running the command, type the below in your ssh shell
echo $?

Meaning of the value displayed by the echo command
0 if a valid certificate can be used
2 if no valid certificates can be used
3 if a timeout occurred, and
4 if a currently valid certificate is going to expire before the margin.

Check in syslog to see if any issue with configuration or certificates for the provider

 

[Rudi Pittman]

If I have a vpn client enabled and have all traffic going through the vpn is dnscrypt still used for the dns lookups? Do I want it to be? If not enabled what changes would have to be made to make dnscrypt work through the vpn and what would I need to change on the vpn client page?

Thank you.

 

[spalife]

If you have configured to pass everything through the VPN...then even DNS resolutions would be handled by your VPN provider.

below threads discuss the usage of dnscrypt, vpn
https://www.snbforums.com/threads/important-tip-for-vpn-services-on-openvpn.38494/
2.
https://www.snbforums.com/threads/wan-dns-vs-dnscrypt-vs-vpn-client-dns-confusion.28181/
3.
https://www.snbforums.com/threads/vpn-question.31659/
4.
https://www.snbforums.com/threads/h...ia-and-other-vpn-providers-10-15-fixed.30851/

 

[Denna]

@bigeyes0x0,

Have you considered using dnscrypt-proxy.conf to configure dnscrypt-proxy instead of using command-line options ?​

 

[bigeyes0x0]

As I'm having problem with MIPS based router, for now the script switches to use entware-ng dnscrypt-proxy binaries.

@bigeyes0x0,

Have you considered using dnscrypt-proxy.conf to configure dnscrypt-proxy instead of using command-line options ?​

I don't think that's required because there's nothing to config there at least from my setup used here in the script.

 

[eclp]

Hello ... I still have these messages in the syslog and dnscrypt does not work. What can I do? Please help!

.........ac87u: dnscrypt-proxy started for boot services
dnscrypt-proxy: Clock might be off - Pretending that this certificate is valid no matter what
.........ac87u: OpenDNS: Update IP succeeded
.........ac87u: Restart dnscrypt-proxy for normal operations
dnscrypt-proxy: Unable to retrieve server certificates

 

[skeal]

Hello ... I still have these messages in the syslog and dnscrypt does not work. What can I do? Please help!

.........ac87u: dnscrypt-proxy started for boot services
dnscrypt-proxy: Clock might be off - Pretending that this certificate is valid no matter what
.........ac87u: OpenDNS: Update IP succeeded
.........ac87u: Restart dnscrypt-proxy for normal operations
dnscrypt-proxy: Unable to retrieve server certificates

This is worth the shot. Change your resolvers to something different and test. Sometimes resolvers get busy with the requests...if you have picked like cs-usnorth selection 31 in the setup...and it's not working for you try a different one like 36 I believe it is cs-ussouth. As a for instance I'm saying.

 

[steelskinz]

Is there a reason why there isn't the second opendns server ? (208.67.222.222) I can't do failover from
208.67.220.220 to 208.67.222.222.. :/

 

[skeal]

Is there a reason why there isn't the second opendns server ? (208.67.222.222) I can't do failover from
208.67.220.220 to 208.67.222.222.. :/

All I know is the installer script asks your preferences for dns servers whether it 1 or 2 resolvers. It's a pretty painless setup...