DNScrypt dnscrypt installer for asuswrt

I got the AC87U, and I'm using the software number generator. Is it worth the cash to buy the TrueRNG v3?
 
Great, as it would have cost me >80$ to import one from the USA on eBay. :) I would like to show my gratitude for making life easier by giving us this great script. :)
 
I like to test my internet connection. Now, after dnscrypt runs, I get the following results:
Code:
netalyzr.icsi.berkeley.edu --> Failure:

Direct TCP connections to remote DNS servers (port 53) succeed, but do not receive the expected content.
A DNS proxy or firewall generated a new request rather than passing the client's request unmodified.
A DNS proxy or firewall caused the client's direct DNS request to arrive from another IP address. Instead of your IP address, the request came from 176.56.237.171. (dnscrypt.eu-nl)
---
UDP access to remote DNS servers (port 53) appears to pass through a firewall or proxy. The client was unable to transmit a non-DNS traffic on this UDP port, but was able to transmit a legitimate DNS request, suggesting that a proxy, NAT, or firewall intercepted and blocked the deliberately invalid request.
A DNS proxy or firewall caused the client's direct DNS request to arrive from another IP address. Instead of your IP address, the request came from 176.56.237.171. (dnscrypt.eu-nl)
A DNS proxy or firewall generated a new request rather than passing the client's request unmodified.
Code:
netztest.at --> Failure:

TCP Incoming:
It has been attempted to establish an incoming connection on port: 5061.
It has been attempted to establish an incoming connection on port: 8080.
TCP outgoing:
It has been attempted to establish an outgoing connection to the QoS test server on port: 53
UDP Incoming:
It has been attempted to receive packets from the QoS test server on port: 5004 and send them back.
Number of packets requested: 1, received by the client: 0, came back to the server: 0.
Packet loss rate: 100%
It has been attempted to receive packets from the QoS test server on port: 3389 and send them back.
Number of packets requested: 1, received by the client: 0, came back to the server: 0.
Packet loss rate: 100%
UDP Outgoing:
It has been attempted to send packets to the QoS test server on port: 53 and receive them back.
Number of sent packets: 1, received by the server: 0, came back to the client: 0.
Packet loss rate: 100%

Can the wonderful script be improved, perhaps, because of the results? Excuse these Noob questions ... :)
 
@eclp it looks like you're thinking something is wrong, but it's mainly because of your specific setup. You're actually using a VPN or some kind of proxy that causes these issues/side effects; these have nothing to do with this script.
 
Just wondering what the Let's Encrypt certificate is for on the latest installer?
 
Well, it's a function I built into this script to replace the self-signed cert our routers generate with a valid Let's Encrypt certificate, as well as adding a static hostname inside dnsmasq for the public domain so that we can access the webui with the hostname from the internal network with a green https connection.
 
I nearly understand that :D

Seems having DDNS setup to dnsomatic causes an issue?

Code:
Info:  This operation will install Let's Encrypt certificate in place of
 Info:  the self signed certificate to jffs, no other data will be changed.
 Info:  Also some start scripts will be installed/modified as required.

 Info:  You need to use router dns server for this to work.
 =>  Do you want to proceed [y/n]: y
 Info:  Found domain: all.dnsomatic.com
 Info:  Downloading renew
 Info:  Downloading acme.sh
 Info:  No key and certificate found, getting new cert and key
[Mon Jun  5 08:56:10 DST 2017] Run pre hook:'/jffs/cert/renew pre-hook'
 Stopping webui
[Mon Jun  5 08:56:14 DST 2017] Standalone tls mode.
[Mon Jun  5 08:56:18 DST 2017] Registering account
[Mon Jun  5 08:56:21 DST 2017] Registered
[Mon Jun  5 08:56:23 DST 2017] Update success.
[Mon Jun  5 08:56:23 DST 2017] ACCOUNT_THUMBPRINT='***************************'
[Mon Jun  5 08:56:23 DST 2017] Creating domain key
[Mon Jun  5 08:56:26 DST 2017] The domain key is here: /jffs/cert/all.dnsomatic.com/all.dnsomatic.com.key
[Mon Jun  5 08:56:26 DST 2017] Single domain='all.dnsomatic.com'
[Mon Jun  5 08:56:26 DST 2017] Getting domain auth token for each domain
[Mon Jun  5 08:56:26 DST 2017] Getting webroot for domain='all.dnsomatic.com'
[Mon Jun  5 08:56:26 DST 2017] Getting new-authz for domain='all.dnsomatic.com'
[Mon Jun  5 08:56:28 DST 2017] The new-authz request is ok.
[Mon Jun  5 08:56:29 DST 2017] Verifying:all.dnsomatic.com
[Mon Jun  5 08:56:29 DST 2017] Starting tls server.
[Mon Jun  5 08:56:33 DST 2017] Multi domain='DNS:2d348ced05bbcfd8c7ea53f5d2fc76a4.eab4a449fa399a5c1c4ea8a325f9a053.acme.invalid'
[Mon Jun  5 08:56:40 DST 2017] all.dnsomatic.com:Verify error:DNS problem: NXDOMAIN looking up A for all.dnsomatic.com
[Mon Jun  5 08:56:41 DST 2017] Please add '--debug' or '--log' to check more details.
[Mon Jun  5 08:56:41 DST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon Jun  5 08:56:41 DST 2017] Run post hook:'/jffs/cert/renew post-hook'
cp: can't stat '/jffs/cert/all.dnsomatic.com/fullchain.cer': No such file or directory
 Restarting webui
 Info:  Configure dnsmasq.postconf file for dnscrypt
 Info:  Configure init-start file for dnscrypt
 Info:  Setup completed!
 Info:  Please reboot your router for the changes to take effect!
GoNz0@Router:/tmp/home/root#
 
Basically, if you use the router's DNS caching server on your network (using dnscrypt forces you to do this) with dynamic DNS, this option helps:
1. Reduce the boot time as the router does not need to generate the self signed certificate at boot.
2. Let you have an actual https connection to your router webui using Let's Encrypt cert.

I will look into the issue with dnsomatic. Maybe I will need to let user enter their domain after all.
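Added example, not part of the thread or of the installer script: a pre-flight check in POSIX sh for the failure in the log above, where the hostname taken from the DDNS settings did not resolve (NXDOMAIN) and the post hook then tried to copy a `fullchain.cer` that was never issued. The function names, `router.example.net` and the `203.0.113.x` / `198.51.100.x` addresses are constructed for illustration; the caller is assumed to obtain `RESOLVED_IP` from a public resolver rather than the router's own dnsmasq, which answers with the LAN address once the static hostname is in place.

```shell
#!/bin/sh
# Pre-flight checks before requesting a certificate for the router's DDNS name.

# Return 0 if $1 is a private (RFC 1918) or loopback IPv4 address.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# preflight HOST RESOLVED_IP WAN_IP
# RESOLVED_IP is the A record a public resolver returned for HOST
# (empty string = NXDOMAIN). Returns 0 only when issuance can be attempted.
preflight() {
    host=$1 resolved=$2 wan=$3
    if [ -z "$resolved" ]; then
        echo "skip: $host does not resolve publicly (NXDOMAIN)"; return 1
    fi
    if is_private_ipv4 "$resolved"; then
        echo "skip: $host resolves to private address $resolved (local override?)"; return 1
    fi
    if [ "$resolved" != "$wan" ]; then
        echo "skip: $host resolves to $resolved but WAN address is $wan"; return 1
    fi
    echo "ok: $host -> $resolved"; return 0
}

# install_cert SRC DST
# Copy the issued chain only if it exists and is non-empty, so a failed
# issuance never replaces the certificate the webui is already using.
install_cert() {
    [ -s "$1" ] || { echo "keep existing cert: $1 missing or empty"; return 1; }
    cp "$1" "$2"
}

# Constructed demo inputs: the hostname from the log, then a resolvable one.
preflight all.dnsomatic.com "" 203.0.113.7 || true
preflight router.example.net 203.0.113.7 203.0.113.7
```

Running the check before the pre hook stops the webui avoids the stop/restart cycle seen in the log when validation cannot succeed.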
 
Yeah it would be nice if it asked for a domain or maybe had a 1, use ***** domain that it can see or 2 input your own?

Now it has gone and generated a dnsomatic certificate that I can't connect to. Do I need to wipe the JFFS folder and stick everything back on?
 
Basically, the Let's Encrypt feature masks the public IP of your domain with the private IP of your router. This is so you can use the hostname for the https cert with LAN access to the WebUI (I'd rather not enable WAN access to the webui just so I can access my router webui without a security exception with the router domain name through NAT loopback). Maybe that's why you have a NAT loopback problem. I'll check that, and if it's an issue then I might need to remove this feature or add a note, because I rarely use NAT loopback myself.
 
Yea, I don't know why I decided to add it... I don't expose the router externally and it doesn't even use ssl... I do have a domain name via DDNS (and even my own certs) so I guess I was just dinking around...
 
