Dnscrypt from opendns

[hardtotell]

What?

Sorry, let me clarify this. Your script works 100%. However, if /opt cannot be mounted or disconnects for any reason, then it breaks DNS resolution for the entire network. I was responding to the other poster about copying dnscrypt-proxy to the /jffs partition for better reliability.

 

[ryzhov_al]

However, if /opt cannot be mounted or disconnects for any reason, then it breaks DNS resolution for the entire network.

I've re-compiled dnscrypt-proxy to avoid using /opt folder, did I missed something?

 

[lancethepants]

If for some reason the USB attached storage becomes disconnected or doesn't mount, it will result in broken internet access if dnscrypt does not start.

Storing the dnscrypt binary in jffs ensures that it will always start despite conditions of mass storage media issues.

 

[hardtotell]

I've re-compiled dnscrypt-proxy to avoid using /opt folder, did I missed something?

Very nice. How did you compile this? The only dependency is /lib/ld-uClibc.so.0?

My changes:
mv /jffs/scripts/wan-start /jffs/scripts/nat-start # for Repeater mode operation
chown -R `nvram get http_username`:root /jffs/*

 

[GoNz0]

I've re-compiled dnscrypt-proxy to avoid using /opt folder, did I missed something?

I used to use this but couldn't see how to add a 2nd resolver so I followed the instructions on the 1st page for my 68u

I would rather go back to this as I prefer not to have a usb stick plugged in, could you tell me how please?

 

[ryzhov_al]

Very nice. How did you compile this? The only dependency is /lib/ld-uClibc.so.0?

Yep. There is no any dependencies, except firmware itself.

# wget -O - http://files.ryzhov-al.ru/Routers/asuswrt-merlin/dnscrypt-proxy/dnscrypt-proxy-asuswrt-merlin-mipsel.tgz | tar -C /opt/tmp -xz
# ldd /opt/tmp/jffs/bin/dnscrypt-proxy
  libdl.so.0 => /lib/libdl.so.0 (0x2aabf000)
  libm.so.0 => /lib/libm.so.0 (0x2aad2000)
  libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2aae9000)
  libc.so.0 => /lib/libc.so.0 (0x2ab08000)
  ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x2aaa8000)

I used to use this but couldn't see how to add a 2nd resolver so I followed the instructions on the 1st page for my 68u

I would rather go back to this as I prefer not to have a usb stick plugged in, could you tell me how please?

I can't describe every possible configs, sorry. There is HOW-TO use two resolvers in the second post and /opt-independent files here. You can combine it, if you wish.

 

[hardtotell]

Yep. There is no any dependencies, except firmware itself.

# wget -O - http://files.ryzhov-al.ru/Routers/asuswrt-merlin/dnscrypt-proxy/dnscrypt-proxy-asuswrt-merlin-mipsel.tgz | tar -C /opt/tmp -xz
# ldd /opt/tmp/jffs/bin/dnscrypt-proxy
  libdl.so.0 => /lib/libdl.so.0 (0x2aabf000)
  libm.so.0 => /lib/libm.so.0 (0x2aad2000)
  libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2aae9000)
  libc.so.0 => /lib/libc.so.0 (0x2ab08000)
  ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x2aaa8000)

Can you please show the Makefile to build it? Did you use the ARM toolchain here?

 

[ryzhov_al]

Can you please show the Makefile to build it?

There is no any special Makefile.

Did you use the ARM toolchain here?

I just deployed firmware toolchains (both MIPS anr ARM) and passed CC=/opt/brcm/... variable to ./configure scripts twice: for building libsodium and dnscrypt-proxy itself.

 

[hardtotell]

There is no any special Makefile.
I just deployed firmware toolchains (both MIPS anr ARM) and passed CC=/opt/brcm/... variable to ./configure scripts twice: for building libsodium and dnscrypt-proxy itself.

Success. I compiled Dnscrypt 1.4.3 for ARM, dependent only on the firmware, just like yours. Are these file sizes too big? Can you please say how did you remove the bloat? Do my './configure' lines have too many unnecessary switches? I used the ARM toolchain of the Asuswrt-Merlin firmware.

File Sizes

-rwxrwxrwx    1 admin    root        376740 May 22 09:42 dnscrypt-proxy
-rwxrwxrwx    1 admin    root        133258 May 22 09:42 hostip

Build Libsodium

./configure '--host=arm-brcm-linux-uclibcgnueabi' '--build=' '--disable-ssp' '--disable-asm' '--enable-minimal=yes' AR="arm-brcm-linux-uclibcgnueabi-ar" CC="arm-brcm-linux-uclibcgnueabi-gcc" GCC="arm-brcm-linux-uclibcgnueabi-gcc" AS="arm-brcm-linux-uclibcgnueabi-gcc -c -O2 -pipe -march=armv7-a -mtune=cortex-a9 -fno-caller-saves -mfloat-abi=soft -std=gnu99"  LD=arm-brcm-linux-uclibcgnueabi-ld NM="arm-brcm-linux-uclibcgnueabi-nm" CXX="arm-brcm-linux-uclibcgnueabi-g++" RANLIB="arm-brcm-linux-uclibcgnueabi-ranlib" STRIP=arm-brcm-linux-uclibcgnueabi-strip OBJCOPY=arm-brcm-linux-uclibcgnueabi-objcopy OBJDUMP=arm-brcm-linux-uclibcgnueabi-objdump SIZE=arm-brcm-linux-uclibcgnueabi-size CFLAGS="-O2 -pipe -march=armv7-a -mtune=cortex-a9 -fno-caller-saves -mfloat-abi=soft -std=gnu99 " CXXFLAGS="-O2 -pipe -march=armv7-a -mtune=cortex-a9 -fno-caller-saves -mfloat-abi=soft -std=gnu99 "

make

Build Dnscrypt

./configure '--host=arm-brcm-linux-uclibcgnueabi' '--build=' '--disable-ssp' '--disable-asm' '--enable-minimal=yes' '--enable-static-libsodium' '--with-libsodium-dir=$HOME/libsodium-1.0.2/src/libsodium' --with-libsodium=$HOME/libsodium-1.0.2 --with-libsodium-include-dir=$HOME/libsodium-1.0.2/src/libsodium/include --with-libsodium-lib-dir=$HOME/libsodium-1.0.2/src/libsodium/.libs AR="arm-brcm-linux-uclibcgnueabi-ar" CC="arm-brcm-linux-uclibcgnueabi-gcc" GCC="arm-brcm-linux-uclibcgnueabi-gcc" AS="arm-brcm-linux-uclibcgnueabi-gcc -c -O2 -pipe -march=armv7-a -mtune=cortex-a9 -fno-caller-saves -mfloat-abi=soft -std=gnu99"  LD=arm-brcm-linux-uclibcgnueabi-ld NM="arm-brcm-linux-uclibcgnueabi-nm" CXX="arm-brcm-linux-uclibcgnueabi-g++" RANLIB="arm-brcm-linux-uclibcgnueabi-ranlib" STRIP=arm-brcm-linux-uclibcgnueabi-strip OBJCOPY=arm-brcm-linux-uclibcgnueabi-objcopy OBJDUMP=arm-brcm-linux-uclibcgnueabi-objdump SIZE=arm-brcm-linux-uclibcgnueabi-size CFLAGS="-static -O2 -pipe -march=armv7-a -mtune=cortex-a9 -fno-caller-saves -mfloat-abi=soft -std=gnu99 -I$HOME/libsodium-1.0.2/src/libsodium/include" CXXFLAGS="-O2 -pipe -march=armv7-a -mtune=cortex-a9 -fno-caller-saves -mfloat-abi=soft -std=gnu99 " LDFLAGS="-L$HOME/libsodium-1.0.2/src/libsodium/.libs"

make

 

[ryzhov_al]

Can you please say how did you remove the bloat?

The easiest way is to strip debugging symbols from produced binaries by:

arm-brcm-linux-uclibcgnueabi-strip <binary>

Also, you can tell compiler to link only those code sections (from libraries), which is really needed. Add following compiler\linker flags:

CFLAGS=-ffunction-sections -fdata-sections
LDFLAGS=-Wl,--gc-sections

 

[hardtotell]

The easiest way is to strip debugging symbols from produced binaries by:

arm-brcm-linux-uclibcgnueabi-strip <binary>

Also, you can tell compiler to link only those code sections (from libraries), which is really needed. Add following compiler\linker flags:

CFLAGS=-ffunction-sections -fdata-sections
LDFLAGS=-Wl,--gc-sections

It works good. Thank you.

File Sizes

-rwxrwxrwx    1 admin    root        262144 May 22 20:17 dnscrypt-proxy
-rwxrwxrwx    1 admin    root         79228 May 22 20:17 hostip

 

[ledge]

I have tried updating my running dnscrypt with your script but i get no internet on rt-a87u.
I have notice that your script does not contain dnscrypt-cert provider-key, can you expand on that?

When the wan-start script runs dnscrypt-proxy, the config file /jffs/configs/dnscrypt-resolvers.csv is passed to dnscrypt-proxy. There is no need to pass dnscrypt keys as they are referenced in the config file. Only the dnscrypt provider's name needs to be passed along with the config file.
The dnscrypt config file needs to be copied to that location. The config file can be found in the official dnscrypt archive.

 

[InsaneInsured]

What to do when DNScrypt suddenly stops working:

For those people who's DNScrypt stops working.
Please note that the predefined servers sometimes go down, or the certificates expire and get replaced with new servers.
In your router logs it will say that the certificate is not valid or something similar.

In order to fix this go to this file and empty it completely:

/opt/share/dnscrypt-proxy/dnscrypt-resolvers.csv

Then go here:

https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv

Copy everything and paste into the now empty:

/opt/share/dnscrypt-proxy/dnscrypt-resolvers.csv

Save.

Now open this file:

/opt/etc/init.d/S09dnscrypt-proxy

You will see something like this:

ARGS="--local-address=127.0.0.1:65054 --daemonize -R dnscrypt.eu-dk"

Remove dnscrypt.eu-dk (or whatever server name is there)

Replace with one of the new servers found in the first column here:

https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

For example:

ARGS="--local-address=127.0.0.1:65054 --daemonize -R opennic-fvz-rec-us-ca-02"

Save.

Reboot router and check log to see if all went well.
If something goes wrong, try a different server.

 

[spalife]

After a bit of a struggle and going through the entire thread, dnscrypt is up and running now.

Issues encountered:
1. ntp time resolving issue before dnscrypt started
2. ddns before dnscrypt started
3. dnscrypt not starting at all

The forum and this thread have been really helpful, especially thanks to ryzhov_al and other members of this thread with their issues / resolutions & workarounds.

My Working Running Scripts below
(hopefully will help someone else trying to enable dnscrypt on their router, mine is N66U)

Total Scripts needed to be updated/added/needed for entware and dnscrypt
1. /jffs/scripts/wan-start
2. /jffs/scripts/services-start
3. /jffs/scripts/services-stop
4. /jffs/scripts/post-mount
5. /opt/etc/init.d/rc.unslung

 

[spalife]

#Added $ACTION = start to

rc.unslung not a scripter but thought it maybe needed

 

[spalife]

One issue still persistent is

/jffs/configs/hosts.add file never gets created or updated after wan-start runs

 

[spalife]

Forgot to mention /etc/hosts file initially being populated with ntp servers list,
reverts / looses their values sometime during the uptime of the router.

That might be the reason for /jffs/configs/hosts.add file not being populated with values.

Though this does not seem to affect the dnscrypt once it is up and running.

I guess one of the stop / restart of the services in the custom scripts, recreates the /etc/hosts file again

 

[spalife]

Moved from ASUS 6117 beta firmware to Merlin's 378.54_2 firmware
for dnscrypt, entware installation.

Next activity will be to try out Adblock with privoxy

 

[GoNz0]

Nothing seems to work with merlins latest beta 378.55_beta1 on my ac-68u

I have tried the install from the front page using a couple of DNS server then the recompiled single command install but still the same after several resets.

 

[XIII]

Where can I find the 1.5.0 standalone dnscrypt binaries for MIPS?

I think that my RT-AC66U needs those and it looks like Lance only updated the ARM binaries:

http://files.lancethepants.com/Binaries/dnscrypt-proxy/