Dnscrypt from opendns

[shooter40sw]

Hi guys i would like to install dnscrypt i use 354.29 Merlin on N66u great Job! ... I know tomato with a checkmark can be done as i saw in Google... Is there a way to do it without much hassle? A guide? Thanks for the help

 

[ryzhov_al]

How to use dnscrypt.

Instructions from this post was moved to this how-to.

 

[TeHashX]

After rebooting router I don't have access to internet, in router's ui pppoe connection is on

 

[ryzhov_al]

Is dnscrypt-proxy started?

 

[TeHashX]

Wasn't started, I do it manually but won't stay started and no internet connection to pc.

 

[ryzhov_al]

Oh, my! Looks like I misunderstood Frank Denis in Issue#3. Please, update dnscrypt-proxy:

/opt/etc/init.d/S09dnscrypt-proxy stop
opkg update
opkg upgrade

And start it again:

/opt/etc/init.d/S09dnscrypt-proxy start

 

[TeHashX]

Same thing, did you tried on your router and works?

 

[ryzhov_al]

Same thing, did you tried on your router and works?

Yes! You should see those strings when dnscrypt-proxy started:

cat /tmp/syslog.log
…
Jun 26 16:52:16 admin: Started dnscrypt-proxy from .
Jun 26 18:47:14 dnscrypt-proxy[20159]: Initializing libsodium for optimal performance
Jun 26 18:47:14 dnscrypt-proxy[20159]: Generating a new key pair
Jun 26 18:47:14 dnscrypt-proxy[20159]: Done
Jun 26 18:47:14 admin: Started dnscrypt-proxy from .
Jun 26 18:47:14 dnscrypt-proxy[20159]: Server certificate #1369080797 received
Jun 26 18:47:14 dnscrypt-proxy[20159]: This certificate looks valid
Jun 26 18:47:14 dnscrypt-proxy[20159]: Server key fingerprint is 915C:9A0C:5F0F:5EB4:784E:E450:FE8B:C115:B1DE:5538:7718:25D5:C305:CCB7:9532:0309
Jun 26 18:47:14 dnscrypt-proxy[20159]: Proxying from 127.0.0.1:65053 to 208.67.220.220:443

and those one when dnsmasq is started:

cat /tmp/syslog.log
…
Jun 26 18:48:27 dnsmasq[20280]: started, version 2.65 cachesize 1500
Jun 26 18:48:27 dnsmasq[20280]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack
Jun 26 18:48:27 dnsmasq[20280]: warning: ignoring resolv-file flag because no-resolv is set
Jun 26 18:48:27 dnsmasq[20280]: asynchronous logging enabled, queue limit is 5 messages

Just for sure, here is my dnsmasq custom config:

# cat /jffs/configs/dnsmasq.conf.add
…
### Dnscrypt
no-resolv
server=127.0.0.1#65053

I think I'm bit lucky here because there was other guys, caught by following deadlock:

• dnscrypt-proxy can't accept received certificate because of wrong system date/time,
• ntp client can't receive right time because DNS resolver (dnscrypt-proxy) is not working.

To avoid this deadlock, add following content to /jffs/scripts/post-mount

#!/bin/sh

for ip in $(/opt/sbin/dnscrypt-proxy-hostip $(nvram get ntp_server0))
do
echo $ip $(nvram get ntp_server0) >>  /etc/hosts
done

and make it executable:

chmod +x /jffs/scripts/post-mount

 

[TeHashX]

http://pastebin.com/JSXZzZqv

 

[ryzhov_al]

Yes, this is it. This is exactly those deadlock I've told

 

[ryzhov_al]

Please, provide output of:

cat /etc/hosts

 

[TeHashX]

NVM, was just for testing...

admin@RT-AC66U:/tmp/home/root# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.1.1 router.asus.com
192.168.1.1 www.asusnetwork.net
192.168.1.1 www.asusrouter.com
192.168.1.1 RT-AC66U. RT-AC66U
::1 localhost6.localdomain6 localhost6

 

[ryzhov_al]

Hm-m-m, strange. After running:

for ip in $(/opt/sbin/dnscrypt-proxy-hostip $(nvram get ntp_server0))
do
echo $ip $(nvram get ntp_server0) >>  /etc/hosts
done

there must be following strings:

83.169.43.165 pool.ntp.org
178.63.14.131 pool.ntp.org
131.234.137.23 pool.ntp.org
129.70.132.37 pool.ntp.org

 

[TeHashX]

Yes, something wrong with the script

admin@RT-AC66U:/tmp/home/root# sh /jffs/scripts/post-mount
[: /tmp/mnt/sda1: unknown operand
/jffs/scripts/post-mount: line 11: /opt/sbin/dnscrypt-proxy-hostip: not found
admin@RT-AC66U:/tmp/home/root#

 

[TeHashX]

In /opt/sbin/ is only dnscrypt-proxy so I changed the script from

for ip in $(/opt/sbin/dnscrypt-proxy-hostip $(nvram get ntp_server0))

to

for ip in $(/opt/sbin/dnscrypt-proxy $(nvram get ntp_server0))

and after reboot

admin@RT-AC66U:/tmp/home/root# sh /jffs/scripts/post-mount
[: /tmp/mnt/sda1: unknown operand
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[ERROR] Unable to bind (UDP) [Address already in use]
admin@RT-AC66U:/tmp/home/root#

I'm done for today, my hdd will blow up

admin@RT-AC66U:/tmp/home/root# tune2fs -l /dev/sda1 | grep 'Mount count'
Mount count: 61

Thanks

 

[ryzhov_al]

Yes, something wrong with the script

My bad again. You have to install another part of dnscrypt-proxy — a standalone DNS resolver:

opkg install dnscrypt-proxy-hostip

 

[TeHashX]

Still not working, should I put the script in wan-start maybe?

With wan-start script it's working but it takes 4-5 minutes to start
http://pastebin.com/zJV0jriG

 

[ryzhov_al]

With wan-start script it's working but it takes 4-5 minutes to start
http://pastebin.com/zJV0jriG

Fine! Take a look at your log: dnscrypt started successful just when right system time was received. The last thing we may tweak is to restart ntp client immediately to eliminate this 4-5 min. delay.

Still not working, should I put the script in wan-start maybe?

We may, but careful. There may be a race condition: we can't say what will happen earlier: WAN start or USB mount.

Give me a few minutes to write final solution.

 

[ryzhov_al]

Ok, starting over.

1. Install Entware,
2. Install dnscrypt:

   opkg install dnscrypt-proxy dnscrypt-proxy-hostip

3. Tell router to use it:
   

   echo "no-resolv" > /jffs/configs/dnsmasq.conf.add
   echo "server=127.0.0.1#65053" >> /jffs/configs/dnsmasq.conf.add

4. Put this content to /jffs/scripts/wan-start:
   

   #!/bin/sh
   
   # Wait up to 15 seconds to make sure /opt partition is mounted
   i=0
   while [ $i -le 15 ]
   do
       if [ -d /opt/tmp ]
       then
           break
       fi
       sleep 1
       i=`expr $i + 1`
   done
   
   # Now resolve DNS name for NTP server
   ntp_name=$(nvram get ntp_server0)
   grep "$ntp_name" /etc/hosts > /dev/null 2>&1 || \
   for ip in $(/opt/sbin/dnscrypt-proxy-hostip $ntp_name)
   do
       echo $ip $ntp_name >>  /etc/hosts
   done
   
   # and restart NTP client to eliminate 4-5 mins delay
   killall ntp && sleep 1
   service restart_ntpc

   and make it executable:
   

   chmod +x /jffs/scripts/wan-start

5. Reboot router and make sure it works.

Here is boot log, look OK: dnscrypt-proxy started after 25 seconds of booting. Waiting for confirmation before changing first post.

 

[TeHashX]

Working...

Go ahead, started after 59 seconds of booting
Thanks