DNScrypt dnscrypt installer for asuswrt

Most likely a timing issue with the DNSCRYPT and the scripts: As DNSCRYPT starts quite late (with Entware) the earlier starting scripts do not find a DNS... :rolleyes:

This is correct. Dnscrypt also prevented privacy-filter from doing its communication with the Internet. Also, updating settings on something else and applying would mess things up and require a reboot to get things back to normal.

Edit: I also tried your uninstall procedure and it doesn't uninstall all versions and there are jffs script calls that need to be cleaned up as well. Just a heads up!

Edit: To be fair, I completely removed all traces of dnscrypt, rebooted, and I will install the latest version... to be continued... lol.
 
Okay, like ntp?

Yes, it screws up the timing of the call of this service as well.

I was wrong! After rooting out the old version of dnscrypt and replacing it with the new install script, things are working just fine. This is good; I like the concept of dnscrypt. I'm glad this finally works for me. Sorry for the bad PR.
 
Hey @redhat27, I can't figure out why I have two prerouting entries in my forwarding log. Both identical to each other. Both allowing traffic on port 53 tcp and udp. But why a total of four lines? Are the prerouting instructions being read twice? Just wondering; it is not affecting operations that I can see.
 
I have two entries myself on nat PREROUTING, but they are not identical at all:
*nat
-A PREROUTING -d <router-ext-ip> -j VSERVER (added by UI port-forwarding)
-A PREROUTING -i br0 -p udp -m multiport --dports 53,123 -j DNAT --to-destination <router-int-ip> (manually added by me as I wanted to trap udp/53 for clients not using the router's DNS; I also have udp/123 redirected to the router as I have a local ntpd on the router as well)

I have two prerouting entries in my forwarding log
I'm afraid I did not fully understand: Maybe you can post relevant sections of your iptables-save output?
Also, you can check your /jffs/scripts/firewall-start to see if something's awry.
 
@joegreat That approach is what @steelskinz suggested. I myself use that. The link you provided creates the /jffs/configs/hosts.add on each router boot. In order to do that, the router must wait for entware to be available (to use hostip). If you just have /jffs/configs/hosts.add prefilled with your ntp-server ip, you can even get ntp to work before pre-mount
 
I have an RT-AC68U running 380.65_4. Under System Log > Port Forwarding you can see the prerouting results from your last boot. In my case I have 4 entries: 2 for tcp port 53 and 2 for udp port 53. The chain is prerouting and the destination is "all" in all occurrences. One entry for udp and one for tcp would be sufficient, but for some reason I have 2. I'm wondering if the prerouting instruction is being run twice, or is it because I run 2 dnscrypt servers?

Edit: If you need a screen shot still let me know.
 
I see what you mean now. If you have not set up any rule yourself under WAN->Virtual Server/Port Forwarding, then most likely the install script mentioned in the OP is inserting the 2 iptables rules each time for each of your dnscrypt servers.

Note: I use dnscrypt, but have not used the installer myself.
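
The duplicate-rule question above can be checked directly against `iptables-save` output. This is an added example, not part of the thread or the installer; the sample dump, its addresses and the port-53 rules are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: find rules that occur more than once
# in one chain of an `iptables-save` dump read on stdin.

# Constructed sample dump; addresses and the port-53 rules are made up.
sample_dump() {
cat <<'EOF'
*mangle
-A PREROUTING -i br0 -j MARK --set-mark 0x1
COMMIT
*nat
-A PREROUTING -d 192.0.2.10/32 -j VSERVER
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
COMMIT
EOF
}

# dup_rules TABLE CHAIN: print "<count> <rule>" for each repeated rule.
dup_rules() {
    awk -v table="$1" -v chain="$2" '
        /^\*/ { cur = substr($0, 2); next }       # table header, e.g. "*nat"
        cur == table && $1 == "-A" && $2 == chain {
            if (!($0 in count)) order[++n] = $0   # keep first-seen order
            count[$0]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print count[order[i]], order[i]
        }'
}

# dedup_cmds TABLE CHAIN: print (never run) one "iptables -D" per surplus
# copy, so the commands can be reviewed before anything is changed.
dedup_cmds() {
    dup_rules "$1" "$2" | while read -r n flag rest; do
        while [ "$n" -gt 1 ]; do
            echo "iptables -t $1 -D $rest"
            n=$((n - 1))
        done
    done
}
```

On the router, live data comes from `iptables-save | dup_rules nat PREROUTING`. Deleting surplus copies only lasts until whatever script adds the rules runs again.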
 
I'm also getting this in my logs every 24 hours:
Apr 12 09:02:53 dnscrypt-proxy[2144]: Unable to retrieve server certificates
Apr 12 09:03:09 dnscrypt-proxy[2144]: Unable to retrieve server certificates
Apr 12 09:03:27 dnscrypt-proxy[2144]: Unable to retrieve server certificates
Can you guys tell me what is wrong here please?

Edit: When I run pidof dnscrypt-proxy it gives me two numbers.....2144 and 2137. It would appear that 2144 has the problem and 2137 is ok.
 
Can you post the resolver and ip of your resolvers?
Hint: Use the script on this post.

Can you ping the resolvers?
my resolvers are:
cs usnorth 173.234.56.115
cs uswest4 23.105.70.204

Got the info by reading the .csv file in my install.
I have a hunch it's a problem with the cs uswest4 resolver, so I changed to cs ussouth and will test.
 
You can also run some preliminary tests on the resolver you are using, on its SSL port, to see if your router can access it.
 
Ping results from the router are good on port 443 which is listed as the port in the .csv for cs us west4. So not a contact issue. Maybe a certificate issuance problem from that server?
 
I don't think so. I just changed my /opt/etc/init.d/S09dnscrypt-proxy to use that resolver (-R cs-uswest4) and restarted dnscrypt-proxy. It seems to work fine. This is in the syslog after restart:
Code:
Apr 12 11:35:43 dnscrypt-proxy[915]: Stopping proxy
Apr 12 11:35:43 admin: Started dnscrypt-proxy from .
Apr 12 11:35:43 dnscrypt-proxy[10592]: Starting dnscrypt-proxy 1.9.1
Apr 12 11:35:43 dnscrypt-proxy[10592]: Proxying from 127.0.0.1:65053 to 23.105.70.204:443
Check your /etc/dnsmasq.conf to see if you have both servers mentioned:
For example:
server=127.0.0.1#65053
server=127.0.0.1#65054
for both your local addresses in your S09dnscrypt-proxy* files ARGS= line
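
With two dnscrypt-proxy instances running, the syslog lines quoted in this thread can be tied to a specific instance by PID. This is an added example, not part of the thread; the sample log is constructed in the format shown above, its resolver IPs are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: attribute certificate failures in
# syslog to a dnscrypt-proxy instance by PID.

# Constructed sample log in the format quoted above; resolver IPs are made up.
sample_log() {
cat <<'EOF'
Apr 12 09:00:01 dnscrypt-proxy[2137]: Starting dnscrypt-proxy 1.9.1
Apr 12 09:00:01 dnscrypt-proxy[2137]: Proxying from 127.0.0.1:65053 to 192.0.2.10:443
Apr 12 09:00:02 dnscrypt-proxy[2144]: Starting dnscrypt-proxy 1.9.1
Apr 12 09:00:02 dnscrypt-proxy[2144]: Proxying from 127.0.0.1:65054 to 192.0.2.20:443
Apr 12 09:02:53 dnscrypt-proxy[2144]: Unable to retrieve server certificates
Apr 12 09:03:09 dnscrypt-proxy[2144]: Unable to retrieve server certificates
Apr 12 09:03:27 dnscrypt-proxy[2144]: Unable to retrieve server certificates
EOF
}

# cert_failures: read syslog on stdin and print, per failing instance,
# "<pid> <local-address> <upstream> <failure-count>".
cert_failures() {
    awk '
        match($0, /dnscrypt-proxy\[[0-9]+\]/) {
            # strip the 15-char "dnscrypt-proxy[" prefix and the closing "]"
            pid = substr($0, RSTART + 15, RLENGTH - 16)
            if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
            if ($0 ~ /Proxying from /) {          # remember listener and resolver
                for (i = 1; i < NF; i++) {
                    if ($i == "from") loc[pid] = $(i + 1)
                    if ($i == "to")   up[pid]  = $(i + 1)
                }
            }
            if ($0 ~ /Unable to retrieve server certificates/) fail[pid]++
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!(p in fail)) continue
                l = (p in loc) ? loc[p] : "unknown"
                u = (p in up)  ? up[p]  : "unknown"
                print p, l, u, fail[p]
            }
        }'
}
```

The local address in the output is the one a `server=127.0.0.1#<port>` line in /etc/dnsmasq.conf points at, so it shows which of the two dnsmasq upstreams is the failing one.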
 
Sorry for sounding dumb, but where is this file (S09dnscrypt-proxy* files ARGS= line)? I can't find it.
 
It should be in your /opt/etc/init.d/S09dnscrypt-proxy* files.

Problem... I have that directory and there are files in it, but no file named S09dnscrypt-proxy.

Edit: Can I create it or?
 