DNSCrypt-Proxy version 2 and STUBBY add-ons for R7800/R9000

Discussion in 'NETGEAR AC Wireless' started by Voxel, Aug 20, 2018.

  1. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    DNSCrypt-Proxy 2

    About:

    This is the DNSCrypt-proxy version 2 add-on for the Netgear R7800 X4S running Voxel firmware.
    More detailed info re: DNSCrypt:
    https://dnscrypt.info/

    Installation:
    1. Enable telnet:
    http://routerlogin.net/debug.htm

    2. Login to the router using telnet:
    Code:
    telnet routerlogin.net
    
    3. Download the two installation packages:
    Code:
    wget --no-check-certificate https://www.voxel-firmware.com/Downloads/Voxel/R7800-Voxel-firmware/DNSCrypt-Proxy-2/ca-certificates_20180409_all.ipk
    wget --no-check-certificate https://www.voxel-firmware.com/Downloads/Voxel/R7800-Voxel-firmware/DNSCrypt-Proxy-2/dnscrypt-proxy-2_2.0.16-1_ipq806x.ipk
    
    4. Install both of them:
    Code:
    /bin/opkg install ca-certificates_20180409_all.ipk
    /bin/opkg install dnscrypt-proxy-2_2.0.16-1_ipq806x.ipk
    
    5. Enable dnscrypt-proxy-2 init script (to start it automatically after reboot):
    Code:
    /etc/init.d/dnscrypt-proxy-2 enable
    
    6. Reboot your router:
    Code:
    reboot
    
    or start the daemon manually:
    Code:
    /etc/init.d/dnscrypt-proxy-2 start
    
    Log file is /var/log/dnscrypt-proxy-2.log. Check it if something is wrong.

    Configuration (optional):
    You may customize the DNSCrypt-proxy-2 config file (/etc/dnscrypt-proxy-2.toml). It contains very detailed comments on what to do. Probably the most interesting option is to choose concrete public servers from this list:

    https://dnscrypt.info/public-servers

    i.e. line in the file:
    Code:
    # server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
    
    Uninstall:
    Code:
    /etc/init.d/dnscrypt-proxy-2 stop
    /etc/init.d/dnscrypt-proxy-2 disable
    /bin/opkg remove dnscrypt-proxy-2
    
    NOTE: it is recommended to disable dnscrypt-proxy version 1 if it is already in use, i.e. to remove the /etc/dnscrypt.conf file if it exists.

    STUBBY

    About

    Stubby is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.

    Installation:

    R7800
    https://www.voxel-firmware.com/Downloads/Voxel/R7800-Voxel-firmware/Stubby/readme.txt

    R9000
    https://www.voxel-firmware.com/Downloads/Voxel/R9000-Voxel-firmware/Stubby/readme.txt

    Voxel.
     
    Last edited: Sep 14, 2018
    Murtaza12, W1lliam, GaselK and 3 others like this.
  2. xBryan

    xBryan Occasional Visitor

    Joined:
    Jul 26, 2018
    Messages:
    10
    OMG thanks for this, been wanting forever! Hopefully you can update to 2.0.16 soon as .14 had some issues :)

    So got an odd issue I got following your guide.

    It works for a few minutes and stops after that.
    It's using the correct DNS provider and the DNS leak test shows that; however, a few minutes later it stops serving DNS to clients flat out and I have to restart the service to get it working again, which repeats and only lasts a few minutes.

    Thoughts?
     
  3. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    Hard to say. Maybe just a bug in this version 2.0.14. It has been working for me for the second day, no issues. OK, maybe it makes sense to try 2.0.16. But not right now.

    dnscrypt-proxy 2 is written in the "Go" language, while the first version is written in "C". I am not an expert in "Go". And to tell the truth, I like version 1 :). "Go" produces a huge binary and eats resources.

    Voxel.
     
    kamoj likes this.
  4. xBryan

    xBryan Occasional Visitor

    Joined:
    Jul 26, 2018
    Messages:
    10
    So few more findings.

    For starts I decided to factory reset router since I'd been through a few upgrades on your firmware anyway and like to start clean.
    Doing so I learned that doesn't undo stuff like this. For example the config had remained intact, the add-on etc. same for the debug one... Beyond uninstalling them how would one do a true clean factory reset to revert to ONLY what the firmware has? would just be a re-flash?

    On the DNSCrypt part it seems to be related to cloudflare-ipv6 or ipv6 itself.
    I enabled it in the config file, my provider has native ipv6 and it works using only that on the old dnscrypt with opendns (that one doesn't support cloudflare)

    On this one it starts off working and within 30-60 seconds stops. restarting the service repeats this cycle.
    I disabled ipv6 in config and left the normal cloudflare and it seems to be working.

    Do you have a way to test v6 with? Not sure if it's a dnscrypt bug or some integration issue when using v6.

    I also found if I put cloudflare and cisco as the two it seems to bounce between when doing dnsleak test. Which is odd because I thought only the best one was grabbed. This is prob more dnscrypt related though. It even has the require no logging flag on yet let cisco work despite they are flagged as logging lol.

    Anyway I'm more interested in the v6 part though if we can figure that sucker out

    Thanks again for all your efforts!

    FWIW I'd say rip V1 out of your next release fw (if you plan to keep separate) also or replace with v2 since v1 is EOL/no longer maintained and doesn't work with any of the newer providers/methods.
     
    Last edited: Aug 21, 2018
    kamoj likes this.
  5. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    Flashing the same version will not erase your data. So there should be some manual actions, such as formatting the overlay partition: "mtd erase overlay_volume" from a telnet login. And a hard reset.

    ipv6. Well, unfortunately I do not have the possibility to test it. OK, let's check later with latest version (.16?).

    V2 has a significant disadvantage: it requires the "Go" compiler and

    (a) It is an additional headache to put it into the toolchain (compilation tools).
    (b) The resulting binary is very huge (file size): 6.7MB vs 140KB (v2 vs v1). It is too big to include in the FW when most people just do not use dnscrypt at all. I would have to drop some other package to include it in the FW. So I plan to keep it as an add-on. (Until v3 is released :)).

    BTW as you can see OpenWRT/LEDE are using v1 still.

    Voxel.
     
    kamoj likes this.
  6. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    rbird2 and kamoj like this.
  7. xBryan

    xBryan Occasional Visitor

    Joined:
    Jul 26, 2018
    Messages:
    10
    Thanks for the newer ver.
    Seems to not fix it sadly :(

    It is definitely an IPv6 issue, I tried all the providers and they fail, yet all v4 work.
    The only thing in the log is it fails to communicate with them/time out.

    So I did some more testing.

    While telnet on router I can NOT ping ipv6 address, however clients can access IPv6 addresses.
    I can ping IPv4 on router though. So something is blocking v6 on the router itself I suspect is the issue?
     
  8. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    Probably you are right.

    Voxel.
     
  9. gobble

    gobble Occasional Visitor

    Joined:
    Oct 5, 2012
    Messages:
    28
    Apologies in advance for my novice questions... Completely understand the concept of DNScrypt and vaguely when I looked at enabling this cloudflare (1.1.1.1, 1.0.0.1) didn't support it.

    Does this version support it?
    Is it easy to enable if it does?
    Lastly any downsides (latency overhead e.g.)
     
  10. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    No problem gobble. We all were novices starting with this. And IMO I am still a novice with v.2 ;-)

    cloudflare:
    It is easy. You should just edit a bit /etc/dnscrypt-proxy-2.toml file. Find the string:

    Code:
    # server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
    
    and add your cloudflare here, i.e. change to:

    Code:
    server_names = ['cloudflare']
    
    NOTE: "#" symbol is removed.

    After this just reboot your router.

    Voxel.
     
    kamoj and gobble like this.
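Added example, not part of the thread and not Voxel's or the dnscrypt-proxy project's code: the `server_names` edit described in the post above, written as a POSIX shell function that keeps a backup and leaves every other line of the file untouched. The function names are hypothetical, and the demo runs on a constructed config fragment rather than on /etc/dnscrypt-proxy-2.toml.

```shell
#!/bin/sh
# Added example (not from the thread): select resolvers in a dnscrypt-proxy 2 config.
# On the router the file is /etc/dnscrypt-proxy-2.toml; the demo below uses a temp file.

# set_server_names FILE NAME...   (hypothetical helper name)
# Rewrites the server_names line to list exactly the given resolvers, keeping FILE.bak.
# An already active line is replaced; otherwise the commented template is uncommented.
set_server_names() {
    conf=$1; shift
    [ -f "$conf" ] && [ $# -gt 0 ] || return 2
    list=
    for name in "$@"; do
        # Resolver names are plain tokens; refuse anything that could break the quoting.
        case $name in ''|*[!A-Za-z0-9._-]*) return 3 ;; esac
        list="${list:+$list, }'$name'"
    done
    if grep -Eq '^[[:space:]]*server_names[[:space:]]*=' "$conf"; then
        pat='^[ \t]*server_names[ \t]*='
    elif grep -Eq '^[[:space:]]*#[[:space:]]*server_names[[:space:]]*=' "$conf"; then
        pat='^[ \t]*#[ \t]*server_names[ \t]*='
    else
        return 1    # no server_names line at all: leave the file alone
    fi
    cp -p "$conf" "$conf.bak" || return 4
    # Replace only the first matching line; every other line is copied unchanged.
    awk -v pat="$pat" -v repl="server_names = [$list]" '
        !hit && $0 ~ pat { print repl; hit = 1; next }
        { print }
    ' "$conf.bak" > "$conf"
}

# Print the active (uncommented) server_names line(s); there should be exactly one.
active_server_names() {
    grep -E '^[[:space:]]*server_names[[:space:]]*=' "$1"
}

# Demo on a constructed config fragment.
demo=$(mktemp)
printf '%s\n' "# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']" \
    "ipv6_servers = false" > "$demo"
set_server_names "$demo" cloudflare && active_server_names "$demo"
rm -f "$demo" "$demo.bak"
```

Replacing an active line instead of uncommenting the template a second time avoids ending up with two `server_names` keys in the same TOML file.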
  11. gobble

    gobble Occasional Visitor

    Joined:
    Oct 5, 2012
    Messages:
    28
    Do I need to be on version 2 to enable it for cloudflare?
     
  12. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    Yes.

    Voxel.
     
    gobble likes this.
  13. owencool1

    owencool1 New Around Here

    Joined:
    Aug 23, 2018
    Messages:
    5
    What’s the difference between the dnscrypt that u post and dnscrypt 2.0.14-1 in ur entware repository?
     
    kamoj likes this.
  14. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    This version is prepared especially as an add-on for my firmware and it does not require Entware installation (standalone). E.g. it could be installed even w/o a USB disk. The Entware version needs some re-configuration in conjunction with, say, dnsmasq. And the Entware version works only if minimal Entware is installed.

    Voxel.
     
    owencool1 and kamoj like this.
  15. Arnout Verbeken

    Arnout Verbeken New Around Here

    Joined:
    Aug 31, 2018
    Messages:
    7
    Hello,

    I saw that this package is also in the R9000 folder on your firmware page. Can we use DNScrypt2 also on r9000 using the same procedure as above, but with the package in the R9000 folder?

    It seems to miss the certificates though....
     
  16. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    You can use it, sure. Certificates are already included in the firmware. Similar installation.

    Voxel.
     
  17. HowIFix

    HowIFix Guest

    Joined:
    Jul 17, 2018
    Messages:
    261
    Last edited: Sep 8, 2018
  18. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    Why do you ask him (XVortex) in my thread?

    Voxel.
     
  19. HowIFix

    HowIFix Guest

    Joined:
    Jul 17, 2018
    Messages:
    261
    sorry is that both have the same name.

    I was asking you @Voxel
     
  20. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,234
    Voxel meaning of the term:

    https://en.wikipedia.org/wiki/Voxel

    (X)Vortex meaning of the term:

    https://en.wikipedia.org/wiki/Mister_X_(Vortex)

    or

    https://en.wikipedia.org/wiki/Vortex

    I do not see any similarity. These three identical characters V, O and X? I have used my nick since 1992 as a remembrance of my first login to a Unix SGI workstation using this name. And as a remembrance of my sensei and friend who has passed away. Well, no details.

    You know, I do make the custom firmware builds for NETGEAR routers. Using GPL source codes published by NETGEAR according to GPL license requirement. It is absolutely legal stuff to use these codes for own version of firmware with own changes if the last (changes of source codes) are published. My changes are there:

    https://github.com/SVoxel

    It is another thing if somebody uses the job done by a third party and modifies their pre-built binaries (hacking) instead of making changes in the code, violating many proprietary licenses and laws. So for me such a mess in naming sounds offensive.

    Now, your question. I have no doubts in DNSCrypt 2 advantages. It is good, I do use it myself. Preferring vs other alternatives and as a test. I have doubts only in the way of concrete implementation used by author (respect to him of course). For me C/C++ is preferable way. But not Go for embedded devices.

    Voxel.
     
    Last edited: Sep 8, 2018
    W1lliam, kamoj and HowIFix like this.