[Release] dnscrypt installer for asuswrt

bigeyes0x0

Senior Member
So to solve all the problems with installing dnscrypt with entware (or similar) then setting up various scripts to handle dnscrypt-proxy starting up including the ntp issue, I made my own installer for dnscrypt-proxy.

Requirements:
- ARM or MIPSEL based ASUS routers
- asuswrt-merlin firmwares or compatible
- jffs support and script enabled

Incompatibilities:
- No known issue

Current features:
- dnscrypt-proxy version 2 with DoH and DNSCrypt version 2 protocols, multiple resolvers, and other features
- Running as nobody through nonroot binary (using --user requires change to passwd)
- Support ARM and MIPSEL based routers
- Support OpenDNS dynamic IP update by entering your OpenDNS account information
- Handling ntp update at router boot up by starting dnscrypt-proxy with cert_ignore_timestamp option
- Redirect all DNS queries on your network to dnscrypt if user chooses to
- Install haveged/rngd for better speed with dnscrypt and other cryptographic applications
- Support various HW RNG such as TrueRNG (tested with v3), TrueRNGpro, OneRNG, EntropyKey
- Ability to setup a swap file
- Ability to setup timezone file (/etc/localtime) used by dnscrypt-proxy and other apps
- Ability to reconfigure dnscrypt-proxy without reinstalling unlike previous installer for dnscrypt-proxy version 1.x.x

Changelog:
https://github.com/thuantran/dnscrypt-asuswrt-installer/commits/master

Install/Update/Reconfig/Uninstall:
Run this command from an SSH shell and follow the prompts for dnscrypt-proxy version 2:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer
Users can safely update from dnscrypt-proxy version 1 to version 2 with the above command.

If you want to use dnscrypt-proxy version 1, run this command:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/dnscrypt-proxy-v1/installer && sh installer dnscrypt-proxy-v1; rm installer

How to check if it works

If you use OpenDNS, run this command on Windows cmd
Code:
nslookup -type=txt debug.opendns.com
You should see something like
Code:
"dnscrypt enabled (717473654A614970)"
in result.
Otherwise running this command:
Code:
pidof dnscrypt-proxy
will return a number.

How to report issue:
I need the following directory and files:
Code:
/jffs/dnscrypt
/jffs/scripts/dnsmasq.postconf
/jffs/scripts/firewall-start
/jffs/scripts/wan-start
One can use this command to create a tar archive of these files:
Code:
echo .config > exclude-files; tar -cvf dnscrypt.tar -X exclude-files /jffs/dnscrypt /jffs/scripts/dnsmasq.postconf /jffs/scripts/firewall-start /jffs/scripts/wan-start ; rm exclude-files
in current directory and send me the archive for debug.

I also need the following information:
- Which DNS server you selected during dnscrypt installation
- Which router you're using
- Firmware and its version

How I made this:
- Use dnscrypt-proxy binary packages from https://github.com/jedisct1/dnscrypt-proxy
- Compiling and stripping required binaries using firmware building toolchain from asuswrt-merlin
- Write the installer script with stuff inspired by entware-setup.sh from asuswrt-merlin
- You can look at all the stuff here https://github.com/thuantran/dnscrypt-asuswrt-installer
 

thelonelycoder

Part of the Furniture
A warning to AB-Solution users: This would break your installation as it replaces /jffs/scripts/dnsmasq.postconf
If you use pixelserv-tls, it will add (according to the script) some entries to /jffs/scripts/wan-start


Edit: @bigeyes0x0 made changes to the installer, I can confirm this is working seamlessly with AB-Solution 3 and the addon pixelserv-tls (ps).
Thanks bigeyes0x0!
 

bigeyes0x0

Senior Member
thelonelycoder said:
> A warning to AB-Solution users: This would break your installation as it replaces /jffs/scripts/dnsmasq.postconf
> If you use pixelserv-tls, it will add (according to the script) some entries to /jffs/scripts/wan-start
Thanks for the heads up, added incompatibilities section.
 

thelonelycoder

Part of the Furniture
bigeyes0x0 said:
> Thanks for the heads up, added incompatibilities section.

I do the best I can with AB to not simply replace an existing file in jffs.
I would hope that others start to do the same. Append to the file instead of replacing it.
Build in some checks if your content is there. Think about non-technical users that use this 'as is' and start coding from there.
Thanks.
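
The append-and-check approach recommended in the post above, sketched as an added example that is not part of the thread or of either project's scripts. The marker tag and the hooked line passed in by the caller are hypothetical.

```shell
#!/bin/sh
# Added example: append a marked block to a shared user script instead of
# replacing the file. Tag and content are chosen by the caller (assumptions).

# append_block FILE TAG CONTENT
# Adds CONTENT between "# TAG start" / "# TAG end" markers exactly once.
append_block() {
    file=$1 tag=$2 content=$3
    # Create the script with a shebang if no other add-on made it yet.
    if [ ! -f "$file" ]; then
        printf '#!/bin/sh\n' > "$file" || return 1
    fi
    # Already present: leave the file untouched so re-runs are harmless.
    if grep -qF "# $tag start" "$file"; then
        return 0
    fi
    # Make sure the last existing line is newline-terminated before appending.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '# %s start\n%s\n# %s end\n' "$tag" "$content" "$tag" >> "$file"
    chmod 755 "$file"
}

# remove_block FILE TAG
# Uninstall path: delete only our marked block, keep the lines of other add-ons.
remove_block() {
    file=$1 tag=$2
    [ -f "$file" ] || return 0
    tmp="$file.tmp.$$"
    awk -v s="# $tag start" -v e="# $tag end" '
        $0 == s { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}
```

An installer would call `append_block /jffs/scripts/dnsmasq.postconf <tag> <line>` on install and `remove_block` with the same tag on uninstall.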
 

bigeyes0x0

Senior Member
I know because I made this for these non technical users specifically. This is why it's in TODO and the thing is BETA now. Will work on this first.

This release is meant for those that can live with BETA as I want to know that at least for the current feature set, it does work.
 

thelonelycoder

Part of the Furniture
bigeyes0x0 said:
> I know because I made this for these non technical users specifically. This is why it's in TODO and the thing is BETA now. Will work on this first.
My comprehensive jffs check is the write_jffsfile() function starting on line 1552 in ab-solution.sh...
It won't work for you, but will get you an idea how serious I take it.
 

thelonelycoder

Part of the Furniture
@bigeyes0x0 made changes to the installer, I can confirm this is working seamlessly with AB-Solution 3 and the addon pixelserv-tls (ps).
Thanks bigeyes0x0!
 

bigeyes0x0

Senior Member
Well lots of changes have been made internally. Externally now it does not quit after a single wrong input during prompts and you can also select to redirect all your DNS queries on your network to go through dnscrypt regardless of client config.
 

GoNz0

Very Senior Member
Thanks, seems to be installed and working fine for me (now I put the right password in the OpenDNS section)
 

bigeyes0x0

Senior Member
MIPSEL support added but I can't test this as I don't have a router with MIPSEL chipset, appreciate if someone can test this and tell me the result.
 

RacerRon

Regular Contributor
This is working great on my ac88u. I put in my OpenDNS username and pass during install but ip has not changed yet to see if it updates. Tested Dnscrypt function from a network connected windows machine with

nslookup -type=txt debug.opendns.com

The bottom line says all is well. Thank you for the simple install.

Sent from my Nexus 5X using Tapatalk
 

bigeyes0x0

Senior Member
Thanks for the info, even if your IP hasn't changed you can check your router log to see if it's working or not. For example, a complete log showing the script is working here:
Code:
Dec  4 14:33:09 admin: OpenDNS: Update IP succeeded
Dec  4 14:33:09 admin: dnscrypt-proxy started
Dec  4 14:33:10 rc_service: service 756:notify_rc restart_dnsmasq
Dec  4 14:33:10 dnsmasq[452]: exiting on receipt of SIGTERM
Dec  4 14:33:10 custom script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Dec  4 14:33:10 dnsmasq[1009]: started, version 2.76 cachesize 1500
...
Dec  4 14:33:10 dnsmasq[1009]: using nameserver 127.0.0.1#65053
For OpenDNS IP update, it's the first line if it's successful. For dnsmasq with dnscrypt-proxy it's the last line.
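
The log check described in the post above, as an added example that is not from the thread or the installer. The function names and the summary format are assumptions, and the embedded sample lines are copied from the log excerpt in the post.

```shell
#!/bin/sh
# Added example: decide from a syslog file whether the two lines called out
# above are present. Function names and output format are assumptions.

# check_dnscrypt_log LOGFILE
# Prints a one-line summary. Returns 0 only if the most recently started
# dnsmasq instance uses a 127.0.0.1 upstream and no other upstream; another
# upstream means some queries may bypass dnscrypt-proxy.
check_dnscrypt_log() {
    awk '
        /OpenDNS: Update IP succeeded/ { opendns = 1 }
        # A new dnsmasq start resets state: only the latest instance counts.
        /dnsmasq\[[0-9]+\]: started/ {
            pid = $0; sub(/.*dnsmasq\[/, "", pid); sub(/\].*/, "", pid)
            loopback = 0; other = 0
        }
        /dnsmasq\[[0-9]+\]: using nameserver / {
            p = $0; sub(/.*dnsmasq\[/, "", p); sub(/\].*/, "", p)
            if (p != pid) next
            ns = $0; sub(/.*using nameserver /, "", ns)
            if (ns ~ /^127\.0\.0\.1#[0-9]+/) loopback = 1; else other = 1
        }
        END {
            printf "opendns_update=%s dnsmasq_pid=%s loopback=%d other_upstream=%d\n",
                   (opendns ? "ok" : "not-seen"), (pid == "" ? "none" : pid),
                   loopback, other
            exit ((loopback && !other) ? 0 : 1)
        }
    ' "$1"
}

# Sample input: lines taken from the log excerpt in the post above.
sample_log() {
    cat <<'EOF'
Dec  4 14:33:09 admin: OpenDNS: Update IP succeeded
Dec  4 14:33:09 admin: dnscrypt-proxy started
Dec  4 14:33:10 dnsmasq[452]: exiting on receipt of SIGTERM
Dec  4 14:33:10 dnsmasq[1009]: started, version 2.76 cachesize 1500
Dec  4 14:33:10 dnsmasq[1009]: using nameserver 127.0.0.1#65053
EOF
}
```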
 

RacerRon

Regular Contributor
I have a silly question. By adding my DynDNS account login during the install, when my dynamic IP changes, will it auto update with DynDNS? Or will the update only happen on router boot?

Sent from my Nexus 5X using Tapatalk
 

bigeyes0x0

Senior Member
No, it will update automatically after every new wan connection established, as that's my plan.

For my PPPoE connection that means every time I lose connection to ISP and reconnect. I don't know about those on cables in the US with DHCP connection, would appreciate a test but I do have an idea how to fix it if it's an issue.
 

RacerRon

Regular Contributor
Ok cool....I am at work now but will be home soon and suspect my ip did change based on stats page on DynDNS.... It appears that stats stopped updating a little bit ago so, I will check when I get home in an hour or so. Thanks.

Sent from my Nexus 5X using Tapatalk
 
