DNScrypt dnscrypt installer for asuswrt

This morning I woke up to this;

Code:
May 29 07:54:26 admin: Warning: dnscrypt-proxy is dead
May 29 07:54:26 admin: Start dnscrypt-proxy
May 29 07:54:26 dnscrypt-proxy[7925]: Unable to use source [public-resolvers]: [read udp x.x.x.x:40267->1.1.1.1:53: read: connection refused]
May 29 07:54:26 dnscrypt-proxy[7925]: No servers configured

I didn't change anything; the router can ping 1.1.1.1.
 
Do you have the latest version installed? (2.0.14)
I think the last release has some sort of self check/auto restart function built in.
 
Ver 2.0.14
When I use Cloudflare DNS (1.1.1.1/1.0.0.1) or Google DNS (8.8.8.8/8.8.4.4), after a reboot the internet is dead; I have to format the JFFS partition and reboot the router to have internet again.

I get these errors:
Code:
Feb 14 00:00:31 dnscrypt-proxy[179]: Get https://dns.cloudflare.com/dns-query?body=yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA&ct=&dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA&random_padding=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: x509: certificate has expired or is not yet valid
Feb 14 00:00:31 dnscrypt-proxy[179]: dnscrypt-proxy is waiting for at least one server to be reachable
Code:
Feb 14 00:00:31 dnscrypt-proxy[180]: Get https://dns.google.com/experimental?body=yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA&ct=&dns=yv4BAAABAAAAAAABAAACAAEAACkQAAAAgAAAAA&random_padding=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: x509: certificate has expired or is not yet valid
Feb 14 00:00:31 dnscrypt-proxy[180]: dnscrypt-proxy is waiting for at least one server to be reachable
Spam
Code:
Feb 13 18:01:14 ntp: start NTP update
Feb 13 18:01:14 ntp: start NTP update
Feb 13 18:01:59 ntp: start NTP update

@bigeyes0x0

Answer is right there in the error: certificate has expired or is not yet valid
Your router time is Feb 14th. The cert is not cleared as valid because your router time is off.
Because you can't look up DNS, ntp can't fix the time.

So either:
Install fake-hwclock
Or use IP addresses for your ntp server instead of DNS names.

Personally fake-hwclock is the better method.
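
The diagnosis in the answer above, turned into a log triage helper as an added example that is not part of the original posts: it scans syslog text for the dnscrypt-proxy failure messages quoted in this thread and names the likely cause. `diagnose_dnscrypt_log` and its output keywords are hypothetical names; the sample lines are taken from the posts, with the long query strings shortened to "...".

```sh
# Added example, not from the thread: triage dnscrypt-proxy startup failures in syslog.
diagnose_dnscrypt_log() {
    # stdin: syslog text. stdout: one finding per line.
    awk '
    /dnscrypt-proxy\[[0-9]+\]: / {
        # TLS validation fails when the router clock is outside the certificate validity window.
        if (index($0, "x509: certificate has expired or is not yet valid")) clock++
        # The resolver list could not be fetched: the plain-DNS fallback resolver refused us.
        if (match($0, /->[0-9.]+:[0-9]+: read: connection refused/)) {
            target = substr($0, RSTART + 2, RLENGTH - 2)
            sub(/: read: connection refused$/, "", target)
            if (!(target in refused)) order[++nref] = target
            refused[target]++
        }
        if (index($0, "No servers configured")) noservers++
    }
    / ntp: start NTP update/ { ntp++ }
    END {
        if (clock) print "CLOCK_SKEW " clock
        # NTP restarting while certificates fail: time sync itself needs working DNS.
        if (clock && ntp > 1) print "NTP_RETRY_LOOP " ntp
        for (i = 1; i <= nref; i++) print "FALLBACK_REFUSED " order[i]
        if (noservers) print "NO_SERVERS " noservers
        if (!clock && !nref && !noservers) print "NO_KNOWN_FAILURE"
    }'
}

# Sample input: log lines from the posts above, query strings shortened to "...".
sample_clock_log() {
    cat <<'EOF'
Feb 14 00:00:31 dnscrypt-proxy[179]: Get https://dns.cloudflare.com/dns-query?...: x509: certificate has expired or is not yet valid
Feb 14 00:00:31 dnscrypt-proxy[179]: dnscrypt-proxy is waiting for at least one server to be reachable
Feb 13 18:01:14 ntp: start NTP update
Feb 13 18:01:59 ntp: start NTP update
EOF
}

sample_refused_log() {
    cat <<'EOF'
May 29 07:54:26 admin: Start dnscrypt-proxy
May 29 07:54:26 dnscrypt-proxy[7925]: Unable to use source [public-resolvers]: [read udp x.x.x.x:40267->1.1.1.1:53: read: connection refused]
May 29 07:54:26 dnscrypt-proxy[7925]: No servers configured
EOF
}

sample_clock_log | diagnose_dnscrypt_log
sample_refused_log | diagnose_dnscrypt_log
```

`CLOCK_SKEW` together with `NTP_RETRY_LOOP` is the circular dependency described in the answer; `FALLBACK_REFUSED` names the plain-DNS resolver that the `fallback_resolver` setting points at.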
 
Just set my dns to Cloudflare through this script.

Does anyone know a way to test if dns over HTTPS/TLS is working? Does the script default to one of these?
 
Manually updated the installer to install 2.0.15 last night and noticed the process consistently dying and being restarted by the monitor only to die within a couple of minutes. Reinstalling 2.0.14 brought things back to normal. YMMV

Rt-AC3100 on 384.5
 
@bigeyes0x0 I thought you may be able to shed some light on this rather unique problem. My system dns was set to 1.1.1.1. Now, I know dnscrypt should ignore this setting, but I'm not so sure anymore. I had issues with ads showing up on some pages, mainly snbforums and a weather site. I tried everything with ab-solution that I could figure. No help. I reconfigured my browser and still no help. I set my system dns to my router's address and, boom, no more ads. Everything works, so thus my question is: is dnscrypt sometimes not ignoring system dns? Is another script in conflict with yours? I run the scripts listed in my signature. Can anyone shed some light on this please? Thanks in advance.
 
Sorry, I've missed your answer. Yes, it was 2.0.14. I've fixed this problem by manually editing "dnscrypt-proxy.toml". I've changed fallback_resolver from 1.1.1.1 to 8.8.8.8. I don't know why, but my router wasn't able to connect to 1.1.1.1 until I changed it to 8.8.8.8 and dnscrypt downloaded public-resolvers.md. The weird thing is I use server_names = ['cloudflare', 'cisco'] with no problem :)
 
Unless you have installed with the ignore system dns option using the installer, which adds an iptables rule to divert all port 53 queries to the dnscrypt port. If not, when there is a system dns defined, it will follow the system dns.

Alternatively, like what you did, change the system dns to the router IP.
 
no
no problem here updated to 2.0.15 on an AC5300 using amtm on 384.5
 
Thanks for confirming this. I thank you for your reply!
 
Just installed dnscrypt but it will not start. If I try and start it manually with this command:

/jffs/dnscrypt/manager dnscrypt-start

It just generates this in the log but does not start:

Jun 8 23:20:38 router: Start dnscrypt-proxy

No other messages and the process does not start. Tried reinstalling but same issue. Is there some way to start dnscrypt in the foreground? Perhaps a log file outside of the syslog? Trying to find anything that could shed some light on the problem. Thanks!
 
Have you configured it? Use amtm for installing it. Also set the time zone. If you cannot, then set your router to Etc/Zulu. Is your time synced?
 
I used the dnscrypt installer. I am able to get it working if I do the following:

1. Option 9 to uninstall everything
2. Option 5 to set timezone
3. Option 1 to install dnscrypt
4. Option 4 to set timezone
5. Reboot

However, what I noted was that ab-solution, Skynet, and entware commands were not working. It appears that the above changed my mount point name from “/tmp/mnt/USBDisk3” to “/tmp/mnt/USBDisk3 (3)”. If I remount it with the correct name, ab-solution, Skynet, and entware commands work, but dnscrypt dies and I am back to the same problem.

I have tried numerous times and reproduced the issue each time. Kind of stumped why dnscrypt is concerned with the usb disk as I thought all its files are on jffs. Also, not sure why setting the timezone in the installer appends () with some number to the original name.

Right now, I have to go with the correct mount point name to get all of the above items working at the expense of dnscrypt, but I would like it to work with the same mount point name that is used by the above items. Open to any suggestions. Thanks.
 
So to solve all the problems with installing dnscrypt with entware (or similar) then setting up various scripts to handle dnscrypt-proxy starting up including the ntp issue, I made my own installer for dnscrypt-proxy.

Requirements:
- ARM or MIPSEL based ASUS routers
- asuswrt-merlin firmwares or compatible
- jffs support and script enabled

Incompatibilities:
- No known issue

Current features:
- dnscrypt-proxy version 2 with DoH and DNSCrypt version 2 protocols, multiple resolvers, and other features
- Running as nobody through nonroot binary (using --user requires change to passwd)
- Support ARM and MIPSEL based routers
- Support OpenDNS dynamic IP update by entering your OpenDNS account information
- Handling ntp update at router boot up by starting dnscrypt-proxy with cert_ignore_timestamp option
- Redirect all DNS queries on your network to dnscrypt if user chooses to
- Install haveged/rngd for better speed with dnscrypt and other cryptographic applications
- Support various HW RNG such as TrueRNG (tested with v3), TrueRNGpro, OneRNG, EntropyKey
- Ability to setup a swap file
- Ability to setup timezone file (/etc/localtime) used by dnscrypt-proxy and other apps
- Ability to reconfigure dnscrypt-proxy without reinstalling unlike previous installer for dnscrypt-proxy version 1.x.x

Changelog:
https://github.com/thuantran/dnscrypt-asuswrt-installer/commits/master

Install/Update/Reconfig/Uninstall:
Run this command from an ssh shell and follow the prompts for dnscrypt-proxy version 2:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer
Users can safely update from dnscrypt-proxy version 1 to version 2 with the above command.

If you want to use dnscrypt-proxy version 1, run this command:
Code:
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/dnscrypt-proxy-v1/installer && sh installer dnscrypt-proxy-v1; rm installer

How to check if it works

If you use OpenDNS, run this command on Windows cmd
Code:
nslookup -type=txt debug.opendns.com
You should see something like
Code:
"dnscrypt enabled (717473654A614970)"
in result.
Otherwise running this command:
Code:
pidof dnscrypt-proxy
will return a number.

How to report issue:
I need the following directory and files:
Code:
/jffs/dnscrypt
/jffs/scripts/dnsmasq.postconf
/jffs/scripts/firewall-start
/jffs/scripts/wan-start
One can use this command to create a tar archive of these files:
Code:
echo .config > exclude-files; tar -cvf dnscrypt.tar -X exclude-files /jffs/dnscrypt /jffs/scripts/dnsmasq.postconf /jffs/scripts/firewall-start /jffs/scripts/wan-start ; rm exclude-files
in the current directory and send me the archive for debugging.

I also need the following information:
- Which dns server you selected during dnscrypt installation
- Which router you're using
- Firmware and its version

How I made this:
- Use dnscrypt-proxy binary packages from https://github.com/jedisct1/dnscrypt-proxy
- Compiling and stripping required binaries using firmware building toolchain from asuswrt-merlin
- Write the installer script with stuff inspired by entware-setup.sh from asuswrt-merlin
- You can look at all the stuff here https://github.com/thuantran/dnscrypt-asuswrt-installer
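
The `-k` in the install command above turns off curl's certificate validation, so the router runs whatever script the network path delivers. A pinned-digest check before running, as an added example that is not part of the original post or the installer project: `verify_pinned` and `install_verified` are hypothetical helper names, and `EXPECTED_SHA256` is a placeholder because the thread publishes no checksum. It assumes `sha256sum` and `mktemp` exist on the router and that its curl can validate GitHub's certificate.

```sh
# Added example, not the installer author's code: fetch the installer to a file,
# compare it with a SHA-256 recorded after reviewing that exact copy, then run it.
INSTALLER_URL='https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer'
# Placeholder: the thread publishes no checksum; fill in the digest of the copy you reviewed.
EXPECTED_SHA256='<sha256-of-reviewed-installer>'

sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

verify_pinned() {
    # $1 = file, $2 = expected digest (64 lowercase hex characters).
    # Returns 0 on match, 1 on mismatch, 2 for a missing or empty file, 3 for a malformed pin.
    [ -s "$1" ] || return 2
    [ "${#2}" -eq 64 ] || return 3
    case $2 in *[!0-9a-f]*) return 3 ;; esac
    [ "$(sha256_of "$1")" = "$2" ] || return 1
}

install_verified() {
    tmp=$(mktemp) || return 1
    # No -k here: curl validates the server certificate; -f turns HTTP errors into failures.
    if curl -fsSL -o "$tmp" "$INSTALLER_URL" && verify_pinned "$tmp" "$EXPECTED_SHA256"; then
        sh "$tmp"; rc=$?
    else
        echo "installer not run: download failed or digest mismatch" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
# A pin against the master branch fails whenever the branch moves: review the new copy, then update the pin.
# Usage on the router, after setting EXPECTED_SHA256:  install_verified
```

If the router's curl has no CA bundle, the digest comparison is the check that still holds, provided the pin was recorded on a trusted machine.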


Please pardon my ignorance, can dnscrypt now be installed on standard OE Asus firmware?
 
Just configured to the Cloudflare dns resolver. Is there any way to test that DOH is enabled and working?
 
If you kill dnscrypt-proxy, then DNS doesn't work, which means dnscrypt is working. But in order to prove that it is on DoH, you may need a switch between the router and modem, and a PC between them with Wireshark installed to see the packets. The queries should be encrypted and you shouldn't see them on port 53 because they will be going through 443.
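
The packet-capture check described in the reply above, as an added example that is not part of the original posts: it reads `tcpdump -n` text output taken between router and modem and lists any DNS names still visible on port 53. The addresses and capture lines are constructed, and `plaintext_dns_queries` and `doh_verdict` are hypothetical helper names.

```sh
# Added example, not from the thread: read `tcpdump -n` text captured on the WAN side
# and report whether DNS still leaves in cleartext. All addresses below are constructed.
plaintext_dns_queries() {
    # stdout: "<resolver-ip> <qtype> <name>" for each IPv4 query sent to port 53.
    awk '
    $2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)          # "1.1.1.1.53:" -> "1.1.1.1.53"
        n = split(dst, p, ".")
        if (n != 5 || p[5] != "53") next
        for (i = 6; i < NF; i++)
            if ($i ~ /^[A-Z]+\?$/) {          # query type token, e.g. "A?" or "AAAA?"
                qtype = $i; sub(/\?$/, "", qtype)
                print p[1] "." p[2] "." p[3] "." p[4], qtype, $(i + 1)
            }
    }'
}

doh_verdict() {
    # $1 = IP of the DoH resolver in use; stdin = capture text.
    # dnscrypt-proxy may itself send a few port-53 lookups to its fallback_resolver at
    # startup (see the first log in this thread), so read the leaked names, not only the count.
    capture=$(cat)
    leaks=$(printf '%s\n' "$capture" | plaintext_dns_queries | wc -l | tr -d ' ')
    tls=$(printf '%s\n' "$capture" | awk -v dst="$1.443:" '$2 == "IP" && $5 == dst' | wc -l | tr -d ' ')
    if [ "$leaks" -gt 0 ]; then echo "LEAK $leaks"
    elif [ "$tls" -gt 0 ]; then echo "ENCRYPTED_ONLY $tls"
    else echo "INCONCLUSIVE"                  # an empty capture proves nothing
    fi
}

sample_leaky_capture() {
    cat <<'EOF'
07:54:26.100000 IP 203.0.113.7.40267 > 8.8.8.8.53: 51966+ A? www.example.com. (33)
07:54:26.120000 IP 8.8.8.8.53 > 203.0.113.7.40267: 51966 1/0/0 A 192.0.2.80 (49)
07:54:27.000000 IP 203.0.113.7.51820 > 1.1.1.1.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
EOF
}

sample_doh_capture() {
    cat <<'EOF'
07:55:01.000000 IP 203.0.113.7.51820 > 1.1.1.1.443: Flags [P.], seq 518:700, ack 300, win 229, length 182
07:55:01.030000 IP 1.1.1.1.443 > 203.0.113.7.51820: Flags [P.], seq 300:620, ack 700, win 64, length 320
EOF
}

sample_leaky_capture | plaintext_dns_queries
sample_doh_capture | doh_verdict 1.1.1.1
```

Port 443 alone does not identify DoH, which is why `doh_verdict` takes the resolver's IP and only counts TLS packets sent to it.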
 
Ok, newbie question here so forgive me in advance. What is (P) RNG and should I have it installed?
Thanks in advance!
 
You need it. In order to generate a value randomly you can use a hardware RNG or, like most of us, a software RNG. RNG stands for "random number generator".
 
