How too install and use DNSCrypt with Gargoyle


Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: How too install and use DNSCrypt with Gargoyle

Post by Lantis »

No.

I just disable the firewall rule like I described above, which leads to the consequences as listed.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

SirDrexl
Posts: 24
Joined: Wed Sep 28, 2011 8:16 pm

Re: How too install and use DNSCrypt with Gargoyle

Post by SirDrexl »

tapper wrote: Hi, I am still on CC but I use OpenDNS for DNS. Will I still need to use that file?
Well, the ones that start with cisco are the OpenDNS resolvers. Note that there are options for the one with the family shield and the one for IPv6 if you use that.

Actually, the one called "cisco-port53" might solve the adblock problem since it would use port 53.

GarGoy
Posts: 10
Joined: Fri Apr 05, 2019 8:09 am

Re: How too install and use DNSCrypt with Gargoyle

Post by GarGoy »

I'm having trouble installing DNSCrypt on my router:
gargoyle_1.10.0-ar71xx-generic-tl-wdr4300-v1

Here's what I have tried.
Installed the webshell plugin,
ran

Code:

opkg update

(success - outputs list of databases updated)
ran

Code:

opkg install dnscrypt-proxy

Webshell output says "success", but nothing else.
When I explore the router file system with WinSCP, I can't find dnscrypt.
I then tried to install via PuTTY SSH.

Code:

opkg install dnscrypt-proxy

I get the following error:
ERROR: No package named dnscrypt-proxy found, try updating your package lists
So I tried following this to add a repository:
https://oldwiki.archive.openwrt.org/inbox/dnscrypt
Using PuTTY, I ran

Code:

cd /tmp
wget 'http://exopenwrt.roland.black/exopenwrt.pub'
opkg-key add exopenwrt.pub

Here I experienced another error:
"opkg-key: not found"
I then tried to install the "opkg-key" package but got the error
ERROR: No package named opkg-key found, try updating your package lists
So what I did was use WinSCP to rename the file to "1a929a1dd62138c1" (removing the .pub extension)
and copy the file to "/etc/opkg/keys/".

Code:

cat /etc/opkg/keys/1a929a1dd62138c1

returns

untrusted comment: exOpenWrt key
RWQakpod1iE4wYP4nkF7h9+spVBuFAq/mP7N2zkF/DCHrPtf847m8EG/

I then continued with the instructions from the OpenWrt page using PuTTY:

Code:

echo '/etc/opkg/keys/1a929a1dd62138c1' >> /etc/sysupgrade.conf
echo 'src/gz exopenwrt http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt' >> /etc/opkg.conf

Now when I run

Code:

opkg update

I get an error on one of the repositories:
Downloading package list for exopenwrt source...
WARNING: Could not retrieve package list for exopenwrt.
So now I'm STUCK... :oops:
What am I doing wrong :?:
BTW, with the ever increasing spy state, it would be nice to have encrypted DNS as a standard feature please :mrgreen:
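
The file name used in the post above, 1a929a1dd62138c1, is the key ID embedded in the usign public key itself, and usign looks a key up in /etc/opkg/keys/ by that name. As an added example (not part of the original post), this script decodes the key line quoted in the post and checks that a key file is stored under its own ID; the function names are made up for illustration, and it assumes `base64`, `od` and `mktemp` are available, so run it on a workstation if the router lacks them.

```shell
#!/bin/sh
# Added example: check a usign (signify-format) public key against its file name.
# Function names are illustrative, not part of opkg or usign.

# Constructed sample: the two lines printed by `cat` in the post above.
write_sample_key() {    # $1 = destination path
    printf '%s\n' 'untrusted comment: exOpenWrt key' \
        'RWQakpod1iE4wYP4nkF7h9+spVBuFAq/mP7N2zkF/DCHrPtf847m8EG/' > "$1"
}

# Decode line 2 of the key file: 2-byte algorithm tag, 8-byte key ID,
# 32-byte Ed25519 public key (42 bytes in total).
key_blob() { sed -n '2p' "$1" | base64 -d 2>/dev/null; }

key_alg() { key_blob "$1" | head -c 2; }
key_len() { key_blob "$1" | wc -c | tr -d ' '; }
key_id()  { key_blob "$1" | od -An -tx1 -j2 -N8 | tr -d ' \n'; }

# Succeeds only if the file is a well-formed Ed25519 key stored under its own ID.
key_name_ok() {
    [ "$(key_alg "$1")" = "Ed" ] || return 1
    [ "$(key_len "$1")" = "42" ] || return 1
    [ "$(basename "$1")" = "$(key_id "$1")" ]
}

# Demo: the downloaded name fails the check, the renamed copy passes it.
dir=$(mktemp -d)
write_sample_key "$dir/exopenwrt.pub"
echo "embedded key ID: $(key_id "$dir/exopenwrt.pub")"
key_name_ok "$dir/exopenwrt.pub" || echo "exopenwrt.pub: name does not match key ID"
cp "$dir/exopenwrt.pub" "$dir/$(key_id "$dir/exopenwrt.pub")"
key_name_ok "$dir/1a929a1dd62138c1" && echo "1a929a1dd62138c1: name matches key ID"
rm -r "$dir"
```

A matching name only shows the file is stored where usign will find it; it says nothing about whether the key, fetched here over plain HTTP, is the one the repository owner published.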

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: How too install and use DNSCrypt with Gargoyle

Post by Lantis »

I don't know what guide you're following, but it is taking you down a very convoluted direction...

dnscrypt-proxy is already available as a package at:
https://archive.openwrt.org/chaos_calme ... /packages/

I expect that you have not read this post: viewtopic.php?f=5&t=11432
and therefore with old repository links you won't find ANY packages.

But you might run into Kernel incompatibilities, which would mean you need to compile your own version and include dnscrypt-proxy in your build.

Additionally, if you are really security inclined, you should be moving to 1.11.x rather than sticking with 1.10.0, otherwise encrypted DNS is the least of your concerns.

GarGoy
Posts: 10
Joined: Fri Apr 05, 2019 8:09 am

Re: How too install and use DNSCrypt with Gargoyle

Post by GarGoy »

Hey Lantis,
Thanks for the fast reply.
I was following the OP, and the OpenWrt page I linked in my previous post,
then trying to problem solve myself.

I found a typo in my "/etc/opkg.conf".
That FIXED the update problem for the repository I added.
I still WASN'T able to install via the webshell plugin,
but WAS able to install via PuTTY :D
I've just updated "/etc/config/dhcp" as per the OP.
Current problem:
In Windows CMD I run

Code:

ipconfig /flushdns

then

Code:

nslookup -type=txt debug.opendns.com.

The OP says,
One of the entries should be "dnscrypt enabled (<number>)".
I don't see this in the CMD output though.
Here is the CMD output:
C:\Users\home>nslookup -type=txt debug.opendns.com
Server: Gargoyle.lan
Address: 192.168.1.1

opendns.com
primary name server = auth1.opendns.com
responsible mail addr = noc.opendns.com
serial = 1554471595
refresh = 16384 (4 hours 33 mins 4 secs)
retry = 2048 (34 mins 8 secs)
expire = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 2560 (42 mins 40 secs)
(root) ??? unknown type 41 ???

Is there another way to test if the encrypted dns is working :?:

FYI, I left off "list rebind_domain 'free.aero2.net.pl'" because I don't know what it did..? And the URL seems kind of scammy?
Lantis wrote: I expect that you have not read this post: viewtopic.php?f=5&t=11432
You're correct, I hadn't seen that.
I will change "downloads.openwrt" to "archive.openwrt" in the /etc/opkg.conf
Lantis wrote: Additionally, if you are really security inclined, you should be moving to 1.11.x rather than sticking with 1.10.0, otherwise encrypted DNS is the least of your concerns.
Oh, I wasn't aware 1.10 had vulnerabilities. I usually always wait for the stable, but now I know I will make the transition. Thanks.

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: How too install and use DNSCrypt with Gargoyle

Post by RomanHK »

GarGoy wrote: webshell output says "success", but nothing else.
Unfortunately, this plugin will execute commands regardless of the error message in the background.

You should just overwrite /etc/opkg.conf with this:

Code:

src/gz chaos_calmer_base http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base
src/gz chaos_calmer_management http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management
src/gz chaos_calmer_packages http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages
src/gz chaos_calmer_routing http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing
src/gz chaos_calmer_telephony http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony

src/gz gargoyle http://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default

dest root /
dest ram /tmp
dest plugin_root /plugin_root
lists_dir ext /var/opkg-lists
option overlay_root /overlay

Step by step:
1) If you want to install your own package, try this as follows (I recommend using PuTTY):

Code:

wget 'http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt/libsodium_1.0.11-1.E_ar71xx.ipk' -P /tmp/
wget 'http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt/dnscrypt-proxy-resolvers_1.7.0-1.E-2016-08-01-22ff30b_ar71xx.ipk' -P /tmp/
wget 'http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt/dnscrypt-proxy_1.7.0-1.E_ar71xx.ipk' -P /tmp/
opkg install /tmp/libsodium_1.0.11-1.E_ar71xx.ipk
opkg install /tmp/dnscrypt-proxy-resolvers_1.7.0-1.E-2016-08-01-22ff30b_ar71xx.ipk
opkg install /tmp/dnscrypt-proxy_1.7.0-1.E_ar71xx.ipk

2) Edit /etc/config/dnscrypt-proxy (e.g. yandex):

Code:

config dnscrypt-proxy ns1
	option address         '127.0.0.1'
	option port            '5353'
	option resolver       'yandex'
	option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
	# Ephemeral keys option requires extra CPU cycles and can cause huge system load.
	#option ephemeral_keys '0'

#config dnscrypt-proxy ns2
#	option address         '127.0.0.1'
#	option port            '5454'
#	#option resolver       'd0wn-random-ns1'
#	#option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
#	#option ephemeral_keys '0'

3) Set DNS from ISP by screenshot:
Image

4) Insert rows into /etc/dnsmasq.conf configuration:

Code:

no-resolv
server="127.0.0.1#5353"

and reboot the router.

After rebooting:

Code:

root@Gargoyle:~# ping -c4 google.com
PING google.com (173.194.222.138): 56 data bytes
64 bytes from 173.194.222.138: seq=0 ttl=39 time=56.158 ms
64 bytes from 173.194.222.138: seq=1 ttl=39 time=52.780 ms
64 bytes from 173.194.222.138: seq=2 ttl=39 time=53.448 ms
64 bytes from 173.194.222.138: seq=3 ttl=39 time=53.272 ms

--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 52.780/53.914/56.158 ms
root@Gargoyle:~#

root@Gargoyle:~# nslookup gargoyle.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      gargoyle.com
Address 1: 199.59.242.151
root@Gargoyle:~#

root@Gargoyle:~# ps | grep dnscrypt-proxy
 1444 nobody    1384 S    /usr/sbin/dnscrypt-proxy -u nobody -S -a 127.0.0.1:5
 2849 root      1356 S    grep dnscrypt-proxy
root@Gargoyle:~#

root@Gargoyle:~# logread | grep dnscrypt-proxy
Fri Apr  5 20:01:02 2019 daemon.notice dnscrypt-proxy[1444]: Starting dnscrypt-proxy 1.7.0
Fri Apr  5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Generating a new session key pair
Fri Apr  5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Done
Fri Apr  5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Server certificate with serial #1547797595 received
Fri Apr  5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: This certificate is valid
Fri Apr  5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Chosen certificate #1547797595 is valid from [2019-01-18] to [2020-01-18]
Fri Apr  5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Server key fingerprint is 8DF9:C0B3:1881:1DFB:0518:E1DF:9FC1:5571:881D:E465:87F5:72C9:187D:9E24:866A:1321
Fri Apr  5 20:01:02 2019 daemon.notice dnscrypt-proxy[1444]: Proxying from 127.0.0.1:5353 to 77.88.8.78:15353
root@Gargoyle:~#

root@Gargoyle:~# logread | grep dnsmasq
Fri Apr  5 20:00:18 2019 daemon.info dnsmasq[1829]: started, version 2.78 cachesize 150
Fri Apr  5 20:00:18 2019 daemon.info dnsmasq[1829]: DNS service limited to local subnets
Fri Apr  5 20:00:18 2019 daemon.info dnsmasq[1829]: compile time options: no-IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify
Fri Apr  5 20:00:18 2019 daemon.warn dnsmasq[1829]: warning: ignoring resolv-file flag because no-resolv is set
Fri Apr  5 20:00:18 2019 daemon.info dnsmasq-dhcp[1829]: DHCP, IP range 192.168.2.100 -- 192.168.2.249, lease time 12h
Fri Apr  5 20:00:18 2019 daemon.info dnsmasq[1829]: using local addresses only for domain lan
Fri Apr  5 20:00:18 2019 daemon.info dnsmasq[1829]: using nameserver 127.0.0.1#5353
Fri Apr  5 20:00:18 2019 daemon.info dnsmasq[1829]: read /etc/hosts - 2 addresses
Fri Apr  5 20:00:18 2019 daemon.info dnsmasq[1829]: read /tmp/hosts/dhcp - 1 addresses
Fri Apr  5 20:00:18 2019 daemon.info dnsmasq-dhcp[1829]: read /etc/ethers - 0 addresses

All functional, tested on TL-WR1043ND v2 with Gargoyle 1.10.0 = confirm functionality.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0

http://gargoyle.romanhk.cz custom builds by gargoyle users

GarGoy
Posts: 10
Joined: Fri Apr 05, 2019 8:09 am

Re: How too install and use DNSCrypt with Gargoyle

Post by GarGoy »

Thanks for the help guys,
got it working.
Not having the repositories fixed is what caused all the trouble.

I ended up having to reflash on Gargoyle to undo all the mess I made.
With the correct repositories everything went a lot smoother.

Something odd though:
it says I'm running version 1.4.3,
but on this GitHub page it says the latest version is 2.0.22 ??
https://github.com/jedisct1/dnscrypt-proxy

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: How too install and use DNSCrypt with Gargoyle

Post by RomanHK »

GarGoy wrote:Something odd tho,
says im running version 1.4.3
but on this github page it says latest version is 2.0.22 ??
https://github.com/jedisct1/dnscrypt-proxy
I got your post with the address http://exopenwrt.roland.black/, so the tested version is 1.7.0.

To explain:
Gargoyle 1.10.0 = DNSCrypt v1.4.3 from the OpenWrt 15.05 repository.
Gargoyle 1.11.0 = DNSCrypt v1.9.5 from the OpenWrt 18.06-SNAPSHOT repository.
DNSCrypt v2.0.22 not yet officially in the OpenWrt repository.

GarGoy
Posts: 10
Joined: Fri Apr 05, 2019 8:09 am

Re: How too install and use DNSCrypt with Gargoyle

Post by GarGoy »

RomanHK wrote:
GarGoy wrote:Something odd tho,
says im running version 1.4.3
but on this github page it says latest version is 2.0.22 ??
https://github.com/jedisct1/dnscrypt-proxy
I got your post with the address http://exopenwrt.roland.black/, so the tested version is 1.7.0.

To explain:
Gargoyle 1.10.0 = DNSCrypt v1.4.3 from the OpenWrt 15.05 repository.
Gargoyle 1.11.0 = DNSCrypt v1.9.5 from the OpenWrt 18.06-SNAPSHOT repository.
DNSCrypt v2.0.22 not yet officially in the OpenWrt repository.
Thanks for your detailed and excellent replies RomanHK.
I've successfully upgraded to Gargoyle 1.11.0 on my WDR4300.

Right now I'm successfully using Yandex DNS with dnscrypt-proxy,
but would like a server with DNSSEC support, outside the 14 eyes, without data retention laws.
Looking at the '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
I see ONE possible candidate,
d0wn-cz-ns1,
but sites stop loading when I put 'd0wn-cz-ns1' in /etc/config/dnscrypt-proxy

Code:

config dnscrypt-proxy
	option address '127.0.0.1'
	option port '5353'
	#option resolver 'yandex'
	option resolver 'd0wn-cz-ns1'
	#option resolver 'd0wn-ro-ns1'
	#option resolver 'opendns'
	#option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'

Is the server down?
Or is my config wrong?

One last thing, that may or may not be a problem.
When I run

Code:

logread | grep -n "using nameserver"

I get the following huge output, which includes all the nameservers in the '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
root@Gargoyle:~# logread | grep -n "using nameserver"
2:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.142.171.235#53 for domain micro
3:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.211.32.162#53 for domain micro
4:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 66.244.95.20#53 for domain micro
5:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.142.171.235#53 for domain oss
6:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.211.32.162#53 for domain oss
7:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 66.244.95.20#53 for domain oss
8:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.142.171.235#53 for domain null
9:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.211.32.162#53 for domain null
10:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 66.244.95.20#53 for domain null

**(removed hundreds of lines of similar entries)**

432:Tue Apr 9 14:32:27 2019 daemon.info dnsmasq[5404]: using nameserver 66.244.95.20#53 for domain bbs
629:Tue Apr 9 14:47:52 2019 daemon.info dnsmasq[7334]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
630:Tue Apr 9 14:47:52 2019 daemon.info dnsmasq[7334]: using nameserver 127.0.0.1#5353
678:Tue Apr 9 15:10:02 2019 daemon.info dnsmasq[7595]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
679:Tue Apr 9 15:10:02 2019 daemon.info dnsmasq[7595]: using nameserver 127.0.0.1#5353
726:Tue Apr 9 15:14:16 2019 daemon.info dnsmasq[7731]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
727:Tue Apr 9 15:14:16 2019 daemon.info dnsmasq[7731]: using nameserver 127.0.0.1#5353

This didn't happen when I was running the old version of dnscrypt-proxy??
I used to get a two-line output,
one for pool.ntp.org,
one for the nameserver.
Have I got something else wrong in my config?

RomanHK
Posts: 794
Joined: Sat May 04, 2013 4:18 pm
Location: Czech Republik

Re: How too install and use DNSCrypt with Gargoyle

Post by RomanHK »

In the /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv file, there are servers that provide DNSCrypt (a lot of them don't work, yandex works for me). d0wn-cz-ns1 = not working

If it is only for certain domains, it should work:

Code:

4: Fri Feb 15 20:53:45 2019 daemon.info dnsmasq [2556]: 66.244.95.20 # 53 for domain micro

An important parameter is this:

Code:

630:Tue Apr 9 14:47:52 2019 daemon.info dnsmasq[7334]: using nameserver 127.0.0.1#5353

DNSSEC is a little more complicated.

It's good to write configurations here, especially about:
/etc/config/dhcp
/etc/dnsmasq.conf
/etc/config/dnscrypt-proxy


When I get home, I'll test Gargoyle 1.11.X and step by step again.
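
The reply above singles out `using nameserver 127.0.0.1#5353` as the line that matters; any other upstream dnsmasq lists on port 53 is queried without DNSCrypt. As an added example (not from the thread), this script keeps only the entries logged by the newest dnsmasq process, since `logread` also holds lines from instances that have since been restarted, and lists the upstreams that bypass the proxy. The function names and the shortened sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the upstreams the *current* dnsmasq instance forwards to
# and flag any that bypass the local dnscrypt-proxy listener.
# Function names are illustrative; on the router, pipe `logread` in instead.

# Constructed sample, shortened from the log lines quoted in the thread.
sample_log() {
cat <<'EOF'
Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.142.171.235#53 for domain micro
Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 66.244.95.20#53 for domain oss
Tue Apr 9 15:10:02 2019 daemon.info dnsmasq[7595]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Tue Apr 9 15:10:02 2019 daemon.info dnsmasq[7595]: using nameserver 127.0.0.1#5353
Tue Apr 9 15:14:16 2019 daemon.info dnsmasq[7731]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Tue Apr 9 15:14:16 2019 daemon.info dnsmasq[7731]: using nameserver 127.0.0.1#5353
EOF
}

# stdin: syslog text. stdout: "server#port scope" for the newest dnsmasq PID only,
# where scope is a domain name or "default" for the catch-all upstream.
current_upstreams() {
    awk '
    /dnsmasq\[[0-9]+\]: using nameserver / {
        pid = $0; sub(/.*dnsmasq\[/, "", pid); sub(/\].*/, "", pid)
        if (pid != last) { n = 0; last = pid }    # restart seen: drop older instance
        srv = $0; sub(/.*using nameserver /, "", srv)
        scope = "default"
        if (srv ~ / for domain /) {
            scope = srv; sub(/.* for domain /, "", scope)
            sub(/ for domain .*/, "", srv)
        }
        row[++n] = srv " " scope
    }
    END { for (i = 1; i <= n; i++) print row[i] }'
}

# $1 = expected proxy listener. Prints the upstreams that are not the proxy.
bypassing_upstreams() {
    current_upstreams | awk -v want="$1" '$1 != want'
}

# Succeeds if the only catch-all upstream is the proxy.
default_is_proxy() {
    [ "$(current_upstreams | awk '$2 == "default" { print $1 }')" = "$1" ]
}

sample_log | bypassing_upstreams '127.0.0.1#5353'
sample_log | default_is_proxy '127.0.0.1#5353' && echo "default upstream is the proxy"
```

On the sample, the only bypass reported is the per-domain entry for pool.ntp.org, which matches the two-line output described earlier in the thread.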
