How too install and use DNSCrypt with Gargoyle
Re: How too install and use DNSCrypt with Gargoyle
No.
I just disable the firewall rule like I described above, which leads to the consequences as listed.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: How too install and use DNSCrypt with Gargoyle
tapper wrote:
Hi i am still on CC but i use opendns for dns will I still need to use that file?

Well, the ones that start with cisco are the OpenDNS resolvers. Note that there are options for the one with the family shield and the one for IPv6 if you use that.
Actually, the one called "cisco-port53" might solve the adblock problem since it would use port 53.
Re: How too install and use DNSCrypt with Gargoyle
Im having trouble installing DNSCrypt on my router;
gargoyle_1.10.0-ar71xx-generic-tl-wdr4300-v1
Here's what i have tried
installed webshell plugin
ran
Code: Select all
opkg update

(success - outputs list of databases updated)
ran
Code: Select all
opkg install dnscrypt-proxy

webshell output says "success", but nothing else.
when i explore router file system with WinSCP, i cant find dnscrypt
I then tried to install via Putty SSH.
Code: Select all
opkg install dnscrypt-proxy

get the following error
ERROR: No package named dnscrypt-proxy found, try updating your package lists

So i tried following this to add repository
https://oldwiki.archive.openwrt.org/inbox/dnscrypt
using Putty ran,
Code: Select all
cd /tmp
wget 'http://exopenwrt.roland.black/exopenwrt.pub'
opkg-key add exopenwrt.pub

here i experienced another error:
"opkg-key: not found"

I then tried to install the "opkg-key" package but got error
ERROR: No package named opkg-key found, try updating your package lists

So what i did was use WinSCP to rename the file to "1a929a1dd62138c1" (removing the .pub extension)
and copied file to "/etc/opkg/keys/"
Code: Select all
cat /etc/opkg/keys/1a929a1dd62138c1

returns,
untrusted comment: exOpenWrt key
RWQakpod1iE4wYP4nkF7h9+spVBuFAq/mP7N2zkF/DCHrPtf847m8EG/

I then continued with instruction from openwrt page using Putty;
Code: Select all
echo '/etc/opkg/keys/1a929a1dd62138c1' >> /etc/sysupgrade.conf
echo 'src/gz exopenwrt http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt' >> /etc/opkg.conf

Now when i run
Code: Select all
opkg update

i get an error on one of the repositories
Downloading package list for exopenwrt source...
WARNING: Could not retrieve package list for exopenwrt.

So now im STUCK...

What am i doing wrong

BTW, with the ever increasing spy state, would be nice to have encrypted dns as a standard feature please
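
The file name used in the post above is the key's ID, and that can be checked from the key text itself. The following is an added example, not part of the original post or of the OpenWrt tooling: shell functions that decode a usign public key (layout: 2-byte "Ed" tag, 8-byte key ID, 32-byte Ed25519 key) and compare the ID with the file name. The function names and the temporary demo directory are made up for the example; the key text is the one quoted in the post.

```shell
#!/bin/sh
# Added example: check that a key file under /etc/opkg/keys/ is named after
# the key ID stored inside it. Function names are hypothetical.

# Print the 8-byte key ID (16 hex digits) of a usign public key file.
# Line 1 is the "untrusted comment:" line, line 2 the base64 blob, which
# decodes to 42 bytes: "Ed" (0x45 0x64) + 8-byte key ID + 32-byte key.
usign_keyid() {
    blob=$(sed -n '2p' "$1" | tr -d ' \r\n')
    [ -n "$blob" ] || return 1
    hex=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ "${#hex}" -eq 84 ] || return 1          # 42 bytes = 84 hex digits
    case "$hex" in 4564*) ;; *) return 1 ;; esac
    printf '%s\n' "$hex" | cut -c5-20         # bytes 3..10 = key ID
}

# Return 0 only if the file's base name equals the key ID inside it,
# 2 if the file is not a parsable usign public key.
# A match shows the file is named after the key it contains; it does not
# show that a key fetched over plain HTTP is the publisher's real key.
key_name_matches() {
    id=$(usign_keyid "$1") || return 2
    [ "$(basename "$1")" = "$id" ]
}

# Demo: the key text quoted in the post, stored under two names.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'untrusted comment: exOpenWrt key' \
    'RWQakpod1iE4wYP4nkF7h9+spVBuFAq/mP7N2zkF/DCHrPtf847m8EG/' \
    > "$demo_dir/1a929a1dd62138c1"
cp "$demo_dir/1a929a1dd62138c1" "$demo_dir/exopenwrt.pub"

for f in "$demo_dir"/*; do
    if key_name_matches "$f"; then
        echo "OK       $(basename "$f")"
    else
        echo "MISMATCH $(basename "$f") (key ID inside: $(usign_keyid "$f"))"
    fi
done
```
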

Re: How too install and use DNSCrypt with Gargoyle
I don't know what guide you're following, but it is taking you down a very convoluted direction...
dnscrypt-proxy is already available as a package at:
https://archive.openwrt.org/chaos_calme ... /packages/
I expect that you have not read this post: viewtopic.php?f=5&t=11432
and therefore with old repository links you won't find ANY packages.
But you might run into Kernel incompatibilities, which would mean you need to compile your own version and include dnscrypt-proxy in your build.
Additionally, if you are really security inclined, you should be moving to 1.11.x rather than sticking with 1.10.0, otherwise encrypted DNS is the least of your concerns.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: How too install and use DNSCrypt with Gargoyle
Hey Lantis,
Thanks for the fast reply.
I was following the OP, and the openwrt page i linked in my previous post,
then trying to problem solve myself.
I found a typo in my "/etc/opkg.conf"
That FIXED the update problem for the repository i added.
i still WASN'T able to install via the webshell plugin,
but WAS able to install via Putty

Ive just updated "/etc/config/dhcp" as per the OP.
Current Problem:
in windows CMD i run
Code: Select all
ipconfig /flushdns

then
Code: Select all
nslookup -type=txt debug.opendns.com.

the OP says,
One of the entries should be "dnscrypt enabled (<number>)".

I dont see this in the CMD output tho.
Here is the CMD output
C:\Users\home>nslookup -type=txt debug.opendns.com
Server: Gargoyle.lan
Address: 192.168.1.1
opendns.com
primary name server = auth1.opendns.com
responsible mail addr = noc.opendns.com
serial = 1554471595
refresh = 16384 (4 hours 33 mins 4 secs)
retry = 2048 (34 mins 8 secs)
expire = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 2560 (42 mins 40 secs)
(root) ??? unknown type 41 ???

Is there another way to test if the encrypted dns is working

FYI, i left off "list rebind_domain 'free.aero2.net.pl'" because i dont know what it did..? and url seems kind scammy?

Lantis wrote:
I expect that you have not read this post: viewtopic.php?f=5&t=11432

you're correct, i hadn't seen that.
i will change "downloads.openwrt" to "archive.openwrt" in the /etc/opkg.conf

Lantis wrote:
Additionally, if you are really security inclined, you should be moving to 1.11.x rather than sticking with 1.10.0, otherwise encrypted DNS is the least of your concerns.

Oh i wasnt aware 1.10 had vulnerabilities, i usually always wait for the stable, but now i know i will make the transition. thanks.
Re: How too install and use DNSCrypt with Gargoyle
GarGoy wrote:
webshell output says "success", but nothing else.

Unfortunately, this plugin will execute commands regardless of the error message in the background.
You should just overwrite /etc/opkg.conf with this:
Code: Select all
src/gz chaos_calmer_base http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base
src/gz chaos_calmer_management http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/management
src/gz chaos_calmer_packages http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages
src/gz chaos_calmer_routing http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/routing
src/gz chaos_calmer_telephony http://archive.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/telephony
src/gz gargoyle http://www.gargoyle-router.com/packages/gargoyle-1.10.0/ar71xx/default
dest root /
dest ram /tmp
dest plugin_root /plugin_root
lists_dir ext /var/opkg-lists
option overlay_root /overlay
1) If you want to install your own package, try this as follows (I recommend using PuTTY):
Code: Select all
wget 'http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt/libsodium_1.0.11-1.E_ar71xx.ipk' -P /tmp/
wget 'http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt/dnscrypt-proxy-resolvers_1.7.0-1.E-2016-08-01-22ff30b_ar71xx.ipk' -P /tmp/
wget 'http://exopenwrt.roland.black/chaos_calmer/15.05.1/ar71xx/packages/exopenwrt/dnscrypt-proxy_1.7.0-1.E_ar71xx.ipk' -P /tmp/
opkg install /tmp/libsodium_1.0.11-1.E_ar71xx.ipk
opkg install /tmp/dnscrypt-proxy-resolvers_1.7.0-1.E-2016-08-01-22ff30b_ar71xx.ipk
opkg install /tmp/dnscrypt-proxy_1.7.0-1.E_ar71xx.ipk
Code: Select all
config dnscrypt-proxy ns1
	option address '127.0.0.1'
	option port '5353'
	option resolver 'yandex'
	option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
	# Ephemeral keys option requires extra CPU cycles and can cause huge system load.
	#option ephemeral_keys '0'

#config dnscrypt-proxy ns2
#	option address '127.0.0.1'
#	option port '5454'
#	#option resolver 'd0wn-random-ns1'
#	#option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
#	#option ephemeral_keys '0'

4) Insert rows into /etc/dnsmasq.conf configuration:
Code: Select all
no-resolv
server="127.0.0.1#5353"
After rebooting:
Code: Select all
root@Gargoyle:~# ping -c4 google.com
PING google.com (173.194.222.138): 56 data bytes
64 bytes from 173.194.222.138: seq=0 ttl=39 time=56.158 ms
64 bytes from 173.194.222.138: seq=1 ttl=39 time=52.780 ms
64 bytes from 173.194.222.138: seq=2 ttl=39 time=53.448 ms
64 bytes from 173.194.222.138: seq=3 ttl=39 time=53.272 ms
--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 52.780/53.914/56.158 ms
root@Gargoyle:~#
root@Gargoyle:~# nslookup gargoyle.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost
Name: gargoyle.com
Address 1: 199.59.242.151
root@Gargoyle:~#
root@Gargoyle:~# ps | grep dnscrypt-proxy
1444 nobody 1384 S /usr/sbin/dnscrypt-proxy -u nobody -S -a 127.0.0.1:5
2849 root 1356 S grep dnscrypt-proxy
root@Gargoyle:~#
root@Gargoyle:~# logread | grep dnscrypt-proxy
Fri Apr 5 20:01:02 2019 daemon.notice dnscrypt-proxy[1444]: Starting dnscrypt-proxy 1.7.0
Fri Apr 5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Generating a new session key pair
Fri Apr 5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Done
Fri Apr 5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Server certificate with serial #1547797595 received
Fri Apr 5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: This certificate is valid
Fri Apr 5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Chosen certificate #1547797595 is valid from [2019-01-18] to [2020-01-18]
Fri Apr 5 20:01:02 2019 daemon.info dnscrypt-proxy[1444]: Server key fingerprint is 8DF9:C0B3:1881:1DFB:0518:E1DF:9FC1:5571:881D:E465:87F5:72C9:187D:9E24:866A:1321
Fri Apr 5 20:01:02 2019 daemon.notice dnscrypt-proxy[1444]: Proxying from 127.0.0.1:5353 to 77.88.8.78:15353
root@Gargoyle:~#
root@Gargoyle:~# logread | grep dnsmasq
Fri Apr 5 20:00:18 2019 daemon.info dnsmasq[1829]: started, version 2.78 cachesize 150
Fri Apr 5 20:00:18 2019 daemon.info dnsmasq[1829]: DNS service limited to local subnets
Fri Apr 5 20:00:18 2019 daemon.info dnsmasq[1829]: compile time options: no-IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify
Fri Apr 5 20:00:18 2019 daemon.warn dnsmasq[1829]: warning: ignoring resolv-file flag because no-resolv is set
Fri Apr 5 20:00:18 2019 daemon.info dnsmasq-dhcp[1829]: DHCP, IP range 192.168.2.100 -- 192.168.2.249, lease time 12h
Fri Apr 5 20:00:18 2019 daemon.info dnsmasq[1829]: using local addresses only for domain lan
Fri Apr 5 20:00:18 2019 daemon.info dnsmasq[1829]: using nameserver 127.0.0.1#5353
Fri Apr 5 20:00:18 2019 daemon.info dnsmasq[1829]: read /etc/hosts - 2 addresses
Fri Apr 5 20:00:18 2019 daemon.info dnsmasq[1829]: read /tmp/hosts/dhcp - 1 addresses
Fri Apr 5 20:00:18 2019 daemon.info dnsmasq-dhcp[1829]: read /etc/ethers - 0 addresses
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
Re: How too install and use DNSCrypt with Gargoyle
Thanks for the help guys,
got it working.
Not having the repositories fixed is what caused all the trouble
I ended up having to reflash on gargoyle to undo all the mess i made,
With the correct repositories everything went a lot smoother.
Something odd tho,
says im running version 1.4.3
but on this github page it says latest version is 2.0.22 ??
https://github.com/jedisct1/dnscrypt-proxy
Re: How too install and use DNSCrypt with Gargoyle
GarGoy wrote:
Something odd tho,
says im running version 1.4.3
but on this github page it says latest version is 2.0.22 ??
https://github.com/jedisct1/dnscrypt-proxy

I got your post with the address http://exopenwrt.roland.black/, so the tested version is 1.7.0.
To explain:
Gargoyle 1.10.0 = DNSCrypt v1.4.3 from the OpenWrt 15.05 repository.
Gargoyle 1.11.0 = DNSCrypt v1.9.5 from the OpenWrt 18.06-SNAPSHOT repository.
DNSCrypt v2.0.22 not yet officially in the OpenWrt repository.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
Re: How too install and use DNSCrypt with Gargoyle
RomanHK wrote:
GarGoy wrote:
Something odd tho,
says im running version 1.4.3
but on this github page it says latest version is 2.0.22 ??
https://github.com/jedisct1/dnscrypt-proxy
I got your post with the address http://exopenwrt.roland.black/, so the tested version is 1.7.0.
To explain:
Gargoyle 1.10.0 = DNSCrypt v1.4.3 from the OpenWrt 15.05 repository.
Gargoyle 1.11.0 = DNSCrypt v1.9.5 from the OpenWrt 18.06-SNAPSHOT repository.
DNSCrypt v2.0.22 not yet officially in the OpenWrt repository.

Thanks for your detailed and excellent replies RomanHK.
I've successfully upgraded to Gargoyle 1.11.0 on my WDR4300.
Right now im successfully using Yandex dns with dnscrypt-proxy,
but would like a server with DNSSEC support, outside the 14 eyes, without data retention laws.
Looking at the '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
I see ONE possible candidate
d0wn-cz-ns1
but sites stop loading when i put 'd0wn-cz-ns1' in /etc/config/dnscrypt-proxy
Code: Select all
config dnscrypt-proxy
	option address '127.0.0.1'
	option port '5353'
	#option resolver 'yandex'
	option resolver 'd0wn-cz-ns1'
	#option resolver 'd0wn-ro-ns1'
	#option resolver 'opendns'
	#option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'

or my config wrong?
One last thing, that may or may not be a problem.
when i run
Code: Select all
logread | grep -n "using nameserver"

root@Gargoyle:~# logread | grep -n "using nameserver"
2:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.142.171.235#53 for domain micro
3:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.211.32.162#53 for domain micro
4:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 66.244.95.20#53 for domain micro
5:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.142.171.235#53 for domain oss
6:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.211.32.162#53 for domain oss
7:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 66.244.95.20#53 for domain oss
8:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.142.171.235#53 for domain null
9:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.211.32.162#53 for domain null
10:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 66.244.95.20#53 for domain null
**(removed hundreds of lines of similar entries)**
432:Tue Apr 9 14:32:27 2019 daemon.info dnsmasq[5404]: using nameserver 66.244.95.20#53 for domain bbs
629:Tue Apr 9 14:47:52 2019 daemon.info dnsmasq[7334]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
630:Tue Apr 9 14:47:52 2019 daemon.info dnsmasq[7334]: using nameserver 127.0.0.1#5353
678:Tue Apr 9 15:10:02 2019 daemon.info dnsmasq[7595]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
679:Tue Apr 9 15:10:02 2019 daemon.info dnsmasq[7595]: using nameserver 127.0.0.1#5353
726:Tue Apr 9 15:14:16 2019 daemon.info dnsmasq[7731]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
727:Tue Apr 9 15:14:16 2019 daemon.info dnsmasq[7731]: using nameserver 127.0.0.1#5353

This didnt happen when i was running the old version of dnscrypt-proxy??
I used to get a two line output,
One for pool.ntp.org
one for nameserver
Have i got something else wrong in my config?
Re: How too install and use DNSCrypt with Gargoyle
In the /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv file, there are servers that provide DNSCrypt (a lot of them don't work, yandex works for me). d0wn-cz-ns1 = not working
If it is only for certain domains, it should work:
Code: Select all
4:Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 66.244.95.20#53 for domain micro

An important parameter is this:
Code: Select all
630:Tue Apr 9 14:47:52 2019 daemon.info dnsmasq[7334]: using nameserver 127.0.0.1#5353

DNSSEC is a little more complicated.
It's good to write configurations here, especially about:
/etc/config/dhcp
/etc/dnsmasq.conf
/etc/config/dnscrypt-proxy
When I get home, I'll test Gargoyle 1.11.X and step by step again.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
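
The check discussed in the last two posts (which upstream servers dnsmasq is using) can be scripted. This is an added example, not code from any poster: it reads `logread` output, keeps only the most recent dnsmasq process, and lists upstreams other than the dnscrypt-proxy listener. `127.0.0.1#5353` is taken from the configuration in the thread, the sample lines are copied from the log quoted above, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example: which upstream servers is the running dnsmasq using?
# Assumption: dnscrypt-proxy listens on 127.0.0.1#5353 (as in the thread).
PROXY='127.0.0.1#5353'

# stdin: syslog lines (e.g. from logread). stdout: "upstream<TAB>domain",
# one line per pair, for the most recent dnsmasq PID only, so entries
# logged by earlier dnsmasq processes are not reported as current state.
latest_upstreams() {
    awk '
        /dnsmasq\[[0-9]+\]: using nameserver / {
            match($0, /dnsmasq\[[0-9]+\]/)
            pid = substr($0, RSTART, RLENGTH)
            if (pid != last) { last = pid; n = 0; split("", seen) }
            sub(/^.*using nameserver /, "")
            dom = ($2 == "for" && $3 == "domain") ? $4 : "(default)"
            if (!(($1, dom) in seen)) { seen[$1, dom] = 1; out[++n] = $1 "\t" dom }
        }
        END { for (i = 1; i <= n; i++) print out[i] }'
}

# Upstreams other than the local proxy: queries for these domains are not
# sent through dnscrypt-proxy on $PROXY.
plain_upstreams() {
    latest_upstreams | awk -F '\t' -v p="$PROXY" '$1 != p'
}

# Succeeds only if a default upstream exists and every default is the proxy.
default_via_proxy_only() {
    latest_upstreams | awk -F '\t' -v p="$PROXY" '
        $2 == "(default)" { d++; if ($1 != p) bad = 1 }
        END { exit (d > 0 && !bad) ? 0 : 1 }'
}

# Sample input: lines copied from the log quoted earlier in the thread.
sample_log() {
    cat <<'EOF'
Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 95.142.171.235#53 for domain micro
Fri Feb 15 20:53:45 2019 daemon.info dnsmasq[2556]: using nameserver 66.244.95.20#53 for domain micro
Tue Apr 9 14:47:52 2019 daemon.info dnsmasq[7334]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Tue Apr 9 14:47:52 2019 daemon.info dnsmasq[7334]: using nameserver 127.0.0.1#5353
Tue Apr 9 15:14:16 2019 daemon.info dnsmasq[7731]: using nameserver 208.67.222.222#53 for domain pool.ntp.org
Tue Apr 9 15:14:16 2019 daemon.info dnsmasq[7731]: using nameserver 127.0.0.1#5353
EOF
}

echo "upstreams not going through $PROXY (latest dnsmasq run):"
sample_log | plain_upstreams
if sample_log | default_via_proxy_only; then
    echo "default upstream: $PROXY only"
else
    echo "default upstream is NOT limited to $PROXY"
fi
```

On the router the same functions take live input, for example `logread | plain_upstreams`.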