Can’t catch IPs for IPSET in router because of DNSCrypt on my PC

Have you already stripped LuCI from your build?

I've considered that, but it'll be difficult for me to configure settings over SSH from time to time. I'm still a noob in Linux. So I kept it. Btw, I'm trying to fit that given dnscrypt package into flash. But is it version 1 or 2? Does it support Cloudflare DNS?

Extensibility issues

Barely enough Flash to accommodate OpenWrt firmware image

  • 4MB min (won't be able to install luci web interface) / 8MB better (will fit luci and some other applications)

  • 4MB can work, but are no fun to work with. >4MB will make you happier than 4MB or below.

  • 4MB devices can't fit anything noteworthy unless you use the Image Generator (Image Builder) (that requires a Linux system and some mild experience) or use Extroot. Experienced users creating custom builds may be able to save firmware space, but many packages won't ever fit no matter what you do.

  • If you want to be sure you can install at least a few additional software packages, 8MB (or more) of flash and 64MB (or more) of RAM are the only choice.

Most probably, you will not be able to install the following popular packages (and others) on a device with only 4MB flash:

  • VPNs and any other package requiring encryption

[...]

It's true. But I gotta use what I have for now. Btw guys, does that dnscrypt package support Cloudflare DNS? If not, then I would just skip dnscrypt until I buy a new router.

I am not familiar with the setup and configuration of DNSCrypt.

I would just send traffic over a VPN or something (I do not trust most of the current companies providing encrypted DNS). You may want to search the forums for others who successfully set up DNSCrypt on their router:

https://forum.openwrt.org/search?q=dnscrypt

I'd personally buy a new router to solve the space issue.

Removing LuCI saves a lot of space!

:open_mouth:

What did you install!?!?


What provider did you configure?

Don't panic haha :stuck_out_tongue: I mean protocol version 2
https://dnscrypt.info/protocol/

Edit:

Removing LuCI saves a lot of space!

I know, I know, but I'm not tech-savvy enough to change settings from time to time without a GUI. LuCI is completely mandatory :sweat:

OK...I would surmise that DNSCrypt software speaks the DNSCrypt protocol...so I'm not sure how helpful the protocol whitepaper is.

From: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/README.md

Overview

A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt.

Feel free to read manuals and README.md files of software you choose to install on your device. There's likely more information on the "Enable Plugin support" button also.

Maybe you can finish major configs - then make a custom firmware to remove it when done.


Test build, based on the package list at the beginning of the link you gave, without LuCI

CONFIG_TARGET_ath79=y
CONFIG_TARGET_ath79_tiny=y
CONFIG_TARGET_ath79_tiny_DEVICE_tplink_tl-wr841-v8=y
CONFIG_DEVEL=y
CONFIG_BUILD_LOG=y
CONFIG_CCACHE=y
CONFIG_DOWNLOAD_FOLDER="/home/jeff/devel/openwrt_dl"
CONFIG_LIBSODIUM_MINIMAL=y
CONFIG_PACKAGE_dnscrypt-proxy=y
CONFIG_PACKAGE_dnscrypt-proxy-resolvers=y
CONFIG_PACKAGE_ip-full=y
CONFIG_PACKAGE_ipset=y
CONFIG_PACKAGE_iptables-mod-conntrack-extra=y
CONFIG_PACKAGE_iptables-mod-ipopt=y
CONFIG_PACKAGE_iptables-mod-nat-extra=y
CONFIG_PACKAGE_kmod-asn1-decoder=y
CONFIG_PACKAGE_kmod-crypto-crc32c=y
CONFIG_PACKAGE_kmod-crypto-hash=y
CONFIG_PACKAGE_kmod-ipt-conntrack-extra=y
CONFIG_PACKAGE_kmod-ipt-ipopt=y
CONFIG_PACKAGE_kmod-ipt-ipset=y
CONFIG_PACKAGE_kmod-ipt-nat-extra=y
CONFIG_PACKAGE_kmod-ipt-raw=y
CONFIG_PACKAGE_kmod-lib-crc32c=y
CONFIG_PACKAGE_kmod-lib-textsearch=y
CONFIG_PACKAGE_kmod-netem=y
CONFIG_PACKAGE_kmod-nf-nathelper-extra=y
CONFIG_PACKAGE_kmod-nfnetlink=y
CONFIG_PACKAGE_kmod-sched=y
CONFIG_PACKAGE_kmod-sched-cake=y
CONFIG_PACKAGE_kmod-sched-core=y
CONFIG_PACKAGE_kmod-veth=y
CONFIG_PACKAGE_libcap=y
CONFIG_PACKAGE_libelf=y
CONFIG_PACKAGE_libipset=y
CONFIG_PACKAGE_libmnl=y
CONFIG_PACKAGE_libsodium=y
CONFIG_PACKAGE_zlib=y

You need at least five free erase blocks for a valid JFFS2 image, 640 kB, if my memory is correct.

TP-Link 4 MB flash allows for a 3904 kB total image, so what you flash can't be larger than 3264 kB (at least as I understand it).

And, in fact, the image fails to build.

[mktplinkfw] *** error: images are too big by 300476 bytes

Honestly Jeff, that is really helpful for me rn :grin: I've got a few modifications to make; let's see if I can build one with all these modules combined.
I'll update you guys later. Thanks for being so patient & helpful :smiley:

With ~300 kB or more to save (I don't know if that includes reservation for the erase blocks or not), I think that's going to be quite an uphill battle.

Installed the Luci-dnscrypt module & got it running on the router for testing. It doesn't show Cloudflare DNS though, and for most servers it gives me a "dnscrypt-proxy Unable to retrieve server certificates" error.

  1. How can I add Cloudflare DNS in the config?
  2. How can I solve the "Unable to retrieve server certificates" error? (If you guys know; I'll google it in the meantime)

This is my build config file. I managed to install the previous modules + Luci-dnscrypt

CONFIG_TARGET_ar71xx=y
CONFIG_TARGET_ar71xx_tiny=y
CONFIG_TARGET_ar71xx_tiny_DEVICE_tl-wr841-v8=y
# CONFIG_BUSYBOX_DEFAULT_FEATURE_IPV6 is not set
CONFIG_CLEAN_IPKG=y
# CONFIG_DRIVER_11N_SUPPORT is not set
# CONFIG_DRIVER_11W_SUPPORT is not set
# CONFIG_IPV6 is not set
# CONFIG_KERNEL_CRASHLOG is not set
# CONFIG_KERNEL_DEBUG_FS is not set
# CONFIG_KERNEL_IPV6 is not set
# CONFIG_KERNEL_MAGIC_SYSRQ is not set
# CONFIG_KERNEL_PRINTK is not set
# CONFIG_KERNEL_PRINTK_TIME is not set
CONFIG_KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE=3
CONFIG_LIBSODIUM_MINIMAL=y
CONFIG_LUCI_SRCDIET=y
CONFIG_PACKAGE_adblock=y
CONFIG_PACKAGE_cgi-io=y
CONFIG_PACKAGE_dnscrypt-proxy=y
CONFIG_PACKAGE_dnscrypt-proxy-resolvers=y
# CONFIG_PACKAGE_dnsmasq is not set
CONFIG_PACKAGE_dnsmasq-full=y
CONFIG_PACKAGE_dnsmasq_full_broken_rtc=y
CONFIG_PACKAGE_dnsmasq_full_conntrack=y
CONFIG_PACKAGE_dnsmasq_full_dhcp=y
CONFIG_PACKAGE_dnsmasq_full_ipset=y
CONFIG_PACKAGE_dnsmasq_full_noid=y
CONFIG_PACKAGE_dnsmasq_full_tftp=y
# CONFIG_PACKAGE_hostapd-common is not set
CONFIG_PACKAGE_ip-full=y
CONFIG_PACKAGE_ipset=y
CONFIG_PACKAGE_iptables-mod-conntrack-extra=y
CONFIG_PACKAGE_iptables-mod-extra=y
CONFIG_PACKAGE_iptables-mod-hashlimit=y
CONFIG_PACKAGE_iptables-mod-ipopt=y
CONFIG_PACKAGE_iptables-mod-nat-extra=y
# CONFIG_PACKAGE_iw is not set
# CONFIG_PACKAGE_iwinfo is not set
# CONFIG_PACKAGE_kmod-ath is not set
# CONFIG_PACKAGE_kmod-ath9k is not set
# CONFIG_PACKAGE_kmod-cfg80211 is not set
CONFIG_PACKAGE_kmod-crypto-acompress=y
CONFIG_PACKAGE_kmod-ifb=y
CONFIG_PACKAGE_kmod-ipt-conntrack-extra=y
CONFIG_PACKAGE_kmod-ipt-extra=y
CONFIG_PACKAGE_kmod-ipt-hashlimit=y
CONFIG_PACKAGE_kmod-ipt-ipopt=y
CONFIG_PACKAGE_kmod-ipt-ipset=y
CONFIG_PACKAGE_kmod-ipt-nat-extra=y
# CONFIG_PACKAGE_kmod-ipt-offload is not set
CONFIG_PACKAGE_kmod-ipt-raw=y
CONFIG_PACKAGE_kmod-lib-lz4=y
CONFIG_PACKAGE_kmod-lib-lzo=y
CONFIG_PACKAGE_kmod-lib-textsearch=y
# CONFIG_PACKAGE_kmod-mac80211 is not set
CONFIG_PACKAGE_kmod-nf-conntrack-netlink=y
# CONFIG_PACKAGE_kmod-nf-flow is not set
# CONFIG_PACKAGE_kmod-nf-ipt6 is not set
CONFIG_PACKAGE_kmod-nf-nathelper-extra=y
CONFIG_PACKAGE_kmod-nfnetlink=y
CONFIG_PACKAGE_kmod-sched-cake=y
CONFIG_PACKAGE_kmod-sched-connmark=y
CONFIG_PACKAGE_kmod-sched-core=y
CONFIG_PACKAGE_kmod-zram=y
CONFIG_PACKAGE_libcap=y
CONFIG_PACKAGE_libelf=y
# CONFIG_PACKAGE_libip6tc is not set
CONFIG_PACKAGE_libipset=y
CONFIG_PACKAGE_libiwinfo-lua=y
CONFIG_PACKAGE_liblua=y
CONFIG_PACKAGE_liblucihttp=y
CONFIG_PACKAGE_liblucihttp-lua=y
CONFIG_PACKAGE_libmbedtls=y
CONFIG_PACKAGE_libmnl=y
CONFIG_PACKAGE_libnatpmp=y
CONFIG_PACKAGE_libnetfilter-conntrack=y
CONFIG_PACKAGE_libnfnetlink=y
CONFIG_PACKAGE_librt=y
CONFIG_PACKAGE_libsodium=y
CONFIG_PACKAGE_libubus-lua=y
CONFIG_PACKAGE_libustream-mbedtls=y
CONFIG_PACKAGE_libuuid=y
CONFIG_PACKAGE_lua=y
CONFIG_PACKAGE_luci=y
CONFIG_PACKAGE_luci-app-adblock=y
CONFIG_PACKAGE_luci-app-dnscrypt-proxy=y
CONFIG_PACKAGE_luci-app-firewall=y
CONFIG_PACKAGE_luci-app-opkg=y
CONFIG_PACKAGE_luci-app-sqm=y
CONFIG_PACKAGE_luci-app-upnp=y
CONFIG_PACKAGE_luci-base=y
CONFIG_PACKAGE_luci-compat=y
CONFIG_PACKAGE_luci-lib-httpprotoutils=y
CONFIG_PACKAGE_luci-lib-ip=y
CONFIG_PACKAGE_luci-lib-jsonc=y
CONFIG_PACKAGE_luci-lib-nixio=y
CONFIG_PACKAGE_luci-mod-admin-full=y
CONFIG_PACKAGE_luci-mod-network=y
CONFIG_PACKAGE_luci-mod-status=y
CONFIG_PACKAGE_luci-mod-system=y
CONFIG_PACKAGE_luci-proto-ppp=y
CONFIG_PACKAGE_luci-theme-bootstrap=y
CONFIG_PACKAGE_miniupnpd=y
# CONFIG_PACKAGE_openwrt-keyring is not set
CONFIG_PACKAGE_rpcd=y
CONFIG_PACKAGE_rpcd-mod-file=y
CONFIG_PACKAGE_rpcd-mod-iwinfo=y
CONFIG_PACKAGE_rpcd-mod-luci=y
CONFIG_PACKAGE_rpcd-mod-rrdns=y
CONFIG_PACKAGE_sqm-scripts=y
CONFIG_PACKAGE_tc=y
CONFIG_PACKAGE_uhttpd=y
# CONFIG_PACKAGE_usign is not set
# CONFIG_PACKAGE_wireless-regdb is not set
# CONFIG_PACKAGE_wpad-mini is not set
CONFIG_PACKAGE_zlib=y
# CONFIG_PKG_CHECK_FORMAT_SECURITY is not set
# CONFIG_SIGNATURE_CHECK is not set
# CONFIG_SIGNED_PACKAGES is not set
CONFIG_STRIP_KERNEL_EXPORTS=y
CONFIG_TARGET_SQUASHFS_BLOCK_SIZE=256
CONFIG_USE_MKLIBS=y
CONFIG_ZLIB_OPTIMIZE_SPEED=y
# CONFIG_PACKAGE_dnsmasq_full_auth is not set
# CONFIG_PACKAGE_dnsmasq_full_dnssec is not set
# CONFIG_PACKAGE_libgmp is not set
# CONFIG_PACKAGE_libnettle is not set
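
An added check, not part of the original thread or of OpenWrt's own tooling: the config posted above explicitly turns off several package-signing and verification options (`CONFIG_SIGNATURE_CHECK`, `CONFIG_SIGNED_PACKAGES`, `usign`, `openwrt-keyring`), and this script lists such lines in a diffconfig so they can be reviewed before flashing. The function names, the constructed sample input and the one-line descriptions are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag hardening options a diffconfig explicitly turns off.
# Option names come from the config above; the descriptions are summaries.
SECURITY_OPTS='CONFIG_SIGNATURE_CHECK:opkg will not check package list signatures
CONFIG_SIGNED_PACKAGES:the build will not sign its package lists
CONFIG_PACKAGE_usign:no signature verification tool in the image
CONFIG_PACKAGE_openwrt-keyring:no OpenWrt feed public keys in the image
CONFIG_PKG_CHECK_FORMAT_SECURITY:format-security compiler check is off'

# audit_config FILE: print one finding per disabled option.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_config() {
    cfg=$1
    found=0
    while IFS=: read -r opt why; do
        # Kconfig writes a disabled symbol as "# NAME is not set".
        if grep -qFx "# ${opt} is not set" "$cfg"; then
            printf '%s disabled: %s\n' "$opt" "$why"
            found=$((found + 1))
        fi
    done <<EOF
$SECURITY_OPTS
EOF
    [ "$found" -eq 0 ]
}

# Constructed sample: a few lines in the same format as the config above.
sample_config() {
    cat <<'EOF'
CONFIG_PACKAGE_dnscrypt-proxy=y
# CONFIG_IPV6 is not set
# CONFIG_PACKAGE_usign is not set
# CONFIG_SIGNATURE_CHECK is not set
# CONFIG_SIGNED_PACKAGES is not set
CONFIG_PACKAGE_zlib=y
EOF
}

if [ $# -gt 0 ]; then
    audit_config "$1" || exit 1
else
    tmp=$(mktemp)
    sample_config > "$tmp"
    audit_config "$tmp" || true
    rm -f "$tmp"
fi
```

Run it with the path to a diffconfig as the only argument; with no argument it audits the constructed sample.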

CA certs, perhaps?

Okay I'll confirm it. ca-cert is enough right? & not ca-bundle?
Edit: Also how can I add cloudflare DNS in it?

define Package/ca-certificates
  SECTION:=base
  CATEGORY:=Base system
  TITLE:=System CA certificates
  PKGARCH:=all
endef

define Package/ca-bundle
  SECTION:=base
  CATEGORY:=Base system
  TITLE:=System CA certificates as a bundle
  PKGARCH:=all
endef

Basically the same content, installed differently. Bundle should be fine.


See Dnscrypt-Proxy section at:

Also see: https://openwrt.org/docs/guide-user/services/dns/dnscrypt_dnsmasq_dnscrypt-proxy

Maybe because there's no DNS server to download/check the certs?

It says

Verify that the dnscrypt-proxy is installed, and at least version 2.0

So guess I can't add cloudflare DNS in this 1.9.5-8 version. Otherwise developer could have added it already, couldn't he?

Okay guys, I'll stop here. I can't add ca-bundle; it says it needs 94KB extra, which I can't afford by removing other modules. I also can't add Cloudflare DNS in the config. So ig that's all then. Anyways, thank you so much guys for your help! :grin:

I would second the recommendation to try https_dns_proxy.

Haha, I've tried that already, but due to lots of dependencies it requires around 94 KB (almost the same as before). But thanks for the suggestion :slight_smile:


Followed this post. Used the author's script, made a slight modification & installed https_dns_proxy along with all the other modules (Yet have 200 KB > free flash space). Everything works now, smooth af.