Thanks for creating this thread @davidc502! I feel at home again and not a forum wanderer anymore.
Please consider enabling hardware crypto support in OpenSSL:
Note: Do not enable hardware digest support, since it breaks some TLS handshakes.
Do we know which commits need to be reverted to support darkmatter again? (I was trying to figure that out myself... but perhaps there are too many?)
Thanks David, glad to see a thread again
May I ask why? Just curious is all:)
What's the difference between the dnscrypt-proxy bundled with your build and the one in the Wiki? And can the latter not be included in the build to begin with?
dnscrypt-proxy v1 is included with the current davidc502 builds. The wiki is for dnscrypt-proxy v2. Information on the differences between the two can be found here: https://github.com/jedisct1/dnscrypt-proxy/wiki/Differences-to-v1
There is active development on v2 and the latest binary is 2.0.15. I have 2.0.14 installed on an extra router that I'm using as a travel VPN router and it's stable and working great. I will update to 2.0.15 or later when I'm not as busy.
Version 1 is much faster, load balanced and secure.
When deploying something like that for everyone... keep in mind, not everyone uses it; it takes a lot of thought and process to get it right. And what I mean by getting it right is not screwing people up... Some people might still prefer Version 1, for example. No thank you. I don't want the headaches that will be associated with a customization like that. The few people who want it can take 5 minutes, when they upgrade, to get it working again. Since Version 1 isn't viable anymore, at some point it will be pushed to trunk after being thoroughly tested across all the different platforms. Well, I can only hope it is thoroughly tested.
Dear WrtBoy... looks like you're an expert on dnscrypt-proxy... I've been using it forever, but now with the upgrade to v2 as per DavidC502's recommendation, I'm not sure I'm resolving correctly... look at this:
dnscrypt-proxy -resolve google.com
Resolving [google.com]
Domain exists: yes, 4 name servers found
Canonical name: google.com.
IP addresses: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 2800:3f0:4003:c01::8b
TXT records: v=spf1 include:_spf.google.com ~all
docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e
facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95
Resolver IP: 18.104.22.168 (jaspe.gtdinternet.com.)
jaspe.gtdinternet.com is a server at my ISP ... if I do this:
traceroute to 22.214.171.124 (126.96.36.199), 30 hops max, 38 byte packets
1 reverso.190.215.14.operaciones.gtdinternet.com (188.8.131.52) 5.065 ms 5.183 ms 5.626 ms
2 192.168.50.13 (192.168.50.13) 6.087 ms 5.367 ms 5.662 ms
3 192.168.50.12 (192.168.50.12) 6.804 ms 5.230 ms 5.908 ms
4 cn2.ae5.200.agre2MQ.gtdinternet.com (184.108.40.206) 5.632 ms 6.444 ms 5.576 ms
5 cn1.ae2.20.arbor.gtdinternet.com (220.127.116.11) 29.087 ms 3.313 ms 5.803 ms
6 18.104.22.168 (22.214.171.124) 5.784 ms 5.443 ms 5.799 ms
7 1dot1dot1dot1.cloudflare-dns.com (126.96.36.199) 5.903 ms 5.196 ms 5.654 ms
Also weird... nothing in the world can resolve in 5 milliseconds if going outside of my country (Chile), unless 188.8.131.52 has a DNS server co-located with my ISP (which may be the case, I just don't know).
But... when i go look at the logs of dnscrypt, it is logging the blacklisted domains, and it is actually blocking the requests ... this is the app log:
[2018-06-20 19:21:44] [NOTICE] Source [public-resolvers.md] loaded
[2018-06-20 19:21:44] [NOTICE] dnscrypt-proxy 2.0.14
[2018-06-20 19:21:44] [NOTICE] Loading the set of blocking rules from [/mnt/sdb1/dnslogs/dnscrypt-blacklist-domains.txt]
[2018-06-20 19:21:45] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2018-06-20 19:21:45] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2018-06-20 19:21:45] [NOTICE] [cloudflare] OK (DoH) - rtt: 4ms
[2018-06-20 19:21:45] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 4ms)
[2018-06-20 19:21:45] [NOTICE] dnscrypt-proxy is ready - live servers: 1
So basically it looks like it's working ... but the "dnscrypt-proxy -resolve google.com" results confused me...
It appears the proxy is not using the right DNS resolver.
Ensure your /etc/config/dhcp file does not have the line
option resolvfile '/tmp/resolv.conf.auto'
but has the line
list server '127.0.0.1#5353'
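To check the dnsmasq side of this, here is an added example (not from the thread or from the davidc502 builds): a shell function that inspects an /etc/config/dhcp file for the two lines above. It also looks for option noresolv '1', which the post does not mention but which is what stops dnsmasq from falling back to its default resolver file when resolvfile is simply removed. The sample configs it runs against are constructed, not the poster's real file.

```shell
#!/bin/sh
# Added example, not from the thread: check whether /etc/config/dhcp points
# dnsmasq at the local dnscrypt-proxy listener (127.0.0.1#5353) rather than
# at the ISP resolvers dnsmasq picks up from /tmp/resolv.conf.auto.
# Exit codes: 0 = looks right, 1 = resolvfile still set, 2 = server entry missing.
check_dhcp_config() {
    cfg="$1"
    if grep -Eq "^[[:space:]]*option[[:space:]]+resolvfile[[:space:]]+'/tmp/resolv.conf.auto'" "$cfg"; then
        echo "$cfg: dnsmasq still reads ISP resolvers from /tmp/resolv.conf.auto" >&2
        return 1
    fi
    if ! grep -Eq "^[[:space:]]*list[[:space:]]+server[[:space:]]+'127\.0\.0\.1#5353'" "$cfg"; then
        echo "$cfg: no list server '127.0.0.1#5353' entry, dnscrypt-proxy is bypassed" >&2
        return 2
    fi
    # noresolv '1' is what actually stops dnsmasq from consulting its default
    # resolver file; warn if it is absent but do not fail the check.
    grep -Eq "^[[:space:]]*option[[:space:]]+noresolv[[:space:]]+'1'" "$cfg" \
        || echo "$cfg: note: option noresolv '1' not set" >&2
    return 0
}

# Constructed sample configs (not a real router's file) so this runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/dhcp.isp" <<'EOF'
config dnsmasq
    option domainneeded '1'
    option resolvfile '/tmp/resolv.conf.auto'
EOF
cat > "$SAMPLE_DIR/dhcp.noserver" <<'EOF'
config dnsmasq
    option domainneeded '1'
    option noresolv '1'
EOF
cat > "$SAMPLE_DIR/dhcp.ok" <<'EOF'
config dnsmasq
    option domainneeded '1'
    option noresolv '1'
    list server '127.0.0.1#5353'
EOF

for f in dhcp.isp dhcp.noserver dhcp.ok; do
    check_dhcp_config "$SAMPLE_DIR/$f" && echo "$f: OK"
done
```

On a router, run check_dhcp_config /etc/config/dhcp and then restart dnsmasq; only dhcp.ok in the samples passes, the other two report why they fail.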
|IP |Hostname |ISP |Country|
|---|---|---|---|
|184.108.40.206 |none |Cloudflare |Chile|
Weird, isn't it?
Well, the good news is dnsleaktest shows the proxy is properly resolving. I think your setting is fine.
Thanks for creating a new thread. Even though your build works flawlessly on my v1, I was really missing following the discussions!
Thanks for this. Running both 1900ACS and WRT32X. No issues as of yet!
I think I have found a bug.
I was messing around earlier, trying to get public/private SSH keys to work (a whole other world of pain). In the course of my fiddling I switched off "Password Authentication" and "Allow Root Logins with Password."
I now cannot get back in via SSH through PuTTY / SmarTTY as they both give me connection refused errors.
I have tried numerous entries/deleting the dropbear instance and recreating it, to no avail. The settings pictured worked fine until I changed them, and are now the same as pictured. Everything is fine except SSH.
This is on a 32X....
Make it look like this:
Tried that. PuTTY gives me:
Network Error: Connection refused
Make sure you're allowing 22 through the firewall.
Should be. I haven't changed any firewall settings; it worked before.
Running some good old WAN speed tests on r7210, and it's still maxing out the Gb connection nicely.
That's fair enough. I have just started using a router with your build and I was poking around. Hence the noobish question.