Davidc502- wrt1200ac wrt1900acx wrt3200acm wrt32x builds


#3

Thanks for creating this thread @davidc502 ! I feel at home again and not a forum wanderer anymore :slight_smile:


#4

Please consider enabling hardware crypto support in OpenSSL:

CONFIG_OPENSSL_ENGINE_CRYPTO=y
CONFIG_OPENSSL_HARDWARE_SUPPORT=y

Note: Do not enable hardware digest support, since it breaks some TLS handshakes.


#5

Do we know which commits need to be reverted to support darkmatter again? (was trying to figure that out myself...but perhaps too many? )

Thanks David, glad to see a thread again :slight_smile:


#6

May I ask why? Just curious is all:)


#7

What's the difference between the dnscrypt-proxy bundled with your build and the one in the Wiki? And can the latter not be included in the build to begin with?


#8

dnscrypt-proxy v1 is included with the current davidc502 builds. the wiki is for the dnscrypt-proxy v2. information on difference between the two can be found here, https://github.com/jedisct1/dnscrypt-proxy/wiki/Differences-to-v1

there is active development with the v2 and the latest binary is 2.0.15. i have 2.0.14 installed on an extra router that i'm using as a travel vpn router and it's stable and working great. i will update to 2.0.15 or later when i'm not as busy.


#9

Version 1 is much faster, load balanced and secure.

When deploying something like that for everyone... keep in mind, not everyone uses it, it takes a lot of thought and processes to get it right.. And what I mean by getting it right is not screwing people up... Some people might still prefer Version 1 for example. No thank you.. I don't want the headaches that will be associated with a customization like that. The few people who want it can take 5 minutes, when they upgrade, to get it working again. Since Version 1 isn't viable anymore, at some point it will be pushed to trunk after being thoroughly tested across all the different platforms. Well, I can only hope it is thoroughly tested :slight_smile:


#10

Dear WrtBoy ... looks like you're an expert on dnscrypt-proxy ... I've been using it forever, but now with the upgrade to v2 as per DavidC502's recommendation, I'm not sure I'm resolving correctly... look at this:

dnscrypt-proxy -resolve google.com
Resolving [google.com]

Domain exists:  yes, 4 name servers found
Canonical name: google.com.
IP addresses:   64.233.190.139, 64.233.190.138, 64.233.190.101, 64.233.190.102, 64.233.190.113, 64.233.190.100, 2800:3f0:4003:c01::8b
TXT records:    v=spf1 include:_spf.google.com ~all docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95
Resolver IP:    190.8.119.74 (jaspe.gtdinternet.com.)

jaspe.gtdinternet.com is a server at my ISP ... if I do this:

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  reverso.190.215.14.operaciones.gtdinternet.com (190.215.14.1)  5.065 ms  5.183 ms  5.626 ms
 2  192.168.50.13 (192.168.50.13)  6.087 ms  5.367 ms  5.662 ms
 3  192.168.50.12 (192.168.50.12)  6.804 ms  5.230 ms  5.908 ms
 4  cn2.ae5.200.agre2MQ.gtdinternet.com (190.196.124.214)  5.632 ms  6.444 ms  5.576 ms
 5  cn1.ae2.20.arbor.gtdinternet.com (190.196.125.22)  29.087 ms  3.313 ms  5.803 ms
 6  190.196.124.147 (190.196.124.147)  5.784 ms  5.443 ms  5.799 ms
 7  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  5.903 ms  5.196 ms  5.654 ms

Also weird... nothing in the world can resolve in 5 milliseconds if going outside of my country (Chile), unless 1.1.1.1 has a DNS server co-located with my ISP (which may be the case, I just don't know)

But... when i go look at the logs of dnscrypt, it is logging the blacklisted domains, and it is actually blocking the requests ... this is the app log:

[2018-06-20 19:21:44] [NOTICE] Source [public-resolvers.md] loaded
[2018-06-20 19:21:44] [NOTICE] dnscrypt-proxy 2.0.14
[2018-06-20 19:21:44] [NOTICE] Loading the set of blocking rules from [/mnt/sdb1/dnslogs/dnscrypt-blacklist-domains.txt]
[2018-06-20 19:21:45] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2018-06-20 19:21:45] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2018-06-20 19:21:45] [NOTICE] [cloudflare] OK (DoH) - rtt: 4ms
[2018-06-20 19:21:45] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 4ms)
[2018-06-20 19:21:45] [NOTICE] dnscrypt-proxy is ready - live servers: 1

So basically it looks like it's working ... but the "dnscrypt-proxy -resolve google.com" results confused me...

Any ideas?


#11

it appears the proxy is not using the right dns resolver.

ensure your /etc/config/dhcp file does not have the line,

option resolvfile '/tmp/resolv.conf.auto'

but has the line,

list server '127.0.0.1#5353'
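
The two conditions from the post above, as an added shell check that is not part of the original thread: it reads a UCI dhcp file and reports whether dnsmasq still references a resolv file and whether the local proxy is listed as an upstream. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a UCI dhcp config for the two
# conditions in post #11. Only "config dnsmasq" sections are inspected and
# commented-out lines are ignored.
# Usage: check_dhcp FILE [UPSTREAM]   (UPSTREAM defaults to 127.0.0.1#5353)
# Returns 0 when both conditions hold, 1 otherwise.
check_dhcp() {
    awk -v want="${2:-127.0.0.1#5353}" -v sq="'" '
        function unq(s) { gsub(sq, "", s); gsub(/"/, "", s); return s }
        /^[ \t]*#/     { next }
        $1 == "config" { in_dns = (unq($2) == "dnsmasq"); next }
        !in_dns        { next }
        $1 == "option" && unq($2) == "resolvfile" { resolv = unq($3) }
        $1 == "list" && unq($2) == "server" {
            if (unq($3) == want) have = 1
            else extra = extra " " unq($3)
        }
        END {
            if (resolv != "") { print "FAIL: resolvfile is set (" resolv ")"; bad = 1 }
            if (!have)        { print "FAIL: missing list server " want; bad = 1 }
            if (extra != "")    print "NOTE: other upstream servers:" extra
            if (!bad)           print "OK: dnsmasq forwards to " want
            exit bad + 0
        }' "$1"
}

# Constructed sample: resolv file still referenced, no local proxy upstream.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
config dnsmasq
    option domainneeded '1'
    option resolvfile '/tmp/resolv.conf.auto'
    #list server '127.0.0.1#5353'

config dhcp 'lan'
    option interface 'lan'
EOF
    check_dhcp "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# When run as a script with a file argument, audit that file,
# e.g. /etc/config/dhcp on the router.
if [ $# -gt 0 ]; then check_dhcp "$1"; fi
```

Calling `demo` prints both FAIL lines for the constructed config, since its only `list server` entry is commented out.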


#12

@wrtboy, I've checked and I have it correctly configured ... Did test the "leak" with https://www.dnsleaktest.com and it is showing that it's resolving through

| IP            | Hostname | ISP        | Country |
|---------------|----------|------------|---------|
| 172.68.113.41 | none     | Cloudflare | Chile   |

Weird, isn't it?


#13

well the good news is dnsleaktest shows the proxy is properly resolving. i think your setting is fine.


#14

Hi David
Thanks for creating a new thread. Even though your build works flawlessly on my v1 I was really missing following the discussions!


#15

Thanks for this. Running both 1900ACS and WRT32X. No issues as of yet!


#16

I think I have found a bug.

I was messing around earlier, trying to get pub/private ssh keys to work (a whole other world of pain). In the course of my fiddling I switched off "Password Authentication" and "Allow Root Logins with Password."

I now cannot get back in via ssh through Putty / Smartty as they both give me connection refused errors.

I have tried numerous entries/deleting the dropbear instance and recreating it, to no avail. The settings pictured worked fine until I changed it, and are now the same as pictured.... everything is fine except ssh....

This is on a 32X....


#17

Make it look like this:

[Image: Untitled]


#18

Tried that. Putty Gives me:

Network Error: Connection refused


#19

Make sure you're allowing 22 through the firewall


#20

Should be. I haven't changed any firewall settings, it worked before.


#21

Running some good old WAN speed tests on r7210 - and it's still maxing out the Gb connection nicely :slight_smile:


#22

That's fair enough. :slight_smile: I have just started using a router with your build and I was poking around. Hence the noobish question. :wink: