Davidc502- wrt1200ac wrt1900acx wrt3200acm wrt32x builds

The issue is cross compiling dnscrypt-proxy v2. It is very popular, and I am sure the devs would have already made it a "make option" within OpenWrt if it could be done.

There is a way I could just load it on everyone's router at first boot, but that would steal space, so I definitely want to give people the option to install it or not depending on what they like.

2 Likes

@davidc502, will switch to v2 today...

1 Like

@davidc502

does anyone have the following showing in the kernel log

nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.

Just done a complete clean install after going to stock and back to the latest version of OpenWRT-DC502 builds and this is the only error now showing in the Kernel log.

Good deal. Give it a shot. I do know v2's performance is far better than v1, and if 1.1.1.1 is used, is smoking fast.

Safe to ignore, and actually this is a good thing. Conntrack helpers are no longer loaded anymore due to security reasons.

Thank you for the info, I was just going for perfection on the network with a 0 error hunt.
This new build of yours is great, just slight tweaking on SQM to be done now and I can call the network a day.

Even managed to get rid of the extra VLANs I used to use as well for 2 APs that were isolated (don't ask, my config was a mess, hence redoing the whole config from scratch).

I take it even with that error UPnP works, or am I going to need to port forward for all the games I have? (I know it's lazy not to port forward, but I have port forwards for important things, just CBA'd with doing games.)

Dear Dave and Those Who May Be In The Know,
Hello and I hope that you are well. I am trying to set up TorGuard VPN with WireGuard. There is a guide on their website entitled "How to Setup WireGuard on a GLI OpenWRT Router",
found here: https://torguard.net/article/250/how-to-setup-wireguard-on-the-gli-gl-ar750s-openwrt-router.html However, I am a bit befuddled concerning how to adapt this suggested setup to a standard OpenWrt firmware build: the creation of the interface, firewall rules, client config files and so on. So, if someone can point me in the right direction, I would be most appreciative.
Also, on this last build - 2019-03-16 r9614 - the encryption engine available in the compiled kernel was only "dynamic"; on the previous build - 2019-03-02 r9506 - both "dynamic" and "devcrypto" were available. From this page on the OpenWrt Wiki, Cryptographic Hardware Accelerators: https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators -
Openssl supports hardware crypto acceleration through an engine. You may find out what engines are available, along with the enabled algorithms, and configuration commands by running openssl engine -t -c:
For openssl-1.0.2 and earlier, the engine was called cryptodev. It was renamed to devcrypto in openssl 1.1.0.
So, my question is: did you enable devcrypto, as I believe that openssl 1.1.0 is now being deployed in OpenWrt? I would advise all users of OPENVPN clients to check the engine with the openssl engine -t -c command prior to setting option engine in your OPENVPN client configuration file.
Thanks and I await any and all help with Torguard Wireguard inquiry.

Always In Peace and God's Grace,

directnupe

1 Like

I have zero experience with Wireguard, but still have that link to what you wrote about setting up Torguard on OpenWrt -- https://forums.torguard.net/index.php?/topic/1247-lede-openwrt-torguard-vpn-setup/

As to crypto acceleration, over the years I've never found any form of devcrypto/cryptodev to be any better than dynamic, so I stopped searching for the golden goose of crypto hardware acceleration. Since there appears to be a change with openssl I'll take a look at devcrypto.

Thanks,

David

EDIT I just enabled devcrypto in the .config and will run a test build to see if it works.

Can someone redirect me here? I am running David's latest build for the wrt1200ac router. I am trying to get Private Internet Access working on it. I followed a couple of guides since the one for LEDE on the Private Internet Access site doesn't quite fit.

My problem is, when I start the private internet access openVPN config, it doesn't start. Ok, so I'll go look for the log. A site tells me it should be in /temp/openVPN.log. Well it's not there. Where might I find the log? It's almost like openVPN is not even starting. I think it's there.

If anyone uses PIA and would not mind helping a bit, you could message me.

If this is not the right place, I'd appreciate a nudge to tell me where to ask.

Thanks.

@N3kf
Do you have the openvpn.log option included in your config?
In my case I do have log /tmp/openvpn.log and status /tmp/openvpn-status.log in my config and have no problem to read the log file (e.g. cat /tmp/openvpn-status.log via console).

@Kherby
No I don't. I noticed some cap errors thanks to autocorrect and correcting those got openvpn running. The logging is going into the system log, so now I got clues. Getting a tls clear text error, so got to go fight through that one.

Where do you enable the logging options?

OK, figured out how to get the logging going. Back to trying to figure out what the tls error is.

Latest r9614 build is having the same issue, but I've changed the TOR config to listen on the LAN IP instead of localhost and replaced the DNAT rule, and now it works OK.
I do not know why the old rule is broken in recent iptables...

I have an issue with the openvpn client getting a "Failed to obtain WebVPN cookie" error.
The issue was with the libgnutls.so.30 file, so I have a "dirty" way to resolve it by using an "old" version of this file.
With the latest build r9614 this trick does not work any longer, but it is not required either. With current openconnect - 8.01-1 and libgnutls - 3.6.5-1 I didn't get this error anymore.

@directnupe

I have devcrypto enabled, but it killed LuCi. My guess is LuCi uses SSL and some value was changed, so I'm unable to run it. Will investigate.

root@lede:~# openssl engine -t -c
(dynamic) Dynamic engine loading support
[ unavailable ]
(devcrypto) /dev/crypto engine
[DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, AES-256-ECB]
[ available ]

Next, I need to test to see if it actually makes ANY difference running this engine vs. dynamic.

Dear Dave,
Hello - as I said to you earlier, on the previous build - 2019-03-02 r9506 - both "dynamic" and "devcrypto" were available. So, Luci worked and everything worked fine. I believe that this was the first time that openssl 1.1.0 was introduced.
I am reminding you of how r9506 was configured and built because maybe you can take a look at that Build and retrace your steps or at least get some clues as to what is going on with this issue.
Finally, RE: your intent: "Next, I need to test to see if it actually makes ANY difference running this engine vs. dynamic" - you may wish to run your tests on Build r9506, as this Build has both engines working already and r9506 was already in production with Luci working.

Peace,

DIT

1 Like

You may want to check to see what you get, but on my system devcrypto performs no better than dynamic. I'm still getting around 70/120mbps. Definitely running around the same CPU % as well -- around 40%-60% peak. Part of why I'm not getting better speeds could be due to the VPN provider.

Another test running Torguard client on the linux workstation I'm getting 180/200mbps.

Edit

I will make sure devcrypto is baked into the next build though.

@Kherby
Ok, I got it working. Helps if you use the right port for the security protocol. Kind of sad that the private Internet Access KB article tells you the wrong port to use in their setup instructions!

Thanks for your help!

Ok, looking for some info. I'm running David's build r9614-b61495409b on a WRT1200AC. When I sign into luci, I get a security error cause https is not working. I can live with that, but I just configured a VPN and used the config tables as much as possible, but when I didn't and used luci, half the time or more when I saved my changes it just goes to loading and sits there forever. I eventually fought through it, but is this a known issue? Thanks.

Dear N3kf,
Hello and I hope that you are well. First off I want to apologize to you if you were following the PIA VPN tutorial I authored. Found here: PIA OPENVPN on OpenWrt / Lede -
As general caveats, you should read through the tutorial PLUS comments in the threads as changes do occur. Also, VPN providers do from time to time change how their services work ( such as encryption protocols, ports , servers and so on ). For example TorGuard is now offering WireGuard and I am trying to figure out how to set this up on OpenWrt.
The reason that I have been communicating with Dave about the hardware acceleration engine in openssl 1.1.0 is due to the fact that if you set the option engine 'cryptodev' in your openvpn config file, then the service will not start, as that is obsolete. Additionally, if you set the option engine 'devcrypto' (which is the correct setting in openssl 1.1.0), it still will not work with OpenVPN if it is not configured and enabled in the kernel build.
However, the guides should be updated. But if you do your due diligence as you seem to have done, the tutorials still are a good jumping off point to lead you towards successfully getting your VPN service up and running.
I always look at several sources when trying to make sense as to how to proceed on a project of the nature that you have just undertaken. This is still after all open source software and thus reliant upon shared knowledge and work of hobbyists, enthusiasts and often volunteers.
I for one am grateful for the efforts and work of these individuals and enterprises - and realize that things may not always run as smoothly as many of us may wish or like. However, understandably this comes with the territory. In any event, I am glad that you have had success -

Peace,

directnupe

2 Likes
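The engine check recommended in the posts above, as an added example that is not part of the original thread: it parses `openssl engine -t -c` output and reports whether the engine named in an OpenVPN `option engine` line is usable. The function names are hypothetical, and the sample listing is constructed from the output quoted earlier in the thread; on a router, pipe the real command in place of `sample_engines`.

```shell
#!/bin/sh
# Constructed sample: the `openssl engine -t -c` listing quoted in this thread.
sample_engines() {
cat <<'EOF'
(dynamic) Dynamic engine loading support
     [ unavailable ]
(devcrypto) /dev/crypto engine
 [DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, AES-256-ECB]
     [ available ]
EOF
}

# engine_status ID: reads an engine listing on stdin and prints
# available | unavailable | missing for the engine with that id.
engine_status() {
    awk -v want="$1" '
        /^\(/ { id = $1; gsub(/[()]/, "", id); next }   # "(devcrypto) ..." header line
        id == want && /\[ *(un)?available *\]/ {        # the -t result line for that engine
            s = ($0 ~ /unavailable/) ? "unavailable" : "available"
            print s; found = 1; exit
        }
        END { if (!found) print "missing" }
    '
}

# engine_from_config: reads OpenVPN UCI config text on stdin and prints the
# name set by its "option engine" line (prints nothing if none is set).
engine_from_config() {
    sed -n "s/^[[:space:]]*option[[:space:]][[:space:]]*engine[[:space:]][[:space:]]*['\"]\{0,1\}\([A-Za-z0-9_-]*\).*/\1/p" | head -n 1
}

# check_option LINE: verdict for one config line against the sample listing.
# Returns non-zero when the configured engine cannot be used.
check_option() {
    name=$(printf '%s\n' "$1" | engine_from_config)
    [ -n "$name" ] || { echo "no engine set"; return 0; }
    st=$(sample_engines | engine_status "$name")
    echo "$name: $st"
    [ "$st" = "available" ]
}

check_option "option engine 'cryptodev'" || true   # old name from openssl 1.0.2
check_option "option engine 'devcrypto'"           # name used since openssl 1.1.0
```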

So Linux kernel 4.19 support is showing signed off. Think things are going to get interesting soon for us :)