OpenWrt Forum Archive

Topic: davidc502 1900ac 3200acm builds

The content of this topic has been archived between 26 Feb 2018 and 7 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Hi David,

Thanks for the splendid build, along with all the others toiling in the trenches.

Running r6565 on the WRT1900AC v1 with no reboots, which I said I'd get to sometime around Christmas last. Meantime, my daughter had the router, etc etc and now I finally got around to it.

Only had to enable the radios as they didn't carry over on the upgrade.  Applied, saved and rebooted with revamped SSID, encryption, and password.

Logged on with various phones on the 2.4 and 5 GHz frequencies, logged in with the laptop remotely, and it all appears good to go, at least for my purposes.

Thanks again for the tremendous effort in making all things 'old' new again!  smile

Cheers

davidc502 wrote:

I believe that right now our only option is to use the binary for linux. Yes, I could potentially add the binary and drop the compiled packages. However, by doing so I'm asking for trouble meaning potential issues.

Any idea how long before v2 is added to trunk?

I think dropping dnscrypt-proxy v1, including its dependencies, in future builds should suffice for now.  I'm not certain about adding the v2 binaries in future builds since v2 appears to be evolving, and downloading the latest version and installing it under /opt is achievable with an install script antonsamoziv has provided.  No idea on when v2 shall be added to trunk.

I got curious enough with DNS-over-HTTPS and dnscrypt-proxy v2 and I didn't want to move to unbound/stubby, so I created a test package.  Since I see there has been a lot of discussion about this recently I figured I would offer this up -- if you want to create a package to add you can add this to a custom feed and build it for your firmware:

https://github.com/InkblotAdmirer/custo … t-proxy-v2

The package installs as dnscrypt-proxy-v2 so it can be installed alongside the official v1 package, you just don't want to enable both at the same time obviously.  The init script uses procd to run the process as user nobody:nogroup.  I'll likely modify it to run inside a jail but I wasn't sure of dependencies so I held off on that for now.  I'm guessing some will want changes or features, but I'm offering this as-is in the style that I use.

This should remove much of the manual install, but the binary is huge -- it's >6M installed, and will add about 2.6M to the image size.  I'm still on the fence whether I want to move to this.

Even for those using dnscrypt-proxy v2, I highly recommend disabling DNS over HTTPS and only using dnscrypt.

a) DNS over HTTPS is much less secure than dnscrypt (see the comparison of the different protocols here: https://dnscrypt.info/faq)
b) The only resolver that supports DNSSEC with DNS over HTTPS is Cloudflare anyway

InkblotAdmirer wrote:

I got curious enough with DNS-over-HTTPS and dnscrypt-proxy v2 and I didn't want to move to unbound/stubby, so I created a test package.  Since I see there has been a lot of discussion about this recently I figured I would offer this up -- if you want to create a package to add you can add this to a custom feed and build it for your firmware:

https://github.com/InkblotAdmirer/custo … t-proxy-v2

The package installs as dnscrypt-proxy-v2 so it can be installed alongside the official v1 package, you just don't want to enable both at the same time obviously.  The init script uses procd to run the process as user nobody:nogroup.  I'll likely modify it to run inside a jail but I wasn't sure of dependencies so I held off on that for now.  I'm guessing some will want changes or features, but I'm offering this as-is in the style that I use.

This should remove much of the manual install, but the binary is huge -- it's >6M installed, and will add about 2.6M to the image size.  I'm still on the fence whether I want to move to this.

Nice job!  I'd rather the space be used in the rom than in user memory smile

Could you edit the init.d script so that adblock will detect that dnscrypt-proxy is running?  If it did that, it would be perfect imo.

(Last edited by starcms on 5 Apr 2018, 07:37)

starcms wrote:

Even for those using dnscrypt-proxy v2, I highly recommend disabling DNS over HTTPS and only using dnscrypt.

a) DNS over HTTPS is much less secure than dnscrypt (see the comparison of the different protocols here:
b) The only resolver that supports DNSSEC with DNS over HTTPS is Cloudflare anyway

a) That is subjective... DoH uses the SSL/TLS infrastructure used by HTTPS. And if you use DoH with either Google or Cloudflare you're essentially using TLS 1.2 with cipher suites that provide forward secrecy (among others, it's immune to man-in-the-middle attacks and traffic interception, unless your client app opts to ignore the server certificate...)

b) Google supports it since 2016. (developers.google.com/speed/public-dns). I've been using it on a debian machine (dnss)

(Last edited by Vindicator on 5 Apr 2018, 09:02)

InkblotAdmirer wrote:

I got curious enough with DNS-over-HTTPS and dnscrypt-proxy v2 and I didn't want to move to unbound/stubby, so I created a test package.  Since I see there has been a lot of discussion about this recently I figured I would offer this up -- if you want to create a package to add you can add this to a custom feed and build it for your firmware:

https://github.com/InkblotAdmirer/custo … t-proxy-v2

The package installs as dnscrypt-proxy-v2 so it can be installed alongside the official v1 package, you just don't want to enable both at the same time obviously.  The init script uses procd to run the process as user nobody:nogroup.  I'll likely modify it to run inside a jail but I wasn't sure of dependencies so I held off on that for now.  I'm guessing some will want changes or features, but I'm offering this as-is in the style that I use.

This should remove much of the manual install, but the binary is huge -- it's >6M installed, and will add about 2.6M to the image size.  I'm still on the fence whether I want to move to this.

You're an angel! I was feeling very lazy and you basically did this for me (egotistical world view smile)
You should totally pr openwrt packages just to annoy them.

(Last edited by antonsamoziv on 5 Apr 2018, 11:41)

starcms wrote:

Does anyone know or can anyone figure out how Adblock determines if dnscrypt-proxy is running?

I want to use dnscrypt-proxy 2.0 in combination with adblock (instead of dnsmasq with adblock), but adblock keeps giving the error that dnscrypt-proxy isn't running.  I'm using dnscrypt-proxy 2.0.8 along with the init.d script that @antonsamoziv wrote for it on page 213, post# 5312. Adblock worked fine with dnscrypt-proxy 1.9.5 so if anyone can figure out how adblock determined how it was running, I could trick it to think 2.0.8 is running.

Much thanks!!!

edit:  I just don't know enough linux coding to figure it out.  But it definitely looks like the answer is around lines 213-216 in file https://github.com/openwrt/packages/blo … adblock.sh

How can I trick it (what do I need to add to the init.d script for dnscrypt-proxy 2.0) to make it return true there?

This is an interesting...

Looking at this got me thinking https://github.com/openwrt/packages/blo … dblock.sh.
dnscrypt-proxy v2 generates its blacklists like this https://github.com/jedisct1/dnscrypt-pr … acklist.py
Craft your awks right and this could work nicely smile

starcms wrote:

Does anyone know or can anyone figure out how Adblock determines if dnscrypt-proxy is running?

I want to use dnscrypt-proxy 2.0 in combination with adblock (instead of dnsmasq with adblock), but adblock keeps giving the error that dnscrypt-proxy isn't running.  I'm using dnscrypt-proxy 2.0.8 along with the init.d script that @antonsamoziv wrote for it on page 213, post# 5312. Adblock worked fine with dnscrypt-proxy 1.9.5 so if anyone can figure out how adblock determined how it was running, I could trick it to think 2.0.8 is running.

Much thanks!!!

edit:  I just don't know enough linux coding to figure it out.  But it definitely looks like the answer is around lines 213-216 in file https://github.com/openwrt/packages/blo … adblock.sh

How can I trick it (what do I need to add to the init.d script for dnscrypt-proxy 2.0) to make it return true there?

You're using adblock 3.5.1? If so, please change line 171 in /usr/bin/adblock.sh

old:
        dnscrypt-proxy)
new:
        dnscrypt-proxy-v2)

After that, change the adb_dns option in /etc/config/adblock as well and re-run adblock ... should work! smile

davidc502 wrote:
makedir wrote:

Sorry to ask this again, but I want to be certain about this, and did not get a clear answer:

How do I reset a WRT1200 with Davids image to default Linksys rom, so it starts Linksys and has no Lede installed on it anymore? I got a replacement from Amazon and now have to ship them the old one back.

I read there is the command "firstboot", does this do this? Or will it just clear the Lede configs?

I know with the tftp option (serial cable), you can flash both partitions at the same time.... With sysupgrade you can flash the other...   I would ssh to the router and do a sysupgrade -F /tmp/factory.img  and leave it at that.

https://www.linksys.com/us/support-arti … Num=156197

It has two different firmwares for v1 and v2, is this relevant? I thought the firmware for the WRT1200 is both the same v1+v2. So let's say I had a V2 (have to check this first), I just download the firmware on that link and do a sysupgrade? Would sysupgrade work? It's not a sysupgrade image, or is it?

From Lede ssh:

cd /tmp
wget http://downloads.linksys.com/downloads/ … 4_prod.img
sysupgrade -v FW_WRT1200ACV2_2.0.5.182144_prod.img

?

Be sure you get the correct Linksys v1 or v2 for your WRT v1 or v2. David's builds use just one file for both versions while Linksys has two versions. Did you see the wiki page? Look for the item titled OpenWrt >> OEM and click the flash tab.
https://wiki.openwrt.org/toh/linksys/wr … ab__flash2

Vindicator wrote:
starcms wrote:

Even for those using dnscrypt-proxy v2, I highly recommend disabling DNS over HTTPS and only using dnscrypt.

a) DNS over HTTPS is much less secure than dnscrypt (see the comparison of the different protocols here:
b) The only resolver that supports DNSSEC with DNS over HTTPS is Cloudflare anyway

b) Google supports it since 2016. (developers.google.com/speed/public-dns). I've been using it on a debian machine (dnss)

Not in combination with DNSSEC, so to me google is worthless in that regard, as is any and every resolver that doesn't support DNSSEC.

(Last edited by starcms on 5 Apr 2018, 21:25)

makedir wrote:
davidc502 wrote:
makedir wrote:

Sorry to ask this again, but I want to be certain about this, and did not get a clear answer:

How do I reset a WRT1200 with Davids image to default Linksys rom, so it starts Linksys and has no Lede installed on it anymore? I got a replacement from Amazon and now have to ship them the old one back.

I read there is the command "firstboot", does this do this? Or will it just clear the Lede configs?

I know with the tftp option (serial cable), you can flash both partitions at the same time.... With sysupgrade you can flash the other...   I would ssh to the router and do a sysupgrade -F /tmp/factory.img  and leave it at that.

https://www.linksys.com/us/support-arti … Num=156197

It has two different firmwares for v1 and v2, is this relevant? I thought the firmware for the WRT1200 is both the same v1+v2. So let's say I had a V2 (have to check this first), I just download the firmware on that link and do a sysupgrade? Would sysupgrade work? It's not a sysupgrade image, or is it?

From Lede ssh:

cd /tmp
wget http://downloads.linksys.com/downloads/ … 4_prod.img
sysupgrade -v FW_WRT1200ACV2_2.0.5.182144_prod.img

?

Make sure you have the right .img for either V1 or V2 depending on your hardware.  Check the back of the router, they will usually have a tag that identifies if it is a V2 or not.

Flashing back to OEM.  You can try from the LuCI GUI, and uncheck the 'keep settings' box. If that doesn't work, then after you have downloaded the correct img to /tmp run the command sysupgrade -n -v /tmp/OEM_NAME.img

Make sure you use the -n as well so it doesn't try to keep any settings.

No worries about sysupgrade, it will also take you back to OEM.

Ok, I did this, hope all went well:

 -----------------------------------------------------
 Lede SNAPSHOT, r6520-02fba1a181
 -----------------------------------------------------
root@wrtarm:~# firstboot
This will erase all settings and remove any installed packages. Are you sure? [N/y]
y
/dev/ubi0_1 is mounted as /overlay, only erasing files
root@wrtarm:/tmp# reboot

---

Using username "root".


BusyBox v1.27.2 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 Lede SNAPSHOT, r6520-02fba1a181
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# cd /tmp
root@OpenWrt:/tmp# sysupgrade -v FW_WRT1200ACV2_2.0.5.182144_prod.img
Image metadata not found
Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware
Image check 'fwtool_check_image' failed.
root@OpenWrt:/tmp# sysupgrade -F FW_WRT1200ACV2_2.0.5.182144_prod.img
Image metadata not found
Image check 'fwtool_check_image' failed but --force given - will update anyway!
Saving config files...
Commencing upgrade. All shell sessions will be closed now.

Did it? I will ship this unit back tomorrow and hope the new replacement router won't have the random reboot issues. If it does... I will report back on it.

(Last edited by makedir on 5 Apr 2018, 23:29)

makedir wrote:

Ok, I did this, hope all went well:


Did it? I will ship this unit back tomorrow and hope the new replacement router won't have the random reboot issues. If it does... I will report back on it.

Just reboot it and see.  If it worked, it'll be back on the Linksys firmware.  Btw, amazon isn't going to check regardless...

dibdot wrote:
starcms wrote:

Does anyone know or can anyone figure out how Adblock determines if dnscrypt-proxy is running?

I want to use dnscrypt-proxy 2.0 in combination with adblock (instead of dnsmasq with adblock), but adblock keeps giving the error that dnscrypt-proxy isn't running.  I'm using dnscrypt-proxy 2.0.8 along with the init.d script that @antonsamoziv wrote for it on page 213, post# 5312. Adblock worked fine with dnscrypt-proxy 1.9.5 so if anyone can figure out how adblock determined how it was running, I could trick it to think 2.0.8 is running.

Much thanks!!!

edit:  I just don't know enough linux coding to figure it out.  But it definitely looks like the answer is around lines 213-216 in file https://github.com/openwrt/packages/blo … adblock.sh

How can I trick it (what do I need to add to the init.d script for dnscrypt-proxy 2.0) to make it return true there?

You're using adblock 3.5.1? If so, please change line 171 in /usr/bin/adblock.sh

old:
        dnscrypt-proxy)
new:
        dnscrypt-proxy-v2)

After that, change the adb_dns option in /etc/config/adblock as well and re-run adblock ... should work! smile

No go. (actually instead of editing adblock.sh, I edited the dnscrypt-proxy 2.0 init.d file and removed all references to v2, so same effect)

user.err adblock-[3.5.1]: 'dnscrypt-proxy' not running, DNS backend not found

Edit: See post below

(Last edited by starcms on 6 Apr 2018, 01:16)

starcms wrote:
wrtboy wrote:

I managed to get dnscrypt-proxy v2 to run, and many thanks for all the feedback and advice.  I often wonder if utilizing dnscrypt-proxy is absolutely necessary when a VPN tunnel is also running?  Frank Denis, when asked what he is using instead of dnscrypt-proxy, gave this reply:

Frank Denis @jedisct1 10 Nov 2017
A VPN.

more info from the tweets:
https://twitter.com/jedisct1/status/928942292202860544

Safest to use both smile

If privacy is the objective, which DNS resolver offers better privacy?
VPN DNS resolver vs. dnscrypt DNS resolver

My thoughts are a VPN DNS resolver may offer better privacy but may not offer DNS anti-spoofing.  dnscrypt definitely offers DNS anti-spoofing, but I'm uncertain about its privacy level since the dnscrypt DNS resolver has to receive the encrypted data and decrypt the data for the DNS lookup to work.  The level of privacy would still depend on which dnscrypt DNS resolver is selected for use, right?

Ok, I found the problem with adblock and dnscrypt-proxy 2.0.  Adblock runs 4 checks to see if the dns backend (dnscrypt-proxy in this case) is running.  With @InkblotAdmirer's init.d script, it passes 3.

    if [ -z "${adb_dns}" ]     || [ -z "${adb_dnsdeny}" ] || [ ! -d "${adb_dnsdir}" ]
#    || [ ! -x "$(command -v ${adb_dns})" ] 
    then
        f_log "err" "'${adb_dns}' not running, DNS backend not found"
    fi

from the line I commented out, you can guess which it isn't passing.

Until someone comes up with a fix, which I'm sure is a simple entry to be added to the init.d file for dnscrypt-proxy v2, I'll just leave adblock.sh as shown above.  Works great!

Edit2:  I can't understand why the expression [ ! -x "$(command -v ${adb_dns})" ] where ${adb_dns} equals dnscrypt-proxy is returning true in adblock.sh.  If I do "command -v dnscrypt-proxy" at an SSH prompt, I get a response, the directory where dnscrypt-proxy is installed.  I even wrote a simple test script, and the ENTIRE expression returns false every time:

#!/bin/sh

# Same variables adblock.sh uses for the backend check
adb_dns=dnscrypt-proxy
adb_dnsdeny="awk '{print \$0}'"
adb_dnsdir="${adb_dnsdir:-"/tmp"}"

echo "starting script"
echo

# Same four-part test as adblock.sh: any one failing condition prints the error
if [ -z "${adb_dns}" ] || [ -z "${adb_dnsdeny}" ] || [ ! -x "$(command -v ${adb_dns})" ] || [ ! -d "${adb_dnsdir}" ]
then
        echo "it didn't work, dnscrypt-proxy isn't running"
fi

It never outputs "It didn't work, dnscrypt-proxy isn't running" unless I remove an ! or something else to make it return true.  WHY DOES IT WORK HERE BUT NOT IN ADBLOCK.SH??!!?  I'm driving myself crazy.  It's the EXACT same expression and variables.

Just FYI, in the init.d script for dnscrypt-proxy v2, I changed all references of dnscrypt-proxy-v2 to be simply dnscrypt-proxy.

EDIT3: I'm a dingus!  I figured it out!  For some reason, adblock doesn't use the default system PATH value. Instead it defines its own PATH near the very top of adblock.sh.  I added the install directory where I have dnscrypt-proxy v2 installed and now it works fine without having to comment out any lines or portions of lines.

I don't know why they coded it like that, and I hate them for it smile

So everything is working fine now, with no modifications needed to adblock.sh (except for modifying the PATH variable in adblock.sh if you have dnscrypt-proxy v2 installed in a non-standard location) if you use the init.d file that @InkblotAdmirer wrote here: https://github.com/InkblotAdmirer/custo … y-v2/files as long as you change all references to dnscrypt-proxy-v2 to be dnscrypt-proxy (inversely you can change all references to dnscrypt-proxy in adblock.sh to be dnscrypt-proxy-v2).

What success looks like:

Fri Apr  6 00:19:24 2018 user.info adblock-[3.5.1]: start adblock processing (start)
Fri Apr  6 00:19:43 2018 user.notice dnscrypt-proxy: Starting dnscrypt-proxy instance running as nobody
Fri Apr  6 00:19:43 2018 user.info adblock-[3.5.1]: blocklist with overall 61187 domains loaded successfully (Linksys WRT1200AC, Lede SNAPSHOT r6565-fd588dbf6b)
Fri Apr  6 00:19:44 2018 daemon.notice dnscrypt-proxy[4648]: Source [public-resolvers.md] loaded
Fri Apr  6 00:19:44 2018 daemon.notice dnscrypt-proxy[4648]: dnscrypt-proxy 2.0.8
Fri Apr  6 00:19:44 2018 daemon.notice dnscrypt-proxy[4648]: Loading the set of blocking rules from [adb_list.overall]
Fri Apr  6 00:19:46 2018 daemon.notice dnscrypt-proxy[4648]: Now listening to 127.0.0.1:5353 [UDP]
Fri Apr  6 00:19:46 2018 daemon.notice dnscrypt-proxy[4648]: Now listening to 127.0.0.1:5353 [TCP]
Fri Apr  6 00:19:46 2018 daemon.notice dnscrypt-proxy[4648]: [ev-us3] OK (crypto v2) - rtt: 20ms
Fri Apr  6 00:19:47 2018 daemon.notice dnscrypt-proxy[4648]: [opennic-onic] OK (crypto v1) - rtt: 62ms
Fri Apr  6 00:19:47 2018 daemon.notice dnscrypt-proxy[4648]: [soltysiak] OK (crypto v1) - rtt: 152ms
Fri Apr  6 00:19:47 2018 daemon.notice dnscrypt-proxy[4648]: Server with the lowest initial latency: ev-us3 (rtt: 20ms)
Fri Apr  6 00:19:47 2018 daemon.notice dnscrypt-proxy[4648]: dnscrypt-proxy is ready - live servers: 3

(Last edited by starcms on 6 Apr 2018, 06:31)
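The PATH dependence starcms tracked down above, as an added shell example (not code from adblock, from this thread, or from the InkblotAdmirer package): the function below repeats adblock's four-part backend test, but resolves the executable under an explicitly supplied search path, the way adblock.sh does with the PATH it sets for itself. The helper names, the stand-in f_log, and the throwaway dnscrypt-proxy executable it creates under a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not adblock's own code: adblock's backend check with an
# explicit search path, so the effect of adblock.sh defining its own PATH
# can be reproduced outside the router.

# Stand-in for adblock's f_log (hypothetical helper, writes to stderr).
f_log() { printf '%s: %s\n' "$1" "$2" >&2; }

# backend_ok NAME DENY_EXPR DNSDIR SEARCHPATH
# Returns 0 when the four conditions adblock tests all hold, 1 otherwise.
# `command -v` is run with PATH set to SEARCHPATH only, which is why a
# binary that is found from an interactive shell (normal PATH) can still
# be missed when adblock searches its own fixed PATH.
backend_ok() {
    adb_dns="$1"; adb_dnsdeny="$2"; adb_dnsdir="$3"; search="$4"
    if [ -z "${adb_dns}" ] || [ -z "${adb_dnsdeny}" ] \
        || [ ! -x "$(PATH="${search}" command -v "${adb_dns}")" ] \
        || [ ! -d "${adb_dnsdir}" ]
    then
        f_log "err" "'${adb_dns}' not running, DNS backend not found"
        return 1
    fi
    return 0
}

# setup_demo: creates a throwaway install directory (constructed for the
# example) holding a fake dnscrypt-proxy executable and prints its path.
setup_demo() {
    demo_dir="${TMPDIR:-/tmp}/adb_demo.$$"
    mkdir -p "${demo_dir}/opt/bin"
    printf '#!/bin/sh\nexit 0\n' > "${demo_dir}/opt/bin/dnscrypt-proxy"
    chmod 755 "${demo_dir}/opt/bin/dnscrypt-proxy"
    echo "${demo_dir}"
}

# Demo: same binary, same check; only the search path differs.
demo_dir="$(setup_demo)"
fixed_path="/usr/sbin:/usr/bin:/sbin:/bin"   # the kind of fixed PATH adblock.sh sets for itself
if backend_ok dnscrypt-proxy "awk '{print \$0}'" /tmp "${fixed_path}"; then
    echo "found with the fixed PATH"
else
    echo "missed with the fixed PATH (expected when dnscrypt-proxy lives under /opt)"
fi
if backend_ok dnscrypt-proxy "awk '{print \$0}'" /tmp "${fixed_path}:${demo_dir}/opt/bin"; then
    echo "found once the install directory is added to the search path"
fi
rm -rf "${demo_dir}"
```

The check itself is unchanged from the quoted adblock.sh logic; the only difference is that the search path is a parameter, so the two outcomes (binary present on disk, found or not found depending on PATH) can be reproduced side by side.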

starcms wrote:
    if [ -z "${adb_dns}" ]     || [ -z "${adb_dnsdeny}" ] || [ ! -d "${adb_dnsdir}" ]
#    || [ ! -x "$(command -v ${adb_dns})" ] 
    then
        f_log "err" "'${adb_dns}' not running, DNS backend not found"
    fi

Try commenting out all lines from if to fi above then all of the checks are bypassed.

beginner67890 wrote:
starcms wrote:
    if [ -z "${adb_dns}" ]     || [ -z "${adb_dnsdeny}" ] || [ ! -d "${adb_dnsdir}" ]
#    || [ ! -x "$(command -v ${adb_dns})" ] 
    then
        f_log "err" "'${adb_dns}' not running, DNS backend not found"
    fi

Try commenting out all lines from if to fi above then all of the checks are bypassed.

No point in commenting out more than I need.  It works fine with just the one commented out as shown.

(Last edited by starcms on 6 Apr 2018, 01:17)

Hi everyone!!! Since the last upgrade, I'm getting this:

/usr/lib/lua/luci/controller/admin/uci.lua:8: attempt to index global 'disp' (a nil value)
stack traceback:
    /usr/lib/lua/luci/controller/admin/uci.lua:8: in function 'v'
    /usr/lib/lua/luci/dispatcher.lua:598: in function 'createtree'
    /usr/lib/lua/luci/dispatcher.lua:256: in function 'dispatch'
    /usr/lib/lua/luci/dispatcher.lua:121: in function </usr/lib/lua/luci/dispatcher.lua:120>

Any suggestions?

mariano.silva wrote:

Hi everyone!!! Since the last upgrade, I'm getting this:

/usr/lib/lua/luci/controller/admin/uci.lua:8: attempt to index global 'disp' (a nil value)
stack traceback:
    /usr/lib/lua/luci/controller/admin/uci.lua:8: in function 'v'
    /usr/lib/lua/luci/dispatcher.lua:598: in function 'createtree'
    /usr/lib/lua/luci/dispatcher.lua:256: in function 'dispatch'
    /usr/lib/lua/luci/dispatcher.lua:121: in function </usr/lib/lua/luci/dispatcher.lua:120>

Any suggestions?

Yeah, I got this myself and had to reflash @david's latest build.

I'm assuming you are getting the latest version of the packages from the openwrt/lede snapshot repos?

They pushed a luci update today that completely messed me up and gave that exact error.  I tried reinstalling luci packages from @david's repo, but no go.  They had just had a luci update a couple hours before the one that caused that, so I'm not sure if it's a bug or what.

I've been flashing luci updates basically on a daily basis for well over a year and this is the first time something like this ever happened.  Sometimes one or two odd packages can cause a problem (but it's normally always the same few packages like netifd), but reinstalling the version from @david's repo has always fixed it for me.  I don't know wtf this luci update did but it killed my luci and as I said, the only way I could get it working was to reflash the firmware.

Edit: And the best part is these Luci updates are so many in frequency and change practically nothing.  Instead of updating almost everything as I have been doing for months and months and months, I think I'm going to scale back and from now on only update packages that are important (such as Adblock) that can have significant and useful changes that I can track on github before I update.  Not be so cavalier with just updating every available package.

But since I have NEVER had a problem upgrading the LuCi packages (the 17 or so that update every day or two), so either they changed something major (which I didn't see on github) or it's a bug in the latest release.

Edit: I used to know how, but I've been away from this scene for a few months.  Isn't there a way possible to delete user-installed packages from the user partition (which are updates for the built in version), and reboot, and they'll be restored from the rom (firmware) partition?  If so, what directories would this be?  I used to know how, but as I said, it's been a while plus the file structure on openwrt/lede has always been confusing imo.

(Last edited by starcms on 6 Apr 2018, 08:51)

starcms wrote:

Not in combination with DNSSEC, so to me google is worthless in that regard, as is any and every resolver that doesn't support DNSSEC.

Again? Where are you getting that from? It does. As I said, I've been using DoH with google and with DNSSEC for a long time. And even google states that on the developers page if you care to read it...

For example, some time ago, I tried using another DoH that already exists in OpenWRT, h(ttps) dns proxy. I used this in combination with dnsmasq plus dnssec (installed the dnsmasq full pkg and enabled dnssec validation).

However, the DNSSEC validation queries started failing... But they were working on my debian box with dnss with google... So, what was happening?... The problem was h(ttps) dns proxy that wasn't properly encoding google answers with the dnssec validation information requested by dnsmasq... I even opened an issue at the h(ttps) dns proxy github page.

So to clarify: both cloudflare and google support DNSSEC over DoH. DoH isn't a new form of DNS, it's the same old DNS protocol but encapsulated on a h(ttp) payload... So, unless your client fails to parse something (as it's happening with h(ttps) dns proxy), you shouldn't even be aware of any differences...

h(ttps) dns proxy - doesn't have the ( and ). But I had to post it like this because the forum software thinks they are links...

Edit: Extract from google developers page:

"To address these problems, Google Public DNS offers DNSSEC-validating resolution over an encrypted HTTPS connection using a web-friendly API that does not require browser or OS configuration or installing an extension. DNS-over-HTTPS greatly enhances privacy and security between a client and a recursive resolver, and complements DNSSEC to provide end-to-end authenticated DNS lookups."

(...)

"cd

    boolean, default: false

    The CD (checking disabled) bit. Use cd, cd=1, or cd=true to disable DNSSEC validation; use cd=0, cd=false, or no cd parameter to enable DNSSEC validation.
"

(Last edited by Vindicator on 6 Apr 2018, 09:21)

Vindicator wrote:
starcms wrote:

Not in combination with DNSSEC, so to me google is worthless in that regard, as is any and every resolver that doesn't support DNSSEC.

Again? Where are you getting that from? It does. As I said, I've been using DoH with google and with DNSSEC for a long time. And even google states that on the developers page if you care to read it...

For example, some time ago, I tried using another DoH that already exists in OpenWRT, h(ttps) dns proxy. I used this in combination with dnsmasq plus dnssec (installed the dnsmasq full pkg and enabled dnssec validation).

However, the DNSSEC validation queries started failing... But they were working on my debian box with dnss with google... So, what was happening?... The problem was h(ttps) dns proxy that wasn't properly encoding google answers with the dnssec validation information requested by dnsmasq... I even opened an issue at the h(ttps) dns proxy github page.

So to clarify: both cloudflare and google support DNSSEC over DoH. DoH isn't a new form of DNS, it's the same old DNS protocol but encapsulated on a h(ttp) payload... So, unless your client fails to parse something (as it's happening with h(ttps) dns proxy), you shouldn't even be aware of any differences...

h(ttps) dns proxy - doesn't have the ( and ). But I had to post it like this because the forum software thinks they are links...

Edit: Extract from google developers page:

"To address these problems, Google Public DNS offers DNSSEC-validating resolution over an encrypted HTTPS connection using a web-friendly API that does not require browser or OS configuration or installing an extension. DNS-over-HTTPS greatly enhances privacy and security between a client and a recursive resolver, and complements DNSSEC to provide end-to-end authenticated DNS lookups."

(...)

"cd

    boolean, default: false

    The CD (checking disabled) bit. Use cd, cd=1, or cd=true to disable DNSSEC validation; use cd=0, cd=false, or no cd parameter to enable DNSSEC validation.
"

My mistake, Google does support DNSSEC, but it also keeps logs. (I had assumed it didn't support DNSSEC because originally I had dnscrypt-proxy v2 set up to connect to all servers that required DNSSEC and no logging, and Google wasn't one of the resolvers it tried to connect to.)  For a resolver I require a) no logging, b) DNSSEC support.  I have since settled on server_names = ['ev-us3', 'opennic-onic', 'soltysiak'].  I am considering adding Cloudflare back, since it and ev-us3 have by far the lowest pings (15-25ms).  Opennic-onic has about 50ms pings, and I keep soltysiak because I used it on dnscrypt-proxy v1, it's located outside the US (about 100ms pings), and I trust the owner.  Also all 3 of my chosen resolvers fully support DNSv6 (they can connect to other DNS servers using IPv6 as opposed to only IPv4.  Not many do.)

You can see here that Google keeps logs https://dnscrypt.info/public-servers

Also, https://dnscrypt.info/faq lists the pros and cons to all encrypted DNS solutions such as dnscrypt, DNS-over-HTTPS, and many others.

Downsides to DNS-over-HTTPS:

a) Interception/monitoring tools are readily available
b) Allows insecure algorithms and parameters
c) Requires TCP

Anyway, if they support DNSSEC (and no logging), I would consider using a DNS-over-HTTPS server like Cloudflare, but no way in heck am I using Google since they keep logs.

(Last edited by starcms on 6 Apr 2018, 09:56)

Updated init.d script for dnscrypt-proxy v2, based on @InkblotAdmirer's from https://github.com/InkblotAdmirer/custo … -proxy-v2

Main changes are that the name is changed to dnscrypt-proxy (from dnscrypt-proxy-v2) to add compatibility with Adblock plus who knows what other apps.  The only downside to this is that you must uninstall the dnscrypt-proxy packages (the ones that currently come preinstalled, version 1.9.5).  Also fixed some issues with reload, a few other small fixes, and removed some unnecessary things as well.  Did a lot of experimenting and START=94 seems to work very well.

It's fully compatible with Adblock being used in dnscrypt-proxy mode as long as dnscrypt-proxy v2 file is installed/placed in /usr/bin as shown in the init.d file.

I'd like to hear feedback, especially from @InkblotAdmirer, and see if he will merge it with his github repo.  Then we can put a pull request in and get it merged with the trunk/snapshot builds and deprecate the old 1.9.5 version. That's why I highly recommend not having references to v2 in the init.d file.  Because once 2.0 makes its way in to openwrt/lede packages, no one will be running 1.9.5 anymore.  Plus, Adblock requires it this way to function if you are using dnscrypt-proxy as your resolver (as opposed to dnsmasq), which I highly recommend.

#!/bin/sh /etc/rc.common

START=94

USE_PROCD=1
NAME=dnscrypt-proxy

which uci > /dev/null 2>&1 && {

    . /lib/functions.sh

    BIN=/usr/bin/dnscrypt-proxy
    PIDLOC=/var/run/dnscrypt-proxy
    CFGFILE=/etc/config/dnscrypt-proxy.toml

    USER=nobody
    GRP=nogroup
}


boot()
{
    rc_procd start_service
}


start_service() {

        mkdir -p $PIDLOC
        chown $USER:$GRP $PIDLOC

        PIDFILE=$PIDLOC/$NAME-$USER.pid

        SERVICE_STRING="${BIN} -config ${CFGFILE}"

        procd_open_instance "$NAME-$USER"
        procd_set_param command ${SERVICE_STRING}

        procd_set_param file "$CFGFILE"
        procd_set_param stdout 1
        procd_set_param stderr 1
        procd_set_param pidfile "$PIDFILE"

        procd_set_param user $USER

        procd_close_instance

        logger -t $NAME "Starting $NAME instance running as $USER"
}


stop_service() {

        PIDFILE=$PIDLOC/$NAME-$USER.pid
        [ -e $PIDFILE ] && {
                kill -9 $( cat $PIDFILE )
                rm -f $PIDFILE
                logger -t $NAME "Stopping $NAME instance running as $USER"
        }
}


reload_service()
{
        stop
        logger -t $NAME "Reloading $NAME instance"
        start
}


restart()
{
        stop
        logger -t $NAME "Restarting $NAME instance"
        start
}

@InkBlot:

I removed

        [ $USER == "root" ] && {
          logger -t $NAME "Warning: ${NAME} running as root!"
        } || {
          chown $USER:$GRP $PIDLOC
        }

because looking at your code, it seems impossible for it to start in any other way besides with USER == nobody.

Regardless, could you explain the syntax for that portion and your reasoning for adding it?  It seems to be saying If USER == root, then output the warning to the log.  But how/when is the chown statement executed?  I've never seen that syntax before (the part with the chown command added on).

(Last edited by starcms on 6 Apr 2018, 12:36)
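The `&& { } || { }` construct starcms asks about, as an added shell example (not code from the thread or from the InkblotAdmirer package): it runs the quoted pattern and a plain if/else side by side, with the logger and chown calls replaced by stand-in functions, so the one case where the two forms behave differently (the first block returning a non-zero status) can be observed. The stand-in names and the warn_fails switch are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: `test && { B; } || { C; }`
# compared with if/else. Stand-in helpers (constructed for the example)
# replace logger and chown so the control flow can be run anywhere.

warn_fails=0   # set to 1 to make the warning branch return a failure status

# Stand-ins: each prints which branch ran. The warning's exit status is
# controlled by warn_fails so the difference between the two forms shows up.
log_warning() { echo "warn:$1"; [ "$warn_fails" -eq 0 ]; }
do_chown()    { echo "chown:$1"; }

# and_or USER: the pattern quoted from the init script, same shape.
# `||` applies to the whole of `test && { B; }`, so C runs either when the
# test fails OR when B itself ends with a non-zero status (B's last command
# decides that). With a successful logger both forms behave the same.
and_or() {
    u="$1"
    [ "$u" = "root" ] && {
        log_warning "$u"
    } || {
        do_chown "$u"
    }
}

# if_else USER: the same intent as a plain if/else; the else branch is
# chosen only by the test, never by the status of the then branch.
if_else() {
    u="$1"
    if [ "$u" = "root" ]; then
        log_warning "$u"
    else
        do_chown "$u"
    fi
}

# Demo run: identical output while the warning succeeds ...
echo "-- warning succeeds --"
and_or root; and_or nobody
if_else root; if_else nobody
# ... and a second branch for and_or once the warning fails.
echo "-- warning fails --"
warn_fails=1
and_or root      # prints warn:root AND chown:root
if_else root     # prints warn:root only
warn_fails=0
```

In the quoted snippet the first block ends with a `logger` call, so its status is whatever `logger` returns; if that call ever fails (no syslog available, for instance), the `chown` in the second block runs even though USER is root. An if/else does not have that second path, which is the usual reason to prefer it when the two blocks are not meant as alternatives of a single test.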