Messages - jimcease

#1
General Discussion / DNScrypt Not Starting
October 18, 2024, 02:38:29 PM
Good morning,
I am having issues getting DNSCrypt running. I am seeing different things. Why do folks not leverage the WebUI to configure DNSCrypt? It seems like people are using the manual way to run DNSCrypt; why is that? Are there issues with the WebUI correctly modifying the toml file? It also appears that this service collects servers on the fly, and you try to pare down the server list? What is the difference between the server entries on the setup versus the servers on the servers tab for DNSCrypt? Should one disable Unbound when leveraging DNSCrypt? My apologies, as I am a newb. Any information would be greatly appreciated. Is there a definitive guide on setting up DNSCrypt?

Thanks,
Jim
#2
Going to bed, but the actual logs were from when I first started to try to get this running on 10-12. No updates in the logs when I try to start the service. I am confused and tired at this point. DoT is running for now. If there is a simple step by step you can refer me to, either the WebUI or the manual way.
#3
I tried to use this and it fails. I also renamed the .sample to .toml and it does the same thing: loads the servers, then exits.
# DNSCrypt-proxy configuration file

# List of DNSCrypt or DoH servers to use
server_names = [
    # Primary unfiltered servers (Unfiltered, DNSSEC, No logging)
   
    # NextDNS (Unfiltered, DNSSEC, No logging)
    "sdns://AgcAAAAAAAAACjQ1LjkwLjMwLjAgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkWYW55Y2FzdC5kbnMubmV4dGRucy5pbwovZG5zLXF1ZXJ5", 
   
    # DNSCry.pt Ashburn (Unfiltered, DNSSEC, No logging)
    "sdns://AQcAAAAAAAAACzQ1LjExLjIzMC44IMGyYyUUH-ohVO5gxPJoOoTQYe6WeqqivutZK9FR5v2eGTIuZG5zY3J5cHQtY2VydC5kbnNjcnkucHQ", 
   
    # DNSCry.pt Allentown (Unfiltered, DNSSEC, No logging)
    "sdns://AQcAAAAAAAAADTIzLjEzNy4yNTMuMjQg3Z0YI7udXIjKWcPC5GdTm4Uk6D1x2DuyYuj2OZz2cKQZMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeS5wdA", 
   
    # Plan9 DNS NJ (Unfiltered, DNSSEC, No logging)
    "sdns://AQcAAAAAAAAAEjIwNy4yNDYuODcuOTY6ODQ0MyCwmQlIDpKk8SiiyrJbPgKhHxCrBJLb8ZWlu6tvr1KvkyQyLmRuc2NyeXB0LWNlcnQua3Jvbm9zLnBsYW45LWRucy5jb20", 
   
    # Fallback server (Filtered, DNSSEC, No logging) - Quad9
    # Quad9 (Filtered, DNSSEC, No logging)
    "sdns://aqmaaaaaaaaaddkuos45ljk6odq0mybnyee4yhwm0sakvuo-dwdg3ztfhytac4xha2jfgh2gphkylmruc2nyexb0lwnlcnqucxvhzdkubmv0"
]

# Listen on these addresses for DNS queries (localhost on port 5353)
listen_addresses = ['127.0.0.1:5353']

# Max number of simultaneous clients
max_clients = 250

# Enable DNS caching for performance improvement
cache = true
cache_size = 512

# Enable DNSSEC to ensure all servers provide DNSSEC validation
require_dnssec = true

# Disable the use of IPv6 servers (optional)
ipv6_servers = false

# Set fallback resolver to avoid DNS outages if all selected servers fail
fallback_resolver = '9.9.9.9:53'

# Block IPv6 entirely if not in use
block_ipv6 = true

# Set the path for log files
log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'
log_level = 2  # Log only warnings and errors

# Use DNSCrypt with ephemeral keys for privacy
dnscrypt_ephemeral_keys = true

# Set load-balancing strategy (p2 = prefer lowest-latency servers)
lb_strategy = 'p2'

# Disable TLS session tickets for better security
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199]

# Optional: Enable anonymized DNS if you need extra privacy
anon_routes = []

# Control whether to block relays with malicious content
block_relay = true
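The entries in the server_names list above are sdns:// DNS stamps. The following is an added example, not code from the original post or from the dnscrypt-proxy project: a small parser for the DNS stamp format (one protocol byte, a 64-bit little-endian properties field, then length-prefixed strings, as documented at dnscrypt.info/stamps) run over three of the entries copied from the config above. Stamps are base64url, which is case-sensitive, so the lowercased Quad9 entry does not decode at all; the parser reports that instead of silently accepting it. Note also that dnscrypt-proxy expects server_names to hold names from its source lists or from [static] entries, not raw stamps, so a checker like this is only a first sanity pass on the list.

```python
import base64
import struct

# sdns:// stamp layout (https://dnscrypt.info/stamps): one protocol byte, a 64-bit
# little-endian properties field, then length-prefixed (LP) strings.
PROTO_DNSCRYPT = 0x01
PROTO_DOH = 0x02
PROP_DNSSEC = 1 << 0
PROP_NO_LOG = 1 << 1
PROP_NO_FILTER = 1 << 2

# Entries copied from the server_names list in the post above (NextDNS DoH,
# DNSCry.pt Ashburn, and the lowercased Quad9 entry exactly as it appears there).
SAMPLE_STAMPS = [
    "sdns://AgcAAAAAAAAACjQ1LjkwLjMwLjAgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkWYW55Y2FzdC5kbnMubmV4dGRucy5pbwovZG5zLXF1ZXJ5",
    "sdns://AQcAAAAAAAAACzQ1LjExLjIzMC44IMGyYyUUH-ohVO5gxPJoOoTQYe6WeqqivutZK9FR5v2eGTIuZG5zY3J5cHQtY2VydC5kbnNjcnkucHQ",
    "sdns://aqmaaaaaaaaaddkuos45ljk6odq0mybnyee4yhwm0sakvuo-dwdg3ztfhytac4xha2jfgh2gphkylmruc2nyexb0lwnlcnqucxvhzdkubmv0",
]


def _lp(buf, pos):
    """Read one length-prefixed field (1-byte length); return (bytes, new_pos)."""
    if pos >= len(buf):
        raise ValueError("stamp truncated")
    n = buf[pos]
    pos += 1
    if pos + n > len(buf):
        raise ValueError("stamp truncated")
    return buf[pos:pos + n], pos + n


def _vlp(buf, pos):
    """Read a vlen-prefixed list: every length byte has bit 7 set except the last."""
    items = []
    while True:
        if pos >= len(buf):
            raise ValueError("stamp truncated")
        n = buf[pos]
        pos += 1
        last = not (n & 0x80)
        n &= 0x7F
        if pos + n > len(buf):
            raise ValueError("stamp truncated")
        if n:
            items.append(buf[pos:pos + n])
        pos += n
        if last:
            return items, pos


def parse_stamp(stamp):
    """Decode an sdns:// stamp into a dict; raise ValueError on anything malformed."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not an sdns:// stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 9:
        raise ValueError("stamp too short")
    proto = raw[0]
    if proto not in (PROTO_DNSCRYPT, PROTO_DOH):
        raise ValueError(f"unsupported or corrupted protocol byte 0x{proto:02x}")
    props = struct.unpack_from("<Q", raw, 1)[0]
    info = {
        "dnssec": bool(props & PROP_DNSSEC),
        "no_log": bool(props & PROP_NO_LOG),
        "no_filter": bool(props & PROP_NO_FILTER),
    }
    addr, pos = _lp(raw, 9)
    info["address"] = addr.decode("ascii")
    if proto == PROTO_DNSCRYPT:
        pk, pos = _lp(raw, pos)
        if len(pk) != 32:
            raise ValueError("DNSCrypt provider public key must be 32 bytes")
        name, pos = _lp(raw, pos)
        info.update(protocol="DNSCrypt", provider_key=pk.hex(),
                    provider_name=name.decode("ascii"))
    else:
        hashes, pos = _vlp(raw, pos)       # certificate hashes, may be empty
        host, pos = _lp(raw, pos)
        path, pos = _lp(raw, pos)
        info.update(protocol="DoH", cert_hashes=[h.hex() for h in hashes],
                    hostname=host.decode("ascii"), path=path.decode("ascii"))
    if pos != len(raw):
        raise ValueError("trailing bytes after stamp")
    return info


def check_stamps(stamps):
    """Return one {'stamp', 'ok', 'detail'} record per entry, never raising."""
    report = []
    for s in stamps:
        try:
            info = parse_stamp(s)
            label = info.get("provider_name") or info.get("hostname")
            flags = ", ".join(k for k in ("dnssec", "no_log", "no_filter") if info[k])
            detail = f"{info['protocol']} {label} @ {info['address']} [{flags}]"
            report.append({"stamp": s, "ok": True, "detail": detail})
        except ValueError as exc:
            report.append({"stamp": s, "ok": False, "detail": str(exc)})
    return report


if __name__ == "__main__":
    for r in check_stamps(SAMPLE_STAMPS):
        print("OK  " if r["ok"] else "BAD ", r["detail"])
```

Running it prints one line per entry; a "BAD" line for the last stamp points at the case problem before dnscrypt-proxy is ever started, and the flags column makes it obvious which listed servers really advertise DNSSEC, no logging and no filtering.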

#4
I am having the same problem when I was trying to use the WebUI. The service starts, finds 146 servers and then stops. Am I missing something stupid?
#5
Most of my issues were related to not understanding that the service does dynamic server selection. I was completing the server list in two places. I was definitely confused by the reference material concerning this service. I read through the forums and it looked like configuring via the WebUI might be problematic. During my reading it seemed as though going the manual route was the way to go. In part of my reading I kept coming across issues where the toml file gets overwritten, so I actually leveraged ChatGPT to help with this code. I will do some research on the link you provided. Thanks. I updated the script a bit as there were some errors, but the script runs as expected. I just have to figure out where to put it.
#6
First, I am very new to this stuff. I am working on getting DNSCrypt working in OPNsense. I was having trouble getting it to work via the web interface. I went through removing the GUI package and adding the package from the command line (pkg install dnscrypt-proxy2). I was seeing that folks have potential issues with the toml file, especially after firmware upgrades, with the toml potentially being overwritten.

Would the following work?

1.  Make a backup of the working file.
     cp /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup

2.  Create a hash of this backup.
     sha256 -q /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup > /usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.hash


3.  Create a script called pre-dnscrypt.sh which essentially compares the hash of the backup to the current file and, if they are different, copies the backup file over the current file.

#!/bin/sh
# Restore the dnscrypt-proxy config from a known-good backup if its hash has changed.

# Paths to the working config, backup, and hash in the correct directory
WORKING_FILE="/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
BACKUP_FILE="/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.backup"
HASH_FILE="/usr/local/etc/dnscrypt-proxy/temp/dnscrypt-proxy.toml.hash"

# Determine if sha256 (FreeBSD) or sha256sum (GNU coreutils) is available
if command -v sha256 >/dev/null 2>&1; then
    HASH_CMD="sha256 -q"
elif command -v sha256sum >/dev/null 2>&1; then
    HASH_CMD="sha256sum"
else
    echo "Error: Neither sha256 nor sha256sum found on this system."
    exit 1
fi

# Refuse to run without a backup and a hash file; there would be nothing to restore from
if [ ! -f "$BACKUP_FILE" ] || [ ! -f "$HASH_FILE" ]; then
    echo "Error: backup or hash file missing, nothing to restore from."
    exit 1
fi

# Generate the current hash of the working file
CURRENT_HASH=$($HASH_CMD "$WORKING_FILE" | awk '{print $1}')

# Retrieve the known-good hash. Pull out the 64-hex-digit token so that both the
# "SHA256 (file) = hash" format written by plain sha256 and a bare hash are accepted;
# comparing the whole line against a bare hash would always report a mismatch.
KNOWN_HASH=$(grep -oE '[0-9a-f]{64}' "$HASH_FILE" | head -n 1)

echo "Current Hash: $CURRENT_HASH"
echo "Known Hash: $KNOWN_HASH"

# Compare the hashes
if [ "$CURRENT_HASH" != "$KNOWN_HASH" ]; then
    echo "DNSCrypt config is corrupted or overwritten, restoring from backup..."
    cp "$BACKUP_FILE" "$WORKING_FILE"
    # Regenerate the hash after restoring
    $HASH_CMD "$BACKUP_FILE" | awk '{print $1}' > "$HASH_FILE"
else
    echo "DNSCrypt config is valid, no need for restore."
fi


4.  Add this script to the startup script for /usr/local/etc/rc.d/dnscrypt-proxy

start_precmd="${name}_prestart"
start_cmd="${name}_start"

# Run the pre-startup script before dnscrypt-proxy starts. Hooking it as
# start_precmd means rc(8) runs it only for "start" (not stop/status) and
# aborts the start if the script exits non-zero.
dnscrypt_proxy_prestart()
{
    /usr/local/bin/pre_dnscrypt_start.sh
}

dnscrypt_proxy_start()
{
    echo "Starting dnscrypt-proxy..."
    ${command} ${dnscrypt_proxy_flags}
}
#7
Good afternoon,
I am using DoT and using a NAT rule to forward from all interfaces, any port, any source, to all interfaces net port 53, to 127.0.0.1 port 53 [Redirect internal DNS to internal DNS Resolver]. I see a message in the firewall for 127.0.0.1 "Redirect internal DNS to internal DNS Resolver", but from the address of the interface it is blank. Is this normal behavior? Thanks in advance for any advice or assistance. I am new to this; it has been a nice learning experience so far.

Jim
#8
General Discussion / OPNsense IPv4 only -
October 10, 2024, 01:55:20 PM
Good morning,
I have a question. Is there a way to turn off IPv6? Each interface is set to none for IPv6. I don't see an option in Advanced to turn off IPv6. Is there a file (or files) that can be modified to turn off IPv6? Thanks in advance for your input.

Jim
#9
Good morning,
I am looking for a good recommendation for an M.2 A+E card to add an Ethernet port to a new build. I am thinking that the Intel i225v B3 should be OK, but the other option is the RTL 8111e/f. Any recommendations on what will work right out of the box? Thank you in advance for your assistance.
#10
First let me say I am not an HTML coder by any means, but I have been working with ChatGPT for a bit on developing seasonal and holiday based pages for a home guest network. With the help of ChatGPT I actually developed a calendar to display a theme or holiday based login page. Went back and forth making modifications, but it came down to making simple changes in the index and style file, but I always seem to get a 404 once you click login. I am unsure if it is some sort of redirection or coding being missed. Any insight?
#11
I will be connecting WAN to Xfinity and obtaining a public IP.
#12
Background: just built an m720q tiny with an Intel 8500T, 16 mb ram and a 256gig SSD, and I am bringing up a TP-Link TL-SG1016DE. I am a newb and am scheduling the cut over before my family wakes up on Saturday morning. I need to make sure Plex, IP CAM, printing, and consoles work as expected. Once the wired network is verified working I will convert the ASUS GT AX 11000 to AP mode. OPNsense will be connected to Xfinity Internet and get a public IP.

So far I have created VLANs with some rules:
LAN: 192.168.1.1/24    Where network equipment will reside; the main PC will be moved to the User VLAN once all is working
Plex: 192.168.10.1/24   This is where my Plex server will reside; created an alias called Plex
User: 192.168.20.1/24   This is where all PC equipment will be located
IOT: 192.168.30.1/24    This is where all my phones, streaming devices, printer, and gaming consoles live; aliases for consoles and printer
Guest: 192.168.40.1/24  All guest devices will connect here
IPCam: 192.168.50.1/24  The IP camera lives here; alias IPCam
https://photos.app.goo.gl/3syMwEqEujLw6Mbg8    LAN
https://photos.app.goo.gl/9FzFpDpLALsahjzX8    User VLAN
https://photos.app.goo.gl/peZFfcdAbdiy5sqX6    Plex VLAN
https://photos.app.goo.gl/edGse7WBfuAaL7fJ8    IOT VLAN
https://photos.app.goo.gl/3ESN8CXKLrhVjRqA6    Guest VLAN
https://photos.app.goo.gl/LujiihVcQqmH8cGM7    IPCam VLAN

https://photos.app.goo.gl/kK9z6zJyk1Y5nw7u5    NAT Type 2 Rule

The next question is DNS: should I start open and then try DoT?
DoT https://homenetworkguy.com/how-to/configure-dns-over-tls-unbound-opnsense/
Force local resolver https://homenetworkguy.com/how-to/redirect-all-dns-requests-to-local-dns-resolver/

After I verify that all is working should I attempt to implement:
Antivirus https://docs.opnsense.org/manual/how-tos/proxyicapantivirusinternal.html
IP Block and GEO Block https://windgate.net/opnsense-ip-blocklists-and-geo-ip-block-to-enhance-security-against-malicious-attacks/

First, thanks for verifying my thinking, as I am really new and trying to learn things quickly. Thanks for taking the time and sharing your knowledge with me. Lastly, my apologies, as I could not figure out how to get the images to post, so I added links to them. Again, I greatly appreciate your help, and so will my family when things are working.

#13
I was trying to follow this how-to from Home Network Guy.
https://homenetworkguy.com/how-to/set-up-a-fully-functioning-home-network-using-opnsense/

I guess I got duped in a way. All my ports are 1GB ports.

I have a home network with less than 25 devices. So I bought into this potentially assisting with kind of load balancing traffic. I am coming from an ASUS GT AX11000 and an unmanaged switch setup to my proposed network in the first post. So I guess go with everything except LAGG :)
#14
First let me say that this is my first time creating my own router and network setup. I am going with a Lenovo m720q 8500T with 16gm RAM, an ASUS AX11000 (WAP mode), and a TP-Link TL-SG1016DE setup. I am going to set up a few VLANs as such:
1 default, 10 Server, 20 User, 30 IOT, 40 Guest, 50 IPCam. My first question is the LAGG protocol. From my reading of this switch it will only support a static LAGG, as it does not support LACP, so I would choose the loadbalance protocol. Can someone explain if I am interpreting this correctly and the benefits of doing so?
My next question is whether I select tagged ports on the switch, being the 1 uplink port, the two LAGG ports and the WAP port, and untagged port(s) for the specific VLAN.

I appreciate your response and thank you in advance for the insight. Forgive my ignorance, as I am a NEWB.