Messages

1

19.1 Production Series / problem updating

« on: February 03, 2019, 08:55:23 am »

Just reporting I had to revert back to 18.7 from 19.1

Not sure where the problem was. My setup is DNSCrypt on 127.0.0.2:53, unbound listen on #53 and

Code: [Select]

do-not-query-localhost: no

      forward-zone:
        name: "."
        forward-addr: 127.0.0.2@53
system dns setting is just 127.0.0.2

For firewall rules I have NAT Port Forward--> "LAN2    TCP/UDP    *    *    ! LAN2 address    53 (DNS)    127.0.0.2    53 (DNS)    DNS (KEEP AT TOP) " for all 3 interfaces.

Also I have for Virtual IP --> "127.0.0.2/32    Loopback    IP Alias    DNSCrypt "

This worked well on 18.7 , forcing every clients to use dnscrypt.
On 19.1 the GUI was locking up a little and it seems unbound was not getting reply from dnscrypt. dnscrypt log said it was listening where it should and could communicate upstream. All services were running. Maybe someone else has the same issues?

2

Tutorials and FAQs / Domain blocking with DNSCrypt v2 tutorial 18.7 (obsolete)

« on: January 25, 2019, 10:06:40 am »

Edit: This howto is obsolete since the latest plugin has added blocklists to the gui.

I got domain blocking to work with the new DNSCrypt package that has been recently been added to opnsense. Thanks mimugmail  (m.muenz@gmail.com).

I may have done something incorrectly and poorly so please suggest a better way if you know one.

After you get dnscrypt up and running, and checked that it is working proceed to the shell.

(If your missing nano or wget just type "pkg install wget" or "pkg install nano")

Code: [Select]

mkdir /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
cd  /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist.conf
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist-local-additions.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-time-restricted.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-whitelist.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
chmod a+x generate-domains-blacklist.py

Now is a good time to edit the .conf file.

Code: [Select]

nano domains-blacklist.confRemove the hash symbol on the lists you want and comment out the ones you don't want, I added a few of my own at the end of the file, mostly facebook and microsoft domains.

Also edit domains-blacklist-local-additions.txt.

Code: [Select]

nano domains-blacklist-local-additions.txtI myself did not want to block *.local, *.localdomain or *.workgroup
so comment them out if you want to also.

Now to run the program

Code: [Select]

/usr/local/bin/python2.7 generate-domains-blacklist.py > dnscrypt-blacklist-domains.txt
Try it twice if it fails fetching a adblock list like it did to me.

If you succeed, go up a directory

Code: [Select]

cd ..and make another file that will point to your new blocklist

Code: [Select]

ln -s generate-domains-blacklists/dnscrypt-blacklist-domains.txt dnscrypt-blacklist-domains.txt
Lastly we need to edit the config file for dnscrypt and tell it about out blacklist

Code: [Select]

nano dnscrypt-proxy.toml
add this to the end -->

Code: [Select]

[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'
Go to the router's GUI  -->Services -->DnsCrypt-Proxy, and restart the service.
If it comes back up it should now be blocking those domains. If it doesn't, comment out the

Code: [Select]

blacklist_file = 'dnscrypt-blacklist-domains.txt in the .toml file and double check everything.

Hope this works for you. :-)

Edit: Important, the changes to the .toml file do not stick after you save from the GUI, so you need to edit

Code: [Select]

nano /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
add the blacklist section so it looks like this:

Code: [Select]

[static]

[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'

{% if helpers.exists('OPNsense.dnscryptproxy.server.servers.server') %}
{%   for server_list in helpers.toList('OPNsense.dnscryptproxy.server.servers.server') %}
{%     if server_list.enabled == '1' %}
  [static.'{{server_list.name}}']
  stamp = 'sdns://{{server_list.stamp}}'
{%     endif %}
{%   endfor %}
{% endif %}
Just below [static] but above the rest at the end.

Edit#2 Here is a tutorial I found to force DNSCrypt on all your clients https://forum.opnsense.org/index.php?topic=9245.0   Just remember to change 127.0.0.1 in the example to 127.0.0.2.

3

Tutorials and FAQs / Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

« on: January 25, 2019, 04:23:02 am »

This is great! Many thanks to the dev mimugmail (m.muenz@gmail.com) and for the tutorial!
I had a little trouble with it not starting when I entered some dns servers in the list at https://dnscrypt.info/public-servers/
I ended up looking at the log located in

Code: [Select]

cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log and choosing 3 of the resolvers that worked. I am wondering if one of the resolvers goes down, will this stop dnsproxy from starting at boot?

I went a different route from the tutorial in first post, I set up a Virtual IP in Firewall --> Virtual IP
I used: IP Alias | loopback | 127.0.0.2
Then configured the DNSCrypt plugin to use 127.0.0.2:53 (and deleted the default ones)
Lastly I headed over to  System --> Settings --> General and put 127.0.0.2 in the in the DNS Server box.

My test at https://www.dnsleaktest.com showed my dns queries are using dnscrypt. :-)

One feature request is to be able edit the verb for the log and also to show the log in the GUI.
Thanks again for this plugin!

4

18.7 Legacy Series / Re: [SOLVED] openvpn client-to-client tutorial/help needed

« on: January 03, 2019, 10:14:03 am »

Thanks Bart,
I struggled through it, got it done today.
Works grrreat! I used the tutorial https://backreference.org/2009/11/15/openvpn-and-iroute/, printed it out, studied it, scribbled on it and then deployed it.
It sorta makes sense to me and does indeed enable me to access my network from remote, even when my home network is behind carrier grade NAT.

Also thank opnsense devs for still including the scramble patch. :-)

5

18.7 Legacy Series / [SOLVED] openvpn client-to-client tutorial/help needed

« on: December 27, 2018, 07:28:11 am »

I have my ISP giving me carrier grade NAT. This broke my openvpn server running on my opnsense box.


So I changed the OpnSense from server to client and connect to a openvpn server with a static IP somewhere else.
I want to have my OpnSense LAN subnet connect as a client to a OpenVPN server that is running lets say in a VPS in some data center. I have client-to-client enabled in the server.conf in the VPS.  The connection from the VPS to my OpnSense client is already established. I just need help or suggestion as when another client connects to the openvpn server I can not ping any devices on my lan.

6

18.1 Legacy Series / [solved] Port Forwarding / troubleshooting with netcat

« on: June 07, 2018, 05:02:49 am »

 Hello,
I am trying to figure out where the trouble is at to get port forwarding to work. I have a ISP fiber GPON modem (Chinese, remotely administered) ,that I assume is in bridge mode, I had asked the ISP to change it bridge mode, they did this from their network, the WAN interface on my OpnSense 18.1 now does the PPPoE credentials. I am confused because the public IP addressed assigned to the WAN as reported by OpnSense is not the same as my IP as reported by the websites I visit.

So my question if anybody knows, when I type from the opnsense terminal # "nc -l WAN_IP_as_reported_by_opnsense 5061" it is listening on the WAN interface and I don't need to make rules and change some obscure settings around right?

I have been using a VPS to SSH into and then use netcat from that to see if the packets arrive to my WAN Interface of OpnSense. So far no luck, I don't know where the failure is at.

Edit: The port forwarding problem is due to Carrier Grade NAT, I think opnsense was listening on the WAN at port 5061 when I asked it to from the terminal.

7

Tutorials and FAQs / Re: Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 / 17.7 / 18.1 :-)

« on: February 05, 2018, 01:53:04 pm »

I noticed I did something wrong because dnscrypt-proxy does not start after reboot. I must type in "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol

/etc/rc.conf is root:wheel and not executable (I think that is correct)

If anybody else knows let me know :-) I may just use a cron job @reboot because my skills are poor.

Cake, did you read this post?

Thanks, It worked!
I did read your post, I must be getting a little alzheimer's. So I guess the tutorial on the first post is now a little wrong?  I'll try and edit it tomorrow, but it sounds like the whole thing may be out of date as w2712663 mentions there is a updated version. yay!
Thanks again.

8

Tutorials and FAQs / Re: Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 / 17.7 / 18.1 :-)

« on: February 01, 2018, 12:08:08 am »

I noticed I did something wrong because dnscrypt-proxy does not start after reboot. I must type in "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol

/etc/rc.conf is root:wheel and not executable (I think that is correct)

If anybody else knows let me know :-) I may just use a cron job @reboot because my skills are poor.

Yes Franco a plugin would be nice. Cheers

9

Tutorials and FAQs / Re: Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 / 17.7 / 18.1 :-)

« on: January 31, 2018, 01:14:56 am »

Upgraded to 18.1 this morning.
The upgrade went fine, then after reboot no dns. (drill example.com)
Went to System --> Settings --> General and changed everything to 8.8.8.8 and 8.8.4.4 just for a while.
SSH into shell and checked ping and drill, working, followed from first post again.

Code: [Select]

mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.original
nano /usr/local/etc/rc.d/dnscrypt-proxy
And pasted this in again

Code: [Select]

#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str): Set to "dnscrypt_proxy" by default.
#  List of dnscrypt_proxy instance id's,
#  e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):  Set to NO by default.
#  Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):  Set to "_dnscrypt-proxy" by default.
#      User to switch to after starting.
# {instance_id}_resolver (str):  Set to "opendns" by default.
#      Choose a different upstream resolver.
# {instance_id}_pidfile (str):  default: "/var/run/dnscrypt-proxy.pid"
#      Location of pid file.
# {instance_id}_logfile (str):    default: "/var/log/dnscrypt-proxy.log"
#  Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy

load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
  name=${i}

  eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
  rcvar=${name}_enable

  load_rc_config ${i}

  eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
  eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
  eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
  eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

:  ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}  # User to run daemon as
:  ${dnscrypt_proxy_resolver_tmp:=opendns}  # resolver to use
:  ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
:  ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file

  command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

  pidfile=${dnscrypt_proxy_pidfile_tmp}

  _rc_restart_done=false # workaround for: service dnscrypt-proxy restart

  run_rc_command "$1"
done

Make it executable

Code: [Select]

chmod a+x /usr/local/etc/rc.d/dnscrypt-proxy
Update the resolver list with this new place on github

Code: [Select]

wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://github.com/dyne/dnscrypt-proxy/raw/master/dnscrypt-resolvers.csv
Change the resolvers to the one you want

Code: [Select]

nano /etc/rc.confMine looks like this:

Code: [Select]

ddclient_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="soltysiak"
dnscrypt_proxy_2_flags="-a 127.0.0.3:53 -l /var/log/"
dnscrypt_proxy_3_resolver="dnscrypt.eu-dk"
dnscrypt_proxy_3_flags="-a 127.0.0.4:53 -l /var/log/"Then start dnscrypt

Code: [Select]

service dnscrypt-proxy restart
Lastly I went back to System --> Settings --> General and changed the list back to 127.0.0.2 ; 127.0.0.3 and 127.0.0.4 for the WAN gateway.

Checked to make sure all is working with https://ipleak.net/

Big Thanx to the devs and the people making and improving opnsense.

10

17.7 Legacy Series / openvpn obfuscate

« on: August 09, 2017, 12:17:54 am »

Thanks devs for still including the scramble patch for openvpn. Still works great for client and server after updating to 17.7
 

(its not mentioned much, but I still use it)

To anybody wondering what I'm talking about, its a simple way to obfuscate openvpn traffic, otherwise I read openvpn traffic is easier to fingerprint from my understanding.

11

Tutorials and FAQs / Re: Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 :-)

« on: August 06, 2017, 11:44:06 pm »

I just did a update from 17.1 to 17.7 as well. So far I had only minor trouble with update, I started the update from the GUI, and got held up on a r2 after it rebooted until I went and changed System-->Settings-->General--DNS to google's 8.8.8.8 from 127.0.0.1 ....... just temporarily.
Then I went back to firmware and tried again. I got to update to 17.7  , (I was stuck on a r2 update with a end of life message also was failing to check updates due to system dns set to 127.0.0.1 .....) After the final upgrade I changed  System-->Settings-->General--DNS back to 127.0.0.1, 127.0.0.2 and 127.0.0.3 (what I had earlier)

I thought I had nsookup and dig available, but I see there is  a tool I never used before in its place -> drill. I also had to re-paste from 1st post back into  /usr/local/etc/rc.d/dnscrypt-proxy and chmod a+x

After that it dnscrypt works like a charm again.

12

17.1 Legacy Series / [SOLVED] UPnP

« on: February 18, 2017, 02:43:17 am »

I am missing the UPnP in services. So in System-->Firmware--> Packages I see miniupnpd was already installed, So I tried to install in plugins --> os-upnp.
It installed and I rebooted, but dnscrypt-proxy no longer worked. (I am using multiple dnscrypt) dnscrypt-proxy would not start, and I could not find anything in the /var/log as to why (I tried to increase verb) - my skills are not that good. UPnP showed up in Services, just like some screen shots I have seen in other posts.

So I removed os-upnp, and after reboot. dnscrypt-proxy started automatically and works again, but Universal Plug and Play is missing in Services (GUI). I have a machine with Steam on it, and on several games the mutiplayer does not work, so I am guessing I need UPnP and allow that machine on the network to open ports? Just wondering if anyone else knows what I did wrong.

13

17.1 Legacy Series / Re: [solved] OpenVPN selective routing

« on: February 16, 2017, 12:12:16 am »

Thank you very much djGrrr. Your suggestion to update from 17.1 to 17.1.1 fixed it. Now it all (firewall rules) makes sense again! lol

14

17.1 Legacy Series / [solved] OpenVPN selective routing

« on: February 15, 2017, 09:24:07 am »

I had OpenVPN working previously, but have spent over a day on this with out any luck.
I have the Qotom box with 4 Intel LANs. Not sure how I broke this, but I had 1 whole interface that was routed to OpenVPN (Client to Server) Opnsense was the client.

Well the client connects, however all interfaces are getting routed through the vpn. I have played quite a bit with NAT and Firewall rules, but I still may be missing something. I could post some screen shots if someone on here could help me get this sorted. This kinda stopped working around the time I updated to 17.1

15

Development and Code Review / Re: PHP errors [solved]

« on: January 02, 2017, 11:00:39 am »

Franco Thanks

I was a version behind on everything. I feel like a dummy.
Updated-- all better!


Cheers!