Messages

1

19.1 Legacy Series / [solved] How do I edit sshd_config

« on: April 23, 2019, 09:03:37 am »

I am trying to figure out the stability for dnscrypt_proxy plugin and I see this in the dnscrypt_proxy log

Code: [Select]

[2019-04-23 13:29:05] [FATAL] listen udp 127.0.0.2:53: bind: address already in use
127.0.0.2 and 192.168.44.4 are virtual IP's (IP Alias )

The system log says it is sshd that is listening there, but it is not listed in the GUI (attached screenshot).

Here is my sshd_config file that I assume gets over written if changed.  /usr/local/etc/ssh/sshd_config

Code: [Select]

# This file was automatically generated by /usr/local/etc/inc/plugins.inc.d/openssh.inc
Port 22
Protocol 2
Compression yes
ClientAliveInterval 30
UseDNS no
X11Forwarding no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
AllowGroups wheel admins
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
HostKey /conf/sshd/ssh_host_rsa_key
HostKey /conf/sshd/ssh_host_ecdsa_key
HostKey /conf/sshd/ssh_host_ed25519_key
HostKey /conf/sshd/ssh_host_dsa_key
ListenAddress 10.8.1.2
ListenAddress 192.168.45.1
ListenAddress 192.168.44.1
ListenAddress 192.168.44.4
ListenAddress 127.0.0.1
ListenAddress 127.0.0.2
ListenAddress ::1
I would like to remove the virtual Ip addresses. If I restart openssh 127.0.0.2 and 192.168.44.4 re-appears even if removed or commented it out. Any ideas?

Solved: I changed the listen port from 53 to 5353 on the dnscrypt listen addresses and it seems to work now.

2

Tutorials and FAQs / Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

« on: April 19, 2019, 01:41:17 am »

Yes it does switch, maybe I have a setting wrong or some other configuration.
Here is a bit of a log, you can see at first 3 have a timeout, and 6 hours later 11 servers are timeout.

Code: [Select]

[2019-04-18 19:56:57] [NOTICE] Source [public-resolvers.md] loaded
[2019-04-18 19:56:57] [NOTICE] dnscrypt-proxy 2.0.19
[2019-04-18 19:56:57] [NOTICE] Loading the set of whitelisting rules from [whitelist.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of blocking rules from [blacklist.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of cloaking rules from [cloaking-rules.txt]
[2019-04-18 19:56:57] [NOTICE] Loading the set of forwarding rules from [forwarding-rules.txt]
[2019-04-18 19:56:57] [NOTICE] Now listening to 127.0.0.2:53 [UDP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 127.0.0.2:53 [TCP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 192.168.44.4:53 [UDP]
[2019-04-18 19:56:57] [NOTICE] Now listening to 192.168.44.4:53 [TCP]
[2019-04-18 19:56:58] [NOTICE] [arvind-io] OK (crypto v2) - rtt: 256ms
[2019-04-18 19:56:58] [NOTICE] [bottlepost-dns-nl] OK (crypto v2) - rtt: 286ms
[2019-04-18 19:57:00] [NOTICE] [charis] TIMEOUT
[2019-04-18 19:57:00] [NOTICE] [cpunks-ru] OK (crypto v1) - rtt: 313ms
[2019-04-18 19:57:01] [NOTICE] [cs-ch] OK (crypto v2) - rtt: 312ms
[2019-04-18 19:57:01] [NOTICE] [cs-swe] OK (crypto v2) - rtt: 293ms
[2019-04-18 19:57:01] [NOTICE] [cs-nl] OK (crypto v2) - rtt: 213ms
[2019-04-18 19:57:01] [NOTICE] [cs-nl2] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:02] [NOTICE] [cs-fi] OK (crypto v2) - rtt: 200ms
[2019-04-18 19:57:02] [NOTICE] [cs-pl] OK (crypto v2) - rtt: 295ms
[2019-04-18 19:57:02] [NOTICE] [cs-dk] OK (crypto v2) - rtt: 206ms
[2019-04-18 19:57:02] [NOTICE] [cs-it] OK (crypto v2) - rtt: 170ms
[2019-04-18 19:57:02] [NOTICE] [cs-fr] OK (crypto v2) - rtt: 158ms
[2019-04-18 19:57:03] [NOTICE] [cs-fr2] OK (crypto v2) - rtt: 160ms
[2019-04-18 19:57:03] [NOTICE] [cs-pt] OK (crypto v2) - rtt: 211ms
[2019-04-18 19:57:03] [NOTICE] [cs-hk] OK (crypto v2) - rtt: 361ms
[2019-04-18 19:57:03] [NOTICE] [cs-ro] OK (crypto v2) - rtt: 191ms
[2019-04-18 19:57:03] [NOTICE] [cs-mo] OK (crypto v2) - rtt: 205ms
[2019-04-18 19:57:04] [NOTICE] [cs-lv] OK (crypto v2) - rtt: 202ms
[2019-04-18 19:57:04] [NOTICE] [cs-uk] OK (crypto v2) - rtt: 165ms
[2019-04-18 19:57:04] [NOTICE] [cs-de] OK (crypto v2) - rtt: 162ms
[2019-04-18 19:57:04] [NOTICE] [cs-de2] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:04] [NOTICE] [cs-ca] OK (crypto v2) - rtt: 218ms
[2019-04-18 19:57:05] [NOTICE] [cs-ca2] OK (crypto v2) - rtt: 291ms
[2019-04-18 19:57:05] [NOTICE] [cs-usny] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:05] [NOTICE] [cs-usil] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:05] [NOTICE] [cs-usnv] OK (crypto v2) - rtt: 216ms
[2019-04-18 19:57:08] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-18 19:57:08] [NOTICE] [cs-usdc] OK (crypto v2) - rtt: 264ms
[2019-04-18 19:57:08] [NOTICE] [cs-ustx] OK (crypto v2) - rtt: 242ms
[2019-04-18 19:57:08] [NOTICE] [cs-usga] OK (crypto v2) - rtt: 250ms
[2019-04-18 19:57:09] [NOTICE] [cs-usnc] OK (crypto v2) - rtt: 258ms
[2019-04-18 19:57:09] [NOTICE] [cs-usca] OK (crypto v2) - rtt: 209ms
[2019-04-18 19:57:09] [NOTICE] [cs-usor] OK (crypto v2) - rtt: 272ms
[2019-04-18 19:57:09] [NOTICE] [d0wn-is-ns2] OK (crypto v1) - rtt: 235ms
[2019-04-18 19:57:10] [NOTICE] [d0wn-tz-ns1] OK (crypto v1) - rtt: 392ms
[2019-04-18 19:57:10] [NOTICE] [de.dnsmaschine.net] OK (crypto v2) - rtt: 204ms
[2019-04-18 19:57:10] [NOTICE] [dnscrypt.ca-1] OK (crypto v2) - rtt: 297ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.ca-2] OK (crypto v2) - rtt: 288ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.eu-dk] OK (crypto v2) - rtt: 205ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.eu-nl] OK (crypto v1) - rtt: 301ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.me] OK (crypto v2) - rtt: 180ms
[2019-04-18 19:57:11] [NOTICE] [dnscrypt.nl-ns0] OK (crypto v2) - rtt: 196ms
[2019-04-18 19:57:12] [NOTICE] [dnscrypt.uk-ipv4] OK (crypto v2) - rtt: 282ms
[2019-04-18 19:57:12] [NOTICE] [ev-va] OK (crypto v2) - rtt: 274ms
[2019-04-18 19:57:12] [NOTICE] [ev-to] OK (crypto v2) - rtt: 270ms
[2019-04-18 19:57:12] [NOTICE] [freetsa.org] OK (crypto v1) - rtt: 256ms
[2019-04-18 19:57:13] [NOTICE] [ibksturm] OK (crypto v2) - rtt: 453ms
[2019-04-18 19:57:13] [NOTICE] [ipredator] OK (crypto v1) - rtt: 194ms
[2019-04-18 19:57:13] [NOTICE] [opennic-ethservices] OK (crypto v1) - rtt: 261ms
[2019-04-18 19:57:14] [NOTICE] [opennic-ethservices2] OK (crypto v1) - rtt: 259ms
[2019-04-18 19:57:14] [NOTICE] [opennic-luggs] OK (crypto v1) - rtt: 284ms
[2019-04-18 19:57:14] [NOTICE] [opennic-luggs2] OK (crypto v1) - rtt: 287ms
[2019-04-18 19:57:14] [NOTICE] [publicarray-au] OK (crypto v2) - rtt: 176ms
[2019-04-18 19:57:17] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 19:57:17] [NOTICE] [quad9-dnscrypt-ip4-nofilter-pri] OK (crypto v1) - rtt: 160ms
[2019-04-18 19:57:17] [NOTICE] [quad9-dnscrypt-ip4-nofilter-alt] OK (crypto v1) - rtt: 158ms
[2019-04-18 19:57:19] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 19:57:19] [NOTICE] [scaleway-fr] OK (crypto v2) - rtt: 162ms
[2019-04-18 19:57:19] [NOTICE] [securedns] OK (crypto v1) - rtt: 284ms
[2019-04-18 19:57:20] [NOTICE] [soltysiak] OK (crypto v1) - rtt: 280ms
[2019-04-18 19:57:20] [NOTICE] [suami] OK (crypto v2) - rtt: 161ms
[2019-04-18 19:57:20] [NOTICE] [trashvpn.de] OK (crypto v2) - rtt: 169ms
[2019-04-18 19:57:20] [NOTICE] [ventricle.us] OK (crypto v2) - rtt: 275ms
[2019-04-18 19:57:22] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 19:57:22] [NOTICE] [opennic-R4SAS] OK (crypto v2) - rtt: 191ms
[2019-04-18 19:57:22] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 19:57:22] [NOTICE] dnscrypt-proxy is ready - live servers: 61
[2019-04-18 20:57:25] [NOTICE] [charis] TIMEOUT
[2019-04-18 20:57:31] [NOTICE] [cs-uswa] OK (crypto v2) - rtt: 289ms
[2019-04-18 20:57:40] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 20:57:42] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 20:57:46] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 20:58:01] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 21:58:04] [NOTICE] [charis] TIMEOUT
[2019-04-18 21:58:18] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 21:58:20] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 21:58:24] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 21:58:39] [NOTICE] Server with the lowest initial latency: cs-fr (rtt: 158ms)
[2019-04-18 22:58:42] [NOTICE] [charis] TIMEOUT
[2019-04-18 22:58:57] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 22:58:59] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 22:59:02] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 22:59:17] [NOTICE] Server with the lowest initial latency: scaleway-fr (rtt: 159ms)
[2019-04-18 23:59:19] [NOTICE] [charis] TIMEOUT
[2019-04-18 23:59:25] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 23:59:27] [NOTICE] [cs-de] TIMEOUT
[2019-04-18 23:59:38] [NOTICE] [qag.me] TIMEOUT
[2019-04-18 23:59:40] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-18 23:59:44] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-18 23:59:50] [NOTICE] [cs-lv] TIMEOUT
[2019-04-18 23:59:52] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 00:00:02] [NOTICE] Server with the lowest initial latency: cs-fr2 (rtt: 158ms)
[2019-04-19 01:00:05] [NOTICE] [charis] TIMEOUT
[2019-04-19 01:00:10] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 01:00:12] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 01:00:16] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 01:00:25] [NOTICE] [qag.me] TIMEOUT
[2019-04-19 01:00:27] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-19 01:00:30] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-19 01:00:37] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 01:00:39] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 01:00:51] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 01:00:51] [NOTICE] Server with the lowest initial latency: cs-fr2 (rtt: 158ms)
[2019-04-19 02:00:54] [NOTICE] [charis] TIMEOUT
[2019-04-19 02:01:00] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 02:01:02] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 02:01:05] [NOTICE] [cs-uswa] TIMEOUT
[2019-04-19 02:01:12] [NOTICE] [ibksturm] TIMEOUT
[2019-04-19 02:01:16] [NOTICE] [qag.me] TIMEOUT
[2019-04-19 02:01:18] [NOTICE] [qualityology.com] TIMEOUT
[2019-04-19 02:01:22] [NOTICE] [opennic-bongobow] TIMEOUT
[2019-04-19 02:01:28] [NOTICE] [cs-lv] TIMEOUT
[2019-04-19 02:01:30] [NOTICE] [cs-de] TIMEOUT
[2019-04-19 02:01:42] [NOTICE] [cs-uswa] TIMEOUT

3

Tutorials and FAQs / Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

« on: April 18, 2019, 03:04:41 pm »

Does anybody get server timeouts after a few days or so?  I start dnscrypt and after a couple days most servers are timeout according to the log. Not sure how to investigate. Maybe I start with making the log more verbose?

4

19.1 Legacy Series / problem updating

« on: February 03, 2019, 08:55:23 am »

Just reporting I had to revert back to 18.7 from 19.1

Not sure where the problem was. My setup is DNSCrypt on 127.0.0.2:53, unbound listen on #53 and

Code: [Select]

do-not-query-localhost: no

      forward-zone:
        name: "."
        forward-addr: 127.0.0.2@53
system dns setting is just 127.0.0.2

For firewall rules I have NAT Port Forward--> "LAN2    TCP/UDP    *    *    ! LAN2 address    53 (DNS)    127.0.0.2    53 (DNS)    DNS (KEEP AT TOP) " for all 3 interfaces.

Also I have for Virtual IP --> "127.0.0.2/32    Loopback    IP Alias    DNSCrypt "

This worked well on 18.7 , forcing every clients to use dnscrypt.
On 19.1 the GUI was locking up a little and it seems unbound was not getting reply from dnscrypt. dnscrypt log said it was listening where it should and could communicate upstream. All services were running. Maybe someone else has the same issues?

5

Tutorials and FAQs / Domain blocking with DNSCrypt v2 tutorial 18.7 (obsolete)

« on: January 25, 2019, 10:06:40 am »

Edit: This howto is obsolete since the latest plugin has added blocklists to the gui.

I got domain blocking to work with the new DNSCrypt package that has been recently been added to opnsense. Thanks mimugmail  (m.muenz@gmail.com).

I may have done something incorrectly and poorly so please suggest a better way if you know one.

After you get dnscrypt up and running, and checked that it is working proceed to the shell.

(If your missing nano or wget just type "pkg install wget" or "pkg install nano")

Code: [Select]

mkdir /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
cd  /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist.conf
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist-local-additions.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-time-restricted.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-whitelist.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
chmod a+x generate-domains-blacklist.py

Now is a good time to edit the .conf file.

Code: [Select]

nano domains-blacklist.confRemove the hash symbol on the lists you want and comment out the ones you don't want, I added a few of my own at the end of the file, mostly facebook and microsoft domains.

Also edit domains-blacklist-local-additions.txt.

Code: [Select]

nano domains-blacklist-local-additions.txtI myself did not want to block *.local, *.localdomain or *.workgroup
so comment them out if you want to also.

Now to run the program

Code: [Select]

/usr/local/bin/python2.7 generate-domains-blacklist.py > dnscrypt-blacklist-domains.txt
Try it twice if it fails fetching a adblock list like it did to me.

If you succeed, go up a directory

Code: [Select]

cd ..and make another file that will point to your new blocklist

Code: [Select]

ln -s generate-domains-blacklists/dnscrypt-blacklist-domains.txt dnscrypt-blacklist-domains.txt
Lastly we need to edit the config file for dnscrypt and tell it about out blacklist

Code: [Select]

nano dnscrypt-proxy.toml
add this to the end -->

Code: [Select]

[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'
Go to the router's GUI  -->Services -->DnsCrypt-Proxy, and restart the service.
If it comes back up it should now be blocking those domains. If it doesn't, comment out the

Code: [Select]

blacklist_file = 'dnscrypt-blacklist-domains.txt in the .toml file and double check everything.

Hope this works for you. :-)

Edit: Important, the changes to the .toml file do not stick after you save from the GUI, so you need to edit

Code: [Select]

nano /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
add the blacklist section so it looks like this:

Code: [Select]

[static]

[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'

{% if helpers.exists('OPNsense.dnscryptproxy.server.servers.server') %}
{%   for server_list in helpers.toList('OPNsense.dnscryptproxy.server.servers.server') %}
{%     if server_list.enabled == '1' %}
  [static.'{{server_list.name}}']
  stamp = 'sdns://{{server_list.stamp}}'
{%     endif %}
{%   endfor %}
{% endif %}
Just below [static] but above the rest at the end.

Edit#2 Here is a tutorial I found to force DNSCrypt on all your clients https://forum.opnsense.org/index.php?topic=9245.0   Just remember to change 127.0.0.1 in the example to 127.0.0.2.

6

Tutorials and FAQs / Re: HOWTO - DNS Security / Unbound DNS with DNSCrypt, DoH Plugin for IPv4 + IPv6

« on: January 25, 2019, 04:23:02 am »

This is great! Many thanks to the dev mimugmail (m.muenz@gmail.com) and for the tutorial!
I had a little trouble with it not starting when I entered some dns servers in the list at https://dnscrypt.info/public-servers/
I ended up looking at the log located in

Code: [Select]

cat /var/log/dnscrypt-proxy/dnscrypt-proxy.log and choosing 3 of the resolvers that worked. I am wondering if one of the resolvers goes down, will this stop dnsproxy from starting at boot?

I went a different route from the tutorial in first post, I set up a Virtual IP in Firewall --> Virtual IP
I used: IP Alias | loopback | 127.0.0.2
Then configured the DNSCrypt plugin to use 127.0.0.2:53 (and deleted the default ones)
Lastly I headed over to  System --> Settings --> General and put 127.0.0.2 in the in the DNS Server box.

My test at https://www.dnsleaktest.com showed my dns queries are using dnscrypt. :-)

One feature request is to be able edit the verb for the log and also to show the log in the GUI.
Thanks again for this plugin!

7

18.7 Legacy Series / Re: [SOLVED] openvpn client-to-client tutorial/help needed

« on: January 03, 2019, 10:14:03 am »

Thanks Bart,
I struggled through it, got it done today.
Works grrreat! I used the tutorial https://backreference.org/2009/11/15/openvpn-and-iroute/, printed it out, studied it, scribbled on it and then deployed it.
It sorta makes sense to me and does indeed enable me to access my network from remote, even when my home network is behind carrier grade NAT.

Also thank opnsense devs for still including the scramble patch. :-)

8

18.7 Legacy Series / [SOLVED] openvpn client-to-client tutorial/help needed

« on: December 27, 2018, 07:28:11 am »

I have my ISP giving me carrier grade NAT. This broke my openvpn server running on my opnsense box.


So I changed the OpnSense from server to client and connect to a openvpn server with a static IP somewhere else.
I want to have my OpnSense LAN subnet connect as a client to a OpenVPN server that is running lets say in a VPS in some data center. I have client-to-client enabled in the server.conf in the VPS.  The connection from the VPS to my OpnSense client is already established. I just need help or suggestion as when another client connects to the openvpn server I can not ping any devices on my lan.

9

18.1 Legacy Series / [solved] Port Forwarding / troubleshooting with netcat

« on: June 07, 2018, 05:02:49 am »

 Hello,
I am trying to figure out where the trouble is at to get port forwarding to work. I have a ISP fiber GPON modem (Chinese, remotely administered) ,that I assume is in bridge mode, I had asked the ISP to change it bridge mode, they did this from their network, the WAN interface on my OpnSense 18.1 now does the PPPoE credentials. I am confused because the public IP addressed assigned to the WAN as reported by OpnSense is not the same as my IP as reported by the websites I visit.

So my question if anybody knows, when I type from the opnsense terminal # "nc -l WAN_IP_as_reported_by_opnsense 5061" it is listening on the WAN interface and I don't need to make rules and change some obscure settings around right?

I have been using a VPS to SSH into and then use netcat from that to see if the packets arrive to my WAN Interface of OpnSense. So far no luck, I don't know where the failure is at.

Edit: The port forwarding problem is due to Carrier Grade NAT, I think opnsense was listening on the WAN at port 5061 when I asked it to from the terminal.

10

Tutorials and FAQs / Re: Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 / 17.7 / 18.1 :-)

« on: February 05, 2018, 01:53:04 pm »

I noticed I did something wrong because dnscrypt-proxy does not start after reboot. I must type in "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol

/etc/rc.conf is root:wheel and not executable (I think that is correct)

If anybody else knows let me know :-) I may just use a cron job @reboot because my skills are poor.

Cake, did you read this post?

Thanks, It worked!
I did read your post, I must be getting a little alzheimer's. So I guess the tutorial on the first post is now a little wrong?  I'll try and edit it tomorrow, but it sounds like the whole thing may be out of date as w2712663 mentions there is a updated version. yay!
Thanks again.

11

Tutorials and FAQs / Re: Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 / 17.7 / 18.1 :-)

« on: February 01, 2018, 12:08:08 am »

I noticed I did something wrong because dnscrypt-proxy does not start after reboot. I must type in "service dnscrypt-proxy start" in the shell. Not sure what I did wrong. lol

/etc/rc.conf is root:wheel and not executable (I think that is correct)

If anybody else knows let me know :-) I may just use a cron job @reboot because my skills are poor.

Yes Franco a plugin would be nice. Cheers

12

Tutorials and FAQs / Re: Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 / 17.7 / 18.1 :-)

« on: January 31, 2018, 01:14:56 am »

Upgraded to 18.1 this morning.
The upgrade went fine, then after reboot no dns. (drill example.com)
Went to System --> Settings --> General and changed everything to 8.8.8.8 and 8.8.4.4 just for a while.
SSH into shell and checked ping and drill, working, followed from first post again.

Code: [Select]

mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.original
nano /usr/local/etc/rc.d/dnscrypt-proxy
And pasted this in again

Code: [Select]

#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str): Set to "dnscrypt_proxy" by default.
#  List of dnscrypt_proxy instance id's,
#  e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):  Set to NO by default.
#  Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):  Set to "_dnscrypt-proxy" by default.
#      User to switch to after starting.
# {instance_id}_resolver (str):  Set to "opendns" by default.
#      Choose a different upstream resolver.
# {instance_id}_pidfile (str):  default: "/var/run/dnscrypt-proxy.pid"
#      Location of pid file.
# {instance_id}_logfile (str):    default: "/var/log/dnscrypt-proxy.log"
#  Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy

load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
  name=${i}

  eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
  rcvar=${name}_enable

  load_rc_config ${i}

  eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
  eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
  eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
  eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

:  ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}  # User to run daemon as
:  ${dnscrypt_proxy_resolver_tmp:=opendns}  # resolver to use
:  ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
:  ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file

  command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

  pidfile=${dnscrypt_proxy_pidfile_tmp}

  _rc_restart_done=false # workaround for: service dnscrypt-proxy restart

  run_rc_command "$1"
done

Make it executable

Code: [Select]

chmod a+x /usr/local/etc/rc.d/dnscrypt-proxy
Update the resolver list with this new place on github

Code: [Select]

wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://github.com/dyne/dnscrypt-proxy/raw/master/dnscrypt-resolvers.csv
Change the resolvers to the one you want

Code: [Select]

nano /etc/rc.confMine looks like this:

Code: [Select]

ddclient_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="soltysiak"
dnscrypt_proxy_2_flags="-a 127.0.0.3:53 -l /var/log/"
dnscrypt_proxy_3_resolver="dnscrypt.eu-dk"
dnscrypt_proxy_3_flags="-a 127.0.0.4:53 -l /var/log/"Then start dnscrypt

Code: [Select]

service dnscrypt-proxy restart
Lastly I went back to System --> Settings --> General and changed the list back to 127.0.0.2 ; 127.0.0.3 and 127.0.0.4 for the WAN gateway.

Checked to make sure all is working with https://ipleak.net/

Big Thanx to the devs and the people making and improving opnsense.

13

17.7 Legacy Series / openvpn obfuscate

« on: August 09, 2017, 12:17:54 am »

Thanks devs for still including the scramble patch for openvpn. Still works great for client and server after updating to 17.7
 

(its not mentioned much, but I still use it)

To anybody wondering what I'm talking about, its a simple way to obfuscate openvpn traffic, otherwise I read openvpn traffic is easier to fingerprint from my understanding.

14

Tutorials and FAQs / Re: Multiple dnscrypt-proxy Opnsense 16.7 / 17.1 :-)

« on: August 06, 2017, 11:44:06 pm »

I just did a update from 17.1 to 17.7 as well. So far I had only minor trouble with update, I started the update from the GUI, and got held up on a r2 after it rebooted until I went and changed System-->Settings-->General--DNS to google's 8.8.8.8 from 127.0.0.1 ....... just temporarily.
Then I went back to firmware and tried again. I got to update to 17.7  , (I was stuck on a r2 update with a end of life message also was failing to check updates due to system dns set to 127.0.0.1 .....) After the final upgrade I changed  System-->Settings-->General--DNS back to 127.0.0.1, 127.0.0.2 and 127.0.0.3 (what I had earlier)

I thought I had nsookup and dig available, but I see there is  a tool I never used before in its place -> drill. I also had to re-paste from 1st post back into  /usr/local/etc/rc.d/dnscrypt-proxy and chmod a+x

After that it dnscrypt works like a charm again.

15

17.1 Legacy Series / [SOLVED] UPnP

« on: February 18, 2017, 02:43:17 am »

I am missing the UPnP in services. So in System-->Firmware--> Packages I see miniupnpd was already installed, So I tried to install in plugins --> os-upnp.
It installed and I rebooted, but dnscrypt-proxy no longer worked. (I am using multiple dnscrypt) dnscrypt-proxy would not start, and I could not find anything in the /var/log as to why (I tried to increase verb) - my skills are not that good. UPnP showed up in Services, just like some screen shots I have seen in other posts.

So I removed os-upnp, and after reboot. dnscrypt-proxy started automatically and works again, but Universal Plug and Play is missing in Services (GUI). I have a machine with Steam on it, and on several games the mutiplayer does not work, so I am guessing I need UPnP and allow that machine on the network to open ports? Just wondering if anyone else knows what I did wrong.