Topics - cake

#1
General Discussion / Suggestion --> Latency
May 08, 2025, 05:42:07 AM
I may have suggested this a couple years back but thought I might suggest again.
There was a feature I used a long time ago, I think it was dd-wrt on a 54gl router, that would introduce latency to some devices at a certain time. It wasn't in the GUI, but a script. Why, you might ask? It's real handy as a parental control to reduce PvP gaming if you use it with a set time, like add 2000ms from 1am to 7am. This could be added to the 'shaper' section in firewall. I think this can be done in FreeBSD with a package called dummynet and in Linux with tc. There is probably close to 0% interest in this feature but if it's easy to add, why not.
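The mechanism the post describes, as an added example that is not part of the post and not OPNsense's own shaper code: a cron-driven script that uses FreeBSD dummynet pipes (the same ipfw/dummynet machinery the OPNsense shaper drives) to add a fixed delay to one host during a time window. The target host, delay, window hours, pipe and rule numbers are hypothetical; set IPFW=echo to see the ipfw commands without running them.

```shell
#!/bin/sh
# Added example, not code from the post or from OPNsense: add fixed latency to one
# LAN host during a time window, using dummynet(4) pipes via ipfw. Target host,
# window, pipe and rule numbers are hypothetical. Meant to run from cron every
# hour; it is idempotent, so repeated runs are safe. Needs the dummynet module.

IPFW="${IPFW:-/sbin/ipfw}"            # set IPFW=echo to only print the commands
TARGET="${TARGET:-192.168.44.50}"     # hypothetical: the gaming machine
DELAY_MS="${DELAY_MS:-2000}"
START_H="${START_H:-1}"               # window starts at 01:00 ...
END_H="${END_H:-7}"                   # ... and ends at 07:00 (exclusive)
PIPE=10
RULE=10000

# in_window HOUR START END: succeed when HOUR is inside [START, END);
# also handles windows that wrap past midnight, e.g. 22 -> 6.
in_window() {
  h=$1; s=$2; e=$3
  if [ "$s" -lt "$e" ]; then
    [ "$h" -ge "$s" ] && [ "$h" -lt "$e" ]
  else
    [ "$h" -ge "$s" ] || [ "$h" -lt "$e" ]
  fi
}

# rules_on: create the delay pipe and send the host's traffic both ways through it
rules_on() {
  echo "pipe $PIPE config delay ${DELAY_MS}ms"
  echo "add $RULE pipe $PIPE ip from $TARGET to any"
  echo "add $((RULE + 1)) pipe $PIPE ip from any to $TARGET"
}

# rules_off: remove the rules and the pipe again
rules_off() {
  echo "delete $RULE"
  echo "delete $((RULE + 1))"
  echo "pipe $PIPE delete"
}

# run_ipfw: feed one ipfw command per line to ipfw; failures (e.g. deleting a
# rule that does not exist yet) are ignored so the script stays idempotent
run_ipfw() {
  while read -r line; do
    # word splitting of $line into ipfw arguments is intended
    $IPFW -q $line 2>/dev/null || true
  done
}

# apply [HOUR]: tear down any previous rules, then install them if inside the window
apply() {
  hour=${1:-$(date +%H)}
  hour=${hour#0}; [ -n "$hour" ] || hour=0     # "08" -> 8, "00" -> 0
  rules_off | run_ipfw
  if in_window "$hour" "$START_H" "$END_H"; then
    rules_on | run_ipfw
    echo "latency of ${DELAY_MS}ms active for $TARGET (hour $hour)"
  else
    echo "no latency for $TARGET (hour $hour)"
  fi
}

apply "$@"
```

A hypothetical cron line such as `0 * * * * /usr/local/bin/pvp-delay.sh` is enough, since every run first removes the rules and only re-adds them inside the window. Caveat: OPNsense regenerates its own ipfw rule set when the shaper or captive portal is reconfigured, so hand-added rules like these do not survive that; this shows the mechanism the post asks for, not a supported configuration.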
#2
Hardware and Performance / Normal for me to run hot? 90C
December 04, 2024, 09:30:47 AM
I was installing an IP camera today with 1920*1080p. I had 3 streams running from one PoE switch to OPNsense and back on a different switch. My router, which is a mini PC from China --> Intel N5105 @ 2.00GHz (4 cores, 4 threads), usually runs hot, around 65-70C, but it was holding steady at 90C until I shut those streams down. I put an infrared temp probe on the fanless router (black fins) and it said 50C. My equipment sits in a fanless small rack box. Watching top, the CPU sits at 1% with spikes to 9% once in a while.

I think I need to do something. Should I throttle the cpu way down? Check the thermal paste and connection? buy a usb fan?
I usually get nervous at 85C, but for it to peg out so near to T junction has me worried. Maybe there is some setting/operation that OPNsense doesn't need to do when traffic wants to go to different switches (subnets) on my LAN.
#3
I have a Chinese board with 4 Ethernet ports and an Intel J1900. If I buy another mini PC with 4 ports, can I load the config file from the old one? How similar does the hardware need to be?

Thanks
#4
23.7 Legacy Series / Single User Mode
August 31, 2023, 03:39:27 AM
I'm trying to talk a family member through reinstalling OPNsense remotely. It's not going well.

How do you get into single user mode? I'm not getting a command prompt. Nothing that says login. Ctrl + Alt + F1 or F2 does nothing too (sometimes that works in Linux), just messages printed to screen (screenshot). This is the 23.1 version.
Spacebar works to pause.

Also tried to install with a fresh 23.7 vga img file, copied to a thumb drive with dd; the installer does not see the SSD drive when logging in via ssh installer@192.168.1.1, it just shows the USB thumb drive. This is the second day of messing around for a couple hours. My device is a Qotom J1900 box.

Maybe the ssd is broken?
#5
I keep getting this in the log when updating. I'm updating over WireGuard remotely and don't want to brick it.
Anyone know what I should do? I am trying to fix another problem I am having but thought I would update first.

***GOT REQUEST TO UPDATE***
Currently running OPNsense 23.1.5_4 at Sun Jun 25 22:36:17 +07 2023
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (56 candidates): .......... done
Processing candidates (56 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 59 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
easy-rsa: 3.1.5
pkcs11-helper: 1.29.0
py39-tzdata: 2023.3_1

Installed packages to be UPGRADED:
ca_root_nss: 3.89 -> 3.89.1
curl: 7.88.1 -> 8.1.2
dhcp6c: 20200512_1 -> 20230530
glib: 2.76.1,2 -> 2.76.3,2
ifinfo: 13.0 -> 13.0_1
krb5: 1.20.1 -> 1.21
libnghttp2: 1.52.0 -> 1.53.0
libpsl: 0.21.2_2 -> 0.21.2_3
libxml2: 2.10.3_1 -> 2.10.4
lighttpd: 1.4.69 -> 1.4.71
mpd5: 5.9_13 -> 5.9_16
nettle: 3.8.1 -> 3.9.1
nss: 3.89 -> 3.90
ntp: 4.2.8p15_5 -> 4.2.8p17
openssh-portable: 9.2.p1,1 -> 9.3.p1,1
openvpn: 2.5.8 -> 2.6.5
opnsense: 23.1.5_4 -> 23.1.10_1
opnsense-update: 23.1.5 -> 23.1.8_2
os-dnscrypt-proxy: 1.12_1 -> 1.13_1
pftop: 0.8_2 -> 0.8_4
php81: 8.1.17 -> 8.1.20
php81-ctype: 8.1.17 -> 8.1.20
php81-curl: 8.1.17 -> 8.1.20
php81-dom: 8.1.17 -> 8.1.20
php81-filter: 8.1.17 -> 8.1.20
php81-gettext: 8.1.17 -> 8.1.20
php81-ldap: 8.1.17 -> 8.1.20
php81-mbstring: 8.1.17 -> 8.1.20
php81-pdo: 8.1.17 -> 8.1.20
php81-phalcon: 5.2.1 -> 5.2.2
php81-session: 8.1.17 -> 8.1.20
php81-simplexml: 8.1.17 -> 8.1.20
php81-sockets: 8.1.17 -> 8.1.20
php81-sqlite3: 8.1.17 -> 8.1.20
php81-xml: 8.1.17 -> 8.1.20
php81-zlib: 8.1.17 -> 8.1.20
py39-bottleneck: 1.3.6 -> 1.3.7_1
py39-certifi: 2022.12.7 -> 2023.5.7
py39-charset-normalizer: 3.0.1 -> 3.1.0
py39-cython: 0.29.33 -> 0.29.35
py39-dnspython: 2.2.1_1,1 -> 2.3.0,1
py39-idna: 3.4 -> 3.4_1
py39-markupsafe: 2.1.2 -> 2.1.3
py39-numexpr: 2.8.4 -> 2.8.4_1
py39-numpy: 1.24.1,1 -> 1.24.1_4,1
py39-pandas: 1.5.3,1 -> 2.0.2,1
py39-requests: 2.28.2 -> 2.31.0
py39-sqlite3: 3.9.16_7 -> 3.9.17_7
py39-ujson: 5.7.0 -> 5.8.0
py39-urllib3: 1.26.14,1 -> 1.26.16,1
python39: 3.9.16_2 -> 3.9.17
sqlite3: 3.41.0_1,1 -> 3.42.0,1
squid: 5.8 -> 5.9
strongswan: 5.9.10_1 -> 5.9.10_2
suricata: 6.0.9_1 -> 6.0.13
syslog-ng: 3.38.1 -> 4.2.0

Number of packages to be installed: 3
Number of packages to be upgraded: 56

The process will require 6 MiB more space.
[1/59] Upgrading python39 from 3.9.16_2 to 3.9.17...
[1/59] Extracting python39-3.9.17: .......... done
python39-3.9.16_2: missing file /usr/local/lib/python3.9/ensurepip/_bundled/pip-22.0.4-py3-none-any.whl
python39-3.9.16_2: missing file /usr/local/lib/python3.9/lib2to3/Grammar3.9.16.final.0.pickle
python39-3.9.16_2: missing file /usr/local/lib/python3.9/lib2to3/PatternGrammar3.9.16.final.0.pickle
python39-3.9.16_2: missing file /usr/local/share/licenses/python39-3.9.16_2/LICENSE
python39-3.9.16_2: missing file /usr/local/share/licenses/python39-3.9.16_2/PSFL
python39-3.9.16_2: missing file /usr/local/share/licenses/python39-3.9.16_2/catalog.mk
pkg-static: Fail to rename /usr/local/lib/python3.9/test/test_tools/__pycache__/.pkgtemp.test_lll.cpython-39.opt-1.pyc.dRm2Lr8DrAGh -> /usr/local/lib/python3.9/test/test_tools/__pycache__/test_lll.cpython-39.opt-1.pyc:Invalid argument
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***
#6
Been pulling my hair trying to figure out why my test phone is getting dns after I blocked port 53 completely.
Turns out it has a setting "Private DNS" that activates itself once in a while.

Does anyone know if there is a GitHub list that publishes known IP addresses that run DNS over HTTPS?

I want my dnscrypt to handle all dns queries, port forward anything on 53 to 5353. Unbound is doing this and port forwarding is also sending port 53 traffic to dnscrypt. My problem is that google and other data mining companies are running https dns resolvers. Firefox and other browsers are defaulting to using this and sending the dns to their buddies resolvers. I want to block these devices on my network that are bypassing my dns settings.

Sorry if this is hard to follow. I keep getting browser updates on computers and the updates change settings that I previously set. They are bypassing my DNS even though I block outbound port 53 and port forward 53 to 5353 where dnscrypt is listening. Let's just say I don't think mozzarella, khrome, or edge is on my side and I don't want them getting a list of DNS lookups from my network. Someone must have a list like the no-ads ones on GitHub.
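The enforcement the post is after (redirect plain DNS to the local resolver, block DNS over TLS on its own port, block HTTPS to known DoH resolver addresses), as an added example that is not part of the post and not OPNsense's own code. OPNsense writes pf.conf itself, so on the box these end up as a URL-table alias plus NAT and firewall rules in the GUI; the script validates a resolver address list into a pf table file and prints the equivalent pf rules so the intent can be checked. The interface name, resolver address, table path and the resolver list are assumptions; the list is a constructed sample, not a curated feed.

```shell
#!/bin/sh
# Added example, not code from the post or from OPNsense: clean a list of
# DNS-over-HTTPS resolver addresses into a pf table and print the pf rules that
# force LAN clients through the local resolver. Interface, resolver address,
# table path and the sample list are assumptions.

LAN_IF="${LAN_IF:-igb1}"
RESOLVER="${RESOLVER:-127.0.0.2}"                     # where dnscrypt-proxy listens
TABLE_FILE="${TABLE_FILE:-/var/db/doh_resolvers.txt}"

# valid_ip4 ADDR[/PREFIX]: succeed for a well-formed IPv4 address or CIDR block
valid_ip4() {
  addr=${1%/*}
  pfx=${1#*/}
  if [ "$pfx" = "$1" ]; then pfx=32; fi          # no "/": a single host
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# normalize_ips FILE...: strip comments and whitespace, drop invalid entries, dedupe
normalize_ips() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' "$@" | LC_ALL=C sort -u | while read -r e; do
    [ -n "$e" ] || continue
    if valid_ip4 "$e"; then
      echo "$e"
    else
      echo "skipping invalid entry: $e" >&2
    fi
  done
}

# install_table FILE...: write the cleaned list and load it into the running pf table
install_table() {
  normalize_ips "$@" > "$TABLE_FILE"
  pfctl -t doh_resolvers -T replace -f "$TABLE_FILE"
}

# render_rules: pf rule fragment equivalent to the GUI configuration
render_rules() {
  cat <<EOF
table <doh_resolvers> persist file "$TABLE_FILE"
# plain DNS: whatever server the client asked for, answer from the local resolver
rdr pass on $LAN_IF inet proto { tcp udp } from $LAN_IF:network to ! ($LAN_IF) port 53 -> $RESOLVER port 53
# DNS over TLS has its own port and can simply be blocked
block return in quick on $LAN_IF inet proto tcp from $LAN_IF:network to any port 853
# DNS over HTTPS shares 443 with the web, so only known resolver addresses can be blocked
block return in quick on $LAN_IF inet proto { tcp udp } from $LAN_IF:network to <doh_resolvers> port 443
EOF
}

# write_sample_list: constructed input using documentation ranges, not a real feed
write_sample_list() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample of DoH resolver addresses, not a real feed
203.0.113.10
203.0.113.10          # duplicate, collapsed by sort -u
198.51.100.0/24
doh.example           # hostnames are not accepted: resolve them before adding
256.1.1.1             # invalid octet, rejected
EOF
  echo "$f"
}

# With file arguments: print the cleaned list (use install_table to load it into pf).
# Without arguments: run on the constructed sample and print the rules.
if [ $# -gt 0 ]; then
  normalize_ips "$@"
else
  sample=$(write_sample_list)
  normalize_ips "$sample"
  rm -f "$sample"
  render_rules
fi
```

The 853 block and the 443 table only catch the resolvers you know about; a client that reaches an unlisted DoH endpoint on 443 still bypasses you, which is why the list needs refreshing and why the port 53 redirect alone is not enough.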
#7
I am using opnsense wireguard as a peer but,

What I can't figure out is getting clients/peers such as phones connected to 10.8.0.0/24 to talk to 192.168.44.0/24.

wg0 on opnsense is peer assigned 10.8.0.7, behind that is the LAN 192.168.44.0/24, but I can not ping anything there.

I can not get the two subnets to talk to each other. Suggestions, please?

wireguard is connected and there is a tiny bit of traffic.
#8
20.1 Legacy Series / Help me with DHCPv4
April 17, 2020, 03:33:44 AM
I have had this problem since before the update, maybe even back to v18.
- I have DHCPv4 enabled on LAN2 interface. (This is on every interface but just using LAN2 as example)
- LAN2 subnet is 192.168.44.0
- The dhcp available scope is 192.168.44.5 - 192.168.44.199
- I have been using static ARP outside this range to get my devices network connection to work.
- If I set the device to automatic/DHCP it gets an IP inside the scope, a gateway and a DNS address; all seems normal to me.

However the device can not ping the interface/gateway at 192.168.44.1, can not ping internet addresses such as 8.8.8.8 and shows up in the DHCPv4 leases as the device being offline. As mentioned I need to give the device a static IP outside the scope for internet to work. The firewall live view does not show anything (no ICMP attempts).
#9
I am trying to figure out the stability for dnscrypt_proxy plugin and I see this in the dnscrypt_proxy log [2019-04-23 13:29:05] [FATAL] listen udp 127.0.0.2:53: bind: address already in use

127.0.0.2 and 192.168.44.4 are virtual IPs (IP Alias).

The system log says it is sshd that is listening there, but it is not listed in the GUI (attached screenshot).

Here is my sshd_config file that I assume gets over written if changed.  /usr/local/etc/ssh/sshd_config

# This file was automatically generated by /usr/local/etc/inc/plugins.inc.d/openssh.inc
Port 22
Protocol 2
Compression yes
ClientAliveInterval 30
UseDNS no
X11Forwarding no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
AllowGroups wheel admins
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
HostKey /conf/sshd/ssh_host_rsa_key
HostKey /conf/sshd/ssh_host_ecdsa_key
HostKey /conf/sshd/ssh_host_ed25519_key
HostKey /conf/sshd/ssh_host_dsa_key
ListenAddress 10.8.1.2
ListenAddress 192.168.45.1
ListenAddress 192.168.44.1
ListenAddress 192.168.44.4
ListenAddress 127.0.0.1
ListenAddress 127.0.0.2
ListenAddress ::1

I would like to remove the virtual IP addresses. If I restart openssh, 127.0.0.2 and 192.168.44.4 re-appear even if removed or commented out. Any ideas?

Solved: I changed the listen port from 53 to 5353 on the dnscrypt listen addresses and it seems to work now.
#10
19.1 Legacy Series / problem updating
February 03, 2019, 08:55:23 AM
Just reporting I had to revert back to 18.7 from 19.1

Not sure where the problem was. My setup is DNSCrypt on 127.0.0.2:53, unbound listen on #53 and do-not-query-localhost: no

      forward-zone:
        name: "."
        forward-addr: 127.0.0.2@53


system dns setting is just 127.0.0.2

For firewall rules I have NAT Port Forward--> "LAN2    TCP/UDP    *    *    ! LAN2 address    53 (DNS)    127.0.0.2    53 (DNS)    DNS (KEEP AT TOP) " for all 3 interfaces.

Also I have for Virtual IP --> "127.0.0.2/32    Loopback    IP Alias    DNSCrypt "

This worked well on 18.7, forcing every client to use dnscrypt.
On 19.1 the GUI was locking up a little and it seems unbound was not getting a reply from dnscrypt. The dnscrypt log said it was listening where it should and could communicate upstream. All services were running. Maybe someone else has the same issues?
#11
Edit: This howto is obsolete since the latest plugin has added blocklists to the gui.

I got domain blocking to work with the new DNSCrypt package that has recently been added to OPNsense. Thanks mimugmail (m.muenz@gmail.com).

I may have done something incorrectly and poorly so please suggest a better way if you know one.

After you get dnscrypt up and running, and checked that it is working proceed to the shell.

(If you're missing nano or wget just type "pkg install wget" or "pkg install nano")


mkdir /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
cd  /usr/local/etc/dnscrypt-proxy/generate-domains-blacklists
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist.conf
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-blacklist-local-additions.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-time-restricted.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/domains-whitelist.txt
wget https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/utils/generate-domains-blacklists/generate-domains-blacklist.py
chmod a+x generate-domains-blacklist.py


Now is a good time to edit the .conf file.
nano domains-blacklist.conf
Remove the hash symbol on the lists you want and comment out the ones you don't want, I added a few of my own at the end of the file, mostly facebook and microsoft domains.

Also edit domains-blacklist-local-additions.txt.
nano domains-blacklist-local-additions.txt
I myself did not want to block *.local, *.localdomain or *.workgroup
so comment them out if you want to also.

Now to run the program
/usr/local/bin/python2.7 generate-domains-blacklist.py > dnscrypt-blacklist-domains.txt

Try it twice if it fails fetching an adblock list like it did to me.

If you succeed, go up a directory
cd ..
and make another file that will point to your new blocklist
ln -s generate-domains-blacklists/dnscrypt-blacklist-domains.txt dnscrypt-blacklist-domains.txt

Lastly we need to edit the config file for dnscrypt and tell it about our blacklist
nano dnscrypt-proxy.toml

add this to the end -->
[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'


Go to the router's GUI  -->Services -->DnsCrypt-Proxy, and restart the service.
If it comes back up it should now be blocking those domains. If it doesn't, comment out the blacklist_file = 'dnscrypt-blacklist-domains.txt' line in the .toml file and double check everything.

Hope this works for you. :-)

Edit: Important, the changes to the .toml file do not stick after you save from the GUI, so you need to edit nano /usr/local/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml

add the blacklist section so it looks like this:
[static]

[blacklist]
  blacklist_file = 'dnscrypt-blacklist-domains.txt'

{% if helpers.exists('OPNsense.dnscryptproxy.server.servers.server') %}
{%   for server_list in helpers.toList('OPNsense.dnscryptproxy.server.servers.server') %}
{%     if server_list.enabled == '1' %}
  [static.'{{server_list.name}}']
  stamp = 'sdns://{{server_list.stamp}}'
{%     endif %}
{%   endfor %}
{% endif %}
Just below [static] but above the rest at the end.

Edit#2 Here is a tutorial I found to force DNSCrypt on all your clients https://forum.opnsense.org/index.php?topic=9245.0   Just remember to change 127.0.0.1 in the example to 127.0.0.2.
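The merge step of the how-to above (several upstream lists turned into one file for `blacklist_file`), as an added example that is not part of the post and not the dnscrypt-proxy project's generate-domains-blacklist.py: it works offline on files already on disk, so it can be checked without fetching anything. Sources may be hosts-file style (`0.0.0.0 ads.example`) or plain domain lists. Comments, case, trailing dots and localhost entries are cleaned up, names on an allowlist are dropped, and a subdomain is dropped when its parent is already listed, since a plain `example.com` line in a dnscrypt-proxy blacklist also matches its subdomains. Wildcard patterns are not handled. The three input files written by write_samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the post or from the dnscrypt-proxy project: merge
# blocklist sources into one dnscrypt-proxy blacklist file, offline. The sample
# inputs written by write_samples are constructed, not real lists.

# normalize_list FILE...: one lowercase domain per line, junk removed
normalize_list() {
  awk '
    { sub(/#.*/, ""); gsub(/\r/, "") }          # comments and CRLF
    NF == 0 { next }
    # hosts-file lines carry the name in field 2, plain lists in field 1
    { d = (NF >= 2 && $1 ~ /^(0\.0\.0\.0|127\.0\.0\.1|::1?)$/) ? $2 : $1 }
    { d = tolower(d); sub(/\.$/, "", d) }
    d ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$/ { next }
    d !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/ { next }
    { print d }
  ' "$@"
}

# build_blacklist ALLOWFILE SRC...: merged, deduplicated, allowlisted, parent-collapsed
build_blacklist() {
  allow=$1; shift
  normalize_list "$@" | LC_ALL=C sort -u | awk -v allowfile="$allow" '
    BEGIN {
      while ((getline l < allowfile) > 0) {
        sub(/#.*/, "", l); gsub(/[ \t\r]/, "", l)
        if (l != "") allow[tolower(l)] = 1
      }
    }
    !($0 in allow) { seen[$0] = 1; order[++n] = $0 }
    END {
      for (k = 1; k <= n; k++) {
        d = order[k]; m = split(d, p, "."); covered = 0
        for (i = 2; i < m; i++) {                # every parent with >= 2 labels
          s = p[i]
          for (j = i + 1; j <= m; j++) s = s "." p[j]
          if (s in seen) { covered = 1; break }   # parent already blocks it
        }
        if (!covered) print d
      }
    }'
}

# write_samples: constructed sample inputs in a temporary directory; prints its path
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/hosts.txt" <<'EOF'
# constructed sample in hosts-file format
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.org   # mixed case, covered by example.org below
0.0.0.0 cdn.ads.example.net   # covered by ads.example.net
::1 ip6-localhost
EOF
  cat > "$dir/plain.txt" <<'EOF'
# constructed sample as a plain domain list
example.org
metrics.example.com
not a domain
EOF
  cat > "$dir/allow.txt" <<'EOF'
metrics.example.com   # keep this one reachable
EOF
  echo "$dir"
}

# Usage: build_blacklist allow.txt list1 list2 ... > dnscrypt-blacklist-domains.txt
# Without arguments, run on the constructed samples and print the result.
if [ $# -gt 1 ]; then
  build_blacklist "$@"
else
  dir=$(write_samples)
  build_blacklist "$dir/allow.txt" "$dir/hosts.txt" "$dir/plain.txt"
  rm -rf "$dir"
fi
```

On the constructed samples the result is just `ads.example.net` and `example.org`: the allowlisted name is gone, and the two subdomains are redundant once their parents are listed. The parent collapse is a size optimisation only; it changes nothing about what gets blocked.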
#12
I have my ISP giving me carrier grade NAT. This broke my openvpn server running on my opnsense box.


So I changed the OpnSense from server to client and connect to a openvpn server with a static IP somewhere else.
I want to have my OPNsense LAN subnet connect as a client to an OpenVPN server that is running, let's say, in a VPS in some data center. I have client-to-client enabled in the server.conf in the VPS. The connection from the VPS to my OPNsense client is already established. I just need help or suggestions: when another client connects to the OpenVPN server I can not ping any devices on my LAN.
#13
Hello,
I am trying to figure out where the trouble is at to get port forwarding to work. I have an ISP fiber GPON modem (Chinese, remotely administered), that I assume is in bridge mode; I had asked the ISP to change it to bridge mode, they did this from their network, and the WAN interface on my OPNsense 18.1 now does the PPPoE credentials. I am confused because the public IP address assigned to the WAN as reported by OPNsense is not the same as my IP as reported by the websites I visit.

So my question if anybody knows, when I type from the opnsense terminal # "nc -l WAN_IP_as_reported_by_opnsense 5061" it is listening on the WAN interface and I don't need to make rules and change some obscure settings around right?

I have been using a VPS to SSH into and then use netcat from that to see if the packets arrive to my WAN Interface of OpnSense. So far no luck, I don't know where the failure is at.

Edit: The port forwarding problem is due to Carrier Grade NAT, I think opnsense was listening on the WAN at port 5061 when I asked it to from the terminal.
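The check that settles the question in the post above (is the address on the WAN the one the internet sees, and if not, why), as an added example that is not part of the post and not OPNsense's own code. If the two differ and the WAN address is in 100.64.0.0/10 (the carrier-grade NAT range) or a private range, inbound port forwards on the firewall cannot work no matter how the rules look. The interface name and the URL used to learn the public address are assumptions; the offline classification and the constructed addresses in the demo need neither.

```shell
#!/bin/sh
# Added example, not code from the post or from OPNsense: classify the address the
# firewall got on its WAN and compare it with the address the outside world sees.
# WAN_IF and WHATISMYIP_URL are assumptions used only by live_check.

WAN_IF="${WAN_IF:-pppoe0}"
WHATISMYIP_URL="${WHATISMYIP_URL:-https://ifconfig.me/ip}"   # assumed service

# ip4_class ADDR: print loopback | private | cgnat | public (invalid -> status 1)
ip4_class() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || { echo invalid; return 1; }
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    [ "$o" -le 255 ] || { echo invalid; return 1; }
  done
  a=$1; b=$2
  if   [ "$a" -eq 127 ]; then echo loopback
  elif [ "$a" -eq 10 ]; then echo private
  elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private
  elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private
  elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat   # RFC 6598
  else echo public
  fi
}

# diagnose WAN_ADDR PUBLIC_ADDR: say whether inbound forwards can reach this box;
# status 0 only when the WAN address really is the public one
diagnose() {
  wan=$1; pub=$2
  cls=$(ip4_class "$wan") || { echo "cannot parse WAN address '$wan'"; return 2; }
  if [ "$wan" = "$pub" ]; then
    echo "direct: WAN $wan is the public address, port forwards can work"
    return 0
  fi
  case "$cls" in
    cgnat)   echo "CGNAT: WAN $wan is in 100.64.0.0/10, public side is $pub; inbound forwards cannot work" ;;
    private) echo "double NAT: WAN $wan is private, public side is $pub; forward on the upstream device too" ;;
    *)       echo "mismatch: WAN $wan is public but $pub is seen outside; check for a proxy or VPN" ;;
  esac
  return 1
}

# live_check: fetch both addresses on a FreeBSD box (needs network; not run offline)
live_check() {
  wan=$(ifconfig "$WAN_IF" inet | awk '/inet /{print $2; exit}')
  pub=$(fetch -qo - "$WHATISMYIP_URL" | tr -d '[:space:]')
  diagnose "$wan" "$pub"
}

# With two arguments, diagnose those; otherwise show the outcomes on constructed
# documentation-range addresses.
if [ $# -eq 2 ]; then
  diagnose "$1" "$2"
else
  diagnose 203.0.113.7 203.0.113.7
  diagnose 100.64.12.34 203.0.113.7 || true
  diagnose 192.168.0.2 203.0.113.7 || true
fi
```

The `nc -l WAN_IP 5061` test from the post only proves the firewall listens; it says nothing about whether packets from the internet reach it, which is exactly what the CGNAT case breaks.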
#14
17.7 Legacy Series / openvpn obfuscate
August 09, 2017, 12:17:54 AM
Thanks devs for still including the scramble patch for openvpn. Still works great for client and server after updating to 17.7
:)

(its not mentioned much, but I still use it)

To anybody wondering what I'm talking about, it's a simple way to obfuscate OpenVPN traffic; otherwise I read OpenVPN traffic is easier to fingerprint, from my understanding.
#15
17.1 Legacy Series / [SOLVED] UPnP
February 18, 2017, 02:43:17 AM
I am missing the UPnP in services. So in System-->Firmware--> Packages I see miniupnpd was already installed, So I tried to install in plugins --> os-upnp.
It installed and I rebooted, but dnscrypt-proxy no longer worked. (I am using multiple dnscrypt) dnscrypt-proxy would not start, and I could not find anything in the /var/log as to why (I tried to increase verb) - my skills are not that good. UPnP showed up in Services, just like some screen shots I have seen in other posts.

So I removed os-upnp, and after reboot dnscrypt-proxy started automatically and works again, but Universal Plug and Play is missing in Services (GUI). I have a machine with Steam on it, and on several games the multiplayer does not work, so I am guessing I need UPnP and to allow that machine on the network to open ports? Just wondering if anyone else knows what I did wrong.
#16
17.1 Legacy Series / [solved] OpenVPN selective routing
February 15, 2017, 09:24:07 AM
I had OpenVPN working previously, but have spent over a day on this without any luck.
I have the Qotom box with 4 Intel LANs. Not sure how I broke this, but I had 1 whole interface that was routed to OpenVPN (Client to Server) Opnsense was the client.

Well the client connects, however all interfaces are getting routed through the vpn. I have played quite a bit with NAT and Firewall rules, but I still may be missing something. I could post some screen shots if someone on here could help me get this sorted. This kinda stopped working around the time I updated to 17.1
#17
Development and Code Review / PHP errors [solved]
January 02, 2017, 03:48:57 AM
Was getting PHP errors.
Solved it. It was two extensions of the same, openssl and ldap, in /usr/local/etc/php/

Had the new separate extension files (ext-20-ldap.ini & ext-20-openssl.ini) plus the same listed in the file extensions.ini

Solved it by removing ext-20-ldap.ini    & ext-20-openssl.ini
No more errors in /tmp/PHP_errors.log

ref. https://forums.freebsd.org/threads/54980/

If anyone else has the same
#18
Here are some quick settings if you want DDNS but you are double NAT'd (for example you don't have access to the edge device, or it's missing dynamic DNS). The problem when you're double NAT'd is that your LAN address gets reported, e.g. 192.168.0.1. You can see the line "use=web" below; that's what is needed to get your public IP. Use ddclient to update DNS-O-MATIC. DNS-O-MATIC is like a middleman who then updates your other dynamic DNS services you are subscribed to. I couldn't find what I needed in the 16.7 DynDNS GUI, so I went with the following:

1) Make an account at DNS-O-MATIC

2) SSH into your Opnsense box
pkg install ddclient
pkg install nano


3) Edit the config file:
nano /usr/local/etc/ddclient.conf

Use your email address (not your login name for DNS-O-MATIC) for the conf file below. (important)
Here is my conf:
##
## DNS-O-Matic account-configuration
##
ssl=yes
daemon=300
use=web, web=myip.dnsomatic.com
server=updates.dnsomatic.com,      \
protocol=dyndns2,                  \
login=yourEMAILaddress,          \
password=yourPASS        \
all.dnsomatic.com


4) Edit rc.conf
nano /etc/rc.conf
add the line:
ddclient_enable="YES"

5) Test ddclient with:
ddclient -daemon=0 -debug -verbose -noquiet
6) Start the client with:
service ddclient start
You should be all set.

What took me the longest to figure out was to use my email instead of username. Hope this is helpful.
#19
Hello,
Not sure what I am doing wrong. I have 2 things setup, but can't get them to work together.

--First setup is Guest Network with Captive Portal--
I have followed tutorial "Set up a Guest Network"--> https://docs.opnsense.org/manual/how-tos/guestnet.html
Works great for the interface named GUESTNET which is an AP. Very nice.

--Second Setup (Captive Portal disabled) Sending GUESTNET traffic through OpenVPN Client (OVPNC1)--
I have the interface GUESTNET (AP) set up to go through the OVPNC1. That works great.

What am I doing wrong, because when I enable captive portal GUESTNET bypasses it. GUESTNET still uses the OVPNC1 interface, which is good.
If I change IPv4 * GUESTNET net * * * OVPNC1_VPNV4 to the example in the tutorial, Captive Portal works, but traffic is not sent out through VPN client anymore.



Any suggestions please?
#20
Hi I'm cake, I wanted multiple dnscrypt-proxy instances for reliability. I like dnscrypt because it eliminates your ISP from keeping a log of all your travels. Some of the dnscrypt providers are not 100 percent uptime, some discontinue, etc. This is for redundancy.  I don't take credit for any of the following, just gathering it all together in one spot for Opnsense 16.7.

So in the terminal-
pkg install dnscrypt-proxy
pkg install nano


I got this next script from https://forums.freebsd.org/threads/48250/
mv /usr/local/etc/rc.d/dnscrypt-proxy /usr/local/etc/rc.d/dnscrypt-proxy.original
nano /usr/local/etc/rc.d/dnscrypt-proxy


Paste this in: (credit to arabesc)
#!/bin/sh
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_instances (str): Set to "dnscrypt_proxy" by default.
#  List of dnscrypt_proxy instance id's,
#  e.g. "dnscrypt_proxy_1 dnscrypt_proxy_2", etc.
# {instance_id}_enable (bool):  Set to NO by default.
#  Set to YES to enable dnscrypt-proxy.
# {instance_id}_uid (str):  Set to "_dnscrypt-proxy" by default.
#      User to switch to after starting.
# {instance_id}_resolver (str):  Set to "opendns" by default.
#      Choose a different upstream resolver.
# {instance_id}_pidfile (str):  default: "/var/run/dnscrypt-proxy.pid"
#      Location of pid file.
# {instance_id}_logfile (str):    default: "/var/log/dnscrypt-proxy.log"
#  Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy

load_rc_config ${name}

: ${dnscrypt_proxy_instances="${name}"}
: ${dnscrypt_proxy_enable:=NO}

dnscrypt_proxy_enable_tmp=${dnscrypt_proxy_enable}

command=/usr/local/sbin/dnscrypt-proxy
procname=/usr/local/sbin/dnscrypt-proxy

for i in $dnscrypt_proxy_instances; do
  name=${i}

  eval ${name}_enable=${dnscrypt_proxy_enable_tmp}
  rcvar=${name}_enable

  load_rc_config ${i}

  eval dnscrypt_proxy_uid_tmp=\${${i}_uid}
  eval dnscrypt_proxy_resolver_tmp=\${${i}_resolver}
  eval dnscrypt_proxy_pidfile_tmp=\${${i}_pidfile}
  eval dnscrypt_proxy_logfile_tmp=\${${i}_logfile}

:  ${dnscrypt_proxy_uid_tmp:=_dnscrypt-proxy}  # User to run daemon as
:  ${dnscrypt_proxy_resolver_tmp:=opendns}  # resolver to use
:  ${dnscrypt_proxy_pidfile_tmp:=/var/run/${i}.pid} # Path to pid file
:  ${dnscrypt_proxy_logfile_tmp:=/var/log/${i}.log} # Path to log file

  command_args="-d -p ${dnscrypt_proxy_pidfile_tmp} -l ${dnscrypt_proxy_logfile_tmp} -u ${dnscrypt_proxy_uid_tmp} -R ${dnscrypt_proxy_resolver_tmp}"

  pidfile=${dnscrypt_proxy_pidfile_tmp}

  _rc_restart_done=false # workaround for: service dnscrypt-proxy restart

  run_rc_command "$1"
done


Make it executable:
chmod a+x /usr/local/etc/rc.d/dnscrypt-proxy

Next:
nano /etc/rc.conf

Here is mine as a example: (see next post down for a better way)
##  Use other method instead of lo0 alias  ##
##  ifconfig lo0 alias 127.0.0.2/32  ##
##  ifconfig lo0 alias 127.0.0.3/32  ##
##  ifconfig lo0 alias 127.0.0.4/32  ##

dnscrypt_proxy_enable="YES"

dnscrypt_proxy_instances="dnscrypt_proxy_1 dnscrypt_proxy_2 dnscrypt_proxy_3"
dnscrypt_proxy_1_resolver="ipredator"
dnscrypt_proxy_1_flags="-a 127.0.0.2:53 -l /var/log/"
dnscrypt_proxy_2_resolver="dnscrypt.eu-dk"
dnscrypt_proxy_2_flags="-a 127.0.0.3:53 -l /var/log/"
dnscrypt_proxy_3_resolver="d0wn-lu-ns1"
dnscrypt_proxy_3_flags="-a 127.0.0.4:53 -l /var/log/"


You can change the resolvers to whatever you want that is listed in:  /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
If you want the latest list:
pkg install wget
wget -O /usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv

You might be able to leave out the unbound enable line, since it doesn't appear to be needed or is running.

In OpnSense GUI, go to Services-->DNS Forwarder
Enable it, set it to port 53. Specify the interface(s) and set it to strict. Also for testing uncheck Query DNS servers sequentially

EDIT:Use geofflowemn's advice instead of my commented out stuff above (ifconfig...)- go to the GUI - Firewall-->Virtual IP's--->Settings and add:

Virtual IP address    Interface    Type    Description
127.0.0.2/32              LocalHost        IP Alias    dnscrypt-proxy
127.0.0.3/32              LocalHost        IP Alias    dnscrypt-proxy
127.0.0.4/32              LocalHost        IP Alias    dnscrypt-proxy 

EDIT: fix typo, (thanks geofflowemn)

Next go to System-->Settings--->General---> Specify the DNS servers as 127.0.0.2, 127.0.0.3 and 127.0.0.4
I checked "Do not use the DNS Forwarder as a DNS server for the firewall" and unchecked "Allow DNS server list to be overridden by DHCP/PPP on WAN". I did not specify any dns servers in the dhcp section of services.

To test/start type: service dnscrypt-proxy start (it should load when system boots from now on)
Couple of good websites to test if its working:
https://www.perfect-privacy.com/dns-leaktest/
https://ipleak.net/

When testing: make sure you disable your browser DNS caching; also if you're in Linux the command sudo resolvconf -u helps when troubleshooting using dig, nslookup, etc. Hope I didn't forget any other tidbits, and your system reboots using your new dnscrypt-proxy settings without any more user input.

Hope this gathering of info from several places has helped someone else achieve their goal. There is a nice tutorial on using unbound to cache queries for speed. https://blog.ipredator.se/freebsd-dnscrypt-howto.html

It would be a great feature to add this to the GUI in the future!
Edit: Add IP of LAN interface to: Services-->DHCP-->Server--->select interface-->DNS servers
Edit: Fixed some errors (spelling), added some extra. I noticed I messed up my configuration royally and when loading a older saved configuration dnscrypt-proxy gets wiped out (it didn't save my dnscrypt configuration). Had to start from scratch. Noticed a couple omissions in this post. :-0