
dnscrypt-asuswrt-installer's Introduction


This installer takes care of the problems that come with installing dnscrypt-proxy through Entware (or similar) and with setting up the various scripts that start dnscrypt-proxy, including the ntp issue. The only requirement is an Asus router flashed with the custom Asuswrt-Merlin firmware.

Requirements:

  • ARM based ASUS routers that use Asuswrt-Merlin Firmware
  • JFFS support and enabled
  • Service commands require Firmware version 384.11, or higher

Incompatibilities:

  • No known issue

Current features:

  • dnscrypt-proxy version 2 with ODoH, DoH, and DNSCrypt version 2 protocols, multiple resolvers, and other features
  • Running as nobody through nonroot binary (using --user requires change to passwd)
  • Support ARM based routers
  • Support OpenDNS dynamic IP update by entering your OpenDNS account information
  • Handling ntp update at router boot up by starting dnscrypt-proxy with cert_ignore_timestamp option
  • Redirect all DNS queries on your network to dnscrypt, if the user chooses to, using the DNS Filter option
  • Install haveged/rngd for better speed with dnscrypt and other cryptographic applications
  • Support various HW RNG such as TrueRNG (tested with v3), TrueRNGpro, OneRNG, EntropyKey
  • Ability to setup a swap file
  • Ability to setup timezone file (/etc/localtime) used by dnscrypt-proxy and other apps
  • Ability to reconfigure dnscrypt-proxy without reinstalling unlike previous installer for dnscrypt-proxy version 1.x.x
  • Ability to configure anonymized relay support per Dnscrypt server through menu option or Wildcard Relay Support to cover all dnscrypt servers when automatic is selected.
  • Support for NextDNS.io Account SDNS stamp as Static server.
  • Support for addition of multiple static servers using SDNS Stamp and Custom Server Naming that can be mixed with servers on the resolvers list.
  • Improved Installer/Update/Backup Functions.

Changelog:

https://github.com/thuantran/dnscrypt-asuswrt-installer/commits/master

Install/Update/Reconfig/Uninstall:

Run this command from an ssh shell and follow the prompts for dnscrypt-proxy version 2:

curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer; rm installer

Users can safely update from dnscrypt-proxy version 1 to version 2 with the above command.

If you want to use dnscrypt-proxy version 1, run this command:

curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/dnscrypt-proxy-v1/installer && sh installer dnscrypt-proxy-v1; rm installer
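Both commands above pass `-k` to curl, which turns off TLS certificate verification, and then run the downloaded file as the router's admin user. The following is an added example, not part of the project's installer: it downloads with verification on and runs the file only if its SHA-256 matches a value you recorded from a copy you reviewed. The function names and the placeholder hash are assumptions, and `sha256sum` and `mktemp` are assumed to be available on the router.

```shell
#!/bin/sh
# Added example: fetch the installer with certificate verification on,
# pin it to a known SHA-256, and only then execute it.

INSTALLER_URL="https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer"
# Placeholder: replace with the hash of a copy you have reviewed.
EXPECTED_SHA256="<sha256-of-reviewed-installer>"

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# check_pinned FILE EXPECTED -> 0 only if FILE exists, EXPECTED is a
# well-formed SHA-256 (64 hex characters) and the digests are equal
check_pinned() {
    [ -f "$1" ] || return 1
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*|"") return 1 ;;   # rejects the unfilled placeholder too
    esac
    [ "${#expected}" -eq 64 ] || return 1
    [ "$actual" = "$expected" ]
}

# fetch_and_run URL EXPECTED -> download, verify, run; non-zero on any failure
fetch_and_run() {
    tmp=$(mktemp) || return 1
    # No -k: curl stops if the server certificate cannot be verified.
    # -f: fail on HTTP errors instead of saving an error page as the script.
    if ! curl -fsSL -o "$tmp" "$1"; then
        echo "download failed (TLS or HTTP error)" >&2
        rm -f "$tmp"; return 1
    fi
    if ! check_pinned "$tmp" "$2"; then
        echo "installer hash mismatch, got: $(sha256_of "$tmp")" >&2
        rm -f "$tmp"; return 1
    fi
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# On the router, after filling in EXPECTED_SHA256:
#   fetch_and_run "$INSTALLER_URL" "$EXPECTED_SHA256"
```

If the router's curl cannot verify the certificate, download and review the file on another machine, copy it over, and use `check_pinned` on the copy before running it.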

Terminal commands for dnscrypt-proxy are:

/jffs/dnscrypt/manager {(dnscrypt-)?(start|stop)|restart|kill}

or (recommended commands)

service {(dnscrypt-)?(start|stop)|restart|kill}_dnscrypt-proxy

How to check if it works:

If you use OpenDNS, run this command on Windows cmd

nslookup -type=txt debug.opendns.com

You should see something like

"dnscrypt enabled (717473654A614970)"

in result.

Otherwise, run this command:

pidof dnscrypt-proxy

It returns a number (the process ID) when dnscrypt-proxy is running.

How to report issue:

I need the following directory and files:

/jffs/dnscrypt
/jffs/scripts/init-start
/jffs/scripts/dnsmasq.postconf
/jffs/scripts/services-stop
/jffs/scripts/service-event-end

One can use this command to create a tar archive of these files:

echo .config > exclude-files; tar -cvf dnscrypt.tar -X exclude-files /jffs/dnscrypt /jffs/scripts/init-start /jffs/scripts/dnsmasq.postconf /jffs/scripts/services-stop /jffs/scripts/service-event-end ; rm exclude-files

in the current directory, then send me the archive for debugging.

I also need the following information:

  • Which dns server you selected during dnscrypt installation
  • Which router you're using
  • Firmware and its version

How I made this:

Donate:

This script will always be open source and free to use under the GPL-3.0 License, but if you want to support future development you can do so by donating with PayPal or buying me a coffee.

dnscrypt-asuswrt-installer's People

Contributors

alessandro893, bergenteer, jumpsmm7, owine, thuantran


dnscrypt-asuswrt-installer's Issues

Add support for Tomato firmware

Hello, can you please add support for Tomato firmware? It has jffs too, but the start and init scripts are located in other places. Thanks.

dnscrypt-proxy failed to start

Hi. Thank you for the installer that brings dnscrypt-proxy v2 to asuswrt routers.
I've installed dnscrypt-proxy with your installer script on ASUSWRT-Merlin RT-N66U 380.69-2
Getting error

[FATAL] listen udp 127.0.0.1:65053: errno -9

And is it possible to install it to entware partition instead of jffs?

dnscrypt does not start on RT-AX58U + can't be uninstalled

Hi,

I installed dnscrypt on my RT-AX58U, but it does not start up and I can't uninstall it.
Since then my guest wifis with VPN (YazFi) are not working anymore :-/
Can you help me uninstall it manually?

Thanks!

Merlin 388.2_2
dnscrypt 2.4.8

Cloudflare 1.1.1.1 DNS over TLS

Hi

I just installed your script on my RT-3200 and everything installed without errors.
My problem now is that I can't get DNS over TLS to work when using 1.1.1.1 as a DNS server;
the communication is over port 53.
Cloudflare DNS over TLS

Nevertheless, awesome script and very easy to install!

dig google.com

; <<>> DiG 9.9.7-P3 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22250
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		216	IN	A	172.217.22.46

;; Query time: 4 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Jun 24 20:09:39 CEST 2018
;; MSG SIZE  rcvd: 55

RT-AC5300 Working!

Just wanted to say thanks to you for making this script :)
All working well so far with RT-AC5300.
Needed to reboot router for dnscrypt to become effective and then 'nslookup -type=txt debug.opendns.com' was working using opendns familyshield.

Sorry if posted in the wrong section, as I wasn't aware where to say thanks!

RT-AC86U: Binaries nonroot and haveged not working

Hi,
After installing dnscrypt on my RT-AC86U using your script I found myself in the same position as the SNBForum user Andy1932.

After doing some tests I found out that both the nonroot and haveged binaries don't work. When executing them individually the shell returns:

admin@RT-AC86U-6208:/jffs/dnscrypt# /jffs/dnscrypt/nonroot
-sh: /jffs/dnscrypt/nonroot: not found
admin@RT-AC86U-6208:/jffs/dnscrypt# /jffs/dnscrypt/haveged
-sh: /jffs/dnscrypt/haveged: not found

Which means that the start of dnscrypt, line 35 of the file manager, will always fail:

admin@RT-AC86U-6208:/jffs/dnscrypt# /jffs/dnscrypt/nonroot nobody /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml
-sh: /jffs/dnscrypt/nonroot: not found

And the same applies for the line 101 when executing haveged.

Note that the binaries are in the folder:

admin@RT-AC86U-6208:/jffs/dnscrypt# ls -l /jffs/dnscrypt
-rw-r--r--    1 admin    root           818 Feb 27 08:54 LICENSE
-rwxr-xr-x    1 admin    root       6547488 Feb 27 09:01 dnscrypt-proxy
-rw-r--r--    1 admin    root         10524 Mar  2 13:45 dnscrypt-proxy.toml
-rw-r--r--    1 admin    root           782 Feb 27 08:54 example-blacklist.txt
-rw-r--r--    1 admin    root           731 Feb 27 08:54 example-cloaking-rules.txt
-rw-r--r--    1 admin    root         10354 Feb 27 08:54 example-dnscrypt-proxy.toml
-rw-r--r--    1 admin    root           496 Feb 27 08:54 example-forwarding-rules.txt
-rwxr-xr-x    1 admin    root        109272 Mar  2 13:27 haveged
-rw-r--r--    1 admin    root          3453 Jan 24 06:55 localtime
-rwxr-xr-x    1 admin    root          3085 Mar  2 14:39 manager
-rwxr-xr-x    1 admin    root          3568 Mar  2 13:25 nonroot
-rw-r--r--    1 nobody   nobody       18658 Mar  2 13:25 public-resolvers.md
-rw-r--r--    1 nobody   nobody         307 Mar  2 13:25 public-resolvers.md.minisig

Temporarily, I've changed the manager script so dnscrypt is executed, but with admin privileges, making everything work as expected, but I'd like to run it with non-root privileges.

Thank you very much.

/opt partition support

Hi, would it be possible to change the installation path for /jffs to allow installation to /opt?
Thanks

Allow route relays for Anonymized and ODoH server routing

Allow route relays to route Anonymized and ODoH servers simultaneously

Enable cache for better latency.
512m

On dnscrypt-proxy.toml:

```toml
##################################
#        Global settings         #
##################################

dnscrypt_servers = true
doh_servers = false
odoh_servers = true
require_dnssec = false
require_nolog = true
require_nofilter = true

#########################
#        Servers        #
#########################

[sources]

# Allow all server and relay's

################################
#        Anonymized DNS        #
################################

[anonymized_dns]

routes = [
{ server_name='', via=[''] }
]
```

Error: Unable to detect the Internet!

When I try to install the script through amtm on the latest version of merlin on hardware gt-ax6000
I hit 1 to install
=> Do you want to install dnscrypt-proxy to /jffs? [y/n]: y

*** Error: Unable to detect the Internet!
Info: Operation aborted. You can quit or continue

Any ideas?

How do I disable DNSMasq cache and enable the Dnscrypt Cache instead?

First I wanted to thank you for this awesome piece of software you wrote. Setting up DNSCrypt on the router is super awesome.

What I wanted to do is to set up caching on the level of DNSCrypt and not on the level of DNSMasq. This is because I want to use the Cloaking feature extensively and constantly change or add new hosts.

Would appreciate if you could help me with this.

Haveged

How did you include haveged in your installer?

How does it interface with dnscrypt-proxy and other cryptographic applications?

Getting Bad Address on Downloading

Info: Downloading dnscrypt-proxy-linux_mipsle-2.0.3.tar.gz
installer: line 809: echo: Bad address
Info: Downloading public-resolvers.md
installer: line 809: echo: Bad address

doing fresh install.

on google dns 8.8.8.8/8.8.4.4 tried also on isp dns
rt-n66u
john's fork of merlin firmware
374.43_30E3j9527

DNSSEC should be validated by dnscrypt instead of dnsmasq

Hi,
I've found out that DNSSEC is being validated by dnsmasq (if enabled in the UI) instead of dnscrypt-proxy.
To change this behavior we have to append to dnsmasq.conf the option proxy-dnssec, to do that we edit the line 86 of the file manager like this:

append_on_demand /etc/dnsmasq.conf "no-resolv" "proxy-dnssec" "server=127.0.0.1#65053"

Then we have to disable DNSSEC in the UI to prevent it from adding the option dnssec to dnsmasq.conf:

LAN (Advanced Settings) → DHCP Server → DNS and WINS Server Setting → Enable DNSSEC support = No

And then we reboot the router.

I know that this proxy-dnssec option is not well known and does not appear in every manual but it's the way to take advantage of dnscrypt's full potential.

You can read about proxy-dnssec here and it's recommended in the Arch Wiki.
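A check for the end state this issue describes, as an added example that is not part of the original post or of the project's manager script: it reads a dnsmasq.conf and reports whether queries go only to the dnscrypt-proxy listener, whether `proxy-dnssec` is set, and whether dnsmasq's own `dnssec` option is still active. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dnsmasq.conf for the options discussed above.
UPSTREAM="server=127.0.0.1#65053"   # dnscrypt-proxy listener from this page

# active_lines FILE -> non-comment, non-empty lines with whitespace trimmed
active_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1"
}

# has_line FILE TEXT -> 0 if TEXT is an active line (exact, fixed-string match)
has_line() {
    active_lines "$1" | grep -Fxq -- "$2"
}

# audit_dnsmasq FILE -> one finding per line on stdout; returns 0 if clean
audit_dnsmasq() {
    conf=$1; problems=0
    for want in "$UPSTREAM" "no-resolv" "proxy-dnssec"; do
        if ! has_line "$conf" "$want"; then
            echo "MISSING  $want"
            problems=$((problems + 1))
        fi
    done
    # dnsmasq validating by itself is what the issue wants switched off.
    if has_line "$conf" "dnssec"; then
        echo "CONFLICT dnssec (dnsmasq validates itself; disable it in the UI)"
        problems=$((problems + 1))
    fi
    # Any other upstream lets queries leave without passing dnscrypt-proxy.
    extra=$(active_lines "$conf" | grep '^server=' | grep -Fxv -- "$UPSTREAM" || true)
    if [ -n "$extra" ]; then
        echo "EXTRA    $extra"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: DNSSEC enabled in the UI, manager line not yet edited.
write_sample_before() {
    cat > "$1" <<'EOF'
pid-file=/var/run/dnsmasq.pid
user=nobody
no-resolv
server=127.0.0.1#65053
dnssec
#proxy-dnssec
EOF
}

# Constructed sample: state after the change and the UI setting described above.
write_sample_after() {
    cat > "$1" <<'EOF'
pid-file=/var/run/dnsmasq.pid
user=nobody
no-resolv
proxy-dnssec
server=127.0.0.1#65053
EOF
}

# On the router:  audit_dnsmasq /etc/dnsmasq.conf
```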

Server criteria ignored?

While running the installer's configuration, I answered the following prompts accordingly:

Do you want to use DNS server over IPv6 (yes only if your connection has IPv6)? [y/n]: n
Choose how your DNS servers are selected: 1) Automatically
Use only servers that support the DNSCrypt protocol [y/n]: n
Use only servers that support the DNS-over-HTTPS protocol [y/n]: y
Use only servers that support DNSSEC [y/n]: y
Use only servers that do not log user's queries [y/n]: y
Use only servers that do not filter result [y/n]: y
Do you want to choose which servers to disable (this can be a long process)? [y/n]: y

Result: 175 servers listed, including IPv6, including filtering (against ads/malware/etc) enabled, including without DNSSEC, including DNSCrypt servers (not providing DoH).

I would have expected the list to ONLY include those that fulfill the criteria of being known to not filter anything at all, not log anything, provide DoH service with DNSSEC capability and to exclude all IPv6-servers.
I would also expect those answers to result in exclusion from the list those whose service is unknown, e.g. if they do not explicitly declare to not filter anything.
Deselecting DNSCrypt in the criteria above was done as a test for this GitHub issue, as I actually DO want those too, but whether I chose "yes" or "no" to that question, they always show up in the list.

This is on an RT-AC86U running Asuswrt-Merlin version 384.19 and "dnscrypt installer" version 2.1.7 (but also the previous version) as installed by amtm version 3.1.8.

$URL_ARCH is undefined

There are references to the URL_ARCH variable in the installer script however it is not defined.

I cannot install haveged through the script as it fails to download.

Running a RT-AX58U latest asuswrt-merlin firmware.

DNS leaks

I'm seeing my ISP (TWC) DNS servers along with the chosen DNScrypt server at https://www.dnsleaktest.com after reboots and a reinstall on an RT-AC88u. Can anyone else confirm?

dnscrypt-proxy 2 not support AC-66U

I downloaded from the dnscrypt-proxy 2 release download page,
but neither of the two versions works.

dnscrypt-proxy-linux_mips

admin@RT-AC66U-F2F0:/tmp/home/root# ./dnscrypt-proxy
./dnscrypt-proxy: line 1: syntax error: unexpected "("

dnscrypt-proxy-linux_mipsle

admin@RT-AC66U-F2F0:/tmp/home/root# ./dnscrypt-proxy
fatal error: runtime: out of memory

Following is my asus info:

admin@RT-AC66U-F2F0:/tmp/home/root# uname -a
Linux RT-AC66U-F2F0 2.6.22.19 #1 Sun Apr 8 14:05:29 EDT 2018 mips ASUSWRT-Merlin

admin@RT-AC66U-F2F0:/tmp/home/root# cat /proc/cpuinfo 
system type             : Broadcom BCM5300 chip rev 1
processor               : 0
cpu model               : MIPS 74K V4.9
BogoMIPS                : 299.82
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : no
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned_instructions  : 12485664
dcache hits             : 2147483648
dcache misses           : 0
icache hits             : 2147483648
icache misses           : 0
instructions            : 2147483648

admin@RT-AC66U-F2F0:/tmp/home/root# cat /proc/meminfo 
MemTotal:       239524 kB
MemFree:         78196 kB
Buffers:          7604 kB
Cached:         115352 kB
SwapCached:          0 kB
Active:          94416 kB
Inactive:        41392 kB
HighTotal:      131072 kB
HighFree:         7388 kB
LowTotal:       108452 kB
LowFree:         70808 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:       12860 kB
Mapped:           6832 kB
Slab:            16468 kB
SReclaimable:     2068 kB
SUnreclaim:      14400 kB
PageTables:        616 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:    119760 kB
Committed_AS:   105552 kB
VmallocTotal:  1015800 kB
VmallocUsed:      6428 kB
VmallocChunk:  1006964 kB

Script not starting at boot

Device: ASUS RT-AC87U
Firmware: Merlin 384.7_2
Debug: https://drive.google.com/open?id=1GWOPGPgAA8NOuxHz2UsRVIV_IEPBaOwR

I need to run the following scripts manually after a reboot, because the services aren't starting automatically:

jffs/scripts/dnsmasq.postconf
jffs/scripts/firewall-start
jffs/scripts/wan-start

Do I need to set settings like DNS and WINS Server Setting and/or WAN DNS Setting?

Thanks for providing this script, it works fine so far apart from the start on boot not working.

ASUS RT-AC87U, folder write-protected

Hi

Issue to install dnscrypt-asuswrt because a folder is write-protected (line 12).

USERNAME@RT-AC87U:/tmp/home/root#_ wget --no-check-certificate -O installer https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer
--2018-06-13 14:18:56-- https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer
Resolving raw.githubusercontent.com... 151.101.84.133
Connecting to raw.githubusercontent.com|151.101.84.133|:443... connected.
WARNING: cannot verify raw.githubusercontent.com's certificate, issued by '/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA':
Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: 28588 (28K) [text/plain]
Saving to: 'installer'

installer 100%[====================================>] 27.92K --.-KB/s in 0.01s

2018-06-13 14:18:57 (2.40 MB/s) - 'installer' saved [28588/28588]

installer: readonly: line 12: TARG_DIR: is read only
USERNAME@RT-AC87U:/tmp/home/root#

---> I try to install on a ASUS RT-AC87U (firmware Version 3.0.0.4.382.50010 (2018/01/25)). Use Cloudflare DNS (and want to use DNS over HTTPS (DoH)).

Compatibility problem as PiHole resolver

(original author no longer maintains it_@thuantran_) hi and thanks for your installer
I'm using Dnscrypt-proxy in my Asus router as DNS resolver for PiHole running on a Raspberry Pi in the LAN.
Every device in my LAN should point to PiHole IP as its DNS server.

I achieve that the following way

  1. DHCP options, DNS servers 1 & 2 set to PiHole IP
  2. "Advertise router's IP in addition to user-specified DNS" disabled
  3. WAN DNS1 to PiHole IP, WAN DNS2 blank
  4. DNS filter set to PiHole IP for any device that ignores DHCP DNS (eg Google Home devices use hardcoded Google DNS servers)
  5. DNS filter off for PiHole Device so it can resolve dns queries using dnscrypt proxy running on the Asus router.

This way PiHole shows me precise statistics for every "DHCP compliant" device, with the minor inconvenience that any device that ignores DHCP DNS is shown as the router IP due to the fact that the query is redirected by DNS filter.

The problem is that your script resets DHCP DNS1, DHCP DNS2 and enables "Advertise router's IP in addition to user-specified DNS"
in installer#L183-185

I think this behavior should be optional, user selectable with an option during the installation process.

Do you think it can be possible?

For the moment I solved my issue by commenting out those lines and everything works as expected.

No Available DNS servers.

I have an RT-N66W running Merlin 380.70

Version 2 failed and said "Unsupported Platform". Version 1 stops at "Choose a DNS server" without listing any options:

admin@router:/jffs/dns_over_https# sh installer dnscrypt-proxy-v1
 Info:  Detected MIPSEL architecture.
 Info:  JFFS custom scripts and configs are already enabled
 Info:  Choose what you want to do:
  1) Install dnscrypt and (P)RNG
  2) Install (P)RNG only
 =>  Please enter the number designates your selection or any other key to exit: 1
 Info:  This operation will install dnscrypt-proxy and related files (<1MB)
 Info:  to jffs, no other data will be changed.
 Info:  Also some start scripts will be installed/modified as required.

 =>  Do you want to install dnscrypt-proxy to /jffs [y/n]: y
 Info:  Downloading dnscrypt-resolvers.csv
 Info:  manager is up to date. Skipping...
 Info:  dnscrypt-proxy is up to date. Skipping...
 Info:  nonroot is up to date. Skipping...
 Info:  dnsmasq.postconf file already configured
 Info:  wan-start file already configured
 Info:  Available DNS servers: 
 =>  Please choose DNS server
[1-0]: 1
 *** Error:  Chosen DNS server number is not in range! Retrying...
 =>  Please choose DNS server
[1-0]: 0
 *** Error:  Chosen DNS server number is not in range! Retrying...
 =>  Please choose DNS server
[1-0]: 
admin@router:/jffs/dns_over_https# 

I see that /jffs/dnscrypt/dnscrypt-resolvers.csv is an empty file, so that seems to be the problem:

dnscrypt-resolvers.csv.gz
