enable DOH/DOQ using Let's Encrypt certs out of the box

[OniriCorpe]

Problem

• for now, using the Let's Encrypt certificate for DOH/DOQ use is tedious
• port 53 is exposed on Internet by default, see #135

Solution

• implementing the @mh4ckt3mh4ckt1c4s's solution and some improvements
• apply the same logic as DoH/DoQ ports to port 53 (opened if it's the user's choice, else closed)

is someone OK to test this?

PR Status

• [x] Code finished and ready to be reviewed/tested
• [x] The fix/enhancement were manually tested (if applicable)

TODO

• [x] Test package itself
  • [x] scripts: all good
  • [x] Test the config panel
  • [x] enable/disable port 53 exposure
  • [x] enable/disable doh doq ports
  • [x] new password tool
• [x] Test DoH (reverse proxied by nginx)
• [x] WIP: Test DoT
• [x] WIP: Test DoQ
• [x] WIP: Docs
  • [x] Port 53 (to be rewritten as port 53 MUST be opened, see below)
  • [x] DoH & DoQ ports
  • [x] Explain how to filter requests using AGH's allowlist and CIDR (and maybe rate limiting)
  • [x] French translation
• [x] Remove public IPs of the config file in the port 53 is not exposed on Internet (else: crash)
  • [x] adapt opened ports according to user's choice
  • [x] declare needs_exposed_ports according to real user need (so the ynh diagnostic doesn't cry about ports not reachable on internet)
• [x] Add public IPs when port 53 is exposed

Current state

For the package

• all scripts are fully functional 🎉

For AdGuard Home itself

A screenshot of the AdGuard Home front-end, showing the "Encryption settings", with all things validated

• the AGH "Encryption settings" (where DoH / DoQ is activated) is fully configured and validated
• DoH: fully functional 🎉
• DoT: fully functional 🎉
• DoQ: fully functional 🎉
• classic DNS: fully functional 🎉

[OniriCorpe]

Eeeh that’s weird because yesterday I was debugging this shit using my old android phone and I checked this …

my instance is configured with: TLS: 853 QUIC: 784

with the same ports in the package settings and the app settings

DoT is working while I’m testing it with my PC, but the Android phone refuses it

[Thovi98]

Tried the upgrade yesterday, had the exaxt same issue as @tituspijean and after applying his suggestions it works! Android 12

Congrats and thanks for all your work here @OniriCorpe!

[OniriCorpe]

it's: weird 🙃

[Ddataa]

Thanks a lot for your work on this app OniriCorpe !!

I have tested in one server (local RPI) but still have to do in the main one (VPS exposed to internet)

"But since since YunoHost can't handle wildcard domain names" have you find out why and how ?

[OniriCorpe]

"But since since YunoHost can't handle wildcard domain names" have you find out why and how ?

I know it because I'm beginning to know the system pretty well And I'm also part of the core team ^w^

You can take a look at the corresponding issue here: https://github.com/YunoHost/issues/issues/2089

[Ddataa]

thanks for the details of the issue, I didnt mean more than that & I know how valuable you are to the community :)

[OniriCorpe]

it's: weird 🙃

i found why the Private DNS setting on Android was working on local but on another network....... it was because my whitelist only contained my local IP ranges lmao

it's working fine if i deactivate my allowlist!

[OniriCorpe]

i think the release is ready, at last to merge in testing branch ^w^

poke @Ddataa

it's lacking android docs and french translations but eh

[tituspijean]

@OniriCorpe if you wish I can add some docs for Android. ;)

Edit: Maybe it's not worth it, there's already an included guide in the app at __DOMAIN____PATH__/#guide

~~Edit²: I have just noticed that DoT requests appear to be coming from the router, not the actual client: (192.168.1.254 being my router)~~ that's normal, the wildcard domain thingy is needed :)

[OniriCorpe]

@OniriCorpe if you wish I can add some docs for Android. ;)

Edit: Maybe it's not worth it, there's already an included guide in the app at __DOMAIN____PATH__/#guide

maybe documenting this could be useful to permit the ClientID usage on Android ?

Intra adds DNS-over-HTTPS support to Android

[yunohost-bot]

:sunflower:

[OniriCorpe]

I have to fix the “upgrade from ancient version” bug

[yunohost-bot]

:sunflower:

[yunohost-bot]

:books: :bug: