OpenVPN and Dnscrypt-proxy

SquirrelCoder commented 8 years ago

Hello,

Thank you for this awesome script, it does work great on Ubuntu 14.04 however I am trying to force my OpenVPN clients to use dnscrypt-proxy as their DNS resolver too, but this doesn't work. I have put the two DNS addresses (127.0.0.1 & 127.0.0.2) under "VPN Settings" in OpenVPN Access Server admin page, but now it doesn't open any page, the error is "dns_probe_finished_nxdomain"

whenever I run the command "tail -n 200 /var/log/syslog" the output is:

Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Starting dnscrypt-proxy 1.6.1 Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Ephemeral keys enabled - generating a new seed Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Done Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Server certificate #808464433 received Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: This certificate is valid Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10] Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Server key fingerprint is E7AC:5C21:A4E6:6A90:B254:DD73:5229:3BA1:5BE9:8EB3:4E8F:E538:52DE:A2FB:DDB6:1357 Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Proxying from 127.0.0.2:53 to 176.56.237.171:443 Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: Server certificate #808464433 received Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: This certificate is valid Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10] Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: Server key fingerprint is 164E:1AD6:4356:777D:2019:F2F9:D389:2DDB:BC75:8AF0:9172:8E0C:A874:10C7:3BE8:423B Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: Proxying from 127.0.0.1:53 to 77.66.84.233:443 Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: Refetching server certificates Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: Server certificate #808464433 received Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: This certificate is valid Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10] Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: Server key fingerprint is E7AC:5C21:A4E6:6A90:B254:DD73:5229:3BA1:5BE9:8EB3:4E8F:E538:52DE:A2FB:DDB6:1357

and this is my /etc/resolv.conf output: nameserver 127.0.0.1 nameserver 127.0.0.2 nameserver 8.8.8.8 nameserver 8.8.4.4

so it does look good, right? Don't know what to do :(

simonclausen commented 8 years ago

When you tell OpenVPN to push 127.0.0.1 and 127.0.0.2 as DNS resolvers to your clients, they will try to connect to those IPs when doing DNS lookups.

As they are localhost addresses the lookups will be unsuccessful, unless your clients happen to have a DNS server running locally.

What you need to do is make sure that dnscrypt-proxy is listening on the VPN IP of the server and direct clients to use this.

SquirrelCoder commented 8 years ago

hmm... you are right Sir, could you please guide me how to do this (make dnscrypt-proxy listen to the VPN IP)? for example my VPS static IP is: 10.20.30.40. Unfortunately I couldn't find any tutorial on the Internet :(

Thanks a lot Sir

simonclausen commented 8 years ago

Edit the init script or systemd files to make dnscrypt listen on the IP you want. Alternatively set up BIND, unbound or some other DNS server as a forwarder and have that listen on the VPN IP and forward the requests to dnscrypt-proxy. The last option gives you the benefit of a cache closer to the clients as well.

SquirrelCoder commented 8 years ago

Thanks for the reply,

this is my Unbound config file:

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
server:
    logfile: "/var/log/unbound.log"
    log-time-ascii: yes
    module-config: "iterator"
    do-not-query-localhost: no
    interface: 127.0.0.1
    #interface: 10.8.0.1
    access-control: 127.0.0.1 allow
    access-control: 10.8.0.1/24 allow
forward-zone:
   name: "."
   forward-addr: 127.0.0.1@40
   forward-first: no

remote-control:
       control-enable: no

and this is dnscrypt-proxy config file:

PATH=/usr/sbin:/usr/bin:/sbin:/bin
DAEMON=/usr/local/sbin/dnscrypt-proxy
NAME=dnscrypt-proxy
ADDRESS1=77.66.84.233
ADDRESS2=176.56.237.171
PNAME1=2.dnscrypt-cert.resolver2.dnscrypt.eu
PNAME2=2.dnscrypt-cert.resolver1.dnscrypt.eu
PKEY1=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A:9955
PKEY2=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66

case "$1" in
  start)
    echo "Starting $NAME"
    $DAEMON --daemonize --ephemeral-keys --user=dnscrypt --local-address=127.0.0.1:40 --resolver-address=$ADDRESS1 --provider-name=$PNAME1 --provider-key=$PKEY1
        $DAEMON --daemonize --ephemeral-keys --user=dnscrypt --local-address=127.0.0.2 --resolver-address=$ADDRESS2 --provider-name=$PNAME2 --provider-key=$PKEY2
    ;;
  stop)
    echo "Stopping $NAME"
    pkill -f $DAEMON
    ;;
  restart)

    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/dnscrypt-proxy {start|stop|restart}"
    exit 1
    ;;
esac

exit 0

I have changed the first address to 127.0.0.1:40 and now I am lost, don't know what do to :( Edit: I have searched and found this link http://serverfault.com/questions/655143/openvpn-dnscrypt this person doesn't use unbound, but he got it working ...

SquirrelCoder commented 8 years ago

Thank you sir, I got it working and everything works perfectly and Outstanding Script.

simonclausen / dnscrypt-autoinstall

OpenVPN and Dnscrypt-proxy #77