How to use OpenVPN with DNSCrypt?
edited November 2016 in Help

How do I set it up? How can I use DNSCrypt servers as DNS resolver in OpenVPN?

Comments

  • Up.

    20.11.2016

  • Well. I am not familiar with the dnscrypt software. But as far as I know, and just guessing, you should have a dnscrypt resolver available, or install some software somewhere to act as a proxy for the dnscrypt protocol. Probably the normal choice for the second option would be the same openvpn server, listening on the vpn address.

    After getting this part working, you should configure your clients to use that resolver instead of your normal ones.

  • mik997 Member
    edited November 2016

    roll your own dnsdist resolvers with dnscrypt enabled and use dnscrypt client on the endpoint

    https://github.com/PowerDNS/pdns/blob/master/pdns/README-dnsdist.md#dnscrypt

    or use one of the existing public dnscrypt resolvers

    https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

  • edited November 2016

    Hello again,

    I have installed DNSCrypt on the server (https://github.com/simonclausen/dnscrypt-autoinstall). Then I installed OpenVPN. But when I do DNS resolution, it seems to use Google's DNS resolvers. IP addresses that are not related to the DNSCrypt servers are coming out. @yomero, @mik997

  • I'm not yet clear on whether this is on the OpenVPN client side or the server side.

    But (at the expense of appearing foolish) here goes:

    1. Install dnscrypt-proxy which will then contact one of the public dnscrypt resolvers (you pick) See: https://dnscrypt.org/#dnscrypt-proxy

    2. As documented there you're better off with a local caching dns proxy (either unbound or dnsmasq - unbound seems to be better/more reliable with DNSSEC but recent versions of dnsmasq are also supposed to work fine - I have not used/enabled/forced DNSSEC as yet so don't have any thoughts). Ensure that the local resolver (either unbound or dnsmasq) uses the local version of dnscrypt (127.0.0.1#PORT where PORT is the port you've picked for 1). Once this is working fine, you've got DNS working with caching using dnscrypt. There are plenty of good websites that should help with the basics here See: https://wiki.debian.org/HowTo/dnsmasq#dnsmasq_with_dnscrypt-proxy or https://wiki.archlinux.org/index.php/DNSCrypt

    3. Now add OpenVPN to the mix and do what is needed. On the server as long as resolv.conf uses (2) you should be all set. On a client, assuming you are forcing a default route via the OpenVPN server you should be all set - but again perhaps the OpenVPN experts (or other config suggestions from other threads) can pitch in on the specifics of pushing a DNS server on the server to the client.

    I hope this will at least get you off the ground in a step by step way after which you can refine and lockdown/secure things.

    HTH.

    Thanked by 1mik997
  • Anna_Parker Member
    edited November 2016

    @Arttu_Rantanen
    Tested by myself as I'm also using OpenVPN + dnscrypt.

    # save the script under the name used by the next two commands
    wget https://raw.githubusercontent.com/simonclausen/dnscrypt-autoinstall/master/dnscrypt-autoinstall --no-check-certificate -O dnscrypt-autoinstall.sh
    chmod +x dnscrypt-autoinstall.sh
    ./dnscrypt-autoinstall.sh
    

    Then edit /etc/openvpn/server.conf and add these lines:

    push "dhcp-option DNS 127.0.0.1"
    push "dhcp-option DNS 127.0.0.2"
    
  • edited November 2016

    @Anna_Parker, @nullnothere

    Though I tried many times, it never happened. When I run the DNS resolver test, the Google DNS resolvers come out with Dutch and Belgian IP addresses.

    I do this: (1) DNSCrypt is installed. > (2) OpenVPN is installed. During installation, system DNS resolver is selected as DNS resolver. (/etc/resolv.conf) > (3) The OpenVPN connection is performed. > (4) DNS resolver test is done.

    Resolved DNS resolutions:

    ...Google DNS - Netherlands
    
    Google DNS - Belgium...
    

    It is not. :(

  • Anna_Parker Member
    edited November 2016

    @Arttu_Rantanen
    Check the /etc/resolv.conf - it should be 127.0.0.1.

    BTW, I've found a tutorial which might help: https://mydarkerego.blogspot.nl/2015/03/dnscrypt-proxy-unbound-openvpn.html

    Thanked by 1couscous
  • just to clarify .. what OpenVPN client OS are you using? Linux or Windows?

  • @mik997 Linux and Android.

  • I tried eight times in the day. But it is not. It does not make any mistakes anywhere. But when I run the DNS resolver test, Google DNS goes out. What is Google DNS? Am I configuring by Google DNS? No. Damn OpenVPN and DNSCrypt. :( @mik997, @Anna_Parker

  • A few more suggestions:

    1. On the VPN Server, can you confirm that DNS is working as you expect (via DNSCrypt etc.)?

    2. On the VPN Client, I assume that DNS works (normally, without DNSCrypt etc.) when you are NOT on VPN.

    3. Once the VPN Client connects to the VPN server, the VPN server should be pushing down default routes as well as DNS servers to the client. If the VPN server pushes 127.0.0.1 to the VPN Client, then the client will use whatever local DNS server (assuming one is setup) to resolve. OTOH, if the VPN server pushes the VPN Server's private VPN server IP to the client, then the client should use that IP which will result in traffic over VPN for DNS. Can you confirm if this is happening?

    4. Independent of everything, please run dig @SERVER-OR-IP some-public-host-somewhere to get confirmation of how dns is resolving with the appropriate SERVER-OR-IP and then fine tune via routes,push etc.

    HTH.

  • I just could not do it. Maybe I have tried fifty times so far but the result is vain. @nullnothere

  • I don't mean to resurrect a zombie thread, but Anna_Parker and her reference to the "mydarkego" page led me to a solution of Arttu_Rantanen's (since banned) problem as to how to construct a distant machine that will act both as a VPN server and also execute dnscrypt-proxy instructions.

    After reading Anna's ideas and those of her links two years ago, my machine perfectly worked as a VPN server delivering DNS via the encrypted servers. Unfortunately, after I upgraded my Ubuntu servers across the world, everything stopped working.

    Ultimately, I got everything back online, so I decided to communicate to you the hacks that worked for me to have OpenVPN working on a distant server using DNSCrypt-proxy to deal with DNS requests.

    The first step is to install DNSCrypt and dnsmasq on Ubuntu 18.04. Here is the link:

    https://blogging.dragon.org.uk/dnscrypt-and-dnsmasq-on-ubuntu-18-04/

    You can find similar sites for earlier versions, but the main idea is that DNSmasq listens to the traditional DNS port of 53 and that DNSCrypt forwards it to, say port 40, and that DNSCrypt-proxy listens to port 40. As I understand it, computers are much happier with just one service listening to each port, but please correct me if I am wrong. The above link will show you how to verify this connection.

    The next step is to install OPENVPN on your distant computer. It is really quite an adventure for the first time you do it – but isn't this true for the most interesting events in your life?!

    For this chapter, I will direct you to the excellent instructions provided by Digital Oceans. No, I don't work for them:

    For Ubuntu 16: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

    For Ubuntu 18: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

    If you have completed these steps, you have DNSCrypt-proxy working on your distant machine. OPENVPN should be working from your home computer via your distant machine. But unfortunately, your DNS requests from home are still unencrypted.

    You need to send your DNS requests encrypted through the VPN to a DNSCrypt provider that you trust. Trust or not to trust – that is entirely your decision. I trust you understand what this question implies.

    ...

    Assuming DNSCrypt, DNSMasq, and OPENVPN are working on your distant machine, these are the adjustments that allowed me to have them working in harmony. To be honest, I don't understand the logic, but it works. If anyone can explain how to do it better (and why), I would be very grateful.

    First: In your /etc/dnsmasq.conf file, include the lines:

    listen-address=127.0.0.1
    listen-address=10.8.0.1
    server=127.0.0.1#2053

    (2053 could be any number. After following the first instructions, I chose "40".)

    This means that your machine is listening to information from itself (I have no idea why) and also from 10.8.0.1, which is the server address of your VPN machine.

    It is also serving its DNS requests to 127.0.0.1:2053, (or 127.0.0.1:40, whatever), which is what DNSCrypt-proxy has been configured to listen to. DNSCrypt-proxy then sends your encrypted dns requests to whomever you have trusted them to and deal with them appropriately.

    ...

    My big problem was putting all of this together. Anna Parker gave me a huge clue by sending me to "mydarkego" and his solution.

    My solution, and I would be very happy for any commentators to improve, was to implement the two suggestions above – to – independently – make DNSCrypt-proxy and DNSMasq work on the same distant machine, and to make OPENVPN also work on the same distant machine.

    I was disappointed that this didn't work for me.

    But, in the end, it all came together. I forget where I read the post, and I don't understand the logic, but here is my recipe. If any of you are smart enough to know the logic of this below, please let me know.

    Here is the ufw file that works. Please ignore line 4 – although it functions perfectly for my TCP server file, it is not as elegant as line 7 for UDP. I will change it soon.

         To                     Action      From
         --                     ------      ----
    [ 1] OpenSSH                ALLOW IN    Anywhere
    [ 2] 1194/udp               ALLOW IN    Anywhere
    [ 3] 443/tcp                ALLOW IN    Anywhere
    [ 4] 10.8.2.1 53            ALLOW IN    10.8.2.0/24
    [ 5] 1111                   ALLOW IN    Anywhere
    [ 6] 51364                  ALLOW IN    Anywhere
    [ 7] 10.8.0.1 53            ALLOW IN    10.8.0.6

    ...

    Thank you to Anna and Arttu for giving me a focus of thought. I hope my response will be useful.

    Thanked by 1Anna_Parker
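    As an added check that is not code from anyone in this thread, here is a small shell lint that ties nullnothere's point 3 above (pushing 127.0.0.1 sends the client to its own machine, so its queries never reach the server's dnsmasq) to the dnsmasq lines in the post just above: it fails a server.conf that pushes a loopback DNS address and a dnsmasq.conf that is not bound to the tunnel address or that forwards to a plain resolver. The port 2053, the tunnel address 10.8.0.1 and the sample file names are assumptions taken from that post.

```shell
#!/bin/sh
# Added example, not code from any poster. Lints the two config fragments that
# decide where VPN clients send DNS, assuming the layout the thread converges on:
# dnsmasq on port 53, dnscrypt-proxy on 127.0.0.1#2053, server tunnel IP 10.8.0.1.

# Print every address named by 'push "dhcp-option DNS ..."' in an OpenVPN server.conf.
pushed_dns() {
  sed -n 's/^push "dhcp-option DNS \([^"]*\)".*/\1/p' "$1"
}

# Pass only if at least one DNS address is pushed and none is loopback. A pushed
# 127.0.0.1 points the client at itself, so its queries never reach the server's
# dnsmasq and go out via whatever resolver the client had before (the "Google
# DNS" result seen in the thread).
check_push() {
  found=0
  for ip in $(pushed_dns "$1"); do
    found=1
    case "$ip" in 127.*) return 1 ;; esac
  done
  [ "$found" -eq 1 ]
}

# Pass only if dnsmasq listens on the pushed tunnel address and every upstream
# 'server=' entry is a loopback port, i.e. dnscrypt-proxy, never a plain resolver.
check_dnsmasq() {
  grep -qxF "listen-address=$2" "$1" || return 1
  grep -q '^server=' "$1" || return 1
  ! grep '^server=' "$1" | grep -qv '^server=127\.0\.0\.1#[0-9][0-9]*$'
}

# Constructed sample configs: the loopback push given earlier in the thread and a
# dnsmasq that forwards to Google's public resolver, beside a working pair.
work=$(mktemp -d)
printf '%s\n' 'server 10.8.0.0 255.255.255.0' 'push "redirect-gateway def1 bypass-dhcp"' \
  'push "dhcp-option DNS 127.0.0.1"' > "$work/server-loopback.conf"
printf '%s\n' 'server 10.8.0.0 255.255.255.0' 'push "redirect-gateway def1 bypass-dhcp"' \
  'push "dhcp-option DNS 10.8.0.1"' > "$work/server-tunnel.conf"
printf '%s\n' 'listen-address=127.0.0.1' 'server=8.8.8.8' > "$work/dnsmasq-leaky.conf"
printf '%s\n' 'listen-address=127.0.0.1' 'listen-address=10.8.0.1' 'no-resolv' \
  'server=127.0.0.1#2053' > "$work/dnsmasq-ok.conf"

for f in server-loopback server-tunnel; do
  check_push "$work/$f.conf" && echo "$f: ok" || echo "$f: pushed DNS is loopback or missing"
done
for f in dnsmasq-leaky dnsmasq-ok; do
  check_dnsmasq "$work/$f.conf" 10.8.0.1 && echo "$f: ok" || echo "$f: not on tunnel IP or not forwarding to dnscrypt-proxy"
done
```

    Point the two functions at the real /etc/openvpn/server.conf and /etc/dnsmasq.conf to check a live box; the ufw rule for port 53 from the tunnel subnet still has to be in place for clients to reach the listener.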
  • Thanks, Anna.

    Here is a link to your original advice:

    https://www.lowendtalk.com/discussion/96020/how-to-use-openvpn-with-dnscrypt

    Thanked by 2uptime Janevski
  • uptime Member

    nice guy sentient zombie @couscous ...

    welcome to LET, I guess

    Thanked by 1Janevski
  • Janevski Member
    edited July 2019

    couscous said: Thanks, Anna.

    Quite likely by now Anna had blossomed, moved on to the next stage of life and lovingly cares for what really matters in life - her own family, her children, instead of wasting time with some meaningless openvpn config or whatever, but...
    Even through the vastness of time and space, a good deed is thanked for.

    Salud @Anna_Parker! Thank you.
    I sincerely hope the universe treats you nice and life is good for you.
    May this message find you and those around you, well.

    @couscous You did a thoughtful thing.

  • deank Member, Troll
    edited July 2019

    Yeah, looking back...., Anna was such a bitch to deal with. Constant PMSing didn't help, either. Yelling at @WSS for no apparent reason other than disliking his avatar image... and then berating @PieHasNotBeenEaten for not finishing up his pie...
    She also got into a huge argument with @JarLard for not applying enough lard during, ehm, something.
    Then there was an incident between Anna and @FurryET as well, I believe.

    She moved on from LET for a good reason. Of course, she had to be banned to be able to move on, but she moved on regardless.

    Thanked by 2uptime angstrom
  • Anna_Parker Member
    edited July 2019

    deank said: Yeah, looking back...., Anna was such a bitch to deal with. Constant PMSing didn't help, either. Yelling at @WSS for no apparent reason other than disliking his avatar image... and then berating @PieHasNotBeenEaten for not finishing up his pie...
    She also got into a huge argument with @JarLard for not applying enough lard during, ehm, something.
    Then there was an incident between Anna and @FurryET as well, I believe.

    She moved on from LET for a good reason. Of course, she had to be banned to be able to move on, but she moved on regardless.

    What's your problem?

    Thanked by 1uptime
  • uptime Member

    Anna_Parker said: What's your problem?

    Imma guess something something PMS ...

  • @uptime said:
    Imma guess something something PMS ...

    Please what is this PMS system? In my understanding it is used to manage real estate projects, is that right? What is the relationship with the private rodent systems and encrypted? Thank you.

    Thanked by 1uptime
  • angstrom Moderator

    @Piroquinha said:

    @uptime said:
    Imma guess something something PMS ...

    Please what is this PMS system? In my understanding it is used to manage real estate projects, is that right? What is the relationship with the private rodent systems and encrypted? Thank you.

    PMS = Parmesan Mozzarella Swiss

    Thanked by 2uptime ITLabs
  • uptime Member

    Privileged Male Syncophant chiming in here.

    Now, LET me explain a few things to you ...

    Ah ... nevermind.

    Oooo look - over there - a squirrel!

    Thanked by 2ITLabs Hxxx
  • ITLabs Member

    @uptime said:

    Oooo look - over there - a squirrel!

    Where?

    Thanked by 1uptime
  • uptime Member

    Thanked by 1ITLabs
  • @angstrom said:

    @Piroquinha said:

    @uptime said:
    Imma guess something something PMS ...

    Please what is this PMS system? In my understanding it is used to manage real estate projects, is that right? What is the relationship with the private rodent systems and encrypted? Thank you.

    PMS = Parmesan Mozzarella Swiss

    Mr Angstrom I apologize but I believe that you may be wrong because there is no relation between this PMS and pieces of cheese. The only correct reference to PMS is

    Property Management Systems(PMS) or Hotel Operating System(HOS), under business terms may be used in real estate, manufacturing, logistics, intellectual property, government or hospitality accommodation management. They are computerized systems that facilitate the management of properties, personal property, equipment, including maintenance, legalities and personnel all through a single piece of software. They replaced old-fashioned, paper-based methods that tended to be both cumbersome and inefficient. They are often deployed as client/server configurations. Today, most next generation property management systems favour a software-as-a-service (SaaS) model sustained by web and cloud technologies.

    I would respectfully like to understand the relationship of this computer program to the encrypted virtual network object.

    Thank you and my greetings.

    Thanked by 1uptime
  • uptime Member

    @Piroquinha said: [...]

    HOS got PMS ?

    Thanked by 1ITLabs
  • No it is PMS or HOS. In my understanding it is the same program.

    Thanked by 1uptime
  • PMS = Personal Mobile Service. Everybody hates their cell provider and it causes them to be really hostile and bitchy.

    Thanked by 1uptime
  • ITLabs Member

    PMS = Peacock Mantis Shrimp. A fusion between HostMantis, PeacockRacks and WootShrimp.

    Thanked by 1uptime