DNSCrypt with Ubuntu 14.04 on RPi 2

Got this working on a Raspberry Pi 2 by using several sets of instructions… All commands are done on the command line in a terminal instance.

    1. These instructions got the actual software onto my machine. Since there is no build for Ubuntu, the code must be compiled on the local machine, starting with the encryption library it depends on, ‘libsodium’.
      • From the linked instructions “I also recommend installing the build-essential packages in case you’re missing compilers.”
        sudo apt-get install build-essential
      • Download libsodium to a usable directory. I used /media/libsodium, which I created first using
        sudo mkdir /media/libsodium
        cd /media/libsodium

        Then I used wget for the latest tarball release here

        sudo wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.3.tar.gz

        Untar the libsodium package and install

            sudo tar -xvzf libsodium-1.0.3.tar.gz
            cd libsodium-1.0.3
            sudo ./configure
            sudo make
            sudo make install

        These instructions say
        “I personally have to run “make install” twice. No clue why.”

    2. Setting Up A DNSCrypt User – as from here
      sudo adduser --system --quiet --home /run/dnscrypt --shell /bin/false --group --disabled-password --disabled-login dnscrypt

      That’s all one command. This is so that DNSCrypt can run as another user with no rights, and chroot itself into the directory.

    3. Now we can compile and install DNSCrypt. Download DNSCrypt to a usable directory. I used /media/dnscrypt, which I created first using
      sudo mkdir /media/dnscrypt
      cd /media/dnscrypt

      Then I used wget for the latest tarball release here

      sudo wget https://download.dnscrypt.org/dnscrypt-proxy/LATEST.tar.gz

      Here is a method to authenticate the download

      dig +dnssec TXT dnscrypt-proxy-1.6.0.tar.bz2.download.dnscrypt.org
      • Untar the DNSCrypt package and install
            sudo tar -xvzf LATEST.tar.gz
            cd dnscrypt-proxy-1.6.0
            sudo ./configure
            sudo make
            sudo make install
    4. Now you can test the install:
      If there is a problem with certificate validity, check step 6.

      sudo reboot
      sudo mkdir /run/dnscrypt
      
      sudo dnscrypt-proxy --user=dnscrypt --ephemeral-keys --resolver-name=cloudns-syd --test=0

      Edit: I had an error

      dnscrypt-proxy: error while loading shared libraries: libsodium.so.18: cannot open shared object file: No such file or directory

      fixed with this command:

      sudo ldconfig

      Settings for DNSCrypt are here.

    5. If this is working (YAY) we can set it to run on boot as a daemon, edit /etc/rc.local
      sudo nano /etc/rc.local

      These were my /etc/rc.local settings:

      mkdir /run/dnscrypt
      sudo dnscrypt-proxy -a 192.168.1.190 --user=dnscrypt --ephemeral-keys --resolver-name=cisco --daemonize
      
      exit 0

      Using “-a 192.168.1.190” sets the listening address for DNSCrypt. I set it to the machine’s static local IP address; this allows other devices on the local network (e.g. the wifi router) to use this machine for DNS.

    6. I found that when the machine boots DNSCrypt doesn’t work as it needs the time set – which requires a DNS request for the time server… I added a couple static DNS IPs in the hosts file so the machine can access time servers on boot:
      sudo nano /etc/hosts
      • I added these lines to the hosts file (which I tried to find as static IPs):
        203.14.0.250 tic.ntp.telstra.net
        203.14.0.251 toc.ntp.telstra.net
        24.56.178.140  www.nist.gov
        216.229.0.179 time.nist.gov
      • Then I added those servers to the NTP client as described here:
        sudo nano /etc/ntp.conf
        server tic.ntp.telstra.net
        server toc.ntp.telstra.net
        server  www.nist.gov
        server time.nist.gov
    7. Note that the local DNS settings are set here:
      sudo nano /etc/network/interfaces

      This is mine:

      # The primary network interface
      allow-hotplug eth0
      iface eth0 inet static
       address 192.168.1.190
       netmask 255.255.255.0
       gateway 192.168.1.1
       dns-nameservers 192.168.1.190
      
      
      #auto eth0:0
      #iface eth0:0 inet dhcp

      In the end I didn’t want to turn off DHCP due to ease of use etc, but I was able to set a custom DNS setting on my Mikrotik router using winbox. I used code 6, as here.
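
Steps 5 and 6 both depend on the clock being right before dnscrypt-proxy starts, because the Pi has no battery-backed clock. The script below is an added example, not part of the original post: it holds the step 5 command back until the system time is at least as new as a reference file. `REF_FILE`, `MAX_WAIT` and the function names are assumptions made for this illustration, and `stat -c` assumes GNU coreutils as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post): start dnscrypt-proxy only once
# the clock is plausible. With the boot-time clock far in the past, resolver
# certificates look "not yet valid" and the proxy cannot use them.

# Assumption: a file written after installation gives a lower bound for "now".
# The path and the timeout are placeholders chosen for this example.
REF_FILE="${REF_FILE:-/etc/ntp.conf}"
MAX_WAIT="${MAX_WAIT:-120}"   # seconds to give ntpd before giving up

# clock_is_sane NOW_EPOCH MIN_EPOCH -> status 0 if NOW is at or after MIN
clock_is_sane() {
    [ "$1" -ge "$2" ]
}

# ref_epoch FILE -> prints the mtime of FILE in seconds since the epoch
ref_epoch() {
    stat -c %Y "$1"
}

# wait_for_clock MIN_EPOCH MAX_WAIT [STEP] -> 0 once sane, 1 on timeout
wait_for_clock() {
    min=$1; left=$2; step=${3:-5}
    while ! clock_is_sane "$(date +%s)" "$min"; do
        [ "$left" -le 0 ] && return 1
        sleep "$step"
        left=$((left - step))
    done
    return 0
}

# Same command line as the rc.local entry in step 5 (rc.local runs as root).
start_dnscrypt() {
    mkdir -p /run/dnscrypt
    dnscrypt-proxy -a 192.168.1.190 --user=dnscrypt --ephemeral-keys \
        --resolver-name=cisco --daemonize
}

# Act only when invoked with "start", so sourcing the file has no side effects.
if [ "${1:-}" = "start" ]; then
    if wait_for_clock "$(ref_epoch "$REF_FILE")" "$MAX_WAIT"; then
        start_dnscrypt
    else
        echo "clock still older than $REF_FILE after ${MAX_WAIT}s" >&2
        exit 1
    fi
fi
```

Saved under a path of your choice and called from /etc/rc.local with the argument `start`, it replaces the two lines shown in step 5.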
