This issue was moved to a discussion.
[Thread] Running dnscrypt-proxy on Android #41
Comments
Exactly how do you build it with gomobile? I tried and it makes an apk which doesn't work. I was thinking of just making a Magisk module. It's either that or a root app and I don't know how to make apps. I already updated this unmaintained v1 module for the latest Magisk version and some extra improvements. It should be simple enough to adapt to v2. I just need a way to make the binaries. |
It requires an |
Well, the Linux arm64 variant seems to work fine on my phone. Maybe we don't need Android-specific binaries after all. Also I have a request, I don't know if it's possible but could you add an option to have paths relative to dnscrypt-proxy.toml? It would be useful since I'm separating the binary from the config files (can't well keep them in /system/xbin). Otherwise every path in dnscrypt-proxy.toml must be a hardcoded absolute path. |
This is the binary file from the release page, running on Termux (arm64). Edit: Works fine when I use a self-compiled binary (set port to 5353). edit (2019.11.03):.
|
Hi, I am trying the arm binaries on my phone and they seem to work fine.
Here is my dnscrypt-proxy.toml: https://pastebin.com/c5HM2SMW |
Is your network usable? |
Ok thank you, the problem was that just after starting dnscrypt-proxy I tried to divert all DNS requests to localhost:
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1
Unfortunately, I don't know how to configure my phone to use 127.0.0.1 as DNS server after starting dnscrypt-proxy :( |
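Added example (not part of the original thread or the project's code): the two redirect rules quoted in the comment above match every local process, including dnscrypt-proxy's own port-53 queries to its fallback resolver. The function below prints the same rules with an owner match that exempts the proxy's UID; UID 999 and port 5353 are assumed sample values borrowed from other comments in this thread, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: print iptables rules that send local DNS to dnscrypt-proxy
# while leaving the proxy's own traffic alone. Dry run only: nothing is
# applied; pipe the output to "sh" as root to install the rules.
# Assumptions: UID 999 and 127.0.0.1:5353 are sample values, not defaults.

dns_redirect_rules() {
    action="$1"      # -A adds the rules, -D removes the same rules again
    proxy_uid="$2"   # numeric UID that dnscrypt-proxy runs as
    listen="$3"      # loopback address:port taken from listen_addresses

    case "$action" in
        -A|-D) ;;
        *) echo "action must be -A or -D" >&2; return 2 ;;
    esac
    case "$proxy_uid" in
        ''|*[!0-9]*) echo "uid must be numeric" >&2; return 2 ;;
    esac
    case "$listen" in
        127.0.0.1:|127.0.0.1:*[!0-9]*) echo "bad port" >&2; return 2 ;;
        127.0.0.1:*) ;;
        *) echo "listen address must be 127.0.0.1:PORT" >&2; return 2 ;;
    esac

    # "-m owner ! --uid-owner" matches packets from every UID except the
    # proxy's, so its upstream and fallback-resolver queries are not looped
    # back into its own listener.
    for proto in udp tcp; do
        echo "iptables -t nat $action OUTPUT -p $proto --dport 53" \
             "-m owner ! --uid-owner $proxy_uid" \
             "-j DNAT --to-destination $listen"
    done
}

# Sample invocation with the assumed values.
dns_redirect_rules -A 999 127.0.0.1:5353
```

Calling the function with `-D` and the same arguments prints the matching removal commands.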
I added a guide to building the Android version on a non-Android OS, if anyone's interested. https://github.com/jedisct1/dnscrypt-proxy/wiki/Building-the-Android-version-on-non-Android-OS |
This is fantastic, thank you @Sporif! |
@Sporif are you still planning to release a Magisk module for 15+? |
@JERW86 Yeah I am, it's just going to be a while. Still writing the script that calls dnscrypt-proxy. |
System: Android LOS 7.1.2 latest, amd64 compiled, root, Afwall+ (on/off)
moved the folder dnscrypt-proxy to data/local/tmp, all files 777 privileges
I encountered the following error while starting it with ./dnscrypt-proxy:
I changed the standard configuration file:
listen_addresses = ['127.0.0.1:53', '[::1]:53']
If not I got an error that there's no UDP connection possible
require_dnssec = false
SSH:
How can I fix this and run dnscrypt-proxy permanently? |
Looks like you are listening to the same IP and port twice. |
Ok, changed it again to the standard listen addresses gemini:/ $ su |
Try a single address, then: listen_addresses = ['127.0.0.1:53'] |
Could you send me a copy of your compiled dns crypt? Can't get it to work :( |
@HI54U
Where To remove the rules it's the same command except use |
@Teyro what have you tried so far? |
@jedisct1 @Teyro @Sporif What is the best way to start dnscrypt-proxy automatically and not manually in a shell for Android 7.1.2? Init.d script? |
Yes an init.d script, or if you use magisk add the script to |
ok, made a simple userinit script in system/etc/init.d 99userinit.sh #!/system/bin/sh then started it with universal init.d |
The afwall script should be |
|
Restart |
VPN filtering occurs on per UID basis. Run |
Maybe I'm not getting what you want to achieve. You need to handle UIDs, not interfaces (unless you want to do something specifically to interfaces). It covers all possible cases including WiFi, Mobile Data and VPN with any of the both.
Routing on Android is far more complex than on an ordinary Linux PC. With VPN, it becomes even more complicated. There are UID ranges and SOcket_MARKs involved. With network events |
Don't say ever to Linus Torvalds that |
Is there any easy way to run dnscrypt with a unique UID? Are there plans to realize this from an update of dnscrypt-android itself? |
The link in the comment you mentioned explains in great detail how to run |
It should be noted that the directions for adding a sepolicy mentioned above require Magisk. It would be nicer if the directions above did not require Magisk. Magisk is overwriting "neverallow" sepolicy. |
I just used Magisk's |
Don't get me wrong. It's an impressive tutorial which I tried before, but could only get it to work in setting SELinux permissive on boot by adding a line temporarily to dnscrypt-proxy.rc. I am hanging atm in step 4 of your tutorial
That seems to work for me
output: "Load policy from: /sys/fs/selinux/policy"
Step 5. Save and load policy file.
supolicy --save /sys/fs/selinux/policy
Would be great to get this working :) |
|
Yes, if you want to go the hard way, following something proposed 4 years back. What I proposed recently in How to manually root a phone? goes like this:
Also what has been written in your linked answer isn't applicable (at least fully) today. Android's SELinux implementation is very near to mainline Linux kernel now. And all tools designed for the latter also work on Android. I use |
Why are you patching |
Step 4 I did in an adb shell
supolicy --live 'allow dns_crypt system_file dir { read open }'
supolicy --live 'allow dns_crypt node tcp_socket { node_bind }'
supolicy --live 'allow dns_crypt proc_net file { open read }'
got after every rule "Load policy from: /sys/fs/selinux/policy"
Step 5. Save and load policy file
supolicy --save /sys/fs/selinux/policy
added to dnscrypt-proxy.rc
#enforcing custom SELinux policy loading after reboot
After a reboot it works like before, but now I have a separate UID 999 for Dnscrypt and disabled Apps as root (0) permission and got Internet Access. But :) |
So if I can't patch it "live" with supolicy in Android system I need to patch it with magiskinit from PC
Android supolicy errors
supolicy --live 'allow init dns_crypt process *'
supolicy --save /sys/fs/selinux/policy
Followed the description here for patching supolicy on PC (Linux) but
supolicy --load policy --save policy.patched 'create dns_crypt'
supolicy --load policy --save policy.patched 'create dns_crypt' 'allow init dns_crypt process *' 'allow dns_crypt dns_crypt * *' 'allow dns_crypt system_file dir { read open }' 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }' 'allow dns_crypt node tcp_socket { node_bind }' 'allow dns_crypt node udp_socket { node_bind }' 'allow dns_crypt port tcp_socket { name_bind name_connect }' 'allow dns_crypt port udp_socket { name_bind }' 'allow dns_crypt proc_net file { open read }' 'allow dns_crypt proc_stat file { read }' 'allow dns_crypt properties_device dir { read }' 'allow dns_crypt devpts chr_file { open read write }'
Load policy from: policy
Can someone please help to patch policy. |
It seems that's not a policy problem, because if I run dnscrypt in permissive mode by adding in the rc-script there's no difference. I've got Internet access, but not through dnscrypt-proxy. AfWall grant access through UID999 (custom script): rc-script adding:
[2020-06-20 10:42:54] [NOTICE] dnscrypt-proxy 2.0.44
I copied the files manually to the /system/etc/dnscrypt-proxy directory and dnscrypt is running as a service
[2020-06-20 11:21:15] [NOTICE] dnscrypt-proxy 2.0.44
I got Internet access, but not through dnscrypt-proxy. How should I configure AfWall and dnscrypt to get the Internet access through dnscrypt again and that's the resolver can update the files properly. |
@mirfatif |
There is an issue with DNSCrypt not letting the phone go to sleep and as far as I know you can't solve it with any existing methods, it has to be implemented on the application side. |
AFWall+ anti-leaking boot script - Fallback resolver stuck (HELP NEEDED)
Probably you know about the anti-leaking script that AFWall+ can put into the startup directory and make the OS booting much safer. I have tried some workarounds like granting the access through the extra IPTABLES rules (additional script), but they didn't work for me. It would be nice to find a way of making this script work in conjunction with dnscrypt-proxy.
AFWall+ v3.4.0 - Anti-leaking boot script
P.S. Interesting fact (over the years): if I have any kind of trouble with the Fallback resolver, manually launching dnscrypt-proxy using adb always works... It would be nice to have the equal reliability by default... I need your help, friends. |
Before I can configure it (I had dnscrypt-proxy v1 running with custom init/config scripts just fine on my OnePlus), I need to have it built / build it for Android ARM7. My current toolchain is deprecated (OSX & go is deprecated), and I cannot build it in a VM for the same reason. Can someone please build for Android ARM7 and post? Thanks. |
@tehcog - for Arm7, would the alpine build work? |
Hey, I try to run dnscrypt-proxy without root privileges ( dnscrypt-proxy user in
Any ideas how to resolve this? |
Use |
The binary needs to have |
Current status:
gomobile
This is fantastic, but not enough for most Android users to easily install and use it.
Since my knowledge of Android is fairly limited, help would be welcome!