This issue was moved to a discussion.

[Thread] Running dnscrypt-proxy on Android #41

Closed
jedisct1 opened this issue Jan 27, 2018 · 130 comments

Comments

@jedisct1
Member

Current status:

  • The proxy compiles without any changes using gomobile
  • It also compiles and runs fine on Termux

This is fantastic, but not enough for most Android users to easily install and use it.

Since my knowledge of Android is fairly limited, help would be welcome!

@jedisct1 jedisct1 added the help wanted Extra attention is needed label Jan 27, 2018
@Sporif

Sporif commented Jan 28, 2018

Exactly how do you build it with gomobile? I tried and it makes an apk which doesn't work.

I was thinking of just making a magisk module. It's either that or a root app and I don't know how to make apps. I already updated this unmaintained v1 module for the latest magisk version and some extra improvements, It should be simple enough to adapt to v2. I just need a way to make the binaries.

@jedisct1
Member Author

It requires an app.Main() function, that can just call the (actual) main function. That's all I know :)

@Sporif

Sporif commented Jan 28, 2018

Well, the linux arm64 variant seems to work fine on my phone. Maybe we don't need Android-specific binaries after all.

Also I have a request, I don't know if it's possible but could you add an option to have paths relative to dnscrypt-proxy.toml? It would be useful since I'm separating the binary from the config files (can't well keep them in /system/xbin). Otherwise every path in dnscrypt-proxy.toml must be a hardcoded absolute path.

@Sak94664

Sak94664 commented Jan 28, 2018

./dnscrypt-proxy
[2018-01-28 15:10:08] [CRITICAL] Unable use source [public-resolvers]: [Get http://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md: dial tcp: lookup download.dnscrypt.info on [::1]:53: read udp [::1]:44259->[::1]:53: read: connection refused]
[2018-01-28 15:10:08] [NOTICE] Starting dnscrypt-proxy 2.0.0beta11
[2018-01-28 15:10:08] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2018-01-28 15:10:08] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2018-01-28 15:10:08] [NOTICE] Now listening to [::1]:5353 [UDP]
[2018-01-28 15:10:08] [NOTICE] Now listening to [::1]:5353 [TCP]
[2018-01-28 15:10:08] [ERROR] Head https://dns.google.com/experimental: dial tcp: lookup dns.google.com on [::1]:53: read udp [::1]:43670->[::1]:53: read: connection refused
[2018-01-28 15:10:08] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
^C[2018-01-28 15:10:58] [NOTICE] Stopped.

This is the binary file from the release page, running on termux (arm64).
But when I use a self-compiled binary, it works fine.
(Maybe it's because I run it without setting the port to 53? Port set to 5353.)
Android 7.1.2

Edit: works fine when I use a self-compiled binary (port set to 5353).
And I found a similar issue on another project. It said that the software will not run on Android if a domain name is set, but it can run if an IP is set.
issue: fatedier/frp#633 (Chinese)

edit (2019.11.03):
it seems that this problem occurs when /etc/resolv.conf is missing,
and Android absolutely doesn't have this file in that exact place.
a chroot or proot may do the trick (use a proot image, or just executing dnscrypt-proxy right after termux-chroot is OK, e.g. termux-chroot ./dnscrypt-proxy).

  • if you are using termux-chroot, please don't forget to add ~/../usr/etc/resolv.conf and edit it.

  • You can just download the linux-arm or linux-arm64 version from the releases page and use it.

@ghost

ghost commented Feb 7, 2018

Hi, I am trying the arm binaries on my phone and they seem to work fine.
However, I have a problem with configuration, since I receive this error:

Starting dnscrypt-proxy...
[2018-02-07 13:53:31] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
[2018-02-07 13:53:31] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53]
[2018-02-07 13:53:31] [CRITICAL] Unable use source [public-resolvers]: [read udp 10.102.21.149:50517->9.9.9.9:53: read: connection refused]
[2018-02-07 13:53:31] [FATAL] No servers configured

Here is my dnscrypt-proxy.toml: https://pastebin.com/c5HM2SMW

@jedisct1
Member Author

jedisct1 commented Feb 7, 2018

Is your network usable? connection refused is pretty self-explanatory; it looks like the phone doesn't have access to the internet, or that something is blocking outgoing DNS connections.

@ghost

ghost commented Feb 7, 2018

Ok thank you, the problem was that just after starting dnscrypt-proxy I tried to divert all DNS requests to localhost:

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1

Unfortunately, I don't know how to configure my phone to use 127.0.0.1 as DNS server after starting dnscrypt-proxy :(

@Sporif

Sporif commented Feb 11, 2018

I added a guide to building the Android version on a non-Android OS, if anyone's interested.

https://github.com/jedisct1/dnscrypt-proxy/wiki/Building-the-Android-version-on-non-Android-OS

@jedisct1
Member Author

This is fantastic, thank you @Sporif!

@JERW86

JERW86 commented Feb 17, 2018

@Sporif are you still planning to release a Magisk module for 15+?

@jedisct1 jedisct1 reopened this Feb 17, 2018
@Sporif

Sporif commented Feb 17, 2018

@JERW86 Yeah I am, it's just going to be a while. Still writing the script that calls dnscrypt-proxy.

@jedisct1 jedisct1 changed the title Help wanted: Android support [Thread] Running dnscrypt-proxy on Android Feb 20, 2018
@HI54U

HI54U commented Feb 20, 2018

System: Android LOS 7.1.2 latest, amd64 compiled, root, Afwall+ (on/off); moved the folder dnscrypt-proxy to data/local/tmp, all files 777 privileges

I encountered the following error while starting it with ./dnscrypt-proxy:
[FATAL] listen udp 127.0.0.1:5353: bind: address already in use

I changed the standard configuration file:

listen_addresses = ['127.0.0.1:53', '[::1]:53']
to
listen_addresses = ['127.0.0.1:53', '127.0.0.1:53']

Otherwise I got an error that no UDP connection was possible

require_dnssec = false
to
require_dnssec = true

SSH:
gemini:/data/local/tmp/dnscrypt-proxy # ./dnscrypt-proxy
[2018-02-20 16:57:11] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
[2018-02-20 16:57:11] [NOTICE] dnscrypt-proxy 2.0.1
[2018-02-20 16:57:11] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-02-20 16:57:11] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-02-20 16:57:11] [FATAL] listen udp 127.0.0.1:53: bind: address already in use
255|gemini:/data/local/tmp/dnscrypt-proxy #

How can I fix this and run dnscrypt-proxy permanently?

@jedisct1
Member Author

listen_addresses = ['127.0.0.1:53', '127.0.0.1:53']

Looks like you are listening to the same IP and port twice.

@HI54U

HI54U commented Feb 20, 2018

Ok, changed it again to the standard listen addresses
But then getting an error again:

gemini:/ $ su
gemini:/data/local/tmp/dns/dnscrypt-proxy <
[2018-02-20 18:03:30] [NOTICE] Source [https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md] loaded
[2018-02-20 18:03:30] [NOTICE] dnscrypt-proxy 2.0.1
[2018-02-20 18:03:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-02-20 18:03:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-02-20 18:03:30] [FATAL] listen udp [::1]:53: bind: cannot assign requested address
255|gemini:/data/local/tmp/dnscrypt-proxy #

@jedisct1
Member Author

Try a single address, then:

listen_addresses = ['127.0.0.1:53']

@Teyro

Teyro commented Feb 20, 2018

Could you send me a copy of your compiled dnscrypt? Can't get it to work :(

@Sporif

Sporif commented Feb 20, 2018

@HI54U
If you haven't already, you also need to set the DNS server with iptables.

iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination $ipv4address 
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination $ipv4address

Where $ipv4address is the IPv4 address used in listen_addresses.

To remove the rules it's the same command except use iptables -t nat -D instead of iptables -t nat -A.

@Sporif

Sporif commented Feb 20, 2018

@Teyro what have you tried so far?

@HI54U

HI54U commented Feb 20, 2018

@jedisct1
thank you, that works now, no errors.

@Teyro
amd64 V2.0.1
https://files.fm/u/f9w8h4gg

@Sporif
thank you for the advice, already changed the Afwall+ startup script

What is the best way to start dnscrypt-proxy automatically, rather than manually in a shell, on Android 7.1.2? An init.d script?

@Sporif

Sporif commented Feb 20, 2018

Yes, an init.d script, or if you use Magisk add the script to /sbin/.core/img/.core/service.d

@HI54U

HI54U commented Feb 20, 2018

ok, made a simple userinit script in system/etc/init.d

99userinit.sh

#!/system/bin/sh
# absolute path, so the script does not depend on the current directory
cd /data/local/tmp/dnscrypt-proxy || exit 1
# run in the background so the init.d runner is not blocked by the proxy
./dnscrypt-proxy &

then started it with Universal Init.d

@ghost

ghost commented Apr 19, 2020

The afwall script should be
iptables -t nat -A OUTPUT -p tcp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:53
iptables -t nat -A OUTPUT -p udp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:53
The fallback resolver 9.9.9.9 is not reachable from certain places; try changing to 1.1.1.1

@Cnqu6doa2bn

Cnqu6doa2bn commented Apr 19, 2020

The afwall script should be
iptables -t nat -A OUTPUT -p tcp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:53
iptables -t nat -A OUTPUT -p udp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:53
The fallback resolver 9.9.9.9 is not reachable from certain places; try changing to 1.1.1.1
Thank you! Exactly, it's working now as it should be :)

@mirfatif

mirfatif commented May 19, 2020

How can I force a running DNSCrypt to re-read the blacklist (or config) on Android? Is there a signal I can send to it, because the "service" functionality won't work (I'm running it through init.rc as a custom service)

Restart init service:
setprop ctl.restart <service_name>

@mirfatif

but the dnscrypt binary itself is now gonna send queries through the VPN as well

VPN filtering occurs on per UID basis. Run dnscrypt with non-root UID and filter that using iptables -m owner. See #866 (comment) and https://android.stackexchange.com/a/207647/218526

@mirfatif

how would I make a generic rule that targets every VPN interface + cover both mobile/wifi ?

Maybe I'm not getting what you want to achieve. You need to handle UIDs, not interfaces (unless you want to do something specifically to interfaces). It covers all possible cases including WiFi, Mobile Data and VPN over either of the two.

That's gotta be routing, I can't just use iptables here?

Routing on Android is far more complex than on an ordinary Linux PC. With a VPN, it becomes even more complicated. There are UID ranges and SOCKET_MARKs involved. With network events netd keeps on creating and destroying routing tables and RPDB rules. The main table is not used at all.
So you don't need to indulge in this whole mess without any purpose. NetFilter (iptables) comes on top of VPN (TUN interfaces) in the OSI model. So the former is never bypassed whether you are using a VPN or not. Updating iptables rules on network events is simpler (just add a custom AFWall+ script) than updating routing tables and policies. And you are already using iptables for NATing DNS queries. So there's no need to manipulate routing.

@mirfatif

mirfatif commented Jun 3, 2020

nslookup and dig both return responses from 8.8.8.8 which defeats the point of having DNScrypt if it can be so easily bypassed

Don't ever say to Linus Torvalds that nslookup and dig are bypassing iptables NAT. He may get really upset

@Cnqu6doa2bn

Is there any easy way to run dnscrypt with a unique UID? Are there plans to realize this in an update of dnscrypt-android itself?
#41 (comment)
#1149 (comment)
#1149 (comment)

@mirfatif

mirfatif commented Jun 10, 2020

Is there any easy way to run dnscrypt with a unique UID? Are there plans to realize this in an update of dnscrypt-android itself?
#41 (comment)

The link in the comment you mentioned explains in great detail how to run dnscrypt as an init service with any non-root UID, dropped Linux capabilities and a restricted SELinux context: https://android.stackexchange.com/a/207647/218526. It works; I've been using it for a long time. However, one may not find it easy.

@syphyr
Contributor

syphyr commented Jun 10, 2020

Is there any easy way to run dnscrypt with a unique UID? Are there plans to realize this in an update of dnscrypt-android itself?
#41 (comment)

The link in the comment you mentioned explains in great detail how to run dnscrypt as an init service with any non-root UID, dropped Linux capabilities and a restricted SELinux context: https://android.stackexchange.com/a/207647/218526. It works; I've been using it for a long time. However, one may not find it easy.

It should be noted that the directions for adding a sepolicy mentioned above require Magisk. It would be nicer if the directions above did not require Magisk. Magisk is overwriting "neverallow" sepolicy.

@mirfatif

mirfatif commented Jun 10, 2020

It should be noted that the directions for adding a sepolicy mentioned above require Magisk. It would be nicer if the directions above did not require Magisk. Magisk is overwriting "neverallow" sepolicy.

I just used Magisk's supolicy tool (in step 4 here) to inject my own custom context (named u:r:dns_crypt:s0) into the SELinux policy. Using the supolicy or magiskpolicy tool doesn't require rooting the device. You can patch the SELinux policy file on a PC too. Another similar (but less efficient) tool is sepolicy-inject. And another helpful resource is How to manually root a phone?. But rooting the device is not required at all to run dnscrypt-proxy as an init service. iptables redirection of port 53 may also be controlled from within init's .rc file, though with some complexity (to handle changes on network events).

@Cnqu6doa2bn

Cnqu6doa2bn commented Jun 10, 2020

Don't get me wrong. It's an impressive tutorial which I tried before, but could only get it to work in setting SELinux permissive on boot by adding a line temporarily to dnscrypt-proxy.rc.

I am hanging atm in step 4 of your tutorial
https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script/207647#207647

That seems to work for me
supolicy --live 'create dns_crypt' # create new context
supolicy --live 'allow init dns_crypt process *' # let init handle the service
supolicy --live 'allow dns_crypt dns_crypt * *' # allow mutual love
supolicy --live 'allow dns_crypt system_file dir { read open }'
supolicy --live 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }'
supolicy --live 'allow dns_crypt node tcp_socket { node_bind }'
supolicy --live 'allow dns_crypt node udp_socket { node_bind }'
supolicy --live 'allow dns_crypt port tcp_socket { name_bind name_connect }'
supolicy --live 'allow dns_crypt port udp_socket { name_bind }'
supolicy --live 'allow dns_crypt proc_net file { open read }'
supolicy --live 'allow dns_crypt proc_stat file { read }'
supolicy --live 'allow dns_crypt properties_device dir { read }'
supolicy --live 'allow dns_crypt devpts chr_file { open read write }'

output: "Load policy from: /sys/fs/selinux/policy"

Step 5. Save and load policy file.
I set /sys/fs/selinux/policy from permission 444 to 666

supolicy --save /sys/fs/selinux/policy
output:
Load policy from: /sys/fs/selinux/policy
**** write failed with 22: Invalid argument ****

Would be great to get this working :)

@Kein

Kein commented Jun 11, 2020

You can patch SELinux policy file on PC too.

The whole process does not sound pleasant

@mirfatif

mirfatif commented Jun 11, 2020

The whole process does not sound pleasant

Yes, if you want to go the hard way, following something proposed 4 years back. What I proposed recently in How to manually root a phone? goes like this:

  • Download latest magiskinit (static) binary for x86 from here: https://github.com/topjohnwu/Magisk/releases
  • Create a symlink supolicy to magiskinit.
  • Copy loaded policy /sys/fs/selinux/policy or policy file /sepolicy or wherever it is on your phone to PC.
  • Run
    supolicy --load policy --save policy.patched 'create my_custom_context' 'allow my_custom_context ...' 'allow ...' 'allow ...'
    
    and so on.
  • Put policy.patched file back to your phone where it's supposed to be loaded on boot.

Also, what has been written in your linked answer isn't applicable (at least fully) today. Android's SELinux implementation is very near to the mainline Linux kernel now. And all tools designed for the latter also work on Android. I use sesearch regularly on my phone. So please learn and take things practically; don't suppose theoretically.

@mirfatif

open: /etc/selinux/sepolicy failed with 30: Read-only file system

Why are you patching /etc/selinux/sepolicy? Patch loaded policy file /sys/fs/selinux/policy using supolicy --live ... statements.

@Cnqu6doa2bn

Step 4 I did in an adb shell
supolicy --live 'create dns_crypt'
supolicy --live 'allow init dns_crypt process *'
supolicy --live 'allow dns_crypt dns_crypt * *'

supolicy --live 'allow dns_crypt system_file dir { read open }'
supolicy --live 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }'

supolicy --live 'allow dns_crypt node tcp_socket { node_bind }'
supolicy --live 'allow dns_crypt node udp_socket { node_bind }'
supolicy --live 'allow dns_crypt port tcp_socket { name_bind name_connect }'
supolicy --live 'allow dns_crypt port udp_socket { name_bind }'

supolicy --live 'allow dns_crypt proc_net file { open read }'
supolicy --live 'allow dns_crypt proc_stat file { read }'
supolicy --live 'allow dns_crypt properties_device dir { read }'
supolicy --live 'allow dns_crypt devpts chr_file { open read write }'

got after every rule "Load policy from: /sys/fs/selinux/policy"

Step 5. Save and load policy file

supolicy --save /sys/fs/selinux/policy
Load policy from: /sys/fs/selinux/policy
**** write failed with 22: Invalid argument ****

added to dnscrypt-proxy.rc

#enforcing custom SELinux policy loading after reboot
on property:init.svc.netd=running
exec u:r:magisk:s0 root root -- /system/bin/load_policy /sys/fs/selinux/policy
start dnscrypt-proxy

After a reboot it works like before, but now I have a separate UID 999 for Dnscrypt and disabled Apps as root (0) permission and got Internet Access.

But :)
Is it normal that I get this "write failed" & "Load policy from: /sys/fs/selinux/policy"?
What can I do to verify that the custom rules are written to the policy?

@Cnqu6doa2bn

So if I can't patch it "live" with supolicy on the Android system, I need to patch it with magiskinit from a PC

Android supolicy errors
supolicy --live 'create dns_crypt'
Load policy from: /sys/fs/selinux/policy
Error in: create dns_crypt

supolicy --live 'allow init dns_crypt process *'
Load policy from: /sys/fs/selinux/policy

supolicy --save /sys/fs/selinux/policy
Load policy from: /sys/fs/selinux/policy
write failed with 22: Invalid argument

Followed the description here for patching with supolicy on a PC (Linux)
#41 (comment)

but

supolicy --load policy --save policy.patched 'create dns_crypt'
Load policy from: policy
Error in: create dns_crypt

supolicy --load policy --save policy.patched 'create dns_crypt' 'allow init dns_crypt process *' 'allow dns_crypt dns_crypt * *' 'allow dns_crypt system_file dir { read open }' 'allow dns_crypt system_file file { lock entrypoint execute_no_trans }' 'allow dns_crypt node tcp_socket { node_bind }' 'allow dns_crypt node udp_socket { node_bind }' 'allow dns_crypt port tcp_socket { name_bind name_connect }' 'allow dns_crypt port udp_socket { name_bind }' 'allow dns_crypt proc_net file { open read }' 'allow dns_crypt proc_stat file { read }' 'allow dns_crypt properties_device dir { read }' 'allow dns_crypt devpts chr_file { open read write }'

Load policy from: policy
target type dns_crypt does not exist
Error in: allow init dns_crypt process (null)
source type dns_crypt does not exist

Can someone please help to patch policy.

@Cnqu6doa2bn

Cnqu6doa2bn commented Jun 20, 2020

It seems that's not a policy problem, because if I run dnscrypt in permissive mode by adding it in the rc-script there's no difference. I've got Internet access, but not through dnscrypt-proxy.

AfWall grant access through UID999 (custom script):
iptables -I OUTPUT -m owner --uid-owner 999 -j ACCEPT

rc-script adding:
on property:init.svc.netd=running
exec u:r:magisk:s0 root root -- /system/bin/setenforce 0
start dnscrypt-proxy

  1. Resolver problem
    dnscrypt-proxy -check -config /system/etc/dnscrypt-proxy/dnscrypt-proxy.toml

[2020-06-20 10:42:54] [NOTICE] dnscrypt-proxy 2.0.44
[2020-06-20 10:42:54] [NOTICE] Network not available yet -- waiting...
[2020-06-20 10:43:26] [NOTICE] Network connectivity detected
[2020-06-20 10:43:26] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolvers over tcp
[2020-06-20 10:43:27] [NOTICE] Fallback resolvers didn't respond - Trying with the system resolver as a last resort
[2020-06-20 10:43:27] [ERROR] Unable to resolve [raw.githubusercontent.com] - Make sure that the system resolver works, or that fallback_resolver has been set to a resolver that can be reached
[2020-06-20 10:43:27] [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolvers over tcp
[2020-06-20 10:43:28] [NOTICE] Fallback resolvers didn't respond - Trying with the system resolver as a last resort
[2020-06-20 10:43:28] [ERROR] Unable to resolve [download.dnscrypt.info] - Make sure that the system resolver works, or that fallback_resolver has been set to a resolver that can be reached
[2020-06-20 10:43:28] [CRITICAL] Unable to retrieve source [public-resolvers]: [lookup download.dnscrypt.info: No address associated with hostname]
[2020-06-20 10:43:28] [FATAL] lookup download.dnscrypt.info: No address associated with hostname
Setting up different resolvers doesn't solve it.

I copied the files manually to the /system/etc/dnscrypt-proxy directory and dnscrypt is running as a service

[2020-06-20 11:21:15] [NOTICE] dnscrypt-proxy 2.0.44
[2020-06-20 11:21:15] [NOTICE] Network connectivity detected
[2020-06-20 11:21:15] [NOTICE] Source [public-resolvers] loaded
[2020-06-20 11:21:15] [NOTICE] Source [relays] loaded
[2020-06-20 11:21:15] [NOTICE] Anonymized DNS: routing everything via [anon-]
[2020-06-20 11:21:15] [NOTICE] Configuration successfully checked

  2. AfWall
    custom script: iptables -I OUTPUT -m owner --uid-owner 999 -j ACCEPT
    Internet access to root apps (0) off

I got Internet access, but not through dnscrypt-proxy. How should I configure AfWall and dnscrypt to get Internet access through dnscrypt again, so that the resolver can update the files properly?
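
Pulling together Sporif's DNAT rules above, mirfatif's point about filtering the proxy by UID with iptables -m owner, and the uid-owner ACCEPT rule in the comment just above, here is an added example (not code from the thread or from the dnscrypt-proxy project) of an AFWall+ custom script that applies those rules in a way that is safe to re-run on every network event. It assumes the proxy listens on 127.0.0.1:53 and runs as UID 999; those values and the iptables path are placeholders you set to match your device.

```shell
#!/system/bin/sh
# Added example, not from the thread or from dnscrypt-proxy. Rules applied:
#   - filter OUTPUT: ACCEPT everything the proxy's own UID sends, so the app
#     firewall never blocks its upstream/fallback-resolver traffic;
#   - nat OUTPUT: DNAT every other process's port-53 traffic to the local
#     listener, excluding the proxy's UID so its own plain-DNS bootstrap
#     queries are not looped back into itself (the thread used "! -d 9.9.9.9"
#     for the same purpose; matching on the owner UID does not depend on
#     which fallback resolver is configured).
# Assumptions (placeholders): listener 127.0.0.1:53, proxy UID 999, and
# IPTABLES set to the iptables binary AFWall+ should use.
IPTABLES="${IPTABLES:-iptables}"
DNS_LISTEN="${DNS_LISTEN:-127.0.0.1:53}"
DNS_UID="${DNS_UID:-999}"

# Emit one rule per line as "<table> <chain> <rule spec>", so the same list
# drives add (-A), delete (-D) and check (-C) and nothing drifts out of sync.
dns_rule_specs() {
  printf 'filter OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$DNS_UID"
  for proto in udp tcp; do
    printf 'nat OUTPUT -p %s --dport 53 -m owner ! --uid-owner %s -j DNAT --to-destination %s\n' \
      "$proto" "$DNS_UID" "$DNS_LISTEN"
  done
}

# run_rules add|del|check: apply the chosen action to every spec.
# "add" is idempotent: a rule is appended only when -C reports it missing,
# so re-running the script does not stack duplicate rules.
# Returns non-zero if any iptables call failed (or the mode is unknown).
run_rules() {
  mode="$1"
  rc=0
  while read -r table chain rest; do
    [ -n "$rest" ] || continue
    # Intentional word splitting: turn the rule spec back into arguments.
    set -- $rest
    case $mode in
      add)
        "$IPTABLES" -w -t "$table" -C "$chain" "$@" 2>/dev/null \
          || "$IPTABLES" -w -t "$table" -A "$chain" "$@" || rc=1 ;;
      del)
        "$IPTABLES" -w -t "$table" -D "$chain" "$@" || rc=1 ;;
      check)
        "$IPTABLES" -w -t "$table" -C "$chain" "$@" 2>/dev/null || rc=1 ;;
      *)
        rc=2 ;;
    esac
  done <<EOF
$(dns_rule_specs)
EOF
  return $rc
}

# Usage: 99dnscrypt-rules.sh add|del|check (no argument: only define functions).
case "${1:-}" in
  add|del|check) run_rules "$1" ;;
  "") : ;;
  *) echo "usage: $0 add|del|check" >&2 ;;
esac
```

Use "add" as the AFWall+ custom script and "del" as its shutdown script; "check" lets a boot script confirm the redirect is in place before it starts the proxy.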

@ghost

ghost commented Jul 29, 2020

@mirfatif
Can you elaborate on how to make dnscrypt bypass the VPN using iptables/AFWall+? I don't understand what there is to target besides the user id; like, a VPN, when established, does not add any special rules. I can target the dnscrypt owner id, but what for?

@jedisct1 jedisct1 removed the help wanted Extra attention is needed label Jul 29, 2020
@Kein

Kein commented Aug 9, 2020

There is an issue with DNSCrypt not letting the phone go to sleep, and as far as I know you can't solve it with any existing methods; it has to be implemented on the application side.

@iWARR

iWARR commented Aug 27, 2020

AFWall+ anti-leaking boot script - Fallback resolver stuck (HELP NEEDED)

Probably you know about the anti-leaking script that AFWall+ can put into the startup directory to make the OS boot much safer.
This is a really effective thing, but the main disadvantage is a breakage of the fallback resolver. As soon as the script is located inside the startup directory for the scripts, the fallback resolver is unable to resolve [raw.githubusercontent.com], [download.dnscrypt.info], and there are other errors like "write: operation not permitted".

I have tried some workarounds like granting the access through the extra IPTABLES rules (additional script), but they didn't work for me. It would be nice to find a way making this script working in conjunction with the dnscrypt-proxy.

AFWall+ v3.4.0 - Anti-leaking boot script

#!/system/bin/sh

export PATH=/system/bin

if [ -e /data/data/dev.ukanth.ufirewall/app_bin/iptables ]; then
  path="dev.ukanth.ufirewall"
elif [ -e /data/data/dev.ukanth.ufirewall.donate/app_bin/iptables ]; then
  path="dev.ukanth.ufirewall.donate"
else
  log -p i -t afwall "AFWall does not seem to be installed, waited for $((endDt-startDt)) seconds."
  exit
fi

doit() {
  for i in "$@"
  do
    if [ -x "$i" ]
    then
      "$i" -w -P INPUT DROP
      "$i" -w -P OUTPUT DROP
      "$i" -w -P FORWARD DROP
      return
    fi
  done
}

doit /system/bin/iptables /data/data/$path/app_bin/iptables
doit /system/bin/ip6tables /data/data/$path/app_bin/ip6tables
log -p i -t afwall "IPv4/6 policy set to DROP"

P.S. Interesting fact (over the years): if I have any kind of trouble with the fallback resolver, manually launching dnscrypt-proxy using adb always works... It would be nice to have the same reliability by default...

I need your help, friends.
Maybe correct IPTABLES allow rules (new script)? Or maybe some edits just inside the AFWall+ anti-leaking script?

@tehcog

tehcog commented Oct 22, 2020

Before I can configure it (I had dnscrypt-proxy v1 running with custom init/config scripts just fine on my OnePlus), I need to have it built / build it for Android ARM7. My current toolchain is deprecated (OSX & go are deprecated), and I cannot build it in a VM for the same reason. Can someone please build it for Android ARM7 and post it? Thanks.

@ianbashford
Contributor

@tehcog - for Arm7, would the alpine build work?
Latest stable has 2.0.42. https://uk.alpinelinux.org/alpine/latest-stable/community/armv7/
Edge has 2.0.44 https://uk.alpinelinux.org/alpine/edge/community/armv7/
APKs should just untar. armhf is available there too.

@ghost

ghost commented Dec 29, 2020

Hey,

I'm trying to run dnscrypt-proxy without root privileges (sudo dnscrypt-proxy -config dnscrypt-proxy.toml -netprobe-timeout 0).
Details about my installation and config can be found in #1563.

The dnscrypt-proxy user is in the inet group with the <permission name="android.permission.INTERNET" /> permission, but the proxy fails to connect, as seen from the log:

...
dial udp <ip>:443: socket: permission denied.
dnscrypt-proxy is waiting for at least one server to be reachable
...

Any ideas how to resolve this?

@Kein

Kein commented Dec 30, 2020

Use dmesg and see where SELinux restricts it, then add an exception to the policy or permission? Though, if you are wrapping the dnscrypt binaries into your own user app, you must understand that it will only wrap user queries (that go through a user-defined VPN, since this is the only way you can route them that way); all system queries and built-in Google spyware will go through whatever is currently defined and used by the system.

@ghost

ghost commented Jan 1, 2021

Hey,

I'm trying to run dnscrypt-proxy without root privileges (sudo dnscrypt-proxy -config dnscrypt-proxy.toml -netprobe-timeout 0).
Details about my installation and config can be found in #1563.

The dnscrypt-proxy user is in the inet group with the <permission name="android.permission.INTERNET" /> permission, but the proxy fails to connect, as seen from the log:

...
dial udp <ip>:443: socket: permission denied.
dnscrypt-proxy is waiting for at least one server to be reachable
...

Any ideas how to resolve this?

The binary needs to have the cap_net_raw+ep capability for an unprivileged user to be able to run it. Now it works just fine.

@DNSCrypt DNSCrypt locked and limited conversation to collaborators Apr 26, 2021
@jedisct1 jedisct1 unpinned this issue Sep 10, 2021
