enable DOH/DOQ using Let's Encrypt certs out of the box

[OniriCorpe]

Problem

• for now, using the Let's Encrypt certificate for DOH/DOQ use is tedious
• port 53 is exposed on Internet by default, see whether or not to open the Adguard Home instance on the Internet by default on the YNH package installation #135

Solution

• implementing the @mh4ckt3mh4ckt1c4s's solution and some improvements
• apply the same logic as DoH/DoQ ports to port 53 (opened if it's the user's choice, else closed)

is someone OK to test this?

PR Status

• Code finished and ready to be reviewed/tested
• The fix/enhancement were manually tested (if applicable)

TODO

• Test package itself
  • scripts: all good
  • Test the config panel
    • enable/disable port 53 exposure
    • enable/disable doh doq ports
    • new password tool
• Test DoH (reverse proxied by nginx)
• WIP: Test DoT
• WIP: Test DoQ
• WIP: Docs
  • Port 53 (to be rewritten as port 53 MUST be opened, see below)
  • DoH & DoQ ports
  • Explain how to filter requests using AGH's allowlist and CIDR (and maybe rate limiting)
  • French translation
• Remove public IPs of the config file in the port 53 is not exposed on Internet (else: crash)
  • adapt opened ports according to user's choice
  • declare needs_exposed_ports according to real user need (so the ynh diagnostic doesn't cry about ports not reachable on internet)
• Add public IPs when port 53 is exposed

Current state

For the package

• all scripts are fully functional 🎉

For AdGuard Home itself

A screenshot of the AdGuard Home front-end, showing the "Encryption settings", with all things validated

• the AGH "Encryption settings" (where DoH / DoQ is activated) is fully configured and validated
• DoH: fully functional 🎉
• DoT: fully functional 🎉
• DoQ: fully functional 🎉
• classic DNS: fully functional 🎉

[OniriCorpe]

I feel like Hal changing a light bulb 😓

[OniriCorpe]

about f65fc16:
dnsmasq uses port 53 on localhost
and AGH uses port 53 on outsides IP (local or public ones if needed)
(you can see this with netstat -tulpn | grep ":53 ")

and that's OK

except for YNH, as dnsmasq uses port 53 on localhost, the port is used and YNH refuses to give it to AGH for outsides IP:
WARNING Failed to provision ports : Port 53 is already used by another process or app.

so I had to remove the port from the manifest.toml and hardcode it in config and scripts
it's OK since port 53 for DNS stuff is mandatory, so it would never change tho

[OniriCorpe]

it's: weird 🙃

i found why the Private DNS setting on Android was working on local but on another network.......
it was because my whitelist only contained my local IP ranges lmao

it's working fine if i deactivate my allowlist!

[OniriCorpe]

i think the release is ready, at last to merge in testing branch ^w^

poke @Ddataa

it's lacking android docs and french translations but eh

[tituspijean]

@OniriCorpe if you wish I can add some docs for Android. ;)

Edit: Maybe it's not worth it, there's already an included guide in the app at __DOMAIN____PATH__/#guide

Edit²: I have just noticed that DoT requests appear to be coming from the router, not the actual client:

(192.168.1.254 being my router) that's normal, the wildcard domain thingy is needed :)

[OniriCorpe]

@OniriCorpe if you wish I can add some docs for Android. ;)

Edit: Maybe it's not worth it, there's already an included guide in the app at __DOMAIN____PATH__/#guide

maybe documenting this could be useful to permit the ClientID usage on Android ?

Intra adds DNS-over-HTTPS support to Android

[yunohost-bot]

🌻

[yunohost-bot]

🌻

[yunohost-bot]

📚 🐛