dnscrypt boot script for init.d #558

Closed
uzen opened this issue Aug 2, 2018 · 9 comments

Comments

uzen commented Aug 2, 2018

What do you think?

Afwall custom script
Start:
. /system/etc/init.d/99dnscrypt start &
Stop:
. /system/etc/init.d/99dnscrypt stop &

#!/system/bin/sh

# /etc/init.d/99dnscrypt: start and stop the dnscrypt daemon
PATH=/system/bin:/system/xbin
DAEMON=/system/xbin/dnscrypt-proxy
NAME=dnscrypt
DESC="DNSCrypt client proxy"
PIDFILE=/data/local/tmp/dnscrypt-proxy.pid
CONFIG_FILE=/system/etc/dnscrypt-proxy/dnscrypt-proxy.toml
WAITFORDAEMON=30
DAEMON_ARGS=

# Print info to logcat under the tag $NAME
LI="log -p i -t $NAME"

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Port-53 traffic is redirected to the local proxy. The rule bodies are
# shared by -C/-A/-D so that start cannot stack duplicates and stop
# removes exactly what start added.
DNAT_TCP="OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5353"
DNAT_UDP="OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353"

iptables_rules () {
	case "$1" in
		0)
			$LI "Enabling Iptables Firewall Rules"
			# -C: only add a rule that is not already present
			iptables -t nat -C $DNAT_TCP 2>/dev/null || iptables -t nat -A $DNAT_TCP
			iptables -t nat -C $DNAT_UDP 2>/dev/null || iptables -t nat -A $DNAT_UDP
			;;

		1)
			$LI "Disabling Iptables Firewall Rules"
			iptables -t nat -D $DNAT_TCP
			iptables -t nat -D $DNAT_UDP
			;;

	esac
}

# Give the daemon up to $WAITFORDAEMON seconds to come up; returns 1 if
# the process is still not alive by then (e.g. it exited on a bad config)
wait_for_daemon () {
	pid=$1
	[ -n "$pid" ] || return 1
	sleep 1
	cnt=0
	while ! kill -0 "$pid" 2>/dev/null
	do
		cnt=$((cnt + 1))
		if [ $cnt -gt $WAITFORDAEMON ]
		then
			$LI "daemon still not running."
			return 1
		fi
		sleep 1
	done
	return 0
}

# running_pid: prints the pid from $PIDFILE if that process is alive
running_pid () {
	p=$(cat "$PIDFILE" 2>/dev/null)
	[ -n "$p" ] && kill -0 "$p" 2>/dev/null && echo "$p"
}

case "$1" in
  start)
	if [ ! -s "$CONFIG_FILE" ]; then
		$LI "missing or empty config file $CONFIG_FILE"
		exit 0
	fi

	# Refuse to start a second copy: it would fail to bind 127.0.0.1:5353
	# and overwrite the pid file, leaving stop unable to find the daemon
	oldpid=$(running_pid)
	if [ -n "$oldpid" ]; then
		$LI "$NAME already running (pid $oldpid)."
		exit 0
	fi

	$LI "Starting $DESC $NAME"
	# -pidfile has to come before any "--": Go's flag parser stops there
	nohup "$DAEMON" -config "$CONFIG_FILE" -pidfile="$PIDFILE" $DAEMON_ARGS \
		>/dev/null 2>&1 &
	pid=$!
	echo $pid > "$PIDFILE"

	if ! wait_for_daemon "$pid"; then
		$LI "daemon failed to start."
		rm -f "$PIDFILE"
		exit 1
	fi
	iptables_rules 0
	;;

  restart|force-reload|reload)
	# nothing to do
	:
	;;

  stop)
	$LI "Stopping $DESC $NAME"
	pid=$(cat "$PIDFILE" 2>/dev/null) || true

	if [ ! -f "$PIDFILE" ] || [ -z "$pid" ]; then
		$LI "daemon not running (no pid file)."
		exit 0
	fi

	if kill "$pid" 2>/dev/null; then
		iptables_rules 1
		rm -f "$PIDFILE"
	else
		$LI "$DAEMON died: process $pid not running; or permission denied."
		# Drop the stale pid file and the redirection to a dead proxy,
		# otherwise DNS stays broken until the next successful start
		iptables_rules 1
		rm -f "$PIDFILE"
		exit 1
	fi
	;;

  status)
	# The -service flag only controls the system service
	# (install/uninstall/start/stop/restart) and does not report status,
	# so check the pid file ourselves
	pid=$(running_pid)
	if [ -n "$pid" ]; then
		$LI "$NAME is running (pid $pid)."
		exit 0
	fi
	$LI "$NAME is not running."
	exit 3
	;;

  *)
	echo "Usage: $0 {start|stop|restart|force-reload|reload|status}" >&2
	exit 3
	;;
esac

exit 0
HI54U commented Aug 2, 2018

Dear uzen, it would be great if you could describe in a few words how you install/start/stop the proxy and which user-defined AFWall script works.
Does it also work automatically after shutting down the system?

uzen (author) commented Aug 2, 2018

Tested on a clean LineageOS 14.1 without any patches. When the system boots, AFWall+ starts the script from the init.d folder. If you stop the firewall, the script is turned off and the redirection tables are cleared.

flash zip with v2.0.16 arm + arm64
http://www.mediafire.com/file/fn825bnl9r5n7y5/DNSCRYPT-PROXY.1.1_arm.v2.0.16-20180802.zip/file

AFWall > custom script

Start:
. /system/etc/init.d/99dnscrypt start &
Stop:
. /system/etc/init.d/99dnscrypt stop &


server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
listen_addresses = ['127.0.0.1:5353']
ipv6_servers = false
daemonize = true #not sure this flag works

uzen (author) commented Aug 2, 2018

The proxy server launches in the background. The function wait_for_daemon must check that it is working before the rules are applied.

HI54U commented Aug 4, 2018

Dear uzen! Thanks for the input! I would recommend activating this in dnscrypt-proxy.toml:

# On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
# the following suite improves performance.
tls_cipher_suite = [52392, 49199]

How do you set up AFWall+ if the fallback server needs to be active?
Usually everything goes through the proxy:
$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5353
Additionally I also tried
$IPTABLES -A "afwall" --destination "9.9.9.9" -j RETURN

But I have to manually activate a second AFWall script to let the fallback server through:
$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination [IP]
$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination [IP]

Is there a way to do this in one script together so that everything works automatically?
if proxy is active -> 127.0.0.1:5353
if fallback server is active -> alternative DNS
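One way to get the single-script behaviour asked for above: decide the DNAT target from whether the proxy is actually alive, and keep the rule set idempotent. This is an added example, not code from this thread or from the dnscrypt-proxy project; it assumes the pid-file path from uzen's script, uses 192.0.2.53 as a documentation placeholder for the fallback resolver, and lets IPT be pointed at a stand-in binary for dry runs.

```shell
#!/system/bin/sh
# Added example (not from the thread): choose where port-53 traffic is
# DNATed based on whether dnscrypt-proxy is actually alive.
PIDFILE=${PIDFILE:-/data/local/tmp/dnscrypt-proxy.pid}   # path as in uzen's script
PROXY_ADDR=127.0.0.1:5353
FALLBACK_DNS=${FALLBACK_DNS:-192.0.2.53}   # placeholder (TEST-NET-1), not a real resolver
IPT=${IPT:-iptables}                        # override with a stand-in for dry runs

# proxy_up: succeeds only if the pid in PIDFILE belongs to a live process
proxy_up() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# dns_target: prints the address port-53 traffic should be redirected to
dns_target() {
    if proxy_up; then echo "$PROXY_ADDR"; else echo "$FALLBACK_DNS"; fi
}

# rule_spec: the rule body shared by -C / -A / -D for one protocol and target
rule_spec() {
    echo "OUTPUT -p $1 --dport 53 -j DNAT --to-destination $2"
}

# apply_dns_rules: delete every DNAT pointing at the target we do not want,
# then add the wanted one only if absent (-C keeps the rule set idempotent
# when the script runs twice on boot). Prints the target that was applied.
apply_dns_rules() {
    want=$(dns_target)
    for proto in udp tcp; do
        for other in "$PROXY_ADDR" "$FALLBACK_DNS"; do
            [ "$other" = "$want" ] && continue
            # -D removes one match per call, so loop until none is left
            while $IPT -t nat -C $(rule_spec "$proto" "$other") 2>/dev/null; do
                $IPT -t nat -D $(rule_spec "$proto" "$other")
            done
        done
        $IPT -t nat -C $(rule_spec "$proto" "$want") 2>/dev/null \
            || $IPT -t nat -A $(rule_spec "$proto" "$want")
    done
    echo "$want"
}
```

Run `apply_dns_rules` from both the AFWall start script and from the proxy's own start/stop, so the redirection follows the proxy's state instead of a manually toggled second script.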

admzzz commented Aug 4, 2018

@uzen,

it would be better not to trust AFWall and to add this at the beginning of iptables_rules() in your script, before the case switch (it is only an incomplete example; all tables and rules have to be thoroughly cleaned for a total block):

IPT=/system/bin/iptables
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# create the chain first (ignore "already exists"), then flush it
$IPT -N mreject 2>/dev/null
$IPT -F mreject
$IPT -A mreject -j DROP
$IPT -L INPUT | grep -q 'mreject' || $IPT -I INPUT 1 -j "mreject"
$IPT -L OUTPUT | grep -q 'mreject' || $IPT -I OUTPUT 1 -j "mreject"
$IPT -L FORWARD | grep -q 'mreject' || $IPT -I FORWARD 1 -j "mreject"
# $WIFI must hold the Wi-Fi interface name (e.g. wlan0)
echo "1" > /proc/sys/net/ipv4/conf/all/disable_policy
echo "1" > /proc/sys/net/ipv4/conf/default/disable_policy
echo "1" > /proc/sys/net/ipv4/conf/$WIFI/disable_policy

thus you'll kill two hares with one shot:

  1. you'll have exactly your own rules in the firewall;
  2. wifi would really be blocked when AFWall is switched off.

in case 0) of iptables_rules(), after this total deletion everything has to be recreated, of course. ;-)
also, if IPv6 is in use, all of this has to be repeated for IPT6=/system/bin/iptables6.

and if you set up logging of init.d execution, you'll find that your 99dnscrypt surprisingly runs twice on every boot. ;-Ъ

uzen (author) commented Aug 4, 2018

> and if you set up logging of init.d execution, you'll find that your 99dnscrypt surprisingly runs twice on every boot. ;-Ъ

my system doesn't run scripts from the init.d folder at system startup.

build repo https://github.com/uzen/dnscrypt-android

@admzzz , so, can you do it by sending a pull-request in my repo?
https://github.com/uzen/dnscrypt-android/blob/master/structure/system/etc/dnscrypt-proxy/iptables-rules

admzzz commented Aug 5, 2018

@uzen,

> my system doesn't run scripts from the init.d folder at system startup.

so your script has to satisfy both types of users (usually, scripts in init.d or su.d ARE executed on system startup).

hint: scripts with a dot in the name (i.e. afwall.on or afwall.off or dnscrypt. or .halt_tcp) are not executed automatically.

a lot of (a little old, alas) info can be found at https://4pda.ru/forum/index.php?forums[]=284&topics[]=508427&act=search&source=pst&query=afwall (in Russian; read backwards, from the oldest to the newest messages).

uzen (author) commented Aug 12, 2018

Updated startup script:

Start:
. /system/etc/init.d/99dnscrypt.sh start &
Stop:
. /system/etc/init.d/99dnscrypt.sh stop &

https://github.com/uzen/dnscrypt-android/releases/download/1.0.2.1/Installer-1.0.2.1-dnscrypt-proxy-android-2.0.16-20180812-dev.zip

admzzz commented Aug 12, 2018

@uzen,
it would be better to redirect all output to /dev/null, otherwise AFWall may never reach the end of your scripts and would not start at all. $-Ъ

@uzen uzen closed this as completed Aug 14, 2018
@DNSCrypt DNSCrypt locked and limited conversation to collaborators Sep 13, 2018