Solved Dnscrypt-proxy configuration

I set a few commands in /etc/rc.conf following some instructions:

Code:
local_unbound_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="-a 127.0.0.1"
dnscrypt_proxy_resolver="soltysiak"
ifconfig_lo0_alias0="inet 127.0.0.1 netmask 0xffffffff"

After a reboot or a daemon restart I still must run # dnscrypt-proxy -R soltysiak --local-address=127.0.0.1 manually. Is it possible to set this command in some config? Or must I put it into /etc/rc.local?
 
I changed DNS to OpenDNS - it's bigger - and I tried this:
Code:
local_unbound_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="-a 127.0.0.1 -d"

And

local_unbound_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="dnscrypt-proxy -R opendns --local-address=127.0.0.1"

Still nothing...
 
OK, so I'm looking at the script on SVNWeb (LINK)

It looks like the -R opendns flag gets set by the dnscrypt_proxy_resolver variable. So the way I am reading things, this seems correct.

Code:
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_resolver="opendns"
dnscrypt_proxy_flags="--local-address=127.0.0.1"

If that doesn't work, are the right flags shown in ps aux?

If the flags don't seem right, then this may help. Let's take a look at the final command that is getting called.

Change:
Code:
#!/bin/sh

To this:
Code:
#!/bin/sh -x

Start the service, save/post the output online on a site like Pastebin, and post the link here.
 
The output shows a return 0 at the end. It looks like it starts just fine. I can't replicate any issues with the script that starts it. What about starting it with the exact same command from the script without the -d flag? That's at line 573 in your paste.

/usr/local/sbin/dnscrypt-proxy --local-address=127.0.0.2 -p /var/run/dnscrypt-proxy.pid -l /var/log/dnscrypt-proxy.log -u _dnscrypt-proxy -R opendns
 
I tried everything in the files. But why is there no entry in ps aux after start? There is an entry in ps aux after starting it manually with /usr/local/etc/rc.d/dnscrypt-proxy start.
 
OK, so what does this show? Please post the exact output you see.

service dnscrypt-proxy stop
service dnscrypt-proxy start
service dnscrypt-proxy status
ps aux | grep dns
 
After boot:

Code:
root@handy:/usr/home/handy # service dnscrypt-proxy status
dnscrypt_proxy is not running.
root@handy:/usr/home/handy # ps aux | grep dns
root  1129  0,0  0,0  18804  2260  3  S+  2:02  0:00,00 grep dns

After start:
Code:
root@handy:/usr/home/handy # service dnscrypt-proxy start
Starting dnscrypt_proxy.
root@handy:/usr/home/handy # ps aux | grep dns
root  1135  0,0  0,0  25540  2656  -  Ss  2:03  0:00,09 /usr/local/sbin/dnscrypt-proxy 127.0.0.1 -a 127.0.0.1 -p /var/run/dnscrypt-proxy.pid -l /var/log/dnscry
_dnscrypt-proxy 1136  0,0  0,0  25540  2936  -  S  2:03  0:00,00 /usr/local/sbin/dnscrypt-proxy 127.0.0.1 -a 127.0.0.1 -p /var/run/dnscrypt-proxy.pid -l /var/log/dnscry
root  1138  0,0  0,0  18804  2260  3  S+  2:03  0:00,00 grep dns
root@handy:/usr/home/handy #

and my rc.conf
Code:
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_resolver="opendns"
dnscrypt_proxy_pidfile="/var/run/dnscrypt-proxy.pid"
dnscrypt_proxy_logfile="/var/log/dnscrypt-proxy.log"
dnscrypt_proxy_flags="127.0.0.1"
local_unbound_enable="YES"


and /usr/local/etc/rc.d/dnscrypt-proxy

Code:
#!/bin/sh -x
#
# $FreeBSD: head/dns/dnscrypt-proxy/files/dnscrypt-proxy.in 373758 2014-12-02 09:21:49Z xmj $
#
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
#
# dnscrypt_proxy_enable (bool): Set to NO by default.
#  Set to YES to enable dnscrypt-proxy.
# dnscrypt_proxy_uid (str):  Set to "_dnscrypt-proxy" by default.
#  User to switch to after starting.
# dnscrypt_proxy_resolver (str):Set to "opendns" by default.
#  Choose a different upstream resolver.
# dnscrypt_proxy_pidfile (str): default: "/var/run/dnscrypt-proxy.pid"
#  Location of pid file.
# dnscrypt_proxy_logfile (str): default: "/var/log/dnscrypt-proxy.log"
#  Location of log file.
#
# To redirect a local resolver through dnscrypt-proxy, point it at 127.0.0.2
# and add the following to rc.conf:
# ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
# dnscrypt_proxy_flags='-a 127.0.0.2'

. /etc/rc.subr

name=dnscrypt_proxy
rcvar=dnscrypt_proxy_enable

load_rc_config ${name}
: ${dnscrypt_proxy_enable:=NO}
: ${dnscrypt_proxy_uid=_dnscrypt-proxy} # User to run daemon as
: ${dnscrypt_proxy_resolver=opendns} # resolver to use
: ${dnscrypt_proxy_pidfile=/var/run/dnscrypt-proxy.pid} # Path to pid file
: ${dnscrypt_proxy_logfile=/var/log/dnscrypt-proxy.log} # Path to log file
: ${dnscrypt_proxy_flags="127.0.0.1"}
command=/usr/local/sbin/dnscrypt-proxy
command_args="-a ${dnscrypt_proxy_flags} -p ${dnscrypt_proxy_pidfile} -l ${dnscrypt_proxy_logfile} -u ${dnscrypt_proxy_uid} -R ${dnscrypt_proxy_resolver} -d"
procname=/usr/local/sbin/dnscrypt-proxy
pidfile=${dnscrypt_proxy_pidfile}

run_rc_command "$1"


Everything seems to be correct :confused: If I start it manually after boot, the daemon works; it is only at startup that it doesn't work.
 
Thanks, that all looks perfectly sane. How about:

service dnscrypt-proxy stop
rm /var/log/dnscrypt-proxy.log
shutdown -r now


Post up /var/log/dnscrypt-proxy.log now to show a completely clean slate of messages. Alternately, look for anything unusual and post it. I would say remove the old and get the clean slate so the past restarts aren't tampering with the results and causing any confusion. If the only log entry is from the one after system reboot it should be very clear what is going on.
 
Code:
root@handy:/home/handy # /usr/local/etc/rc.d/dnscrypt-proxy status
dnscrypt_proxy is not running.
root@handy:/home/handy # tail /var/log/dnscrypt-proxy.log
root@handy:/home/handy # /usr/local/etc/rc.d/dnscrypt-proxy start
Starting dnscrypt_proxy.
root@handy:/home/handy # tail /var/log/dnscrypt-proxy.log
[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1408041567 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #1408041567 is valid from [2014-08-15] to [2015-08-15]
[INFO] Server key fingerprint is 8201:4577:3D75:3934:FC25:B83C:8369:72DC:98A2:1368:AA0A:2C18:6C17:D7B4:30E8:CD63
[NOTICE] Proxying from 127.0.0.1:53 to 208.67.220.220:443

In /etc/rc.conf I have this: hostname="handy". Maybe boot doesn't have permission to run the script and it must be run via "root" (but boot runs scripts as root), or there is some mistake in /usr/local/etc/rc.d/dnscrypt-proxy.

https://forums.freebsd.org/threads/problem-to-run-a-bash-script-like-a-daemon-at-boot.9585/
 
I was hoping to see if the contents of /var/log/dnscrypt-proxy.log differ when the daemon starts after a reboot. Since we've already established that it works when started from the CLI, we would want to see what the daemon records when it fails to start after booting.
 
I have enabled daemon.log and rebooted the machine, and I don't have any information about dnscrypt-proxy.
Code:
Apr 13 15:28:42 <daemon.notice> handy dbus[675]: [system] Activating service name='org.freedesktop.PolicyKit1' (using servicehelper)
Apr 13 15:28:42 <daemon.notice> handy dbus[675]: [system] Activating service name='org.freedesktop.PolicyKit1' (using servicehelper)
Apr 13 15:28:43 <daemon.notice> handy dbus[675]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Apr 13 15:28:43 <daemon.notice> handy dbus[675]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Apr 13 15:28:43 <daemon.notice> handy dbus[675]: [system] Successfully activated service 'org.freedesktop.ConsoleKit'
Apr 13 15:28:43 <daemon.notice> handy dbus[675]: [system] Successfully activated service 'org.freedesktop.ConsoleKit'
Apr 13 15:29:42 <daemon.notice> handy fsck: fstab: /etc/fstab:3: Inappropriate file type or format
Apr 13 15:29:42 <daemon.notice> handy fsck: fstab: /etc/fstab:3: Inappropriate file type or format
Apr 13 15:30:09 <daemon.notice> handy dbus[675]: [system] Failed to activate service 'org.freedesktop.Avahi': timed out
Apr 13 15:30:09 <daemon.notice> handy dbus[675]: [system] Failed to activate service 'org.freedesktop.Avahi': timed out
 
Are you saying that /var/log/dnscrypt-proxy.log does not get created if you delete it and reboot? If the issues you are seeing are at boot then capturing whatever is in that file after a reboot should be the biggest troubleshooting aid.
 
I did that. It shows only this:

Code:
root@handy:/home/handy # /usr/local/etc/rc.d/dnscrypt-proxy status
dnscrypt_proxy is not running.
root@handy:/home/handy # tail /var/log/dnscrypt-proxy.log
root@handy:/home/handy # /usr/local/etc/rc.d/dnscrypt-proxy start
Starting dnscrypt_proxy.
root@handy:/home/handy # tail /var/log/dnscrypt-proxy.log
[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1408041567 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #1408041567 is valid from [2014-08-15] to [2015-08-15]
[INFO] Server key fingerprint is 8201:4577:3D75:3934:FC25:B83C:8369:72DC:98A2:1368:AA0A:2C18:6C17:D7B4:30E8:CD63
[NOTICE] Proxying from 127.0.0.1:53 to 208.67.220.220:443
 
Since it looks like the first thing it does is request the server key, I wonder how sensitive it is to network issues at boot up. Maybe your system is taking a little bit too long to get a lease.

How about this in rc.conf.
Code:
ifconfig_bce0="SYNCDHCP"
 
Still nothing. I am now configuring rc_debug from rc.conf()

edit:

Code:
/etc/rc: DEBUG: checkyesno: dnscrypt_proxy_enable is set to YES.
/etc/rc: DEBUG: checkyesno: rc_startmsgs is set to YES.
Starting dnscrypt_proxy.
/etc/rc: DEBUG: run_rc_command: doit: /usr/local/sbin/dnscrypt-proxy 127.0.0.1 -a 127.0.0.1 -p /var/run/dnscrypt-proxy.pid -l /var/log/dnscrypt-proxy.log -u _dnscrypt-proxy -R opendns -d
Shared object "libsodium.so.13" not found, required by "dnscrypt-proxy"
/etc/rc: WARNING: failed to start dnscrypt_proxy

I don't know how to run dnscrypt-proxy after the boot libs, and I do not know if this is possible, so I placed this in /etc/rc.conf:
Code:
local_start="YES"
local_unbound_enable="YES"

and the rest in /etc/rc.local:

Code:
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_resolver="opendns"
dnscrypt_proxy_pidfile="/var/run/dnscrypt-proxy.pid"
dnscrypt_proxy_logfile="/var/log/dnscrypt-proxy.log"
dnscrypt_proxy_flags="127.0.0.1"
 
This means something.
Code:
Shared object "libsodium.so.13" not found, required by "dnscrypt-proxy"

I was going to point this out earlier but it felt out of context. Could this mount item be a factor in where the library is supposed to be found? Can you show the /etc/fstab?
Code:
Apr 13 15:29:42 <daemon.notice> handy fsck: fstab: /etc/fstab:3: Inappropriate file type or format
Apr 13 15:29:42 <daemon.notice> handy fsck: fstab: /etc/fstab:3: Inappropriate file type or format

That solution is interesting as /etc/rc.local is traditionally just a script, not variables to be sourced. I haven't been able to replicate the original issue you saw nor can I replicate rc.local starting the daemon in the way you have shown.
 
Yes. I must add the full path to the file: /usr/local/etc/rc.d/dnscrypt-proxy start. I changed the /rc.d/ config file to YES, therefore it runs with the default settings. :) The rest of the command must be set in /etc/rc.conf, and now it runs correctly.

And this is my /etc/fstab.
Code:
# Device         Mountpoint  FStype  Options Dump  Pass#
/dev/mfid0p2     /           ufs         rw  1     1
proc             /proc       rw              0     0

How do I add libsodium.so.13 to /rc.d/ or run it before starting dnscrypt?
 
libsodium.so.13 is just a shared library that gets loaded as the program starts. This is very odd as the library is obviously on your system. The partitioning scheme you show above doesn't put it on a different mount point. As a simple sanity check, what does ls -alh /usr/local/lib/libsodium.* and pkg check --shlibs --checksums return?
 
Unrelated to the issue at hand, but fix the fstab error you saw earlier by adding the missing column. It should look like this entry below. This is right out of the top of procfs(5).
Code:
proc            /proc   procfs  rw 0 0
 
Code:
root@handy:/usr/home/handy # ls -alh /usr/local/lib/libsodium.*
-rw-r--r--  1 root  wheel  794K 15 kwi 20:23 /usr/local/lib/libsodium.a
lrwxr-xr-x  1 root  wheel  19B 15 kwi 20:23 /usr/local/lib/libsodium.so -> libsodium.so.13.1.0
lrwxr-xr-x  1 root  wheel  19B 15 kwi 20:23 /usr/local/lib/libsodium.so.13 -> libsodium.so.13.1.0
-rwxr-xr-x  1 root  wheel  366K 15 kwi 20:23 /usr/local/lib/libsodium.so.13.1.0

and
Code:
dnscrypt-proxy-1.4.3: checksum mismatch for /usr/local/etc/rc.d/dnscrypt-proxy
 
Honestly I'm still a bit perplexed by this. The library is obviously there as it's shown when you run the ls command and it's there when it gets started later in the boot process. There's no reason for it to not be there when booting. The only thing I can think of is some trial and error to find out where in the boot process it starts to work.

For example, this is the default in /usr/local/etc/rc.d/dnscrypt-proxy
Code:
# PROVIDE: dnscrypt_proxy
# REQUIRE: SERVERS cleanvar
# BEFORE: named local_unbound unbound
# KEYWORD: shutdown

Would it start with this?
Code:
# PROVIDE: dnscrypt_proxy
# REQUIRE: NETWORKING cleanvar
# KEYWORD: shutdown

Or a bit later in the boot process.
Code:
# PROVIDE: dnscrypt_proxy
# REQUIRE: DAEMON cleanvar
# KEYWORD: shutdown

Or even later in the boot process.
Code:
# PROVIDE: dnscrypt_proxy
# REQUIRE: LOGIN cleanvar
# KEYWORD: shutdown

You can see the whole boot order with this:
rcorder /etc/rc.d/* /usr/local/etc/rc.d/*

Past that, I haven't been able to replicate the issue and I'm out of ideas.
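
Added example, not part of any post in this thread: instead of editing REQUIRE by trial and error, the script's REQUIRE/BEFORE headers can be checked against a saved rcorder listing. The listing below is constructed sample data, and comparing against ldconfig (the base-system rc.d script that sets up the shared-library search hints) is an assumption of this example, not something the thread established.

```shell
#!/bin/sh
# Added example, not from the thread. On the real host the listing would be:
#   rcorder /etc/rc.d/* /usr/local/etc/rc.d/* > rcorder.txt

# rc_index LISTING NAME: 1-based position of script NAME, empty if absent.
rc_index() {
    awk -v want="$2" '{ n = split($0, p, "/") }
        p[n] == want { print NR; exit }' "$1"
}

# rc_order LISTING FIRST SECOND: "ok" if FIRST starts before SECOND,
# "wrong" if after, "missing" if either one is not in the listing.
rc_order() {
    a=$(rc_index "$1" "$2"); b=$(rc_index "$1" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then echo missing
    elif [ "$a" -lt "$b" ]; then echo ok
    else echo wrong
    fi
}

# rc_keywords SCRIPT KEY: values of the "# KEY:" header, one per line.
rc_keywords() {
    awk -v key="# $2:" 'index($0, key) == 1 {
        for (i = 3; i <= NF; i++) print $i }' "$1"
}

# rc_check LISTING SCRIPT: test every REQUIRE/BEFORE header against the listing.
rc_check() {
    name=$(basename "$2")
    for dep in $(rc_keywords "$2" REQUIRE); do
        echo "REQUIRE $dep: $(rc_order "$1" "$dep" "$name")"
    done
    for dep in $(rc_keywords "$2" BEFORE); do
        echo "BEFORE $dep: $(rc_order "$1" "$name" "$dep")"
    done
}

# Constructed sample: the header lines quoted in the thread and a made-up order.
make_sample() {
    printf '%s\n' '# PROVIDE: dnscrypt_proxy' '# REQUIRE: SERVERS cleanvar' \
        '# BEFORE: named local_unbound unbound' > "$1/dnscrypt-proxy"
    printf '/etc/rc.d/%s\n' FILESYSTEMS cleanvar > "$1/rcorder.txt"
    echo /usr/local/etc/rc.d/dnscrypt-proxy >> "$1/rcorder.txt"
    printf '/etc/rc.d/%s\n' local_unbound ldconfig NETWORKING SERVERS >> "$1/rcorder.txt"
}

tmp=$(mktemp -d)
make_sample "$tmp"
rc_check "$tmp/rcorder.txt" "$tmp/dnscrypt-proxy"
echo "ldconfig first: $(rc_order "$tmp/rcorder.txt" ldconfig dnscrypt-proxy)"
```

A "wrong" line means the script starts on the other side of that dependency than its header asks for; "missing" means the named script is not installed, which rcorder tolerates.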
 