Hey, I hope it's ok to post issues of non-developers here.

I've used this script before and it worked perfectly, now it stops short before it installs anything due to an error as follows:

Importing key with ID: 1CDEA439
gpg: requesting key 1CDEA439 from hkp server keys.gnupg.net
gpg: key 1CDEA439: "Jedi/Sector One <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (35) Unknown SSL      protocol error in connection to download.libsodium.org:443 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (35) Unknown SSL     protocol error in connection to download.libsodium.org:443 
Verifying signature of: libsodium-0.4.5.tar.gz
gpg: can't open `libsodium-0.4.5.tar.gz.sig'
gpg: verify signatures failed: file open error
Error verifying signature

How do I fix it?

I did Google the problem and couldn't find a solution. I'm sorry if this isn't supposed to be posted here.

Thank you for your efforts writing this, and dedicating your time for random people!

Notes:
OS: Kali Linux (this script has worked before).
When I failed, I reinstalled the entire OS thinking it was some tinkering I did yesterday on the root folder and system files, so I just tried again after clean install and still failed. I see it's something about the GPG signature.

Hi, i wonder-why does dnscrypt-autoinstaller let me continue installation if I dont have sudo installed/set .. and only reports error at the end with sudo: command not found

dnscrypt-proxy 1.5.0 has a new ephemeral key feature, thus enabling forward secrecy for every DNS query — a big privacy improvement. This can be enabled with a simple -E or --ephemeral-keys flag when calling dnscrypt-proxy. dnscrypt-autoinstall will need to be updated to use dnscrypt-proxy 1.5.0 or later first.

For example, the init-scripts can call:
$DAEMON --daemonize --user=dnscrypt -R OpenDNS --ephemeral-keys
instead of:
$DAEMON --daemonize --user=dnscrypt -R OpenDNS

Possible topic for discussion:
Should dnscrypt-autoinstall offer the user an option about whether to enable ephemeral keys during initial setup, or should this feature be turned on by default with no option? I don't see why anyone would want it off, so my vote is for on by default with no option.

Of note: the Mac client, dnscrypt-osxclient, recently implemented ephemeral keys in version 1.0.6.

From the dnscrypt-proxy technotes:

Ephemeral key pair mode:

• The proxy always generates a new, in-memory session key at startup.
• This session key and the client nonce are used to derive an ephemeral key
  pair for each query.

From the dnscrypt-proxy manpage:

-E, --ephemeral-keys: By default, queries are always sent with the same public key, allowing providers to link this public key to the different IP addresses you are using. This option requires extra CPU cycles, but mitigates this by computing an ephemeral key pair for every query.

The problem came when DNScrypt unable to resolve my DNS request few days ago, so I uninstall it. Now when I try to install it in my ubuntu 14.04 laptops again and always had fail GPG request.

Hello,

Thank you for this awesome script, it does work great on Ubuntu 14.04 however I am trying to force my OpenVPN clients to use dnscrypt-proxy as their DNS resolver too, but this doesn't work. I have put the two DNS addresses (127.0.0.1 & 127.0.0.2) under "VPN Settings" in OpenVPN Access Server admin page, but now it doesn't open any page, the error is "dns_probe_finished_nxdomain"

whenever I run the command "tail -n 200 /var/log/syslog" the output is:

Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Starting dnscrypt-proxy 1.6.1
Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Ephemeral keys enabled - generating a new seed
Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Done
Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Server certificate #808464433 received
Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: This certificate is valid
Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10]
Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Server key fingerprint is E7AC:5C21:A4E6:6A90:B254:DD73:5229:3BA1:5BE9:8EB3:4E8F:E538:52DE:A2FB:DDB6:1357
Mar 11 07:22:24 localhost dnscrypt-proxy[19237]: Proxying from 127.0.0.2:53 to 176.56.237.171:443
Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: Server certificate #808464433 received
Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: This certificate is valid
Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10]
Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: Server key fingerprint is 164E:1AD6:4356:777D:2019:F2F9:D389:2DDB:BC75:8AF0:9172:8E0C:A874:10C7:3BE8:423B
Mar 11 07:22:24 localhost dnscrypt-proxy[19235]: Proxying from 127.0.0.1:53 to 77.66.84.233:443
Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: Refetching server certificates
Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: Server certificate #808464433 received
Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: This certificate is valid
Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: Chosen certificate #808464433 is valid from [2015-09-11] to [2016-09-10]
Mar 11 07:23:09 localhost dnscrypt-proxy[18584]: Server key fingerprint is E7AC:5C21:A4E6:6A90:B254:DD73:5229:3BA1:5BE9:8EB3:4E8F:E538:52DE:A2FB:DDB6:1357

and this is my /etc/resolv.conf output:
nameserver 127.0.0.1
nameserver 127.0.0.2
nameserver 8.8.8.8
nameserver 8.8.4.4

so it does look good, right?
Don't know what to do :(

add the option of --logfile to the init scripts would be a nice default

ex) --logfile=/var/logs/dnscrypt

I love this script!
It is failing to verify libsodium-1.0.1.tar.gz.sig :(

I vaguely remember having and overcoming this issue about 6 months ago. Not having as much luck this morning.

This is a gpg issue with Frank DENIS (Jedi/Sector One). Looks like it was solved a while back by pulling from github but thats not working any longer. Any pointers greatly appreciated.

Thank you

The script should verify both libsodium-$LSODIUMVER.tar.gz and dnscrypt-proxy-$DNSCRYPTVER.tar.gz.

The sigs are available on both download pages.

gpg: key 1CDEA439: public key "Jedi/Sector One [email protected]"

Moved from todo list in readme/script header.

Hi,

I have always installed this script on Debian 8 Jessie, and every time after the installation has finished I checked /etc/resolv.conf entries, and there was some warning below the screen "Permission Denied" , so I think this script makes /etc/resolv.conf file "immutable" so it doesn't get after each reboot written, BUT now I wanted to test Ubuntu 15.10 and this file isn't "immutable" , and I can edit it, so I think, that this may bring issues after the server reboots. I think it would be better, if we make this file immutable?
sudo chattr +i /etc/resolv.conf
UPDATE_1: So I wanted to configure the servers and these are the 2 errors:

chattr: Operation not supported while reading flags on /etc/resolv.conf
chattr: Operation not supported while reading flags on /etc/resolv.conf

so I assume you have added this command to the script but it doesn't work somehow!

pi@Pi3:~ $ uname -a
Linux Pi3 4.4.9-v7+ #884 SMP Fri May 6 17:28:59 BST 2016 armv7l GNU/Linux
pi@Pi3:~ $ ./dnscrypt-autoinstall.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 185 100 185 0 0 88 0 0:00:02 0:00:02 --:--:-- 88
100 8810 0 8810 0 0 3560 0 --:--:-- 0:00:02 --:--:-- 4301k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 185 100 185 0 0 89 0 0:00:02 0:00:02 --:--:-- 89
100 3815 0 3815 0 0 792 0 --:--:-- 0:00:04 --:--:-- 2768

Error!

It looks like there is already a DNS server
or forwarder installed and listening on 127.0.0.1.

To use DNSCypt, you need to either uninstall it
or make it listen on another IP than 127.0.0.1.

To uninstall DNSCrypt, try running this script
again with the 'forcedel' argument. For example:
./dnscrypt-autoinstall.sh

forcedel

Two solutions as I see it:

1. Check for port 53 in use on 127.0.0.1 and 127.0.0.1. If port is in use halt installation and instruct user to fix before rerunning install.
2. Default to 127.0.0.2 and 127.0.0.3, for instance, minimizing the risk of a conflict. (Still check if the port is in use, of course)

There are new version of dnscrypt and libsodium, please update your script.

Moreover, have you thought to include an option to upgrade dnscrypt/libsodium?

Thanks

when i run "./dnscrypt-autoinstall.sh" in debian 8.3 give a message:
++++++++++++++++++
Error!

It looks like there is already a DNS server
or forwarder installed and listening on 127.0.0.1.

To use DNSCypt, you need to either uninstall it
or make it listen on another IP than 127.0.0.1.

To uninstall DNSCrypt, try running this script
again with the 'forcedel' argument. For example:
./dnscrypt-autoinstall.sh forcedel
+++++++++++++++++++
I haven't any installed dnscrypt now, Beacuse installing from source code not succeeded.
I run " netstat -ulnp | grep ":53 " " and see this output:
udp 0 0 127.0.0.1:53 0.0.0.0:* 1015/unbound
udp6 0 0 ::1:53 :::* 1015/unbound

How can I fix it?

Hallo! At the end of the installation there was an error regarding wrong certificate of the website (raw.github.com against www.github.com). When trying to rerun the script no I get the following error message:

"Error!

It seems like DNSCrypt is already installed but
not configured by this script.

Remove DNSCrypt and it's configuration completely
from the system and run this script again.

Quitting"

How do I now remove DNSCrypt and its configuration? And how can I avoid the installation error? I put the parameter --no-check-certificate in the beginning, but it seems that doesn't work at the end of the script.

curl attempts to resolve download.libsodum.org and download.dnscrypt.org when executing using the forcedel option while dnscrypt is configured but broken...does not need to do this to delete the installation. Gives the impression that the removal did not work. Also spits out "userdel: /etc/dnscrypt/run not owned by dnscrypt, not removing" this makes the removal also appear not to work further- yet when you look for /etc/dnscrypt it has been removed...

LSODIUMVER=1.0.2
LSODIUMURL="https://github.com/jedisct1/libsodium/releases/download/1.0.1" -> ~/1.0.2

When trying to select a server...tried a few different choices and when the script finishes dnscrypt is not working...

[ERROR] No resolver named [OpenDNS] found in the [/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv] list

Appears to maybe be a problem with the format/mapping of the names in the .csv?
Seems to be a problem with some of the OpenNIC servers as well.

Better yet, how about we add the choice to manually specify a dnscrypt supported server of our choosing and type in the IP manually during the script execution if we so choose??

Moved from todo list in readme/script header.

See #31 and #33

The sudo bash cludgery was introduced because of #10, as running gpg as sudo would break the permissions on the user gpg folder. A better solution would be to fully separate unprivileged sections by building with fakeroot, leaving root to move over (e.g wtith rsync) files to system locations and run ldconfig on fedora. This has the added benefit that users have a compiled tarball at their disposal, and don't run sudo make install.

http://www.linuxfromscratch.org/hints/downloads/files/fakeroot.txt

Done

• Exit on errors (#24)
• Build and download as dedicated user
• Remove sudo dependency (#69)
• Create packages with fakeroot
• Configure resolver with resolvers.csv (#62)
• systemd service (#43)
• sysvinit service (CentOS 6, Debian 7)
• Remove installed files
• Check for running DNS server
• Retrieve newest libsodium version (#82)
• Use absolute path for resolv.conf (#79)
• Restore resolv.conf backup
• Configure resolver after installation
• Add MIT license (#86)
• Additional download checks (#70)
• Option for unencrypted DNS (#35)
• Remove systemd configuration on uninstall

Todo

• Verify resolvers.csv signature
• Start services depending on distribution / sysvinit support
• Detect libsodium version / query deletion (#56)
• Run backup resolver
• Use different service name? (dnscrypt-autoinstall.service)
• Improve file removal routine

Debian script: needs installation of curl/build-essential

Hello,

I've been using dnscrypt for months but today the dns service stopped working.
So I decided to download your script again and reinstall it.
I'm running linux mint 17.1 64bits
With the previous of your script, everything went ok but with the last one the install stops with this error :
./dnscrypt-autoinstall: line 483: systemctl: command not found
Can you help me or provide me the old version of your script ?
Thank you

Hi!

I have a problem with run the script dnscrypt-autoinstall.

The pastebin is:

http://pastebin.com/4QfWAXNv

But the user have all privileges of sudo.

Where is the problem?

On Arch, the dnscrypt-proxy is now compiled with systemd support, which means it now provide its own systemd scripts, which have the same name as dnscrypt-autoinstall one.

Since systemd support is available in dnscrypt-proxy, shouldn't the scripts from dnscrypt-autoinstall be removed?

Depends on #61, as we would currently not really be able to do any meaningful testing.

I have a vague recollection of GPL2, but right now there's no mention of it in the repo. If it can be something else, I'd suggest the X11 license (aka MIT license).

./dnscrypt-autoinstall.sh:
(errors)
mkdir: cannot create directory ‘./dnscrypt-autoinstall’: Permission denied
./dnscrypt-autoinstall.sh: line 224: pushd: ./dnscrypt-autoinstall: No such file or directory
Importing key with ID: 1CDEA439
gpg: requesting key 1CDEA439 from hkp server keys.gnupg.net
gpg: key 1CDEA439: "Jedi/Sector One [email protected]" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 398 0 398 0 0 1062 0 --:--:-- --:--:-- --:--:-- 1064
Warning: Failed to create the file libsodium-1.0.0.tar.gz: Permission denied
1 1502k 1 16384 0 0 19734 0 0:01:17 --:--:-- 0:01:17 19734
curl: (23) Failed writing body (0 != 16384)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0Warning: Failed to create the file libsodium-1.0.0.tar.gz.sig: Permission
Warning: denied
100 72 100 72 0 0 68 0 0:00:01 0:00:01 --:--:-- 68
curl: (23) Failed writing body (0 != 72)
Verifying signature of: libsodium-1.0.0.tar.gz
gpg: can't open `libsodium-1.0.0.tar.gz.sig'
gpg: verify signatures failed: file open error
Error verifying signature

Tried running the script inside a root shell (sudo -i), this gives:
You should not run this script directly as root.

The method in the debian/ubuntu script is not best practice

The following would be recommended to be changed

    # Set up init script
    config_do

    # Set up resolv.conf to use dnscrypt
    sudo bash <<EOF
    mv /etc/resolv.conf /etc/resolv.conf-dnscryptbak
    echo "nameserver 127.0.0.1" > /etc/resolv.conf
    echo "nameserver 127.0.0.2" >> /etc/resolv.conf

    # Dirty but dependable
    chattr +i /etc/resolv.conf

Resolve.conf alert the following:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

chattr as stated is a dirty solution.

i would recommend reviewing https://raam.org/2009/configuring-static-dns-with-dhcp-on-debianubuntu/
where dhcpclient.conf is modified instead and then use "supersede"

ex) supersede domain-name-servers 8.8.8.8, 8.8.4.4;

also possible option is to append /etc/resolvconf/resolv.conf.d/tail which would append additions to resolv.conf

There are many applications that can overwrite resolv.conf (network-manager, dhcpcd, netctl, etc.), so instead of handling each one how about making the file immutable? (chattr +i) On removal you'd undo it again (chattr -i)

Hi guys,

Thanks for the great script! Ii have 2 requests:

1. Would it be possible to add an option/entry in the menu to switch to non-encrypted dns without having to uninstall? And back again? Like some sort of pause/resume option.
   I sometimes cannot use encrypted dns when I need to connect to a company vpn. I can connect to the vpn server but this does not understand the encrypted dns requests...
2. Is a ppa an idea?

Bye
Hans

Moved from todo list in readme/script header.

I'm using this on Debian Jessie and the Script only downloads the 1.0.9 of libsodium.
But theres are newer Version on the DL-Site:
https://download.libsodium.org/libsodium/releases/libsodium-1.0.10.tar.gz

This would require a big rework of the scripts, but I'm clearing my head: the idea is now here in black on white,

sudo sh ./dnscrypt-autoinstall-redhat.sh
Error!

You should not run this script directly as root.

Specific example is SolydK running tempfs for /var/run

I am currently unable to use the dnscrypt-autoinstall script to install dnscrypt. I've tried on both Kubuntu 16.10 and Fedora 25, and I get the same error after it resolves the dependencies:

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

dnscrypt-proxy.service has more than one ExecStart= setting, which is only allowed for Type=oneshot services. Refusing.

I get a lot of time outs and the errors below

As you see at the bottom "/etc/init.d/dnscrypt-proxy: line 1: 404:: command not found", basically it replaces the content of the script with 404. Thank goodness I had a copy of the original script. I tried this multiple times and it always replaced the content with that bogus line.

I am using Debian Testing 64bit.

Welcome to dnscrypt-autoinstall script.

It seems like DNSCrypt was installed and configured by this script.

What would you like to do?

1. Configure another DNSCrypt service
2. Uninstall DNSCrypt and remove the auto-startup config
3. Exit

Select an option [1-3]: 1

Which DNSCrypt service would you like to use?

1. DNSCrypt.eu (Europe - no logs, DNSSEC)
2. OpenDNS (Anycast)
3. CloudNS (Australia - no logs, DNSSEC)
4. OpenNIC (Japan - no logs)
5. OpenNIC (Europe - no logs)
6. Soltysiak.com (Europe - no logs, DNSSEC)

Select an option [1-6]: 5
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:18 --:--:-- 0
100 15 0 15 0 0 0 0 --:--:-- 0:00:19 --:--:-- 15
Stopping dnscrypt-proxy
insserv: script zfs: service zfs already provided!
insserv: warning: script 'dnscrypt-proxy' missing LSB tags and overrides
insserv: script zfs: service zfs already provided!
/etc/init.d/dnscrypt-proxy: line 1: 404:: command not found
Reconfig done. Quitting.

hello,

got the problem when i run installation script

gpg: Signature made Sun 31 Jul 2016 11:09:59 PM WIB using RSA key ID 2B6F76DA
gpg: requesting key 2B6F76DA from hkp server gpg.gpupg.net
gpg: keyserver timed out
gpg: Can't check signature: public key not found

The way the script currently works, there's no way for users to ever get updated versions of libsodium. This is because the script doesn't uninstall it and because it won't install a newer version if an older one is currently installed. For example:

1. User has never installed dnscrypt-proxy or libsodium before.
2. User runs dnscrypt-autoinstall.sh for the first time, installs dnscrypt-proxy X.X.1 and libsodium Y.Y.1.
3. Newer versions of the software are released and dnscrypt-autoinstall.sh is updated to use these versions: dnscrypt-proxy X.X.2 and libsodium Y.Y.2.
4. User wants to get the software updates, so gets the latest copy of dnscrypt-autoinstall.sh, runs it, and selects the option to uninstall. dnscrypt-proxy X.X.1 is removed, but libsodium Y.Y.1 remains installed because the script doesn't remove it.
5. User runs dnscrypt-autoinstall.sh again. Because the script detects that libsodium Y.Y.1 is installed, it leaves it untouched, but continues installing the new dnscrypt-proxy X.X.2.
6. User now has dnscrypt-proxy X.X.2 and libsodium Y.Y.1, even though libsodium Y.Y.2 is available. There's no easy way for the user to get libsodium Y.Y.2.

This could be fixed by uninstalling libsodium when running the config_del uninstallation function, or by automatically uninstalling right before the script is about to install a newer version, or by asking the user if they want to uninstall the old version and install the newer one like in #32, or all of the above.

I wonder: why are we currently avoiding touching libsodium? Are we trying to avoid uninstalling it so we don't break other potentially-installed software that may be using it? I couldn't find any past discussion about this.

I run this script on my raspberry pi, keep getting this gpgkey verification error again and again, so is there something wrong?

Currently, the only resolver in the script that serves North America is OpenDNS, the rest are all in Europe, Australia, and Japan. OpenDNS is also the only one that keeps logs. It would be useful to add some more North American options, including ones that don't keep logs.

Also relevant: yesterday, OpenDNS announced they're being acquired by Cisco. We should update the name in the script to "Cisco OpenDNS" to reflect this change (dnscrypt-osxclient and the list of resolvers in dnscrypt-proxy have already done so). Also, OpenNIC anticipates the acquisition will be bad news for OpenDNS users' privacy.

Hello,

nc in CentOS 7 was replaced by nmap-ncat, so they have different params(e.g. -z skipped) and autoinstall script does not work on CentOS 7. BTW, script still works if /usr/bin/nc is not found.

Hi,

Would you be interested in merging scripts for other distributions? E.g dnscrypt-autoinstall-fedora.sh

After my dnscrypt-autoinstall from september 12 broke, I tried uninstalling and reinstalling the same version to get
Warning: Failed to create the file dnscrypt-proxy-1.7.0.tar.gz: Permission Warning: denied 0 1674k 0 16366 0 0 2633 0 0:10:51 0:00:06 0:10:45 4418 curl: (23) Failed writing body (0 != 16366)
I cloned the latest version from github to get the exact same error. is this an error caused by curl itself? I'm using fedora 24, kernel 4.8.4-200.fc24.x86_64 and curl version 7.47.1-8.fc24

Would it make sense to give users the ability to run the script with parameters instead of interacting with a GUI?

The script does not work with reboot of Linux . I have to always run it manually after the restart.
This is the log which I gets once I run the script manually.
Starting dnscrypt-proxy
chattr: Operation not supported while reading flags on /etc/resolv.conf
chattr: Operation not supported while reading flags on /etc/resolv.conf
Reconfiguration done. Quitting

Using Ubuntu 15.10
The install process seems to work fine but after reboot, it is no longer active.

As mentioned in #80

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 54A2 B889 2CC3 D6A5 97B9 2B6C 2106 27AA BA70 9FE1
Subkey fingerprint: 0C79 83A8 FD9A 104C 6231 72CB 62F2 5B59 2B6F 76DA
/xxxxx/dnscrypt-autoinstall/libsodium-1.0.8 /xxxxx/dnscrypt-autoinstall /xxxxx
checking build system type... mkdir: cannot create directory './dnscrypt-autoinstall/cg9021-426': No such file or directory
mkdir: cannot create directory './dnscrypt-autoinstall/cg-9021': No such file or directory
config.guess: cannot create a temporary directory in ./dnscrypt-autoinstall
configure: error: cannot guess build type; you must specify one
/xxxxx/dnscrypt-autoinstall /xxxxx
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed