
enable DOH/DOQ using Let's Encrypt certs out of the box #154

Merged (296 commits), May 21, 2024

Conversation

@OniriCorpe OniriCorpe commented Dec 26, 2023

Problem

Solution

Is someone OK to test this?

PR Status

  • Code finished and ready to be reviewed/tested
  • The fix/enhancement was manually tested (if applicable)

TODO

  • Test package itself
    • scripts: all good
    • Test the config panel
      • enable/disable port 53 exposure
      • enable/disable doh doq ports
      • new password tool
  • Test DoH (reverse proxied by nginx)
  • WIP: Test DoT
  • WIP: Test DoQ
  • WIP: Docs
    • Port 53 (to be rewritten as port 53 MUST be opened, see below)
    • DoH & DoQ ports
    • Explain how to filter requests using AGH's allowlist and CIDR (and maybe rate limiting)
    • French translation
  • Remove public IPs from the config file if port 53 is not exposed on the Internet (else: crash)
    • adapt opened ports according to the user's choice
    • declare needs_exposed_ports according to the real user need (so the ynh diagnostic doesn't cry about ports not reachable on the Internet)
  • Add public IPs when port 53 is exposed

Current state

For the package

  • all scripts are fully functional 🎉

For AdGuard Home itself

A screenshot of the AdGuard Home front-end, showing the "Encryption settings", with all things validated

  • the AGH "Encryption settings" (where DoH / DoQ is activated) is fully configured and validated
  • DoH: fully functional 🎉
  • DoT: fully functional 🎉
  • DoQ: fully functional 🎉
  • classic DNS: fully functional 🎉

@OniriCorpe OniriCorpe changed the title enable DOH/DOQ using Let's Encrypt certs out of the box WIP: enable DOH/DOQ using Let's Encrypt certs out of the box Dec 26, 2023

@OniriCorpe

I feel like Hal changing a light bulb 😓

@OniriCorpe

OniriCorpe commented Dec 27, 2023

about f65fc16:
dnsmasq uses port 53 on localhost
and AGH uses port 53 on outside IPs (local or public ones if needed)
(you can see this with netstat -tulpn | grep ":53 ")

and that's OK

except for YNH: as dnsmasq uses port 53 on localhost, the port is used and YNH refuses to give it to AGH for outside IPs:
WARNING Failed to provision ports : Port 53 is already used by another process or app.

so I had to remove the port from the manifest.toml and hardcode it in config and scripts
it's OK since port 53 for DNS stuff is mandatory, so it would never change though
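The port-53 split described in the comment above (dnsmasq on loopback, AdGuard Home on the outside addresses), as an added example that is not part of the PR or of the package: a small POSIX shell script that parses netstat -tulpn output, reports which program owns port 53 on which address, and flags the wildcard bind (0.0.0.0:53 or :::53) that would actually collide with dnsmasq. The sample netstat lines, PIDs and the 192.0.2.10 address are constructed for the example; netstat needs root to fill in the program-name column.

```shell
#!/bin/sh
# Added example (not from the PR or the package): who owns port 53 on which address?
# Input is "netstat -tulpn" style text; the samples below are constructed.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:53            0.0.0.0:*                           512/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      512/dnsmasq
udp        0      0 192.0.2.10:53           0.0.0.0:*                           987/AdGuardHome
tcp        0      0 192.0.2.10:53           0.0.0.0:*               LISTEN      987/AdGuardHome
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      301/sshd'

# The layout to avoid: AGH grabbed the wildcard address, so dnsmasq cannot sit on loopback.
SAMPLE_WILDCARD='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:53              0.0.0.0:*                           987/AdGuardHome
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      987/AdGuardHome'

# Print "proto local_address program" for every socket bound to port 53 (stdin -> stdout).
port53_listeners() {
  awk '$4 ~ /:53$/ {
    prog = $NF; sub(/^[0-9]+\//, "", prog)   # "512/dnsmasq" -> "dnsmasq"
    print $1, $4, prog
  }'
}

# Exit 0 if some port-53 socket is bound to a wildcard address; that is the bind
# that cannot coexist with dnsmasq on 127.0.0.1:53.
port53_has_wildcard() {
  port53_listeners | awk '$2 == "0.0.0.0:53" || $2 == ":::53" { found = 1 } END { exit !found }'
}

# Exit 0 if the split from the thread holds: no wildcard bind, at least one loopback
# listener and one non-loopback listener, and no program sitting on both sides.
port53_split_ok() {
  port53_listeners | awk '
    $2 == "0.0.0.0:53" || $2 == ":::53" { wild = 1; next }
    $2 ~ /^127\./ || $2 ~ /^::1:/      { if (!($3 in lo))  { lo[$3] = 1;  nlo++ }; next }
                                       { if (!($3 in ext)) { ext[$3] = 1; nex++ } }
    END {
      if (wild || nlo == 0 || nex == 0) exit 1
      for (p in lo) if (p in ext) exit 1
      exit 0
    }'
}

# Usage on a live box: netstat -tulpn | port53_listeners
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | port53_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | port53_split_ok; then
  echo "loopback/outside split OK (YunoHost's port check still reports 53 as used, as the thread notes)"
else
  echo "port 53 layout is not the expected loopback/outside split"
fi
```

The YunoHost warning in the comment fires on any listener on port 53, so the script does not try to reproduce that check; it distinguishes the layout that works (two programs, two address scopes) from the wildcard bind that breaks it.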

@OniriCorpe

it's: weird 🙃

I found why the Private DNS setting on Android was working locally but not on another network...
it was because my whitelist only contained my local IP ranges lmao

it's working fine if i deactivate my allowlist!
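The allowlist behaviour behind the "works at home, not on another network" symptom in the comment above (and the TODO item in the PR description about filtering requests with AGH's allowlist and CIDRs), as an added example that is not part of the PR or of AdGuard Home: a POSIX shell implementation of IPv4 CIDR matching plus an allowlist check with the same shape as AGH's allowed-clients list (empty list = everyone allowed, otherwise only matching clients). The allowlist contents, the 203.0.113.7 "phone on cellular" address and the function names are constructed for the example; AdGuard Home's real list also accepts IPv6 addresses and ClientIDs, which this example does not handle.

```shell
#!/bin/sh
# Added example (not from the PR or AdGuard Home): IPv4 CIDR matching and an
# allowlist check shaped like AGH's "allowed clients" list. POSIX sh only;
# variables are global because sh has no "local".

# Print the dotted-quad IPv4 address $1 as a 32-bit integer; exit 1 if malformed.
ip4_to_int() {
  [ -n "$1" ] || return 1
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  set -- $(printf '%s\n' "$1" | tr . ' ')   # split on dots (octets with leading zeros not handled)
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if IPv4 address $1 lies inside $2, which is either a bare address or a CIDR.
ip4_in_cidr() {
  net=${2%/*}
  case "$2" in */*) bits=${2#*/} ;; *) bits=32 ;; esac
  case "$bits" in *[!0-9]*|'') return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  a=$(ip4_to_int "$1") || return 1
  n=$(ip4_to_int "$net") || return 1
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( a & mask )) -eq $(( n & mask )) ]
}

# Allowlist check with the shape of AGH's allowed-clients list (constructed rule for this
# example, IPv4 only): an empty list allows everyone, a non-empty list allows only clients
# matching one of its entries.
client_allowed() {
  ip=$1; shift
  [ $# -eq 0 ] && return 0
  for entry in "$@"; do
    ip4_in_cidr "$ip" "$entry" && return 0
  done
  return 1
}

# Constructed allowlist: only LAN ranges, as in the thread.
LOCAL_ONLY_ALLOWLIST="192.168.1.0/24 10.0.0.0/8"

# 192.168.1.20 is the phone on the home Wi-Fi; 203.0.113.7 stands in for the same phone on cellular.
for client in 192.168.1.20 203.0.113.7; do
  if client_allowed "$client" $LOCAL_ONLY_ALLOWLIST; then
    echo "$client: allowed"
  else
    echo "$client: rejected by the allowlist (this is the 'works locally only' symptom)"
  fi
done
```

The fix in the thread was to disable the allowlist; the narrower alternative is to add the public ranges the phone will come from, or to identify it by ClientID on the DoT/DoH wildcard subdomain instead of by source address, since behind NAT all clients on a network share the router's address anyway.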

@OniriCorpe

OniriCorpe commented May 17, 2024

I think the release is ready, at least to merge into the testing branch ^w^

poke @Ddataa

It's lacking Android docs and French translations, but eh

@tituspijean

tituspijean commented May 18, 2024

@OniriCorpe if you wish I can add some docs for Android. ;)

Edit: Maybe it's not worth it, there's already an included guide in the app at __DOMAIN____PATH__/#guide

Edit²: I have just noticed that DoT requests appear to be coming from the router, not the actual client:
(screenshot of the AdGuard Home query log)
(192.168.1.254 being my router)
that's normal, the wildcard domain thingy is needed :)

@OniriCorpe

> @OniriCorpe if you wish I can add some docs for Android. ;)
>
> Edit: Maybe it's not worth it, there's already an included guide in the app at __DOMAIN____PATH__/#guide

Maybe documenting this could be useful to permit ClientID usage on Android?

Intra adds DNS-over-HTTPS support to Android

@OniriCorpe OniriCorpe merged commit aee1f2a into testing May 21, 2024
@OniriCorpe OniriCorpe deleted the DoT branch May 21, 2024 16:34
@OniriCorpe OniriCorpe mentioned this pull request May 22, 2024