Jump to content
TorGuard

Leaderboard

  1. Support

    Support

    Administrators


    • Points

      158

    • Content Count

      2,304


  2. TorGuard

    TorGuard

    Members


    • Points

      20

    • Content Count

      179


  3. TorGuard Admin

    TorGuard Admin

    Members


    • Points

      14

    • Content Count

      85


  4. 19807409

    19807409

    Members


    • Points

      13

    • Content Count

      48



Popular Content

Showing content with the highest reputation since 11/06/2014 in all areas

  1. 4 points
    I have successfully used wireguard to connect to the "wireguard" servers listed in the support page; however, I am looking to connect via wireguard to one of the dedicated IP servers I have on my account. Is anyone aware if this is available now and, if so, how to set it up, or if there is any timeline on when it will be available?
  2. 3 points
    READ ENTIRE GUIDE BEFORE YOU BEGIN This Tutorial / Guide Was Updated on Jan 15 2020 in order to keep you in step with changes on packages needed for OpenWrt 19.07.0 First you all know the drill by now - " The Intro " we would all have a better world if we remember to practice the concept that - NOW ! is the time for all of US ( A ) to GET UP & GET INVLOVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=1pvIarW3xHg Bonus JB : https://www.youtube.com/watch?v=v8TvBPshngE See here for GETDNS AND STUBBY on OPENWRT / LEDE: https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md - this page is designed for DNS OVER TLS with DNSMASQ but it still is useful and informative . See Here For OPENWRT STUBBY DNS OVER TLS USING DNSMASQ-FULL FOR DNSSEC & CACHING https://forum.openwrt.org/t/stubby-dns-over-tls-using-dnsmasq-full-for-dnssec-caching/19107 UPDATED GUIDE For UNBOUND: ( IF YOU NEED IT ! ) https://torguard.net/forums/index.php?/topic/1509-updated-guide-for-getdns-142-2-stubby-023-3-and-unbound-181-2/ Why I am so damn serious about DNS Privacy ( just watch these when you have time - all at once or in intervals - very educational 😞 https://dnsprivacy.org/wiki/display/DP/IETF+DNS+Privacy+Tutorial https://www.youtube.com/watch?v=2JeYIecfwdc https://www.youtube.com/watch?v=JnxE5RPnyiE Active work is also underway at the IETF on DNS-over-HTTP (DOH) but today the only method standardized by the IETF is DNS-over-TLS. In the world of encryption, it's always safer to go with standardized protocols that have gone through a rigorous review process. Unfortunately DNSCrypt has not been standardized yet, and some of the ways it uses cryptography are unusual. If you need more storage and swap memory for your router see here: http://ediy.com.my/index.php/blog/item/118-how-to-increase-storage-on-tp-link-tl-mr3020-with-extroot and here: https://samhobbs.co.uk/2013/11/more-space-for-packages-with-extroot-on-your-openwrt-router For partitioning USB external flash drives I personally prefer GParted Live and / or MiniTool Partition Wizard 9.1 Boot Iso and both work great - found here: https://gparted.org/download.php and here respectively https://www.chip.de/downloads/Partition-Wizard-Bootable-CD_38297298.html For all of those who are using UNBOUND with tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # For OpenWrt option: found here This will have to wait until OpenSSL 1.1.x .From Unbound Recursive DNS Server with UCI found here: https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md And Look for section at the bottom entitled HOW TO: TLS Over DNS read this: NOTICE: Unbound requires openssl-1.1.0 to verify host certificates. OpenWrt at present is configured with openssl-1.0.2. Connections will be over TLS, but theoretically, certificates may not be from a trusted source. See report https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658 When this is resolved, it will be recommended again to install ca-bundle, maintain it, and be sure to include the TLS certificate domain index with the host addresses. For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OPENDNSSEC and now GETDNS ( and STUBBY ) see here: https://www.nlnetlabs.nl/ https://www.nlnetlabs.nl/projects/getdns/ Yes I run GETDNS and STUBBY. For those who wish to explore GETDNS and STUBBY - this method is the one recommended by DNSPRIVACY - see here : https://getdnsapi.net/ 5 https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby 2 https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound 3 - please read this carefully - you will note that it indicates : Unbound As A DNS TLS Client Features: Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder). These are the reasons I choose to use GETDNS and STUBBY with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt So here we go. I was asked by a still skeptical devotee of DOH " What makes this way better than just running the DNS-over-https-proxy ? My answer was : Read this and make your decisions and conclusions concerning DOH vs DOT . Here is the article below : https://www.netmeister.org/blog/doh-dot-dnssec.html Bottom Line Conclusion From Jan Schaumann - The Author of This Blog Entry : For that, my current preference is quite clearly DNS-over-TLS: I fear a bifurcation of DNS resolution by apps combined with the push for using public resolvers with DoH will lead to a more complex environment and threat model for many users. Short Synopsis of DOH: In other words , ( with DOH ) we gain the same protections as with DoT for our web applications, but leaves all other DNS traffic vulnerable. Subsequently, as a matter of fact and in practice with DNS OVER TLS ALL DNS traffic is invulnerable and protected.This is why I run DOT and eschew DOH on my OPNsense Router. Further, Personally, I run GETDNS STUBBY and UNBOUND as described here along with ( wait for it ) FireFox DOH along with Encrypted SNI - plus TLS v 1.3 in Stubby and naturally a properly configured and encrypted VPN - FYI, David Mora aka iamperson347 the developer and maintainer of GETDNS and STUBBY package for OpenWRT / LEDE assisted me in putting this all together. Dave strongly suggested using DNSMASQ for DHCP and UNBOUND and STUBBY for DNS OVER TLS. Dave's reason was that OpenWrt / Lede performs best when configured in this fashion. Directly from David Mora aka iamperson347 the developer and maintainer of GETDNS and STUBBY and I quote: "I recommend running Unbound to utilize the caching. Sometimes the connections from stubby to the resolver can have a little but of lag, so caching + prefetch helps minimize the effects." Unbound is a recursive caching DNS Resolver - which by design and definition speeds up your DNS RESOLUTION. DNS addresses are stored in the cache and called upon and directed to almost IMMEDIATELY ! ( Query time: 0 msec ) resolve dns addresses in subsequent DNS look ups after your first visit to cached objects. A small number has questioned DNS OVER TLS and the supposed complexity of this setup vis a’ vis DNSCrypt. DNSCrypt has always been suggested to best deployed when forwarded to Unbound as a Caching Server. In effect, this methodology simply drops Stubby and GetDns in place instead of DNSCrypt. The use of DNSMasq for DHCP is particular to OpenWRT / LEDE. However, it is a fairly simple and straightforward task to setup DNSMasq for purposes of DHCP and well described and referenced in this tutorial. Lastly, GetDns and Stubby do allow for TLS OVER Port 443 and I have amended this guide to reflect that option for those who may worry about being blocked behind a firewall while using TLS OVER Port 853. https://www.nlnetlabs.nl/projects/unbound/about/ This method combines Unbound (as a caching proxy) and Stubby (as fully featured TLS forwarder). Stubby is essential - please read the following: Stubby' is an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby is developed by the getdns project. Stubby is essential - please read the following: https://dnsprivacy.org/wiki/display/DP/About+Stubby I run GETDNS and STUBBY with Unbound DNS and Dnsmasq for DHCP. You can use odhcpd which will handle both DNS and DHCP where you disable and/ or remove DNSMASQ - but you will experience a performance hit. This why I use Unbound/ STUBBY for DNS and Dnsmasq for DHCP . Here is a basic guide as to how to do it - https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ 5 However a few modifications are necessary in order to to have GetDns and Stubby up and running and successfully integrated with Unbound DNS and Dnsmasq for DHCP. I will write up a guide here - but don’t give me a hard time later on. Directly From DNS Privacy Website: Stubby is an experimental implementation of a DNS Privacy enabled stub resolver. It is currently suitable for advanced/technical users - all feedback is welcome! Also see https://dnsprivacy.org/ for more information on DNS Privacy. I have read here: https://www.monperrus.net/martin/randomization-encryption-dns-requests that Also, it is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses. By the way I run Davidc502 LEDE Snapshots - Moderately Customized LEDE Development Builds for Linksys 1900ac v.1 and 1900ac v.2, 1900acs v.1 v.2, 3200acm, WRT32X and 1200ac v.1 v.2 series routers. These builds keep up to date package repositories.. GetDns and Stubby are included. Dave's Builds have many other pre-installed common packages as well.. Check out homepage and downloads here: https://davidc502sis.dynamic-dns.net/ and downloads here: https://davidc502sis.dynamic-dns.net/snapshots/ . In addition, there is a very informative, instructive and active thread ( forum ) for Dave's builds and discussion of many OpenWrt / Lede packages, features, and issues. In short great technical advice and assistance can be found here: https://forum.openwrt.org/t/davidc502-wrt1200ac-wrt1900acx-wrt3200acm-wrt32x-builds/ Dave releases new updated builds every two weeks - near the middle and first of each month. - As always - opkg update first and foremost Prerequisite You have a ca cert bundle installed on your router. You can do this by running the following opkg install ca-certificates Now Let’s Move On 1 - opkg update ; opkg install unbound-daemon-heavy unbound-control unbound-control-setup luci-app-unbound unbound-anchor unbound-host unbound-checkconf odhcpd 2 - opkg update ; opkg install stubby getdns 3- My WORKING CONFIGS /etc/unbound/unbound_srv.conf ( Must Adjust For Your Router - I Run WRT1900ACS and WRT3200ACM So I Have Plenty Of Ram, Storage and 2 CPU's ) You should " Optimize Unbound " - especially increase size of cache among other things see guide here and adjust for your router's memory , number of cores and so on- see here: https://nlnetlabs.nl/documentation/unbound/howto-optimise/ for basic guide ( Simply Copy and Paste Into Your SSH Session and Hit Enter ) cat >> /etc/unbound/unbound_srv.conf <<UNBOUND_SERVER_CONF server: # use all CPUs num-threads: 2 # power of 2 close to num-threads msg-cache-slabs: 4 rrset-cache-slabs: 4 infra-cache-slabs: 4 key-cache-slabs: 4 # more cache memory, rrset=msg*2 rrset-cache-size: 256m msg-cache-size: 128m # more outgoing connections # depends on number of cores: 1024/cores - 50 outgoing-range: 8192 # Larger socket buffer. OS may need config. so-rcvbuf: 4m so-sndbuf: 4m cache-min-ttl: 3600 cache-max-ttl: 86400 hide-identity: yes hide-version: yes hide-trustanchor: yes harden-glue: yes harden-dnssec-stripped: yes infra-cache-numhosts: 100000 num-queries-per-thread: 4096 max-udp-size: 3072 minimal-responses: yes rrset-roundrobin: yes use-caps-for-id: no do-ip6: no do-ip4: yes do-tcp: yes do-udp: yes prefetch: yes prefetch-key: yes qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes aggressive-nsec: yes so-reuseport: yes unwanted-reply-threshold: 10000000 interface-automatic: yes verbosity: 1 private-domain: "your.domain" ## put your domain here do-not-query-localhost: no harden-referral-path: yes target-fetch-policy: "0 0 0 0 0" val-clean-additional: yes ip-ratelimit: 300 ip-ratelimit-factor: 10 incoming-num-tcp: 100 edns-buffer-size: 1472 UNBOUND_SERVER_CONF As per guide :# Don’t let each server know the next recursion Enter via SSH command line: uci set ‘[email protected][0].query_minimize=1’ I choose to use the /etc/stubby/stubby.yml file to configure STUBBY. My reasons for preferring to configure Stubby with the /etc/stubby/stubby.yml file instead of the now default UCI system /etc/config/stubby file are for several reasons. I found that I have more control over the security options which DNS OVER TLS is intended to provide. Like padding - 853 or 443 port and so on. So in order to use /etc/stubby/stubby.yml file, you must change a default setting in the /etc/config/stubby file to allow manual configuration. To keep this simple - go into default UCI STUBBY file which is /etc/config/stubby by entering nano /etc/config/stubby and then set option manual '1' - if you leave it at default setting of option manual 'o' you will not be able to use the /etc/stubby/stubby.yml file in order to configure STUBBY as before. So, after changing option manual '1' in the /etc/config/stubby file - configure /etc/stubby/stubby.yml as follows : 4 - My WORKING CONFIG /etc/stubby/stubby.yml I prefer to run these DNS TLS SERVERS as they tend to be stable most all of the time. However, even if you run ssl-upstream with Unbound you still will need to monitor real time status of DNS Privacy Test Servers. So, Stubby is still the full featured way to go. See all DNS TLS SERVERS here if you choose to run others: DNS Privacy Test Servers https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers You can and should also check real time status of DNS Privacy Servers as they are experimental and are not always stable - you can monitor Dns Servers Real Time Status here below: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ Here is a list of all DNS Privacy Servers in the raw. Add ( tls_port: 853 ) after ( - address_data: ) entry: https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example See here for how to configure Stubby: https://github.com/getdnsapi/stubby DNS OVER TLS ABSOLUTE BEST CONFIGURATION FOR STUBBY FOR THE REASONS DETAILED BELOW: nano /etc/stubby/stubby.yml - replace contents of file with configuration below: VERY IMPORTANT UPDATE: After checking, rechecking and the triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/ 1 I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is: # All DNS Privacy Servers Below Tested and Updated On May 26 2020 With A+ Rating - # 100% Perfecto Configuration on website: https://www.immuniweb.com/ssl/?id=Su8SeUQ4n # These servers support the most recent and secure TLS protocol version of TLS 1.3 ** # Good configuration - These server configurations support only TLSv1.2 and TLSv1.3 protocols - current most secure encryption. # Also I have added the Country Locations of These DNS PRIVACY Servers using the Alpha 3 Code Format # see country code lists here : # https://www.nationsonline.org/oneworld/country_code_list.htm or https://www.iban.com/country-codes # Use as many or as few depending on your specific needs # Note: by default on OpenWRT stubby configuration is handled via # the UCI system and the file /etc/config/stubby. If you want to # use this file to configure stubby, then set "option manual '1'" # in /etc/config/stubby. resolution_type: GETDNS_RESOLUTION_STUB round_robin_upstreams: 1 appdata_dir: "/var/lib/stubby" tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 edns_client_subnet_private: 1 idle_timeout: 9000 listen_addresses: - [email protected] dns_transport_list: - GETDNS_TRANSPORT_TLS tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 tls_ca_path: "/etc/ssl/certs/" upstream_recursive_servers: ### IPV4 Servers ### ### DNS Privacy DOT Test Servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 185.49.141.37 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## 2 - The Surfnet/Sinodun DNS TLS Server #3 A+ ( NLD ) - address_data: 145.100.185.18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## 3 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) - address_data: 199.58.81.218 tls_auth_name: "dns.cmrg.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= ## 4 - The BlahDNS Japan DNS TLS Server A+ ( JPN ) - address_data: 45.32.55.94 tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: gIoiNFxX1Nw+7/pVsmUKBU941bMBYjEYuB2T9drULOM= ## 5 - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU ) - address_data: 159.69.198.101 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: YZeyeJf/suAR2fMHLc9RDPkcQi/e8EEnzk5Y1N90QQE= ## 6 - The BlahDNS Finland DNS TLS Server A+ ( FIN ) - address_data: 95.216.212.177 tls_auth_name: "dot-fi.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc= ## 7 - The dns.neutopia.org DNS TLS Server A+ ( FRA ) - address_data: 89.234.186.112 tls_auth_name: "dns.neutopia.org" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= ## 8 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 94.130.106.88 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 2x9bg3D2uUv/aR3P22pDS2OGyKRXxDQFY+EjY3u2o+w= ## 9 - The Foundation for Applied Privacy DNS TLS Server #2 A+ ( AUT ) - address_data: 93.177.65.183 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: +qcX6xelJzGg5+0jn1j05vrssAueYej9XrnhL9+NKXo= ## 10 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR ) - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 1qxET6WIHQ/oEG4c8xgBWoVFA7JQMamvNCIP3hVg7Hw= ## 11 - The Rubyfish Internet Tech DNS TLS Server A+ ( CHN ) - address_data: 115.159.131.230 tls_auth_name: "dns.rubyfish.cn" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: DBDigty3zDS7TN/zbQOmnjZ0qW+qbRVzlsDKSsTwSxo= ## 12 - The Lorraine Data Network DNS TLS Server A+ ( FRA ) - address_data: 80.67.188.188 tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= ## This certificate is currently expired which ## does not pose any concerns in SPKI mode ## (in practice with Stubby) ## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/ ## 13 - The DNSPRIVACY.at TLS Server #1 A+ ( DEU ) - address_data: 94.130.110.185 tls_auth_name: "ns1.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: MjA0IXWNt3+LCmuKT9ewjX3PwJxNqs2RoTa/NmzPHwI= ## 14 - The DNSPRIVACY.at TLS Server #2 A+ ( DEU ) - expired 2020-04-01 - address_data: 94.130.110.178 tls_auth_name: "ns2.dnsprivacy.at" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 68MH4G5hipbK1xYATBFgA+/DNLDd333oXr22QyB/RRo= # 15 - The ibksturm.synology.me DNS TLS Server A+ ( CHE ) - address_data: 85.5.93.230 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: npNOnBcLbvZWZgdmcuFaEqYJbaGjBlHMf9DknDoIkgg= ## 16 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL ) - address_data: 46.239.223.80 tls_auth_name: "dns.flatuslifir.is" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 3QPTZIcJdZFCx5t3tZiqdCBYpigUX+1Gwz+iQfLXrJE= ### Publicly Available DOT Test Servers ### ## 17 - The ContainerPI.com - CPI DNS TLS Server A+ ( JPN ) - address_data: 45.77.180.10 tls_auth_name: "dns.containerpi.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: xz8kGlumwEGkPwJ3QV/XlHRKCVNo2Fae8bM5YqlyvFs= ## 18 - The FEROZ SALAM DNS TLS Server A+ ( GBR ) - address_data: 46.101.66.244 tls_auth_name: "doh.li" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: VEjC/umyfulb4CbLZ6mIyEqHPbwv0D6osfrUbi8Dm28= ## 19 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR ) - address_data: 217.169.20.23 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 41OknyzhvFDNZqlvTs4mFTWSkAXSPXWQ4wRgky5Qyzc= ## 20 - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR ) - address_data: 217.169.20.22 tls_auth_name: "dns.aa.net.uk" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 7edzTURJQoFlhpbT1OMAj2ZYSx+bi5B1eyRjEFsXseI= ## 21 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS ) - address_data: 45.76.113.31 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM= ## 22 - The dns.seby.io - OVH DNS TLS Server A+ ( AUS ) - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw= ## 23 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE ) - address_data: 185.95.218.43 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: S+DuqASQtCTm8qr4G9z53uLEy230lIDgbHl9AtId0Yw= ## 24 - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE ) - address_data: 185.95.218.42 tls_auth_name: "dns.digitale-gesellschaft.ch" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: bthpji8smy3f2lSvweu5hXpb/6hLrk3Txh6euWztF5Q= ## 25 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA ) - address_data: 168.235.81.167 tls_auth_name: "dns-nyc.aaflalo.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: kjMUEH0kNEaZ4cDn3SQV/vANgycPm0qRPMU2yd4OlT0= ## 26 - The Antoine Aflalo DNS TLS Server #2 A+ ( NLD ) - address_data: 176.56.236.175 tls_auth_name: "dns.aaflalo.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 31ooUIF2se7S3ycqCx1FgffSNG70x8thaQ15g4bR6Uo= ## 27 - The Privacy-First DNS TLS Server #1 A+ ( JPN ) - address_data: 172.104.93.80 tls_auth_name: "jp.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 7CcU1rk7OmdjZg+oz+c8N4fguYlYdnJuYcdNvM/I+/E= ## 28 - The Privacy-First DNS TLS Server #2 A+ ( SGP Hosted In USA ) - address_data: 174.138.29.175 tls_auth_name: "dot.tiar.app" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 5hG9dlXtWeLWdCfE4QdNWlalxlFITtt8c2YgZVaCNWQ= ## 29 - The ibuki.cgnat.net DNS TLS Server A+ ( USA ) - address_data: 35.198.2.76 tls_auth_name: "ibuki.cgnat.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: OcRaI3p/xMjnj5+LlSpXP1aCnEgtRs5g38QQi7PbIO8= ## 30 - The PI-DNS.COM West USA DNS TLS Server A+ ( USA ) - address_data: 45.67.219.208 tls_auth_name: "dot.westus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: M+nrb/hd9eMJuPWeFht/k1dc1/jVc5BBfh+CYCliAJ4= ## 31 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA ) - address_data: 185.213.26.187 tls_auth_name: "dot.eastus.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: zxgnoyq2tM5LwFUFTmXFp8iHKen7hf0KcIHbRtanQAs= ## 32 - The PI-DNS.COM Central Europe DNS TLS Server A+ ( DEU ) - address_data: 88.198.91.187 tls_auth_name: "dot.centraleu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: ujlSlfFb2vMMwl3nCNHF2MJ36d2+3KGbSbuuAYH+N1U= ## 33 - The PI-DNS.COM North Europe DNS TLS Server A+ ( FIN ) - address_data: 95.216.181.228 tls_auth_name: "dot.northeu.pi-dns.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: TFadmV6S2C1WerCF+NY+/cHBjDS2iWRHZpT7JqktSpk= ## 34 - The Snopyta DNS TLS Server A+ ( FIN ) - address_data: 95.216.24.230 tls_auth_name: "fi.dot.dns.snopyta.org" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: gLV9UKZ+FNO0AI+W5g3qvOkHqyX4wrJ70MWtioCNXM8= ## 35 - The NixNet Uncensored Las Vegas DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.lv1.dns.nixnet.xyz" ) - address_data: 209.141.34.95 tls_auth_name: "uncensored.lv1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Wd/+3VJW7Xu904nJC35EBocuVs9XQNAnIOPoda848NQ= ## 36 - The NixNet Uncensored New York DNS TLS Server A+ ( USA ) ## - or use ( tls_auth_name: "adblock.ny1.dns.nixnet.xyz" ) - address_data: 199.195.251.84 tls_auth_name: "uncensored.ny1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: cXriM10X2+lW6V8NOrMZd2nssgC1TeW2DutGlmMn5fc= ## 37 - The NixNet Uncensored Luxembourg DNS TLS Server A+ ( LUX ) ## - or use ( tls_auth_name: "adblock.lux1.dns.nixnet.xyz" ) - address_data: 104.244.78.231 tls_auth_name: "uncensored.lux1.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 7cOZUgpjYw3Qy5K97ww3APnMau8zHrIEbC0znGgEGyw= ## 38 - The Lelux.fi DNS TLS Server A+ ( FRA Hosted In GBR ) - address_data: 51.158.147.50 tls_auth_name: "resolver-eu.lelux.fi" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: JXWEabtuBageRVNeJFedi4nhi7XCmS78N10NWQHA/eA= ## 39 - The Lightning Wire Labs DNS TLS Server A+ ( DEU ) - address_data: 81.3.27.54 tls_auth_name: "recursor01.dns.lightningwirelabs.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: jVdEaKPP27O6wPq6wbvXrTtDsDEiOoVdyTY9uUHXDJ0= ## 40 - The Hostux DNS TLS Server A+ ( LUX ) - address_data: 185.26.126.37 tls_auth_name: "dns.hostux.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: P0gaP31TQQzAIN3DomM5vXS3+8oCgYcTA/ZJ09Jw4QE= ## 41 - The dnsforge.de DNS TLS Servers A+ ( DEU ) - address_data: 176.9.1.117 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= - address_data: 176.9.93.198 tls_auth_name: "dnsforge.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw= # 42 - The Freifunk München DNS TLS Server A+ ( DEU ) - address_data: 195.30.94.28 tls_auth_name: "doh.ffmuc.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 1swf1Y7mDE9KBYARlBG00o5sQ7zZjOGSb0ahWpaKV5M= # 43 - The doh.defaultroutes.de DNS TLS Server A+ ( DEU ) - address_data: 5.45.107.88 tls_auth_name: "doh.defaultroutes.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: p7t6DDebAlM1rwkrJgZJ6CDkuJG0Ff5PKYZ8bUPQCM0= ## 44 - The CIRA Canadian Shield DNS TLS Servers A+ ( CAN ) - address_data: 149.112.121.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= - address_data: 149.112.122.10 tls_auth_name: "private.canadianshield.cira.ca" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: sXmZXPsnkbQMw68THpV0Tgh9zCe12TtXIinSTf7lkkw= # 45 - The dns.dnshome.de DNS TLS Servers A+ ( DEU ) - address_data: 185.233.106.232 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= - address_data: 185.233.107.4 tls_auth_name: "dns.dnshome.de" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: q5AkxgnWVCVjCUNUKl3aIBpGTfXF5GahE0RcncwbZoc= ### Anycast Publicly Available DOT Test Servers ### ## 46 - The NixNet Uncensored Anycast DNS TLS Servers ( Anycast ) - address_data: 198.251.90.114 tls_auth_name: "uncensored.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= - address_data: 198.251.90.89 tls_auth_name: "adblock.any.dns.nixnet.xyz" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: Ryhjf7K6V9/Fw/7XU7fqzrVJVEOyPtlHR/rFetOXrug= ## 47 - The DNSlify DNS TLS Servers A+ ( Anycast ) - address_data: 185.235.81.1 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= - address_data: 185.235.81.2 tls_auth_name: "doh.dnslify.com" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM= ### DNS Privacy Anycast DOT Public Resolvers ### ## 48 - The DNS.SB DNS TLS Servers A+ ( Anycast ) - address_data: 185.222.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= - address_data: 185.184.222.222 tls_auth_name: "dns.sb" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k= # 49 - The Tenta DNS OpenNIC TLS Servers A+ ( Anycast ) - address_data: 99.192.182.101 tls_auth_name: "opennic.tenta.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: IWL0sIdCNA9qM+elnfSMN1arzEDeptcN4uHnsWhtQW8= - address_data: 99.192.182.100 tls_auth_name: "opennic.tenta.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: IWL0sIdCNA9qM+elnfSMN1arzEDeptcN4uHnsWhtQW8= # 50 Quad9 'secure' service - Filters, does DNSSEC, doesn't send ECS ## ( NOTE: recommend reducing idle_timeout to 9000 if using Quad9 ) - address_data: 149.112.112.112 tls_auth_name: "dns.quad9.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg= - address_data: 9.9.9.9 tls_auth_name: "dns.quad9.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg= # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the # tls_ciphersuites option. This option can also be given per upstream. # tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20" # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required # for this option. This option can also be given per upstream. tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. tls_min_version: GETDNS_TLS1_3 # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only. # This option can also be given per upstream. # tls_max_version: GETDNS_TLS1_3 Save and Exit In order for TLSv1.3 protocol to work properly ( read at all ) in your Stubby instance, OpenWrt must have OpenSSL 1.1.1 active and configured in the kernel. Any OpenWrt 18.06 Build does not offer OpenSSL 1.1.1 in any shape, form or fashion. OpenWrt 19.07.0 Release Candidates and Snapshots do provide OpenSSL 1.1.1 support. As I have mentioned, I run Davidc502 OpenWrt Snapshots - moderately customized Builds for Linksys wrt1200ac wrt1900acx wrt3200acm wrt32x Routers found here: https://dc502wrt.org/ - These Builds come out approximately every two weeks with the latest Linux Kernels, software packages and other bleeding edge features including OpenSSL 1.1.1 with TLSv1.3 support. Once you have OpenSSL 1.1.1 with TLSv1.3 simply follow the guide above in order to set Stubby to implement TLS1.3. The operative lines necessary are these two specifically found at the bottom of the stubby.yml file above: tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" tls_min_version: GETDNS_TLS1_3 See below for TLS1.3 Support Check SSH Commands - openssl s_client 168.235.81.167:853 OR - openssl s_client 159.69.198.101:443 Read Out Will Be Verified By These Lines Below: Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_CHACHA20_POLY1305_SHA256 OR : Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Depending on Configuration on Tested DOT Server Lastly, you can and should take advantage of this new DNS OVER TLS provider. You need to sign up and use configured settings in order to use it. NextDNS is a free service - ANYCAST and pretty much cutting edge. ANYCAST speeds up your DNS - Here it is: NextDNS https://my.nextdns.io/signup or feel free to use and test NextDNS " Try it now for free " Feature go to : https://nextdns.io/ I also strongly encourage you to subscribe to blockerDNS found here : https://blockerdns.com/ This new DOH / DNS OVER TLS provider is the fastest I have run across. blockerDNS is run by Tambe Barsbay a seasoned, thorough and extremely proficient tech practitioner. blockerDNS is based in the U.S. and its infrastructure is hosted on Google Cloud Platform and DigitalOcean. You can view blockerDNS subscription options here : https://blockerdns.com/tryit - Most significantly, Tambe stands by his claim that he offers " Instant support by phone or email ". Overall blockerDNS is a great DNSPRIVACY DNS Service. Tip : The Mobile $0.99 per month option should suffice for most home users. Links : https://tambeb.com/ https://blockerdns.com/blog https://blockerdns.com/support https://blockerdns.com/overview All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details : https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under " Logging " column. DNS query name minimisation to improve privacy, along with DNS resolution speed and accuracy - Run Test After Completing Full Setup These name servers listed above help to consistently ensure QNAME Minimisation functions as designed within UNBOUND ( The idea is to minimise the amount of data sent from the DNS resolver to the authoritative name server. ) Use either or both of these two methods to verify QNAME Minimisation A - You need to opkg install drill and - then run command : drill txt qnamemintest.internet.nl and / or B - opkg install bind-dig or opkg install bind-tools with command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for more complete readout including DNSSEC results ). AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated) The results in any of these scenarios will show either: "HOORAY - QNAME minimisation is enabled on your resolver :)!” or “NO - QNAME minimisation is NOT enabled on your resolver :(.” Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4 You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration. Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default. However, I still add these settings manually. These settings are entered in " /etc/unbound/unbound_srv.conf " file. qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes See configuration above in Step # 3 . 5 - MY WORKING CONFIG /etc/unbound/unbound_ext.conf ( Simply Copy and Paste Into Your SSH Session and Hit Enter ) cat >> /etc/unbound/unbound_ext.conf <<UNBOUND_FORWARD_CONF forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] # Forward Unbound To Stubby Address/Port UNBOUND_FORWARD_CONF 6 - From The Guide referred to in the link above - self explanatory: # Move dnsmasq to port 53535 where it will still serve local DNS from DHCP# Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535 Enter via SSH command line: uci set ‘[email protected][0].port=53535’ uci add_list “dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)” uci set ‘[email protected][0].dhcp_link=dnsmasq’ uci commit /etc/init.d/unbound restart 7 - From https://github.com/openwrt/packages/tree/master/net/unbound/files HOW TO Integrate with DHCP Parallel DNSMASQ /etc/config/dhcp After Some Reflection and Observations - Fine Tuning Your DNS Resolver After reading System Logs I realized that there is a need to amend DNSMASQ ( DHCP ) after implementing option noresolv ‘1’ in /etc/config/dhcp configuration file. This dawned on me from my years of running DNSCRYPT Proxy on OpenWrt. I referred to this guide: Go to this section near bottom of page. Use specific DNS server to lookup one or more host names https://www.leowkahman.com/2016/05/23/openwrt-encrypted-dns-lookup-using-multiple-dnscrypt-servers/ option noresolv ‘1’ is to prevent using any upstream DNS server other than those specified in this file # this file being: /etc/config/dhcp Solution is as follows add these two lines to /etc/config/dhcp: nano /etc/config/dhcp - enter these lines before / option domain ‘yourdomain’ list server '127.0.0.1#5453' # Stubby/Unbound Default Address/Port option noresolv ‘1’ # Make sure to change this as indicated or Via Uci uci add_list [email protected][-1].server='127.0.0.1#5453' uci set [email protected][-1].noresolv=1 uci commit && reload_config 7A - Disable Sending DNS Requests to ISP Provided DNS Servers uci set network.wan.peerdns='0' uci set network.wan.dns='127.0.0.1' uci commit && reload_config After you complete all the steps in this tutorial and restart your Router Check Status > System Log - You will find an entry like the one below: daemon.info dnsmasq[8532]: using nameserver 127.0.0.1#5453 - which indicates that your OpenWrt Router is using Unbound and Stubby for Encrypted DNS Resolution 8 - Working /etc/config/unbound file nano /etc/config/unbound config unbound option add_extra_dns '0' option add_local_fqdn '1' option add_wan_fqdn '0' option dhcp4_slaac6 '0' option dns64 '0' option dns64_prefix '64:ff9b::/96' option domain "your.domain" ## put your domain here option domain_type 'static' option edns_size '1280' option extended_stats '1' option hide_binddata '1' option extended_luci '1' option luci_expanded '1' option listen_port '53' option localservice '1' option manual_conf '0' option protocol 'ip4_only' option query_min_strict '1' option rebind_localhost '0' option rebind_protection '1' option recursion 'default' option resource 'medium' option root_age '28' option ttl_min '120' option unbound_control '2' option validator '1' option validator_ntp '1' option verbosity '2' list trigger_interface 'lan' list trigger_interface 'wan' option query_minimize '1' option dhcp_link 'dnsmasq' VERY IMPORTANT STEP: Now run /etc/init.d/unbound restart one more time. When you do this you will see that your unbound root.key will be installed to /var/lib/unbound/root.key and also it will install root.key to /etc/unbound/root.key. This will automatically configure DNSSEC on your router. The function also lists your auto-trust anchor in your /var/lib/unbound/unbound.conf file. You will now be running DNS OVER TLS with GETDNS and Stubby on LEDE / OpenWrt Make sure to follow this guide precisely and it works GREAT!!! You can check logs under Services > Recursive DNS > Status > Log - you will see that you have a caching encrypted DNS Resolver !!! You can install - opkg install bind-dig or opkg install bind-tools in order to be able to issue dig commands in order to check DNS resolution if you opt to - as you test you will see that your cache is working also. Bonus Setup Option ( Highly Recommended ) - Install WatchCat http://www.ibuyopenwrt.com/index.php/2-uncategorised/224-watchcat-reboot-on-internet-drop I set "Reboot on Internet Connection Lost" option. I have WatchCat set to ping Fourth Estate DNS address - 179.43.139.226 - every 20 minutes. This will keep your router up and running consistently. Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security. Lastly, you can check your DNS at GRC Spoofability Test - DNS Leak - or any of such service. Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server. VERY IMPORTANT TIP: Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares: DoT servers The following servers are experimental DNS-over-TLS servers. Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified.Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!! For these reasons it is most important to check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time. There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to https://blahdns.com/ and scroll down to the section to the yellow section entitled What is DNS OVER TLS click on it and it will open up. When you do it will state some general information, but what you want to pay attention to is this section: How to get SPKI Most Simple and Direct Method: gnutls-cli --print-cert -p 853 159.69.198.101 | grep "pin-sha256" | head -1 And / Or With Adjustment For SSL Port and Address Being Tested gnutls-cli --print-cert -p 443 159.69.198.101 | grep "pin-sha256" | head -1 - where you must opkg install gnutls-utils OR echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 There is also a third option. kdig -d @185.49.141.37 +tls-ca +tls-host=getdnsapi.net example.com - where you must install knot-dig / opkg install knot-dig This is my personal favorite as the readout from this command will list the certificate specifically like so: ;; DEBUG: #1, CN=getdnsapi.net ;; DEBUG: SHA-256 PIN: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= and let you know that the certificate is valid like so: ;; DEBUG: TLS, The certificate is trusted. Remember to change port to 443 or port for IPV6 if different than standard 853 where applicable. To use kdig certificate verification method on an alternate port example: kdig -d @199.58.81.218 -p 443 +tls-ca +tls-host=dns.cmrg.net example.com https:/www.dnsleaktest.com/ https://www.perfect-privacy.com/dns-leaktest/ https://www.grc.com/dns/dns.htm http://www.vpninsights.com/dns-leak-test and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test https://bash.ws/dnsleak/test/ See here for TorGuard Open VPN Setup https://torguard.net/forums/index.php?/topic/1247-lede-openwrt-torguard-vpn-setup/ And now you are cooking with plenty of Gas - c'est fini c'est manifique c'est ci bon
  3. 3 points
    ====================================== TorGuard v3.85.0 Release ====================================== ChangeLog: * All platforms: Direct IP Cache more robust Sometimes, more often in MacOSX, it was possible that the Direct IP Cache file was not properly saved. With this patch, we improve the code with a double check. * All platforms: Warning dialogue when Log to File is active Recently a new option was added, to write a Debugging Log File. This option was intended only for debugging purpose and it is disabled by default. With this patch a warning will be shown when saving the settings, asking confirmation to the user. * Windows: installer improved The TAP driver installer was left behind after uninstalling the program. The bug is fixed with this patch. * MacOSX: Auto start on boot With this option checked, TorGuard will be automatically started on System boot. This option is equivalent to manually change the System Preferences -> Users & Groups -> Login Items * MacOSX: Bug fix: Hide from Dock option repaired In the last version, the Hide from Dock option was broken. With this patch we fixed the bug. ========================================== Downloads
  4. 3 points
    Hey there, 2048 bit RSA is more than adequate today, however, we are going to offer the option to choose between both very soon. Regards
  5. 2 points
    Interim further testing indicates you need to connect to your chosen VPN server on port 1912 for port forwarding to work - despite being able to choose from all connecting ports (1194, 1195 etc) for establishing your VPN on the port forwarding setup form. Obviously you can choose any unused port to forward. Don't forget you'll likely need to forward the same port as both TCP and UDP for torrenting.
  6. 2 points
    At the moment it is not possible bit but rest assured we will get some WireGuard servers going very soon Regards
  7. 2 points
  8. 2 points
    Protocol: TCP is more reliable, bypasses firewalls that ban UDP traffic. Use if A: You are behind a restricted network(School, Government, Corporate Business), or B: You only surf the web/check emails, or various other light tasks that don't require speed). UDP is more faster, best for downloading, streaming, gaming. Use this if you have no issues connecting to stuff and require fastest speeds. Cipher: Cipher is the level of encryption the VPN will use, which will basically scramble your data in a unreadable format so if someone is spying on your network connections they won't be able to see what you are accessing/visiting(Your ISP for example). Which is important to use if you are going to be accessing questionable material. AES-256-CBC will provide with the highest level of encryption. Use this if you are paranoid. SLOWEST. BF-CBC (Blowfish), offers better encryption than AES-128 with minor speed difference, this is my go to cipher. SLOW. AES-128-CBC will provide minimum level of encryption, good for most people. FAST. No Cipher - You never want to use this as it doesn't encrypt your data at all, so people can see what you are doing online. FASTEST. Note: You won't notice much difference between the highest level and lowest level of encryption unless you do a lot of downloading. You can play online games, stream content without much difference on BF-CBC or AES-256-CBC. Fastest to Slowest: No Cipher >> AES-128-CBC >> BF-CBC >> AES-256-CBC Fastest to Slowest: HMAC-SHA1 >> HMAC-SHA256 >> HMAC-SHA512 You can see all the encryption ciphers here: https://torguard.net/tgspec.php Checks to make sure the adapter is installed. It's for the killswitch feature, if you lose connection to the VPN you can instruct torguard to disable your main network device, then have it re-enabled when you try to connect again. You can leave this disabled, I think it increases the quality of the TorGuard menu if on a higher resolution monitor. I never had to use it. Cipher Warning is when you don't set an encryption level as explained above. Network tab is where you will be able to set which device you want TorGuard to disable when you lose connection. There is also various other things, like webrtc/dns leak prevention on that tab. It's rather straight forward, if there is something in particular you don't understand feel free to ask. Proxy TAB is for STEALTH connections to bypass restrictive firewalls (School, Government, Corporate and Government networks like China). Generally you shouldn't have to worry about that tab. The last tab is for dedicated ip's that you purchase through TorGuard. Set: Cipher AES-128-CBC STEALTH Protocol TCP Enable DNS Leak Prevention Enable Webrtc Leak Prevention Enable IPV6 Leak Prevention Set DNS servers to OpenDNS or Level3 or Torguard You shouldn't rely on others to give you "best" settings, as it depends on what you need the VPN to do and should be tweaked accordingly by you for best results. The proxy service gives you access to Socks5/HTTP/HTTPS/SSH proxies, which is useful for torrenting or added protection, if you don't know what a proxy is: look it up. It's just an extension for Chrome that uses SSL proxies which doesn't offer the same level of security as TorGuards VPN client. Explained above. Umm, not sure what you mean by "proxy servers from Google", I am going to assume you mean the DNS servers settings for: Google, OpenDNS. Which in that case, it's for preventing IP leaks, so you don't use your ISP's dns servers which will pass on all your hostname queries to your ISP which is bad. Google is bad pick for DNS servers if you care about privacy. Use openDNS or TorGuards servers. Hopefully that helped explain things better.
  9. 1 point
    @Support Diito from me. Any update? Or is there a way to configure the linux supplicant natively. I only connect to my dedicated IPs, so I'd happily do without the TGClient
  10. 1 point
  11. 1 point
    Same. California fixed IP not connecting.
  12. 1 point
    Release torguard-v3.98.0, 2020-02-27 ==================================== * All platforms: Upgrade to QT 5.12.6 and OpenSSL 1.1 Internal changes: ----------------- * Windows: Updated build chain Update to Visual Studio 2017 und Ninja build * Mac: Use hardened runtime The hardened runtime is now required for Apple to notarize the app. Downloads P.S. This is the last of internal changes before we start adding all the good features our users want.
  13. 1 point
    TorGuard Overlords, With the allowance of 5 simultaneous logins per account, is there any scope to create a unique username/password for these logins? Having the ability to add sub-logins would allow family members/etc to be given VPN access which can easily be revoked at a later date should the need arise. Currently, requiring the primary account holder to do a password reset to achieve the same outcome is a nuisance and requires additional overhead that could be removed with this new feature. For your consideration eikcam
  14. 1 point
    Any updates to this issue? I find this very interesting, instead of having to share master credentials.
  15. 1 point
    Release torguard-v3.97.0, 2019-12-13 ==================================== * All platforms: Use internal DNS resolver for server name lookups TorGuard now uses a full DNS resolver for looking up host names. When connected to the VPN TorGuard does not need to query a forwarding DNS server. During the initial connect and reconnects when internet connection is restricted and firewall rules block DNS TorGuard will query the DNS server configured by the system. * Windows: Fix a crash caused by 'Block Outside DNS' * MacOS: Notarize the app through Apple, so it can pass Apples GatekeeperInternal changes: ---------------- * Support secureconnect.me domains* Upgraded MacOS build chain. A complete update of the build chain (MacOS Mojave, XCode) was required due to the new notarization policy enforced by Apple. Downloads
  16. 1 point
    Hello, We are not dropping Paypal, Paypal are dropping us, there is nothing you have to do over Paypal, no ones account will end, you just pay over a different payment method. Regards
  17. 1 point
    We are working on it Amir - this won't be a whole complete design change, it will be be a more modern and smoother look though, a bit like our new Android UI. Regards
  18. 1 point
    Check out this TG openVPN install guide on an Asus with Merlin: https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/
  19. 1 point
    Try a different server perhaps or use the client and see if theres any differences. The client uses openvpn too. Ive found some servers are bad for me, see your latency of 200ms? ALSO TRY TCP...
  20. 1 point
    I just need the Tap Version not the installer, I use Open VPN. I'll google it.
  21. 1 point
    I had similar issues and it was related to using "proxy.torguard.org" because using that uses a POOL of random ip's and after awhile if your torrents become inactive or for whatever reason the proxy ip changes... it causes the connection to "time out" because the tracker is expecting a connection from the initial IP but the proxy ip has changed which causes connectivity issues as the tracker is expecting a connection from the first ip you had but your ip has changed timing out the connection. Rebooting utorrent is a fix but only temporary until the timeout happens again changing the proxy ip causing a disconnection/timeout. The fix for this was to instead use a "specific" proxy IP address xxx.xxx.xxx.xxx instead of proxy.torguard.org which fixes the timeout issue and utorrent stays connected, using a specific ip address makes the connection much more stable!.
  22. 1 point
    I have been using Torguard now for 2-3 years and it has been working Flawlessly. I use it every single day and I i NEVER experience any significant problems. You are likely Configuring something wrong, if it is not working then you have configured it wrong, i say that because i use socks5 proxy and VPN everyday flawlessly without any problems for years. The forums is not the fastest way to ask for help, if you need support or help configuring something i would suggest going through the proper channels of opening a support ticket or talking to live chat and i am sure they will assist you ASAP! I have gone into live chat a few times over the years for general questions and they always reply to me Very quickly and Professionally. Torguard is a very Professionally run VPN service with good stability/security and the support has always been top notch in my opinion. I have tested other vpn services and Torguard surely rates at the Top. It is a No logs VPN service so 5 eyes? Nothing is logged so no information can be given if asked therefore 5 eyes is of no real concern. 5 eyes can ask for something yes but with No logs they will receive no info so there is no concern. I would suggest asking your question By opening a support ticket or going through live chat.
  23. 1 point
    Hi, did you upgrade from a much older build by chance? Can I ask that you do the following so we can make sure you start fresh? 1) Go to more settings --> general tab --> click "restore defaults" and then hit save (if you can't do this move to the next step) 2) Delete the Torguard app from the applications folder and empty your trash 3) Remove this folder: /users/user/Library/Application Support/VPNetworkLLC/TorGuard 4) Flush DNS >> https://torguard.net/knowledgebase.php?action=displayarticle&catid=71&id=227 5) Reboot 6) Reinstall TG Client latest version here https://torguard.net/downloads.php Let me know how you go.
  24. 1 point
    Anyconnect worked for me a month ago. The speed was slow, but worked.
  25. 1 point
    support answer was "To be honest, there's nothing to fix here, a WAIT status doesn't indicate a problem with the client, it normally means for some reason you cannot reach the server to connect or your ISP regularly filters UDP on specific ports - does this happen with all servers/ports or just the one?" If it does happen to you then try to use other ports, i will keep in touch with support if its happening again in the future.
  26. 1 point
    Archive.is not loading is due to the site administrator's hardline policy on how some DNS servers work (or do not, according to him). CloudFlare appears to be the default choice for TG VPN users, and it is incompatible with how archive.today (aka archive.li/archive.is etc) operates their DNS. From the admin: "unlike other public DNS services, 1.1.1.1 does not support EDNS Client Subnet." The site will simply fail to load for any CloudFlare DNS users. CloudFlare support thread about this problem: https://community.cloudflare.com/t/archive-is-error-1001/18227/12 I would try setting your DNS to Google DNS. Also FWIW, archive.is admin is also recommending to stop using archive.is and use archive.today or one of his other domains instead.
  27. 1 point
    Hello, OpenDNS does keep logs of the sites you visit, we don't so i would recommend you use TG public DNS or endpoint DNS if you can. In regards to captcha's on our own IP's, we can't exactly whitelist any Vpn IP's of which thousands of users will be using, if we whitelist them then we effectively let potential hackers do as they please on the site, brute force, dos etc unchecked. We also have to protect ourselves... Regards
  28. 1 point
    Hello, I've seen many different configurations and I've asked several times in chat. What is the ideal configuration for Torguard? See attachments for what I have set. Is that safe?
  29. 1 point
    Hi. Is there any update on Wireguard Servers? @Support The main reason i interested to this Technology is very little battery usage on smartphones. OVPN usually destroy battery life. I'm testing Wireguard on my own server and battery usage close to Zero. Can you guys provide any ETA for Wireguard servers? Thanks
  30. 1 point
    Hi, I love torguard, it's very fast. I'm using it for some time now. But something I couldn't figure out is the desktop software keeps shutting down on its own 5-10 times a day for some reason. Fortunately I made the firewall block settings, and internet shuts down too, otherwise I would be exposed. I'm using the latest version. If you want me to send you some logs etc. I'll be happy to do it, but you're gonna have to tell me how because logs folder is empty in appdata. I'm using Windows 10 64bit btw.
  31. 1 point
    I have requested it for a while now. TG has assured me that this feature will be live in the next Android client release. So, you can hold your breath if you want!
  32. 1 point
    HI there Balexter The New York one is the same as you have or can use, About the streaming ip it was move from Arizona to Michigan, after it was done I did get a better speed out of it. but as you have try it I am not sure, it will help you It can also be that your ISP are throttling you when using VPN, I have been trying out difference VPN providers, and did come back to torguard as I got the best streaming speed I did try out one where then speed I got out of New York, as the was the streaming ip was only good for SD but at the same time a friend got the speed I was after. But I never got that. So after 20 days I ask for a refund
  33. 1 point
    I second that! Made feature requests with the same issues...
  34. 1 point
    Hello, I currently have gigabit internet through Rogers in Canada. I have always had much slower than my available internet problems with Tor(on different ISPs/Different internet packages/tested every server Tor has at various times) but it's starting to become ludicrously slow. I did a couple tests to various servers at various times and it's obvious that you have your service choked to around 70-85mbit down and perhaps 12 up? When is Torguard going to upgrade its servers to reflect the general increase in speed to home users to 300 megabits and gigabit? I've been patiently riding the 70-85mbit wave for a couple years now, however, nothing is advancing. Oh, please don't bother with a "we have no network issues in your area to that server blah blah" deal because I know for sure that it's you choking your servers to a set speed. Other Torguard servers/testing times/testing servers are all tested and I get the same speeds to every server Torguard has. When I'm not running Torguard, I get 850-900mbit down and 50 up so I think you can understand that my VPN not changing with the rest of the world has become very obvious and bothersome. Getting ten or less percent of my available bandwidth even with the ultra low price I pay with Tor really isn't a decision as far as continuing my service with Tor unless there's going to be network speed increases soon. A billion Tor servers across the world including Kuala Lumpur is certainly an interesting feature but the core value of a VPN is a> security/blocking yourself b> a> being at a speed that's decent relative to your network speeds. Tor certainly does an excellent job of providing security and options of servers/ips however unlike a number of the other providers, the speed isn't increasing with the times. It's bad enough that I don't even engage my VPN at a lot of times because it's just choked to be too slow. PLEASE UNDERSTAND. I've been with Torguard for a LONG time. I not only have no interest in changing providers for my VPN but I would strongly hate being forced to do so. I love the client, love all the servers, love the simplicity, love the price and ease of use...I honestly love every last thing about your service other than the speed. Unfortunately though, being choked down to less than 10 percent of my max speeds including being the best-priced VPN overwrites the rest while I'm trying to upload files to and from work. Can you offer me some information on when/if Torguard plans on upgrading network speeds? Even if you have a timetable for it, I would be interested in knowing it. I LOVE Torguard, I just can't keep watching my speeds slowwwwllly ease up or down.
  35. 1 point
    Release torguard-v3.88.0, 2018-08-22 ==================================== * All platforms: New Loading Screen This version introduces a new loading screen beeing displayed, while the VPN is started. It unifies the user interaction during the "VPN startup phase" and replaces various dialog boxes. The "VPN startup phase" begins when the user clicks on the "Connect" button and lasts until OpenVPN or OpenConnect has been successfully started. During the "VPN startup phase" network interfaces, routes, DNS, etc. are being prepared and configured. The new screen will display step by step what is going on during the "VPN startup phase". It should help the user understanding why a the connection process might take long or does not proceed. Some steps, e.g. enabling an interface that was disabled by the Internet Kill Switch or waiting for the default route, can be skipped by the user but then must also be fixed by the user. Previous versions did allow the user to skip the same steps by displaying a dialog box after a certain timeout. Warning: Using the skip function might leave the function partly uninitialized and should be used carefully. But that has been true for previous versions too. Internal Changes: ----------------- * All platforms: Refactor connect method These internal changes prepare the application for being divided into a backend service and a separate frontend. Downloads
  36. 1 point
    Hey so i paid for a Proxy specifically. After I completed the purchase... I downloaded it, and only have the option of running a VPN. I was needing a proxy though. Can someone please help me figure this out.? Thank you, Trevor.
  37. 1 point
    Hi Sam A streaming IP will work for streaming services, not all but most - they normally come from regular cloud or IP providers, they do not support torrents A Residential IP will likely work for almost anything, streaming, online gaming you name it, they appear from providers such as Time Warner so they look like an IP you would receive from your home ISP - they appear to be more legit and far less likely to be blocked - they also do not support torrents. Regards
  38. 1 point
    It won't be an overhaul just a general improvement at first Security, speed and functionality are most important to us. Regards
  39. 1 point
    Marco - thanks for the feedback - yes the next release will have the VPN reconnect if the screen goes off, it is already done in the next release We also have Always-On on our dev list and will look into that option for our next release also. Regards
  40. 1 point
    Seeing this feature abandoned for so long is making me question if I should be seeking another VPN provider.
  41. 1 point
    Thanks, Marco - we are looking into this. Regards
  42. 1 point
    This is coming yes, im sorry for the delayed reply to your thread but this has been noted down for net release Regards
  43. 1 point
    Both are good options - the shadowsocks (stealth proxy) will be removed in our next release - we find it slower than stunnel and less adequate at bypassing certain firewalls. Regards
  44. 1 point
  45. 1 point
    Hi Robyn If you use many different Wifi hotspots it may be that on some of them block the ports required for IKEv2 but not plain ipsec or vice versa, IKEv2 is commonly blocked on some networks. What version of the iOS are you running just now? have you tried the on-demand option, is this checked?
  46. 1 point
    I don't have much knowledge on the subject and need someone to explain certain aspects to me. I have done some research but online research isn't very friendly to someone who has limited knowledge on the subject in the first place. This thread could also be a future reference to others who use the VPN but are not very informed on what certain aspects are. - What's the different between OpenVPN and OpenVPN V2.4? -What's the different between enabling STunnel and not enabling it on the Torguard Client? -Should I be using STunnel? -Does stealth actually hide what VPN server i'm connecting to (NY, LA, Etc.), or does it only disguise my traffic to look like normal traffic from said server? -Is there any way around websites which specifically block the use of VPN's or proxies? Stealth connections don't seem to work all the time, at least for me.
  47. 1 point
    Torguard pls. respond to this inquiry.
  48. 1 point
    As we use TLS Auth using SHA1 via openvpn is fine - port 443 is a good port to use. Direct IP bypass DNS lookups on our hostnames, this helps if our hostnames are DNS blocked in the network you are connecting through. Our VPN DNS should be faster but i would test those for yourself. Regards
  49. 1 point
    Please try flush your DNS cache and reboot - then retest, if you still have problems go to more settings >> network tab >> set a new DNS option for when the VPN is "connected". Then connect and retest. Regards
  50. 1 point
    Uk Manchester other providers have manchester
×
×
  • Create New...