Jump to content
TorGuard

All Activity

This stream auto-updates     

  1. Today
  2. Tama

    Disappointed

    I have been using this just for 5 days and from what i have experienced this isn't what i was expecting. In netflixit doesn't work in us in spain and in any country i tried except japan. Also in amazon prime video in any country worked. And i request 2 things a solution with netflix and amazon prime or the money i expended in this service.
  3. Yesterday
  4. pfsense original post here : https://forum.netgate.com/topic/144992/pfsense-dns-over-tls-updated-now-dead-simple ( also read johnpoz replies ) pfSense DNS OVER TLS UPDATED NOW ! DEAD SIMPLE Dear Community, NOW ! is the time for all of US ( A ) to GET INVLOVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=SmrZRcfYWvA I noticed on https://www.freshports.org/dns/getdns/ that ever since getdns 1.5.2_1 - stubby is included in the package by default. This got me to thinking about how to install DNS Privacy DNS OVER TLS on pfSense ( Special Thanks and Kudos to Ryan Steinmetz aka zi - the port maintainer and developer getdns on FreeBSD ). This is an updated guide / tutorial which explains how to setup adding DNS-Over-TLS support for pfSense - Please disregard and do not use any guides and / or tutorials which pre-date this one which covers installation and configuration of DNS Privacy on pfSense FireWall. I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here : https://getdnsapi.net/ https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound - please read this carefully - you will note that it indicates : Unbound As A DNS TLS Client Features:Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder). These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt I always set up DNS OVER TLS first before configuring OpenVPN on pfSense - this DNS solution works flawlessly with OpenVPN. So here we go. So let's get started - just follow these steps below in order to install and configure getdns and stubby on your pfSense FireWall. I did the following and it worked out great. 1 - There are four dependency packages required before actually installing the getdns package. Two are available in the pfSense package repositories and two from the FreeBSD repository. Lastly the getdns package itself is also in the FreeBSD repository. So to begin enter these commands below in the order : A # pkg install libuv B # pkg install libyaml - Go to https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ as pfSense is based on FreeBSD 11 - C # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libev-4.24,1.txz D # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn-1.35.txz Lastly, install getdns along with stubby E # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/getdns-1.5.2_1.txz GetDNS and Stubby are now installed on pfSense FireWall. In order to configure UNBOUND along with stubby ( and getdns ) follow the steps below. 1 - Now Ryan Steinmetz aka zi - the port maintainer and developer of this port was kind enough to include a start up script ( stubby.in ) for this package. See the stubby.in here in the raw : https://svnweb.freebsd.org/ports/head/dns/getdns/files/stubby.in?view=markup. All I had to do was ask him and he did for any and all who elect to use this great piece of FreeBSD software. 2 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs Unbound root.key - run this command before getting started: # su -m unbound -c /usr/local/sbin/unbound-anchor Then - A - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh Make it executable - I run two commands - it works for me: # chmod 744 /usr/local/etc/rc.d/stubby.sh # chmod a+x /usr/local/etc/rc.d/stubby.sh B - Yes must enable Stubby Daemon in the file - open file by : nano /usr/local/etc/rc.d/stubby.sh go to line 27 - : ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit. 3 - You can and should also check real time status of DNS Privacy Servers as they are experimental and are not always stable - you can monitor DNS TLS Servers Real Time Status here below: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ I have read here: https://www.monperrus.net/martin/randomization-encryption-dns-requests that Also, it is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses. Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml VERY IMPORTANT UPDATE: After checking, rechecking and the triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/ I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is: nano /usr/local/etc/stubby/stubby.yml resolution_type: GETDNS_RESOLUTION_STUB round_robin_upstreams: 1 tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 edns_client_subnet_private: 1 idle_timeout: 60000 listen_addresses: - [email protected] dns_transport_list: - GETDNS_TRANSPORT_TLS tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 upstream_recursive_servers: # IPV4 Servers ### DNS Privacy Test Servers ### #The DNS Warden DNS TLS Primary Server alternate tls_auth_name: adblock-dot.dnswarden.com and dot1.dnswarden.com - address_data: 116.203.70.156 tls_auth_name: "uncensored-dot.dnswarden.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0= #The DNS Warden DNS TLS Secondary Server alternate tls_auth_name: adblock-dot.dnswarden.com and dot2.dnswarden.com - address_data: 116.203.35.255 tls_auth_name: "uncensored-dot.dnswarden.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0= ### Test servers ### #The BlahDNS German DNS TLS Server - address_data: 159.69.198.101 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: RzMGlPVE8DlsiA9DQRuW9CoVkwFBjS8j+we5PZ3eE0c= #The BlahDNS Japan DNS TLS Server - address_data: 108.61.201.119 tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 427fIEGdHRXL9C6i+PzEk+CstsrmNGXJaAnu9ECu+Hk= ## The Surfnet/Sinodun DNS TLS Server - address_data: 145.100.185.18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= # The securedns.eu DNS TLS Server alternate tls_auth_name: ads-dot.securedns.eu - address_data: 146.185.167.43 tls_auth_name: "dot.securedns.eu" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g= #The dns.seby.io - Vultr DNS TLS Server - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw= #The Primary appliedprivacy.net DNS TLS Server - address_data: 37.252.185.232 tls_auth_name: "dot1.appliedprivacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: TvTo5uauOH66/Vnxl2QHwBhN9xdU0Zp1Jeqi+byC1p4= #The Secure DNS Project by PumpleX DNS TLS Server - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: yevnTQfRqEOU1W8rUBABZRgToMgAwRn0eH7zJeBcq0s= #The ibksturm DNS TLS Server - address_data: 178.82.102.190 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: TjpalBJr0Ir27Dr59lXky4PXN0yTAoW92ddF8lBxYBQ= Save and Exit All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details : https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under " Logging " column. Use either or both of these two methods to verify QNAME Minimisation A - Run command : drill txt qnamemintest.internet.nl and / or B - Run command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for more complete readout including DNSSEC results ). AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated) The results in any of these scenarios will show either: "HOORAY - QNAME minimisation is enabled on your resolver :)!” or “NO - QNAME minimisation is NOT enabled on your resolver :(.” Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4 You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration. Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default. However, I still add these settings manually. These settings are entered under Unbound " Custom Options": qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes 4- Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS. UNBOUND GENERAL SETTINGS Network Interfaces = Select ALL ! Under Custom options enter the following : server: do-not-query-localhost: no forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] ## END OF ENTRY Outgoing Network Interfaces = Select ALL ! Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings Next -Under System > Settings > General Settings Set the first DNS Server to 127.0.0.1 with no gateway selected / Make sure that DNS server option A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked ! and DNS server option B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not - I repeat - Is Not Checked ! I now only run 127.0.0.1 ( Localhost ) configured as the only DNS SERVER on my WAN interface. If others were added to WAN, when I ran dig or drill commands /etc/resolv.conf allowed those addresses to be queried. I only want to use Stubby yml Name Servers for DNS TLS , so this was the determinative factor in my reasoning and decision. - Save and Apply Settings C'est Fini C'est Ci Bon C'est Magnifique Reboot your router just to sure. Lastly, you can check your DNS at GRC DNS Nameserver Spoofability Test - DNSLeak.com - or any such service. Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server. VERY IMPORTANT TIP: Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares: DoT servers The following servers are experimental DNS-over-TLS servers. Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!! For these reasons it is most important to check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time. There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to https://blahdns.com/ and scroll down to the section to the yellow section entitled What is DNS OVER TLS click on it and it will open up. When you do it will state some general information, but what you want to pay attention to is this section: How to get SPKI gnutls-cli --print-cert -p 853 185.49.141.37 - where you must pkg install gnutls OR echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 Remember to change port to 443 or port for IPV6 if different than standard 853 where applicable. https://www.dnsleaktest.com/ https://www.perfect-privacy.com/dns-leaktest https://cryptoip.info/dns-leak-test https://www.grc.com/dns/dns.htm https://www.vpninsights.com/dns-leak-test and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test https://bash.ws/dnsleak/test/ Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security. Special thanks to all who helped me with this project. Thank you all and God Bless Always In Peace, ubernupe
  5. Taurean

    TorGuard Client v3.96.0

    This was first requested by someone else more than 3 years ago, though.
  6. Support

    TorGuard Client v3.96.0

    This will come but we have many (essential) features on the go that we want to get out very soon. The fix is included yes as it was in the previous release. Regards
  7. Taurean

    TorGuard Client v3.96.0

    Please add command-line options, at least for disconnection and exit. I need it for my scripts.
  8. tumbleweedsxm

    TorGuard Client v3.96.0

    Hello. Does this update fix the earlier network and certificate issues that was posted sometime earlier within the forums?
  9. Please add command-line options as soon as possible. I don't want to force terminate it in my script.
  10. Support

    TorGuard Client v3.96.0

    Release torguard-v3.96.0, 2019-07-16 ==================================== * All platforms: fixes wobbly windows on connect * All platforms: widgets are now aligned in a unified way * All platforms: show "n/a" in status screen if the current IP could not be detected When the VPN is connected, TorGuard tries to verify the connection, checking the current IP. In a normal situation, the user will see a "Verified!" label. If the IP information is not available, the correct label to show is "n/a" (not available) instead of "Detection Failed". In the latter situation, a tooltip will suggest to retry the IP detection, clicking on the "Refresh" button. Internal changes: ----------------- * QNAP: early stage support Downloads
  11. The torguard app is ever present in my notifications when not in use. I've tried 'minimizing' the notification but it comes right back. I might just be OCD but this is super annoying, enough so that I'm considering uninstalling the app and using something else. How do I remove the torgaurd app notification when it is not connected?
  12. stevman17

    Torguard Windows Client Crash Windows 10 [1803]

    This solution fixed my problem where the TorGuard app wasn't loading at all after an upgrade to Windows 10 from Windows 7. Thanks.
  13. Last week
  14. Dear Community, First you all know the drill by now - " The Intro " we would all have a better world if remembered to practice " Baby Love " lyrics : https://genius.com/Mothers-finest-baby-love-lyrics and video : https://www.youtube.com/watch?v=Z1LCj0Gkq94 Since version OPNsense 18.7 - you may install stubby and getdns on OPNsense by simply issuing command # pkg install getdns ( Special Thanks and Kudos to Franco and the marvelous OPNsense Development Team ) - Please disregard and do not use any guides and / or tutorials which pre-date this one which covers installation and configuration of DNS Privacy on OPNsense FireWall. This is an updated guide / tutorial which explains how to setup adding DNS-Over-TLS support for OPNsense. I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here : https://getdnsapi.net/ https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound - please read this carefully - you will note that it indicates : Unbound As A DNS TLS Client Features:Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder). These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt I always set up DNS OVER TLS first before configuring OpenVPN and / or WireGuard on OPNsense - this DNS solution works flawlessly with either VPN protocol. So here we go. So get ahead and issue command # pkg install getdns in order to get started. After installing getdns which includes stubby follow the steps below. 1 - Now Ryan Steinmetz aka zi - the port maintainer and developer of this port was kind enough to include a start up script ( stubby.in ) for this package. See the stubby.in here in the raw : https://svnweb.freebsd.org/ports/head/dns/getdns/files/stubby.in?view=markup. All I had to do was ask him and he did for any and all who elect to use this great piece of FreeBSD software. 2 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. First though Stubby needs Unbound root.key - run this command before getting started: # su -m unbound -c /usr/local/sbin/unbound-anchor Then - A - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh Make it executable - I run two commands - it works for me: # chmod 744 /usr/local/etc/rc.d/stubby.sh # chmod a+x /usr/local/etc/rc.d/stubby.sh B - Yes must enable Stubby Daemon in the file - open file by : nano /usr/local/etc/rc.d/stubby.sh go to line 27 - : ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit. 3 - You can and should also check real time status of DNS Privacy Servers as they are experimental and are not always stable - you can monitor DNS TLS Servers Real Time Status here below: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/ I have read here: https://www.monperrus.net/martin/randomization-encryption-dns-requests that Also, it is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses. Now you must configure Stubby to resolve DNS OVER TLS - nano /usr/local/etc/stubby/stubby.yml VERY IMPORTANT UPDATE: After checking, rechecking and the triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/ I will save you some considerable leg work and post below the best configuration for your stubby.yml file. Here it is: nano /usr/local/etc/stubby/stubby.yml resolution_type: GETDNS_RESOLUTION_STUB round_robin_upstreams: 1 tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 edns_client_subnet_private: 1 idle_timeout: 60000 listen_addresses: - [email protected] dns_transport_list: - GETDNS_TRANSPORT_TLS tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 upstream_recursive_servers: # IPV4 Servers ### DNS Privacy Test Servers ### #The DNS Warden DNS TLS Primary Server alternate tls_auth_name: adblock-dot.dnswarden.com and dot1.dnswarden.com - address_data: 116.203.70.156 tls_auth_name: "uncensored-dot.dnswarden.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0= #The DNS Warden DNS TLS Secondary Server alternate tls_auth_name: adblock-dot.dnswarden.com and dot2.dnswarden.com - address_data: 116.203.35.255 tls_auth_name: "uncensored-dot.dnswarden.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0= ### Test servers ### #The BlahDNS German DNS TLS Server - address_data: 159.69.198.101 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: RzMGlPVE8DlsiA9DQRuW9CoVkwFBjS8j+we5PZ3eE0c= #The BlahDNS Japan DNS TLS Server - address_data: 108.61.201.119 tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 427fIEGdHRXL9C6i+PzEk+CstsrmNGXJaAnu9ECu+Hk= ## The Surfnet/Sinodun DNS TLS Server - address_data: 145.100.185.18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= # The securedns.eu DNS TLS Server alternate tls_auth_name: ads-dot.securedns.eu - address_data: 146.185.167.43 tls_auth_name: "dot.securedns.eu" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g= #The dns.seby.io - Vultr DNS TLS Server - address_data: 139.99.222.72 tls_auth_name: "dot.seby.io" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw= #The Primary appliedprivacy.net DNS TLS Server - address_data: 37.252.185.232 tls_auth_name: "dot1.appliedprivacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: TvTo5uauOH66/Vnxl2QHwBhN9xdU0Zp1Jeqi+byC1p4= #The Secure DNS Project by PumpleX DNS TLS Server - address_data: 51.38.83.141 tls_auth_name: "dns.oszx.co" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: yevnTQfRqEOU1W8rUBABZRgToMgAwRn0eH7zJeBcq0s= #The ibksturm DNS TLS Server - address_data: 178.82.102.190 tls_auth_name: "ibksturm.synology.me" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: TjpalBJr0Ir27Dr59lXky4PXN0yTAoW92ddF8lBxYBQ= Save and Exit All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details : https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under " Logging " column. Use either or both of these two methods to verify QNAME Minimisation A - Run command : drill txt qnamemintest.internet.nl and / or B - Run command: dig txt qnamemintest.internet.nl +short and / or dig -t txt qnamemintest.internet.nl ( for more complete readout including DNSSEC results ). AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated) The results in any of these scenarios will show either: "HOORAY - QNAME minimisation is enabled on your resolver !” or “NO - QNAME minimisation is NOT enabled on your resolver .” Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4 You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration. Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default. However, I still add these settings manually. These settings are entered under Unbound " Custom Options": qname-minimisation: yes qname-minimisation-strict: yes harden-below-nxdomain: yes 4 - In order to have OPNsense use default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following : # nano /etc/rc.conf.d/stubby - in the new file enter the following two lines: stubby_enable="YES" stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh" Save and exit / then make the file executable - once again - works for me : # chmod 744 /etc/rc.conf.d/stubby # chmod a+x /etc/rc.conf.d/stubby 5- Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS. UNBOUND GENERAL SETTINGS Network Interfaces = Select ALL ! Under Custom options enter the following : server: do-not-query-localhost: no forward-zone: name: "." # Allow all DNS queries forward-addr: [email protected] ## END OF ENTRY Outgoing Network Interfaces = Select ALL ! Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings Next -Under System > Settings > General Settings Set the first DNS Server to 127.0.0.1 with no gateway selected / Make sure that DNS server option A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked ! and DNS server option B - Do not use the DNS Forwarder/Resolver as a DNS server for the firewall Is Not - I repeat - Is Not Checked ! I now only run 127.0.0.1 ( Localhost ) configured as the only DNS SERVER on my WAN interface. If others were added to WAN, when I ran dig or drill commands /etc/resolv.conf allowed those addresses to be queried. I only want to use Stubby yml Name Servers for DNS TLS , so this was the determinative factor in my reasoning and decision. - Save and Apply Settings C'est Fini C'est Ci Bon C'est Magnifique Reboot your router just to sure. Lastly, you can check your DNS at GRC DNS Nameserver Spoofability Test - DNSLeak.com - or any such service. Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server. VERY IMPORTANT TIP: Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares: DoT servers The following servers are experimental DNS-over-TLS servers. Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!! For these reasons it is most important to check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time. There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to https://blahdns.com/ and scroll down to the section to the yellow section entitled What is DNS OVER TLS click on it and it will open up. When you do it will state some general information, but what you want to pay attention to is this section: How to get SPKI gnutls-cli --print-cert -p 853 185.49.141.37 - where you must pkg install gnutls OR echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 Remember to change port to 443 or port for IPV6 if different than standard 853 where applicable. https://www.dnsleaktest.com/ https://www.perfect-privacy.com/dns-leaktest https://cryptoip.info/dns-leak-test https://www.grc.com/dns/dns.htm https://www.vpninsights.com/dns-leak-test and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test https://bash.ws/dnsleak/test/ Now all you need to do is run is a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security. Special thanks to all who helped me with this project. Thank you all and God Bless Always In Peace, directnupe
  15. Jay70

    TorGuard Certificate and Network Upgrades

    I don't know if it has been said yet, but I had to use Windows10 to uninstall TOR, then reboot and install it from the EXE again. It did keep my settings though! It just doesn't work when you click to Upgrade, or if you try to run the EXE over top of an installation that is already there. Maybe this will help someone else keep their sanity!
  16. Support

    TorGuard Certificate and Network Upgrades

    Could you submit a ticket and we can maybe have a look for you? https://torguard.net/submitticket.php Please reference this thread. Regards
  17. Donut

    TorGuard Certificate and Network Upgrades

    Did that and I select the certificate and get a 'name the certificate' pop up. I type in a random name and then receive the 'no certificates found' pop up as before. its and endless cycle that gets me nowhere.
  18. Support

    TorGuard Certificate and Network Upgrades

    Hello, The certificate you need is here https://torguard.net/tgcerts.php - the OpenVPN CA, you can also generate configs here https://torguard.net/tgconf.php?action=vpn-openvpnconfig if using the OpenVPN connect app - this will include the latest CA. In regards to the fireTV, clearing your app cache and reinstalling the app should do the trick. If you are using the torguard app on your iPhone, you are not affected - this sues IPSec, if you are using the OpenVPN connect app, regenerate your config here https://torguard.net/tgconf.php?action=vpn-openvpnconfig Please open a ticket so we can check out what's going on with your TG Canada IP. Regards
  19. Brandis

    TorGuard Certificate and Network Upgrades

    Downloaded the latest version of the TorGuard client for MacOS (3.95.1). My US dedicated IP works fine, only can't connect to my Canada dedicated IP.
  20. Fatbelly

    TorGuard Certificate and Network Upgrades

    I am having the same problem on my iPhone. I removed and re-install the latest torguard app. No use, We should fix this ASAP else of asking for a refund. This is so crap
  21. Donut

    TorGuard Certificate and Network Upgrades

    I've been using OpenVPN on my Chromebook and FireTV. When it stopped working I came to check on here to see what the problem was. On my Chromebook I resorted to connecting the L2TP method as that was the only way to get by for the time being. OpenVPN is whats giving me problems. It keeps asking for a certificate now. I went here https://torguard.net/downloads/ta.key and tried to import that but OpenVPN wants a .pfx or .p12 file extension. Tried renaming the file extension to either to see if by chance thatd work but then it asks for a password to extract the certificate. Couldnt get past that as no password I tried worked. Only temporary fix was using the torguard app on the chromebook but the issue ive had with that is that once the app is in the background for a few minutes the connection drops because the app is seen as not active. This is why the OpenVPN app was what I always used since it stays active when in the background. Not sure whats the proper procedure to fix all this. Never had any issues up until recently. I too received no such email noting these network changes. I checked the spam folder and nothing.
  22. slippyslappy

    TorGuard Certificate and Network Upgrades

    Your NAS should have some sort of failsafe. If not that's on you. My Unraid server goes offline when the VPN gets disconnected.
  23. Support

    Stuck on WAIT

    Hi Stu, please reinstall the app from here https://torguard.net/downloads.php this will resolve your problem. Regards
  24. stu111

    Stuck on WAIT

    Hi Guys, on windows 10 there was an update. while starting the laptop. I can not use torguard because it says to every server connection, waiting then reconnecting. Someone said update DNS, how do i do that on the app. nothing under DNS says update?
  25. fiapoco

    TorGuard Certificate and Network Upgrades

    oh yeah, you guys should modify your update notices/emails regarding changes which could potentially cause problems for customers/users so that they must acknowledge the receipt of the update notice/warning and if they don't by the time you are ready to pull the trigger on the actual update, temporarily suspend their service or something equally drastic to prevent their continued use so that they are not unwittingly exposing themselves to the net/isp. Keeping that from happening is the whole reason we are willing to pay for VPN service. Just a thought, Seems like this update/change caused a lot of problems - just trying to help.
  26. fiapoco

    TorGuard Certificate and Network Upgrades

    solved my problem. Thanks folks, TorGuard rocks!
  27. jimy

    TorGuard Certificate and Network Upgrades

    This is probably going to cost me a lot of money. I have installed the VPN on my NAS to be able to download torrents, I trusted that your service will be working. Seriously I'm really pissed with this. I didn't get any alert from you guys. Really disappointing.
  28. fiapoco

    TorGuard Certificate and Network Upgrades

    I am an old pencil-pushing user who pitched a b**** because I couldn't make my brand new installation of Torguard connect and I assumed that I had somehow screwed up the complicated and not overly noobie-user friendly instructions on the update dealies. Turns out the instructions were just fine because I had in fact correctly followed the instructions and all I had to do was go to that link and let the system generate a random userID and password. Bingo! I'm on the innertrawebs!! for you guys/gals having problems connecting after doing this update, just remember some old internet geezer got it right the first time (even tho he didn't know it at the time). Just trust the instructions and let the system generate a lovely random sign-in for you and you'll be on the outerintraweb when you insert the new random sign-in into the appropriate ClientVPN fields. To the folks in TorGuard Support who i totally annoyed yesterday, my sincere apologies. Can you see my red face? I actually had done the whole update thing correctly and just screwed up inputting the user id and p/w. Changing to the random sign-in data solved m rolem.
  1. Load more activity
×