add community.list. Switched to dnscrypt-proxy2

README.md

@@ -67,6 +67,14 @@ ansible-playbook playbooks/hirkn.yml
 
 После выполнения playbook роутер сразу начнёт выполнять обход блокировок через Wireguard сервер.
 
+# DNSCrypt-proxy2
+
+Если у вас уже стоит dnscrypt-proxy первой версии, его необходимо удалить
+```
+opkg remove dnscrypt-proxy
+```
+Во второй версии есть отказоустойчивость из коробки.
+
 # "DST Root CA X3" issue
 С версии 19* по 20.02.0 есть проблема со скачиванием файлов c https://antifilter.download/. Там используется LE сертификат.
 

playbooks/hirkn.yml

@@ -44,7 +44,7 @@
       
   - name: install dnscrypt
     opkg:
-      name: dnscrypt-proxy
+      name: dnscrypt-proxy2
       state: present
       
 # Hirkn script configure
@@ -232,6 +232,20 @@
          hashsize: 9900000
          maxelem: 9900000
 
+  - name: add ipset for community
+    uci:
+       command: section
+       config: firewall
+       type: ipset
+       find_by:
+         name: vpn_community
+       value:
+         match: dst_net
+         storage: hash
+         loadfile: /tmp/lst/community.lst
+         hashsize: 9900000
+         maxelem: 9900000
+
   - name: add mark rule vpn_subnet
     uci:
        command: section
@@ -264,18 +278,34 @@
          target: MARK
          family: ipv4
 
+  - name: add mark rule vpn_community
+    uci:
+       command: section
+       config: firewall
+       type: rule
+       find_by:
+         name: mark_community
+       value:
+         src: lan
+         dest: "*"
+         proto: all
+         ipset: vpn_community
+         set_mark: "0x1"
+         target: MARK
+         family: ipv4
+
   - name: uci commit firewall
     uci:
       command: commit
       config: firewall
 
-# Configure dnscrypt
+# Configure dnscrypt2
 
-  - name: dnscrypt config
-    template:
-      src: "{{ ansible_template_dir }}openwrt-dnscrypt-proxy.j2"
-      dest: "/etc/config/dnscrypt-proxy"
-      mode: 0644
+  - name: dnscrypt2 enable exact servers
+    lineinfile:
+      path: /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
+      regexp: "# server_names ="
+      line: "server_names = ['google', 'cloudflare', 'scaleway-fr', 'yandex']"
 
   - name: edit dhcp config. resolvfile commented
     lineinfile:
@@ -289,7 +319,7 @@
       insertafter: "#option resolvfile"
       line: "{{ item }}"
     with_items:
-      - "        list server '127.0.0.1#5353'"
+      - "        list server '127.0.0.53#53'"
       - "        list server '/pool.ntp.org/208.67.222.222'"
   
   - name: enable and start dnscrypt-proxy

templates/openwrt-dnscrypt-proxy.j2

@@ -1,4 +0,0 @@
-config dnscrypt-proxy ns1
-        option address '127.0.0.1'
-        option port '5353'
-        option resolver 'scaleway-fr'

templates/openwrt-hirkn.j2

@@ -10,12 +10,14 @@ echo "Run download lists"
 {% if download_utility == "curl" %}
 curl -z $dir/subnet.lst https://antifilter.download/list/subnet.lst --output $dir/subnet.lst
 curl -z $dir/ip.lst https://antifilter.download/list/ip.lst --output $dir/ip.lst
+curl -z $dir/community.lst https://community.antifilter.download/list/community.lst --output $dir/community.lst
 
 {% elif download_utility == "wget" %}
 rm -f /$dir/subnet.lst && wget -P $dir https://antifilter.download/list/subnet.lst
 rm -f /$dir/ip.lst && wget -P $dir https://antifilter.download/list/ip.lst
+rm -f /$dir/community.lst && wget -P $dir https://community.antifilter.download/list/community.lst
 
 {% endif %}
 
 echo "Firewall restart"
-/etc/init.d/firewall restart
+/etc/init.d/firewall restart