Comments (61)
Just wanted to leave a note with my experience here. EdgeOS 2.x is based on Debian stretch which has "apt" and other commands used in the script.
The UniFi USG runs EdgeOS 1.x which is based on Debian wheezy (no apt, only apt-get).
The script currently detects the OS incorrectly as Debian and not EdgeOS because the version string in /etc/version is different from the regex in the install script:
cat /etc/version
UniFiSecurityGateway.ER-e120.v4.4.50.5272448.200215.0243
I modified the install script locally to detect it as EdgeOS and use binary install rather than debian packages and was able to get up and running. Still working through testing reboot/reprovision persistence. Note: using the "router" mode automatic setup will bind to 5432 to not interfere with dnsmasq. You will need to update your config.gateway.json overrides in the UniFi Controller (e.g. CloudKey) to match so that reprovision doesn't wipe stuff out. If you're enabling device names, there's a couple of extra options which I found in the nextdns client source here:
https://github.com/nextdns/nextdns/blob/master/router/edgeos/setup.go#L74-L78
Router mode seems to rewrite the dnsmasq config directly, ignoring what's in the edgeos configuration.
In recent controller versions (I'm running 5.12.66) the controller DNS settings seem to override anything you put in config.gateway.json (ironic, right?). So to ensure that everything goes through the NextDNS CLI, I've set them to 127.0.0.1 in the UniFi controller as well, though that still doesn't quite seem right, since you cannot specify an alternate port number in the UI, nor does it seem like you can override it in config.gateway.json anymore.
from nextdns.
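As an added example (not code from the nextdns installer), a small POSIX sh pre-flight that covers the detection cases reported in this thread: the USG /etc/version string quoted above, the missing /etc/version on the UDM Pro reported further down, apt versus apt-get on EdgeOS 2.x versus 1.x, and curl versus wget. The USG string is taken from the thread; the EdgeRouter string layout and the sample EdgeRouter value are assumptions.

```shell
#!/bin/sh
# Added example, not the nextdns install.sh: pre-flight detection for
# Ubiquiti gateways based on the /etc/version strings quoted in this thread.
# The USG string is real (from the thread); the EdgeRouter layout is assumed.

# Classify a gateway from the contents of /etc/version ("" when the file is
# missing, which is what the UDM Pro reports). Prints: usg | edgeos | unknown
classify_version() {
    case "$1" in
        "") echo unknown ;;                        # no /etc/version at all (UDM Pro)
        UniFiSecurityGateway.*) echo usg ;;        # USG 3P / USG Pro 4
        *.v[0-9]*.[0-9]*.[0-9]*) echo edgeos ;;    # assumed: <product>.<board>.v<ver>.<date>.<time>
        *) echo unknown ;;
    esac
}

# Pull the firmware version (e.g. 4.4.50.5272448) out of a USG version string.
usg_firmware() {
    printf '%s\n' "$1" |
        sed -n 's/^UniFiSecurityGateway\.[^.]*\.v\([0-9.]*\)\.[0-9]\{6\}\.[0-9]\{4\}$/\1/p'
}

# Print the first command from the argument list that exists on this box.
# Used for apt vs apt-get (EdgeOS 2.x vs 1.x) and curl vs wget (see below).
pick_first() {
    for c in "$@"; do
        if command -v "$c" >/dev/null 2>&1; then echo "$c"; return 0; fi
    done
    return 1
}

# Map the device class to an install strategy:
#   usg    -> static binary under /config (no apt, and apt-get update fails
#             against the repo in this thread)
#   edgeos -> deb repository via apt/apt-get
#   other  -> abort rather than guess (the installer's "Cannot detect" case)
install_method() {
    case "$1" in
        usg) echo binary ;;
        edgeos) echo deb ;;
        *) echo abort ;;
    esac
}

# Read the real /etc/version on the device and print the resulting plan.
preflight() {
    ver=""
    [ -r /etc/version ] && ver=$(cat /etc/version)
    os=$(classify_version "$ver")
    echo "OS: $os  method: $(install_method "$os")"
    [ "$os" = usg ] && echo "USG firmware: $(usg_firmware "$ver")"
    echo "package tool: $(pick_first apt apt-get || echo none)"
    echo "downloader:   $(pick_first curl wget || echo none)"
}

if [ "${1:-}" = --run ]; then preflight; fi
```

Run it on the gateway as `sh preflight.sh --run` to see which branch the device would take before touching any package sources.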
I can try it in a bit. Do we know if the Unifi USG will keep the config or will it get overwritten on a reboot/upgrade/provision operation from the controller?
PS - keep up the great work, been telling everyone I know in IT to test the service!
from nextdns.
I have a backup USG-3 I can test on with a re-provisioning as well before I push it to my production USG. I keep that smaller spare on hand for isolated testing like this. I will report back.
from nextdns.
@rs woot woot!
PS - nice job adding the block page option too!
from nextdns.
Is there any progress on this? I would love to be able to run this on a USG as well.
from nextdns.
Can you guys please test the installer on USG and report any issue?
from nextdns.
Yes please contact us on chat.
from nextdns.
The mips64 detection was broken. Can you please test with:
sh -c "$(curl -sL https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh)"
from nextdns.
I tested as a standalone. It should survive reboots and upgrades, not sure about controller provisioning.
from nextdns.
Well bugger, my spare USG-3 seems to be dead.... hmm.... I don't have another one to test on besides my production USG-Pro. I gave it a try anyhow and got this:
Welcome to EdgeOS on UniFi Security Gateway!
********************** WARNING! **********************
* Configuration changes made here are not persistent. *
* They will be overwritten by the controller on next *
* provision. Configuration must be done in controller. *
********************************************************
Last login: Sat Jan 4 11:52:28 2020 from 192.168.100.162
admin@Gateway:~$ sh -c "$(curl -sL https://github.com/nextdns/nextdns/blob/master/install.sh)"
sh: -c: line 6: syntax error near unexpected token `newline'
sh: -c: line 6: `<!DOCTYPE html>'
My experience with the UniFi stuff is, depending on the change, it needs to be in a JSON file on the controller to remain persistent, but I can always see if it removes the settings with a forced provision if we can get the installer to work.
from nextdns.
However, now the original commands seem to run, but wget is missing.... These USGs are finicky...
Did you test on an EdgeRouter or a USG? Just curious.
admin@Gateway:~$ sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
INFO: OS: debian
INFO: GOARCH: mips64
INFO: GOOS: linux
i) Install NextDNS
q) Quit
Choice (default=i): i
INFO: Installing NextDNS...
sh: line 148: wget: command not found
gpg: no valid OpenPGP data found.
deb https://nextdns.io/repo/deb stable main
sudo: apt: command not found
sudo: apt: command not found
sudo: apt: command not found
ERROR: install: exit 0
from nextdns.
EdgeRouter. Isn’t curl installed on your router? It should not use wget.
from nextdns.
The mips64 detection was broken. Can you please test with:
sh -c "$(curl -sL https://github.com/nextdns/nextdns/blob/master/install.sh)"
This should be the raw link:
https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh
from nextdns.
Correct, sorry about that
from nextdns.
The installer uses wget to install the deb signing key. I will fix that and use curl when available.
Can you confirm curl is installed and working with https? If not, is the openssl command?
from nextdns.
Curl is installed on a USG...yes
admin@Gateway:~$ curl
curl: try 'curl --help' or 'curl --manual' for more information
admin@Gateway:~$
I did try to hack some packages on the USG, broke it, reset it and re-provisioned it and got it back online..... The upside to UniFi devices I guess :)
from nextdns.
Now I wish that backup spare wasn't dead so I don't bring down the whole house LOL
from nextdns.
So maybe we need to figure out the UniFi side of things separately from the EdgeRouter. I am pretty sure if the installer works, UniFi upgrades will wipe the install.
While UniFi runs EdgeOS, they are configured very differently, especially with "installed" items directly on the router. Worst case the installer needs to be re-run each time the router is rebooted or at least upgraded. A reboot on UniFi will trigger a re-provision so that is easily tested.
from nextdns.
I've run into a couple of issues while attempting to use the setup script. USG does not have the apt alias/helper, though apt-get works. I replaced that in the script but ran up against another error. While running apt-get update I get a TLS error; upon investigation I believe the OS doesn't support SNI.
xxx@ubnt:/usr/bin$ sudo apt-get update
Ign https://nextdns.io stable Release.gpg
Ign https://nextdns.io stable Release
Err https://nextdns.io stable/main mips Packages
gnutls_handshake() failed: A TLS fatal alert has been received.
Ign https://nextdns.io stable/main Translation-en
W: Failed to fetch https://nextdns.io/repo/deb/dists/stable/main/binary-mips/Packages gnutls_handshake() failed: A TLS fatal alert has been received.
E: Some index files failed to download. They have been ignored, or old ones used instead.
yyy@ubnt:~$ openssl s_client -connect nextdns.io:443
CONNECTED(00000003)
2002551960:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 290 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1579274310
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
zzz@ubnt:~$ openssl s_client -tls1_2 -connect nextdns.io:443
CONNECTED(00000003)
1994589336:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1579274347
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
from nextdns.
@notsureifkevin I still believe this code is only written for the EdgeRouter line, NOT the UniFi line. For this to work it has to be completely different for the UniFi Security Gateway (USG). I too am a USG user and need this integrated into that line, not the EdgeRouter line.
from nextdns.
I'm not familiar with USG. How can I test it using an EdgeRouter?
from nextdns.
@rs you can't, they are two distinctly different products from Ubiquiti...
USG does not support directly installing applications (there are workarounds), but it's a JSON based config push from a controller:
https://www.ui.com/unifi-routing/usg/
EdgeRouter, as you have seen, supports directly installing applications:
https://www.ui.com/edgemax/edgerouter-lite/
from nextdns.
I would also love to be able to use this on the USG.
from nextdns.
I need a USG setup to test it with. Since you have experience with it, do you know if there is a way to simulate it?
from nextdns.
They may have a simulator for development if you contact them, but otherwise you just have to buy one or borrow one from someone. I had a spare but it died on me a while back :/
Ubiquiti Unifi Security Gateway (USG) https://www.amazon.com/dp/B00LV8YZLK/ref=cm_sw_r_cp_api_i_Si-qEbTPJWKYE
from nextdns.
@rs do we need to pitch in to buy you a USG? :)
from nextdns.
Done already but thx :)
from nextdns.
Same, I know a bunch of people using the USG.
from nextdns.
Same! Excited to move on nextdns with my USG :)
from nextdns.
Yes, the setup-router mode is an automated setup of routers so you don't have to edit things yourself. The idea is to change settings on startup and restore them on exit.
from nextdns.
Side question, is it correct to only see the padlock and tool tip in the NextDNS dashboard logs section for DNS-over-HTTPS (NextDNS CLI) for IPv4 networks? For IPv6 queries I usually see the device ID but no indicator of DNS-over-HTTPS or the NextDNS CLI.
from nextdns.
No it is not, contact us on our live chat for that.
from nextdns.
Also, apt is not supposed to be used by machines, only apt-get is.
"The apt command is meant to be pleasant for end users and does not need to be backward compatible like apt-get(8)."
from nextdns.
Can confirm it worked for me:
- USG Pro 4
- Using dnsmasq instead of default
- Dual WAN with Load Balancing
admin@sidewinder:~$ uname -ar
Linux sidewinder 3.10.107-UBNT #1 SMP Sat Feb 15 05:22:22 UTC 2020 mips64 GNU/Linux
from nextdns.
Worked for me with the standard (non pro) USG.
$ uname -ar
Linux SecurityGateway 3.10.107-UBNT #1 SMP Sat Feb 15 02:47:59 UTC 2020 mips64 GNU/Linux
I had to upgrade to the latest USG firmware; the installer failed until I did that with the error tar: short read
from nextdns.
I tested this on a Dream Machine Pro and ran into the following error:
# uname -ar
Linux gasteiz 4.1.37-v1.6.6.2431-b2007c3 #1 SMP Fri Mar 27 20:17:42 UTC 2020 aarch64 GNU/Linux
# sh -c 'DEBUG=1 sh -c "$(curl -sL https://nextdns.io/install)"'
ERROR: Unsupported OS: Linux
INFO: OS:
INFO: GOARCH: arm64
INFO: GOOS: linux
ERROR: Cannot detect running environment.
# sh -c "$(curl -sL https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh)"
ERROR: Unsupported OS: Linux
INFO: OS:
INFO: GOARCH: arm64
INFO: GOOS: linux
ERROR: Cannot detect running environment.
This device is fairly new so I'm happy to help test things as needed.
from nextdns.
I can test later today on a USG Pro. Do we know if it survives an upgrade/reprovision?
from nextdns.
What do you get for cat /etc/version on UDM?
from nextdns.
@ChrisColotti I doubt it.
from nextdns.
Note that if you enable caching it will disable dnsmasq dns and bind port 53 directly since 1.5 (recommended). This might ignore some dns related functions of Ubiquiti though, but they should be easy to replicate with the cli if needed.
from nextdns.
Well, the installer seemed to work fine and logs are reporting MANY more device names.... which is a GOOD thing, and some are now showing DNSoHTTPS but not all. In some cases the same client shows both HTTPS and non-HTTPS.
Also, with this implementation, are the controller WAN DNS servers no longer in use? Just trying to understand how the config changes on the USG itself as a router. I've been more used to the local clients only; this is the first "router" client I have not.
from nextdns.
Are those clients windows machines by any chance? Let’s discuss that over chat as it is not related to this issue.
from nextdns.
Please upgrade to 1.5.2 first.
from nextdns.
Hi! I just ran the installer on my EdgeRouter PoE running EdgeOS 2.0.1 as mentioned on the wiki. I completed the setup and gave it my NextDNS configuration ID. When I check my dashboard, though, NextDNS says I'm still using Cloudflare for DNS resolving.
If I remember correctly I had previously set up dnsmasq to cache locally with 1.1.1.1/1.0.0.1 as the upstream resolvers. Will the NextDNS install/configuration disable that or do I need to do it?
from nextdns.
Ah nevermind, I'm seeing activity and stats showing up. I bet the Cloudflare info was cached somewhere. I'll be more patient 😄
from nextdns.
Does this work on a UniFi Dream Machine Pro? I'm currently running it on a Raspberry Pi with no issues but I would like to have a one device solution if possible.
from nextdns.
What do you get for cat /etc/version on UDM?
# cat /etc/version
cat: can't open '/etc/version': No such file or directory
I can also send you guys an email or chat about this – definitely don't wanna take over the USG discussion! Should I just open a new issue?
from nextdns.
Successfully installed on a UniFi Security Gateway 3P running firmware 4.4.50.5272448.
$ cat /etc/version
UniFiSecurityGateway.ER-e120.v4.4.50.5272448.200215.0243
Forced a provision and NextDNS still reports running:
$ /config/nextdns/nextdns status
running
@ChrisColotti @rs However, I can confirm the duplicate entries from the same device, one encrypted and the other not. In my case it is Apple devices (iMac). This seems to happen for all devices, including the USG itself (when trying to resolve ping.ubnt.com).
from nextdns.
Here’s an example. It’s an NVIDIA Shield TV but same for Apple and Amazon devices.
Not sure if that’s a bug that it’s making 2 requests
from nextdns.
@ChrisColotti For me it's different. I have the device name in one entry, and the ID in the other:
The tooltip for both the entries show the same originating IP address.
from nextdns.
@eproxus I have some that show that; in the example I happened to grab it was the same device and ID, but I do have some where the name/device ID is the same. I was looking more at the source IP to confirm it is in fact the same device making both calls.
@rs thoughts? While it is working it should only make the secure calls and only once right?
Oddly that NVIDIA device on my network does have a system name on it that most other things see, but the USG has an odd way of managing local DNS entries from DHCP as well....not sure if that's part of this.
The upside is I can at least track client IPs for block rules now that are not natively running the client, so this is progress! :)
I will say in the last 24 hours since adding this Secure DNS Calls overall increased 25%, from 25.6% of calls to 49.8% of calls, but one would think at some point now everything behind the USG with or without the client should result in 100% Secure DNS lookups :)
from nextdns.
@kunickiaj I was curious about the actual Controller WAN DNS settings as those still have the NextDNS servers assigned. It would make sense this would have to be changed. If that’s the case, @rs, it should be documented for the USG setup.
The thread has gotten pretty long; some short consolidated setup instructions might be good now.
from nextdns.
Do you guys have cache enabled? When caching is enabled, dnsmasq dns is disabled (with the port=0 dnsmasq param). With such a setup, this behavior should not happen if I understand the issue correctly.
from nextdns.
Can confirm that enabling caching disables dnsmasq. Problem with that for me is that it then breaks LAN name resolution for me, which was previously handled by dnsmasq.
I previously had caching disabled and this line in my nextdns.conf:
forwarder my-local-domain.xyz.=127.0.0.1:53
To clarify, the setup that is working best for me is actually kind of funky: caching disabled, upstream forwarding to dnsmasq, which has upstream forwarding back to nextdns. This doesn't seem like a valid configuration but works for me.
/config/nextdns/nextdns.conf:
forwarder my-local-domain.xyz.=127.0.0.1:53
log-queries false
cache-size 0
cache-max-age 0s
detect-captive-portals false
bogus-priv true
setup-router true
listen localhost:53
report-client-info true
max-ttl 5s
hardened-privacy false
use-hosts true
timeout 0s
auto-activate true
config abcdef
dnsmasq.conf contains the line server=127.0.0.1 and /etc/dnsmasq.d/nextdns.conf contains the lines:
# Configuration generated by NextDNS
no-resolv
server=127.0.0.1#5342
add-mac
add-subnet=32,128
from nextdns.
My caching is whatever the OOB config is which I think is caching enabled
from nextdns.
@kunickiaj the solution would be to implement lan host resolution in cli. Should be trivial.
from nextdns.
ubnt@USG:~$ cat /config/nextdns/nextdns.conf
cache-max-age 0s
detect-captive-portals false
hardened-privacy false
bogus-priv true
report-client-info true
use-hosts true
setup-router true
cache-size 0
timeout 5s
auto-activate true
listen localhost:53
config c0ffee
log-queries false
max-ttl 0s
ubnt@USG:~$ cat /etc/dnsmasq.d/nextdns.conf
# Configuration generated by NextDNS
no-resolv
server=127.0.0.1#5342
add-mac
add-subnet=32,128
from nextdns.