The simplified sequence diagram really helps to picture it. I'll PM you with the logs.
Routing DNSCrypt through the Tor network should, in theory, anonymize DNS queries. This configuration would result in the DNS resolver observing the IP address of the Tor exit node rather than my actual IP address, thus hiding my identity from the resolver. I'm not sure why the actual request to the site would go to the IP directly.
For implementing DNS over HTTPS (DoH) via Tor, I followed the guidelines from this GitHub repository and translated them into my current approach.
I've gone through DNSCrypt's logs, but nothing really stood out. I'm a bit lost with Wireshark - there's so much data even if I filter it by DNS or Tor Socks Port (From my relay).
While you asked about the basis for my conclusions, it's worth noting that if the Tor proxy were working as intended, I would also anticipate a considerable increase in latency. There's a huge difference when I enter https://one.one.one.one/help/ normally with "Use system proxy settings" in my browser and when I enter it with a "Manual proxy configuration" with the SOCKS Host set up and "Proxy DNS when using SOCKS v5" checked on.
It's not hiding my real ip from websites such as https://whatismyipaddress.com/. If it was torrified, I'd expect something changing on "am i using tor" websites as well.
dnscrypt-proxy2 routed through tor
I'm attempting to configure an anonymized DNS service using dnscrypt-proxy2, routed through the Tor network. I believe I have everything needed for it to work, but that does not seem to be the case. The DNS resolution is fine, but it's not being proxied through Tor as desired.
```nix services.resolved.enable = false; services.dnscrypt-proxy2 = { enable = true; settings = { ipv6_servers = config.networking.enableIPv6; block_ipv6 = !(config.networking.enableIPv6); listen_addresses = ["127.0.0.1:53" "[::1]:53"]; force_tcp = true;
use_syslog = false; odoh_servers = true; require_dnssec = true; require_nolog = false; require_nofilter = true;
anonymized_dns = { routes = [ { server_name = "*"; via = ["anon-plan9-dns" "anon-v.dnscrypt.up-ipv4"]; } ]; skip_incompatible = true; };
sources.public-resolvers = { urls = [ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md" "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ]; cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; };
block_unqualified = true; block_undelegated = true; proxy = "socks5://127.0.0.1:9050"; }; };
systemd.services.dnscrypt-proxy2.serviceConfig = {
StateDirectory = "dnscrypt-proxy";
};
nix
useDHCP = false;
enableIPv6 = true;
nameservers = [
"127.0.0.1"
"::1"
];
networkmanager.enable = true;
networkmanager.dns = "none";
nix
services.tor = {
enable = true;
enableGeoIP = false;
torsocks.enable = true;
client = {
enable = true;
};
};
```
I'm using Cloudflare and I get no output from dig 1.0.0.1.email.teatastic.org +short which should mean that my dns is not blocked. Additionally, I discovered that my self hosted email just appeared as a destination address on Cloudflare. The problem is that it's "Pending verification", yet I don't receive any mails to actually confirm it.
I've tried to email myself from both proton and gmail, but no emails appear in Roundcube. Since I have no prior experience with this, I might be overlooking something important, yet I'm not sure what.
Simple-Nixos-Mailserver: Sending emails fails
I've been trying to achieve a working mail setup on nixos by using simple-nixos-mailserver. ``` mailserver = { enable = true; certificateScheme = "acme-nginx"; enableManageSieve = true; fqdn = "email.teatastic.org"; domains = ["teatastic.org"]; mailboxes = { Drafts = { auto = "subscribe"; specialUse = "Drafts"; }; Junk = { auto = "subscribe"; specialUse = "Junk"; }; Sent = { auto = "subscribe"; specialUse = "Sent"; }; Trash = { auto = "no"; specialUse = "Trash"; }; };
loginAccounts = { "[email protected]" = { hashedPasswordFile = config.sops.secrets.password.path; aliases = ["[email protected]"]; }; };
fullTextSearch = { enable = false; enforced = "body"; indexAttachments = true; memoryLimit = 512; };
enableImap = true; enablePop3 = true; enableImapSsl = true; enablePop3Ssl = true;
virusScanning = false; }; services.roundcube = { enable = true; package = pkgs.roundcube.withPlugins ( plugins: [ plugins.carddav plugins.contextmenu plugins.custom_from plugins.persistent_login plugins.thunderbird_labels ] ); plugins = [ "attachment_reminder" # Roundcube internal plugin "carddav" "contextmenu" "custom_from" "managesieve" # Roundcube internal plugin "newmail_notifier" # Roundcube internal plugin "persistent_login" "thunderbird_labels" "zipdownload" # Roundcube internal plugin ]; #dicts = with pkgs.aspellDicts; [en]; hostName = config.mailserver.fqdn; maxAttachmentSize = 100; extraConfig = '' $config['smtp_server'] = "tls://${config.mailserver.fqdn}"; $config['smtp_user'] = "%u"; $config['smtp_pass'] = "%p"; ''; };
security.acme = {
acceptTerms = true;
defaults.email = "[email protected]";
};
firewall = {
enable = true;
allowedTCPPorts = [
25 587 143 993 110 995 # Email
80 # Nginx
];
};
```
I'm logging in through roundcube, which works as expected. However, when I get to the point of composing an email to somebody, it just starts a "Sending message..." loop without actually sending anything.
I've forwarded the aforementioned ports on my router, yet it fails.
NAT and Port Triggering
To increase the security of my NAT configuration, I opted to implement port triggering instead of the traditional port forwarding on my router. I chose this approach in order to configure it from my nix configuration.
Specifically, I have enabled port 443 triggering on my router and included the following configuration:
nftables = { enable = true; ruleset = '' table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; iifname "wlp2s0" tcp dport 443 dnat to 10.100.0.3:443 } } ''; }; nat = { enable = true; internalInterfaces = ["lo"]; externalInterface = "wlp2s0"; forwardPorts = [ { sourcePort = 443; proto = "tcp"; destination = "10.100.0.3:443"; } ]; };
Now, after rebuilding, it still does not work and I'm left to wonder why. Are both the NAT and nftables settings even meant to run at the same time?
Awesome, you were right! Thank you!
systemd.services.nginx.serviceConfig.ProtectHome = false;
users.groups.searx.members = [ "nginx" ];
For anyone looking to test it out, it's https://search.teatastic.org/
Yeah, good point about the localhost. The ports are fine however. The actual error that I'm getting is coming from nginx: *1 connect() to unix:/run/searx/searx.sock failed (13: Permission denied) while connecting to upstream. I have added the searx and nginx groups to my main user (which I have to find a workout for anyway, since it might prove to be a security problem), yet it still does not work.
SearXNG Instance on NixOS
I've been trying to create a public instance of SearXNG by using NixOS, Cloudflare and Nginx, but I can't seem to make it open to the internet and I've ran out of ideas. Is there anything I'm overlooking? ``` services.searx = { enable = true; redisCreateLocally = true; limiterSettings = { real_ip = { x_for = 1;
ipv4_prefix = 32; ipv6_prefix = 56; }; botdetection = { ip_limit = { filter_link_local = true; link_token = true; }; ip_lists = { pass_ip = [ "192.168.0.0/16" "fe80::/10" ]; pass_searxng_org = true; }; }; }; runInUwsgi = true; uwsgiConfig = { socket = "/run/searx/searx.sock"; http = ":8888"; chmod-socket = "660"; disable-logging = true; }; settings = { general = { debug = false; instance_name = "SearXNG Instance"; donation_url = false; contact_url = false; enable_metrics = false; };
ui = { static_use_hash = true; theme_args.simple_style = "dark"; query_in_title = true; center_alignment = true; results_on_new_tab = false; };
search = { safe_search = 2; autocomplete_min = 2; autocomplete = "duckduckgo"; };
server = { port = 8888; bind_address = "0.0.0.0"; secret_key = config.sops.secrets.searx.path; image_proxy = true; method = "GET";
default_locale = "en";
default_lang = "en-US";
base_url = "https://myinstance.org";
public_instance = true;
};
engines = lib.mapAttrsToList (name: value: {inherit name;} // value) {
"duckduckgo".disabled = false;
"brave".disabled = true;
};
outgoing = {
request_timeout = 5.0;
max_request_timeout = 15.0;
pool_connections = 100;
pool_maxsize = 15;
enable_http2 = true;
};
};
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"myinstance.org" = {
forceSSL = true;
sslCertificate = config.sops.secrets."SSL-Certificates/Cloudflare/Cert".path;
sslCertificateKey = config.sops.secrets."SSL-Certificates/Cloudflare/Key".path;
locations = {
"/" = {
extraConfig = ''
uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};
'';
};
};
};
};
};
```