In a previous post, dnscrypt-proxy: Installing on Debian / Raspbian Jessie, I went through the steps to install dnscrypt-proxy and its dependency using checkinstall, so that they can be managed with dpkg. I’ve recently discovered an alternative installation method, which is a fair bit easier, and possibly a better practice.
On my Raspberry Pis, I have a few packages that are not from the Debian / Raspbian stable repository. These include:
- fail2ban
  fail2ban is in Debian stable, but you can see that the version in Jessie (stable) is way behind the version in Stretch (testing). The testing version includes big feature changes such as ban persistence, which I needed.
- rclone
  Rclone is not in Debian stable.
- dnscrypt-proxy
  dnscrypt-proxy is not in Debian stable.
When installing fail2ban, I followed this suggestion to download the latest Debian testing package, install it with dpkg, and then resolve the missing dependencies. Now, installing testing packages on Debian stable is something Debian strongly recommend against – FrankenDebian they call it. Personally my takeaway from this is that you do so at your own risk, you need to pay (more) attention whenever you run a dist-upgrade, and the more a package ties into a system, and the more dependencies a package has (especially if those dependencies are not in Debian stable), the riskier it is. But also I believe that 99% of the risk they speak of is using any software outside Debian Stable – and that whether you compile it from source, download a standalone binary, or use Debian testing packages is neither here-nor-there. Well in that case, I’m keen to have my packages managed by the system as much as possible. “If you’re going to do something wrong, do it right”.
I felt that fail2ban was not too risky a package to mix; it’s not really tied into the system, and it didn’t require any dependencies outside Debian stable. But for some reason, for rclone and dnscrypt-proxy I had installed the raw source / binaries rather than using their Debian testing packages. I believe the only reason for this is that I originally installed them before fail2ban, and simply wasn’t aware of the technique.
I have removed my manually installed rclone and dnscrypt-proxy and used the Debian testing packages. rclone is even easier than fail2ban – it only has one dependency (libc6), which has a version in Debian stable and is likely already installed, so I won’t go into that. But dnscrypt-proxy requires a bit more effort – it has two dependencies for which the versions in stable are too old, so you need the testing packages.
The packages required are:
- libltdl7 (2.4.6 or higher)
  Info: Debian Stretch package
  Download: Debian repo folder or Raspbian repo folder
- libsodium18 (1.0.10 or higher)
  Info: Debian Stretch package
  Download: Debian repo folder or Raspbian repo folder
- dnscrypt-proxy (At the time of writing we’re using 1.9.4-1)
  Info: Debian Stretch package
  Download: Debian repo folder or Raspbian repo folder
All of dnscrypt-proxy’s other direct dependencies’ versions are in Debian stable and are probably already installed. Similarly, libltdl7 and libsodium18 only have one dependency (libc6) with versions in Debian stable, probably already installed.
First, if you have dnscrypt-proxy and libsodium installed using checkinstall as per my previous post, remove them using dpkg. This is so easy that it really goes to show you why using checkinstall was a good idea over make install.
> sudo dpkg -r dnscrypt-proxy libsodium
Then we download the packages. For example in Raspbian:
> wget http://mirrordirector.raspbian.org/raspbian/pool/main/libt/libtool/libltdl7_2.4.6-2_armhf.deb
> wget http://mirrordirector.raspbian.org/raspbian/pool/main/libs/libsodium/libsodium18_1.0.11-1_armhf.deb
> wget http://mirrordirector.raspbian.org/raspbian/pool/main/d/dnscrypt-proxy/dnscrypt-proxy_1.9.1-1_armhf.deb
We install one-by-one with dpkg, ensuring we get no errors.
> sudo dpkg -i libltdl7_2.4.6-2_armhf.deb
> sudo dpkg -i libsodium18_1.0.11-1_armhf.deb
> sudo dpkg -i dnscrypt-proxy_1.9.1-1_armhf.deb
We ask apt to resolve / install any other missing dependencies. I did not have anything further to install with dnscrypt-proxy (I did with fail2ban).
> sudo apt-get -f install
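
dpkg -i performs none of the repository signature checks that apt-get applies, and the wget URLs above are plain HTTP, so a check of each downloaded file against the repository's Packages index belongs between the download and install steps. The script below is an added example, not part of the original post: `packages_entry`, `verify_deb` and `make_sample` are hypothetical names, the sample file and index are constructed, and it assumes the uncompressed Packages index has already been checked against the suite's GPG-signed Release file.

```shell
#!/bin/sh
# Added example: check a hand-downloaded .deb against its Packages index stanza.
# Assumption: the uncompressed index was already checked against the suite's
# GPG-signed Release/InRelease file; that step is not shown here.

# Print "<size> <sha256>" for the stanza whose Filename basename equals $2.
packages_entry() {
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            file = ""; size = ""; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /)    file = substr($i, 11)
                else if ($i ~ /^Size: /)   size = substr($i, 7)
                else if ($i ~ /^SHA256: /) sum  = substr($i, 9)
            }
            n = split(file, parts, "/")
            if (n > 0 && parts[n] == want) { print size, sum; found = 1; exit }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Exit status: 0 = size and SHA-256 match, 1 = mismatch, 2 = no stanza found.
verify_deb() {
    deb=$1; index=$2
    entry=$(packages_entry "$index" "$(basename "$deb")") || {
        echo "no stanza for $deb in $index" >&2; return 2; }
    want_size=${entry%% *}; want_sum=${entry##* }
    got_size=$(wc -c < "$deb" | tr -d ' ')
    got_sum=$(sha256sum "$deb" | cut -d' ' -f1)
    if [ "$got_size" = "$want_size" ] && [ "$got_sum" = "$want_sum" ]; then
        echo "OK: $deb matches $index"; return 0
    fi
    echo "MISMATCH: $deb differs from $index; do not install" >&2; return 1
}

# Constructed sample: a stand-in file plus a one-stanza index describing it.
make_sample() {
    dir=$(mktemp -d); f="$dir/example_1.0-1_armhf.deb"
    printf 'constructed stand-in for package contents\n' > "$f"
    printf 'Package: example\nFilename: pool/main/e/example/%s\nSize: %s\nSHA256: %s\n' \
        "$(basename "$f")" "$(wc -c < "$f" | tr -d ' ')" \
        "$(sha256sum "$f" | cut -d' ' -f1)" > "$dir/Packages"
    echo "$dir"
}

# Usage: sh verify-deb.sh <file.deb> <Packages>
if [ $# -eq 2 ]; then verify_deb "$1" "$2"; fi
```
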
At this point you can begin configuring dnscrypt-proxy. Now the Debian package actually includes a default systemd unit, which, rather than taking options from the command line, reads from a config file /etc/dnscrypt-proxy/dnscrypt-proxy.conf. (I believe config file functionality didn’t exist when I originally installed dnscrypt-proxy version 1.6, hence why I didn’t use this previously).
```ini
[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target

[Service]
Type=notify
NonBlocking=true
User=_dnscrypt-proxy
ExecStart=/usr/sbin/dnscrypt-proxy /etc/dnscrypt-proxy/dnscrypt-proxy.conf
Restart=always
ProtectSystem=strict
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
```
So if you just want to set up the one resolver, you can go ahead and configure dnscrypt-proxy by editing /etc/dnscrypt-proxy/dnscrypt-proxy.conf. There is a sample / template configuration file at /usr/share/doc/dnscrypt-proxy/examples/dnscrypt-proxy.conf.gz.
As I require two resolvers, and I don’t believe you can configure multiple resolvers in a single config file, I would need to create a second custom systemd unit anyway. Since both my existing custom systemd units work fine, I didn’t see a need to use the built-in one, and so I disabled it.
```bash
# Stop the service
sudo systemctl stop dnscrypt-proxy.service
sudo systemctl stop dnscrypt-proxy.socket

# Disable it from starting automatically on startup
sudo systemctl disable dnscrypt-proxy

# Mask it to prevent it from being started manually or in any way.
sudo systemctl mask dnscrypt-proxy.service
sudo systemctl mask dnscrypt-proxy.socket
```
In my opinion this is the “better” method to install dnscrypt-proxy on Debian or Raspbian, and is what I intend to use moving forward.