How do I set up dnscrypt-proxy2 on OpenWRT?

Hello everyone.

Could you please tell me how to set up dnscrypt-proxy2 on OpenWRT?
I’ve set up dnscrypt-proxy2 on my PC, but I’m not entirely sure how to set it up on OpenWRT – there seem to be some differences.

I also cannot see luci-app-dnscrypt-proxy2 (the GUI for dnscrypt-proxy2) in the repository. I found it to be a very well-designed and user-friendly programme for graphic design. https://github.com/peter-tank/luci-app-dnscrypt-proxy2

How did you configure and install dnscrypt-proxy2?

What did I do, and why won’t dnscrypt-proxy2 start for me?))

I installed the packages using the command:

# opkg update

# opkg install nano dnscrypt-proxy2

Next, I configure the configuration file. Here are the main settings I’ve applied to test the programme’s functionality.

# nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

listen_addresses = ['127.0.0.1:5053']

server_names =  ['scaleway-fr', 'cs-belgium', 'cs-finland', 'cs-hungary', 'cs-md', 'nwps.fi']

ipv6_servers = false

bootstrap_resolvers = [

"9.9.9.9:53",      # Quad9

]

netprobe_address = '9.9.9.9:53'

routes = [
{ server_name='scaleway-fr', via=['anon-scaleway', 'anon-cs-austria'] },
{ server_name='cs-belgium', via=['anon-cs-barcelona', 'anon-cs-berlin'] },
{ server_name='cs-finland', via=['anon-scaleway', 'anon-cs-ch'] },
{ server_name='cs-hungary', via=['anon-ibksturm', 'anon-scaleway-ams'] },
{ server_name='cs-md', via=['anon-cs-fr', 'anon-cs-hungary'] },
{ server_name='nwps.fi', via=['anon-cs-md', 'anon-cs-nl'] },
]

Next, I set up DNS forwarding (using the command line):

# uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5053'

# uci commit dhcp

# /etc/init.d/dnsmasq restart

Start and enable the service

# /etc/init.d/dnscrypt-proxy2 restart

# /etc/init.d/dnsmasq restart

Next, I check the settings:

# dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml  -check

# dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve gnu.org
# netstat -lnup | grep 5053   # I can see it on the dnscrypt-proxy port

# service dnscrypt-proxy2 status   # service running

# logread -e dnscrypt   # I can also see the dnscrypt-proxy program running

# cat /etc/resolv.conf

search lan
nameserver 127.0.0.1

But when I enter the command to check:

# dig @127.0.0.1 gnu.org

I see:

SERVER: 127.0.0.1#53(127.0.0.1)

instead of

SERVER: 127.0.0.1#5053(127.0.0.1)

Where might further configuration be required? I’d appreciate any advice.

dnsmasq listens on port 53 and dnsmasq forwards to dnscrypt-proxy2 at port 5053. So the dig output is correct. Was the query successful?

FWIW, I put this up on @davidc502’s forum thread many years ago and I still pretty well follow the same recipe. TBH, I haven’t revisited the config .toml since.
(Davidc502- wrt1200ac wrt1900acx wrt3200acm wrt32x builds - #5310 by RuralRoots)

These are my current returns:


root@RuralRoots:/etc/config# head -20 dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option noresolv '1'
option localuse '1'
option confdir '/tmp/dnsmasq.d'
option sequential_ip '1'
option cachesize '0'
list server '127.0.0.53'
list interface 'lan'
list addnmount '/var/run/pbr.dnsmasq'

root@RuralRoots:~# dnscrypt-proxy -config /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -check
[2026-04-30 22:13:22] [NOTICE] Using default Weighted Power of Two (WP2) load balancing strategy
[2026-04-30 22:13:22] [NOTICE] Source [public-resolvers] loaded
[2026-04-30 22:13:22] [NOTICE] Source [relays] loaded
[2026-04-30 22:13:22] [NOTICE] Configuration successfully checked

root@RuralRoots:~# dnscrypt-proxy -config /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -resolve gnu.org
Resolving [gnu.org] using 127.0.0.53 port 53

Resolver : 165.99.9.209 (static.209-9-99-165.webhorizon.net.)

Canonical name: gnu.org.

IPv4 addresses: 209.51.188.116
IPv6 addresses: 2001:470:142:5::116

Name servers : ns4.gnu.org., ns1.gnu.org., ns2.gnu.org.
DNSSEC signed : no
Mail servers : 1 mail server found

HTTPS alias : -
HTTPS info : -

Host info : -
TXT records : v=spf1 ip4:209.51.188.0/24 ip4:74.94.156.208/28 ip6:2001:470:142::/48 ip6:2603:3005:71a:2e00::/64 ~all

root@RuralRoots:~# dig @127.0.0.1 gnu.org

; <<>> DiG 9.20.18 <<>> @127.0.0.1 gnu.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16110
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;gnu.org. IN A

;; ANSWER SECTION:
gnu.org. 2400 IN A 209.51.188.116

;; Query time: 260 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Apr 30 22:14:58 EDT 2026
;; MSG SIZE rcvd: 52
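
An offline consistency check for the chain discussed in this thread (dnsmasq on port 53 forwarding to dnscrypt-proxy), added here as an example and not part of any poster's message. It compares dnsmasq's "list server" upstreams with listen_addresses and flags a missing noresolv; the function names and sample files are constructed, and on a router you would pass /etc/config/dhcp and the path of your dnscrypt-proxy.toml instead.

```shell
#!/bin/sh
# Added example. All file contents written below are constructed samples.

# dnsmasq writes upstreams as ip or ip#port; normalise to ip:port (default 53).
dnsmasq_upstreams() {
    sed -n "s/^[[:space:]]*list[[:space:]]\{1,\}server[[:space:]]\{1,\}'\([^']*\)'.*/\1/p" "$1" |
    while read -r s; do
        case "$s" in
            /*)    ;;                              # per-domain rule, not a default upstream
            *'#'*) echo "${s%%#*}:${s##*#}" ;;
            *)     echo "$s:53" ;;
        esac
    done
}

# Addresses from the listen_addresses line of dnscrypt-proxy.toml, one per line.
dnscrypt_listeners() {
    grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" |
    grep -oE "['\"][^'\"]+['\"]" | tr -d "'\""
}

# $1 = dnsmasq UCI file (/etc/config/dhcp), $2 = dnscrypt-proxy.toml
check_chain() {
    rc=0
    listeners=$(dnscrypt_listeners "$2")
    ups=$(dnsmasq_upstreams "$1")
    [ -n "$ups" ] || { echo "FAIL: no default 'list server' upstream"; rc=1; }
    for u in $ups; do
        if printf '%s\n' "$listeners" | grep -qxF "$u"; then
            echo "OK:   upstream $u is a dnscrypt-proxy listener"
        else
            echo "FAIL: upstream $u is not in listen_addresses"; rc=1
        fi
    done
    # Without noresolv, dnsmasq also forwards to the servers in its resolv file.
    grep -qE "^[[:space:]]*option[[:space:]]+noresolv[[:space:]]+'1'" "$1" ||
        { echo "WARN: noresolv is not '1', resolv-file upstreams stay in use"; rc=1; }
    return "$rc"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# dhcp.ok mirrors the 127.0.0.53 setup shown above; dhcp.bad points at a port nobody listens on.
printf "config dnsmasq\n\toption noresolv '1'\n\tlist server '127.0.0.53'\n" > "$tmp/dhcp.ok"
printf "config dnsmasq\n\tlist server '127.0.0.1#5053'\n" > "$tmp/dhcp.bad"
printf "listen_addresses = ['127.0.0.53:53']\n" > "$tmp/proxy.toml"

check_chain "$tmp/dhcp.ok"  "$tmp/proxy.toml" || echo "=> dhcp.ok: chain broken"
check_chain "$tmp/dhcp.bad" "$tmp/proxy.toml" || echo "=> dhcp.bad: chain broken"
```

A non-zero return means a client query to port 53 either never reaches dnscrypt-proxy or can bypass it through the resolv-file servers.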

These are the best docs I have found for setting up DNSCrypt-Proxy2 on OpenWRT.

@dave14305 @RuralRoots @rexbinary Hello.

Thank you very much for your answers.

I will study a lot of information and return to you with an answer; I am sure that this topic is of interest to a lot of people.

@dave14305 @RuralRoots @rexbinary Hello everyone.

I’ve tested the instructions, and they work. Thank you for your links and posts!

I made a mistake with the dnsmasq configuration; the default listen_addresses is set correctly in the configuration file.

I have a couple of questions for you, if you don’t mind answering them:

  1. Could the ISP be blocking the dnscrypt-proxy? I’m getting a TIMEOUT error

  2. Is it possible to replace dnsmasq with dhcpcd?

I doubt your ISP is blocking dnscrypt-proxy2. I would suggest running through the docs I linked for you again step by step and double-checking your work. I don’t have any experience with dnsmasq.

Hi. I’ve gone through the instructions several times; it’s definitely not a mistake.

I’m sure that’s the case. Could you send me the test commands (without any personal details)? I’ll show you that it’s a block imposed by the provider.

I’ll post a full guide on how I set it up a bit later, so you can see for yourself that I’ve done everything correctly.

By any chance is your pc running dnscrypt-proxy as well? You said it works fine on your pc so that would say your isp isn’t blocking the service.

Please post the return from head -25 dhcp; just need the config dnsmasq stanza. Also post cat *toml | grep -n -A 75 -B 1 "Global settings" from wherever your dnscrypt-proxy.toml resides.

Oh, no need to prove anything to me. I am just trying to help. Going back through the installation guide is what I myself would do. (And did actually when I was setting it up myself.) I hope you get it working. Maybe your ISP is blocking your DNS. Sharing your config will help everyone help you.