How do I set up dnscrypt-proxy2 on OpenWRT?

Hello everyone.

Could you please tell me how to set up dnscrypt-proxy2 on OpenWRT?
I’ve set up dnscrypt-proxy2 on my PC, but I’m not entirely sure how to set it up on OpenWRT – there seem to be some differences.

I also cannot see luci-app-dnscrypt-proxy2 (the GUI for dnscrypt-proxy2) in the repository. I found it to be a very well-designed and user-friendly programme for graphic design. https://github.com/peter-tank/luci-app-dnscrypt-proxy2

How did you configure and install dnscrypt-proxy2?

What did I do, and why won’t dnscrypt-proxy2 start for me?))

I installed the packages using the command:

# opkg update

# opkg install nano dnscrypt-proxy2

Next, I configure the configuration file. Here are the main settings I’ve applied to test the programme’s functionality.

# nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

listen_addresses = ['127.0.0.1:5053']

server_names =  ['scaleway-fr', 'cs-belgium', 'cs-finland', 'cs-hungary', 'cs-md', 'nwps.fi']

ipv6_servers = false

bootstrap_resolvers = [

"9.9.9.9:53",      # Quad9

]

netprobe_address = '9.9.9.9:53'

routes = [
{ server_name='scaleway-fr', via=['anon-scaleway', 'anon-cs-austria'] },
{ server_name='cs-belgium', via=['anon-cs-barcelona', 'anon-cs-berlin'] },
{ server_name='cs-finland', via=['anon-scaleway', 'anon-cs-ch'] },
{ server_name='cs-hungary', via=['anon-ibksturm', 'anon-scaleway-ams'] },
{ server_name='cs-md', via=['anon-cs-fr', 'anon-cs-hungary'] },
{ server_name='nwps.fi', via=['anon-cs-md', 'anon-cs-nl'] },
]

Next, I set up DNS forwarding (using the command line):

# uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5053'

# uci commit dhcp

# /etc/init.d/dnsmasq restart

Start and enable the service

# /etc/init.d/dnscrypt-proxy2 restart

# /etc/init.d/dnsmasq restart

Next, I check the settings:

# dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml  -check

# dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve gnu.org
# netstat -lnup | grep 5053   # I can see it on the dnscrypt-proxy port

# service dnscrypt-proxy2 status  #service running

# logread -e dnscrypt   # I can also see the dnscrypt-proxy program running

# cat /etc/resolv.conf

search lan
nameserver 127.0.0.1

But when I enter the command to check:

# dig @127.0.0.1 gnu.org

I see:

SERVER: 127.0.0.1#53(127.0.0.1)

instead of

SERVER: 127.0.0.1#5053(127.0.0.1)

Where might further configuration be required? I’d appreciate any advice.

dnsmasq listens on port 53 and dnsmasq forwards to dnscrypt-proxy2 at port 5053. So the dig output is correct. Was the query successful?

FWIW, I put this up on @davidc502’s forum thread many years ago and I still pretty well follow the same recipe. TBH, I haven’t revisited the config .toml since.
(Davidc502- wrt1200ac wrt1900acx wrt3200acm wrt32x builds - #5310 by RuralRoots)

These are my current returns:


root@RuralRoots:/etc/config# head -20 dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option noresolv '1'
option localuse '1'
option confdir '/tmp/dnsmasq.d'
option sequential_ip '1'
option cachesize '0'
list server '127.0.0.53'
list interface 'lan'
list addnmount '/var/run/pbr.dnsmasq'

root@RuralRoots:~# dnscrypt-proxy -config /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -check
[2026-04-30 22:13:22] [NOTICE] Using default Weighted Power of Two (WP2) load balancing strategy
[2026-04-30 22:13:22] [NOTICE] Source [public-resolvers] loaded
[2026-04-30 22:13:22] [NOTICE] Source [relays] loaded
[2026-04-30 22:13:22] [NOTICE] Configuration successfully checked

root@RuralRoots:~# dnscrypt-proxy -config /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -resolve gnu.org
Resolving [gnu.org] using 127.0.0.53 port 53

Resolver : 165.99.9.209 (static.209-9-99-165.webhorizon.net.)

Canonical name: gnu.org.

IPv4 addresses: 209.51.188.116
IPv6 addresses: 2001:470:142:5::116

Name servers : ns4.gnu.org., ns1.gnu.org., ns2.gnu.org.
DNSSEC signed : no
Mail servers : 1 mail server found

HTTPS alias : -
HTTPS info : -

Host info : -
TXT records : v=spf1 ip4:209.51.188.0/24 ip4:74.94.156.208/28 ip6:2001:470:142::/48 ip6:2603:3005:71a:2e00::/64 ~all

root@RuralRoots:~# dig @127.0.0.1 gnu.org

; <<>> DiG 9.20.18 <<>> @127.0.0.1 gnu.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16110
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;gnu.org. IN A

;; ANSWER SECTION:
gnu.org. 2400 IN A 209.51.188.116

;; Query time: 260 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Apr 30 22:14:58 EDT 2026
;; MSG SIZE rcvd: 52

These are the best docs I have found for setting up DNSCrypt-Proxy2 on OpenWRT.

@dave14305 @RuralRoots @rexbinary Hello.

Thank you very much for your answers.

I will study a lot of information and return to you with an answer, I am sure that this topic is of interest to a lot of people.

@dave14305 @RuralRoots @rexbinary Hello everyone.

I’ve tested the instructions, and they work. Thank you for your links and posts!

I made a mistake with the dnsmasq configuration; the default listen_addresses is set correctly in the configuration file.

I have a couple of questions for you, if you don’t mind answering them

  1. Could the ISP be blocking the dnscrypt-proxy? I’m getting a TIMEOUT error

  2. Is it possible to replace dnsmasq with dhcpcd?

I doubt your ISP is blocking dnscrypt-proxy2. I would suggest running through the docs I linked for you again step by step and double check your work. I don’t have any experience with dnsmasq.

Hi. I’ve gone through the instructions several times; it’s definitely not a mistake.

I’m sure that’s the case. Could you send me the test commands (without any personal details)? I’ll show you that it’s a block imposed by the provider.

I’ll post a full guide on how I set it up a bit later, so you can see for yourself that I’ve done everything correctly.

By any chance is your pc running dnscrypt-proxy as well? You said it works fine on your pc so that would say your isp isn’t blocking the service.

Please post the return from head -25 dhcp, just need the config dnsmasq stanza. Also post cat *toml | grep -n -A 75 -B 1 "Global settings" from wherever your dnscrypt-proxy.toml resides.

Oh, no need to prove anything to me. I am just trying to help. Going back through the installation guide is what I myself would do. (And did actually when I was setting it up myself.) I hope you get it working. Maybe your ISP is blocking your DNS. Sharing your config will help everyone help you.

@rexbinary @RuralRoots Hello.

Thanks for your answers.

I will publish the setup so that it is clear whether I configured it correctly or not. If everything is configured correctly then you need to check something else.

$ ssh root@192.168.1.1

  1. Date check

date

  2. Update and program installation

opkg update

opkg install nano dnscrypt-proxy2

  3. Set up the configuration file.

nano /etc/dnscrypt-proxy2/dnscrypt-proxy.toml

listen_addresses = ['127.0.0.53:53']

server_names =  ['scaleway-fr', 'cs-belgium', 'cs-finland', 'cs-hungary', 'cs-md', 'nwps.fi']

ipv6_servers = false
block_undelegated = true

#bootstrap_resolvers = [
#    "9.9.9.9:53",      # I don't use it, I commented it out
#]

#netprobe_address = '9.9.9.9:53'   I don't use it, I commented it out

routes = [
{ server_name='scaleway-fr', via=['anon-scaleway', 'anon-cs-austria'] },
{ server_name='cs-belgium', via=['anon-cs-barcelona', 'anon-cs-berlin'] },
{ server_name='cs-finland', via=['anon-scaleway', 'anon-cs-ch'] },
{ server_name='cs-hungary', via=['anon-ibksturm', 'anon-scaleway-ams'] },
{ server_name='cs-md', via=['anon-cs-fr', 'anon-cs-hungary'] },
{ server_name='nwps.fi', via=['anon-cs-md', 'anon-cs-nl'] },
]

  4. Let's start the service

/etc/init.d/dnscrypt-proxy enable

/etc/init.d/dnscrypt-proxy start

  5. Configuring dnsmasq

nano /etc/config/dhcp

Add the following lines to the section => config dnsmasq

option cachesize '0'
option boguspriv '1'
option localuse '1'
option noresolv '1'
list server '127.0.0.53'

  6. Let's restart dnsmasq and apply the new configuration

/etc/init.d/dnsmasq restart

logread -l 100 | grep dnsmasq

We should see the following output:

daemon.info dnsmasq[PID]: using nameserver 127.0.0.53#53

  7. Create Firewall Rules

nano /etc/config/firewall ## Add the following to the end of the configuration file:

config redirect
option name 'Divert-DNS, port 53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'

config redirect
option name 'Divert-DNS, port 853'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'

config redirect
option name 'Divert-DNS, port 5353'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'

  8. Let's reload firewall

/etc/init.d/firewall reload

At this stage, everything should be working

Checking Settings


cat /etc/dnscrypt-proxy2/dnscrypt-proxy.toml | grep listen_addresses

listen_addresses = ['127.0.0.53:53']

cat /etc/config/dhcp | grep 'list server'

list server '127.0.0.53'

dnscrypt-proxy -config /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -check

dnscrypt-proxy -config /etc/dnscrypt-proxy2/dnscrypt-proxy.toml -resolve gnu.org

cat /etc/resolv.conf

search lan
nameserver 127.0.0.1

/usr/sbin/dnsmasq --test

dnsmasq: syntax check OK.

When I mentioned configuring it on a PC, I meant the changes I made to the configuration file; right now, I don't have DNScrypt-proxy on my PC.

When I turn on DNScrypt-proxy, I get logs like this:

logread -e dnscrypt

Sun May  3 20:28:02 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:02] [NOTICE] Anonymizing queries for [cs-hungary] via [anon-scaleway-ams]
Sun May  3 20:28:02 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:02] [NOTICE] Anonymizing queries for [scaleway-fr] via [anon-cs-austria]
Sun May  3 20:28:02 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:02] [NOTICE] Anonymizing queries for [nwps.fi] via [anon-cs-nl]
Sun May  3 20:28:02 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:02] [NOTICE] Anonymizing queries for [cs-md] via [anon-cs-fr]
Sun May  3 20:28:02 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:02] [NOTICE] Anonymizing queries for [cs-belgium] via [anon-cs-barcelona]
Sun May  3 20:28:02 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:02] [NOTICE] Anonymizing queries for [cs-finland] via [anon-cs-ch]
Sun May  3 20:28:13 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:13] [NOTICE] [scaleway-fr] TIMEOUT
Sun May  3 20:28:13 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:13] [NOTICE] [cs-hungary] TIMEOUT
Sun May  3 20:28:13 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:13] [NOTICE] [nwps.fi] TIMEOUT
Sun May  3 20:28:13 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:13] [NOTICE] [cs-md] TIMEOUT
Sun May  3 20:28:13 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:13] [NOTICE] [cs-belgium] TIMEOUT
Sun May  3 20:28:13 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:13] [NOTICE] [cs-finland] TIMEOUT
Sun May  3 20:28:23 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:23] [NOTICE] Anonymizing queries for [cs-hungary] via [anon-scaleway-ams]
Sun May  3 20:28:23 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:23] [NOTICE] Anonymizing queries for [scaleway-fr] via [anon-scaleway]
Sun May  3 20:28:23 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:23] [NOTICE] Anonymizing queries for [nwps.fi] via [anon-cs-nl]
Sun May  3 20:28:23 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:23] [NOTICE] Anonymizing queries for [cs-md] via [anon-cs-hungary]
Sun May  3 20:28:23 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:23] [NOTICE] Anonymizing queries for [cs-belgium] via [anon-cs-barcelona]
Sun May  3 20:28:23 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:23] [NOTICE] Anonymizing queries for [cs-finland] via [anon-scaleway]
Sun May  3 20:28:34 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:34] [NOTICE] [cs-hungary] TIMEOUT
Sun May  3 20:28:34 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:34] [NOTICE] [scaleway-fr] TIMEOUT
Sun May  3 20:28:34 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:34] [NOTICE] [nwps.fi] TIMEOUT
Sun May  3 20:28:34 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:34] [NOTICE] [cs-md] TIMEOUT
Sun May  3 20:28:34 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:34] [NOTICE] [cs-belgium] TIMEOUT
Sun May  3 20:28:34 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:34] [NOTICE] [cs-finland] TIMEOUT
# service dnscrypt-proxy status
running
# netstat -lnup | grep 53
udp        0      0 127.0.0.53:53           0.0.0.0:*                           7715/dnscrypt-proxy
udp        0      0 127.0.0.1:53            0.0.0.0:*                           7445/dnsmasq
udp        0      0 192.168.XX.XXX:53       0.0.0.0:*                           7445/dnsmasq
logread -l 100 | grep dnsmasq
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: started, version 2.90 cache disabled
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: DNS service limited to local subnets
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Sun May  3 20:32:23 2026 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.XXX.XXX -- 192.168.XXX.XXX, lease time 12h
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: using nameserver 127.0.0.53#53
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: using only locally-known addresses for test
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: using only locally-known addresses for local
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Sun May  3 20:32:23 2026 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 0 names
Sun May  3 20:32:23 2026 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses

The bootstrap_resolvers are needed for dnscrypt-proxy2 to look up the addresses to the servers and relays when the service first starts up. Would you please share your full dnscrypt-proxy.toml and dnsmasq files? Please comment out anything sensitive, if any.
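The two facts the thread is circling (every server in server_names logging TIMEOUT, and the bootstrap_resolvers block being commented out) can be checked mechanically from the .toml and the logread output. This is an added example, not code from the thread or from the dnscrypt-proxy project: a POSIX sh triage script that reports whether bootstrap_resolvers is active and tallies TIMEOUT entries per server; the sample config and log lines it reads are constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread or the dnscrypt-proxy project.
# Constructed sample inputs mirroring the symptom discussed above.
TOML=$(mktemp); LOG=$(mktemp)
cat >"$TOML" <<'EOF'
listen_addresses = ['127.0.0.53:53']
server_names = ['scaleway-fr', 'cs-belgium', 'cs-finland']
#bootstrap_resolvers = [
#    "9.9.9.9:53",
#]
EOF
cat >"$LOG" <<'EOF'
Sun May  3 20:28:13 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:13] [NOTICE] [scaleway-fr] TIMEOUT
Sun May  3 20:28:13 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:13] [NOTICE] [cs-belgium] TIMEOUT
Sun May  3 20:28:34 2026 daemon.err dnscrypt-proxy[7715]: [2026-05-03 20:28:34] [NOTICE] [scaleway-fr] TIMEOUT
EOF

# Exit 0 if an uncommented bootstrap_resolvers line exists in the TOML.
bootstrap_enabled() {
    grep -Eq '^[[:space:]]*bootstrap_resolvers[[:space:]]*=' "$1"
}

# Print the names from server_names, one per line.
configured_servers() {
    sed -n "s/^[[:space:]]*server_names[[:space:]]*=.*\[\(.*\)\].*/\1/p" "$1" \
        | tr -d "'\" " | tr ',' '\n'
}

# Print "server count" for every server that logged a TIMEOUT.
timeout_counts() {
    sed -n 's/.*\[NOTICE\] \[\([^]]*\)\] TIMEOUT$/\1/p' "$1" \
        | sort | uniq -c | awk '{print $2, $1}'
}

# Verdict: bootstrap-missing, all-timeout, partial-timeout or ok.
triage() {
    total=$(configured_servers "$1" | wc -l | tr -d ' ')
    failed=$(timeout_counts "$2" | wc -l | tr -d ' ')
    if [ "$failed" -gt 0 ] && ! bootstrap_enabled "$1"; then echo bootstrap-missing
    elif [ "$total" -gt 0 ] && [ "$failed" -eq "$total" ]; then echo all-timeout
    elif [ "$failed" -gt 0 ]; then echo partial-timeout
    else echo ok; fi
}

timeout_counts "$LOG"
triage "$TOML" "$LOG"
```

On a router, point the two arguments at the real /etc/dnscrypt-proxy2/dnscrypt-proxy.toml and a file saved from logread -e dnscrypt instead of the constructed samples.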

This is not helpful! Slow down and work with us by providing the information we have asked for. CLI returns tell us absolutely nothing about your specific configuration.

@rexbinary @RuralRoots Hello,
Thank you for your answers. Okay, I understand you. In addition to these commands, what other information do you need me to provide?

cat *toml | grep -n -A 75 -B 1 "Global settings"

head -25 dhcp

To start, full output of /etc/dnscrypt-proxy/dnscrypt-proxy.toml and /etc/config/dhcp please

cat /etc/dnscrypt-proxy/dnscrypt-proxy.toml
cat /etc/config/dhcp

Copy and paste the output of each command here into code boxes please.

From what I see of your dnscrypt-proxy.toml I don’t see your issue being centred there. According to your above snippets, your .toml is configured to use relays for Anonymized DNS is that really your intent? Also, make sure to enable your Bootstrap resolvers as @rexbinary notes above.

Let’s start here:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
uci export /etc/config/network
uci export /etc/config/dhcp

Don’t redact RFC1918 ip addresses (private networks: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16)