New LuCI-GUI for dnscrypt-proxy


in latest luci snapshot sources you'll find a new GUI for DNSCrypt-Proxy to ease the dnscrypt-proxy configuration, main features:

  • full resolver list handling, incl. list refresh and simple resolver selection per instance
  • parse/show the resolver, Location, DNSSEC- and NOLOG-Flag in the resolver select box
  • automatically transfer dnscrypt specific settings to dnsmasq as well,
    This may change the values for 'noresolv', 'resolvfile',
    'allservers' and the list 'server' settings (enabled by default)
  • startup trigger support
  • support the following (conditional) options:
  • resolvers_list
  • ephemeral_keys
  • blacklist
  • block_ipv6
  • local_cache
  • query_log_file
  • complete dnscrypt & dnsmasq configuration in 'Advanced' section

Example screenshots:



Download: You will find the ready to run ipk-package here

Any feedback is greatly appreciated!

Have fun!


Please add the option to make horizontal "make menuconfig" encryption library - not everyone uses mbedtls...

Good catch, should be fixed in trunk now (see

thanks, very useful

Thanks for the gui but I can't see anything in general options so I can't use refresh resolver list and startup trigger:
General options
This section contains no values yet
Any idea what might be wrong? I can see all the other options.
I run my own build of LEDE kernel 4.4.83, git 364befeccf01c07049b492d90e98c2c13457c7c3
luci-app-dnscrypt-proxy git-17.230.25723-2163284-1
Btw when one creates a second dnscrypt instance one needs to create a file /etc/resolv-crypt.conf with options timeout:1. The gui is not doing that - is it a bug?

Yes, your config has no 'global' section ... I'll add a workaround for this issue with the next update.

No, this config tweak is optional, not uci-based and simply not supported.

@montvid regarding your issues, I've opend a PR on github, see here.

Wow, this looks great. Thanks for your work.

Can you tell me how to install it, add the repo to my existing LEDE installation? I'm using the latest build of hnyman for my r7800:

It is in the main LuCI repo (for master, but not yet for 17.01).
Just use opkg to install the package into your router

opkg update
opkg install luci-app-dnscrypt-proxy

Thanks for the fast reply, hnyman.

I installed your DNScrypt GUI and love it, dibdot. Setting up DNScrypt now is easy and intuitive, great work!

1 Like

Hello again,

I think that I just found a bug while using your DNScrypt GUI.

I configured DNScrypt to use three DNS servers and mapped the IP to the ports 5353, 5354 and 5355.
After my first DNS server wasn't available anymore, the others were not used. I had to set a new server for my first DNScrypt instance.

DNSmasq looks like following:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
#option resolvfile '/tmp/'
option nonwildcard '1'
option localservice '1'
option noresolv '1'
option strictorder '1'
list server ''
list server ''
list server ''
list server '/'

Any idea what is the problem here? Thanks!

The new LuCI-GUI works only on /etc/config/dnscrypt-proxy, it didn't make any changes to your dnsmasq configuration. For running Multiple DNSCrypt instances please consult the wiki page

Don't use port 5355, this port is IANA registered for Link-Local Multicast Name Resolution (LLMNR) protocol.
I have same problem & change to 5454 work well.

Hi @dibdot

I think no need resolv-crypt.conf. Just add dnsmasq option "allservers".
The document say: By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.


I noticed this today while compiling an image for my router.
Thanks a lot for this. Do you have a patreon or something like that to donate to you?

note: install is failing on OpenWrt 15.05

Error /usr/sbin/dnscrypt-proxy: can't load library ''

# find / -name *libsodium*


update: now luci-app-dnscrypt-proxy is missing from repo

that's an cc-related dnscrypt-proxy problem, it has nothing todo with the LuCI-frontend.

this package is only available in luci trunk.

Thanks for your work, its really user friendly and beatiful :slight_smile:

One last question: What do I have to do to enable blacklist? I mean, can I add the link to mybase.txt ( ) on the GUI or do I have to upload it through SCP first and then put that local path on the GUI?

The blacklist directive in dnscrypt-proxy is reference to a local file on your router only.