Installation on OpenWRT

Frank Denis edited this page Jul 1, 2018 · 19 revisions

Installation on OpenWRT


Download the proper binary from the releases page. Get the right binary for your architecture. If you get a strange parse error later when trying to run the executable file, chances are that you didn't pick the right file for the CPU of your router.

Optional: compress the executable

The dnscrypt-proxy file is quite large, but can be compressed for a massive reduction of its size, from ~12 Mb down to ~2 Mb.

In order to do so, use UPX on any platform (Windows, Linux, macOS...) with the following command:

upx --lzma dnscrypt-proxy

Tweak the example file

Rename example-dnscrypt-proxy.toml to dnscrypt-proxy.toml, and change at least the following line:

listen_addresses = ['', '[::1]:53']

to (notice the IP address change):

listen_addresses = ['']

In order for local host names (.lan) to be resolved, also change

# forwarding_rules = 'forwarding-rules.txt'


forwarding_rules = 'forwarding-rules.txt'

Install the files on the router

Use scp to copy:

  • dnscrypt-proxy to /usr/sbin/
  • The modified dnscrypt-proxy.toml file to /etc/config/
  • This init.d file by @etam saved as /etc/init.d/dnscrypt-proxy.
  • The following content as /etc/config/forwarding-rules.txt:

If your local domain is not .lan, or if you have more, change/add them accordingly in the above file.

Then use ssh to log on the router and type:

chmod +x /usr/sbin/dnscrypt-proxy
chmod +x /etc/init.d/dnscrypt-proxy

Install the ca-bundle package on the router

The ca-bundle package is not installed by default in OpenWRT/LEDE, which will cause issues if not installed.


opkg update
opkg install ca-bundle

Check that the proxy is properly installed


dnscrypt-proxy -config /etc/config/dnscrypt-proxy.toml -check

And watch for possible errors.

Looks good? Start it for real:

/etc/init.d/dnscrypt-proxy enable
/etc/init.d/dnscrypt-proxy start

Configure the LAN interface to use the proxy

Using the LUCI web interface:

Go to Network/Interfaces/LAN and in the Use custom DNS servers field, enter: and hit Save & Apply.

Using the command line:

Edit /etc/config/network to include the following line in the config interface 'lan' section:

option dns ''


config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option ip6assign '60'
        option dns ''

When using the command-line, for the new configuration to be applied, type:

/etc/init.d/network restart

And don't panic (42) if the network appears to be stuck for a couple seconds.

Optional: configure the WAN interface the same way

Go to Network/Interfaces/WAN and in Advanced Settings, uncheck If unchecked, the advertised DNS server addresses are ignored.

In addition to, you may want to enter an additional backup IP here, for example or

Check that your queries are using the proxy:

dnscrypt-proxy -resolve

Make sure that the files you added are backuped

Using the LUCI web interface:

In the System/Backup/Flash page, click the Configuration tab and add the files you uploaded to the list:


Configuration files in /etc/config are automatically saved already.

Using the command line:

Edit /etc/sysupgrade.conf to add files to be included in backups.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.