Setup An init script and configuration file have been provided to run dnscrypt-wrapper as a daemon. To configure dnscrypt-wrapper, edit /etc/default/dnscrypt-wrapper with the desired settings. By default dnscrypt-wrapper will run on 0.0.0.0 (all interfaces), port 53, forwarding DNS queries to 8.8.8.8:53 (Google's DNS server). The configuration file is setup to use a dnscrypt user by default, and to chroot into that user's home directory to maximize security. In order to use the default configuration you should create a dnscrypt user and group with the following commands: groupadd -g 293 dnscrypt useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt If you decide to use another user you should edit the CHROOTDIR and USER options in /etc/default/dnscrypt-wrapper (there are example settings provided for the user 'nobody'). dnscrypt-wrapper requires both provider and cryptographic public and secret keys, and a provider certificate. These can all be generated manually (see /usr/doc/dnscrypt-wrapper-@VERSION@/README.md ), or they can be generated automatically by configuring /etc/default/dnscrypt-wrapper and running /etc/rc.d/rc.dnscrypt-wrapper generate-keys /etc/rc.d/rc.dnscrypt-wrapper generate-cert You will need to note the provider key fingerprint(s) when running that command, since clients will need it for verification. In order for clients to forward queries through dnscrypt-wrapper, they will need to run dnscrypt-proxy configured to connect to the server running dnscrypt-wrapper. To start dnscrypt-wrapper automatically at system start, add the following to /etc/rc.d/rc.local: if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then /etc/rc.d/rc.dnscrypt-wrapper start fi To properly stop dnscrypt-wrapper on system shutdown, add the following to /etc/rc.d/rc.local_shutdown: if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then /etc/rc.d/rc.dnscrypt-wrapper stop fi