Setup

An init script and configuration file have been provided to run
dnscrypt-wrapper as a daemon. To configure dnscrypt-wrapper, edit
/etc/default/dnscrypt-wrapper with the desired settings. By default
dnscrypt-wrapper will run on 0.0.0.0 (all interfaces), port 53, forwarding DNS
queries to 8.8.8.8:53 (Google's DNS server).

The configuration file is setup to use a dnscrypt user by default, and to
chroot into that user's home directory to maximize security. In order to use
the default configuration you should create a dnscrypt user and group with the
following commands:

    groupadd -g 293 dnscrypt
    useradd -u 293 -g 293 -c "DNSCrypt" -d /run/dnscrypt -s /bin/false dnscrypt

If you decide to use another user you should edit the CHROOTDIR and USER
options in /etc/default/dnscrypt-wrapper (there are example settings provided
for the user 'nobody').

dnscrypt-wrapper requires both provider and cryptographic public and secret
keys, and a provider certificate. These can all be generated manually (see
/usr/doc/dnscrypt-wrapper-@VERSION@/README.md ), or they can be generated
automatically by configuring /etc/default/dnscrypt-wrapper and running

    /etc/rc.d/rc.dnscrypt-wrapper generate-keys
    /etc/rc.d/rc.dnscrypt-wrapper generate-cert

You will need to note the provider key fingerprint(s) when running that
command, since clients will need it for verification.

In order for clients to forward queries through dnscrypt-wrapper, they will
need to run dnscrypt-proxy configured to connect to the server running
dnscrypt-wrapper.

To start dnscrypt-wrapper automatically at system start, add the following to
/etc/rc.d/rc.local:

    if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then
        /etc/rc.d/rc.dnscrypt-wrapper start
    fi

To properly stop dnscrypt-wrapper on system shutdown, add the following to
/etc/rc.d/rc.local_shutdown:

    if [ -x /etc/rc.d/rc.dnscrypt-wrapper ]; then
        /etc/rc.d/rc.dnscrypt-wrapper stop
    fi