Setting up a DNSCrypt server on Debian 9

Environment: Debian 9 sid
Updated: added the basic gcc C compiler for a fresh install environment

DNSCrypt server installation

$ apt install libevent-dev autoconf make libsodium-dev build-essential
$ git clone git://
$ cd dnscrypt-wrapper
$ make configure
$ ./configure
$ make install

Generate the SSL key, public key, private key and cert

$ mkdir ~/dnscrypt-key
$ cd ~/dnscrypt-key/
$ dnscrypt-wrapper --gen-provider-keypair \
  --provider-name=2.dnscrypt-cert.<yourdomain> --ext-address=<external server ip> --dnssec --nolog

* If your server doesn't store logs, add --nolog and if it supports DNSSEC, add --dnssec.
This will create two files in the current directory: public.key and secret.key.

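// Generate the SSL key (despite the file name, this is the DNSCrypt short-term secret key used to encrypt queries, not a TLS key)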
$ dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=./ssl.key

// Generate Cert
$ dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=./ssl.key \
  --provider-publickey-file=./public.key --provider-secretkey-file=./secret.key \
  --cert-file-expire-days=365 --provider-cert-file=ssl.cert

If you forget your public key, run this command:

$ dnscrypt-wrapper --show-provider-publickey --provider-publickey-file ./public.key

Add the generated TXT to your DNS records

I will add this TXT into my Cloudflare DNS record

If you forget the TXT record, you can print it again with this command:

$ dnscrypt-wrapper -r --crypt-secretkey-file=ssl.key --provider-cert-file=ssl.cert --show-provider-publickey-dns-records

Start the server

Before you start the server, make sure the necessary files are already in your dnscrypt-key folder.

Four files are necessary: public.key, secret.key, ssl.key and ssl.cert.

// IPv4
$ dnscrypt-wrapper -d -r -a --crypt-secretkey-file=ssl.key --provider-cert-file=ssl.cert -VVV

// IPv6
$ dnscrypt-wrapper -d -r -a [::]:8443 --crypt-secretkey-file=ssl.key --provider-cert-file=ssl.cert -VVV
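
A pre-flight check for the key directory built above, as an added example that is not part of the original post or of dnscrypt-wrapper: it confirms the four files exist, that secret.key and ssl.key are not accessible to group or others, and reads the expiry out of ssl.cert. It assumes ssl.cert is the raw 124-byte DNSCrypt certificate with the big-endian ts-end field in its last 4 bytes; the function names and the 30-day threshold are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of the key directory before starting
# dnscrypt-wrapper. Assumptions (not from the page): ssl.cert is the raw
# 124-byte DNSCrypt certificate whose last 4 bytes are the big-endian
# ts-end (expiry) field, and 30 days is the renewal warning threshold.

# Print the certificate's expiry as a Unix timestamp; fail if malformed.
cert_expiry() {
    [ "$(wc -c < "$1" | tr -d ' ')" = 124 ] || return 1
    [ "$(head -c 4 "$1")" = "DNSC" ] || return 1
    set -- $(od -An -tu1 -j120 -N4 "$1")
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# $1 = key directory, $2 = current Unix time (defaults to now).
# Returns 0 only when all four files exist, the secret keys are
# owner-only, and the certificate has at least 30 days left.
check_keydir() {
    dir=$1; now=${2:-$(date +%s)}; rc=0
    for f in public.key secret.key ssl.key ssl.cert; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done
    for f in secret.key ssl.key; do
        [ -f "$dir/$f" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ld "$dir/$f" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "$f: open beyond owner, chmod 600"; rc=1; }
    done
    if [ -f "$dir/ssl.cert" ]; then
        end=$(cert_expiry "$dir/ssl.cert") ||
            { echo "ssl.cert: not a DNSCrypt certificate"; return 1; }
        left=$(( (end - now) / 86400 ))
        [ "$left" -ge 30 ] || { echo "ssl.cert: $left days left, regenerate"; rc=1; }
    fi
    return $rc
}

# Usage: sh check_keydir.sh ~/dnscrypt-key
[ $# -eq 0 ] || check_keydir "$@"
```

Run it from cron as well as before startup: with --cert-file-expire-days=365 the certificate stops being accepted by clients a year after it was generated.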

