# OpenVPN + Dnscrypt panic

## yx681745

Hello, I used OpenDNS + DNSCrypt on Windows and it works well enough to bypass the China firewall.

However, when I tried to follow the guide https://wiki.installgentoo.com/index.php/DNSCrypt and merged the Dnscrypt-2.00 package and tried to start dnscrypt-proxy, it said it can't find dnscrypt.toml.

Also, I use NetworkManager. Even after disabling it from writing resolv.conf, the configuration is still a huge panic.

How can I get the right configuration to get DNSCrypt and OpenDNS to work?

----------

## kiksen

Hi.

You find the dnscrypt-proxy configuration in /etc/dnscrypt-proxy/dnscrypt-proxy.toml

If you want to restrict it to only using OpenDNS, you need to add a line with:

```
server_names = ['cisco']
```

 (or uncomment and edit the existing line). It's line 25 in my file.

'cisco' is the name for OpenDNS in dnscrypt-proxy.

You can see the list of servers and their names here: 

https://github.com/dyne/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

----------

## n05ph3r42

 *yx681745 wrote:*   

> Hello, I used OpenDNS + DNSCrypt on Windows and it works well enough to bypass the China firewall.
> 
> However, when I tried to follow the guide https://wiki.installgentoo.com/index.php/DNSCrypt and merged the Dnscrypt-2.00 package and tried to start dnscrypt-proxy, it said it can't find dnscrypt.toml.
> 
> Also, I use NetworkManager. Even after disabling it from writing resolv.conf, the configuration is still a huge panic.
> ...

 

Check this https://forums.gentoo.org/viewtopic-t-1076052.html and this https://forums.gentoo.org/viewtopic-t-1075746.html

BTW, beware that even with dnscrypt-proxy the browser still leaks the domain name via the SNI extension, even though it runs over HTTPS.

----------

## n05ph3r42

Ah, as for  *Quote:*   

> cant find dnscrypt.toml

  - by default dnscrypt-proxy 2.0 looks for the cfg in the current dir (not like v.1; I even reported a bug, but the devs say that I should specify the config via a parameter, and that is not a bug), so you should run it after

```
cd /etc/dnscrypt-proxy/
```

 or specify cfg in cmd line.

----------

## Hu

 *n05ph3r42 wrote:*   

> BTW, beware that even with dnscrypt-proxy the browser still leaks the domain name via the SNI extension, even though it runs over HTTPS.

 Although true, there was a similar problem before SNI was widely used.  Prior to use of SNI, servers had to guess which certificate to send.  The CN of the sent certificate would be visible in the clear.  If you care about name privacy, you cannot allow an attacker to observe any TCP traffic between you and the server.

----------

