diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
new file mode 100644
index 000000000..9d1e2b677
--- /dev/null
+++ b/dns/dnscrypt-proxy/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME= dnscrypt-proxy
+PLUGIN_VERSION= 0.1
+PLUGIN_COMMENT= Flexible DNS proxy supportung DNSCrypt and DoH
+PLUGIN_DEPENDS= dnscrypt-proxy2
+PLUGIN_MAINTAINER= m.muenz@gmail.com
+PLUGIN_DEVEL= yes
+
+.include "../../Mk/plugins.mk"
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
new file mode 100644
index 000000000..e5c1bc90d
--- /dev/null
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -0,0 +1,4 @@
+A flexible DNS proxy, with support for modern encrypted DNS protocols
+such as DNSCrypt v2 and DNS-over-HTTPS.
+
+WWW: https://github.com/jedisct1/dnscrypt-proxy
diff --git a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
new file mode 100644
index 000000000..3f3588874
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
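Review bot: `PLUGIN_COMMENT` in dns/dnscrypt-proxy/Makefile misspells "supporting" as "supportung", and this string is what users see next to the plugin name. Change the line to `PLUGIN_COMMENT= Flexible DNS proxy supporting DNSCrypt and DoH`.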
@@ -0,0 +1,55 @@
+
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+function dnscryptproxy_enabled()
+{
+ $model = new \OPNsense\Dnscryptproxy\General();
+ return (string)$model->enabled == '1';
+}
+
+function dnscryptproxy_services()
+{
+ $services = array();
+
+ if (!dnscryptproxy_enabled()) {
+ return $services;
+ }
+
+ $services[] = array(
+ 'description' => gettext('DNSCrypt-Proxy'),
+ 'configd' => array(
+ 'restart' => array('dnscryptproxy restart'),
+ 'start' => array('dnscryptproxy start'),
+ 'stop' => array('dnscryptproxy stop'),
+ ),
+ 'name' => 'dnscrypt-proxy',
+ 'pid' => '/var/run/dnscrypt-proxy.pid'
+ );
+
+ return $services;
+}
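Review bot: `dnscryptproxy_enabled()` compares with `==` although the value has already been cast to a string, so numeric-string juggling still applies (for example `'01'` or `'1.0'` would count as enabled); use the strict form, `return (string)$model->enabled === '1';`. Both functions in this new file also lack a docblock: `/** @return bool true when the General model has the service enabled */` on the first, and a short description of the returned service entry (description, configd actions, name, pid file) on `dnscryptproxy_services()`. The hard-coded `/var/run/dnscrypt-proxy.pid` has to match the path the daemon's start script writes, which is not visible in this hunk.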
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/CloakController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/CloakController.php
new file mode 100644
index 000000000..425e656b6
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/CloakController.php
@@ -0,0 +1,65 @@
+
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Dnscryptproxy\Api;
+
+use \OPNsense\Base\ApiMutableModelControllerBase;
+use \OPNsense\Core\Backend;
+
+class CloakController extends ApiMutableModelControllerBase
+{
+ static protected $internalModelName = 'cloak';
+ static protected $internalModelClass = '\OPNsense\Dnscryptproxy\Cloak';
+
+ public function searchCloakAction()
+ {
+ return $this->searchBase('cloaks.cloak', array("enabled", "name", "destination"));
+ }
+ public function getCloakAction($uuid = null)
+ {
+ $this->sessionClose();
+ return $this->getBase('cloak', 'cloaks.cloak', $uuid);
+ }
+ public function addCloakAction()
+ {
+ return $this->addBase('cloak', 'cloaks.cloak');
+ }
+ public function delCloakAction($uuid)
+ {
+ return $this->delBase('cloaks.cloak', $uuid);
+ }
+ public function setCloakAction($uuid)
+ {
+ return $this->setBase('cloak', 'cloaks.cloak', $uuid);
+ }
+ public function toggleCloakAction($uuid)
+ {
+ return $this->toggleBase('cloaks.cloak', $uuid);
+ }
+}
\ No newline at end of file
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ForwardController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ForwardController.php
new file mode 100644
index 000000000..d6c66bc1a
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ForwardController.php
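Review bot: `use \OPNsense\Core\Backend;` in CloakController.php is never referenced by the class, and the leading backslash on both `use` lines is unnecessary; drop the import and write `use OPNsense\Base\ApiMutableModelControllerBase;`. ForwardController.php and WhitelistController.php repeat the same two lines, and ServiceController.php imports `Backend` and `General` without using either. The class also has no docblock: a short one stating that it exposes search, get, add, delete, set and toggle endpoints for `cloaks.cloak` entries, and that any checking of `$uuid` and of the posted fields is left to the base-class helpers it calls, would tell a reader where to look for the input validation. These four controller files also end without a trailing newline.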
@@ -0,0 +1,65 @@
+
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Dnscryptproxy\Api;
+
+use \OPNsense\Base\ApiMutableModelControllerBase;
+use \OPNsense\Core\Backend;
+
+class ForwardController extends ApiMutableModelControllerBase
+{
+ static protected $internalModelName = 'forward';
+ static protected $internalModelClass = '\OPNsense\Dnscryptproxy\Forward';
+
+ public function searchForwardAction()
+ {
+ return $this->searchBase('forwards.forward', array("enabled", "domain", "dnsserver"));
+ }
+ public function getForwardAction($uuid = null)
+ {
+ $this->sessionClose();
+ return $this->getBase('forward', 'forwards.forward', $uuid);
+ }
+ public function addForwardAction()
+ {
+ return $this->addBase('forward', 'forwards.forward');
+ }
+ public function delForwardAction($uuid)
+ {
+ return $this->delBase('forwards.forward', $uuid);
+ }
+ public function setForwardAction($uuid)
+ {
+ return $this->setBase('forward', 'forwards.forward', $uuid);
+ }
+ public function toggleForwardAction($uuid)
+ {
+ return $this->toggleBase('forwards.forward', $uuid);
+ }
+}
\ No newline at end of file
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/GeneralController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/GeneralController.php
new file mode 100644
index 000000000..7ea282a81
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/GeneralController.php
@@ -0,0 +1,39 @@
+
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Dnscryptproxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+ static protected $internalModelClass = '\OPNsense\Dnscryptproxy\General';
+ static protected $internalModelName = 'general';
+}
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServiceController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServiceController.php
new file mode 100644
index 000000000..14a940bb2
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServiceController.php
@@ -0,0 +1,47 @@
+
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Dnscryptproxy\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Dnscryptproxy\General;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\Dnscrypt-proxy
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+ static protected $internalServiceClass = '\OPNsense\Dnscryptproxy\General';
+ static protected $internalServiceTemplate = 'OPNsense/Dnscryptproxy';
+ static protected $internalServiceEnabled = 'enabled';
+ static protected $internalServiceName = 'dnscryptproxy';
+}
\ No newline at end of file
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/WhitelistController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/WhitelistController.php
new file mode 100644
index 000000000..2df33da72
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/WhitelistController.php
@@ -0,0 +1,65 @@
+
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Dnscryptproxy\Api;
+
+use \OPNsense\Base\ApiMutableModelControllerBase;
+use \OPNsense\Core\Backend;
+
+class WhitelistController extends ApiMutableModelControllerBase
+{
+ static protected $internalModelName = 'whitelist';
+ static protected $internalModelClass = '\OPNsense\Dnscryptproxy\Whitelist';
+
+ public function searchWhitelistAction()
+ {
+ return $this->searchBase('whitelists.whitelist', array("enabled", "name"));
+ }
+ public function getWhitelistAction($uuid = null)
+ {
+ $this->sessionClose();
+ return $this->getBase('whitelist', 'whitelists.whitelist', $uuid);
+ }
+ public function addWhitelistAction()
+ {
+ return $this->addBase('whitelist', 'whitelists.whitelist');
+ }
+ public function delWhitelistAction($uuid)
+ {
+ return $this->delBase('whitelists.whitelist', $uuid);
+ }
+ public function setWhitelistAction($uuid)
+ {
+ return $this->setBase('whitelist', 'whitelists.whitelist', $uuid);
+ }
+ public function toggleWhitelistAction($uuid)
+ {
+ return $this->toggleBase('whitelists.whitelist', $uuid);
+ }
+}
\ No newline at end of file
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/GeneralController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/GeneralController.php
new file mode 100644
index 000000000..e887e0263
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/GeneralController.php
@@ -0,0 +1,41 @@
+
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Dnscryptproxy;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+ public function indexAction()
+ {
+ $this->view->generalForm = $this->getForm("general");
+ $this->view->formDialogEditDnscryptproxyForward = $this->getForm("dialogEditDnscryptproxyForward");
+ $this->view->formDialogEditDnscryptproxyCloak = $this->getForm("dialogEditDnscryptproxyCloak");
+ $this->view->formDialogEditDnscryptproxyWhitelist = $this->getForm("dialogEditDnscryptproxyWhitelist");
+ $this->view->pick('OPNsense/Dnscryptproxy/general');
+ }
+}
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/dialogEditDnscryptproxyCloak.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/dialogEditDnscryptproxyCloak.xml
new file mode 100644
index 000000000..419c8eb87
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/dialogEditDnscryptproxyCloak.xml
@@ -0,0 +1,20 @@
+
+
+ cloak.enabled
+
+ checkbox
+ This will enable or disable this override.
+
+
+ cloak.name
+
+ text
+ Set the name to override, e.g. www.google.*
+
+
+ cloak.destination
+
+ text
+ Set target name to what to resolve.
+
+
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/dialogEditDnscryptproxyForward.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/dialogEditDnscryptproxyForward.xml
new file mode 100644
index 000000000..0ac5cc11e
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/dialogEditDnscryptproxyForward.xml
@@ -0,0 +1,20 @@
+
+
+ forward.enabled
+
+ checkbox
+ This will enable or disable this forward.
+
+
+ forward.domain
+
+ text
+ Set the domain, e.g. example.com
+
+
+ forward.dnsserver
+
+ text
+ Set the IP addresses to forward the domain.
+
+
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/dialogEditDnscryptproxyWhitelist.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/dialogEditDnscryptproxyWhitelist.xml
new file mode 100644
index 000000000..b623288c0
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/dialogEditDnscryptproxyWhitelist.xml
@@ -0,0 +1,14 @@
+
+
+ whitelist.enabled
+
+ checkbox
+ This will enable or disable the whitelist entry.
+
+
+ whitelist.name
+
+ text
+ Set the domain, IP or expression to whitelist, e.g. ads.* or *.example.com
+
+
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
new file mode 100644
index 000000000..d784dbd0b
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
@@ -0,0 +1,154 @@
+
+
+ general.enabled
+
+ checkbox
+ This will activate DNSCrypt-Proxy service.
+
+
+ general.listen_addresses
+
+
+ select_multiple
+ true
+ Set the IP address and port combinations this service should listen on, e.g 127.0.0.1:5353 and/or [::1]:5353
+
+
+ general.max_clients
+
+ text
+ Set the maximum number of simultaneous client connections to accept.
+
+
+ general.ipv4_servers
+
+ checkbox
+ Let DNSCrypt-Proxy use IPv4 enabled servers.
+
+
+ general.ipv6_servers
+
+ checkbox
+ Let DNSCrypt-Proxy use IPv6 enabled servers.
+
+
+ general.dnscrypt_servers
+
+ checkbox
+ Let DNSCrypt-Proxy use servers with DNSCrypt protocol enabled.
+
+
+ general.doh_servers
+
+ checkbox
+ Let DNSCrypt-Proxy use servers with DNS-over-HTTPS protocol enabled.
+
+
+ general.require_dnssec
+
+ checkbox
+ Only use DNS server with DNSSEC enabled.
+
+
+ general.require_nolog
+
+ checkbox
+ Only use DNS server without user request logging.
+
+
+ general.require_nofilter
+
+ checkbox
+ Only use DNS server without own blacklisting. There are many servers deleting ads or with parental control enabled.
+
+
+ general.force_tcp
+
+ checkbox
+ Always use TCP to connect to upstream servers. This can be can be useful if you need to route everything through Tor, otherwise keep it disabled.
+
+
+ general.proxy
+
+ text
+ Use this to route all TCP connections to a local Tor node, format has to be like 127.0.0.1:9050
+
+
+ general.timeout
+
+ text
+ How long a DNS query will wait for a response in milliseconds.
+
+
+ general.keepalive
+
+ text
+ Keepalive for HTTP (HTTPS, HTTP/2) queries in seconds.
+
+
+ general.cert_refresh_delay
+
+ text
+ Delay in minutes after which certificates are reloaded.
+
+
+ general.dnscrypt_ephemeral_keys
+
+ checkbox
+ Create a new, unique key for every single DNS query. This may improve privacy but can also have a significant impact on CPU usage.
+
+
+ general.tls_disable_session_tickets
+
+ checkbox
+ Disable TLS session tickets - increases privacy but also latency.
+
+
+ general.fallback_resolver
+
+ text
+ This is a normal, non-encrypted DNS resolver, that will be only used for one-shot queries when retrieving the initial resolvers list, and only if the system DNS configuration does not work. Format is e.g. 9.9.9.9:53
+
+
+ general.block_ipv6
+
+ checkbox
+ Immediately respond to IPv6-related queries with an empty response. This makes things faster when there is no IPv6 connectivity.
+
+
+ general.cache
+
+ checkbox
+ Enable a DNS cache to reduce latency and outgoing traffic.
+
+
+ general.cache_size
+
+ text
+ Set the cache size.
+
+
+ general.cache_min_ttl
+
+ text
+ Minimum TTL for cached entries.
+
+
+ general.cache_max_ttl
+
+ text
+ Maximum TTL for cached entries.
+
+
+ general.cache_neg_min_ttl
+
+ text
+ Minimum TTL for negatively cached entries.
+
+
+ general.cache_neg_max_ttl
+
+ text
+ Maximum TTL for negatively cached entries.
+
+
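Review bot: The help text for `general.force_tcp` in forms/general.xml repeats words ("This can be can be useful"), and the `general.listen_addresses` help has "e.g" without its period. Suggested wording for the first: `This can be useful if you need to route everything through Tor, otherwise keep it disabled.` The `general.fallback_resolver` help already says the resolver is non-encrypted; it would help operators if it also stated plainly that those bootstrap lookups leave the firewall in cleartext, so the address should be a resolver they are willing to expose them to.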
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/ACL/ACL.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/ACL/ACL.xml
new file mode 100644
index 000000000..424376e1c
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/ACL/ACL.xml
@@ -0,0 +1,9 @@
+
+
+ Services: dnscrypt-proxy
+
+ ui/dnscryptproxy/*
+ api/dnscryptproxy/*
+
+
+
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.php
new file mode 100644
index 000000000..526f7bbb0
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.php
@@ -0,0 +1,31 @@
+
+ All rights reserved.
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Dnscryptproxy;
+
+use OPNsense\Base\BaseModel;
+
+class Cloak extends BaseModel
+{
+}
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.xml
new file mode 100644
index 000000000..fd1c125db
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.xml
@@ -0,0 +1,21 @@
+
+ //OPNsense/dnscryptproxy/cloak
+ dnscrypt-proxy Override configuration
+ 0.1.0
+
+
+
+
+ 1
+ Y
+
+
+ Y
+
+
+ Y
+
+
+
+
+
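Review bot: In Cloak.xml the two entries that follow the enabled flag (presumably `name` and `destination`, going by the form ids) show only a Required `Y`, with no pattern or validation message, so any non-empty string appears to be accepted. The element names are lost in this rendering, so the field types cannot be confirmed; if these are plain text fields, give each a `mask` element limiting it to hostname, wildcard and IP characters, plus a `ValidationMessage`, because the values are presumably rendered by the service template into files the daemon parses. The same applies to the entries in Forward.xml and Whitelist.xml, and in General.xml to the address:port settings (defaults `127.0.0.1:5353,[::1]:5353` and `9.9.9.9:53`, and the one carrying only `N`), which, unlike the numeric settings there, show no range and no message.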
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.php
new file mode 100644
index 000000000..c353ce7d0
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.php
@@ -0,0 +1,31 @@
+
+ All rights reserved.
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Dnscryptproxy;
+
+use OPNsense\Base\BaseModel;
+
+class Forward extends BaseModel
+{
+}
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.xml
new file mode 100644
index 000000000..5632cc3a6
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.xml
@@ -0,0 +1,21 @@
+
+ //OPNsense/dnscryptproxy/forward
+ dnscrypt-proxy Forwarder configuration
+ 0.1.0
+
+
+
+
+ 1
+ Y
+
+
+ Y
+
+
+ Y
+
+
+
+
+
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
new file mode 100644
index 000000000..a10bb4ad9
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
@@ -0,0 +1,35 @@
+
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Dnscryptproxy;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
new file mode 100644
index 000000000..10d7f6abd
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -0,0 +1,133 @@
+
+ //OPNsense/dnscryptproxy/general
+ dnscrypt-proxy configuration
+ 0.1.0
+
+
+ 0
+ Y
+
+
+ 127.0.0.1:5353,[::1]:5353
+ N
+
+
+ 250
+ Y
+ 1
+ 10000
+ Choose a number between 1 and 10000.
+
+
+ 1
+ Y
+
+
+ 0
+ Y
+
+
+ 1
+ Y
+
+
+ 1
+ Y
+
+
+ 0
+ Y
+
+
+ 1
+ Y
+
+
+ 0
+ Y
+
+
+ 0
+ Y
+
+
+ N
+
+
+ 2500
+ Y
+ 100
+ 10000
+ Choose a number between 100 and 10000.
+
+
+ 30
+ Y
+ 1
+ 600
+ Choose a number between 1 and 600.
+
+
+ 240
+ Y
+ 1
+ 3600
+ Choose a number between 1 and 3600.
+
+
+ 0
+ Y
+
+
+ 0
+ Y
+
+
+ 9.9.9.9:53
+ Y
+
+
+ 0
+ Y
+
+
+ 1
+ Y
+
+
+ 512
+ Y
+ 1
+ 20480
+ Choose a number between 1 and 20480.
+
+
+ 600
+ Y
+ 1
+ 3600
+ Choose a number between 1 and 3600.
+
+
+ 86400
+ Y
+ 1
+ 86400
+ Choose a number between 1 and 86400.
+
+
+ 60
+ Y
+ 1
+ 3600
+ Choose a number between 1 and 3600.
+
+
+ 600
+ Y
+ 1
+ 86400
+ Choose a number between 1 and 86400.
+
+
+
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Menu/Menu.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Menu/Menu.xml
new file mode 100644
index 000000000..345c11266
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Menu/Menu.xml
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.php
new file mode 100644
index 000000000..7670f8da0
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.php
@@ -0,0 +1,31 @@ + + All rights reserved. + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +namespace OPNsense\Dnscryptproxy; + +use OPNsense\Base\BaseModel; + +class Whitelist extends BaseModel +{ +} diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml new file mode 100644 index 000000000..13cc2de9a --- /dev/null +++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml @@ -0,0 +1,18 @@ + + //OPNsense/dnscryptproxy/whitelist + dnscrypt-proxy Whitelist configuration + 0.1.0 + + + + + 1 + Y + + + Y + + + + + 
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt new file mode 100644 index 000000000..6bdf106e8 --- /dev/null +++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt @@ -0,0 +1,219 @@ +{# + +OPNsense® is Copyright © 2014 – 2018 by Deciso B.V. +This file is Copyright © 2018 by Michael Muenz +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +#} + + + + +
+
+
+ {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}} +
+
+ +
+
+
+
+ + + + + + + + + + + + + + + + + + +
{{ lang._('Enabled') }}{{ lang._('Domain') }}{{ lang._('DNS Server') }}{{ lang._('ID') }}{{ lang._('Commands') }}
+ +
+
+
+ +

+
+
+
+ + + + + + + + + + + + + + + + + + +
{{ lang._('Enabled') }}{{ lang._('Name') }}{{ lang._('Destination') }}{{ lang._('ID') }}{{ lang._('Commands') }}
+ +
+
+
+ +

+
+
+
+ + + + + + + + + + + + + + + + + +
{{ lang._('Enabled') }}{{ lang._('Name') }}{{ lang._('ID') }}{{ lang._('Commands') }}
+ +
+
+
+ +

+
+
+
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditDnscryptproxyForward,'id':'dialogEditDnscryptproxyForward','label':lang._('Edit Forwarders')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditDnscryptproxyCloak,'id':'dialogEditDnscryptproxyCloak','label':lang._('Edit Overrides')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditDnscryptproxyWhitelist,'id':'dialogEditDnscryptproxyWhitelist','label':lang._('Edit Whitelists')])}}
+
+
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/conf/actions.d/actions_dnscryptproxy.conf b/dns/dnscrypt-proxy/src/opnsense/service/conf/actions.d/actions_dnscryptproxy.conf
new file mode 100644
index 000000000..cbd158b77
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/service/conf/actions.d/actions_dnscryptproxy.conf
@@ -0,0 +1,23 @@
+[start]
+command:/usr/local/etc/rc.d/dnscrypt-proxy start
+parameters:
+type:script
+message:starting dnscrypt-proxy
+
+[stop]
+command:/usr/local/etc/rc.d/dnscrypt-proxy stop
+parameters:
+type:script
+message:stopping dnscrypt-proxy
+
+[restart]
+command:/usr/local/etc/rc.d/dnscrypt-proxy restart
+parameters:
+type:script
+message:restarting dnscrypt-proxy
+
+[status]
+command:/usr/local/etc/rc.d/dnscrypt-proxy status; exit 0
+parameters:
+type:script
+message:restarting dnscrypt-proxy
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/+TARGETS b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/+TARGETS
new file mode 100644
index 000000000..033eed567
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/+TARGETS
@@ -0,0 +1,5 @@
+dnscrypt_proxy:/etc/rc.conf.d/dnscrypt_proxy
+dnscrypt-proxy.toml:/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml
+cloaking-rules.txt:/usr/local/etc/dnscrypt-proxy/cloaking-rules.txt
+forwarding-rules.txt:/usr/local/etc/dnscrypt-proxy/forwarding-rules.txt
+whitelist.txt:/usr/local/etc/dnscrypt-proxy/whitelist.txt
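Review bot: The `[status]` section at the end of the actions_dnscryptproxy.conf hunk reuses `message:restarting dnscrypt-proxy`, which looks like a copy of the `[restart]` entry. If configd records this message when the action runs, every status poll will appear in the service log as a restart, which makes it harder to reconstruct when the resolver really was restarted. I would change that line to `message:requesting dnscrypt-proxy status`. The trailing `; exit 0` on the status command also hides the rc script's exit code; if that is deliberate, a short comment in the commit description saying so would help.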
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/cloaking-rules.txt b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/cloaking-rules.txt
new file mode 100644
index 000000000..02dc106b2
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/cloaking-rules.txt
@@ -0,0 +1,11 @@
+{% if helpers.exists('OPNsense.dnscryptproxy.general.enabled') and OPNsense.dnscryptproxy.general.enabled == '1' %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.cloak.cloaks.cloak') %}
+{% for cloak_list in helpers.toList('OPNsense.dnscryptproxy.cloak.cloaks.cloak') %}
+{% if cloak_list.enabled == '1' %}
+{{ cloak_list.name }} {{ cloak_list.destination }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% endif %}
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
new file mode 100644
index 000000000..eee0fe17d
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
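Review bot: The rule line `{{ cloak_list.name }} {{ cloak_list.destination }}` writes both values verbatim into a file that dnscrypt-proxy parses one rule per line, so its integrity depends entirely on the model rejecting whitespace and line breaks in those fields. The Cloak model is not part of what is visible here, and the field definitions in Forward.xml and Whitelist.xml are not legible in this view, so please confirm each of these fields uses a hostname/network field type or a `Mask` that excludes spaces and newlines. The same applies to `{{ forward_list.domain }} {{ forward_list.dnsserver }}` in forwarding-rules.txt and `{{ whitelist_list.name }}` in whitelist.txt. A one-line template comment such as `{# values are validated by the model; no whitespace or newlines allowed #}` would record that assumption next to the output.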
@@ -0,0 +1,138 @@
+{% if helpers.exists('OPNsense.dnscryptproxy.general.enabled') and OPNsense.dnscryptproxy.general.enabled == '1' %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.listen_addresses') and OPNsense.dnscryptproxy.general.listen_addresses != '' %}
+listen_addresses = [{{ "'" + ("','".join(OPNsense.dnscryptproxy.general.listen_addresses.split(','))) + "'" }}]
+{% else %}
+listen_addresses = []
+{% endif %}
+
+max_clients = {{ OPNsense.dnscryptproxy.general.max_clients }}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.ipv4_servers') and OPNsense.dnscryptproxy.general.ipv4_servers == '1' %}
+ipv4_servers = true
+{% else %}
+ipv4_servers = false
+{% endif %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.ipv6_servers') and OPNsense.dnscryptproxy.general.ipv6_servers == '1' %}
+ipv6_servers = true
+{% else %}
+ipv6_servers = false
+{% endif %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.dnscrypt_servers') and OPNsense.dnscryptproxy.general.dnscrypt_servers == '1' %}
+dnscrypt_servers = true
+{% else %}
+dnscrypt_servers = false
+{% endif %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.doh_servers') and OPNsense.dnscryptproxy.general.doh_servers == '1' %}
+doh_servers = true
+{% else %}
+doh_servers = false
+{% endif %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.require_dnssec') and OPNsense.dnscryptproxy.general.require_dnssec == '1' %}
+require_dnssec = true
+{% else %}
+require_dnssec = false
+{% endif %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.require_nolog') and OPNsense.dnscryptproxy.general.require_nolog == '1' %}
+require_nolog = true
+{% else %}
+require_nolog = false
+{% endif %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.require_nofilter') and OPNsense.dnscryptproxy.general.require_nofilter == '1' %}
+require_nofilter = true
+{% else %}
+require_nofilter = false
+{% endif %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.force_tcp') and OPNsense.dnscryptproxy.general.force_tcp == '1' %}
+force_tcp = true
+{% else %}
+force_tcp = false
+{% endif %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.proxy') and OPNsense.dnscryptproxy.general.proxy != '' %}
+proxy = "socks5://{{ OPNsense.dnscryptproxy.general.proxy }}"
+{% endif %}
+
+timeout = {{ OPNsense.dnscryptproxy.general.timeout }}
+keepalive = {{ OPNsense.dnscryptproxy.general.keepalive }}
+
+log_level = 2
+log_file = 'dnscrypt-proxy.log'
+use_syslog = false
+
+cert_refresh_delay = {{ OPNsense.dnscryptproxy.general.cert_refresh_delay }}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.dnscrypt_ephemeral_keys') and OPNsense.dnscryptproxy.general.dnscrypt_ephemeral_keys == '1' %}
+dnscrypt_ephemeral_keys = true
+{% else %}
+dnscrypt_ephemeral_keys = false
+{% endif %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.tls_disable_session_tickets') and OPNsense.dnscryptproxy.general.tls_disable_session_tickets == '1' %}
+tls_disable_session_tickets = true
+{% else %}
+tls_disable_session_tickets = false
+{% endif %}
+
+fallback_resolver = '{{ OPNsense.dnscryptproxy.general.fallback_resolver }}'
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.ignore_system_dns') and OPNsense.dnscryptproxy.general.ignore_system_dns == '1' %}
+ignore_system_dns = true
+{% else %}
+ignore_system_dns = false
+{% endif %}
+
+netprobe_timeout = 30
+log_files_max_size = 10
+log_files_max_age = 7
+log_files_max_backups = 1
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.block_ipv6') and OPNsense.dnscryptproxy.general.block_ipv6 == '1' %}
+block_ipv6 = true
+{% else %}
+block_ipv6 = false
+{% endif %}
+
+forwarding_rules = 'forwarding-rules.txt'
+cloaking_rules = 'cloaking-rules.txt'
+
+{% if helpers.exists('OPNsense.dnscryptproxy.cache') and OPNsense.dnscryptproxy.cache == '1' %}
+cache = true
+cache_size = {{ OPNsense.dnscryptproxy.general.cache_size }}
+cache_min_ttl = {{ OPNsense.dnscryptproxy.general.cache_min_ttl }}
+cache_max_ttl = {{ OPNsense.dnscryptproxy.general.cache_max_ttl }}
+cache_neg_min_ttl = {{ OPNsense.dnscryptproxy.general.cache_neg_min_ttl }}
+cache_neg_max_ttl = {{ OPNsense.dnscryptproxy.general.cache_neg_max_ttl }}
+{% else %}
+cache = false
+{% endif %}
+
+[query_log]
+ file = 'query.log'
+ format = 'tsv'
+
+[nx_log]
+ file = 'nx.log'
+ format = 'tsv'
+
+[whitelist]
+ whitelist_file = 'whitelist.txt'
+ log_file = 'whitelisted.log'
+ log_format = 'tsv'
+
+[sources]
+ [sources.'public-resolvers']
+ urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
+ cache_file = 'public-resolvers.md'
+ minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+ refresh_delay = 72
+ prefix = ''
+
+{% endif %}
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy
new file mode 100644
index 000000000..d0f6db463
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.dnscryptproxy.general.enabled') and OPNsense.dnscryptproxy.general.enabled == '1' %}
+dnscrypt_proxy_enable="YES"
+{% else %}
+dnscrypt_proxy_enable="NO"
+{% endif %}
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/forwarding-rules.txt b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/forwarding-rules.txt
new file mode 100644
index 000000000..6d13789f8
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/forwarding-rules.txt
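Review bot: The cache block in the dnscrypt-proxy.toml hunk tests `OPNsense.dnscryptproxy.cache`, while every other setting, including the `cache_*` values inside the same block, is read from `OPNsense.dnscryptproxy.general.*`. As written the condition probably never matches, so the file would always render `cache = false` whatever the GUI setting says; I would change it to `{% if helpers.exists('OPNsense.dnscryptproxy.general.cache') and OPNsense.dnscryptproxy.general.cache == '1' %}`. Separately, `proxy`, `fallback_resolver` and the `listen_addresses` items are placed inside quoted TOML strings without escaping, so a quote character or line break in any of them would end the string and could add unintended settings to the resolver configuration. The General.xml element names are not legible in this view, so please confirm those three fields are restricted by the model to host:port syntax.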
@@ -0,0 +1,11 @@
+{% if helpers.exists('OPNsense.dnscryptproxy.general.enabled') and OPNsense.dnscryptproxy.general.enabled == '1' %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.forward.forwards.forward') %}
+{% for forward_list in helpers.toList('OPNsense.dnscryptproxy.forward.forwards.forward') %}
+{% if forward_list.enabled == '1' %}
+{{ forward_list.domain }} {{ forward_list.dnsserver }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% endif %}
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/whitelist.txt b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/whitelist.txt
new file mode 100644
index 000000000..89d428055
--- /dev/null
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/whitelist.txt
@@ -0,0 +1,11 @@
+{% if helpers.exists('OPNsense.dnscryptproxy.general.enabled') and OPNsense.dnscryptproxy.general.enabled == '1' %}
+
+{% if helpers.exists('OPNsense.dnscryptproxy.whitelist.whitelists.whitelist') %}
+{% for whitelist_list in helpers.toList('OPNsense.dnscryptproxy.whitelist.whitelists.whitelist') %}
+{% if whitelist_list.enabled == '1' %}
+{{ whitelist_list.name }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% endif %}