dnscrypt-proxy is broken from a permissions error.

[unlockedmutex]

the dnscrypt-proxy installed from the PPA does not work on a vanilla Ubuntu 18.04 install. running systemctl restart dnscrypt-proxy running journalctl -u dnscrypt-proxy shows

Apr 18 08:08:00 systemd[1]: Started DNSCrypt-proxy client.
Apr 18 08:08:00 systemd[11879]: dnscrypt-proxy.service: Failed to execute command: Operation not permitted
Apr 18 08:08:00 systemd[11879]: dnscrypt-proxy.service: Failed at step EXEC spawning /usr/bin/dnscrypt-proxy: Operation not permitted
Apr 18 08:08:00 systemd[1]: dnscrypt-proxy.service: Main process exited, code=exited, status=203/EXEC
Apr 18 08:08:00 systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'.

To Reproduce

Steps to reproduce the behavior: run ./algo. It causes no issues with dns_encryption set to false but setting it to true makes clients not able to make any requests.

Expected behavior

This shouldn't fail, and dnscrypt-proxy should run

Additional context

Add any other context about the problem here.

Full log

PUT THE OUTPUT HERE
[WARNING]: Could not match supplied host pattern, ignoring: vpn-host

PLAY [localhost] **********************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************
ok: [localhost]

TASK [Playbook dir stat] **************************************************************************************************************************
ok: [localhost]

TASK [Ensure Ansible is not being run in a world writable directory] ******************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Ensure the requirements installed] **********************************************************************************************************
ok: [localhost]

TASK [Set required ansible version as a fact] *****************************************************************************************************
ok: [localhost] => (item=ansible==2.8.8)

TASK [Verify Python meets Algo VPN requirements] **************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] *************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

PLAY [Ask user for the input] *********************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Microsoft Azure
    5. Google Compute Engine
    6. Hetzner Cloud
    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Install to existing Ubuntu 18.04 or 19.10 server (for more advanced users)

Enter the number of your desired provider
:

TASK [Cloud prompt] *******************************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:

TASK [Cellular On Demand prompt] ******************************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:

TASK [Wi-Fi On Demand prompt] *********************************************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:

TASK [Trusted Wi-Fi networks prompt] **************************************************************************************************************
ok: [localhost]
[Retain the PKI prompt]
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
[y/N]
:

TASK [Retain the PKI prompt] **********************************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to enable DNS ad blocking on this VPN server?
[y/N]
:

TASK [DNS adblocking prompt] **********************************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:

TASK [SSH tunneling prompt] ***********************************************************************************************************************
ok: [localhost]

TASK [Set facts based on the input] ***************************************************************************************************************
ok: [localhost]

PLAY [Provision the server] ***********************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 18.04.4 LTS (Virtualized: lxc)
Created from git clone. Last commit: c231cd4 Bump ansible from 2.8.3 to 2.8.8 (#1736)
Python 3.6.9
Runtime variables:
    algo_provider "local"
    algo_ondemand_cellular "True"
    algo_ondemand_wifi "True"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_dns_adblocking "False"
    algo_ssh_tunneling "True"
    wireguard_enabled "True"
    dns_encryption "False"

TASK [Display the invocation environment] *********************************************************************************************************
changed: [localhost -> localhost]

TASK [Install the requirements] *******************************************************************************************************************
ok: [localhost -> localhost]
[local : pause]
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:

TASK [local : pause] ******************************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] **********************************************************************************************************************
ok: [localhost]
[local : pause]
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
[localhost]
:

TASK [local : pause] ******************************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] **********************************************************************************************************************
ok: [localhost]

TASK [Set subjectAltName as a fact] ***************************************************************************************************************
ok: [localhost]

TASK [Add the server to an inventory group] *******************************************************************************************************
changed: [localhost]

TASK [debug] **************************************************************************************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "*******"
}
[WARNING]: Reset is not implemented for this connection

TASK [Wait 600 seconds for target connection to become reachable/usable] **************************************************************************
ok: [localhost -> localhost] => (item=localhost)

PLAY [Configure the server and install required software] *****************************************************************************************

TASK [common : Check the system] ******************************************************************************************************************
ok: [localhost]
included: /root/algo/roles/common/tasks/ubuntu.yml for localhost

TASK [common : Gather facts] **********************************************************************************************************************
ok: [localhost]

TASK [common : Install unattended-upgrades] *******************************************************************************************************
ok: [localhost]

TASK [common : Configure unattended-upgrades] *****************************************************************************************************
ok: [localhost]

TASK [common : Periodic upgrades configured] ******************************************************************************************************
ok: [localhost]

TASK [common : Disable MOTD on login and SSHD] ****************************************************************************************************
ok: [localhost] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/login'})
ok: [localhost] => (item={'regexp': '^session.*optional.*pam_motd.so.*', 'line': '# MOTD DISABLED', 'file': '/etc/pam.d/sshd'})

TASK [common : Loopback for services configured] **************************************************************************************************
ok: [localhost]

TASK [common : systemd services enabled and started] **********************************************************************************************
ok: [localhost] => (item=systemd-networkd)
ok: [localhost] => (item=systemd-resolved)

TASK [common : Check apparmor support] ************************************************************************************************************
ok: [localhost]

TASK [common : Set fact if apparmor enabled] ******************************************************************************************************
ok: [localhost]

TASK [common : Define facts] **********************************************************************************************************************
ok: [localhost]

TASK [common : Set facts] *************************************************************************************************************************
ok: [localhost]

TASK [common : Set IPv6 support as a fact] ********************************************************************************************************
ok: [localhost]

TASK [common : Check size of MTU] *****************************************************************************************************************
ok: [localhost]

TASK [common : Set OS specific facts] *************************************************************************************************************
ok: [localhost]

TASK [common : Install tools] *********************************************************************************************************************
ok: [localhost]

TASK [common : Install headers] *******************************************************************************************************************
ok: [localhost]
included: /root/algo/roles/common/tasks/iptables.yml for localhost

TASK [common : Iptables configured] ***************************************************************************************************************
ok: [localhost] => (item={'src': 'rules.v4.j2', 'dest': '/etc/iptables/rules.v4'})

TASK [common : Iptables configured] ***************************************************************************************************************
ok: [localhost] => (item={'src': 'rules.v6.j2', 'dest': '/etc/iptables/rules.v6'})

TASK [common : Sysctl tuning] *********************************************************************************************************************
ok: [localhost] => (item={'item': 'net.ipv4.ip_forward', 'value': 1})
ok: [localhost] => (item={'item': 'net.ipv4.conf.all.forwarding', 'value': 1})
ok: [localhost] => (item={'item': 'net.ipv6.conf.all.forwarding', 'value': 1})
[WARNING]: flush_handlers task does not support when conditional

TASK [wireguard : Ensure the required directories exist] ******************************************************************************************
ok: [localhost -> localhost] => (item=configs/*****/wireguard//.pki//preshared)
ok: [localhost -> localhost] => (item=configs/*****/wireguard//.pki//private)
ok: [localhost -> localhost] => (item=configs/*****/wireguard//.pki//public)
ok: [localhost -> localhost] => (item=configs/*****/wireguard//apple/ios)
ok: [localhost -> localhost] => (item=configs/*****/wireguard//apple/macos)
included: /root/algo/roles/wireguard/tasks/ubuntu.yml for localhost

TASK [wireguard : WireGuard repository configured] ************************************************************************************************
ok: [localhost]

TASK [wireguard : WireGuard installed] ************************************************************************************************************
ok: [localhost]

TASK [wireguard : WireGuard reload-module-on-update] **********************************************************************************************
changed: [localhost]

TASK [wireguard : Configure unattended-upgrades] **************************************************************************************************
ok: [localhost]

TASK [wireguard : Set OS specific facts] **********************************************************************************************************
ok: [localhost]

TASK [wireguard : Generate private keys] **********************************************************************************************************
ok: [localhost] => (item=phone)
ok: [localhost] => (item=laptop)
ok: [localhost] => (item=desktop)
ok: [localhost] => (item=*****)

TASK [wireguard : Generate preshared keys] ********************************************************************************************************
ok: [localhost] => (item=phone)
ok: [localhost] => (item=laptop)
ok: [localhost] => (item=desktop)
ok: [localhost] => (item=*****)

TASK [wireguard : Generate public keys] ***********************************************************************************************************
ok: [localhost] => (item=phone)
ok: [localhost] => (item=laptop)
ok: [localhost] => (item=desktop)
ok: [localhost] => (item=*****)

TASK [wireguard : Save public keys] ***************************************************************************************************************
ok: [localhost -> localhost] => (item=None)
ok: [localhost -> localhost] => (item=None)
ok: [localhost -> localhost] => (item=None)
ok: [localhost -> localhost] => (item=None)
ok: [localhost]

TASK [wireguard : WireGuard user list updated] ****************************************************************************************************
ok: [localhost -> localhost] => (item=phone)
ok: [localhost -> localhost] => (item=laptop)
ok: [localhost -> localhost] => (item=desktop)

TASK [wireguard : set_fact] ***********************************************************************************************************************
ok: [localhost -> localhost]

TASK [wireguard : WireGuard users config generated] ***********************************************************************************************
changed: [localhost -> localhost] => (item=[0, 'phone'])
changed: [localhost -> localhost] => (item=[1, 'laptop'])
changed: [localhost -> localhost] => (item=[2, 'desktop'])
included: /root/algo/roles/wireguard/tasks/mobileconfig.yml for localhost
included: /root/algo/roles/wireguard/tasks/mobileconfig.yml for localhost

TASK [wireguard : WireGuard apple mobileconfig generated] *****************************************************************************************
changed: [localhost -> localhost] => (item=[0, 'phone'])
changed: [localhost -> localhost] => (item=[1, 'laptop'])
changed: [localhost -> localhost] => (item=[2, 'desktop'])

TASK [wireguard : WireGuard apple mobileconfig generated] *****************************************************************************************
changed: [localhost -> localhost] => (item=[0, 'phone'])
changed: [localhost -> localhost] => (item=[1, 'laptop'])
changed: [localhost -> localhost] => (item=[2, 'desktop'])

TASK [wireguard : Generate QR codes] **************************************************************************************************************
ok: [localhost -> localhost] => (item=[0, 'phone'])
ok: [localhost -> localhost] => (item=[1, 'laptop'])
ok: [localhost -> localhost] => (item=[2, 'desktop'])

TASK [wireguard : WireGuard configured] ***********************************************************************************************************
ok: [localhost]

TASK [wireguard : WireGuard enabled and started] **************************************************************************************************
ok: [localhost]
included: /root/algo/roles/strongswan/tasks/ubuntu.yml for localhost

TASK [strongswan : Set OS specific facts] *********************************************************************************************************
ok: [localhost]

TASK [strongswan : Ubuntu | Install strongSwan] ***************************************************************************************************
ok: [localhost]

TASK [strongswan : Ubuntu | Charon profile for apparmor configured] *******************************************************************************
ok: [localhost]

TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] ****************************************************************************************
ok: [localhost] => (item=/usr/lib/ipsec/charon)
ok: [localhost] => (item=/usr/lib/ipsec/lookip)
ok: [localhost] => (item=/usr/lib/ipsec/stroke)

TASK [strongswan : Ubuntu | Enable services] ******************************************************************************************************
ok: [localhost] => (item=apparmor)
ok: [localhost] => (item=strongswan)
ok: [localhost] => (item=netfilter-persistent)

TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exists] ******************************************************************
ok: [localhost]

TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] ********************************************************************
ok: [localhost]

TASK [strongswan : Ensure that the strongswan user exists] ****************************************************************************************
ok: [localhost]

TASK [strongswan : Install strongSwan] ************************************************************************************************************
ok: [localhost]

TASK [strongswan : Setup the config files from our templates] *************************************************************************************
ok: [localhost] => (item={'src': 'strongswan.conf.j2', 'dest': 'strongswan.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
changed: [localhost] => (item={'src': 'ipsec.conf.j2', 'dest': 'ipsec.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})
ok: [localhost] => (item={'src': 'ipsec.secrets.j2', 'dest': 'ipsec.secrets', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
ok: [localhost] => (item={'src': 'charon.conf.j2', 'dest': 'strongswan.d/charon.conf', 'owner': 'root', 'group': 'root', 'mode': '0644'})

TASK [strongswan : Get loaded plugins] ************************************************************************************************************
ok: [localhost]

TASK [strongswan : Disable unneeded plugins] ******************************************************************************************************
ok: [localhost] => (item=attr)
ok: [localhost] => (item=constraints)
ok: [localhost] => (item=dnskey)
ok: [localhost] => (item=fips-prf)
ok: [localhost] => (item=gmp)
ok: [localhost] => (item=md4)
ok: [localhost] => (item=md5)
ok: [localhost] => (item=mgf1)
ok: [localhost] => (item=pkcs1)
ok: [localhost] => (item=rc2)
ok: [localhost] => (item=resolve)
ok: [localhost] => (item=sha1)
ok: [localhost] => (item=sshkey)
ok: [localhost] => (item=xcbc)
ok: [localhost] => (item=aesni)
ok: [localhost] => (item=agent)
ok: [localhost] => (item=connmark)
ok: [localhost] => (item=eap-mschapv2)
ok: [localhost] => (item=xauth-generic)
ok: [localhost] => (item=bypass-lan)
ok: [localhost] => (item=counters)
ok: [localhost] => (item=updown)

TASK [strongswan : Ensure that required plugins are enabled] **************************************************************************************
ok: [localhost] => (item=aes)
ok: [localhost] => (item=hmac)
ok: [localhost] => (item=kernel-netlink)
ok: [localhost] => (item=nonce)
ok: [localhost] => (item=pem)
ok: [localhost] => (item=pgp)
ok: [localhost] => (item=pkcs12)
ok: [localhost] => (item=pkcs7)
ok: [localhost] => (item=pkcs8)
ok: [localhost] => (item=pubkey)
ok: [localhost] => (item=random)
ok: [localhost] => (item=revocation)
ok: [localhost] => (item=sha2)
ok: [localhost] => (item=x509)
ok: [localhost] => (item=gcm)
ok: [localhost] => (item=openssl)
ok: [localhost] => (item=socket-default)
ok: [localhost] => (item=stroke)

TASK [strongswan : debug] *************************************************************************************************************************
ok: [localhost -> localhost] => {
    "subjectAltName": "IP:*****"
}

TASK [strongswan : Ensure the pki directories exist] **********************************************************************************************
changed: [localhost -> localhost] => (item=ecparams)
changed: [localhost -> localhost] => (item=certs)
ok: [localhost -> localhost] => (item=crl)
ok: [localhost -> localhost] => (item=newcerts)
changed: [localhost -> localhost] => (item=private)
changed: [localhost -> localhost] => (item=public)
changed: [localhost -> localhost] => (item=reqs)

TASK [strongswan : Ensure the config directories exist] *******************************************************************************************
changed: [localhost -> localhost] => (item=apple)
changed: [localhost -> localhost] => (item=manual)

TASK [strongswan : Ensure the files exist] ********************************************************************************************************
changed: [localhost -> localhost] => (item=.rnd)
changed: [localhost -> localhost] => (item=private/.rnd)
changed: [localhost -> localhost] => (item=index.txt)
changed: [localhost -> localhost] => (item=index.txt.attr)
changed: [localhost -> localhost] => (item=serial)

TASK [strongswan : Generate the openssl server configs] *******************************************************************************************
ok: [localhost -> localhost]

TASK [strongswan : Build the CA pair] *************************************************************************************************************
ok: [localhost -> localhost]

TASK [strongswan : Copy the CA certificate] *******************************************************************************************************
ok: [localhost -> localhost]

TASK [strongswan : Generate the serial number] ****************************************************************************************************
ok: [localhost -> localhost]

TASK [strongswan : Build the server pair] *********************************************************************************************************
ok: [localhost -> localhost]

TASK [strongswan : Build the client's pair] *******************************************************************************************************
ok: [localhost -> localhost] => (item=phone)
ok: [localhost -> localhost] => (item=laptop)
ok: [localhost -> localhost] => (item=desktop)

TASK [strongswan : Build openssh public keys] *****************************************************************************************************
ok: [localhost -> localhost] => (item=phone)
ok: [localhost -> localhost] => (item=laptop)
ok: [localhost -> localhost] => (item=desktop)

TASK [strongswan : Build the client's p12] ********************************************************************************************************
changed: [localhost -> localhost] => (item=phone)
changed: [localhost -> localhost] => (item=laptop)
changed: [localhost -> localhost] => (item=desktop)

TASK [strongswan : Build the client's p12 with the CA cert included] ******************************************************************************
changed: [localhost -> localhost] => (item=phone)
changed: [localhost -> localhost] => (item=laptop)
changed: [localhost -> localhost] => (item=desktop)

TASK [strongswan : Copy the p12 certificates] *****************************************************************************************************
changed: [localhost -> localhost] => (item=phone)
changed: [localhost -> localhost] => (item=laptop)
changed: [localhost -> localhost] => (item=desktop)

TASK [strongswan : Get active users] **************************************************************************************************************
changed: [localhost -> localhost]

TASK [strongswan : Copy the keys to the strongswan directory] *************************************************************************************
ok: [localhost] => (item={'src': 'cacert.pem', 'dest': 'cacerts/ca.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
ok: [localhost] => (item={'src': 'certs/*****.crt', 'dest': 'certs/*****.crt', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})
ok: [localhost] => (item={'src': 'private/*****.key', 'dest': 'private/*****.key', 'owner': 'strongswan', 'group': 'root', 'mode': '0600'})

TASK [strongswan : Register p12 PayloadContent] ***************************************************************************************************
ok: [localhost -> localhost] => (item=phone)
ok: [localhost -> localhost] => (item=laptop)
ok: [localhost -> localhost] => (item=desktop)

TASK [strongswan : Set facts for mobileconfigs] ***************************************************************************************************
ok: [localhost -> localhost]

TASK [strongswan : Build the mobileconfigs] *******************************************************************************************************
changed: [localhost -> localhost] => (item=None)
changed: [localhost -> localhost] => (item=None)
changed: [localhost -> localhost] => (item=None)
changed: [localhost]

TASK [strongswan : Build the client ipsec config file] ********************************************************************************************
changed: [localhost -> localhost] => (item=phone)
changed: [localhost -> localhost] => (item=laptop)
changed: [localhost -> localhost] => (item=desktop)

TASK [strongswan : Build the client ipsec secret file] ********************************************************************************************
changed: [localhost -> localhost] => (item=phone)
changed: [localhost -> localhost] => (item=laptop)
changed: [localhost -> localhost] => (item=desktop)

TASK [strongswan : Restrict permissions for the local private directories] ************************************************************************
ok: [localhost -> localhost]

TASK [strongswan : strongSwan started] ************************************************************************************************************
ok: [localhost]

RUNNING HANDLER [strongswan : restart strongswan] *************************************************************************************************
changed: [localhost]

TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] ***********************************************************************
ok: [localhost]

TASK [ssh_tunneling : Ensure that the algo group exist] *******************************************************************************************
ok: [localhost]

TASK [ssh_tunneling : Ensure that the jail directory exist] ***************************************************************************************
ok: [localhost]

TASK [ssh_tunneling : Ensure that the SSH users exist] ********************************************************************************************
ok: [localhost] => (item=phone)
ok: [localhost] => (item=laptop)
ok: [localhost] => (item=desktop)

TASK [ssh_tunneling : Ensure the config directories exist] ****************************************************************************************
changed: [localhost -> localhost]

TASK [ssh_tunneling : Check if the private keys exist] ********************************************************************************************
ok: [localhost -> localhost] => (item=phone)
ok: [localhost -> localhost] => (item=laptop)
ok: [localhost -> localhost] => (item=desktop)

TASK [ssh_tunneling : Build the client ssh config] ************************************************************************************************
ok: [localhost -> localhost] => (item=phone)
ok: [localhost -> localhost] => (item=laptop)
ok: [localhost -> localhost] => (item=desktop)

TASK [ssh_tunneling : The authorized keys file created] *******************************************************************************************
ok: [localhost] => (item=phone)
ok: [localhost] => (item=laptop)
ok: [localhost] => (item=desktop)

TASK [ssh_tunneling : Get active users] ***********************************************************************************************************
ok: [localhost]

TASK [ssh_tunneling : Delete non-existing users] **************************************************************************************************
ok: [localhost] => (item=)

TASK [Dump the configuration] *********************************************************************************************************************
changed: [localhost -> localhost]

TASK [Create a symlink if deploying to localhost] *************************************************************************************************
ok: [localhost]

TASK [debug] **************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"",
            "\"#                     Your Algo server is running.                     #\"",
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
            "\"#              Go to https://whoer.net/ after connecting               #\"",
            "\"#        and ensure that all your traffic passes through the VPN.      #\"",
            "\"#                     Local DNS resolver 172.24.198.122, fd00::8:c67a                   #\"",
            ""
        ],
        "    \"#        The p12 and SSH keys password for new users is eUpMHQtsc       #\"\n",
        "    \"#        The CA key password is 4J1X_A0LDMSVs5kv       #\"\n",
        "    "
    ]
}

PLAY RECAP ****************************************************************************************************************************************
localhost                  : ok=122  changed=20   unreachable=0    failed=0    skipped=50   rescued=0    ignored=0

[davidemyers]

Algo running on: Ubuntu 18.04.4 LTS (Virtualized: lxc)

Are you using the recently added support for virtual machines in LXD?

[unlockedmutex]

Are you using the recently added support for virtual machines in LXD?

I have no idea, I'm trying to run Algo on a VPS somewhere. I didn't think virtualization would be causing the issue, but if that's the case this should be more a dnscrypt-proxy ticket than an algo one.

[davidemyers]

When you said you were using a "vanilla" install I assumed you installed it yourself. Cloud providers often modify their images and some of them break things.

Try a different cloud provider.