diff --git a/net/gnunet/Makefile b/net/gnunet/Makefile
index f4833404b..b26aef470 100644
--- a/net/gnunet/Makefile
+++ b/net/gnunet/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2015 OpenWrt.org
+# Copyright (C) 2016 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=gnunet
 PKG_SOURCE_VERSION:=37051
 PKG_VERSION:=0.10.1-svn$(PKG_SOURCE_VERSION)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 # ToDo:
 #  - break-out {peer,name,data}store for each backend
@@ -173,6 +173,12 @@ define Package/gnunet/install
 	$(INSTALL_DATA) ./files/gnunet.upgrade $(1)/lib/upgrade/keep.d/gnunet
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN) ./files/gnunet.defaults $(1)/etc/uci-defaults/gnunet
+	$(INSTALL_BIN) ./files/gnunet-dns.fw $(1)/usr/lib/gnunet/libexec/gnunet-dns.fw
+	$(INSTALL_BIN) ./files/gnunet-proto.sh $(1)/lib/netifd/proto
+endef
+
+define Package/gnunet/conffiles
+/etc/config/gnunet
 endef
 
 define Build/InstallDev
@@ -215,7 +221,7 @@ PLUGIN_fs:=block_fs
 LIBEXEC_fs:=helper-fs-publish service-fs
 CONF_fs:=fs
 
-DEPENDS_gns:=+gnunet-vpn
+DEPENDS_gns:=+gnunet-vpn +iptables-mod-extra
 USERID_gns:=gnunet=400:gnunetdns=401
 BIN_gns:=gns gns-import.sh namecache namestore resolver
 LIB_gns:=gns gnsrecord namecache namestore
@@ -280,7 +286,130 @@ LIB_vpn:=tun vpn
 LIBEXEC_vpn:=daemon-exit daemon-pt helper-exit helper-vpn service-vpn
 CONF_vpn:=exit pt vpn
 
+define PostInstFixSUIDPerms
+  define Package/$(1)/postinst
+  #!/bin/sh
+  [ -e /usr/share/gnunet/.permfix ] && rm /usr/share/gnunet/.permfix
+  endef
+endef
+
+define Package/gnunet-gns/postinst
+#!/bin/sh
+
+[ -e /usr/share/gnunet/.permfix ] && rm /usr/share/gnunet/.permfix
+
+uci -q batch <<EOF
+del network.gnunetdns
+set network.gnunetdns=interface
+set network.gnunetdns.ifname='gnunet-dns'
+set network.gnunetdns.proto='gnunet'
+
+del network.gndnsrtt
+set network.gndnsrtt=route
+set network.gndnsrtt.interface='gnunetdns'
+set network.gndnsrtt.table='53'
+set network.gndnsrtt.target='0.0.0.0/0'
+
+del network.gndnsrl
+set network.gndnsrl=rule
+set network.gndnsrl.mark='0x8260035'
+set network.gndnsrl.lookup='53'
+
+commit network
+
+del firewall.gnunetdns
+set firewall.gnunetdns=zone
+set firewall.gnunetdns.name='gnunetdns'
+set firewall.gnunetdns.network='gnunetdns'
+set firewall.gnunetdns.input='ACCEPT'
+set firewall.gnunetdns.output='ACCEPT'
+set firewall.gnunetdns.forward='ACCEPT'
+
+del firewall.gndnsinc
+set firewall.gndnsinc=include
+set firewall.gndnsinc.path='/usr/lib/gnunet/libexec/gnunet-dns.fw'
+
+commit firewall
+EOF
+
+endef
+
+define Package/gnunet-gns/prerm
+#!/bin/sh
+
+uci -q batch <<EOF
+del network.gnunetdns
+del network.gndnsrtt
+del network.gndnsrl
+commit network
+
+del firewall.gnunetdns
+del firewall.gndnsinc
+commit firewall
+EOF
+
+endef
+
+
+define Package/gnunet-vpn/postinst
+#!/bin/sh
+
+[ -e /usr/share/gnunet/.permfix ] && rm /usr/share/gnunet/.permfix
+
+uci -q batch <<EOF
+del network.gnunetvpn
+set network.gnunetvpn=interface
+set network.gnunetvpn.ifname='vpn-gnunet'
+set network.gnunetvpn.proto='gnunet'
+
+del network.gnunetexit
+set network.gnunetexit=interface
+set network.gnunetexit.ifname='exit-gnunet'
+set network.gnunetexit.proto='gnunet'
+
+commit network
+
+del firewall.gnunetvpn
+set firewall.gnunetvpn=zone
+set firewall.gnunetvpn.name='gnunetvpn'
+set firewall.gnunetvpn.network='gnunetvpn'
+set firewall.gnunetvpn.input='ACCEPT'
+set firewall.gnunetvpn.output='ACCEPT'
+set firewall.gnunetvpn.forward='REJECT'
+
+del firewall.gnunetexit
+set firewall.gnunetexit=zone
+set firewall.gnunetexit.name='gnunetexit'
+set firewall.gnunetexit.network='gnunetexit'
+set firewall.gnunetexit.input='ACCEPT'
+set firewall.gnunetexit.output='ACCEPT'
+set firewall.gnunetexit.forward='REJECT'
+
+del firewall.gnexitfwd
+set firewall.gnexitfwd=forwarding
+set firewall.gnexitfwd.src='gnunetexit'
+set firewall.gnexitfwd.dest='wan'
+
+commit firewall
+EOF
+
+endef
+
+define Package/gnunet-vpn/prerm
+#!/bin/sh
+
+uci -q batch <<EOF
+del network.gnunetvpn
+del network.gnunetexit
+del firewall.gnunetvpn
+del firewall.gnunetexit
+del firewall.gnexitfwd
+EOF
+
+endef
+
 $(eval $(call BuildPackage,gnunet))
+$(eval $(call PostInstFixSUIDPerms,gnunet))
 $(eval $(call BuildComponent,conversation,conversation component,))
 $(eval $(call BuildComponent,datastore,data storage components,))
 $(eval $(call BuildComponent,dv,distance-vector routing component,))
@@ -296,8 +425,10 @@ $(eval $(call BuildComponent,rps,RPS routing component,))
 $(eval $(call BuildComponent,social,social components,))
 $(eval $(call BuildComponent,sqlite,libsqlite3 storage backends,y))
 $(eval $(call BuildComponent,transport-bluetooth,bluetooth transport,))
+$(eval $(call PostInstFixSUIDPerms,gnunet-transport-bluetooth))
 $(eval $(call BuildComponent,transport-http_client,HTTP/HTTPS client transport,y))
 $(eval $(call BuildComponent,transport-http_server,HTTP/HTTPS server transport,))
 $(eval $(call BuildComponent,transport-wlan,WLAN transport,))
+$(eval $(call PostInstFixSUIDPerms,gnunet-transport-wlan))
 $(eval $(call BuildComponent,utils,administration utililties,))
 $(eval $(call BuildComponent,vpn,vpn components,y))
diff --git a/net/gnunet/files/gnunet-dns.fw b/net/gnunet/files/gnunet-dns.fw
new file mode 100755
index 000000000..fb5316723
--- /dev/null
+++ b/net/gnunet/files/gnunet-dns.fw
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+ip link show gnunet-dns 1>/dev/null 2>/dev/null || exit 0
+
+iptables -t mangle -I OUTPUT 1 -p udp -m owner --gid-owner gnunetdns --dport 53 -j ACCEPT
+iptables -t mangle -I OUTPUT 2 -p udp --dport 53 -j MARK --set-mark 136708149
+
diff --git a/net/gnunet/files/gnunet-proto.sh b/net/gnunet/files/gnunet-proto.sh
new file mode 100644
index 000000000..8883f4246
--- /dev/null
+++ b/net/gnunet/files/gnunet-proto.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+# gnunet.sh - GNUnet proto for netifd
+# Copyright (c) 2016 OpenWrt.org
+
+[ -n "$INCLUDE_ONLY" ] || {
+	. /lib/functions.sh
+	. /lib/functions/network.sh
+	. ../netifd-proto.sh
+	init_proto "$@"
+}
+
+proto_gnunet_setup() {
+	local cfg="$1"
+	local iface="$2"
+
+	local ipv4_addr ipv6_addr prefix ipaddr ip6addr
+
+	local configfile="/var/run/gnunet/gnunet.conf"
+	local gnunet_iftype
+
+	for gnit in dns exit vpn; do
+		local i1="$(gnunet-config -c $configfile -s $gnit -o IFNAME 2>/dev/null)"
+		local i2="$(gnunet-config -c $configfile -s $gnit -o TUN_IFNAME 2>/dev/null)"
+		[ "$i1" = "$iface" -o "$i2" = "$iface" ] && gnunet_iftype="$gnit"
+	done
+
+	if [ -z "$iface" -o -z "$gnunet_iftype" ]; then
+		proto_setup_failed "$cfg"
+		return
+	fi
+
+	proto_init_update "$iface" 1
+	ipaddr="$(gnunet-config -c $configfile -s $gnunet_iftype -o IPV4ADDR 2>/dev/null)"
+	ipmask="$(gnunet-config -c $configfile -s $gnunet_iftype -o IPV4MASK 2>/dev/null)"
+	ip6addr="$(gnunet-config -c $configfile -s $gnunet_iftype -o IPV6ADDR 2>/dev/null)"
+	ip6prefix="$(gnunet-config -c $configfile -s $gnunet_iftype -o IPV6PREFIX 2>/dev/null)"
+
+	[ -n "$ipaddr" ]  && proto_add_ipv4_address "$ipaddr" "$ipmask"
+	[ -n "$ip6addr" ] && proto_add_ipv6_address "$ip6addr" "$ip6prefix"
+	proto_send_update "$cfg"
+}
+
+proto_gnunet_teardown() {
+	return
+}
+
+[ -n "$INCLUDE_ONLY" ] || {
+	add_protocol gnunet
+}
+
+
diff --git a/net/gnunet/files/gnunet.defaults b/net/gnunet/files/gnunet.defaults
index 8b769191c..2448d1791 100644
--- a/net/gnunet/files/gnunet.defaults
+++ b/net/gnunet/files/gnunet.defaults
@@ -4,33 +4,33 @@
 
 touch /etc/config/gnunet
 
-uci set gnunet.datastore=gnunet-config
-uci set gnunet.datastore.DATABASE=heap
-uci set gnunet.datastore.QUOTA="4 MB"
+uci batch <<EOF
+set gnunet.datastore=gnunet-config
+set gnunet.datastore.DATABASE=heap
+set gnunet.datastore.QUOTA="4 MB"
 
-uci set gnunet.fs=gnunet-config
-uci set gnunet.fs.CONTENT_PUSHING=NO
-uci set gnunet.fs.CONTENT_CACHING=NO
+set gnunet.fs=gnunet-config
+set gnunet.fs.CONTENT_PUSHING=NO
+set gnunet.fs.CONTENT_CACHING=NO
 
-# limit dhtcache memory usage to 4 MB
-uci set gnunet.dhtcache=gnunet-config
-uci set gnunet.dhtcache.QUOTA="4 MB"
+set gnunet.dhtcache=gnunet-config
+set gnunet.dhtcache.QUOTA="4 MB"
 
-# enable dns2gns
-uci set gnunet.dns2gns=gnunet-config
-uci set gnunet.dns2gns.AUTOSTART=YES
-uci set gnunet.dns2gns.FORCESTART=YES
+set gnunet.dns2gns=gnunet-config
+set gnunet.dns2gns.AUTOSTART=YES
+set gnunet.dns2gns.FORCESTART=YES
 
-# enable v4/v6 protocol translation for EXIT/VPN
-uci set gnunet.pt=gnunet-config
-uci set gnunet.pt.FORCESTART=YES
+set gnunet.pt=gnunet-config
+set gnunet.pt.FORCESTART=YES
 
-uci set gnunet.exit=gnunet-config
-uci set gnunet.exit.AUTOSTART=YES
-uci set gnunet.exit.FORCESTART=YES
+set gnunet.exit=gnunet-config
+set gnunet.exit.AUTOSTART=YES
+set gnunet.exit.FORCESTART=YES
 
-# increase WORKDELAY to something more sane on small CPUs
-uci set gnunet.nse=gnunet-config
-uci set gnunet.nse.WORKDELAY='500 ms'
+set gnunet.nse=gnunet-config
+set gnunet.nse.WORKDELAY='500 ms'
+
+commit gnunet
+
+EOF
 
-uci commit gnunet
diff --git a/net/gnunet/files/gnunet.init b/net/gnunet/files/gnunet.init
old mode 100644
new mode 100755