Unbound DNS VPN Client w/policy rules


Markster

Senior Member
I have been using Unbound DNS for a long time as my primary DNS on my local network. Some of my client devices use NordVPN with Unbound as DNS.
I have been wondering recently if Unbound can be configured so all DNS traffic for those specific VPN devices traverses the VPN interface/tunnel.
As I was reading the Unbound documentation, it is possible to specify multiple interfaces in unbound.conf. One of these can be the VPN interface. We can also force VPN clients to use a specific DNS IP/interface declared in the VPN client configuration. It got me thinking, but I have not experimented with it yet.
Looking for ideas and feedback if this is even possible.

-cheers
 

kernol

Very Senior Member
You have placed this thread in the wrong sub-forum. All "add-ons" like unbound etc have been moved OUT of the Rmerlin Forum into a stand-alone forum on their own which you won't find unless you dig up one forum level to Asus Wireless - then down again to "Asuswrt-Merlin Addons"
NOT your fault - somewhat controversial structural change made recently!

To make life easier for you here's a link ...
https://www.snbforums.com/forums/asuswrt-merlin-addons.60/

No idea why they can't simply provide a link to the sub-forum within the RMerlin one to help folks to easily navigate to the extended magic of Merlin-Ware ???
 

Swinson

Regular Contributor
I’m also looking to set up some policy rules for unbound. Does anyone already have anything available for this? Possibly a nice little one line x3mRouting command that does everything?
 

Swinson

Regular Contributor
Updated: new rules at the bottom
Okay so here is what I’ve got. You need to have x3mRouting installed and at least set up a dummy. You can then go through and configure unbound by running
Code:
unbound_manager vpn=X
Then you will need to add these lines for the vpnevent script

vpnclientX-route-up
Code:
/jffs/addons/unbound/unbound_manager.sh vpn=X delay=9 &
vpnclientX-route-pre-down
Code:
/jffs/addons/unbound/unbound_manager.sh vpn=disable
Finally I added these lines to my services-start file so anything going to port 53 will piggyback off the rules x3mRouting has set up
Code:
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
I’m still learning and figuring stuff out so if anything is wrong here feel free to let me know, but it looks like all my DNS lookups will now be forced through the VPN

(11/22/2020) edit:
Still running into a few issues. I’m working on getting it set up to run in route-up and pre-down rather than services-start because I don’t think it really belongs there and firewall-start won’t work either because I’m pretty sure putting it that early would break the boot up.

(11/23/2020) Rule update:
(1) setup WAN_DNS to go to wan0 and mark all other dns packets to go to vpn
(2) move everything into route-up/route-pre-down


/jffs/scripts/x3mRouting/vpnclientX-route-up
Code:
# WAN DNS requests to Wan0 #
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
# WAN DNS requests to Wan0 #

# Default DNS requests to VPN_Client 1 #
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
# Default DNS requests to VPN_Client 1 #

/jffs/addons/unbound/unbound_manager.sh vpn=X delay=5 &

/jffs/scripts/x3mRouting/vpnclientX-route-pre-down
Code:
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000


iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

/jffs/addons/unbound/unbound_manager.sh vpn=disable
 
Last edited:
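The 11/23/2020 rules above expand `$1` and `$2` of `wan0_dns` unconditionally, so a router with a single WAN resolver hands iptables an empty `-d /32`. The script below is an added example, not code from the thread or from x3mRouting; the function names `is_ipv4`, `valid_resolvers` and `dns_mark_rules` are hypothetical and the addresses are constructed. It prints the same mark rules for however many valid resolvers are actually present.

```sh
#!/bin/sh
# Added example, not from the thread: build the thread's DNS MARK rules
# from wan0_dns without assuming it holds exactly two resolvers.

# is_ipv4 ADDR -> status 0 only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots (digits only here)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_resolvers "LIST" -> prints the valid IPv4 entries, one per line.
valid_resolvers() {
    set -f                                     # no globbing on the nvram value
    for server in $1; do
        if is_ipv4 "$server"; then echo "$server"; fi
    done
    set +f
}

# dns_mark_rules ACTION "LIST" -> prints iptables commands, one per line.
# ACTION: A to append (route-up) or D to delete (route-pre-down).
# 0x8000 (WAN) and 0x1000 (VPN client 1) are the marks used in the thread.
dns_mark_rules() {
    case "$1" in A|D) action=$1 ;; *) return 2 ;; esac
    for server in $(valid_resolvers "$2"); do
        for proto in udp tcp; do
            echo "iptables -t mangle -$action OUTPUT -d $server/32 -p $proto --dport 53 -j MARK --set-mark 0x8000/0x8000"
        done
    done
    # Catch-all last, as in the thread: every other port-53 packet from the router.
    for proto in udp tcp; do
        echo "iptables -t mangle -$action OUTPUT -p $proto --dport 53 -j MARK --set-mark 0x1000/0x1000"
    done
}

# Dry run on a constructed value (192.0.2.0/24 is documentation space).
# On the router the list would come from: nvram get wan0_dns
# and the output would be piped to sh, D first and then A, as the thread does.
dns_mark_rules A "192.0.2.53"
```

Because MARK does not stop rule traversal, a packet to a WAN resolver ends up carrying both 0x8000 and 0x1000; which routing table it takes is decided by the ip rule priorities on the router, which this page does not show.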

Swinson

Regular Contributor
Can anyone confirm that both unbound and Merlin only use UDP on 53 for DNS lookups and don’t ever use TCP for anything?

I’m also wondering if anyone knows if it’s better to use “wan_dns” or “wan0_dns” from nvram. I’m guessing wan0 and wan1 are used to hold isp dns while wan is for user settings but I’m not really sure so if anyone can confirm that would be great.
 

dave14305

Part of the Furniture
TCP is used if the response is too large for a UDP packet. So you can’t say “never” but probably “occasionally.”

If you don’t use Dual WAN, I would just use wan0_dns.
 

Swinson

Regular Contributor
Okay I’ll definitely keep TCP rules then. I figured it might be used on occasion but I hadn’t noticed anything so I figured it was worth asking about.

So I know dual wan is a thing and I think it’s clear that wan1 would be used for the second one but wan0/wan is kind of ambiguous. I do not use dual wan and “wan_dns” as well as “wan0_dns” are both populated. Do you know how they are used when dual wan is in use? Like I said I assume wan1 would be used for dns pulled/set for your second interface but is “wan_dns” the counterpart to wan1 or is it wan0?

Let’s say your primary is “wan0_dns” and your secondary is “wan1_dns”, what is “wan_dns”? Does that represent the dns to be used when dual wan is implemented or does that represent what is set in the webUI? @RMerlin do you have any insight into the specific function of these vars?
 
Last edited:

Swinson

Regular Contributor
@dave14305 went ahead and changed it from “wan_dns” to “wan0_dns” as per your suggestion. Everything looks good after doing a couple reboots so I went ahead and updated my post to reflect the change. Thanks for the input.

I’m also seeing a handful of tcp packets from unbound but still nothing from the router. Going to keep an eye on it though
 

Kingp1n

Very Senior Member
@Swinson are you still using these rules with unbound and a VPN setup? How is it working out for you?
 

Swinson

Regular Contributor
I am. Sorry for the delayed response, I didn’t see the notification. Everything is working as expected; however, I’m still playing with the delay setting. If I get some time I am planning on trying to modify the vpnevent script to poll the connection status of the tunnel and run unbound once it’s up rather than a static delay.
 

SomeWhereOverTheRainBow

Very Senior Member
So your DNS packets appear to originate from the VPN host provider and not the WAN ISP host provider?
 

Kingp1n

Very Senior Member
Yes that is correct. The router should resolve through the DNS provided in your WAN settings and everything else should resolve through unbound with your VPNs ip
Thanks for the response. Please keep us posted if you make any changes to the delay setting. I haven't used unbound in a while so I might give a go with your instructions.

Where do you make changes from #1 (WAN_DNS to go to wan0) ?
 

Swinson

Regular Contributor
I’ve edited the original post to reflect the change already. You really just need to get the dns servers your router uses so the new rules won’t break how the router does its lookups. On my router both wan_dns and wan0_dns contain these values. I just wanted to try to make sure it works the same for anyone who just wants to copy and paste the rules.
 

Kingp1n

Very Senior Member
Appreciate the response. I'm running a fulltime VPN with unbound and I have no issues so far using the rules you posted earlier. Thanks again and keep us posted if you make any edits to the delay time.
 

Swinson

Regular Contributor
I have a small update. I spent like 30-45 minutes this morning working on a rough concept script for getting unbound set to the vpn once it’s available rather than a hard coded delay. I’ll post what I’ve thrown together below and I’d be happy to get some feedback.

**warning** I literally just did this in just a couple minutes proceed with caution and check my work. **warning**

/jffs/scripts/x3mRouting/vpnclient1-route-up.sh
Code:
sh /jffs/addons/unbound/unbound_manager.sh vpn=1 delay=25 &
Replaced with:
Code:
/jffs/scripts/unbound_tunCheck.sh &
Created /jffs/scripts/unbound_tunCheck.sh
New file needs permissions so make sure you chmod 755

Code:
#!/bin/sh

tunCheck=$(curl -sA "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" https://nordvpn.com/what-is-my-ip/  | grep -c "$(nvram get wan0_ipaddr)")

if [ $tunCheck -eq 0 ]
then
/jffs/addons/unbound/unbound_manager.sh vpn=1 delay=1 &
exit 0
fi

while [ $tunCheck -ne 0 ]
do
tunCheck=$(curl -sA "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" https://nordvpn.com/what-is-my-ip/  | grep -c "$(nvram get wan0_ipaddr)")
     if [ $tunCheck -eq 0 ]
     then
          /jffs/addons/unbound/unbound_manager.sh vpn=1 delay=1 &
          exit 0
     else
          sleep 1
     fi
done
exit 0
Probably still need to add a timeout and log an error in case it fails. Also probably should add a secondary check since the primary check is just making sure your wan ip isn’t present.
 
Last edited:

Jack Yaz

Part of the Furniture
Could you not simplify this by trying to ping an IP (say 8.8.8.8) specifying -I tun11 (or whatever) and check the return code? You'd need to specify it only sending X pings, though. Example:
Code:
ping -c1 -w1 -I tun11 8.8.8.8
 

Swinson

Regular Contributor
Ha I feel like a dummy but I did say rough concept didn’t I? So maybe something like this?

Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
sleep 5
timer=5

while [ $timer -lt 300 ]
do
        ping -c1 -w1 -I tun11 1.1.1.1
        pingCode=$?
        if [ $pingCode -eq 0 ]
        then
                /jffs/addons/unbound/unbound_manager.sh vpn=1 &
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
                iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
                logger -st "($(basename "$0"))" $$ Ending Script Execution
                exit 0
        else
                sleep 1
        fi
        timer=$((timer + 1))
done
logger -st "($(basename "$0"))" $$  Script Execution Timeout
exit 1
Edit: Added roughly a 300 second timeout

Edit 2: I moved the iptables route-up stuff into tunCheck so the setup can be done by just calling tunCheck. The pre-down iptables deletes are still in x3mRouting. I consolidated the file configuration in the spoiler below.
File modifications to existing scripts:


Add to "/jffs/scripts/x3mRouting/vpnclient1-route-up"
Code:
/jffs/scripts/unbound_tunCheck.sh &

Add to "/jffs/scripts/x3mRouting/vpnclient1-route-pre-down"
Code:
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
/jffs/addons/unbound/unbound_manager.sh vpn=disable


Create "/jffs/scripts/unbound_tunCheck.sh" and chmod 755
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
sleep 5
timer=5

while [ $timer -lt 300 ]
do
        ping -c1 -w1 -I tun11 1.1.1.1
        pingCode=$?
        if [ $pingCode -eq 0 ]
        then
                /jffs/addons/unbound/unbound_manager.sh vpn=1 &
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
                iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
                logger -st "($(basename "$0"))" $$ Ending Script Execution
                exit 0
        else
                sleep 1
        fi
        timer=$((timer + 1))
done
logger -st "($(basename "$0"))" $$  Script Execution Timeout
exit 1
 
Last edited:

Kingp1n

Very Senior Member
@Swinson, I'm getting ready to use this nifty little rule you created. How is it working for you overall? Any issues at all? Thanks!
 
