Unbound Unbound DNS VPN Client w/policy rules

[chongnt]

I've tried this setup but with only one VPN and ads still get through. Most ads are blocked so it does appear to work until you visit an ad heavy site.

You don't get any ads for any devices set not to use a VPN when you visit this site then: https://canyoublockit.com/extreme-test/?

The banner ads part of the test is where most of the ads come through.

Also remember some browsers have extensions/built in ad blocking that could make it appear to be working.

Screenshot examples:
Device set to WAN:
View attachment 35685

Device set to VPN:
View attachment 35686

Actually I don't use that link. I think it has some ads that is not able to be block by diversion natively. Instead I think something simple and straightforward is easier to tell if diversion adblock is working of not, https://ads-blocker.com/testing/

Ok, I just tested the link on device routed to ovpn 1 (nordvpn). Then I disable the device in VPN Director to make it route through WAN. I get the same result as yours. In both scenario, I was looking at the diversion log, and don't see blocking trace. Can you try disable diversion and re-do the test? I suspect the adblock we see via VPN is not related to diversion.

 

[Vertron]

Actually I don't use that link. I think it has some ads that is not able to be block by diversion natively. Instead I think something simple and straightforward is easier to tell if diversion adblock is working of not, https://ads-blocker.com/testing/

Ok, I just tested the link on device routed to ovpn 1 (nordvpn). Then I disable the device in VPN Director to make it route through WAN. I get the same result as yours. In both scenario, I was looking at the diversion log, and don't see blocking trace. Can you try disable diversion and re-do the test? I suspect the adblock we see via VPN is not related to diversion.

I disabled diversion and using my site first, all ads are equally coming through when the device is set to the VPN or WAN. Ads are showing on that site you linked for both too.

I enabled Diversion and it's back to normal, all ads blocked by VPN, not all by WAN.
The ads on that site you linked is now blocked by both WAN and VPN. Diversion appears to be mostly working even if not showing in the logs.

 

[Vertron]

This conversation continued on another thread, just letting people know here that this issue was fixed by using a medium block list in Diversion and adding https://v.firebog.net/hosts/AdguardDNS.txt as a host file.

 

[Vertron]

I had to turn my router off the other day in order to move it and somehow all my installed addons became corrupt despite safety removing the swap file sd card first.

I reinstalled everything and set this script back up by following my guide on page 10, but I'm now getting an issue I previously had again (I originally updated the guide to prevent this issue). The script isn't starting automatically when the router is rebooted anymore. It's showing my ISP IP as the DNS instead of the VPN IP when doing a DNS leak test. I have to manually stop and start the VPN to get the script running.

I've tried deleting the route up/down, nat-start files and ran these 2 commands below to recreate and populate the files but still showing ISP DNS after a reboot.

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

I even did the optional step 6 in the guide, that should restart the VPN after a reboot but no luck there either.

 

[Kingp1n]

I had to turn my router off the other day in order to move it and somehow all my installed addons became corrupt despite safety removing the swap file sd card first.

I reinstalled everything and set this script back up by following my guide on page 10, but I'm now getting an issue I previously had again (I originally updated the guide to prevent this issue). The script isn't starting automatically when the router is rebooted anymore. It's showing my ISP IP as the DNS instead of the VPN IP when doing a DNS leak test. I have to manually stop and start the VPN to get the script running.

I've tried deleting the route up/down, nat-start files and ran these 2 commands below to recreate and populate the files but still showing ISP DNS after a reboot.

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

I even did the optional step 6 in the guide, that should restart the VPN after a reboot but no luck there either.

Ensure unbound has restarted as well thru amtm. Other than that, im out of solutions.

You might have to wipe your USB clean and setup again.

 

[L&LD]

SD card? That may be your issue(s) right there?

 

[Vertron]

Ensure unbound has restarted as well thru amtm. Other than that, im out of solutions.

You might have to wipe your USB clean and setup again.

I've uninstalled every addon and deleted every trace, formatted the sd card and reinstalled everything from scratch. Still got the same issue.

I got it working in the end by using a workaround shown below, I'll add it to the guide.

Add the following line to "/jffs/scripts/services-start":

sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start &

 

[L&LD]

Where is the guide?

I still believe the issue is the SD card.

Why are you not using an SSD or at the very least, a USB drive?

 

[Vertron]

Where is the guide?

I still believe the issue is the SD card.

Why are you not using an SSD or at the very least, a USB drive?

It's near the bottom of page 10 on this thread.

I highly doubt it's the SD card, it worked perfectly fine before until I turned the router off.

It's a high endurance micro SD card in a USB reader, it is basically a USB drive, but will last longer.

 

[L&LD]

And yet, all indications are it's the SD card that no one else is using in their networks (and don't need that workaround).

 

[Vertron]

And yet, all indications are it's the SD card that no one else is using in their networks (and don't need that workaround).

Someone recommended it in an older thread. I didn't need the workaround before either, it's not the SD card.

 

[L&LD]

The better and more current recommendation is a cheap and cheerful SSD in an equally c&c enclosure (such as the uGreen products).

 

[Vertron]

The better and more current recommendation is a cheap and cheerful SSD in an equally c&c enclosure (such as the uGreen products).

Cheers, I'll upgrade to one when this eventually fails.

 

[Vertron]

I'm still getting issues unfortunately. It seems to randomly switch to the ISP DNS every now and then, I've been unable to identify the exact cause. It'll stay on VPN IP for 2 days solid then it'll automatically switch the the ISP DNS twice within an hour after manually restarting the script.

Has anyone else had this issue?

 

[dave14305]

I'm still getting issues unfortunately. It seems to randomly switch to the ISP DNS every now and then, I've been unable to identify the exact cause. It'll stay on VPN IP for 2 days solid then it'll automatically switch the the ISP DNS twice within an hour after manually restarting the script.

Has anyone else had this issue?

Is it truly your ISP DNS, or is it showing your real WAN IP that also belongs to your ISP? Under normal usage, Unbound will show your WAN IP as the DNS server in a DNS leak test.

 

[Vertron]

Is it truly your ISP DNS, or is it showing your real WAN IP that also belongs to your ISP? Under normal usage, Unbound will show your WAN IP as the DNS server in a DNS leak test.

I believe it is my WAN IP. This script changes it to the VPN IP however when doing a DNS leak test.

 

[Vertron]

I would be very grateful if someone whoes setup is working properly could compare my scripts to their own to help identify the issue, please let me know if there's anything that doesn't look right.

It currently doesn't show the VPN IP as my DNS after the router is rebooted, so there's obviously an issue somewhere. I currently have a workaround in the "services-start" file to start "unbound_via_vc1.sh".

Here are almost all of my scripts:

dnsmasq.postconf

#!/bin/sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion
sh /jffs/addons/unbound/unbound.postconf "$1"        # unbound_manager

firewall-start

#!/bin/sh

sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/MicroSD/skynet # Skynet

init-start

#!/bin/sh
sh /jffs/addons/unbound/stuning start            # unbound_manager
modprobe xt_comment

nat-start

#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

openvpn-event

#!/bin/sh
[ -s /jffs/scripts/x3mRouting/openvpn-event ] && sh /jffs/scripts/x3mRouting/openvpn-event $@

post-mount

#!/bin/sh
swapon /tmp/mnt/MicroSD/myswap.swp # Added by amtm
. /jffs/addons/diversion/mount-entware.div # Added by Diversion
/jffs/addons/unbound/unbound_stats.sh startup "$@" & # Unbound_Stats.sh

service-event

#!/bin/sh
[ "$2" = diversion ] && sh /opt/share/diversion/webui/process.div "$1" & # Added by Diversion
if [ "$1" = "start" ] && [ "$2" = "SkynetStats" ]; then sh /jffs/scripts/firewall debug genstats; fi # Skynet
/jffs/addons/unbound/unbound_stats.sh generate "$1" "$2" & # Unbound_Stats.sh

services-start

#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start & # My reboot workaround fix

services-stop

#!/bin/sh
/opt/etc/init.d/rc.unslung stop # Added by Diversion
sh /jffs/scripts/firewall save # Skynet

unmount

#!/bin/sh
[ "$(/usr/bin/find $1/entware/bin/diversion 2> /dev/null)" ] && diversion unmount # Added by Diversion
swapoff -a 2>/dev/null # Skynet

x3mRouting / vpnclient1-route-pre-down

#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
/jffs/scripts/unbound_via_vc1.sh stop &

x3mRouting / vpnclient1-route-up

#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000
/jffs/scripts/unbound_via_vc1.sh start &

Update:
Reboot issue is sorted, reinstalled Unbound and this time the following was added to "services-start":

#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

It now survives a reboot, going to add this to the guide. No idea why it didn't add this line the previous times I reinstalled Unbound. I'll keep an eye on it and hopefully it will maintain the VPN IP.

 

[Kingp1n]

I would be very grateful if someone whoes setup is working properly could compare my scripts to their own to help identify the issue, please let me know if there's anything that doesn't look right.

It currently doesn't show the VPN IP as my DNS after the router is rebooted, so there's obviously an issue somewhere. I currently have a workaround in the "services-start" file to start "unbound_via_vc1.sh".

Here are almost all of my scripts:

dnsmasq.postconf

#!/bin/sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion
sh /jffs/addons/unbound/unbound.postconf "$1"        # unbound_manager

firewall-start

#!/bin/sh

sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/MicroSD/skynet # Skynet

init-start

#!/bin/sh
sh /jffs/addons/unbound/stuning start            # unbound_manager
modprobe xt_comment

nat-start

#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

openvpn-event

#!/bin/sh
[ -s /jffs/scripts/x3mRouting/openvpn-event ] && sh /jffs/scripts/x3mRouting/openvpn-event $@

post-mount

#!/bin/sh
swapon /tmp/mnt/MicroSD/myswap.swp # Added by amtm
. /jffs/addons/diversion/mount-entware.div # Added by Diversion
/jffs/addons/unbound/unbound_stats.sh startup "$@" & # Unbound_Stats.sh

service-event

#!/bin/sh
[ "$2" = diversion ] && sh /opt/share/diversion/webui/process.div "$1" & # Added by Diversion
if [ "$1" = "start" ] && [ "$2" = "SkynetStats" ]; then sh /jffs/scripts/firewall debug genstats; fi # Skynet
/jffs/addons/unbound/unbound_stats.sh generate "$1" "$2" & # Unbound_Stats.sh

services-start

#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start & # My reboot workaround fix

services-stop

#!/bin/sh
/opt/etc/init.d/rc.unslung stop # Added by Diversion
sh /jffs/scripts/firewall save # Skynet

unmount

#!/bin/sh
[ "$(/usr/bin/find $1/entware/bin/diversion 2> /dev/null)" ] && diversion unmount # Added by Diversion
swapoff -a 2>/dev/null # Skynet

x3mRouting / vpnclient1-route-pre-down

#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
/jffs/scripts/unbound_via_vc1.sh stop &

x3mRouting / vpnclient1-route-up

#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000
/jffs/scripts/unbound_via_vc1.sh start &

Update:
Reboot issue is sorted, reinstalled Unbound and this time the following was added to "services-start":

#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

It now survives a reboot, going to add this to the guide. No idea why it didn't add this line the previous times I reinstalled Unbound. I'll keep an eye on it and hopefully it will maintain the VPN IP.

No issues here...do have something setup where the router does an automatic retart? Or running any speed test?

I noticed if I restart the router it will mess it up sometimes but I go under scmerlin and restart VPN1. I'm not sure what else it can be.

 

[Vertron]

No issues here...do have something setup where the router does an automatic retart? Or running any speed test?

I noticed if I restart the router it will mess it up sometimes but I go under scmerlin and restart VPN1. I'm not sure what else it can be.

Thanks for getting back to me, see the end of my previous post, I think it's sorted now. I had an error that forced me to reinstall Entware and Unbound, that added an additional line to the service-start file I was missing before. It now survives a reboot and fingers crossed will keep using the VPN IP.

Update:
It's been 5 days and it's still maintaining the VPN IP. It's safe to say this is now fixed.

 

[chongnt]

I would be very grateful if someone whoes setup is working properly could compare my scripts to their own to help identify the issue, please let me know if there's anything that doesn't look right.

It currently doesn't show the VPN IP as my DNS after the router is rebooted, so there's obviously an issue somewhere. I currently have a workaround in the "services-start" file to start "unbound_via_vc1.sh".

Here are almost all of my scripts:

dnsmasq.postconf

#!/bin/sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion
sh /jffs/addons/unbound/unbound.postconf "$1"        # unbound_manager

firewall-start

#!/bin/sh

sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/MicroSD/skynet # Skynet

init-start

#!/bin/sh
sh /jffs/addons/unbound/stuning start            # unbound_manager
modprobe xt_comment

nat-start

#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

openvpn-event

#!/bin/sh
[ -s /jffs/scripts/x3mRouting/openvpn-event ] && sh /jffs/scripts/x3mRouting/openvpn-event $@

post-mount

#!/bin/sh
swapon /tmp/mnt/MicroSD/myswap.swp # Added by amtm
. /jffs/addons/diversion/mount-entware.div # Added by Diversion
/jffs/addons/unbound/unbound_stats.sh startup "$@" & # Unbound_Stats.sh

service-event

#!/bin/sh
[ "$2" = diversion ] && sh /opt/share/diversion/webui/process.div "$1" & # Added by Diversion
if [ "$1" = "start" ] && [ "$2" = "SkynetStats" ]; then sh /jffs/scripts/firewall debug genstats; fi # Skynet
/jffs/addons/unbound/unbound_stats.sh generate "$1" "$2" & # Unbound_Stats.sh

services-start

#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start & # My reboot workaround fix

services-stop

#!/bin/sh
/opt/etc/init.d/rc.unslung stop # Added by Diversion
sh /jffs/scripts/firewall save # Skynet

unmount

#!/bin/sh
[ "$(/usr/bin/find $1/entware/bin/diversion 2> /dev/null)" ] && diversion unmount # Added by Diversion
swapoff -a 2>/dev/null # Skynet

x3mRouting / vpnclient1-route-pre-down

#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
/jffs/scripts/unbound_via_vc1.sh stop &

x3mRouting / vpnclient1-route-up

#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000
/jffs/scripts/unbound_via_vc1.sh start &

Update:
Reboot issue is sorted, reinstalled Unbound and this time the following was added to "services-start":

#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

It now survives a reboot, going to add this to the guide. No idea why it didn't add this line the previous times I reinstalled Unbound. I'll keep an eye on it and hopefully it will maintain the VPN IP.

Glad it works now. I am not sure if the two lines in nat-start are still required. I have commented it and see no difference. Everything is working after reboot. But then I think there is no harm with that two lines in nat-start.