Unbound Unbound DNS VPN Client w/policy rules


Kingp1n

Very Senior Member
Everything has been working great for me. Definitely feels much snappier once the tunnel has been established but that could just be my perception.
Do you use Diversion and see ads? I also use VPN and I have "accept DNS configuration" disabled, but I'm still seeing ads. I wonder if I need to change this. The DNSFilter is set to Router inside the LAN.

Update: Disregard... I figured out what I was doing wrong. All is good! Thanks for this!
 

Swinson

Regular Contributor
Do you use Diversion and see ads? I also use VPN and I have "accept DNS configuration" disabled, but I'm still seeing ads. I wonder if I need to change this. The DNSFilter is set to Router inside the LAN.

Update: Disregard... I figured out what I was doing wrong. All is good! Thanks for this!
Glad you got it figured out. Let me know if anything else comes up.
 

Kingp1n

Very Senior Member
Glad you got it figured out. Let me know if anything else comes up.
I did have one last question: is there a way to test if it's working? I have everything set up and am just hoping I did it right! Thanks
 

Swinson

Regular Contributor
I did have one last question: is there a way to test if it's working?
I use dnsleaktest.com to make sure my VPN's IP is being used. I also have whatsmyip.com listed in x3mRouting's bypass rules so I can check that my WAN IP is being used for things that should be bypassing the VPN.
 

Kingp1n

Very Senior Member
I use dnsleaktest.com to make sure my VPN's IP is being used. I also have whatsmyip.com listed in x3mRouting's bypass rules so I can check that my WAN IP is being used for things that should be bypassing the VPN.
Can you share the x3mRouting bypass rule or a screenshot on how it looks? Thanks & sorry for the questions!

When I first go into the DNS leak test web page I see the NY IP address. When I run an "extended" DNS leak test I still see my actual device IP location. Also, whatsmyip.com shows the NY IP too. I think this is normal when using unbound, correct?
 

Swinson

Regular Contributor
Can you share the x3mRouting bypass rule? Thanks
You can run this to create a new ipset with a bypass rule for VPN client 1, so any packets that match will get marked and not go through your VPN tunnel.

Code:
x3mRouting 1 0 whatsMyIP dnsmasq=whatsmyip.com
If you already have an ipset using the dnsmasq method, you can just add the domain to that set and it will have the same effect. You just need something that will trigger a bypass and show you where your connection came from.
 

Kingp1n

Very Senior Member
Things look right to you on these screenshots?
 

Kingp1n

Very Senior Member
Thanks man. I appreciate all the help on this!
 

Swinson

Regular Contributor
Things look right to you on these screenshots?
No, that does not look right. DNS leak test should show your VPN on the main screen and during the test. Also make sure you used the same domain your browser shows you using what IS my ip. I have whats my ip in the rule I posted.

Can you run and post the output:

Code:
iptables -nvL OUTPUT -t mangle
 

Kingp1n

Very Senior Member
No, that does not look right. DNS leak test should show your VPN on the main screen and during the test. Also make sure you used the same domain your browser shows you using what IS my ip. I have whats my ip in the rule I posted.

Can you run and post the output:

Code:
iptables -nvL OUTPUT -t mangle
Got it... that's what I missed. It's all working now!
 

Kingp1n

Very Senior Member
No, that does not look right. DNS leak test should show your VPN on the main screen and during the test. Also make sure you used the same domain your browser shows you using what IS my ip. I have whats my ip in the rule I posted.

Can you run and post the output:

Code:
iptables -nvL OUTPUT -t mangle
@Swinson, I'm back at this again. I thought it was working fine, I rebooted my router and below is the output:

Code:
[email protected]:/tmp/home/root# iptables -nvL OUTPUT -t mangle
Chain OUTPUT (policy ACCEPT 1074 packets, 196K bytes)
pkts bytes target     prot opt in     out     source               destination     
  939 66923 MARK       udp  --  *      *       0.0.0.0/0            9.9.9.9              udp dpt:53 MARK or 0x8000
    2   143 MARK       udp  --  *      *       0.0.0.0/0            149.112.112.112      udp dpt:53 MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            9.9.9.9              tcp dpt:53 MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            149.112.112.112      tcp dpt:53 MARK or 0x8000
   12   750 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 MARK or 0x1000
2285  176K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 MARK or 0x1000
However, when I run DNS leak test, on the main screen I see my VPN IP; however, when I run the DNS test I see my actual WAN IP address. Any ideas what I might be doing wrong?

I also did an ipleak.net test and my IP shows the vpn IP but the DNS shows my actual location. I believe I'm doing something wrong with whatsmyIP domain?

I've created the unbound_tunCheck.sh file and copied everything you posted. I also added the other rules inside the x3mRouting folder under the route-up and route-pre-down files. I've enabled "vpn 1" inside unbound_manager advanced.

I might have to give up on this as I cannot figure this out.

I appreciate all your help though!
 

Swinson

Regular Contributor
@Swinson, I'm back at this again. I thought it was working fine, I rebooted my router and below is the output:

Code:
[email protected]:/tmp/home/root# iptables -nvL OUTPUT -t mangle
Chain OUTPUT (policy ACCEPT 1074 packets, 196K bytes)
pkts bytes target     prot opt in     out     source               destination   
  939 66923 MARK       udp  --  *      *       0.0.0.0/0            9.9.9.9              udp dpt:53 MARK or 0x8000
    2   143 MARK       udp  --  *      *       0.0.0.0/0            149.112.112.112      udp dpt:53 MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            9.9.9.9              tcp dpt:53 MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            149.112.112.112      tcp dpt:53 MARK or 0x8000
   12   750 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 MARK or 0x1000
2285  176K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 MARK or 0x1000
However, when I run DNS leak test, on the main screen I see my VPN IP; however, when I run the DNS test I see my actual WAN IP address. Any ideas what I might be doing wrong?

I also did an ipleak.net test and my IP shows the vpn IP but the DNS shows my actual location. I believe I'm doing something wrong with whatsmyIP domain?

I've created the unbound_tunCheck.sh file and copied everything you posted. I also added the other rules inside the x3mRouting folder under the route-up and route-pre-down files. I've enabled "vpn 1" inside unbound_manager advanced.

I might have to give up on this as I cannot figure this out.

I appreciate all your help though!
Hmm, that all looks right. Can you also check that x3mRouting has rules created? Run this to display your IP rules:
Code:
ip rule
 

Kingp1n

Very Senior Member
Hmm, that all looks right. Can you also check that x3mRouting has rules created? Run this to display your IP rules:
Code:
ip rule
This is what I get:

Code:
[email protected]:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
10001:    from 192.168.1.1/27 lookup main
10101:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default
I have the main router and certain devices (Xbox, Nest devices) that go thru WAN, which I don't want to go thru VPN. However, all my testing is done thru a laptop that is under the VPN.
 

Swinson

Regular Contributor
You don't need to enable the vpn 1 option in unbound as this is done in the script, but that shouldn't cause any problems.

Make sure DNS is set to router mode, to force traffic to dnsmasq.

In your guest networks and VPN configurations you can list your router's IP as the DNS server to make sure everything is going to dnsmasq.

In your WAN page, list the public DNS you want your router to use for its own internals.

The idea is to force all client traffic to dnsmasq. Then dnsmasq forwards that to unbound. Now if you are using policy rules (strict) and you have something like

192.168.1.1->wan
192.168.1.0/24->tun

You are now forcing all your LAN clients through the tunnel but bypassing for the router itself. Since unbound is running on the router, you have a rule already for that traffic saying don't use the tunnel. The first step is to tell unbound to try to use the VPN interface, but your router is going to tell it "no, all router traffic goes to a different interface". So the rules in the OUTPUT table parse all the DNS requests, i.e. everything on port 53, based on a known destination. Everything from port 53 should default to the tunnel unless it matches an IP you have in your WAN DNS settings.

I hope maybe that helps you understand my thought about how to get this to work the way I wanted.
 

Swinson

Regular Contributor
This is what I get:

Code:
[email protected]:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
10001:    from 192.168.1.1/27 lookup main
10101:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default
I have the main router and certain devices (Xbox, Nest devices) that go thru WAN, which I don't want to go thru VPN. However, all my testing is done thru a laptop that is under the VPN.
You are missing “from all fwmark 0x1000/0x1000 lookup ovpnc1”
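To make the mark-then-route logic from Swinson's explanation and this missing-rule diagnosis concrete, here is an added Python simulation (not code from the thread, x3mRouting or unbound_manager) that replays the posted `iptables -nvL OUTPUT -t mangle` and `ip rule` output and reports which routing table a port-53 packet from the router lands in, before and after the fwmark 0x1000 rule is added. It assumes the router sources its DNS traffic from 192.168.1.1 (the address the 10001 rule covers) and treats a lookup in the `local` table as a miss for external destinations.

```python
import ipaddress
# Constructed sample input, shaped like the thread's posted output (UDP rows of
# `iptables -nvL OUTPUT -t mangle`; the TCP rows behave the same and are omitted).
MANGLE = """\
  939 66923 MARK       udp  --  *      *       0.0.0.0/0            9.9.9.9              udp dpt:53 MARK or 0x8000
    2   143 MARK       udp  --  *      *       0.0.0.0/0            149.112.112.112      udp dpt:53 MARK or 0x8000
 2285  176K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 MARK or 0x1000
"""
# `ip rule` as posted before the fix (no 0x1000 rule) and after it (priority 9995 added).
RULES_BEFORE = """\
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
10001:    from 192.168.1.1/27 lookup main
10101:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
"""
RULES_AFTER = RULES_BEFORE.replace("10001:", "9995:    from all fwmark 0x1000/0x1000 lookup ovpnc1\n10001:")

def parse_mangle(text):
    """MARK rules as (proto, dst_net, dport, mark). MARK --or-mark is non-terminating."""
    out = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) >= 14 and t[2] == "MARK" and t[10].startswith("dpt:"):
            out.append((t[3], ipaddress.ip_network(t[8]), int(t[10][4:]), int(t[13], 16)))
    return out

def parse_ip_rules(text):
    """Policy rules as (prio, src_net|None, (mark, mask)|None, table) in priority order."""
    out = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) >= 5 and t[1] == "from" and t[-2] == "lookup":
            src = None if t[2] == "all" else ipaddress.ip_network(t[2], strict=False)
            fw = tuple(int(x, 16) for x in t[4].split("/")) if "fwmark" in t else None
            out.append((int(t[0].rstrip(":")), src, fw, t[-1]))
    return sorted(out, key=lambda r: r[0])

def dns_egress_table(mangle_text, rules_text, dst, src="192.168.1.1", proto="udp"):
    """Routing table a port-53 packet from the router ends up in (assumed src = LAN IP)."""
    d, s = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    mark = 0
    for p, net, dport, m in parse_mangle(mangle_text):
        if p == proto and dport == 53 and d in net:
            mark |= m                      # every matching MARK rule ORs its bit in
    for prio, net, fw, table in parse_ip_rules(rules_text):
        src_ok = net is None or s in net
        mark_ok = fw is None or (mark & fw[1]) == fw[0]
        if table != "local" and src_ok and mark_ok:   # local table has no route to external hosts
            return table                   # first matching rule wins
    return "default"
```

Running it shows the leak: without the 9995 rule a query to any resolver other than the two WAN DNS servers falls through to the `from 192.168.1.1/27 lookup main` rule and exits the WAN, while the WAN DNS servers (marked 0x9000) correctly stay on `main` either way.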
 

Kingp1n

Very Senior Member
Try running this and then run ip rule again
x3mRouting ALL 1 dummy dnsmasq=dummy.me
Problem SOLVED!!!

I went to unbound_manager and switched "vpn 1" back to WAN using "bind".

But running the rule:

Code:
x3mRouting ALL 1 dummy dnsmasq=dummy.me
Now shows dnsleak & ipleak tests both IP & DNS as my VPN ip.

IP rule:
Code:
[email protected]:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
9995:    from all fwmark 0x1000/0x1000 lookup ovpnc1
10001:    from 192.168.1.1/27 lookup main
10101:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default
Thanks a lot for taking the time and helping me out on this!!! I owe you a beer!
 
