Unbound Unbound DNS VPN Client w/policy rules

  • Thread starter Deleted member 62525

I put everything in functions and made a few little tweaks. I still need to add comments and incorporate a couple of checks to make sure the user has everything configured/installed as expected.

User configuration:
Unbound - running as system resolver
x3mRouting - installed (must have rules to make fwmark 0x8000 and 0x1000)
DNS lookups - forced to default gateway
DNS in WAN tab - public DNS server
DNS in LAN tab - not set/default gateway
VPN client 1 - set up and running

Add the following line to “/jffs/scripts/x3mRouting/vpnclient1-route-up”
Code:
/jffs/scripts/unbound_via_vc1.sh start &

Add the following line to “/jffs/scripts/x3mRouting/vpnclient1-route-pre-down”
Code:
/jffs/scripts/unbound_via_vc1.sh stop &

Create “unbound_via_vc1.sh” in “/jffs/scripts”, paste the code below and chmod 755
Code:
#!/bin/sh
# unbound_via_vc1.sh - send Unbound's upstream DNS queries through VPN client 1 (tun11).
# Called with "start" from vpnclient1-route-up and "stop" from vpnclient1-route-pre-down.
# Relies on the x3mRouting ip rules for fwmark 0x8000/0x8000 (WAN) and 0x1000/0x1000 (VPN client 1).

# Succeeds once tun11 can actually pass traffic.
Check_Tun11_Con() {
        ping -c1 -w1 -I tun11 1.1.1.1 >/dev/null 2>&1
}

# Queries to the WAN DNS servers (the router's own lookups) stay on the WAN (0x8000);
# every other port 53 packet the router sends (Unbound's upstream queries) goes to VPN client 1 (0x1000).
Delete_Rules() {
        iptables -t mangle -D OUTPUT -d "$wan0_dns0"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000 2>/dev/null
        iptables -t mangle -D OUTPUT -d "$wan0_dns1"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000 2>/dev/null
        iptables -t mangle -D OUTPUT -d "$wan0_dns0"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000 2>/dev/null
        iptables -t mangle -D OUTPUT -d "$wan0_dns1"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000 2>/dev/null
        iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000 2>/dev/null
        iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000 2>/dev/null
}

Add_Rules() {
        iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
}

Unbound_vc1() {
        Add_Rules
        /jffs/addons/unbound/unbound_manager.sh vpn=1 &
        logger -st "($(basename "$0"))" $$ "Ending Script Execution"
}

Unbound_vpnDisable() {
        Delete_Rules
        /jffs/addons/unbound/unbound_manager.sh vpn=disable &
        logger -st "($(basename "$0"))" $$ "Ending Script Execution"
}

# Wait (up to about 300 s) for tun11 to come up before switching Unbound over.
Poll_Tun11() {
        Delete_Rules
        sleep 5
        timer=5
        while [ "$timer" -lt 300 ]; do
                if Check_Tun11_Con; then
                        Unbound_vc1
                        exit 0
                fi
                sleep 1
                timer=$((timer + 1))
        done
        logger -st "($(basename "$0"))" $$ "Script Execution Timeout"
        exit 3
}

if [ -z "$1" ]; then
        logger -st "($(basename "$0"))" $$ "Script Arg Missing"
        exit 1
fi

logger -st "($(basename "$0"))" $$ "Starting Script Execution"
# Read the WAN DNS servers once; if only one is set, use it for both slots.
wan0_dns0="$(nvram get wan0_dns | awk '{print $1}')"
wan0_dns1="$(nvram get wan0_dns | awk '{print $2}')"
if [ -z "$wan0_dns0" ] && [ -z "$wan0_dns1" ]; then
        logger -st "($(basename "$0"))" $$ "wan0_dns is NULL"
        exit 2
elif [ -z "$wan0_dns1" ]; then
        wan0_dns1="$wan0_dns0"
elif [ -z "$wan0_dns0" ]; then
        wan0_dns0="$wan0_dns1"
fi

case "$1" in
        start)
                Poll_Tun11
                ;;
        stop)
                Unbound_vpnDisable
                exit 0
                ;;
        *)
                logger -st "($(basename "$0"))" $$ "Script Arg Invalid"
                exit 1
                ;;
esac

@Kingp1n if you want to update yours you can just update the script you have with the new code in this post. No major changes though, so you don’t need to mess with it unless you want to. To update, just replace everything in the main file with the updated code and then in the route-up file add the word “start” in between the script name and the ampersand. So the line would look something like this.

“/xx/xx/scriptName.sh start &”



You can keep route-pre-down the same, or you can replace all the lines I had you add with one line. Instead of having the 6 iptables rule lines and the unbound vpn=disable line you can just put
“/xx/xx/scriptName.sh stop &”
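The post above says checks for the "User configuration" list are still to be written. The following is an added pre-flight script, written for this page and not part of the thread's unbound_via_vc1.sh, that checks those preconditions before the main script is allowed to run. The marks (0x8000/0x8000 for the WAN, 0x1000/0x1000 for VPN client 1), the tun11 interface and the unbound_manager.sh path come from the post; the helper names, the "check" argument and the sample `ip rule show` dump are assumptions of mine.

```shell
#!/bin/sh
# Added example, not the thread's script: pre-flight checks for the setup the
# post lists as required. Helper names, the "check" argument and the sample
# rule dump are mine; marks, interface and unbound_manager path are the thread's.

UNBOUND_MGR=/jffs/addons/unbound/unbound_manager.sh
VC1_IF=tun11

# Constructed sample of what "ip rule show" prints once the two x3mRouting
# commands from the thread have run (rule priorities are illustrative).
SAMPLE_IP_RULES='0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main'

# Read an "ip rule show" dump on stdin; succeed only if both x3mRouting fwmark
# rules are present (with or without the /mask suffix).
have_fwmark_rules() {
        rules="$(cat)"
        printf '%s\n' "$rules" | grep -Eq 'fwmark 0x8000(/| |$)' || return 1
        printf '%s\n' "$rules" | grep -Eq 'fwmark 0x1000(/| |$)' || return 1
}

# Run the parser over the constructed sample (no router needed).
sample_rules_ok() {
        printf '%s\n' "$SAMPLE_IP_RULES" | have_fwmark_rules
}

# Normalise the nvram wan0_dns pair the way the thread's script does: copy the
# populated slot into an empty one, fail if neither is set. Prints "dns0 dns1".
normalise_wan_dns() {
        d0="$1"; d1="$2"
        [ -n "$d0" ] || d0="$d1"
        [ -n "$d1" ] || d1="$d0"
        [ -n "$d0" ] || return 1
        printf '%s %s\n' "$d0" "$d1"
}

# Run every check against the live router; log each failure; non-zero if any failed.
preflight() {
        rc=0
        ip rule show | have_fwmark_rules || { logger -st preflight "x3mRouting fwmark rules missing"; rc=1; }
        [ -x "$UNBOUND_MGR" ] || { logger -st preflight "$UNBOUND_MGR not found"; rc=1; }
        [ -d "/sys/class/net/$VC1_IF" ] || { logger -st preflight "$VC1_IF is not up"; rc=1; }
        # shellcheck disable=SC2046   # splitting the nvram value into two args is intended
        normalise_wan_dns $(nvram get wan0_dns) >/dev/null || { logger -st preflight "wan0_dns is empty"; rc=1; }
        return "$rc"
}

# Only touch the router when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "check" ]; then
        preflight
fi
```

Run it as `sh preflight.sh check` from the route-up hook before calling the main script, and skip the main script when it returns non-zero; each failed precondition is then in syslog instead of showing up later as a silent DNS leak.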
 
Thanks for the update. Everything is currently working as intended with the older rules setup. Do the new rules add any benefits to the script, or does it work the same way? I can try to update; I just don't want to mess anything up, but if it will improve anything I'm willing to update.

The new rules seem a lot cleaner. Thanks again. Knowing me...I'll probably end up updating it haha
 
I changed the way a couple of values are used. For example, the wan0_dns nvram variable is called once and stored rather than wrapping the call in each of the iptables commands.

I also made it so that if only one of the two wan0_dns fields is populated it will copy the valid field into the empty one, and if they are both empty the script will exit and log an error.

Lastly, I added the ability for it to accept arguments, which should make it easy for me to add options in the future like automated setup and updating.

Everything is functionally the same; I'm just converting what was more of a proof of concept/test run into something I can maintain and someone else can read. :p
 
Everything working as expected. I had to restart the router a couple of times for the new rules to take effect. Thanks a lot for this. Keep us posted if you make any other updates in the future!!!!
 
@Swinson and @Kingp1n

As a quiet reader, I say thanks for your work here. Awesome!!

Could you add some screenshots of the configuration you made?
I guess I have the same configuration, with the NordVPN client connected and unbound running, but the DNS leak test is still showing my real IP.

What I got working is my mobile phone connecting via VPN into my ASUS Merlin, using the router's NordVPN connection and unbound at the same time.
 
Are you using the X3mRouting script available thru amtm as well?
 
To get Unbound to resolve via VPN client 1 you need to create the script in /jffs/scripts/ and add the calls in /jffs/scripts/x3mRouting/vpnclient1-route-up and /jffs/scripts/x3mRouting/vpnclient1-route-pre-down. All that stuff is listed a couple of posts back. I piggybacked the script off of the ip rules that are made by Xentrk’s script x3mRouting, so that needs to be installed and have at least two rules in this format:
Code:
x3mRouting 1 0 VPN_IP dnsmasq=whatsmyip.com
x3mRouting ALL 1 WAN_IP dnsmasq=whatismyip.com

The domains in each rule are arbitrary, but they let you check that x3mRouting has set up its rules properly. The first domain should show your VPN’s IP and the second domain will show your WAN IP. Once those two x3mRouting commands run, the rules will be created automatically on boot and the script can function.

I can try to get you some screenshots tomorrow morning, but I am also hoping I’ll get some time this weekend to write a setup function to automate the whole install, which should make this a whole lot easier.

edit: xentrk, sorry, didn’t mean to ping you with a tag. Just trying to look up your name and neglected to remove the [at]
 
I reset my router some days ago and tried the config explained here with x3mRouting, unbound and OpenVPN (hiding my local DNS IP).

It didn't work for me, so I switched back to my old config without x3mRouting.

I edited unbound.conf and firewall-start to get my VPN client (mobile) working with the OpenVPN connection and unbound at the same time.

A manual would be awesome; I guess I am not the only one interested in using your configs.
 
@Swinson, the rule you're using above for "VPN_IP", I did have a question on it. Every time I restart the router, my VPN IP normally changes. Does that mean I have to re-run this rule with the new VPN_IP once the router boots up? For example:

"x3mRouting 1 0 "VPN_IP" dnsmasq=whatsmyip.com" - do I need to replace the "VPN_IP" with the domain that shows in whatsmyip.com every time it changes?
 
No, sorry for the confusion; that’s just the name of the ipset, you can call it whatever. The important parts are the “x3mRouting 1 0” and “x3mRouting ALL 1” bits of the commands. That’s what creates the proper rules. The name can be whatever, and you do need to list something for the dnsmasq method, but it will not affect this script, so I just used whatsmyip as an example because it provides a bit of utility.

And don’t worry about your IP changing; this works off of the OpenVPN client interface.
 
Ok....thanks a lot. The same applies for the "WAN_IP" rule, correct, or does this one need to have the actual WAN IP domain? Sorry, my slow self lol.. Thanks again!
 
Yep, same deal. wan_ip and vpn_ip are strictly names. And the domain names can be whatever, but if you list a domain name (web address) in the wan_ip rule it’s going to connect through your WAN and not your VPN, and the same goes for the vpn_ip. You can list multiple domains separated by commas if you want to force websites to a particular interface. Refer to the x3mRouting documentation for more details, as this is the purpose of that script.
 
If I run these 2 rules above, do I still need to run the rule below as well?

"x3mRouting ALL 1 dummy dnsmasq=dummy.me"

That was my last question for the day! Appreciate your patience.

UPDATE: Disregard, it's similar to running the "WAN_IP" one haha since the name can be anything!!! Thanks a lot man!!!
 
If everything is working for you, all the rules have been set up and you don’t need any extra commands. Running additional x3mRouting commands won’t cause problems, but I believe duplicating domains is a no-no, so if you have run something with a rule for Netflix.com you can’t use Netflix.com again because it will cause conflicts.
 
@Swinson, I wanted to inquire if you have similar issues when changing the WAN DNS servers from, say, Cloudflare to Quad9 or vice versa, or even running a speedtest from within the Adaptive QoS tab. It seems the OpenVPN client resets and it starts to show my real IP address when running the DNS leak test. Once I reset the router everything is back to normal again, where the IP and the DNS show my VPN IP.

At this time, if I run a speedtest or change my DNS servers inside WAN, after the update refreshes my real IP is showing when I do a DNS leak test. Any idea how I may be able to fix this, or is a reboot the only way to get the VPN IP to show again?

Thanks again for your assistance!
 
Whoops. That’s happening because the iptables delete rules are referencing the nvram values, so when you change them the rules do not get removed as they should. I will write a small patch today to address that issue. In the meantime, as you stated, rebooting will remove the old rules and only use the newest WAN DNS setting.
 
Thanks for the info. Looking forward for the small update. I really like using your script/rule in combination with unbound.
 
No problem. I’m also quite happy with it. Nothing hard or complicated about it, but it gets the job done so unbound can work like I want it to.

Just a quick update. I didn’t get a chance to look at it yesterday, but I’m hoping to pull up the iptables man page during lunch today to see if there is any way I can tag rules upon creation and then delete them just based on a tag rather than matching a rule exactly. If anyone already knows how to do this I’m happy to take some input, but worst case I’ll just save them to a file so the delete rules can work with old WAN DNS values.
 
Tag each rule with a comment

e.g. as used in my QuotaMonitor.sh script, each rule is tagged by the actual host name
Code:
# $TABLE_IN, $WAN_IF, $IP and $HOSTNAME are set by the surrounding script;
# the case variable name ($ACTION) is only assumed here to make the fragment complete.
case "$ACTION" in
del)
    iptables -D $TABLE_IN  -i        $WAN_IF -o br0 -d $IP -m comment --comment "$HOSTNAME" 2>/dev/null
    ;;
add)
   # -C only checks whether an identical rule exists (exit code 1 = not found); add it then
   iptables -C $TABLE_IN  -i        $WAN_IF -o br0 -d $IP -m comment --comment "$HOSTNAME" 2>/dev/null
   if [ $? -eq 1 ];then
      iptables -A $TABLE_IN  -i        $WAN_IF -o br0 -d $IP -m comment --comment "$HOSTNAME"
   fi
   ;;
esac
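Putting the two posts together (the "Whoops" post, where the `-D` rules are built from the current nvram value and so miss rules that were added under an older WAN DNS setting, and the comment-tag suggestion just above), here is an added example of the thread's mark rules managed by tag. It is my own code for this page, not Swinson's unbound_via_vc1.sh and not Martineau's QuotaMonitor.sh. Rules are created with `-m comment --comment TAG`; `stop` then reads `iptables -S`, turns every tagged `-A` line into a `-D` line and runs it, so the delete no longer depends on what wan0_dns says now. The marks, ports and unbound_manager.sh calls are the thread's; the tag string, the helper names and the sample rule dump in the comments are assumptions of mine.

```shell
#!/bin/sh
# Added example (mine; not the thread's unbound_via_vc1.sh, not QuotaMonitor.sh):
# the thread's DNS mark rules managed by comment tag. "stop" deletes whatever
# carries the tag from a live "iptables -S" dump, so it no longer matters that
# nvram wan0_dns has changed since the rules were added.
# Assumed/hypothetical: the tag string and the helper names.

TAG=unbound_via_vc1   # letters, digits, _ and - only: iptables -S prints such a tag unquoted

# Read an "iptables -S" dump on stdin; print a "-D ..." line for each rule that
# carries our tag, leaving untagged rules (e.g. x3mRouting's own) alone.
# A tag that iptables printed in quotes is unquoted so the line round-trips.
# Constructed sample of one input line, as a router would print it:
#   -A OUTPUT -d 1.1.1.1/32 -p udp -m comment --comment unbound_via_vc1 -m udp --dport 53 -j MARK --set-xmark 0x8000/0x8000
tagged_deletes() {
        grep -E -- "--comment \"?$TAG\"?( |\$)" |
                sed -e 's/^-A /-D /' -e "s/\"$TAG\"/$TAG/"
}

# Delete every tagged rule currently in mangle/OUTPUT, whatever addresses it has.
delete_tagged() {
        iptables -t mangle -S OUTPUT | tagged_deletes | while read -r rule; do
                # shellcheck disable=SC2086   # word-splitting the saved rule back into args is intended
                iptables -t mangle $rule
        done
}

# Append a tagged rule to mangle/OUTPUT unless an identical one already exists
# (-C checks without changing anything), so repeated "start" runs add no duplicates.
add_once() {
        chain="$1"; shift
        iptables -t mangle -C "$chain" -m comment --comment "$TAG" "$@" 2>/dev/null ||
                iptables -t mangle -A "$chain" -m comment --comment "$TAG" "$@"
}

# $1/$2: the WAN DNS servers from nvram wan0_dns; an empty slot is skipped.
add_dns_marks() {
        for dst in "$1" "$2"; do
                [ -n "$dst" ] || continue
                for proto in udp tcp; do
                        # the router's own lookups to the WAN DNS servers stay on the WAN (x3mRouting 0x8000 rule)
                        add_once OUTPUT -d "$dst/32" -p "$proto" --dport 53 -j MARK --set-mark 0x8000/0x8000
                done
        done
        for proto in udp tcp; do
                # every other port 53 packet the router sends (Unbound's upstream queries) goes to VPN client 1
                add_once OUTPUT -p "$proto" --dport 53 -j MARK --set-mark 0x1000/0x1000
        done
}

case "${1:-}" in
        start)
                delete_tagged                      # clears rules left by an earlier run, old DNS values included
                # shellcheck disable=SC2046         # splitting the nvram value into two args is intended
                add_dns_marks $(nvram get wan0_dns)
                /jffs/addons/unbound/unbound_manager.sh vpn=1 &
                ;;
        stop)
                delete_tagged
                /jffs/addons/unbound/unbound_manager.sh vpn=disable &
                ;;
esac
```

Only the rule-management part is shown; the tun11 polling from the original script would wrap the `start` branch unchanged. Because `-C` is used before `-A`, the case where wan0_dns0 and wan0_dns1 hold the same server no longer produces duplicate rules either.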
 
I've noticed the last couple of days that a router reboot doesn't load the VPN IP anymore when checking it under whatsmyip.com. It actually shows my real WAN IP.

What's curious is that the dnsleak & ipleak tests show my VPN IP (both IP & DNS match) correctly.

I tried to delete cache/cookies in Chrome without luck. I wonder why whatsmyip.com keeps reflecting my real IP and the 2 other sites show the VPN IP.

Any ideas? Can anyone assist? Thanks!
 