Unbound Unbound DNS VPN Client w/policy rules

  • Thread starter Deleted member 62525

Ohh I wonder if moving the x3mRouting commands to run when the tunnel resets would fix that. @Xentrk can you advise on how the ip rules are created and removed?

Edit: I need to look at what vpnmgr does to reset the connection because it kind of seems like maybe the vpntunnel is reset followed by a firewall reset or maybe something nat-start isn’t rerun that should be.
What x3mRouting option are you using? You shouldn't have had to add that line. x3mRouting will add it for you. x3mRouting should also reapply the rules after a firewall-start. There is a similar line in the route-down file to remove the rule when the VPN is turned off. Try reinstalling the option to make sure you have the latest code. Note that x3mRouting places the route-up and route-down files in /jffs/scripts/x3mRouting.
 
x3mRouting ALL 1 xx dnsmasq=xx
x3mRouting 1 0 xxx dnsmasq=xxx

are the two options that are required for the script to work.
 
dnsmasq is required for the dnsmasq method. Every time I test x3mRouting with unbound, I keep dnsmasq enabled and have not had an issue.

Once you have let unbound + dnsmasq run for a while and don't see any more IPv4 addresses being populated in the IPSET list, you should be okay with disabling dnsmasq. The IPv4 addresses will be saved in the /opt/tmp directory via the 2AM cron job and used to load the list at boot. However, no new IPv4 addresses will be added dynamically since dnsmasq is turned off.
 
Hi @Xentrk, I am not sure why I need to add the line only for VPN client 1. VPN client 2 is working fine.
I have commented out unbound_via_vc1.sh and it still happens. So it appears not related to the rule here. Perhaps I should create another thread.

Here is the config
Code:
admin@RT-AC86U-DBA8:/jffs/scripts/x3mRouting# more vpnclient1-route-pre-down
#!/bin/sh
logger "VPN Client 1 going down ..."
iptables -t nat -D POSTROUTING -s "$(nvram get vpn_server2_sn)"/24 -o tun11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s "$(nvram get vpn_server2_sn)"/24 -o tun11 -j MASQUERADE
#/jffs/scripts/unbound_via_vc1.sh stop & #Disable Unbound BIND to VPN 1 pre-down, BIND Unbound back to WAN
admin@RT-AC86U-DBA8:/jffs/scripts/x3mRouting# more vpnclient1-route-up
#!/bin/sh
logger "VPN Client 1 coming up ..."
iptables -t nat -D POSTROUTING -s "$(nvram get vpn_server2_sn)"/24 -o tun11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s "$(nvram get vpn_server2_sn)"/24 -o tun11 -j MASQUERADE
#/jffs/scripts/unbound_via_vc1.sh start & #BIND Unbound to VPN 1
# Create RPDB rules
#ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9995        # create VPN 1 fwmark
admin@RT-AC86U-DBA8:/jffs/scripts/x3mRouting#


messages when I bounce VPN client 1
Code:
##### Starting with VPN1 up #####
##### IN VPN webui, VPN Client 1 Service State turn off  #####
Feb 22 12:09:54 RT-AC86U-DBA8 rc_service: httpd 1179:notify_rc stop_vpnclient1
Feb 22 12:09:54 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/service-event (args: stop vpnclient1)
Feb 22 12:09:54 RT-AC86U-DBA8 ovpn-client1[17341]: event_wait : Interrupted system call (code=4)
Feb 22 12:09:54 RT-AC86U-DBA8 ovpn-client1[17341]: SIGTERM received, sending exit notification to peer
Feb 22 12:09:55 RT-AC86U-DBA8 ovpn-client1[17341]: vpnrouting.sh tun11 1500 1584 10.8.1.3 255.255.255.0 init
Feb 22 12:09:55 RT-AC86U-DBA8 openvpn-routing: Configuring policy rules for client 1
Feb 22 12:09:56 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1584 10.8.1.3 255.255.255.0 init)
Feb 22 12:09:56 RT-AC86U-DBA8 (updown-dns.sh): 11113 Starting script execution
Feb 22 12:09:56 RT-AC86U-DBA8 (updown-dns.sh): 11113 Ending script execution
Feb 22 12:09:56 RT-AC86U-DBA8 (x3mvpnrouting.sh): 11147 00 Deleting fwmark 0x1000/0x1000
Feb 22 12:09:56 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 1
Feb 22 12:09:56 RT-AC86U-DBA8 (x3mvpnrouting.sh): 11147 Completed routing policy configuration for client 1
Feb 22 12:09:56 RT-AC86U-DBA8 admin: VPN Client 1 going down ...
Feb 22 12:09:57 RT-AC86U-DBA8 openvpn-event[11092]: Running /jffs/scripts/x3mRouting/vpnclient1-route-pre-down tun11 1500 1584 10.8.1.3 255.255.255.0 init
Feb 22 12:09:57 RT-AC86U-DBA8 ovpn-client1[17341]: Closing TUN/TAP interface
Feb 22 12:09:57 RT-AC86U-DBA8 ovpn-client1[17341]: /usr/sbin/ip addr del dev tun11 10.8.1.3/24
Feb 22 12:09:57 RT-AC86U-DBA8 ovpn-client1[17341]: ovpn-down 1 client tun11 1500 1584 10.8.1.3 255.255.255.0 init
Feb 22 12:09:57 RT-AC86U-DBA8 ovpn-client1[17341]: SIGTERM[soft,exit-with-notification] received, process exiting
Feb 22 12:09:57 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/service-event-end (args: stop vpnclient1)

##### IN VPN webui, VPN Client 1 Service State turn on  #####
Feb 22 12:13:02 RT-AC86U-DBA8 rc_service: httpd 1179:notify_rc start_vpnclient1
Feb 22 12:13:02 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/service-event (args: start vpnclient1)
Feb 22 12:13:03 RT-AC86U-DBA8 ovpn-client1[16222]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Feb 22 12:13:03 RT-AC86U-DBA8 ovpn-client1[16222]: OpenVPN 2.5.0 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 12 2021
Feb 22 12:13:03 RT-AC86U-DBA8 ovpn-client1[16222]: library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.08
Feb 22 12:13:03 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/service-event-end (args: start vpnclient1)
Feb 22 12:13:03 RT-AC86U-DBA8 ovpn-client1[16229]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
... snipped ovpn-client1 logs...
Feb 22 12:13:04 RT-AC86U-DBA8 ovpn-client1[16229]: ovpn-up 1 client tun11 1500 1584 10.8.2.3 255.255.255.0 init
Feb 22 12:13:04 RT-AC86U-DBA8 (updown-dns.sh): 16508 Starting script execution
Feb 22 12:13:05 RT-AC86U-DBA8 (updown-dns.sh): 16508 Ending script execution
Feb 22 12:13:05 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 1
Feb 22 12:13:05 RT-AC86U-DBA8 (x3mvpnrouting.sh): 16538 Completed routing policy configuration for client 1
Feb 22 12:13:05 RT-AC86U-DBA8 openvpn-event[16500]: No scripts found to run for openvpn-event: vpnclient1-up
Feb 22 12:13:05 RT-AC86U-DBA8 custom_script: Running openvpn-event
Feb 22 12:13:07 RT-AC86U-DBA8 openvpn-routing: Configuring policy rules for client 1
Feb 22 12:13:08 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1584 10.8.2.3 )
Feb 22 12:13:08 RT-AC86U-DBA8 (updown-dns.sh): 17307 Starting script execution
Feb 22 12:13:08 RT-AC86U-DBA8 (updown-dns.sh): 17307 Ending script execution
Feb 22 12:13:08 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 Removing rule 10001 from routing policy
Feb 22 12:13:08 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 Removing rule 10101 from routing policy
Feb 22 12:13:08 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 Removing rule 10102 from routing policy
Feb 22 12:13:09 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 Removing rule 10103 from routing policy
Feb 22 12:13:09 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 Removing rule 10104 from routing policy
Feb 22 12:13:09 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 Removing rule 10105 from routing policy
Feb 22 12:13:09 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 ip rule add from 192.168.1.1   table main priority 10001
Feb 22 12:13:09 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.1.1 to  through WAN
Feb 22 12:13:09 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 ip rule add from 10.16.0.0/24   table ovpnc1 priority 10101
Feb 22 12:13:09 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 10.16.0.0/24 to  through VPN client 1
Feb 22 12:13:09 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 ip rule add from 192.168.1.2   table ovpnc1 priority 10102
Feb 22 12:13:09 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.1.2 to  through VPN client 1
Feb 22 12:13:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 ip rule add from 192.168.1.11   table ovpnc1 priority 10103
Feb 22 12:13:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.1.11 to  through VPN client 1
Feb 22 12:13:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 ip rule add from 192.168.1.21   table ovpnc1 priority 10104
Feb 22 12:13:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.1.21 to  through VPN client 1
Feb 22 12:13:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 ip rule add from 192.168.1.91   table ovpnc1 priority 10105
Feb 22 12:13:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.1.91 to  through VPN client 1
Feb 22 12:13:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 Routing rules created for IPSET list Astro
Feb 22 12:13:10 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 1
Feb 22 12:13:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): 17358 Completed routing policy configuration for client 1
Feb 22 12:13:10 RT-AC86U-DBA8 admin: VPN Client 1 coming up ...
Feb 22 12:13:10 RT-AC86U-DBA8 openvpn-event[17293]: Running /jffs/scripts/x3mRouting/vpnclient1-route-up tun11 1500 1584 10.8.2.3
Feb 22 12:13:10 RT-AC86U-DBA8 ovpn-client1[16229]: Initialization Sequence Completed

VPN Client 2 no need to add the line and working.
Code:
##### IN VPN webui, VPN Client 2 Service State turn off #####
Feb 22 12:25:15 RT-AC86U-DBA8 (updown-dns.sh): 31891 Starting script execution
Feb 22 12:25:15 RT-AC86U-DBA8 (updown-dns.sh): 31891 Ending script execution
Feb 22 12:25:15 RT-AC86U-DBA8 (x3mvpnrouting.sh): 31910 00 Deleting fwmark 0x2000/0x2000
Feb 22 12:25:15 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 2
Feb 22 12:25:15 RT-AC86U-DBA8 (x3mvpnrouting.sh): 31910 Completed routing policy configuration for client 2
Feb 22 12:25:15 RT-AC86U-DBA8 admin: VPN Client 2 going down .

##### IN VPN webui, VPN Client 2 Service State turn on #####
Feb 22 12:25:47 RT-AC86U-DBA8 rc_service: httpd 1179:notify_rc start_vpnclient2
Feb 22 12:25:47 RT-AC86U-DBA8 custom_script: Running /jffs/scripts/service-event (args: start vpnclient2)
...
Feb 22 12:25:52 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7455 Removing rule 10301 from routing policy
Feb 22 12:25:52 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7455 Created fwmark 0x2000/0x2000
Feb 22 12:25:52 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 2
Feb 22 12:25:52 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7455 Completed routing policy configuration for client 2
Feb 22 12:25:52 RT-AC86U-DBA8 admin: VPN Client 2 coming up ...
Feb 22 12:25:52 RT-AC86U-DBA8 openvpn-event[7418]: Running /jffs/scripts/x3mRouting/vpnclient2-route-up tun12 1500 1586 10.7.3.2
Feb 22 12:25:52 RT-AC86U-DBA8 ovpn-client2[6413]: Initialization Sequence Completed

Update: The issue seems to have gone away by itself. I have commented out the fwmark 0x1000 addition in vpnclient1-route-up and everything is working fine. Will report back if there is any update.
 
Hello everyone. I recently installed Unbound. I use ExpressVPN and all my devices go to VPN. Doing the VPN operation test, under the heading 'DNS exposure' I see that the test displays my WAN IP and not the IP provided by the VPN. I read here in discussion that someone solved it but I failed. I went into Unbound advanced settings, used option 3 and then typed the command vpn 1 because I use the vpn client 1. When the router restarts I can't navigate, everything is blocked, at which point to solve I have to install Unbound again with the basic configuration. How can I fix the exposed DNS problem?
 
I see that here in the discussion we talk about x3mrouting, so I will explain my configuration better and let's see if we can solve it. I have installed AMTM, Entware, flexqos, skynet, Diversion and Unbound. I use ExpressVPN configured on the router in OpenVPN mode. I have activated the tunnel and assigned to all my devices their own static IP address so that when they pass through the tunnel they go to the VPN. In this way flexqos is able to monitor the traffic. Everything works fine and Unbound would work fine too except it leaves my DNS exposed. Here we were talking about x3mrouting, but I did not understand what use is made of it. I would like to make Unbound use the VPN and not leave my DNS exposed. Should I use x3mrouting?
 
I have followed the whole tutorial but I still have the problem of exposed DNS. I installed x3mrouting, I went to /jffs/scripts/x3mrouting/ and I created the file vpnclient1-route-up by inserting the code indicated before. Same thing for the vpnclient1-route-pre-down file and for the unbound_via_vc1.sh file. Then I restarted the router but I still have the DNS exposed. Where did I go wrong? Is there a guide explaining what to do from start to finish?
 
Here I am again, I had something wrong.

It works, I have run everything and the tests tell me that I no longer have the DNS exposed.

Is it possible to do the same thing with the VPN client 2 etc?
 
Yes just change everything from vpn 1 to reflect vpn 2.
 
After 5 hours of use I did the DNS exposure test. I located 6 Google servers in Switzerland and ExpressVPN servers; there is no IP address of my carrier. Is it normal for these Google servers to be there?
 
If I do the test with the PC that is always on the home network connected to the router, I do not have the DNS exposed. If I do it with the smartphone that was previously in 4G and is now in the home network, it finds me Google DNS, but my IP address of the telephone company is not visible. Everything seems okay to me ........ I hope
 
I checked again, on PC everything ok, on smartphone no, I don't understand why. On smartphones, I still see advertising on websites. I don't know what to say, maybe it is due to the fact that the smartphone is not always connected to the router but also to the 4G network if I'm not at home.
 
Since I worked a lot on it, I had thought about uninstalling Unbound and then reinstalling it cleanly, but I was unable to remove it. Is there a particular procedure for doing this?
 
I point out that to correctly execute the 3 files proposed in this tutorial, x3mRouting must also be installed in its option 2 which, however, can create a conflict with the VPN configuration. On firmware 386 and with x3mRouting option 2 installed, the VPN configuration cannot be changed or by a configuration error. If you uninstall option 2, at boot the system does not stop and start the VPN client and therefore you will have the DNS exposed.
 
Not to hijack, but is the aforesaid tutorial post 73 in this thread by @Xentrk ? Is this the lead to follow for setting this up?
tia,
jts
 
I suggest running the following commands and comparing the output in the different scenarios. It will make it easier to see what went wrong when it is not working.
Code:
ip rule
iptables -nvL OUTPUT -t mangle --line
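An added example, not from this thread and not part of x3mRouting: a small POSIX sh helper that takes saved `ip rule` output from two states (captured before and after bouncing VPN client 1, as suggested above) and reports whether the `fwmark 0x1000/0x1000 lookup ovpnc1` rule is present, how many source-based rules still point at table ovpnc1, and which rule lines vanished between the two captures. The two sample outputs embedded below are constructed for the demonstration, with the whitespace of real `ip rule` output simplified.

```shell
#!/bin/sh
# Added example (not from the thread or from x3mRouting): compare saved
# `ip rule` output from two states and check for the VPN client 1 rules.
# On the router:  ip rule > /tmp/rules.before  (before the bounce)
#                 ip rule > /tmp/rules.after   (after the bounce)
#                 check_vpn1_rules "$(cat /tmp/rules.after)"
#                 missing_rules "$(cat /tmp/rules.before)" "$(cat /tmp/rules.after)"

# Constructed sample: healthy state after vpnclient1-route-up ran
SAMPLE_OK='0: from all lookup local
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10001: from 192.168.1.1 lookup main
10101: from 10.16.0.0/24 lookup ovpnc1
10102: from 192.168.1.2 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default'

# Constructed sample: the state the thread describes, fwmark rule gone
SAMPLE_BROKEN='0: from all lookup local
10001: from 192.168.1.1 lookup main
10101: from 10.16.0.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default'

# has_fwmark_rule RULES MARK TABLE -> 0 if "fwmark MARK lookup TABLE" is present
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -q "fwmark $2 lookup $3"
}

# count_table_rules RULES TABLE -> number of source-based (from <ip>) rules using TABLE
count_table_rules() {
    printf '%s\n' "$1" | grep -c "from [0-9./]* lookup $2\$" || true
}

# missing_rules BEFORE AFTER -> prints every rule line present in BEFORE but not in AFTER
missing_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        printf '%s\n' "$2" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# check_vpn1_rules RULES -> 0 only when marked traffic will be routed via table ovpnc1
check_vpn1_rules() {
    status=0
    if has_fwmark_rule "$1" 0x1000/0x1000 ovpnc1; then
        echo "OK: fwmark 0x1000/0x1000 -> ovpnc1 rule present"
    else
        echo "MISSING: no 'fwmark 0x1000/0x1000 lookup ovpnc1' rule; marked packets fall through to main (WAN)"
        status=1
    fi
    echo "INFO: $(count_table_rules "$1" ovpnc1) source-based rule(s) point at ovpnc1"
    return $status
}

# Stand-alone demonstration against the constructed samples
check_vpn1_rules "$SAMPLE_OK"
check_vpn1_rules "$SAMPLE_BROKEN" || echo "(rules need repair)"
echo "Rules lost between the two captures:"
missing_rules "$SAMPLE_OK" "$SAMPLE_BROKEN"
```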
 
Everything works but I believe there is a problem between x3mrouting and the 386 firmware
 
Hi,
Thanks @Swinson for developing this easy way to bind unbound to a VPN client.

I do not have knowledge in understanding all the scripts but thanks to post #41 and #102 I made it work on my AC86U.

Now I see that unbound is tied to VPN 1 [v] unbound requests via VPN Client 1 (10.7.0.5) tunnel ENABLED and dnsleak displays my VPN's IP.

1. I also wanted to make the same steps for VPN 3.
Following post #41 I created the files:
  • “/jffs/scripts/x3mRouting/vpnclient3-route-up” with the same line /jffs/scripts/unbound_via_vc1.sh start &
  • “/jffs/scripts/x3mRouting/vpnclient3-route-pre-down” with the corresponding same line /jffs/scripts/unbound_via_vc1.sh stop &
  • then I ran
Code:
x3mRouting 3 0 VPN_IP_3 dnsmasq=whatsmyip.com
x3mRouting ALL 3 WAN_IP_3 dnsmasq=whatismyip.com

But I am not sure if it is the right way to do it, as I suppose this script "unbound_via_vc1.sh" is only for VPN-1, isn't it?
If yes, can you please tell me what I need to modify to customize it for VPN3? Is there anything else I should change?

2. I activated a guest WiFi network: ASUS_88_2G_Guest
However, I want this network to have the DNS resolved by my ISP, not by unbound.
Is this possible? and how to do that?

Thanks
 
Just create another script but rename everything to reflect vpn3 (unbound_via_vc3.sh), including the rules inside. If it says vpn1, change it to vpn3. The rules will automatically populate inside the x3mRouting folder; open the pre-up and down files and change them to vpn3:

/jffs/scripts/unbound_via_vc3.sh start &

/jffs/scripts/unbound_via_vc3.sh stop &

Open the unbound_via_vc3 script that you created and change anything inside that reads vpn1 to vpn3 and save it.
 