Unbound Unbound DNS VPN Client w/policy rules

  • Thread starter Deleted member 62525

I put everything in functions and made a few little tweaks. I still need to add comments and incorporate a couple of checks to make sure the user has everything configured/installed as expected.

User configuration:
Unbound - running as system resolver
x3mRouting - installed (must have rules to make fwmark 0x8000 and 0x1000)
DNS lookups - forced to default gateway
DNS in WAN tab - public DNS server
DNS in LAN tab - not set/default gateway
VPN client 1 - set up and running

Add the following line to “/jffs/scripts/x3mRouting/vpnclient1-route-up”
Code:
/jffs/scripts/unbound_via_vc1.sh start &

Add the following line to “/jffs/scripts/x3mRouting/vpnclient1-route-pre-down”
Code:
/jffs/scripts/unbound_via_vc1.sh stop &

Create “unbound_via_vc1.sh” in “/jffs/scripts”, paste the code below and chmod 755
Code:
#!/bin/sh
# unbound_via_vc1.sh - mark DNS traffic so x3mRouting's policy rules send it
# through VPN client 1 (tun11), then have unbound_manager bind Unbound to it.
# Usage: unbound_via_vc1.sh start | stop   (called from the x3mRouting hooks)

Log() {
        logger -st "($(basename "$0"))" $$ "$@"
}

# Succeeds once tun11 can reach the internet; only the exit status matters
Check_Tun11_Con() {
        ping -c1 -w1 -I tun11 1.1.1.1 >/dev/null 2>&1
}

# Remove the mark rules; deleting a rule that is not present is expected, so those errors are silenced
Delete_Rules() {
        iptables -t mangle -D OUTPUT -d "$wan0_dns0"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000 2>/dev/null
        iptables -t mangle -D OUTPUT -d "$wan0_dns1"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000 2>/dev/null
        iptables -t mangle -D OUTPUT -d "$wan0_dns0"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000 2>/dev/null
        iptables -t mangle -D OUTPUT -d "$wan0_dns1"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000 2>/dev/null
        iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000 2>/dev/null
        iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000 2>/dev/null
}

# Queries to the WAN resolvers keep the WAN mark (0x8000); every other port-53
# packet gets the VPN client 1 mark (0x1000). x3mRouting's ip rules do the routing.
Add_Rules() {
        iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
}

Unbound_vc1() {
        Add_Rules
        /jffs/addons/unbound/unbound_manager.sh vpn=1 &
}

Unbound_vpnDisable() {
        Delete_Rules
        /jffs/addons/unbound/unbound_manager.sh vpn=disable &
}

# Wait up to about five minutes for tun11 to come up, then switch Unbound to the VPN
Poll_Tun11() {
        Delete_Rules
        sleep 5
        timer=5
        while [ "$timer" -lt 300 ]; do
                if Check_Tun11_Con; then
                        Unbound_vc1
                        Log Ending Script Execution
                        exit 0
                fi
                sleep 1
                timer=$((timer + 1))    # sh has no ++ operator
        done
        Log Script Execution Timeout
        exit 3
}

if [ -z "$1" ]; then
        Log Script Arg Missing
        exit 1
fi
Log Starting Script Execution

# wan0_dns holds the WAN resolvers as a space-separated list; take the first two
wan0_dns0="$(nvram get wan0_dns | awk '{print $1}')"
wan0_dns1="$(nvram get wan0_dns | awk '{print $2}')"
if [ -z "$wan0_dns0" ]; then
        Log wan0_dns is NULL
        exit 2
fi
# With a single resolver, use it for both rule sets (no spaces around = in sh assignments)
[ -z "$wan0_dns1" ] && wan0_dns1="$wan0_dns0"

case "$1" in
        start)
                Poll_Tun11
                exit 0;;
        stop)
                Unbound_vpnDisable
                exit 0;;    # exit status must be 0-255
        *)
                Log Script Arg Invalid
                exit 1;;
esac

@Kingp1n if you want to update yours you can just update the script you have with the new code in this post. No major changes though, so you don't need to mess with it unless you want to. To update, just replace everything in the main file with the updated code and then in the route-up file add the word "start" in between the script name and the ampersand. So the line would look something like this.

"/xx/xx/scriptName.sh start &"

You can keep route-pre-down the same or you can replace all the lines I had you add with one line. Instead of having the 6 iptables rule lines and the unbound vpn=disable line you can just put
"/xx/xx/scriptName.sh stop &"

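As an added check (not code from the thread or from the script's author), the sh snippet below reads the text of `iptables -t mangle -S OUTPUT` (or `iptables-save -t mangle`) and `ip rule` and reports which of the pieces the script depends on are missing: for each of udp and tcp, a 0x8000 rule for the WAN resolvers and a 0x1000 catch-all rule for port 53, plus the fwmark entries x3mRouting adds. It assumes x3mRouting's mapping of fwmark 0x8000 to the main (WAN) table and 0x1000 to the ovpnc1 table; the resolver address and all sample output are constructed, not captured from a router.

```sh
#!/bin/sh
# Offline check that the DNS policy-routing pieces are in place. Reads saved
# text, so it runs against the constructed samples below or, on the router,
# against live output:  check_dns_marking "$(iptables -t mangle -S OUTPUT)" "$(ip rule)"

# Constructed sample of "iptables -t mangle -S OUTPUT": all four rules present
SAMPLE_IPT_OK='-P OUTPUT ACCEPT
-A OUTPUT -d 9.9.9.9/32 -p udp -m udp --dport 53 -m comment --comment unbound_rule -j MARK --set-xmark 0x8000/0x8000
-A OUTPUT -d 9.9.9.9/32 -p tcp -m tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-xmark 0x8000/0x8000
-A OUTPUT -p tcp -m tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-xmark 0x1000/0x1000
-A OUTPUT -p udp -m udp --dport 53 -m comment --comment unbound_rule -j MARK --set-xmark 0x1000/0x1000'

# Constructed sample with the tcp rules missing (e.g. Add_Rules did not finish)
SAMPLE_IPT_BAD='-P OUTPUT ACCEPT
-A OUTPUT -d 9.9.9.9/32 -p udp -m udp --dport 53 -m comment --comment unbound_rule -j MARK --set-xmark 0x8000/0x8000
-A OUTPUT -p udp -m udp --dport 53 -m comment --comment unbound_rule -j MARK --set-xmark 0x1000/0x1000'

# Constructed sample of "ip rule" with x3mRouting's fwmark entries present
SAMPLE_IPRULE_OK='0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main'

# Constructed sample where the fwmark entries are gone
SAMPLE_IPRULE_BAD='0:      from all lookup local
32766:  from all lookup main'

# count_mark_rules TEXT MARK PROTO: number of OUTPUT rules marking PROTO/53 with MARK
# (matches both --set-mark and the --set-xmark form iptables prints back)
count_mark_rules() {
        printf '%s\n' "$1" | grep -c -e "^-A OUTPUT .*-p $3 .*--dport 53 .*--set-x*mark $2/$2$"
}

# has_fwmark_rule TEXT MARK TABLE: succeeds when ip rule sends MARK to TABLE
has_fwmark_rule() {
        printf '%s\n' "$1" | grep -q -e "fwmark $2/$2 lookup $3$"
}

# check_dns_marking IPTABLES_TEXT IPRULE_TEXT: prints one line per missing piece,
# returns 0 when everything is present and 1 otherwise
check_dns_marking() {
        _ipt=$1; _iprule=$2; _status=0
        for _proto in udp tcp; do
                [ "$(count_mark_rules "$_ipt" 0x8000 "$_proto")" -ge 1 ] \
                        || { echo "missing: 0x8000 rule for $_proto/53 to the WAN resolvers"; _status=1; }
                [ "$(count_mark_rules "$_ipt" 0x1000 "$_proto")" -ge 1 ] \
                        || { echo "missing: 0x1000 catch-all rule for $_proto/53"; _status=1; }
        done
        # Table names are an assumption: x3mRouting's WAN mark 0x8000 -> main, VPN client 1 mark 0x1000 -> ovpnc1
        has_fwmark_rule "$_iprule" 0x8000 main \
                || { echo "missing: ip rule fwmark 0x8000 -> main (x3mRouting WAN rule)"; _status=1; }
        has_fwmark_rule "$_iprule" 0x1000 ovpnc1 \
                || { echo "missing: ip rule fwmark 0x1000 -> ovpnc1 (x3mRouting VPN client 1 rule)"; _status=1; }
        return $_status
}

# Stand-alone run against the constructed samples
if check_dns_marking "$SAMPLE_IPT_OK" "$SAMPLE_IPRULE_OK"; then
        echo "sample OK: all marking rules and ip rules present"
fi
check_dns_marking "$SAMPLE_IPT_BAD" "$SAMPLE_IPRULE_BAD" || echo "sample BAD: DNS would not be routed as intended"
```

Run the check on the router after the VPN client has been up for a few seconds. The two halves fail differently: without the mangle rules nothing is marked, and without the ip rule entries the marks are set but no policy route acts on them, so in both cases port-53 traffic follows the main table out the WAN and the leak test shows the WAN address.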
What is the reason for using exit -1 rather than a value from 0-255? I'm trying to eliminate errors from ShellCheck, and this is the only one remaining.
 
Novice here (been lurking as a guest for a few weeks to learn), with a few questions... wasn't sure where to post this and didn't want to start a new thread.

My goal is to increase privacy without sacrificing too much security. I realize there are different opinions how to go about that.

I'm currently running skynet and unbound. Since installing unbound, it looks like it was not compatible when running OVPN client, so I have my VPN turned off for now. Which brought me to this thread.

I started to install x3mRouting based on this thread, but I'm a novice at Linux. I am able to bring up the code with the nano command, but from there I am stuck on what to do. Are there lines of code that are comments by default, which I should "uncomment" depending on which method I want to use for policy rules? I just want to start simple, by defining which of my clients will use VPN, and to also have unbound working and running the DNS queries through my VPN. I understand this will cause my DNS leak test to show my VPN IP. When I run the sh command for the script, it returns this error message (assuming since I have not edited the default file yet):

ERROR Expecting first parameter to be 'server=' or 'ipset_name='

This is where I'm stuck! I'll try to get further along but if someone here would like to push me towards the next step with a response that'd be much appreciated.
 
Do you want all your devices to run through VPN client 1?
 

I have ~5 devices to run through VPN client 1, and 1 laptop that needs to stay on WAN. I just use policy rules in the GUI for now. I haven't been running the VPN for very long and may find I want to route certain websites or streaming services through WAN. I understand x3mRouting will do that but I'll cross that road later.

From reading countless posts here, it now seems like maybe I just need to enter a few lines of code in the main terminal window after I ssh into the router? I've seen some examples of this code in posts here, but I don't know if that is just copy/pasted out of the x3mRouting.sh file, or really just entered by itself in the terminal window.

The rest of the steps to actually do what I want (DNS leak test to show as my VPN IP as in this thread) I think I can manage, but haven't gotten x3mRouting running yet.
 
You can find most of what you want to do here. I believe you should be able to do basic PBR for that one device, but you should also be able to do it via x3mRouting as well.
 
This is what I initially tried to do just after installing x3mRouting. However, I do not see that I have these files to do the first two steps:
  1. vpnclient1-route-up
  2. vpnclient1-route-pre-down
When I "ls" the location "/jffs/scripts/x3mRouting", I get these files:
  1. x3mRouting_client_config.sh
  2. x3mRouting.sh
  3. x3mRouting_client_nvram.sh
And when I "ls" the location "/jffs/addons/x3mRouting", I get these files:
  1. updown-dns.sh
  2. x3mRouting_firewall_start.sh
  3. x3mRouting_Menu.sh
  4. x3mvpnrouting.sh
I had assumed that I need to do some initial setup in x3mRouting to get it running so that these files (1 & 2 in my first list above) get created (automatically?). If so, I do not know what to do.

Or were those files supposed to be there after installing x3mRouting? If that's the case, my questions probably sounded confusing since I wasn't even asking the right ones.

Or, do I just need to create those files myself? I think I can handle that but I have a feeling that is not correct.

From a VPN policy rules standpoint, I'd be happy with what the standard Merlin GUI offers for now. My main goal is to keep a DNS leak test from showing my real IP, which it is doing now since I'm using unbound.
 
You create all three files yourself. You may have to install options 2 and 3 from the x3mRouting menu, but I'm not positive on that part.
 
That makes sense. I guess I assumed the first 2 files should have been there already since the procedure only says to create a file for the third one.

I did the steps, rebooted router but no luck with DNS leak test, still shows my IP. I realize I did forget to chmod 755 but being a linux novice, I'm not sure if that could make it fail. Could that be the issue?

I tried to avoid installing option 2 since, after reading up on it, it seems to be more complicated than I need or am capable of right now. I installed it anyway to see if that would make it work, but now my VPN cannot connect. I uninstalled option 2, rebooted but still cannot connect to VPN. I'm not sure what went wrong.

On another note, I noticed when I type "ip rule", it doesn't always match up with what I have in the GUI. Maybe it is delayed or requires a reboot to update?

I also notice the rules to make fwmark 0x8000 and 0x1000 are not always there. I don't know what causes those to show up or disappear but I am understanding they are required.
 
Yes, you do need to chmod those files because when you create a file in Linux it isn't executable. Since this is a script you want to run, it must be executable.
 
Thanks! I did that now but have to wait until later for a reboot to test. I'll report back hopefully with success.

Before I'm not sure what happened with my VPN connection (in the OVPN GUI), but I just deleted it and added it over again and now it's connected.
 
Still stuck here. DNS leak still showed my real IP after I performed the steps including chmod 755 to the three files that I forgot the first time.

I installed option 2 again to see if that was the issue, but as soon as I install it my VPN connection goes down. I don't know why and the only way I got my VPN back up was by uninstalling option 2, deleting my OVPN client info and entering it in again.

I still don't know why the result of "ip rule" sometimes shows the correct rules (fwmark 0x8000 and 0x1000) and other times not.

To test with for now, I just have in the GUI > Policy Rules Strict, and one source IP routed to VPN to test this with. Accept DNS config is disabled.

I'll keep digging at this...
 
Here are all the files in my
Bash:
-rwxr-xr-x    1 user root          3417 Mar 14 17:19 autoscan.sh*
-rwxr-xr-x    1 user root          2396 Mar 14 17:19 getdomainnames.sh*
-rwxr-xr-x    1 user root          2514 Mar 14 20:50 openvpn-event*
-rwxr-xr-x    1 user root            40 Mar 14 20:51 vpnclient1-route-pre-down*
-rwxr-xr-x    1 user root            41 Mar 14 20:52 vpnclient1-route-up*
-rwxr-xr-x    1 user root         65381 Mar 14 20:50 x3mRouting.sh*
I am pretty sure you have to have openvpn-event for any of this to work. That is from option 2 and 3.
 
Are you using vpnmgr? If your VPN client is static, then you can just use unbound_manager in advanced mode to modify the setting.

Bash:
unbound_manager advanced

Option 3

vpn = BIND unbound to VPN {vpnid [debug]} | [disable | debug show] e.g. vpn 1
 
If x3mRouting option 2 is required to get this to work, I need to figure out why my OVPN 1 goes down as soon as I install it.

I tried the vpn option in Unbound advanced menu but that dropped my entire internet connection (WAN and VPN).
 
You don't need to enable the VPN within unbound. The script (unbound_via_vc1.sh) will take care of that.
 
Code:
#!/bin/sh
# unbound_via_vc1.sh (later revision) - mark port-53 traffic for x3mRouting's
# policy rules and bind Unbound to VPN client 1 once tun11 is reachable.
# Usage: unbound_via_vc1.sh start | stop
Post_log() {
        # Call logger directly; wrapping it in $(...) would try to run its output as a command
        logger -st "($(basename "$0"))" $$ "$1"
}
Check_Tun11_Con() {
        ping -c1 -w1 -I tun11 1.1.1.1 >/dev/null 2>&1
}
# Every rule carries the comment "unbound_rule", so teardown does not need to
# know which resolver addresses were in use when the rules were added
Delete_Rules() {
        iptables-save -t mangle | grep "^-A OUTPUT .*unbound_rule" | sed 's/^-A/iptables -t mangle -D/' |
        while read -r CMD; do
                eval "$CMD"    # eval keeps any quoting iptables-save puts around comment text
        done
}
Add_Rules() {
        # wan0_dns is a space-separated list; take the first two resolvers, reusing the first if only one is set
        set -- $wan0_dns
        dns0=$1
        dns1=${2:-$1}
        for proto in udp tcp; do
                # Queries to the WAN resolvers keep the WAN mark (0x8000) ...
                iptables -t mangle -A OUTPUT -d "$dns0"/32 -p "$proto" --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$dns1"/32 -p "$proto" --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
                # ... and everything else on port 53 gets the VPN client 1 mark (0x1000)
                iptables -t mangle -A OUTPUT -p "$proto" --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
        done
}
Call_unbound_manager() {
        /jffs/addons/unbound/unbound_manager.sh vpn="$1"
}
# Poll tun11 every 2 seconds for up to $1 attempts. A countdown loop rather than
# recursion: $((timer--)) yields the old value, so a recursive call never reaches zero.
Poll_Tun11() {
        timer=$1
        while [ "$timer" -gt 0 ]; do
                if Check_Tun11_Con; then
                        Add_Rules && Call_unbound_manager "1"
                        return $?
                fi
                sleep 2
                timer=$((timer - 1))
        done
        Post_log "Error Timeout"
        return 1
}
if [ -z "$1" ]; then
        Post_log "Script Arg Missing"
        exit 1
fi
Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
if [ -z "$wan0_dns" ]; then
        Post_log "wan0_dns is NULL"
        exit 2
fi
Delete_Rules
case "$1" in
        start)
                Poll_Tun11 "150" || exit 1
                Post_log "Ending Script Execution"
                exit 0;;
        stop)
                Call_unbound_manager "disable"
                Post_log "Ending Script Execution"
                exit 0;;
        *)
                Post_log "Script Arg Invalid"
                exit 1;;
esac

Sorry I've been so checked out lately. I see I have some posts to catch up on so I'll be doing that today. Above is my latest revision. I have streamlined the functions a bit as my understanding of bash/sh expands.

My first priority today is to catch up on people's posts while I've been gone and put a repo together.

Other todos:

Make a user dialog so users can configure which vpn client to use rather than hard coding 1

Make an install function to check basic config, adds the necessary lines to the jffs files, and run the x3mRouting commands that configure the ip rules

Possibly expand the user dialogue to allow configuration of wan_ip, and the timeout manually.

As a reach goal I would like to eventually add configurations to the VPN GUI on the web interface.
 
Welcome back.
Looking forward to the update. Still using it with unbound without any issues. I'll update to the latest revision. Thanks again!
 
Make a backup of your working script and run:

/jffs/scripts/unbound_via_vc1.sh start

with the new one to make sure it doesn’t throw any errors. I’m pretty sure it’s good but if you notice it looks pretty different from the last version since I’ve learned some new bash tricks.
 
Updated and I'm running with no issues. Thanks.
 