Unbound Unbound DNS VPN Client w/policy rules

  • Thread starter Deleted member 62525

@Swinson, I'm getting ready to try this nifty little rule you created. How is it working for you overall? Any issues at all? Thanks!
Everything has been working great for me. Definitely feels much snappier once the tunnel has been established but that could just be my perception.
 
Do you use Diversion and still see ads? I also use VPN and I have "accept DNS configuration" disabled, but I'm still seeing ads. I wonder if I need to change this. DNSFilter is set to Router inside the LAN.

Update: Disregard... I figured out what I was doing wrong. All is good! Thanks for this!
 
Glad you got it figured out. Let me know if anything else comes up.
 
I did have one last question: is there a way to test if it's working? I have everything set up and am just hoping I did it right! Thanks
 
I use dnsleaktest.com to make sure my VPN's IP is being used. I also have whatsmyip.com listed in x3mRouting's bypass rules so I can check that my WAN IP is being used for things that should be bypassing the VPN.
 
Can you share the x3mRouting bypass rule or a screenshot on how it looks? Thanks & sorry for the questions!

When I first go into the DNS leak test web page I see the NY IP address. When I run an "extended" DNS leak test I still see my actual device IP location. Also, whatsmyip.com shows the NY IP too. I think this is normal when using unbound, correct?
 
You can run this to create a new ipset with a bypass rule for VPN client 1, so any packets that match will get marked and not go through your VPN tunnel.

Code:
x3mRouting 1 0 whatsMyIP dnsmasq=whatsmyip.com

If you already have an ipset using the dnsmasq method you can just add the domain to that set and it will have the same effect. You just need something that will trigger a bypass and show you where your connection came from.
 
Things look right to you on these screenshots?
 
Thanks man. I appreciate all the help on this!
 
No, that does not look right. DNS leak test should show your VPN on the main screen and during the test. Also make sure you used the same domain your browser shows you using: what IS my ip. I have whats my ip in the rule I posted.

Can you run this and post the output?

Code:
iptables -nvL OUTPUT -t mangle
 
Got it... that's what I missed. It's all working now!
 
@Swinson, I'm back at this again. I thought it was working fine, but I rebooted my router and below is the output:

Code:
admin@RT-AX88U-0D80:/tmp/home/root# iptables -nvL OUTPUT -t mangle
Chain OUTPUT (policy ACCEPT 1074 packets, 196K bytes)
pkts bytes target     prot opt in     out     source               destination     
  939 66923 MARK       udp  --  *      *       0.0.0.0/0            9.9.9.9              udp dpt:53 MARK or 0x8000
    2   143 MARK       udp  --  *      *       0.0.0.0/0            149.112.112.112      udp dpt:53 MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            9.9.9.9              tcp dpt:53 MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            149.112.112.112      tcp dpt:53 MARK or 0x8000
   12   750 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 MARK or 0x1000
2285  176K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 MARK or 0x1000

However, when I run the DNS leak test, on the main screen I see my VPN IP; however, when I run the DNS test I see my actual WAN IP address. Any ideas what I might be doing wrong?

I also did an ipleak.net test and my IP shows the vpn IP but the DNS shows my actual location. I believe I'm doing something wrong with whatsmyIP domain?

I've created the unbound_tunCheck.sh file and copied everything you posted. I also added the other rules inside the x3mRouting folder under the route-up and route-pre-down files. I've enabled "vpn 1" inside unbound_manager advanced.

I might have to give up on this as I cannot figure this out.

I appreciate all your help though!
 
Hmm, that all looks right. Can you also check that x3mRouting has rules created? Run this to display your ip rules:
Code:
ip rule
 
This is what I get:

Code:
admin@RT-AX88U-0D80:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
10001:    from 192.168.1.1/27 lookup main
10101:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default

I have the main router and certain devices (Xbox, Nest devices) that go through WAN that I don't want to go through VPN. However, all my testing is done through a laptop that is under the VPN.
 
You don't need to enable the vpn 1 option in unbound, as this is done in the script, but that shouldn't cause any problems.

Make sure DNS is set to router mode, to force traffic to dnsmasq.

In your guest networks and VPN configurations you can list your router's IP as the DNS server to make sure everything is going to dnsmasq.

In your WAN page, list the public DNS you want your router to use for its own internals.

The idea is to force all client traffic to dnsmasq. Then dnsmasq forwards that to unbound. Now if you are using policy rules (strict) and you have something like

192.168.1.1->wan
192.168.1.0/24->tun

You are now forcing all your LAN clients through the tunnel but bypassing for the router itself. Since unbound is running on the router, you have a rule already for that traffic saying "don't use the tunnel". The first step is to tell unbound to try to use the VPN interface, but your router is going to tell it "no, all router traffic goes to a different interface". So the rules in the OUTPUT table parse all the DNS requests, i.e. everything on port 53, based on a known destination. Everything from port 53 should default to the tunnel unless it matches an IP you have in your WAN DNS settings.

I hope maybe that helps you understand my thought about how to get this to work the way I wanted.
 
You are missing “from all fwmark 0x1000/0x1000 lookup ovpnc1”
 
Try running this and then run ip rule again:

Code:
x3mRouting ALL 1 dummy dnsmasq=dummy.me
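
An added check, not from the thread or from the x3mRouting project, that applies Swinson's explanation of the mangle marks above and the missing-rule diagnosis: it pulls every fwmark the mangle OUTPUT chain sets on port-53 traffic and confirms that `ip rule` has a matching fwmark rule for each. The samples are constructed from the outputs posted earlier in the thread; the function names are my own.

```shell
#!/bin/sh
# Added check, not from the thread or from x3mRouting: does every fwmark that
# the mangle OUTPUT chain sets on port-53 traffic have a matching `ip rule`?
# On the router, run it on live output instead of the constructed samples:
#   check_dns_marks "$(iptables -nvL OUTPUT -t mangle)" "$(ip rule)"

# Constructed samples, trimmed from the outputs posted in this thread.
MANGLE_SAMPLE='Chain OUTPUT (policy ACCEPT 1074 packets, 196K bytes)
 pkts bytes target     prot opt in     out     source               destination
  939 66923 MARK       udp  --  *      *       0.0.0.0/0            9.9.9.9              udp dpt:53 MARK or 0x8000
 2285  176K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 MARK or 0x1000'

IPRULE_BEFORE='0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
10101:  from 192.168.1.0/24 lookup ovpnc1
32766:  from all lookup main'

# Same rules plus the line that was missing before the dummy x3mRouting rule.
IPRULE_AFTER="$IPRULE_BEFORE
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1"

# Distinct marks applied to dpt:53 packets, one per line, sorted.
dns_marks() {
  printf '%s\n' "$1" | grep 'dpt:53' |
    sed -n 's/.*MARK or \(0x[0-9a-fA-F]*\).*/\1/p' | sort -u
}

# Routing table that ip rule selects for mark $1, or nothing if no rule exists.
rule_table_for_mark() {
  printf '%s\n' "$2" | grep "fwmark $1/$1" |
    sed -n 's/.*lookup \([^ ]*\).*/\1/p' | head -n 1
}

# $1 = mangle OUTPUT listing, $2 = ip rule listing. Returns 0 only when every
# DNS mark is routed by some ip rule; reports each mark on stdout.
check_dns_marks() {
  missing=0
  for m in $(dns_marks "$1"); do
    t=$(rule_table_for_mark "$m" "$2")
    if [ -z "$t" ]; then
      echo "MISSING: no ip rule for fwmark $m; DNS marked $m falls to the policy rules"
      missing=1
    else
      echo "ok: fwmark $m -> lookup $t"
    fi
  done
  return $missing
}
```

With the "before" rules it reports the 0x1000 mark as unrouted, which is exactly the state where marked DNS falls through to the policy rules and leaks over the WAN; with the "after" rules both marks resolve to a table.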

Problem SOLVED!!!

I went to unbound_manager and switched "vpn 1" back to WAN using "bind".

But running the rule:

Code:
x3mRouting ALL 1 dummy dnsmasq=dummy.me

Now the dnsleak and ipleak tests both show IP and DNS as my VPN IP.

IP rule:
Code:
admin@RT-AX88U-0D80:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
9995:    from all fwmark 0x1000/0x1000 lookup ovpnc1
10001:    from 192.168.1.1/27 lookup main
10101:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default

Thanks a lot for taking the time and helping me out on this!!! I owe you a beer!