What's new

Unbound Unbound DNS VPN Client w/policy rules

  • Thread starter Deleted member 62525
  • Start date
  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Modprobe directive did allow me to add comments so the rules are now created with the comment “unbound_rule”. The delete command isn’t matching right now but all the rules with the specified comment are now produced so this will definitely work once I figure out what’s wrong with the output rule format.
Do the following display any matching rules?
Code:
iptables-save | grep "unbound_rule"
or
Code:
iptables -S | grep "unbound_rule"
 
Do the following display any matching rules?
Code:
iptables-save | grep "unbound_rule"
or
Code:
iptables -S | grep "unbound_rule"
I’m going to dig at it a little more in a couple of hours but if I remember correctly from briefly poking around this morning iptables-save and iptables -S return the same thing. I think that was the first thing I tried. I also changed --set-mark to --set-xmark to see if that fixed it because that’s what the returned rule showed up as but that didn’t do it either. I think it’s just a formatting thing but I’ll get it sorted out.
 
I’m going to dig at it a little more in a couple of hours but if I remember correctly from briefly poking around this morning iptables-save and iptables -S return the same thing. I think that was the first thing I tried. I also changed --set-mark to --set-xmark to see if that fixed it because that’s what the returned rule showed up as but that didn’t do it either. I think it’s just a formatting thing but I’ll get it sorted out.
Yes both commands should report the same output, but if required iptables -S allows you to list a specific chain/table.
(IIRC in the past not all routers supported both)
 
Yes both commands should report the same output, but if required iptables -S allows you to list a specific chain/table.
(IIRC in the past not all routers supported both)
I figured it out. I didn’t realize the table wasn’t specified so adding -t mangle removes the rules now. Thanks for your help with this. It is very much appreciated.
Code:
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done

I’ll get the updated stuff up in a bit
 
I figured it out. I didn’t realize the table wasn’t specified so adding -t mangle removes the rules now. Thanks for your help with this. It is very much appreciated.
Code:
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done

I’ll get the updated stuff up in a bit
Glad to see you figured this out with help of some members here. Looking forward for the update! Thanks @Martineau for his assistance!!!

@Swinson ,what VPN service do you currently use?

I was using PIA but I'm now trying out ExpressVPN (trying it out for 30 days). Just curious how you're setting up your VPN with your script and unbound together. Thanks again.
 
Last edited:
Glad to see you figured this out with help of some members here. Looking forward for the update! Thanks @Martineau for his assistance!!!

@Swinson ,what VPN service do you currently use?

I was using PIA but I'm now trying out ExpressVPN (trying it out for 30 days). Just curious how you're setting up your VPN with your script and unbound together. Thanks again.
Currently nord.
I have run out of time today and im in the middle of writing setup function so I’m not going to post it tonight. If you want the fix now it’s pretty simple to implement. Just delete all the lines in the delete rules function and replace it with the command I posted above. The new function should look like this.
Code:
Delete_Rules() {

iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done

}

Then add -m comment --comment unbound_rule to each rule in the add rule function. The new function should look like this.
Code:
Add_Rules(){
iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
Iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}

Finally add this command to the bottom of init-start so the comments work

Code:
modprobe xt_comment
That should be all you need to remove rules that are no longer referenced by nvram.
 
Currently nord.
I have run out of time today and im in the middle of writing setup function so I’m not going to post it tonight. If you want the fix now it’s pretty simple to implement. Just delete all the lines in the delete rules function and replace it with the command I posted above. The new function should look like this.
Code:
Delete_Rules() {

iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done

}

Then add -m comment --comment unbound_rule to each rule in the add rule function. The new function should look like this.
Code:
Add_Rules(){
iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
Iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}

Finally add this command to the bottom of init-start so the comments work

Code:
modprobe xt_comment
That should be all you need to remove rules that are no longer referenced by nvram.
Ill try it out..looks a little over my head for me haha might just wait until you can get it loaded but looks like I'm just replacing the old lines with the new rules. Thanks for all the hardwork on this!

Update: I made the changes per your instructions. The script things to be running, however, when I run a speedtest from GUI, it seems the rules are still getting deleted. The dns leak test shows the IP as my VPN but the DNS as my real IP. Once I restart VPN Clinet 1 thru scmerlin, everything seems to work again. It could be I did something wrong on my end.
 
Last edited:
Ill try it out..looks a little over my head for me haha might just wait until you can get it loaded but looks like I'm just replacing the old lines with the new rules. Thanks for all the hardwork on this!

Update: I made the changes per your instructions. The script things to be running, however, when I run a speedtest from GUI, it seems the rules are still getting deleted. The dns leak test shows the IP as my VPN but the DNS as my real IP. Once I restart VPN Clinet 1 thru scmerlin, everything seems to work again. It could be I did something wrong on my end.
That’s weird. I don’t use the GUI Speedtest so I haven’t run into this. Have you looked at the system logs to see if any additional info is available?
 
Ill try it out..looks a little over my head for me haha might just wait until you can get it loaded but looks like I'm just replacing the old lines with the new rules. Thanks for all the hardwork on this!

Update: I made the changes per your instructions. The script things to be running, however, when I run a speedtest from GUI, it seems the rules are still getting deleted. The dns leak test shows the IP as my VPN but the DNS as my real IP. Once I restart VPN Clinet 1 thru scmerlin, everything seems to work again. It could be I did something wrong on my end.
Can you see if maybe there is a firewall restart or something in the logs.
 
Can you see if maybe there is a firewall restart or something in the logs.
Can you see if maybe there is a firewall restart or something in the logs.
I'm looking at the logs, I'll try to load a screenshot but something keeps restarting my nat-start script.

Update: Everything is working as intended. Not sure what was happening before but the rules are working properly. Thanks for you assistance in this, very much appreciated! Keep us posted if you make any future tweaks to the rules.
 
Last edited:
If you wish to force all unbound requests via a VPN Client, then you should be using the appropriate openvpn-event triggers

e.g.

'/jffs/scripts/vpnclientX-up'
Code:
unbound_manager.sh vpn=X
'/jffs/scripts/vpnclientX-down'
Code:
unbound_manager.sh vpn=disable
to modify 'unbound.conf'

Also, as a failsafe during the boot process i.e. before the VPN Client(s) are connected, it is recommended that you also modify

'/jffs/scripts/post-mount'
Code:
logger "Checking unbound VPN bind....."
[ -n "$(which unbound_manager)" ] && { sh /jffs/addons/unbound/unbound_manager.sh vpn=disable; logger "unbound VPN routing DISABLED"; } # unbound_manager
I do want to force all unbound requests via VPN client 1. Do I also need x3mRouting? If no, then do I just need
'/jffs/scripts/vpnclient1-up'
Code:
#!/bin/sh

/jffs/addons/unbound/unbound_manager.sh vpn=1
'/jffs/scripts/vpnclient1-down'
Code:
#!/bin/sh

/jffs/addons/unbound/unbound_manager.sh vpn=disable

Then I just need to add
Code:
logger "Checking unbound VPN bind....."
[ -n "$(which unbound_manager)" ] && { sh /jffs/addons/unbound/unbound_manager.sh vpn=disable; logger "unbound VPN routing DISABLED"; } # unbound_manager
to the end of '/jffs/scripts/post-mount'?

Then chmod vpnclient1-up and vpnclient1-down to 755 and restart the router for all unbound requests to start using the VPN? Is that it?
 
I do want to force all unbound requests via VPN client 1. Do I also need x3mRouting? If no, then do I just need
'/jffs/scripts/vpnclient1-up'
Code:
#!/bin/sh

/jffs/addons/unbound/unbound_manager.sh vpn=1
'/jffs/scripts/vpnclient1-down'
Code:
#!/bin/sh

/jffs/addons/unbound/unbound_manager.sh vpn=disable

Then I just need to add
Code:
logger "Checking unbound VPN bind....."
[ -n "$(which unbound_manager)" ] && { sh /jffs/addons/unbound/unbound_manager.sh vpn=disable; logger "unbound VPN routing DISABLED"; } # unbound_manager
to the end of '/jffs/scripts/post-mount'?

Then chmod vpnclient1-up and vpnclient1-down to 755 and restart the router for all unbound requests to start using the VPN? Is that it?
Yes x3mRouting is needed because it handles the ip rule directives to direct the packets to the different interfaces. Theoretically you could code to set that stuff up without x3mRouting but since I was already using x3mRouting to direct packets I just piggybacked it. No need to reinvent the wheel.

I have been working to automate the install but I have not yet decided if I should be creating my own ip rules or if I can just keep using x3mRouting. Personally I feel like x3mRouting is critical to easily managing these things and while I don’t want to require a bunch of dependencies i feel as though anyone who would want to run unbound in this manner would benefit from having x3mRouting as an available utility. I’m am absolutely open to suggestions about what would make this script more accessible/usable. This is my first bash script so it’s going to be a work in process but I’m doing my best to make it readable and fairly easy to use.
 
If by dependencies, you mean scripts that have been created and working well, that is the path to follow.

Don't recreate the wheel that got you to, here. :)
 
Yes x3mRouting is needed because it handles the ip rule directives to direct the packets to the different interfaces. Theoretically you could code to set that stuff up without x3mRouting but since I was already using x3mRouting to direct packets I just piggybacked it. No need to reinvent the wheel.

I have been working to automate the install but I have not yet decided if I should be creating my own ip rules or if I can just keep using x3mRouting. Personally I feel like x3mRouting is critical to easily managing these things and while I don’t want to require a bunch of dependencies i feel as though anyone who would want to run unbound in this manner would benefit from having x3mRouting as an available utility. I’m am absolutely open to suggestions about what would make this script more accessible/usable. This is my first bash script so it’s going to be a work in process but I’m doing my best to make it readable and fairly easy to use.
I've been looking for this solution for a long time, which you found! Thank you for the great work! It is a simple and fully transparent solution and works.
 
@Swinson I'm currently using vpnmgr (w/PIA VPN enabled) and the vpnmgr script refreshes once a day at midnight. I noticed once it refreshes, it seems the rules get erased. Have you tried using vpnmgr with NordVPN enabled?

Just wondering if I need to adjust anything on your script to get it working automatically again.

I believe it happens when I changed the bandwidth speeds inside Adaptive QOS tab as well.

In order to get it working again, I use scmerlin and restart the VPN1 again.

Other than that, the script is working perfectly with unbound. Thanks again!
 
Last edited:
@Swinson I'm currently using vpnmgr (w/PIA VPN enabled) and the vpnmgr script refreshes once a day at midnight. I noticed once it refreshes, it seems the rules get erased. Have you tried using vpnmgr with NordVPN enabled?

Just wondering if I need to adjust anything on your script to get it working automatically again.

I believe it happens when I changed the bandwidth speeds inside Adaptive QOS tab as well.

In order to get it working again, I use scmerlin and restart the VPN1 again.

Other than that, the script is working perfectly with unbound. Thanks again!
I too noticed that this gets removed from ip rule when vpn client connection flaps.
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1

Which rule of yours is removed? However, all the dns rules remains working. So mine could be a different issue afterall.

I haven't figure out how this is being removed when I bounce the vpn client 1 connection.
I have explicitly added the following in vpnclient1-route-up. I have x3mRouting, vpnmgr, scMerlin and using Nordvpn.
Code:
# Create RPDB rules
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9995        # create VPN 1 fwmark
 
Last edited:
I too noticed that this gets removed from ip rule when vpn client connection flaps.
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1

Which rule of yours is removed?

I haven't figure out how this is being removed when I bounce the vpn client 1 connection.
I have explicitly added the following in vpnclient1-route-up. I have x3mRouting, vpnmgr, scMerlin and using Nordvpn.
Code:
# Create RPDB rules
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9995        # create VPN 1 fwmark
I haven't checked which rule gets removed, however when I run a dns leak test after I make an update inside A. QoS or when vpgmgr automatically refreshes at midnight, the test starts to show my actual IP address.

Once I restart VPN1 manually, we're good again.

Update: I checked my setup now after vpnmgr refreshed, and all is good for now. My dns test shows my VPN IP. I'll try adjusting the bandwidth speeds later today to see if that messes with the rules. Again all is good for now. False alarm previously, might be something else throwing it off. I'll continue to test/monitor.

Update #2: So I did some more troubleshooting, so definitely changing the bandwidth speeds inside the A. QoS (enabled with Flex) and once it's done updating, it starts to show my real IP address when running a dnsleak test.

Not a big deal, I just restart the VPN1 and I'm good again. Maybe it's just happening to me :)
 
Last edited:
@Kingp1n its not just you I have also had this issue. I am a computer student at UAH and I’m currently in the middle of midterms so I haven’t touched this is a couple of weeks. I do have it on my list to look into as well as the install function which is about half done. I’ll probably be checked out for at least another week but please post any of your observations in the mean time and when I get the time hopefully that will help me track it down.

I’m thinking I probably need something in firewall-start but I’m not sure on that but that would definitely clear out the rules if the firewall restarting doesn’t also reset the vpn client.
 
I too noticed that this gets removed from ip rule when vpn client connection flaps.
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1

Which rule of yours is removed? However, all the dns rules remains working. So mine could be a different issue afterall.

I haven't figure out how this is being removed when I bounce the vpn client 1 connection.
I have explicitly added the following in vpnclient1-route-up. I have x3mRouting, vpnmgr, scMerlin and using Nordvpn.
Code:
# Create RPDB rules
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9995        # create VPN 1 fwmark
Ohh I wonder if moving the x3mRouting commands to run when the tunnel resets would fix that. @Xentrk can you advise on how the ip rules are created and removed?

Edit: I need to look at what vpnmgr does to reset the connection because it kind of seems like maybe the vpntunnel is reset followed by a firewall reset or maybe something nat-start isn’t rerun that should be.
 
Last edited:
@Kingp1n its not just you I have also had this issue. I am a computer student at UAH and I’m currently in the middle of midterms so I haven’t touched this is a couple of weeks. I do have it on my list to look into as well as the install function which is about half done. I’ll probably be checked out for at least another week but please post any of your observations in the mean time and when I get the time hopefully that will help me track it down.

I’m thinking I probably need something in firewall-start but I’m not sure on that but that would definitely clear out the rules if the firewall restarting doesn’t also reset the vpn client.
Best of luck to you in your midterms. If I find anything else, ill report it here.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top