Unbound Unbound DNS VPN Client w/policy rules

[Swinson]

What is the reason for using exit -1 rather than a value from 0-255? I'm trying to eliminate errors from ShellCheck, and this is the only one remaining.

The reason is..... I’m a bash novice lol
I now have exit 1 as an error and exit 0 as a success

 

[Swinson]

Novice here (been lurking as a guest for a few weeks to learn), with a few questions... wasn't sure where to post this and didn't want to start a new thread.

My goal is to increase privacy without sacrificing too much security. I realize there are different opinions how to go about that.

I'm currently running skynet and unbound. Since installing unbound, it looks like it was not compatible when running OVPN client, so I have my VPN turned off for now. Which brought me to this thread.

I started to install x3mRouting based on this thread, but I'm a novice at Linux. I am able to bring up the code with the nano command, but from there I am stuck what to do. Are there lines of code that are comments by default, which I should "uncomment" them depending which method I want to use for policy rules? I just want to start simple, by defining which of my clients will use VPN, and to also have unbound working and running the DNS queries through my VPN. I understand this will cause my DNS leak test to show my VPN IP. When I run the sh command for the script, it returns this error message (assuming since I have not edited the default file yet):

ERROR Expecting first parameter to be 'server=' or 'ipset_name='

This is where I'm stuck! I'll try to get further along but if someone here would like to push me towards the next step with a response that'd be much appreciated.

I’m getting the automated install together. Stay posted.

 

[Swinson]

That makes sense. I guess I assumed the first 2 files should have been there already since the procedure only says to create a file for the third one.

I did the steps, rebooted router but no luck with DNS leak test, still shows my IP. I realize I did forget to chmod 755 but being a linux novice, I'm not sure if that could make it fail. Could that be the issue?

I tried to avoid installing option 2 since after reading up on it, seems to be more complicated than I need or capable of right now. I installed it anyway to see if that would make it work, but now my VPN cannot connect. I uninstalled option 2, rebooted but still cannot connect to VPN. I'm not sure what went wrong.

On another note, I noticed when I type "ip rule", it doesn't always match up with what I have in the GUI. Maybe it is delayed or requires a reboot to update?

I also notice the rules to make fwmark 0x8000 and 0x1000 are not always there. I don't know what causes those to show up or disappear but I am understanding they are required.

The files are created when you run an x3mRouting command for the vpn you want to use. The only file you should need to make is the script file. The rest should just be modifying files that already exist.

running these two commands will direct x3mRouting to make the vpn up/down files and set up the iptables stuff needed for this script


sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WIP-vpn dnsmasq=whatismyipaddress.com

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WIP-real dnsmasq=whatsmyipaddress.com

(note those are two different domain names. The first will show your vpn clients IP address in the web browser and the second will show your ISP provided IP address. )
This sets up the ip rules and generates the iptables rules that will direct the traffic for those two domains. It’s like putting up a street sign so when my script runs it knows which road to turn on.

 

[ascent]

The files are created when you run an x3mRouting command for the vpn you want to use. The only file you should need to make is the script file. The rest should just be modifying files that already exist.

running these two commands will direct x3mRouting to make the vpn up/down files and set up the iptables stuff needed for this script


sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WIP-vpn dnsmasq=whatismyipaddress.com

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WIP-real dnsmasq=whatsmyipaddress.com

(note those are two different domain names. The first will show your vpn clients IP address in the web browser and the second will show your ISP provided IP address. )
This sets up the ip rules and generates the iptables rules that will direct the traffic for those two domains. It’s like putting up a street sign so when my script runs it knows which road to turn on.

Thanks, those two lines of code I was missing must have been the issue. I read countless posts and thought it was something like that but didn't want to play around too much being a novice. I'll give that a go and report back. Thanks!

 

[ascent]

Alright, I feel pretty good about following the steps correctly as outlined in post #41 now. I rebooted and double checked the files are all still there, ip rule command looks good. But still have DNS leak showing my WAN IP (device is routed to VPN via policy rules in the GUI).

On that same device, if I go to the web address that is supposed to show my WAN IP, it does so. When I go to any other IP lookup site, it shows my VPN. So that seems correct as a check that x3mRouting is working.

I'm stuck what might be wrong or missing.

Maybe I don't have the exact router settings as in post 41 (DNS lookups - forced to default gateway, Dns in wan tab- public dns server, Dns in lan tab - not set/default gateway). Here is what I have:

LAN tab > DNS filter > Router (custom 1,2,3 are filled in but not selected)
WAN tab > Connect to DNS filter automatically > No > (I chose cloudflare servers for now)
VPN tab > accept DNS configuration > disabled (I tried the other settings but did not work to hide my DNS leak)

It was mentioned that x3mRouting option 2 might need to be installed for this to work. Is that the case? I try to avoid it since when I installed it last time my VPN connection dropped out, so I'm not sure how to set that up yet.

 

[Swinson]

Alright, I feel pretty good about following the steps correctly as outlined in post #41 now. I rebooted and double checked the files are all still there, ip rule command looks good. But still have DNS leak showing my WAN IP (device is routed to VPN via policy rules in the GUI).

On that same device, if I go to the web address that is supposed to show my WAN IP, it does so. When I go to any other IP lookup site, it shows my VPN. So that seems correct as a check that x3mRouting is working.

I'm stuck what might be wrong or missing.

Maybe I don't have the exact router settings as in post 41 (DNS lookups - forced to default gateway, Dns in wan tab- public dns server, Dns in lan tab - not set/default gateway). Here is what I have:

LAN tab > DNS filter > Router (custom 1,2,3 are filled in but not selected)
WAN tab > Connect to DNS filter automatically > No > (I chose cloudflare servers for now)
VPN tab > accept DNS configuration > disabled (I tried the other settings but did not work to hide my DNS leak)

It was mentioned that x3mRouting option 2 might need to be installed for this to work. Is that the case? I try to avoid it since when I installed it last time my VPN connection dropped out, so I'm not sure how to set that up yet.

Okay it sounds like x3mRouting did it’s thing and your dns setup looks fine.

check to see if the iptables rules are created by running

iptables -nvL OUTPUT -t mangle

post the output of that. It should contain 6 rules created by my script.

Also check the ip rules. So post the output of this command for that.

ip rule

If both of those are good we’ll go from there

 

[ascent]

Okay it sounds like x3mRouting did it’s thing and your dns setup looks fine.

check to see if the iptables rules are created by running

iptables -nvL OUTPUT -t mangle

post the output of that. It should contain 6 rules created by my script.

Also check the ip rules. So post the output of this command for that.

ip rule

If both of those are good we’ll go from there

Spoiler: output

Chain OUTPUT (policy ACCEPT 1140 packets, 268K bytes)
pkts bytes target prot opt in out source destination

Spoiler: ip rule

0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10001: from 192.168.1.113 lookup main
10002: from 192.168.1.1 lookup main
10101: from 192.168.1.189 lookup ovpnc1
10102: from 192.168.1.245 lookup ovpnc1
10103: from 192.168.1.107 lookup ovpnc1
10104: from 192.168.1.241 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

looks like the ip tables are empty

 

[Swinson]

Spoiler: output

Chain OUTPUT (policy ACCEPT 1140 packets, 268K bytes)
pkts bytes target prot opt in out source destination

Spoiler: ip rule

0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10001: from 192.168.1.113 lookup main
10002: from 192.168.1.1 lookup main
10101: from 192.168.1.189 lookup ovpnc1
10102: from 192.168.1.245 lookup ovpnc1
10103: from 192.168.1.107 lookup ovpnc1
10104: from 192.168.1.241 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

looks like the ip tables are empty

Yep that’s the problem. (Note that in the newer versions of the script the rules have comments.)
If you don’t have the line:

modprobe xt_comment

in your init-start file the rule creation will fail. If I had to take a wild stab at it I would guess that’s going to be the problem. Add that line to init-start and run my script manually with the argument “start” and see if that populates the OUTPUT rules.

/jffs/scripts/unbound_via_vc1.sh start

 

[ascent]

Yep that’s the problem. (Note that in the newer versions of the script the rules have comments.)
If you don’t have the line:

modprobe xt_comment

in your init-start file the rule creation will fail. If I had to take a wild stab at it I would guess that’s going to be the problem. Add that line to init-start and run my script manually with the argument “start” and see if that populates the OUTPUT rules.

/jffs/scripts/unbound_via_vc1.sh start

I didn't find the init-start file so I just tried doing your next step of manually starting the script. That did the trick! DNS leak test is now showing my VPN IP and the IP tables are now showing up.

Thanks for helping a novice and creating this script!

ETA: checked DNS leak test a few hours later on and showed my real IP again. I re-ran the manual start code and now its working again. I also found the init-start file (didn't realize its in /jffs/scripts, and I need to learn commands to find files!). The line of code you mentioned was missing so I added it.

 

[ascent]

I still have to run the manual start command (/jffs/scripts/unbound_via_vc1.sh start) often. Am I missing something?

 

[Swinson]

I still have to run the manual start command (/jffs/scripts/unbound_via_vc1.sh start) often. Am I missing something?

You should put this line in /jffs/scripts/x3mRouting/vpnclient1-route-up:

/jffs/scripts/unbound_via_vc1.sh start &

and


You should put this line in /jffs/scripts/x3mRouting/vpnclient1-route-pre-down:

/jffs/scripts/unbound_via_vc1.sh stop &

This will enable the rules every time vpn client 1 starts and remove them when it stops. I still have a bug where I sometimes have to restart the vpn after a reboot but I haven’t figured out why it sometimes works and sometimes needs a restart to take effect.

 

[Swinson]

As a temporary fix for the reboot issue you can add this line to /jffs/scripts/services-start:

sleep 30 && service restart_vpnclient1 &

Because I can’t figure out how to reproduce the issue reliability I’m having trouble figuring out exactly what the issue is. Im happy to take anyone’s feedback to help narrow it down.

 

[Swinson]

I still have to run the manual start command (/jffs/scripts/unbound_via_vc1.sh start) often. Am I missing something?

Was adding the calls to the up and pre down scripts what you needed? Or is there still an issue?

 

[ascent]

Was adding the calls to the up and pre down scripts what you needed? Or is there still an issue?

Sorry for the late response. It appears to be working now without the need to input the manual start code. I'm not sure what caused it to stop working before (I might have been going through reboots and was trying to set up a DDNS service which is around that time I kept losing unbound through VPN).

Thanks for all the help!

 

[Skeptical.me]

I've read some of this thread, and I'm a bit confused. Does the script in this thread make Unbound not to use the WAN IP as DNS, but rather the VPN's DNS? Sorry for my confusion.

 

[Swinson]

I've read some of this thread, and I'm a bit confused. Does the script in this thread make Unbound not to use the WAN IP as DNS, but rather the VPN's DNS? Sorry for my confusion.

Yeah sorry it will have it’s own thread soon once I finish the install and configuration stuff. But yeah that’s all it does. Just makes unbound go through the vpn tunnel first.

It sets up rules to make DNS traffic from the router itself goes out normally but all other traffic gets marked for the vpn tunnel. It then configures unbound to use the tunnel once it’s up.

 

[Skeptical.me]

Yeah sorry it will have it’s own thread soon once I finish the install and configuration stuff. But yeah that’s all it does. Just makes unbound go through the vpn tunnel first.

It sets up rules to make DNS traffic from the router itself goes out normally but all other traffic gets marked for the vpn tunnel. It then configures unbound to use the tunnel once it’s up.

Awesome! That's exactly what I was hoping for before I read some of the thread. I'll bookmark this thread and wait for an update on your progress. Thanks!

 

[Swinson]

@Kingp1n Any chance you running YazFi? I think that might be why the vpn needed to be restarted after reboot.

I’m pretty sure it’s an issue with dnsmasq and I’m thinking maybe unbound runs first then when yazfi does its thing the config gets messed up.

@Jack Yaz Do you think this is a reasonable guess and if so do you have preferred method for checking the status of your script?

 

[Kingp1n]

@Kingp1n Any chance you running YazFi? I think that might be why the vpn needed to be restarted after reboot.

I’m pretty sure it’s an issue with dnsmasq and I’m thinking maybe unbound runs first then when yazfi does its thing the config gets messed up.

@Jack Yaz Do you think this is a reasonable guess and if so do you have preferred method for checking the status of your script?

@Swinson I don't run YazFi.

I'm not sure what can be the culprit.

Have you recently ran an ipleak test thru ipleak.net lately?

It seems they added the webRTC detection now and it seems my current setup is currently leaking. I was wondering if you're getting the same thing.

Update: I'm only noticing the webRTC leak on my mobile phone only and not on my laptop.

 

[Swinson]

@Swinson I don't run YazFi.

I'm not sure what can be the culprit.

Have you recently ran an ipleak test thru ipleak.net lately?

It seems they added the webRTC detection now and it seems my current setup is currently leaking. I was wondering if you're getting the same thing.

Update: I'm only noticing the webRTC leak on my mobile phone only and not on my laptop.

Hmm well I guess that one is out the window.

As far as the RTC leak stuff I haven’t had an issue with it. I run leak tests all the time as I’m fiddling with the script but I normally don’t do a super robust check.

I would clear out your cache first and see if that fixes it. I want to say toggling airplane mode should do it but you may have to do it in settings. If that doesn’t do it check your browser and phone settings for something that might override the vpn connection.