Unbound Unbound DNS VPN Client w/policy rules

[Swinson]

@Kingp1n I kept the added server line but re-enabled the unbound.postconf. I restarted dnsmasq the server line is in there twice now which doesn’t seem to be a problem so far and I’m currently not showing a leak. I’ll do some reboots and report back if I find anything.

 

[Swinson]

Update: reboot worked fine

I poked at the unbound.postconf and it look like the “servers-file=/xxx/xxx”gets deleted from the dnsmasq.conf so that’s where the leak is coming from.
I moved the “sh ../unbound.postconf $1” right under the “. /opt/...post-conf.div” line when I re-enabled so hopefully that fixes it. Previously uidivstats was before the unbound.postconf.

I’m keeping the extra server=127.0.0.1#53535 line in my dnsmasq.add file for now in case unbound.postconf fails but so far so good.

 

[Kingp1n]

Update: reboot worked fine

I poked at the unbound.postconf and it look like the “servers-file=/xxx/xxx”gets deleted from the dnsmasq.conf so that’s where the leak is coming from.
I moved the “sh ../unbound.postconf $1” right under the “. /opt/...post-conf.div” line when I re-enabled so hopefully that fixes it. Previously uidivstats was before the unbound.postconf.

I’m keeping the extra server=127.0.0.1#53535 line in my dnsmasq.add file for now in case unbound.postconf fails but so far so good.

I've made the changes and so far no leak. I haven't made any Adaptive QoS changes (normally adjusting the upload/download bandwidth if enough) but if I do, I'll see if the script stops working.

Thanks for the update.

Update: @Swinson, I went back to the previous (original) setup. I did not see any difference as far any disconnections of the VPN script, however, I was noticing lag in videos loading thru VPN on my 2.4ghz.

I'm not sure if it was due to adding the command "server=127.0.0.1@53535" or if it was the culprit but I just ended going back to the original settings. Like I said, I haven't had issues previously and maybe the issue is not even related to this.

If I reboot my router with the original setup, the script normally works without issues. I noticed it more, when I edit the Adaptive QoS settings (bandwidth settings) and hit apply. At this point, when I run the ipleak test, it shows my ISP DSN. Once I hit, restart "VPN 1" everything works again. This is not a big deal for me since I don't make too many changes inside the A. QoS once I set it up how I like it.

Thanks for looking into this and maintaining the script.

 

[Swinson]

Automatic reboot this morning and nothing would load. I checked my dnsmasq.conf and the unbound.conf definitely ran. So that’s not the issue but it didn’t run on reboot yesterday so obviously there is something else up the chain.

My logs have not helped so far but I’m going to keep digging deeper. The sleep 30 && service restart_vpnc1 is an adequate solution for now but IMO that’s just a bandaid. It’s a pretty good bandaid but in the long run I really want to figure out the core issue.

 

[Kingp1n]

Automatic reboot this morning and nothing would load. I checked my dnsmasq.conf and the unbound.conf definitely ran. So that’s not the issue but it didn’t run on reboot yesterday so obviously there is something else up the chain.

My logs have not helped so far but I’m going to keep digging deeper. The sleep 30 && service restart_vpnc1 is an adequate solution for now but IMO that’s just a bandaid. It’s a pretty good bandaid but in the long run I really want to figure out the core issue.

Appreciate the update.

As mentioned in my previous post, im back to using the original setup.

It seems I was having slow downs with the "server=127...." command. I'm currently not using the "sleep 30" command as well.

I rebooted the router a couple of times and all booted fine with script still working.

I will keep the "sleep30" command but I'm currently running without it to test.

Update: I found out where my lag was coming from. I had assigned a static IP address to my mobile phone, however, this IP address was already being used by another device. User error on my end. Thought I would comment here. I'm testing your recent changes again.

Thanks again!

 

[Swinson]

Appreciate the update.

As mentioned in my previous post, im back to using the original setup.

It seems I was having slow downs with the "server=127...." command. I'm currently not using the "sleep 30" command as well.

I rebooted the router a couple of times and all booted fine with script still working.

I will keep the "sleep30" command but I'm currently running without it to test.

Update: I found out where my lag was coming from. I had assigned a static IP address to my mobile phone, however, this IP address was already being used by another device. User error on my end. Thought I would comment here. I'm testing your recent changes again.

Thanks again!

Thanks for the lag update. I hadn’t noticed anything on my end but I was keeping an eye on it since I’ve been tweaking things. Glad you got it figured out.

Update on my end: The extra server line has been removed since the unbound.postconf seems to be running without issue. Additionally I’ve removed the sleep and vpn restart from the services-start script so I can test.

As of right now everything seems to be running fine but Ive been here before only to have the issue come back up a few days later. I’m really hoping the problem was the dnsmasq.postconf script.

The post-conf.div file is set to run in the current shell to set up the environment. I’m wondering if the uidivstats running before the unbound.postconf was messing up the environment somehow.

@Martineau can you provide any insight into whether or not uidivstats running in a sub shell could mess up the parent environment set up by post-conf.div?

 

[Kingp1n]

Thanks for the lag update. I hadn’t noticed anything on my end but I was keeping an eye on it since I’ve been tweaking things. Glad you got it figured out.

Update on my end: The extra server line has been removed since the unbound.postconf seems to be running without issue. Additionally I’ve removed the sleep and vpn restart from the services-start script so I can test.

As of right now everything seems to be running fine but Ive been here before only to have the issue come back up a few days later. I’m really hoping the problem was the dnsmasq.postconf script.

The post-conf.div file is set to run in the current shell to set up the environment. I’m wondering if the uidivstats running before the unbound.postconf was messing up the environment somehow.

@Martineau can you provide any insight into whether or not uidivstats running in a sub shell could mess up the parent environment set up by post-conf.div?

I'm using the same setup as you. I'll continue to monitor and post any findings! Appreciate the info/update.

 

[Kingp1n]

@Swinson

I wanted to ask you about your VPN speeds, have you noticed any difference in speeds from your initial script versus the recent updated one?

I'm trying to determine is PIA is the culprit with the recent slow downs speeds.

I was wondering if your speeds (while using VPN) have remain the same using both scripts below. Thanks!

Initial script:

#!/bin/sh

Check_Tun11_Con() {
ping -c1 -w1 -I tun11 9.9.9.9
}

Delete_Rules() {
    iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}

Add_Rules() {
    iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
    iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
    iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
    iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
    iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
    iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}

Unbound_vc1() {
        Add_Rules
        /jffs/addons/unbound/unbound_manager.sh vpn=1 &
        logger -st "($(basename "$0"))" $$  Ending Script Execution
}

Unbound_vpnDisable() {
        Delete_Rules
        /jffs/addons/unbound/unbound_manager.sh vpn=disable &
        logger -st "($(basename "$0"))" $$  Ending Script Execution
}

Poll_Tun11() {
        Delete_Rules
        sleep 5
        timer=5
        while [ $timer -lt 300 ]; do
        Check_Tun11_Con
                if [ "$?" -eq 0 ]; then
                        Unbound_vc1
                        logger -st "($(basename "$0"))" $$ Ending Script Execution
                        exit 0
                fi
                sleep 1
                timer++
        done
        logger -st "($(basename "$0"))" $$  Script Execution Timeout
        exit 3
}

if [ -z "$1" ]; then
        logger -st "($(basename "$0"))" $$ Script Arg Missing
        exit 1
else
        logger -st "($(basename "$0"))" $$ Starting Script Execution
        wan0_dns0="$( (nvram get wan0_dns) | awk '{print $1}' )"
        wan0_dns1="$( (nvram get wan0_dns) | awk '{print $2}' )"
        if [ "$wan0_dns1"  = "" ]; then
                wan0_dns1 = $wan0_dns0
        elif [ "$wan0_dns0" = "" ]; then
                logger -st "($(basename "$0"))" $$  wan0_dns is NULL
                exit 2
        else
                if [ "$wan0_dns0"  = "" ]; then
                        wan0_dns0 = $wan0_dns1
                fi
        case "$1" in
                start)
                        Poll_Tun11
                        exit 0;;
                stop)
                        Unbound_vpnDisable
                        exit -1;;
                *)
                        logger -st "($(basename "$0"))" $$  Script Arg Invalid
                        exit 1;;
        esac
        fi
fi

New script:

#!/bin/sh
Check_Tun11_Con() {
ping -c1 -w1 -I tun11 9.9.9.9
}
Delete_Rules() {
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}
Add_Rules(){
Delete_Rules
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}
Call_unbound_manager() {
/jffs/addons/unbound/unbound_manager.sh vpn="$1"
}
Poll_Tun11() {
timer=$1
[ -z $timer ] && Post_log "Error Timeout" && exit 1 || sleep 2
Check_Tun11_Con && Add_Rules && Call_unbound_manager "1" || Poll_Tun11 "$((timer--))"
}
Post_log() {
$(logger -st "($(basename "$0"))" $$ "$1")
}
[ -z "$1" ] && Post_log "Script Arg Missing" && exit 1 || Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
Delete_Rules
case "$1" in
start)
Poll_Tun11 "150" && Post_log "Ending Script Execution" && exit 0;;
stop)
Call_unbound_manager "disable" && Post_log "Ending Script Execution" && exit 0;;
*)
Post_log "Script Arg Invalid" && exit 1;;
esac

 

[Swinson]

@Kingp1n I have noticed slow downs due to the pandemic and the openings/closings but I have not observed any slowdowns as it relates to script.

edit: I will note that my vpn speeds are capped by my en/decryption limitations so my speed tests for the vpn are relatively static. I can pretty much always go as fast as encryption will allow. The variation I see is in the WAN speed tests.

 

[ascent]

This might be the wrong place for this question but here it goes:

I use the following example code to route certain addresses to WAN even though the device is using VPN via policy rules in the GUI:

x3mRouting ALL 1 WAN_IP dnsmasq=whatismyip.com

I found this is useful for banking, email, etc.

All I do is ssh into my router and input this code and it works. Is there a way I can see a list of all the websites I added to route over WAN?

 

[Swinson]

This might be the wrong place for this question but here it goes:

I use the following example code to route certain addresses to WAN even though the device is using VPN via policy rules in the GUI:

x3mRouting ALL 1 WAN_IP dnsmasq=whatismyip.com

I found this is useful for banking, email, etc.

All I do is ssh into my router and input this code and it works. Is there a way I can see a list of all the websites I added to route over WAN?

Yep just look at the IP sets. The name of your ipset in this case is WAN_IP so the only thing in that set would be whatismyip.com. Basically the “ dnsmasq=“ starts a comma separated list of domains so you can add as many or as few as you want to that list. I just use it for stuff that blocks the vpn and to check that the script is working. If you cat the dnsmasq configuration file you should be able to see the domains and which set they are associated with. It’s also in x3mRouting’s stuff so it added it to dnsmasq configuration at startup.

 

[Kingp1n]

Yep just look at the IP sets. The name of your ipset in this case is WAN_IP so the only thing in that set would be whatismyip.com. Basically the “ dnsmasq=“ starts a comma separated list of domains so you can add as many or as few as you want to that list. I just use it for stuff that blocks the vpn and to check that the script is working. If you cat the dnsmasq configuration file you should be able to see the domains and which set they are associated with. It’s also in x3mRouting’s stuff so it added it to dnsmasq configuration at startup.

@Swinson, this is not related to the question above but I noticed there's an alpha VPN Director testing brewing for the upcoming 386.3 RMerlin fw. I don't think your script will be affected by 386.3 correct?

 

[Swinson]

@Swinson, this is not related to the question above but I noticed there's an alpha VPN Director testing brewing for the upcoming 386.3 RMerlin fw. I don't think your script will be affected by 386.3 correct?

Honestly I have no idea. I can look into it though. This is just kind of a hobby project so I can apply what I’m learning in my classes/from the wonder that is the internet. Sounds interesting though.

 

[ascent]

Yep just look at the IP sets. The name of your ipset in this case is WAN_IP so the only thing in that set would be whatismyip.com. Basically the “ dnsmasq=“ starts a comma separated list of domains so you can add as many or as few as you want to that list. I just use it for stuff that blocks the vpn and to check that the script is working. If you cat the dnsmasq configuration file you should be able to see the domains and which set they are associated with. It’s also in x3mRouting’s stuff so it added it to dnsmasq configuration at startup.

Perfect, just looking for the dnsmasq config file now. Any tips on how to find it? I am still new to linux, all I've tried is using "ls" to go through the different directors in jffs. I only found "dnsmasq.postconfig" and using cat for that did not pull up much.

I already had a handful of sites I put in to route over WAN and just wanted to see the complete list to make sure I didn't miss any I wanted to add. I am also wondering an easy way to maybe delete an entry. Reason I may need to delete an entry is I think I noticed at least one website that I log into with an account redirects to a different address after logging in, then it kicks me out possibly since I came from a different IP. So in those cases I would just delete the entry since it didn't work well. Hope that makes sense.

I'm finding this is a very useful tool for websites that I log into, some of which track and record logins (such as my email) by IP address and date. I figure it'd be safer to keep those on my local IP.

 

[iTyPsIDg]

I posted to the wrong thread last time, which doesn't help since these are such specific use cases.

I noticed that my DNS is leaking since upgrading to 386.3. I use Unbound and x3mRouting and Unbound says the requests are going through the VPN tunnel. I'm not sure where the problem is for that issue.

I also use Swinson's scripts. If I set DNS to Exclusive, I don't leak but I also don't use Unbound and don't get local DNS resolving any longer.

 

[MatteoPV]

I posted to the wrong thread last time, which doesn't help since these are such specific use cases.



I also use Swinson's scripts. If I set DNS to Exclusive, I don't leak but I also don't use Unbound and don't get local DNS resolving any longer.

I use the DNS setting to exclusive but Unbound works. I'm using firmware 386.02_6 though

 

[Vertron]

I've read through this whole thread but don't fully understand it.

When doing a DNS leak test:
1a. For devices routed through the VPN using policy rules, does it show the VPN IP as the DNS?

1b. For devices NOT routed through the VPN, does it show the ISP IP as the DNS?

2. Or does it always show the VPN IP as the DNS regardless of if the device is set to the VPN or WAN?


I'm unsure how to set this up:
Which x3mrouting option are you supposed to install 1, 2, 3 or 4?

Once installed, how do you actually apply edit/create scripts? What are all the commands I have to run?

What is the latest the script?

I've got unbound set up and binded to the VPN, do I need to bind it back to the WAN for this to work?

An updated guide would be much appreciated.



Update:
Got it working and can answer these questions now Incase anyone else wants to know.

1. It always shows VPN IP as the DNS regardless of if the device is set to the VPN or WAN.
2. You only need to install x3mrouting option 3.
3. Use PuTTY/Terminal to run the commands and use WinSCP to create and edit the scripts. (Tip: copy an existing script and edit it instead of else you'll get a permission error).
4. The latest script and previous is shown page 10, post #188.
5. I binded it back to the WAN first.
6. See page 3 post #41 for the guide. I'm going to put my own guide together with all the additional changes in the next post to help new people put it all together.

 

[Vertron]

How to set this up, all info from the thread put into one place.

This script will ensure the VPN IP is used for Unbound DNS when policy rules is set, regardless if the device is set to use the WAN or VPN. It will still work if the VPN IP ever changes or the VPN tunnel goes down, in this case, devices not set to use the VPN will use the ISP IP until the VPN starts up again.

Use PuTTY/Terminal to enter commands and WinSCP to edit scripts.

Pre-requisites:
Unbound - Running as system resolver (Only a basic install is required, you don't need to manually bind Unbound to the VPN).
X3mRouting - Option 3 installed.
DNS lookups - Forced to default gateway.
DNS in WAN tab- Connect to DNS Server automatically set to "No", DNS Server 1 set to a public resolver such as "9.9.9.9" (This is only used until Unbound starts after a reboot).
DNS in LAN tab - Not set/all set to router.
VPN client 1 - Setup and running, DNS set to diabled.

1. Run the following 2 commands to create and populate the "vpnclient1-route-up" and "vpnclient1-route-pre-down" files:

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

2. Add the following line to “/jffs/scripts/x3mRouting/vpnclient1-route-up”:

/jffs/scripts/unbound_via_vc1.sh start &

3. Add the following line to “/jffs/scripts/x3mRouting/vpnclient1-route-pre-down”:

/jffs/scripts/unbound_via_vc1.sh stop &

4. Add the following line to "/jffs/scripts/init-start":

modprobe xt_comment

5a. Go to "/jffs/scripts".
5b. Copy any existing script (to prevent a permission error).
5c. Rename the copy to “unbound_via_vc1.sh”.
5d. Delete any existing code.
5e. Copy and paste the below code into it:

#!/bin/sh
Check_Tun11_Con() {
ping -c1 -w1 -I tun11 9.9.9.9
}
Delete_Rules() {
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}
Add_Rules(){
Delete_Rules
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}
Call_unbound_manager() {
/jffs/addons/unbound/unbound_manager.sh vpn="$1"
}
Poll_Tun11() {
timer=$1
[ -z $timer ] && Post_log "Error Timeout" && exit 1 || sleep 2
Check_Tun11_Con && Add_Rules && Call_unbound_manager "1" || Poll_Tun11 "$((timer--))"
}
Post_log() {
$(logger -st "($(basename "$0"))" $$ "$1")
}
[ -z "$1" ] && Post_log "Script Arg Missing" && exit 1 || Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
Delete_Rules
case "$1" in
start)
Poll_Tun11 "150" && Post_log "Ending Script Execution" && exit 0;;
stop)
Call_unbound_manager "disable" && Post_log "Ending Script Execution" && exit 0;;
*)
Post_log "Script Arg Invalid" && exit 1;;
esac

6. OPTIONAL - Add the following line to "/jffs/scripts/services-start":
(Only required if the VPN doesn't automatically start when the router is rebooted)

sleep 30 && service restart_vpnclient1 &

7a. Ensure your "/jffs/scripts/services-start" file contains the following line, if not add it:
(This will ensure the script automatically starts when the router is rebooted)

/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

7b. (Not required anymore but kept here just in case) OPTIONAL - Add the following line to "/jffs/scripts/services-start":
(Only required if this script doesn't automatically start when the router is rebooted)

sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start &

8. Reboot your router, it is now configured.


A. To manually start the script run the following command:

/jffs/scripts/unbound_via_vc1.sh start

B. To check it's working, run the following command and check the IP tables are populated:

iptables -nvL OUTPUT -t mangle

Ci. Run this to check it's setup correctly:

ip rule

Cii. It should output like below:

0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10010:  from 192.168.1.124 lookup main
10210:  from 192.168.1.139 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

D. Check the VPN IP is showing as the DNS: https://dnsleak.com/

 

[Vertron]

I've upgraded to the latest firmware and it's now showing my ISP IP as my DNS. Is it working for anyone else?

EDIT:
This has been fixed and the above guide amended.

 

[Kingp1n]

If you have scmerlin installed go to the web GUI inside Addons/scmerlin and restart the VPN client 1 or whtaver VPN client you have set-up. This will restart the script again.