x3mRouting Updates (30 January, 2021)

I installed x3mRouting to be able to use Unbound with the VPN without any DNS leaks. It works.
But I have one question. I installed option 2 for GUI management of the VPN. At this point, if I go to the Merlin 386 VPN configuration page, it does not allow me to make any adjustment; it gives me a configuration error. In order to adjust my VPN (add or remove devices from tunnels, etc.), I have to uninstall option 2 of x3mRouting, make the changes, and then install option 2 again.
Thanks for the notice. I have not experienced this on AC88U and AC86U models. Did you do this after a recent firmware upgrade from 384.x to 386.x? The upgrade may require an hour or so to settle down before the GUI works properly. What firmware version and router model are you using?
 
I have an Asus DSL-AC68U. I'm using 386 beta 3 from GNUton. I didn't use x3mRouting before, but after installing Unbound I decided to use it to fix the DNS leak problem. Basically, x3mRouting forces Unbound to go through the VPN tunnel. That is when I noticed the anomaly I pointed out earlier. I run the whole configuration and then install point 2 of x3mRouting.
 
I didn't have x3mRouting on 384 and then upgrade to 386. I started with 386, added AMTM, Entware, flexqos, skynet, diversion and then unbound. I use all my devices in the VPN with ExpressVPN. I created the tunnel rules so that flexqos can recognize the traffic and optimize it. Everything was fine, but I found that unbound exposes DNS. At this point, following a tutorial here on the site, I installed x3mRouting and made it pass DNS requests directly into the VPN. Everything works. As you can see below, I created the tunnel and the rules in Merlin. When I installed x3mRouting I installed all its functions, and I realized that if I install point 2 then I can no longer make any changes to the VPN configuration page. Even simply deactivating the VPN server creates a configuration error, and it is no longer possible to activate it. To reactivate it or to change the settings, I have to uninstall point 2 of x3mRouting, make the changes, reinstall point 2 and restart the router. I also tried to do a master reset of VPN client 1 and reconfigure everything from scratch: if point 2 is installed you can't do anything; if it is uninstalled, you can configure.
My idea was to put my devices in the tunnel but remove all the rules in Merlin and put them in x3mRouting; unfortunately, if point 2 is installed it is not possible. Below you see my current configuration. Everything works, x3mRouting does its duty like the other addons, but you can't touch anything if point 2 is installed.
 

Attachment: Firefox_Screenshot_2021-03-02T15-12-42.863Z.png
What is your goal? What are you trying to accomplish? That might help determine the best route you should take.
 
Actually, I already got what I wanted. The router now has monstrous performance. I just pointed out this X3mrouting anomaly
 
Sorry, I can't help on the screen issues. The only thing I can think of is that you already had some existing entries that can't convert. If you still want to use the screen, wipe out the current client config first, then enter the configuration.

I recommend uninstalling option 2 and just using option 3 for routing of IPSET lists. You just have to specify the from/to interfaces on the command line. Plus, it will save you the extra steps of inputting the IPSET lists.

Delete option 2
===> 2 del

Install option 3
==> 3

For DNS hacks, you can use the DNSFilter tab and configure a custom DNS for each device. If the device is configured to use a public DNS like Cloudflare and is configured to go thru the VPN, the DNS will be the same geo location as the VPN end point.


You can also set: dhcp-option DNS x.x.x.x
in the custom configuration section

Finally, you could specify the DNS in the Policy routing table. Pros/cons with this approach.

Accept DNS Configuration = Exclusive will use DNS of vpn provider. But when combined with Policy Rules, diversion will not be able to block ads and the dnsmasq method of x3mRouting will not work since dnsmasq is bypassed.
 
I tried to do what you wrote but it doesn't work. I am forced to use option 2 or I don't get what I want. I followed the tutorial on this page:


I created the 3 files as indicated on the page and in any case followed the whole tutorial. With these 3 files and x3mRouting option 2 installed, everything works. Even if I have to reboot the router, it does execute the commands, etc. If you need to change the VPN configuration, you must first uninstall option 2, then modify, and finally install option 2 again. The VPN starts and then I would have the DNS exposed. If I don't install option 2, on every boot I have to manually stop the VPN client and then restart it. To not use option 2 it would take two commands that, once booted, first disable the VPN server and then enable it again.
 
Are you using the modified x3mRouting Advanced OpenVPN Screen as a hack for the DNS leak issue with Unbound? My guess is you are using it to create the fwmarks so the script you are using can avail of them. If that is all you need, we can come up with a solution that does not require the modified x3mRouting OpenVPN client screen. The purpose of the screen is to route IPSET lists thru the VPN or bypass to the WAN interface. I don't see you routing any IPSET lists in the screen picture you posted. I have the x3mRouting screen working on AC88U and AC86U (HND CPU) with 386.x production and beta releases without any of the issues you describe. No one else has reported the issue. So, I am struggling with how to assist. Did you factory reset after moving to 386.x?

I only support x3mRouting on Asuswrt-Merlin firmware and not the forks, as I don't have those models to test on. I suspect that is where the issue is. The source code does not appear on the GitHub page https://github.com/gnuton/asuswrt-merlin.ng/ so it is hard for me to see if the code of the fork has kept up with the 386.x updates made by Merlin.
 
I wanted to route the IPSETs in x3mRouting, but because of the problems described above I can't do it. A master reset of the whole modem then forces me to put all the addons back by hand from the beginning; or would loading the backup solve it? Putting everything back by hand from the start is a big waste of time.
 
I still think it would help us to know your vision for what you believe success looks like. For example, I'm assuming you want to route DNS through the VPN so that you don't have DNS leaking. Your link to @Swinson 's post makes me think that. I found that when I was trying to accomplish eliminating DNS leaks.
 
That's right, I'm using x3mRouting to route DNS through the VPN. But that tutorial only works if you install x3mRouting option 2. In any case, I did a master reset on the router, removed the USB stick and formatted it. I restarted from zero, obviously using GNUton's 386 beta 3. I put back AMTM, swap, Entware and then immediately tried x3mRouting, and I confirm that it creates the same anomaly that I indicated. If I install option 2 I can no longer touch the VPN server page, or it gives me a configuration error. I will point this anomaly out to GNUton.

To route the DNS, I'm using that tutorial for now because it's the only one that works. If there are others, that's fine
 
OK, here is what I did, which sounds like what you want to do:

Bash:
/jffs/scripts/unbound_via_vc1.sh stop &

Bash:
/jffs/scripts/unbound_via_vc1.sh stop &

Bash:
#!/bin/sh
# Route Unbound's upstream DNS through VPN client 1 (tun11) once the tunnel is up.
# Usage: unbound_via_vc1.sh start|stop

SCRIPT_NAME="$(basename "$0")"

Log() {
        logger -st "($SCRIPT_NAME)" $$ "$@"
}

# Succeeds only when a probe bound to tun11 (-I) gets a reply
Check_Tun11_Con() {
        ping -c1 -w1 -I tun11 1.1.1.1 >/dev/null 2>&1
}

# Remove every rule this script added; all of them carry the "unbound_rule" comment
Delete_Rules() {
        iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read -r CMD; do $CMD; done
}

# Mark router-originated DNS in the mangle OUTPUT chain. Queries to the ISP
# resolvers from wan0_dns get fwmark bit 0x8000; every other DNS query gets
# fwmark bit 0x1000. MARK only sets the masked bit and does not stop the
# chain, so these fwmarks must match the ip rules that select the WAN and
# VPN routing tables on this router.
Add_Rules() {
        iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -d "$wan0_dns0"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -d "$wan0_dns1"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
        iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}

Unbound_vc1() {
        Add_Rules
        /jffs/addons/unbound/unbound_manager.sh vpn=1 &
        Log "Ending Script Execution"
}

Unbound_vpnDisable() {
        Delete_Rules
        /jffs/addons/unbound/unbound_manager.sh vpn=disable &
        Log "Ending Script Execution"
}

# Wait up to 300 seconds for tun11 to pass traffic, then switch Unbound to it
Poll_Tun11() {
        Delete_Rules
        sleep 5
        timer=5
        while [ "$timer" -lt 300 ]; do
                if Check_Tun11_Con; then
                        Unbound_vc1
                        Log "Ending Script Execution"
                        exit 0
                fi
                sleep 1
                timer=$((timer + 1))
        done
        Log "Script Execution Timeout"
        exit 3
}

if [ -z "$1" ]; then
        Log "Script Arg Missing"
        exit 1
fi

Log "Starting Script Execution"
wan0_dns0="$(nvram get wan0_dns | awk '{print $1}')"
wan0_dns1="$(nvram get wan0_dns | awk '{print $2}')"
# With only one ISP resolver configured, use it for both rule sets; none at all is fatal
[ -z "$wan0_dns1" ] && wan0_dns1="$wan0_dns0"
[ -z "$wan0_dns0" ] && wan0_dns0="$wan0_dns1"
if [ -z "$wan0_dns0" ]; then
        Log "wan0_dns is NULL"
        exit 2
fi

case "$1" in
        start)
                Poll_Tun11
                ;;
        stop)
                Unbound_vpnDisable
                exit 0
                ;;
        *)
                Log "Script Arg Invalid"
                exit 1
                ;;
esac

Source: http://www.snbforums.com/threads/unbound-dns-vpn-client-w-policy-rules.67370/post-653427
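The script above stamps fwmarks on router-originated DNS and relies on the router's ip rules to turn each mark into a routing table. The following is an added example, not code from iTyPsIDg's post or from x3mRouting, that simulates that chain offline: it walks the same six mangle OUTPUT rules in order with MARK's set-bit semantics, then consults an ip-rule order. The resolver addresses, the rule priorities (WAN rule at 9990 before the VPN client 1 rule at 9995) and the table names are constructed assumptions, so check them against `ip rule` on your own router. It shows a point that is easy to miss when reading the script: a query to one of the wan0_dns resolvers matches both a 0x8000 rule and the catch-all 0x1000 rule, so it leaves the chain carrying both bits (0x9000), and only the ip rule priority decides which table it uses.

```shell
#!/bin/sh
# Added example (not from the thread or x3mRouting): simulate how the mangle
# OUTPUT rules in unbound_via_vc1.sh stamp fwmarks on router-originated DNS,
# then apply an ip-rule priority order to see which routing table wins.
# Addresses, priorities and table names below are constructed for illustration.

WAN_DNS0="203.0.113.53"   # constructed stand-in for the first  "nvram get wan0_dns" entry
WAN_DNS1="203.0.113.54"   # constructed stand-in for the second entry

# The six rules in the order the script appends them: "dest proto value mask".
# "any" matches every destination.
RULES="$WAN_DNS0 udp 0x8000 0x8000
$WAN_DNS1 udp 0x8000 0x8000
$WAN_DNS0 tcp 0x8000 0x8000
$WAN_DNS1 tcp 0x8000 0x8000
any tcp 0x1000 0x1000
any udp 0x1000 0x1000"

# ip rules as policy routing consults them: lowest priority number first,
# "prio value mask table". Assumed order here: WAN rule before VPN client 1 rule.
IP_RULES="9990 0x8000 0x8000 main
9995 0x1000 0x1000 ovpnc1"

# mark_for DEST PROTO -> prints the fwmark (hex) the packet leaves the chain with.
# MARK is non-terminating, so every matching rule is applied in turn, and
# --set-mark value/mask computes  mark = (mark & ~mask) | value.
mark_for() {
        mark=0
        while read -r dest proto value mask; do
                if [ "$dest" = "any" ] || [ "$dest" = "$1" ]; then
                        if [ "$proto" = "$2" ]; then
                                mark=$(( (mark & ~$mask) | $value ))
                        fi
                fi
        done <<EOF
$RULES
EOF
        printf '0x%x\n' "$mark"
}

# table_for FWMARK -> prints the table of the first ip rule whose value/mask
# matches, or "unmatched" if none does (ip rule lookup stops at the first hit).
table_for() {
        while read -r prio value mask table; do
                if [ $(( $1 & $mask )) -eq $(( $value )) ]; then
                        echo "$table"
                        return 0
                fi
        done <<EOF
$IP_RULES
EOF
        echo "unmatched"
        return 1
}

# Two interesting cases: a query to an ISP resolver, and a query to any other
# destination (192.0.2.10 is a constructed address standing in for a server
# Unbound recurses to).
for dst in "$WAN_DNS0" 192.0.2.10; do
        m="$(mark_for "$dst" udp)"
        printf '%s udp/53 -> fwmark %s -> table %s\n' "$dst" "$m" "$(table_for "$m")"
done
```

If the real `ip rule` output lists the VPN client rule before the WAN rule, the same 0x9000 packet lands in the VPN table instead, which is why the fwmark-to-table mapping must be read from the router and not assumed from the mangle rules alone.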
 
There were many changes in the OpenVPN GUI and some supporting scripts in the 384.19 and 386.x releases. I monitor changes to those files as Merlin codes. I then update the x3mRouting master repo when Asuswrt-Merlin goes to production release. I suspect there is a difference in one of those support files in the DSL fork that is creating the conditions you are experiencing. When there are changes such as this, I always save off the prior version as a branch. Some people have reasons why they can't update to a new version, so saving off some of these older versions allows them to use it. I didn't see the source code files on the GitHub page for the DSL fork, so I couldn't do any analysis. If you were still on the 384.19 release, I could have you try the version of x3mRouting that is compatible to see if the problem still exists. The solution @iTyPsIDg posted looks interesting. I will test it out on my end and see if I can add it to x3mRouting as a new feature.
 
OK, here is what I did, which sounds like what you want to do:

Bash:
/jffs/scripts/unbound_via_vc1.sh stop &
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null

Bash:
/jffs/scripts/unbound_via_vc1.sh stop &
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x1000/0x1000

The first two files are different than those in the post you indicated below. I tried the configuration you proposed but it doesn't work, I still have the DNS exposed. I then returned to the configuration that is present in the post you indicated and everything works, I have secure DNS. Obviously I must have x3mRouting option 2 installed or the DNS will be exposed
 
Thank you for your reply and for your commitment. However, the router works, and I am using the configuration with x3mRouting, as I explained earlier. If you can fix the anomaly I mentioned, great. At that point I would change the way I use the VPN tunnel, etc.
 
