Menu
What's new
By:
Filters Better Search

Unbound Unbound DNS VPN Client w/policy rules

  • Thread starter Deleted member 62525
  • Start date

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

D

Deleted member 62525

Guest
I have been using Unbound DNS for a long time as my primary DNS on my local network. Some of my client devices use NordVPN with Unbound as DNS.
I have been wondering recently if Unbound can be configured so all DNS traffic for those specific VPN devices traverses over VPN interface/tunnel.
As I was reading the Unbound documentation it is possible to specify multiple interfaces in unbund.conf. One of these can be the VPN interface. We can also force VPN clients to use specific DNS IP/interface declared in the VPN client configuration. It got me thinking but I have not yet experimented with it yet.
Looking for ideas and feedback if this is even possible.

-cheers
 
Markster said:
I have been using Unbound DNS for a long time as my primary DNS on my local network. Some of my client devices use NordVPN with Unbound as DNS.
I have been wondering recently if Unbound can be configured so all DNS traffic for those specific VPN devices traverses over VPN interface/tunnel.
As I was reading the Unbound documentation it is possible to specify multiple interfaces in unbund.conf. One of these can be the VPN interface. We can also force VPN clients to use specific DNS IP/interface declared in the VPN client configuration. It got me thinking but I have not yet experimented with it yet.
Looking for ideas and feedback if this is even possible.

-cheers
Click to expand...

You have placed this thread in the wrong sub-forum. All "add-ons" like unbound etc have been moved OUT of the Rmerlin Forum into a stand-alone forum on their own which you won't find unless you dig up one forum level to Asus Wireless - then down again to "Asuswrt-Merlin Addons"
NOT your fault - somewhat controversial structural change made recently!

To make life easier for you here's a link ...
https://www.snbforums.com/forums/asuswrt-merlin-addons.60/

No idea why they can't simply provide a link to the sub-form within the RMerlin one to help folks to easily navigate to the extended magic of Merlin-Ware ???
 
I’m also looking to set up some policy rules for unbound. Does anyone already have anything available for this? Possibly a nice little one line x3mRouting command that does everything?
 
Updated: new rules at the bottom
Okay so here is what I’ve got. You need to have x3mRouting installed and at least set up a dummy. You can then go through and configure unbound with the by running
Code: 
unbound_manager vpn=X
Then you will need to add these lines for the vpnevent script

vpnclientX-route-up
Code: 
jffs/addons/unbound/unbound_manager.sh vpn=X delay=9 &
vpnclientX-route-pre-down
Code: 
/jffs/addons/unbound/unbound_manager.sh vpn=disable

Finally I added these lines to my services-start file so anything going to port 53 will piggy back off the rules x3mRouting has setup
Code: 
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

I’m still learning and figuring stuff out so if anything is wrong here feel free to let me know but it looks like all my dns lookup will now be forced through the vpn

(11/22/2020) edit:
Still running into a few issues. I’m working on getting it set up to run in route-up and pre-down rather than services-start because I don’t think it really belongs there and firewall-start won’t work either because I’m pretty sure putting it that early would break the boot up.

(11/23/2020) Rule update:
(1) setup WAN_DNS to go to wan0 and mark all other dns packets to go to vpn
(2) move everything into route-up/route-pre-down


/jffs/scripts/x3mRouting/vpnclientX-route-up
Code: 
# WAN DNS requests to Wan0 #
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
# WAN DNS requests to Wan0 #

# Default DNS requests to VPN_Client 1 #
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
# Default DNS requests to VPN_Client 1 #

jffs/addons/unbound/unbound_manager.sh vpn=X delay=5 &


/jffs/scripts/x3mRouting/vpnclientX-route-pre-down
Code: 
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000


iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

/jffs/addons/unbound/unbound_manager.sh vpn=disable
 
Last edited:
Can anyone confirm that both unbound and Merlin only use UDP on 53 for DNS lookups and doesn’t ever use TCP for anything.
283F225B-832A-4FB0-A902-08F4A679BF06.jpeg

I’m also wondering if anyone knows if it’s better to use “wan_dns” or “wan0_dns” from nvram. I’m guessing wan0 and wan1 are used to hold isp dns while wan is for user settings but I’m not really sure so if anyone can confirm that would be great.
 
Swinson said:
Can anyone confirm that both unbound and Merlin only use UDP on 53 for DNS lookups and doesn’t ever use TCP for anything.
Click to expand...
TCP is used if the response is too large for a UDP packet. So you can’t say “never” but probably “occasionally.”

If you don’t use Dual WAN, I would just use wan0_dns.
 
dave14305 said:
TCP is used if the response is too large for a UDP packet. So you can’t say “never” but probably “occasionally.”

If you don’t use Dual WAN, I would just use wan0_dns.
Click to expand...
Okay I’ll definitely keep TCP rules then. I figured it might be used on occasion but I hadn’t noticed anything so I figured it was worth asking about.

So I know dual wan is a thing and I think it’s clear that wan1 would be used for the second one but wan0/wan is kind of ambitious. I do not use dual wan and “wan_dns” as well as “wan0_dns” are both populated. Do you know how they are used when dual wan is in use? Like I said I assume wan1 would be used for dns pulled/set for your second interface but is “wan_dns” the counterpart to wan1 or is it wan0?

let’s say your primary is “wan0_dns” and your secondary is “wan1_dns” what is “wan_dns”? Does that represent the dns to be used when dual wan is implemented or does that represent the what is set in the webUI? @RMerlin do you have any insight into the specific function of these vars?
 
Last edited:
@dave14305 went ahead and changed it from “wan_dns” to “wan0_dns” as per your suggestion. Everything looks good after doing a couple reboots so I went a head and updated my post to reflect the change. Thanks for the input.
C2821719-336E-4970-B65A-3459B147F36B.jpeg

I’m also seeing a handful of tcp packets from unbound but still nothing from the router. Going to keep an eye on it though
 
Swinson said:
Updated: new rules at the bottom
Okay so here is what I’ve got. You need to have x3mRouting installed and at least set up a dummy. You can then go through and configure unbound with the by running
Code: 
unbound_manager vpn=X
Then you will need to add these lines for the vpnevent script

vpnclientX-route-up
Code: 
jffs/addons/unbound/unbound_manager.sh vpn=X delay=9 &
vpnclientX-route-pre-down
Code: 
/jffs/addons/unbound/unbound_manager.sh vpn=disable

Finally I added these lines to my services-start file so anything going to port 53 will piggy back off the rules x3mRouting has setup
Code: 
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

I’m still learning and figuring stuff out so if anything is wrong here feel free to let me know but it looks like all my dns lookup will now be forced through the vpn

(11/22/2020) edit:
Still running into a few issues. I’m working on getting it set up to run in route-up and pre-down rather than services-start because I don’t think it really belongs there and firewall-start won’t work either because I’m pretty sure putting it that early would break the boot up.

(11/23/2020) Rule update:
(1) setup WAN_DNS to go to wan0 and mark all other dns packets to go to vpn
(2) move everything into route-up/route-pre-down


/jffs/scripts/x3mRouting/vpnclientX-route-up
Code: 
# WAN DNS requests to Wan0 #
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
# WAN DNS requests to Wan0 #

# Default DNS requests to VPN_Client 1 #
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
# Default DNS requests to VPN_Client 1 #

jffs/addons/unbound/unbound_manager.sh vpn=X delay=5 &


/jffs/scripts/x3mRouting/vpnclientX-route-pre-down
Code: 
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000

iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000


iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000

/jffs/addons/unbound/unbound_manager.sh vpn=disable
Click to expand...
@Swinson are you still using these rules with unbound and a VPN setup? How is it working out for you?
 
Kingp1n said:
@Swinson are you still using these rules with unbound and a VPN setup? How is it working out for you?
Click to expand...
I am. Sorry for the delayed response I didn’t see the notification. Everything is working as expected however I’m still playing with the delay setting. If I get some time I am planning on trying to modify the vpnevent script to poll the connection status of the tunnel and run unbound once it’s up rather a static delay.
 
Swinson said:
I am. Sorry for the delayed response I didn’t see the notification. Everything is working as expected however I’m still playing with the delay setting. If I get some time I am planning on trying to modify the vpnevent script to poll the connection status of the tunnel and run unbound once it’s up rather a static delay.
Click to expand...
so your DNS packets appear to originate off in VPN host provider and not the WAN ISP host provider?
 
Swinson said:
Yes that is correct. The router should resolve through the DNS provided in your WAN settings and everything else should resolve through unbound with your VPNs ip
Click to expand...
Thanks for the response. Please keep us posted if you make any changes to the delay setting. I haven't used unbound in a while so I might give a go with your instructions.

Where do you make changes from #1 (WAN_DNS to go to wan0) ?
 
Kingp1n said:
Thanks for the response. Please keep us posted if you make any changes to the delay setting. I haven't used unbound in a while so I might give a go with your instructions.

Where do you make changes from #1 (WAN_DNS to go to wan0) ?
Click to expand...
Ive edited the original post to reflect the change already. You really just need to get the dns servers your router users so the new rules won’t break how the router does it’s lookups. On my router both wan_dns and wan0_dns contain these values I just wanted to try to make sure it works the same for anyone who just want to copy and paste the rules.
 
Swinson said:
Ive edited the original post to reflect the change already. You really just need to get the dns servers your router users so the new rules won’t break how the router does it’s lookups. On my router both wan_dns and wan0_dns contain these values I just wanted to try to make sure it works the same for anyone who just want to copy and paste the rules.
Click to expand...
Appreciate the response. I'm running a fulltime VPN with unbound and I have no issues so far using the rules you posted earlier. Thanks again and keep us posted if you make any edits to the delay time.
 
Kingp1n said:
Appreciate the response. I'm running a fulltime VPN with unbound and I have no issues so far using the rules you posted earlier. Thanks again and keep us posted if you make any edits to the delay time.
Click to expand...
I have a small update. I spent like 30-45 minutes this morning working on a rough concept script for getting unbound set to the vpn once it’s available rather than a hard coded delay. I’ll post what I’ve thrown together below and I’d be happy to get some feedback.

**warning** I literally just did this in just a couple minutes proceed with caution and check my work. **warning**

/jffs/scripts/x3mRouting/vpnclient1-route-up.sh
Code: 
sh /jffs/addons/unbound/unbound_manager.sh vpn=1 delay=25 &

Replaced with:
Code: 
/jffs/scripts/unbound_tunCheck.sh &

Created /jffs/scripts/unbound_tunCheck.sh
New file needs permissions so make sure you chmod 755

Code: 
#!/bin/sh

tunCheck=$(curl -sA "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" https://nordvpn.com/what-is-my-ip/  | grep -c "$(nvram get wan0_ipaddr)")

if [ $tunCheck -eq 0 ]
then
/jffs/addons/unbound/unbound_manager.sh vpn=1 delay=1 &
exit 0
fi

while [ $tunCheck -ne 0 ]
do
tunCheck=$(curl -sA "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" https://nordvpn.com/what-is-my-ip/  | grep -c "$(nvram get wan0_ipaddr)")
     if [ $tunCheck -eq 0 ]
     then
          /jffs/addons/unbound/unbound_manager.sh vpn=1 delay=1 &
          exit 0
     else
          sleep 1
     fi
done
exit 0

Probably still need to add a timeout and log an error in case it fails. Also probably should add secondary check since the primary check is just making sure your wan ip isn’t present.
 
Last edited:
Swinson said:
I have a small update. I spent like 30-45 minutes this morning working on a rough concept script for getting unbound set to the vpn once it’s available rather than a hard coded delay. I’ll post what I’ve thrown together below and I’d be happy to get some feedback.

**warning** I literally just did this in just a couple minutes proceed with caution and check my work. **warning**

/jffs/scripts/x3mRouting/vpnclient1-route-up.sh
Code: 
sh /jffs/addons/unbound/unbound_manager.sh vpn=1 delay=25 &

Replaced with:
Code: 
/jffs/scripts/unbound_tunCheck.sh &

Created /jffs/scripts/unbound_tunCheck.sh
New file needs permissions so make sure you chmod 755

Code: 
#!/bin/sh

tunCheck=$(curl -sA "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" https://nordvpn.com/what-is-my-ip/  | grep -c "$(nvram get wan0_ipaddr)")

if [ $tunCheck -eq 0 ]
then
/jffs/addons/unbound/unbound_manager.sh vpn=1 delay=1 &
exit 0
fi

while [ $tunCheck -ne 0 ]
do
tunCheck=$(curl -sA "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" https://nordvpn.com/what-is-my-ip/  | grep -c "$(nvram get wan0_ipaddr)")
     if [ $tunCheck -eq 0 ]
     then
          /jffs/addons/unbound/unbound_manager.sh vpn=1 delay=1 &
          exit 0
     else
          sleep 1
     fi
done
exit 0

Probably still need to add a timeout and log an error in case it fails. Also probably should add secondary check since the primary check is just making sure your wan ip isn’t present.
Click to expand...
could you not simplify this by trying to ping an IP (say 8.8.8.8) specifying -I tun11 (or whatever) and check the return code? you'd need to specify it only sending X pings, though, example:
Code: 
ping -c1 -w1 -I tun11 8.8.8.8
 
Jack Yaz said:
could you not simplify this by trying to ping an IP (say 8.8.8.8) specifying -I tun11 (or whatever) and check the return code? you'd need to specify it only sending X pings, though, example:
Code: 
ping -c1 -w1 -I tun11 8.8.8.8
Click to expand...
Ha I feel like a dummy but I did say rough concept didn’t I? So maybe something like this?

Code: 
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
sleep 5
timer=5

while [ $timer -lt 300 ]
do
        ping -c1 -w1 -I tun11 1.1.1.1
        pingCode=$?
        if [ $pingCode -eq 0 ]
        then
                /jffs/addons/unbound/unbound_manager.sh vpn=1 &
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
                iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
                logger -st "($(basename "$0"))" $$ Ending Script Execution
                exit 0
        else
                sleep 1
        fi
        timer++
done
logger -st "($(basename "$0"))" $$  Script Execution Timeout
exit 1

Edit: Added roughly a 300 second timeout

Edit 2: I moved the iptables route-up stuff into tunCheck so the setup can be done by just calling tunCheck The pre-down iptables deletes are still in x3mRouting. I consolidated the file configuration in the spoiler below.
File modifications to existing scripts:


Add to "/jffs/scripts/x3mRouting/vpnclient1-route-up"
Code: 
/jffs/scripts/unbound_tunCheck.sh &


Add to "/jffs/scripts/x3mRouting/vpnclient1-route-pre-down"
Code: 
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
/jffs/addons/unbound/unbound_manager.sh vpn=disable



Create "/jffs/scripts/unbound_tunCheck.sh" and chmod 755
Code: 
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
sleep 5
timer=5

while [ $timer -lt 300 ]
do
        ping -c1 -w1 -I tun11 1.1.1.1
        pingCode=$?
        if [ $pingCode -eq 0 ]
        then
                /jffs/addons/unbound/unbound_manager.sh vpn=1 &
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
                iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
                logger -st "($(basename "$0"))" $$ Ending Script Execution
                exit 0
        else
                sleep 1
        fi
        timer++
done
logger -st "($(basename "$0"))" $$  Script Execution Timeout
exit 1
 
Last edited:
Swinson said:
Ha I feel like a dummy but I did say rough concept didn’t I? So maybe something like this?

Code: 
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
sleep 5
timer=5

while [ $timer -lt 300 ]
do
        ping -c1 -w1 -I tun11 1.1.1.1
        pingCode=$?
        if [ $pingCode -eq 0 ]
        then
                /jffs/addons/unbound/unbound_manager.sh vpn=1 &
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
                iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
                logger -st "($(basename "$0"))" $$ Ending Script Execution
                exit 0
        else
                sleep 1
        fi
        timer++
done
logger -st "($(basename "$0"))" $$  Script Execution Timeout
exit 1

Edit: Added roughly a 300 second timeout

Edit 2: I moved the iptables route-up stuff into tunCheck so the setup can be done by just calling tunCheck The pre-down iptables deletes are still in x3mRouting. I consolidated the file configuration in the spoiler below.
File modifications to existing scripts:


Add to "/jffs/scripts/x3mRouting/vpnclient1-route-up"
Code: 
/jffs/scripts/unbound_tunCheck.sh &


Add to "/jffs/scripts/x3mRouting/vpnclient1-route-pre-down"
Code: 
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
/jffs/addons/unbound/unbound_manager.sh vpn=disable



Create "/jffs/scripts/unbound_tunCheck.sh" and chmod 755
Code: 
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
sleep 5
timer=5

while [ $timer -lt 300 ]
do
        ping -c1 -w1 -I tun11 1.1.1.1
        pingCode=$?
        if [ $pingCode -eq 0 ]
        then
                /jffs/addons/unbound/unbound_manager.sh vpn=1 &
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p udp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $1}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -d "$( (nvram get wan0_dns) | awk '{print $2}')"/32 -p tcp --dport 53 -j MARK --set-mark 0x8000/0x8000
                iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 0x1000/0x1000
                iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 0x1000/0x1000
                logger -st "($(basename "$0"))" $$ Ending Script Execution
                exit 0
        else
                sleep 1
        fi
        timer++
done
logger -st "($(basename "$0"))" $$  Script Execution Timeout
exit 1
Click to expand...
@Swinson, i'm getting ready to this nifty little rule you created. How is it working for you overall? Any issues at all. Thanks!
 
You must log in or register to reply here.

Similar threads

tRiFFiD
Unbound Unbound & local domain DNS
Replies
0
Views
897
tRiFFiD
tRiFFiD
R
DomainVPNRouting Domain VPN Routing v3.0.3 ***Release***
2 3
Replies
44
Views
3K
maghuro
maghuro
O
PI hole + unbound + domain vpn routing
Replies
10
Views
648
OBENZ
O
T
Wireguard Client VPN not using DNS
Replies
14
Views
742
Tom Jo-Jo Junior Shabadoo
Tom Jo-Jo Junior Shabadoo
D
Proper VPN Policy Rules
Replies
2
Views
344
Dougj
D
Similar threads
Thread starter Title Forum Replies Date
Jack-Sparr0w Guide to using vpn with unbound dns? Asuswrt-Merlin AddOns 3
muffintastic Unbound Force all DNS requests through Unbound using iptables? Asuswrt-Merlin AddOns 14
Jack-Sparr0w Is it possible to use nord dns with unbound or any way to add it? Asuswrt-Merlin AddOns 9
B Unbound Use unbound/router as default DNS server Asuswrt-Merlin AddOns 2
tRiFFiD Unbound Unbound & local domain DNS Asuswrt-Merlin AddOns 0
Z Unbound Unbound + AdGuard Settings Asuswrt-Merlin AddOns 1
Z Unbound Unbound on subnet router Asuswrt-Merlin AddOns 3
B Unbound Does unbound update automatically? Asuswrt-Merlin AddOns 8
F Unbound Unbound stopped working Asuswrt-Merlin AddOns 3
B Unbound Unbound whitelist Asuswrt-Merlin AddOns 15

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 911 (members: 23, guests: 888)
Top