I added this temp fix in the meantime. I haven't noticed any issues so far. Seems this may be the fix !
I've been having issues with this script lately. It seems I have to run the manual "start" command a few times per day because I all of a sudden cannot load a website. When that happens, I run the start command and the page loads.
What do I need to do to temporarily "disable" this script until I learn more how all this works to try to fix it (could be something I missed in the setup since I'm a novice with this stuff)?
What do I need to do to temporarily "disable" this script until I learn more how all this works to try to fix it (could be something I missed in the setup since I'm a novice with this stuff)?
All you should need to is remove the lines from the vpnclient1-route-up and vpnclient1-pre-down and reboot.
Before you do that you can run the script with the “stop” argument to remove the iptables rules and remove the vpn as the outgoing interface. You shouldn’t need to do this as a reboot should take care of it but running the stop argument will disable in the current instance.
so just to be clear
running /jffs/scripts/unbound_via_vc1.sh stop
will disable the script
and removing the lines calling the script from /jffs/scripts/x3mRouting/vpnclient1-route-up and ../vpnclient1-route-pre-down
will stop the script from running when your vpn client starts and stops
sorry it’s giving you trouble.. I promise I have been working, very slowly, but working on a version that will make it much easier to use. I greatly appreciate the feedback I have gotten on what I’ve released so far so thanks for giving it a shot.
Looking forward for a future update. I've been using your current script without any issues.
Thanks for doing this for VPN users along with unbound!!!!
You have a donation link available to assist you with your favorite beverage?
I’m glad it’s been working for you! I didn’t really think to list anything for donations but you are welcome to use my PayPal or cashapp. I certainly appreciate any donation to the college coffee fund but definitely don’t feel obligated.
Cheers,
-Swinson
PayPal: http://paypal.me/SwinsonT
Cashapp: $swinsonterry
Mathieu
Regular Contributor
Hi
@Kingp1n You mentioned in an earlier post you had been on trial with another VPN provider, though per your signature it appears you did not proceed.
I don't mean to be nosy, but was such decision driven by technical difficulties you encountered with their solution?
As it happens, I have been using them for some time, but lately have run into some issues.
Just trying to discard those could be provider-specific.
Thanks.
@Kingp1n You mentioned in an earlier post you had been on trial with another VPN provider, though per your signature it appears you did not proceed.
I don't mean to be nosy, but was such decision driven by technical difficulties you encountered with their solution?
As it happens, I have been using them for some time, but lately have run into some issues.
Just trying to discard those could be provider-specific.
Thanks.
I tried NordVPN free 30 day trial but ended canceling services due to my current PIA subscription not running out til next year. I didn't noticed any difference between NordVPN and PIA as far as speeds go. (I even tried expressVPN) .I currently connect to the East DNS servers.
What issues are you having? Can you post screenshots on how you have WAN page setup? Also post screenshots of your VPN setup and what rules you're using?
The times the script would seem to stop for me was when I was running spdMerlin script or when making changes thru VPN and/or Adaptive QoS (once changes were applied, it would make the script to stop). The way I would bring it back was to use the scMerlin script and restart VPN 1. I also stop using the spdMerlin script.
The last change I recently made was to use my ISP DNS servers versus Quad9/Cloudflare. I've been using that setup for the last couple of days with no issues.
Inside the WAN tab, where it asks "connect to DNS servers automatically " I still choose no, and right below it I still input comcast DNS servers. If left to "yes", I noticed it would leak.
Last edited:
Thanks, will try running without for now. I think it's not working for me just due to a mistake somewhere (Imy ip tables output might be it). I'll revisit this in a few days to try again when my internet is not tied up for work purposes.
@Kingp1n
I noticed the rules appearing twice in my iptables after a reboot. So apparently calling that at the beginning of the script is a bit too early. You might want to add the line:
Delete_Rules
At the top of the add rules function. Just make it the first line of the Add_Rules function so it makes double sure there aren’t any old rules.
I guess this means I should probably add some lock functionality to the final script.
I’m also going to have to dig a bit more into the Speedtest/Qos stuff and see why exactly that causes a failure.
I noticed the rules appearing twice in my iptables after a reboot. So apparently calling that at the beginning of the script is a bit too early. You might want to add the line:
Delete_Rules
At the top of the add rules function. Just make it the first line of the Add_Rules function so it makes double sure there aren’t any old rules.
I guess this means I should probably add some lock functionality to the final script.
I’m also going to have to dig a bit more into the Speedtest/Qos stuff and see why exactly that causes a failure.
Code:
Add_Rules(){
Delete_Rules
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}I haven't noticed any duplicate rules. This is my current setup based from your previous comment:
Code:
#!/bin/sh
Check_Tun11_Con() {
ping -c1 -w1 -I tun11 75.75.75.75
}
Delete_Rules() {
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}
Add_Rules(){
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}
Call_unbound_manager() {
/jffs/addons/unbound/unbound_manager.sh vpn="$1"
}
Poll_Tun11() {
timer=$1
[ -z $timer ] && Post_log "Error Timeout" && exit 1 || sleep 2
Check_Tun11_Con && Add_Rules && Call_unbound_manager "1" || Poll_Tun11 "$((timer--))"
}
Post_log() {
$(logger -st "($(basename "$0"))" $$ "$1")
}
[ -z "$1" ] && Post_log "Script Arg Missing" && exit 1 || Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
Delete_Rules
case "$1" in
start)
Poll_Tun11 "150" && Post_log "Ending Script Execution" && exit 0;;
stop)
Call_unbound_manager "disable" && Post_log "Ending Script Execution" && exit 0;;
*)
Post_log "Script Arg Invalid" && exit 1;;
esacI’ve had issues in the past copying and pasting iptables rules where there are invisible trailing control characters. It might be worth trying to type everything out or go through and make sure there aren’t any invisible characters by selecting every after the last visible character on each line and deleting up to the new line character.
Yeah it should delete them right off the bat when the script runs but I guess on my router the script would start, delete the rules, then start pinging the tunnel, then the vpn restart would run it again before the rules got added so in rare instances it could add two sets of rules. If it’s not an issue don’t worry about it but I thought I would let you know in case you had the same thing going on.
Mathieu
Regular Contributor
Thank you for responding.
I believe my issue is a DNS leak ( I am not 100% sure as I don't know how to check my public ip on a a device different from PC/Laptop). I use Netflix on an Apple TV with a manually assigned IP. I use ExpressVPN as provider and rely on the router's selective routing feature to have the Apple TV traffic go through the tunnel. This did work fine for some time but recently I receive TLS handshake errors anytime I try to play Netflix contents. I thought there may be some conflict with Unbound, so I turned that off. The issue persists. That said, I can stream the (geoblocked) netflix content on a laptop (not bound by vpn rules) when I manually activate the VPN app there. So it's as though the problem were on Apple TV and/or the way the router directs VPN traffic.
I attach edited screenshots of wan gui page and vpn client.
[Edit: All the VPN client settings derived from the .ovpn config file of provider, other than user / pw and policy rules: strict / c lient based]
Attachments
Last edited:
I noticed under the WAN page, you have DoT enabled (under DNS Privacy Protocol). Do you have this on while using unbound too?
There's a few things you can try for testing purposes...you can always go back to your previous setup.
1st disabled DoT while using unbound. Also, under LAN page, under the DNS Filter tab, make sure you choose 'router' (under Global Filter Mode) and apply.
Inside VPN, changed the Accept DNS Configuration to "Disabled" & change the VPN renegotiation time to "0".
The way I have my router & VPN traffic setup are by these 2 rules:
Code:
Description Source IP Destination Iface
Main router: 192.168.1.1 blank WAN
All VPN traffic: 192.1681.0/24 blank VPNHowever, I also use x3mRouting script option 3 rule that for all my streaming traffic (i.e. Prime/Netflix/HBO/DisneyPlus etc...) it's bypass and not go thru the VPN tunnel. This works better for me since the wife just wants to watch these streaming apps without seeing the "you're using a VPN message" when trying to stream something thru one of these apps.
Start the swinson script (vc1.sh) and make sure you have all the commands inside the init-start and inside the route-up/route-down inside x3mRouting folder.
Also, dont forget to ensure you have these 2 commands:
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WIP-vpn dnsmasq=whatismyipaddress.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WIP-real dnsmasq=whatsmyipaddress.comRun a ipleak.net and dnsleaktest.com test and you should see the VPN IP on both IP and DNS.
Last edited:
Just to add a bit to kingp1n response.
With regard to Netflix/other streaming services they don’t want you to use a vpn because their content agreements vary country to country. That’s not to say you can’t connect to these services with a vpn but they make it hard and constantly update methods for detecting vpns. Personally I default all traffic to the vpn but streaming traffic gets marked and goes right out before hitting the vpn. I use x3mRouting to handle this.
You can use x3mRouting 1 0 StreamIng dnsmasq=Netflix.com,Hulu.com,{etc}
this marks any packet that supposed to go to Netflix.com and sends it out directly without going to the vpn. It’s not quite as simple as just listing Netflix.com because each service Norma has multiple URLs that need to be listed. I would recommend looking at x3mRouting’s git hub page to get a better idea.
Sorry for the delay in my response but kingp1n definitely has you on the right track. I’ll try to check back today to see if I need to clarify something.
@Kingp1n: I’m pretty sure the reset problem is with the dnsmasq configuration. I commented out the unbound call in /jffs/scripts/dnsmasq.postconf and went into /jffs/configs/dnsmasq.add and added the line “server=127.0.0.1@53535” at the very end.I’ve rebooted multiple times this morning and it has come up every time without the need for a vpn reset. If this also fixes it for you let me know and I’ll try to figure out why the dnsmasq.postconf is not adding the unbound stuff.
Last edited:
To clarify, when you mention "commented out the unbound call in /jffs/scripts/dnsmasq.postconf", do you mean to removed this line inside dnsmasq.postconf, correct?
Code:
sh /jffs/addons/unbound/unbound.postconf "$1" # unbound_managerI will also the "server=127.0.0.1@53535" inside the dnsmasq.add. Thanks!
Yeah that’s the one. and yes just put the server line at the end of /jffs/configs/dnsmasq.add the default unbound is localhost on port 53535. If you want to verify its in the first section of the unbound config under interface and port.
it seems adding the "server=127.0.0.1@53535" allows DNS leak when doing an ipleak test. Have you encounter this issue? It was showing me 13 DNS servers vs the one VPN IP.
Mathieu
Regular Contributor
Thank you both for taking the time.
I will try experiment over the week-end with your suggestions.
Worst case scenario, I'll take advantage of the new 2_1 release and proceed with a clean install, testing as much as I can before adding the incremental 'add-ons'
@Swinson I appreciate I wan't very clear, but one of my vpn use is actually to try and circumvent possible geoblocking.
Thanks, gents.
Hmm yeah it appears I’m showing 2 one is the vpn the other is cloud flare. So I think that line not being in the config is what the problem was but I’ll need to check out what all the unbound.postconfig does because disabling it seems to be a no go.
Similar threads
DomainVPNRouting
Domain VPN Routing v3.0.3 ***Release***
Similar threads
Similar threads
-
-
Unbound Force all DNS requests through Unbound using iptables?- Started by muffintastic
- Replies: 14
-
Is it possible to use nord dns with unbound or any way to add it?
- Started by Jack-Sparr0w
- Replies: 9
-
Unbound Use unbound/router as default DNS server
- Started by BeachGuy
- Replies: 2
-
-
-
-
-
-
Latest threads
-
Does the Synology RT6600AX block a particular adult site?
- Started by road hazard
- Replies: 0
-
-
-
High Latency Issues on WiFi? GT-BE98 Pro
- Started by hadesflames
- Replies: 2
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!