Unbound Unbound DNS VPN Client w/policy rules

[Vertron]

If you have scmerlin installed go to the GUI inside addons/scmerlin and restart the VPN 1 or whtaver VPN you have set-up. This will restart the script again.

I've already tried that. I even ran the command to start the script manually and checked the IP tables, all good there but not working. Is it working for you?

 

[Kingp1n]

I've already tried that. I even ran the command to start the script manually and checked the IP tables, all good there but not working. Is it working for you?

Yes it ls working for me. Are you running spdMerlin? Also i dont use step 4 from your instructions. The sleep 30 command was more of a test that wasnt required at the end. Try removing it and restart vpn1 and wait a few seconds before running an ipleak test. Also try removing spdMerlin and test again. I kept having issues with spdMerlin and this script everytime it did an automatic speedtest so i ended removing spdMerlin.

 

[Vertron]

Yes it ls working for me. Are you running spdMerlin? Also i dont use step 4 from your instructions. The sleep 30 command was more of a test that wasnt required at the end. Try removing it and restart vpn1 and wait a few seconds before running an ipleak test. Also try removing spdMerlin and test again. I kept having issues with spdMerlin and this script everytime it did an automatic speedtest so i ended removing spdMerlin.

Thanks, I got it working now by re-running:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WIP-vpn dnsmasq=whatismyipaddress.com

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WIP-real dnsmasq=whatsmyipaddress.com

I'm not running spdMerlin. I edited the route-up/down files earlier but then put the code back as it was, that probably caused the issue.

Interesting about step 4, what was the reboot issue exactly?

 

[Kingp1n]

Thanks, I got it working now by re-running:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WIP-vpn dnsmasq=whatismyipaddress.com

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WIP-real dnsmasq=whatsmyipaddress.com

I'm not running spdMerlin. I edited the route-up/down files earlier but then put the code back as it was, that probably caused the issue.

Interesting about step 4, what was the reboot issue exactly?

I think some users were reporting that script wasnt re-starting after rebooting the router. This command should assist by waiting 30 seconds allowing time for the router to bootup and then restarting the vpn client. Maybe @Swinson can explain it better. I dont thinj its a problem if you keep it though. Maybe you can test with and without and check how the router acts after a reboot and see if the vpn client starts with either or.

Ive been using the script for awhile and all is good. Love using unbound with VPN on it.

 

[Vertron]

I think some users were reporting that script wasnt re-starting after rebooting the router. This command should assist by waiting 30 seconds allowing time for the router to bootup and then restarting the vpn client. Maybe @Swinson can explain it better. I dont thinj its a problem if you keep it though. Maybe you can test with and without and check how the router acts after a reboot and see if the vpn client starts with either or.

Ive been using the script for awhile and all is good. Love using unbound with VPN on it.

I've never had an issue with the VPN not restarting after a reboot before. I've removed it for now and see how I get on.

I agree, it's brilliant. Don't need to place any trust in any 3rd party or even the VPN provider for storing DNS logs.
This script is the final piece of the puzzle, they really should intergrate it with Unbound directly.

 

[Vertron]

Weird, did a reboot and the same issue, showing ISP IP as DNS again. Had the run the same 2 scripts to get it to work again. I wonder what's causing it.

 

[Kingp1n]

Weird, did a reboot and the same issue, showing ISP IP as DNS again. Had the run the same 2 scripts to get it to work again. I wonder what's causing it.

Check inside /jffs/scripts/ folder....do you see/have a nat-start file inside the scripts folder?

Also look inside the x3mRouting folder open both the route-up & route-down files to ensure the commnds have been created when yiur those 2 lines.

 

[Vertron]

Check inside /jffs/scripts/ folder....do you see/have a nat-start file inside the scripts folder?

Yes I do, it contains the following:

#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WIP-vpn dnsmasq=whatismyipaddress.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WIP-real dnsmasq=whatsmyipaddress.com

 

[Kingp1n]

Yes I do, it contains the following:

#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WIP-vpn dnsmasq=whatismyipaddress.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WIP-real dnsmasq=whatsmyipaddress.com

I'm not sure what's going. I would delete those lines within nat-start and insde the vpn-route-up and down files.

Than run these command lines and see if it's working for you. This what I show inside my nat-start file:

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

Also post results after using this command

iptables -nvL OUTPUT -t mangle

Also this is what gets created inside my route-up file:

iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000

and route-down:

iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null

Also show your results when running this command:

ip rule

 

[Vertron]

I'm not sure what's going. I would delete those lines within nat-start and insde the vpn-route-up and down files.

Than run these command lines and see if it's working for you. This what I show inside my nat-start file:

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

Also post results after using this command

iptables -nvL OUTPUT -t mangle

Also this is what gets created inside my route-up file:

iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000

and route-down:

iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null

Also show your results when running this command:

ip rule

That worked, it now survives a reboot. Thank you! I'll add this to my guide.

 

[iTyPsIDg]

Does running these commands create the "vpnclient1-route-up" and "vpnclient1-route-pre-down" files?

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

In either case, I didn't run those this before but as soon as I did, it fixed my DNS leak. I don't know why, but I'm happy.

 

[Kingp1n]

Does running these commands create the "vpnclient1-route-up" and "vpnclient1-route-pre-down" files?

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

In either case, I didn't run those this before but as soon as I did, it fixed my DNS leak. I don't know why, but I'm happy.

Yes...downloadin x3mRouting script will create the files but runnin that command will add the lines inside those files....enjoy!!!

 

[iTyPsIDg]

Yes...downloadin x3mRouting script will create the files but runnin that command will add the lines inside those files....enjoy!!!

Sorry, I meant that I already had the scripts created since I've been using it for a while. Running those commands didn't change anything in the files, either. The description in step 1 says it creates the two files by running those commands, I already had them but my DNS was still leaking until I added the rules to ensure whatsmyip.com went through the WAN and whatismyip.com went through the VPN.

 

[Vertron]

I've found a bug with my setup. I've set a rule up to direct all traffic through the VPN "192.168.1.0/24" and set certain devices to go through the WAN.

All devices that run through the VPN are working fine but I've noticed it's not blocking ads using diversion anymore for devices set to the WAN. Does anyone have any ideas where I've gone wrong?

Update 16/08/21:
Using a medium block list and adding AdGuard as a host has fixed this: https://v.firebog.net/hosts/AdguardDNS.txt

 

[Kingp1n]

I've found a bug with my setup. I've set a rule up to direct all traffic through the VPN "192.168.1.0/24" and set certain devices to go through the WAN.

All devices that run through the VPN are working fine but I've noticed it's not blocking ads using diversion anymore for devices set to the WAN. Does anyone have any ideas where I've gone wrong?

I dont think thats a bug but maybe you can ask in the diversion thread.

 

[Vertron]

I dont think thats a bug but maybe you can ask in the diversion thread.

I've removed all my policy rules now and it's still happening. I'm not sure if it's an issue with my setup, Unbound or the script itself. All ads are blocked on devices set to the VPN and only some ads are blocked when set to WAN.

How to replicate this issue:

1. Set a device to policy rules: VPN client 1.
2. Go to https://canyoublockit.com/extreme-test/.
3. See if you get any ads.
4. Set the same device to policy rules: WAN.
5. Clear your browsers cache.
6. Go to the same website.
7. See if you get any ads this time.

Update: 16/08/21
This is now blocking ads for devices set to both WAN and VPN using host file: https://v.firebog.net/hosts/AdguardDNS.txt

 

[Vertron]

I've removed all my policy rules now and it's still happening. I'm not sure if it's an issue with my setup, Unbound or the script itself. All ads are blocked on devices set to the VPN and only some ads are blocked when set to WAN.

How to replicate this issue:

1. Set a device to policy rules: VPN client 1.
2. Go to https://canyoublockit.com/extreme-test/.
3. See if you get any ads.
4. Set the same device to policy rules: WAN.
5. Clear your browsers cache.
6. Go to the same website.
7. See if you get any ads this time.

I did some testing and it looks like Unbound is causing the ads to come through:

I deleted this script, unstalled x3mrouting and Unbound. With only Diversion and Skynet installed it started to fully block ads again for devices set to both the WAN and VPN.

I then did a basic install of Unbound and ads started coming though again using the above test. It doesn't matter if you bind the VPN or WAN to Unbound. All devices set to WAN will let ads through and all devices set to the VPN will block all ads. I'll report this in the Unbound thread.

 

[Rippo]

I did some testing yesterday also and reached the same conclusion as you have.

Also, thanks for posting such a helpful installation guide. I followed it with minor modifications and was able to get it working for VPN5 easily (I needed my default route to VPN provider to be lower priority that other specific VPNs I manage). Works wonderfully

 

[chongnt]

I've found a bug with my setup. I've set a rule up to direct all traffic through the VPN "192.168.1.0/24" and set certain devices to go through the WAN.

All devices that run through the VPN are working fine but I've noticed it's not blocking ads using diversion anymore for devices set to the WAN. Does anyone have any ideas where I've gone wrong?

I have a bit different setup, only have rules for one device route to ovpn1 and another device to ovpn3. All other devices are routed through WAN without any rules in VPN director. With this, adblock by diversion is working for all devices.
Have you check diversion log?

 

[Vertron]

I have a bit different setup, only have rules for one device route to ovpn1 and another device to ovpn3. All other devices are routed through WAN without any rules in VPN director. With this, adblock by diversion is working for all devices.
Have you check diversion log?

I've tried this setup but with only one VPN and ads still get through. Most ads are blocked so it does appear to work until you visit an ad heavy site.

You don't get any ads for any devices set not to use a VPN when you visit this site then: https://canyoublockit.com/extreme-test/?

The banner ads part of the test is where most of the ads come through.

Also remember some browsers have extensions/built in ad blocking that could make it appear to be working.

Screenshot examples:
Device set to WAN:

Device set to VPN: