Menu
What's new
By:
Filters Better Search

Unbound Unbound DNS VPN Client w/policy rules

  • Thread starter Deleted member 62525
  • Start date

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Vertron said:
I've tried this setup but with only one VPN and ads still get through. Most ads are blocked so it does appear to work until you visit an ad heavy site.

You don't get any ads for any devices set not to use a VPN when you visit this site then: https://canyoublockit.com/extreme-test/?

The banner ads part of the test is where most of the ads come through.

Also remember some browsers have extensions/built in ad blocking that could make it appear to be working.

Screenshot examples:
Device set to WAN:
View attachment 35685

Device set to VPN:
View attachment 35686
Click to expand...
Actually I don't use that link. I think it has some ads that is not able to be block by diversion natively. Instead I think something simple and straightforward is easier to tell if diversion adblock is working of not, https://ads-blocker.com/testing/

Ok, I just tested the link on device routed to ovpn 1 (nordvpn). Then I disable the device in VPN Director to make it route through WAN. I get the same result as yours. In both scenario, I was looking at the diversion log, and don't see blocking trace. Can you try disable diversion and re-do the test? I suspect the adblock we see via VPN is not related to diversion.
 
chongnt said:
Actually I don't use that link. I think it has some ads that is not able to be block by diversion natively. Instead I think something simple and straightforward is easier to tell if diversion adblock is working of not, https://ads-blocker.com/testing/

Ok, I just tested the link on device routed to ovpn 1 (nordvpn). Then I disable the device in VPN Director to make it route through WAN. I get the same result as yours. In both scenario, I was looking at the diversion log, and don't see blocking trace. Can you try disable diversion and re-do the test? I suspect the adblock we see via VPN is not related to diversion.
Click to expand...
I disabled diversion and using my site first, all ads are equally coming through when the device is set to the VPN or WAN. Ads are showing on that site you linked for both too.

I enabled Diversion and it's back to normal, all ads blocked by VPN, not all by WAN.
The ads on that site you linked is now blocked by both WAN and VPN. Diversion appears to be mostly working even if not showing in the logs.
 
I had to turn my router off the other day in order to move it and somehow all my installed addons became corrupt despite safety removing the swap file sd card first.

I reinstalled everything and set this script back up by following my guide on page 10, but I'm now getting an issue I previously had again (I originally updated the guide to prevent this issue). The script isn't starting automatically when the router is rebooted anymore. It's showing my ISP IP as the DNS instead of the VPN IP when doing a DNS leak test. I have to manually stop and start the VPN to get the script running.

I've tried deleting the route up/down, nat-start files and ran these 2 commands below to recreate and populate the files but still showing ISP DNS after a reboot.
Code: 
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

I even did the optional step 6 in the guide, that should restart the VPN after a reboot but no luck there either.
 
Vertron said:
I had to turn my router off the other day in order to move it and somehow all my installed addons became corrupt despite safety removing the swap file sd card first.

I reinstalled everything and set this script back up by following my guide on page 10, but I'm now getting an issue I previously had again (I originally updated the guide to prevent this issue). The script isn't starting automatically when the router is rebooted anymore. It's showing my ISP IP as the DNS instead of the VPN IP when doing a DNS leak test. I have to manually stop and start the VPN to get the script running.

I've tried deleting the route up/down, nat-start files and ran these 2 commands below to recreate and populate the files but still showing ISP DNS after a reboot.
Code: 
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

I even did the optional step 6 in the guide, that should restart the VPN after a reboot but no luck there either.
Click to expand...
Ensure unbound has restarted as well thru amtm. Other than that, im out of solutions.

You might have to wipe your USB clean and setup again.
 
SD card? That may be your issue(s) right there?
 
Kingp1n said:
Ensure unbound has restarted as well thru amtm. Other than that, im out of solutions.

You might have to wipe your USB clean and setup again.
Click to expand...
I've uninstalled every addon and deleted every trace, formatted the sd card and reinstalled everything from scratch. Still got the same issue.

I got it working in the end by using a workaround shown below, I'll add it to the guide.

Add the following line to "/jffs/scripts/services-start":
Code: 
sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start &
 
Where is the guide?

I still believe the issue is the SD card.

Why are you not using an SSD or at the very least, a USB drive?
 
L&LD said:
Where is the guide?

I still believe the issue is the SD card.

Why are you not using an SSD or at the very least, a USB drive?
Click to expand...
It's near the bottom of page 10 on this thread.

I highly doubt it's the SD card, it worked perfectly fine before until I turned the router off.

It's a high endurance micro SD card in a USB reader, it is basically a USB drive, but will last longer.
 
And yet, all indications are it's the SD card that no one else is using in their networks (and don't need that workaround). :)
 
L&LD said:
And yet, all indications are it's the SD card that no one else is using in their networks (and don't need that workaround). :)
Click to expand...
Someone recommended it in an older thread. I didn't need the workaround before either, it's not the SD card.
 
Last edited:
The better and more current recommendation is a cheap and cheerful SSD in an equally c&c enclosure (such as the uGreen products).
 
I'm still getting issues unfortunately. It seems to randomly switch to the ISP DNS every now and then, I've been unable to identify the exact cause. It'll stay on VPN IP for 2 days solid then it'll automatically switch the the ISP DNS twice within an hour after manually restarting the script.

Has anyone else had this issue?
 
Vertron said:
I'm still getting issues unfortunately. It seems to randomly switch to the ISP DNS every now and then, I've been unable to identify the exact cause. It'll stay on VPN IP for 2 days solid then it'll automatically switch the the ISP DNS twice within an hour after manually restarting the script.

Has anyone else had this issue?
Click to expand...
Is it truly your ISP DNS, or is it showing your real WAN IP that also belongs to your ISP? Under normal usage, Unbound will show your WAN IP as the DNS server in a DNS leak test.
 
dave14305 said:
Is it truly your ISP DNS, or is it showing your real WAN IP that also belongs to your ISP? Under normal usage, Unbound will show your WAN IP as the DNS server in a DNS leak test.
Click to expand...
I believe it is my WAN IP. This script changes it to the VPN IP however when doing a DNS leak test.
 
I would be very grateful if someone whoes setup is working properly could compare my scripts to their own to help identify the issue, please let me know if there's anything that doesn't look right.

It currently doesn't show the VPN IP as my DNS after the router is rebooted, so there's obviously an issue somewhere. I currently have a workaround in the "services-start" file to start "unbound_via_vc1.sh".

Here are almost all of my scripts:

dnsmasq.postconf
Code: 
#!/bin/sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion
sh /jffs/addons/unbound/unbound.postconf "$1"        # unbound_manager

firewall-start
Code: 
#!/bin/sh

sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/MicroSD/skynet # Skynet

init-start
Code: 
#!/bin/sh
sh /jffs/addons/unbound/stuning start            # unbound_manager
modprobe xt_comment

nat-start
Code: 
#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

openvpn-event
Code: 
#!/bin/sh
[ -s /jffs/scripts/x3mRouting/openvpn-event ] && sh /jffs/scripts/x3mRouting/openvpn-event $@

post-mount
Code: 
#!/bin/sh
swapon /tmp/mnt/MicroSD/myswap.swp # Added by amtm
. /jffs/addons/diversion/mount-entware.div # Added by Diversion
/jffs/addons/unbound/unbound_stats.sh startup "$@" & # Unbound_Stats.sh

service-event
Code: 
#!/bin/sh
[ "$2" = diversion ] && sh /opt/share/diversion/webui/process.div "$1" & # Added by Diversion
if [ "$1" = "start" ] && [ "$2" = "SkynetStats" ]; then sh /jffs/scripts/firewall debug genstats; fi # Skynet
/jffs/addons/unbound/unbound_stats.sh generate "$1" "$2" & # Unbound_Stats.sh

services-start
Code: 
#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start & # My reboot workaround fix

services-stop
Code: 
#!/bin/sh
/opt/etc/init.d/rc.unslung stop # Added by Diversion
sh /jffs/scripts/firewall save # Skynet

unmount
Code: 
#!/bin/sh
[ "$(/usr/bin/find $1/entware/bin/diversion 2> /dev/null)" ] && diversion unmount # Added by Diversion
swapoff -a 2>/dev/null # Skynet

x3mRouting / vpnclient1-route-pre-down
Code: 
#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
/jffs/scripts/unbound_via_vc1.sh stop &

x3mRouting / vpnclient1-route-up
Code: 
#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000
/jffs/scripts/unbound_via_vc1.sh start &



Update:
Reboot issue is sorted, reinstalled Unbound and this time the following was added to "services-start":

Code: 
#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

It now survives a reboot, going to add this to the guide. No idea why it didn't add this line the previous times I reinstalled Unbound. I'll keep an eye on it and hopefully it will maintain the VPN IP.
 
Last edited:
Vertron said:
I would be very grateful if someone whoes setup is working properly could compare my scripts to their own to help identify the issue, please let me know if there's anything that doesn't look right.

It currently doesn't show the VPN IP as my DNS after the router is rebooted, so there's obviously an issue somewhere. I currently have a workaround in the "services-start" file to start "unbound_via_vc1.sh".

Here are almost all of my scripts:

dnsmasq.postconf
Code: 
#!/bin/sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion
sh /jffs/addons/unbound/unbound.postconf "$1"        # unbound_manager

firewall-start
Code: 
#!/bin/sh

sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/MicroSD/skynet # Skynet

init-start
Code: 
#!/bin/sh
sh /jffs/addons/unbound/stuning start            # unbound_manager
modprobe xt_comment

nat-start
Code: 
#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

openvpn-event
Code: 
#!/bin/sh
[ -s /jffs/scripts/x3mRouting/openvpn-event ] && sh /jffs/scripts/x3mRouting/openvpn-event $@

post-mount
Code: 
#!/bin/sh
swapon /tmp/mnt/MicroSD/myswap.swp # Added by amtm
. /jffs/addons/diversion/mount-entware.div # Added by Diversion
/jffs/addons/unbound/unbound_stats.sh startup "$@" & # Unbound_Stats.sh

service-event
Code: 
#!/bin/sh
[ "$2" = diversion ] && sh /opt/share/diversion/webui/process.div "$1" & # Added by Diversion
if [ "$1" = "start" ] && [ "$2" = "SkynetStats" ]; then sh /jffs/scripts/firewall debug genstats; fi # Skynet
/jffs/addons/unbound/unbound_stats.sh generate "$1" "$2" & # Unbound_Stats.sh

services-start
Code: 
#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start & # My reboot workaround fix

services-stop
Code: 
#!/bin/sh
/opt/etc/init.d/rc.unslung stop # Added by Diversion
sh /jffs/scripts/firewall save # Skynet

unmount
Code: 
#!/bin/sh
[ "$(/usr/bin/find $1/entware/bin/diversion 2> /dev/null)" ] && diversion unmount # Added by Diversion
swapoff -a 2>/dev/null # Skynet

x3mRouting / vpnclient1-route-pre-down
Code: 
#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
/jffs/scripts/unbound_via_vc1.sh stop &

x3mRouting / vpnclient1-route-up
Code: 
#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000
/jffs/scripts/unbound_via_vc1.sh start &



Update:
Reboot issue is sorted, reinstalled Unbound and this time the following was added to "services-start":

Code: 
#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

It now survives a reboot, going to add this to the guide. No idea why it didn't add this line the previous times I reinstalled Unbound. I'll keep an eye on it and hopefully it will maintain the VPN IP.
Click to expand...
No issues here...do have something setup where the router does an automatic retart? Or running any speed test?

I noticed if I restart the router it will mess it up sometimes but I go under scmerlin and restart VPN1. I'm not sure what else it can be.
 
Kingp1n said:
No issues here...do have something setup where the router does an automatic retart? Or running any speed test?

I noticed if I restart the router it will mess it up sometimes but I go under scmerlin and restart VPN1. I'm not sure what else it can be.
Click to expand...
Thanks for getting back to me, see the end of my previous post, I think it's sorted now. I had an error that forced me to reinstall Entware and Unbound, that added an additional line to the service-start file I was missing before. It now survives a reboot and fingers crossed will keep using the VPN IP.

Update:
It's been 5 days and it's still maintaining the VPN IP. It's safe to say this is now fixed.
 
Last edited:
Vertron said:
I would be very grateful if someone whoes setup is working properly could compare my scripts to their own to help identify the issue, please let me know if there's anything that doesn't look right.

It currently doesn't show the VPN IP as my DNS after the router is rebooted, so there's obviously an issue somewhere. I currently have a workaround in the "services-start" file to start "unbound_via_vc1.sh".

Here are almost all of my scripts:

dnsmasq.postconf
Code: 
#!/bin/sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion
sh /jffs/addons/unbound/unbound.postconf "$1"        # unbound_manager

firewall-start
Code: 
#!/bin/sh

sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/MicroSD/skynet # Skynet

init-start
Code: 
#!/bin/sh
sh /jffs/addons/unbound/stuning start            # unbound_manager
modprobe xt_comment

nat-start
Code: 
#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

openvpn-event
Code: 
#!/bin/sh
[ -s /jffs/scripts/x3mRouting/openvpn-event ] && sh /jffs/scripts/x3mRouting/openvpn-event $@

post-mount
Code: 
#!/bin/sh
swapon /tmp/mnt/MicroSD/myswap.swp # Added by amtm
. /jffs/addons/diversion/mount-entware.div # Added by Diversion
/jffs/addons/unbound/unbound_stats.sh startup "$@" & # Unbound_Stats.sh

service-event
Code: 
#!/bin/sh
[ "$2" = diversion ] && sh /opt/share/diversion/webui/process.div "$1" & # Added by Diversion
if [ "$1" = "start" ] && [ "$2" = "SkynetStats" ]; then sh /jffs/scripts/firewall debug genstats; fi # Skynet
/jffs/addons/unbound/unbound_stats.sh generate "$1" "$2" & # Unbound_Stats.sh

services-start
Code: 
#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start & # My reboot workaround fix

services-stop
Code: 
#!/bin/sh
/opt/etc/init.d/rc.unslung stop # Added by Diversion
sh /jffs/scripts/firewall save # Skynet

unmount
Code: 
#!/bin/sh
[ "$(/usr/bin/find $1/entware/bin/diversion 2> /dev/null)" ] && diversion unmount # Added by Diversion
swapoff -a 2>/dev/null # Skynet

x3mRouting / vpnclient1-route-pre-down
Code: 
#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
/jffs/scripts/unbound_via_vc1.sh stop &

x3mRouting / vpnclient1-route-up
Code: 
#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set WAN_IP dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set VPN_IP dst -j MARK --set-mark 0x1000/0x1000
/jffs/scripts/unbound_via_vc1.sh start &



Update:
Reboot issue is sorted, reinstalled Unbound and this time the following was added to "services-start":

Code: 
#!/bin/sh
cru a root_servers  "12 4 * * * curl -o \/opt\/var\/lib\/unbound\/root\.hints https://www.internic.net/domain/named.cache"    # unbound_manager
/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

It now survives a reboot, going to add this to the guide. No idea why it didn't add this line the previous times I reinstalled Unbound. I'll keep an eye on it and hopefully it will maintain the VPN IP.
Click to expand...
Glad it works now. I am not sure if the two lines in nat-start are still required. I have commented it and see no difference. Everything is working after reboot. But then I think there is no harm with that two lines in nat-start.
 
You must log in or register to reply here.

Similar threads

tRiFFiD
Unbound Unbound & local domain DNS
Replies
0
Views
897
tRiFFiD
tRiFFiD
R
DomainVPNRouting Domain VPN Routing v3.0.3 ***Release***
2 3
Replies
44
Views
3K
maghuro
maghuro
O
PI hole + unbound + domain vpn routing
Replies
10
Views
649
OBENZ
O
T
Wireguard Client VPN not using DNS
Replies
14
Views
743
Tom Jo-Jo Junior Shabadoo
Tom Jo-Jo Junior Shabadoo
D
Proper VPN Policy Rules
Replies
2
Views
345
Dougj
D
Similar threads
Thread starter Title Forum Replies Date
Jack-Sparr0w Guide to using vpn with unbound dns? Asuswrt-Merlin AddOns 3
muffintastic Unbound Force all DNS requests through Unbound using iptables? Asuswrt-Merlin AddOns 14
Jack-Sparr0w Is it possible to use nord dns with unbound or any way to add it? Asuswrt-Merlin AddOns 9
B Unbound Use unbound/router as default DNS server Asuswrt-Merlin AddOns 2
tRiFFiD Unbound Unbound & local domain DNS Asuswrt-Merlin AddOns 0
Z Unbound Unbound + AdGuard Settings Asuswrt-Merlin AddOns 1
Z Unbound Unbound on subnet router Asuswrt-Merlin AddOns 3
B Unbound Does unbound update automatically? Asuswrt-Merlin AddOns 8
F Unbound Unbound stopped working Asuswrt-Merlin AddOns 3
B Unbound Unbound whitelist Asuswrt-Merlin AddOns 15

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 695 (members: 14, guests: 681)
Top