Unbound Unbound DNS VPN Client w/policy rules

[Zim]

How to set this up, all info from the thread put into one place.

This script will ensure the VPN IP is used for Unbound DNS when policy rules is set, regardless if the device is set to use the WAN or VPN. It will still work if the VPN IP ever changes or the VPN tunnel goes down, in this case, devices not set to use the VPN will use the ISP IP until the VPN starts up again.

Use PuTTY/Terminal to enter commands and WinSCP to edit scripts.

Pre-requisites:
Unbound - Running as system resolver (Only a basic install is required, you don't need to manually bind Unbound to the VPN).
X3mRouting - Option 3 installed.
DNS lookups - Forced to default gateway.
DNS in WAN tab- Connect to DNS Server automatically set to "No", DNS Server 1 set to a public resolver such as "9.9.9.9" (This is only used until Unbound starts after a reboot).
DNS in LAN tab - Not set/all set to router.
VPN client 1 - Setup and running, DNS set to diabled.

1. Run the following 2 commands to create and populate the "vpnclient1-route-up" and "vpnclient1-route-pre-down" files:

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyip.com

2. Add the following line to “/jffs/scripts/x3mRouting/vpnclient1-route-up”:

/jffs/scripts/unbound_via_vc1.sh start &

3. Add the following line to “/jffs/scripts/x3mRouting/vpnclient1-route-pre-down”:

/jffs/scripts/unbound_via_vc1.sh stop &

4. Add the following line to "/jffs/scripts/init-start":

modprobe xt_comment

5a. Go to "/jffs/scripts".
5b. Copy any existing script (to prevent a permission error).
5c. Rename the copy to “unbound_via_vc1.sh”.
5d. Delete any existing code.
5e. Copy and paste the below code into it:

#!/bin/sh
Check_Tun11_Con() {
ping -c1 -w1 -I tun11 9.9.9.9
}
Delete_Rules() {
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}
Add_Rules(){
Delete_Rules
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}
Call_unbound_manager() {
/jffs/addons/unbound/unbound_manager.sh vpn="$1"
}
Poll_Tun11() {
timer=$1
[ -z $timer ] && Post_log "Error Timeout" && exit 1 || sleep 2
Check_Tun11_Con && Add_Rules && Call_unbound_manager "1" || Poll_Tun11 "$((timer--))"
}
Post_log() {
$(logger -st "($(basename "$0"))" $$ "$1")
}
[ -z "$1" ] && Post_log "Script Arg Missing" && exit 1 || Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
Delete_Rules
case "$1" in
start)
Poll_Tun11 "150" && Post_log "Ending Script Execution" && exit 0;;
stop)
Call_unbound_manager "disable" && Post_log "Ending Script Execution" && exit 0;;
*)
Post_log "Script Arg Invalid" && exit 1;;
esac

6. OPTIONAL - Add the following line to "/jffs/scripts/services-start":
(Only required if the VPN doesn't automatically start when the router is rebooted)

sleep 30 && service restart_vpnclient1 &

7a. Ensure your "/jffs/scripts/services-start" file contains the following line, if not add it:
(This will ensure the script automatically starts when the router is rebooted)

/jffs/addons/unbound/unbound_rpz.sh startup # Unbound_RPZ.sh

7b. (Not required anymore but kept here just in case) OPTIONAL - Add the following line to "/jffs/scripts/services-start":
(Only required if this script doesn't automatically start when the router is rebooted)

sleep 30 && sh /jffs/scripts/unbound_via_vc1.sh start &

8. Reboot your router, it is now configured.


A. To manually start the script run the following command:

/jffs/scripts/unbound_via_vc1.sh start

B. To check it's working, run the following command and check the IP tables are populated:

iptables -nvL OUTPUT -t mangle

Ci. Run this to check it's setup correctly:

ip rule

Cii. It should output like below:

0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10010:  from 192.168.1.124 lookup main
10210:  from 192.168.1.139 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

D. Check the VPN IP is showing as the DNS: https://dnsleak.com/

This is super helpful. Thanks for outlining the setup step by step.

When following this guide, I am not getting expected results, maybe you or someone can explain.

1.) DNS lookups - Forced to default gateway.
You are referring to the default gateway setting on LAN > DHCP Server page, correct? This should be the IP of the router?

2.) Correct VPN IP address not showing up.
After following this guide, I get to step 8B, 8Ci, 8Cii and everything appears to be as per your post in SSH, but when I run the DNS leak test, I don't get the IP address of the VPN, I seem to be getting the IP address of the DNS Server setup in WAN tab along with others (I have no idea where they are coming from).

3.) It appears with this setup, if I have more than one VPN tunnel active, the tunnels other than VPN1 sporadically disconnect and reconnect.

4.) Just realized, that this (or x3mRouting) somehow created issues with Unbound. I now get a "Segmentation fault" when launching Unbound Manager. Prior to this experiment, Unbound had no issues.

 

[chongnt]

This is super helpful. Thanks for outlining the setup step by step.

When following this guide, I am not getting expected results, maybe you or someone can explain.

1.) DNS lookups - Forced to default gateway.
You are referring to the default gateway setting on LAN > DHCP Server page, correct? This should be the IP of the router?
View attachment 36138

2.) Correct VPN IP address not showing up.
After following this guide, I get to step 8B, 8Ci, 8Cii and everything appears to be as per your post in SSH, but when I run the DNS leak test, I don't get the IP address of the VPN, I seem to be getting the IP address of the DNS Server setup in WAN tab along with others (I have no idea where they are coming from).

3.) It appears with this setup, if I have more than one VPN tunnel active, the tunnels other than VPN1 sporadically disconnect and reconnect.

4.) Just realized, that this (or x3mRouting) somehow created issues with Unbound. I now get a "Segmentation fault" when launching Unbound Manager. Prior to this experiment, Unbound had no issues.

Hi,
1) I have the same as your screen shot.
On top of that, under LAN -> DNSFilter, I have it enabled and global filter mode set to “Router”.

2) perhaps if you can share the output of 8b and 8c (remove those public ip if any)?

3) how many vpn tunnel do you have? Was it working before? Can you check system log during that time and see what is the reason vpn client disconnect.

4) I don't remember come across this. Did you happen to update entware recently? If you can refer to this thread:

Unbound - Entware+386.3

I am using GNUton 386.3 on Asus DSL AC 68 U. Everything was fine, but yesterday Entware updated and since then Unbound doesn't work anymore, besides the router does strange things, it seems unstable, at startup it disconnects the wifi which it did not do before. before updating Entware it was fine

www.snbforums.com

I think you need to get unbound working again first.

 

[Vertron]

This is super helpful. Thanks for outlining the setup step by step.

When following this guide, I am not getting expected results, maybe you or someone can explain.

1.) DNS lookups - Forced to default gateway.
You are referring to the default gateway setting on LAN > DHCP Server page, correct? This should be the IP of the router?
View attachment 36138

2.) Correct VPN IP address not showing up.
After following this guide, I get to step 8B, 8Ci, 8Cii and everything appears to be as per your post in SSH, but when I run the DNS leak test, I don't get the IP address of the VPN, I seem to be getting the IP address of the DNS Server setup in WAN tab along with others (I have no idea where they are coming from).

3.) It appears with this setup, if I have more than one VPN tunnel active, the tunnels other than VPN1 sporadically disconnect and reconnect.

4.) Just realized, that this (or x3mRouting) somehow created issues with Unbound. I now get a "Segmentation fault" when launching Unbound Manager. Prior to this experiment, Unbound had no issues.

I'm glad you found it helpful.

1. My default gateway is left blank.

2. Your issue on 4. might be causing this.

3. I only have one tunnel running so haven't noticed the same, but hopefully 4. is causing this again.

4. I also had this issue very recently, you need to update/reinstall Entware. If it still doesn't work then reinstall Unbound after.

 

[Zim]

Hi,
1) I have the same as your screen shot.
On top of that, under LAN -> DNSFilter, I have it enabled and global filter mode set to “Router”.

2) perhaps if you can share the output of 8b and 8c (remove those public ip if any)?

3) how many vpn tunnel do you have? Was it working before? Can you check system log during that time and see what is the reason vpn client disconnect.

4) I don't remember come across this. Did you happen to update entware recently? If you can refer to this thread:

Unbound - Entware+386.3

I am using GNUton 386.3 on Asus DSL AC 68 U. Everything was fine, but yesterday Entware updated and since then Unbound doesn't work anymore, besides the router does strange things, it seems unstable, at startup it disconnects the wifi which it did not do before. before updating Entware it was fine

www.snbforums.com

I think you need to get unbound working again first.

I'm glad you found it helpful.

1. My default gateway is left blank.

2. Your issue on 4. might be causing this.

3. I only have one tunnel running so haven't noticed the same, but hopefully 4. is causing this again.

4. I also had this issue very recently, you need to update/reinstall Entware. If it still doesn't work then reinstall Unbound after.

Alright, after much tinkering and testing, turns out the USB attached to the router was dying. Replacing the USB, factory resetting and reinstalling the scripts made everything work.

I have also been able to get the script in this thread to work well with Unbound and VPN.

I am running into one problem. I have noticed that after manually updating the Unbound stats from the WebUI page, this script stops working and it needs to be restarted running the command: /jffs/scripts/unbound_via_vc1.sh start

Is anyone else running into this issue?

Does the order of commnads in /jffs/scripts/services-start make any difference? My file looks like this.

Appreciate the help with this last piece of the puzzle.

 

[chongnt]

Alright, after much tinkering and testing, turns out the USB attached to the router was dying. Replacing the USB, factory resetting and reinstalling the scripts made everything work.

I have also been able to get the script in this thread to work well with Unbound and VPN.

I am running into one problem. I have noticed that after manually updating the Unbound stats from the WebUI page, this script stops working and it needs to be restarted running the command: /jffs/scripts/unbound_via_vc1.sh start

Is anyone else running into this issue?

Does the order of commnads in /jffs/scripts/services-start make any difference? My file looks like this.
View attachment 36306

Appreciate the help with this last piece of the puzzle.

Good to know that you have found the culprit.
I am not sure why some need to have this line in services-start script. I do not have it. I only have it start in vpnclient1-route-up and stop in vpnclient1-route-pre-down script.
By the way, what do you mean by this script stops working? Do you mean unbound DNS query is not going through open vpn client 1 anymore?

 

[Zim]

Good to know that you have found the culprit.
I am not sure why some need to have this line in services-start script. I do not have it. I only have it start in vpnclient1-route-up and stop in vpnclient1-route-pre-down script.
By the way, what do you mean by this script stops working? Do you mean unbound DNS query is not going through open vpn client 1 anymore?

That's correct. The Unbound DNS query does not go through VPN 1. A restart later and I am unable to replicate the issue.

On another note, how can I start VPN Client 2 and 3 at reboot with a 2 to 3 minute delay.

I tried this in /jffs/scripts/services-start

sleep 120 service start_vpnclient2​

sleep 180 service start_vpnclient3​

but the VPN Clients do not start.

 

[chongnt]

That's correct. The Unbound DNS query does not go through VPN 1. A restart later and I am unable to replicate the issue.

On another note, how can I start VPN Client 2 and 3 at reboot with a 2 to 3 minute delay.

I tried this in /jffs/scripts/services-start

sleep 120 service start_vpnclient2​

sleep 180 service start_vpnclient3​

but the VPN Clients do not start.

Usually I do not click the update stats in unbound GUI and have no problem.
Why would you want to delay VPN client startup? Just select "Automatic start at boot time" in each VPN Client GUI page will do.

 

[Kingp1n]

I noticed this script doesn't work anymore on latest stable rmerlin fw when setting the VPN Accept DNS Configuration as "Disabled" and setting redirect internet traffic to 'VPN Director (policy rules)'.

Once I setup as DNS configuration to "Exclusive" within the VPNClient the Swinson script starts to work again but it breaks ads for diversion.


Update:

It seems with the latest stable fw and using the VPN Director you no longer need this script anymore. I removed the script, and get the same results when switching to Disabled vs Exclusive. VPN Director is working as intended here. and it seems it replaces the need for this script. I just wish I can use Diversion with the DNS setup as Exclusive and still blocking ads which at this point it doesnt work.

You can test it by removing the script, setup your VPN Rules and test ipleak by switching between DNS as Disabled/Exclusive.

At least for me since I use Diversion, setting as exclusive breaks ads for me.

Just curious if anyone using this script with unbound is having the same issue?

 

[chongnt]

I noticed this script doesn't work anymore on latest stable rmerlin fw when setting the VPN Accept DNS Configuration as "Disabled" and setting redirect internet traffic to 'VPN Director (policy rules)'.

Once I setup as DNS configuration to "Exclusive" within the VPNClient the Swinson script starts to work again but it breaks ads for diversion.


Update:

It seems with the latest stable fw and using the VPN Director you no longer need this script anymore. I removed the script, and get the same results when switching to Disabled vs Exclusive. VPN Director is working as intended here. and it seems it replaces the need for this script. I just wish I can use Diversion with the DNS setup as Exclusive and still blocking ads which at this point it doesnt work.

You can test it by removing the script, setup your VPN Rules and test ipleak by switching between DNS as Disabled/Exclusive.

At least for me since I use Diversion, setting as exclusive breaks ads for me.

Just curious if anyone using this script with unbound is having the same issue?

I am still using his script, although a bit differently now. On top of two existing open vpn client connections, I added wireguard vpn client connection. Instead of routing unbound DNS query to openvpn client, I edited his script a little bit and route unbound DNS query to wireguard vpn client. It is working as expected and all devices ip leak test show wireguard vpn client IP as my DNS server. The reason I do this is my openvpn client is not so stable and tends to go down and reconnect after few days, some time after a week or so. Every time openvpn client 1 connection flaps, unbound gets restarted and the DNS cache are gone. I find that wireguard vpn client is very stable and there is no flaps at all. Even when I manually restart wireguard vpn client, unbound DNS query will go through WAN temporarily and does not get restarted and hence the DNS cache remains. While I don't really see the difference, it just feel better that I am maximizing unbound caching feature.

I am not sure how is your setup. Do you route the whole LAN to a single openvpn client? Say in my case, I have devices that routed through WAN, openvpn client 1, openvpn client 3. At the moment, wireguard vpn client 1 is purely for unbound DNS query only. When I purposely bring down wireguard vpn client, unbound DNS query go through WAN connection. In openvpn client GUI, I have set "Accept DNS Configuration" to Disabled. Devices that is configured in VPN Director will still use unbound and diversion adblock, the only difference is now all devices ip leak test show my WAN IP as DNS server.

There was a discussion that pointed out diversion will work with "Accept DNS configuration" set to "Exclusive" with specific policy rules. I have not try it myself.

x3mRouting - VPN client bypass routing without policy rules ('Force Internet traffic through tunnel' option set to 'Yes')

Hi, I have read the requirements for X3mRouting scripts and can see that Policy Rules (Strict) or Policy Rules must be enabled on the OpenVPN Client Screen for the scripts to work. Is there any way to have the 'Force Internet traffic through tunnel' option set to 'Yes' instead of using Policy...

www.snbforums.com

 

[Vertron]

I noticed this script doesn't work anymore on latest stable rmerlin fw when setting the VPN Accept DNS Configuration as "Disabled" and setting redirect internet traffic to 'VPN Director (policy rules)'.

Once I setup as DNS configuration to "Exclusive" within the VPNClient the Swinson script starts to work again but it breaks ads for diversion.


Update:

It seems with the latest stable fw and using the VPN Director you no longer need this script anymore. I removed the script, and get the same results when switching to Disabled vs Exclusive. VPN Director is working as intended here. and it seems it replaces the need for this script. I just wish I can use Diversion with the DNS setup as Exclusive and still blocking ads which at this point it doesnt work.

You can test it by removing the script, setup your VPN Rules and test ipleak by switching between DNS as Disabled/Exclusive.

At least for me since I use Diversion, setting as exclusive breaks ads for me.

Just curious if anyone using this script with unbound is having the same issue?

I didn't know you could go through Unbound with DNS set to exclusive before. As far as I was aware, if you set the DNS to Exclusive, it uses the VPNs DNS and bypasses the router. I'm still on the last version, not had any update come through yet.

Update: Tested it and it doesn't block ads for me with the VPN DNS set to exclusive either, it uses the VPNs DNS.

It works without the script now then? It'll always use the VPN IP as the DNS for devices both set to the WAN and VPN? I assume you have to bind Unbound to the VPN?

 

[Kingp1n]

I didn't know you could go through Unbound with DNS set to exclusive before. As far as I was aware, if you set the DNS to Exclusive, it uses the VPNs DNS and bypasses the router. I'm still on the last version, not had any update come through yet.

Update: Tested it and it doesn't block ads for me with the VPN DNS set to exclusive either, it uses the VPNs DNS.

It works without the script now then? It'll always use the VPN IP as the DNS for devices both set to the WAN and VPN? I assume you have to bind Unbound to the VPN?

I have removed the script and I haven't bind unbound to VPN either. I updated unbound and started from scratch without keeping previous data files.

I simply just set exclusive in the VPNClient with VPN Director and my 2 policy rules. When running ipleak test, both IP/DNS show the same from my VPN provider.

Be aware, that if use Diversion, setting it to exclusive will not block ads any longer.

If you set to disabled, ipleak test will now show the IP from your VPN, but you will also see your own public ip address as your DNS service (diversion will block ads again). In Diversion, i'm using the predifined blocking list (medium).

 

[chongnt]

I have removed the script and I haven't bind unbound to VPN either. I updated unbound and started from scratch without keeping previous data files.

I simply just set exclusive in the VPNClient with VPN Director and my 2 policy rules. When running ipleak test, both IP/DNS show the same from my VPN provider.

Be aware, that if use Diversion, setting it to exclusive will not block ads any longer.

If you set to disabled, ipleak test will now show the IP from your VPN, but you will also see your own public ip address as your DNS service (diversion will block ads again). In Diversion, i'm using the predifined blocking list (medium).

When you set to exclusive, you are actually using DNS server from your VPN provider. It means unbound is not used now. So regardless unbound is going through WAN or bind to VPN does not make any difference anymore because DNS query is forwarded to VPN provider DNS server. And the same time diversion is also bypassed.
I guess if you are still using unbound, the script from Swinson is valid to bind it to vpn.

 

[Kingp1n]

I guess if you are still using unbound, the script from Swinson is valid to bind it to vpn.

So if you do use unbound and the script from Swinson to bind the vpn...does it matter at this point whether you choose exclusive or disabled with this specific setup in the OpenVPN client?

 

[chongnt]

So if you do use unbound and the script from Swinson to bind the vpn...does it matter at this point whether you choose exclusive or disabled with this specific setup in the OpenVPN client?

Yes it does. When Accept DNS configuration set to exclusive, unbound is bypassed. Disabled will ignore VPN provider DNS, so unbound is used.

Edit: I think the following commands can tell if you are using router dnsmasq/unbound or not. If there is dns query logs and unbound counters increases while you do some browsing, then you are using it. Otherwise you are most probably using VPN provider's DNS Server.

tail -f /opt/var/log/dnsmasq.log
unbound-control stats_noreset | grep -F total.num

 

[Vertron]

I have removed the script and I haven't bind unbound to VPN either. I updated unbound and started from scratch without keeping previous data files.

I simply just set exclusive in the VPNClient with VPN Director and my 2 policy rules. When running ipleak test, both IP/DNS show the same from my VPN provider.

Be aware, that if use Diversion, setting it to exclusive will not block ads any longer.

If you set to disabled, ipleak test will now show the IP from your VPN, but you will also see your own public ip address as your DNS service (diversion will block ads again). In Diversion, i'm using the predifined blocking list (medium).

Thanks for that. I'm on the old version still and mine does exactly the same with DNS set to exclusive. It's a shame it doesn't work anymore with it set to disabled as that's how I have mine setup.

@chongnt did you say it's still working for you?

 

[chongnt]

Thanks for that. I'm on the old version still and mine does exactly the same with DNS set to exclusive. It's a shame it doesn't work anymore with it set to disabled as that's how I have mine setup.

@chongnt did you say it's still working for you?

Do you mean the script to bind unbound to vpn client? Instead of bind it to openvpn client, I edit the script a bit to bind unbound to wireguard vpn client. Yes, Swinson script still works for me. Before this, I use his original script to bind unbound to openvpn client with no issue as well.
Are yours working as expected? I saw your detailed tutorial in post 237, seems like you get it working.

 

[Vertron]

Do you mean the script to bind unbound to vpn client? Instead of bind it to openvpn client, I edit the script a bit to bind unbound to wireguard vpn client. Yes, Swinson script still works for me. Before this, I use his original script to bind unbound to openvpn client with no issue as well.
Are yours working as expected? I saw your detailed tutorial in post 237, seems like you get it working.

Yes mines working too but I've not updated to the latest version yet and worried it will break it. I'm glad it's still working for you.

 

[chongnt]

Yes mines working too but I've not updated to the latest version yet and worried it will break it. I'm glad it's still working for you.

I have updated to the latest release with VPN Director after waited for a couple of weeks after released. I was worry something might breaks as well. The only problem I remember is with x3mRouting option 2. After uninstall option 2 and install with option 3, everything is fine.

 

[Kingp1n]

Do you mean the script to bind unbound to vpn client? Instead of bind it to openvpn client, I edit the script a bit to bind unbound to wireguard vpn client. Yes, Swinson script still works for me. Before this, I use his original script to bind unbound to openvpn client with no issue as well.
Are yours working as expected? I saw your detailed tutorial in post 237, seems like you get it working.

Wld you be able to share the modified script to use with unbound and wg? Thanks!

 

[chongnt]

Wld you be able to share the modified script to use with unbound and wg? Thanks!

Sure. I renamed the file to unbound_via_wg11.sh and make it executable.

Spoiler: unbound_via_wg11.sh

#!/bin/sh
Check_wg11_Con() {
ping -c1 -w1 -I wg11 1.1.1.1
}
Delete_Rules() {
ip rule del prio 9905 2>/dev/null
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}
Add_Rules() {
ip rule add from 0/0 fwmark 0xd1/0xd1 lookup 121 prio 9905
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0xd1/0xd1
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0xd1/0xd1
}
Poll_wg11() {
timer=$1
[ "$timer" = "0" ] && Post_log "Error Timeout" && exit 1 || sleep 2
Check_wg11_Con && Add_Rules || Poll_wg11 "$((timer-1))"
}
Post_log() {
$(logger -st "($(basename "$0"))" $$ "$1")
}
[ -z "$1" ] && Post_log "Script Arg Missing" && exit 1 || Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
Delete_Rules
case "$1" in
start)
Poll_wg11 "120" && Post_log "Bind Unbound to wg11. Ending Script Execution" && exit 0;;
stop)
Post_log "Bind Unbound to WAN. Ending Script Execution" && exit 0;;
*)
Post_log "Script Arg Invalid" && exit 1;;
esac

Add the start and stop option in wg11-route-up.sh and wg11-route-down.sh
In my case, I put it in /jffs/addons/wireguard/Scripts. You can put it in other directory like /jffs/scripts as well. Just make sure to put the correct path here.

Spoiler: wg11-route-up.sh

/jffs/addons/wireguard/Scripts/unbound_via_wg11.sh start &
logger -t $(basename $0) "unbound bind to wg11"

Spoiler: wg11-route-down.sh

/jffs/addons/wireguard/Scripts/unbound_via_wg11.sh stop &
logger -t $(basename $0) "unbound bind to WAN"