Unbound Unbound DNS VPN Client w/policy rules

[Kingp1n]

0

Sure. I renamed the file to unbound_via_wg11.sh and make it executable.

Spoiler: unbound_via_wg11.sh

#!/bin/sh
Check_wg11_Con() {
ping -c1 -w1 -I wg11 1.1.1.1
}
Delete_Rules() {
ip rule del prio 9905 2>/dev/null
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}
Add_Rules() {
ip rule add from 0/0 fwmark 0xd1/0xd1 lookup 121 prio 9905
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0xd1/0xd1
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0xd1/0xd1
}
Poll_wg11() {
timer=$1
[ "$timer" = "0" ] && Post_log "Error Timeout" && exit 1 || sleep 2
Check_wg11_Con && Add_Rules || Poll_wg11 "$((timer-1))"
}
Post_log() {
$(logger -st "($(basename "$0"))" $$ "$1")
}
[ -z "$1" ] && Post_log "Script Arg Missing" && exit 1 || Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
Delete_Rules
case "$1" in
start)
Poll_wg11 "120" && Post_log "Bind Unbound to wg11. Ending Script Execution" && exit 0;;
stop)
Post_log "Bind Unbound to WAN. Ending Script Execution" && exit 0;;
*)
Post_log "Script Arg Invalid" && exit 1;;
esac

Add the start and stop option in wg11-route-up.sh and wg11-route-down.sh
In my case, I put it in /jffs/addons/wireguard/Scripts. You can put it in other directory like /jffs/scripts as well. Just make sure to put the correct path here.

Spoiler: wg11-route-up.sh

/jffs/addons/wireguard/Scripts/unbound_via_wg11.sh start &
logger -t $(basename $0) "unbound bind to wg11"

Spoiler: wg11-route-down.sh

/jffs/addons/wireguard/Scripts/unbound_via_wg11.sh stop &
logger -t $(basename $0) "unbound bind to WAN"

I appreciate the info.

I'm testing the swinson script again with Unbound & OPVN.

I have my VPNClient setup with DNS set to Disabled.

My ip rule shows:

admin@GT-AX11000-xxxx:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
9995:    from all fwmark 0x1000/0x1000 lookup ovpnc1
10010:    from 192.168.1.1/27 lookup main
10210:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default

iptables command shows:

admin@GT-AX11000-xxxx:/tmp/home/root# iptables -nvL OUTPUT -t mangle
Chain OUTPUT (policy ACCEPT 26328 packets, 5915K bytes)
pkts bytes target     prot opt in     out     source               destination      
2766  216K MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports 53,123 MARK xset 0x4009ffff/0xc03fffff
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports 53,853 MARK xset 0x4009ffff/0xc03fffff
12407 4900K MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports  !53,123 MARK xset 0x4003ffff/0xc03fffff
3987  368K MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports  !53,853 MARK xset 0x4003ffff/0xc03fffff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            149.112.112.112      udp dpt:53 /* unbound_rule */ MARK or 0x8000
    8   568 MARK       udp  --  *      *       0.0.0.0/0            9.9.9.9              udp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            149.112.112.112      tcp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            9.9.9.9              tcp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* unbound_rule */ MARK or 0x1000
  278 24825 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* unbound_rule */ MARK or 0x1000

All looks good so far. However, when I run the ipleak test, I see my VPN IP but my DNS shows as WAN IP.

Is this how is supposed to work now?

The reason I asked, it's because prior to VPN Director on the new fw, when using unbound with this script, the VPN IP & DNS would be the same (with DNS configuration set to "disabled").

It seems after I updated, it no longer shows both VPN IP & DNS when set to disabled. Unless I have something screwed up with my setup (which may very well be the case) haha

Just trying to confirm.

 

[chongnt]

0

I appreciate the info.

I'm testing the swinson script again with Unbound & OPVN.

I have my VPNClient setup with DNS set to Disabled.

My ip rule shows:

admin@GT-AX11000-xxxx:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
9995:    from all fwmark 0x1000/0x1000 lookup ovpnc1
10010:    from 192.168.1.1/27 lookup main
10210:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default

iptables command shows:

admin@GT-AX11000-xxxx:/tmp/home/root# iptables -nvL OUTPUT -t mangle
Chain OUTPUT (policy ACCEPT 26328 packets, 5915K bytes)
pkts bytes target     prot opt in     out     source               destination     
2766  216K MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports 53,123 MARK xset 0x4009ffff/0xc03fffff
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports 53,853 MARK xset 0x4009ffff/0xc03fffff
12407 4900K MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports  !53,123 MARK xset 0x4003ffff/0xc03fffff
3987  368K MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports  !53,853 MARK xset 0x4003ffff/0xc03fffff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            149.112.112.112      udp dpt:53 /* unbound_rule */ MARK or 0x8000
    8   568 MARK       udp  --  *      *       0.0.0.0/0            9.9.9.9              udp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            149.112.112.112      tcp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            9.9.9.9              tcp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* unbound_rule */ MARK or 0x1000
  278 24825 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* unbound_rule */ MARK or 0x1000

All looks good so far. However, when I run the ipleak test, I see my VPN IP but my DNS shows as WAN IP.

Is this how is supposed to work now?

The reason I asked, it's because prior to VPN Director on the new fw, when using unbound with this script, the VPN IP & DNS would be the same (with DNS configuration set to "disabled").

It seems after I updated, it no longer shows both VPN IP & DNS when set to disabled. Unless I have something screwed up with my setup (which may very well be the case) haha

Just trying to confirm.

By right your DNS IP should be your VPN IP if it works.
Looking at your iptables -nvL OUTPUT -t mangle output, I am not sure where the first 4 rules come from. Did you configure it from anywhere? The last 6 rows are from Swinson's script. If it works, you should see the last row numbers increasing when your clients DNS request is going through VPN Client 1.

 

[Kingp1n]

0

I appreciate the info.

I'm testing the swinson script again with Unbound & OPVN.

I have my VPNClient setup with DNS set to Disabled.

My ip rule shows:

admin@GT-AX11000-xxxx:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
9995:    from all fwmark 0x1000/0x1000 lookup ovpnc1
10010:    from 192.168.1.1/27 lookup main
10210:    from 192.168.1.0/24 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default

iptables command shows:

admin@GT-AX11000-xxxx:/tmp/home/root# iptables -nvL OUTPUT -t mangle
Chain OUTPUT (policy ACCEPT 26328 packets, 5915K bytes)
pkts bytes target     prot opt in     out     source               destination    
2766  216K MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports 53,123 MARK xset 0x4009ffff/0xc03fffff
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports 53,853 MARK xset 0x4009ffff/0xc03fffff
12407 4900K MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports  !53,123 MARK xset 0x4003ffff/0xc03fffff
3987  368K MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports  !53,853 MARK xset 0x4003ffff/0xc03fffff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            149.112.112.112      udp dpt:53 /* unbound_rule */ MARK or 0x8000
    8   568 MARK       udp  --  *      *       0.0.0.0/0            9.9.9.9              udp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            149.112.112.112      tcp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            9.9.9.9              tcp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* unbound_rule */ MARK or 0x1000
  278 24825 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* unbound_rule */ MARK or 0x1000

All looks good so far. However, when I run the ipleak test, I see my VPN IP but my DNS shows as WAN IP.

Is this how is supposed to work now?

The reason I asked, it's because prior to VPN Director on the new fw, when using unbound with this script, the VPN IP & DNS would be the same (with DNS configuration set to "disabled").

It seems after I updated, it no longer shows both VPN IP & DNS when set to disabled. Unless I have something screwed up with my setup (which may very well be the case) haha

Just trying to confirm.

Great question.
I'm not sure where the 1st 4 rules are coming from. I wonder if it's coming the "develop" FlexQoS? When i go to the stable version, I seems the script starts working again. Let me keep testing.

But I can honestly say, the script is currently not working for me since it's my DNS IP is not from VPN.

Ill do some research. Thanks for for confirming.

 

[chongnt]

Great question.
I'm not sure where the 1st 4 rules are coming from. I wonder if it's coming the "develop" FlexQoS? When i go to the stable version, I seems the script starts working again. Let me keep testing.

But I can honestly say, the script is currently not working for me since it's my DNS IP is not from VPN.

Ill do some research. Thanks for for confirming.

It seems come from flexqos. I’m not sure what is the impact. If you can temporarily disable it and see if the top 4 rules get deleted? From your output, most DNS queries to destination port 53 counters are in the 3rd and 4th row. For Swinson script to work, you should see most packets counts increases in the last row which bind it to open vpn client 1.

 

[Kingp1n]

It seems come from flexqos. I’m not sure what is the impact. If you can temporarily disable it and see if the top 4 rules get deleted? From your output, most DNS queries to destination port 53 counters are in the 3rd and 4th row. For Swinson script to work, you should see most packets counts increases in the last row which bind it to open vpn client 1.

Yes the cause comes from FlexQoS "develop" version. When I go to the stable version, everthing works again.

This is from the FlexQoS thread on the dev version:

If you don't use IPv6, the only other change in this version is a change to classify outbound DNS, DoT and NTP as Net Control. Previously, these bypassed QoS completely.

 

[Kingp1n]

So, once and if the FlexQoS dev script gets finalized (working flawlessly)...will the Swinson script rules need to be updated/modified to work with unbound and VPN?

If so, can someone smarter than me modify it and I can test with flexqos dev?

I was trying to mess with swinson script but couldn't get anywhere it.

Just trying to jump ahead...

Thanks!

 

[dave14305]

So, once and if the FlexQoS dev script gets finalized (working flawlessly)...will the Swinson script rules need to be updated/modified to work with unbound and VPN?

If so, can someone smarter than me modify it and I can test with flexqos dev?

I was trying to mess with swinson script but couldn't get anywhere it.

Just trying to jump ahead...

Thanks!

It looks like Swinson just uses the rules setup by x3mRouting, so both would have to agree on any changes. And both devs are silent. I suppose the onus is on me then to revert my change.

 

[Kingp1n]

It looks like Swinson just uses the rules setup by x3mRouting, so both would have to agree on any changes. And both devs are silent. I suppose the onus is on me then to revert my change.

@dave14305

Please don't revert any changes. I'm sure someone will come up with a solution.

 

[dave14305]

@dave14305

Please don't revert any changes. I'm sure someone will come up with a solution.

Practically speaking, you need two other guys to revive their respective scripts and decide a new fwmark scheme that won’t conflict with Adaptive QoS marks. Or I can make my outbound DNS changes dependent upon the non-existence of the x3mRouting script.

 

[Zim]

Anyone been able to get this to work with a different VPN client other than 1? Following instruction in this thread on page 6 give errors.

I am editing this script only: /jffs/scripts/unbound_via_vc1.sh

Does this look correct, if I want to run this on Client #2?

#!/bin/sh
Check_Tun12_Con() {
ping -c1 -w1 -I tun12 9.9.9.9
}
Delete_Rules() {
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}
Add_Rules(){
Delete_Rules
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}
Call_unbound_manager() {
/jffs/addons/unbound/unbound_manager.sh vpn="$2"
}
Poll_Tun12() {
timer=$1
[ -z $timer ] && Post_log "Error Timeout" && exit 1 || sleep 2
Check_Tun12_Con && Add_Rules && Call_unbound_manager "1" || Poll_Tun12 "$((timer--))"
}
Post_log() {
$(logger -st "($(basename "$0"))" $$ "$2")
}
[ -z "$2" ] && Post_log "Script Arg Missing" && exit 1 || Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
Delete_Rules
case "$2" in
start)
Poll_Tun11 "150" && Post_log "Ending Script Execution" && exit 0;;
stop)
Call_unbound_manager "disable" && Post_log "Ending Script Execution" && exit 0;;
*)
Post_log "Script Arg Invalid" && exit 1;;
esac

I get error when I run this.

 

[chongnt]

Anyone been able to get this to work with a different VPN client other than 1? Following instruction in this thread on page 6 give errors.

I am editing this script only: /jffs/scripts/unbound_via_vc1.sh

Does this look correct, if I want to run this on Client #2?

#!/bin/sh
Check_Tun12_Con() {
ping -c1 -w1 -I tun12 9.9.9.9
}
Delete_Rules() {
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}
Add_Rules(){
Delete_Rules
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}
Call_unbound_manager() {
/jffs/addons/unbound/unbound_manager.sh vpn="$2"
}
Poll_Tun12() {
timer=$1
[ -z $timer ] && Post_log "Error Timeout" && exit 1 || sleep 2
Check_Tun12_Con && Add_Rules && Call_unbound_manager "1" || Poll_Tun12 "$((timer--))"
}
Post_log() {
$(logger -st "($(basename "$0"))" $$ "$2")
}
[ -z "$2" ] && Post_log "Script Arg Missing" && exit 1 || Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
Delete_Rules
case "$2" in
start)
Poll_Tun11 "150" && Post_log "Ending Script Execution" && exit 0;;
stop)
Call_unbound_manager "disable" && Post_log "Ending Script Execution" && exit 0;;
*)
Post_log "Script Arg Invalid" && exit 1;;
esac

I get error when I run this.

Seems like you missed one

Poll_Tun11 "150" && Post_log "Ending Script Execution" && exit 0;;

 

[Martineau]

Practically speaking, you need two other guys to revive their respective scripts and decide a new fwmark scheme that won’t conflict with Adaptive QoS marks. Or I can make my outbound DNS changes dependent upon the non-existence of the x3mRouting script.

I proposed the Selective Routing fwmarks back in 2016, and in 2017 @Xentrk joined the forum, and adopted/adapted my initial Selective Routing fwmarks solution for x3mrouting

Given its wide success/acceptance I eventually provided formal WiKi documention in May 2019

Policy based Port routing (manual method)

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

More recently, others have apparently followed the WiKi and created useful solutions
e.g. @garycnew

Tutorial - [SOLUTION] OpenVPN Client Split Tunnel for BitTorrent Traffic

[SOLUTION] OpenVPN Client Split Tunnel for BitTorrent Traffic Requirements/Assumptions: 1. An Asuswrt-Merlin Compatible Router (i.e., Asus RT-AC66U) 2. Asuswrt-Merlin Compatible Firmware (i.e., 384.19) 3. Established OpenVPN Client Connection (Force Internet traffic through tunnel: Policy...

www.snbforums.com

So, clearly x3mrouting is not a mandatory prereq to successfully implement use of the current Selective Routing fwmarks, therefore the existence (or not) of the x3mRouting script should not be the criteria for determining if Selective Routing fwmarks are being used.

 

[dave14305]

So, clearly x3mrouting is not a mandatory prereq to successfully implement use of the current Selective Routing fwmarks, therefore the existence (or not) of the x3mRouting script should not be the criteria for determining if Selective Routing fwmarks are being used.

I’ve made an update to not overwrite the same bits.

Avoid conflicts with Selective Routing fwmarks · dave14305/FlexQoS@cf6ddbf

FlexQoS - Flexible QoS Enhancement Script for Adaptive QoS on ASUSWRT-Merlin - Avoid conflicts with Selective Routing fwmarks · dave14305/FlexQoS@cf6ddbf

github.com

@Kingp1n please force a FlexQoS update on the develop branch and see if it works better.

 

[Zim]

Seems like you missed one

Poll_Tun11 "150" && Post_log "Ending Script Execution" && exit 0;;

Good catch, but that's still a no go.

After making the changes again, I still get an error when I run/start the script. Here's the error I get.


(unbound_via_vc2.sh): 14035


Every time I run the script I get the same error but with different numbers at the end.

Do I need to make changes to any other script?

 

[Martineau]

Good catch, but that's still a no go.

After making the changes again, I still get an error when I run/start the script. Here's the error I get.


(unbound_via_vc2.sh): 14035


Every time I run the script I get the same error but with different numbers at the end.

Do I need to make changes to any other script?

As a quick hack... try passing two arguments to the script... and might as well run in debug mode to confirm the root cause (and the other error!)
e.g.

sh -x /jffs/scripts/unbound_via_vc2.sh start start

 

[Kingp1n]

I’ve made an update to not overwrite the same bits.

Avoid conflicts with Selective Routing fwmarks · dave14305/FlexQoS@cf6ddbf

FlexQoS - Flexible QoS Enhancement Script for Adaptive QoS on ASUSWRT-Merlin - Avoid conflicts with Selective Routing fwmarks · dave14305/FlexQoS@cf6ddbf

github.com

@Kingp1n please force a FlexQoS update on the develop branch and see if it works better.

@dave14305

I appreciate the quick update/modification on the Flex script.

All is working again with Swinson script and Unbound.

I had to restart VPN1 after the updat but all is working again!

Thanks again!

New iptables output

admin@GT-AX11000-xxxx:/tmp/home/root# iptables -nvL OUTPUT -t mangle
Chain OUTPUT (policy ACCEPT 36914 packets, 4520K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1323  103K MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports 53,123 MARK xset 0x40090000/0xc03f0000
    0     0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports 53,853 MARK xset 0x40090000/0xc03f0000
 2036  617K MARK       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports  !53,123 MARK xset 0x4003ffff/0xc03fffff
 2575  172K MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports  !53,853 MARK xset 0x4003ffff/0xc03fffff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            149.112.112.112      udp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       udp  --  *      *       0.0.0.0/0            9.9.9.9              udp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            149.112.112.112      tcp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            9.9.9.9              tcp dpt:53 /* unbound_rule */ MARK or 0x8000
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* unbound_rule */ MARK or 0x1000
  161 15951 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* unbound_rule */ MARK or 0x1000

 

[DreaZ]

I got a question.

Im using unbound manager with OpenVPN connected as strict with policy rules in the Asus GUI. If I do a dns leak test, it shows my IP from the VPN prov, but DNS from my ISP. Is this correct? Should it not be the DNS from my VPN prov?

 

[Kingp1n]

I got a question.

Im using unbound manager with OpenVPN connected as strict with policy rules in the Asus GUI. If I do a dns leak test, it shows my IP from the VPN prov, but DNS from my ISP. Is this correct? Should it not be the DNS from my VPN prov?

You would have to use the swinson script for your DNS script to show as your VPN with unbound.

 

[Zim]

As a quick hack... try passing two arguments to the script... and might as well run in debug mode to confirm the root cause (and the other error!)
e.g.

sh -x /jffs/scripts/unbound_via_vc2.sh start start

Thanks for the suggestion @Martineau . I tried this and make some tweaks (trial and error) now the script below runs without errors. It shows the DNS requests routed through VC2, BUT the DNS leak test reports the IP of VC1. After restarting the router the results are the same.

#!/bin/sh
Check_Tun12_Con() {
ping -c1 -w1 -I tun12 1.1.1.1
}
Delete_Rules() {
iptables-save | grep "unbound_rule" | sed 's/^-A/iptables -t mangle -D/' | while read CMD;do $CMD;done
}
Add_Rules(){
Delete_Rules
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns##*.*.*.* }"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -d "${wan0_dns%% *.*.*.*}"/32 -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -A OUTPUT -p tcp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A OUTPUT -p udp --dport 53 -m comment --comment unbound_rule -j MARK --set-mark 0x1000/0x1000
}
Call_unbound_manager() {
/jffs/addons/unbound/unbound_manager.sh vpn="2"
}
Poll_Tun12() {
timer=$1
[ -z $timer ] && Post_log "Error Timeout" && exit 1 || sleep 2
Check_Tun12_Con && Add_Rules && Call_unbound_manager "1" || Poll_Tun12 "$((timer--))"
}
Post_log() {
$(logger -st "($(basename "$0"))" $$ "$1")
}
[ -z "$1" ] && Post_log "Script Arg Missing" && exit 1 || Post_log "Starting Script Execution"
wan0_dns="$(nvram get wan0_dns)"
Delete_Rules
case "$1" in
start)
Poll_Tun12 "150" && Post_log "Ending Script Execution" && exit 0;;
stop)
Call_unbound_manager "disable" && Post_log "Ending Script Execution" && exit 0;;
*)
Post_log "Script Arg Invalid" && exit 1;;
esac

I noticed that in the original script this line has a "$"
/jffs/addons/unbound/unbound_manager.sh vpn="$1"

When I use vpn="$2" or "$3" or "$4" or "$5" I get an error.
(unbound_manager.sh): 2691 ***ERROR Invalid argument '' must be numeric '1-5' or 'disable'.

It appears to work when I remove $

Could this be the issue?

 

[dave14305]

It shows the DNS requests routed through VC2, BUT the DNS leak test reports the IP of VC1. After restarting the router the results are the same.

I think you need to replace all 0x1000/0x1000 with 0x2000/0x2000 to route through ovpnc2.