This is amazing @Martineau. Thanks for taking the time to write this. Greatly appreciated!!!
Whilst I do not wish to offend @Swinson, in light of his current ongoing forum absence since June 2021, I have created a generic version of his original script that should allow you to designate any VPN client without the need to edit/hack the script.
You can download/test it from
Unbound-Asuswrt-Merlin/unbound_DNS_via_OVPN.sh at dev · MartineauUK/Unbound-Asuswrt-Merlin
Install and manage unbound (Recursive DNS) on Asus routers - MartineauUK/Unbound-Asuswrt-Merlin (github.com)
Clearly your previous statement [the script] 'did not provide a reliable solution' needs to be made clearer... i.e. are you absolutely sure that the DNS Leak test is always 100% accurate?
IMHO, x3mrouting shouldn't be necessary just for your DNS routing requirement? - see below
If not using x3mrouting then you need to implement the RPDB fwmark rules manually...
see '/jffs/scripts/nat-start'
Policy based Port routing (manual method) · RMerl/asuswrt-merlin.ng Wiki · GitHub
to ensure that the RPDB fwmark rules are always available should the firewall be rebuilt whilst the VPN Client is UP.
(x3mrouting dynamically adds/deletes the RPDB fwmark rules only when the VPN Client is actually started/stopped!)
EDIT:
If you decide to test my generic '/jffs/addons/unbound/unbound_DNS_via_OVPN.sh' script then you should ensure ALL of the 'vpnclientX-route-*' event scripts contain the appropriate call
e.g. VPN Client 5
'/jffs/scripts/vpnclient5-route-up'
Code:
VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }   # Allow manual debugging from commandline
# 'Say' is a logging helper; a bare event script does not define it, so fall back to logger if it is missing
type Say >/dev/null 2>&1 || Say() { logger -st "($(basename "$0"))" "$@"; }
if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
   Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
   /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &
fi
and '/jffs/scripts/vpnclient5-route-pre-down'
Code:
VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }   # Allow manual debugging from commandline
# Same 'Say' fallback as in the route-up script
type Say >/dev/null 2>&1 || Say() { logger -st "($(basename "$0"))" "$@"; }
if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
   Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
   /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop
fi
I see a few people have successfully tried this with x3mrouting installed. I'm trying this without x3mrouting. Here is what I have done.
1.) Copy+pasted and added your script unbound_DNS_via_OVPN.sh in /jffs/addons/unbound/
2.) In the script above, changed this: VPN_ID=$1 to VPN_ID=4 (want DNS queries tunneled through VPN4)
3.) Under /jffs/scripts/ modified the following files:
- for init-start added:
Code:
modprobe xt_comment
- for nat-start added:
Code:
#!/bin/sh
sleep 10
# During the boot process nat-start may run multiple times so this is required
# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
do
   ip rule del prio 999$VPN_ID 2>/dev/null
done
# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990     # WAN fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991   # VPN 4 fwmark
- for vpnclient4-route-up added:
Code:
#!/bin/sh
logger -t $(basename $0) "OpenVPN Client 4 coming up ..."
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991   # VPN 4 fwmark
VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }   # Allow manual debugging from commandline
# 'Say' is not defined in a bare event script; fall back to logger if it is missing
type Say >/dev/null 2>&1 || Say() { logger -st "($(basename "$0"))" "$@"; }
if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
   Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
   /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &
fi
- for vpnclient4-route-pre-down added:
Code:
#!/bin/sh
logger -t $(basename $0) "OpenVPN Client 4 going down ..."
ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990     # WAN fwmark
VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename $0); VPN_ID=${SCR:9:1}; }   # Allow manual debugging from commandline
# Same 'Say' fallback as in the route-up script
type Say >/dev/null 2>&1 || Say() { logger -st "($(basename "$0"))" "$@"; }
if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
   Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
   /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop
fi
After doing all this, I reboot the router. When I run ip rule, I can see entries for 0x8000/0x8000 and 0x7000/0x7000, but for some reason, the DNS queries are going through VPN1. Oddly, when I go through a few reboot cycles, sometimes the DNS queries are going through VPN1/VPN3/VPN4.
Questions:
1.) Are the steps listed above correct?
2.) Why are the DNS queries not consistently going through VPN4? Anything I need to add/remove to get this to work?
3.) With this setup, what happens if the VPN4 goes down, does the DNS query go to the next available tunnel, or does it now leak my IP?
4.) The script doesn't appear to run by itself on reboot. Or if it is, the VPN tunnel is not up by that time and I need to delay the start of the script.
a.) For this script to startup at reboot, do I need to add this code to services-start
Code:
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh 4 start
b.) For adding more delay for the script to run at startup, in unbound_DNS_via_OVPN.sh, should I change:
Code:
[ -z "$3" ] && MAX_WAIT=150 || MAX_WAIT=$3
to:
Code:
[ -z "$3" ] && MAX_WAIT=300 || MAX_WAIT=$3
5.) Lastly, is it possible to have all devices connected to a VPN have that VPN's IP address for DNS? For example:
- Devices A/B/C are connected to VPN1; their DNS IP should be that of VPN1
- Devices D/E/F are connected to VPN2; their DNS IP should be that of VPN2
- Devices G/H/I are connected to VPN3; their DNS IP should be that of VPN3
- ...and so on.
Once I get everything sorted, I'll update this post and hope it will serve as a step-by-step guide for future/present visitors (until someone can create an installer).
Appreciate the help, @Martineau and all!
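As an added diagnostic for the manual RPDB setup discussed in both posts above (the fwmark rules that nat-start must create, and the VPN_ID derivation used by the vpnclientX-route-* hooks), here is a POSIX shell script. It is not Martineau's unbound_DNS_via_OVPN.sh, not x3mrouting, and not code from either poster. The priorities, marks and table names (prio 9990/9991, 0x8000/0x8000, 0x7000/0x7000, ovpnc4) are taken from the nat-start in the thread; the `ip rule show` sample is constructed, and the `--live` switch for reading the router's real rules is my own assumption.

```shell
#!/bin/sh
# Added diagnostic for the thread's manual RPDB setup; not part of Martineau's
# unbound_DNS_via_OVPN.sh, x3mrouting or either post above.
# On the router run:  sh check_dns_rpdb.sh --live   (otherwise a constructed sample is used)

# Derive the VPN client id the way the vpnclientX-route-* hooks do:
# from OpenVPN's $dev (tun11..tun15 -> 1..5), else from the hook's file name
# (vpnclient4-route-up -> 4). sed replaces ${var:off:len} so this also runs
# on shells without that extension.
vpn_id_from() {                                   # $1 = $dev, $2 = script basename
    _id=$(printf '%s' "$1" | sed -n 's/^tun1\([1-5]\)$/\1/p')
    [ -z "$_id" ] && _id=$(printf '%s' "$2" | sed -n 's/^vpnclient\([1-5]\)-route-.*$/\1/p')
    printf '%s' "$_id"
}

# True if the `ip rule show` output on stdin contains a rule with this exact
# priority, fwmark/mask and lookup table.
has_fwmark_rule() {                               # $1 = prio, $2 = mark/mask, $3 = table
    grep -E -q "^$1:[[:space:]]+from all fwmark $2 lookup $3([[:space:]]|$)"
}

# Number of rules at a given priority (stdin = `ip rule show` output).
# Anything other than 1 means the rule is missing or was added twice.
count_prio() {                                    # $1 = prio
    grep -c "^$1:" || true
}

# Verify the two rules the thread's nat-start creates for one VPN client:
#   prio 9990 -> fwmark 0x8000/0x8000 -> table main     (WAN)
#   prio $2   -> fwmark $3             -> table ovpnc$1  (VPN client $1)
# Reads `ip rule show` output on stdin; returns 0 only if both are present
# and the VPN rule exists exactly once, printing what is wrong otherwise.
check_dns_rules() {                               # $1 = VPN id, $2 = its prio, $3 = its mark/mask
    _rules=$(cat)
    _ok=0
    printf '%s\n' "$_rules" | has_fwmark_rule 9990 '0x8000/0x8000' main \
        || { echo "missing: WAN fwmark rule (prio 9990, 0x8000/0x8000 -> main)"; _ok=1; }
    printf '%s\n' "$_rules" | has_fwmark_rule "$2" "$3" "ovpnc$1" \
        || { echo "missing: VPN $1 fwmark rule (prio $2, $3 -> ovpnc$1)"; _ok=1; }
    [ "$(printf '%s\n' "$_rules" | count_prio "$2")" = 1 ] \
        || { echo "prio $2 is not present exactly once (duplicate or missing rule)"; _ok=1; }
    return $_ok
}

# Constructed sample of `ip rule show` output matching the nat-start in the
# thread (real output separates the priority from the rule with a tab).
SAMPLE_RULES='0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x7000/0x7000 lookup ovpnc4
32766:  from all lookup main
32767:  from all lookup default'

if [ "${1:-}" = "--live" ] && command -v ip >/dev/null 2>&1; then
    RULES=$(ip rule show)
else
    RULES=$SAMPLE_RULES
fi

# VPN client 4 with the priority and mark used in the posts above.
if printf '%s\n' "$RULES" | check_dns_rules 4 9991 0x7000/0x7000; then
    echo "RPDB rules for Unbound via VPN Client 4 look correct"
else
    echo "RPDB rules for VPN Client 4 need attention (re-run /jffs/scripts/nat-start?)"
fi
```

The count check is there because `ip rule add` happily creates a second identical rule: the nat-start above deletes prio 9990-9995 before adding, but the route-up hook adds prio 9991 again without deleting it first, so after a few VPN restarts the same rule can be present several times. That is harmless for routing but makes `ip rule` output misleading when you are trying to work out which table DNS traffic actually uses.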