MartineauUK/Unbound-Asuswrt-Merlin

VPN tunnel for unbound only

Closed this issue · 0 comments

Can someone help me understand how to configure it?
The VPN Client has a "Force Internet traffic through tunnel" option. If I set it to No and also add route-nopull to the Custom Configuration field, this seems to have almost the same effect as using the empty Policy Rules table instead of No.

curl ifconfig.co returns ISP IP.
curl --interface tun11 ifconfig.co returns VPN IP.
ip route:

default via 192.168.1.254 dev eth0 # ISP
10.8.8.0/24 dev tun11 proto kernel scope link src 10.8.8.48 # VPN client
10.11.12.0/24 dev tun21 proto kernel scope link src 10.11.12.1 # VPN server
127.0.0.0/8 dev lo scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.90
192.168.1.0/24 dev eth4 proto kernel scope link src 192.168.1.65
192.168.1.254 dev eth4 scope link
192.168.44.0/24 dev br0 proto kernel scope link src 192.168.44.254 # LAN

unbound_manager vpn=1:

unbound requests via VPN Client 1 (10.8.8.48) tunnel ENABLED
15:50:28 Checking 'unbound.conf' for valid Syntax.....
15:50:28 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=930/752 rrset.cache=3509/3157
15:50:28 Requesting unbound (S61unbound) restart.....
 Shutting down unbound...              done.
 Starting unbound...              done.
15:50:29 Checking status, please wait.....
15:50:31 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2021-06-28 15:50:28) msg.cache=26/752 rrset.cache=122/3157
15:50:32 unbound OK

Still, DNS requests go via the ISP, which does block some DNS servers by IP:
dig pm.me @192.168.44.254

; <<>> DiG 9.10.6 <<>> pm.me @192.168.44.254
;; global options: +cmd
;; connection timed out; no servers could be reached

It's probably a dumb mistake of the legal system, because even the ISP's DNS resolves it, and the actual service's IP is not blocked.
dig pm.me @192.168.1.254

; <<>> DiG 9.10.6 <<>> pm.me @192.168.1.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28892
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
pm.me.			373	IN	A	185.70.42.16

;; Query time: 60 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Mon Jun 28 16:14:21 MSK 2021
;; MSG SIZE  rcvd: 50

Without route-nopull:
Both curl ifconfig.co and curl --interface tun11 ifconfig.co return the VPN IP.
Both unbound_manager vpn=1 and unbound_manager vpn=disable allow access to the blocked DNS server.
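The behaviour reported above can be read directly off the ip route table in the post: with route-nopull there is no default route through tun11, so only destinations inside 10.8.8.0/24 egress the tunnel and every public resolver address falls back to the default route via eth0 (the ISP). The following is an added Python example, not code from the issue or from the unbound_manager project, that reproduces the kernel's longest-prefix lookup over that exact table; the resolver address 203.0.113.53 is a constructed placeholder, not a real upstream.

```python
"""Longest-prefix-match lookup over the `ip route` table quoted in the issue."""
import ipaddress

# Routing table exactly as shown in the post (route-nopull set, so no
# default route via tun11). Comments from the post are dropped.
ROUTE_TABLE = """\
default via 192.168.1.254 dev eth0
10.8.8.0/24 dev tun11 proto kernel scope link src 10.8.8.48
10.11.12.0/24 dev tun21 proto kernel scope link src 10.11.12.1
127.0.0.0/8 dev lo scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.90
192.168.1.0/24 dev eth4 proto kernel scope link src 192.168.1.65
192.168.1.254 dev eth4 scope link
192.168.44.0/24 dev br0 proto kernel scope link src 192.168.44.254
"""

def parse_routes(text):
    """Return [(network, dev, src)] from `ip route` output; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1]
        src = fields[fields.index("src") + 1] if "src" in fields else None
        routes.append((net, dev, src))
    return routes

def lookup(routes, dst):
    """Pick the most specific matching route, like `ip route get`; first wins on ties."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, dev, src in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, src)
    return None if best is None else (best[1], best[2])

def egress_report(route_text, destinations):
    """Map each destination to the device its packets would leave on."""
    routes = parse_routes(route_text)
    return {d: lookup(routes, d)[0] for d in destinations}

if __name__ == "__main__":
    # 203.0.113.53 is a constructed stand-in for an upstream resolver address.
    for dst, dev in egress_report(ROUTE_TABLE, ["203.0.113.53", "10.8.8.1"]).items():
        print(f"{dst:>15} -> {dev}   ({'VPN' if dev == 'tun11' else 'not VPN'})")
```

Running it shows the upstream resolver egressing on eth0 while only the tunnel's own /24 reaches tun11, which is why a resolver blocked by the ISP times out until a default or policy route through tun11 exists.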