Hi everyone,
I’ve developed a working solution for application-based policy routing. The basic idea is to detect which application is running on a target device, and then automatically set a VPN Director rule to route that device’s IP through the appropriate VPN.
Let me break it down into sections.
Step 1: Detecting Which App Is Running on a Device
As an example, let’s take an Android device.
First, install adb on your router (using opkg):
Code:
ssh [email protected]
opkg update
opkg install adb
Once adb is installed, you can query the currently active app on the target Android device. For example:
Code:
adb connect 192.168.1.125:5555
adb -s 192.168.1.125:5555 shell dumpsys window | grep mCurrentFocus
On my NVIDIA Shield, this returns something like:
Code:
mCurrentFocus=Window{52bbc7c u0 com.nvidia.bbciplayer/com.nvidia.bbciplayer.BaseWebViewActivity}
This lets you know exactly which application is currently active.
Step 2: Updating VPN Director Rules
Once you know the active app, you can modify the VPN Director rule for the device (e.g., 192.168.1.125) and redirect it to the correct VPN.
- Disable all VPN Director rules for the device. For example:
Code:
sed -r -i.bak 's/<[01]>([^>]*>192\.168\.1\.125>>)/<0>\1/g' /jffs/openvpn/vpndirector_rulelist
- Enable only the rule that redirects the device to the correct VPN. In my case, UK:
Code:
sed -r -i.bak 's/<[01]>(NVIDIA_WGC2>192\.168\.1\.125>>)/<1>\1/g' /jffs/openvpn/vpndirector_rulelist
This works because I pre-created a rule named NVIDIA_WGC2 (via the Merlin web interface) that routes the local IP 192.168.1.125 through WireGuard2.
Finally, restart the VPN Director service:
Code:
service restart_vpnrouting0
I’ve been testing this with a script that runs every 3 seconds. It works quite reliably, but see cron advice here:
Sometimes apps check geolocation too quickly and may fail the first time, but usually succeed on a second run.
Changing WireGuard Configurations on the Fly
If you run out of VPN slots, you can also dynamically change the WireGuard client configuration. For example:
Code:
#!/bin/sh
# Configure WireGuard client wgc5 on ASUS Merlin
echo "Configuring WireGuard client wgc5 (NORD - Canada)..."
wgc5_enable=0
service stop_wgc
nvram set wgc5_addr="10.5.0.2/16"
nvram set wgc5_desc="NORD - Canada"
nvram set wgc5_ep_addr="iphere"
nvram set wgc5_ep_port="51820"
nvram set wgc5_ppub="yourkeyhere"
nvram set wgc5_priv="yourkeyhere"
nvram set wgc5_aips="0.0.0.0/0,::/0"
nvram commit
sleep 1
service start_wgc
echo "Done."
This allows you to switch regions on demand.
Managing ADB Pairing Keys
For this setup, you’ll need ADB debugging enabled on your Android device.
The first time you connect, you’ll have to authorize your ASUS router on the Android device. Once authorized, the router will generate keys in ~/.android/:
Code:
ls ~/.android/
adbkey adbkey.pub
These keys do not survive reboots, so you should back them up and restore them automatically before connecting:
Backup (one-time setup):
Code:
mkdir -p /jffs/bootsurvive/android/
cp ~/.android/* /jffs/bootsurvive/android/
Always Restore before connecting:
Code:
/bin/mkdir -p ~/.android/
/bin/cp /jffs/bootsurvive/android/* ~/.android/
With this approach, you can dynamically route traffic based on the active app on your Android device. It’s flexible, scriptable, and in my experience works well in practice.
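The polling step from Steps 1 and 2 as one script, added here as an example and not the author's own script: it validates the package name that adb returns, maps it through an allowlist to a pre-created rule, and reports a change only when the rule list was actually rewritten, so the service is not restarted on every poll. The second package name and the NVIDIA_WGC5 rule are hypothetical.

```shell
#!/bin/sh
# Added example (not the author's script). NVIDIA_WGC2, the IP and the rule-list
# path come from the post; com.example.catv / NVIDIA_WGC5 are hypothetical.
DEVICE_IP="192.168.1.125"
RULELIST="${RULELIST:-/jffs/openvpn/vpndirector_rulelist}"

# Print the focused package from one mCurrentFocus line. The string comes from
# the device, so anything that is not a plain package name is rejected.
focus_package() {
    printf '%s\n' "$1" |
        sed -n 's#^.*mCurrentFocus=Window{[^ ]* [^ ]* \([^/ }]*\)/.*$#\1#p' |
        grep -E '^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$'
}

# Allowlist: package -> pre-created rule name. Device output is only compared
# here and never interpolated into the sed expressions below.
rule_for_package() {
    case "$1" in
        com.nvidia.bbciplayer) echo "NVIDIA_WGC2" ;;
        com.example.catv)      echo "NVIDIA_WGC5" ;;  # hypothetical mapping
        *) return 1 ;;
    esac
}

# Enable only rule $1 for DEVICE_IP. Returns 0 if the file changed, 1 if it
# was already in the wanted state, 2 on error.
apply_rule() {
    ip_re=$(printf '%s' "$DEVICE_IP" | sed 's/\./\\./g')
    tmp="$RULELIST.new"
    sed -r -e "s/<[01]>([^>]*>$ip_re>>)/<0>\1/g" \
           -e "s/<0>($1>$ip_re>>)/<1>\1/g" "$RULELIST" > "$tmp" || return 2
    if cmp -s "$tmp" "$RULELIST"; then rm -f "$tmp"; return 1; fi
    cp "$RULELIST" "$RULELIST.bak" && mv "$tmp" "$RULELIST" || return 2
}

# One polling step: returns 0 only when the rule list was rewritten, i.e. when
# VPN Director actually needs a restart.
route_for_focus() {
    pkg=$(focus_package "$1") || return 1
    rule=$(rule_for_package "$pkg") || return 1
    apply_rule "$rule"
}

# On the router (left commented so the functions can be tried offline):
# line=$(adb -s "$DEVICE_IP:5555" shell dumpsys window | grep mCurrentFocus)
# route_for_focus "$line" && service restart_vpnrouting0
```

An app that is not in the allowlist leaves the rule list untouched, so the device keeps whatever route was last applied.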