More Easily Enable/Disable VPN Director Rule


marclafountain

Occasional Visitor
I don’t think this question has already been asked here from my searching. Apologies if it has.

I live abroad and have a VPN Director rule in Asuswrt-Merlin that must be enabled for me to access some content and disabled for me to access other content. So, I am constantly going into the web admin for Asuswrt-Merlin to manually enable or disable this rule. (The needs are too complex to permanently include/exclude specific devices, domains, or IP addresses from VPN. I need to be able to easily turn the rule on/off.)

Is there some way I could have a webhook-like on/off trigger for the rule that I could easily control with a browser bookmark or Shortcuts or something like IFTTT, Zapier, or Integromat? (It’s fine if a solution only works from local devices. I don’t need to do this from outside my network.) Maybe some Entware-based solution?

Thanks for any advice you can offer.
 

eibgrad

Very Senior Member
The VPN Director implements routing policy by adding rules to the RPDB (Routing Policy DataBase). I suppose like so many things, you could hack it and add/remove rules dynamically. Obviously I don't recommend it.

You can examine the RPDB using the following command from an ssh session.

Code:
ip rule show

The rules are processed top to bottom in terms of priority.

I suppose you could even use ssh to trigger a script from your client to add/remove these rules.

The better option (if possible) would be to change the client. For example, I've had situations where the use of a guest VM was used solely to provide a secondary source IP, and thus trigger a different rule. You might then use the browser from either the guest VM or host depending on the behavior you wanted. IOW, you push the change out to the client to avoid having to mess w/ the router.

But truth be told, there is no really good solution at the router level. Routing policy, as implemented, is inherently static. And you're trying to impose dynamic behavior on top of it.

P.S. Frankly, I don't see all that much benefit in using anything other than the Enable/Disable feature of the VPN Director. From my playing around with it, it is dynamic in the sense that it doesn't appear to restart the OpenVPN client as the rule is enabled and disabled. I suppose the biggest complaint would be non-administrative users don't have access to the GUI.
 

pchabs

New Around Here
Interesting, I'm trying to do the same thing to toggle my router VPN on/off for a specific device when I'm trying to game. I'm looking into somehow making a shell script I can leave on my desktop to trigger "Enable/Disable/Apply" of specific VPN rules. I'll let you know if I'm able to figure it out.
 

Jack Yaz

Part of the Furniture
You can sed <1> for <0> and vice versa in /jffs/openvpn/vpndirector_rulelist for the relevant rule
 

elliottt

New Around Here
This seems to work (TV VPN example):

Enable rule:
Bash:
#!/bin/sh
sed -i 's/<0>Apple TV VPN>/<1>Apple TV VPN>/g' /jffs/openvpn/vpndirector_rulelist
service restart_vpnrouting0
/jffs/scripts/service-event restart vpnrouting0

Disable rule:

Bash:
#!/bin/sh
sed -i 's/<1>Apple TV VPN>/<0>Apple TV VPN>/g' /jffs/openvpn/vpndirector_rulelist
service restart_vpnrouting0
/jffs/scripts/service-event restart vpnrouting0
 

pchabs

New Around Here
> This seems to work (TV VPN example):
>
> Enable rule:
> Bash:
> #!/bin/sh
> sed -i 's/<0>Apple TV VPN>/<1>Apple TV VPN>/g' /jffs/openvpn/vpndirector_rulelist
> service restart_vpnrouting0
> /jffs/scripts/service-event restart vpnrouting0
>
> Disable rule:
>
> Bash:
> #!/bin/sh
> sed -i 's/<1>Apple TV VPN>/<0>Apple TV VPN>/g' /jffs/openvpn/vpndirector_rulelist
> service restart_vpnrouting0
> /jffs/scripts/service-event restart vpnrouting0

Nice, how would you do this in a completed terminal script file, along with router login, etc?
 

ColinTaylor

Part of the Furniture
> Nice, how would you do this in a completed terminal script file, along with router login, etc?

That would be down to the capabilities of whatever client software you are using on your PC.
 

marclafountain

Occasional Visitor
> You can sed <1> for <0> and vice versa in /jffs/openvpn/vpndirector_rulelist for the relevant rule

sed is working perfectly to make the 0/1 changes in the file. And I can easily trigger the changes via SSH in Shortcuts from my iPhone, iPad, or Apple Watch, which is awesome.

However, the changes in the file don’t take effect in terms of how the VPN rules behave.

I think clicking the Apply button on the VPN Director web page must cause some process to refresh or restart and see any rule changes. Is there a SSH command I can issue to trigger the same action that the Apply button does?
 

ColinTaylor

Part of the Furniture
> sed is working perfectly to make the 0/1 changes in the file. And I can easily trigger the changes via SSH in Shortcuts from my iPhone, iPad, or Apple Watch, which is awesome.
>
> However, the changes in the file don’t take effect in terms of how the VPN rules behave.
>
> I think clicking the Apply button on the VPN Director web page must cause some process to refresh or restart and see any rule changes. Is there a SSH command I can issue to trigger the same action that the Apply button does?

Are you also issuing the service restart_vpnrouting0 command to effect the change?
 

marclafountain

Occasional Visitor
> Are you also issuing the service restart_vpnrouting0 command to effect the change?

Whoops, I somehow didn’t see the more recent posts here mentioning that command. Apologies. Adding service restart_vpnrouting0 did the trick!

Do I need /jffs/scripts/service-event restart vpnrouting0 too? It seems to be working without it.
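
The enable and disable scripts posted above, folded into one toggle that validates the rule name before it reaches sed and restarts routing only when the file actually changed. This is an added example, not code from any poster in this thread: the function name set_rule, the RULELIST override, the script name in the usage comment and the allowed-character set are assumptions, while the file path, the <0>/<1> flag and service restart_vpnrouting0 come from the posts.

```shell
#!/bin/sh
# Added example: toggle one VPN Director rule by its description.
# Usage (script name is hypothetical): vpnrule.sh "Apple TV VPN" on|off
RULELIST="${RULELIST:-/jffs/openvpn/vpndirector_rulelist}"  # path from the thread

# set_rule NAME on|off
# Returns 0 = file changed, 1 = rule already in that state,
#         2 = bad argument or no rule with that description.
set_rule() {
    name=$1
    case $2 in
        on)  new=1 ;;
        off) new=0 ;;
        *)   return 2 ;;
    esac
    old=$((1 - new))

    # The name is pasted into a sed expression, so accept only an assumed
    # safe set (letters, digits, space, underscore, hyphen).
    stripped=$(printf '%s' "$name" | tr -d 'A-Za-z0-9 _-')
    [ -n "$name" ] && [ -z "$stripped" ] || return 2

    # "<flag>name>" is delimited on both sides, so "TV VPN" cannot match
    # inside "Apple TV VPN".
    if grep -qF "<$new>$name>" "$RULELIST"; then
        return 1
    fi
    grep -qF "<$old>$name>" "$RULELIST" || return 2

    # Write a temp copy and rename it so a failed sed never truncates the list.
    sed "s/<$old>$name>/<$new>$name>/g" "$RULELIST" > "$RULELIST.tmp" &&
        mv "$RULELIST.tmp" "$RULELIST"
}

# Entry point: restart VPN routing only when the file really changed.
if [ "$#" -eq 2 ]; then
    set_rule "$1" "$2"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        service restart_vpnrouting0   # command from the thread
    fi
    exit "$rc"
fi
```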
 
