More Easily Enable/Disable VPN Director Rule


marclafountain

Occasional Visitor
I don’t think this question has already been asked here from my searching. Apologies if it has.

I live abroad and have a VPN Director rule in Asuswrt-Merlin that must be enabled for me to access some content and disabled for me to access other content. So, I am constantly going into the web admin for Asuswrt-Merlin to manually enable or disable this rule. (The needs are too complex to permanently include/exclude specific devices, domains, or IP addresses from VPN. I need to be able to easily turn the rule on/off.)

Is there some way I could have a webhook-like on/off trigger for the rule that I could easily control with a browser bookmark or Shortcuts or something like IFTTT, Zapier, or Integromat? (It’s fine if a solution only works from local devices. I don’t need to do this from outside my network.) Maybe some Entware-based solution?

Thanks for any advice you can offer.
 
The VPN Director implements routing policy by adding rules to the RPDB (Routing Policy DataBase). I suppose like so many things, you could hack it and add/remove rules dynamically. Obviously I don't recommend it.

You can examine the RPDB using the following command from an ssh session.

Code:
ip rule show

The rules are processed top to bottom in terms of priority.

I suppose you could even use ssh to trigger a script from your client to add/remove these rules.

The better option (if possible) would be to change the client. For example, I've had situations where the use of a guest VM was used solely to provide a secondary source IP, and thus trigger a different rule. You might then use the browser from either the guest VM or host depending on the behavior you wanted. IOW, you push the change out to the client to avoid having to mess w/ the router.

But truth be told, there is no really good solution at the router level. Routing policy, as implemented, is inherently static. And you're trying to impose dynamic behavior on top of it.

P.S. Frankly, I don't see all that much benefit in using anything other than the Enable/Disable feature of the VPN Director. From my playing around with it, it is dynamic in the sense that it doesn't appear to restart the OpenVPN client as the rule is enabled and disabled. I suppose the biggest complaint would be that non-administrative users don't have access to the GUI.
 
Interesting, I'm trying to do the same thing to toggle my router VPN on/off for a specific device when I'm trying to game. I'm looking into somehow making a shell script I can leave on my desktop to trigger "Enable/Disable/Apply" of specific VPN rules. I'll let you know if I'm able to figure it out.
 
You can sed <1> for <0> and vice versa in /jffs/openvpn/vpndirector_rulelist for the relevant rule
 
This seems to work (TV VPN example):

Enable rule:
Bash:
#!/bin/sh
# Flip the rule described as "Apple TV VPN" from disabled (<0>) to enabled (<1>)
# in the VPN Director rule file. The description is followed by '>' in the
# pattern so that a rule with a longer name sharing this prefix is not touched.
sed -i 's/<0>Apple TV VPN>/<1>Apple TV VPN>/g' /jffs/openvpn/vpndirector_rulelist
# Reload the VPN Director rules so the change takes effect
service restart_vpnrouting0
# Run the user service-event hook with the same event, only if one is installed
[ -x /jffs/scripts/service-event ] && /jffs/scripts/service-event restart vpnrouting0

Disable rule:

Bash:
#!/bin/sh
# Same edit in the other direction: enabled (<1>) back to disabled (<0>)
sed -i 's/<1>Apple TV VPN>/<0>Apple TV VPN>/g' /jffs/openvpn/vpndirector_rulelist
# Reload the VPN Director rules so the change takes effect
service restart_vpnrouting0
# Run the user service-event hook with the same event, only if one is installed
[ -x /jffs/scripts/service-event ] && /jffs/scripts/service-event restart vpnrouting0
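Putting the two ideas from the thread together (flip the enable flag of a record in /jffs/openvpn/vpndirector_rulelist with sed, then run service restart_vpnrouting0 to apply it), here is an added example script that is not from any of the posts above. It toggles a rule by its description, checks that the rule actually exists before editing anything (so a typo in the name fails instead of silently doing nothing), keeps a backup of the file, and can be called over ssh from a phone Shortcut or a desktop bookmark. Assumptions not stated on the page: the rule file holds records of the form <enabled>description>local>remote>iface, possibly several on one line separated by '<', as the posted sed patterns imply; the file name vpnrule.sh and the function names set_rule, rule_state and apply_rules are chosen here; RULEFILE can be overridden in the environment to test against a copy.

```sh
#!/bin/sh
# Added example, not code from the thread: toggle a VPN Director rule by description.
# Assumed record format, inferred from the sed patterns posted in this thread:
#   <enabled>description>local>remote>iface   e.g. <1>Apple TV VPN>192.168.1.50>>OVPN1
# Records are matched on the whole "<flag>description>" prefix, so a rule called
# "Apple TV" cannot accidentally match "Apple TV VPN". Descriptions are used as a
# sed regex here: avoid . * [ ] ^ $ / & in rule names driven from this script.

RULEFILE="${RULEFILE:-/jffs/openvpn/vpndirector_rulelist}"

# rule_state NAME [FILE]: print the current enable flag (0 or 1) of rule NAME,
# or nothing if no rule with that description exists.
rule_state() {
    name="$1"; file="${2:-$RULEFILE}"
    grep -o "<[01]>${name}>" "$file" | head -n 1 | sed 's/^<\([01]\)>.*/\1/'
}

# set_rule NAME 0|1 [FILE]: rewrite the enable flag of rule NAME in place.
# Returns 1 if the rule is missing, so a typo fails loudly instead of "working".
set_rule() {
    name="$1"; state="$2"; file="${3:-$RULEFILE}"
    case "$state" in
        0|1) ;;
        *) echo "set_rule: state must be 0 or 1" >&2; return 2 ;;
    esac
    if ! grep -q "<[01]>${name}>" "$file"; then
        echo "set_rule: no rule named '${name}' in ${file}" >&2
        return 1
    fi
    cp "$file" "${file}.bak"          # keep a copy in case the edit goes wrong
    sed -i "s/<[01]>${name}>/<${state}>${name}>/g" "$file"
}

# apply_rules: have the firmware reload the VPN Director rules into the RPDB,
# the command the thread identifies as what the Apply button triggers.
apply_rules() {
    service restart_vpnrouting0
}

# CLI use over ssh, e.g. from a Shortcuts "Run Script over SSH" action:
#   ./vpnrule.sh on    "Apple TV VPN"
#   ./vpnrule.sh off   "Apple TV VPN"
#   ./vpnrule.sh state "Apple TV VPN"
if [ "$#" -ge 2 ]; then
    case "$1" in
        on)    set_rule "$2" 1 && apply_rules ;;
        off)   set_rule "$2" 0 && apply_rules ;;
        state) rule_state "$2" ;;
        *)     echo "usage: $0 on|off|state \"Rule description\"" >&2; exit 2 ;;
    esac
fi
```

After a toggle, ip rule show from the same ssh session is the quickest way to confirm the RPDB entry for the rule appeared or disappeared, since that is where the VPN Director policy actually lives.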
 
Nice, how would you do this in a completed terminal script file, along with router login, etc?
 
sed is working perfectly to make the 0/1 changes in the file. And I can easily trigger the changes via SSH in Shortcuts from my iPhone, iPad, or Apple Watch, which is awesome.

However, the changes in the file don’t take effect in terms of how the VPN rules behave.

I think clicking the Apply button on the VPN Director web page must cause some process to refresh or restart and see any rule changes. Is there a SSH command I can issue to trigger the same action that the Apply button does?
 
Are you also issuing the service restart_vpnrouting0 command to effect the change?
 
Whoops, I somehow didn’t see the more recent posts here mentioning that command. Apologies. Adding service restart_vpnrouting0 did the trick!

Do I need /jffs/scripts/service-event restart vpnrouting0 too? It seems to be working without it.
 
Hey guys,
I spent a load of time playing with this building on the ideas above and have created a script for managing VPN Director rules that has the following benefits:
  1. It lets you specify destination hosts that you want to route over the VPN (for all local devices). Want to send all traffic to netflix.com via the VPN? You got it!
  2. It also uses iptables to achieve the 'kill switch' functionality for such rules.
You can find the write-up and the script(s) here: https://charleswilkinson.co.uk/2021/11/21/asus-merlin-route-via-vpn-for-specific-destination-hosts/
Let me know what you think - my shell scripting is a bit rusty!
 
