RT-AX92U - ASUSWRT bypass VPN for 1 IP.


Newbie_21

New Around Here
Hi,
First of all, thanks to Merlin's firmware I used for a long time. Since my AC87U is defective, I bought a AX92 set. Unfortunately, Merlin does not support the AX92.
For streaming services I have to route an IP directly via WAN.
For this I found this script:

Bash:
#!/bin/sh
# run only once per boot: the lock directory makes a second start exit at once
mkdir /tmp/asusrouterlock 2> /dev/null || exit
nvram set no_vpn_lst="192.168.1.3"
nvram commit
sleep 30
NO_VPN_LST=`nvram get no_vpn_lst`
[ -z "$NO_VPN_LST" ] && exit 0
# wait until the firmware has learned the WAN gateway
WAN_GWAY="0.0.0.0"
while [ "$WAN_GWAY" = "0.0.0.0" ]; do
sleep 5
WAN_GWAY=`nvram get wan0_gateway`
done
# table 10 sends traffic straight out of the WAN; the listed hosts are told to use it
ip route add default via "$WAN_GWAY" table 10
for ipa in $NO_VPN_LST; do
ip rule add from "$ipa" table 10
done
ip route flush cache
exit 0

Then
nvram set jffs2_exec=/jffs/myscript.sh
then issue
nvram commit

If I now enter:
nvram show | grep jffs | sort -u
I get this output:

size: 82080 bytes (48992 left)
diag_db_path=/jffs/.sys/diag_db/conn_diag_1632441600.db
diag_db_path_old=/jffs/.sys/diag_db/conn_diag_1632441600.db
jffs2_exec=/jffs/bypassVPN.sh
jffs2_on=1
log_path=/jffs

but it doesn't work.

Please excuse my bad English and bash-script knowledge!
 

eibgrad

Very Senior Member
Did you actually create the script and mark it executable? Drop the following into an ssh window and it will do so.

Bash:
cat << "EOF" > /jffs/bypassVPN.sh
#!/bin/sh
# run only once per boot: the lock directory makes a second start exit at once
mkdir /tmp/asusrouterlock 2> /dev/null || exit
nvram set no_vpn_lst="192.168.1.3"
nvram commit
sleep 30
NO_VPN_LST=`nvram get no_vpn_lst`
[ -z "$NO_VPN_LST" ] && exit 0
# wait until the firmware has learned the WAN gateway
WAN_GWAY="0.0.0.0"
while [ "$WAN_GWAY" = "0.0.0.0" ]; do
sleep 5
WAN_GWAY=`nvram get wan0_gateway`
done
# table 10 sends traffic straight out of the WAN; the listed hosts are told to use it
ip route add default via "$WAN_GWAY" table 10
for ipa in $NO_VPN_LST; do
ip rule add from "$ipa" table 10
done
ip route flush cache
exit 0
EOF
chmod +x /jffs/bypassVPN.sh
:
 

Newbie_21

New Around Here
@eibgrad
Thank you for your quick response.
I have now done as you wrote. Now it is executable. It starts without errors. BUT:
After booting, I cannot establish an internet connection. I have to switch the VPN client off and on first and then start the script via the ssh console.
Then it works great. Is that a timing problem? How can i diagnose this?
 

eibgrad

Very Senior Member
I wasn't really trying to assess the efficacy of the script. But now that I am, it seems unnecessarily complex. For example, I have no idea why it's necessary to store the IPs in nvram. And it would be better to monitor the WAN for internet access instead of just blindly waiting for 30 seconds. And anytime you're waiting, it's probably better to have the script run in the background. Try the following script instead.

Bash:
cat << "EOF" > /jffs/bypassVPN.sh
#!/bin/sh
# whole job runs in a background subshell so the caller is not held up
(
# wait until the WAN actually passes traffic instead of sleeping a fixed time
while ! ping -qc1 -w3 8.8.8.8 >/dev/null 2>&1; do sleep 10; done
ip route add default via $(nvram get wan0_gateway) table 10
ip rule add from 192.168.1.3 table 10
ip route flush cache
) &
EOF
chmod +x /jffs/bypassVPN.sh
:
 
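An added example, not eibgrad's script and not ASUS code: the same policy-routing bypass written so it is safe to re-run (after a VPN restart, or a second start at boot, which the original script handled with the /tmp lock directory), with a bounded wait for the WAN, validation of the host list before it reaches `ip`, and syslog output. Table 10 and the `wan0_gateway` nvram key come from the thread; the file name /jffs/bypassVPN.sh, the probe address 8.8.8.8, the host list, the timeouts and the `ip rule show` line format (`from <src> lookup <table>`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent VPN bypass for ASUSWRT stock
# firmware. Assumes it is installed as /jffs/bypassVPN.sh and started at boot.
# Table 10 and wan0_gateway are from the thread; everything below is assumed.

BYPASS_HOSTS="192.168.1.3 192.168.1.160/28"   # assumed LAN hosts/blocks that skip the VPN
BYPASS_TABLE=10
PROBE_IP=8.8.8.8                               # assumed reachability probe
MAX_TRIES=60                                   # 60 x 10 s, then give up instead of hanging

log() { logger -t "bypassVPN[$$]" "$*"; }

# Wait until the WAN really passes traffic; bounded so a dead WAN cannot block forever.
wait_for_wan() {
    tries=0
    while ! ping -q -c 1 -w 3 "$PROBE_IP" >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -ge "$MAX_TRIES" ] && return 1
        sleep 10
    done
    return 0
}

# Accept only dotted-quad[/prefix]; anything else never reaches `ip`.
valid_cidr() {
    cidr=$1
    case "$cidr" in ""|*[!0-9./]*|*/*/*) return 1 ;; esac
    addr=${cidr%%/*}; pfx=${cidr#*/}
    [ "$pfx" = "$cidr" ] && pfx=32              # bare address -> /32
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ] 2>/dev/null || return 1
    set -- $(echo "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
    return 0
}

# `ip route replace` is idempotent, so re-running after a VPN restart is harmless.
ensure_route() {
    gw=$(nvram get wan0_gateway)
    case "$gw" in ""|0.0.0.0) log "no WAN gateway in nvram yet"; return 1 ;; esac
    ip route replace default via "$gw" table "$BYPASS_TABLE" || return 1
    log "table $BYPASS_TABLE: default via $gw"
}

# `ip rule add` is not idempotent: look for an existing rule first.
# Assumed `ip rule show` line format: "<prio>: from <src> lookup <table>".
ensure_rule() {
    valid_cidr "$1" || { log "skipping invalid entry '$1'"; return 1; }
    key=${1%/32}                                 # `ip rule show` prints /32 without the prefix
    if ip rule show | awk -v f="$key" -v t="$BYPASS_TABLE" \
        '$2 == "from" && $3 == f && $4 == "lookup" && $5 == t { found = 1 } END { exit !found }'; then
        return 0                                 # already present
    fi
    ip rule add from "$key" table "$BYPASS_TABLE" && log "rule added: from $key"
}

main() {
    wait_for_wan || { log "WAN never answered, giving up"; return 1; }
    ensure_route || return 1
    for h in $BYPASS_HOSTS; do ensure_rule "$h" || true; done
    ip route flush cache
    log "active: $(ip rule show | grep -c "lookup $BYPASS_TABLE") rule(s) -> table $BYPASS_TABLE"
}

# Run (in the background) only when installed under this name; sourcing the
# file or running it under another name just defines the functions.
case "$0" in *bypassVPN.sh) main "$@" & ;; esac
```

Install it the same way as above (`chmod +x /jffs/bypassVPN.sh`). After boot, `ip rule show` and `ip route show table 10` show whether the rules and the WAN default route are in place, and `logread | grep bypassVPN` shows what the script did and why it gave up, if it did.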

Newbie_21

New Around Here
Hi
The rule works fine, but after booting I first have to renew the VPN connection and then start the script.
Without this procedure, I always get a timeout error with internet calls.
 

eibgrad

Very Senior Member
There's no logical or obvious reason for that particular code to prevent access to the internet, esp. if it works fine when manually executed.

Prior to this thread, I was only vaguely familiar w/ this technique of starting an arbitrary end-user script within the ASUS stock firmware. So I decided to dig a little deeper to determine where you found that original script, and came across the following link.


It seems likely that ASUS has purposely prevented this technique from working across a reboot, for security reasons. At least w/ more recent firmware. And in that case, you may be stuck. The fact I don't even run stock ASUS firmware (only third-party) makes it nearly impossible for me to diagnose the problem. What attempts I've made so far are me just guessing about what would work.

In that same link, I did notice someone suggest trying to use the USB mounting option to trigger a script (post #12). This also explains why the original script contained the following line.

Code:
mkdir /tmp/asusrouterlock 2> /dev/null || exit

It prevents re-execution.

You might want to consider that approach instead.
 

Newbie_21

New Around Here
Before buying the AX6100 (2x AX92U), I unfortunately did not check whether Merlin supports it.
Believe me, I would also have liked to have installed AsusWRT-Merlin because I knew it from my old router.
An alternative tri-band router with aimesh and AsusWRT-Merlin support would only be the AX11000. But this is too expensive for me.
I will have another look at that with the usb mount. Thanks very much.
 

Newbie_21

New Around Here
Hi eibgrad.
Now I use the method from this thread and start your script with it.
https://www.snbforums.com/threads/h...an-is-down-from-pov-of-a-non-linux-guy.74336/
Although it starts according to the syslog after the VPN connection, I have to switch the VPN connection off and on after booting otherwise the VPN connections are extremely slow.
I have two more questions about the script.
- Can I insert several IPs or an IP range ?
- How can i display the execution in the router syslog.

Many thanks.
 

eibgrad

Very Senior Member
You can simply add more ip rules as necessary. You can also specify a range of IPs by using one of many available IP Range to CIDR calculators.


These will generate one or more IPs that define that specific range, which is sometimes more practical than creating a rule for each and every IP.

For example, a range of 192.168.1.160 through 192.168.1.175 (16 hosts) can be expressed as 192.168.1.160/28.

As far as the script, I made a few modifications so it will output to the syslog. There's a debugging option as well so you can follow the execution and any errors.

Bash:
cat << "EOF" > /jffs/bypassVPN.sh
#!/bin/sh
set -x # uncomment/comment to enable/disable debug mode
# whole job runs in a background subshell; stdout and stderr go to the syslog
(
# wait until the WAN actually passes traffic instead of sleeping a fixed time
while ! ping -qc1 -w3 8.8.8.8 >/dev/null 2>&1; do sleep 10; done
ip route add default via $(nvram get wan0_gateway) table 10
ip rule add from 192.168.1.3 table 10
ip rule add from 192.168.1.4 table 10
ip rule add from 192.168.1.5 table 10
ip route flush cache
) 2>&1 | logger -t "$(basename "$0")[$$]" &
EOF
chmod +x /jffs/bypassVPN.sh
:
 
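An added example, not from the thread or from any online calculator: the range-to-CIDR step done in the router's own shell, plus a check that a given host falls inside a block. It goes beyond the single /28 in the text and handles ranges that need several blocks (192.168.1.3 through 192.168.1.5 becomes 192.168.1.3/32 and 192.168.1.4/31). Written in POSIX sh with shell arithmetic only, so it runs on busybox; the file name range2cidr.sh and the addresses in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): split a contiguous IPv4 range into the
# smallest set of CIDR blocks, for `ip rule add from <cidr> table 10`, and test
# whether a host is covered by a block. Needs only POSIX sh arithmetic.
# Assumed file name: range2cidr.sh. Octets must be plain decimal (no leading zeros).

ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Greedy: from the current start, grow the block while it stays aligned on its
# own size and does not run past the end of the range; emit it; move on.
range_to_cidr() {
    start=$(ip2int "$1"); end=$(ip2int "$2")
    [ "$start" -le "$end" ] || { echo "range_to_cidr: start after end" >&2; return 1; }
    out=""
    while [ "$start" -le "$end" ]; do
        prefix=32
        while [ "$prefix" -gt 0 ]; do
            size=$(( 1 << (33 - prefix) ))          # size of the next larger block
            if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break                               # misaligned or would overshoot
            fi
            prefix=$(( prefix - 1 ))
        done
        out="$out${out:+ }$(int2ip "$start")/$prefix"
        start=$(( start + (1 << (32 - prefix)) ))
    done
    echo "$out"
}

# in_cidr HOST CIDR -> exit 0 if HOST lies inside CIDR (a bare address means /32)
in_cidr() {
    addr=$(ip2int "$1"); net=$(ip2int "${2%%/*}"); pfx=${2#*/}
    [ "$pfx" = "$2" ] && pfx=32
    if [ "$pfx" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - pfx)) & 0xFFFFFFFF ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Usage (assumed name): sh range2cidr.sh 192.168.1.160 192.168.1.175
# Prints the `ip rule` lines to paste into the bypass script.
case "$0" in *range2cidr.sh)
    for c in $(range_to_cidr "$1" "$2"); do echo "ip rule add from $c table 10"; done ;;
esac
```

Any block the script prints can be fed straight to `ip rule add from <block> table 10`; `in_cidr` is the quick way to confirm that a host you expect to bypass the VPN is actually inside one of the blocks you added.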

Newbie_21

New Around Here
Thanks eibgrad.
That works great. Now I can hopefully try out why I always have to quit and restart the VPN after the reboot. Otherwise I only have internet access from the IPs that are passed by bypassVPN.sh.

I noticed something else although I don't yet know whether it's because of the script. If I set up a guest network without accessing the intranet, the router creates a new DHCP IP range 192.168.110.x.
But I have no internet access from this one.
 
