SBS. Script for using sing-box on Asus routers with Merlin firmware.

Kyjiep

Regular Contributor
I created an sbtun interface using sing-box on my router RT-AX86U with firmware Merlin 3004.388.7. How can I route traffic from a device with the address 192.168.50.31, which is in the router's network, through this sbtun interface?
Sorry for my English.

Upd. I did this and much more. I present to your attention SBS (sing-box-script).
To do this, your router, in addition to the Merlin firmware, needs a USB drive with Entware installed. To download, install, configure and run sing-box, simply run this command in the router's command line:
Code:
wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install
A script to run sing-box on Asus routers with Merlin firmware and Entware installed on a USB drive.

I. Basics.
1. You should be able to create, or at least edit, configuration files for sing-box. Documentation: https://sing-box.sagernet.org/. My config file template is installed with the script.
2. Only routers with the following processor architectures are supported: ARMv8/AArch64 and ARMv7/AArch32.
3. If IPv6 is enabled in your router settings, it is not recommended to use this script, as it will likely not function as intended in most cases.
4. A USB drive with Entware installed must be connected to your router. The sing-box core will be installed on it, and during its operation, a directory with UI and a cache file will be created there. Installing these components in the router's internal memory is not desirable and often impossible due to its limitations, and is not considered.
5. If you notice bugs in the script or can improve/optimize the script, please share this information with me.

II. Features of configuring sing-box on a router.
1. Generally, DNS servers and their rules are specified at the beginning of the sing-box configuration file (config.json). However, on a router, these settings are ignored for the sing-box tun interface due to the router's dnsmasq, which intercepts DNS requests. As a result, all DNS requests from devices whose traffic is routed through the sing-box tun interface are always directed to the DNS server specified in the router's settings. Nevertheless, DNS settings in the configuration file are still necessary for the proper functioning of inbounds that act as proxy servers, such as mixed; they rely on these DNS settings.
2. It is not recommended to include clash_mods in the DNS rules within config.json. Under certain settings and actions, this can cause the sing-box process to quickly consume all available RAM and lead to the router freezing.
3. Do not use the '"auto_route": true' setting in config.json; it does not function correctly on the router and disrupts routing.
4. Do not use the '"strict_route": true' setting in config.json; it is pointless without '"auto_route": true' and can also cause loss of access to the router's command line and routing issues.

III. Installing the script.
Run the following command in the router's command line:
Code:
wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install

IV. Initial setup and running of the script.
After installing the script, before the first start of sing-box, be sure to configure it! To do this, follow these steps.
1. First, you need to edit the sing-box configuration file located at /jffs/addons/sing-box-script/config.json. You can do this in the menu called by the "sbs edit" command, selecting the first item there. You can also do this in any other way convenient for you, for example, using WinSCP. At a minimum, you must enter your values in the lines with X's. Please note that this config.json uses my personal ruleset, downloaded from my GitHub page (https://github.com/Dr4tez/my_domains); it may not contain the blocked domains you need. Traffic for the first TUN interface is routed according to the rules specified in this config.json: domains from the ruleset and IP 31.131.253.250 go to the proxy tunnel, and everything else goes to direct. Traffic for the second TUN interface by default goes entirely to the proxy tunnel. Of course, you can replace the configuration file with your own; the main thing is that it has the name config.json, and it must comply with the sing-box configuration features on the router specified in section II.
2. Then, to enter the script setup menu, run the "sbs setup" command. If one or two TUN interfaces are specified in your config.json, the menu will also contain one or two first items for configuring the IP addresses of devices whose traffic you want to route through the corresponding TUN interface of the sing-box. When entering IP addresses, you can enter the entire subnet in CIDR format, for example 192.168.50.0/24; the next step will then ask you to enter IP addresses from this subnet for devices whose traffic you want to exclude from the corresponding TUN interface of the sing-box. At each step, enter the required IP addresses in one line, separating them only with spaces.
Attention! If you need direct access from the WAN to a certain device in your router's network via port forwarding, do not add the IP address of this device when configuring the script, otherwise there will be no access. The same is true when adding the entire subnet - there will be no direct access from the WAN to the router's web interface and to all devices except those whose IP addresses you specified at the stage of entering the IP addresses of exceptions.
3. If your config.json specifies one or two TUN interfaces, the script settings menu will also have one or two items for changing the routing table numbers for these TUN interfaces. These are optional items. If you don't know why you need this, then you don't need it.
4. Also in the script settings menu, you can edit the script settings file in the nano editor by selecting the item with the corresponding name. This is not a mandatory item. In it, you can manually do everything described in the two previous items. For some, this may be more convenient if you only need to delete some of the IP addresses from the list, or, conversely, add some addresses to the existing lists. But you must understand the structure of the file and what can be entered where, so as not to disrupt the routing. The file contains explanations for this. If you are not sure, then it is better not to use this tool.
5. When you select the item to exit the script settings menu, you will be prompted to run sing-box. If you are ready, agree.

V. About the sing-box core.
During installation, by default, the latest stable release of sing-box core from the developer's GitHub page https://github.com/SagerNet/sing-box/releases/latest is downloaded and installed. If you want to use a different version, you can replace the sing-box file in the /opt/root/sing-box directory with the one you need. Just don't forget to give it execute permissions and, if necessary, change the configuration file according to the Migration section (https://sing-box.sagernet.org/migration/) in the sing-box documentation.

VI. Script management commands.
To start the sing-box script, run the following command in the router's command line:
Code:
sbs start
If you want to completely stop the script and do not want it to start automatically when the router reboots, run the following command:
Code:
sbs stop
To remove the script and all the results of its activity, run the following command:
Code:
sbs remove
You can see a complete list of commands with their descriptions by running the following command:
Code:
sbs
Page on github.
 

I created an sbtun interface using sing-box on my router RT-AX86U with firmware Merlin 3004.388.7. How can I route traffic from a device with the address 192.168.50.31, which is in the router's network, through this sbtun interface?
Sorry for my English.
Routes are destination IP based, not source IP based. So if the IPs you would like to access via the sbtun interface are one or more unique confined ranges, you could just add a route in the main route table. All LAN could then access these IPs/ranges via the sbtun interface.

If you plan on accessing, i.e., the internet (all IPs) via this interface only from a specific LAN IP, you will need to set up a new routing table and create ip rules that your LAN IP will use only. It gets a tad more messy.
 
Thank you. I already figured this out using ChatGPT, and with its help I even made the corresponding script. It works as I wanted. There are some minor flaws that I couldn't eliminate, but I'm happy with it anyway. Later I will translate the readme into English and upload it here along with the script.
 
My script for running sing-box on Asus routers with Merlin firmware. I have not found other methods on the Internet. It is primitive, but it works. I am not a programmer, and I made this script using ChatGPT. I would be glad to see any improvements from those who know how to make scripts.
You can download the archive with everything you need at https://github.com/Dr4tez/my_domains/raw/main/sing-box-script+readme.zip. I understand that the archive will cause mistrust in many. But I initially did everything in the archive, because in this form everything is simpler and faster, and I have to write fewer instructions. The archive contains readme.txt and a nested archive, which contains a script, sing-box and a sample of my config.json. First, read readme.txt, then do everything according to it.

Upd. The download link for the archive no longer works. Installation and configuration via commands in the router console are already available.
Code:
wget -O /jffs/scripts/sb-script-install https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sb-script-install && chmod 775 /jffs/scripts/sb-script-install && /jffs/scripts/sb-script-install
This command no longer works because the files for this version of the script have been removed.
 
I checked your script quickly and from what I understand it creates a new routing table with only a default route in it. Nothing else. Then points one IP to use this table.

The problem I see is any local routes (i.e. to guest wifi or other stuff) will not be present in this table and even if it does not create problems for you, right now, it probably will for others. I would propose to use PRIO to set ip rule priority and use a "from all lookup main suppress_prefixlength 0" with higher priority.

This is how WireGuard's userspace tool does it for Ubuntu:

$ ip rule
Code:
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default

The usage of suppress_prefixlength 0 is available on our routers and would give a routing improvement for your script I believe.

Edit: Oh, and another thing... your router may flush all firewall rules and rebuild them on various events. In order to make sure the firewall rules continue to work over time they would need to be re-applied in firewall-start hook script https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts#firewall-start
 
Now I’m reworking the script so that it automatically finds the desired directory on the Entware flash drive, downloads the sing-box archive from the developer’s GitHub, unzips it, and creates the necessary subdirectories and files.
By the way, initially you can specify several IPs in the script, not just one.
I don’t plan to solve the problem of access from guest wi-fi yet, maybe in the future, this is not such a priority issue, I don’t even know.
Now I still didn’t understand anything about PRIO.
But I will solve the problem with the firewall rules as quickly as possible.
Thanks for the advice.
There is one strange thing: in the list of processes it is indicated that the sing-box process uses 1227m of RAM, but in the web interface of the router it shows that more than 500 MB of 1024 are free and swap is not used. This does not seem to cause problems, but it confuses me.
As I already said, I'm not a programmer and don't know much about scripts. So this is somewhat difficult for me, even using ChatGPT, which also gets things wrong sometimes.
 
I don’t plan to solve the problem of access from guest wi-fi yet, maybe in the future, this is not such a priority issue, I don’t even know.
Now I still didn’t understand anything about PRIO.
I understand, but it's a quite easy fix, just add it after adding the other rules so it gets added last:
Like:
Code:
# Per-device rules first
for IP in $DEVICE_IPS; do
    echo "Adding routing rule for $IP..."
    ip rule add from "$IP" table "$ROUTE_TABLE"
done
# Added last, so it is evaluated before the per-device rules
ip rule add from all lookup main suppress_prefixlength 0

And also remove it before the others:
Code:
ip rule del from all lookup main suppress_prefixlength 0
for IP in $DEVICE_IPS; do
    echo "Removing routing rule for $IP..."
    ip rule del from "$IP" table "$ROUTE_TABLE"
done

You can list your rules by
Code:
ip rule
You see the priority numbers and rules are processed in order from low number to high number. You can specify the priority number when adding a rule, like:
Code:
ip rule add from all lookup main suppress_prefixlength 0 prio 32764

and then you can easily remove it by:
Code:
ip rule del prio 32764


Now I’m reworking the script so that it automatically finds the desired directory on the Entware flash drive, downloads the sing-box archive from the developer’s GitHub, unzips it, and creates the necessary subdirectories and files.
That's great! Perhaps it's time to move this thread to the Addons section?
 
That's great! Perhaps it's time to move this thread to the Addons section?
Maybe. How to do it? Although it is far from an addon, just a small script for now. But maybe there will be more specific help there. I do not have enough free time to study scripting, support the project, and especially take into account the wishes of other people. I will be making the necessary changes for quite a long time.
There is another serious problem. When I run sing-box from the command line, it works until I close the command line. I found out that after closing it, the output of the command "ip route show table 222" disappears, for which the command "ip route add default dev sbtun table 222" is responsible. The rest of the changes made by the script are saved after closing the command line. But the script stops working correctly. How can this be solved?
 
I would assume the route disappears because the interface sbtun does not exist anymore? Could you confirm this using i.e. "ifconfig sbtun"?

Perhaps some more information relevant to merlin fw here https://www.snbforums.com/threads/struggling-to-write-a-non-killable-process.62455/post-556998
The rest of the changes made by the script are saved after closing the command line.
The sbtun interface exists after closing the command line. There are also rules like "from 192.168.50.31 lookup 222" and created firewall rules. And the sing-box process continues its work.
 
The sbtun interface exists after closing the command line
Hmm, ok. weird...

Now that I think of it, both fw and other VPN managers (like WireGuard Session Manager) do not use a default route in the policy tables. Instead they use 0.0.0.0/1 & 128.0.0.0/1. I wonder if that is the reason something like that happens??

What if you replace
Code:
ip route add default dev $TUN_INTERFACE table $ROUTE_TABLE
With
Code:
ip route add 0.0.0.0/1 dev $TUN_INTERFACE table $ROUTE_TABLE
ip route add 128.0.0.0/1 dev $TUN_INTERFACE table $ROUTE_TABLE

You would also need to make the same change for removing the rules
Change
Code:
ip route del default dev $TUN_INTERFACE table $ROUTE_TABLE
To
Code:
ip route del 0.0.0.0/1 dev $TUN_INTERFACE table $ROUTE_TABLE
ip route del 128.0.0.0/1 dev $TUN_INTERFACE table $ROUTE_TABLE

Would that make any difference?
 
This doesn't change anything. I suspect that when I close the command line the 222 routing table itself disappears.
I wouldn't think so. You could test this by adding some route manually, i.e.
Code:
ip route add 10.11.12.13 dev br0 table 222
Then log out and back in and check that it's still there. It is for me.

More likely your sbtun interface goes down and up again, even so shortly. When an interface goes down its associated routes are also removed.

Starting the interface outside of the shell session might solve this, like in firewall-start or a cron job.

Another solution would be to re-add the routes periodically in a cron job. But since it's not running continuously you could expect some minutes of outages.
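
Added example, not part of the thread or of SBS: a POSIX sh check for the two failure states discussed above, a policy table that has lost its catch-all route (lookups for the selected devices then fall through to the main table instead of the tunnel) and a suppress_prefixlength rule that is missing or ordered after the per-device rules. The finding names and the sample rule text are constructed; table 222 and sbtun are the values used in the thread.

```shell
#!/bin/sh
# Added example (not part of SBS): audit the policy-routing state from the
# text of `ip rule` and `ip route show table N`. Finding names are made up here.

# audit_policy RULES ROUTES TABLE DEV
#   RULES  = output of `ip rule`, ROUTES = output of `ip route show table TABLE`
# Prints one finding per line, or OK; returns 0 only when nothing is wrong.
audit_policy() {
    _rules=$1 _routes=$2 _table=$3 _dev=$4

    # Rule order: the suppress_prefixlength rule must come before (lower
    # number than) every "from <device> lookup TABLE" rule.
    _out=$(printf '%s\n' "$_rules" | awk -v t="$_table" '
        { prio = $1 + 0 }                      # "32764:" converts to 32764
        $2 == "from" && $3 == "all" && $4 == "lookup" && $5 == "main" &&
        $6 == "suppress_prefixlength" && $7 == "0" { supp = prio; have = 1 }
        $2 == "from" && $3 != "all" && $4 == "lookup" && $5 == t {
            if (!n || prio < first) first = prio
            n++
        }
        END {
            if (!n) { print "NO_DEVICE_RULES"; exit }
            if (!have) print "NO_SUPPRESS_RULE"
            else if (supp > first) print "SUPPRESS_RULE_AFTER_DEVICE_RULE"
        }')

    # Table content: without "default" or the 0.0.0.0/1 + 128.0.0.0/1 pair on
    # DEV, lookups in TABLE find nothing and fall through to the main table.
    _cover=$(printf '%s\n' "$_routes" | awk -v dev="$_dev" '
        { via = 0
          for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) via = 1 }
        via && $1 == "default"     { d = 1 }
        via && $1 == "0.0.0.0/1"   { lo = 1 }
        via && $1 == "128.0.0.0/1" { hi = 1 }
        END { if (d || (lo && hi)) print "yes"; else print "no" }')
    [ "$_cover" = yes ] ||
        _out=$(printf '%s\n%s\n' "$_out" "TABLE_HAS_NO_CATCH_ALL_ROUTE")

    _out=$(printf '%s\n' "$_out" | sed '/^$/d')
    if [ -z "$_out" ]; then echo OK; return 0; fi
    printf '%s\n' "$_out"
    return 1
}

# Constructed sample: the state reported in the thread after the console was
# closed (device rule still present, table 222 empty, no suppress rule).
SAMPLE_RULES='0:  from all lookup local
32765:  from 192.168.50.31 lookup 222
32766:  from all lookup main
32767:  from all lookup default'

audit_policy "$SAMPLE_RULES" "" 222 sbtun || true
# On the router: audit_policy "$(ip rule)" "$(ip route show table 222)" 222 sbtun
```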
 
I have made some improvements to the script.
1. Added a command to restart the script. (See readme.txt in the archive)
2. Added automatic creation of system scripts firewall-start and services-start, as well as checks for their existence, automatic addition and deletion of records and rules in them, as well as checks for their existence, to prevent their duplication. This is necessary to prevent sudden incorrect termination of the script during some events in the system, as well as for the correct autostart of the script when the router is rebooted.
3. Added a check for the existence of the sing-box process to prevent duplication of some functions. Now, when you try to run the script twice in a row, it will not allow it.
4. Fixed the found errors.
You can download the updated archive using the same link as before https://github.com/Dr4tez/my_domains/raw/main/sing-box-script+readme.zip
This link no longer works because the files for this version of the script have been removed.
 
I wouldn't think so. You could test this by adding some route manually, I.e
Yes, you are right, rules can still be added...
Here's what I noticed: if, after starting the script from the console, I close this console window, then open it again and execute the command "ip route add default dev sbtun table 222", then the script starts working correctly again. And it works correctly even after closing this console window.
 
That's great! Perhaps it's time to move this thread to the Addons section?
Maybe. How to do it? Although it is far from an addon, just a small script for now. But maybe there will be more specific help there.
You would just ping a moderator, like @thiggins and ask him to move the thread to the asuswrt-merlin addons section. I think this fits better there.

I do not have enough free time to study scripting, support the project, and especially take into account the wishes of other people. I will be making the necessary changes for quite a long time.
It could be whatever you want it to be. If you choose to just leave it as it is, then that's great too!
 
The download link for the archive no longer works. Installation and configuration via commands in the router console will be available soon.
 
I did it. To download, install, configure and run sing-box, simply run this command in the router console:
Code:
wget -O /jffs/scripts/sb-script-install https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sb-script-install && chmod 775 /jffs/scripts/sb-script-install && /jffs/scripts/sb-script-install
This command no longer works because the files for this version of the script have been removed.
Please read the attached readme file first.
 