SBS. Script for using sing-box on Asus routers with Merlin firmware.

They don't come there. At least AGH doesn't see them.
So they never leave the router then. What if you do a dns lookup from your router to the linux server i.e:
Code:
dig @<linux server ip> google.com

If this works it would indicate that your issue is with singbox not forwarding requests locally, or at least not correctly.

If it's not working there is still something in routing or firewall config.
 
So they never leave the router then. What if you do a dns lookup from your router to the linux server i.e:
Code:
dig @<linux server ip> google.com
-sh: dig: not found

Code:
nslookup google.com 192.168.50.30
Server:    192.168.50.30
Address 1: 192.168.50.30 ubuntu-first.RT-AX86U


Name:      google.com
Address 1: 142.250.74.78 arn09s23-in-f14.1e100.net
Address 2: 2a00:1450:400f:802::200e arn09s23-in-x0e.1e100.net
But, as I already said, I previously installed sing-box on a virtual Linux machine and from there it worked without problems with AGH on a home Linux server.
 
New update for SBS (sing-box-script).
To install the script, run this command on the router command line
Code:
wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install
1. Support for simultaneous operation of up to two TUN interfaces. This will be useful if, for example, you want to direct the traffic of some devices through sing-box according to the rules specified in the sing-box configuration file, while directing the traffic of other devices entirely to the proxy tunnel.
2. Added command:
Code:
sbs check
This function is built into the sing-box core and is used to check the correctness of the sing-box configuration file (config.json). It does not detect all errors, but in most cases, it helps a lot in finding them. As a result, it shows the first found error with its line and column number in config.json. Then, to fix the error, you are prompted to open config.json in the nano editor. After fixing and finishing editing, the next error, if any, is found, and you are again prompted to fix it in the nano editor. This repeats until you fix all errors or decide to stop by refusing to edit the next error.
3. Added command:
Code:
sbs format
This function is built into the sing-box core and is used to give config.json a readable structure as intended by the sing-box developer. First, like sbs check, the sbs format command checks config.json for errors. If errors are found, formatting will be impossible until you fix them all. After fixing all errors, the configuration file structure will be optimized, the result will be displayed in the console, and you will be prompted to save it to your config.json.
4. Minor bug fixes.

To upgrade from version 0.6 or 0.5 to version 0.7:
Save your config.json file located in the /jffs/addons/sing-box-script directory (this directory will be deleted along with the /opt/root/sing-box directory).
Remove version 0.6 or 0.5 using the command in the router's console:
Code:
sbs remove
Install version 0.7 by running the following command in the router's console:
Code:
wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install
Set up the script with the command in the router's console:
Code:
sbs setup
At this point, you can edit the new preset config.json template or edit your config.json after placing it in the /jffs/addons/sing-box-script directory, as it is now possible to use two TUN interfaces simultaneously, and the template has been slightly modified for this purpose.
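The install one-liner in the post above downloads the script from the repository's main branch and runs it as root in a single step. The following is an added example, not part of the original post or of the SBS project: it downloads to a temporary file and installs only if the SHA-256 matches a value you recorded after reading the script. `EXPECTED_SHA256` is a placeholder, the function names are hypothetical, and `sha256sum` and `mktemp` are assumed to be available on the router.

```shell
#!/bin/sh
# Added example: review-then-pin install of the SBS script.
# URL and destination are the ones quoted in the thread; EXPECTED_SHA256 is a
# placeholder you fill in yourself after reading the downloaded script.
SBS_URL="https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs"
SBS_DEST="/jffs/scripts/sbs"
EXPECTED_SHA256="<sha256-of-the-version-you-reviewed>"

# Print the SHA-256 of a file.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_file FILE EXPECTED: return 0 if the hash matches, 1 otherwise.
verify_file() {
    actual=$(file_sha256 "$1") || return 1
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "hash mismatch for $1" >&2
    echo "  expected: $2" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_verified SRC DEST EXPECTED: copy SRC to DEST only after verification.
# Mode 755 instead of the thread's 775: group write access is not needed.
install_verified() {
    verify_file "$1" "$3" || return 1
    cp "$1" "$2" && chmod 755 "$2"
}

# Download to a temp file, verify, install, then run the script's installer.
fetch_and_install() {
    tmp=$(mktemp /tmp/sbs.XXXXXX) || return 1
    if wget -q -O "$tmp" "$SBS_URL" &&
       install_verified "$tmp" "$SBS_DEST" "$EXPECTED_SHA256"; then
        rm -f "$tmp"
        "$SBS_DEST" install
    else
        rm -f "$tmp"
        echo "not installing: download failed or script changed since review" >&2
        return 1
    fi
}

# Run only when asked, e.g.: sh sbs-verified-install.sh install
if [ "${1:-}" = "install" ]; then
    fetch_and_install
fi
```

A mismatch after an upstream update is expected: review the new script, then update the pinned value.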
 
Just finished another update of my script for downloading, installing, configuring and running sing-box on Asus routers with Merlin firmware.
Updated 08/04/2024. Version v0.8
Added the command
Code:
sbs status
which shows whether sing-box is running, as well as the versions of the installed SBS script and sing-box core.

To update from version 0.7 to version 0.8, run the following command in the router's command line:
Code:
sbs update
To install the script, run this command in the router's command line:
Code:
wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install
 
Another update of my script for downloading, installing, configuring and running sing-box on Asus routers with Merlin firmware.
Updated 08/09/2024. Version v0.9

Changes:

1. Fixes for discovered issues.
2. Added support for routers with ARMv7/AArch32 processor architecture. Previously, only ARMv8/AArch64 architecture was supported.

To upgrade from version 0.8 to version 0.9:
1. Save your configuration file config.json located in the /jffs/addons/sing-box-script directory (it will be deleted, along with the /opt/root/sing-box directory).
2. Remove version 0.8 by running the following command in the router's command line:
Code:
sbs remove
3. Install version 0.9 by running the following command in the router's command line:
Code:
wget -O /jffs/scripts/sbs-ru https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs-ru && chmod 775 /jffs/scripts/sbs-ru && /jffs/scripts/sbs-ru install
4. Place your saved config.json file in the /jffs/addons/sing-box-script directory.
5. Configure the script by running the following command in the router's command line:
Code:
sbs setup
 
Again updating my script for downloading, installing, configuring and running sing-box on Asus routers with Merlin firmware.
Updated 08/13/2024. Version v1.0

Changes:

1. The output of the 'sbs status' command now includes the sing-box core architecture and the router's CPU architecture.
2. For devices whose traffic is routed through sing-box, the script now adds routing rules to the system that direct their local traffic to bypass sing-box. This improves the interaction of these devices with each other and with other devices on the local network.
3. Improved the logic of the sbs-monitor script.

To upgrade from version 0.9 to version 1.0, run the
Code:
sbs update
command in the router command line.
 
The latest update of my script for downloading, installing, configuring, and running sing-box on Asus routers with Merlin firmware.
Updated 08/23/2024. Version v1.1

Changes:

1. The routes and routing rules created by the script have been optimized.
2. A simpler and more reliable method for removing the routing tables created by the script at startup has been implemented when the script is stopped.
3. The 'sbs update' command now presents a menu that allows you to select components for updating and displays their installed and available versions.
4. Now, when configuring the script with the 'sbs setup' command, you can enter the entire subnet of the router in the field for device IP addresses. The only downside to this is that access to the router's web interface from the WAN will be lost if it is allowed in the router settings. Additionally, access from the WAN through port forwarding to other devices on the router's network will also be lost. However, this was already the case for all devices whose IP addresses were entered during the script setup.

To upgrade from version 0.9 or 1.0 to version 1.1, run the
Code:
sbs update
command in the router command line.
 
Another update of my script for downloading, installing, configuring and running sing-box on Asus routers with Merlin firmware.
Updated 09/01/2024. Version v1.2

Changes:

1. A separate menu has been created for script configuration, which can be accessed using the
Code:
sbs setup
command. In this menu, functions previously performed by the single 'sbs setup' command have been separated: adding device IP addresses and changing routing table numbers. Additionally, the menu now includes the option to edit the script's settings file using the nano editor, which was previously done with the separate 'sbs edit' command.
2. In the script configuration menu, when adding a subnet in CIDR format as a device's IP address (e.g., 192.168.50.0/24), the next step prompts you to enter exception IP addresses.
3. A separate menu has been created for configuring the sing-box configuration file, accessible via the
Code:
sbs edit
command. This menu combines functions previously performed by separate commands: checking the sing-box configuration file for errors and optimizing its structure. Additionally, this menu now includes the option to edit the sing-box configuration file using the nano editor, which was previously offered during the execution of the 'sbs setup' command.
4. The main script and the sbs-monitor script have been improved to correctly add, remove, and restore rules and routes, taking into account subnets and exceptions.
5. Code optimization and adjustments to command line output messages.

Due to the addition of new functionality, it is not possible to update to version 1.2 correctly using the 'sbs update' command. Therefore, to upgrade from previous versions to version 1.2:
1. Save your configuration file config.json from the /jffs/addons/sing-box-script directory somewhere safe.
2. Remove the previous version by running the command
Code:
sbs remove
in the router's command line.
3. Install version 1.2 by executing the following command in the router's command line:
Code:
wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install
4. Place your saved configuration file config.json back into the /jffs/addons/sing-box-script directory.
5. Configure the script by running the
Code:
sbs setup
command in the router's command line.
 
Curious is this now working as you wanted it to? Am in restricted country as well, China. Have been able to use singbox apps mostly Android, use hiddify on Windows but using a subscription to an outside VPS server somehow everything that runs through singbox always works the best, everything seems to be optimized for hopping over the wall. Also been using the Merlin fork Clash with the VPS service which mostly works fine but has its own complications DNS which is beyond my skill level. Was curious about installing just Singbox on my router as singbox just seems to work almost without problems in my situation
 
Everything works the way I need it to, at least for me.
Read the readme in the first post of the topic, some nuances are described there. In China, perhaps censorship is stricter, and therefore problems with DNS requests are possible. Try it, the script and all its tails are removed as easily as they are installed, with just one command.
 
Your call.
Hello. Now that I have a much better understanding of the issues related to this script, I returned to the problem of using DNS specified in the sing-box configuration file. And I saw that I was doing it wrong before. To receive DNS requests on port 55553 sing-box, I created a special inbound in its configuration file, but at the same time, the iptables rules directed DNS requests from the necessary devices to tun inbound. All I had to do was specify the IP address of the router in the iptables rules, not the tun interface. That's how it works.
Code:
iptables -t nat -A PREROUTING -p tcp -m set --match-set sbs-ipset src -m tcp --dport 53 -j DNAT --to-destination 192.168.50.1:55553
iptables -t nat -A PREROUTING -p udp -m set --match-set sbs-ipset src -m udp --dport 53 -j DNAT --to-destination 192.168.50.1:55553
Thank you for your help and support.
 
need to be re-applied in firewall-start hook script
Should I add these rules to the nat-start script or to the firewall-start script? I would like to know how to do it more correctly, since it works both ways.
Code:
iptables -t nat -A PREROUTING -p tcp -m set --match-set sbsinc-ipset src -m set ! --match-set sbsexc-ipset src -m tcp --dport 53 -j DNAT --to-destination 192.168.50.1:55553
iptables -t nat -A PREROUTING -p udp -m set --match-set sbsinc-ipset src -m set ! --match-set sbsexc-ipset src -m udp --dport 53 -j DNAT --to-destination 192.168.50.1:55553
 
NAT rules should be in nat-start. FILTER rules should be in firewall-start, so these should go in nat-start.

Previously the advice was that everything should be in nat-start (nat, mangle, raw) except filter which should be in firewall-start, but I'm not reading that now so perhaps something has changed: https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts#nat-start
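The DNAT rules discussed above use `-A`, so running them a second time without a NAT reload appends a second copy. The following is an added example, not code from the thread or from the SBS script: a nat-start style helper that adds each rule only when `iptables -C` does not find it, and skips the work while the ipsets do not exist. The router IP, port and set names are the ones quoted in the posts; the function names and the `IPT`/`IPSET` override variables are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent DNS redirect for a nat-start hook.
# Values below are the ones quoted in the thread; adjust to your LAN.
ROUTER_IP="192.168.50.1"
DNS_PORT="55553"
INC_SET="sbsinc-ipset"   # devices routed through sing-box
EXC_SET="sbsexc-ipset"   # exceptions inside an included subnet
IPT="${IPT:-iptables}"   # overridable so the logic can be exercised without root
IPSET="${IPSET:-ipset}"

# dns_rule PROTO: print the rule specification (without -A/-C/-D).
dns_rule() {
    echo "PREROUTING -p $1 -m set --match-set $INC_SET src" \
         "-m set ! --match-set $EXC_SET src" \
         "-m $1 --dport 53 -j DNAT --to-destination $ROUTER_IP:$DNS_PORT"
}

# Both sets must exist, otherwise iptables rejects the --match-set rules.
sets_exist() {
    "$IPSET" list "$INC_SET" >/dev/null 2>&1 &&
    "$IPSET" list "$EXC_SET" >/dev/null 2>&1
}

# add_once PROTO: append the rule only if -C reports it missing.
add_once() {
    # Intentional word splitting: no token in the spec contains a space.
    set -- $(dns_rule "$1")
    "$IPT" -t nat -C "$@" 2>/dev/null || "$IPT" -t nat -A "$@"
}

# del_all PROTO: remove every copy, including earlier duplicate appends.
del_all() {
    set -- $(dns_rule "$1")
    while "$IPT" -t nat -C "$@" 2>/dev/null; do
        "$IPT" -t nat -D "$@" || break
    done
}

apply_dns_redirect() {
    if ! sets_exist; then
        echo "ipsets not created yet, skipping DNS redirect" >&2
        return 1
    fi
    add_once tcp && add_once udp
}

# Called from the hook as "<script> start", or by hand as "<script> stop".
case "${1:-}" in
    start) apply_dns_redirect ;;
    stop)  del_all tcp; del_all udp ;;
esac
```

`iptables -t nat -S PREROUTING` shows whether exactly one TCP and one UDP rule are present after the hook has run.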
 
Another update of my script for downloading, installing, configuring and running sing-box on Asus routers with Merlin firmware.
Updated 09/19/2024. Version v1.3

Changes:

1. Now DNS settings in the sing-box configuration file also work for tun interfaces.
2. In the script setup menu, called by the
Code:
sbs setup
command in the router's command line, an item for selecting DNS servers for tun interfaces has been added: DNS servers configured in the router web interface, or DNS servers specified in the sing-box configuration file.
3. Improved sbs-monitor script logic.
4. Supplemented and revised Readme. Be sure to read it.

Due to the addition of new functionality, it is not possible to update to version 1.3 correctly using the 'sbs update' command. Therefore, to upgrade from previous versions to version 1.3:
1. Save your configuration file config.json from the /jffs/addons/sing-box-script directory somewhere safe.
2. Remove the previous version by running the command
Code:
sbs remove
in the router's command line.
3. Install version 1.3 by executing the following command in the router's command line:
Code:
wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install
4. Bring the router's web interface settings into compliance with section V of the Readme.
5. Bring your saved config.json file into compliance with section V of the Readme, and place it in the /jffs/addons/sing-box-script directory.
6. Configure the script by running the
Code:
sbs setup
command in the router's command line.
 
I fixed a serious bug there that I came across today. I didn't change the script version. Those who managed to update to version 1.3, to eliminate the consequences via the
Code:
sbs update
menu, update the script and reconfigure the devices' IP addresses via the
Code:
sbs setup
menu.
 
Another update of my script for downloading, installing, configuring and running sing-box on Asus routers with Merlin firmware.
Updated 09/23/2024. Version v1.4

Changes:

Optimizations, bugfixes and logic improvements for several script functions.

To update from version 1.3 to version 1.4, execute the command
Code:
sbs update
in the router's command line and select the first item in the menu that appears.

From versions older than 1.3 to version 1.4 you can only update by reinstalling the script according to the following instructions:

1. Save your configuration file config.json from the /jffs/addons/sing-box-script directory somewhere safe.
2. Remove the previous version by running the command
Code:
sbs remove
in the router's command line.
3. Install version 1.3 by executing the following command in the router's command line:
Code:
wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install
4. Bring the router's web interface settings into compliance with section V of the Readme.txt.
5. Bring your saved config.json file into compliance with section V of the Readme.txt, and place it in the /jffs/addons/sing-box-script directory.
6. Configure the script by running the
Code:
sbs setup
command in the router's command line.
 
NAT rules should be in nat-start. FILTER rules should be in firewall-start, so these should go in nat-start.

Previously the advice was that everything should be in nat-start (nat, mangle, raw) except filter which should be in firewall-start, but I'm not reading that now so perhaps something has changed: https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts#nat-start
Can you tell me how to open a port from WAN to the router itself using the command line? sing-box can be used as a proxy server, and I would like to do this on the router so as not to have to run an instance of sing-box on a separate linux machine specifically for this purpose.
 
If it's for the router itself it would be filter table in the INPUT chain. So, like:
Code:
iptables -I INPUT -p udp --dport <PortNr> -j ACCEPT
iptables -I INPUT -p tcp --dport <PortNr> -j ACCEPT

Usage of --dport requires you to use -p which means each rule is only for udp or tcp. 2 rules are needed for both. If you know which will be used you may skip the other.
 
Partially succeeded. Connection to sing-box on the router from WAN occurs - when I do this using a mobile phone, sites determine the external IP address of the router. But this was intended for access from WAN to local resources in the home network. But for some reason there is no access to local resources of the home network at all. The same configuration of sing-box on a Linux machine in the home network has access to local resources. The router lacks something for this.
 
Assuming data goes from your client over WAN to the sing-box sbtun interface and onwards to WAN, it will be subject to MASQUERADE when leaving the router's WAN interface, which is why it appears to come from your router's WAN IP externally. But internally, what address would data appear to come from?
Are routes set up for this IP to go to the sbtun interface? If your clients use policy route tables, are these routes present there as well?
Firewall issues: are proper firewall routes in place on the router to allow new connections to be made from sbtun to the br0 interface?
Are the LAN clients' own firewalls accepting incoming connections from the sbtun address range?
 