SBS. Script for using sing-box on Asus routers with Merlin firmware.

Assuming data goes from your client over WAN to the sing-box sbtun interface and onwards to WAN, it will be subject to MASQUERADE when leaving the router WAN interface, which is why it appears to come from your router WAN IP externally. But internally, what address would data appear to come from?
Are routes set up for this IP to go to the sbtun interface? If your clients use policy route tables, are these routes present there as well?
Firewall issues: are proper firewall routes in place on the router to allow new connections to be made from sbtun to the br0 interface?
Are LAN clients' own firewalls accepting incoming connections from the sbtun address range?
The tun interface is not used to access the proxy server. Simply after adding the proxy server settings to the sing-box configuration file and after rebooting it, sing-box starts listening to the port specified in the proxy server settings, working as a regular proxy server. The tun interface does not even need to be specified in the configuration file, proxy servers do not interact with it in any way. We need to somehow understand where exactly the traffic addressed to local resources goes from sing-box. In my configuration file, it is specified that it should go to direct. This means that it will not be routed to any of the proxy tunnels specified in the configuration file. Where exactly it goes on the router is not clear to me. Although, perhaps, this is not particularly important. Traffic to external sites comes from the external IP address of the router, which means that from sing-box it goes to direct, and not to tunnels. Here are my routing rules:
Code:
0:      from all lookup local
78:     from 192.168.50.52 lookup main
79:     from 192.168.50.51 lookup main
80:     from 192.168.50.50 lookup main
81:     from 192.168.50.46 lookup main
82:     from 192.168.50.41 lookup main
83:     from 192.168.50.37 lookup main
84:     from 192.168.50.36 lookup main
85:     from 192.168.50.35 lookup main
86:     from 192.168.50.34 lookup main
87:     from 192.168.50.30 lookup main
88:     from 192.168.50.1 lookup main
89:     from 192.168.50.0/24 lookup 5553
90:     from all to 10.6.0.2 lookup main
90:     from all to 10.6.0.3 lookup main
90:     from all to 10.6.0.4 lookup main
90:     from all to 10.6.0.5 lookup main
90:     from all to 10.6.0.6 lookup main
90:     from all to 10.6.0.7 lookup main
32766:  from all lookup main
32767:  from all lookup default
Table 5553 is the table for sing-box. Here are the routes in this table:
Code:
default dev sbtun scope link
10.6.0.2 dev wgs1 scope link
10.6.0.3 dev wgs1 scope link
10.6.0.4 dev wgs1 scope link
10.6.0.5 dev wgs1 scope link
10.6.0.6 dev wgs1 scope link
10.6.0.7 dev wgs1 scope link
95.165.64.1 dev ppp0 proto kernel scope link
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.251.191
172.19.0.0/28 dev sbtun proto kernel scope link src 172.19.0.1
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
Except for the default route, all others are automatically copied by the sing-box script from the 'main' table.
I noticed that for the built-in wireguard server in the nat table there is a rule
Code:
-A LOCALSRV -p udp -m udp --dport <wireguard_server_port> -j ACCEPT
I created similar ones for udp and tcp for my proxy server, but this did not solve the problem.
I believe that another problem I wrote about earlier has the same cause: https://www.snbforums.com/threads/s...outers-with-merlin-firmware.90762/post-918618
Assuming data goes from your client over WAN to the sing-box sbtun interface and onwards to WAN, it will be subject to MASQUERADE when leaving the router WAN interface, which is why it appears to come from your router WAN IP externally. But internally, what address would data appear to come from?
Are routes set up for this IP to go to the sbtun interface? If your clients use policy route tables, are these routes present there as well?
Firewall issues: are proper firewall routes in place on the router to allow new connections to be made from sbtun to the br0 interface?
Are LAN clients' own firewalls accepting incoming connections from the sbtun address range?
I think I found the reason. On the router, the sing-box "auto_detect_interface" function works a little incorrectly. When I deleted it and manually specified the interface for proxy outbounds in the config, in my case it was ppp0, then everything worked as it should.
I concluded that "auto_detect_interface" worked correctly only for proxy outbounds, but for the direct outbound it apparently assigned the wrong interface. I couldn't determine which one is correct for direct; it doesn't work with br0 or lo, but without specifying it everything works correctly.
This also solved the problem of lack of access to the DNS server in the local network.
I am confused by the description of this function: https://sing-box.sagernet.org/configuration/route/#auto_detect_interface
But I still removed it and removed "bind_interface" from all outbounds in the configuration file, so far everything works correctly without them, I will observe for some time.
Another update of my script for downloading, installing, configuring and running sing-box on Asus routers with Merlin firmware.
Updated 10/13/2024. Version v1.5

Changes:

1. Added a new menu called by the
Code:
sbs server
command to specify ports that will be opened from WAN to the router when sing-box starts and closed when it stops. This will be useful for sing-box to work not only in client mode, but also in server mode with access from WAN, if you need it. For sing-box to work in server mode with access from WAN, specify at least one inbound proxy server with encryption and authorization in the sing-box configuration file.
2. The script code has been modified to work with only one TUN interface, since the functionality added by the second TUN interface can be implemented with just a couple of simple rules in the sing-box configuration file. This allowed us to solve problems when creating NAT rules for several subnets of different sizes, and also reduced the code size by a third.
3. Due to the reduction of the permitted number of tun interfaces to one, the template of the sing-box configuration file has been changed.
4. To maintain priorities, the logic of adding routing and nat rules by the main script and monitor has been changed. Now, when configuring the script in the 'sbs setup' menu, you can add any number of subnets of any size and in any order. As a result, in the routing and nat rules created by the script, smaller subnets will always have priority over larger ones.
5. A new option has been added to the IP address settings in the 'sbs setup' menu: 'Add/remove IP addresses'. It works like this: enter IP addresses, separating them with spaces; those that are already in the list will be removed from it, and those that are not will be added.
6. The item for editing the sbs-conf file in the nano editor has been removed from the 'sbs setup' menu.
7. Changed the menu command for editing and checking the config.json file from 'sbs edit' to
Code:
sbs config
8. The numbering of some of the choices provided by the script has been changed. Be careful when selecting options if you are used to their original numbering.
9. The names of variables in the sbs-conf file created by the script have been changed.
10. Several minor edits to the script code.


Due to the addition of new functionality and significant changes to the old one, you can update to version 1.5 only by reinstalling the script according to the following instructions:
1. Save your configuration file config.json from the /jffs/addons/sing-box-script directory somewhere safe.
2. Remove the previous version by running the command
Code:
sbs remove
in the router's command line.
3. Install version 1.5 by executing the following command in the router's command line:
Code:
wget -O /jffs/scripts/sbs https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sbs && chmod 775 /jffs/scripts/sbs && /jffs/scripts/sbs install
4. Modify your config.json configuration file to work with a single tun interface. You can use the new template of my configuration file as a sample, which was installed with version 1.5 of the script.
5. Place your modified config.json configuration file in the /jffs/addons/sing-box-script directory instead of the template.
6. Configure the script by running the
Code:
sbs setup
command in the router's command line.
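Item 4 above says the script orders its routing and NAT rules so that smaller subnets always take priority over larger ones, and the earlier ip rule output shows the same idea: per-host "lookup main" exceptions at priorities 78-88 sit ahead of the /24 "lookup 5553" rule at 89. The following is an added illustration of that ordering, not code from the sbs script: it takes subnets and hosts in any order and prints (dry-run, nothing is executed) ip rule commands with priorities assigned by prefix length; table number 5553 and starting priority 78 are taken from the post, the function names are my own.

```shell
# Constructed example: assign ip rule priorities so that more specific
# (longer-prefix) entries always come before less specific ones.

SBS_TABLE=5553    # table holding the sing-box routes (from the post)
BASE_PRIO=78      # first priority number, as in the posted ip rule output

# Prefix length of a CIDR; a bare address counts as /32.
prefix_len() {
    case "$1" in
        */*) echo "${1#*/}" ;;
        *)   echo 32 ;;
    esac
}

# Reads lines "<cidr> <table>" from stdin in any order and prints them
# sorted longest prefix first; equal prefixes keep their input order.
sort_by_specificity() {
    n=0
    while read -r cidr table; do
        [ -z "$cidr" ] && continue
        n=$((n + 1))
        printf '%s %s %s %s\n' "$(prefix_len "$cidr")" "$n" "$cidr" "$table"
    done | sort -k1,1nr -k2,2n | cut -d' ' -f3-
}

# Prints one "ip rule add" command per line with ascending priorities,
# so the most specific match is consulted first (dry-run: printed only).
gen_ip_rules() {
    prio=$BASE_PRIO
    sort_by_specificity | while read -r cidr table; do
        printf 'ip rule add from %s lookup %s priority %s\n' \
            "$cidr" "$table" "$prio"
        prio=$((prio + 1))
    done
}

# Sample input (constructed): the /24 is listed first, yet the per-host
# bypass entry must end up with the lowest priority number.
printf '%s\n' "192.168.50.0/24 $SBS_TABLE" \
              "192.168.50.52 main" \
              "192.168.50.0/25 $SBS_TABLE" | gen_ip_rules
```

Run it on the router with `sh` and pipe the output through `sh` only once the printed rules look right; the same ordering logic applies to the matching iptables NAT rules.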
Updated to version 1.5.
1) After starting, I have these errors:
+0000 2024-10-14 22:42:07 ERROR [2795013845 3.6s] inbound/tun[tunin]: dial tcp 10.0.0.1:443: connect: connection timed out
+0000 2024-10-14 22:42:26 ERROR [3834953 3.10s] inbound/tun[tunin]: dial tcp 10.0.0.1:443: connect: connection timed out
+0000 2024-10-14 22:42:29 ERROR [2851788221 3.6s] inbound/tun[tunin]: dial tcp 10.0.0.1:443: connect: connection timed out
+0000 2024-10-14 22:42:47 ERROR [2587242586 3.11s] inbound/tun[tunin]: dial tcp 10.0.0.1:443: connect: connection timed out
+0000 2024-10-14 22:42:50 ERROR [3931895058 3.6s] inbound/tun[tunin]: dial tcp 10.0.0.1:443: connect: connection timed out
+0000 2024-10-14 22:43:08 ERROR [807860283 3.11s] inbound/tun[tunin]: dial tcp 10.0.0.1:443: connect: connection timed out
+0000 2024-10-14 22:43:11 ERROR [1764975789 3.6s] inbound/tun[tunin]: dial tcp 10.0.0.1:443: connect: connection timed out
+0000 2024-10-14 22:43:29 ERROR [1928847714 3.9s] inbound/tun[tunin]: dial tcp 10.0.0.1:443: connect: connection timed out
Didn't have it in 1.3. Everything works correctly, but I would like to fix them.

2) Didn't measure on 1.3, but now speed dropped from 500 Mbps to 100 when download/upload in direct mode (without VPN). I assume the situation was similar with 1.3. Are there any ways to increase performance?

P.S. ASUS RT-AX58U Firmware version 3.0.0.4.388_25127 with entware on hdd.
Firmware version 3.0.0.4.388_25127
So you have stock firmware? Not Merlin? My script is designed for Merlin firmware and uses some of its features that are not available in the stock firmware, such as hook scripts. In any case, I suggest we discuss the problems in conversation.
So you have stock firmware? Not Merlin? My script is designed for Merlin firmware and uses some of its features that are not available in the stock firmware, such as hook scripts. In any case, I suggest we discuss the problems in conversation.
Merlin doesn't release firmware for my router, so I installed entware myself on an external HDD.