Using sing-box on Asus routers with Merlin firmware.

Kyjiep

Regular Contributor
I created an sbtun interface using sing-box on my router RT-AX86U with firmware Merlin 3004.388.7. How can I route traffic from a device with the address 192.168.50.31, which is in the router's network, through this sbtun interface?
Sorry for my English.

Upd. I did it. To install and configure sing-box, simply run this command in the router console:
Code:
wget -O /jffs/scripts/sing-box_script-install https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sing-box_script-install && chmod 775 /jffs/scripts/sing-box_script-install && /jffs/scripts/sing-box_script-install
Please read the attached readme file first.
 

Attachments

  • readme.txt
    4.9 KB · Views: 3
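
An added example, not part of the original post or of the sing-box4asus project: the one-line install above downloads from a branch URL whose content can change and runs it as root immediately. This sketch stages the download, lets you review it, and installs it only if it matches a hash you pinned after review. `PINNED_SHA256` is a placeholder and the function names are hypothetical; `sha256sum` and `mktemp` are assumed to be available on the router.

```shell
#!/bin/sh
# Added example: stage, review and hash-pin an installer before running it as root.
URL="https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sing-box_script-install"
DEST="/jffs/scripts/sing-box_script-install"
# Placeholder: replace with the SHA-256 of the copy you actually reviewed.
PINNED_SHA256="REPLACE_WITH_REVIEWED_SHA256"

# Print the SHA-256 of a file (sha256sum is assumed to be present, e.g. from BusyBox).
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy $1 to $3 only if its hash equals $2; never leaves an unverified file at $3.
install_if_pinned() {
    src="$1"; want="$2"; dest="$3"
    [ -s "$src" ] || { echo "empty or missing download" >&2; return 1; }
    got="$(file_sha256 "$src")"
    if [ "$got" != "$want" ]; then
        echo "hash mismatch: got $got" >&2
        return 1
    fi
    # 755 rather than the thread's 775: no group write on a script that root executes.
    cp "$src" "$dest.tmp" && chmod 755 "$dest.tmp" && mv "$dest.tmp" "$dest"
}

# Download to a staging file; nothing is executed here.
fetch_staged() {
    staged="$(mktemp)" || return 1
    wget -q -O "$staged" "$1" || { rm -f "$staged"; return 1; }
    echo "$staged"
}

case "${1:-}" in
    fetch)   fetch_staged "$URL" ;;   # prints the staging path so the file can be read first
    install) install_if_pinned "${2:-}" "$PINNED_SHA256" "$DEST" && "$DEST" ;;
esac
```

Run it with `fetch`, read the staged file, record its hash in `PINNED_SHA256`, then run `install <staged-path>`.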
Routes are destination IP based, not source IP based. So if the IPs you would like to access via the sbtun interface are one or more unique confined ranges, you could just add a route in the main route table. All LAN could then access these IPs/ranges via the sbtun interface.

If you plan on accessing i.e. the internet (all IPs) via this interface only from a specific LAN IP, you will need to set up a new routing table and create ip rules that only your LAN IP will use. It gets a tad more messy.
 
Thank you. I already figured this out using ChatGPT, and with its help I even made the corresponding script. It works as I wanted. There are some minor flaws that I couldn't eliminate, but I'm happy with it anyway. Later I will translate the readme into English and upload it here along with the script.
 
My script for running sing-box on Asus routers with Merlin firmware. I have not found other methods on the Internet. It is primitive, but it works. I am not a programmer, and I made this script using ChatGPT. I would be glad to see any improvements from those who know how to make scripts.
You can download the archive with everything you need at https://github.com/Dr4tez/my_domains/raw/main/sing-box-script+readme.zip. I understand that the archive will cause mistrust in many. But I initially did everything in the archive, because in this form everything is simpler and faster, and I have to write fewer instructions. The archive contains readme.txt and a nested archive, which contains a script, sing-box and a sample of my config.json. First, read readme.txt, then do everything according to it.

Upd. The download link for the archive no longer works. Installation and configuration via commands in the router console are already available.
Code:
wget -O /jffs/scripts/sing-box_script-install https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sing-box_script-install && chmod 775 /jffs/scripts/sing-box_script-install && /jffs/scripts/sing-box_script-install
 
I checked your script quickly and from what I understand it creates a new routing table with only a default route in it. Nothing else. Then points one IP to use this table.

The problem I see is that any local routes (i.e. to guest wifi or other stuff) will not be present in this table, and even if it does not create problems for you right now, it probably will for others. I would propose to use PRIO to set the ip rule priority and use a "from all lookup main suppress_prefixlength 0" rule with higher priority.

This is how WireGuard's userspace tool does it on Ubuntu:

$ ip rule
Code:
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default

The usage of suppress_prefixlength 0 is available on our routers and would give a routing improvement for your script, I believe.

Edit: Oh, and another thing... your router may flush all firewall rules and rebuild them on various events. In order to make sure the firewall rules continue to work over time, they would need to be re-applied in the firewall-start hook script https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts#firewall-start
 
Now I’m reworking the script so that it automatically finds the desired directory on the Entware flash drive, downloads the sing-box archive from the developer’s GitHub, unzips it, and creates the necessary subdirectories and files.
By the way, initially you can specify several IPs in the script, not just one.
I don’t plan to solve the problem of access from guest wi-fi yet, maybe in the future, this is not such a priority issue, I don’t even know.
Now I still didn’t understand anything about PRIO.
But I will solve the problem with the firewall rules as quickly as possible.
Thanks for the advice.
There is one strange thing: in the list of processes it is indicated that the sing-box process uses 1227m of RAM, but in the web interface of the router it shows that more than 500 MB of 1024 are free and swap is not used. This does not seem to cause problems, but it confuses me.
As I already said, I'm not a programmer and don't know much about scripts. So this is somewhat difficult for me, even using chatGPT, which also gets things wrong sometimes.
 
I don’t plan to solve the problem of access from guest wi-fi yet, maybe in the future, this is not such a priority issue, I don’t even know.
Now I still didn’t understand anything about PRIO.
I understand, but it's a quite easy fix, just add it after adding the other rules so it gets added last:
Like:
Code:
for IP in $DEVICE_IPS; do
    echo "Adding routing rule for $IP..."
    ip rule add from $IP table $ROUTE_TABLE
done
ip rule add from all lookup main suppress_prefixlength 0

And also remove it before the others:
Code:
ip rule del from all lookup main suppress_prefixlength 0
for IP in $DEVICE_IPS; do
    echo "Removing routing rule for $IP..."
    ip rule del from $IP table $ROUTE_TABLE
done

You can list your rules by
Code:
ip rule
You see the priority numbers and rules are processed in order from low number to high number. You can specify the priority number when adding a rule, like:
Code:
ip rule add from all lookup main suppress_prefixlength 0 prio 32764

and then you can easily remove it by:
Code:
ip rule del prio 32764


Now I’m reworking the script so that it automatically finds the desired directory on the Entware flash drive, downloads the sing-box archive from the developer’s GitHub, unzips it, and creates the necessary subdirectories and files.
That's great! Perhaps it's time to move this thread to the Addons section?
 
That's great! Perhaps it's time to move this thread to the Addons section?
Maybe. How to do it? Although it is far from an addon, just a small script for now. But maybe there will be more specific help there. I do not have enough free time to study scripting, support the project, and especially take into account the wishes of other people. I will be making the necessary changes for quite a long time.
There is another serious problem. When I run sing-box from the command line, it works until I close the command line. I found out that after closing it, the output of the command
Code:
ip route show table 222
disappears, for which the command
Code:
ip route add default dev sbtun table 222
is responsible. The rest of the changes made by the script are saved after closing the command line. But the script stops working correctly. How can this be solved?
 
I would assume the route disappears because the interface sbtun does not exist anymore? Could you confirm this using i.e. "ifconfig sbtun"?

Perhaps some more information relevant to merlin fw here https://www.snbforums.com/threads/struggling-to-write-a-non-killable-process.62455/post-556998
The rest of the changes made by the script are saved after closing the command line.
The sbtun interface exists after closing the command line. There are also rules like
Code:
from 192.168.50.31 lookup 222
and created firewall rules. And the sing-box process continues its work.
 
The sbtun interface exists after closing the command line
Hmm, OK. Weird...

Now that I think of it, both fw and other VPN managers (like Wireguard Session Manager) do not use a default route in the policy tables. Instead they use 0.0.0.0/1 & 128.0.0.0/1. I wonder if that is the reason something like that happens?

What if you replace
Code:
ip route add default dev $TUN_INTERFACE table $ROUTE_TABLE
With
Code:
ip route add 0.0.0.0/1 dev $TUN_INTERFACE table $ROUTE_TABLE
ip route add 128.0.0.0/1 dev $TUN_INTERFACE table $ROUTE_TABLE

You would also need to make the same change for removing the rules
Change
Code:
ip route del default dev $TUN_INTERFACE table $ROUTE_TABLE
To
Code:
ip route del 0.0.0.0/1 dev $TUN_INTERFACE table $ROUTE_TABLE
ip route del 128.0.0.0/1 dev $TUN_INTERFACE table $ROUTE_TABLE

Would that make any difference?
 
This doesn't change anything. I suspect that when I close the command line the 222 routing table itself disappears.
I wouldn't think so. You could test this by adding some route manually, i.e.
Code:
ip route add 10.11.12.13 dev br0 table 222
Then log out and back in and check that it's still there. It is for me.

More likely your sbtun interface goes down and up again, even if only briefly. When an interface goes down, its associated routes are also removed.

Starting the interface outside of the shell session might solve this, like in firewall-start or a cron job.

Another solution would be to re-add the routes periodically in a cron job. But since it's not running continuously you could expect some minutes of outages.
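
An added example, not the thread author's script: the advice from the replies above (explicit rule priorities, the `suppress_prefixlength 0` rule, the 0.0.0.0/1 and 128.0.0.0/1 routes, and re-applying after the interface or firewall is reset) combined into one script that is safe to run repeatedly. `sbtun`, table 222 and 192.168.50.31 come from the thread; the priority values, the `IP_BIN` override and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not the thread author's script): idempotent per-device policy routing.
# sbtun, table 222 and 192.168.50.31 come from the thread; the priorities are assumptions.
IP_BIN="${IP_BIN:-ip}"   # overridable so the logic can be exercised without root
TUN_INTERFACE="${TUN_INTERFACE:-sbtun}"
ROUTE_TABLE="${ROUTE_TABLE:-222}"
DEVICE_IPS="${DEVICE_IPS:-192.168.50.31}"
PRIO_MAIN=32000          # "main table minus its default route" rule, evaluated first
PRIO_DEV=32001           # per-device rules, evaluated right after it

# Delete every rule at one priority; repeated runs may have left more than one.
flush_prio() {
    while $IP_BIN rule del prio "$1" 2>/dev/null; do :; done
}

apply_policy() {
    # Do not point rules at an interface that does not exist (sing-box not running).
    $IP_BIN link show dev "$TUN_INTERFACE" >/dev/null 2>&1 || return 1
    # "replace" creates or overwrites, so a re-run restores routes lost when sbtun flapped.
    $IP_BIN route replace 0.0.0.0/1 dev "$TUN_INTERFACE" table "$ROUTE_TABLE" || return 1
    $IP_BIN route replace 128.0.0.0/1 dev "$TUN_INTERFACE" table "$ROUTE_TABLE" || return 1
    flush_prio "$PRIO_MAIN"; flush_prio "$PRIO_DEV"
    # Local and guest subnets keep resolving through main; only its default route is skipped.
    $IP_BIN rule add from all lookup main suppress_prefixlength 0 prio "$PRIO_MAIN"
    for IP in $DEVICE_IPS; do
        $IP_BIN rule add from "$IP" table "$ROUTE_TABLE" prio "$PRIO_DEV"
    done
}

remove_policy() {
    flush_prio "$PRIO_MAIN"; flush_prio "$PRIO_DEV"
    $IP_BIN route flush table "$ROUTE_TABLE" 2>/dev/null
    return 0
}

case "${1:-}" in
    start) apply_policy ;;
    stop)  remove_policy ;;
esac
```

Calling it with `start` from firewall-start and from a cron job covers both the firewall rebuild and the interface restart cases discussed above. While table 222 is empty, the per-device rule matches no route and the lookup falls through to the main table, so that device's traffic uses the normal WAN route until the routes are restored.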
 
I have made some improvements to the script.
1. Added a command to restart the script. (See readme.txt in the archive)
2. Added automatic creation of system scripts firewall-start and services-start, as well as checks for their existence, automatic addition and deletion of records and rules in them, as well as checks for their existence, to prevent their duplication. This is necessary to prevent sudden incorrect termination of the script during some events in the system, as well as for the correct autostart of the script when the router is rebooted.
3. Added a check for the existence of the sing-box process to prevent duplication of some functions. Now, when you try to run the script twice in a row, it will not allow it.
4. Fixed the found errors.
You can download the updated archive using the same link as before https://github.com/Dr4tez/my_domains/raw/main/sing-box-script+readme.zip
 
I wouldn't think so. You could test this by adding some route manually, I.e
Yes, you are right, rules can still be added...
Here's what I noticed: if after starting the script from the console, close this console window, then open it again and execute the command
Code:
ip route add default dev sbtun table 222
, then the script starts working correctly again. And it works correctly even after closing this console window.
 
That's great! Perhaps it's time to move this thread to the Addons section?
Maybe. How to do it? Although it is far from an addon, just a small script for now. But maybe there will be more specific help there.
You would just ping a moderator, like @thiggins and ask him to move the thread to the asuswrt-merlin addons section. I think this fits better there.

I do not have enough free time to study scripting, support the project, and especially take into account the wishes of other people. I will be making the necessary changes for quite a long time.
It could be whatever you want it to be. If you choose to just leave it as it is, then that's great too!
 
I did it. To install and configure sing-box, simply run this command in the router console:
Code:
wget -O /jffs/scripts/sing-box_script-install https://raw.githubusercontent.com/Dr4tez/sing-box4asus/main/sing-box_script-install && chmod 775 /jffs/scripts/sing-box_script-install && /jffs/scripts/sing-box_script-install
Please read the attached readme file first.
 

Attachments

  • readme.txt
    4.9 KB · Views: 3
