Here are the instructions, apologies for the delay in posting them!
Instructions for AR150:
This set of scripts will properly configure the switch on your router to enable/disable the VPN, sync the LEDs to the VPN status, and sync the VPN status and LEDs to the switch position on reboot. I get no DNS leak with this configuration; the DNS is properly tunneled when the VPN is enabled.
YOU MUST BE ON FIRMWARE 2.25
1.) SSH into your router and upload vpn.zip to the / directory (the root directory of the router)
2.) cd into / and extract the contents of vpn.zip
3.) You should end up with a folder located at /vpn/ containing files such as /vpn/BTN_8, /vpn/up, /vpn/down, /vpn/config.sh and some others
4.) Perform a chmod +x on /vpn/config.sh
5.) cd into the /vpn/ directory
6.) run config.sh (type ./config.sh)
7.) Modify /vpn/network and /vpn/dhcp and change all instances of DNSHERE to the IP of the custom DNS server you want to use when the VPN is connected and all instances of SECONDDNSHERE to the IP of the secondary custom DNS server you want to use when the VPN is connected
After performing these steps your router will be properly configured. The switch will now enable the VPN and custom DNS when switched to the right, and disable the VPN and custom DNS and return to DHCP when switched to the left. When the router is rebooted the position of the switch determines whether the VPN is enabled or disabled. Whenever the VPN is enabled the middle green LED is on; whenever the VPN is disabled the red LED is on instead. The lights are synced to the switch each time the switch is flipped and also whenever the router is rebooted, so the switch, LEDs, and VPN will always be in sync.
You can use a public DNS such as Google DNS (8.8.8.8 and 8.8.4.4) for DNSHERE and SECONDDNSHERE in your /vpn/network and /vpn/dhcp files or you can use a private DNS that is only accessible when connected to the VPN (such as 172.0.0.2 and 172.0.0.3)
When connected to the VPN, all DNS requests tunnel through the VPN using the custom DNS servers; when not connected to the VPN, the router uses the default DNS provided by DHCP.
With some simple changes you can configure the router to also use custom DNS when the VPN is disconnected if you don’t want to use the DNS assigned via DHCP.
When you connect to the VPN, /etc/config/network and /etc/config/dhcp get replaced by /vpn/network and /vpn/dhcp.
When you disconnect from the VPN, the /etc/config/network and /etc/config/dhcp files get replaced by /vpn/network.good and /vpn/dhcp.good.
The /vpn/network.good and /vpn/dhcp.good files are configured to use DNS via DHCP, so if you want to use custom DNS servers when the VPN is disconnected instead of the default DNS provided by DHCP, you will need to modify two files:
Modify the /vpn/network.good and add the following lines to the wan and wwan interface configs, replacing the DNSHERE and SECONDDNSHERE with the custom DNS you want to use when the VPN is disconnected:
option custom_dns '1'
option dns 'DNSHERE SECONDDNSHERE'
Then modify /vpn/dhcp.good and add the following lines to the dnsmasq config, replacing the DNSHERE and SECONDDNSHERE with the custom DNS you want to use when the VPN is disconnected:
list server 'DNSHERE'
list server 'SECONDDNSHERE'
option noresolv '1'
After you have made these modifications the router will use your custom DNS settings from /vpn/network.good and /vpn/dhcp.good whenever the VPN is disconnected.
You can use different custom DNS settings for when the VPN is connected and for when it is disconnected.
The DNSHERE and SECONDDNSHERE in your /vpn/network.good and /vpn/dhcp.good do not have to be the same servers as you have in /vpn/network and /vpn/dhcp, so you can use one set of custom DNS servers when the VPN is connected and a different set of custom DNS servers when the VPN is disconnected.
You can add your VPN configuration file to the router at anytime and you can connect the router to the internet at anytime. Changing the .ovpn file or source of the router’s internet (WiFi, ethernet, etc) will not affect the switch functionality. The switch enables/disables whatever .ovpn file is configured and doesn’t care about how the router is connected to the internet.
Just make sure that if you’ve been using an .ovpn file and have private custom DNS servers set in /vpn/network and /vpn/dhcp that are only accessible when the VPN is connected, that if you change to a new .ovpn file you need to make sure to update your /vpn/network and /vpn/dhcp files with custom DNS that the new .ovpn configuration can access. If you are using public custom DNS for the VPN such as Google DNS (8.8.8.8 and 8.8.4.4) and want your .ovpn configuration to always use that custom DNS, then you won’t need to modify anything when you change to a new .ovpn configuration because all .ovpn files will use that DNS. You only need to worry about updating the custom DNS if you change to an .ovpn file that can’t access the DNS you were previously using.
Also, the reason the setvpnfirewall script is being replaced in config.sh is because the -- in front of options such as --disable was not working. It was not correctly reading the parameter when I used the -- in my up and down scripts, so I modified the setvpnfirewall script to look for arguments such as disable and force instead of --disable and --force.
The zip file containing everything you need is attached.
The final functionality is as follows:
When the router is already powered on and running
Moving the switch to the RIGHT calls a script to enable the VPN and set custom DNS servers
Moving the switch to the LEFT calls a script to disable the VPN and use DHCP for DNS
LED status syncs with switch position
When the router reboots
A script detects the position of the switch
If the switch is to the RIGHT a script is called to enable the VPN and set custom DNS servers
If the switch is to the LEFT a script is called to disable the VPN and use DHCP for DNS
LED status syncs with switch position
LED status
Whenever the switch is toggled or the router reboots the LED status updates to sync with the switch position
The LED for wan (green, on the left) is always on whenever the router has power
The LED for lan (green, in the middle) is only on whenever the switch is to the RIGHT
The LED for wlan (red, on the right) is only on whenever the switch is to the LEFT
The middle LED (lan) and right LED (wlan) are never on at the same time
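As an added illustration of the behaviour listed above, of the /vpn file swap described earlier, and of the --disable argument problem, here is a small POSIX sh script that is not part of the zip or the original post. It takes the /vpn directory, the config directory and the LED directory as parameters so it can be dry-run against temporary directories. The switch-value file and its 0/1 encoding (0 = LEFT, 1 = RIGHT), the sysfs-style LED tree with "lan" and "wlan" entries, and the enable/disable argument names are assumptions, not the post's own scripts.

```shell
#!/bin/sh
# Added example, not from the original post or the zip: mirror the
# switch -> config -> LED logic. Paths are parameters so it can be run
# against temp directories. Assumptions: the switch file holds 0 (LEFT)
# or 1 (RIGHT); LEDs are sysfs-style <ledsdir>/<name>/brightness with the
# names "lan" (middle, green) and "wlan" (right, red).

# Accept both "--disable" and "disable" by stripping a leading "--".
normalize_arg() {
    case "$1" in
        --*) printf '%s\n' "${1#--}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Map the switch file contents to left/right; anything else is an error.
read_switch() {
    pos=$(tr -d ' \n' < "$1")
    case "$pos" in
        1) echo right ;;
        0) echo left ;;
        *) echo "unknown switch value '$pos'" >&2; return 1 ;;
    esac
}

# set_leds <ledsdir> <lan> <wlan>: 1 = on, 0 = off. Both are always written
# together, so the middle and right LEDs can never both be on.
set_leds() {
    printf '%s\n' "$2" > "$1/lan/brightness"
    printf '%s\n' "$3" > "$1/wlan/brightness"
}

# apply_mode <enable|disable> <vpndir> <cfgdir> <ledsdir>
apply_mode() {
    mode=$(normalize_arg "$1")
    case "$mode" in
        enable)   # VPN on: custom-DNS configs go live, middle LED on
            cp "$2/network" "$3/network" && cp "$2/dhcp" "$3/dhcp" || return 1
            set_leds "$4" 1 0 ;;
        disable)  # VPN off: .good (DHCP DNS) configs restored, right LED on
            cp "$2/network.good" "$3/network" && cp "$2/dhcp.good" "$3/dhcp" || return 1
            set_leds "$4" 0 1 ;;
        *) echo "usage: apply_mode enable|disable vpndir cfgdir ledsdir" >&2; return 2 ;;
    esac
}

# sync_to_switch <switchfile> <vpndir> <cfgdir> <ledsdir>: the boot-time
# path, derive the mode from the switch position and apply it.
sync_to_switch() {
    case "$(read_switch "$1")" in
        right) apply_mode enable  "$2" "$3" "$4" ;;
        left)  apply_mode disable "$2" "$3" "$4" ;;
        *)     return 1 ;;
    esac
}

# Constructed stand-in for the router's file layout (contents are dummies).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/vpn" "$d/etc/config" "$d/leds/lan" "$d/leds/wlan"
    printf "option dns '8.8.8.8 8.8.4.4'\n" > "$d/vpn/network"
    printf "list server '8.8.8.8'\n"        > "$d/vpn/dhcp"
    printf "option proto 'dhcp'\n"          > "$d/vpn/network.good"
    printf "config dnsmasq\n"               > "$d/vpn/dhcp.good"
    printf '%s\n' "$d"
}

# Dry run: switch to the RIGHT, then report which LED is lit.
fx=$(make_fixture)
printf '1\n' > "$fx/switch"
sync_to_switch "$fx/switch" "$fx/vpn" "$fx/etc/config" "$fx/leds"
echo "lan=$(cat "$fx/leds/lan/brightness") wlan=$(cat "$fx/leds/wlan/brightness")"
rm -rf "$fx"
```

On a real router the three directory arguments would be /vpn, /etc/config and the LED tree, and a service reload would follow the file copy; the point of keeping the copy and the LED write in one function is that the files, the lights and the switch cannot drift apart, which is the property the list above describes.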
Other Models
This works flawlessly on my AR150 and the same solution should work on other GLI models also. I’m sure the network, dhcp and setvpnfirewall files are different for some of the other routers or firmware, but you can clone this pretty easily by replacing the /vpn/network.good and /vpn/dhcp.good and the /vpn/network and /vpn/dhcp files with the default /etc/config/network and /etc/config/dhcp files from the router you are using, and then replacing the /vpn/setvpnfirewall script with the default one from the router you are using.
Then modify the new /vpn/network and add the following lines to the wan and wwan interface configs, replacing the DNSHERE and SECONDDNSHERE with the custom DNS you want to use when the VPN is connected:
option custom_dns '1'
option dns 'DNSHERE SECONDDNSHERE'
Then modify the new /vpn/dhcp and add the following lines to the dnsmasq config, replacing the DNSHERE and SECONDDNSHERE with the custom DNS you want to use when the VPN is connected:
list server 'DNSHERE'
list server 'SECONDDNSHERE'
option noresolv '1'
Then modify the new /vpn/setfirewallvpn to remove the -- from in front of --disable, --force, etc. like in the original /vpn/setfirewallvpn. Those simple changes should make it work for the other routers or firmware.
I’ll answer any questions I can, hope this helps!
(There are two zip files attached because the forum wouldn’t let me delete the original upload. They are almost identical, but the first one contains the original glddnsupdater.sh file. I removed this file from my router to prevent calling out to update the dynamic DNS but left it in the zip file in case I wanted to restore it at some point. The second zip file does not include this file. This file plays no part in the switch functionality.)