Enable/Disable VPN Client on ASUS Router With Physical Switch

by whs92 in Circuits > Remote Control

385 Views, 1 Favorites, 0 Comments

Enable/Disable VPN Client on ASUS Router With Physical Switch

complete.jpg
packet_intercept.jpg

I found out the REST API used by my ASUS router and then configured a Pico W board to send commands to the router to enable or disable a VPN client.

This allows guests in the house to easily switch between the UK and DE WLAN being provided by the router. A chromecast is connected to this WLAN and so the switch allows us to switch between different countries which is handy when we want to watch something only available in the UK one day or only in DE the next.

It's possible to do all of this with an app, but this is annoying to have to ask people to download and install if I am not there. A physical switch is a lot easier.

This idea could be applied to other smart devices provided they also use an API which can be intercepted.

Supplies

  • Pico W
  • 100 Ohm resistor x2
  • red/green LED
  • Switch
  • Housing
  • ASUS router with Merlin installed
  • VPN service provider

Discover Router API

sniffer_config.jpg
asus_app_vpn.jpg
packet_intercept.jpg

We need to know the HTTP requests to send to the router to perform the following actions:

  1. Find status of VPN client, on or off
  2. Enable VPN Client
  3. Disable VPN Client

ASUS routers have an app which let's us control the device remotely. Commands are sent from the device running the app to the router over http and can be intercepted. To intercept the messages from the device running the app we use a tool like PCAPdroid. I was inspired by this blog

To find each instruction you have to first:

  • Have a vpn client set up on the router (see instructions here for nord vpn/asus/merlin) you will need account details for the vpn provider. I will refer to these later as "vpn_user" and "vpn_pass".
  • Install the asus router app on your phone. Be connected to the same network as the router. Log in to the router with admin account. I will refer to this account as "router_admin" and "router_pass".
  • Install the PCAPdroid app or similar on the same device.

Now you can prime the PCAPdroid app to only log traffic from the asus router app and tell it to start logging. After that take an action in the asus router app and then look at the http traffic. In the images shown here I am showing the traffic resulting from disabling the vpn client.

The HTTP traffic then has to be parsed and decoded to get the string that can be sent later by our device. You can use a parser like this to parse the HTTP request.

For example the following HTTP is taken from the PCAPdroid app after a request to disable the VPN client.

%7B+%22vpnc_proto%22%3A+%22disable%22%2C+%22vpnc_pptp_options_x%22%3A+%22%22%2C+%22vpn_clientx_eas%22%3A+%22%22%2C+%22vpn_client_unit%22%3A+%22%22%2C+%22vpnc_pppoe_username%22%3A+%22%22%2C+%22vpnc_pppoe_passwd%22%3A+%22%22%2C+%22vpnc_heartbeat_x%22%3A+%22%22%2C+%22action_mode%22%3A+%22apply%22+%7D


It get's parsed to the following string

{ "vpnc_proto": "disable", "vpnc_pptp_options_x": "", "vpn_clientx_eas": "", "vpn_client_unit": "", "vpnc_pppoe_username": "", "vpnc_pppoe_passwd": "", "vpnc_heartbeat_x": "", "action_mode": "apply" }


Test the API

Next we will test the API calls using the python library requests.

See this notebook for details: https://github.com/whs92/router_control/blob/main/dev/router.ipynb



Write Some Code to Run on Pico W

We want to be able to send the requests using the API we've discovered to the router when a switch is pressed. We'd also like an LED to indicate whether the VPN is enabled or not.

The application should:

  1. Log in to the wifi network of the router
  2. Log in to the router using the admin credentials
  3. Poll the status of the vpn client
  4. Poll the status of a switch
  5. If the switch and the vpn client are in different states, change the state of the vpn client so that they are in the same state.
  6. If the VPN client is enabled make an LED light in green, if it's off in red

Here is some micro python that achieves that. If you wanted to use this you'd have to provide your own passwords and VPN client number.

Upload to Pico W

Save the file as main.py and then upload the project to the Pico W

Wire an LED and a Swith to the Pico W

housing1.jpg
wiring.jpg
  1. Wire a red/green LED through two 100 Ohm resistors on the anodes to GPIO pins 2 and 3
  2. Connect the common ground of the LED to a ground pin of the Pico W
  3. Wire one terminal of a switch to another ground pin of the Pico W and the other terminal to GPIO 14


Put Everything in a Housing

housing2.jpg
housing3.jpg
housing3.jpg

Mount the Pico W in the housing after cutting a hole for the micro USB connector. Use a sticky pad to attach it.

Mount the LED and the switch. Close everything up

Plug It in and Test That VPN Is Correctly Switched

Connect the Pico W to power and wait for it to connect to the WLAN. Test that changing the switch will enable or disable the VPN client.