How to - Sending SSH commands to router from Vera (VPN On / Off)

I wanted to be able to send commands from Vera to my Asus Merlin router to control the VPN client connection.

Thanks to the posters in this thread and a couple of guys on the UK Smart Home Automation Group on Facebook who pointed me in the right direction.

After a lot of trial and error I now have it working, these are the steps.

  1. Vera needs to be able to communicate with the router via SSH without prompting for login authentication.

Following steps 1 and 2 on this post I was able to generate a public key from Vera.

To do this I used Putty SSH client on my Windows laptop and connected to Vera’s command terminal.

Run these two commands:

a) Generate SSH key

dropbearkey -t rsa -f ~/.ssh/id_dss

b) View SSH public key

dropbearkey -y -f ~/.ssh/id_dss
  2. I then copied the key to my clipboard and then went to the Asus router's admin page in a browser. Go to the Administration menu, then the System tab. Scroll down to the section titled Authorized Keys and paste your key into the box.

Example:

ssh-rsa Axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxE=

Under advisement from one of the guys I was talking to on Facebook, he recommended also setting:

Allow Password Login = NO
Enable SSH Brute Force Protection = YES

I have also set SSH access on the router to LAN ONLY.

  3. Test it works: go back to Putty and the SSH connection to the Vera command terminal and type the following command:

ssh -i ~/.ssh/id_dss -l admin 192.168.1.1 service stop_vpnclient5

Note: My VPN Client connection is on number 5; yours may be on 1, 2, 3 or 4, so check that. The IP address is the LAN IP address of your router.

If the command works it should say DONE and your VPN client on the router should then be turned OFF.

This is the command to turn it back on:

ssh -i ~/.ssh/id_dss -l admin 192.168.1.1 service start_vpnclient5

When prompted in Putty to save the router as a known device, select Yes.

  4. Make a change to Vera so the commands work via LUA code in your scenes or in PLEG.

First I had to do what was suggested here.

Basically in Putty connected to the Vera command terminal run these two commands:

rm -rf /.ssh
ln -s /root/.ssh /.ssh

  5. Test your commands in the Vera UI7 web GUI: go to the Apps menu, then Develop Apps, then Test Luup code (Lua).

In the code test window use these commands:

VPN OFF -

os.execute("ssh -y -i ~/.ssh/id_dss admin@192.168.1.1 service stop_vpnclient5")

VPN ON -

os.execute("ssh -y -i ~/.ssh/id_dss admin@192.168.1.1 service start_vpnclient5")

If the commands work in the Vera code test window and turn your VPN client connection on your router ON / OFF, then you can proceed.

  6. Create two Vera scenes, one for VPN Off and one for VPN On. Use the correct os.execute command as above in your scene: paste the command in the “Also, execute the following Luup code:” section of the scene and click the Save Lua button.

Test your scenes work by running them: does the VPN client connect / disconnect OK on your router?

  7. (Optional) I didn’t create Vera scenes as in step 6. I instead created a Virtual binary light device in Vera, tied that virtual switch being on or off into some PLEG logic (triggers), and then had my PLEG actions send the SSH commands to the router via LUA code. I won’t cover the full details of how I did that now.

I then added the Virtual switch for the VPN into the Imperihome mobile app as well.

Issues: The only thing I haven’t figured out now is that since adding Vera’s public key onto the router and turning off “Allow Password Login” for SSH on the router, on my Windows laptop I can no longer connect to the router via Putty or WinSCP. Perhaps I need to add another public key from those clients on my laptop to the router as well.

EDIT: It seems if I turn the “Allow Password Login” option back on on the router, I can once again log in to SSH from my Windows laptop using Putty or WinSCP, and the VPN On / Off still works OK via Vera, so maybe you can do both.


And here is the VPN virtual switch in the Imperihome mobile app.

There is a kill switch option in the Asus Merlin router firmware. Under the VPN client tab it’s called:

“Block routed clients if tunnel goes down” Yes or No

It’s probably a good idea to have this option set to Yes under normal operation.

However, if you want to turn this option off when you manually turn your VPN off via Vera, so your LAN clients can still access the internet, you can do the following:

Start an SSH session in Putty connecting to your router.

Set the appropriate NVRAM variable. First list the current values:

nvram show 2>/dev/null | grep -E "vpn_client[1-5]_enforce" | sort

So if they are all set to "0" (Block routed clients if tunnel goes down=NO), you can alter the setting.

e.g. to set ‘Block routed clients if tunnel goes down=YES’ for VPN Client 5 enter:

nvram set vpn_client5_enforce="1"
nvram commit

and to set ‘Block routed clients if tunnel goes down=NO’ for VPN Client 5 enter:

nvram set vpn_client5_enforce="0"
nvram commit

Once you are happy it’s working via Putty and you can see in the Asus router's admin page that the “Block routed clients if tunnel goes down” option is changing from Yes to No etc. (refresh the browser), you can edit your VPN scenes on Vera.

LUA Code for VPN On and “Block routed clients if tunnel goes down” On

os.execute("ssh -y -i ~/.ssh/id_dss admin@192.168.1.1 nvram set vpn_client5_enforce=1")
os.execute("ssh -y -i ~/.ssh/id_dss admin@192.168.1.1 nvram commit")
os.execute("ssh -y -i ~/.ssh/id_dss admin@192.168.1.1 service start_vpnclient5")

LUA Code for VPN Off and “Block routed clients if tunnel goes down” Off

os.execute("ssh -y -i ~/.ssh/id_dss admin@192.168.1.1 nvram set vpn_client5_enforce=0")
os.execute("ssh -y -i ~/.ssh/id_dss admin@192.168.1.1 nvram commit")
os.execute("ssh -y -i ~/.ssh/id_dss admin@192.168.1.1 service stop_vpnclient5")
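The two scene snippets above run three separate SSH sessions each and never look at whether any of them succeeded. Here is one helper that does the same job (an added example, not code from this thread): it chains the nvram change, the commit and the service command with && inside a single SSH session, checks the os.execute result and writes the outcome to the Vera log. The router address, admin user, key path and client number are the ones used in the thread; change them to match your setup.

```lua
-- Added example (not from the original post). Assumptions: dropbear ssh client
-- on Vera, key at /root/.ssh/id_dss, router user "admin" at 192.168.1.1,
-- VPN client number 5. Adjust ROUTER, KEY and CLIENT to your own setup.
local ROUTER = "admin@192.168.1.1"
local KEY    = "/root/.ssh/id_dss"
local CLIENT = 5

-- Run one command on the router in a single SSH session; true on exit status 0.
-- os.execute returns a number on Lua 5.1 (what Vera runs) and true/nil,"exit",code
-- on Lua 5.2+, so both return shapes are accepted.
local function router_exec(remote_cmd)
  -- -y: accept the router host key (dropbear client); -i: use the Vera key,
  -- so no password prompt is ever shown to the scene.
  local cmd = string.format("ssh -y -i %s %s '%s'", KEY, ROUTER, remote_cmd)
  local r1, _, r3 = os.execute(cmd)
  local ok = (r1 == 0) or (r1 == true and (r3 == nil or r3 == 0))
  luup.log(string.format("router_exec: %s -> %s", remote_cmd, ok and "OK" or "FAILED"))
  return ok
end

-- Turn VPN client CLIENT on or off together with the kill switch
-- ("Block routed clients if tunnel goes down" = vpn_clientN_enforce).
-- The three router commands are joined with && so the VPN service is only
-- started/stopped after the nvram change has actually been committed.
local function set_vpn(on)
  local enforce = on and 1 or 0
  local action  = on and "start" or "stop"
  local remote = string.format(
    "nvram set vpn_client%d_enforce=%d && nvram commit && service %s_vpnclient%d",
    CLIENT, enforce, action, CLIENT)
  if not router_exec(remote) then
    luup.log("set_vpn: router command failed, VPN state left unchanged")
    return false
  end
  return true
end

-- "VPN On" scene: set_vpn(true)   "VPN Off" scene: set_vpn(false)
set_vpn(true)
```

Because the helper returns false when SSH fails (for example after a firmware update wipes the .ssh symlink, as described later in this thread), a scene or PLEG action can react to that instead of silently assuming the VPN state changed.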

Thanks for the help on this thread to know how to do this.

Firmware version 1.7.4955 (7.31) on my Vera Plus broke this functionality.

Similar problem and a fix was discussed here.

To fix this I had to create the .ssh directory, set its permissions, generate a new SSH key and paste that into the Asus router's Administration → System tab under Authorized Keys.

Commands in Putty I needed to run on Vera:

Make new .ssh directory

mkdir /root/.ssh

Set permissions on the .ssh directory

chmod 700 /root/.ssh

Generate new SSH Key

dropbearkey -t rsa -f ~/.ssh/id_dss

View SSH Key

dropbearkey -y -f ~/.ssh/id_dss

To make the VPN commands work when run from Vera Lua code in your scenes:

rm -rf /.ssh
ln -s /root/.ssh /.ssh

Thanks for updating this. I use it all the time.


Yes. You can do both if you leave “allow password login” enabled. That would be my recommendation, assuming your password is strong.

If you ever get to the point where you use SSH a lot, then it makes sense to set up a second key: one from Putty on your desktop to the router and one from the Vera to the router. This makes login automatic and more secure.