I have mine configured as rc.local, but it's roughly the same thing. I have a couple of things in here: installing speedtest for testing directly on the router, and policy-based routing out a VPN, with checks added to make sure it's up.
#!/bin/ash
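# === Speedtest CLI: persistent install ===
# Installs the Ookla speedtest binary once. This script runs as root, so
# whatever the URL serves ends up being executed as root on the router.
SPEEDTEST_BIN="/usr/bin/speedtest"
SPEEDTEST_DIR="/cfg/speedtest"
SPEEDTEST_URL="https://install.speedtest.net/app/cli/ookla-speedtest-1.2.0-linux-$(uname -m).tgz"
# Fixed download path, so a retry overwrites the archive instead of leaving
# several files for a glob to pick from.
SPEEDTEST_TGZ="$SPEEDTEST_DIR/${SPEEDTEST_URL##*/}"
# Optional pin (placeholder, empty by default): SHA-256 of an archive you have
# verified yourself. When empty, the checksum step is skipped.
SPEEDTEST_SHA256=""

# A failed install only prints an error; the rest of the script still runs.
if [ -f "$SPEEDTEST_BIN" ]; then
  echo "Speedtest already installed."
else
  echo "Speedtest not found, downloading..."
  mkdir -p "$SPEEDTEST_DIR"
  if ! wget -q -O "$SPEEDTEST_TGZ" "$SPEEDTEST_URL"; then
    echo "Error: Speedtest download failed!" >&2
    rm -f -- "$SPEEDTEST_TGZ"
  elif [ -n "$SPEEDTEST_SHA256" ] &&
    [ "$(sha256sum "$SPEEDTEST_TGZ" | cut -d' ' -f1)" != "$SPEEDTEST_SHA256" ]; then
    # Never unpack or install an archive that does not match the pin.
    echo "Error: Speedtest archive checksum mismatch, not installing!" >&2
    rm -f -- "$SPEEDTEST_TGZ"
  elif ! tar -xzf "$SPEEDTEST_TGZ" -C "$SPEEDTEST_DIR"; then
    echo "Error: Speedtest archive extraction failed!" >&2
  elif [ -f "$SPEEDTEST_DIR/speedtest" ]; then
    mv "$SPEEDTEST_DIR/speedtest" "$SPEEDTEST_BIN"
    chmod +x "$SPEEDTEST_BIN"
    echo "Speedtest installed successfully."
  else
    echo "Error: Speedtest binary not found after extraction!"
  fi
fi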
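# === WireGuard Interface ===
# Creates the wg0 interface section once, then commits and brings it up.
# NOTE(review): the empty values (private key, addresses, DNS, peer public key,
# endpoint host) appear to have been blanked before posting; fill them in
# before use.
# The private key sits in clear text in this script, so keep the file owned by
# root and unreadable by other users.
if ! uci show network | grep -q "^network.wg0="; then
  uci set network.wg0='interface'
  uci set network.wg0.proto='wireguard'
  # Plain ASCII quotes: the posted line carried a typographic ’ here, which
  # leaves a quote open and breaks parsing of everything after it.
  uci set network.wg0.private_key=''
  uci set network.wg0.addresses=''
  uci set network.wg0.peerdns='0'
  uci add_list network.wg0.dns=''
fi

# === WireGuard Peer ===
# The pattern below contains the (blanked) public key, so the peer is added
# only when no peer with that key is configured yet.
# allowed_ips lists IPv4 only: IPv6 traffic is not sent through this peer.
if ! uci show network | grep -q "network.@wireguard_wg0.*.public_key=''"; then
  uci add network wireguard_wg0
  uci set network.@wireguard_wg0[-1].public_key=''
  uci set network.@wireguard_wg0[-1].allowed_ips='0.0.0.0/0'
  uci set network.@wireguard_wg0[-1].endpoint_host=''
  uci set network.@wireguard_wg0[-1].endpoint_port='51820'
  uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
fi

uci commit network
/etc/init.d/network reload
ifup wg0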
# === Firewall Zone for WireGuard ===
# Defines the wg0 zone when it is missing: masquerading and MSS clamping on,
# forwarding rejected by default.
# NOTE(review): input is ACCEPT, so services listening on the router are
# reachable from the tunnel side; confirm that is intended for this peer.
uci show firewall | grep -q "firewall.wg0_zone" || {
  uci set firewall.wg0_zone="zone"
  uci set firewall.wg0_zone.name="wg0"
  uci set firewall.wg0_zone.network="wg0"
  uci set firewall.wg0_zone.input="ACCEPT"
  uci set firewall.wg0_zone.output="ACCEPT"
  uci set firewall.wg0_zone.forward="REJECT"
  uci set firewall.wg0_zone.masq="1"
  uci set firewall.wg0_zone.mtu_fix="1"
}

# Also attaches wg0 to the zone at index 2.
# NOTE(review): the index is positional; verify which zone it is on your
# router, since wg0 then inherits that zone's policy as well.
uci get firewall.@zone[2].network | grep -q 'wg0' ||
  uci add_list firewall.@zone[2].network='wg0'

# === Custom Firewall Rule ===
# Rejects traffic from a given source zone/address towards wan.
# NOTE(review): the grep pattern, rule name, src and src_ip look blanked. An
# empty pattern matches every line, so as posted this rule is never created;
# restore the rule name in the pattern and the three values before relying on
# it.
uci show firewall | grep -q "" || {
  uci add firewall rule
  uci set firewall.@rule[-1].name=''
  uci set firewall.@rule[-1].src=''
  uci set firewall.@rule[-1].src_ip=''
  uci set firewall.@rule[-1].dest='wan'
  uci set firewall.@rule[-1].proto='all'
  uci set firewall.@rule[-1].target='REJECT'
  uci set firewall.@rule[-1].enabled='1'
}

uci commit firewall
/etc/init.d/firewall restart
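# === Routing Table and Rules ===
# Policy routing: traffic sourced from 10.14.66.0/24 uses table wgroute, whose
# only route is a default via wg0; traffic to 10.14.1.0/24 stays on main.
# Each step is guarded so re-running the script does not stack duplicates.
if ! grep -q "wgroute" /etc/iproute2/rt_tables; then
  echo "200 wgroute" >> /etc/iproute2/rt_tables
fi

# If wg0 is down this add fails and the table stays empty; lookups then fall
# through to the main table. Presumably the firewall rule towards wan is what
# prevents a leak in that case - verify it is actually present.
if ! ip route show table wgroute | grep -q "^default"; then
  ip route add default dev wg0 table wgroute
fi

# `ip rule` prints the table as "lookup NAME", never "table NAME". Matching on
# "table wgroute" could not succeed, so the rule was re-added on every run.
if ! ip rule | grep -q "from 10.14.66.0/24.*lookup wgroute"; then
  ip rule add from 10.14.66.0/24 table wgroute priority 300
fi

if ! ip rule | grep -q "to 10.14.1.0/24.*lookup main"; then
  ip rule add to 10.14.1.0/24 lookup main
fi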
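# === VPN Route Checker Script ===
# Writes the cron-driven checker to /root. The quoted 'EOF' keeps every $
# literal, so the variables are expanded when the checker runs, not here.
cat << 'EOF' > /root/vpn-route-check.sh
#!/bin/ash
# Asks ipinfo.io which city the VPN-side source address exits from, and
# re-installs the default route and source rule of the VPN table when the
# answer is not the expected city. An empty answer counts as a mismatch.
# NOTE(review): the lookup is plain HTTP, so the answer is unauthenticated;
# treat a match as a hint, not as proof that traffic is tunnelled. Consider
# https:// if curl on the router has CA certificates installed.
INTERFACE="10.14.66.1"
SOURCE_NET="10.14.66.0/24"
EXPECTED_CITY="Stockholm"
VPN_IF="wg0"
ROUTING_TABLE="wgroute"
LOG_TAG="VPNRouteCheck"
# Bounded so a stalled lookup cannot pile up behind the every-minute cron job.
CITY=$(curl --silent --max-time 10 --interface "$INTERFACE" http://ipinfo.io/city)
if [ "$CITY" != "$EXPECTED_CITY" ]; then
  logger -t "$LOG_TAG" "❌ City mismatch: '$CITY'. Reapplying route through $VPN_IF."
  # Between flush and add the table is empty, so lookups fall through to the
  # main table for a moment.
  ip route flush table "$ROUTING_TABLE"
  ip route add default dev "$VPN_IF" table "$ROUTING_TABLE"
  # Add the source rule only when it is missing; an unconditional add on every
  # mismatch either stacks duplicate rules or fails with "File exists".
  ip rule | grep -q "from $SOURCE_NET lookup $ROUTING_TABLE" ||
    ip rule add from "$SOURCE_NET" table "$ROUTING_TABLE" priority 300
  logger -t "$LOG_TAG" "✅ Route reapplied."
else
  logger -t "$LOG_TAG" "✅ Routing through expected city: '$CITY'."
fi
EOF
chmod +x /root/vpn-route-check.sh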
# === Cron Job for VPN Check ===
# Registers the checker to run every minute as root (once only), then makes
# sure cron is enabled and running.
if ! grep -q "/root/vpn-route-check.sh" /etc/crontabs/root; then
  echo "* * * * * /root/vpn-route-check.sh" >> /etc/crontabs/root
fi
/etc/init.d/cron enable
/etc/init.d/cron start
# === Custom Restart on Firewall Reload ===
# Patches the firewall init script once, appending a call to /cfg/rc.local
# after the reload_service() line so this setup is re-applied on reload.
# NOTE(review): /cfg/rc.local then runs as root on every firewall reload; keep
# it owned by root and not writable by anyone else.
# NOTE(review): this script itself runs "/etc/init.d/firewall restart"
# earlier; confirm that restart does not go through reload_service(), or the
# two will call each other.
if ! grep -q "/cfg/rc.local restart" /etc/init.d/firewall; then
  sed -i '/reload_service()/a\ /cfg/rc.local restart' /etc/init.d/firewall
fi
exit 0
~ #