Introduction to VPN Policies and Adding Rules in Batch on GL-iNet Routers

This article introduces how VPN Policies work and how to add rules in batch on GL-iNet Routers.

1. There are two types of policies: one via MAC Address, the other via Domain/IP. Each of them supports both a white list and a black list.

Via MAC Address:
This filtering rule is based on the source MAC address of the clients. Take the white list as an example: all clients whose MAC addresses are in the white list access the Internet via the VPN tunnel, while other clients are forwarded to the WAN without VPN encryption, and vice versa.


Via Domain/IP:
This filtering rule is based on the destination Domain/IP of the websites or services you want to access. Take the white list as an example: traffic to the websites or services in the white list goes through the VPN tunnel, while other traffic is forwarded directly to the WAN without VPN encryption, and vice versa.


2. Generally you can add the rules one by one on the web GUI; if you would like to add them in batch, you can use the WinSCP software to do it.
You can find and download this software at this link: https://winscp.net/

3. Log in to your router with WinSCP as shown in the following picture. The hostname is the IP address of your router (192.168.8.1 by default), and the password is the same as the one you set up on the web GUI.

[image: WinSCP login dialog]

4. Go to this directory:

/etc/route_policy/


5. If you want to add rules via MAC Address, replace the manual-list.conf file in this directory:

/etc/route_policy/mac/via_vpn/


Note: you can drag the file from your computer (the left side) to your router (the right side) directly in this software, but the format of the rules must be like this:

[image: example of the rule format]

6. If you want to add rules via Domain/IP, replace the manual-list.conf file in this directory:

/etc/route_policy/domin_name/via_vpn/


Note: you can drag the file from your computer (the left side) to your router (the right side) directly in this software, but the format of the rules must be like this:

[image: example of the rule format]

7. Then the rules have been added in batch successfully; you can check them in the web GUI.


Hi! I tried doing this on my Beryl with WinSCP, but I always get an error message saying the .config file I want to copy-paste the batch into is “read only”. This is perplexing, as I’m logged into the router as the admin (root) and should be the owner.

Any help for an SSH novice is appreciated.

No idea about the read-only. But can you change the name? Then, in the ssh terminal, rename it?

Even if the rights on the file are correct, you can't write anything when the filesystem itself is mounted ro (read only).

I have no GL.iNet router with me right now, but on a fully grown Debian it looks something like:

lupus@zoe:~$ mount
[...]
/dev/mapper/zoe--vg-root on / type ext4 (rw,relatime,errors=remount-ro)

Inside the () the first argument 'rw' means 'read write'. But when it is ro instead, you can't write, even if you are root.

In the case of the router you also need to know what exactly the mountpoint of the file is. It could be some kind of overlay, binding, …
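The check described in the reply above, turned into a small script as an added example (not from the forum post, and not GL.iNet's own tooling): it parses mount-style output, picks the longest mountpoint that is a prefix of the target path (so an overlay mounted over / wins over the underlying rootfs line), and reports whether that filesystem is rw or ro. The sample mount lines are constructed for illustration; the mount table on a real router will differ. Options are compared token by token so that `errors=remount-ro` is not mistaken for `ro`.

```shell
#!/bin/sh
# Added example: find out whether the filesystem holding a path is mounted
# read-only, by parsing lines in the form produced by `mount`:
#   <device> on <mountpoint> type <fstype> (<opt>,<opt>,...)
# SAMPLE_MOUNT is constructed test data, not captured from a real router.

SAMPLE_MOUNT='rootfs on / type rootfs (ro,relatime)
/dev/root on /rom type squashfs (ro,relatime)
overlayfs:/overlay on / type overlay (rw,noatime,lowerdir=/,upperdir=/overlay/upper,workdir=/overlay/work)
/dev/mmcblk0p1 on /tmp/mountd/disk1_part1 type exfat (rw,relatime,errors=remount-ro)'

# mount_mode <path> [mount-output]
# Prints "<mountpoint> <rw|ro|unknown>" for the filesystem that holds <path>.
# If no mount output is supplied, the live `mount` table is used.
mount_mode() {
  path=$1
  text=${2:-$(mount)}
  printf '%s\n' "$text" | awk -v p="$path" '
    $2 == "on" && $4 == "type" {
      mp = $3
      # Match only on a path-component boundary: /tmp must not match /tmpfoo.
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        # Longest prefix wins; on a tie the later line wins, because a
        # filesystem mounted over an earlier one is the visible one.
        if (length(mp) >= best_len) {
          best_len = length(mp); best_mp = mp; best_opts = $6
        }
      }
    }
    END {
      if (best_mp == "") exit 1
      gsub(/[()]/, "", best_opts)
      mode = "unknown"
      n = split(best_opts, o, ",")
      # Exact token match: "errors=remount-ro" is not the "ro" flag.
      for (i = 1; i <= n; i++) if (o[i] == "rw" || o[i] == "ro") mode = o[i]
      print best_mp, mode
    }'
}

# is_writable <path> [mount-output]: exit 0 when the holding filesystem is rw.
is_writable() {
  case "$(mount_mode "$1" "$2")" in
    *" rw") return 0 ;;
    *)      return 1 ;;
  esac
}

# Usage against the constructed sample (drop the second argument on a router
# to check the live mount table before replacing manual-list.conf):
mount_mode /etc/route_policy/mac/via_vpn/manual-list.conf "$SAMPLE_MOUNT"
mount_mode /rom/etc/config "$SAMPLE_MOUNT"
```

On a device where the result is `ro`, changing file ownership will not help; the filesystem has to be remounted read-write first, and which mount is involved depends on the overlay layout the reply mentions.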

This sounds like it could be the reason.

@alzhao Any idea how to find the right command line and possibly change this?

Steps to umount the disk:

  1. Install the lsof tool:
opkg update
opkg install lsof
  2. Check the mounted disk:
mount
/dev/mmcblk0p1 on /tmp/mountd/disk1_part1 type exfat (rw,relatime,fmask=0022,dmask=0022,allow_utime=177777,iocharset=utf8,errors=remount-ro)

Find the disk device: /dev/mmcblk0p1 is mounted at /tmp/mountd/disk1_part1.

  3. To umount the disk /dev/mmcblk0p1, you have to kill the process which is using it:
lsof /dev/mmcblk0p1

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ash     15617 root  cwd    DIR  179,1    32768    1 /tmp/mountd/disk1_part1

Find the process ID (15617) using the disk /dev/mmcblk0p1, then kill the process:

kill -9 15617

And umount the disk:

umount /dev/mmcblk0p1