EdgeRouter Policy Based Routing Using DNSMASQ IPSET


EdgeRouter的Policy Based Routing(PBR)使用的是自带配置语法的firewall modify功能。
EdgeRouter – Policy-based routing for destination port
EdgeRouter – Policy-based routing (source address based)

第二篇文章顺带提了network-group。之前在配置VPN时,使用过network-group,还比较过使用firewall modify + network-group 与配置一堆interface-route的区别。

而,这里的network-group的实现,使用了netfilter的ipset。Man pages可以看这里,命令在edgerouter上也附带了。

dnsmasq支持 ‘–ipset‘ 参数,把对配置域名解析的IP存入到指定的ipset。具体细节可以看dnsmasq的文档


domain 部分参考 address 的语法。例如:


ipset本身支持timeout,但是edge os的network-group不支持,所以在配置dnsmasq之前,最好创建一个新的network-group。

假定新建的ipset名叫 MY_SET,edge router的主要相关配置如下:

其他诸如配置 static table, interface firewall 可以参考最前边的文档。

EdgeRouter Policy Based Routing Using DNSMASQ IPSET by @sskaje: https://sskaje.me/2017/04/edgerouter-policy-based-routing-dnsmasq-ipset/

Incoming search terms:

Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite

不同的是,我一端是Ubuntu Linux,另一端是EdgeRouter Lite。

PPTP的方案参考:EdgeOS PPTP VPN客户端配置


Ubuntu Linux,
EdgeRouter Lite,

配置EdgeRouter Lite

SSH到Ubnt EdgeRouter Lite






把EdgeRouter的 /config/auth/secret 复制到 /etc/openvpn/er-site2site-static.key

编辑 /etc/openvpn/server.conf



在EdgeRouter ping Linux

在Linux ping EdgeRouter



参考下一篇文章 UBNT EdgeOS 配置设备路由(interface-route)的方法

Set up OpenVPN Site-to-Site on UBNT EdgeRouter Lite by @sskaje: https://sskaje.me/2016/02/set-openvpn-site-to-site-ubnt-edgerouter-lite/

Incoming search terms:

EdgeOS PPTP VPN客户端配置


买了个Ubnt EdgeRouter Lite,应同事的需求,研究配置自动翻墙。

本次配置使用远程PPTP Server,只考虑Google、Twitter和Facebook的自动翻墙,其他可以参照思路自己加路由和NAT。


Continue reading “EdgeOS PPTP VPN客户端配置” »

EdgeOS PPTP VPN客户端配置 by @sskaje: https://sskaje.me/2014/12/edgeos-pptp-vpn%e5%ae%a2%e6%88%b7%e7%ab%af%e9%85%8d%e7%bd%ae/

Incoming search terms:

OpenConnect DNS Only + Google Only

I’m using 4G by China Mobile, but the DNS it provides really sucks. Changing DNS from Cellular Data on a not-jailbroken iPhone is impossible so far as I know (I tried mobileconfig but can find any working options).

The first idea is pushing DNS from a PPTP server, which I wrote: Notes: PPTP/L2TP Server on Ubuntu.
I can create two connections on my iOS, one set default route, one not. All users share a same setting from PPTPd, it’s almost impossible if I want to use a different DNS in these two connections, changing default pptp port from 1723 to others is not as easy as it is on windows.
Don’t forget that PPTP is what GF*W likes.
Continue reading “OpenConnect DNS Only + Google Only” »

OpenConnect DNS Only + Google Only by @sskaje: https://sskaje.me/2014/06/openconnect-dns-google/

Incoming search terms:

OpenConnect Public Key Authentication

Here are old articles about OpenConnect, the open source AnyConnect server:
OpenConnect on Ubuntu
Open Connect Server Configuration (Working for iOS)
Cisco AnyConnect Client for OS X/Windows/Linux (Version 3.1.05160)

This time, OCServ 0.80 on Ubuntu 14.04.
And still doesn’t work for OS X.

I was using password based authentication, but clients on iOS can not remember my password.
So now add some configurations based on “Open Connect Server Configuration (Working for iOS)“.

Create Client Certificates

Just follow the manual: http://www.infradead.org/ocserv/manual.html.
If you already have a CA based on openssl, I have another article: Generate Certificate with GnuTLS and Sign with OpenSSL.

Here is my user.tmpl:

After the pkcs12 is created like ‘Create Client Config’ in “iOS IPSec VPN Server on Ubuntu“, the mobileconfig should be also created.
Remember to leave the ‘Account‘ and ‘Group‘ BLANK in the VPN page.

Update config

Copy a new sample.config from source, edit it following Open Connect Server Configuration (Working for iOS)

Now comes the certificate authentication related changes:


I tried to use both certificate and plain, but failed.
Just keep the certificate one.

server-cert & server-key

You can add your own certificate or get it somewhere like startssl.com.
I got my certificates from startssl.com, class 1, I got three files: ca.pem, sub.class1.server.ca.pem, and my own ssl.crt:

If you don’t make these three in a right order, you’ll see errors below in syslog:

The server-key I got from startssl is encrypted, decrypt it:

Encrypted private key would result:


This ca-cert is for CLIENT certificates!

cert-user-oid & cert-group-oid

Follow the comment:


Enable this! Thanks to @simamy.

OpenConnect Public Key Authentication by @sskaje: https://sskaje.me/2014/06/openconnect-public-key-authentication/

Incoming search terms: