Commandline administration

Andreas Ziegler edited this page Aug 2, 2018 · 136 revisions

On this page you can find various commands to manage your Gluon based node using the command line. You can access the command line remotely using SSH if you've added your public key or defined a password in the configuration wizard. All nodes should be accessible using their IPv6 addresses. If in doubt ask your local community on how to find your devices IPv6 address.


Most settings can be changed using the UCI configuration tool.


On the console you have a Linux busybox shell with a limited command set.


You read the current value with

uci get <config>.<section>.<option>

If you don't know where to find a certain value search for it with

uci show | grep searchpattern

for setting a value you use

uci set <config>.<section>.<option>="new value"

If the variable is a list, for example fastd.mesh_vpn.method, use uci set to set the first list array element and every further element add with

uci add_list <config>.<section>.<option>="new list element"

or del_list to Remove the given string from an existing list option:

del_list <config>.<section>.<option>="list element"

See also the UCI Documentation

Your Gluon Release may have some custom scripts, which use temporary UCI state to do some of its magic. So it may be a good idea to check changes before commit:

uci changes

Common Tasks



(Re-)entering config mode

uci set gluon-setup-mode.@setup_mode[0].enabled='1'
uci commit gluon-setup-mode

Install new firmware via commandline

cd /tmp/
echo 3 > /proc/sys/vm/drop_caches
echo 3 > /proc/sys/vm/drop_caches

As an alternative to wget you can push the firmware file from your client using scp

Add SSH public key

SSH_KEY="ssh-rsa ..."
touch /etc/dropbear/authorized_keys
sed -i "1i$SSH_KEY" /etc/dropbear/authorized_keys 

Show number of connected clients

grep -cEo "\[.*W.*\]+" /sys/kernel/debug/batman_adv/bat0/transtable_local

Show router model

# With vendor and hardware version (example: "tp-link-tl-wdr4300-v1")
lua -e 'print(require("platform_info").get_image_name())'
# With vendor and hardware version (human readable, example: "TP-Link TL-WDR4300 v1")
lua -e 'print(require("platform_info").get_model())'
# Only type of router (example: "tl-wdr4300")
lua -e 'print(require("platform_info").get_board_name())'

Show installed gluon version

# Gluon version (example: "v2017.1.5")
cat /lib/gluon/gluon-version
# Build version (example: "2016.1.5-stable-2016-06.05")
cat /lib/gluon/release

Change autoupdater branch

uci set autoupdater.settings.enabled=1
uci set autoupdater.settings.branch=stable
uci commit autoupdater
autoupdater -f

To use a different branch than saved only once, use:

autoupdater -b [NAMEOFBRANCH] -f

To do an update to a firmware lacking enough signatures

uci set autoupdater.stable.good_signatures='1'
autoupdater -f

Change the OpenWrt keyboard layout

Only helpful on targets (eg. x86, kvm) that have a direct keyboard interface (usb/ps2 etc.). Gluon being OpenWrt based by default only sports the US keyboard layout which makes using eg. a German keyboard a tedious task.

For this to work you have to explicitely enable the busybox applet loadkmap during gluon build time. You can do that eg. in GLUON_DIR/include/config or more target specific in GLUON_DIR/targets/<profile>/config (if you don't want the applet in all profiles). add


When the loadkmap applet is available in your Gluon build you can load keymaps like this

loadkmap < /usr/share/keymaps/i386/qwertz/de-latin1-nodeadkeys.bmap

A readymade package of binary keymaps (the format expected by busybox, converted from the Debian keymaps package) can be downloaded here . The whole package is 1.1MB in size, so you might want to copy only selected maps to your box if you are constrained for space. Placing the maps into /usr/share/keymaps/ would be good style but is not necessarily needed.

Change/Disable console blanking timeout, monitor switch off

By default the physical console gets blanked after 10 minutes (600 secs). You can check the current timeout via

cat /sys/module/kernel/parameters/consoleblank

Gluon/OpenWrt is lacking the needed setterm binary to manipulate this timeout. Luckily the timeout is set via a control sequence "\033[<signal>;<value>]". Valid combinations are listed on the console_codes man page.

Linux Console Private CSI Sequences
The following sequences are neither ECMA-48 nor native VT102.  They are native  to  the
Linux console driver.  Colors are in SGR parameters: 0 = black, 1 = red, 2 = green, 3 =
brown, 4 = blue, 5 = magenta, 6 = cyan, 7 = white.
ESC [ 1 ; n ]       Set color n as the underline color
ESC [ 2 ; n ]       Set color n as the dim color
ESC [ 8 ]           Make the current color pair the default attributes.
ESC [ 9 ; n ]       Set screen blank timeout to n minutes.
ESC [ 10 ; n ]      Set bell frequency in Hz.
ESC [ 11 ; n ]      Set bell duration in msec.
ESC [ 12 ; n ]      Bring specified console to the front.
ESC [ 13 ]          Unblank the screen.
ESC [ 14 ; n ]      Set the VESA powerdown interval in minutes.

Knowing that we can disable the timeouts for blanking and monitor switch off

printf '\033[9;0]\033[14;0]'

If you want to make the changes permanent, you can add the line to ~/.profile, which is executed everytime a shell is started. If the file is missing simply create it.

Node Information

Setting location

uci set gluon-node-info.@location[0].latitude=53.834470
uci set gluon-node-info.@location[0].longitude=10.702518
uci set gluon-node-info.@location[0].altitude=11.51
uci set gluon-node-info.@location[0].share_location=1
uci commit gluon-node-info

Check settings

uci show gluon-node-info

Setting contact

uci get gluon-node-info.@owner[0] || uci add gluon-node-info owner
uci set gluon-node-info.@owner[0]
uci commit gluon-node-info

Check settings

$ uci show gluon-node-info

Changing hostname

$ pretty-hostname newhostname-with-utf8-support

Check settings

$ pretty-hostname

Setting Hostname without pretty-hostname

Note: this paragraph is meant for routers with old firmware, that may not have 'pretty-hostname', yet. This way utf8-support is not given.

uci set system.@system[0].hostname='newname'
uci commit system
/etc/init.d/system reload

Showing Hostname without pretty-hostname

$ uci show system



The VPN-Uplink (Mesh-VPN) can be enabled and disabled via console.

Enabling fastd

$ uci set fastd.mesh_vpn.enabled=1
$ uci commit fastd
$ /etc/init.d/fastd generate_key mesh_vpn

Disable fastd

/etc/init.d/fastd stop
uci set fastd.mesh_vpn.enabled=0
uci commit fastd

Note: "/etc/init.d/fastd stop" won't stop fastd process if enabled=0.

This will desable Mesh-VPN permanently. If you just want to disable it for example for one hour or until reboot, the preferred method is the following:

Disable fastd for a limited time

You can remotely stop fastd for a while with this script from your console

SECONDS=3600 # one hour
ssh root@your:ipv6::addr:ess '(/etc/init.d/fastd stop && sleep '$SECONDS' && /etc/init.d/fastd start)&'

Disable fastd encryption

uci del_list fastd.mesh_vpn.method=salsa2012+umac
uci add_list fastd.mesh_vpn.method=null
uci add_list fastd.mesh_vpn.method=salsa2012+umac
uci commit fastd
/etc/init.d/fastd restart

Note: Your community's servers need to support unencrypted connections.

Show fastd public key

/etc/init.d/fastd show_key mesh_vpn

Show fastd private key

uci get fastd.mesh_vpn.secret

Set existing fastd private key

uci set fastd.mesh_vpn.enabled=1
uci set fastd.mesh_vpn.secret=18fa75d1808692f04770bedf30c42dac24585d331560c545d70dd27f22a05648
uci commit fastd  

Depending on the setup your community uses this can be helpful to avoid reregistration of your node due to new fastd keys

Limit Bandwidth (Gluon >=2016.x)

uci set simple-tc.mesh_vpn.limit_egress=800    # upload 0.8 Mbit/s
uci set simple-tc.mesh_vpn.limit_ingress=5000  # download 5.0 Mbit/s
uci set simple-tc.mesh_vpn.enabled=1
uci commit simple-tc
/etc/init.d/fastd restart

Note: It is not a good idea to set the upload Bandwidth below 200 (or below 500 in large meshes)

Set a static IPv4 for the WAN-Port

uci set network.wan.proto=static
uci set network.wan.ipaddr=XXX.XXX.XXX.XXX
uci set network.wan.netmask=XXX.XXX.XXX.XXX
uci set network.wan.gateway=XXX.XXX.XXX.XXX
uci commit network
/etc/init.d/network restart

DNS server

uci add_list gluon-wan-dnsmasq.@static[0].server=XXX.XXX.XXX.XXX
uci commit gluon-wan-dnsmasq
/etc/init.d/gluon-wan-dnsmasq restart

Enable DHCP for the WAN-Port

uci set network.wan.proto=dhcp
uci commit network
/etc/init.d/network restart

Mesh VXLAN ID (>=2018.1)

The VXLAN ID can be discovered from the domain_seed.

lua -lgluon.util -e 'print(tonumber(gluon.util.domain_seed_bytes("gluon-mesh-vxlan", 3), 16))'

Mesh on LAN

This will activate mesh on all LAN ports (usually yellow on TP-Link devices).

activate (Gluon >=2016.1.x)

uci set
for ifname in $(cat /lib/gluon/core/sysconfig/lan_ifname); do
  uci del_list network.client.ifname=$ifname
uci commit network
/etc/init.d/network restart

deactivate (Gluon >=2016.1.x)

uci set
for ifname in $(cat /lib/gluon/core/sysconfig/lan_ifname); do
  uci add_list network.client.ifname=$ifname
uci commit network
/etc/init.d/network restart

activate (Gluon >=2018.1)

uci set network.mesh_lan.disabled=0
for ifname in $(cat /lib/gluon/core/sysconfig/lan_ifname); do
  uci del_list network.client.ifname=$ifname
uci commit network
/etc/init.d/network restart

deactivate (Gluon >=2018.1)

uci set network.mesh_lan.disabled=1
for ifname in $(cat /lib/gluon/core/sysconfig/lan_ifname); do
  uci add_list network.client.ifname=$ifname
uci commit network
/etc/init.d/network restart

Mesh on WAN

This will change the behaviour of the WAN port (on most devices the blue port) so you can directly connect other nodes on the WAN port that also have enabled any of Mesh-on-WAN or Mesh-on-LAN.

activate (Gluon <=2017.1.x)

uci set
uci commit network
/etc/init.d/network restart

activate (Gluon >=2018.1.x)

uci set network.mesh_wan.disabled=0
uci commit network
/etc/init.d/network restart


  1. If you now connect your WAN port to your Home Router too and don't configure some additional VLAN, the whole mesh traffic will also be pushed into your local network, which might cause problems.
  2. Be sure to have VPN disabled, otherwise this connection would build up another fastd tunnel inside the Freifunk net.

deactivate (Gluon <= 2017.1.x)

uci set
uci commit network
/etc/init.d/network restart

deactivate (Gluon >= 2018.1.x)

uci set network.mesh_wan.disabled=1
uci commit network
/etc/init.d/network restart

switch to legacy mode (without VXLAN, Gluon >=2018.1)

uci set network.mesh_wan.legacy='1'
uci commit network
/etc/init.d/network restart

use "legacy='0'" to enable VXLAN based meshing

Mesh on WAN and private WiFi simultaneously

(tested & valid for Gluon 2014.4)

Simultaneous configuration of Mesh-on-WAN and a private WiFi network (bridged to your local network on the WAN port) is not usually possible - in Mesh-on-WAN mode B.A.T.M.A.N. consumes the WAN interface completely, no other traffic should use that interface anymore. A private WiFi would not have access to your LAN in this case.

While making only minimal changes to the network configuration of the node, you can achieve both by using a VLAN on your local network (or a second port & cable if you're so inclined and have more than one port available, which isn't covered in this example). Let the node do Mesh-on-WAN directly on the WAN interface, while seperating your private network with a VLAN tag from that interface (mixed untagged/tagged mode). Tagging the mesh traffic is possible too, but needs additional configuration (REORDER_HDR) and isn't covered in this example.

This example is designed to keep as much of the upper level network layout consistent with the default state, in particular the interface br-wan still is the interface which handles local network traffic (Ethernet & WiFi), which is used e.g. by the firewall.
This example uses VLAN id 42. The necessary VLAN configuration of your local network will not be explained.

This example was used on a TP-Link TL-WR841Nv9 which features an additional integrated VLAN aware ethernet switch. This switch and its ports were not used, keeping it available for other tasks and configurations. This also means that this example does work on devices with only one ethernet port.

uci set
uci set network.mesh_wan.ifname=$(cat /lib/gluon/core/sysconfig/wan_ifname)
uci set network.wan_vlan=device
uci set network.wan_vlan.type=8021q
uci set network.wan_vlan.vid=42
uci set network.wan_vlan.ifname=$(cat /lib/gluon/core/sysconfig/wan_ifname)
uci set
uci set network.wan.ifname=vlan-wan

Then configure your private WiFi like you usually would:

uci set wireless.wan_radio$RID=wifi-iface
uci set wireless.wan_radio$RID.device=radio$RID
uci set wireless.wan_radio$
uci set wireless.wan_radio$RID.mode=ap
uci set wireless.wan_radio$RID.encryption=psk2
uci set wireless.wan_radio$RID.ssid="$SSID"
uci set wireless.wan_radio$RID.key="$KEY"
uci set wireless.wan_radio$RID.disabled=0
uci set wireless.wan_radio$RID.macaddr="$($(echo "lua -e print(require('gluon.util').generate_mac(3+4*$RID))"))"

And finish it all up:

uci commit wireless

If you can't reach your node on the WAN port after it has rebooted, you're in the wrong VLAN.

switching WAN network to LAN ports

WAN at all LAN ports (switch mode)

If you don't need Freifunk on LAN but do need more network ports of your local private network, you can user your router as switch.

uci set network.client.ifname=bat0
uci set network.wan.ifname='eth0 eth1'
uci commit network
/etc/init.d/network restart

For the TP-LINK 3600/4300 use eth0.1 and eth0.2 instead of eth0 and eth1.

Client network on LAN ports (reverse switch mode)

uci set network.client.ifname='bat0 eth0'
uci set network.wan.ifname=eth1
uci commit network
/etc/init.d/network restart

Wireless configuration

All tasks are per radio. If you've got only a single radio (2.4GHz only or 5GHz only) it is usually named radio0. On dualband devices you have to apply the setting to each radio. On dual-band devices the radios are usually named radio0 for 2.4GHz and radio1 for 5GHz. If in doubt check using uci show wireless - each radio should display a value "hwmode" - 11g or 11ng are 2.4GHz, 11a or 11na are 5GHz. The following examples are radio0 only.

Disable Client Network

This will disable the client network while the mesh network stays active:


uci set wireless.client_radio0.disabled=1
uci commit wireless


uci set wireless.client_radio0.disabled=0
uci commit wireless

Disable IBSS/Ad-Hoc Mesh Network

deactivate (Gluon >=2016.1.x)

uci set wireless.ibss_radio0.disabled=1
uci commit wireless

activate (Gluon >=2016.1.x)

uci set wireless.ibss_radio0.disabled=0
uci commit wireless

Disable 802.11s Mesh Network


uci set wireless.mesh_radio0.disabled=1
uci commit wireless


uci set wireless.mesh_radio0.disabled=0
uci commit wireless

Change wireless channel

uci set
uci commit wireless

Please keep in mind changing the channel can prevent nearby devices from meshing with your router.

PoE passthrough

activate (Gluon 2017.x ?) and above

uci set system.gpio_switch_poe_passthrough.value=1
uci commit system
/etc/init.d/gpio_switch restart

deactivate (Gluon 2017.x ?) and above

uci set system.gpio_switch_poe_passthrough.value=0
uci commit system
/etc/init.d/gpio_switch restart

activate (Gluon 2016.2.x)

uci set system.poe_passthrough.value=1
uci commit system
/etc/init.d/gpio_switch restart

deactivate (Gluon 2016.2.x)

uci set system.poe_passthrough.value=0
uci commit system
/etc/init.d/gpio_switch restart

Gluon 2016.1.6 and below

Execute the following commands to enable PoE passthrough, or add to /etc/rc.local to automatically enable on boot.

# Uncomment one of these three:
#GPIO=20 # TP-LINK CPE210/510
#GPIO=8 # Ubiquiti Nanostation M2/M5 (XM)
#GPIO=2 # Ubiquiti Nanostation M2/M5 (XW)
echo $GPIO > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio$GPIO/direction
echo 1 > /sys/class/gpio/gpio$GPIO/value

To prevent the /etc/rc.local to be overwritten during a sysupgrade add the filename as one line into /etc/sysupgrade.conf

Device specific

TP-Link CPE 210/510/...

WAN-LAN Bridge

uci set network.client.ifname='bat0'              # remove eth0.2 from client net
uci delete network.@switch_vlan[1]                # delete VLAN 2 
uci set network.@switch_vlan[0].ports='0t 4 5'    # set VLAN 1 to Port 4 (LAN)
uci commit network
/etc/init.d/network restart


Transmit power on Ubiquiti devices

There is a bug in the current (2015/01) OpenWRT Barrier Breaker which prevents to factor in the antenna gain for transmission power setting. This is still existant in Chaos Calmer (Gluon 2016.1). Therefore your device will actually transmit with higher power than advertised in the web-UI. This is a) usually illegal and b) while clients may receive a great signal they will most likely be unable to answer. To prevent this we lower the power manually.


uci set wireless.radio0.txpower=9
uci commit wireless

Nanostation M2 loco

uci set wireless.radio0.txpower=12
uci commit wireless

you can check the currently set transmit power with:

iwinfo client0 txpower

Nanostation webinterface inside the Freifunk network

The NanoStation and other Point-to-Point accesspoints usually have only one network interface. If you use these PtP links for batman-adv traffic, you lose the ability to access the web interface .

WARNING: If you connect two Gluon Routers with VLAN10 on br-client using WAN you'll get a loop. You have been warned...

Tha WAN Interface must not be behind a vswitch


cat /lib/gluon/core/sysconfig/wan_ifname

shows for example eth1.4 VLAN tagging is not possible

Settings for Nanostation: here

uci set network.client.ifname="$(cat /lib/gluon/core/sysconfig/lan_ifname) bat0 $(cat /lib/gluon/core/sysconfig/wan_ifname).10"
uci commit network
/etc/init.d/network restart

Additional links

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.