#!/bin/sh
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
# THIS IS NO LONGER A GOOD APPROACH TO USE. SCROLL DOWN TO THE COMMENTS TO SEE HOW YOU CAN USE WIREGUARD WITH A DDNS FQDN INSTEAD
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
#  ___ ____                 _   _           _       _
# |_ _|  _ \ ___  ___  ___ | | | |_ __   __| | __ _| |_ ___ _ __
#  | || |_) / __|/ _ \/ __| | | | | '_ \ / _` |/ _` | __/ _ \ '__|
#  | ||  __/\__ \  __/ (__  | |_| | |_) | (_| | (_| | ||  __/ |
# |___|_|   |___/\___|\___|  \___/| .__/ \__,_|\__,_|\__\___|_|
#                                 |_|
# CLI parameters
# $1 - path to the config file (e.g. /run/strongswan/ipsec.d/tunnels/6c1b_6f95_d0be_8a4d.ipsec.s2s.config)
# $2 - FQDN of the remote UDM Pro (e.g. mysite.com)
# $3 - DNS nameserver to query for it (e.g. ns69.domaincontrol.com)
echo "-------- VPN Configuration Updater - v0.0.1 by Lance McCarthy --------"
reload_needed=false
config_file=$1
udmpro_fqdn=$2
dns_nameserver=$3

# All three parameters are required and the config must exist: bail out early instead of rewriting it with empty values
if [ -z "$config_file" ] || [ -z "$udmpro_fqdn" ] || [ -z "$dns_nameserver" ] || [ ! -f "$config_file" ]; then
    echo "usage: $0 <config_file> <remote_fqdn> <dns_nameserver>" >&2
    exit 1
fi

# Only a dotted-quad is ever written into the config; anything else (an error string, an empty lookup) aborts the run
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

################################################################
# Phase 1. Check the left-side values and update if necessary  #
################################################################
echo "***** Checking left IP address *****"
# Get the WAN IP address of the local UDM Pro and store it in $local_wan_ip
# ------ IMPORTANT -----
# - Check that you're using the correct network adapter name using the 'ifconfig' command
# - if you're using PPPoE, then it's probably 'ppp0'
# - if you're using ethernet in port 8, then it's probably 'eth8' (or 'eth10' for SFP+ in port 10)
wan_if=eth8
# BusyBox ifconfig prints "inet addr:A.B.C.D  Bcast:..." on the line after the interface name
local_wan_ip="$(ifconfig | grep -A 1 "^$wan_if " | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
if ! is_ipv4 "$local_wan_ip"; then
    echo "!!! Could not read an IPv4 address from $wan_if ('$local_wan_ip'); config left untouched" >&2
    exit 1
fi
# Read the value currently on the 'left=' line. Anchoring on the key keeps 'leftsubnet=' and 'leftid=' out of the match
current_left="$(sed -n 's/^[[:space:]]*left=//p' "$config_file")"
echo "expected_left=$local_wan_ip"
echo "current_left=$current_left"
# Check to see if the config already has the expected left value (plain string comparison)
if [ "$current_left" = "$local_wan_ip" ]; then
    echo "LEFT OK - left does not need an update"
else
    echo "!!! left mismatch !!! Updating config..."
    sed -i "s/^\([[:space:]]*left\)=.*/\1=$local_wan_ip/" "$config_file"
    echo " -- Done. Config successfully updated with new left value."
    reload_needed=true
fi

#################################################################
# Phase 2. Check the right-side values and update if necessary  #
#################################################################
echo "***** Checking right IP address *****"
# Get the IP address of the remote UDM Pro and store it in $remote_wan_ip.
# BusyBox nslookup prints the resolver's own "Address" line first, so the answer is the second one
remote_wan_ip="$(nslookup -type=A "$udmpro_fqdn" "$dns_nameserver" | grep "Address" | awk '{print $2}' | sed -n 2p)"
if ! is_ipv4 "$remote_wan_ip"; then
    echo "!!! Lookup of $udmpro_fqdn via $dns_nameserver failed ('$remote_wan_ip'); config left untouched" >&2
    exit 1
fi
# Same key-anchored read as for 'left', so 'rightsubnet=' and 'rightid=' are ignored
current_right="$(sed -n 's/^[[:space:]]*right=//p' "$config_file")"
echo "expected_right=$remote_wan_ip"
echo "current_right=$current_right"
# Check to see if the config already has the expected right value
if [ "$current_right" = "$remote_wan_ip" ]; then
    echo "RIGHT OK - right does not need an update."
else
    echo "!!! right mismatch !!! Updating config..."
    sed -i "s/^\([[:space:]]*right\)=.*/\1=$remote_wan_ip/" "$config_file"
    echo " -- Done. Config successfully updated with new right value."
    reload_needed=true
fi

##################################################
# PHASE 3. Reload strongSwan if anything changed #
##################################################
echo "***** Validate VPN Setting Reload *****"
if [ "$reload_needed" = true ]; then
    ipsec reload
    echo ' ----> Reloaded IPsec <----'
else
    echo 'No configuration changes were made, skipping IPsec reload.'
fi
echo "Done."
I have a UniFi Cloud Gateway Max that connects over PPPoE to my ISP. The IP on the WAN changes upon every connection or, otherwise, every few days. I have set up a simple VPN server (IPsec/L2TP) for the iOS devices around. The connection works great until the WAN receives a new IP. Unless I manually adapt the VPN settings, I am not able to set up the VPN tunnel any more.
I briefly looked over your script to adapt it to my constellation, but I have no idea where the VPN connection file is stored on the system (nor if the same setup applies to VPN servers). Do you have some insight/hints on how to try and solve this issue? (I'm new to UCG but not to networking or Linux.) I already have a ticket and am waiting for feedback, but given the similar issues others have, I do not hold my hopes high for a quick fix.
I got a stable setup eventually without using the script. Rather than using Site Magic, I defined a VPN server with WireGuard on the UniFi Dream Machine Pro connected to a fixed IP. That I use for my normal iOS VPN needs to egress at that site.
The original need of forcing egress in another country wasn't possible with Site Magic or the above script. Instead, and only once I got a fixed IP (although it will change from time to time), the extended NAT applied by the provider was disabled, leaving only local NAT between my cable modem and the UDM Pro. That was enough to define a normal WireGuard VPN manually in the UDM interface for the other site to connect TO. Once I had a named connection from my remote site, the UDM on that site was configured to route certain clients through the named VPN tunnel. The trick was to set it up manually (in the UDM console, not with the above script) because that allows the traffic to be directed by the UDM based on, say, MAC addresses.
The setup works well and is stable. At the remote site the UDM Pro is my main router and its IP address isn't NATted by a modem. It also doesn't tend to change. But who knows how stable it will be if it does. In any case it can set up the VPN to the other UDM in another country, even though that UDM Pro is behind the NAT of my router there. It only started working when the provider NAT was disabled and I had a dynamic but fixed IP. The local NAT is skipped by exposing the UDM Pro as a server; as it handles outside attacks elegantly, this is no issue. The VPN is set up quickly and the traffic gets routed to the UDM in the other country only for the few clients, regardless of wired or wireless connection, as the UDM Pro handles DHCP and traffic routing.
The result is a stable connection where a few selected clients are routed to egress at my "other" UDM router, and this allows for a company IPsec VPN to be set up on top of the site-to-site VPN.
If I'm at the other end, I tend to set up client VPNs just to be able to watch my streaming service of choice that's not available in that country.
It took a while to figure it out, and I got my entire site cut off from the interwebs more than once. But I'm happy with this setup.
I should probably put a note at the top of the script to say that it's largely outdated and it's not a great idea to play with the containers. UniFi OS/Network has come a long way and supports DDNS (which was my saving grace with IPsec) and WireGuard.
@leonardpitzu DDNS was the solution for me: go to https://freedns.afraid.org/signup/?plan=starter and get up to 3 free DDNS addresses. The UDM Pro will automatically update them when the WAN IP changes (one of my UDMs is on fiber PPPoE and the IP changes frequently).
Many thanks for taking the time to explain. Let me see what works for me; I'm not keen on setting up other hardware next to the UDMs.
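The warning at the top of the script and the comments above point at WireGuard with a DDNS FQDN as the replacement for rewriting the strongSwan config. One thing the thread does not spell out is that WireGuard resolves a peer's Endpoint hostname only when the peer is configured and then stores the resulting IP, so on the side that dials out to a name a changed remote WAN address is not picked up by itself; something still has to re-resolve the name and push the new address (the side that merely receives traffic learns the new endpoint from WireGuard's own roaming, so it needs nothing). The script below is an added example, not part of the gist and not UniFi's or WireGuard's own tooling, that does this with the standard `wg` tool instead of editing a file on disk. The interface name `wgclt1`, the placeholder peer key, the name `mysite.example.org`, port 51820 and the `nslookup` / `wg show` output formats it parses are assumptions; it is written for BusyBox-style output like the gist's own lookup.

```shell
#!/bin/sh
# Added example, not part of the original gist: keep a WireGuard peer's
# endpoint in sync with a DDNS name. WireGuard stores the IP it resolved when
# the peer was configured, so after the remote WAN address changes something
# must look the name up again and push the new address with `wg set`.
# Interface name, peer key, FQDN and port below are placeholders (assumptions).

WG_IFACE="${WG_IFACE:-wgclt1}"                  # assumed WireGuard interface name
PEER_PUBKEY="${PEER_PUBKEY:-REPLACE_WITH_PEER_PUBLIC_KEY}"
PEER_FQDN="${PEER_FQDN:-mysite.example.org}"    # DDNS name of the remote gateway
PEER_PORT="${PEER_PORT:-51820}"                 # remote WireGuard listen port
DNS_SERVER="${DNS_SERVER:-}"                    # optional resolver to query, as in the gist

# True when $1 looks like a dotted-quad IPv4 address; used to refuse pushing
# error text or an empty lookup result into the running tunnel.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the answer A record from nslookup output read on stdin. The first
# "Address" line belongs to the resolver, so only lines after "Name:" count;
# both "Address: 1.2.3.4" and the older BusyBox "Address 1: 1.2.3.4 host" work.
parse_nslookup_a() {
    awk '
        /^Name:/ { answer = 1; next }
        answer && /^Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

# Resolve the peer FQDN to a single IPv4 address (prints nothing on failure).
# $DNS_SERVER is left unquoted on purpose so an empty value adds no argument.
resolve_peer() {
    nslookup -type=A "$PEER_FQDN" $DNS_SERVER 2>/dev/null | parse_nslookup_a
}

# From `wg show <iface> endpoints` output on stdin (one "pubkey<TAB>host:port"
# per line), print the endpoint held for public key $1; nothing if unknown.
endpoint_of_peer() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Succeed and print the new "ip:port" when the stored endpoint ($1) differs
# from the freshly resolved address ($2) on port $3; fail silently if equal.
endpoint_update_needed() {
    if [ "$1" = "$2:$3" ]; then
        return 1
    fi
    printf '%s:%s\n' "$2" "$3"
}

# Resolve, compare and, only when the address really changed, push it to the
# kernel. `wg set` takes effect immediately and no config file is touched, so
# a failed lookup leaves the tunnel exactly as it was.
sync_endpoint() {
    new_ip="$(resolve_peer)"
    if ! is_ipv4 "$new_ip"; then
        echo "lookup of $PEER_FQDN failed ('$new_ip'); endpoint left unchanged" >&2
        return 1
    fi
    current="$(wg show "$WG_IFACE" endpoints | endpoint_of_peer "$PEER_PUBKEY")"
    if target="$(endpoint_update_needed "$current" "$new_ip" "$PEER_PORT")"; then
        wg set "$WG_IFACE" peer "$PEER_PUBKEY" endpoint "$target"
        echo "endpoint for $PEER_FQDN moved from '$current' to $target"
    else
        echo "endpoint for $PEER_FQDN unchanged ($current)"
    fi
}

# The live sync runs only when invoked as `sh wg-ddns-sync.sh sync` (e.g. from
# cron every few minutes); otherwise the file just defines the functions above.
case "${1:-}" in
    sync) sync_endpoint ;;
esac
```

Run it from cron as `sh wg-ddns-sync.sh sync`. The refusal to act on anything that is not an IPv4 address is the point of the `is_ipv4` gate: the failure mode of the original approach is a lookup that returns nothing and a `sed -i` that then writes a blank `left=` or `right=`, whereas here a bad lookup changes nothing. wireguard-tools also ships a contrib script, `reresolve-dns.sh`, that does the same job driven by a wg-quick config file.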