Last active: September 30, 2024 13:28
UDM Pro IPsec VPN Configuration Updater
```sh
#!/bin/sh
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
# THIS IS NO LONGER A GOOD APPROACH TO USE. SCROLL DOWN TO THE COMMENTS TO SEE HOW YOU CAN USE WIREGUARD WITH A DDNS FQDN INSTEAD
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
# ___ ____ _ _ _ _
# |_ _| _ \ ___ ___ ___ | | | |_ __ __| | __ _| |_ ___ _ __
# | || |_) / __|/ _ \/ __| | | | | '_ \ / _` |/ _` | __/ _ \ '__|
# | || __/\__ \ __/ (__ | |_| | |_) | (_| | (_| | || __/ |
# |___|_| |___/\___|\___| \___/| .__/ \__,_|\__,_|\__\___|_|
# |_|
# CLI parameters
# $1 - path to the config file (e.g. /run/strongswan/ipsec.d/tunnels/6c1b_6f95_d0be_8a4d.ipsec.s2s.config)
# $2 - FQDN of the UDM Pro (e.g. mysite.com)
# $3 - DNS nameserver (e.g. ns69.domaincontrol.com)
echo "-------- VPN Configuration Updater - v0.0.1 by Lance McCarthy --------"
if [ $# -ne 3 ]; then
  echo "usage: $0 <config_file> <udmpro_fqdn> <dns_nameserver>" >&2
  exit 1
fi
reload_needed=false
config_file=$1
udmpro_fqdn=$2
dns_nameserver=$3
################################################################
# Phase 1. Check the left-side values and update if necessary  #
################################################################
echo "***** Checking left IP address *****"
# Get the IP address of the local UDM Pro from the WAN interface and store it in $local_wan_ip
# ------ IMPORTANT -----
# - Check that you're using the correct network adapter name using the 'ifconfig' command
# - if you're using PPPoE, then it's probably 'ppp0'
# - if you're using ethernet in port 8, then it's probably 'eth8' (or 'eth10' for SFP in port 10)
local_wan_ip="$(ifconfig | grep -A 1 'eth8' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
if [ -z "$local_wan_ip" ]; then
  # never write an empty left= value into the tunnel config
  echo "!!! could not determine the local WAN IP (wrong adapter name?) - aborting" >&2
  exit 1
fi
# prepare the current and expected IP address values
# (assign first, then echo: 'echo name=value' only prints the text and never sets the variable)
expected_left=" left=$local_wan_ip"
current_left=$(sed -n '17p' "$config_file")   # line 17 of the generated config carries the left= key
echo "expected_left=$expected_left"
echo "current_left=$current_left"
# Check to see if the config has the expected left value ('=' is the POSIX sh string comparison, '==' is not)
if [ "$current_left" = "$expected_left" ]; then
  echo "LEFT OK - left does not need an update"
else
  echo "!!! left mismatch !!! Updating config..."
  # anchor on the exact key so lines such as leftsubnet= or leftid= are left untouched
  sed -i "s/^\([[:space:]]*left\)=.*/\1=$local_wan_ip/" "$config_file"
  echo " -- Done. Config successfully updated with new left value."
  reload_needed=true
fi
#################################################################
# Phase 2. Check the right-side values and update if necessary  #
#################################################################
echo "***** Checking right IP address *****"
# Get the IP address of the remote UDM Pro and store it in $remote_wan_ip
remote_wan_ip="$(nslookup -type=A "$udmpro_fqdn" "$dns_nameserver" | grep "Address" | awk '{print $2}' | sed -n 2p)"
if [ -z "$remote_wan_ip" ]; then
  echo "!!! DNS lookup of $udmpro_fqdn returned nothing - aborting without touching the config" >&2
  exit 1
fi
expected_right=" right=$remote_wan_ip"
current_right=$(sed -n '18p' "$config_file")  # line 18 of the generated config carries the right= key
echo "expected_right=$expected_right"
echo "current_right=$current_right"
# Check to see if the config has the expected right value
if [ "$current_right" = "$expected_right" ]; then
  echo "RIGHT OK - right does not need an update."
else
  echo "!!! right mismatch !!! Updating config..."
  # anchor on the exact key so rightsubnet= and friends are not rewritten
  sed -i "s/^\([[:space:]]*right\)=.*/\1=$remote_wan_ip/" "$config_file"
  echo " -- Done. Config successfully updated with new right value."
  reload_needed=true
fi
##################################################
# PHASE 3. Invoke any required swanctl commands  #
##################################################
echo "***** Validate VPN Setting Reload *****"
if [ "$reload_needed" = true ]; then
  ipsec reload
  echo ' ----> Reloaded IPsec <----'
else
  echo 'No configuration changes were made, skipping swanctl settings reload.'
fi
echo "Done."
```
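The two things most likely to break a tunnel when a script like the one above rewrites a strongSwan config are an unanchored `sed` pattern (`/left/` also matches `leftsubnet=`, so the traffic selector is silently replaced by an address) and writing a value that is not an address at all (an empty DNS answer becomes `left=`). The helpers below, an added example that is not part of the gist, show the key-anchored update beside the gist's original pattern on a constructed config; the sample file and function names are assumptions.

```sh
#!/bin/sh
# Added example (not the gist's code): key-anchored update of a strongSwan
# ipsec.conf-style value, with the address validated before anything is written.

# Constructed sample tunnel config (the real file is whatever the UDM Pro generates).
write_sample_config() {
  cat > "$1" <<'EOF'
conn peer-a
    left=198.51.100.10
    leftsubnet=10.1.0.0/24
    right=203.0.113.20
    rightsubnet=10.2.0.0/24
EOF
}

# Return 0 only if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  echo "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Print the value of exactly key $2 (e.g. "left") in config $1; leftsubnet=/leftid= do not match.
get_key() {
  sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1"
}

# Set key $2 in config $1 to $3. Prints "changed" or "unchanged" so the caller knows
# whether an 'ipsec reload' is needed; refuses to write anything that is not an IPv4 address.
# $2 is assumed to be a plain key name (letters only), so it is used in the sed pattern as-is.
set_key() {
  is_ipv4 "$3" || { echo "refusing to write '$3' as $2" >&2; return 1; }
  if [ "$(get_key "$1" "$2")" = "$3" ]; then
    echo unchanged
    return 0
  fi
  sed -i "s/^\([[:space:]]*$2\)=.*$/\1=$3/" "$1"
  echo changed
}

# The gist's unanchored form, kept only for comparison: /left/ also rewrites leftsubnet=.
naive_set_key() {
  sed -i "/$2/s/=.*/=$3/" "$1"
}
```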
I should probably put a note at the top of the script to say that it's largely outdated and it's not a great idea to play with the containers. UniFi OS/Network has come a long way and supports DDNS (which was my saving grace with IPsec) and Wireguard.
@leonardpitzu DDNS was the solution for me, go to https://freedns.afraid.org/signup/?plan=starter and get up to 3 free DDNS addresses. The UDM Pro will automatically update them when the WAN IP changes (one of my UDMs is on a fiber PPPoE and the IP changes frequently).
I got a stable setup eventually without using the script. Rather than using Site Magic, I defined a VPN server with WireGuard on the UniFi Dream Machine Pro connected to a fixed IP. That I use for my normal iOS VPN needs to egress at that site.
The original need of forcing egress in another country wasn't possible with Site Magic or the above script. Instead, and only once I got a fixed IP (although it will change from time to time), the extended NAT applied by the provider was disabled, only leaving local NAT between my cable modem and the UDM Pro. That was enough to define a normal WireGuard VPN manually with the UDM interface for the other site to connect TO. Once I had a named connection from my remote site, the UDM on that site is configured to route certain clients through the named VPN tunnel. The trick was to set it up manually (in the UDM console, not the above script) because that allows the traffic to be directed by the UDM based on, say, MAC addresses.
The setup works well and is stable. At the remote site the UDM Pro is my main router and its IP address isn't NATted by a modem. It also doesn't tend to change. But who knows how stable it will be if it does. In any case it can set up the VPN to the other UDM in another country, even though that UDM Pro is behind the NAT of my router there. It only started working when the provider NAT was disabled and I had a dynamic but fixed IP. The local NAT is skipped by exposing the UDM Pro as a server; as it handles outside attacks elegantly, this is no issue. The VPN is set up quickly and the traffic gets routed to the UDM in the other country only for the few clients, regardless of wired or wireless connection, as the UDM Pro handles DHCP and traffic routing.
The result is a stable connection where a few selected clients are routed to egress at my "other" UDM router, and this allows for a company IPsec VPN to be set up on top of the site-to-site VPN.
If I'm at the other end, I tend to set up client VPNs to just be able to watch my streaming service of choice that's not available in that country.
It took a while to figure it out, and I got my entire site cut off from the interwebs more than once. But I’m happy with this setup.