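#!/bin/sh
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
# THIS IS NO LONGER A GOOD APPROACH TO USE. SCROLL DOWN TO THE COMMENTS TO SEE HOW YOU CAN USE WIREGUARD WITH A DDNS FQDN INSTEAD
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
# ___ ____ _ _ _ _
# |_ _| _ \ ___ ___ ___ | | | |_ __ __| | __ _| |_ ___ _ __
# | || |_) / __|/ _ \/ __| | | | | '_ \ / _` |/ _` | __/ _ \ '__|
# | || __/\__ \ __/ (__ | |_| | |_) | (_| | (_| | || __/ |
# |___|_| |___/\___|\___| \___/| .__/ \__,_|\__,_|\__\___|_|
# |_|
#
# Keeps the left=/right= addresses of a strongSwan site-to-site tunnel config in
# sync with the local WAN address (read from an interface) and the remote site's
# address (resolved via DNS), then reloads IPsec only if something changed.
#
# CLI parameters
# $1 - path to the config file (e.g. /run/strongswan/ipsec.d/tunnels/6c1b_6f95_d0be_8a4d.ipsec.s2s.config)
# $2 - FQDN of the UDM Pro (e.g. mysite.com)
# $3 - DNS nameserver (e.g. ns69.domaincontrol.com)
#
# Exit status: 0 on success (whether or not the config changed), 1 when an
# address cannot be determined or the reload fails, 2 on a usage error.
set -eu

# ------ IMPORTANT -----
# The interface whose address is the local WAN IP.
# - Check that you're using the correct network adapter name using the 'ifconfig' command
# - if you're using PPPoE, then it's probably 'ppp0'
# - if you're using ethernet in port 8, then it's probably 'eth8' (or 'eth10' for SFP in port 10)
WAN_IFACE=eth8

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Accept only a plain dotted-quad IPv4 address.
# Both the ifconfig result and the DNS answer end up inside a sed replacement
# and inside the tunnel config, and the DNS answer in particular is not under
# our control, so anything that is not a bare address is rejected instead of
# being written to the file.
# Arguments: $1 - candidate string
# Returns:   0 if $1 is four dot-separated octets in 0-255, 1 otherwise
#######################################
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  # shellcheck disable=SC2086 -- splitting on '.' is the point here
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

#######################################
# Read the value of a "key=value" line from the config file.
# Only a line whose key is exactly $1 matches, so asking for "left" never
# returns the "leftsubnet=" or "leftid=" line.
# Arguments: $1 - key (left or right), $2 - config path
# Outputs:   the value of the first matching line, surrounding blanks removed
#######################################
config_value() {
  awk -v key="$1" -F= '
    { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
    k == key {
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v
      exit
    }
  ' "$2"
}

#######################################
# Replace the value of every "key=value" line in the config file in place.
# The pattern is anchored on the key so "left=" does not clobber "leftsubnet=".
# Arguments: $1 - key (left or right)
#            $2 - new value; must already have passed is_ipv4, since it is
#                 interpolated into the sed replacement
#            $3 - config path
#######################################
set_config_value() {
  sed -i "s/^\([[:space:]]*$1[[:space:]]*=[[:space:]]*\).*/\1$2/" "$3"
}

main() {
  if [ "$#" -ne 3 ]; then
    printf 'Usage: %s <config-file> <udmpro-fqdn> <dns-nameserver>\n' "${0##*/}" >&2
    exit 2
  fi
  config_file=$1
  udmpro_fqdn=$2
  dns_nameserver=$3
  reload_needed=false

  echo "-------- VPN Configuration Updater - v0.0.1 by Lance McCarthy --------"
  [ -f "$config_file" ] || die "config file not found: $config_file"

  ################################################################
  # Phase 1. Check the left-side value and update if necessary   #
  ################################################################
  echo "***** Checking left IP address *****"
  # The cut chain expects the "inet addr:A.B.C.D" layout of older ifconfig; on
  # the newer "inet A.B.C.D" layout it yields an empty string, which the
  # validation below turns into an explicit error instead of a blank left=.
  local_wan_ip=$(ifconfig | grep -A 1 "$WAN_IFACE" | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)
  is_ipv4 "$local_wan_ip" || die "could not read an IPv4 address for $WAN_IFACE from ifconfig (got '$local_wan_ip')"
  current_left=$(config_value left "$config_file")
  echo "expected_left=$local_wan_ip"
  echo "current_left=$current_left"
  if [ "$current_left" = "$local_wan_ip" ]; then
    echo "LEFT OK - left does not need an update"
  else
    echo "!!! left mismatch !!! Updating config..."
    set_config_value left "$local_wan_ip" "$config_file"
    echo " -- Done. Config successfully updated with new left value."
    reload_needed=true
  fi

  #################################################################
  # Phase 2. Check the right-side value and update if necessary   #
  #################################################################
  echo "***** Checking right IP address *****"
  # Resolve the remote UDM Pro. The answer comes over plain DNS, so it is
  # validated as a bare IPv4 literal before it is allowed anywhere near the
  # config file.
  remote_wan_ip=$(nslookup -type=A "$udmpro_fqdn" "$dns_nameserver" | grep "Address" | awk '{print $2}' | sed -n 2p)
  is_ipv4 "$remote_wan_ip" || die "DNS lookup of $udmpro_fqdn via $dns_nameserver did not return an IPv4 address (got '$remote_wan_ip')"
  current_right=$(config_value right "$config_file")
  echo "expected_right=$remote_wan_ip"
  echo "current_right=$current_right"
  if [ "$current_right" = "$remote_wan_ip" ]; then
    echo "RIGHT OK - right does not need an update."
  else
    echo "!!! right mismatch !!! Updating config..."
    set_config_value right "$remote_wan_ip" "$config_file"
    echo " -- Done. Config successfully updated with new right value."
    reload_needed=true
  fi

  ##################################################
  # PHASE 3. Invoke any required swanctl commands  #
  ##################################################
  echo "***** Validate VPN Setting Reload *****"
  if [ "$reload_needed" = true ]; then
    ipsec reload || die "ipsec reload failed; config was updated but not applied"
    echo ' ----> Reloaded IPsec <----'
  else
    echo 'No configuration changes were made, skipping swanctl settings reload.'
  fi
  echo "Done."
}

main "$@"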
UDMP new version is not valid.
@danny-source Unfortunately this entire approach is not really stable anymore.
I'm still waiting for an official solution from Ubiquiti that will let me use a DDNS domain URL for the VPN. That way, the UDM Pro will update the DDNS's IP address and the VPN will always use the latest value.
Until then, I'm stuck just updating each site-to-site VPN when the WAN IP changes.
@LanceMcCarthy Hello. Have you found an alternative? Thx.
@pgregg88 Good news... there is now a better option since Ubiquiti added support for WireGuard natively on the UDM Pro (UniFi OS v3+)
this means you can actually use a FQDN for the server; here's an example of a client WireGuard config file.
[Interface]
PrivateKey = ABCDTEHSKSUELSJSJSLSKSKSKSKSK=
# This is the IP address the client device will be assigned
Address = 10.10.0.12/24
# Notice the Endpoint FQDN, that's the DDNS setup on the UDM Pro, no need for IP address.
# Note the port number, that's the default port for wireguard, I would change it slightly.
[Peer]
PublicKey = JHSALKJSDAHLKASJHVLKSJVSLKJHVLK=
Endpoint = yoursubdomain.afraid.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
In case you haven't updated the UDM Pro and UniFi Network app yet, here's what the new WireGuard portal looks like
Since I have DDNS setup on all my UDM Pros, and I use that DDNS name as the remote host on the client configs, it's (almost) perfect. No need to worry when my ISP changes my WAN IP, because the clients are using the DDNS url (and not an IP address).
If you are not already using DDNS, I like afraid's DDNS service, because it allows up to 3 FQDNs for free without huge hoops to jump through. You can choose any from the UniFi DDNS dropdown, or check out these popular free options.
Example
An example usage is the following:
# ./vpn-config-updater.sh /run/strongswan/ipsec.d/tunnels/6c1b_6f95_d0be_8a4d.ipsec.s2s.config myudmpro.com ns1.exampleserver.com
Result
Here's the output when no changes are needed:
DNS Updater
If you're wondering how to keep a domain name always up to date with the WAN IP address of any UDM Pro, this is easily done with another script I wrote that will constantly check your WAN IP address and update the DNS record if it changes: https://gist.github.com/LanceMcCarthy/6efd13c87d33567a7ec2bf5c067fab4e