-
-
Save LanceMcCarthy/1298dca711984ef77d1035a66b7210ac to your computer and use it in GitHub Desktop.
#!/bin/sh | |
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning ***** | |
# THIS IS NOT LONGER A GOOD APPROACH TO USE. SCROLL DOWN TO THE COMMENTS TO SEE HOW YOU CAN USE WIREGUARD WITH A DDNS FQDN INSTEAD | |
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning ***** | |
# ___ ____ _ _ _ _ | |
# |_ _| _ \ ___ ___ ___ | | | |_ __ __| | __ _| |_ ___ _ __ | |
# | || |_) / __|/ _ \/ __| | | | | '_ \ / _` |/ _` | __/ _ \ '__| | |
# | || __/\__ \ __/ (__ | |_| | |_) | (_| | (_| | || __/ | | |
# |___|_| |___/\___|\___| \___/| .__/ \__,_|\__,_|\__\___|_| | |
# |_| | |
# CLI parameters | |
# $1 - path to the config file (e.g. /run/strongswan/ipsec.d/tunnels/6c1b_6f95_d0be_8a4d.ipsec.s2s.config) | |
# $2 - FQDN of the UDM Pro (e.g. mysite.com) | |
# $3 - DNS nameserver (e.g. ns69.domaincontrol.com) | |
echo "-------- VPN Configuration Updater - v0.0.1 by Lance McCarthy --------" | |
reload_needed=false | |
config_file=$1 | |
udmpro_fqdn=$2 | |
dns_nameserver=$3 | |
################################################################ | |
# Phase 1. Check the left-side values and update if neccessary # | |
################################################################ | |
echo "***** Checking left IP address *****" | |
# Get the IP address of the local UDM Pro from ppp0 and store it in $local_wan_ip | |
# ------ IMPORTANT ----- | |
# - Check that you're using the correct network adapter name using 'ifconfig' command | |
# - if you're using PPPoE, then it's probably 'ppp0' | |
# - if you're using ethernet in port 8, then it's probbaly 'eth8' (or 'eth10' for SFP in port 10) | |
local_wan_ip="$(ifconfig | grep -A 1 'eth8' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)" | |
# prepare the current and expected IP address values | |
echo expected_left=" left=$local_wan_ip" | |
echo current_left=$(sed -n '17p' $config_file) | |
# Check to see if the config has the expected left value (using the regex operator) | |
if [ "$current_left" == "$expected_left" ]; then | |
echo "LEFT OK - left does not need an update" | |
else | |
echo "!!! left mismatch !!! Updating config..." | |
sed -i "/left/s/=.*/=$local_wan_ip/" $config_file | |
echo " -- Done. Config successfully updated with new left value." | |
reload_needed=true | |
fi | |
################################################################# | |
# Phase 2. Check the right-side values and update if neccessary # | |
################################################################# | |
echo "***** Checking right IP address *****" | |
# Get the IP address of the remote UDM Pro and store it in $remote_wan_ip | |
remote_wan_ip="$(nslookup -type=A $udmpro_fqdn $dns_nameserver | grep "Address" | awk '{print $2}' | sed -n 2p)" | |
echo expected_right=" right=$remote_wan_ip" | |
echo current_right=$(sed -n '18p' $config_file) | |
# Check to see if the config has the expected right valie | |
if [ "$current_right" == "$expected_right" ]; then | |
echo "RIGHT OK - right does not need an update." | |
else | |
echo "!!! right mismatch !!! Updating config..." | |
sed -i "/right/s/=.*/=$remote_wan_ip/" $config_file | |
echo " -- Done. Config successfully updated with new right value." | |
reload_needed=true | |
fi | |
################################################## | |
# PHASE 3. Invoke any required swanctrl commands # | |
################################################## | |
echo "***** Validate VPN Setting Reload *****" | |
if [ "$reload_needed" = true ]; then | |
ipsec reload | |
echo ' ----> Reloaded IPsec <----' | |
else | |
echo 'No configuration changes were made, skipping swanctl settings reload.' | |
fi | |
echo "Done." |
That's amazing! Awesome. We have 2 UDMs and this solves our problem, but not quite ... for my next trick, I want to have certain hosts from Site B route their traffic over the VPN (or said another way, I want these select hosts on Site B to route their Internet traffic through the remote UDM Pro that's at Site A). With my old manually-configured Site-to-Site VPN, I was achieving this with https://github.com/peacey/split-vpn -- that approach worked with OpenVPN or IPSec site-to-site VPNs.
I see that with the new "Magic Site", Unifi has setup a new interface:
# ip route show 192.168.2.0/24
192.168.2.0/24 via 192.168.1.0 dev wgsts1000 proto ospf metric 20 onlink
Site B is 192.168.0.0/24, site A (the remote site) is 192.168.2.0/24 ... I want one or more of my local hosts (e.g. 192.168.0.161) to route its traffic over the VPN, i.e. to Site A.
Any thoughts on this? I am also going to go to the split-vpn author and see if maybe we can update the instructions to support this new Magic Site scenario.
Yes, I see the option to create a WireGuard VPN server, but I don't believe the remote UDM Pro can be setup to act as a WireGuard VPN client to enable to a site-to-site VPN -- the only supported protocol for UDM Pro VPN Client is OpenVPN. Maybe I am misunderstanding.
Hmm, I've never attempted to use wg as a client with UDM Pro, but my experience with wg is that each peer is just a node of the network, there really isn't a strict hub-spoke (Server-client) model... it's peer-to-peer. So I assumed this would work similarly with UDM Pro, regardless if they've put wireguard in the same menu as other "VPN Server" settings page.
Unfortunately, I am not finding any examples of connecting two UDMs site-to-site using WireGuard (though under the covers, Magic Sites appears to be using WireGuard to create the site-to-site VPN).
I think I just need to continue investigating the best way to force certain routing. It's unusual because when you setup magic sites, the "gateway" for the wireguard VPN it creates is a .0 address, so it's not really clear what the real gateway IP address would be to direct traffic out over that interface:
# ip route show
...
192.168.1.0 dev wgsts1000 proto kernel scope link
192.168.2.0/24 via 192.168.1.0 dev wgsts1000 proto ospf metric 20 onlink
I should have shared this, too... it's no joke https://www.youtube.com/watch?v=hqnl9awwYiM