@LanceMcCarthy
Last active August 24, 2023 15:18
UDM Pro IPsec VPN Configuration Updater
#!/bin/sh
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
# THIS IS NO LONGER A GOOD APPROACH TO USE. SCROLL DOWN TO THE COMMENTS TO SEE HOW YOU CAN USE WIREGUARD WITH A DDNS FQDN INSTEAD
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
#
# IPsec Updater
#
# CLI parameters
# $1 - path to the config file (e.g. /run/strongswan/ipsec.d/tunnels/6c1b_6f95_d0be_8a4d.ipsec.s2s.config)
# $2 - FQDN of the UDM Pro (e.g. mysite.com)
# $3 - DNS nameserver (e.g. ns69.domaincontrol.com)
echo "-------- VPN Configuration Updater - v0.0.1 by Lance McCarthy --------"
if [ "$#" -ne 3 ]; then
    echo "Usage: $0 <config_file> <udmpro_fqdn> <dns_nameserver>"
    exit 1
fi
reload_needed=false
config_file=$1
udmpro_fqdn=$2
dns_nameserver=$3

# Returns 0 if $1 looks like a dotted-quad IPv4 address, 1 otherwise.
# Used so that an empty or failed lookup never gets written into the tunnel config.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

################################################################
# Phase 1. Check the left-side values and update if necessary  #
################################################################
echo "***** Checking left IP address *****"
# Get the IP address of the local UDM Pro from the WAN adapter and store it in $local_wan_ip
# ------ IMPORTANT -----
# - Check that you're using the correct network adapter name using the 'ifconfig' command
# - if you're using PPPoE, then it's probably 'ppp0'
# - if you're using ethernet in port 8, then it's probably 'eth8' (or 'eth10' for SFP in port 10)
# (this parsing assumes the classic 'inet addr:x.x.x.x  Bcast:...' line format from ifconfig)
local_wan_ip="$(ifconfig | grep -A 1 'eth8' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
if ! is_ipv4 "$local_wan_ip"; then
    echo "!!! Could not read a valid local WAN IP from ifconfig ('$local_wan_ip'), aborting."
    exit 1
fi
# prepare the current and expected IP address values
# (the tunnel config has ' left=...' on line 17 and ' right=...' on line 18, indented by one space)
expected_left=" left=$local_wan_ip"
current_left=$(sed -n '17p' "$config_file")
echo "expected_left=$expected_left"
echo "current_left=$current_left"
# Check to see if the config already has the expected left value (plain string comparison)
if [ "$current_left" = "$expected_left" ]; then
    echo "LEFT OK - left does not need an update"
else
    echo "!!! left mismatch !!! Updating config..."
    # Anchor on the 'left=' key itself so that 'leftsubnet=', 'leftid=' etc. are not touched
    sed -i "/^[[:space:]]*left=/s/=.*/=$local_wan_ip/" "$config_file"
    echo " -- Done. Config successfully updated with new left value."
    reload_needed=true
fi

#################################################################
# Phase 2. Check the right-side values and update if necessary  #
#################################################################
echo "***** Checking right IP address *****"
# Get the IP address of the remote UDM Pro and store it in $remote_wan_ip
# nslookup prints the nameserver's own "Address" line first and the A record answer second,
# hence 'sed -n 2p' to keep the second one
remote_wan_ip="$(nslookup -type=A "$udmpro_fqdn" "$dns_nameserver" | grep "Address" | awk '{print $2}' | sed -n 2p)"
if ! is_ipv4 "$remote_wan_ip"; then
    echo "!!! DNS lookup of $udmpro_fqdn via $dns_nameserver did not return an IPv4 address ('$remote_wan_ip'), aborting."
    exit 1
fi
expected_right=" right=$remote_wan_ip"
current_right=$(sed -n '18p' "$config_file")
echo "expected_right=$expected_right"
echo "current_right=$current_right"
# Check to see if the config already has the expected right value
if [ "$current_right" = "$expected_right" ]; then
    echo "RIGHT OK - right does not need an update."
else
    echo "!!! right mismatch !!! Updating config..."
    # Anchor on the 'right=' key itself so that 'rightsubnet=', 'rightid=' etc. are not touched
    sed -i "/^[[:space:]]*right=/s/=.*/=$remote_wan_ip/" "$config_file"
    echo " -- Done. Config successfully updated with new right value."
    reload_needed=true
fi

##################################################
# PHASE 3. Invoke any required swanctl commands  #
##################################################
echo "***** Validate VPN Setting Reload *****"
if [ "$reload_needed" = true ]; then
    ipsec reload
    echo ' ----> Reloaded IPsec <----'
else
    echo 'No configuration changes were made, skipping swanctl settings reload.'
fi
echo "Done."
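As an added example (not the gist's own code), here is the update step done by key name instead of by line number: it locates the `left=`/`right=` line wherever it sits in the tunnel file, validates the value before it is spliced into the sed expression, and reports through its exit status whether an `ipsec reload` is actually needed. The function names and the sample config are constructed for this demo.

```shell
# Added example (not the gist's own code): update 'left='/'right=' by key name rather than
# by line number, validate the value first, and report whether 'ipsec reload' is needed.
# Function names and the sample config below are constructed for this demo.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# get_key FILE KEY: print the value of the first 'KEY=...' line (leading whitespace ignored).
get_key() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# set_key FILE KEY VALUE
# Exit status: 0 = file changed (reload needed), 1 = already up to date, 2 = VALUE rejected.
set_key() {
    file=$1; key=$2; value=$3
    is_ipv4 "$value" || return 2
    [ "$(get_key "$file" "$key")" = "$value" ] && return 1
    # Anchor on the exact key so that 'leftsubnet=' is untouched when updating 'left='
    sed -i "s/^\([[:space:]]*$key\)=.*/\1=$value/" "$file"
    return 0
}

# Write a constructed tunnel config in the same shape as the gist's and print its path.
demo_config() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
conn site-to-site
  left=203.0.113.10
  leftsubnet=192.168.0.0/24
  right=198.51.100.20
  rightsubnet=192.168.2.0/24
EOF
    echo "$tmp"
}

# Typical run: try to set a new left IP, reload only when something actually changed.
cfg=$(demo_config)
if set_key "$cfg" left 203.0.113.11; then
    echo "left updated in $cfg, ipsec reload needed"
fi
```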
angusdavis2 commented Aug 24, 2023

That's amazing! Awesome. We have 2 UDMs and this solves our problem, but not quite ... for my next trick, I want to have certain hosts from Site B route their traffic over the VPN (or said another way, I want these select hosts on Site B to route their Internet traffic through the remote UDM Pro that's at Site A). With my old manually-configured Site-to-Site VPN, I was achieving this with https://github.com/peacey/split-vpn -- that approach worked with OpenVPN or IPSec site-to-site VPNs.

I see that with the new "Magic Site", Unifi has set up a new interface:

# ip route show 192.168.2.0/24
192.168.2.0/24 via 192.168.1.0 dev wgsts1000 proto ospf metric 20 onlink

Site B is 192.168.0.0/24, site A (the remote site) is 192.168.2.0/24 ... I want one or more of my local hosts (e.g. 192.168.0.161) to route its traffic over the VPN, i.e. to Site A.

Any thoughts on this? I am also going to go to the split-vpn author and see if maybe we can update the instructions to support this new Magic Site scenario.

@LanceMcCarthy (Author)

Aha, that's a bit more complicated and not what Magic sites was designed for.

Then in this case, wouldn't it be easier just to use WireGuard? Then you have full control over the tunnel (you can use an FQDN in WireGuard configs).

When creating a new VPN, you can now choose WireGuard!


@angusdavis2

Yes, I see the option to create a WireGuard VPN server, but I don't believe the remote UDM Pro can be set up to act as a WireGuard VPN client to enable a site-to-site VPN -- the only supported protocol for the UDM Pro VPN Client is OpenVPN. Maybe I am misunderstanding.

@LanceMcCarthy (Author)

Hmm, I've never attempted to use wg as a client with the UDM Pro, but my experience with wg is that each peer is just a node of the network; there really isn't a strict hub-spoke (server-client) model... it's peer-to-peer. So I assumed this would work similarly with the UDM Pro, regardless of whether they've put WireGuard in the same menu as the other "VPN Server" settings.

@angusdavis2

Unfortunately, I am not finding any examples of connecting two UDMs site-to-site using WireGuard (though under the covers, Magic Sites appears to be using WireGuard to create the site-to-site VPN).

I think I just need to continue investigating the best way to force certain routing. It's unusual because when you set up Magic Sites, the "gateway" for the WireGuard VPN it creates is a .0 address, so it's not really clear what the real gateway IP address would be to direct traffic out over that interface:

# ip route show
...
192.168.1.0 dev wgsts1000 proto kernel scope link
192.168.2.0/24 via 192.168.1.0 dev wgsts1000 proto ospf metric 20 onlink
