UDM Pro IPsec VPN Configuration Updater
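#!/bin/sh
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
# THIS IS NO LONGER A GOOD APPROACH TO USE. SCROLL DOWN TO THE COMMENTS TO SEE HOW YOU CAN USE WIREGUARD WITH A DDNS FQDN INSTEAD
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
#  ___ ____                 _   _           _       _
# |_ _|  _ \ ___  ___  ___ | | | |_ __   __| | __ _| |_ ___ _ __
#  | || |_) / __|/ _ \/ __| | | | | '_ \ / _` |/ _` | __/ _ \ '__|
#  | ||  __/\__ \  __/ (__  | |_| | |_) | (_| | (_| | ||  __/ |
# |___|_|   |___/\___|\___|  \___/| .__/ \__,_|\__,_|\__\___|_|
#                                 |_|
#
# UDM Pro IPsec VPN Configuration Updater
#
# Keeps the 'left=' and 'right=' endpoint addresses of a strongSwan
# site-to-site tunnel definition in sync with (a) the current IPv4 address of
# this UDM Pro's WAN interface and (b) the A record of the remote UDM Pro's
# (DDNS) name, then reloads IPsec only when something actually changed.
#
# CLI parameters
#   $1 - path to the config file (e.g. /run/strongswan/ipsec.d/tunnels/6c1b_6f95_d0be_8a4d.ipsec.s2s.config)
#   $2 - FQDN of the remote UDM Pro (e.g. mysite.com)
#   $3 - DNS nameserver to query for $2 (e.g. ns69.domaincontrol.com)
#
# Environment (optional)
#   WAN_IF - interface whose IPv4 address becomes 'left' (default: eth8).
#            Check the name with 'ip addr': PPPoE is usually 'ppp0', ethernet
#            in port 8 is 'eth8', SFP+ in port 10 is 'eth10'.
#
# Exit status
#   0 - success (whether or not the config was changed)
#   1 - an address could not be determined/validated, the config could not be
#       written, or 'ipsec reload' failed. The config file is never modified
#       with an empty or malformed value, so a failed DNS lookup cannot blank
#       the tunnel's peer address.
#
# Security notes
#   - The DNS answer is untrusted input that is written into a root-owned
#     strongSwan config file and into a sed expression. It is only used after
#     passing a strict dotted-quad check (is_ipv4), which also rules out sed
#     metacharacters ('/', '&', '\').
#   - Plain DNS answers are not authenticated. Anyone who can spoof the answer
#     for $2 (or hijack the DDNS record) can redirect the tunnel's peer address;
#     the IKE authentication (PSK/certs) is then the only thing protecting the
#     tunnel. This is inherent to the approach - see the warning above.
#   - Replacements are anchored on the whole key ('left=', 'right=') so that
#     'leftsubnet=', 'leftid=', 'rightsubnet=' etc. are never overwritten.

set -u

WAN_IF="${WAN_IF:-eth8}"

log() { printf '%s\n' "$*"; }
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# is_ipv4 STRING
# Succeeds iff STRING is a dotted quad: exactly four groups of 1-3 digits,
# each 0-255, nothing else. POSIX sh has no regex operator, so the check is a
# case pattern plus an IFS split.
#######################################
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS
  IFS=.
  # shellcheck disable=SC2086 -- word-splitting on '.' is the point here
  set -- $1
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _oct in "$@"; do
    [ ${#_oct} -le 3 ] || return 1
    [ "$_oct" -le 255 ] || return 1
  done
  return 0
}

#######################################
# config_value KEY FILE
# Prints the value of the first 'KEY=...' line in FILE (leading whitespace
# allowed). KEY is a script-controlled literal, never user input.
#######################################
config_value() {
  sed -n "s/^[[:space:]]*$1=//p" "$2" | head -n 1
}

#######################################
# set_config_value KEY VALUE FILE
# Rewrites every 'KEY=...' line in FILE in place. VALUE must already have
# passed is_ipv4 so it is safe inside the sed replacement.
#######################################
set_config_value() {
  sed -i "/^[[:space:]]*$1=/s/=.*/=$2/" "$3"
}

#######################################
# wan_ipv4 IFACE
# Prints the first IPv4 address configured on IFACE, without the prefix
# length. Uses 'ip' rather than parsing 'ifconfig', whose output format
# differs between net-tools versions.
#######################################
wan_ipv4() {
  ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ sub("/.*", "", $4); print $4; exit }'
}

#######################################
# resolve_a FQDN NAMESERVER
# Prints the first A record NAMESERVER returns for FQDN. nslookup prints the
# server's own "Address:" line first, so the answer is the second one; on
# NXDOMAIN/timeout nothing is printed and the caller must validate.
#######################################
resolve_a() {
  nslookup -type=A "$1" "$2" 2>/dev/null | grep 'Address' | awk '{ print $2 }' | sed -n 2p
}

#######################################
# sync_endpoint KEY WANTED FILE
# Ensures FILE contains 'KEY=WANTED'. Returns 0 when FILE was rewritten,
# 1 when it already matched; dies if the rewrite fails.
#######################################
sync_endpoint() {
  _key=$1
  _wanted=$2
  _file=$3
  _label=$(printf '%s' "$_key" | tr 'a-z' 'A-Z')
  _current=$(config_value "$_key" "$_file")
  log "expected $_key=$_wanted"
  log "current  $_key=$_current"
  if [ "$_current" = "$_wanted" ]; then
    log "$_label OK - $_key does not need an update"
    return 1
  fi
  log "!!! $_key mismatch !!! Updating config..."
  set_config_value "$_key" "$_wanted" "$_file" || die "failed to update $_key in $_file"
  log " -- Done. Config successfully updated with new $_key value."
  return 0
}

main() {
  [ $# -eq 3 ] || die "usage: $0 CONFIG_FILE REMOTE_FQDN DNS_NAMESERVER"
  config_file=$1
  udmpro_fqdn=$2
  dns_nameserver=$3
  reload_needed=false

  log "-------- VPN Configuration Updater - v0.0.1 by Lance McCarthy --------"
  [ -f "$config_file" ] && [ -w "$config_file" ] \
    || die "config file does not exist or is not writable: $config_file"

  ################################################################
  # Phase 1. Check the left-side value and update if necessary   #
  ################################################################
  log "***** Checking left IP address *****"
  local_wan_ip=$(wan_ipv4 "$WAN_IF")
  is_ipv4 "$local_wan_ip" \
    || die "no valid IPv4 address on interface '$WAN_IF' (got '$local_wan_ip'); check WAN_IF"
  if sync_endpoint left "$local_wan_ip" "$config_file"; then
    reload_needed=true
  fi

  #################################################################
  # Phase 2. Check the right-side value and update if necessary   #
  #################################################################
  log "***** Checking right IP address *****"
  remote_wan_ip=$(resolve_a "$udmpro_fqdn" "$dns_nameserver")
  # Abort rather than write an empty/garbage 'right=' - the old address stays
  # in place, which is the safer failure mode for a tunnel endpoint.
  is_ipv4 "$remote_wan_ip" \
    || die "DNS lookup of '$udmpro_fqdn' via '$dns_nameserver' did not return a valid IPv4 address (got '$remote_wan_ip')"
  if sync_endpoint right "$remote_wan_ip" "$config_file"; then
    reload_needed=true
  fi

  ##################################################
  # Phase 3. Reload IPsec if anything changed      #
  ##################################################
  log "***** Validate VPN Setting Reload *****"
  if [ "$reload_needed" = true ]; then
    # Non-zero here means the config on disk and the running tunnel disagree;
    # surface it so a cron/monitoring wrapper can notice.
    ipsec reload || die "ipsec reload failed - config was changed but not applied"
    log ' ----> Reloaded IPsec <----'
  else
    log 'No configuration changes were made, skipping swanctl settings reload.'
  fi
  log "Done."
}

main "$@"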
Unfortunately, I am not finding any examples of connecting two UDMs site-to-site using WireGuard (though under the covers, Magic Sites appears to be using WireGuard to create the site-to-site VPN).
I think I just need to keep investigating the best way to force specific routes over the tunnel. It's unusual because when you set up Magic Sites, the "gateway" for the WireGuard VPN it creates is a .0 address, so it's not clear which real gateway IP address should be used to direct traffic out over that interface:
# ip route show
...
192.168.1.0 dev wgsts1000 proto kernel scope link
192.168.2.0/24 via 192.168.1.0 dev wgsts1000 proto ospf metric 20 onlink