@LanceMcCarthy
Last active May 8, 2024 19:30
UDM Pro IPsec VPN Configuration Updater
#!/bin/sh
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
# THIS IS NO LONGER A GOOD APPROACH TO USE. SCROLL DOWN TO THE COMMENTS TO SEE HOW YOU CAN USE WIREGUARD WITH A DDNS FQDN INSTEAD
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
#
#   IPsec Updater
#
# CLI parameters
# $1 - path to the config file (e.g. /run/strongswan/ipsec.d/tunnels/6c1b_6f95_d0be_8a4d.ipsec.s2s.config)
# $2 - FQDN of the UDM Pro (e.g. mysite.com)
# $3 - DNS nameserver (e.g. ns69.domaincontrol.com)
echo "-------- VPN Configuration Updater - v0.0.1 by Lance McCarthy --------"
if [ "$#" -ne 3 ]; then
  echo "usage: $0 <config_file> <udmpro_fqdn> <dns_nameserver>" >&2
  exit 1
fi
reload_needed=false
config_file=$1
udmpro_fqdn=$2
dns_nameserver=$3
################################################################
# Phase 1. Check the left-side values and update if necessary  #
################################################################
echo "***** Checking left IP address *****"
# Get the IP address of the local UDM Pro from the WAN adapter and store it in $local_wan_ip
# ------ IMPORTANT -----
# - Check that you're using the correct network adapter name using the 'ifconfig' command
# - if you're using PPPoE, then it's probably 'ppp0'
# - if you're using ethernet in port 8, then it's probably 'eth8' (or 'eth10' for SFP in port 10)
local_wan_ip="$(ifconfig | grep -A 1 'eth8' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
if [ -z "$local_wan_ip" ]; then
  echo "!!! Could not read the WAN IP from ifconfig, leaving the config untouched." >&2
  exit 1
fi
# Prepare the current and expected values. The key is anchored at the start of the line
# so that 'leftsubnet=' and 'leftid=' are never mistaken for 'left='.
expected_left="$local_wan_ip"
current_left="$(sed -n 's/^[[:space:]]*left=//p' "$config_file" | head -n 1)"
echo "expected_left=$expected_left"
echo "current_left=$current_left"
# Check to see if the config already has the expected left value
if [ "$current_left" = "$expected_left" ]; then
  echo "LEFT OK - left does not need an update"
else
  echo "!!! left mismatch !!! Updating config..."
  sed -i "s/^\([[:space:]]*left\)=.*/\1=$local_wan_ip/" "$config_file"
  echo " -- Done. Config successfully updated with new left value."
  reload_needed=true
fi
#################################################################
# Phase 2. Check the right-side values and update if necessary  #
#################################################################
echo "***** Checking right IP address *****"
# Get the IP address of the remote UDM Pro and store it in $remote_wan_ip.
# The first 'Address' line printed by nslookup is the nameserver itself, so the answer is the second one.
remote_wan_ip="$(nslookup -type=A "$udmpro_fqdn" "$dns_nameserver" | grep "Address" | awk '{print $2}' | sed -n 2p)"
if [ -z "$remote_wan_ip" ]; then
  echo "!!! DNS lookup for $udmpro_fqdn returned no address, leaving the config untouched." >&2
  exit 1
fi
expected_right="$remote_wan_ip"
current_right="$(sed -n 's/^[[:space:]]*right=//p' "$config_file" | head -n 1)"
echo "expected_right=$expected_right"
echo "current_right=$current_right"
# Check to see if the config already has the expected right value
if [ "$current_right" = "$expected_right" ]; then
  echo "RIGHT OK - right does not need an update."
else
  echo "!!! right mismatch !!! Updating config..."
  sed -i "s/^\([[:space:]]*right\)=.*/\1=$remote_wan_ip/" "$config_file"
  echo " -- Done. Config successfully updated with new right value."
  reload_needed=true
fi
#################################################
# PHASE 3. Invoke any required swanctl commands #
#################################################
echo "***** Validate VPN Setting Reload *****"
if [ "$reload_needed" = true ]; then
  ipsec reload
  echo ' ----> Reloaded IPsec <----'
else
  echo 'No configuration changes were made, skipping swanctl settings reload.'
fi
echo "Done."
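A reusable version of the config-rewrite step, added here as an example and not part of the gist: the key is anchored at the start of the line so that updating `left=` cannot touch `leftsubnet=` or `leftid=`, the address is validated before it is interpolated into the sed program, and the function's return code tells the caller whether anything changed (and so whether a reload is needed). The `conn s2s` fragment is constructed sample data, not a real tunnel config.

```shell
#!/bin/sh
# Added example, not part of the gist: rewrite one key of a strongswan
# connection config only when its value actually changed.
set -u

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
# The address is later interpolated into a sed program, so rejecting
# anything else also keeps "/" and "&" out of the replacement text.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# config_value FILE KEY: print the value of the first "KEY=" line.
# "^[[:space:]]*KEY=" matches "left=" but not "leftsubnet=" or "leftid=".
config_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# update_key FILE KEY ADDR: 0 = file rewritten, 1 = already current,
# 2 = ADDR rejected. Writes a temp file and renames it into place so a
# half-written config is never left behind.
update_key() {
  file=$1 key=$2 value=$3
  is_ipv4 "$value" || return 2
  [ "$(config_value "$file" "$key")" = "$value" ] && return 1
  tmp="$file.tmp.$$"
  sed "s/^\([[:space:]]*$key\)=.*/\1=$value/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample shaped like the gist's s2s config; not a real tunnel.
demo() {
  cfg=$(mktemp)
  printf 'conn s2s\n left=203.0.113.10\n leftsubnet=192.168.1.0/24\n' > "$cfg"
  printf ' right=198.51.100.7\n rightsubnet=192.168.2.0/24\n' >> "$cfg"
  if update_key "$cfg" left 203.0.113.20; then echo "left updated, reload needed"
  else echo "left unchanged or rejected"; fi
  cat "$cfg"; rm -f "$cfg"
}
demo
```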
@LanceMcCarthy
Author

@saltorico I've ditched this approach because of the headache from it not persisting. More importantly, it's become so much easier using IPsec for a dedicated site-to-site VPN (which it looks like you're trying to do?).

Alternatively, if you really want a WireGuard connection, you can now configure a client setup right in the UI!

[image]

@saltorico

Thanks @LanceMcCarthy for the answer. Also, Site Magic does wonders. Once either is in place, I would like all site A VLAN internet-bound traffic (non-default 10.0.0.x) to be tunnelled and egress at site B (a different country).

Any idea how to combine the standard web interface for site-to-site like above (or using Site Magic) and... configuring site A to route its VLAN internet traffic to site B?

@saltorico

Or... are you using the above WireGuard solution to build a site-to-site VPN?

@LanceMcCarthy
Author

I have a similar setup and use the IPsec VPN to handle all the traffic. The trick is that you need to make sure those subnets are listed and you have all corners of the traffic connected.

For example, I no longer use my homes' IP addresses for my DNS; instead I have my public-facing things point to an Azure Linux VM. Then that Linux VM is connected via site-to-site VPNs to both of my UDM Pros.

Inside the Azure VM I am running https://nginxproxymanager.com (a super easy reverse proxy with automatic Let's Encrypt), which redirects traffic down to 192.168.x.0/24, which sends the traffic down the correct VPN.

[image]

No WireGuard at all, it's a pure IPsec site-to-site VPN using that other UDM Pro's WAN IP:

[image]

I would recommend hitting up https://networkengineering.stackexchange.com/questions to get help from real network engineers ;)

Also, Reddit is sometimes helpful.

@saltorico

Many thanks for taking the time to explain. Let me see what works for me; I'm not keen on setting up other hardware next to the UDMs.
