Last active
May 8, 2024 19:30
UDM Pro IPsec VPN Configuration Updater
#!/bin/sh
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
# THIS IS NO LONGER A GOOD APPROACH TO USE. SCROLL DOWN TO THE COMMENTS TO SEE HOW YOU CAN USE WIREGUARD WITH A DDNS FQDN INSTEAD
# ***** warning ***** warning ***** warning ***** warning ***** warning ***** warning *****
#  ___ ____                  _   _           _       _
# |_ _|  _ \ ___  ___  ___  | | | |_ __   __| | __ _| |_ ___ _ __
#  | || |_) / __|/ _ \/ __| | | | | '_ \ / _` |/ _` | __/ _ \ '__|
#  | ||  __/\__ \  __/ (__  | |_| | |_) | (_| | (_| | ||  __/ |
# |___|_|   |___/\___|\___|  \___/| .__/ \__,_|\__,_|\__\___|_|
#                                 |_|
# CLI parameters
# $1 - path to the config file (e.g. /run/strongswan/ipsec.d/tunnels/6c1b_6f95_d0be_8a4d.ipsec.s2s.config)
# $2 - FQDN of the remote UDM Pro (e.g. mysite.com)
# $3 - DNS nameserver to query for that FQDN (e.g. ns69.domaincontrol.com)
echo "-------- VPN Configuration Updater - v0.0.1 by Lance McCarthy --------"
reload_needed=false
config_file=$1
udmpro_fqdn=$2
dns_nameserver=$3

if [ ! -f "$config_file" ]; then
    echo "!!! Config file not found: $config_file"
    exit 1
fi

################################################################
# Phase 1. Check the left-side values and update if necessary  #
################################################################
echo "***** Checking left IP address *****"
# Get the WAN IP address of the local UDM Pro and store it in $local_wan_ip
# ------ IMPORTANT -----
# - Check that you're using the correct network adapter name using the 'ifconfig' command
# - if you're using PPPoE, then it's probably 'ppp0'
# - if you're using ethernet in port 8, then it's probably 'eth8' (or 'eth10' for SFP in port 10)
local_wan_ip="$(ifconfig | grep -A 1 'eth8' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
if [ -z "$local_wan_ip" ]; then
    echo "!!! Could not read the local WAN IP from ifconfig - aborting without touching the config."
    exit 1
fi
# prepare the current and expected IP address values
# (read the value of the exact 'left=' key rather than a hard-coded line number, so re-ordering the file does not break the check)
expected_left=$local_wan_ip
current_left=$(sed -n 's/^[[:space:]]*left=//p' "$config_file" | head -n 1)
echo "expected_left=$expected_left"
echo "current_left=$current_left"
# Check to see if the config already has the expected left value (plain string comparison)
if [ "$current_left" = "$expected_left" ]; then
    echo "LEFT OK - left does not need an update"
else
    echo "!!! left mismatch !!! Updating config..."
    # anchor on the exact 'left=' key so leftsubnet=, leftid= etc. are not clobbered
    sed -i "s/^\([[:space:]]*left\)=.*/\1=$local_wan_ip/" "$config_file"
    echo " -- Done. Config successfully updated with new left value."
    reload_needed=true
fi

#################################################################
# Phase 2. Check the right-side values and update if necessary  #
#################################################################
echo "***** Checking right IP address *****"
# Get the IP address of the remote UDM Pro and store it in $remote_wan_ip
# (the first 'Address' line nslookup prints is the nameserver itself, the second is the answer)
remote_wan_ip="$(nslookup -type=A "$udmpro_fqdn" "$dns_nameserver" | grep "Address" | awk '{print $2}' | sed -n 2p)"
if [ -z "$remote_wan_ip" ]; then
    echo "!!! DNS lookup of $udmpro_fqdn via $dns_nameserver returned nothing - aborting without touching the config."
    exit 1
fi
expected_right=$remote_wan_ip
current_right=$(sed -n 's/^[[:space:]]*right=//p' "$config_file" | head -n 1)
echo "expected_right=$expected_right"
echo "current_right=$current_right"
# Check to see if the config already has the expected right value
if [ "$current_right" = "$expected_right" ]; then
    echo "RIGHT OK - right does not need an update."
else
    echo "!!! right mismatch !!! Updating config..."
    # anchor on the exact 'right=' key so rightsubnet=, rightid= etc. are not clobbered
    sed -i "s/^\([[:space:]]*right\)=.*/\1=$remote_wan_ip/" "$config_file"
    echo " -- Done. Config successfully updated with new right value."
    reload_needed=true
fi

#################################################
# PHASE 3. Invoke any required swanctl commands #
#################################################
echo "***** Validate VPN Setting Reload *****"
if [ "$reload_needed" = true ]; then
    ipsec reload
    echo ' ----> Reloaded IPsec <----'
else
    echo 'No configuration changes were made, skipping swanctl settings reload.'
fi
echo "Done."
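The rewrite the script above performs (swap the `left=` / `right=` addresses in a tunnel file, reload only when something changed) has two sharp edges worth handling explicitly: the address is spliced into a `sed` program unescaped, and it comes from `ifconfig` or a DNS answer rather than from anything you control, so a value containing `/` or `;` would become sed syntax; and a pattern like `/right/` also matches `rightsubnet=`. The following is an added example, not code from the gist or from Ubiquiti, showing the same update done with an IPv4 validity check, exact-key matching and an atomic temp-file write. The `conn` name is taken from the example path in the script's header; the addresses, the `is_ipv4`/`peer_value`/`set_peer` function names and the temp-file location are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not part of the original gist): a safer rewrite of the
# left=/right= peer addresses in an ipsec.conf-style tunnel file.
#  - the address is validated as a dotted-quad IPv4 before it is used, so a
#    garbled or hostile DNS answer can never be turned into sed syntax
#  - only the exact "left=" / "right=" keys are touched, never leftsubnet=, rightid=, ...
#  - the file is written via a temp file and renamed, so a crash never leaves a
#    half-written config behind for strongSwan to read
# File names, addresses and function names below are assumptions for the demo.

# is_ipv4 ADDR -> exit 0 if ADDR is a.b.c.d with every octet in 0..255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# peer_value FILE KEY -> prints the value of the first "KEY=" line, ignoring indentation
peer_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# set_peer FILE KEY ADDR -> rewrites "KEY=..." to "KEY=ADDR".
# Returns 0 if the file was changed, 2 if it was already current, 1 if the input is rejected.
set_peer() {
    file=$1
    key=$2
    addr=$3
    case $key in
        left|right) ;;
        *) echo "set_peer: key must be left or right, got '$key'" >&2; return 1 ;;
    esac
    if ! is_ipv4 "$addr"; then
        echo "set_peer: refusing to write non-IPv4 value for $key: '$addr'" >&2
        return 1
    fi
    [ "$(peer_value "$file" "$key")" = "$addr" ] && return 2
    # addr is now known to be digits and dots only, so it is safe inside the sed expression
    tmp="$file.tmp.$$"
    sed "s/^\([[:space:]]*$key\)=.*/\1=$addr/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed config (the real file lives under /run/strongswan/ipsec.d/tunnels/)
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
conn 6c1b_6f95_d0be_8a4d
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    right=198.51.100.20
    rightsubnet=192.168.2.0/24
    keyexchange=ikev2
EOF
    set_peer "$cfg" right 198.51.100.77 && echo "right updated, reload needed"
    set_peer "$cfg" right '198.51.100.77/;w /tmp/pwned' || echo "bad DNS answer rejected (rc=$?)"
    rc=0
    set_peer "$cfg" right 198.51.100.77 || rc=$?
    [ "$rc" -eq 2 ] && echo "right already current, no reload"
    cat "$cfg"
    rm -f "$cfg"
}
demo
```

Wiring it into the script is a matter of replacing each `sed -i` block with `set_peer "$config_file" left "$local_wan_ip"` (and `right "$remote_wan_ip"`), setting `reload_needed=true` on exit status 0 and aborting on 1, so a failed lookup can never be written into the tunnel definition.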
Many thanks for taking the time to explain. Let me see what works for me; I'm not keen on setting up other hardware next to the UDMs.
I have a similar setup and use the IPsec VPN to handle all the traffic. The trick is you need to make sure those subnets are listed and you have all corners of the traffic connected.
For example, I no longer use my homes' IP addresses for my DNS; instead I have my public-facing things point to an Azure Linux VM. Then that Linux VM is connected to site-to-site VPNs to both of my UDM Pros.
Inside the Azure VM I am running https://nginxproxymanager.com (super easy reverse proxy with automatic Let's Encrypt), which redirects traffic down to 192.168.x.0/24, which sends traffic down the correct VPN. No WireGuard at all, it's pure IPsec site-to-site VPN, using that other UDM Pro's WAN IP:
I would recommend hitting up https://networkengineering.stackexchange.com/questions to get help from real network engineers ;)
Also, Reddit is sometimes helpful.