@drbenschmidt
Created February 12, 2024 17:56
ATT Fiber Bypass with UniFi 3.x

Based on Jim Angel's blog post and its comment section.

This was run against UniFi OS v3.2.9.

Reasoning

When UniFi OS moved from 1.x to 2.x, Ubiquiti switched the base distro to Debian, which removed the need to containerize add-ons like this one. The original solution ran wpa_supplicant inside a container on the host's podman instance; from 2.x onward that is no longer needed, because the host can install the Debian wpasupplicant package and run it directly as a systemd service.

I did not realize this when I was updating, figuring it was about time to get on the latest version and have regular security patches again. These are the steps I followed after reading the comment section on Jim's original blog post.

Pre-reqs:

  1. Get the old router set up. It had been forever since it was plugged in; it wasn't able to forward the public IP to my UDM, and I had to configure it to be on a different subnet so the UDM would pick up an IP from the ATT RG.
  2. After getting the UDM back online, you might as well update to the latest UniFi OS.
  3. Find your backups of the certs + conf to copy back to the UDM. These should have been generated for you by the original blog's tool. They include the private key that authenticates you to AT&T's network, so treat the backup as a credential.

Steps:

  1. SSH into the UDM (replace 192.168.1.1 with your UDM's IP; the rest of these examples assume 192.168.1.1) and install the wpasupplicant package. You log in as root, so none of the commands below need sudo.

```bash
ssh root@192.168.1.1

apt-get install wpasupplicant
mkdir -p /etc/wpasupplicant/conf
```

  2. Now cache the .deb locally so you don't need internet access to reinstall the package if something goes wrong during an upgrade. The directory is /etc/wpasupplicant (no underscore), the same parent as the conf directory above.

```bash
apt-get reinstall --download-only wpasupplicant
mkdir -p /etc/wpasupplicant/repository
cp /var/cache/apt/archives/wpasupplicant*.deb /etc/wpasupplicant/repository
```

In the event of the package being removed during an upgrade, assuming this directory remains intact, you can run this command to install the service again:

```bash
apt install /etc/wpasupplicant/repository/*.deb
```

  3. Update your conf file locally (easier than sed) so the certificate and key entries carry the full paths of where you'll be copying them to. These examples use /etc/wpasupplicant/conf, so prefix the paths with that. The identity is the MAC address the certificates were issued for (the gateway's ONT-side MAC), which is why the UDM's WAN port gets cloned to it later. The end result should look something like this:

```
network={
        ca_cert="/etc/wpasupplicant/conf/CA_001E46-xxxx.pem"
        client_cert="/etc/wpasupplicant/conf/Client_001E46-xxxx.pem"
        eap=TLS
        eapol_flags=0
        identity="8C:7F:xx:xx:xx:xx" # Internet (ONT) interface MAC address must match this value
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/etc/wpasupplicant/conf/PrivateKey_PKCS1_001E46-xxxx.pem"
}
```

  4. Copy the files over to the UDM. Run this from the directory where your PEM and CONF files are saved (and backed up somewhere safe!). Once they are on the UDM, make sure the conf directory and the private key are readable by root only; wpa_supplicant runs as root, so nothing else needs access to them.

```bash
scp -r *.pem root@192.168.1.1:/etc/wpasupplicant/conf/
scp -r *.conf root@192.168.1.1:/etc/wpasupplicant/conf/
```

  5. Now use systemctl to edit the service's properties. This opens a drop-in override for the unit that ships with the Debian package:

```bash
systemctl edit wpa_supplicant
```

Between the comment blocks, make the override look like this. The first, empty ExecStart= line resets the ExecStart from the packaged unit; without it systemd refuses to start the service, because a unit that is not Type=oneshot may only have one ExecStart=. Keep -u (the D-Bus control interface) because the packaged unit is Type=dbus and systemd waits for that bus name, and -s sends the log output to syslog. Replace eth8 with the interface your ONT is plugged into (on a UDM Pro eth8 is the RJ45 WAN port; confirm with ip link before starting the service).

```ini
[Service]
ExecStart=
ExecStart=/sbin/wpa_supplicant -u -s -Dwired -ieth8 -c /etc/wpasupplicant/conf/wpa_supplicant.conf
[Install]
WantedBy=multi-user.target
```

Use :wq to write the changes to disk and quit (the editor on the UDM is vi).

  6. Use systemctl to start and enable the wpa_supplicant service, then confirm it is running with systemctl status wpa_supplicant.

```bash
systemctl start wpa_supplicant
systemctl enable wpa_supplicant
```

NOTE: You may see the following in the error logs, but it appears to be benign:

```
WMM AC: Missing IEs
```

  7. (Needed unless your WAN port already has that MAC) Update the MAC address of your WAN port to the identity value from your conf file. To do that in the UDM web UI, go to Network > Settings > Internet and select the WAN you're using, switch Advanced to Manual to expose the advanced options, and enter the address under MAC Address Clone.
  8. (Optional/Troubleshooting) Some have said they needed to set the WAN to VLAN 0 as well; you can do that on the same screen if you need to.
  9. Now you should be able to plug the ONT back into your UDM!
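To pull the steps above together, here is an added pre-flight script (example code, not from the gist or Ubiquiti) that checks what the procedure relies on before the ONT is plugged back in: that each file the conf points at exists and is readable only by root, that the identity= MAC in the conf matches the WAN interface's MAC (otherwise the MAC Address Clone step is still outstanding), that the cached .deb is present, and it writes the same systemd drop-in as the systemctl edit step, including the ExecStart= reset. It assumes the paths from the steps and the WAN interface eth8; WAN_IF, CONF_DIR, REPO_DIR and SYSFS_NET are hypothetical overrides (the last one only so the checks can be exercised off the UDM).

```bash
#!/bin/bash
# Added pre-flight for the UDM wpa_supplicant setup; example code, not from the
# gist or Ubiquiti. Assumes the gist's paths; WAN_IF/CONF_DIR/REPO_DIR/SYSFS_NET
# are hypothetical overrides for other units or for testing off the UDM.
set -u

CONF_DIR="${CONF_DIR:-/etc/wpasupplicant/conf}"
REPO_DIR="${REPO_DIR:-/etc/wpasupplicant/repository}"
WAN_IF="${WAN_IF:-eth8}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# identity= from the conf (the MAC the AT&T certs were issued for), lower-cased.
conf_identity() {
  sed -n 's/^[[:space:]]*identity="\([^"]*\)".*/\1/p' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# MAC the kernel reports for an interface; fails if the interface does not exist.
iface_mac() {
  local f="$SYSFS_NET/$1/address"
  [ -r "$f" ] || return 1
  tr 'A-F' 'a-f' < "$f"
}

# Every file named by ca_cert/client_cert/private_key must exist and be
# readable only by its owner: the private key is the credential for the ONT link.
check_conf_files() {
  local conf="$1" key path mode rc=0
  for key in ca_cert client_cert private_key; do
    path=$(sed -n "s/^[[:space:]]*$key=\"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1)
    if [ -z "$path" ]; then
      echo "$key missing from $conf" >&2; rc=1; continue
    fi
    if [ ! -f "$path" ]; then
      echo "$key points at missing file $path" >&2; rc=1; continue
    fi
    mode=$(stat -c '%a' "$path")
    case "$mode" in
      600|400) ;;
      *) echo "$path is mode $mode; chmod 600 it" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# 0 if the conf identity equals the interface MAC, 1 if the WAN port still
# needs MAC Address Clone, 2 if the conf or the interface is unusable.
check_identity_matches() {
  local conf="$1" iface="$2" want have
  want=$(conf_identity "$conf")
  [ -n "$want" ] || { echo "no identity= in $conf" >&2; return 2; }
  have=$(iface_mac "$iface") || { echo "interface $iface not found" >&2; return 2; }
  [ "$want" = "$have" ] && return 0
  echo "identity $want != $iface MAC $have: set MAC Address Clone on the WAN" >&2
  return 1
}

# Drop-in for the packaged unit. The empty ExecStart= resets Debian's ExecStart;
# without it systemd refuses the unit for having two ExecStart= lines.
# -u stays because the packaged unit is Type=dbus; -s sends logs to syslog.
render_dropin() {
  local iface="$1" conf="$2"
  printf '%s\n' '[Service]' 'ExecStart=' \
    "ExecStart=/sbin/wpa_supplicant -u -s -Dwired -i${iface} -c ${conf}" \
    '[Install]' 'WantedBy=multi-user.target'
}

# Run all checks; non-zero means do not plug the ONT in yet.
preflight() {
  local conf="$CONF_DIR/wpa_supplicant.conf" rc=0
  [ -f "$conf" ] || { echo "no $conf" >&2; return 1; }
  check_conf_files "$conf" || rc=1
  check_identity_matches "$conf" "$WAN_IF" || rc=1
  ls "$REPO_DIR"/wpasupplicant*.deb >/dev/null 2>&1 || {
    echo "no cached wpasupplicant .deb in $REPO_DIR" >&2; rc=1; }
  return "$rc"
}

# Non-interactive equivalent of `systemctl edit wpa_supplicant`.
install_dropin() {
  local d=/etc/systemd/system/wpa_supplicant.service.d
  mkdir -p "$d"
  render_dropin "$WAN_IF" "$CONF_DIR/wpa_supplicant.conf" > "$d/override.conf"
  systemctl daemon-reload
}

# `bash preflight.sh run` on the UDM: check, install the drop-in, start the service.
if [ "${1:-}" = "run" ]; then
  preflight && install_dropin && systemctl enable --now wpa_supplicant
fi
```

Run it as `WAN_IF=eth8 bash preflight.sh run` (the file name is just a suggestion) after the PEM and conf files have been copied over; if check_identity_matches reports a mismatch, do the MAC Address Clone step and run it again before plugging in the ONT.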

Viewing Logs

To view the logs, use this command (run from the UDM):

```bash
grep wpa_supplicant /var/log/daemon.log
```
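Rather than reading the grep output by eye, the added script below (example code, not from the gist) classifies each wpa_supplicant line from daemon.log and reports whether the most recent decisive EAP event was a success or a failure, so a later failure is not masked by an earlier success. The matched strings are wpa_supplicant's CTRL-EVENT messages plus the benign "WMM AC: Missing IEs" line noted above; the sample log lines are constructed in daemon.log format, not captured from a real UDM, and the function names are my own.

```bash
#!/bin/bash
# Added example for reading wpa_supplicant output in /var/log/daemon.log;
# not from the gist. Sample lines are constructed from wpa_supplicant's
# CTRL-EVENT messages plus the benign "WMM AC: Missing IEs" line the gist notes.

# Classify one daemon.log line: success | failure | benign | other.
classify_wpa_line() {
  case "$1" in
    *CTRL-EVENT-EAP-SUCCESS*|*CTRL-EVENT-CONNECTED*)
      echo success ;;
    *CTRL-EVENT-EAP-FAILURE*|*"Failed to read or parse configuration"*|*"Could not read interface"*)
      echo failure ;;
    *"WMM AC: Missing IEs"*)
      echo benign ;;
    *)
      echo other ;;
  esac
}

# Read daemon.log on stdin, print the final EAP state, and exit 0 only when the
# most recent decisive event was a success. Lines from other daemons are skipped.
triage_wpa_log() {
  local state=none line cls
  while IFS= read -r line; do
    case "$line" in *wpa_supplicant*) ;; *) continue ;; esac
    cls=$(classify_wpa_line "$line")
    case "$cls" in success|failure) state=$cls ;; esac
  done
  echo "$state"
  [ "$state" = success ]
}

# Constructed sample in daemon.log format (not captured from a real UDM).
sample_log() {
  cat <<'EOF'
Feb 12 17:56:01 udm wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-STARTED EAP authentication started
Feb 12 17:56:01 udm wpa_supplicant[1234]: eth8: WMM AC: Missing IEs
Feb 12 17:56:02 udm wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Feb 12 17:56:02 udm dhclient[99]: DHCPDISCOVER on eth8 to 255.255.255.255 port 67
EOF
}

# On the UDM:  triage_wpa_log < /var/log/daemon.log
# Here, `bash triage.sh demo` runs it over the constructed sample.
if [ "${1:-}" = "demo" ]; then
  sample_log | triage_wpa_log
fi
```

The exit status is the useful part: a non-zero result after plugging the ONT in means the last thing wpa_supplicant reported was a failure (or it never reached EAP at all), which is the moment to re-check the identity MAC, the certificate paths and the -i interface in the service override.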