Based on Jim Angel's blog post and comment section.
This was run against UniFi OS v3.2.9.
When moving from UniFi OS 1.x to 2.x, they switched their base OS distro to Debian, which removed the need for containerizing their applications. The original solution was to run `wpa_supplicant` from within a container on the host system's podman instance; from 2.x this is no longer needed, and the host system itself will run `wpa_supplicant`.
I did not realize this when I was updating, figuring it's about time to get on the latest version and having regular security patches again. These are the steps I followed after reading the comment section on Jim's original blog post.
- Get the old router set up. It had been forever since it was plugged in; it wasn't able to forward the public IP to my UDM, and I had to configure it to be on a different subnet so the UDM would pick up an IP from the ATT RG.
- After getting the UDM back online, you might as well update to the latest.
- Find backups of certs + conf to copy back to the UDM. These should have been generated for you by the original blog's tool.
- ssh into the UDM (replace `192.168.1.1` with your UDM's IP; for the rest of these examples we're going to assume `192.168.1.1`) and install the `wpasupplicant` package.

```sh
ssh root@192.168.1.1
apt-get install wpasupplicant
mkdir -p /etc/wpasupplicant/conf
```
- Now cache the package files locally so we don't need the internet to install this package should something go wrong during an upgrade.

```sh
sudo apt-get reinstall --download-only wpasupplicant
mkdir /etc/wpasupplicant/repository
cp /var/cache/apt/archives/wpasupplicant*.deb /etc/wpasupplicant/repository
```

Now, in the event of the package being removed during an upgrade, assuming this directory remains intact, you can run this command to install the service again:

```sh
apt install /etc/wpasupplicant/repository/*.deb
```
- Update your conf file locally (easier than `sed`) to reflect the full paths of where you'll be copying to. In these examples we're using `/etc/wpasupplicant/conf`, so we'll prefix the paths with this. The end result should look something like this:

```
network={
    ca_cert="/etc/wpasupplicant/conf/CA_001E46-xxxx.pem"
    client_cert="/etc/wpasupplicant/conf/Client_001E46-xxxx.pem"
    eap=TLS
    eapol_flags=0
    identity="8C:7F:xx:xx:xx:xx" # Internet (ONT) interface MAC address must match this value
    key_mgmt=IEEE8021X
    phase1="allow_canned_success=1"
    private_key="/etc/wpasupplicant/conf/PrivateKey_PKCS1_001E46-xxxx.pem"
}
```
- Copy the files over to the UDM. Run this from where your PEM and CONF files are saved (and backed up somewhere safe!):

```sh
scp -r *.pem root@192.168.1.1:/etc/wpasupplicant/conf/
scp -r *.conf root@192.168.1.1:/etc/wpasupplicant/conf/
```
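Once the PEM and conf files are on the UDM, it is worth checking that the conf really points at them and that the private key is readable only by root, since that key is what authenticates to AT&T as your ONT. The script below is an added example, not part of the original post or of Jim Angel's tool. It assumes the `key="value"` quoting shown in the conf above and takes the WAN port's MAC as its second argument (on the UDM, read from `/sys/class/net/eth8/address`; the interface name matches the service file further down and may differ on your model). If `openssl` is installed it also confirms the client cert and private key are a pair.

```shell
#!/bin/sh
# Added sanity check for the wpa_supplicant.conf above (not from the original post).
# Usage on the UDM (assumed paths and interface name):
#   check_conf /etc/wpasupplicant/conf/wpa_supplicant.conf "$(cat /sys/class/net/eth8/address)"

# conf_value FILE KEY -> value of a KEY="value" line, quotes and trailing comment stripped
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\\([^\"]*\\)\".*/\\1/p" "$1" | head -n 1
}

# check_conf CONF [WAN_MAC] -> prints one line per check; returns the number of failed checks
check_conf() {
    conf=$1
    wan_mac=${2:-}
    fails=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # Every referenced certificate/key path must exist on the box wpa_supplicant runs on.
    for key in ca_cert client_cert private_key; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "FAIL: $key is not set in $conf"; fails=$((fails + 1))
        elif [ ! -r "$path" ]; then
            echo "FAIL: $key file missing or unreadable: $path"; fails=$((fails + 1))
        else
            echo "ok: $key -> $path"
        fi
    done

    # Anyone holding the private key can authenticate as your ONT, so it must be owner-only.
    key_path=$(conf_value "$conf" private_key)
    if [ -n "$key_path" ] && [ -r "$key_path" ]; then
        mode=$(stat -c '%a' "$key_path" 2>/dev/null || stat -f '%Lp' "$key_path")
        case "$mode" in
            600|400) echo "ok: private key mode $mode" ;;
            *) echo "FAIL: private key mode is $mode; run: chmod 600 $key_path"; fails=$((fails + 1)) ;;
        esac
    fi

    # identity is the MAC bound to the certificate; the WAN port must present the same MAC
    # (natively or via MAC Address Clone). Compare case-insensitively.
    identity=$(conf_value "$conf" identity)
    if [ -n "$wan_mac" ]; then
        if [ "$(printf '%s' "$identity" | tr 'A-F' 'a-f')" = "$(printf '%s' "$wan_mac" | tr 'A-F' 'a-f')" ]; then
            echo "ok: identity matches WAN MAC $wan_mac"
        else
            echo "FAIL: identity $identity does not match WAN MAC $wan_mac"; fails=$((fails + 1))
        fi
    fi

    # If openssl is available, confirm the client certificate and private key are a pair.
    # Files openssl cannot parse are reported as skipped rather than failed.
    cert_path=$(conf_value "$conf" client_cert)
    if command -v openssl >/dev/null 2>&1 && [ -r "$cert_path" ] && [ -r "$key_path" ]; then
        cert_pub=$(openssl x509 -noout -pubkey -in "$cert_path" 2>/dev/null) || cert_pub=
        key_pub=$(openssl pkey -pubout -in "$key_path" 2>/dev/null) || key_pub=
        if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
            echo "skip: openssl could not parse the client cert or private key"
        elif [ "$cert_pub" = "$key_pub" ]; then
            echo "ok: client cert public key matches private key"
        else
            echo "FAIL: client cert does not match private key"; fails=$((fails + 1))
        fi
    fi

    echo "$fails check(s) failed"
    return "$fails"
}
```

Run it after every firmware update as well: a wiped `/etc/wpasupplicant` shows up here as missing files before it shows up as a dead WAN.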
- Now use `systemctl` to edit the service's properties:

```sh
systemctl edit wpa_supplicant
```

We need to update the settings between the comment blocks to look like this. The empty `ExecStart=` line clears the package's default `ExecStart` first; without it systemd refuses to start the service, because a unit that is not `Type=oneshot` may only have one `ExecStart`. `eth8` is the WAN port on the unit these notes were written against; confirm the interface name for your model with `ip link` before saving.

```ini
[Service]
ExecStart=
ExecStart=/sbin/wpa_supplicant -u -s -Dwired -ieth8 -c /etc/wpasupplicant/conf/wpa_supplicant.conf
[Install]
WantedBy=multi-user.target
```

Use `:wq` to write the changes to disk and quit.
- Use `systemctl` to start and enable the `wpa_supplicant` service.

```sh
systemctl start wpa_supplicant
systemctl enable wpa_supplicant
```

NOTE: You may see the following in the error logs, but it appears to be benign:

```
WMM AC: Missing IEs
```
- (Maybe Optional) Update the MAC address of your WAN port to be what was included in your conf file. To do that in the UDM Web UI, go to `Network > Settings > Internet` and select the WAN you're using, switch `Advanced` to `manual` to enable the advanced options, and provide the address in `MAC Address Clone`.
- (Optional/Troubleshooting) Some have said they needed to set the WAN to VLAN 0 as well; you can do that in this same screen if you need to.
- Now you should be able to plug the ONT back into your UDM!
To view logs, use this command (run from the UDM):

```sh
grep wpa_supplicant /var/log/daemon.log
```
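As an added example (not part of the original post), here is a small triage script around that grep: it counts the wpa_supplicant `CTRL-EVENT-EAP-*` control events in daemon.log, treats the `WMM AC: Missing IEs` warning as the benign noise mentioned above, and tells you whether the latest 802.1X attempt succeeded. The log excerpt it runs against when executed stand-alone is constructed for illustration (timestamps, host name, pid, interface and certificate subject are made up), not a capture from a UDM.

```shell
#!/bin/sh
# Added triage helper for the daemon.log grep above (not from the original post).
# On the UDM: triage_wpa_log /var/log/daemon.log

# count_match PATTERN FILE -> number of matching lines (grep -c exits 1 on zero matches)
count_match() {
    grep -c -- "$1" "$2" || true
}

# count_events FILE -> "started=N success=N failure=N cert_error=N benign=N"
count_events() {
    echo "started=$(count_match CTRL-EVENT-EAP-STARTED "$1")" \
         "success=$(count_match CTRL-EVENT-EAP-SUCCESS "$1")" \
         "failure=$(count_match CTRL-EVENT-EAP-FAILURE "$1")" \
         "cert_error=$(count_match CTRL-EVENT-EAP-TLS-CERT-ERROR "$1")" \
         "benign=$(count_match 'WMM AC: Missing IEs' "$1")"
}

# last_outcome FILE -> 0 if the latest EAP outcome is SUCCESS, 1 if FAILURE, 2 if none logged
last_outcome() {
    last=$(grep -E 'CTRL-EVENT-EAP-(SUCCESS|FAILURE)' "$1" | tail -n 1)
    case "$last" in
        *EAP-SUCCESS*) return 0 ;;
        *EAP-FAILURE*) return 1 ;;
        *) return 2 ;;
    esac
}

# triage_wpa_log FILE -> prints counts, a verdict and (on failure) the last relevant lines;
# exit status as for last_outcome
triage_wpa_log() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    count_events "$f"
    rc=0
    last_outcome "$f" || rc=$?
    case "$rc" in
        0) echo "verdict: last 802.1X attempt succeeded" ;;
        1) echo "verdict: last 802.1X attempt FAILED; most recent failure lines:"
           grep -E 'CTRL-EVENT-EAP-(TLS-CERT-ERROR|FAILURE)' "$f" | tail -n 3
           echo "hint: a cert error points at the cert/key paths in the conf; a failure without one points at identity/MAC or VLAN" ;;
        *) echo "verdict: no EAP success/failure logged yet; check the service is running and the ONT is connected" ;;
    esac
    return "$rc"
}

# write_sample_log PATH -> constructed daemon.log excerpt (not a real capture): one attempt
# that fails on a certificate error, then one that succeeds after the conf was fixed.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  5 10:00:01 UDM wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan  5 10:00:01 UDM wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Jan  5 10:00:02 UDM wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='CN=placeholder' err='unable to get local issuer certificate'
Jan  5 10:00:02 UDM wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jan  5 10:00:02 UDM wpa_supplicant[1234]: WMM AC: Missing IEs
Jan  5 10:05:10 UDM wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-STARTED EAP authentication started
Jan  5 10:05:11 UDM wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Jan  5 10:05:11 UDM wpa_supplicant[1234]: WMM AC: Missing IEs
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
triage_wpa_log "$sample"
rm -f "$sample"
```

The verdict is based on the most recent success/failure event only, so a log that still contains an old failure from before you fixed the conf does not trip it; the counts are there so you can see how many retries it took.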