Overcoming the UniFi Security Gateway's configuration_

August 14, 2020 @21:59

I've had a UniFi USG-3 in the office for a while now, and I have had a few problems with it over the years. The most recent being a quirk of the configuration system that ham strings certificate authentication with intermediate CAs. You can read about my struggle a little bit in a previous post.

Well, thanks to COVID-19 I have not been in the office since March of this year and predictably a firmware update hit and caused the certificates to be wiped and the tunnel to be stuck down. This broke the Time Machine backups of my work laptop (the NAS it backs up to is in the office) and I finally got annoyed with the daily whining (more and more macOS is turning into a petulant child) so I decided to fix the problem hopefully once and for all.

The software on the USG is based on an old version of Vyatta (now known as VyOS) so I did a little digging and there (thankfully) is a hook to run an arbitrary script after configuration that is persistent across firmware updates. I came up with the following and put it in /config/scripts/post-config.d, named install-ca.sh.

#!/bin/sh
# install-ca.sh (c) 2020 Matthew J. Ernisse <matt@going-flying.com>
# All Rights Reserved.
#
# Redistribution and use in source and binary forms,
# with or without modification, are permitted provided
# that the following conditions are met:
#
#     * Redistributions of source code must retain the
#       above copyright notice, this list of conditions
#       and the following disclaimer.
#     * Redistributions in binary form must reproduce
#       the above copyright notice, this list of conditions
#       and the following disclaimer in the documentation
#       and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
# TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Info at: https://docs.vyos.io/en/latest/appendix/command-scripting.html

set -e

restart_vpn=0

if [ ! -d "/config/auth" ]; then
    logger "install-ca.sh: /config/auth does not exist, exiting."
    exit 1
fi

for cert in $(find /config/auth -name \*ca.crt); do
    cert=$(basename $cert)

    if [ ! -f "/etc/ipsec.d/cacerts/$cert" ]; then
        logger "install-ca.sh: installing $cert"
        cp "/config/auth/$cert" "/etc/ipsec.d/cacerts/$cert"
        restart_vpn=$(( $restart_vpn + 1 ))
    fi
done

if [ "$restart_vpn" -gt 0 ]; then
    logger "install-ca.sh: restarting strongswan."
    /usr/sbin/ipsec restart
fi

The script is pretty simple, it looks in /config/auth for certificates that end in ca.crt (I store mine as root_ca.crt and vpn_ca.crt) and copies them into the strongSwan cert location. If any certificates are copied in it will restart strongSwan as well.

Hopefully this will finally solve this particular problem. Longer term I am hoping that Ubiquiti will eventually either upgrade the USG software or officially support WireGuard (which is coming in the next version of OpenBSD which is what I use for my VPN servers).

🥃

Subscribe via RSS. Send me a comment.