How To Bypass AT&T Gateway on the UDM-Pro in 2023

Recently, my UDM-Pro (Unifi Dream Machine) updated its firmware to 2.4.x. It was pretty silly of me to have auto updates turned on, but I prefer my network gear to always be as up to date as possible. In the past, this has been no issue and Ubiquiti has made sure those updates don’t alter any custom configurations. But that all changed with version 2.0. You see, when the UDM updated its firmware, it removed container support (podman), which in turn meant that my previous method to bypass my AT&T router was no longer working. This left me without internet and I had to go back to utilizing my old AT&T gateway until I figured out a workaround.

UDM-Pro AT&T Bypass

After some intense googling, I was able to get the bypass working again with the help from some reddit comments. This resource was great, but it did take a little bit of figuring out on my end to get it working. I am sure someone more technical than me can handle it as written, but for me, I needed something a bit more detailed. So that is why this guide exists. Partially to tell you, the reader, what I did to get it going, but mostly to document the process for myself in case I need to do this again in the future.

Requirements to Bypass the AT&T Gateway on the UDM-Pro

  • UDM-Pro with firmware 2.x installed (This likely works on other products but this is all I have available to test)
  • SSH Client (I use PuTTY)
  • SCP Client (I use WinSCP)
  • Keys from a working AT&T gateway (such as the NVG589)

The Old Way via Podman and the WPA Supplicant Docker Image (Not Recommended)

The whole reason the old method stopped working is because Ubiquiti re-platformed and moved away from podman in version 2.0. Honestly, this was a huge improvement for the UDM-Pro and all things considered I am happy that they made that move. You can however add docker back onto the UDM-Pro and there are some guides out there on how to do it. I personally do not recommend this method unless you have another use case to re-install podman. However, once podman is reinstalled, you can utilize the old WPA supplicant guides.

How to Install WPA Supplicant on the UDM-Pro in 2023 (Recommended)

Ok, let’s get down to business and install WPA supplicant on our UDM-Pro running UnifiOs 2.0.

  1. Enable SSH on the UDM-Pro

To enable SSH on the UDM-Pro, you need to log in to UnifiOs. This typically means navigating to in your web browser. Update this address with whatever scheme you are using for your local IPs.

Once logged in, navigate to Settings -> System -> SSH

UnifiOs -> Settings -> System

Check the box, and create a password.

*Note: SSH should be enabled on the main settings page. If you navigate to the “Network” section, you have gone too far.

  2. SSH into the UDM-Pro using PuTTY

At this point you should be able to use PuTTY to SSH into your UDM-Pro. I am not going to go into details here and just expect if you are looking into this topic that you are able to SSH into your UDM.

  3. Install WPA supplicant

Once you are logged in via SSH, it is time to install the WPA supplicant package! Simply run the following command:

    apt-get install wpasupplicant

  4. Prep certificates to transfer

This is probably the step that hung me up the most. First you need to extract the following certificates using the mfg_dat_decode tool, then you need to update the config file to use the correct paths that we will be using on the UDM. This assumes that you already have the certificates extracted. You will need the following files:

  • CA_xxxxxxxxxxxx.pem
  • Client_xxxxxxxxx.pem
  • PrivateKey_xxxx.pem
  • wpa_supplicant.conf

Open wpa_supplicant.conf using a text editor and update the file paths to point to where we will be placing the files on the UDM-Pro. For this guide, I have put the certificates in /etc/wpa_supplicant/conf/. I know there is a way to do this via the command line using sed, but this is what works for me.

There are 3 places in this file that need to be updated. Here is what your file should look like:

        # Generated by 802.1x Credential Extraction Tool
        # Copyright (c) 2018-2021
        # Version: 1.06 windows 386
        # Change file names to absolute paths
                identity="44:E1:37:C6:33:21" # Internet (ONT) interface MAC address must match this value
  5. Send certificates to the UDM-Pro using WinSCP

Now send the certificate files to the UDM-Pro using WinSCP. Yes, I know you can do this other ways, but again, this is what works for me.

Place the certificates in /etc/wpa_supplicant/conf/

Transfer certificates to the UDM-Pro
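For the sed route mentioned in step 4, plus a check that the transfer in step 5 put every file where the config points, here is an added example (not from the original guide or the extraction tool). The function names, the constructed sample config and the scratch directory are assumptions; the private-key permission check is a hardening step added here.

```shell
# Added example, not from the original guide. All sample data is constructed.

# rewrite_paths CONF [DIR]: point ca_cert, client_cert and private_key at DIR,
# keeping each file name. The original is kept beside it as CONF.bak.
rewrite_paths() {
    dir=${2:-/etc/wpa_supplicant/conf}
    sed -E -i.bak \
        "s#^([[:space:]]*(ca_cert|client_cert|private_key)=\")([^\"]*/)?([^\"/]+)\"#\1${dir}/\4\"#" \
        "$1"
}

# conf_value CONF KEY: print the quoted value assigned to KEY.
conf_value() {
    sed -n -E "s#^[[:space:]]*$2=\"([^\"]*)\".*#\1#p" "$1"
}

# check_conf CONF: fail if a path is relative, a file is missing, or the
# private key is accessible to group/other (hardening check added here).
check_conf() {
    rc=0
    for key in ca_cert client_cert private_key; do
        path=$(conf_value "$1" "$key")
        case $path in /*) ;; *) echo "not absolute: $key=$path" >&2; rc=1 ;; esac
        [ -f "$path" ] || { echo "missing file: $path" >&2; rc=1; }
    done
    key_file=$(conf_value "$1" private_key)
    if [ -f "$key_file" ] && [ "$(ls -l "$key_file" | cut -c5-10)" != "------" ]; then
        echo "private key is accessible to group/other: $key_file" >&2; rc=1
    fi
    return $rc
}

# Constructed demo in a scratch directory standing in for the UDM-Pro path.
demo_dir=$(mktemp -d)
cat > "$demo_dir/wpa_supplicant.conf" <<'EOF'
network={
        ca_cert="CA_xxxxxxxxxxxx.pem"
        client_cert="Client_xxxxxxxxx.pem"
        eap=TLS
        identity="00:00:5E:00:53:01" # constructed MAC
        key_mgmt=IEEE8021X
        private_key="PrivateKey_xxxx.pem"
}
EOF
touch "$demo_dir/CA_xxxxxxxxxxxx.pem" "$demo_dir/Client_xxxxxxxxx.pem"
( umask 077; touch "$demo_dir/PrivateKey_xxxx.pem" )
rewrite_paths "$demo_dir/wpa_supplicant.conf" "$demo_dir"
check_conf "$demo_dir/wpa_supplicant.conf" && echo "conf OK"
```

On the UDM-Pro itself, call `rewrite_paths` with no second argument to use /etc/wpa_supplicant/conf, and run `chmod 600` on the private key if `check_conf` flags it.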
  6. Create WPA supplicant as a system service and update its configuration

You are now ready to create the WPA supplicant service and config. Via ssh, run the following command:

    systemctl edit wpa_supplicant

This creates an override for the service and opens the editor so you can write its configuration.

Press the “i” key to insert text and insert the following:

    [Service]
    ExecStart=
    ExecStart=/sbin/wpa_supplicant -u -s -Dwired -ieth8 -c/etc/wpa_supplicant/conf/wpa_supplicant.conf

A few notes: The [Service] header and the empty ExecStart= line are both needed; the empty line clears the start command that ships with the package before the new one is set. The UDM-Pro uses eth8 for the WAN port. I know, there are 9 ports, but the numbering starts at 0. This also assumes that your wpa_supplicant.conf file is located in /etc/wpa_supplicant/conf/.

To save this file, press the escape key, then type :wq and press enter.

  7. Start the WPA supplicant service

Ok, the hard stuff is done! Assuming everything has been done correctly, it is smooth sailing from here.

Let’s start the WPA supplicant service by running the following command:

    systemctl start wpa_supplicant
  8. Check if the service is running correctly on the UDM-Pro

If all went well, you should now be connected to the internet. But let’s check the WPA supplicant status by using the following command:

    systemctl status wpa_supplicant

This will show you the recent log for wpasupplicant. What you want to see is something like:

    Successfully initialized wpa_supplicant

If you see errors here, go back and check that all of your files are in the right location and all of the paths are updated.
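"Successfully initialized wpa_supplicant" shows that the daemon started; the EAP events in the same log show whether 802.1X authentication completed. The following added example (not from the original guide) classifies a log by its last relevant event. The function name and the sample log lines are constructed.

```shell
# Added example, not from the original guide. Log lines below are constructed.

# eap_state: read wpa_supplicant log lines on stdin, print the state implied by
# the last relevant event, and return 0 only when that state is "authenticated".
eap_state() {
    state=$(awk '
        /Successfully initialized wpa_supplicant/ { s = "initialized" }
        /CTRL-EVENT-EAP-STARTED/                  { s = "started" }
        /CTRL-EVENT-EAP-FAILURE/                  { s = "failed" }
        /CTRL-EVENT-EAP-SUCCESS/                  { s = "authenticated" }
        END { print (s == "" ? "unknown" : s) }')
    echo "$state"
    [ "$state" = authenticated ]
}

# Daemon started and authentication completed.
LOG_OK='wpa_supplicant[1234]: Successfully initialized wpa_supplicant
wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully'

# Daemon started but no EAP exchange was logged (for example, wrong interface).
LOG_IDLE='wpa_supplicant[1234]: Successfully initialized wpa_supplicant'

# Exchange started and was rejected (for example, wrong certificates or MAC).
LOG_FAIL='wpa_supplicant[1234]: Successfully initialized wpa_supplicant
wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[1234]: eth8: CTRL-EVENT-EAP-FAILURE EAP authentication failed'

for sample in "$LOG_OK" "$LOG_IDLE" "$LOG_FAIL"; do
    printf '%s\n' "$sample" | eap_state || true
done
```

On the UDM-Pro, pipe the real log into it with `systemctl status wpa_supplicant --no-pager | eap_state`.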

  9. Set the service to run on boot

Last step, just one more command so this service will run when the UDM-Pro reboots. Run the following via SSH:

    systemctl enable wpa_supplicant

If this worked correctly, you should see no errors and two symlinks created.

  10. Disable SSH and clean up

Ok, I lied, there is one more step. Before you are done, disable SSH on the UDM-Pro by unchecking the SSH box in Settings -> System -> SSH.

Always leave SSH disabled

Also, take a moment to back up your certificates somewhere. You may need these in the future and it would be awesome to not have to get them again.

Bypassing AT&T Gateway on UDM-Pro: Final Thoughts

In the end, I am really happy with how WPA supplicant works in the new UDM 2.0 firmware. Yes, it was annoying that the previous solution just disappeared overnight, but using the WPA supplicant package is far less resource intensive than running docker and podman on the UDM.

Now the big question is, did I disable automatic updates? You would think that losing internet for a day, on an update that can’t be reversed would make me disable automatic updates. Well, they are still on. I am not an expert in cyber security, but my UDM is the centerpiece of my digital access to the outside world. But more importantly, it is the outside world’s access to me. With that being said, I think it is important to have this particular device up to date at all times. Especially with such a feature rich, and regularly developed device. So for me and my UDM, we will be leaving automatic updates on and dealing with these bumps as they happen.


  1. Thank you for laying this all out so clearly. I followed your instructions and was able to get back up and running on my UDM Pro after the latest firmware update wiped my prior config. One small difference for me 1) Initially I kept getting an “invalid section header” error in my wpa supplicant status so I had to split the insert into three separate lines: L1: [Service] L2: ExecStart= L3: ExecStart=/sbin … I just manually edited the systemd override.conf file and that seemed to do the trick.

     Once I did that the service started up without an error and the wpa_supplicant status showed the service as active and also provided the last 10 log entries where I could also see that the EAP authentication completed successfully.

     Thanks again for taking the time to do this, much appreciated!

       1. Good catch! That was a formatting issue on the blog side. Should be fixed now.

          There are a lot of really smart people out there making all of this happen, but for me and my knowledge level I had to piece together a few different posts to get me where I was successful. I put this together mostly so I could have it as reference for next time (assuming at some point this will happen again) but am glad it is helping others in the process!

          Thanks for stopping by and helping make the guide better!

  2. Everything worked perfect and then 2 days later the newest update broke systemctl start wpa_supplicant and I can’t figure it out. Did you find a solution for this?

       1. Hmmm. I haven’t had this issue, but I also don’t think I have gotten an update since I have implemented this.

          Are you getting an error or anything?

            1. Not the person you’re replying to, but I just hit this with the 2.5.17 RC. Seems that manually installed packages don’t survive upgrades. The service (systemctl edit …) and the cert/key files persist, but I had to reinstall wpasupplicant to get it going again.

               Might be apt to keep a copy of the wpa_supplicant deb file (linked in the original reddit post) on the UDM for offline reinstall to avoid needing to hook up all the ATT gear just to bypass it again.

  3. Fantastic resource. I had the bypass working throughout the 1. versions. When it went to 2. I never ended up resetting it and plugged in my att modem. But for whatever reason my service disconnects every day for like 3 minutes at different times.
     I would love to lose the att modem again. However, I’m at 3.0.19. When yours updates do you mind letting us know what additional steps are needed to get it up and running on the UDM Pro 3. Firmware?
