Craig Layne

Recently, my UDM-Pro (Unifi Dream Machine) updated it’s firmware to 2.4.x. It was pretty silly of me to have auto updates turned on, but I prefer my network gear to always be as up to date as possible. In the past, this has been no issue and Ubiquiti has made sure those updates don’t alter any custom configurations. But that all changed with version 2.0. You see, when the UDM updated it’s firmware, it removed container support (podman) which in turn meant that my previous method to bypass my AT&T router was no longer working. This left me without internet and I had to go back to utilizing my old AT&T gateway until I figured out a workaround.

After some intense googling, I was able to get the bypass working again with the help from some reddit comments. This resource was great, but it dig take a little bit of figuring out on my end to get it working. I am sure someone more technical than me can handle it as written, but for me, I needed something a bit more detailed. So that is why this guide exists. Partially to tell you, the reader, what I did to get it going, but mostly to document the process for myself incase I need to do this again in the future.

Requirements to Bypass the AT&T Gateway on the UDM-Pro

• UDM-Pro with firmware 2.x installed (This likely works on other products but this is all I have available to test)
• SSH Client (I use PuTTY)
• SCP Client (I use WinSCP)
• Keys from a working AT&T gateway (such as the NVG589)

The Old Way via Podman and the WPA Supplicant Docker Image (Not Recomended)

The whole reason the old method stopped working is because Ubiquiti re-platformed and moved away from podman in version 2.0. Honestly, this was a huge improvement for the UDM-Pro and all things considered I am happy that they made that move. You can however add docker back onto the UDM-Pro and there are some guides out there on how to do it. I personally do not recommend this method unless you have another use case to re-install podman. However, once podman is reinstalled, you can utilize the old WPA supplicant guides.

How to Install WPA Supplicant on the UDM-Pro in 2023 (Recommended)

Ok, let’s get down to business and install WPA supplicant on our UDM-Pro running UnifiOs 2.0.

1. Enable SSH on the UDM-Pro

To enable SSH on the UDM-Pro, you need to log in to UnifiOs. This typically means navigating to 192.168.1.1 in your web browser. Update this adress with whatever scheme you are using for your local IPs.

Once logged in, navigate to Settings -> System -> SSH

Check the box, and create a password.

*Note: SSH should be enabled on the main settings page. If you navigate to the “Network” section, you have gone too far.

SSH into the UDM-Pro using PuTTY

At this point you should be able to use PuTTY to SSH into your UDM-Pro. I am not going to go into details here and just expect if you are looking into this topic that you are able to SSH into your UDM.

Install WPA supplicant

Once you are logged in via SSH, it is time to install the WPA supplicant package! Simply run the following command:

apt-get install wpasupplicant

Prep certificates to transfer

This is probably the step that hung me up the most. First you need to extract the following certificates using the mfg_dat_decode tool, then you need to update the config file to use the correct paths that we will be using on the UDM. This assumes that you already have the certificates extracted. You will need the following files:

• CA_xxxxxxxxxxxx.pem
• Client_xxxxxxxxx.pem
• PrivateKey_xxxx.pem
• wpa_supplicant.conf

Open wpa_supplicant.conf using a text editor and update the file paths to point to where we will be placing the files on the UDM-Pro. For this guide, I have put the certificates in /etc/wpa_supplicant/conf/. I know there is a way to do this via the command line using sed, but this is what works for me.

There are 3 places in this file that need updated. Here is what your file should look like:

# Generated by 802.1x Credential Extraction Tool
# Copyright (c) 2018-2021 devicelocksmith.com
# Version: 1.06 windows 386
# 
# Change file names to absolute paths
eapol_version=1
ap_scan=0
fast_reauth=1
network={
        ca_cert="/etc/wpa_supplicant/conf/CA_000000-00000000000.pem"
        client_cert="/etc/wpa_supplicant/conf/Client_000000-00000000000.pem"
        eap=TLS
        eapol_flags=0
        identity="44:E1:37:C6:33:21" # Internet (ONT) interface MAC address must match this value
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/etc/wpa_supplicant/conf/PrivateKey_PKCS1_000000-00000000000.pem"
}

Send certificates to the UDM-Pro using WinSCP

Now send the certificate files to the UDM-Pro using WinSCP. Yes, I know you can do this other ways, but again, this is what works for me.

Place the certificates in /etc/wpa_supplicant/conf/

Create WPA supplicant as a system service and update it’s configuration

You are now ready to create the WPA supplicant service and config. Via ssh, run the following command:

systemctl edit wpa_supplicant

This will create the service, and open the editor to create the config file.

Press the “i” key to insert text and insert the following:

[Service]
ExecStart=
ExecStart=/sbin/wpa_supplicant -u -s -Dwired -ieth8 -c/etc/wpa_supplicant/conf/wpa_supplicant.conf

A few notes: The UDM-Pro uses eth8 for the WAN port. I know, there are 9 ports, but the numbering starts at 0. This also assumes that you wpa_supplicant.conf file is located in /etc/wpa_supplicant/conf/.

To save this file, press the escape key, the type :wq and press enter.

Start the WPA supplicant service

Ok, the hard stuff is done! Assuming everything has been done correctly, it is smooth sailing from here.

Let’s start the WPA supplicant service by running the following command:

systemctl start wpa_supplicant

Check if the service is running correctly on the UDM-Pro

If all went well, you should now be connected to the internet. But let’s check the WPA supplicant status by using the following command:

systemctl status wpa_supplicant

This will show you the recent log for wpasupplicant. What you want to see is something like:

Successfully initialized wpa_supplicant

If you see errors here, go back and check that all of your files are in the right location and all of the paths are updated.

Set the service to run on boot

Last step, just one more command so this service will run when the UDM-Pro reboots. Run the following via SSH:

systemctl enable wpa_supplicant

If this worked correctly, you should see no errors and two symlinks created.

Disable SSH and clean up

Ok, I lied, there is one more step. Before you are done, disable SSH on the UDM-Pro by unchecking the SSH box in Settings -> System -> SSH.

Also, take a moment to back up your certificates somewhere. You may need these in the future and it would be awesome to not have to get them again.

Bypassing AT&T Gateway on UDM-Pro: Final Thoughts

In the end, I am really happy with how WPA supplicant works in the new UDM 2.0 firmware. Yes, it was annoying that the previous solution just disappeared overnight, but using the WPA supplicant package is far less resource intensive than running docker and podman on the UDM.

Now the big question is, did I disable automatic updates? You would think that losing internet for a day, on an update that can’t be reversed would make me disable automatic updates. Well, they are still on. I am not an expert in cyber security, but my UDM is the centerpiece of my digital access to the outside world. But more importantly, it is the outside world’s access to me. With that being said, I think it is important to have this particular device up to date at all times. Especially with such a feature rich, and regularly developed device. So for me and my UDM, we will be leaving automatic updates on and dealing with these bumps as they happen.