How To Bypass AT&T Gateway on the UDM-Pro in 2023

Recently, my UDM-Pro (Unifi Dream Machine) updated its firmware to 2.4.x. It was pretty silly of me to have auto updates turned on, but I prefer my network gear to always be as up to date as possible. In the past, this has been no issue and Ubiquiti has made sure those updates don’t alter any custom configurations. But that all changed with version 2.0. You see, when the UDM updated its firmware, it removed container support (podman), which in turn meant that my previous method to bypass my AT&T router was no longer working. This left me without internet and I had to go back to using my old AT&T gateway until I figured out a workaround.

UDM-Pro AT&T Bypass

After some intense googling, I was able to get the bypass working again with help from some reddit comments. This resource was great, but it did take a little bit of figuring out on my end to get it working. I am sure someone more technical than me can handle it as written, but for me, I needed something a bit more detailed. So that is why this guide exists. Partially to tell you, the reader, what I did to get it going, but mostly to document the process for myself in case I need to do this again in the future.

Requirements to Bypass the AT&T Gateway on the UDM-Pro

  • UDM-Pro with firmware 2.x installed (This likely works on other products but this is all I have available to test)
  • SSH Client (I use PuTTY)
  • SCP Client (I use WinSCP)
  • Keys from a working AT&T gateway (such as the NVG589)

The Old Way via Podman and the WPA Supplicant Docker Image (Not Recommended)

The whole reason the old method stopped working is because Ubiquiti re-platformed and moved away from podman in version 2.0. Honestly, this was a huge improvement for the UDM-Pro and all things considered I am happy that they made that move. You can however add docker back onto the UDM-Pro and there are some guides out there on how to do it. I personally do not recommend this method unless you have another use case to re-install podman. However, once podman is reinstalled, you can utilize the old WPA supplicant guides.

How to Install WPA Supplicant on the UDM-Pro in 2023 (Recommended)

Ok, let’s get down to business and install WPA supplicant on our UDM-Pro running UnifiOs 2.0.

  1. Enable SSH on the UDM-Pro

To enable SSH on the UDM-Pro, you need to log in to UnifiOs. This typically means navigating to 192.168.1.1 in your web browser. Update this address with whatever scheme you are using for your local IPs.

Once logged in, navigate to Settings -> System -> SSH

UnifiOs -> Settings -> System

Check the box, and create a password.

*Note: SSH should be enabled on the main settings page. If you navigate to the “Network” section, you have gone too far.

  2. SSH into the UDM-Pro using PuTTY

At this point you should be able to use PuTTY to SSH into your UDM-Pro. I am not going to go into details here; if you are looking into this topic, I expect you are able to SSH into your UDM.

  3. Install WPA supplicant

Once you are logged in via SSH, it is time to install the WPA supplicant package! Simply run the following command:

    apt-get install wpasupplicant

  4. Prep certificates to transfer

This is probably the step that hung me up the most. First you need the following certificates, extracted using the mfg_dat_decode tool, then you need to update the config file to use the correct paths that we will be using on the UDM. This guide assumes that you already have the certificates extracted. You will need the following files:

  • CA_xxxxxxxxxxxx.pem
  • Client_xxxxxxxxx.pem
  • PrivateKey_xxxx.pem
  • wpa_supplicant.conf

Open wpa_supplicant.conf in a text editor and update the file paths to point to where we will be placing the files on the UDM-Pro. For this guide, I have put the certificates in /etc/wpa_supplicant/conf/. I know there is a way to do this via the command line using sed, but this is what works for me.

There are 3 places in this file that need to be updated (ca_cert, client_cert and private_key). Here is what your file should look like:

    # Generated by 802.1x Credential Extraction Tool
    # Copyright (c) 2018-2021 devicelocksmith.com
    # Version: 1.06 windows 386
    #
    # Change file names to absolute paths
    eapol_version=1
    ap_scan=0
    fast_reauth=1
    network={
            ca_cert="/etc/wpa_supplicant/conf/CA_000000-00000000000.pem"
            client_cert="/etc/wpa_supplicant/conf/Client_000000-00000000000.pem"
            eap=TLS
            eapol_flags=0
            identity="44:E1:37:C6:33:21" # Internet (ONT) interface MAC address must match this value
            key_mgmt=IEEE8021X
            phase1="allow_canned_success=1"
            private_key="/etc/wpa_supplicant/conf/PrivateKey_PKCS1_000000-00000000000.pem"
    }

  5. Send certificates to the UDM-Pro using WinSCP

Now send the certificate files to the UDM-Pro using WinSCP. Yes, I know you can do this other ways, but again, this is what works for me.

Place the certificates in /etc/wpa_supplicant/conf/

Transfer certificates to the UDM-Pro

  6. Create WPA supplicant as a system service and update its configuration

You are now ready to create the WPA supplicant service and config. Via SSH, run the following command:

    systemctl edit wpa_supplicant

This will create the service override and open the editor so you can write its config.

Press the “i” key to insert text and insert the following (as three separate lines):

    [Service]
    ExecStart=
    ExecStart=/sbin/wpa_supplicant -u -s -Dwired -ieth8 -c/etc/wpa_supplicant/conf/wpa_supplicant.conf

A few notes: The UDM-Pro uses eth8 for the WAN port. I know, there are 9 ports, but the numbering starts at 0. This also assumes that your wpa_supplicant.conf file is located in /etc/wpa_supplicant/conf/.

To save this file, press the escape key, then type :wq and press enter.

  7. Start the WPA supplicant service

Ok, the hard stuff is done! Assuming everything has been done correctly, it is smooth sailing from here.

Let’s start the WPA supplicant service by running the following command:

    systemctl start wpa_supplicant

  8. Check if the service is running correctly on the UDM-Pro

If all went well, you should now be connected to the internet. But let’s check the WPA supplicant status by using the following command:

    systemctl status wpa_supplicant

This will show you the recent log for wpa_supplicant. What you want to see is something like:

    Successfully initialized wpa_supplicant

If you see errors here, go back and check that all of your files are in the right location and all of the paths are updated.

  9. Set the service to run on boot

Last step, just one more command so this service will run when the UDM-Pro reboots. Run the following via SSH:

    systemctl enable wpa_supplicant

If this worked correctly, you should see no errors and two symlinks created.

  10. Disable SSH and clean up

Ok, I lied, there is one more step. Before you are done, disable SSH on the UDM-Pro by unchecking the SSH box in Settings -> System -> SSH.

Always leave SSH disabled

Also, take a moment to back up your certificates somewhere. You may need these in the future and it would be awesome to not have to get them again.
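A pre-flight check to run before step 7, added here as an example and not part of the original post: it parses the wpa_supplicant.conf laid out above, confirms the three certificate paths are absolute and present, confirms the private key is readable only by its owner, and compares the identity= value against the MAC of the WAN interface (eth8 on the UDM-Pro, as the guide assumes; the config path and the --check flag are this script's own conventions).

```shell
#!/bin/sh
# Pre-flight check before "systemctl start wpa_supplicant" (added example,
# not from the original post). Assumes the guide's layout:
# /etc/wpa_supplicant/conf/wpa_supplicant.conf with ca_cert, client_cert and
# private_key quoted as absolute paths, and eth8 as the WAN interface.

# check_conf CONF [WAN_MAC]
# Verifies every certificate path in CONF is absolute and exists, that the
# private key is mode 600 or 400, and, when a WAN MAC is given, that
# identity= matches it case-insensitively (the conf comment says the ONT
# interface MAC must match). Prints one line per problem; returns 0 when
# all checks pass, 1 otherwise.
check_conf() {
    conf=$1
    wan_mac=$2
    rc=0
    [ -r "$conf" ] || { echo "config not readable: $conf"; return 1; }
    for key in ca_cert client_cert private_key; do
        path=$(sed -n "s/^[[:space:]]*$key=\"\([^\"]*\)\".*/\1/p" "$conf")
        if [ -z "$path" ]; then
            echo "$key missing from $conf"; rc=1; continue
        fi
        case $path in
            /*) ;;
            *) echo "$key is not an absolute path: $path"; rc=1 ;;
        esac
        [ -f "$path" ] || { echo "$key file not found: $path"; rc=1; }
    done
    key_path=$(sed -n 's/^[[:space:]]*private_key="\([^"]*\)".*/\1/p' "$conf")
    if [ -f "$key_path" ]; then
        # GNU stat first (the UDM-Pro is Debian-based), BSD stat as fallback
        perm=$(stat -c %a "$key_path" 2>/dev/null || stat -f %Lp "$key_path")
        case $perm in
            600|400) ;;
            *) echo "private key $key_path is mode $perm; expected 600 or 400"; rc=1 ;;
        esac
    fi
    if [ -n "$wan_mac" ]; then
        id_mac=$(sed -n 's/^[[:space:]]*identity="\([^"]*\)".*/\1/p' "$conf")
        id_lc=$(printf '%s' "$id_mac" | tr 'A-F' 'a-f')
        wan_lc=$(printf '%s' "$wan_mac" | tr 'A-F' 'a-f')
        if [ "$id_lc" != "$wan_lc" ]; then
            echo "identity $id_mac does not match WAN MAC $wan_mac"; rc=1
        fi
    fi
    return $rc
}

# Run the check against the guide's paths when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_conf /etc/wpa_supplicant/conf/wpa_supplicant.conf \
        "$(cat /sys/class/net/eth8/address)"
fi
```

A non-zero exit with one or more problem lines points at exactly the path or permission to fix before the service is started; a world-readable private key is a finding even when authentication succeeds.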

                    Bypassing AT&T Gateway on UDM-Pro: Final Thoughts

                    In the end, I am really happy with how WPA supplicant works in the new UDM 2.0 firmware. Yes, it was annoying that the previous solution just disappeared overnight, but using the WPA supplicant package is far less resource intensive than running docker and podman on the UDM.

                    Now the big question is, did I disable automatic updates? You would think that losing internet for a day, on an update that can’t be reversed would make me disable automatic updates. Well, they are still on. I am not an expert in cyber security, but my UDM is the centerpiece of my digital access to the outside world. But more importantly, it is the outside world’s access to me. With that being said, I think it is important to have this particular device up to date at all times. Especially with such a feature rich, and regularly developed device. So for me and my UDM, we will be leaving automatic updates on and dealing with these bumps as they happen.

                    31 Comments

                    1. Thank you for laying this all out so clearly. I followed your instructions and was able to get back up and running on my UDM Pro after the latest firmware update wiped my prior config. One small difference for me: 1) Initially I kept getting an “invalid section header” error in my wpa supplicant status so I had to split the insert into three separate lines L1:[Service] L2: Execstart= L3: Execstart=/sbin … I just manually edited the systemd override.conf file and that seemed to do the trick.

                      Once I did that the service started up without an error and the wpa_supplicant status showed the service as active and also provided the last 10 log entries where I could also see that the EAP authentication completed successfully.

                      Thanks again for taking the time to do this, much appreciated!

                      1. Good catch! That was a formatting issue on the blog side. Should be fixed now.

                        There are a lot of really smart people out there making all of this happen, but for me and my knowledge level I had to piece together a few different posts to get me where I was successful. I put this together mostly so I could have it as reference for next time (assuming at some point this will happen again) but am glad it is helping others in the process!

                        Thanks for stopping by and helping make the guide better!

                    2. Everything worked perfect and then 2 days later the newest update broke systemctl start wpa_supplicant and I can’t figure it out. Did you find a solution for this?

                      1. Hmmm. I haven’t had this issue, but I also don’t think I have gotten an update since I have implemented this.

                        Are you getting an error or anything?

                        1. Not the person you’re replying to, but I just hit this with the 2.5.17 RC. Seems that manually installed packages don’t survive upgrades. The service (systemctl edit …) and the cert/key files persist, but I had to reinstall wpasupplicant to get it going again.

                          Might be apt to keep a copy of the wpa_supplicant deb file (linked in the original reddit post) on the UDM for offline reinstall to avoid needing to hook up all the ATT gear just to bypass it again.

                          1. hey, how exactly do you get a copy of the deb file and store it offline? i hate having to hook up the att gear each time an update is pushed to the udm pro.

                            1. for those looking for how to keep a copy of the wpa_supplicant deb file on your udm pro and install it from there after a firmware update, here is what I did to make this work. It keeps me from having to hook up the ATT gateway with each firmware update.

                              note – do steps 1, 2, & 3 BEFORE upgrading firmware.

                              1. sudo apt-get reinstall --download-only wpasupplicant
                              2. mkdir /etc/wpa_supplicant/repository
                              3. cp /var/cache/apt/archives/wpasupplicant*.deb /etc/wpa_supplicant/repository
                              4. after upgrading firmware install the wpasupplicant from the local file using the following command:
                              apt install /etc/wpa_supplicant/repository/*.deb (be sure to replace the * with the name of the actual .deb file)

                              1 downloads the file to the var/cache/apt/archives folder.
                              2 creates a folder in the etc/wpa_supplicant folder called repository
                              3 copies the file from where it downloaded the file to the new folder you just created, be sure to replace the * with the actual name of the .deb file
                              4 installs the .deb file from where you stored it originally

                              From here follow Craig’s guide from the systemctl start step.

                    3. Fantastic resource. I had the bypass working throughout the 1.x versions. When it went to 2.x I never ended up resetting it and plugged in my att modem. But for whatever reason my service disconnects every day for like 3 minutes at different times.
                      I would love to lose the att modem again. However, I’m at 3.0.19. When yours updates do you mind letting us know what additional steps are needed to get it up and running on the UDM Pro 3.x firmware?

                    4. Worked like a charm! Removed Podman. Did not need a restart of the SE, yet got “wpa_supplicant.service: Current command vanished from the unit file, execution of the command list won’t be resumed.” a simple and am so back in business! Without this and needing the ATT Modem, VoIP was down, accessing Proxmox was gone, Pihole wasn’t working, etc, etc.. A total GAME CHANGER and oh so much easier than Podman!! THANK YOU! Have been looking for a solution for over a month!

                    5. ** A simple “systemctl stop wpa_supplicant” followed by “systemctl start wpa_supplicant” was needed. I followed the instructions to the T and they did not include that, so perhaps it might help another dunce like me. Thank you!

                    6. Thanks Craig! Great writeup. Really appreciate the edit, save & quit systemd commands since I always forget those. Works like a charm on my (non pro) Unifi Dream Machine, only change I had to make was use eth4 for wpa_supplicant instead of eth8.
                      One note: The 1.06 windows version of the mfg_decoder tool linked on devicelocksmith’s page gave me a Trojan:Win32/Zpevdo.B warning, so I used the 1.04 version here instead:
                      https://github.com/bypassrg/att/tree/master/decoder
                      Worked fine on my BGW210-700. Maybe it’s a false positive but I’d rather not risk it.

                      1. Oh I also had an error on first run: “UDM wpa_supplicant[7601]: WMM AC: Missing IEs”
                        But I still got EAP authentication completed successfully and it’s been working for about 20 minutes so far.

                    7. This stopped working for me after the update to 3.0.20 and had to redo it. Has anyone experienced issues after upgrading firmware?

                      1. I was getting SSL errors after latest update. I had to enable all ciphers and downgrade to TLS 1.2

                        Edit the bottom of openssl config file and replace with tls 1.2 and ciphers ALL

                        vi /etc/ssl/openssl.cnf

                        # Bottom of file
                        [system_default_sect]
                        MinProtocol = TLSv1.2
                        CipherString = ALL

                        systemctl restart wpa_supplicant
                        journalctl -fu wpa_supplicant

                    8. If you are getting SSL errors like these, it’s because new versions of openssl disabled the ciphers that ATT uses.

                      eth8: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
                      Sep 13 19:37:35 UDM-Pro wpa_supplicant[48395]: TLS: Failed to set TLS connection parameters
                      Sep 13 19:37:35 UDM-Pro wpa_supplicant[48395]: EAP-TLS: Failed to initialize SSL.

                      Edit the bottom of openssl config file and replace with tls 1.2 and ciphers ALL

                      vi /etc/ssl/openssl.cnf

                      # Bottom of file
                      [system_default_sect]
                      MinProtocol = TLSv1.2
                      CipherString = ALL
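A small triage helper for the status check in the guide (step 8) and for the SSL errors quoted in this comment, added here as an example and not code from the post or its commenters: it matches the log markers that appear on this page and says which fix the thread applied, and it prints the MinProtocol/CipherString lines from openssl.cnf so you can see the system-wide change that edit makes. The --demo and --live flags and the function names are this script's own.

```shell
#!/bin/sh
# Triage of "systemctl status wpa_supplicant" / "journalctl -fu wpa_supplicant"
# output (added example, not from the post or its comments). It looks for the
# log markers quoted on this page and names the fix the thread used.
# Assumes the guide's UDM-Pro layout (eth8 WAN, /etc/ssl/openssl.cnf).

# triage_log reads log lines on stdin, prints one verdict and returns:
#   0 = EAP-TLS authenticated   1 = OpenSSL refused the TLS parameters
#   2 = systemd lost the ExecStart command   3 = no known marker found
triage_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'EAP authentication completed successfully'; then
        # A commenter saw "WMM AC: Missing IEs" next to a successful auth; benign here.
        echo "OK: EAP-TLS authenticated on the WAN port"
        return 0
    fi
    if printf '%s\n' "$log" | grep -Eq 'TLS: Failed to set TLS connection parameters|EAP-TLS: Failed to initialize SSL'; then
        echo "TLS: OpenSSL rejected the cert/cipher set; check MinProtocol and CipherString in /etc/ssl/openssl.cnf, then restart wpa_supplicant"
        return 1
    fi
    if printf '%s\n' "$log" | grep -q 'Current command vanished from the unit file'; then
        echo "UNIT: unit changed under the running service; systemctl stop, then start, wpa_supplicant"
        return 2
    fi
    echo "UNKNOWN: no known marker; follow journalctl -fu wpa_supplicant"
    return 3
}

# openssl_defaults [CNF]: print the MinProtocol/CipherString lines, if any.
# [system_default_sect] applies to every OpenSSL consumer on the box, not
# only wpa_supplicant, so "CipherString = ALL" is a device-wide setting.
openssl_defaults() {
    grep -E '^(MinProtocol|CipherString)[[:space:]]*=' "${1:-/etc/ssl/openssl.cnf}"
}

# Constructed sample: the failure quoted in the comment above.
SAMPLE_TLS_FAIL='eth8: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Sep 13 19:37:35 UDM-Pro wpa_supplicant[48395]: TLS: Failed to set TLS connection parameters
Sep 13 19:37:35 UDM-Pro wpa_supplicant[48395]: EAP-TLS: Failed to initialize SSL.'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TLS_FAIL" | triage_log
elif [ "${1:-}" = "--live" ]; then
    journalctl -u wpa_supplicant -n 50 --no-pager | triage_log
fi
```

Because the openssl.cnf edit lowers TLS defaults for everything on the UDM-Pro, keep a note of the original values so they can be restored if a later firmware ships an OpenSSL that no longer needs it.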

                    9. Works perfectly for a ‘factory reset/defaulted’ UDM-Pro on the very latest firmware 3.1.16. Other guides on the internet only misguide you! Thank you for putting these instructions together, works well and quickly!

                    10. Also for 3.2.7 on UDM-Pro, works great! After the upgrade I just had to run the apt install wpasupplicant, but the rest of the configuration and certificate files were still there! But, I still lost internet while the upgrade removed wpa_supplicant. So, have your ATT router handy or a second connection… or make sure to have the wpa_supplicant app on backup so as to install it without the internet, that may work!

                    11. 3.2.9 broke it and now trying to reinstall wpasupplicant says Unable to locate package wpasupplicant.

                      Maybe because it’s an EA firmware? I’m going to downgrade for now and see if someone else has a solution, or hopefully it works when it goes GA.

                      1. I’m guessing it works when you reconnect to the internet to reinstall the wpa supplicant as suggested – did you try that?

                      2. 3.2.9 works for me. As with other versions, it does give you an error “E: Unable to locate package wpasupplicant” if you try to install it too soon.

                    12. 3.2.12 uninstalled wpasupplicant. Just reinstall it via “apt-get install wpasupplicant” and proceed with the same steps in the original post.
