Skip to content

Setup wpa_supplicant on Unifi Gateways to bypass ATT modem

Notifications You must be signed in to change notification settings

evie-lau/Unifi-gateway-wpa-supplicant

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
 
 
 
 

Repository files navigation

Unifi Gateway wpa_supplicant bypass for ATT fiber modem

Use this guide to setup wpa_supplicant with your Unifi gateway to bypass the ATT modem.

This will work on any modern Unifi Console or Gateway. To my knowledge, that includes everything except the original USG which will have a different process that is already well documented over the years (check Additional resources).

Important

Take note of your Unifi gateway's WAN port interface name. In the rest of the guide, I'll be using eth1 because that is the WAN interface for the UXG Lite. If using another Unifi gateway, replace the interface name appropriately.

Here are some known interfaces for Unifi gateways, for use in the rest of the guide. Double check with your device to be sure.

  • UXG Lite or UX - eth1
  • UXG Pro - eth0 (WAN1, RJ-45), eth2 (WAN2, SFP+)
  • UXG Max - eth4
  • UCG Ultra - eth4
  • UDR and UDM-Base (the egg) - eth4
  • UDM Pro or SE - eth8 (WAN1, RJ-45), eth9 (WAN2, SFP+)

Prerequisites:

  • extracted and decoded certificates from an ATT modem

Instructions to extract certs from BGW210/BGW320

Table of Contents

Install wpa_supplicant on Unifi gateway

SSH into your Unifi gateway.

Tip

Unlike all my other Unifi devices, my SSH private key didn't work with my username, but worked with the root user instead. Or user + password defined in Settings -> System -> Advanced -> Device Authentication.

The Unifi gateways run a Debian-based distro, so we can install the wpasupplicant package.

> apt update -y
> apt install -y wpasupplicant

Create a certs folder in the /etc/wpa_supplicant folder.

> mkdir -p /etc/wpa_supplicant/certs

We'll copy files into here in the next step.

Copy certs and config to Unifi gateway

Back on your computer, prepare your files to copy into the Unifi gateway.

These files come from the mfg_dat_decode tool:

  • CA_XXXXXX-XXXXXXXXXXXXXX.pem
  • Client_XXXXXX-XXXXXXXXXXXXXX.pem
  • PrivateKey_PKCS1_XXXXXX-XXXXXXXXXXXXXX.pem
  • wpa_supplicant.conf
> scp *.pem <gateway>:/etc/wpa_supplicant/certs
> scp wpa_supplicant.conf <gateway>:/etc/wpa_supplicant

Important

Make sure in the wpa_supplicant.conf to modify the ca_cert, client_cert and private_key to use absolute paths. In this case, prepend /etc/wpa_supplicant/certs/ to the filename strings. It should look like the following...

...
network={
        ca_cert="/etc/wpa_supplicant/certs/CA_XXXXXX-XXXXXXXXXXXXXX.pem"
        client_cert="/etc/wpa_supplicant/certs/Client_XXXXXX-XXXXXXXXXXXXXX.pem"
        ...
        private_key="/etc/wpa_supplicant/certs/PrivateKey_PKCS1_XXXXXX-XXXXXXXXXXXXXX.pem"
}

Spoof MAC address

We'll need to spoof the MAC address on the WAN port (interface eth1 on the UXG-Lite) to successfully authenticate with ATT with our certificates.

Tip

I know there's an option in the Unifi dashboard to spoof MAC address on the Internet (WAN) network, but this didn't seem to work when I tested it. If the setting works for you, the rest of this section can be skipped.

Instead, I had to manually set it up, based on these instructions to spoof mac address.

SSH back into your gateway, and create the following file.

vi /etc/network/if-up.d/changemac

#!/bin/sh

if [ "$IFACE" = eth1 ]; then
  ip link set dev "$IFACE" address XX:XX:XX:XX:XX:XX
fi

Replace the mac address with your gateway's address, found in the wpa_supplicant.conf file.

Set the permissions:

> sudo chmod 755 /etc/network/if-up.d/changemac

This file will spoof your WAN mac address when eth1 starts up. Go ahead and run the same command now so you don't have to reboot your gateway.

> ip link set dev "$IFACE" address XX:XX:XX:XX:XX:XX

Setup network

Set VLAN ID on WAN connection

ATT authenticates using VLAN ID 0, so we have to tag our WAN port with that.

In your Unifi console/dashboard, under Settings -> Internet -> Primary (WAN1) (or your WAN name if you renamed it), Enable VLAN ID and set it to 0.

Warning

Before applying, note that this change will prevent you from accessing the internet until after running wpa_supplicant in the next step. If you need to restore internet access before finishing this setup guide, you can always disable VLAN ID.

Alt text

Apply the change, then unplug the ethernet cable from the ONT port on your ATT Gateway, and plug it into the WAN port on your Unifi gateway.

Test wpa_supplicant

While SSHed into the gateway, run this to test the authentication.

> wpa_supplicant -i eth1 -D wired -c /etc/wpa_supplicant/wpa_supplicant.conf

Breaking down this command...

  • -i eth1 Specifies eth1 (UXG-Lite WAN port) as the interface
  • -D wired Specify driver type of eth1
  • -c <path-to>/wpa_supplicant.conf The config file

You should see the message Successfully initialized wpa_supplicant if the command and config are configured correctly.

Following that will be some logs from authenticating. If it looks something like this, then it was successful!

eth1: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=Michigan/L=Southfield/O=ATT Services Inc/OU=OCATS/CN=aut03lsanca.lsanca.sbcglobal.net' hash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
eth1: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:aut03lsanca.lsanca.sbcglobal.net
eth1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
eth1: CTRL-EVENT-CONNECTED - Connection to XX:XX:XX:XX:XX:XX completed [id=0 id_str=]

Tip

If you don't see the EAP authentication completed successfully message, try checking to make sure the MAC address was spoofed successfully.

Ctrl-c to exit. If you would like to run it in the background for temporary internet access, add a -B parameter to the command. Running this command is still a manual process to authenticate, and it will only last until the next reboot.

Setup wpa_supplicant service for startup

Now we have to make sure wpa_supplicant starts automatically when the Unifi gateway reboots.

Let's use wpa_supplicant's built in interface-specific service to enable it on startup. More information here.

Because we need to specify the wired driver and eth1 interface, the corresponding service will be [email protected]. This service is tied to a specific .conf file, so we will have to rename our config file.

Back in /etc/wpa_supplicant, rename wpa_supplicant.conf to wpa_supplicant-wired-eth1.conf.

> cd /etc/wpa_supplicant
> mv wpa_supplicant.conf wpa_supplicant-wired-eth1.conf

Then start the service and check the status.

> systemctl start wpa_supplicant-wired@eth1

> systemctl status wpa_supplicant-wired@eth1

If the service successfully started and is active, you should see similar logs as when we tested with the wpa_supplicant command.

Now we can go ahead and enable the service.

> systemctl enable wpa_supplicant-wired@eth1

Try restarting your Unifi gateway if you wish, and it should automatically authenticate!

Survive firmware updates

Firmware updates will nuke the packages installed through apt that don't come with the stock Unifi OS, removing our wpasupplicant package and service. Since we'll no longer have internet without wpa_supplicant authenticating us with ATT, we can't reinstall it from the debian repos.

Let's cache some files locally and create a system service to automatically reinstall, start, and enable wpa_supplicant again on bootup.

First download the required packages (with missing dependencies) from debian into a persisted folder. These are the resources if you wish to pull the latest download links. Make sure to get the arm64 package.

> mkdir -p /etc/wpa_supplicant/packages
> cd /etc/wpa_supplicant/packages
> wget http://ftp.us.debian.org/debian/pool/main/w/wpa/wpasupplicant_2.9.0-21_arm64.deb
> wget http://ftp.us.debian.org/debian/pool/main/p/pcsc-lite/libpcsclite1_1.9.1-1_arm64.deb

As of the 3.1.15 -> 3.1.16 firmware update, my /etc/wpa_supplicant folder did not get wiped, so these should persist through an update for us to reinstall.

Now let's create a service to install these packages and enable/start wpa_supplicant:

> vi /etc/systemd/system/reinstall-wpa.service

Paste this as the content:

[Unit]
Description=Reinstall and start/enable wpa_supplicant
AssertPathExistsGlob=/etc/wpa_supplicant/packages/wpasupplicant*arm64.deb
AssertPathExistsGlob=/etc/wpa_supplicant/packages/libpcsclite1*arm64.deb
ConditionPathExists=!/sbin/wpa_supplicant
After=basic.target sysinit.target
Wants=basic.target sysinit.target

[Service]
Type=oneshot
ExecStartPre=/bin/sh -c 'dpkg -Ri /etc/wpa_supplicant/packages'
ExecStart=/bin/sh -c 'systemctl start wpa_supplicant-wired@eth1'
ExecStartPost=/bin/sh -c 'systemctl enable wpa_supplicant-wired@eth1'
Restart=on-failure

[Install]
WantedBy=multi-user.target

Now enable the service.

> systemctl daemon-reload
> systemctl enable reinstall-wpa.service

This service should run on startup. It will check if /sbin/wpa_supplicant got wiped, and if our package files exist. If both are true, it will install and startup wpa_supplicant.

(Optional) If you want to test this...

> systemctl stop wpa_supplicant-wired@eth1
> systemctl disable wpa_supplicant-wired@eth1
> apt remove wpasupplicant -y

Now try restarting your gateway. Upon boot up, SSH back in, and check systemctl status wpa_supplicant-wired@eth1.

  • Alternatively, without a restart, run systemctl start reinstall.service, wait until it finishes, then systemctl status wpa_supplicant-wired@eth1.)

You should see the following:

Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled)
Active: active (running) ...
...
Dec 29 23:20:00 UXG-Lite wpa_supplicant[6845]: eth1: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

File list

For my own sanity, here's a final list of files created or copied into the gateway during this guide:

etc
├── network
│   └── if-up.d
│       └── **changemac** (if needed for MAC spoof)
├── systemd
│   └── system
│       └── **reinstall-wpa.service**
└── wpa_supplicant
    ├── **wpa_supplicant-wired-eth1.conf**
    ├── certs
    │   ├── CA_XXX.pem
    │   ├── Client_XXX.pem
    │   └── PrivateKey_PKCS1_XXX.pem
    └── packages
        ├── wpasupplicant_..._arm64.deb
        └── libpcsclite1_..._arm64.deb

Troubleshooting

Some problems I ran into...

OpenSSL: tls_connection_ca_cert
> OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory
  • Make sure in the wpa_supplicant config file to set the absolute path for each certificate, mentioned here.

Additional resources

Special thanks to many of these resources I used to learn all this (nearly from scratch).