Site to Site VPN into Azure with EdgeRouter

These scripts are based on the instructions in the Azure Documentation.

The first step is to set up the Azure side. This script can be run from any machine with the AzureRM PowerShell modules installed. Be sure to read it through and update the variables at the top before you run it.

First we need a resource group to hold the Azure objects. Inside it we create a new Virtual Network with two subnets. The first subnet, “GatewaySubnet”, must be named exactly that or the gateway will not work. The other subnet (“AzureSubnet”) is where we will attach our VMs and can be named anything you like. You can add more subnets to the Virtual Network later to organise your Azure network.

To represent the local side of the network we create a Local Network Gateway. This is configured with our external IP address and the address space we use internally.

Next we request a public IP address, get a reference to our GatewaySubnet, and use these to create a Virtual Network Gateway IP Config. That config is then used to create the Virtual Network Gateway. This step can take up to 20 minutes to return a reference to the created object.

The last step is to create a Virtual Network Gateway Connection linking the Virtual Network Gateway to the Local Network Gateway, configured to use IPsec with a pre-shared key.

With Azure configured, we just need to tell the EdgeRouter to connect. These settings work for me, but may not be optimal. Make sure you set the right interface on line 1. Mine is a pppoe interface, but yours may be different.

To get the public IP address of your new Azure Virtual Network Gateway, you can use:

$remoteGatewayIP = Get-AzureRmPublicIpAddress -Name $remoteGatewayIPAddressName -ResourceGroupName $resourceGroup
Write-Host $remoteGatewayIP.IpAddress

If you need to add additional VPNs - perhaps to a second subscription - set up the Azure side again and create a new site-to-site peer on the EdgeRouter. You can reuse the same esp-group and ike-group.
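The EdgeRouter side of the tunnel, as an added example rather than the author's own configuration. It assumes the WAN is pppoe0 with the public address shown in the status output further down (123.123.123.123), a home LAN of 192.168.10.0/24, an Azure Virtual Network of 10.1.0.0/16, and placeholders for the Azure gateway address and the pre-shared key; the group names ESP-AZURE and IKE-AZURE are made up. The first proposal (AES-256, SHA-256, DH group 14) sits inside the default IKEv2 policy of an Azure route-based gateway when the EdgeRouter initiates; the second proposal keeps the older AES-256/SHA-1/DH group 2 set that Azure offers when it starts the exchange itself, and is the one to fall back to if your firmware has no SHA-256 option. The lines are entered in configure mode, and the second-peer stanza at the end shows how the groups are reused for another subscription.

```edgeos
# Added example (not the author's config): EdgeRouter side of the Azure site-to-site tunnel.
# Assumptions: WAN is pppoe0 at 123.123.123.123 (the address from the status output on this page),
# home LAN 192.168.10.0/24, Azure VNet 10.1.0.0/16, Azure gateway at <AZURE-GATEWAY-IP>.

# Let tunnel traffic bypass the WAN NAT and firewall rulesets without extra rules.
set vpn ipsec auto-firewall-nat-exclude enable

# Phase 2 (ESP). Azure route-based gateways do not use PFS by default.
set vpn ipsec esp-group ESP-AZURE compression disable
set vpn ipsec esp-group ESP-AZURE lifetime 3600
set vpn ipsec esp-group ESP-AZURE mode tunnel
set vpn ipsec esp-group ESP-AZURE pfs disable
set vpn ipsec esp-group ESP-AZURE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-AZURE proposal 1 hash sha256
set vpn ipsec esp-group ESP-AZURE proposal 2 encryption aes256
set vpn ipsec esp-group ESP-AZURE proposal 2 hash sha1

# Phase 1 (IKEv2). Proposal 1 is the stronger set; proposal 2 is the legacy
# AES-256/SHA-1/DH2 set Azure proposes when it initiates.
set vpn ipsec ike-group IKE-AZURE key-exchange ikev2
set vpn ipsec ike-group IKE-AZURE ikev2-reauth no
set vpn ipsec ike-group IKE-AZURE lifetime 28800
set vpn ipsec ike-group IKE-AZURE proposal 1 dh-group 14
set vpn ipsec ike-group IKE-AZURE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-AZURE proposal 1 hash sha256
set vpn ipsec ike-group IKE-AZURE proposal 2 dh-group 2
set vpn ipsec ike-group IKE-AZURE proposal 2 encryption aes256
set vpn ipsec ike-group IKE-AZURE proposal 2 hash sha1
# Dead peer detection restarts the tunnel if Azure stops answering.
set vpn ipsec ike-group IKE-AZURE dead-peer-detection action restart
set vpn ipsec ike-group IKE-AZURE dead-peer-detection interval 30
set vpn ipsec ike-group IKE-AZURE dead-peer-detection timeout 120

# The interface IPsec listens on: this is the "line 1" to change for your WAN interface.
set vpn ipsec ipsec-interfaces interface pppoe0

# The Azure Virtual Network Gateway is the peer. The secret must match the one given to
# the Virtual Network Gateway Connection; local-address is the current public address.
set vpn ipsec site-to-site peer <AZURE-GATEWAY-IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <AZURE-GATEWAY-IP> authentication pre-shared-secret <PRE-SHARED-KEY>
set vpn ipsec site-to-site peer <AZURE-GATEWAY-IP> connection-type initiate
set vpn ipsec site-to-site peer <AZURE-GATEWAY-IP> description 'Azure subscription 1'
set vpn ipsec site-to-site peer <AZURE-GATEWAY-IP> ike-group IKE-AZURE
set vpn ipsec site-to-site peer <AZURE-GATEWAY-IP> local-address 123.123.123.123
set vpn ipsec site-to-site peer <AZURE-GATEWAY-IP> tunnel 1 esp-group ESP-AZURE
set vpn ipsec site-to-site peer <AZURE-GATEWAY-IP> tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer <AZURE-GATEWAY-IP> tunnel 1 remote prefix 10.1.0.0/16

# A second subscription is another peer that reuses the same groups and gets its own
# secret, description and remote prefix (placeholders again).
set vpn ipsec site-to-site peer <SECOND-GATEWAY-IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <SECOND-GATEWAY-IP> authentication pre-shared-secret <SECOND-PRE-SHARED-KEY>
set vpn ipsec site-to-site peer <SECOND-GATEWAY-IP> connection-type initiate
set vpn ipsec site-to-site peer <SECOND-GATEWAY-IP> ike-group IKE-AZURE
set vpn ipsec site-to-site peer <SECOND-GATEWAY-IP> local-address 123.123.123.123
set vpn ipsec site-to-site peer <SECOND-GATEWAY-IP> tunnel 1 esp-group ESP-AZURE
set vpn ipsec site-to-site peer <SECOND-GATEWAY-IP> tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer <SECOND-GATEWAY-IP> tunnel 1 remote prefix 10.2.0.0/16

commit
save
```

Two things worth knowing before pasting this in: the pre-shared secret is stored in clear text in config.boot and is visible to anyone who can run `show configuration`, so use a long random value and treat the config file as a secret; and with a PPPoE WAN the local-address is whatever the session was given, so it has to be updated (or the peer re-committed) when the ISP hands out a new address. After `commit`, `show vpn ipsec sa` lists the negotiated proposal and the bytes in and out for each tunnel, which is the quickest way to confirm that phase 1 and phase 2 both came up.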

After saving the configuration you should be able to see the active connection in the EdgeRouter CLI with show vpn ipsec status, which should return something like:

IPSec Process Running PID: 1703

1 Active IPsec Tunnels

IPsec Interfaces :
        pppoe0  (123.123.123.123)

With the VPN up we can now build Azure VMs in the AzureSubnet of our Virtual Network without creating a public IP for each one.

EdgeRouter PPTP VPN with Dynamic IP Address

Dynamic DNS

Setting up VPN remote access on the EdgeRouter is pretty straightforward, but without a static IP address we won’t be able to connect back home if the external IP changes. To get around this we can use a dynamic DNS provider like noip.com and have the EdgeRouter update the IP when it changes. After setting up an account and a new dynamic hostname, we can configure the router with:

Configure VPN

Now that we have a DNS name we can set up the PPTP VPN.

First we enable the PPTP VPN using local authentication. This is handy because I don’t yet have a RADIUS server to use for authentication. We specify an address pool to hand out to VPN clients, and a DNS server for them to use.

Since I’m using the router as my DNS server I also need to listen for DNS forwarding on that IP, otherwise it won’t respond to DNS requests from the VPN client IP pool.

Finally we need to set up firewall rules that will allow the PPTP and GRE traffic to reach the router.
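The whole remote-access procedure above (dynamic DNS, PPTP server, DNS forwarder, firewall rules) as one added example; it is not the author's configuration. It assumes the WAN is pppoe0, the router's LAN address is 192.168.10.1 and it runs the DNS forwarder, the WAN-facing local ruleset is called WAN_LOCAL (the name the setup wizard uses), the client pool lies outside the LAN DHCP range, and the no-ip hostname, username and password are placeholders. The `listen-address` line is my reading of the author's "listen for DNS forwarding on that IP"; it passes a dnsmasq option through `service dns forwarding options`. One caveat that a practitioner would want here: PPTP authenticates with MS-CHAPv2, whose DES-based exchange can be recovered offline from a captured handshake, so the VPN password is the only thing standing between the Internet and the LAN, and L2TP/IPsec or OpenVPN would be the stronger choice for a new deployment.

```edgeos
# Added example (not the author's config). Assumptions: WAN is pppoe0, LAN address
# 192.168.10.1 runs the DNS forwarder, the WAN local ruleset is WAN_LOCAL, and the
# no-ip hostname and credentials are placeholders.

# Dynamic DNS: keep the hostname pointing at whatever address pppoe0 currently holds.
set service dns dynamic interface pppoe0 service noip host-name <HOSTNAME>.ddns.net
set service dns dynamic interface pppoe0 service noip login <NOIP-USERNAME>
set service dns dynamic interface pppoe0 service noip password <NOIP-PASSWORD>

# PPTP server with local authentication, a client address pool and the router as DNS.
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username alice password <STRONG-PASSWORD>
set vpn pptp remote-access client-ip-pool start 192.168.10.200
set vpn pptp remote-access client-ip-pool stop 192.168.10.219
set vpn pptp remote-access dns-servers server-1 192.168.10.1
# 0.0.0.0 means "accept on any local address", which suits a dynamic WAN address.
set vpn pptp remote-access outside-address 0.0.0.0

# The forwarder only answers on interfaces it has been told to listen on, and PPTP
# clients arrive on ppp interfaces; accepting queries addressed to the LAN IP covers
# them (dnsmasq listen-address option; assumption about the author's approach).
set service dns forwarding options listen-address=192.168.10.1

# Allow only the PPTP control channel (TCP 1723) and GRE through to the router itself.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'PPTP control channel'
set firewall name WAN_LOCAL rule 30 destination port 1723
set firewall name WAN_LOCAL rule 30 protocol tcp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description 'PPTP GRE'
set firewall name WAN_LOCAL rule 40 protocol gre

commit
save
```

After `commit`, `show vpn remote-access` lists connected PPTP clients with their pool addresses, and `show firewall name WAN_LOCAL statistics` shows whether rules 30 and 40 are seeing packets, which separates a firewall problem from an authentication one when a client cannot connect.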

Accessing bridged modem through EdgeRouter

I needed a small tweak to my EdgeRouter config to let me connect to my bridged VDSL modem. The EdgeRouter is connected to the modem on eth0.

The modem uses 192.168.1.254/24 by default, so the first step is to give eth0 an IP on the same network. Then we need a NAT masquerade rule to NAT traffic for the 192.168.1.0/24 network through eth0.
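The two steps above as an added example (not the author's config). It assumes the LAN does not itself use 192.168.1.0/24 (if it did, the route to the modem and the route to the LAN would overlap and the modem would be unreachable), and that eth0 is the physical port the PPPoE session runs over. Rule numbers 5000 and above are the range EdgeOS reserves for source NAT; the number itself is a choice.

```edgeos
# Added example (not the author's config). Assumption: LAN is not 192.168.1.0/24.

# Give the physical WAN port an address on the modem's management network. The PPPoE
# session on pppoe0 is unaffected; this address is only used to reach the modem.
set interfaces ethernet eth0 address 192.168.1.2/24

# Source-NAT LAN traffic bound for the modem network so replies come back to eth0's
# address rather than to a LAN address the modem has no route for. Only the
# 192.168.1.0/24 destination is matched, so normal Internet traffic is untouched.
set service nat rule 5000 description 'Reach bridged modem admin interface'
set service nat rule 5000 destination address 192.168.1.0/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade

commit
save
```

Once committed, `show nat rules` lists rule 5000 and `show nat statistics` shows its packet count climbing while you browse to the modem's address.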

After applying the changes I can now browse to the admin interface of the modem.

EdgeRouter Lite

As part of a project to build a home lab for testing, I’m upgrading my home network. My first addition is an Ubiquiti EdgeRouter Lite.

EdgeRouter Lite ERLite-3

I have the ERL connected to my VDSL modem (bridged) on eth0, and to my Netgear AP on eth1. I will be creating a DHCP LAN on each of eth1 and eth2, and setting up a pppoe interface on eth0 to connect to the Internet. Eth1 will be connected to my existing wireless router, and eth2 will be connected to my Xbox.

Diagram

Fortunately, after upgrading the firmware to version 1.8 almost all of this can be done using the setup wizard. The only remaining settings I need to adjust are to set up a couple of DHCP reservations and port forwarding rules to keep Plex and Transmission working on my server.
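The two things left after the wizard, a DHCP reservation and the port-forwarding rules, as an added example that is not the author's final config. It assumes the eth1 LAN is 192.168.10.0/24 served by a DHCP pool the wizard named LAN1, the WAN is pppoe0, the media server has the (made-up) MAC address shown, Plex is on its default port 32400, and Transmission is using its default peer port 51413. The `auto-firewall` setting is the security-relevant part: it generates only the WAN_IN accept rules that match the forwards, so nothing else on the WAN side is opened.

```edgeos
# Added example (not the author's config). Assumptions: LAN1 = 192.168.10.0/24 on eth1,
# WAN = pppoe0, server MAC 00:11:22:33:44:55 (made up), default Plex/Transmission ports.

# DHCP reservation so the server always receives 192.168.10.10 (outside the dynamic range).
set service dhcp-server shared-network-name LAN1 subnet 192.168.10.0/24 static-mapping mediaserver ip-address 192.168.10.10
set service dhcp-server shared-network-name LAN1 subnet 192.168.10.0/24 static-mapping mediaserver mac-address 00:11:22:33:44:55

# Port forwarding. auto-firewall adds matching WAN_IN accept rules for exactly these
# forwards; hairpin-nat lets LAN clients reach the server via the public address too.
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward wan-interface pppoe0
set port-forward lan-interface eth1
set port-forward rule 1 description 'Plex'
set port-forward rule 1 forward-to address 192.168.10.10
set port-forward rule 1 forward-to port 32400
set port-forward rule 1 original-port 32400
set port-forward rule 1 protocol tcp
set port-forward rule 2 description 'Transmission peer port'
set port-forward rule 2 forward-to address 192.168.10.10
set port-forward rule 2 forward-to port 51413
set port-forward rule 2 original-port 51413
set port-forward rule 2 protocol tcp_udp

commit
save
```

`show dhcp leases` confirms the reservation took effect after the server renews, and `show firewall name WAN_IN` shows the accept rules that auto-firewall generated, which is worth checking once so you know exactly what is exposed.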

Initial impressions are great. The setup took about an hour, including the time it took to hook everything up and to download and install the firmware update. The router has a console management port for when I inevitably wreck the config or lock myself out of the network, SSH admin console, and the web GUI seems to cover almost all day to day tasks.

The final config looks like this.

Installing a Custom SSL Certificate on a Linux UniFi Controller

It took me a while to find this so it seems worth posting here.

Once you have a signed certificate file we need to create a p12 keystore file. In my case the certificate was from Go Daddy and there’s an intermediate certificate (gd_bundle-g2-g1.crt) that needs to be included.

openssl pkcs12 -export -in example.crt \
-inkey example.key \
-out example.p12 \
-name unifi \
-certfile gd_bundle-g2-g1.crt

At the prompt enter the password aircontrolenterprise.

We can then import example.p12 into the UniFi keystore:

sudo keytool -importkeystore \
-deststorepass aircontrolenterprise \
-destkeypass aircontrolenterprise \
-destkeystore /usr/lib/unifi/data/keystore \
-srckeystore example.p12 \
-srcstoretype PKCS12 \
-srcstorepass aircontrolenterprise \
-alias unifi

And restart the controller with service unifi restart.