In my last update, I was setting up the new Unifi networks and getting the devices migrated. I have now pulled the old Amplifi router off of the network as all of the devices have been migrated to the new Unifi Access Point. There were a few challenges along the way.
A big part of why I wanted to upgrade the network gear was the ability to have an always-on VPN connection to home directly into the router. The two reasons for this were to take advantage of the PiHole's ad blocking and to ensure privacy and security on open WiFi or even on mobile networks. I just have a hard time trusting VPN providers, even the ones that say they respect the privacy of their customers and don't log. The Amplifi Teleport solution worked okay, but I hadn't automated it.
Once I had a good bit of the devices migrated over to Unifi, I set out to create an L2TP VPN endpoint on the USG using this guide. When I was all done, it didn't work. The radius logs were saying:
Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.1.1 port 53427
The radius server on the USG was not accepting itself as a client. Ugh.
After trying everything I could think of to make it work, I opened a support request and sent them all of the diagnostic information requested. Apparently, there is a bug in the current version of the controller software that happens with the radius server configuration if you ever enable "Try New Settings" to get the new layout for the settings pages. An important configuration section is left out.
The bad news was the only way to fix it was to migrate all of the devices to a new site and NEVER enable "Try New Settings". Well, I was not happy with the performance of the Unifi Controller on the Hass.io Raspberry Pi, so I figured now was as good a time as any to get the Unifi Controller Docker container working on the QNAP. Unfortunately, that was easier said than done.
I should have taken the time originally to just set it up on the QNAP, because the problem I was having originally was easily fixed once I realized that it wasn't the QNAP web interface that was using the port the Unifi controller wanted; it was the QNAP web server, which I had enabled but wasn't using. Oops, but easily fixed. The trouble came in with getting the Unifi devices moved over. Not only did I have to recreate the entire configuration again, because restoring from a backup would just reintroduce the same problem with the radius server, but I also ended up doing a factory reset on the devices to get them adopted into the new Unifi controller. It's now done though and everything is working great.
The next task was to set up the VPN connection to automatically connect when I'm not home and connected to WiFi, and disconnect when I'm back on Home WiFi. For this, Tasker to the rescue.
First, I set up a profile for each of the Home SSIDs:
Then, create a task for Enter Home WiFi and Leave Home WiFi which:
- Pauses for 5 seconds to ensure the new network connection is now stable
- Launches the VPN connections screen in the Samsung settings app (android.settings.biometrics.BiometricsAuthenticationActivity:VPN)
- Utilizes AutoInput to tap the correct VPN profile and tap the Connect or Disconnect button
- Switches back to the last app
- Uses AutoNotification to create a notification that VPN has been connected or disconnected
It doesn't work flawlessly, especially if you are doing something on the phone when WiFi connects or disconnects, such as trying to use an app to set up an IoT device on the connected network. However, disabling the profiles in Tasker is a temporary quick fix and this works well enough for now.
I'm sure I will continue to find new firewall rules that need to be added to the Unifi USG, but so far so good. The devices which require Internet access, such as Google smart speakers and Chromecast devices, have it without having access to the main network. The devices which don't require Internet, such as the TV tuner and the IP cameras, can't talk to anything that didn't initiate the connection to them. Everything can talk to Home Assistant and Plex when it needs to, but only on the ports that they need and nothing more. Guests have Internet access which is throttled to a generous but reasonable speed.
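The segmentation described above, written out as an ordered, first-match rule set so the effect of rule ordering and connection state can be checked against sample flows. This is an added example, not the USG configuration from this post; the VLAN subnets, the Home Assistant and Plex addresses, and the rule names are assumptions (the port numbers are the products' default ports). The guest speed throttle is a bandwidth setting rather than a firewall rule, so it is not modelled here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Hypothetical VLAN subnets, constructed for this example; the post does not give its addressing.
ZONES = {
    "main":    ip_network("192.168.1.0/24"),   # trusted devices, Home Assistant, Plex
    "iot_wan": ip_network("192.168.20.0/24"),  # smart speakers, Chromecast: need Internet
    "iot_lan": ip_network("192.168.30.0/24"),  # TV tuner, IP cameras: no Internet, answer only
    "guest":   ip_network("192.168.40.0/24"),  # guest WiFi: Internet only
}
# Hypothetical service endpoints on the main network (default ports of each product).
HOME_ASSISTANT = ("192.168.1.10", 8123)
PLEX = ("192.168.1.11", 32400)
IOT = frozenset({"iot_wan", "iot_lan"})


def zone_of(addr: str) -> str:
    """Map an address to its VLAN zone; anything outside the VLANs counts as the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False   # True for packets of a connection that was already accepted


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "accept" or "drop"
    src_zones: Optional[FrozenSet[str]] = None    # None = any source zone
    dst_zones: Optional[FrozenSet[str]] = None    # None = any destination zone
    dst: Optional[Tuple[str, int]] = None         # exact (address, port) service match
    established: Optional[bool] = None            # None = ignore connection state

    def matches(self, flow: Flow) -> bool:
        if self.established is not None and self.established != flow.established:
            return False
        if self.src_zones and zone_of(flow.src) not in self.src_zones:
            return False
        if self.dst_zones and zone_of(flow.dst) not in self.dst_zones:
            return False
        if self.dst and (flow.dst, flow.dport) != self.dst:
            return False
        return True


# Ordered, first-match rule set. The order is the whole point: the established rule
# sits first so isolated devices can answer connections opened towards them, and the
# narrow per-service allows sit before the zone-wide drops.
RULES = [
    Rule("allow-established", "accept", established=True),
    Rule("iot-to-home-assistant", "accept", src_zones=IOT, dst=HOME_ASSISTANT),
    Rule("iot-to-plex", "accept", src_zones=IOT, dst=PLEX),
    Rule("iot-lan-no-initiate", "drop", src_zones=frozenset({"iot_lan"})),
    Rule("iot-wan-internet-only", "accept",
         src_zones=frozenset({"iot_wan"}), dst_zones=frozenset({"internet"})),
    Rule("guest-internet-only", "accept",
         src_zones=frozenset({"guest"}), dst_zones=frozenset({"internet"})),
    Rule("main-unrestricted", "accept", src_zones=frozenset({"main"})),
    Rule("default-drop", "drop"),
]


def evaluate(flow: Flow, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the flow."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    raise RuntimeError("rule set has no catch-all rule")


if __name__ == "__main__":
    # Constructed sample flows, one per branch of the policy.
    samples = [
        Flow("192.168.30.5", "8.8.8.8", 443),                          # camera tries the Internet
        Flow("192.168.1.10", "192.168.30.5", 554),                     # Home Assistant pulls a camera stream
        Flow("192.168.30.5", "192.168.1.10", 51234, established=True), # camera answers that stream request
        Flow("192.168.30.5", "192.168.1.10", 8123),                    # camera pushes an event to Home Assistant
        Flow("192.168.20.7", "8.8.8.8", 443),                          # Chromecast reaches the Internet
        Flow("192.168.20.7", "192.168.1.50", 22),                      # Chromecast probes the main network
        Flow("192.168.40.9", "192.168.1.10", 8123),                    # guest tries Home Assistant
    ]
    for f in samples:
        state = "est" if f.established else "new"
        print(f"{f.src:>14} -> {f.dst}:{f.dport:<5} {state}  ->  {evaluate(f)}")
```

Running the block prints the verdict for each constructed flow. The two lines worth comparing are the camera's own outbound attempt (dropped by iot-lan-no-initiate) and its reply to a stream Home Assistant opened (accepted by allow-established): that pair is what "can't talk to anything that didn't initiate the connection" means in rule terms, and it only works because the established rule is evaluated before the zone drop.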
At some point, I'll cover the firewall rules in more detail.