WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Integrate UpdateScript and FW-Upgrade-Survival #87

Closed dcsITsolutions closed 3 years ago

dcsITsolutions commented 3 years ago

WireGuard and ubnt-devices get upgrades. For a WireGuard update you need some manual steps to update. If the device is off-site and I remove the interface I can't connect anymore. For a ubnt-device update you lose the whole WireGuard module afterwards.

The script on GitHub https://github.com/whiskerz007/ubnt_get_wireguard/blob/master/get_wireguard.sh enables you to update to a specific version or the latest version without losing access afterwards. Also the script helps you to survive an upgrade of the ubnt-device firmware and the device will reconnect after upgrade.

It would be great to include the script here.

FossoresLP commented 3 years ago

Hi, thanks for the suggestion. The reason we do not provide any automated update scripts is that this package is currently not properly tested before a release. This means that issues should be expected which for a manual upgrade is more reasonable than for an (automated) update script. I know about the script and I know it is well-designed (e.g. ignores pre-releases, etc.), so feel free to use it at your own discretion but I'm not confident in including an update script, yet. There is also progress on using an apt repository for updates (see #41) but this will not currently solve your issue either.

dcsITsolutions commented 3 years ago

Thank you for your fast response. I saw a similar answer from you in another thread. BUT in my opinion the provided script does NOT automatically update the WireGuard module. It only wraps needed commands in a single shell script. You have to trigger it manually; the only good thing is that it backs up your config and reinstalls it afterwards. When the only connection to the offsite location is via WireGuard this is the only way to update WireGuard.

The second point is that it also helps you to survive an upgrade of the ubnt-device, which your package actually doesn't. Maybe the second part is something you want to import.

Nevertheless thank you for your time and effort.

FossoresLP commented 3 years ago

Surviving upgrades is a good argument for using the script. But on the other hand you described the exact reason I am not sure about providing an upgrade script - the expectation that running the script will restore full functionality after updating the package. There have been cases in the past where the interface would not come online again after the upgrade - a real issue when it is the only way to connect to the device remotely. @whiskerz007 What do you think about this? Would it maybe even be possible to revert to the running configuration in case the upgrade fails in an obvious way (i.e. failure to install package or restore configuration)?

dcsITsolutions commented 3 years ago

I only have experience on several installations of ugw3 and there it worked fine in the past. Before using whiskerz007's script I always needed to establish an additional ipsec vpn connection to re-enable everything and it's a mess. To move forward from home and experimental use to a usable business solution (also because usg is more for business customers; shame on them, that they don't add WireGuard functionality native ;) ) these features would be very great. Maybe whiskerz007 can confirm possibility and/or improve his script to be more robust and you could merge your solutions.

Looking forward to seeing a great solution

boteman commented 3 years ago

I guess you have to weigh what is more important to you:

Frankly, I have never understood this compulsion to upgrade simply because a newer version of some software has come out. Newer is not better.

The other day Win10 popped up a notice that “updates are available”. When I searched for the KB number I saw a bunch of reports of problems with it, resulting in Microsoft pulling it back. Yes, even the mighty Microsoft can put out botched updates. UBNT is famous for putting out buggy firmware.

The choice is easy for me: I wait until I can stand in front of the box and update it manually. If the update fails, I can address it directly.

Bote Man

http://www.botecomm.com/bote/radio/streaming.html


dc361 commented 3 years ago

> Surviving upgrades is a good argument for using the script.

I agree that whiskerz007's script is great (and very well written) but if surviving a firmware upgrade is the only concern you can copy the wireguard install package to "/config/data/firstboot/install-packages/" and it will be installed after a firmware update.

There are other handy things that whiskerz007's script does as well but I had my own configuration management practices in place previously -and- I am testing new versions so I want to install them manually to ensure the process works.

Bottom line, I think that it should be the choice of the user to install and use the script and not include it as part of the wireguard for EdgeOS package.
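The firstboot staging step described in the comment above, as an added example that is not part of the thread or of either project. The directory is the one named in the comment; the function name, its arguments and the checksum you pass in are assumptions of this example, and the integrity checks are there because anything left in that directory is installed unattended after a firmware update.

```shell
#!/bin/sh
# Added example: stage a package so it is reinstalled after a firmware update.
# Only the directory path comes from the thread; everything else is assumed.
FIRSTBOOT_DIR="${FIRSTBOOT_DIR:-/config/data/firstboot/install-packages}"

# stage_package <deb-file> <expected-sha256>
# Returns 0 on success. On any failure nothing ending in .deb is left behind.
stage_package() {
    pkg=$1
    expected=$2

    [ -f "$pkg" ] || { echo "no such file: $pkg" >&2; return 1; }

    # A .deb is an ar archive, which starts with the magic string "!<arch>".
    # This catches HTML error pages or truncated downloads saved as .deb.
    magic=$(head -c 7 "$pkg")
    [ "$magic" = '!<arch>' ] || { echo "not a .deb archive: $pkg" >&2; return 2; }

    # Compare with a SHA-256 you already trust for this exact file.
    actual=$(sha256sum "$pkg" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "checksum mismatch: $pkg" >&2; return 3; }

    mkdir -p "$FIRSTBOOT_DIR" || return 4

    # Copy under a temporary name and rename afterwards, so an interrupted
    # copy never sits in the directory under the package's real name.
    name=$(basename "$pkg")
    tmp="$FIRSTBOOT_DIR/.$name.tmp"
    cp "$pkg" "$tmp" && mv "$tmp" "$FIRSTBOOT_DIR/$name" || { rm -f "$tmp"; return 5; }
}

# Usage (placeholders, not real values):
#   stage_package ./<package>.deb <sha256-of-that-file>
```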

FossoresLP commented 3 years ago

@dc361 and @boteman Thank you for your feedback. I think the solution to surviving firmware upgrades dc361 provided might deserve better documentation in this project to ensure that users not that familiar with EdgeOS could make use of it. Right now I'm thinking of also documenting the option of using whiskerz007's script (linking to it) but not integrating it into this project directly. That way we provide both options and have an opportunity to warn users about the problems that could occur when using the script for (especially remote) upgrades.

dcsITsolutions commented 3 years ago

I am not sure about your use cases. In a business environment (after testing) you need to update to close security issues. So updates on non-isolated environments are essential. The Windows10 popups seem to me that you are using it on your private computer. I use WSUS and apply updates after feeling good for them. UBNT is famous for their buggy GUI, but the APs themselves are good hardware and I don't really get any problems updating them. Actually I don't update the GUI anymore until the changes are more stable. Your choice is funny. If you maintain several customers you want to drive to everyone to stand in front of it to update? I don't know the English translation, but in German it is Turnschuhadministration ;)

I could agree that an integrated update-solution isn't a must have (nevertheless that if this feature would be integrated the user could manually trigger it) I can't agree that surviving a firmware upgrade isn't an essential feature. If I install any other package on a Linux/Windows system and do a Windows update/Linux update the package will persist as yours should.

But I respect your decision and want to thank you for your time and that you are interested in putting a notice and a link to whiskerz's package.