nextdns / nextdns

NextDNS CLI client (DoH Proxy)
https://nextdns.io
MIT License

UBNT USG #48

Closed ChrisColotti closed 4 years ago

ChrisColotti commented 4 years ago

Noticed this page was added for Ubiquiti: https://github.com/nextdns/nextdns/wiki/Installer

but getting errors on a USG:

admin@Gateway:~$ sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
ERROR: Unsupported GOARCH: mips64

Maybe this is only good for non-Unifi devices, i.e. only the EdgeGateway? The Unifi USG runs EdgeOS but re-writes on every update/boot.

Maybe this is not ready yet for EdgeOS? I see QNAP is coming soon as well....nice!

rs commented 4 years ago

The mips64 detection was broken. Can you please test with:

sh -c "$(curl -sL https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh)"

ChrisColotti commented 4 years ago

I can try it in a bit. Do we know if the Unifi USG will keep the config or will it get overwritten on a reboot/upgrade/provision operation from the controller?

PS - keep up the great work, been telling everyone i know in IT to test the service!

rs commented 4 years ago

I tested as a standalone. It should survive reboots and upgrades, not sure about controller provisioning.

ChrisColotti commented 4 years ago

I have a backup USG-3 I can test on with a re-provisioning as well before I push it to my production USG. I keep that smaller spare on hand for isolated testing like this. I will report back.

ChrisColotti commented 4 years ago

well bugger, my spare USG-3 seems to be dead....hmm....don't have another one to test on besides my production USG-Pro. I gave it a try anyhow and got this:

      Welcome to EdgeOS on UniFi Security Gateway!

 **********************  WARNING!  **********************
 * Configuration changes made here are not persistent.  *
 * They will be overwritten by the controller on next   *
 * provision. Configuration must be done in controller. *
 ********************************************************

Last login: Sat Jan  4 11:52:28 2020 from 192.168.100.162
admin@Gateway:~$ sh -c "$(curl -sL https://github.com/nextdns/nextdns/blob/master/install.sh)"
sh: -c: line 6: syntax error near unexpected token `newline'
sh: -c: line 6: `<!DOCTYPE html>'

My experience with the Unifi stuff is that, depending on the change, it needs to be in a JSON file on the controller to remain persistent, but I can always see if it removes the settings with a forced provision if we can get the installer to work.

ChrisColotti commented 4 years ago

However, now the original commands seem to run, but wget is missing.... these USGs are finicky...

did you test on an EdgeRouter or a USG? Just curious

admin@Gateway:~$ sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'
INFO: OS: debian
INFO: GOARCH: mips64
INFO: GOOS: linux
i) Install NextDNS
q) Quit
Choice (default=i): i
INFO: Installing NextDNS...
sh: line 148: wget: command not found
gpg: no valid OpenPGP data found.
deb https://nextdns.io/repo/deb stable main
sudo: apt: command not found
sudo: apt: command not found
sudo: apt: command not found
ERROR: install: exit 0

rs commented 4 years ago

EdgeRouter. Isn’t curl installed on your router? It should not use wget.

dave14305 commented 4 years ago

The mips64 detection was broken. Can you please test with:

sh -c "$(curl -sL https://github.com/nextdns/nextdns/blob/master/install.sh)"

This should be the raw link:

https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh

rs commented 4 years ago

Correct, sorry about that

rs commented 4 years ago

The installer uses wget to install the deb signing key. I will fix that and use curl when available.

Can you confirm curl is installed and working with https? If not, is openssl command?

ChrisColotti commented 4 years ago

Curl is installed on a USG...yes

admin@Gateway:~$ curl
curl: try 'curl --help' or 'curl --manual' for more information
admin@Gateway:~$

I did try to hack some packages on the USG, broke it, reset it and re-provisioned it, and got it back online..... The upside to Unifi devices, I guess :)

ChrisColotti commented 4 years ago

Now I wish that backup spare wasn't dead so I don't bring down the whole house LOL

ChrisColotti commented 4 years ago

So maybe we need to figure out the Unifi side of things separately from the EdgeRouter. I am pretty sure that if the installer works, Unifi upgrades will wipe the install.

While Unifi runs EdgeOS, they are configured very differently, especially with "installed" items directly on the router. Worst case, the installer needs to be re-run each time the router is rebooted or at least upgraded. A reboot on Unifi will trigger a re-provision, so that is easily tested.

kevtainer commented 4 years ago

I've run into a couple issues while attempting to use the setup script.

USG does not have the apt alias/helper, though apt-get works. I replaced that in the script but ran up against another error. While running apt-get update I get a TLS error, upon investigation I believe the OS doesn't support SNI.

xxx@ubnt:/usr/bin$ sudo apt-get update
Ign https://nextdns.io stable Release.gpg
Ign https://nextdns.io stable Release
Err https://nextdns.io stable/main mips Packages
  gnutls_handshake() failed: A TLS fatal alert has been received.
Ign https://nextdns.io stable/main Translation-en
W: Failed to fetch https://nextdns.io/repo/deb/dists/stable/main/binary-mips/Packages  gnutls_handshake() failed: A TLS fatal alert has been received.

E: Some index files failed to download. They have been ignored, or old ones used instead.
yyy@ubnt:~$ openssl s_client -connect nextdns.io:443
CONNECTED(00000003)
2002551960:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 290 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1579274310
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
zzz@ubnt:~$ openssl s_client -tls1_2 -connect nextdns.io:443
CONNECTED(00000003)
1994589336:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1579274347
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

ChrisColotti commented 4 years ago

@notsureifkevin I still believe this code is only written for the EdgeRouter line, NOT the Unifi line. For this to work it has to be completely different for the Unifi Security Gateway (USG). I too am a USG user and need this integrated into that line, not the EdgeRouter line.

rs commented 4 years ago

I'm not familiar with USG. How can I test it using an EdgeRouter?

ChrisColotti commented 4 years ago

@rs you can't they are two distinctly different products from Ubiquiti...

USG does not support directly installing applications (there are workarounds), but it's a JSON-based config push from a controller: https://www.ui.com/unifi-routing/usg/

EdgeRouter as you have seen supports directly installing applications. https://www.ui.com/edgemax/edgerouter-lite/

Lifeling commented 4 years ago

I would also love to be able to use this on the USG.

rs commented 4 years ago

I need an USG setup to test it with. Since you have experience with it, do you know if there is a way to simulate it?

ChrisColotti commented 4 years ago

They may have a simulator for development if you contact them, but otherwise you just have to buy one or borrow one from someone. I had a spare but it died on me a while back :/

Ubiquiti Unifi Security Gateway (USG) https://www.amazon.com/dp/B00LV8YZLK/ref=cm_sw_r_cp_api_i_Si-qEbTPJWKYE

ChrisColotti commented 4 years ago

@rs do we need to pitch in to buy you a USG? :)

rs commented 4 years ago

Done already but thx :)

ChrisColotti commented 4 years ago

@rs woot woot!

PS - nice job adding the block page option too!

eproxus commented 4 years ago

Is there any progress on this? I would love to be able to run this on a USG as well.

ChrisColotti commented 4 years ago

Same I know a bunch of people using the USG

w3st3ry commented 4 years ago

Same! Excited to move on nextdns with my USG :)

kunickiaj commented 4 years ago

Just wanted to leave a note with my experience here. EdgeOS 2.x is based on Debian stretch which has "apt" and other commands used in the script.

The UniFi USG runs EdgeOS 1.x, which is based on Debian wheezy (no apt, only apt-get). The script currently detects the OS incorrectly as Debian and not EdgeOS because the version string in /etc/version is different from the regex in the install script:

cat /etc/version
UniFiSecurityGateway.ER-e120.v4.4.50.5272448.200215.0243

I modified the install script locally to detect it as EdgeOS and use binary install rather than Debian packages and was able to get up and running. Still working through testing reboot/reprovision persistence. Note that using the "router" mode automatic setup will bind to 5432 so as not to interfere with dnsmasq. ~You will need to update your config.gateway.json overrides in the UniFi Controller (e.g. CloudKey) to match so that reprovision doesn't wipe stuff out. If you're enabling device names, there's a couple extra options which I found in the nextdns client source here:~

Router mode seems to rewrite the dnsmasq config directly, ignoring what's in the edgeos configuration.

https://github.com/nextdns/nextdns/blob/master/router/edgeos/setup.go#L74-L78

In recent controller versions (I'm running 5.12.66) the controller DNS settings seem to override anything you put in config.gateway.json (ironic, right?). So to ensure that everything goes through the NextDNS CLI, I've set them to 127.0.0.1 in the UniFi controller as well, though that still doesn't quite seem right, since you cannot specify an alternate port number in the UI, nor does it seem like you can override it in config.gateway.json anymore.
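The detection problem described in this thread (the USG's /etc/version string not matching the installer's EdgeOS check, the missing apt front end, and the UDM having no /etc/version at all) as a small added POSIX sh example. This is not the project's install.sh: the USG version string is the one posted above, the rest of the logic is an assumption about how one might classify the device, and EdgeRouter 2.x strings are deliberately not matched because their format is not shown here.

```shell
#!/bin/sh
# Added example, not nextdns/install.sh. Classifies a Ubiquiti device from
# the contents of /etc/version and picks an install path accordingly.
# Assumption: only the UniFiSecurityGateway.* form (posted in this issue)
# is recognised; anything else is treated as unknown.

# classify_device VERSION_STRING -> edgeos-usg | unknown
classify_device() {
    case "$1" in
        UniFiSecurityGateway.*) echo "edgeos-usg" ;;
        *)                      echo "unknown" ;;
    esac
}

# choose_install_method CLASS HAS_APT -> binary | deb
# EdgeOS 1.x on the USG has no "apt" and an old TLS stack, so the deb
# repository path cannot work there; fall back to the static binary.
choose_install_method() {
    case "$1" in
        edgeos-usg) echo "binary" ;;
        *) if [ "$2" = "1" ]; then echo "deb"; else echo "binary"; fi ;;
    esac
}

# read_version_file PATH -> first line, or empty when the file is missing
# (the UDM Pro case above: "cat: can't open '/etc/version'").
read_version_file() {
    if [ -r "$1" ]; then head -n 1 "$1"; fi
}

# has_apt -> 1 if the "apt" front end exists, 0 if only apt-get
has_apt() {
    if command -v apt >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# main: run on the router to see what the checks decide for it
main() {
    ver=$(read_version_file /etc/version)
    cls=$(classify_device "$ver")
    echo "version: '${ver:-<none>}' class: $cls"
    echo "install method: $(choose_install_method "$cls" "$(has_apt)")"
}

main "$@"
```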

rs commented 4 years ago

Yes, the setup-router mode is an automated setup of routers so you don't have to edit things yourself. The idea is to change settings on startup and restore them on exit.

kunickiaj commented 4 years ago

Side question, is it correct to only see the padlock and tool tip in the NextDNS dashboard logs section for DNS-over-HTTPS (NextDNS CLI) for IPv4 networks? For IPv6 queries I usually see the device ID but no indicator of DNS-over-HTTPS or the NextDNS CLI.

rs commented 4 years ago

No it is not, contact us on our live chat for that.

eproxus commented 4 years ago

Also, apt is not supposed to be used by machines, only apt-get is.

The apt command is meant to be pleasant for end users and does not need to be backward compatible like apt-get(8).

rs commented 4 years ago

Can you guys please test the installer on USG and report any issue?

oneguynick commented 4 years ago

Can confirm it worked for me:

admin@sidewinder:~$ uname -ar
Linux sidewinder 3.10.107-UBNT #1 SMP Sat Feb 15 05:22:22 UTC 2020 mips64 GNU/Linux

clarkdave commented 4 years ago

Worked for me with the standard (non pro) USG.

$ uname -ar
Linux SecurityGateway 3.10.107-UBNT #1 SMP Sat Feb 15 02:47:59 UTC 2020 mips64 GNU/Linux

I had to upgrade to the latest USG firmware; the installer failed until I did that with the error tar: short read

euskode commented 4 years ago

I tested this on a Dream Machine Pro and ran into the following error:

# uname -ar
Linux gasteiz 4.1.37-v1.6.6.2431-b2007c3 #1 SMP Fri Mar 27 20:17:42 UTC 2020 aarch64 GNU/Linux
# sh -c 'DEBUG=1 sh -c "$(curl -sL https://nextdns.io/install)"'
ERROR: Unsupported OS: Linux
INFO: OS:
INFO: GOARCH: arm64
INFO: GOOS: linux
ERROR: Cannot detect running environment.
# sh -c "$(curl -sL https://raw.githubusercontent.com/nextdns/nextdns/master/install.sh)"
ERROR: Unsupported OS: Linux
INFO: OS:
INFO: GOARCH: arm64
INFO: GOOS: linux
ERROR: Cannot detect running environment.

This device is fairly new so I'm happy to help test things as needed.

ChrisColotti commented 4 years ago

I can test later today on a USG Pro. Do we know if it survives an upgrade/reprovision?

rs commented 4 years ago

What do you get for cat /etc/version on UDM?

rs commented 4 years ago

@ChrisColotti I doubt it.

kunickiaj commented 4 years ago

Haven't had an upgrade to try but can confirm my setup survives reprovision.

See previous comment about how recent versions of the controller seem to ignore DNS overrides in config.gateway.json. Not sure if intentional or a bug on Ubiquiti's part.

The NextDNS CLI adds additional configuration in dnsmasq.conf.d which won't conflict.

rs commented 4 years ago

Note that if you enable caching it will disable dnsmasq DNS and bind port 53 directly since 1.5 (recommended). This might ignore some DNS-related functions of Ubiquiti though, but they should be easy to replicate with the CLI if needed.

ChrisColotti commented 4 years ago

Well, the installer seemed to work fine and logs are reporting MANY more device names.... which is a GOOD thing, and some are now showing DNS-over-HTTPS but not all. In some cases the same client shows both HTTPS and non-HTTPS.

Also, with this implementation are the controller WAN DNS servers no longer in use? Just trying to understand how the config changes on the USG itself as a router. I've been more used to the local clients only; this is the first "router" client I have tried.

rs commented 4 years ago

Are those clients windows machines by any chance? Let’s discuss that over chat as it is not related to this issue.

kunickiaj commented 4 years ago

I'll try to gather up some of the information I see on my end on the USG3. I'm using 1.5.1 with the updated installer at this time without any noticed issues. Will verify whether cache enabled or not and try it both ways.

kunickiaj commented 4 years ago

Is there a better forum for this discussion? Feels like this thread has gotten a little off topic.

rs commented 4 years ago

Please upgrade to 1.5.2 first.

iandees commented 4 years ago

Hi! I just ran the installer on my EdgeRouter PoE running EdgeOS 2.0.1 as mentioned on the wiki. I completed the setup and gave it my NextDNS configuration ID. When I check my dashboard, though, NextDNS says I'm still using Cloudflare for DNS resolving.

If I remember correctly I had previously set up dnsmasq to cache locally with 1.1.1.1/1.0.0.1 as the upstream resolvers. Will the NextDNS install/configuration disable that or do I need to do it?

iandees commented 4 years ago

Ah nevermind, I'm seeing activity and stats showing up. I bet the Cloudflare info was cached somewhere. I'll be more patient 😄

iwilliamsj commented 4 years ago

Does this work on a UniFi Dream Machine Pro? I'm currently running it on a Raspberry Pi with no issues, but I would like to have a one-device solution if possible.

euskode commented 4 years ago

What do you get for cat /etc/version on UDM?

# cat /etc/version
cat: can't open '/etc/version': No such file or directory

I can also send you guys an email or chat about this – definitely don't wanna take over the USG discussion! Should I just open a new issue?

rs commented 4 years ago

Yes please contact us on chat.