Pritunl Link cannot connect to new version of Unifi OS (UDM)

Hello,
I was trying to configure Pritunl link with Unifi UDM by following the official Pritunl documentation.
However, I faced an issue that is probably related to the changes in the new versions of Unifi OS.

Current version of Unifi OS is: 4.1.13
Current version of Unifi Network Application is 9.0.108.

The issue appeared when I started the pritunl-link service. Here is the response I get using the journalctl -u pritunl-link command:

Jan 08 17:35:59 hostname pritunl-link[919125]: [2025-01-08 17:35:59][ERRO] ▶ state: Failed to deploy state
Jan 08 17:35:59 hostname pritunl-link[919125]: advertise: Unifi csrf token empty
Jan 08 17:35:59 hostname pritunl-link[919125]: ORIGINAL STACK TRACE:
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.unifiGetCsrf
Jan 08 17:35:59 hostname pritunl-link[919125]:         /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:171 +0xd04d16
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.unifiPostAuth
Jan 08 17:35:59 hostname pritunl-link[919125]:         /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:180 +0xd04eaa
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.unifiGetClient
Jan 08 17:35:59 hostname pritunl-link[919125]:         /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:312 +0xd06108
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.UnifiAddPorts
Jan 08 17:35:59 hostname pritunl-link[919125]:         /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:956 +0xd0bb68
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.Ports
Jan 08 17:35:59 hostname pritunl-link[919125]:         /go/src/github.com/pritunl/pritunl-link/advertise/advertise.go:232 +0xcf2e37
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/ipsec.deploy
Jan 08 17:35:59 hostname pritunl-link[919125]:         /go/src/github.com/pritunl/pritunl-link/ipsec/ipsec.go:542 +0xd110d9
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/ipsec.runDeploy
Jan 08 17:35:59 hostname pritunl-link[919125]:         /go/src/github.com/pritunl/pritunl-link/ipsec/ipsec.go:700 +0xd11f04
Jan 08 17:35:59 hostname pritunl-link[919125]: runtime.goexit
Jan 08 17:35:59 hostname pritunl-link[919125]:         /usr/local/go/src/runtime/asm_amd64.s:1700 +0x47aa40

I checked the code and found the related entry: pritunl-link/advertise/unifi.go at master · pritunl/pritunl-link · GitHub

It seems that pritunl-link is still trying to use the CSRF token for the subsequent authentication. However, on the Unifi side the header that carries this token is no longer included in the response.

I checked on my own and it's true, no X-Csrf-Token header is present:

HTTP/2 200
server: nginx
date: Wed, 08 Jan 2025 15:45:08 GMT
content-type: text/html
content-length: 819
last-modified: Tue, 07 Jan 2025 01:06:55 GMT
etag: "xxxxxxxxxxx"
expires: Wed, 08 Jan 2025 15:45:07 GMT
cache-control: no-cache
access-control-allow-credentials: false
access-control-expose-headers: Content-Disposition, Content-Range, Filename, Location, Range, Upload-Length, Upload-Offset, X-Connection-Type, X-Csrf-Token, X-File-Id, X-Token-Expire-Time, X-Updated-Csrf-Token
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
accept-ranges: bytes

It’s present there only as a value of ‘access-control-expose-headers’ header.

Regarding Unifi - on the official forum I found the notice that they stopped requiring the x-csrf-token for login.
I checked on my own and I was able to log in to Unifi successfully using the API. I simulated the behavior from your code: pritunl-link/advertise/unifi.go at master · pritunl/pritunl-link · GitHub

What is the approximate estimation for receiving the fix for this case?
Thanks!
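As an added illustration (this is example code written for this thread, not pritunl-link's own unifi.go), the login sequence below mirrors the call chain in the trace (unifiGetCsrf, then unifiPostAuth) but treats a missing X-Csrf-Token as a normal outcome instead of a fatal one: the header is only sent when the firmware actually handed out a token, and any rotated token is picked up from X-Updated-Csrf-Token after login. The two header names are the ones listed in the Access-Control-Expose-Headers response above; the /api/auth/login path, the username/password JSON body, the mock controller and its admin/secret credentials are assumptions constructed for the example. The mock speaks plain HTTP, so it skips the TLS handling a real controller with a self-signed certificate would need.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// unifiGetCsrf returns whatever X-Csrf-Token the root page sends. UniFi OS 4.1.x
// only lists it in Access-Control-Expose-Headers, so "" is valid here, not fatal.
func unifiGetCsrf(client *http.Client, baseURL string) (string, error) {
	resp, err := client.Get(baseURL + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.Header.Get("X-Csrf-Token"), nil
}

// unifiPostAuth logs in and returns the token to echo on later requests. The
// /api/auth/login path and the JSON field names are assumptions for this example.
func unifiPostAuth(client *http.Client, baseURL, csrf, username, password string) (string, error) {
	body, _ := json.Marshal(map[string]string{"username": username, "password": password})
	req, err := http.NewRequest(http.MethodPost, baseURL+"/api/auth/login", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")
	if csrf != "" { // send the header only when the firmware handed out a token
		req.Header.Set("X-Csrf-Token", csrf)
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unifi: login rejected with status %d", resp.StatusCode)
	}
	// Firmware that rotates the token on login reports it in X-Updated-Csrf-Token.
	if t := resp.Header.Get("X-Updated-Csrf-Token"); t != "" {
		return t, nil
	}
	return resp.Header.Get("X-Csrf-Token"), nil
}

// unifiLogin is the GET-then-POST sequence from the trace without the fatal
// empty-token check; it returns a cookie-carrying client and the current token.
func unifiLogin(baseURL, username, password string) (*http.Client, string, error) {
	jar, _ := cookiejar.New(nil) // cannot fail with nil options
	client := &http.Client{Jar: jar}
	csrf, err := unifiGetCsrf(client, baseURL)
	if err != nil {
		return nil, "", err
	}
	if csrf, err = unifiPostAuth(client, baseURL, csrf, username, password); err != nil {
		return nil, "", err
	}
	return client, csrf, nil
}

// mockUnifi is a constructed stand-in for a UniFi OS controller. legacy=true mimics
// firmware that sets X-Csrf-Token on the root page and rejects a login without it;
// legacy=false mimics the 4.1.13 headers posted above (token only in the expose list).
func mockUnifi(legacy bool) *httptest.Server {
	const token = "mock-csrf-token"
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Expose-Headers", "X-Csrf-Token, X-Updated-Csrf-Token")
		if legacy {
			w.Header().Set("X-Csrf-Token", token)
		}
	})
	mux.HandleFunc("/api/auth/login", func(w http.ResponseWriter, r *http.Request) {
		var creds map[string]string
		_ = json.NewDecoder(r.Body).Decode(&creds)
		if legacy && r.Header.Get("X-Csrf-Token") != token {
			http.Error(w, "csrf token missing", http.StatusForbidden)
			return
		}
		if creds["username"] != "admin" || creds["password"] != "secret" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: "TOKEN", Value: "mock-session", Path: "/"})
		w.Header().Set("X-Updated-Csrf-Token", "rotated-"+token)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := mockUnifi(false) // the 4.1.13 behaviour reported in the thread
	defer srv.Close()
	_, csrf, err := unifiLogin(srv.URL, "admin", "secret")
	fmt.Println("csrf for follow-up requests:", csrf, "err:", err)
}
```

Running it against the mock in "new firmware" mode logs in with no CSRF header at all and still comes back with a token for later requests; flipping the mock to legacy mode shows the same client sending the header when one is offered, which is the compatibility both firmware generations need.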

There isn’t an official API for the Unifi router to handle the configuration changes, so the compatibility can change unexpectedly. This should be fixed in 1-2 weeks.


Yes, I understand it. Thank you, will be waiting for the fix.
Is there a specific channel that I can use to follow the newest code updates?

@zach, I don’t know if I can use this topic to raise additional questions related to Unifi. So if it’s not relevant here, I’ll create another topic.

I haven’t deployed Pritunl link for UDM because of the mentioned reason, so I didn’t have a chance to test it. My goal is to have a Server on Pritunl VPN that would have access to the UDM router and to the clients connected to this router. In short, I just want to use Pritunl VPN to access the internal office network which is behind the UDM.

Do I understand correctly that I just need to do the following in order to configure it correctly?

  • Deploy pritunl-link for UDM on some host inside the internal network that has access to the UDM gateway
  • Add the appropriate Link & Location in the VPN UI.
  • Configure the Host in the VPN UI according to your documentation.
  • Add a Route which represents the UDM subnet (like 10.0.0.0/24) to the Link Location.
  • In the needed VPN Server, add a route to the UDM subnet (10.0.0.0/24).

I assume it should work, but I’m not sure. There is no appropriate documentation for this particular case. As far as I know there is only documentation on how to connect to a private AWS network from Pritunl VPN.
Thank you in advance!

The Pritunl server only handles managing the link state; it does not function as a link connection. There would need to be at least 2 servers running Pritunl Link. The link on the side of the Pritunl server would need to have the local network as a route and the Unifi link would have that local network as a route. Then both networks would be added to the routes on the Pritunl server with NAT enabled.

The provider option on Pritunl Link can be left blank and the configuration can be done manually. Port forwarding should be configured on the Unifi router with ports 500/udp and 4500/udp for IPsec then 9790/tcp for Pritunl Link host checking. Then a static route to the local network on the Pritunl server with a next hop to the Pritunl Link server. The Pritunl Link on the other side will need a static route on the routing table to the Unifi network with a next hop to the Pritunl Link server.