Hello,
I was trying to configure Pritunl link with Unifi UDM by following the official Pritunl documentation.
However, I ran into an issue that is probably related to changes in the new versions of Unifi OS.
Current version of Unifi OS is: 4.1.13
Current version of Unifi Network Application is 9.0.108.
The issue appeared when I started the pritunl-link service. Here is the response I get using the journalctl -u pritunl-link command:
Jan 08 17:35:59 hostname pritunl-link[919125]: [2025-01-08 17:35:59][ERRO] ▶ state: Failed to deploy state
Jan 08 17:35:59 hostname pritunl-link[919125]: advertise: Unifi csrf token empty
Jan 08 17:35:59 hostname pritunl-link[919125]: ORIGINAL STACK TRACE:
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.unifiGetCsrf
Jan 08 17:35:59 hostname pritunl-link[919125]: /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:171 +0xd04d16
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.unifiPostAuth
Jan 08 17:35:59 hostname pritunl-link[919125]: /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:180 +0xd04eaa
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.unifiGetClient
Jan 08 17:35:59 hostname pritunl-link[919125]: /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:312 +0xd06108
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.UnifiAddPorts
Jan 08 17:35:59 hostname pritunl-link[919125]: /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:956 +0xd0bb68
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/advertise.Ports
Jan 08 17:35:59 hostname pritunl-link[919125]: /go/src/github.com/pritunl/pritunl-link/advertise/advertise.go:232 +0xcf2e37
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/ipsec.deploy
Jan 08 17:35:59 hostname pritunl-link[919125]: /go/src/github.com/pritunl/pritunl-link/ipsec/ipsec.go:542 +0xd110d9
Jan 08 17:35:59 hostname pritunl-link[919125]: github.com/pritunl/pritunl-link/ipsec.runDeploy
Jan 08 17:35:59 hostname pritunl-link[919125]: /go/src/github.com/pritunl/pritunl-link/ipsec/ipsec.go:700 +0xd11f04
Jan 08 17:35:59 hostname pritunl-link[919125]: runtime.goexit
Jan 08 17:35:59 hostname pritunl-link[919125]: /usr/local/go/src/runtime/asm_amd64.s:1700 +0x47aa40
I checked the code and found the related entry: pritunl-link/advertise/unifi.go at master · pritunl/pritunl-link · GitHub
It seems that pritunl-link is still trying to use the CSRF token for further authentication. However, on the Unifi side, the header that stores this token is no longer included in the response.
I checked on my own and it’s true, no X-CSRF-Token header is present:
HTTP/2 200
server: nginx
date: Wed, 08 Jan 2025 15:45:08 GMT
content-type: text/html
content-length: 819
last-modified: Tue, 07 Jan 2025 01:06:55 GMT
etag: "xxxxxxxxxxx"
expires: Wed, 08 Jan 2025 15:45:07 GMT
cache-control: no-cache
access-control-allow-credentials: false
access-control-expose-headers: Content-Disposition, Content-Range, Filename, Location, Range, Upload-Length, Upload-Offset, X-Connection-Type, X-Csrf-Token, X-File-Id, X-Token-Expire-Time, X-Updated-Csrf-Token
referrer-policy: no-referrer
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
accept-ranges: bytes
It’s present there only as a value of ‘access-control-expose-headers’ header.
Regarding Unifi: on the official forum I found a notice that they stopped requiring the x-csrf-token for login.
I checked on my own and I was able to successfully log in to Unifi using the API. I simulated the behavior from your code: pritunl-link/advertise/unifi.go at master · pritunl/pritunl-link · GitHub
What is the approximate estimate for receiving a fix for this case?
Thanks!
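The check described in the post, as an added example that is not part of the original post and not pritunl-link's code: it tells a CSRF token that is actually present in the response headers apart from one that is only named in `access-control-expose-headers`, and treats the token as optional on follow-up requests. The function names `csrfStatus` and `applyCsrf` are hypothetical, and the sample headers are constructed from the response quoted above.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// sampleHeaders returns a constructed subset of the response headers quoted in the post.
func sampleHeaders() http.Header {
	h := http.Header{}
	h.Set("Content-Type", "text/html")
	h.Set("Access-Control-Expose-Headers",
		"Content-Disposition, X-Csrf-Token, X-Updated-Csrf-Token")
	return h
}

// csrfStatus returns the token if a CSRF header is really present. exposedOnly
// is true when the name appears only in the Access-Control-Expose-Headers list.
func csrfStatus(h http.Header) (token string, exposedOnly bool) {
	for _, name := range []string{"X-Csrf-Token", "X-Updated-Csrf-Token"} {
		if v := h.Get(name); v != "" {
			return v, false
		}
	}
	for _, line := range h.Values("Access-Control-Expose-Headers") {
		for _, item := range strings.Split(line, ",") {
			if strings.EqualFold(strings.TrimSpace(item), "X-Csrf-Token") {
				return "", true
			}
		}
	}
	return "", false
}

// applyCsrf sets the token on outgoing request headers only when one exists,
// so an empty token is not a hard failure (assumed client behaviour).
func applyCsrf(out http.Header, token string) bool {
	if token == "" {
		return false
	}
	out.Set("X-Csrf-Token", token)
	return true
}

func main() {
	token, exposedOnly := csrfStatus(sampleHeaders())
	sent := applyCsrf(http.Header{}, token)
	fmt.Printf("token=%q exposedOnly=%v headerSent=%v\n", token, exposedOnly, sent)
}
```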