Valid SSL certificate on a UDR

I recently got a Unifi Dream Router as an upgrade from the Unifi Security Gateway.

One of the differences is that the controller is hosted on the router itself, and I quite often use the local access as opposed to going via . Since this is exposed locally on 443, I wanted to be able to access it without errors about an invalid SSL certificate.

I found it was quite easy to provide a valid SSL certificate. I already have a wildcard certificate for *, so I set a hostname in the internal DNS and then copied the wildcard cert and key over to the UDR:

scp privkey.pem fullchain.pem root@

Then SSH into the UDR using the credentials set in the controller, navigate to /data/unifi-core/config, and replace unifi-core.crt with fullchain.pem and unifi-core.key with privkey.pem. Once done, restart the UI with:

systemctl restart unifi-core

Then navigate to the DNS name you set earlier and you should see a valid certificate.

Obviously this will need replacing each time the certificate expires, though I hope to set up a custom configuration in to handle this.
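The swap above as a script, added here as an example and not code from the original post: it checks that the private key actually belongs to the certificate before anything is copied, keeps a backup of the pair it replaces on the UDR, and compares what the controller serves afterwards with the local file. UDR_HOST is a placeholder; the paths and restart command are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes root SSH access to
# the UDR at UDR_HOST (placeholder) and the unifi-core paths given in the post.
set -eu

UDR_HOST="${UDR_HOST:-udr.lan.placeholder}"
UDR_CONF="/data/unifi-core/config"

# 0 when the public key inside the certificate equals the one derived from the
# private key; a mismatched pair is the usual reason unifi-core does not come
# back up after the files are replaced.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate is still valid for at least $2 more days, so a cron
# job can tell whether the pair on the UDR is due for replacement.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

install_cert() {
    cert="$1"; key="$2"
    cert_key_match "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
    scp "$cert" "$key" "root@$UDR_HOST:/tmp/"
    # Back up the current pair, move the new files into place, restart the UI.
    ssh "root@$UDR_HOST" "cd $UDR_CONF \
        && cp unifi-core.crt unifi-core.crt.bak && cp unifi-core.key unifi-core.key.bak \
        && mv /tmp/$(basename "$cert") unifi-core.crt \
        && mv /tmp/$(basename "$key") unifi-core.key \
        && chmod 600 unifi-core.key \
        && systemctl restart unifi-core"
    # Compare the fingerprint the controller now presents with the local file.
    served=$(openssl s_client -connect "$UDR_HOST:443" -servername "$UDR_HOST" </dev/null 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256)
    [ "$served" = "$(openssl x509 -in "$cert" -noout -fingerprint -sha256)" ]
}

if [ $# -eq 2 ]; then install_cert "$1" "$2"; fi
```

Run it as install_cert.sh fullchain.pem privkey.pem; a non-zero exit before the scp means the key and certificate do not belong together.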

Configuring Multicast DNS and IGMP across VLANs on Unifi

Since I have two VLANs, some things stop working when I try to use a device on one network from the other.

As an example, at the moment I have put my Sonos speakers on the IoT VLAN, but I want to be able to control them from my mobile, which connects to the normal network.

Repeating multicast DNS between the two VLANs is what is needed to make this work.

"service": {
  "mdns": {
    "repeater": {
      "interface": [
        "<first VLAN interface>",
        "<second VLAN interface>"
      ]
    }
  }
}

This means that mDNS traffic from one network will be repeated to the other.

The next thing I found I also had to enable was IGMP proxy. On the USG this lives under protocols at the top level of config.gateway.json, with one entry per interface:

"protocols": {
  "igmp-proxy": {
    "interface": {
      "<upstream interface>": {
        "alt-subnet": [ "<subnet>" ],
        "role": "upstream",
        "threshold": "1"
      },
      "<downstream interface>": {
        "alt-subnet": [ "<subnet>" ],
        "role": "downstream",
        "threshold": "1"
      }
    }
  }
}

Adding host records and cnames to a Unifi USG

At the moment I have my local domain name set to . The first issue I came across was that I lost the ability to look up my domain names on the internet, because the USG held the record of truth for

I am fairly sure I should be able to configure it to look up unknown addresses, but I have not found out how yet.

The current solution I have implemented is to update the dnsmasq config with my internet domain name records. This means that if I make a change, I need to make it locally and on the internet. I will fix this when it becomes an issue.

"service": {
  "dns": {
    "forwarding": {
      "options": [
        "server=<upstream DNS server>",
        "host-record=<hostname>,<address>",
        "cname=<alias>,<target hostname>"
      ]
    }
  }
}

Here I have the USG's upstream DNS set to Google, plus the domain name record for . I have included others, but they aren't important here.

Initially I just added the host record and cname. This resulted in the USG losing the ability to look up any websites, meaning things like the time server, dynamic DNS etc. stopped working. Adding the data back fixed things.

Configuration of a Unifi USG

Having recently upgraded our home network to Unifi, I figured it would be useful to record some of the configuration changes I've made.

I have set up the network with two main VLANs: our normal VLAN, and an IoT network. The aim of the IoT network is to separate IoT devices from the rest of the network. At the moment I haven't implemented any block rules yet; I have been trying to get everything working as normal first before I start blocking traffic.

As well as the two local networks, I am also running two WireGuard interfaces on the USG: one for incoming connections and one which establishes an outgoing connection.

On the incoming interface I can connect from my phone. I also have a VPS that I use for various purposes; I am now allowing this to connect into my network, and the majority of services now run across that interface instead of over the public internet.

The first configuration change I had to make was adding configuration to dnsmasq.

Monitoring of an IVT Vent 302

I have an IVT Vent 302 for heating. Along with the heat pump, there is also an add-on, the IVT Anywhere Gateway. This enables the heat pump to:

  • Be controlled remotely via an app
  • Decide when to heat the house/water according to the current energy price

Events currently being monitored:

  • /system/sensors/temperatures/switch
  • /system/sensors/temperatures/supply_t1
  • /system/healthStatus
  • /dhwCircuits/dhw1/actualTemp
  • /system/sensors/temperatures/return
  • /heatingCircuits/hc1/actualSupplyTemperature
  • /system/sensors/temperatures/outdoor_t1

Configuring OpenVPN

After my VPN stopped working due to changes in OpenSSL, I reinstalled it on a newer Raspberry Pi and tried to move my keys over. This didn't work, first because the Diffie-Hellman parameters were only 1024 bytes, then because for some reason my client couldn't negotiate TLS, so rather than invest time getting the old keys working, I thought I'd just regenerate a new set; it's not a bad thing.

The setup of keys via easy-rsa has changed since I last set up my Pi, and a quick search didn't show instructions for the new version, so I thought I would post this, for my own reference if nothing else.

  1. After installing openvpn and easy-rsa, copy the easy-rsa directory into your openvpn directory: cp -r /usr/share/easy-rsa /etc/openvpn
  2. Go to /etc/openvpn/easy-rsa and copy vars.example to vars: cp vars.example vars
  3. Edit vars and set appropriate settings. I used the default values for everything; I noticed the default key length was 2048, so I shouldn't hit the same issue with Diffie-Hellman again.
  4. I then ran:
    1. ./easyrsa init-pki
    2. ./easyrsa build-ca
    3. ./easyrsa gen-dh (this took ages... run it in screen next time!)
    4. ./easyrsa build-server-full VPNSERVERNAME
    5. ./easyrsa build-client-full CLIENTNAME
    6. openvpn --genkey --secret ta.key
    7. ./easyrsa gen-crl
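The steps above as one script, added here as an example rather than code from the original post: before building anything it reads EASYRSA_KEY_SIZE from vars and refuses to continue below 2048 bits, which is the check that would have flagged the old 1024-bit Diffie-Hellman parameters. It assumes easy-rsa was copied to /etc/openvpn/easy-rsa as in step 1 (EASYRSA_DIR is an assumed override).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes easy-rsa 3 lives in
# EASYRSA_DIR (default from step 1) and that build-ca may prompt interactively.
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"

# Print the effective EASYRSA_KEY_SIZE from a vars file: the last uncommented
# "set_var EASYRSA_KEY_SIZE N" line wins, and easy-rsa's default is 2048 when
# the line is absent or commented out (as it is in vars.example).
key_size_from_vars() {
    size=$(grep -E '^[[:space:]]*set_var[[:space:]]+EASYRSA_KEY_SIZE[[:space:]]+[0-9]+' "$1" \
           | awk '{print $3}' | tail -n 1)
    echo "${size:-2048}"
}

# 0 when the configured key size (also used by gen-dh) is at least 2048 bits.
check_key_size() {
    size=$(key_size_from_vars "$1")
    [ "$size" -ge 2048 ]
}

# Steps 2 to 4 from the post, in order, for the given server and client names.
build_pki() {
    server="$1"; client="$2"
    cd "$EASYRSA_DIR"
    [ -f vars ] || cp vars.example vars
    check_key_size vars || { echo "EASYRSA_KEY_SIZE in vars is below 2048" >&2; return 1; }
    ./easyrsa init-pki
    ./easyrsa build-ca
    ./easyrsa gen-dh                      # slow: run the script under screen
    ./easyrsa build-server-full "$server"
    ./easyrsa build-client-full "$client"
    openvpn --genkey --secret ta.key
    ./easyrsa gen-crl
}

if [ $# -eq 2 ]; then build_pki "$1" "$2"; fi
```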

Debugging SQS::QueuePolicy in AWS

At work I needed to deploy an SQS queue along with policies to restrict access to the correct roles.

I came across an annoying error, which took way too long to figure out.

I originally started writing this as I assumed it would be some obscure problem that could affect other people... in reality it was more of a typo, but I'll write about it anyway.

The error I got when trying to deploy via serverless was:

An error occurred: SQSQueuePolicy – Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue; Request ID XXXXX)

This wasn’t that helpful, since 90% of this resource was the policy.

Eventually I ended up copying a policy from the AWS website and comparing my copy to theirs, moving parts of the Statement block over and testing.

In the end I had my entire policy in their structure, and it worked. So I ran a diff... it turns out I had "- Sid:: SendReceiveDelete" rather than "- Sid: SendReceiveDelete".

It would be really good if AWS could improve the error message to highlight at least the line of the policy that has an issue... it would have saved a lot of time!
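A pre-deploy check for exactly this class of typo, added here as an example and not part of the original post: YAML accepts "Sid::" as a mapping key named "Sid:", which SQS then rejects with the bare InvalidAttributeValue above. The lint below walks the Statement list in a serverless.yml and reports, with line numbers, any statement key that is not one IAM accepts. The sample policy is constructed for the example (the role ARN is a placeholder).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the QueuePolicy is
# written inline in YAML with Statement as a list of mappings.
set -eu

ALLOWED_KEYS="Sid Effect Principal NotPrincipal Action NotAction Resource NotResource Condition"

# Print "line:key" for every first-level key of a statement that is not an
# allowed IAM statement key; exit status is 1 when any were found.
lint_statement_keys() {
    awk -v allowed="$ALLOWED_KEYS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { match($0, /^ */); ind = RLENGTH }                     # indentation in spaces
    inblk && $0 !~ /^ *$/ && ind <= blk_ind { inblk = 0 }   # left the Statement block
    /^ *Statement:/ { inblk = 1; blk_ind = ind; key_ind = -1; next }
    !inblk { next }
    { line = $0; islist = sub(/^ *- /, "", line); sub(/^ */, "", line) }
    islist && key_ind < 0 { key_ind = ind + 2 }             # depth of statement keys
    (ind + (islist ? 2 : 0)) != key_ind { next }            # nested value, not a key
    { split(line, f, " "); key = f[1] }
    key !~ /:$/ { next }                                     # scalar list item
    { sub(/:$/, "", key); if (!(key in ok)) { print NR ":" key; found = 1 } }
    END { exit found }
    ' "$1"
}

# Constructed sample with the doubled colon from the post on line 3.
sample_policy_yaml() {
    cat <<'EOF'
PolicyDocument:
  Statement:
    - Sid:: SendReceiveDelete
      Effect: Allow
      Principal:
        AWS: arn:aws:iam::123456789012:role/placeholder-role
      Action:
        - sqs:SendMessage
      Resource: "*"
EOF
}

if [ $# -eq 1 ]; then lint_statement_keys "$1"; fi
```

Running it on the sample prints 3:Sid: and exits non-zero; once the extra colon is removed it is silent.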

Getting settled in

It’s now the Sunday of my first complete week in Sweden.

I hoped I’d have sorted more out than I have. After being offered a job last week, I got the contract through on Tuesday and went straight down to Skatteverket to register and get a personnummer.

This seemed to go well, as the person there said we'd brought down more than enough evidence. As Sofia and I have lived together for the last few years, I was eligible for a personnummer on two counts: first because I have a job in Sweden, and second because Sofia and I have lived and do live together. The person at Skatteverket gave the same estimate as she gave to Sofia when she re-registered as being in Sweden: up to two months! However, Sofia got re-registered within a few days, so I'm hoping it goes quicker for me too. I've read online of people in the last month getting their number through within a week, so perhaps something may arrive next Monday or Tuesday...

What is a personnummer?

A personnummer is essentially like a national insurance number in the UK, however whilst in the UK it only really is used related to tax and benefits, in Sweden it’s used for absolutely everything.

After going to Skatteverket we went to a bank to try and get a bank account, however I was told that I can't do that without Swedish ID. This seems to be slightly incorrect, as the law apparently is like the UK, where they need to be able to confirm my identity. As the personnummer is used for everything, an ID with this on confirms my identity. However, it does seem that it should be possible without a personnummer, just using my EU passport.

We may go down again next week and try again.

The long journey

A few days ago I completed quite a long drive from the UK to Sweden. The journey length was about 1100 miles. The route I took was:

All in all I spread the drive over three days: the first driving in the afternoon to Dover, where I stayed overnight. On the next morning I took the ferry over to Dunkirk with my brother and we drove through France, Belgium and the Netherlands to Bremen, Germany. On the final day we drove from Bremen to Sweden.

It was a long drive, and ideally it would have been better to spend a few more days and get to see a little more, however we had to try and get there as soon as possible.

Now, I've got to get set up with everything I need to start my new job at the end of October.

The final countdown

Yesterday we finally exchanged contracts on the sale of our house. That means that on the 28th September we will complete the sale, and can begin our move to Sweden.

We've been planning this for a while now, so it's quite exciting to finally know that it's happening, though also slightly nerve-wracking, given the large number of things to organise before completion.

I still need to find work, and I'm in the process of applying for a number of jobs. Hopefully I'm able to find something interesting to work on.