Configuring Multicast DNS and IGMP across VLANs on Unifi

Since I have two VLANs, some things stop working when I try to use a device on one network from the other.

As an example, at the moment I have put my Sonos speakers on the IoT VLAN, but I want to be able to control them from my mobile, which connects to the normal network.

Multicast DNS (mDNS) is what is needed to make this work: devices advertise themselves with link-local multicast, which is not routed between VLANs, so the USG has to repeat it from one network onto the other.

"service": {
  "mdns": {
    "repeater": {
      "interface": [

This means that mDNS traffic arriving on one of the listed interfaces will be repeated onto the other.

The next thing I found I also had to enable was IGMP-Proxy.

"protocols": {
  "igmp-proxy": {
    "interface": {
      "alt-subnet": [
      "role": "upstream",
      "threshold": "1"
      "alt-subnet": [
      "role": "downstream",
      "threshold": "1"

Adding host records and cnames to a Unifi USG

At the moment I have my local domain name set to – the first issue I came across was that I lost the ability to look up my domain names on the internet – because the USG held the record of truth for

I am fairly sure I should be able to configure it to look up unknown addresses, but I have not found out how yet.

The current solution I have implemented is to update the dnsmasq config with my internet domain name records – this means that if I make a change, I need to make it locally and on the internet – I will fix this when it becomes an issue.

"service": {
  "dns": {
    "forwarding": {
      "options": [

Here I have the upstream DNS for the USG set to Google, plus the domain name record for – I have included others, but they aren’t important here.

Initially I just added the host record and cname – this resulted in the USG losing the ability to look up any websites, meaning things like the time server, dynamic DNS, etc. stopped working. Adding that data back fixed things.
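As an added example (not from the posts or from Ubiquiti), the Python script below assembles the fragments from these two posts, the mDNS repeater, the IGMP proxy and the dnsmasq forwarding options, into one config.gateway.json and sanity-checks them: exactly one IGMP upstream, every proxied interface also in the repeater list, a server= entry present whenever host-record/cname entries are (the failure described just above), and every cname pointing at a name dnsmasq itself knows. Interface names (eth1, eth1.20), addresses and DNS names are constructed placeholders, and the alt-subnet of 0.0.0.0/0 is an assumption.

```python
"""Assemble and sanity-check a USG config.gateway.json fragment.

Added example, not the posts' own config.  Interface names, addresses and
DNS names are constructed placeholders; "alt-subnet" 0.0.0.0/0 is assumed.
"""
import json

# Constructed placeholders: replace with your own interfaces and records.
LAN_IF = "eth1"          # assumed: the "normal" VLAN interface
IOT_IF = "eth1.20"       # assumed: the IoT VLAN as a tagged sub-interface
UPSTREAM_DNS = ["8.8.8.8", "8.8.4.4"]
HOST_RECORDS = {"home.example.test": "192.168.1.10"}       # name -> IPv4
CNAMES = {"www.home.example.test": "home.example.test"}    # alias -> target


def build_gateway_config(lan_if, iot_if, upstream_dns, host_records, cnames):
    """Return the dict that json.dumps() turns into config.gateway.json."""
    options = [f"server={ip}" for ip in upstream_dns]
    options += [f"host-record={name},{ip}" for name, ip in host_records.items()]
    options += [f"cname={alias},{target}" for alias, target in cnames.items()]

    def igmp_iface(role):
        # Values are strings because the EdgeOS config tree stores them as text.
        return {"alt-subnet": ["0.0.0.0/0"], "role": role, "threshold": "1"}

    return {
        "service": {
            "mdns": {"repeater": {"interface": [lan_if, iot_if]}},
            "dns": {"forwarding": {"options": options}},
        },
        # igmp-proxy sits under the top-level "protocols" node, not under "service".
        "protocols": {
            "igmp-proxy": {
                "interface": {lan_if: igmp_iface("upstream"),
                              iot_if: igmp_iface("downstream")}
            }
        },
    }


def check_gateway_config(cfg):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = []
    igmp = cfg["protocols"]["igmp-proxy"]["interface"]
    roles = [entry["role"] for entry in igmp.values()]
    if roles.count("upstream") != 1:
        problems.append("igmp-proxy needs exactly one upstream interface")
    if "downstream" not in roles:
        problems.append("igmp-proxy has no downstream interface")
    repeated = set(cfg["service"]["mdns"]["repeater"]["interface"])
    not_repeated = sorted(set(igmp) - repeated)
    if not_repeated:
        problems.append(f"proxied by IGMP but not in the mDNS repeater list: {not_repeated}")

    options = cfg["service"]["dns"]["forwarding"]["options"]
    has_records = any(o.startswith(("host-record=", "cname=")) for o in options)
    has_server = any(o.startswith("server=") for o in options)
    if has_records and not has_server:
        problems.append("host-record/cname present without server=: "
                        "the USG loses upstream resolution")
    # dnsmasq only serves a cname whose target is a name it knows itself.
    known = {o.split("=", 1)[1].split(",")[0] for o in options if o.startswith("host-record=")}
    for opt in options:
        if opt.startswith("cname="):
            alias, target = opt.split("=", 1)[1].split(",", 1)
            if target not in known:
                problems.append(f"cname {alias} points at {target}, which has no host-record")
    return problems


def render(cfg):
    """Pretty-print in the layout config.gateway.json is usually kept in."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    config = build_gateway_config(LAN_IF, IOT_IF, UPSTREAM_DNS, HOST_RECORDS, CNAMES)
    print(render(config))
    print("problems:", check_gateway_config(config) or "none")
```

Run it and paste the rendered JSON into config.gateway.json under the site directory on the controller; the check runs before anything is provisioned, so a forgotten server= line is caught on the workstation rather than by a USG that can no longer resolve anything.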

Configuration of a Unifi USG

Having recently upgraded our home network to Unifi, I figured it would be useful to record some of the configuration changes I’ve made.

I have set up the network with two main VLANs – our normal VLAN and an IoT network. The aim of the IoT network is to separate IoT devices from the rest of the network. At the moment I haven’t implemented any block rules yet – I have been trying to get everything working as normal first before I start blocking traffic.

As well as the two local networks, I am also running two WireGuard interfaces on the USG – one for incoming connections and one which establishes an outgoing connection.

For the incoming interface, I can connect from my phone. I also have a VPS that I use for various purposes – I am now allowing this to connect into my network, and the majority of services now run across that interface instead of over the public internet.

The first configuration change I had to make was adding configuration to dnsmasq.

Monitoring of an IVT Vent 302

I have an IVT Vent 302 for heating. Along with the heat pump, there is also an add-on, the IVT Anywhere Gateway. This enables the heat pump to:

  • Be controlled remotely via an app
  • Decide when to heat the house/water according to the current energy price

Events currently being monitored:

  • /system/sensors/temperatures/switch
  • /system/sensors/temperatures/supply_t1
  • /system/healthStatus
  • /dhwCircuits/dhw1/actualTemp
  • /system/sensors/temperatures/return
  • /heatingCircuits/hc1/actualSupplyTemperature
  • /system/sensors/temperatures/outdoor_t1

Configuring OpenVPN

After my VPN stopped working due to changes in OpenSSL, I reinstalled it on a newer Raspberry Pi and tried to move my keys over – this didn’t work, first due to the Diffie-Hellman only being 1024 bytes, then for some reason my client couldn’t negotiate TLS, so rather than invest time getting the old keys working, I thought I’d just regenerate a new set – it’s not a bad thing.

The setup for keys via easy-rsa has changed since I last set up my Pi, and a quick search didn’t turn up instructions for the new version, so I thought I would post this – for my own reference if nothing else.

  1. After installing openvpn and easy-rsa, copy the easy-rsa directory into your openvpn directory: cp -r /usr/share/easy-rsa /etc/openvpn
  2. Go to /etc/openvpn/easy-rsa and copy vars.example to vars – cp vars.example vars
  3. Edit vars and set appropriate settings – I used the default values for everything – I noticed the default key length was 2048, so I shouldn’t hit the same issue with Diffie-Hellman again
  4. I then ran:
    1. ./easyrsa init-pki
    2. ./easyrsa build-ca
    3. ./easyrsa gen-dh (this took ages… run in screen next time!)
    4. ./easyrsa build-server-full VPNSERVERNAME
    5. ./easyrsa build-client-full CLIENTNAME
    6. openvpn --genkey --secret ta.key
    7. ./easyrsa gen-crl
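After the steps above have run, as an added example (not part of easy-rsa or OpenVPN), a Python check over the files they produce. It assumes the default easy-rsa 3 layout under the easy-rsa directory (pki/ca.crt, pki/dh.pem, pki/crl.pem, pki/issued/<name>.crt, pki/private/<name>.key) and ta.key next to pki/ from the openvpn --genkey step. It confirms the files exist, that the private keys and ta.key are not group/world readable, and decodes dh.pem with a short DER reader to report the DH size, which catches the 1024-bit parameter problem mentioned above before the server is started. The PEM produced by make_test_dh_pem is constructed test data of the right shape, not a real prime.

```python
"""Check the files left behind by the easy-rsa 3 steps above.

Added example, not part of easy-rsa or OpenVPN.  Assumes the default
easy-rsa 3 layout below the easy-rsa directory and ta.key written next
to pki/ by `openvpn --genkey --secret ta.key`.
"""
import base64
import os
import tempfile
from pathlib import Path

MIN_DH_BITS = 2048


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()


def check_easyrsa_output(easyrsa_dir, server_name, client_name, min_dh_bits=MIN_DH_BITS):
    """Return a list of problems with the generated files; empty means present and sane."""
    root = Path(easyrsa_dir)
    pki = root / "pki"
    secrets = [pki / "private" / f"{server_name}.key",
               pki / "private" / f"{client_name}.key", root / "ta.key"]
    expected = [pki / "ca.crt", pki / "dh.pem", pki / "crl.pem",
                pki / "issued" / f"{server_name}.crt",
                pki / "issued" / f"{client_name}.crt"] + secrets
    problems = [f"missing {p.relative_to(root)}" for p in expected if not p.is_file()]
    # Private keys and the tls-auth key must not be readable by group or others.
    for secret in secrets:
        if secret.is_file() and os.name == "posix" and secret.stat().st_mode & 0o077:
            problems.append(f"{secret.relative_to(root)} is readable by group/others")
    if (pki / "dh.pem").is_file():
        bits = dh_prime_bits((pki / "dh.pem").read_text())
        if bits < min_dh_bits:
            problems.append(f"dh.pem is {bits} bits; regenerate with at least {min_dh_bits}")
    return problems


# ---- constructed test data (not real key material) -------------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(n):
    content = n.to_bytes((n.bit_length() + 8) // 8, "big")   # leading 0x00 pad if top bit set
    return bytes([0x02]) + _der_len(len(content)) + content


def make_test_dh_pem(bits):
    """Well-formed DH PARAMETERS PEM whose p has the requested size; p is NOT a real prime."""
    content = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    der = bytes([0x30]) + _der_len(len(content)) + content
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"


def make_demo_easyrsa_dir(server_name, client_name, dh_bits):
    """Temporary tree shaped like easy-rsa's output, filled with placeholder files."""
    root = Path(tempfile.mkdtemp(prefix="easyrsa-demo-"))
    (root / "pki" / "issued").mkdir(parents=True)
    (root / "pki" / "private").mkdir()
    for rel in ("pki/ca.crt", "pki/crl.pem",
                f"pki/issued/{server_name}.crt", f"pki/issued/{client_name}.crt"):
        (root / rel).write_text("placeholder\n")
    for rel in (f"pki/private/{server_name}.key", f"pki/private/{client_name}.key", "ta.key"):
        (root / rel).write_text("placeholder\n")
        os.chmod(root / rel, 0o600)
    (root / "pki" / "dh.pem").write_text(make_test_dh_pem(dh_bits))
    return root


if __name__ == "__main__":
    for bits in (1024, 2048):
        demo = make_demo_easyrsa_dir("VPNSERVERNAME", "CLIENTNAME", bits)
        print(bits, check_easyrsa_output(demo, "VPNSERVERNAME", "CLIENTNAME") or "ok")
```

Point check_easyrsa_output at /etc/openvpn/easy-rsa with the server and client names used in steps 4 and 5; the DER reader handles the long-form lengths that 2048-bit and larger parameters produce, and the same reader works on any dh.pem written by openssl dhparam.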

Debugging SQS::QueuePolicy in AWS

At work I needed to deploy an SQS queue along with policies to restrict access to the correct roles.

I came across an annoying error, which took way too long to figure out.

I originally started writing this as I assumed it would be some obscure problem that could affect other people… in reality it was more of a typo, but I’ll write about it anyway.

The error I got when trying to deploy via serverless was:

An error occurred: SQSQueuePolicy – Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue; Request ID XXXXX)

This wasn’t that helpful, since 90% of this resource was the policy.

Eventually I ended up copying a policy from the AWS website, and then comparing my copy to theirs, moving parts of the Statement block over and testing.

In the end I had my entire policy in their structure, and it worked. So I ran a diff… turns out I had - Sid:: SendReceiveDelete rather than - Sid: SendReceiveDelete.

It would be really good if AWS could improve the error message to highlight at least the line of the policy that has an issue…it would have saved a lot of time!
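As an added example (not AWS tooling), a small Python linter for the queue policy that would have pointed at the typo before the deploy. The policy here is constructed, with placeholder account, role and queue ARNs. The point it relies on: YAML reads "- Sid:: SendReceiveDelete" as the key "Sid:" (the first colon is part of the scalar, the second one ends it), so the statement that reaches SQS carries an unknown key, which is what InvalidAttributeValue is complaining about. The linter names the statement and the key, and also flags an Allow to Principal "*" with no Condition, the other thing a queue policy review needs to catch.

```python
"""Lint an SQS queue policy before handing it to CloudFormation.

Added example, not AWS tooling.  The policies below are constructed and
use placeholder account, role and queue ARNs.
"""
import difflib
import json

STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}

# Constructed: the typo'd statement once YAML has been converted to JSON.
TYPO_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid:": "SendReceiveDelete",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE"},
        "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
        "Resource": "arn:aws:sqs:eu-north-1:123456789012:PLACEHOLDER-QUEUE",
    }],
})
FIXED_POLICY = TYPO_POLICY.replace('"Sid:"', '"Sid"')
# Same policy, but open to every AWS principal and with no Condition.
WILDCARD_POLICY = FIXED_POLICY.replace(
    '{"AWS": "arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE"}', '"*"')


def _is_wildcard_principal(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def lint_queue_policy(policy):
    """Return a list of findings for a policy given as JSON text or as a dict."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is also legal
        statements = [statements]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        for key in st:
            if key not in STATEMENT_KEYS:
                # Nearest legal key, so "Sid:" is reported next to its fix.
                guess = difflib.get_close_matches(key, STATEMENT_KEYS, n=1)
                hint = f" (did you mean {guess[0]!r}?)" if guess else ""
                findings.append(f"{where}: unknown key {key!r}{hint}")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if not (st.keys() & {"Action", "NotAction"}):
            findings.append(f"{where}: needs Action or NotAction")
        if not (st.keys() & {"Principal", "NotPrincipal"}):
            findings.append(f"{where}: a queue policy needs a Principal")
        if (st.get("Effect") == "Allow" and _is_wildcard_principal(st.get("Principal"))
                and "Condition" not in st):
            findings.append(f"{where}: Allow to Principal '*' without a Condition "
                            "opens the queue to everyone")
    return findings


if __name__ == "__main__":
    for label, pol in (("typo", TYPO_POLICY), ("fixed", FIXED_POLICY), ("wildcard", WILDCARD_POLICY)):
        print(label, lint_queue_policy(pol) or "ok")
```

Feed it the rendered CloudFormation template's PolicyDocument (serverless print, or the JSON after your YAML loader has run) rather than the raw YAML, because the whole point is to see the keys exactly as SQS will.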

Getting settled in

It’s now the Sunday of my first complete week in Sweden.

I hoped I’d have sorted more out than I have. After being offered a job last week, I got the contract through on Tuesday and went straight down to Skatteverket to register and get a personnummer.

This seemed to go well, as the person there said we’d brought down more than enough evidence. As Sofia and I have lived together for the last few years, I was eligible for a personnummer on two counts: first because I have a job in Sweden, and second because Sofia and I have lived and do live together. The person at Skatteverket gave the same estimate as she gave to Sofia when she re-registered as being in Sweden – up to two months! However, Sofia got re-registered within a few days, so I’m hoping it goes quicker for me too. I’ve read online of people in the last month getting their number through within a week, so perhaps something may arrive next Monday or Tuesday…

What is a personnummer?

A personnummer is essentially like a national insurance number in the UK; however, whilst in the UK it is only really used for tax and benefits, in Sweden it’s used for absolutely everything.

After going to Skatteverket we went to a bank to try and get a bank account, however I was told that I can’t do that without Swedish ID. This seems to be slightly incorrect, as the law apparently is like the UK’s, where they need to be able to confirm my identity. As the personnummer is used for everything, an ID with this on it confirms my identity. However, it does seem that it should be possible without a personnummer, just using my EU passport.

We may go down again next week and try again.

The long journey

A few days ago I completed quite a long drive from the UK to Sweden. The journey length was about 1100 miles. The route I took was:


All in all I spread the drive over three days, the first driving in the afternoon to Dover, where I stayed overnight. The next morning I took the ferry over to Dunkirk with my brother and we drove through France, Belgium and the Netherlands to Bremen, Germany. On the final day we drove from Bremen to Sweden.

It was a long drive, and ideally it would have been better to spend a few more days and get to see a little more, however we had to try and get there as soon as possible.

Now, I’ve got to get set up with everything I need to start my new job at the end of October.

The final countdown

Yesterday we finally exchanged contracts on the sale of our house. That means that on the 28th September we will complete the sale, and can begin our move to Sweden.

We’ve been planning this for a while now, so it’s quite exciting to finally know that it’s happening – though also slightly nerve-wracking, given the large number of things to organise before completion.

I still need to find work, and I’m in the process of applying for a number of jobs. Hopefully I’m able to find something interesting to work on.

Client auto connect with openvpn

This is here for my future reference more than anything. I have a Raspberry Pi (referred to as Raspberry Pi A = rpA) that dials into another Raspberry Pi (referred to as Raspberry Pi B = rpB) I have at home. Due to limits on the router rpA is connected to, I can’t set up any port forwarding – meaning there’s no easy way to connect into it. To solve this, I set up an OpenVPN server on rpB that rpA dials into. I can then connect via the tunnel that’s created.

I don’t have easy physical access to rpA, so it needs to be able to come back up following a power outage etc., so I’ve added various bits of automation and reporting to keep an eye on things. It reports to my web server, so if there’s a problem with the VPN but the rest of things are working, I can see this, and it will help me narrow down the issue.

Recently rpA stopped responding both via VPN and to my web server. I was able to get someone to check it had power, was connected to the router etc., so the assumption now is that it’s either a physical hardware problem or a corrupt SD card. I did keep a backup of the SD card, however I got rid of it a few months ago during some over-enthusiastic tidying up of my server.

When I first set up rpA, I had some issues getting OpenVPN to autostart and connect – I have come across the same issues now setting the new image up, so am documenting the solution here:

First, this assumes you’ve set up your OpenVPN server and created some keys – there are plenty of instructions online that talk you through adding the keys and then creating an OVPN file, a file that contains the configuration as well as the various keys needed to connect.

I use password-protected certificates to connect to the VPN. The first issue to overcome is how to supply the password on autostart. Adding the following line to the client config achieves this:

askpass /etc/openvpn/server.pass

And then that file contains the password for your certificate.

Looking in /etc/init.d/openvpn, we can see it sources /etc/default/openvpn for some variables. Let’s look there. In /etc/default/openvpn there’s this line:


This needs uncommenting; it means that on startup OpenVPN will connect using each *.conf file in /etc/openvpn/.

However, when you run:

service openvpn start

/var/log/daemon.log only reads:

Aug 28 12:38:36 rpA systemd[1]: Started OpenVPN service.


Answer: Systemd.

I don’t understand why both configs are supplied – surely if being installed on a system that uses systemd, we should just install the systemd start scripts?

Never mind. What we need to do is symlink in a unit for our VPN and enable it through systemctl:

OpenVPN under systemd controls which profiles to start through instances of a template unit, named openvpn@<name of config file>.service.

First, symlink the openvpn@.service into your systemd directory using the name of your config file in /etc/openvpn/. For example, if you have /etc/openvpn/myConfig.conf you would type:

ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@myConfig.service

We then need to enable and start the service:

systemctl enable openvpn@myConfig.service
systemctl start openvpn@myConfig.service

We should then check it’s started. Looking in /var/log/daemon.log should show us more output, and we can check the network interfaces to make sure we have the tunnel adapter:


tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

That looks fine. Next try a reboot and make sure your connection is re-established!
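Putting the steps above together, as an added example (not OpenVPN’s or the post’s own code): a Python helper that derives the openvpn@<name>.service unit and the ln/systemctl commands from the profile’s file name, and checks the askpass file. That file holds the certificate password in plain text, so anything other than a file readable only by its owner (mode 0600) is reported. It assumes the Debian layout used in the post (/etc/openvpn/<name>.conf and /lib/systemd/system/openvpn@.service); the demo profile and password file are constructed in a temporary directory.

```python
"""Derive the systemd unit for an OpenVPN client profile and check its askpass file.

Added example, not OpenVPN's own tooling.  Assumes the Debian layout from
the post: /etc/openvpn/<name>.conf and /lib/systemd/system/openvpn@.service.
"""
import os
import tempfile
from pathlib import Path

TEMPLATE_UNIT = Path("/lib/systemd/system/openvpn@.service")


def autostart_plan(conf_path):
    """Unit name and the commands from the post, derived from the profile file name."""
    conf = Path(conf_path)
    if conf.suffix != ".conf":
        raise ValueError("openvpn@.service only picks up /etc/openvpn/<name>.conf profiles")
    unit = f"openvpn@{conf.stem}.service"
    return {
        "unit": unit,
        "commands": [
            f"ln -s {TEMPLATE_UNIT} /etc/systemd/system/{unit}",
            f"systemctl enable {unit}",
            f"systemctl start {unit}",
        ],
    }


def askpass_problems(conf_path):
    """Find the profile's askpass line and return a list of problems with the password file."""
    conf = Path(conf_path)
    askpass = None
    for line in conf.read_text().splitlines():
        parts = line.split()
        if parts and parts[0] == "askpass":
            if len(parts) < 2:
                return ["askpass has no file argument: OpenVPN will prompt on the console and block at boot"]
            askpass = Path(parts[1])
    if askpass is None:
        return ["no 'askpass <file>' line: a password-protected key cannot start unattended"]
    if not askpass.is_absolute():
        askpass = conf.parent / askpass     # assumption: relative paths are taken from the profile's directory
    if not askpass.is_file():
        return [f"askpass file {askpass} does not exist"]
    problems = []
    # The file contains the key password in plain text: owner-only access is the minimum.
    if os.name == "posix" and askpass.stat().st_mode & 0o077:
        problems.append(f"{askpass} is readable by group/others; chmod 600 it")
    return problems


def make_demo_profile(mode):
    """Constructed: a minimal client profile plus a password file with the given mode."""
    d = Path(tempfile.mkdtemp(prefix="openvpn-demo-"))
    pw = d / "server.pass"
    pw.write_text("not-a-real-password\n")
    os.chmod(pw, mode)
    conf = d / "myConfig.conf"
    conf.write_text(f"client\ndev tun\nremote vpn.example.test 1194\naskpass {pw}\n")
    return conf


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        conf = make_demo_profile(mode)
        print(oct(mode), askpass_problems(conf) or "ok")
    print("\n".join(autostart_plan("/etc/openvpn/myConfig.conf")["commands"]))
```

Run autostart_plan on the real profile path to get the exact unit name the systemctl commands need, and askpass_problems before the first reboot: a loose mode on the password file is the one thing that still works fine interactively and only bites once the box is unattended.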