# Ubiquiti Unifi UDM

The Pritunl link client will automatically manage the routing table and port forwarding on the Unifi UDM. This allows for a high availability configuration to handle a failure on the link client. For dual WAN configurations a link client can be configured to port forward each WAN and the link will remain available with one WAN offline.

### Unifi Configuration

From the portal click *Manage Users* then click *Add User*. Set the *Name* to `Pritunl API` and set the *Role* to `Limited Admin`. Set the username to `pritunl` and generate a random password. Then select *Administrator* under the *UniFi Network* permissions. Set all the other permissions to *None* then click *Add*.

![](https://1783284711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhDA4eusSNQcv5QfappvI%2Fuploads%2FQjDzYXD7tMMPDZuVshoa%2Fudm0.png?alt=media&token=54b528f0-9387-4115-93ae-52c004daf7d6)

Run the commands below on the instance to install the `pritunl-link` package. The firewalld service must also be disabled.

```shell
sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/10/
gpgcheck=1
enabled=1
EOF

gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y upgrade
sudo yum -y install pritunl-link

sudo systemctl stop firewalld
sudo systemctl disable firewalld
```
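The install commands above fetch the repository signing key from a keyserver and hand it straight to `rpm --import`. The script below is an added example, not part of the Pritunl documentation: it checks the fingerprint of the exported key file against the key ID used on this page before importing it, so a wrong key returned by the keyserver is refused rather than trusted for every future `yum` run. The key ID and keyserver are the page's; the function names, the constructed sample of `gpg --with-colons` output and the use of `--import-options show-only` (GnuPG 2.1+) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Pritunl documentation: pin the repository
# signing key's fingerprint before it is handed to rpm. The key ID and the
# keyserver are the ones used on this page; the function names are ours.
set -eu

EXPECTED_FPR="7568D9BB55FF9E5287D586017AE645C0CF8E292A"

# Constructed sample of `gpg --with-colons` output (not captured from a real key).
# In colon format the "fpr" record carries the fingerprint in field 10.
SAMPLE_COLONS='pub:-:4096:1:7AE645C0CF8E292A:1500000000::-:::scESC::::::23::0:
fpr:::::::::7568D9BB55FF9E5287D586017AE645C0CF8E292A:'

# Read colon-format records on stdin and print the first (primary) fingerprint.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Exit 0 only if the given fingerprint equals the pinned one.
fingerprint_matches() {
    [ "$1" = "$EXPECTED_FPR" ]
}

# Parse the constructed sample; shows what fpr_from_colons returns.
demo_parse() {
    printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons
}

# Fetch the key, inspect the exported file without importing it into any
# keyring (`--import-options show-only`, GnuPG 2.1+), and import into rpm
# only when the fingerprint of that file matches the pinned value.
import_pinned_key() {
    keyfile=$(mktemp)
    trap 'rm -f "$keyfile"' EXIT
    gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "$EXPECTED_FPR"
    gpg --armor --export "$EXPECTED_FPR" > "$keyfile"
    actual=$(gpg --with-colons --import-options show-only --import "$keyfile" | fpr_from_colons)
    if fingerprint_matches "$actual"; then
        sudo rpm --import "$keyfile"
    else
        echo "refusing to import: fingerprint '$actual' does not match $EXPECTED_FPR" >&2
        return 1
    fi
}

demo_parse
```

Call `import_pinned_key` in place of the two `gpg` lines and the `rpm --import` above; the check is on the file that rpm receives, not on the keyring, so a mismatch between what was fetched and what is pinned stops the install.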

The commands below configure the link client. `sudo pritunl-link provider unifi` sets the provider to `unifi`. The next three commands set the Unifi username, password and controller URL. Run `sudo pritunl-link verify-off` only if your Pritunl server does not have a signed HTTPS certificate; it can be left out if the server has a valid SSL certificate. Leaving the certificate unverified does not affect the security of the link data: the sensitive data is encrypted with AES-256 and signed with HMAC SHA-512 using the token and secret in the URI, independently of the certificate. `sudo pritunl-link clear` removes all host URIs and should be run to ensure previously configured URIs are removed. `sudo pritunl-link add` adds the URI; replace the example URI with the one shown by clicking *Get URI* in the Pritunl web console. The add command can be run multiple times if more than one link is configured.

```shell
sudo pritunl-link provider unifi
sudo pritunl-link unifi-username pritunl
sudo pritunl-link unifi-password pritunl
sudo pritunl-link unifi-controller https://10.10.0.1

sudo pritunl-link verify-off
sudo pritunl-link clear
sudo pritunl-link add pritunl://token:secret@test.pritunl.com
```

For dual WAN configurations the forwarding interface can be set using the command below. For the first link client use `WAN` and `WAN2` for the second link client. If only one link client is used on a dual WAN configuration the interface must be set to `BOTH`. For single WAN configurations this command is not needed.

```shell
sudo pritunl-link unifi-interface WAN
```

If you are using multiple sites you will need to set the site ID using the command below. The site ID can be found in the dashboard URL, such as `default` in `https://10.0.0.1/network/default/dashboard`. If the site ID is `default` this command is not needed.

```shell
sudo pritunl-link unifi-site default
```
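The interface, site ID and URI rules above are easy to get wrong on a dual WAN site, and `pritunl-link` only reports a bad value once it tries to talk to the controller. The script below is an added example, not Pritunl's own tooling: it encodes the page's rules (`WAN`/`WAN2`/`BOTH`, `BOTH` when one link client serves two WANs, the site ID taken from the dashboard URL, and the `pritunl://token:secret@host` URI shape) as pre-flight checks and prints the commands it would run without executing them. The function names, the constructed inputs and the requirement that the controller URL use `https://` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Pritunl's own tooling: pre-flight checks for the
# pritunl-link settings used on this page. The value rules (WAN/WAN2/BOTH,
# site ID taken from the dashboard URL, pritunl://token:secret@host URIs)
# come from the page; the function names and the https requirement on the
# controller URL are ours.
set -eu

# Accept only the three forwarding interface values the page documents.
valid_interface() {
    case "$1" in
        WAN|WAN2|BOTH) return 0 ;;
        *) return 1 ;;
    esac
}

# Choose the interface from the page's rules.
# $1 = number of WANs (1 or 2), $2 = number of link clients, $3 = this client's 1-based index.
# Prints nothing for single WAN, where the unifi-interface command is not needed.
interface_for() {
    case "$1:$2:$3" in
        1:*:*) echo "" ;;
        2:1:1) echo "BOTH" ;;
        2:*:1) echo "WAN" ;;
        2:*:2) echo "WAN2" ;;
        *) return 1 ;;
    esac
}

# Pull the site ID out of a dashboard URL such as
# https://10.0.0.1/network/default/dashboard -> default
site_id_from_url() {
    printf '%s\n' "$1" | sed -n 's#^[a-z]*://[^/]*/network/\([^/]*\)/.*#\1#p'
}

# The controller must be reached over https so the Unifi credentials are not
# sent in clear text (our requirement, not one imposed by pritunl-link).
valid_controller_url() {
    case "$1" in
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# A link URI must have the shape pritunl://token:secret@host with no empty part.
valid_link_uri() {
    case "$1" in
        pritunl://?*:?*@?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate a full set of settings and print the pritunl-link commands that
# would be run. Nothing is executed and the URI (which carries the secret)
# is never printed.
preflight() {
    controller=$1; iface=$2; site=$3; uri=$4
    valid_controller_url "$controller" || { echo "bad controller URL: $controller" >&2; return 1; }
    valid_link_uri "$uri" || { echo "bad link URI (expected pritunl://token:secret@host)" >&2; return 1; }
    if [ -n "$iface" ]; then
        valid_interface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
        echo "sudo pritunl-link unifi-interface $iface"
    fi
    if [ -n "$site" ] && [ "$site" != default ]; then
        echo "sudo pritunl-link unifi-site $site"
    fi
    echo "sudo pritunl-link unifi-controller $controller"
}

# Constructed inputs: a dual WAN site served by a single link client.
preflight "https://10.10.0.1" "$(interface_for 2 1 1)" \
    "$(site_id_from_url 'https://10.0.0.1/network/default/dashboard')" \
    'pritunl://token:secret@test.pritunl.com'
```

Run it once with your own values before touching the live configuration; with the constructed inputs it prints the `unifi-interface BOTH` and `unifi-controller` lines and skips `unifi-site` because the site ID is `default`.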

The commands below can be run to check the logs and status of the link. The `pritunl-link` service will already be running and connected once the URI is added.

```shell
journalctl -u pritunl-link
sudo ipsec status
```
