Disabling single OpenVPN Server



  • The idea is to issue a command via SSH to enable the option "Disable this server" in the web-GUI. (Not the whole OpenVPN-Process but only a specific instance)

    My problem is that I can't find this option anywhere in the config (in the filesystem) or via the PHP-Shell/pfSense tools.
    I was expecting to just find it as an entry when looking up all configured servers via:

    print_r($config['openvpn']);
    exec;

    but the "Disable this server" option is just nowhere to be found in the output.
    The question is therefore: Where can I find this option, and is there a clean way to toggle it via SSH, or is there a way to do it even smoother?


  • Rebel Alliance Developer Netgate

    It's there.

    pfSense shell: var_dump($config['openvpn']['openvpn-server'][9]);
    pfSense shell: exec
    array(53) {
    [...]
      ["disable"]=>
      string(0) ""
    [...]
    
    pfSense shell: print_r($config['openvpn']['openvpn-server'][9]);
    pfSense shell: exec
    Array
    (
     [...]
        [disable] => 
     [...]
    

    There is no set way to disable a VPN from the shell. You can stop the service, but anything that would trigger a restart of services would make it start back up.



  • That is very strange. I would have assumed it to be as you describe. However, I can't find it (not even after toggling and saving that option).

    output from the commands..:

    array(56) {
    ["vpnid"]=>
    string(1) "1"
    ["mode"]=>
    string(15) "server_tls_user"
    ["authmode"]=>
    string(14) "Local Database"
    ["protocol"]=>
    string(3) "UDP"
    ["dev_mode"]=>
    string(3) "tun"
    ["interface"]=>
    string(3) "any"
    ["ipaddr"]=>
    string(0) ""
    ["local_port"]=>
    string(4) "1194"
    ["description"]=>
    string(10) "PrivateVPN"
    ["custom_options"]=>
    string(0) ""
    ["tls"]=>
    string(876) ""
    ["tls_type"]=>
    string(4) "auth"
    ["caref"]=>
    string(13) ""
    ["crlref"]=>
    string(0) ""
    ["certref"]=>
    string(13) ""
    ["dh_length"]=>
    string(4) "2048"
    ["ecdh_curve"]=>
    string(4) "none"
    ["cert_depth"]=>
    string(1) "1"
    ["strictusercn"]=>
    string(0) ""
    ["crypto"]=>
    string(11) "AES-128-GCM"
    ["digest"]=>
    string(6) "SHA256"
    ["engine"]=>
    string(4) "none"
    ["tunnel_network"]=>
    string(11) ""
    ["tunnel_networkv6"]=>
    string(0) ""
    ["remote_network"]=>
    string(0) ""
    ["remote_networkv6"]=>
    string(0) ""
    ["gwredir"]=>
    string(0) ""
    ["gwredir6"]=>
    string(0) ""
    ["local_network"]=>
    string(14) ""
    ["local_networkv6"]=>
    string(0) ""
    ["maxclients"]=>
    string(0) ""
    ["compression"]=>
    string(0) ""
    ["compression_push"]=>
    string(0) ""
    ["passtos"]=>
    string(0) ""
    ["client2client"]=>
    string(3) "yes"
    ["dynamic_ip"]=>
    string(3) "yes"
    ["topology"]=>
    string(6) "subnet"
    ["serverbridge_dhcp"]=>
    string(0) ""
    ["serverbridge_interface"]=>
    string(4) "none"
    ["serverbridge_routegateway"]=>
    string(0) ""
    ["serverbridge_dhcp_start"]=>
    string(0) ""
    ["serverbridge_dhcp_end"]=>
    string(0) ""
    ["dns_domain"]=>
    string(10) "example.org"
    ["dns_server1"]=>
    string(8) ""
    ["dns_server2"]=>
    string(11) ""
    ["dns_server3"]=>
    string(0) ""
    ["dns_server4"]=>
    string(0) ""
    ["sndrcvbuf"]=>
    string(0) ""
    ["push_register_dns"]=>
    string(3) "yes"
    ["netbios_enable"]=>
    string(0) ""
    ["netbios_ntype"]=>
    string(1) "0"
    ["netbios_scope"]=>
    string(0) ""
    ["create_gw"]=>
    string(4) "both"
    ["verbosity_level"]=>
    string(1) "1"
    ["ncp-ciphers"]=>
    string(11) "AES-128-GCM"
    ["ncp_enable"]=>
    string(7) "enabled"
    }

    This is all on 2.4.4-RELEASE-p3 (amd64)
    VPN config was done with fairly "standard" settings in the wizard.

    Edit: changed so spoiler actually works.


  • Rebel Alliance Developer Netgate

    The disable entry is only present when the entry is disabled. When it's enabled, it's not there. It doesn't get set to yes/no/etc. If it's there, the entry is considered disabled. If it's not there, it's enabled.



  • Okay, but the entry is never shown...which is why I couldn't find it with my diff on the output before/after disabling the VPN.

    I believe I have found the issue, why that "disable" would not show up in the config, even though the VPN was set to disabled. I had to restart the whole system (which isn't really an option) to get the config to show the entry.

    Do I somehow need to force an update? My way of doing it so far is:

    1. Log into web-GUI and change the status of the chosen VPN to disabled.
    2. Log into the ssh-php and issue the command and observe the output

    When does that config-file actually come into play?
    Only on restart? If yes, then a script accessing the web-GUI and activating the setting would be needed. I would love to not do it that way, as it is IMO a non-optimal way of doing things..


  • Rebel Alliance Developer Netgate

    If you change the status in the GUI and save, it would always be immediately reflected in config.xml.

    Unless your disk is doing something really funky with caching writes, it should be there as soon as the config is written.
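
The presence-only meaning of `disable` described in the replies above, as an added example that is not part of the thread and not pfSense code: a Python check over config.xml text that reports each OpenVPN server's state and which servers changed state between two snapshots. The XML fragments are constructed, the element layout is an assumption mirroring the `$config['openvpn']['openvpn-server']` path, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragments (not from the thread). The element layout
# is an assumption mirroring $config['openvpn']['openvpn-server'][n].
BEFORE = """<pfsense><openvpn>
  <openvpn-server><vpnid>1</vpnid><description>PrivateVPN</description></openvpn-server>
  <openvpn-server><vpnid>2</vpnid><description>SiteToSite</description><disable></disable></openvpn-server>
</openvpn></pfsense>"""

# The same config after "Disable this server" was saved for vpnid 1.
AFTER = """<pfsense><openvpn>
  <openvpn-server><vpnid>1</vpnid><description>PrivateVPN</description><disable/></openvpn-server>
  <openvpn-server><vpnid>2</vpnid><description>SiteToSite</description><disable></disable></openvpn-server>
</openvpn></pfsense>"""


def openvpn_server_states(config_xml):
    """Map vpnid -> (description, enabled) for every OpenVPN server entry."""
    root = ET.fromstring(config_xml)
    states = {}
    for server in root.findall("./openvpn/openvpn-server"):
        vpnid = server.findtext("vpnid", default="?")
        description = server.findtext("description", default="")
        # Presence test only: the tag carries no yes/no value, so its text is
        # always empty. Compare with None; a truthiness test on a childless
        # element is unreliable and would report a disabled server as enabled.
        enabled = server.find("disable") is None
        states[vpnid] = (description, enabled)
    return states


def state_changes(before_xml, after_xml):
    """Return vpnid -> (enabled_before, enabled_after) for servers that flipped."""
    before = openvpn_server_states(before_xml)
    after = openvpn_server_states(after_xml)
    return {
        vpnid: (before[vpnid][1], after[vpnid][1])
        for vpnid in sorted(before.keys() & after.keys())
        if before[vpnid][1] != after[vpnid][1]
    }


if __name__ == "__main__":
    for vpnid, (desc, enabled) in openvpn_server_states(AFTER).items():
        print(f"vpnid={vpnid} {desc}: {'enabled' if enabled else 'DISABLED'}")
    print("changed:", state_changes(BEFORE, AFTER))
```

A plain text diff of two `var_dump` outputs shows the same change as one added or removed `["disable"]` key, never as a changed value.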

