HowTo? Update/replace specific binary in Embedded nano 1.2.3 RC2??



  • I have an embedded pfSense 1.2.3 RC2.

    I am trying to replace existing functionality I have with a stand-alone OpenVPN gateway (ESXi VM) by using the pfSense internal OpenVPN service. The idea is to remove points of failure (internal network connectivity, ESXi host hardware, VM issues). I've not had any problems to date but I'm just trying to ensure I have remote access if something goes down.

    My problem is that the features I want to use are part of the OpenVPN 2.1 RC19 train and pfSense uses the 2.0.9 version. (the primary feature is –port-share since need to use 443 for two services)

    Is there a way I can just update the needed binary files without manually building a image file or creating a package?

    I'm a little rusty on the BSD internals but quite familiar with Linux - though I've unfortunately never dealt with embedded flash filesystems... If someone can point me in the right direction I'd appreciate it.

    BTW - I don't need to modify the GUI as I should be able to pass the arguments for the features I need through the 'custom options' text-box in the existing PHP form.



  • ;D
    OK, got no responses or help but I found a way to make it work.

    Since I didn't get any direction from those in the know, I'm surprised that I didn't even get a single response to this thread… oh well. - PLEASE let me know if there is any problem anyone can see with going about this in the way that I have.

    What I wanted was to get the newer 2.1 RC version of the OpenVPN daemon on a pfSense 1.2.3 RC2 nano embedded installation.

    First off - I started with a fresh install of pfSense 1.2.3 RC2 nano (August 31st snapshot) and installed the OpenVPN Enhancements 1.0 package to get additional options in the web config that I wanted. I then completed the OpenVPN configuration and verified that I had a working tunnel with certificate authentication.

    Then I completed the following:
    1. SSH to firewall
     a. access shell
     b. exec /etc/rc.conf_mount_rw to remount root filesystem as read-write mode.
     c. exec pkg_add -r openvpn-devel (this took a while)
     d. exec /etc/rc.conf_mount_ro to remount root filesystem back to read-only mode.
    2. Reboot firewall (don't know if this should be needed but my web console stopped responding until I did this)
    3. SSH to firewall
     a. access shell
     b. exec openvpn --version to verify that I now have OpenVPN 2.1 RC15 installed.
    4. From pfSense webConfig
     a. Now OpenVPN service fails to start - checked logs and found that an additional security option was needed for custom scripting.
       i. Added --script-security 2; to the custom options text-box in OpenVPN config page.
     b. Verified that daemon starts and tunnel again works.
    -- Now - finally for the option I wanted to use.
    5. Again from pfSense webConfig OpenVPN config page.
     a. Add the additional custom configuration to the text-box.
       i. Added --port-share 10.255.255.10 443;
         (Line now reads: --script-security 2; --port-share 10.255.255.10 443;)
     b. Saved configuration. (this should cause the OpenVPN process to reload it's config)
    6. Testing:
     a. Pointed web browser to https://my-external-ip and successfully was passed to my web server content
     b. Used my external test client and connected to my-external-ip port 443 with no changes to my configuration except the port number.

    Success! I now have an embedded pfSense firewall with a single external IP and am sharing TCP:443 between OpenVPN and my web service without having to use an additional system as I was previously.

    Granted to all that noticed - The 2.1 RC15 version of OpenVPN is Pre Release Code and they say not to use it for production environments. Saying that I have used the 2.1 RC train for quite some time on my home network without any issues whatsoever - including this port-share option.

    Again - if you know of ANY reason why what I did was against best practices please let me know!

    One caveat I can see is that I'm now using the openvpn-devel package - if I use a pfSense package in the future that re-installs or upates the 'openvpn' package it may overwrite my daemon binaries in which case I'd have to reinstall the openvpn-devel package. Other than that I'm using the standard pfSense / OpenVPN Enhancements 1.0 configuration methods so I think I'll be safe.

    I hope my spending time on this helps someone else down the line. I'm sure this method could be used for other services as well.

    As I understand it in fact one could install any FreeBSD package they wanted as long as they configure that package to not need read-write access to the root filesystem and understand that /var will be cleaned when the system reboots. To get around this one might be able to use cheap USB storage or network storage for stateful storage for non-critical services... I digress - I'm sure someone has a thread on that elsewhere on this site.


Log in to reply