    System flags on embedded install

    • P
      petr
      last edited by

      Hi,

      I am trying to make the contents of a config file fixed, as the UI does not support the parameters I need. I was able to do the modifications in a VMware install; however, I cannot set the immutable flag on my embedded system:

      chflags schg /var/etc/openvpn/client1.conf
      

      No matter what flags I set, the contents of the file always get replaced with the config generated from the UI.

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        What you are attempting to do is unsupported. Unsupported parameters in OpenVPN can be placed in the advanced options in the GUI and used that way. There is rarely a need to alter the config in the way you are attempting to do.

        The system immutable flag is only honored when kern.securelevel is 0 or higher I believe (we run at -1), changing that would have other unintended consequences.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • P
          petr
          last edited by

          The problem is that the advanced field is not enough - I need to remove elements of the auto-generated config and there is no way to do it via the UI, and the parameters cannot be overridden in the advanced section as far as I know.

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Then you could either edit the source directly to remove them, or manage openvpn manually outside the GUI.

            You might look at 2.2 for a test, the GUI has quite a few more options that may be relevant.

            If you explain more about what you're attempting to do, there may be a better solution.

            • P
              petr
              last edited by

              Sorry, I am a bit new - by source, do you mean the intermediate state from the UI?

              Briefly - I am setting up an OpenVPN client with the IPredator provider. The only way I could get it to work was to remove the "key" and "cert" parts of the config file, as they are not in use for this particular provider. I was able to provide all the extra parameters just fine in the advanced section, but I got stuck on trying to override/remove the key and cert. I did not find a way to "invalidate" them via the advanced params.

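The requirement described in the post above (a client config without the "cert" and "key" entries), as an added example that is not from the thread or from pfSense: a filter that could be run over a copy of a generated config when OpenVPN is managed manually outside the GUI. The sample config, its file names other than the `/var/etc/openvpn/client1` prefix, and the function name are constructed for illustration.

```python
import re

# Directives the provider in the thread does not use (from the post: "key" and "cert").
DROP = {"cert", "key"}

# Constructed sample input, not a real pfSense-generated file.
SAMPLE = """\
dev ovpnc1
client
remote vpn.example.net 1194   # placeholder host
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
auth-user-pass /var/etc/openvpn/client1.up
<key>
-----PLACEHOLDER-----
</key>
keysize 256
"""

def strip_directives(text, drop=DROP):
    """Return (filtered_text, removed_lines) with the `drop` directives removed."""
    kept, removed, inside = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if inside:                              # body of an inline <name> block
            removed.append(line)
            if s == f"</{inside}>":
                inside = None
            continue
        m = re.fullmatch(r"<([A-Za-z0-9-]+)>", s)
        if m and m.group(1) in drop:            # inline form: <cert> ... </cert>
            inside = m.group(1)
            removed.append(line)
            continue
        # The first whitespace-delimited token is the directive name. The match
        # is exact, so "keysize" or "key-direction" is not confused with "key".
        word = s.split(None, 1)[0] if s and s[0] not in "#;" else ""
        (removed if word in drop else kept).append(line)
    if inside:
        raise ValueError(f"unterminated <{inside}> block")
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    out, gone = strip_directives(SAMPLE)
    print(out, end="")
    print("removed:", gone)
```

The returned list of removed lines gives a record of exactly what was taken out, which is worth keeping next to the filtered file.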
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                On 2.2 you can set up a user/pass in the GUI plus disable the use of a client certificate.

                That is not currently supported on 2.1.x, but it's easy to do on 2.2.

                Though there could be other issues with your config on 2.2 that may make it unsuitable for your needs, however. If you decide to try it, make sure to have a good backup plan to get back to your current setup.

                • P
                  petr
                  last edited by

                  I think that upgrading to 2.2 is a bit beyond the time I've got to finalise the config - is there any way to override the auth method in the 2.1.5 without resorting to system flags?

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Not currently, no. You might search around the forum for that vpn provider name - it's possible that someone else has a patch or other suggestion.

                    • P
                      petr
                      last edited by

                      Ok, thank you very much!

                      @jimp:

                      Then you could either edit the source directly to remove them

                      What did you mean by this though?

                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        Edit /etc/inc/openvpn.inc and find the lines with the items you don't want and remove them from there.

                        • P
                          petr
                          last edited by

                          @jimp:

                          Edit /etc/inc/openvpn.inc and find the lines with the items you don't want and remove them from there.

                          Ok, I will look into those - I understand that I would need to re-apply the fixes when updating to a new version, but is there anything more to "worry" about?

                          • jimpJ
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            Lots to worry about, mostly if you break the syntax in the file you could break OpenVPN or other areas of the system as a consequence.

                            Otherwise, aside from the fact that you'll have to redo the edit after a firmware update, it should be OK.

                            Keep the gun pointed away from your foot during the process.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.