System flags on embedded install

  • Hi,

    I am trying to make the contents of a config file fixed, as the UI does not support the parameters I need. I was able to do the modifications in a VMware install, however, I cannot set the immutable flag on my embedded system:

    chflags schg /var/etc/openvpn/client1.conf

    No matter what flags I set, the contents of the file always get replaced with the config generated from the UI.

  • Rebel Alliance Developer Netgate

    What you are attempting to do is unsupported. Unsupported parameters in OpenVPN can be placed in the advanced options in the GUI and used that way. There is rarely a need to alter the config in the way you are attempting to do.

    The system immutable flag is only honored when kern.securelevel is 0 or higher I believe (we run at -1), changing that would have other unintended consequences.

  • The problem is that the advanced field is not enough - I need to remove elements of the auto-generated config and there is no way to do it via the UI, and the parameters cannot be overridden in the advanced section as far as I know.

  • Rebel Alliance Developer Netgate

    Then you could either edit the source directly to remove them, or manage openvpn manually outside the GUI.

    You might look at 2.2 for a test, the GUI has quite a few more options that may be relevant.

    If you explain more about what you're attempting to do, there may be a better solution.

  • Sorry, I am a bit new - by source, do you mean the intermediate state from the UI?

    Briefly - I am setting up an OpenVPN client with the IPredator provider. The only way I could get it to work was to remove the "key" and "cert" parts of the config file, as they are not in use for the particular provider. I was able to provide all the extra parameters just fine in the advanced section but I got stuck on trying to override/remove the key and cert. I did not find a way to "invalidate" them via the advanced params.

  • Rebel Alliance Developer Netgate

    On 2.2 you can set up a user/pass in the GUI plus disable the use of a client certificate.

    That is not currently supported on 2.1.x, but it's easy to do on 2.2.

    Though there could be other issues with your config on 2.2 that may make it unsuitable for your needs, however. If you decide to try it, make sure to have a good backup plan to get back to your current setup.

  • I think that upgrading to 2.2 is a bit beyond the time I've got to finalise the config - is there any way to override the auth method in the 2.1.5 without resorting to system flags?

  • Rebel Alliance Developer Netgate

    Not currently, no. You might search around the forum for that vpn provider name - it's possible that someone else has a patch or other suggestion.

  • Ok, thank you very much!


    Then you could either edit the source directly to remove them

    What did you mean by this though?

  • Rebel Alliance Developer Netgate

    Edit /etc/inc/ and find the lines with the items you don't want and remove them from there.

  • @jimp:

    Edit /etc/inc/ and find the lines with the items you don't want and remove them from there.

    Ok, I will look into those - I understand that I would need to re-apply the fixes when updating to new version but is there anything more to "worry" about?

  • Rebel Alliance Developer Netgate

    Lots to worry about, mostly if you break the syntax in the file you could break OpenVPN or other areas of the system as a consequence.

    Otherwise, aside from the fact that you'll have to redo the edit after a firmware update, it should be OK.

    Keep the gun pointed away from your foot during the process.
