Write Protect /var/etc/openvpn/client1.conf


  • Hi

    I need to write-protect /var/etc/openvpn/client1.conf because otherwise pfSense overwrites it and my OpenVPN connection goes down.

    I can only access the root folder when I SSH into my pfSense. Does anyone know how to do this, or at least have any tips? :)


  • Firstly, why do you need to protect this file?
    It is written by pfSense from the settings you make in the webGUI.
    What is the deficiency/problem in the webGUI that means you feel the need to edit this file directly and then protect it?


    In order to get it to work with Ipredator I had to edit the file manually. And now I need to protect it from getting overwritten from the webGUI.


  • Can you tell us what exactly did not work with Ipredator, and what edits you needed to make it work?

    Maybe we can help get that fixed. I see there have been a few other threads about Ipredator.

    I suspect that whatever you do to change the protections on the file will be ineffective, because the pfSense code that re-generates it will be running with full root privileges…

    If you really have to, you can edit the pfSense PHP code in /etc/inc that generates the config, to leave out or add in what you need. That would be a real one-off hard-coded hack to get it working, and of course would have to be re-done after each pfSense firmware upgrade.


    This is what my client1.conf looks like after I've modified it:

    client
    dev ovpnc1
    dev-type tun
    proto udp
    # Ipredator endpoints, tried in order (or randomly with remote-random)
    remote pw.openvpn.ipredator.se 1194
    remote pw.openvpn.ipredator.me 1194
    remote pw.openvpn.ipredator.es 1194
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    script-security 3
    resolv-retry infinite
    nobind
    daemon
    
    # credentials file (username on line 1, password on line 2); keep it mode 0600
    auth-user-pass /root/ipredator_password
    auth-retry nointeract
    
    ca /var/etc/openvpn/client1.ca
    
    tls-client
    tls-auth /var/etc/openvpn/client1.tls-auth
    # deprecated in OpenVPN 2.4 and removed in 2.5; newer configs use "remote-cert-tls server"
    ns-cert-type server
    
    keepalive 10 30
    cipher AES-256-CBC
    persist-key
    persist-tun
    # LZO compression; deprecated since OpenVPN 2.4
    comp-lzo
    tun-mtu 1500
    mssfix 1200
    passtos
    verb 3
    
    # pfSense's own up/down hooks and management socket
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    management /var/etc/openvpn/client1.sock unix
    
    

    Isn't there a way to protect a file so that not even root can edit it?
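The two posts above make one point that is easy to check: ordinary mode bits (chmod 444) do nothing against a writer running as root, which is how pfSense regenerates client1.conf, and the only file-level control that stops root is the system immutable flag (chflags schg on FreeBSD, chattr +i on Linux). The script below is an added example, not part of this thread or of pfSense; it simulates the regeneration with a plain overwrite into a temporary file, first with the file chmod'ed read-only and then with the immutable flag set. The function names (regenerate, try_mode_bits, try_immutable) are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): why chmod 444 does not stop a
# root-privileged config writer, and what the immutable flag does instead.
# Assumes POSIX sh plus chflags (FreeBSD) or chattr (Linux); portable otherwise.
set -u

# Stand-in for the pfSense config generator: overwrite the file with new
# content, exactly as a root-privileged writer would.
regenerate() {
    printf '%s\n' 'generated by the webGUI' 2>/dev/null > "$1"
}

# chmod the file read-only, then try to regenerate it.
# Prints "denied" for an unprivileged writer and "overwritten" for root,
# because mode bits are discretionary and root bypasses them.
try_mode_bits() {
    f=$(mktemp "${TMPDIR:-/tmp}/protect.XXXXXX") || return 1
    printf '%s\n' 'my manual edit' > "$f"
    chmod 0444 "$f"
    if regenerate "$f"; then echo overwritten; else echo denied; fi
    rm -f "$f"
}

# Set the system immutable flag, then try to regenerate the file.
# Prints one of:
#   immutable_held  flag set and the overwrite failed (even for root)
#   flag_refused    setting the flag failed (not root, or the fs/kernel forbids it)
#   not_supported   neither chflags nor chattr is available
#   overwritten     flag set but the write still succeeded (should not happen)
try_immutable() {
    f=$(mktemp "${TMPDIR:-/tmp}/protect.XXXXXX") || return 1
    printf '%s\n' 'my manual edit' > "$f"
    if command -v chflags >/dev/null 2>&1; then
        set_flag="chflags schg";  clear_flag="chflags noschg"
    elif command -v chattr >/dev/null 2>&1; then
        set_flag="chattr +i";     clear_flag="chattr -i"
    else
        rm -f "$f"; echo not_supported; return 0
    fi
    if ! $set_flag "$f" 2>/dev/null; then
        rm -f "$f"; echo flag_refused; return 0
    fi
    if regenerate "$f"; then r=overwritten; else r=immutable_held; fi
    # On FreeBSD, noschg only works while kern.securelevel is 0 or lower;
    # at securelevel 1 or higher even root cannot clear the flag.
    $clear_flag "$f" 2>/dev/null || true
    rm -f "$f"
    echo "$r"
}

echo "mode bits:  $(try_mode_bits)"
echo "immutable:  $(try_immutable)"
```

Run it twice, once as a normal user and once as root, to see the mode-bits case flip from denied to overwritten. Two caveats before using schg on a pfSense box: the PHP that regenerates the file will then fail to write it (so whatever that code does on a write error is what you will get), and the flag is gone after a reinstall or any step that replaces /var/etc. Editing the generator in /etc/inc, as suggested above, is the more predictable hack, with the same re-do-after-upgrade cost.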


  • @phil.davis:

    Can you tell us what exactly did not work with Ipredator, and what edits you needed to make it work?

    Maybe we can help get that fixed. I see there have been a few other threads about Ipredator.

    I suspect that whatever you do to change the protections on the file will be ineffective, because the pfSense code that re-generates it will be running with full root privileges…

    If you really have to, you can edit the pfSense PHP code in /etc/inc that generates the config, to leave out or add in what you need. That would be a real one-off hard-coded hack to get it working, and of course would have to be re-done after each pfSense firmware upgrade.

    See post above :)


  • Made a new thread regarding this issue in the OpenVPN forum:

    https://forum.pfsense.org/index.php?topic=84748.0