5

I have a QNAP TS-253 Pro (QTS 4.2.0), on which a OpenVPN-server is configured and running fine. Since I want to use client-certificates to secure the VPN connections, the built-in configuration on the web interface is of no use at all.

So I imported my config and certificate files via SSH / SCP to /etc/openvpn, restarted the OpenVPN server and it worked well until i rebooted the QNAP NAS. The config was gone back to QNAPs factory default.

It appears, the /etc/openvpn directory is just a symlink to /mnt/ext/opt/vpnopenvpn/etc/openvpn/, which holds the original config from the webinterface of my QNAP. Next thing I tried was to edit the config there, and hoped it won't be replaced at the next boot, but this was not a solution. Rebooted and found the factory-default OpenVPN config files in /mnt/ext/opt/vpnopenvpn/etc/openvpn/.

I digged through many threads on QNAPs official forum, inofficial blog posts, and some init.d-scripts on the QNAP itself to find a way to either turn off the automatic rollout of the factory-default settings or make the QNAP roll out my working configuration to /etc/openvpn.

Here is a list of my unsucessfull tries:

Does anyone know, how to stop QTS to rewrite my configuration files? I dont want to copy the OpenVPN config manually every time the QNAP is rebooted...

HannesS
  • 263

2 Answers2

3

I was looking for a similar solution, because I needed a serverside Open VPN config for fixed IP numbers. My solution was to add a line to the vpn_openvpn.sh file right before it starts the daemon_mgr in my case line 210. 

<snip>
  usr/bin/openssl verify -CAfile /etc/openvpn/keys/ca.crt /etc/openvpn/keys/myserver.crt 2>/dev/null | /bin/grep "OK" >/dev/null
  echo client-config-dir clientconfig >>/etc/openvpn/server.conf
            if [ $? == 0 ] && [ ! -f ${PIDFILE} ]; then
</snip>

I added the line starting with echo. At this point you should also be able to modify the configuration in /etc/openvpn/server.conf

When added here, the line will survive restarts of the OpenVPN Server but as you already painfully experienced, a lot of files get recreated at boot time. This is where the autorun.sh comes into play. How to use it you can find here The exact syntax is based on the type of QNAP NAS you got.

You can add a sed line here to recreate the "fix" at boot time.

sed "210i echo client-config-dir clientconfig >>/etc/openvpn/server.conf" /etc/init.d/vpn_openvpn.sh >/etc/init.d/vpn_openvpn.sh.tmp
rm /etc/init.d/vpn_openvpn.sh
mv /etc/init.d/vpn_openvpn.sh.tmp
chmod +x /etc/init.d/vpn_openvpn.sh
/etc/init.d/vpn_openvpn.sh restart

In your case the autorun.sh should look like this:

sed "210i /bin/sed -i -e 's/client-cert-not-required/#client-cert-not-required/g' /etc/openvpn/server.conf" /etc/init.d/vpn_openvpn.sh >/etc/init.d/vpn_openvpn.sh.tmp
rm /etc/init.d/vpn_openvpn.sh
mv /etc/init.d/vpn_openvpn.sh.tmp /etc/init.d/vpn_openvpn.sh
chmod +x /etc/init.d/vpn_openvpn.sh
/etc/init.d/vpn_openvpn.sh restart

Let me know if it works

Edit: after some rethinking you can do it even shorter

sed -i "210i /bin/sed -i -e 's/client-cert-not-required/#client-cert-not-required/g' /etc/openvpn/server.conf" /etc/init.d/vpn_openvpn.sh 
/etc/init.d/vpn_openvpn.sh restart
TechImpossible
  • 176
0

For removing default gateway pushing in QNAP config:

sed -i -e '/if \[ $? == 0 \] && \[ ! -f ${PIDFILE} \]; then/a\/bin\/sed -i -e \"s/push \\"redirect-gateway def1\\"/#push \\"redirect-gateway def1\\"/g\" /etc/openvpn/server.conf' /etc/init.d/vpn_openvpn.sh

Why not being able to do this by default, and why QNAP have configured their devices so they overwrite configs and are in all strange convention and different directories is such bad practice and a mystery.

People shouldn't need such difficult workarounds and autorun files for such basic stuff on Linux. It's almost as if they wanted to make Linux more confusing and difficult than it is.

NotoriousPyro
  • 121