OpenVPN on QNAP QTS 4.2 edited config resets after boot

5

1

I have a QNAP TS-253 Pro (QTS 4.2.0), on which an OpenVPN server is configured and running fine. Since I want to use client certificates to secure the VPN connections, the built-in configuration on the web interface is of no use at all.

So I imported my config and certificate files via SSH / SCP to /etc/openvpn, restarted the OpenVPN server and it worked well until I rebooted the QNAP NAS. The config had gone back to QNAP's factory default.

It appears the /etc/openvpn directory is just a symlink to /mnt/ext/opt/vpnopenvpn/etc/openvpn/, which holds the original config from the web interface of my QNAP. The next thing I tried was to edit the config there, hoping it wouldn't be replaced at the next boot, but this was not a solution. I rebooted and found the factory-default OpenVPN config files in /mnt/ext/opt/vpnopenvpn/etc/openvpn/.

I dug through many threads on QNAP's official forum, unofficial blog posts, and some init.d scripts on the QNAP itself to find a way to either turn off the automatic rollout of the factory-default settings or make the QNAP roll out my working configuration to /etc/openvpn.

Here is a list of my unsuccessful tries:

Does anyone know how to stop QTS from rewriting my configuration files? I don't want to copy the OpenVPN config manually every time the QNAP is rebooted...

HannesS

Posted 2015-10-23T15:41:22.637

Reputation: 153

Found this comment after restarting vpn_openvpn.sh, server.conf resets to default values in the QNAP forum (http://forum.qnap.com/viewtopic.php?t=83804). Seems not to be about your problem but maybe you can get help there.

– marsh-wiggle – 2015-10-24T11:04:18.257

I'm sorry, I already tried the workaround suggested there without success :( – HannesS – 2015-10-25T10:15:53.420

Answers

3

I was looking for a similar solution, because I needed a server-side OpenVPN config for fixed IP numbers. My solution was to add a line to the vpn_openvpn.sh file right before it starts the daemon_mgr, in my case line 210.

<snip>
  /usr/bin/openssl verify -CAfile /etc/openvpn/keys/ca.crt /etc/openvpn/keys/myserver.crt 2>/dev/null | /bin/grep "OK" >/dev/null
  echo client-config-dir clientconfig >>/etc/openvpn/server.conf
            if [ $? == 0 ] && [ ! -f ${PIDFILE} ]; then
</snip>

I added the line starting with echo. At this point you should also be able to modify the configuration in /etc/openvpn/server.conf.

When added here, the line will survive restarts of the OpenVPN server but, as you already painfully experienced, a lot of files get recreated at boot time. This is where the autorun.sh comes into play. How to use it you can find here. The exact syntax is based on the type of QNAP NAS you got.

You can add a sed line here to recreate the "fix" at boot time.

sed "210i echo client-config-dir clientconfig >>/etc/openvpn/server.conf" /etc/init.d/vpn_openvpn.sh >/etc/init.d/vpn_openvpn.sh.tmp
rm /etc/init.d/vpn_openvpn.sh
mv /etc/init.d/vpn_openvpn.sh.tmp /etc/init.d/vpn_openvpn.sh
chmod +x /etc/init.d/vpn_openvpn.sh
/etc/init.d/vpn_openvpn.sh restart

In your case the autorun.sh should look like this:

sed "210i /bin/sed -i -e 's/client-cert-not-required/#client-cert-not-required/g' /etc/openvpn/server.conf" /etc/init.d/vpn_openvpn.sh >/etc/init.d/vpn_openvpn.sh.tmp
rm /etc/init.d/vpn_openvpn.sh
mv /etc/init.d/vpn_openvpn.sh.tmp /etc/init.d/vpn_openvpn.sh
chmod +x /etc/init.d/vpn_openvpn.sh
/etc/init.d/vpn_openvpn.sh restart

Let me know if it works.

Edit: after some rethinking, you can do it even shorter:

sed -i "210i /bin/sed -i -e 's/client-cert-not-required/#client-cert-not-required/g' /etc/openvpn/server.conf" /etc/init.d/vpn_openvpn.sh 
/etc/init.d/vpn_openvpn.sh restart

TechImpossible

Posted 2015-10-23T15:41:22.637

Reputation: 176

Looks very promising, I will try it when I return to office tomorrow :) thanks in advance for sharing! – HannesS – 2015-10-25T10:14:27.860

Works like a charm. I had some trouble trying to fit multiple lines in the sed command as it would not accept \n as newline, but finally I have my config up and running. Thank you! I even used the config disk for storing my configuration files and copying them in autorun.sh - so they can be edited there conveniently. – HannesS – 2015-10-26T12:42:02.063

Glad I could help. – TechImpossible – 2015-10-26T20:20:43.563

I have problems keeping my settings for /etc/config/smb.conf. I think your answer could be the solution. But I don't understand your answer - sorry. Maybe you can explain it a little bit more generally (for all config files). – buhtz – 2016-09-09T09:28:41.320

The point in Tech's answer is to replace or generate a script that is loaded at boot time of the NAS. It could be applied to all config files, regardless of their purpose (ovpn, smb, cron etc.). The autorun.sh in his linked wiki article is run every time the QNAP is restarted, so we edit it to create our own config files and scripts at every reboot. If you can provide some details about where exactly you are struggling, maybe we can support you better :) – HannesS – 2016-09-13T19:30:50.130

0

For removing default gateway pushing in QNAP config:

sed -i -e '/if \[ $? == 0 \] && \[ ! -f ${PIDFILE} \]; then/a\/bin\/sed -i -e \"s/push \\"redirect-gateway def1\\"/#push \\"redirect-gateway def1\\"/g\" /etc/openvpn/server.conf' /etc/init.d/vpn_openvpn.sh

Why this can't be done by default, and why QNAP have configured their devices so that they overwrite configs and use all these strange conventions and different directories, is such bad practice and a mystery.

People shouldn't need such difficult workarounds and autorun files for such basic stuff on Linux. It's almost as if they wanted to make Linux more confusing and difficult than it is.

NotoriousPyro

Posted 2015-10-23T15:41:22.637

Reputation: 101
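
Added example, not part of the original answers: both answers re-patch /etc/init.d/vpn_openvpn.sh at boot, and a command inserted before the "if [ $? == 0 ]" line sits between the certificate check and the $? test, so the test then sees the inserted command's exit status instead. The sketch below anchors on the "if" line as the second answer does, inserts after it, can be run repeatedly, and refuses to patch when the anchor is missing or ambiguous; MARKER, patch_script, write_sample and the sample script are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original posts): idempotent, pattern-anchored
# patch for an init script that the firmware restores at every boot.
# MARKER is a hypothetical tag; ANCHOR is the "if" line quoted in the answers.
MARKER='# local-patch: require client certificates'
ANCHOR='if [ $? == 0 ] && [ ! -f ${PIDFILE} ]; then'
PATCH="/bin/sed -i -e 's/^client-cert-not-required/#client-cert-not-required/' /etc/openvpn/server.conf"

# patch_script FILE
# Inserts MARKER and PATCH directly after the ANCHOR line, i.e. inside the
# "then" branch, so "$?" in the test still holds the result of the
# certificate verification that precedes it.
# Returns 0 when patched or already patched, 1 when the anchor is missing
# or ambiguous (for example after a firmware update changed the script).
patch_script() {
    file=$1
    [ -f "$file" ] || return 1
    grep -qF -- "$MARKER" "$file" && return 0        # already patched
    count=$(grep -cF -- "$ANCHOR" "$file" || true)
    [ "$count" -eq 1 ] || return 1                   # refuse to guess
    tmp="$file.tmp.$$"
    awk -v anchor="$ANCHOR" -v marker="$MARKER" -v patch="$PATCH" '
        { print }
        index($0, anchor) { print marker; print patch }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod +x "$tmp" && mv "$tmp" "$file"
}

# write_sample FILE: constructed stand-in for the relevant lines of
# /etc/init.d/vpn_openvpn.sh (the real script is much longer).
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
/usr/bin/openssl verify -CAfile /etc/openvpn/keys/ca.crt /etc/openvpn/keys/myserver.crt 2>/dev/null | /bin/grep "OK" >/dev/null
if [ $? == 0 ] && [ ! -f ${PIDFILE} ]; then
echo "start daemon here"
fi
EOF
}

# In autorun.sh one would call:
#   patch_script /etc/init.d/vpn_openvpn.sh && /etc/init.d/vpn_openvpn.sh restart
```

A non-zero return from patch_script is worth logging from autorun.sh, because it means the server is running with the vendor default configuration again.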