Undo overwrite configuration files OpenVPN

NethServer Version: Latest
Module: openvpn
Hello!
Since the OpenVPN module does not have enough standard settings for my configuration, I have to fix some configuration files manually. But after rebooting the server, all changes are naturally overwritten. I would like to know what to do, so that they will not be overwritten?

Hi, what settings do you need to be persistent?

You’ll need to spend some minutes reading the developer manual:
http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html

I’d like to add more options to the openvpn page, what options do you need?

BTW, your modifications are overwritten when you change the configuration, not when you reboot.

I would like to see several network routes.

I did not change the configuration, I just restarted the server …

I took the liberty to (google) translate the topic title into English. @kelevra if the translation is not adequate, please feel free to replace it with a better English translation.

@kelevra, if I understand your problem, routes can be added with “static routes” under the GUI or via CLI “db”
@filippo_carletti hi, I also/already asked for a few options mainly for security improvements like:
`--cipher` and
`--auth-nocache` option

or
server certificate validation options

Would be great to have them in GUI, not only through templates. Cheers.

It may happen that the routes do not rise after the fall of the VPN. And why superfluous if OpenVPN itself knows how. There are so many interesting features in it that I would like to see in nethserver.

Both options seem to be targeted at expert users; we could put them in an Advanced section (folded by default).
But I’d prefer to offer sensible defaults.
AFAIU, we should change the default BF-CBC cipher to something safer like AES-128-CBC.
Regarding the auth-nocache, it may become a default, right?

Our policy is to try to leave original defaults, hoping the software authors chose sensible defaults.
Your suggestions are really valuable to us.

1 Like

Thanks for the reply. I think these options are also very important for non-expert users, since they may not know the risk of using BF-CBC or of not using a server certificate check: MITM attack. The “advanced section” is a good option. By the way, I like NS a lot :wink: and appreciate your work.

2 Likes

I’d open an issue titled “OpenVPN hardening” or something like that and collect there all improvements to the default configuration.
What about SWEET32 (https://community.openvpn.net/openvpn/wiki/SWEET32)?

1 Like
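The hardening points raised in the posts above (cipher choice and SWEET32, `auth-nocache`, server certificate validation) can be checked mechanically against a client configuration. This is an added example, not part of any post in this thread and not NethServer or OpenVPN code; the function names and sample configs are constructed, and it assumes, as the thread states, that an unset `cipher` means the BF-CBC default.

```python
# Added example, not NethServer or OpenVPN project code. Sample configs are constructed.
# Cipher name prefixes with a 64-bit block size, the class affected by SWEET32.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "DESX-", "CAST5-", "RC2-", "IDEA-")

WEAK_CONF = """\
client
remote vpn.example.org 1194
auth-user-pass
"""
HARDENED_CONF = """\
client
remote vpn.example.org 1194
cipher AES-256-CBC
auth-nocache
remote-cert-tls server
auth-user-pass
"""

def parse_directives(text):
    """Return {directive: [args]} with comments, blank lines and leading '--' dropped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives[parts[0].lstrip("-").lower()] = parts[1:]
    return directives

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    # Assumption taken from the thread: no cipher directive means BF-CBC.
    cipher = (d.get("cipher") or ["BF-CBC"])[0].upper()
    if cipher.startswith(SMALL_BLOCK_PREFIXES):
        findings.append(f"cipher {cipher}: 64-bit block cipher (SWEET32)")
    if "auth-nocache" not in d:
        findings.append("auth-nocache missing: credentials stay cached in memory")
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append("no server certificate check (remote-cert-tls / verify-x509-name)")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```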

To begin with, adding a few routes would not be bad :wink:

@filippo_carletti, that’s why I’m using AES-256, also a dh2048 file, not dh1024. I’m always open to other security improvements (not only for OpenVPN). The site you mention, which I’ve already checked before, is a nice knowledge base.

We can’t change the default configuration without breaking existing client configurations.
But I agree to add a new option inside the web interface.

We could also add a simple text area where the admin can put extra routes.

If you agree on these points, I can add the improvements inside the public roadmap.

That would be good. :wink:

A “workaround” can be to change the settings and after that change the file permissions to read-only :wink:

Added to the todo-list https://github.com/orgs/NethServer/projects/1#card-2023309

2 Likes