Firewall – Endian Community: How to correct PURPLE_DEVICE in /var/efw/openvpn/settings permanently

endian-firewall, firewall, openvpn

Dear serverfault community,

I am currently migrating a "normal" IPTABLES firewall with an OpenVPN server to a new box containing Endian Community Firewall 2.5.1.

The new Endian firewall contains an OpenVPN server; however, I cannot use the new server with those settings since the VPN users have special requirements.

Therefore I replaced the VPN server configuration on the Endian box (and also the template for the VPN configuration file).

The issue is that I have to use tun0 as a device, not tap0. Endian doesn't support tun0 naturally and somehow uses tap0 as the VPN device.

This leads to IPTABLES rules which only apply to tap devices.
I therefore had to apply some IPTABLES rules manually in order to get OpenVPN with the old configuration and tun0 device working.

When I reboot my new Endian box, those rules are overwritten again (tap0 instead of tun0).
I tracked down why these IPTABLES rules are generated with tap0:
/var/efw/openvpn/settings
-> PURPLE_DEVICE=tap0

Endian uses this file to generate the IPTABLES rules. When I change the value for PURPLE_DEVICE to tun0 and regenerate the IPTABLES rules, it all works.
Unfortunately a reboot of the Endian box overwrites the settings file and I did not find out how I can prevent Endian from doing so.

So – how can I change the settings file permanently so it always contains PURPLE_DEVICE=tun0?

I already edited /usr/lib/efw/openvpn/default/settings, but unfortunately this seems not to have any effect at all.

I can't set an immutable bit on this file since Endian doesn't support it.

Best Answer

Editing /usr/lib/python2.4/site-packages/endian/restartscripts/openvpnjob.py did the trick: The function get_tap() searches for tap devices; simply switch the search to tun.
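A check to run after a reboot, as an added example that is not part of the original question or answer and is not Endian code: it compares PURPLE_DEVICE in the settings file with the tun/tap interfaces named in `iptables-save` output. The function names are hypothetical and the sample settings and rules are constructed.

```shell
#!/bin/sh
# Added example (not Endian code): detect a tun/tap mismatch between
# /var/efw/openvpn/settings and the loaded iptables rules.

# Print the PURPLE_DEVICE value from a KEY=value settings file.
purple_device() {
    sed -n 's/^PURPLE_DEVICE=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Print each tun*/tap* interface used with -i/-o in iptables-save output (stdin).
vpn_ifaces_in_rules() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "-i" || $i == "-o") {
               n = $(i + 1); if (n == "!") n = $(i + 2)
               if (n ~ /^(tun|tap)/) print n } }' | sort -u
}

# check_drift SETTINGS RULES: 0 = consistent, 1 = mismatch, 2 = device unset.
check_drift() {
    dev=$(purple_device "$1")
    if [ -z "$dev" ]; then echo "PURPLE_DEVICE not set in $1"; return 2; fi
    kind=$(printf '%s' "$dev" | cut -c1-3)      # "tun" or "tap"
    bad=$(vpn_ifaces_in_rules < "$2" | grep -v "^$kind" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "MISMATCH: settings say $dev, rules reference: $bad"
        return 1
    fi
    echo "OK: VPN rules match $dev"
}

# Constructed sample data: settings edited to tun0, rules still generated for tap0.
demo_dir=$(mktemp -d)
printf 'PURPLE_DEVICE=tun0\n' > "$demo_dir/settings"
printf '%s\n' '*filter' '-A INPUT -i tap0 -j ACCEPT' \
    '-A FORWARD -i tap0 -o eth0 -j ACCEPT' 'COMMIT' > "$demo_dir/rules"
check_drift "$demo_dir/settings" "$demo_dir/rules" || true
# On the firewall: iptables-save > /tmp/rules
#                  check_drift /var/efw/openvpn/settings /tmp/rules
```

A mismatch here means VPN traffic is being matched against rules for the wrong device type, so the manually applied rules or the regenerated ones need to be checked before relying on the firewall policy.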