I would like to change configuration settings on one of our firewalls in a remote office. Is there any way to change these settings while logged in, then restart openvpn? I tried changing them via the config files logging in through ssh, then rebooting the firewall, but the settings were reset back. The remote system was configured by someone else on site at the time (they are no longer with the company), and they didn’t setup dns or domain settings in openvpn. This means people remotely logging into this remote office have to look at a shared spreadsheet to know what system has what IP on the network, and internal automation tools are being hardcoded to ip addresses instead of hostnames (all systems are dhcp but ipfire has a list of macs for each system to retain the same ip on reboot).
You need to open a hole on red so you can access from the outside. That has security considerations. But, if you do, then you can maintain ssh connection with the remote office.
openvpn server configuration in
you can start/kill/restart vpn with
You cant do it over the vpn, as it would be like pulling the ladder away whilst you are up it.
There is a few ways to do it.
As Paul says open an external port ie 444 from the firewall to an ip you trust. then use browser to modify, you can safely then stop the vpn whilst you modify. Easiest method.
If you have ssh access but not web admin access. Assuming you have ssh access without vpn use. Port forward 444 port locally. You can do that using putty, in the ssh section. Google it. Then use a browser to connect to https://127.0.0.1:444 say. You can now modify the openvpn setup.
If you only have vpn access:- You could tunnel an ssh connection backout the way to an ssh server. You then set up a listening port on that machine. That allows you to connect to it and it should tunnel back to the ipfire box. Its complicated setup, but can be done. I have used this technique where I had no access to a firewall.
for example:- on firewall: ssh -fTN -R 2222:localhost:222 ausername@host_on_internet. This will start an SSH session on ipfire host and go into the background. It connects to the host called host_on_internet and redirects port 222 from the firewall to host_on_the_internet. If you now jump onto the box host_on_the internet you can connect to the ipfire machine by entering:- ssh -p 2222 root@localhost.
Note you will need a user that you can login to on host_on_internet.
note: I did say it was complicated Be very careful to get it right as if you don’t and you shut down the VPN, you could loose all connectivity. Perhaps test the method out on another host first that you have access to.
If you have ssh access, and feel confident you could modify the openvpn config files by hand.
Take a tar backup first. Again if ssh is over VPN be careful as when you restart the VPN may not start.
Sorry for not getting back to this. Work has me pulled in multiple directions.
I have tried remotely ssh to the firewall, and making the modifications directly to the files prior to a full server reboot, but they seem to have been overwritten when the service shutdown for reboot.
Another option I was gearing up to try was ipsec, but it is a PITA to configure for an Ubuntu client (all of the docs are for Windows/Mac/Android). I don’t do Windows or Mac, and using my cell phone for this, while doable, is rather tedious (I have done remote server management before on my cell phone while attempting to have a romantic dinner at an Italian restaurant - gave management hell for bugging me on a Saturday).
I would like to strongly discourage everyone from modifying the system configuration files. They will be overwritten or might simply create a setup that does not work.
OpenVPN needs to be restarted when the configuration is being changed. For some reason OpenVPN does not support this at all.
The problem is with a remote firewall system. So far, my options seem to be:
- Manually edit the files and hope they take after a system update/reboot. Yes, this is risky and I DON’T recommend it unless you know EXACTLY what you are doing. For me, that required setting up a test network in my house (I have a LOT of spare systems, so easy enough) and experimenting. Haven’t been fully successful though, I’m guessing the system has security settings in place to prevent this. And I haven’t had a lot of time to focus on this (we are seriously short staffed, being a young startup)
- Backup the system, restore backup in test network, make changes, test changes, backup, restore to remote firewall. Haven’t tried this method. Worth experimenting.
- Get IPSec VPN working. So far, the only issue is that I don’t have Windows or Mac, and getting it working on Ubuntu is … challenging. With a backup VPN, it should be easy to stop openvpn and reconfigure. Again, copious spare time.
- Fly to India and fix the system in our office directly. Yea, not really an option.
I would recommend option 4. Paid holidays in India sounds not so bad after all
But serious, my spontanious idea: if you have a client in that remote network, maybe you can get a user to install Anydesk, Teamviewer, LogMeIn etc. so you can control his/her computer as if you were there. So you could modify OpenVPN while not being connected through OpenVPN and restart it. Then uninstall Teamviewer or whatever tool you’ve used.
And if everything breaks, you can still fly to India
Oh… and HAPPY 2021 everyone!