Manually customize the OpenVPN server configuration

Started by cygofi, May 04, 2024, 02:18:40 PM

Is it possible to manually customize the configuration of an OpenVPN server instance?
Gladly also in a custom file via SSH. I would like to add additional options.

I have tried to edit the file /var/etc/openvpn/instance-<SERVER_ID>.conf, but this is overwritten every time the OpenVPN server is restarted.

Under Servers [legacy] there was still the "Advanced" field where you could add your own options, which unfortunately no longer exists under the new "Instances". I want to set up a future-oriented system and I assume that the "legacy" menus will no longer be available in the future.

Why do I have to edit the configuration manually?
My plan is to use the OpenVPN server plugin openvpn-auth-oauth2 (https://github.com/jkroepke/openvpn-auth-oauth2) for OAuth2 authentication. For this, the options management-client-auth and auth-user-pass-optional must also be set for the OpenVPN server. However, the option auth-user-pass-verify must not be set. Depending on the configuration, other options may also need to be set.




Of course, it would be great if the OpenVPN plugin openvpn-auth-oauth2 could be integrated directly into OPNsense in the future, but this is certainly nothing that can be realized in the short term.

Hello,

I need custom options as well.

tun-mtu in my case.

Where can I set it?

May 08, 2024, 05:31:52 PM #2 Last Edit: May 09, 2024, 09:59:23 PM by maclinuxfree
I rolled back to OpenVPN legacy for now.

I agree 100% with this post.  I have written a topic recently about my OPNsense VM that I want to use to grant external users access to locally hosted video game servers.  My configuration works really well with high throughput for dev tun however I need dev tap.  I can browse the web connected using dev tap however cannot ping my home network (or host machine) where the game server(s) will reside.

OPNsense seems like a nice all-in-one package until you start to use it.  Now rather than look at one simple server.conf file I have to look in a tree of webpages.  It's a lot more difficult.  As a matter of fact I have done something very similar in the past and I could essentially modify my existing server.conf however I cannot simply copy/paste it to OPNsense.

+1 for option to specify custom config lines

+1 for option to provide custom config file

Quote from: Kamislav on November 02, 2024, 02:06:57 PM
+1 for option to specify custom config lines

+1 for option to provide custom config file

After more investigation I have found that this functionality is being removed from OPNsense for security reasons (a user with GUI access can abuse some config to run privileged commands and thus bypass security - based on a real security issue from the past).
So what you can do is implement the needed options/configurations so they can be set using the GUI. It is not so hard, you need to modify a few files under the /usr/local/opnsense/mvc/app/ path. Actually there are still legacy blocks of code, so it is a bit messy. I think anyone with average knowledge about PHP and MVC frameworks can do this for you. Also consider providing it as a patch for the community.
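
The risk described in the post above, seen from the validation side, as an added example that is not part of the thread and not OPNsense code: a free-text options block is only safe if each line is checked against an allowlist, because several OpenVPN directives run scripts or load plugins. The function name, the allowlist contents (options requested in this thread) and the tun-mtu range are assumptions made for the example.

```python
import shlex

# Options requested in this thread, each with an argument check.
# The tun-mtu range is an assumption chosen for this example.
ALLOWED = {
    "tun-mtu": lambda a: len(a) == 1 and a[0].isascii() and a[0].isdigit()
    and 576 <= int(a[0]) <= 65535,
    "management-client-auth": lambda a: not a,
    "auth-user-pass-optional": lambda a: not a,
}

# OpenVPN directives that run a command, load a plugin or pull in another file.
RUNS_CODE = {
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin", "script-security", "iproute", "config",
}


def check_custom_options(text):
    """Return (accepted, rejected); rejected holds (line_no, option, reason)."""
    accepted, rejected = [], []
    # splitlines() also separates a directive smuggled in after an embedded newline.
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or OpenVPN comment
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            rejected.append((line_no, line, "unbalanced quoting"))
            continue
        option, args = tokens[0].lstrip("-"), tokens[1:]
        if option in RUNS_CODE:
            rejected.append((line_no, option, "can run code with the daemon's privileges"))
        elif option not in ALLOWED:
            rejected.append((line_no, option, "not on the allowlist"))
        elif not ALLOWED[option](args):
            rejected.append((line_no, option, "invalid argument"))
        else:
            accepted.append(shlex.join([option] + args))
    return accepted, rejected


# Constructed sample input, as it might arrive from a free-text field.
SAMPLE = ("tun-mtu 1400\n# oauth2 plugin prerequisites\nmanagement-client-auth\n"
          "auth-user-pass-optional\nup /tmp/hook.sh\n--plugin /tmp/x.so\n"
          "tun-mtu abc\nfloat")

if __name__ == "__main__":
    ok, bad = check_custom_options(SAMPLE)
    print("accepted:", ok)
    for entry in bad:
        print("rejected:", entry)
```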

This is still a problem. I also need tun-mtu and am therefore currently forced to use the legacy server, with the deprecation notice looming over it.

There even was a related GitHub issue once:
https://github.com/opnsense/core/issues/6758
-- It was about the "port-share" option, but the underlying issue is the same (not being able to set OpenVPN options through the GUI).
This was denied as "not planned".

I really hope that this can be improved. I do understand that OpenVPN options are a nightmare and OPNsense wants to keep the UI tidy, but this feels like Apple removing well-needed features because they think that "you should not need this".

Quote from: jeremias.winter on October 22, 2025, 01:11:24 PM
This is still a problem. I also need tun-mtu and am therefore currently forced to use the legacy server, with the deprecation notice looming over it.

Are you enabling advanced settings... see screenshots
opnsense newb - migrating from AsusWRT-Merlin
General DIY'er - N150 6LAN