We are already using OpenVPN with the CC100. With the additional information from this forum and the YouTube how-to video (https://www.youtube.com/watch?v=H4c7NQiCalk) regarding the extra OVPN config lines
Our question is now the following:
Is it possible to deploy the profile configuration without using the UI (WBM > Security > OpenVPN / IPsec), for example by copying it to the controller via SCP, and then configuring it via terminal (SSH) to
store the configuration, and
enable OpenVPN using the previously stored profile configuration?
What commands would be required for this?
Our goal is to perform this step without any user interaction (UI).
Everything that you can do from WBM you can do with scripts from /etc/config-tools (that's how WBM works, it runs scripts using PHP). So there is /etc/config-tools/vpncfg
    /etc/config-tools ./vpncfg --help
    Usage: vpncfg -h|--help
           vpncfg vpn CMD
           vpncfg VPN CMD
           vpncfg crt CMD
           vpncfg file CMD [OPTIONS]

    Basic commands:
      -h, --help            prints this help

    vpn - general commands:
      vpncfg vpn CMD
        --get-full-status   returns all status information using json format,
                            including the list of certificates from --get-cert-command

    VPN - OpenVPN/IPsec common commands:
      vpncfg VPN CMD        executs command for a selected type of vpn framework.
                            VPN can be set to either ipsec or ovpn and there are
                            the following types of CMD commands:
        --is-enabled        returns enabled|disabled if VPN is started on boot
        --enable            enables VPN on boot
        --disable           disables VPN on boot
        --is-running        returns running|stopped status of the VPN
        --start             starts VPN service
        --stop              stops VPN service
        --restart           restarts VPN service
        --reload            orders VPN to reload configuration files

    crt - certificate commands:
      vpncfg crt CMD
        --get-list          returns a list of certificates using json format

    key - private keys commands:
      vpncfg key CMD
        --get-list          returns a list of private keys using json format

    file - file commands:
      vpncfg file CMD [OPTIONS]
        --store FILE SRC_FILE
                            copies content of a file designated by SRC_FILE to its
                            correct name. If the file already exists it will be
                            overwritten. FILE parameter names a type of a file
                            which might be one of: cert, key, ipsec.conf, ipsec.secrets
                            openvpn.conf. Source files shall be stored inside
                            /tmp/vpncfg/ directory.
        --read FILE         drops content of a file on std out. Allowed are the following
                            FILE values: ipsec.conf, openvpn.conf.
        --remove FILE [NAME]
                            removes a file completely. In case of the FILE argument
                            allowed are all values from --store command, but in case
                            of the cert and key files also NAME of the file must be given.
        --copy FILE USER GROUP
                            copies content of a FILE to a /tmp/vpncfg-out/FILE location.
                            FILE values: ipsec.conf, openvpn.conf.
                            The copied file will be owned by USER:GROUP with access
                            rights set to 0600.

    Example:
      vpncfg ipsec --is-enabled
      vpncfg file --store cert user_certificate.pem
      The full source file path is:
        /tmp/vpncfg/user_certificate.pem
You can also edit the OpenVPN config file directly: /etc/openvpn/openvpn.conf, and then just reload the configuration and enable OpenVPN with commands
Thank you very much for your detailed explanation.
We were aware that /etc/config-tools is used in the background; however, it only became clear through your response that vpncfg is the corresponding script behind it. This clarification was particularly valuable for us. With this insight, and the additional guidance from the --help description, we are now able to proceed effectively.
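An unattended deployment assembled from the vpncfg commands in the help output above, as an added example that is not part of the original thread. The function name deploy_ovpn, the placeholder address 192.0.2.10, the file names, and logging in over SSH as a user allowed to run vpncfg are assumptions; the profile is streamed over ssh rather than copied with scp so that it is created with mode 0600 from the start.

```shell
#!/bin/sh
# Added example (not from the thread): unattended OpenVPN profile deployment.
# BatchMode makes ssh fail instead of prompting; the controller's host key
# must already be in known_hosts. SSH is overridable for dry runs and tests.
SSH=${SSH:-ssh -o BatchMode=yes}
VPNCFG=/etc/config-tools/vpncfg
STAGE=/tmp/vpncfg   # staging directory required by `vpncfg file --store`

# deploy_ovpn TARGET LOCAL_CONF   (TARGET e.g. root@192.0.2.10, a placeholder)
deploy_ovpn() {
    target=$1 conf=$2
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # 1. Stage the profile. It may embed key material, so create it 0600
    #    from the start instead of copying and fixing the mode afterwards.
    $SSH "$target" "mkdir -p $STAGE && rm -f $STAGE/openvpn.conf && \
umask 077 && cat > $STAGE/openvpn.conf" < "$conf" || return 1

    # 2. Store it, then delete the staged copy whether or not the store worked.
    $SSH "$target" "$VPNCFG file --store openvpn.conf openvpn.conf; rc=\$?; \
rm -f $STAGE/openvpn.conf; exit \$rc" || return 1

    # 3. Enable on boot, then restart a running service or start a stopped one.
    $SSH "$target" "$VPNCFG ovpn --enable" || return 1
    state=$($SSH "$target" "$VPNCFG ovpn --is-running") || return 1
    if [ "$state" = running ]; then action=--restart; else action=--start; fi
    $SSH "$target" "$VPNCFG ovpn $action" || return 1

    # 4. Verify rather than assume.
    state=$($SSH "$target" "$VPNCFG ovpn --is-running") || return 1
    [ "$state" = running ] || { echo "OpenVPN is $state on $target" >&2; return 3; }
    echo "OpenVPN enabled and running on $target"
}

# Run only when called with arguments: ./deploy.sh root@192.0.2.10 client.ovpn
if [ "$#" -eq 2 ]; then deploy_ovpn "$1" "$2"; fi
```

The function returns 3 when the service is not reported as running after the start, so a calling provisioning job can fail the rollout instead of leaving a controller silently without its tunnel.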