Dear serverfault community,
I am currently migrating a "normal" IPTABLES firewall with an OpenVPN server to a new box containing Endian Community Firewall 2.5.1.
The new Endian firewall contains an OpenVPN server; however, I cannot use the new server with those settings since the VPN users have special requirements.
Therefore I replaced the VPN server configuration on the Endian box (and also the template for the VPN configuration file).
The issue is that I have to use tun0 as a device, not tap0. Endian doesn't support tun0 naturally and somehow uses tap0 as the VPN device.
This leads to IPTABLES rules which only apply to tap devices. I therefore had to apply some IPTABLES rules manually in order to get OpenVPN with the old configuration and tun0 device working.
When I reboot my new Endian box, those rules are overwritten again (tap0 instead of tun0). I tracked down why these IPTABLES rules are generated with tap0: /var/efw/openvpn/settings -> PURPLE_DEVICE=tap0
Endian uses this file to generate the IPTABLES rules. When I change the value for PURPLE_DEVICE to tun0 and regenerate the IPTABLES rules, it all works. Unfortunately a reboot of the Endian box overwrites the settings file and I did not find out how I can prevent Endian from doing so.
So - how can I change the settings file permanently so it always contains PURPLE_DEVICE=tun0?
I already edited /usr/lib/efw/openvpn/default/settings, but unfortunately this seems not to have any effect at all.
I can't set an immutable bit on this file since Endian doesn't support it.
Editing /usr/lib/python2.4/site-packages/endian/restartscripts/openvpnjob.py did the trick: The function get_tap() searches for tap devices; simply switch the search to tun.
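
A post-reboot check for the problem discussed in this thread, as an added example that is not part of the original posts and not Endian code: it reads PURPLE_DEVICE from a settings file and flags rules in `iptables-save` output that still name a different tun/tap device. The function names, the sample settings and the sample rules are constructed for illustration; on a real box the inputs would be /var/efw/openvpn/settings and a saved `iptables-save` dump.

```shell
#!/bin/sh
# Added example (not Endian code): confirm that the settings file and the
# loaded rule set both name the expected VPN device after a reboot.

# Print the last PURPLE_DEVICE value found in a KEY=VALUE settings file.
purple_device() {
    sed -n 's/^PURPLE_DEVICE=[[:space:]]*//p' "$1" | tail -n 1
}

# Read iptables-save output on stdin; print every rule whose -i/-o interface
# is a tun/tap device other than the expected one ($1).
stale_rules() {
    awk -v want="$1" '/^-A / {
        for (i = 1; i < NF; i++)
            if (($i == "-i" || $i == "-o") &&
                $(i + 1) ~ /^(tun|tap)[0-9]*[+]?$/ && $(i + 1) != want) {
                print; next
            }
    }'
}

# check_vpn_device SETTINGS RULES EXPECTED: return 0 if consistent, else 1.
check_vpn_device() {
    rc=0
    dev=$(purple_device "$1")
    if [ "$dev" != "$3" ]; then
        echo "settings: PURPLE_DEVICE=$dev, expected $3"; rc=1
    fi
    bad=$(stale_rules "$3" < "$2")
    if [ -n "$bad" ]; then
        echo "rules bound to the wrong device:"; echo "$bad"; rc=1
    fi
    return $rc
}

# Constructed sample data: the state after a reboot reverted the device.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'EXAMPLE_KEY=1\nPURPLE_DEVICE=tap0\n' > "$demo_dir/settings"
cat > "$demo_dir/rules" <<'EOF'
*filter
-A INPUT -i tap0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tap0 -j ACCEPT
COMMIT
EOF
check_vpn_device "$demo_dir/settings" "$demo_dir/rules" tun0 || echo "result: mismatch"
```

Running it from a boot-time or cron job and alerting on a non-zero result shows when a firmware update or reboot has put the tap0 rules back.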