Forum rules


If you would like help, here are a few things you will want to do in order to help us help you.

**Post your configs from client and server, without comments. You can strip comments in linux/bsd with something like this:
grep -vE '^#|^;|^$' server.conf
**Tell us your goal.
**If you are having problems connecting, post your logfiles from server and client after using verb 4 in both configs


Also, there are 2 things you should be aware of:

**Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
**You ONLY want to use dev tap if you are tunneling layer2 traffic; if you are using IP traffic you want tun. If you are using tap only for windows file sharing, look into running a WINS server instead.



 auth-user-pass file and encrypted password ? 
 Post subject: auth-user-pass file and encrypted password ?
PostPosted: Wed Jun 01, 2011 12:09 pm 
OpenVpn Newbie

Joined: Wed Jun 01, 2011 12:02 pm
Posts: 2
Hi !

I plan to use openVPN Client as a Windows service to allow non-admin users to successfully connect.
By now everything works great.

The problem with this configuration is that username and password have to be stored in a text file, so it is not very secure...

Is there a way to encrypt the password in the text file ?

Regards,


 
 Post subject: Re: auth-user-pass file and encrypted password ?
PostPosted: Wed Jun 01, 2011 12:16 pm 
Forum Team

Joined: Fri Aug 20, 2010 2:57 pm
Posts: 2702
Location: Amsterdam
Depends on how the password is processed by the server.
If the password needs to be passed on to e.g. a pam module, then the password must first be decrypted before it can be fed to pam; thus, even if you were to encrypt the password, it must be in a format that can again be DEcrypted.
If all you need to do is match the password (or its hash) against a hash in a file, then you can store an encrypted or hashed password.

_________________
JJK / Jan Just Keijser
http://www.nikhef.nl/~janjust/vpn/OpenVPN2-Cookbook/index.html
http://www.nikhef.nl/~janjust/vpn/OpenVPN2-Cookbook/errata.html


 
 Post subject: Re: auth-user-pass file and encrypted password ?
PostPosted: Wed Jun 01, 2011 12:32 pm 
OpenVpn Newbie

Joined: Wed Jun 01, 2011 12:23 pm
Posts: 7
This modified version of the original Windows GUI http://openvpn-mi-gui.inside-security.de/ supports the openvpn management interface.

If you have user and password in a text file you might as well not have user/pass authentication so prompting the user is the way to go.

With this version of the windows GUI you can prompt the user for their username and password with something like this in your client config file.

management 127.0.0.1 7777
management-hold
management-query-passwords
auth-retry interact

On my server I have a bespoke authentication plugin that I literally knocked up that uses htpasswd managed password files for authentication. On the server side I have

auth-user-pass-verify "/etc/openvpn/openvpn-passwd /etc/openvpn/passwd" via-file

where /etc/openvpn/passwd is my htpasswd managed file and the following C program compiles into openvpn-passwd -
http://openvpn.defsdoor.org/openvpn-passwd.c

If you have hundreds of users then using htpasswd authentication may start to be too resourceful - it will do a scan to match on the entire passwd file each time. When I hit this limit I will start indexing the file with a separate binary-chop index.


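Added example, not from the original posts and not the openvpn-passwd.c program linked above: a small verifier for `auth-user-pass-verify ... via-file` that illustrates the two replies above, storing only a salted hash and matching the offered password against it. It assumes a constructed `user:iterations:salt:hash` PBKDF2 record format rather than htpasswd's own hash formats, and all function names are hypothetical.

```python
import base64, hashlib, hmac, os, sys

ITERATIONS = 200_000  # assumed work factor for this example

def make_record(user, password, salt=None):
    """Build one 'user:iterations:salt:hash' line (constructed format, not htpasswd's)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%s:%d:%s:%s" % (user, ITERATIONS, base64.b64encode(salt).decode(),
                            base64.b64encode(digest).decode())

def load_db(lines):
    """Index records by username once, so a lookup is not a scan of the whole file."""
    db = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, iters, salt, digest = line.split(":")  # malformed line -> ValueError
        db[user] = (int(iters), base64.b64decode(salt), base64.b64decode(digest))
    return db

def verify(db, user, password):
    """Return True only if PBKDF2 of the offered password matches the stored hash."""
    # Unknown users are hashed against a dummy record so timing does not reveal them.
    iters, salt, stored = db.get(user, (ITERATIONS, b"\0" * 16, b"\0" * 32))
    offered = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(offered, stored) and user in db

def read_credentials(path):
    """via-file: OpenVPN writes the username on line 1 and the password on line 2."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise ValueError("malformed credentials file")
    return lines[0], lines[1]

def main(argv):
    # argv[1] = password database, argv[2] = temporary file name appended by OpenVPN
    try:
        with open(argv[1], encoding="utf-8") as fh:
            db = load_db(fh)
        user, password = read_credentials(argv[2])
        return 0 if verify(db, user, password) else 1  # 0 = accept, non-zero = reject
    except (OSError, ValueError, IndexError):
        return 1  # fail closed on any error

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```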
 
 Post subject: Re: auth-user-pass file and encrypted password ?
PostPosted: Wed Jun 01, 2011 10:13 pm 
OpenVpn Newbie

Joined: Wed Jun 01, 2011 12:02 pm
Posts: 2
Thanks for your replies.

I've installed the modified version of the original Windows GUI from http://openvpn-mi-gui.inside-security.de

It works fine and this is exactly what I need.

Why doesn't the official GUI provide the same features as this modified GUI? It should... maybe as an option in the setup process, that would be great...

Best regards


 
 Post subject: Re: auth-user-pass file and encrypted password ?
PostPosted: Thu Jun 02, 2011 8:31 am 
OpenVpn Newbie

Joined: Wed Jun 01, 2011 12:23 pm
Posts: 7
The original gui doesn't seem to be maintained anymore but I believe that that modified version will be the standard in a forthcoming release.

The one mentioned on the wiki http://sourceforge.net/projects/openvpn-gui/ doesn't work with service started management interfaces so is completely pointless at the moment (imho).

The modified one I pointed you to seems to work flawlessly though and with some registry changes to limit user options is great for end users.

I've recently set up a 4 instance openvpn server for load distribution across 4 CPUs with a view to rolling out 400 clients. As part of this I have scripted client addition, password setting and installation zip file building so the install is easy.

Below is my installation batch file template - this is used to create a per-client installation with %%CLIENT%% being replaced with the client name when the zip file is built. It might prove useful.

INSTALL.BAT
Code:
@ECHO OFF
REM OPENVPN INSTALLATION HELPER BATCH FILE
REM
REM IN CURRENT DIR SHOULD BE ALL THE INSTALLATION FILES EXTRACTED FROM
REM ZIP FILE
REM

IF EXIST "C:\Program Files (x86)" GOTO  BIT64
SET PROGDIR=C:\Program Files
SET OS=32
GOTO DONE
:BIT64
SET PROGDIR=C:\Program Files (x86)
SET OS=64
:DONE

REM CHANGE TO THE DIRECTORY THIS BATCH FILE LIVES IN
REM (%~dp0 STILL WORKS WHEN THE PATH CONTAINS SPACES)
SET "BATDIR=%~dp0"
ECHO The batch file is located in directory %BATDIR%
ECHO.
CD /D "%BATDIR%"
SET BATDIR=

REM FIRST INSTALL OPENVPN GUI
.\openvpn-2.2.0-install.exe

REM ECHO INSTALLING AUTH OPENVPN EXE
MOVE "%PROGDIR%\OpenVPN\bin\openvpn-gui-1.0.3.exe" "%PROGDIR%\OpenVPN\bin\openvpn-gui-1.0.3.exe.org"
COPY openvpn-mi.exe "%PROGDIR%\OpenVPN\bin\openvpn-gui-1.0.3.exe"

ECHO INSTALLING CONFIG FILE
COPY office.ovpn "%PROGDIR%\OpenVPN\config\"

ECHO INSTALLING CERTIFICATES
COPY ca.crt "%PROGDIR%\OpenVPN\config\"
COPY %%CLIENT%%.crt "%PROGDIR%\OpenVPN\config\"
COPY %%CLIENT%%.key "%PROGDIR%\OpenVPN\config\"
COPY ta.key "%PROGDIR%\OpenVPN\config\"

ECHO UPDATING REGISTRY
regedit /S openvpn%OS%.reg
regedit /S vnc%OS%.reg

ECHO INSTALLING VNC SERVER
tightvnc-2.0.2-setup.exe

ECHO STARTING OPENVPN SERVICE
sc config openvpnservice start= auto
sc start openvpnservice

ECHO STARTING VNC SERVER
sc config tvnserver start= auto
sc start tvnserver

ECHO INSTALLING STARTUP LINKS
xxmklink "%ALLUSERSPROFILE%\Start Menu\Programs\Startup\openvpngui.lnk" "%PROGDIR%\OpenVPN\bin\openvpn-gui-1.0.3.exe" "" "%PROGDIR%"

ECHO INSTALLATION COMPLETE

CALL PERMS.BAT
PAUSE
"%ALLUSERSPROFILE%\Start Menu\Programs\Startup\openvpngui.lnk"


PERMS.BAT
Code:
REM CHANGE TO THE DIRECTORY THIS BATCH FILE LIVES IN
REM (%~dp0 STILL WORKS WHEN THE PATH CONTAINS SPACES)
SET "BATDIR=%~dp0"
ECHO The batch file is located in directory %BATDIR%
ECHO.
CD /D "%BATDIR%"
SET BATDIR=

ECHO Enter user names to grant service stop/start to.
:nameloop
SET NAME=
SET /P NAME=Username:
IF "%NAME%" == "" GOTO done
ECHO %NAME%
SUBINACL /SERVICE "OpenVPNService" /GRANT=%NAME%=TO
GOTO nameloop
:done


The Zip file contents look like this -
Code:
-rw-r--r-- 1 root root    1432 May 12 18:36 ca.crt
-rw------- 1 root root     636 May 12 18:42 ta.key
-rw-r--r-- 1 root root  290304 May 19 16:43 subinacl.exe
-rw-r--r-- 1 root root   85504 May 19 16:43 openvpn-mi.exe
-rwxr--r-- 1 root root    1098 May 19 16:43 openvpn32.reg
-rw-r--r-- 1 root root 1405368 May 19 16:43 openvpn-2.2.0-install.exe
-rw-r--r-- 1 root root   49152 May 20 21:34 xxmklink.exe
-rw-r--r-- 1 root root  657656 May 20 21:49 tightvnc-2.0.2-setup.exe
-rwxr--r-- 1 root root    2572 May 20 21:56 vnc32.reg
-rw-r--r-- 1 root root     340 May 25 15:56 perms.bat
-rwxr--r-- 1 root root    1158 May 26 14:48 openvpn64.reg
-rwxr--r-- 1 root root    2616 May 26 14:49 vnc64.reg
-rw-r--r-- 1 root root    1084 Jun  1 14:50 office.ovpn
-rw-r--r-- 1 root root    1608 Jun  1 14:50 install.bat
-rw------- 1 root root     887 Jun  1 14:50 fredbloggs.key
-rw-r--r-- 1 root root    4040 Jun  1 14:50 fredbloggs.crt


You might notice it also installs tightvnc. The registry files set up the openvpn gui and tightvnc settings.
I include subinacl and xxmklink to allow the service rights to be granted and create shortcuts to startup.
It also uses sc to set the services to auto start and to start them.

It's a bit Heath Robinson in some respects - but it seems to work.


 