Adding passwords to a passwordless configuration

Post by epnh » Sat May 13, 2023 5:13 pm

New OpenVPN user here. I just finished installing OpenVPN on a CentOS 7 server using these instructions:

https://www.cyberciti.biz/faq/centos-7- ... 5-minutes/

I then installed clients for Windows 10 and MacOS (Macbook Air notebook). This is the one I installed for Win10:

https://openvpn.net/community-downloads/ file OpenVPN-2.6.3-I003-amd64.msi

...and this is the one I used for MacOS:

https://openvpn.net/client-connect-vpn-for-mac-os/

After some messing around with port forwarding and such, I got it all working.

During the server installation I was asked:

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2] 1

The default was 1 (passwordless) so I selected that.

To my knowledge I'm not using a client on the server machine (CentOS 7), my clients are on Win10 and MacOS as described above.

It all works just fine, but it seems like it's way too easy for me to VPN into my network. I get it that I have a private key and all, and no one should be able to VPN in without that key file, but what if my laptop is stolen? If they can figure out my password to get into the laptop, they'll have all they need to get into my network. Even if they can't figure out my password, they could dismount the hard drive and get the .ovpn file from there and install it on their client installation (and no, I don't have my hard drive encrypted... probably should do that).

I've seen several discussions on how to add passwords but they all assume I'm on THEIR network with THEIR OpenVPN installation, or they assume I'm on an enterprise network with Access Server. Neither of those is the case.

So, how do I go about adding a password requirement after the fact?


Re: Adding passwords to a passwordless configuration

Post by epnh » Sat May 13, 2023 6:20 pm

epnh wrote:
Sat May 13, 2023 5:13 pm
During the server installation I was asked:

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2] 1

The default was 1 (passwordless) so I selected that.

To my knowledge I'm not using a client on the server machine (CentOS 7), my clients are on Win10 and MacOS as described above.

OK, I get it. It wasn't asking me about a client to be installed on the server machine, it was asking me if I wanted to add a password to the .ovpn file that the client machine gets.

I also discovered (by trying it on a machine I don't care about) that if I uninstall the whole thing and reinstall from scratch, and run the installation script again, I can answer "2" to that question and it will do what I want.

It's just that having to uninstall the whole thing and start over is kind of extreme... sort of like "reinstall Windows" every time you run into a Windows problem.

Is there an easier and more direct way?


Re: Adding passwords to a passwordless configuration

Post by Fadim » Fri May 19, 2023 8:38 am

Hi @epnh,
First of all, your security concerns are completely valid. The good news is that you don't have to reinstall everything. You can generate a new client certificate and key with a passphrase without starting from scratch. Here's a general idea:
1. Access your OpenVPN server.
2. Go to the EasyRSA directory (usually it's /etc/openvpn/easy-rsa).
3. Run ./easyrsa build-client-full client1 nopass. Replace client1 with your client name. This generates a new key without a passphrase.
4. Run ./easyrsa build-client-full client1. This time don't include the nopass option. You'll be prompted to enter a passphrase.
5. The new key is created in the pki/private directory. Replace the old key in your client's .ovpn file with the new one.

Remember to keep your passphrase safe and confidential.
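
An alternative to reissuing, as an added example that is not part of the thread: the existing key can be passphrase-protected in place with openssl, so the current certificate keeps working. It assumes a unified .ovpn profile with the key inline between `<key>` and `</key>`; the function name, the `OVPN_KEY_PASS` variable and the file names are hypothetical.

```shell
# Added example, not from the thread. Assumes a unified .ovpn profile with the
# private key inline between <key> and </key>, and the openssl CLI.
# Hypothetical usage (prompts for the passphrase when OVPN_KEY_PASS is unset):
#   encrypt_ovpn_key client1.ovpn client1-protected.ovpn
encrypt_ovpn_key() (
    src="$1"; dst="$2"
    umask 077                        # temp files and new profile: owner-only
    tmp="$(mktemp -d)" || exit 1
    trap 'rm -rf "$tmp"' EXIT        # the temporary plaintext copy is removed

    # Extract the PEM text between the <key> tags (tags excluded).
    sed -n '/^<key>/,/^<\/key>/p' "$src" | sed '1d;$d' > "$tmp/plain.key"
    [ -s "$tmp/plain.key" ] || { echo "no inline <key> block in $src" >&2; exit 2; }

    # Refuse a key that is already passphrase-protected.
    if grep -q 'ENCRYPTED' "$tmp/plain.key"; then
        echo "key in $src is already encrypted" >&2; exit 3
    fi

    # Re-encode the same key under AES-256; the issued certificate still matches.
    if [ -n "${OVPN_KEY_PASS:-}" ]; then   # exported variable, for scripted use
        openssl pkey -in "$tmp/plain.key" -aes256 -out "$tmp/enc.key" \
            -passout env:OVPN_KEY_PASS || exit 4
    else
        openssl pkey -in "$tmp/plain.key" -aes256 -out "$tmp/enc.key" || exit 4
    fi

    # Rebuild the profile with the encrypted key in place of the old one.
    awk -v keyfile="$tmp/enc.key" '
        /^<key>/   { print; while ((getline l < keyfile) > 0) print l; skip = 1; next }
        /^<\/key>/ { skip = 0 }
        !skip      { print }
    ' "$src" > "$dst"
)
```

This protects only the profile file it writes: any copy of the old passwordless .ovpn still connects without a passphrase.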
