auth-user-pass file and encrypted password ?

OpenVpn Newbie (Posts: 2, Joined: Wed Jun 01, 2011 12:02 pm) wrote:
Hi!
I plan to use the OpenVPN client as a Windows service to allow non-admin users to connect successfully.
So far everything works great.
The problem with this configuration is that the username and password have to be stored in a text file, so it is not very secure...
Is there a way to encrypt the password in the text file?
Regards,
janjust (Forum Team, Posts: 2703, Joined: Fri Aug 20, 2010 2:57 pm, Location: Amsterdam) wrote:
Re: auth-user-pass file and encrypted password ?
Depends on how the password is processed by the server;
if the password needs to be passed on to e.g. a PAM module then the password must first be decrypted before it can be fed to PAM; thus, even if you were to encrypt the password, it must be in a format that can again be DEcrypted.
If all you need to do is match the password (or its hash) against a hash in a file, then you can store an encrypted or hashed password.
OpenVpn Newbie (Posts: 7, Joined: Wed Jun 01, 2011 12:23 pm) wrote:
Re: auth-user-pass file and encrypted password ?
This modified version of the original Windows GUI, http://openvpn-mi-gui.inside-security.de/, supports the OpenVPN management interface.
If you have the user and password in a text file you might as well not have user/pass authentication, so prompting the user is the way to go.
With this version of the Windows GUI you can prompt the user for their username and password with something like this in your client config file.
management 127.0.0.1 7777
management-hold
management-query-passwords
auth-retry interact
On my server I have a bespoke authentication plugin that I literally knocked up that uses htpasswd-managed password files for authentication. On the server side I have
auth-user-pass-verify "/etc/openvpn/openvpn-passwd /etc/openvpn/passwd" via-file
where /etc/openvpn/passwd is my htpasswd-managed file and the following C program compiles into openvpn-passwd -
http://openvpn.defsdoor.org/openvpn-passwd.c
If you have hundreds of users then using htpasswd authentication may start to be too resourceful - it will do a scan to match on the entire passwd file each time. When I hit this limit I will start indexing the file with a separate binary-chop index.
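janjust's point above (a stored hash can be matched without ever decrypting anything) and this reply's auth-user-pass-verify ... via-file plugin come down to the same server-side check. The script below is an added example written for this thread; it is not the poster's openvpn-passwd.c and not part of OpenVPN. It reads the two-line temporary file that OpenVPN hands to a via-file verifier, looks the user up in an htpasswd-style file, and compares in constant time. It understands the {SHA} lines that htpasswd -s writes and a $pbkdf2-sha256$ form that is constructed for this example (htpasswd does not produce it). The path /etc/openvpn/verify.py, the sample users and every hash in the sample file are assumptions made up for the example.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify helper for OpenVPN (added example, not the poster's C program).

Server-side line, same shape as the poster's (verify.py path is hypothetical):
    auth-user-pass-verify "/etc/openvpn/verify.py /etc/openvpn/passwd" via-file
OpenVPN appends the path of a temporary file: line 1 = username, line 2 = password.
Exit status 0 accepts the login; anything else rejects it.
"""
import base64
import hashlib
import hmac
import re
import sys

# Conservative username charset: a hostile client cannot smuggle separators or
# control characters into the lookup or the server log.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
PBKDF2_PREFIX = "$pbkdf2-sha256$"   # constructed scheme for this example; htpasswd does not emit it


def parse_passwd(text):
    """Parse htpasswd-style 'user:hash' lines into a dict (one lookup, not a file scan)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if sep and user and stored:
            users[user] = stored
    return users


def parse_credentials(text):
    """Read the via-file OpenVPN writes; return (user, password) or None if malformed."""
    lines = text.split("\n")
    if len(lines) < 2:
        return None
    user, password = lines[0].rstrip("\r"), lines[1].rstrip("\r")
    if not USERNAME_RE.match(user) or not password:
        return None
    return user, password


def make_pbkdf2_hash(password, salt, iterations=100_000):
    """Build the constructed $pbkdf2-sha256$iters$salt$hash form (salt and hash base64)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (PBKDF2_PREFIX, iterations,
                           base64.b64encode(salt).decode("ascii"),
                           base64.b64encode(dk).decode("ascii"))


def verify_password(stored, password):
    """Constant-time comparison of a candidate password against one stored hash."""
    if stored.startswith("{SHA}"):
        # Unsalted SHA-1 as written by `htpasswd -s`; legacy, kept for compatibility only.
        digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
        return hmac.compare_digest(stored[5:].encode("utf-8"), digest)
    if stored.startswith(PBKDF2_PREFIX):
        try:
            iters, salt_b64, _ = stored[len(PBKDF2_PREFIX):].split("$")
            candidate = make_pbkdf2_hash(password, base64.b64decode(salt_b64), int(iters))
        except (ValueError, TypeError):
            return False
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    return False   # unknown scheme (e.g. $apr1$ or bcrypt): fail closed rather than guess


# Hashed once at start-up so an unknown user costs about the same time as a wrong password.
DUMMY_HASH = make_pbkdf2_hash("not-a-real-password", b"dummy-salt-0123", 20_000)


def check_login(users, username, password):
    """True only if the user exists and the password verifies."""
    stored = users.get(username)
    if stored is None:
        verify_password(DUMMY_HASH, password)
        return False
    return verify_password(stored, password)


# Constructed sample file. The fredbloggs line is what `htpasswd -s` writes for the
# password "password"; the alice line uses the constructed PBKDF2 scheme.
SAMPLE_PASSWD = (
    "# user:hash\n"
    "fredbloggs:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
    "alice:" + make_pbkdf2_hash("correct horse", b"\x00\x01\x02\x03\x04\x05\x06\x07", 20_000) + "\n"
)


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: verify.py PASSWD_FILE VIA_FILE\n")
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        users = parse_passwd(fh.read())
    with open(argv[2], encoding="utf-8") as fh:
        creds = parse_credentials(fh.read())
    if creds is None:
        return 1
    return 0 if check_login(users, *creds) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points worth noting: the whole file is loaded into a dict, which removes the per-login scan the poster expects to hit at a few hundred users, and an unknown scheme fails closed instead of being guessed, so a file line that this script does not understand can never be accepted by accident.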
OpenVpn Newbie (Posts: 2, Joined: Wed Jun 01, 2011 12:02 pm) wrote:
Re: auth-user-pass file and encrypted password ?
Thanks for your replies.
I've installed the modified version of the original Windows GUI from http://openvpn-mi-gui.inside-security.de
It works fine and this is exactly what I need.
Why doesn't the official GUI provide the same features as this modified GUI? It should... maybe as an option in the setup process would be great...
Best regards
OpenVpn Newbie (Posts: 7, Joined: Wed Jun 01, 2011 12:23 pm) wrote:
Re: auth-user-pass file and encrypted password ?
The original GUI doesn't seem to be maintained anymore, but I believe that that modified version will be the standard in a forthcoming release.
The one mentioned on the wiki, http://sourceforge.net/projects/openvpn-gui/, doesn't work with service-started management interfaces so is completely pointless at the moment (imho).
The modified one I pointed you to seems to work flawlessly though, and with some registry changes to limit user options it is great for end users.
I've recently set up a 4-instance OpenVPN server for load distribution across 4 CPUs with a view to rolling out 400 clients. As part of this I have scripted client addition, password setting and installation zip file building so the install is easy.
Below is my installation batch file template - this is used to create a per-client installation, with %%CLIENT%% being replaced with the client name when the zip file is built. It might prove useful.
You might notice it also installs TightVNC. The registry files set up the OpenVPN GUI and TightVNC settings.
INSTALL.BAT
Code:
@ECHO OFF
REM OPENVPN INSTALLATION HELPER BATCH FILE
REM
REM IN CURRENT DIR SHOULD BE ALL THE INSTALLATION FILES EXTRACTED FROM
REM ZIP FILE
REM
IF EXIST "C:\Program Files (x86)" GOTO BIT64
SET PROGDIR=C:\Program Files
SET OS=32
GOTO DONE
:BIT64
SET PROGDIR=C:\Program Files (x86)
SET OS=64
:DONE
FOR /F %%I IN ("%0") DO SET BATDIR=%%~dpI
ECHO The batch file is located in directory %BATDIR%
ECHO.
CD /D %BATDIR%
SET BATDIR=
REM FIRST INSTALL OPENVPN GUI
.\openvpn-2.2.0-install.exe
REM ECHO INSTALLING AUTH OPENVPN EXE
MOVE "%PROGDIR%\OpenVPN\bin\openvpn-gui-1.0.3.exe" "%PROGDIR%\OpenVPN\bin\openvpn-gui-1.0.3.exe.org"
COPY openvpn-mi.exe "%PROGDIR%\OpenVPN\bin\openvpn-gui-1.0.3.exe"
ECHO INSTALLING CONFIG FILE
COPY office.ovpn "%PROGDIR%\OpenVPN\config\"
ECHO INSTALLING CERTIFICATES
COPY ca.crt "%PROGDIR%\OpenVPN\config\"
COPY %%CLIENT%%.crt "%PROGDIR%\OpenVPN\config\"
COPY %%CLIENT%%.key "%PROGDIR%\OpenVPN\config\"
COPY ta.key "%PROGDIR%\OpenVPN\config\"
ECHO UPDATING REGISTRY
regedit /S openvpn%OS%.reg
regedit /S vnc%OS%.reg
ECHO INSTALLING VNC SERVER
tightvnc-2.0.2-setup.exe
ECHO STARTING OPENVPN SERVICE
sc config openvpnservice start= auto
sc start openvpnservice
ECHO STARTING VNC SERVER
sc config tvnserver start= auto
sc start tvnserver
ECHO INSTALLING STARTUP LINKS
xxmklink "%ALLUSERSPROFILE%\Start Menu\Programs\Startup\openvpngui.lnk" "%PROGDIR%\OpenVPN\bin\openvpn-gui-1.0.3.exe" "" "%PROGDIR%"
ECHO INSTALLATION COMPLETE
CALL PERMS.BAT
PAUSE
REM LAUNCH THE GUI NOW VIA THE STARTUP SHORTCUT CREATED ABOVE
"%ALLUSERSPROFILE%\Start Menu\Programs\Startup\openvpngui.lnk"
PERMS.BAT
Code:
FOR /F %%I IN ("%0") DO SET BATDIR=%%~dpI
ECHO The batch file is located in directory %BATDIR%
ECHO.
CD /D %BATDIR%
SET BATDIR=
ECHO Enter user names to grant service stop/start to.
:nameloop
SET NAME=
SET /P NAME=Username:
IF "%NAME%" == "" GOTO done
ECHO %NAME%
SUBINACL /SERVICE "OpenVPNService" /GRANT=%NAME%=TO
GOTO nameloop
:done
The Zip file contents look like this -
Code:
-rw-r--r-- 1 root root 1432 May 12 18:36 ca.crt
-rw------- 1 root root 636 May 12 18:42 ta.key
-rw-r--r-- 1 root root 290304 May 19 16:43 subinacl.exe
-rw-r--r-- 1 root root 85504 May 19 16:43 openvpn-mi.exe
-rwxr--r-- 1 root root 1098 May 19 16:43 openvpn32.reg
-rw-r--r-- 1 root root 1405368 May 19 16:43 openvpn-2.2.0-install.exe
-rw-r--r-- 1 root root 49152 May 20 21:34 xxmklink.exe
-rw-r--r-- 1 root root 657656 May 20 21:49 tightvnc-2.0.2-setup.exe
-rwxr--r-- 1 root root 2572 May 20 21:56 vnc32.reg
-rw-r--r-- 1 root root 340 May 25 15:56 perms.bat
-rwxr--r-- 1 root root 1158 May 26 14:48 openvpn64.reg
-rwxr--r-- 1 root root 2616 May 26 14:49 vnc64.reg
-rw-r--r-- 1 root root 1084 Jun 1 14:50 office.ovpn
-rw-r--r-- 1 root root 1608 Jun 1 14:50 install.bat
-rw------- 1 root root 887 Jun 1 14:50 fredbloggs.key
-rw-r--r-- 1 root root 4040 Jun 1 14:50 fredbloggs.crt
I include subinacl and xxmklink to allow the service rights to be granted and to create shortcuts in Startup.
It also uses sc to set the services to auto start and to start them.
It's a bit Heath Robinson in some respects - but it seems to work.