[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] build-key-pass confusion


  • Subject: Re: [Openvpn-users] build-key-pass confusion
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Wed, 27 Jun 2007 10:48:00 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID442LFAPWg0360X36

Michael D. Berger wrote:
> I tried the PEM password as you suggest.  On my WinXP
> laptop client, if I start OpenVPN on a command line,
> it does ask for the passphrase.  However, if I start
> it as a service, there appears to be no opportunity
> to enter the passphrase.  Any suggestions?
> Mike.
Presumably you're starting it as a system service because it needs to
automatically start without user interaction.  A Windows service (as
well as Unix/Linux services) can't accept input from a user since
they're executed before any user has logged in which means there is no
way to accept user input.  If you want to use a service for automatic
OpenVPN startup you want to leave the private key unencrypted so that
the service can read it without input.

If you really want to leave the private key encrypted and start OpenVPN
as a service, you can use the `askpass file` option where the file
specified contains the password to decrypt the private key.  However,
this really defeats the entire purpose of encrypting the key since an
attacker who has access to both the private key and this file will be
able to decrypt it.

-- 
Josh


Attachment: signature.asc
Description: OpenPGP digital signature