
Re: [Openvpn-users] build-key-pass confusion

  • Subject: Re: [Openvpn-users] build-key-pass confusion
  • From: "Michael D. Berger" <m.d.berger@xxxxxxxx>
  • Date: Wed, 27 Jun 2007 12:05:43 -0400
  • Importance: Normal

> Michael D. Berger wrote:
> > I tried the PEM password as you suggest.  On my WinXP
> > laptop client, if I start OpenVPN on a command line,
> > it does ask for the passphrase.  However, if I start
> > it as a service, there appears to be no opportunity
> > to enter the passphrase.  Any suggestions?
> > Mike.
> Presumably you're starting it as a system service because it needs to
> automatically start without user interaction.  A Windows service (as
> well as Unix/Linux services) can't accept input from a user since
> they're executed before any user has logged in which means there is no
> way to accept user input.  If you want to use a service for automatic
> OpenVPN startup you want to leave the private key unencrypted so that
> the service can read it without input.
> If you really want to leave the private key encrypted and start OpenVPN
> as a service, you can use the `askpass file` option where the file
> specified contains the password to decrypt the private key.  However,
> this really defeats the entire purpose of encrypting the key since an
> attacker who has access to both the private key and this file will be
> able to decrypt it.
> -- 
> Josh

Thanks for this excellent explanation.  Actually, the reason
I want to start as a service is not for automatic start, but
so I can switch to an unprivileged user.  Clearly, as you say,
the askpass idea defeats the purpose.  On the other hand, I
could use the command line and switch users without logging
off the administrator.  I'll try that.

Michael D. Berger
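The trade-off Josh describes (an `askpass` file lets the service start unattended, but anyone who can read both the key and that file has the key) is mostly a file-permission question, and the thing to check on a host that takes this route is that neither file is readable by anything but the account the service runs as. The script below is an added example, not code from this thread or from the OpenVPN project: it pulls the `key` and `askpass` arguments out of a config, reports whether each file is owner-only, and also flags whether the key is actually PEM-encrypted. It assumes GNU `stat -c '%a'` (Linux coreutils) and builds its own placeholder key, passphrase file and config in a temp directory; the key material is constructed filler, not a real key.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): audit the files an OpenVPN
# config references for 'key' and 'askpass' so that a passphrase file, if one
# is used at all, is at least not group- or world-readable.
# Assumes GNU coreutils stat(1).

# Print "ok: <file> mode NNN" and return 0 when only the owner can read the
# file; print "weak: ..." and return 1 when group or others have any access.
check_mode() {
    mode=$(stat -c '%a' "$1") || return 2
    # Keep the last three digits (drops a leading setuid/setgid/sticky digit).
    mode=$(printf '%s' "$mode" | tail -c 3)
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    if [ "$group" -ne 0 ] || [ "$other" -ne 0 ]; then
        echo "weak: $1 mode $mode"
        return 1
    fi
    echo "ok: $1 mode $mode"
    return 0
}

# Return 0 if a PEM private key carries the ENCRYPTED header, 1 if it is plaintext.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Walk the 'key' and 'askpass' directives of an OpenVPN config (relative paths
# are resolved against the config's directory) and check each referenced file.
# Returns 0 only if every such file is owner-only.
audit_openvpn_config() {
    conf=$1
    dir=$(dirname "$conf")
    status=0
    # 'askpass' with no argument means "prompt", so only lines with an argument count.
    for f in $(awk '$1=="key" || $1=="askpass" {if ($2!="") print $2}' "$conf"); do
        case "$f" in
            /*) path=$f ;;
            *)  path="$dir/$f" ;;
        esac
        check_mode "$path" || status=1
    done
    return $status
}

# Constructed demonstration: an encrypted-key config with a world-readable
# askpass file (the weak setting), then the same config after tightening it.
demo() {
    tmp=$(mktemp -d)
    # Placeholder PEM body, constructed for the example; not a real key.
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: placeholder\n\n(constructed filler)\n-----END RSA PRIVATE KEY-----\n' > "$tmp/client.key"
    printf 'constructed-passphrase\n' > "$tmp/pass.txt"
    printf 'client\nkey client.key\naskpass pass.txt\n' > "$tmp/client.ovpn"
    chmod 600 "$tmp/client.key"
    chmod 644 "$tmp/pass.txt"            # weak: anyone on the box can read the passphrase

    key_is_encrypted "$tmp/client.key" && echo "key is PEM-encrypted"
    audit_openvpn_config "$tmp/client.ovpn" && echo "config ok" || echo "fix permissions before running as a service"

    chmod 600 "$tmp/pass.txt"            # corrected: owner (the service account) only
    audit_openvpn_config "$tmp/client.ovpn" && echo "config ok"
    rm -rf "$tmp"
}

demo
```

Run it on a real config with `audit_openvpn_config /etc/openvpn/client.conf`; a non-zero exit means at least one referenced file is readable beyond its owner. Owner-only permissions do not change the point Josh makes (a reader of both files still has the key), but they are the minimum for the unprivileged-service setup Mike is after, since the whole benefit of dropping privileges is lost if the service account's secrets are readable by every other account.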

Openvpn-users mailing list