
Re: [Openvpn-users] build-key-pass confusion

  • Subject: Re: [Openvpn-users] build-key-pass confusion
  • From: Todd and Margo Chester <ToddAndMargo@xxxxxxxxxxx>
  • Date: Wed, 27 Jun 2007 22:44:51 -0700

Dave wrote:
> ...
>> Dave wrote:
>>> Interesting, it definitely does work for me, and I'm using the stock
>>> openvpngui build.  Pretty much, as soon as you try to connect a simple
>>> dialog box pops up asking for the passphrase.  I use this on a daily
>>> basis.
>> Does this mean I can
>> 1) start the server side as a service?
>> 2) use openvpn-gui to connect the
>> client to the server and be prompted
>> for a password when I try to connect
>> to the server?
>> 3) the "password" is to access the
>> certificate on the client, not
>> a challenge from the server?
> ...
> Yes, yes, and yes.
> 1)  starting the server side as a service doesn't involve the openvpngui
> (which is for the client functionality).  I should qualify this statement by
> saying that starting as a service happens before anyone logs in, so the
> _servers_ key file, if encrypted with a passphrase, may give you problems
> since no one interactive is present to provide the passphrase.  Personally I
> run my server on unix, but if I were to run it on NT I would probably make
> the key file readable only to Local System and deny everyone else.  And not
> encrypt it.
> 2)  yes, my openvpngui at least, prompts for the private key passphrase.
> Again I do this multiple times per day.  I'm pretty sure the stock build
> behaves this way.  (I did a custom build so I could enable the feature to
> change the passphrase from the gui, which is not turned on in the stock
> build.)  I could send you my openvpn-gui-1.0.3.exe if you think it might
> help diagnose your problem.
> 3)  Yes, the password is on the private key (not the cert, but the private
> key associated with the cert).  It's used to decrypt the private key locally
> and is not transmitted in any form, encrypted, hashed or otherwise, to the
> server.
> -Dave
Thank you!  I will give it a try.  I am now confident about what I
am doing.  :-)  (I will let you know if I need your special gui.)
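The server-side problem Dave describes (a passphrase-protected key and a service that starts before anyone can type the passphrase) is the kind of thing worth catching before the first reboot. The script below is an added example, not code from this thread or from the OpenVPN project: it reads a server config, finds the `key` directive, tells from the PEM headers whether that key is passphrase-protected, and then applies the two rules from the thread: an unencrypted key must not be readable by anyone but the service account, and an encrypted key needs some non-interactive way to get its passphrase. For the latter it goes one step beyond the thread and checks for OpenVPN's `askpass <file>` directive, which reads the passphrase from a file instead of the console. The PEM sample, the configs and the passphrase are constructed inline; the mode check is POSIX only (on Windows the equivalent is the Local System-only ACL Dave mentions, which `st_mode` cannot express); and paths in the config are used exactly as written, so the example uses absolute paths rather than trying to replicate how OpenVPN resolves relative ones.

```python
import os
import re
import stat
import tempfile

# PEM markers of a passphrase-protected key. The legacy OpenSSL format adds a
# Proc-Type header under the BEGIN line; PKCS#8 uses a different BEGIN line.
_LEGACY_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED", re.MULTILINE)
_PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"


def key_is_encrypted(pem_text):
    """True if the PEM text is a passphrase-protected private key."""
    return _PKCS8_ENCRYPTED in pem_text or _LEGACY_ENCRYPTED.search(pem_text) is not None


def parse_config(text):
    """Collect the 'key' and 'askpass' directives (first occurrence wins).
    'askpass' with no argument means 'prompt on the console'; recorded as None."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        if name in ("key", "askpass") and name not in found:
            found[name] = args[0] if args else None
    return found


def group_or_world_readable(path):
    """POSIX mode check. Windows ACLs are not expressed in st_mode, so on
    non-POSIX systems this returns None and the caller skips the check."""
    if os.name != "posix":
        return None
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def check_unattended(config_path):
    """Return the problems that would block an unattended start or expose the
    private key. An empty list means the config passes."""
    problems = []
    with open(config_path) as f:
        cfg = parse_config(f.read())
    if cfg.get("key") is None:
        return ["no 'key <file>' directive found"]
    with open(cfg["key"]) as f:
        encrypted = key_is_encrypted(f.read())
    if not encrypted:
        if group_or_world_readable(cfg["key"]):
            problems.append("unencrypted key is group/world readable; "
                            "restrict it to the service account")
        return problems
    if "askpass" not in cfg:
        problems.append("key is passphrase-protected and no askpass file is configured; "
                        "an unattended start will wait for a passphrase nobody can type")
    elif cfg["askpass"] is None:
        problems.append("askpass without a file prompts on the console, "
                        "which a service cannot answer")
    elif not os.path.isfile(cfg["askpass"]):
        problems.append("askpass file does not exist: " + cfg["askpass"])
    elif group_or_world_readable(cfg["askpass"]):
        problems.append("askpass file holds the passphrase in clear "
                        "and is group/world readable")
    return problems


# Constructed sample: the header layout of a legacy-format PEM key that was
# encrypted with a passphrase. The base64 body is a placeholder, not a real key.
SAMPLE_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
-----END RSA PRIVATE KEY-----
"""


def demo():
    """Check two constructed server configs: the encrypted key with no askpass
    (fails), then the same key with a 0600 askpass file (passes)."""
    d = tempfile.mkdtemp()
    key = os.path.join(d, "server.key")
    with open(key, "w") as f:
        f.write(SAMPLE_ENCRYPTED_KEY)
    broken = os.path.join(d, "broken.conf")
    with open(broken, "w") as f:
        f.write("dev tun\nkey %s\n" % key)
    askpass = os.path.join(d, "server.pass")
    with open(askpass, "w") as f:
        f.write("correct horse battery staple\n")  # constructed passphrase
    os.chmod(askpass, 0o600)
    fixed = os.path.join(d, "fixed.conf")
    with open(fixed, "w") as f:
        f.write("dev tun\nkey %s\naskpass %s\n" % (key, askpass))
    return check_unattended(broken), check_unattended(fixed)


if __name__ == "__main__":
    before, after = demo()
    print("broken.conf:", before)
    print("fixed.conf:", after)
```

Note that an `askpass` file only moves the secret: the passphrase sits in clear on the same disk as the key, so it buys nothing unless that file is locked down at least as tightly as an unencrypted key would be, which is why the check treats a readable askpass file as a failure too.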