
Re: [Openvpn-users] build-key-pass confusion

  • Subject: Re: [Openvpn-users] build-key-pass confusion
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Thu, 28 Jun 2007 02:16:52 -0500
  • Openpgp: id=2E5A5127

Peter Barwich wrote:

> Not sure why you need a custom build of openvpngui. V 1.03 has a registry setting in HKLM\SOFTWARE\OPENVPN-GUI which enables changing passphrase from the gui (allow_password). See http://openvpn.se/install.txt.
>
> But there's a problem. If you enable and enter a pass phrase (must be at least 8 digits) then, as expected, you get a dialogue box asking for the phrase when you connect from the gui. But then, if after disconnecting from the gui you try to connect by starting ovpn as a service, the process fails. This is because the act of enabling a pass phrase has actually changed your key file (its header now includes the word ENCRYTPEDDEK) and starting as a service does not throw up a passphrase dialogue box. If then, from the gui, you try and change the passphrase, it will not allow you to enter a blank phrase. In effect you cannot remove the encryption from your keyfile. Thus you cannot revert to running ovpn as a service.
>
> The message is: keep a copy of your working key file if you experiment with this. You can then simply copy it back to the config directory to restore the situation to NOT requiring a passphrase, and you can therefore revert to using ovpn as a service should you so wish.

This is completely false.  If you have an encrypted private key file you can easily decrypt it by using the following openssl command: `openssl rsa -in encrypted.key -out unencrypted.key`.  Likewise, you can encrypt an unencrypted key with `openssl rsa -in unencrypted.key -des3 -out encrypted.key`.  Obviously to read an encrypted key you must provide the passphrase and to encrypt you must choose a passphrase for the output file.
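
Added example, not part of the original message: a Python check that reads a PEM file's text and reports whether the private key in it is passphrase-protected, which is the condition the thread says stops a service start that cannot prompt. It covers both the legacy header form (Proc-Type / DEK-Info) and the PKCS#8 form; the function name and the sample PEM blocks are constructed for illustration.

```python
import re

# Constructed samples: PEM framing only; the base64 body is dummy text, not a key.
_BODY = "Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBrZXk=\n"
LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    + _BODY + "-----END RSA PRIVATE KEY-----\n"
)
LEGACY_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\n" + _BODY
                + "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENCRYPTED = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + _BODY
                   + "-----END ENCRYPTED PRIVATE KEY-----\n")
CERT_ONLY = ("-----BEGIN CERTIFICATE-----\n" + _BODY
             + "-----END CERTIFICATE-----\n")

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")


def classify_private_key(pem_text):
    """Return (label, needs_passphrase, cipher) for the first private key block.

    Raises ValueError when the text holds no private key block at all.
    """
    lines = pem_text.splitlines()
    for i, line in enumerate(lines):
        m = _BEGIN.match(line.strip())
        if not m or not m.group(1).endswith("PRIVATE KEY"):
            continue  # skip certificates and other PEM blocks
        label = m.group(1)
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8: the cipher is recorded inside the encoded body, not in a header.
            return (label, True, None)
        # Legacy form: "Name: value" headers sit between the BEGIN line and a blank line.
        headers = {}
        for h in lines[i + 1:]:
            if ":" not in h:
                break
            name, _, value = h.partition(":")
            headers[name.strip()] = value.strip()
        encrypted = headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "").split(",")[0] or None
        return (label, encrypted, cipher if encrypted else None)
    raise ValueError("no private key block found")


if __name__ == "__main__":
    for name in ("LEGACY_ENCRYPTED", "LEGACY_PLAIN", "PKCS8_ENCRYPTED"):
        print(name, classify_private_key(globals()[name]))
```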

