
Re: [Openvpn-users] build-key-pass confusion

  • Subject: Re: [Openvpn-users] build-key-pass confusion
  • From: Peter Barwich <pbarwich@xxxxxxxxxxx>
  • Date: Fri, 29 Jun 2007 13:26:49 +0100

Re: [Openvpn-users] build-key-pass confusion
Peter Barwich <pbarwich@xxxxxxxxxxx>
Thu, 28 Jun 2007 07:40:51 +0100


Not sure why you need a custom build of openvpngui. V 1.03 has a registry setting in HKLM\SOFTWARE\OPENVPN-GUI which enables changing passphrase from the gui (allow_password). See http://openvpn.se/install.txt.

But there's a problem. If you enable and enter a pass phrase (must be at least 8 digits) then, as expected, you get a dialogue box asking for the phrase when you connect from the gui. But if, after disconnecting from the gui, you then try to connect by starting ovpn as a service, the process fails. This is because the act of enabling a pass phrase has actually changed your key file (its header now includes the word ENCRYPTEDDEK) and starting as a service does not throw up a passphrase dialogue box. If then, from the gui, you try and change the passphrase, it will not allow you to enter a blank phrase. In effect you cannot remove the encryption from your keyfile. Thus you cannot revert to running ovpn as a service.

The message is: keep a copy of your working key file if you experiment with this. You can then simply copy it back to the config directory to restore the situation to NOT requiring a passphrase, and you can therefore revert to using ovpn as a service should you so wish.

Take care,


Re: [Openvpn-users] build-key-pass confusion
"Dave" <dev@xxxxxxxxxxxxxx>
Wed, 27 Jun 2007 18:51:43 -0500
"'Todd and Margo Chester'" <ToddAndMargo@xxxxxxxxxxx>, <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>

Dave wrote:
Interesting, it definitely does work for me, and I'm using the stock openvpngui build.  Pretty much, as soon as you try to connect a simple dialog box pops up asking for the passphrase.  I use this on a daily

Does this mean I can

1) start the server side as a service?

2) use openvpn-gui to connect the client to the server and be prompted for a password when I try to connect to the server?

3) the "password" is to access the certificate on the client, not a challenge from the server?

Yes, yes, and yes.

1)  starting the server side as a service doesn't involve the openvpngui
(which is for the client functionality).  I should qualify this statement by
saying that starting as a service happens before anyone logs in, so the
_server's_ key file, if encrypted with a passphrase, may give you problems
since no one interactive is present to provide the passphrase.  Personally I
run my server on unix, but if I were to run it on NT I would probably make
the key file readable only to Local System and deny everyone else.  And not
encrypt it.

2)  yes, my openvpngui at least, prompts for the private key passphrase.
Again I do this multiple times per day.  I'm pretty sure the stock build
behaves this way.  (I did a custom build so I could enable the feature to
change the passphrase from the gui, which is not turned on in the stock
build.)  I could send you my openvpn-gui-1.0.3.exe if you think it might
help diagnose your problem.

3)  Yes, the password is on the private key (not the cert, but the private
key associated with the cert).  It's used to decrypt the private key locally
and is not transmitted in any form, encrypted, hashed or otherwise, to the


This is completely false.  If you have an encrypted private key file you can easily decrypt it by using the following openssl command: `openssl rsa -in encrypted.key -out unencrypted.key`.  Likewise, you can encrypt an unencrypted key with `openssl rsa -in unencrypted.key -des3 -out encrypted.key`.  Obviously to read an encrypted key you must provide the passphrase and to encrypt you must choose a passphrase for the output file.

Well thank you Josh. Completely false you say.

The problem is that when I use openvpn or openvpngui, I don't necessarily know the details of the openssl commands. The point I was making is that if a user simply uses the openvpngui to create a passphrase for his keys it provides no way to remove it. And note also I said that "in effect you cannot remove the encryption from your keyfile." I am sure, and I will check, that using openssl can do this. But remember that users of openvpngui are Windows users by definition. They have done no explicit install of openssl, and do not necessarily have much knowledge of using it. It would be nice therefore, to tell them to preserve their key before letting openvpngui encrypt it.

Or maybe you think that only Linux users deserve ovpn....

My point stands. If you use openvpngui to set a passphrase on your key you cannot use openvpngui to remove it.

So take care,

And finally, just to confirm, your command, Josh, to decrypt the private file (openssl rsa -in encrypted.key -out unencrypted.key), does, indeed, work perfectly. Thanks for drawing my attention to this.
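
A pre-flight check for the situation discussed in this thread, as an added example that is not part of any poster's message: it classifies a PEM private key by its standard headers, reports whether it can be loaded with no one present to enter a passphrase, and takes a backup before the key is changed. The function names, file names and the `.bak` suffix are hypothetical, and the sample files are constructed header skeletons with no key material.

```shell
#!/bin/sh
# Added example. Classifies a PEM private key by its headers and keeps a
# backup before the passphrase state is changed. File names are hypothetical.

# Prints "encrypted", "plain" or "unknown" for the PEM file named in $1.
key_state() {
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # PKCS#8 encrypted container
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # traditional PEM; a DEK-Info line follows it
    elif grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo unknown
    fi
}

# Succeeds only when the key loads with nobody present to type a passphrase,
# which is the situation when OpenVPN is started as a service.
service_ready() {
    [ "$(key_state "$1")" = plain ]
}

# Copies $1 to $1.bak with the same permissions; never overwrites a backup.
backup_key() {
    [ -f "$1" ] || return 1
    [ ! -e "$1.bak" ] || return 2
    cp -p "$1" "$1.bak"
}

# Constructed PEM skeletons (headers only, no key material) for a dry run.
write_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(placeholder)' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,(placeholder)' '' '(placeholder)' \
        '-----END RSA PRIVATE KEY-----' > "$1/pass.key"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir/plain.key" "$dir/pass.key"; do
    echo "$(basename "$f"): $(key_state "$f")"
done
```

The backup copy holds the same key material as the original, so it needs the same file permissions and storage care as the key itself.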