OpenVPN client pass login credentials and passphrase in Linux
Broadcast message from root:
Password entry required for 'Enter Private Key Password:' (PID 7380).
Please enter password with the systemd-tty-ask-password-agent tool.
If you want the OpenVPN systemd service to start the OpenVPN connection automatically on boot, but the connection requires a password or credentials, you will need to make some changes to your configuration file. The two methods below can be combined if required.
This post assumes your OpenVPN connection is started as root.
Pass Login Credentials
First we need to store the credentials in a file. The first line of the file must be the login name, and the second line must be the password that belongs to that login. Create the file as root at the following location.
sudo nano /etc/openvpn/credentials.secret
With the following contents:
MyLoginOrAccountName
MyPassword
README! Make sure that root, and only root, can read this file, and no other user on your machine.
# Give only root read/write access to the file
sudo chmod 600 /etc/openvpn/credentials.secret
Finally, add the following line to your OpenVPN client configuration, most likely located at /etc/openvpn/clients/:
auth-user-pass /etc/openvpn/credentials.secret
Pass The Passphrase
If your client configuration's private key is password protected, we will have to follow almost the same steps as above. First create a file containing the password of the private key.
sudo nano /etc/openvpn/password.secret
With your password as its content:
MySuperSecurePassphrase
Another readme! Make sure the file is only accessible by root.
# Give only root read/write access to the file
sudo chmod 600 /etc/openvpn/password.secret
Finally, add the following line to your OpenVPN client configuration, most likely located at /etc/openvpn/clients/:
askpass /etc/openvpn/password.secret
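To confirm that both steps above left the secret files locked down, the following added example (not part of the original post) reads a client configuration and checks every file named by auth-user-pass or askpass. The function names are hypothetical; it assumes absolute, unquoted paths in the configuration and a stat that supports -c.

```shell
# Added example: audit the secret files an OpenVPN client config points at.
# Assumes absolute, unquoted paths and a stat that supports -c (GNU/BusyBox).

# check_secret_file PATH [OWNER_UID]
# Succeeds only if PATH is a regular file (not a symlink), owned by OWNER_UID
# (default 0 = root), with no permission bits set for group or others.
check_secret_file() {
    csf_path=$1
    csf_want=${2:-0}
    if [ -L "$csf_path" ] || [ ! -f "$csf_path" ]; then
        echo "FAIL $csf_path: missing or not a regular file" >&2
        return 1
    fi
    csf_uid=$(stat -c '%u' -- "$csf_path")   # owner uid
    csf_mode=$(stat -c '%a' -- "$csf_path")  # octal mode, e.g. 600
    if [ "$csf_uid" != "$csf_want" ]; then
        echo "FAIL $csf_path: owner uid $csf_uid, expected $csf_want" >&2
        return 1
    fi
    case $csf_mode in
        *00|0) ;;   # group and other digits are both 0
        *)  echo "FAIL $csf_path: mode $csf_mode is open to group/others" >&2
            return 1 ;;
    esac
    echo "OK   $csf_path (uid $csf_uid, mode $csf_mode)"
}

# audit_openvpn_secrets CONFIG [OWNER_UID]
# Checks every file named by an auth-user-pass or askpass directive in CONFIG.
# Returns non-zero if any referenced file fails check_secret_file.
audit_openvpn_secrets() {
    aos_rc=0
    while read -r aos_dir aos_file aos_rest || [ -n "$aos_dir" ]; do
        case $aos_dir in
            auth-user-pass|askpass)
                # With no file argument OpenVPN prompts instead; nothing to check.
                [ -n "$aos_file" ] || continue
                check_secret_file "$aos_file" "${2:-0}" || aos_rc=1 ;;
        esac
    done < "$1"
    return "$aos_rc"
}

# Usage (as root): audit_openvpn_secrets /path/to/client.conf
```

A non-zero exit status means at least one referenced file is missing, is a symlink, has the wrong owner, or is accessible to group or others.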
Security, security, security!
Again, for your own good: since your password is stored in clear text, make sure that it is only readable by the user that is opening the OpenVPN connection, most probably root. Linux file permissions are your friend.
Note also that if you are using this VPN connection in a professional context, there is probably a company policy that doesn't allow this; you will make your CISO [1] sad. After all, the use of credentials or passwords indicates elevated access that must be protected against misuse. In any case, if your machine is ever compromised, notify the person responsible for IT.
[1] https://en.wikipedia.org/wiki/Chief_information_security_officer