OpenVPN client asking for password
I have downloaded and installed version 3.4.2.3160 on Windows 10 Pro systems. As with this and previous versions, the user has to enter the connection password each time the tunnel is connected. My question: is there some type of config file I can create that will store the password so that when the connection drops, the system is rebooted or the user logs on, the password does not have to be entered?
1. I do not know the server configuration that these clients are connecting to; that is controlled by villagemanagement.com (Teamsoft).
2. A call to a Teamsoft support agent told me that the password cannot be saved (not sure if this is true or not)
3. Since the password we have set is lengthy and complex, the users are getting very irate that they have to continually re-enter this password even when the connection drops for a few seconds.
I am not sure if this matters, but the settings we have set are:
VPN Protocol - Adaptive
Connection Timeout - Continuously Retry
Launch Option - restore Connection
I appreciate any guidance on this.
I am pretty sure the host server configs can disable password saving, and if they did you won't be able to save it.
ASKER
Scott Silva - this is what I am afraid of. Is there any way to override the server config?
ASKER
Masq - Let me look again, but I think they are greyed out.
Check the .ovpn for
setenv ALLOW_PASSWORD_SAVE 0
ASKER
MASQ - On the client?
If the server disallows password saving you cannot save passwords...
Host has precedence.
"MASQ - On the client?"
No, Scott and David have this, even if you configure OpenVPN 3.x client to save credentials it makes no difference if the server configuration disables this.
I was looking at the client admin preventing saving which is no help to you :(
the server cannot override that specific setting as it just does not know whether the password was typed or saved.
but they probably distributed openvpn with disabled password saving.
see above @MASQ's post for the config file
on windows it might be set with a reg key at install time. look for disable_save_passwords in the relevant hive (hklm / software / openvpn probably)
if needed, there are alternative vpn software
note that it is fairly likely you are not allowed to override said settings
nb : i see little point in having teamsoft configure your server. managing your own openvpn server is easy enough and actually probably easier than using their ui once it is properly set up.
ASKER
skullnobrains - searched the registry for this setting and came up empty. I looked for a .ovpn or .opvn config file and they do not exist either.
FYI, it is not our server, it is Teamsoft's, we just connect to it for the application. I am confident at this point that they have disabled the password save option.
While I feel they see this as a security risk, it is very annoying having to enter the password at the littlest bleep in the connection.
The .ovpn is at C:\Users\<ProfileName>\AppData\Roaming\OpenVPN Connect\profiles
Have had a dig around with OpenVPN 3.x and this may be a potential workaround - provided the server does not intentionally block it.
Find the .ovpn that is currently in use at the location above, right-click, open in Notepad and save a backup copy (always using Notepad's Save As "All Files" option). Keep this safe in case you need to restore the original settings.
Make a copy and edit this copy by finding the line in the configuration that reads "auth-user-pass" and append "auth.txt" to this so the line now reads: auth-user-pass auth.txt
Save the amended .ovpn using a distinct identifiable name
Now create a new Notepad file
Put the username for the account as the only entry in the first line
In the second line paste your complex password
Save this file as auth.txt (again always using Notepad's Save As "All Files" option)
(NB: Anyone who can access this file has your credentials)
Now copy auth.txt to the .ovpn profiles location above.
Right-click on your newly edited .ovpn and open with OpenVPN Connect
The Client will offer to import your new file
The new configuration should mean the Username is displayed but now shows as "Locked" in the Edit Profile window
Cross your fingers and connect!
ASKER
Try inserting auth-user-pass auth.txt below "setenv" and above "client"
Ignore my suggestion about "setenv ALLOW_PASSWORD_SAVE 0". That would appear if as the Client Admin you wanted to prevent your local users from saving their credentials - it's not relevant here.
ASKER
1. Confirming the name of the file should be auth.txt?
2. Would you show me the format of that file?
or is it as simple as ?
username=username
password=password
3. Does this file just get placed in C:\Users\username\AppData\Roaming\OpenVPN Connect\profiles?
4. This is what you say the config file should look like:
Sorry to be so dependent.
ASKER
MASQ - created the auth.txt file, edited the .ovpn file, rebooted and connection still prompted for password.
Check that the auth.txt file is saved in Notepad using UTF-8 encoding (Save as > All Files)
You could also try changing the username to something random to see if the client is picking it up (even though the password will obviously not work)
but it still looks as if this is being prevented by the Teamsoft configuration.
One other thought though
Try adding
persist-key
persist-tun
after nobind
This won't help with saving the password but may make your connection more stable and at least reduce the number of reconnections that need credentials re-entered.
(All this remains conditional on their server-side configuration)
make sure the file is actually found.
if you are unsure, use the full path. there is no reason why the working directory would be the profiles directory.
beware the \ need to be \\
make sure the allow_password_save (capitalized) env var is not set or set to 1.
it is also possible the ability to save passwords was removed at compilation time. it might be the case if you got the soft from the third party.
whatever you do, you can run openvpn from the command line with --verb 2 or more to get verbose logging.
if the password save feature is disabled, you can use a different client. there are many openvpn compatible ones around.
ASKER
As a final step, and many previous, I rebooted the system and then the changes were read correctly. All working now.
If you open the client you should see your connection listed at the top of the window. Click on the edit "pencil" icon and you should see user name and password fields with a checkbox to save the password.
Note that the password is saved in the configuration file unencrypted.
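Added example (not part of the thread, and not code from OpenVPN or Teamsoft): a small Python check for the profile and credential-file problems raised in the answers above, namely a missing file argument, a relative or single-backslash path, a name=value credential file, and the plaintext storage itself. The function name, finding codes and sample input are constructed for illustration.

```python
import re

# Finding codes -> what they mean (wording is this example's, based on the thread).
MEANING = {
    "PROMPTS": "auth-user-pass has no file argument, so the client prompts",
    "PLAINTEXT_FILE": "credentials sit in a plaintext file; restrict who can read it",
    "RELATIVE_PATH": "file path is relative to an unknown working directory",
    "SINGLE_BACKSLASH": "path uses single backslashes; write \\\\ or /",
    "SAVE_DISABLED": "profile sets ALLOW_PASSWORD_SAVE to 0",
    "BAD_LINE_COUNT": "credential file must be username line, then password line",
    "KEY_VALUE_FORMAT": "credential file uses name=value lines, not bare values",
}

def lint_profile(profile_text, auth_file_bytes=None):
    """Return finding codes for a profile and, optionally, its credential file."""
    found = []
    for raw in profile_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0][0] in "#;":  # skip blanks and comments
            continue
        name, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if name == "setenv" and arg.split() == ["ALLOW_PASSWORD_SAVE", "0"]:
            found.append("SAVE_DISABLED")
        if name != "auth-user-pass":
            continue
        if not arg:
            found.append("PROMPTS")
            continue
        path = arg.strip('"')
        found.append("PLAINTEXT_FILE")
        if not re.match(r"([A-Za-z]:[\\/]|/)", path):
            found.append("RELATIVE_PATH")
        if re.search(r"(?<!\\)\\(?!\\)", path):  # a backslash with no neighbour
            found.append("SINGLE_BACKSLASH")
    if auth_file_bytes is not None:
        lines = auth_file_bytes.decode("utf-8", "replace").splitlines()
        if len(lines) != 2 or not all(l.strip() for l in lines):
            found.append("BAD_LINE_COUNT")
        if any(re.match(r"(username|password)\s*=", l, re.I) for l in lines):
            found.append("KEY_VALUE_FORMAT")
    return found

# Constructed sample input (not taken from the thread's real profile).
SAMPLE_PROFILE = r"""client
nobind
auth-user-pass C:\Users\alice\auth.txt
"""
SAMPLE_AUTH = b"username=alice\npassword=example-only\n"

if __name__ == "__main__":
    for code in lint_profile(SAMPLE_PROFILE, SAMPLE_AUTH):
        print(code, "-", MEANING[code])
```

Any profile that reports PLAINTEXT_FILE stores a reusable credential on disk, so the file should be readable only by the account that runs the client.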