Link to home
Create AccountLog in
Avatar of Rick Barwig
Rick BarwigFlag for United States of America

asked on

OpenVPN client asking for password

I have downloaded and installed version 3.4.2.3160 on Windows 10 Pro systems. As with this and previous versions, the user has to enter the connection password each time the tunnel is connected. My question, is there some type of config file I can create that will store the password so that when the connection drops, the system is rebooted or the user logs on, that the password does not have to be entered?

1. I do not know the the server configuration that these clients are connecting to, that is controlled by villagemanagement.com (Teamsoft)
2. A call to a Teamsoft support agent told me that the password cannot be saved (not sure if this is true or not)
3. Since the password we have set is lengthy and complex, the users are getting very irate that they have to continually re-enter this password even when the connection drops for a few seconds.

While I am not sure if this matters, but the settings we have set are:

VPN Protocol - Adaptive
Connection Timeout - Continuously Retry
Launch Option - restore Connection

I appreciate any guidance on this.

Avatar of ☠ MASQ ☠
☠ MASQ ☠

If you open the client you should see your connection listed at the top of the window.  Click on the edit "pencil" icon and you should see user name and password fields with a checkbox to save the password.

Note that the password is saved in the configuration file unencrypted.

I am pretty sure the host server configs can disable password saving, and if they did you won't be able to save it..


Avatar of Rick Barwig

ASKER

Scott Silva - this is what I am afraid of. Is there any way to override the server config?

Masq - Let me look again, but I think they are greyed out.

Check the .opvn for


setenv ALLOW_PASSWORD_SAVE 0

Open in new window

MASQ - On the client?

The server can override the client settings.

If the server disallows password saving you cannot save passwords...

Host has precedence.


"MASQ - On the client?"

No, Scott and David have this, even if you configure OpenVPN 3.x client to save credentials it makes no difference if the server configuration disables this.

I was looking at the client admin preventing saving which is no help to you :(

the server cannot override that specific setting as it just does not know whether the password was typed or saved.

but they probably distributed openvpn with disabled password saving.

see above @MASQ's post for the config file

on windows it might be set with a reg key at install time. look for disable_save_passwords in the relevant hive (hklm / software / openvpn probably)

if needed, there are alternative vpn software

note that it is fairly likely you are not allowed to override said settings


nb : i see little point in having teamsoft configure your server. managing your own openvpn server is easy enough and actually probably easier than using their ui once it is properly set up.

skullnobrains - searched the registry for this setting and came up empty.  I looked for a .ovpn or .opvn config file and they do not exist either.  


FYI, it is not our server, it is Teamsoft's, we just connect to it for the application.  I am confident at this point that they have disabled the password save option.

While I feel they see this as a security risk, it is very annoying having to enter the password at the littlest bleep in the connection.

The .opvn is at C:\Users\<ProfileName>\AppData\Roaming\OpenVPN Connect\profiles


Have had a dig around with OpenVPN 3.x and this may be a potential workaround - provided the server does not intentionally block it.

Find the .opvn that is currently in use at the location above, right-click, open in Notepad and save a back up copy (always using Notepad's Save As "all Files" option).  Keep this safe in case you need to restore the original settings.
Make a copy and edit this copy by finding the line in the configuration that reads "auth-user-pass" and append "auth.txt" to this so the line now reads: auth-user-pass auth.txt
Save the amended .opvn using a distinct identifiable name


Now create a new Notepad file
Put the username for the account as the only entry in the first line
In the second line paste your complex password
Save this file as auth.txt (again always using Notepad's Save As "all Files" option)
(NB: Anyone who can access this file has your credentials)

Now copy auth.txt to the .opvn profiles location above.
Right-click on your newly edited .opvn and open with OpenVPN Connect
The Client will offer to import your new file

The new configuration should mean the Username is displayed but now shows as "Locked" in the Edit Profile window

Cross your fingers and connect!

MASQ

If I were to add setenv ALLOW_PASSWORD_SAVE 0  to this file, where would I place that entry?  Additionally, can you tell me where I might enter the username and password?  Would go into this file too? Where?


User generated image


Try inserting auth-user-pass auth.txt below "setenv" and above "client"


Ignore my suggestion about "setenv ALLOW_PASSWORD_SAVE 0". That would appear if as the Client Admin you wanted to prevent your local users from saving their credentials - it's not relevant here.




1. Confirming the name of the file should be auth.txt?

2. Would you show me the format of that file?

or is it as simple as ?

            username=username 

            password=password

3. Does this file just get placed in C:\Users\username\AppData\Roaming\OpenVPN Connect\profiles?

4. This is what you say the config file should look like:

User generated image


Sorry to be so dependent.

ASKER CERTIFIED SOLUTION
Avatar of ☠ MASQ ☠
☠ MASQ ☠

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer

MASQ 0 created the auth.txt file, edited the .ovpn file, rebooted and connection still prompted for password.

Check that the auth.txt file is saved in Notepad using UTF-8 encoding (Save as > All Files)

You could also try changing the username to something random to see if the client is picking it up (even though the password will obviously not work)

but it still looks as if this is being prevented by the Teamsoft configuration.


One other thought though


Try adding 

persist-key
persist-tun


after nobind


This won't help with saving the password but may make your connection more stable and at least reduce the number of reconnections that need credentials re-entered.


(All this remains conditional on their server-side configuration)



make sure the file is actually found.

if you are unsure, use the full path. there is no reason why the working directory would be the profiles directory.

beware the \ need to be \\


make sure the allow_passsword_save (capitalized) env var is not set or set to 1.


it is also possible the ability to save passwords was removed at compilation time. it might be the case if you got the soft from the third party.


whatever you do, you can run openvpn from the command line with --verb 2 or more to get verbose logging.


if the password save feature is disabled, you can use a different client. there are many openvpn compatible ones around.

As a final step, and many previous, I rebooted the system and then the changes were read correctly.  All working now.