[Solved] OpenVPN - prompt for password on client

Can I get the OpenVPN client to prompt for a password?

My company's OpenVPN Server has 2FA via OTP, so I cannot set a static password.

It looks like the LEDE-built openvpn package is only daemonized? I've poked around /etc/config to try to get the daemonized version to prompt but am not finding how, and someone else had this issue with no reply [0].

Is there a non-daemonized version of openvpn? Or a way to use it on the CLI and not via init.d? I'm fine with ssh'ing into the router to set up the VPN tunnel.

[0] https://superuser.com/questions/1213328/openvpn-askpass-option-issues

root@homebrew:/etc/openvpn# /etc/init.d/openvpn start
root@homebrew:/etc/openvpn# cat openvpn.log 
Sat Feb  3 07:59:04 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb  3 07:59:04 2018 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sat Feb  3 07:59:04 2018 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

OK, poked around a bit more and got a little further. Using openvpn directly on the CLI will open a tty for input, but I get a similar error: instead of "cannot ask for username" it's now "cannot ask for private key password", even though I actually get prompted for the password.

Odd!

root@homebrew:/etc/openvpn# openvpn --config /etc/openvpn/rh-brq.conf --askpass 
Enter Private Key Password:
root@homebrew:/etc/openvpn# cat openvpn.log 
Sat Feb  3 08:22:08 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb  3 08:22:08 2018 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sat Feb  3 08:22:08 2018 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Sat Feb  3 08:22:08 2018 Exiting due to fatal error

Never mind, solved it. --askpass is the password to the private key. --auth-user-pass is the username/password combo. I just needed the latter.

root@homebrew:/etc/openvpn# openvpn --config /etc/openvpn/rh-brq.conf --askpass --auth-user-pass
Enter Private Key Password:
Enter Auth Username:
Enter Auth Password:
root@homebrew:/etc/openvpn# openvpn --config /etc/openvpn/rh-brq.conf --auth-user-pass
Enter Auth Username:
Enter Auth Password:
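
The distinction the thread ends on, as an added example that is not part of the original posts: a small POSIX sh helper that reads an OpenVPN log, pulls out the prompt named in a "can't ask for ..." failure, and reports which option governs that prompt and whether the config daemonizes. The function names and the sample.log / sample.conf files are hypothetical; the sample contents are constructed from the log messages quoted above.

```shell
#!/bin/sh
# Added example: explain an OpenVPN "can't ask for '<prompt>'" log failure.

# Print the prompt text from the last "can't ask for '<prompt>'" line in LOG ($1).
failed_prompt() {
    sed -n "s/.*can't ask for '\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# Map a prompt to the option that controls it:
# --askpass is the private key passphrase, --auth-user-pass is username/password.
option_for_prompt() {
    case "$1" in
        "Enter Private Key Password:") echo askpass ;;
        "Enter Auth Username:"|"Enter Auth Password:") echo auth-user-pass ;;
        *) echo unknown ;;
    esac
}

# Succeed if CONFIG ($1) sets DIRECTIVE ($2) on a non-comment line.
config_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# diagnose LOG CONFIG -> "<option> <daemon|foreground>" or "no-prompt-failure"
diagnose() {
    prompt=$(failed_prompt "$1")
    if [ -z "$prompt" ]; then echo no-prompt-failure; return 0; fi
    mode=foreground
    if config_has "$2" daemon; then mode=daemon; fi
    echo "$(option_for_prompt "$prompt") $mode"
}

# Constructed sample files (log text modelled on the messages quoted in the thread).
write_samples() {
    cat > "$1/sample.log" <<'EOF'
Sat Feb  3 07:59:04 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)]
Sat Feb  3 07:59:04 2018 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'.
EOF
    printf 'client\n# daemon\ndaemon\nauth-user-pass\n' > "$1/sample.conf"
}

# Usage: sh diagnose.sh /etc/openvpn/openvpn.log /etc/openvpn/your.conf
if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

An "auth-user-pass daemon" result corresponds to the first failure in the thread: the username/password prompt was wanted but the process had no tty, which is why running openvpn in the foreground from an ssh session worked.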