OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: guest38025 on April 21, 2023, 10:07:46 PM

Title: OPNSense storing VPN client passwords in clear text
Post by: guest38025 on April 21, 2023, 10:07:46 PM
Hello All,

I noticed that the OpenVPN client user and pass are stored in clear text in the OpenVPN directory, "/var/etc/openvpn", on the firewall filesystem. The user and pass are stored in a file there named client1.up in clear text.

Is this a known issue, or expected behavior?

Thanks
Title: Re: OPNSense storing VPN client passwords in clear text
Post by: bartjsmit on April 22, 2023, 09:34:21 AM
Open a shell and run:

ls -ltrh /var/etc/openvpn/

Are any files world readable? They should only be accessible by root

Bart...
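The permission check described above, written out as a small audit script. This is an added example, not something posted in the thread or shipped by OPNsense: it assumes the /var/etc/openvpn path named in the thread, and the scratch directory it builds for a stand-alone run is a constructed fixture, not a real firewall's files.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): report credential
# files under a directory that anyone other than the owner could read.
# Pass a real directory (e.g. /var/etc/openvpn) as $1; with no argument the
# script audits a constructed scratch directory instead.

# Print every regular file under $1 whose "other" read bit is set
# (octal 004). A non-empty result means any local account could read it.
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Print files whose group read bit is set (octal 040); worth reviewing too,
# since every account in that group can read the credentials.
group_readable_files() {
    find "$1" -type f -perm -040 2>/dev/null | sort
}

# Return 0 when no file under $1 is world-readable, 1 otherwise.
check_credential_dir() {
    if [ -n "$(world_readable_files "$1")" ]; then
        return 1
    fi
    return 0
}

# Constructed fixture: a scratch directory mimicking /var/etc/openvpn with
# one correctly locked-down file and one that was left world-readable.
make_fixture() {
    dir=$(mktemp -d)
    printf 'user\npass\n' > "$dir/client1.up"
    chmod 0600 "$dir/client1.up"           # owner-only: acceptable
    printf 'user\npass\n' > "$dir/client2.up"
    chmod 0644 "$dir/client2.up"           # world-readable: the problem
    printf '%s' "$dir"
}

# Stand-alone run: audit the directory given as $1, or the fixture.
if [ -n "$1" ]; then
    target=$1
else
    target=$(make_fixture)
fi
if check_credential_dir "$target"; then
    echo "OK: no world-readable files under $target"
else
    echo "WARNING: world-readable files under $target:"
    world_readable_files "$target"
fi
```

On a real box, run it as root against /var/etc/openvpn; the expected outcome is the "OK" line. Octal masks are used with find -perm rather than symbolic ones so the same script behaves identically on FreeBSD (which OPNsense runs on) and GNU userlands.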
Title: Re: OPNSense storing VPN client passwords in clear text
Post by: meyergru on April 22, 2023, 01:11:38 PM
How would you expect credentials to be saved if they have to be provided automatically? Even with asymmetric authentication, a client has to prove its identity. OpnSense just uses the means provided by OpenVPN, in that the credentials are stored as plain text.

While one could encrypt those private credentials, there must be a way to get at the real data, such that anyone knowing how to decrypt it can also steal it. Since OpnSense is open source, this is obviously a chicken-and-egg problem.