OPNSense storing VPN client passwords in clear text

Started by guest38025, April 21, 2023, 10:07:46 PM

Hello All,

I noticed that the openvpn client user and pass are stored in clear text in the openvpn directory, "/var/etc/openvpn", on the firewall filesystem. The user and pass are stored in a file there named client1.up in clear text.

Is this a known issue, or expected behavior?

Thanks

Open a shell and run:

ls -ltrh /var/etc/openvpn/

Are any files world readable? They should only be accessible by root.

Bart...
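A portable version of Bart's permission check, as an added example that is not from the thread: it walks a directory (defaulting to the /var/etc/openvpn path named above), flags any file whose group or other permission bits are set or whose owner is not the expected one, and returns non-zero if anything is exposed. The demo directory, file names and credential strings at the bottom are constructed; the expected-owner parameter is this example's own addition.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenVPN config directory for
# credential files readable by anyone other than the expected owner.
# Uses only POSIX ls/awk/cut so it behaves the same on FreeBSD (OPNsense) and Linux.

audit_openvpn_creds() {
    dir="${1:-/var/etc/openvpn}"        # OPNsense path named in the thread
    expected_owner="${2:-root}"          # credential files there should belong to root
    exposed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(ls -ld "$f")
        perms=$(printf '%s\n' "$line" | awk '{print $1}')
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        # characters 5-10 of the mode string are the group and other bits;
        # any r/w/x/s there means someone besides the owner can touch the file
        group_other=$(printf '%s' "$perms" | cut -c5-10)
        case "$group_other" in
            *[rwxsS]*)
                echo "EXPOSED: $f mode=$perms owner=$owner"
                exposed=$((exposed + 1)) ;;
            *)
                if [ "$owner" != "$expected_owner" ]; then
                    echo "WRONG OWNER: $f owner=$owner (expected $expected_owner)"
                    exposed=$((exposed + 1))
                else
                    echo "OK: $f mode=$perms owner=$owner"
                fi ;;
        esac
    done
    [ "$exposed" -eq 0 ]   # exit status 0 only when every file is owner-only
}

# Constructed demo: one correctly locked-down file and one world-readable one.
demo_dir=$(mktemp -d)
printf 'vpnuser\nvpnpass\n' > "$demo_dir/client1.up"; chmod 600 "$demo_dir/client1.up"
printf 'vpnuser\nvpnpass\n' > "$demo_dir/client2.up"; chmod 644 "$demo_dir/client2.up"
audit_openvpn_creds "$demo_dir" "$(id -un)" \
    || echo "audit failed: fix with chmod 600 and chown root on the flagged files"
rm -rf "$demo_dir"
```

On a real firewall run it as root with no arguments; a non-zero exit status means at least one file under /var/etc/openvpn is readable by someone other than root.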

How would you expect credentials to be saved if they have to be provided automatically? Even with asymmetric authentication, a client has to prove its identity. OpnSense just uses the means provided by OpenVPN, in that the credentials are stored as plain text.

While one could encrypt those private credentials, there must be a way to get at the real data, such that anyone knowing how to decrypt it can also steal it. Since OpnSense is open source, this is obviously a hen-and-egg problem.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+