Pass private key password to openvpn command directly in Ubuntu 10.10

Question

I tried the method with different parameter

I have password.
Here below password is mypassword

1)

root$ echo mypassword || openvpn client.conf.ovpn

the result was display:

mypassword

2)

root$ openvpn client.warriors.conf.ovpn || echo mypassword

the result was display:

Thu Jun 28 00:00:00 2012 us=757575 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables  
Enter Private Key Password:

(still need to enter password manualy )

I don't want to have to enter the password manually. How can I achieve this?

3) DUDE

After running the script it exit out with following:

Fri Jun 29 11:56:59 2012 us=707916   cf_max = 0
Fri Jun 29 11:56:59 2012 us=707925   cf_per = 0
Fri Jun 29 11:56:59 2012 us=707934   max_clients = 1024
Fri Jun 29 11:56:59 2012 us=707944   max_routes_per_client = 256
Fri Jun 29 11:56:59 2012 us=707953   auth_user_pass_verify_script = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=707963   auth_user_pass_verify_script_via_file = DISABLED
Fri Jun 29 11:56:59 2012 us=707973   ssl_flags = 0
Fri Jun 29 11:56:59 2012 us=707982   port_share_host = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=707992   port_share_port = 0
Fri Jun 29 11:56:59 2012 us=708001   client = ENABLED
Fri Jun 29 11:56:59 2012 us=708010   pull = ENABLED
Fri Jun 29 11:56:59 2012 us=708020   auth_user_pass_file = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=708032 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Fri Jun 29 11:56:59 2012 us=708131 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
Fri Jun 29 11:56:59 2012 us=726649 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 29 11:56:59 2012 us=726805 WARNING: file 'client-team-20110222.key' is group or others accessible
Fri Jun 29 11:56:59 2012 us=727136 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri Jun 29 11:56:59 2012 us=875611 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jun 29 11:56:59 2012 us=876742 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Fri Jun 29 11:56:59 2012 us=876777 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Jun 29 11:56:59 2012 us=876788 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Jun 29 11:56:59 2012 us=876810 Local Options hash (VER=V4): 'd902a8f8'
Fri Jun 29 11:56:59 2012 us=876825 Expected Remote Options hash (VER=V4): '7e078940'
Fri Jun 29 11:56:59 2012 us=877124 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Fri Jun 29 11:56:59 2012 us=877145 Attempting to establish TCP connection with [AF_INET]89.105.130.193:444 [nonblock]
Fri Jun 29 11:57:00 2012 us=877280 TCP connection established with [AF_INET]89.105.130.193:444
Fri Jun 29 11:57:00 2012 us=877337 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri Jun 29 11:57:00 2012 us=877353 TCPv4_CLIENT link local: [undef]
Fri Jun 29 11:57:00 2012 us=877364 TCPv4_CLIENT link remote: [AF_INET]89.105.130.193:444
Fri Jun 29 11:57:00 2012 us=877568 TLS: Initial packet from [AF_INET]89.105.130.193:444, sid=c5d843bc e9f3e6ab
Fri Jun 29 11:57:04 2012 us=105788 VERIFY OK: depth=1, /C=IE/ST=NA/L=DUB/O=ABC.OpenVPN/OU=server-terminus/CN=terminus/emailAddress=ops@abc.com
Fri Jun 29 11:57:04 2012 us=106189 VERIFY OK: nsCertType=SERVER
Fri Jun 29 11:57:04 2012 us=106202 VERIFY OK: depth=0, /C=IE/ST=NA/O=abc.OpenVPN/OU=server-terminus/CN=terminus/emailAddress=ops@abc.com
root@bond$

exit in this way is it normal.

Hi, By "Enter Private key Password", which password is the openvpn actually expecting? Is it the username or root password? Or a password that should be provided by the server to the client. Because I have tried all my passwords but I get the following error "Error: private key password verification failed" — Suhas Chikkanna, Jun 19 '17 at 17:29

score 93 · Answer 1 · edited Jun 05 '14 at 22:55

93

In my openvpn.conf:

...
askpass /etc/openvpn/jdoe.pass   <<< new line here
ca /etc/openvpn/jdoe_ca.crt
cert /etc/openvpn/jdoe.crt
key /etc/openvpn/jdoe.key
...

The file /etc/openvpn/jdoe.pass just contains the password. You can chmod this file to 600. This method save my life... ;-)

Ubuntu 12.04.4 LTS
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 13 2014

edited Jun 05 '14 at 22:55

Lucas Zamboulis

2,494
5
24
27

answered Jun 05 '14 at 22:22

Stéphane Millien

3,238
22
36

Does it work also when using pkcs12 option instead of ca, cert and key? – Piotr Dobrogost Feb 26 '17 at 21:14
Hi, By "Enter Private key Password", which password is the openvpn actually expecting? Is it the username or root password? Or a password that should be provided by the server to the client. Because I have tried all my passwords but I get the following error "Error: private key password verification failed" – Suhas Chikkanna Jun 19 '17 at 17:30
2

Hi, this password is in fact the passphrase used to unlock the key 'jdoe.key'. – Stéphane Millien Jul 28 '17 at 07:53
`askpass /etc/openvpn/jdoe.pass` is inserted in the server `openvpn.conf` file, not in the `client.ovpn` file? – Luis Oct 22 '18 at 22:01
2

Hi, askpass is inserted in the client side. – Stéphane Millien Oct 26 '18 at 12:21

pevik · Answer 2 · 2017-02-22T17:43:36.427

15

How about storing it into a file and using --askpass /your/file? --askpass option was added in OpenVPN version 2.0-beta20, Maverick has version 2.1.0-3ubuntu1.

edited Feb 22 '17 at 17:43

answered Feb 15 '14 at 19:13

pevik

4,523
3
33
44

score 7 · Answer 3 · edited Apr 13 '17 at 12:36

7

Try a shell script such as:

#!/usr/bin/expect -f
spawn openvpn client.warriors.conf.open
match_max 100000
expect "*?assword:*"
send -- "mypassword"
send -- "\r"
expect eof

You'll need to chmod +x this, you can also set it as an environment variable so you don't have to type out the directory.

Looks like they got this script to work: https://unix.stackexchange.com/questions/9055/establish-openvpn-tunnel-in-bash-script

edited Apr 13 '17 at 12:36

Community

1
1

answered Jun 28 '12 at 07:52

Sturm

4,105
3
24
39

You may also need to install expect, depending on your system it may be in the repos, try apt-get install expect. – Sturm Jun 28 '12 at 07:54
I have pasted my trminal output is it exiting out in same way. – bond Jun 29 '12 at 06:44
what does "match_max" options ? where it comes from? – Tebe May 08 '15 at 20:29

Simon Kesteloot · Answer 4 · 2015-08-13T08:11:43.190

0

I think you just swipe | and || operator.

| plug standard output o the previous command to standard input of the next command.

|| launch second command only if first command fail (exit code != 0).

this command should work.

root$ echo mypassword | openvpn client.conf.ovpn

edited Aug 13 '15 at 08:11

answered Aug 10 '15 at 10:14

Simon Kesteloot

47
1
5

2

openvpn doesn't allow input password from stdin. It show: `Please enter password with the systemd-tty-ask-password-agent tool!` – Finn Jan 23 '17 at 14:38
1

for me this solution worked flawlessly with a small modification: `cat ~/.pass-file | openvpn start-session ...` – Juliette May 08 '23 at 06:21

Pass private key password to openvpn command directly in Ubuntu 10.10

4 Answers4

Linked