Opened 8 years ago
Closed 7 years ago
#51528 closed enhancement (fixed)
openvpn2: passwordsave variant
Reported by: | ewen-naos-nz (Ewen McNeill) | Owned by: | macports-tickets@… |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | Cc: | ||
Port: | openvpn2 |
Description
Some OpenVPN servers (particularly Sophos UTM and Mikrotik) are configured to authenticate with a user/password combination either in addition to or instead of the TLS certificate. By default openvpn2 requires the user to enter this username/password on the console every time the VPN starts.
For about 10 years openvpn2 has had an option to load these details from a file instead of entering them on the console on each run ("auth-user-pass FILENAME"). However to use this feature openvpn2 must be built with "--enable-password-save". Without that configure time option (eg, default MacPorts), trying to use this feature results in:
Tue May 31 15:41:05 2016 Sorry, 'Auth' password cannot be read from a file
The attached trivial patch adds a variant "+passwordsave" which enables compiling with "--enable-password-save":
ewen@ashram:/usr/local/ports$ port variants openvpn2
openvpn2 has the variants:
   passwordsave: Build with --enable-password-save
   universal: Build for multiple architectures
ewen@ashram:/usr/local/ports$
After configuring for local ports, the patched version of the Portfile was tested with:
portindex -f
sudo port install -k openvpn2 +passwordsave
and then "auth-user-pass FILENAME" works. (To reduce the security risk the referenced file with the username/password should be "chmod +400" or similar, and ideally the password should only be used for the VPN credentials (as it is stored in plain text); I'm not sure how strictly OpenVPN checks the file permissions.)
Obviously this is not ideal for a shared system, and so it should not be the default. But on a single-user workstation, interacting frequently with VPN servers that rely on the client storing the VPN credentials, it might be an acceptable tradeoff.
Please consider merging this patch to add the optional variant, so MacPorts users have the option of enabling this feature if it is appropriate for their environment.
Ewen
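The file-permission precaution mentioned in the description can be checked mechanically. The script below is an added example, not part of the original ticket, the patch, or OpenVPN itself: it finds each "auth-user-pass FILENAME" directive in a client config and fails if the referenced file is readable by group or other. The function names are hypothetical, and it assumes paths without whitespace and resolves relative paths against the config file's directory.

```shell
#!/bin/sh
# Added example (not from the ticket): audit files named by "auth-user-pass FILE".
# Assumes paths without whitespace; relative paths are resolved against the
# config file's directory (an assumption of this example).

# Print the FILE argument of every auth-user-pass directive that has one.
# A bare "auth-user-pass" (prompt on console) and commented lines are skipped.
auth_files() {
    awk '$1 == "auth-user-pass" && NF >= 2 { print $2 }' "$1"
}

# Succeed only for a regular, non-symlink file with no group/other bits set.
cred_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 2
    # ls -ld is portable across macOS and Linux; columns 5-10 are group/other.
    mode=$(ls -ldn "$1" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Check every credentials file referenced by one config; non-zero if any fails.
audit_config() {
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    for f in $(auth_files "$conf"); do
        case "$f" in
            /*) ;;
            *)  f="$dir/$f" ;;
        esac
        if cred_file_ok "$f"; then
            echo "OK    $f"
        else
            echo "FAIL  $f (missing, symlink, or readable by group/other; try chmod 400)"
            rc=1
        fi
    done
    return "$rc"
}

# Run against a config path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_config "$1"
fi
```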
Attachments (2)
Change History (6)
Changed 8 years ago by ewen-naos-nz (Ewen McNeill)
Attachment: | openvpn2-passwordsave-variant.diff added |
---|
comment:1 Changed 8 years ago by mf2k (Frank Schima)
Owner: | changed from macports-tickets@… to jul_bsd@… |
---|---|
Version: | 2.3.4 |
In the future, please Cc the port maintainers (`port info --maintainers openvpn2`), if any.
The `revision` should not be increased when adding a variant because no one with it installed will see any change.
comment:2 Changed 8 years ago by mf2k (Frank Schima)
Owner: | changed from jul_bsd@… to macports-tickets@… |
---|
See #52039.
Changed 7 years ago by ewen-naos-nz (Ewen McNeill)
Attachment: | openvpn2-2.4.3-passwordsave-variant.diff added |
---|
+passwordsave variant, for openvpn 2.4.3
comment:3 Changed 7 years ago by ewen-naos-nz (Ewen McNeill)
I was reminded by the announcement of several OpenVPN bugs this week that I'm still having to manually maintain my own version of the `openvpn2` port, to support a "`+passwordsave`" variant, which I have to remember to manually update when the in-MacPorts port is updated, to avoid missing out on (security) updates.
The patch is literally four lines, adding a "`passwordsave`" variant entry to the `Portfile`, which is entirely user opt-in, so it seems to me it would be entirely safe to be merged into the MacPorts version of the `Portfile`. But it needs someone with commit access to merge it. (Last time I asked it turned out the previous `openvpn2` port maintainer no longer had time for MacPorts. It appears no one has officially taken over, but there have been updates to the `openvpn2` Portfile in the last year...)
I've just uploaded openvpn2-2.4.3-passwordsave-variant.diff, which is an updated version of the patch that will directly apply to the current (2.4.3) Portfile. Could someone with commit access please apply it?
Thanks very much in advance,
Ewen
comment:4 Changed 7 years ago by mf2k (Frank Schima)
Resolution: | → fixed |
---|---|
Status: | new → closed |
Add "+passwordsave" variant to openvpn2 Portfile