Opened 5 years ago

Closed 3 years ago

#51528 closed enhancement (fixed)

openvpn2: passwordsave variant

Reported by: ewen-naos-nz (Ewen McNeill) Owned by: macports-tickets@…
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc:
Port: openvpn2

Description

Some OpenVPN servers (particularly Sophos UTM and Mikrotik) are configured to authenticate with a user/password combination either in addition to or instead of the TLS certificate. By default openvpn2 requires the user to enter this username/password on the console every time the VPN starts.

For about 10 years openvpn2 has had an option to load these details from a file instead of entering them on the console on each run ("auth-user-pass FILENAME"). However, to use this feature openvpn2 must be built with "--enable-password-save". Without that configure-time option (e.g., default MacPorts), trying to use this feature results in:

Tue May 31 15:41:05 2016 Sorry, 'Auth' password cannot be read from a file

The attached trivial patch adds a variant "+passwordsave" which enables compiling with "--enable-password-save":

ewen@ashram:/usr/local/ports$ port variants openvpn2
openvpn2 has the variants:
   passwordsave: Build with --enable-password-save
   universal: Build for multiple architectures
ewen@ashram:/usr/local/ports$ 

After configuring for local ports, the patched version of the Portfile was tested with:

portindex -f
sudo port install -k openvpn2 +passwordsave

and then "auth-user-pass FILENAME" works. (To reduce the security risk the referenced file with the username/password should be "chmod +400" or similar, and ideally the password should only be used for the VPN credentials (as it is stored in plain text); I'm not sure how strictly OpenVPN checks the file permissions.)

Obviously this is not ideal for a shared system, and so it should not be the default. But on a single-user workstation, interacting frequently with VPN servers that rely on the client storing the VPN credentials, it might be an acceptable tradeoff.

Please consider merging this patch to add the optional variant, so MacPorts users have the option of enabling this feature if it is appropriate for their environment.

Ewen
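
A pre-flight check for the file that "auth-user-pass FILENAME" points to, as an added example that is not part of the ticket or of the openvpn2 port. The function names, the return codes, the handling of relative paths and the no-whitespace-in-path restriction are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the ticket: check the file named by
# "auth-user-pass FILENAME" before starting the VPN.
# Return codes are this example's own convention:
#   0 ok, 1 no auth-user-pass FILENAME in the config,
#   2 file missing / symlink / not a regular file,
#   3 group or other permission bits set, 4 fewer than two non-empty lines.

auth_file_from_config() {
    # Print the FILENAME of the first auth-user-pass directive that has one.
    # Assumes the path contains no whitespace or quoting.
    awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$1"
}

check_auth_file() {
    conf=$1
    file=$(auth_file_from_config "$conf")
    [ -n "$file" ] || return 1
    # Assumption: relative paths are taken relative to the config's directory.
    case $file in
        /*) ;;
        *) file=$(dirname "$conf")/$file ;;
    esac
    { [ -f "$file" ] && [ ! -L "$file" ]; } || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$file" | cut -c5-10)
    [ "$bits" = "------" ] || return 3
    # Expect a username line and a password line.
    lines=$(awk 'NF { n++ } END { print n + 0 }' "$file")
    [ "$lines" -ge 2 ] || return 4
    return 0
}

# Usage: sh check-auth-file.sh /path/to/client.ovpn
if [ $# -ge 1 ]; then
    rc=0
    check_auth_file "$1" || rc=$?
    echo "check_auth_file $1: code $rc"
fi
```

A wrapper script can call check_auth_file and refuse to launch openvpn2 on any non-zero code, which keeps the permission requirement enforced locally regardless of what the client itself checks.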

Attachments (2)

openvpn2-passwordsave-variant.diff (787 bytes) - added by ewen-naos-nz (Ewen McNeill) 5 years ago.
Add "+passwordsave" variant to openvpn2 Portfile
openvpn2-2.4.3-passwordsave-variant.diff (504 bytes) - added by ewen-naos-nz (Ewen McNeill) 3 years ago.
+passwordsave variant, for openvpn 2.4.3

Change History (6)

Changed 5 years ago by ewen-naos-nz (Ewen McNeill)

Add "+passwordsave" variant to openvpn2 Portfile

comment:1 Changed 5 years ago by mf2k (Frank Schima)

Owner: changed from macports-tickets@… to jul_bsd@…
Version: 2.3.4

In the future, please Cc the port maintainers (port info --maintainers openvpn2), if any.

The revision should not be increased when adding a variant because no one with it installed will see any change.

Last edited 3 years ago by mf2k (Frank Schima)

comment:2 Changed 4 years ago by mf2k (Frank Schima)

Owner: changed from jul_bsd@… to macports-tickets@…

See #52039.

Changed 3 years ago by ewen-naos-nz (Ewen McNeill)

+passwordsave variant, for openvpn 2.4.3

comment:3 Changed 3 years ago by ewen-naos-nz (Ewen McNeill)

I was reminded by the announcement of several OpenVPN bugs this week that I'm still having to manually maintain my own version of the openvpn2 port, to support a "+passwordsave" variant, which I have to remember to manually update when the in-MacPorts port is updated, to avoid missing out on (security) updates.

The patch is literally four lines, adding a "passwordsave" variant entry to the Portfile, which is entirely user opt-in, so it seems to me it would be entirely safe to be merged into the MacPorts version of the Portfile. But it needs someone with commit access to merge it. (Last time I asked it turned out the previous openvpn2 port maintainer no longer had time for MacPorts. It appears no one has officially taken over, but there have been updates to the `openvpn2` Portfile in the last year...)

I've just uploaded openvpn2-2.4.3-passwordsave-variant.diff, which is an updated version of the patch that will directly apply to the current (2.4.3) Portfile. Could someone with commit access please apply it?

Thanks very much in advance,

Ewen

comment:4 Changed 3 years ago by mf2k (Frank Schima)

Resolution: fixed
Status: changed from new to closed

In 3001997b525cbfbc368858eb16a88e8841115660/macports-ports:

openvpn2: Add passwordsave variant

Closes: #51528