openvpn-client-export & auth-nocache option
vcurious last edited by
When connecting to pfSense (22.214.171.124) OpenVPN via OpenVPN client for Windows (2.4.6) using the *.ovpn configuration file generated by openvpn-client-export (1.4.14) package I get such a warning:
WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Is there any reason why there is no such option in generated *.ovpn?
kpa last edited by
-auth-nocache Don't cache --askpass or --auth-user-pass username/passwords in virtual memory. If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used. As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times during the duration of an OpenVPN session. This directive does not affect the --http-proxy username/password. It is always cached.
I don’t think you’d want to type in your username/password multiple times during the login session and then on every reconnect just to buy some peace of mind.
On top of that, --auth-nocache can not be implemented 100% reliably on any normal computer, you would need some special secure memory that can guarantee the no cache property of the memory used. As soon as the username/password are read, there is some cached memory that holds the password for a non-zero time.