openvpn-client-export & auth-nocache option



  • When connecting to pfSense (2.4.3.1) OpenVPN via the OpenVPN client for Windows (2.4.6) using the *.ovpn configuration file generated by the openvpn-client-export (1.4.14) package, I get this warning:
    WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

    Is there any reason why there is no such option in the generated *.ovpn?



  • --auth-nocache
    Don't cache --askpass or --auth-user-pass username/passwords in virtual memory.
    If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used. As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times during the duration of an OpenVPN session.
    
    This directive does not affect the --http-proxy username/password. It is always cached.
    

    I don’t think you’d want to type in your username/password multiple times during the login session and then on every reconnect just to buy some peace of mind.

    On top of that, --auth-nocache cannot be implemented 100% reliably on any normal computer; you would need some special secure memory that can guarantee the no-cache property of the memory used. As soon as the username/password are read, there is some cached memory that holds the password for a non-zero time.
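Added example, not part of the thread and not code from pfSense or the export package: a small audit of .ovpn text that reports whether a client config uses the credential inputs named in the manual excerpt above (--auth-user-pass, --askpass) without auth-nocache, and whether it sets --http-proxy credentials, which the excerpt says are always cached. The sample config, the host name vpn.example.com and the function names are constructed for illustration.

```python
# Directives whose input auth-nocache covers, per the manual text quoted in the thread.
CREDENTIAL_DIRECTIVES = {"auth-user-pass", "askpass"}

def parse_directives(ovpn_text):
    """Map directive name -> list of argument lists, skipping comments and inline blocks."""
    directives = {}
    closing_tag = None
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if closing_tag:                       # inside <ca>...</ca> style inline data
            if line == closing_tag:
                closing_tag = None
            continue
        if not line or line[0] in "#;":       # blank line or commented-out directive
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            closing_tag = "</" + line[1:]
            continue
        name, *args = line.split()
        directives.setdefault(name.lstrip("-"), []).append(args)
    return directives

def audit(ovpn_text):
    """Report whether interactive credentials may stay cached for the session."""
    found = parse_directives(ovpn_text)
    used = sorted(CREDENTIAL_DIRECTIVES & found.keys())
    nocache = "auth-nocache" in found
    # http-proxy <server> <port> [authfile|auto ...]: a third argument means proxy auth.
    proxy_auth = any(len(args) >= 3 for args in found.get("http-proxy", []))
    return {
        "credential_directives": used,
        "auth_nocache": nocache,
        "may_cache": bool(used) and not nocache,
        "proxy_auth_always_cached": proxy_auth,
    }

# Constructed sample resembling an exported client config (not real output).
SAMPLE_EXPORTED = """\
dev tun
client
remote vpn.example.com 1194 udp
auth-user-pass
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
SAMPLE_WITH_NOCACHE = SAMPLE_EXPORTED + "auth-nocache\n"

if __name__ == "__main__":
    for label, text in (("exported", SAMPLE_EXPORTED), ("with auth-nocache", SAMPLE_WITH_NOCACHE)):
        print(label, audit(text))
```

A result with "may_cache" true is only a prompt to decide whether the re-prompting described in the manual excerpt is acceptable for that client.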


 
