"Show passwords" missing on VPN config. How to disable admin VPN access?

ko922

New Around Here
Asus RT-AC88U, merlin 386.3_2.

On OpenVPN I no longer have the "show passwords" option to see the passwords for the users. I now have to delete a user and re-add with a new password if we don't remember the password. The option still shows up for PPTP server.

Also, there is no way to delete/disable the admin user account for VPN access.

Are these bugs or is this normal behavior?
 

RMerlin

Asuswrt-Merlin dev
> On OpenVPN I no longer have the "show passwords" option to see the passwords for the users. I now have to delete a user and re-add with a new password if we don't remember the password. The option still shows up for PPTP server.

Passwords are now encrypted, so they can't be shown.

> Also, there is no way to delete/disable the admin user account for VPN access.

Admin user is hardcoded since it already exists for the router management.
 

elorimer

Very Senior Member
Yes, I think VPN access by the admin account is a bit of a gotcha if you have complicated VPN username/passwords but a simpler admin password from LAN only. But you can do something similar.

In the custom configuration, enter
Code:
client-connect /jffs/scripts/ovpn-client-connect.sh # create this script for actions to be performed when the connection is made, such as waking up a web host.  This script has to exist or the server won't start.
Then create the ovpn-client-connect.sh to have at least this:
Code:
#!/bin/sh
if [ "$username" = "whatever your admin name is" ]; then exit 1; fi  # if the admin user connects, this exits and kills the connection
Credit to @Martineau for this.
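
A fuller version of the client-connect script described in the post above, as an added example that is not part of the original thread or of Asuswrt-Merlin. `DENIED_USERS`, `vpn_user_allowed` and the `admin` placeholder are assumptions; `username` and `script_type` are environment variables OpenVPN passes to the hook.

```shell
#!/bin/sh
# Added example (not from the thread): client-connect hook that refuses
# selected usernames. A non-zero exit status makes OpenVPN reject the client.

# Assumption: space-separated usernames to refuse. "admin" is a placeholder
# for the router's actual management login name.
DENIED_USERS="${DENIED_USERS:-admin}"

# Return 1 if the given username is on the deny list, 0 otherwise.
vpn_user_allowed() {
    user=$1
    # No username supplied (certificate-only server): nothing to match.
    [ -n "$user" ] || return 0
    # Quoted expansion keeps glob characters in the name literal.
    case " $DENIED_USERS " in
        *" $user "*) return 1 ;;
    esac
    return 0
}

# Only act when OpenVPN runs this file as the client-connect hook.
if [ "${script_type:-}" = "client-connect" ]; then
    if vpn_user_allowed "${username:-}"; then
        # Explicit success: ending the script on a failed test would return
        # non-zero and reject every client, not just the denied one.
        exit 0
    fi
    logger -t ovpn-client-connect "rejected VPN login for '${username:-}'"
    exit 1
fi
```

The script must be executable (`chmod +x`), and rejections then show up in the router's system log under the `ovpn-client-connect` tag.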
 

ko922

New Around Here
> Passwords are now encrypted, so they can't be shown.

> Admin user is hardcoded since it already exists for the router management.

I realize the admin user is hardcoded for router management but should it be allowed for remote VPN access? Seems counterintuitive from a security perspective.
 

RMerlin

Asuswrt-Merlin dev
> I realize the admin user is hardcoded for router management but should it be allowed for remote VPN access? Seems counterintuitive from a security perspective.

It was originally done that way, and reverting this now would break countless installs which are relying on this user for remote access.

I don't see that as a problem, since the router admin would be expected to be managing that router, and therefore have complete unrestricted access to it anyway.
 

elorimer

Very Senior Member
> I don't see that as a problem, since the router admin would be expected to be managing that router, and therefore have complete unrestricted access to it anyway.

I think it is different though, because the router admin has complete unrestricted access to the router from the LAN side. It is optional whether SSH or Web access is allowed from the WAN side (but here strongly discouraged), so it would be consistent to allow one to add the admin user as a VPN user but not always an allowed user that can't be deleted.

Particularly important if one were going to allow user/password only access, also strongly discouraged.

I suspect that many people have hard passwords for VPN access from the Wild Wild West, but maybe a softer password for logging into the router from the LAN only.
 

RMerlin

Asuswrt-Merlin dev
> I suspect that many people have hard passwords for VPN access from the Wild Wild West, but maybe a softer password for logging into the router from the LAN only.

OpenVPN requires more than just a username and a password; it also requires a certificate signed by the router's CA.
 
