"Show passwords" missing on VPN config. How to disable admin VPN access?

ko922

New Around Here
Asus RT-AC88U, merlin 386.3_2.

On OpenVPN I no longer have the "show passwords" option to see the passwords for the users. I now have to delete a user and re-add with a new password if we don't remember the password. The option still shows up for PPTP server.

Also, there is no way to delete/disable the admin user account for VPN access.

Are these bugs or is this normal behavior?
 
On OpenVPN I no longer have the "show passwords" option to see the passwords for the users. I now have to delete a user and re-add with a new password if we don't remember the password. The option still shows up for PPTP server.
Passwords are now encrypted, so they can't be shown.

Also, there is no way to delete/disable the admin user account for VPN access.
Admin user is hardcoded since it already exists for the router management.
 
Yes, I think VPN access by the admin account is a bit of a gotcha if you have complicated VPN username/passwords but a simpler admin password from LAN only. But you can do something similar.

In the custom configuration, enter
Code:
client-connect /jffs/scripts/ovpn-client-connect.sh # create this script for actions to be performed when the connection is made, such as waking up a web host.  This script has to exist or the server won't start.
Then create the ovpn-client-connect.sh to have at least this:
Code:
#!/bin/sh
if [ "$username" = "whatever your admin name is" ]; then exit 1; fi  # if the admin user connects, this exits and kills the connection
Credit to @Martineau for this.
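
The hook from the post above written out as a full script, as an added example (not code from the thread or from the firmware project). `ADMIN_NAME` is a placeholder and `vpn_user_allowed` is a hypothetical helper name; the case-insensitive comparison and the syslog line are extra precautions, not something the thread specifies.

```sh
#!/bin/sh
# Added example: client-connect hook that refuses VPN logins for the router admin.
# ADMIN_NAME is a placeholder (assumption): set it to your router login name.
ADMIN_NAME="admin"

# Decide whether a VPN username may connect.
# Returns 0 to allow, 1 to refuse.
vpn_user_allowed() {
    user="$1"
    # Compare in lower case so a differently-cased spelling of the admin
    # name is refused as well (precaution added in this example).
    lc_user=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    lc_admin=$(printf '%s' "$ADMIN_NAME" | tr 'A-Z' 'a-z')
    # Clients with no username (certificate-only setups) do not match
    # the admin name and are allowed through.
    [ "$lc_user" != "$lc_admin" ]
}

# OpenVPN exports script_type, username and trusted_ip to the hook.
# The guard keeps the decision logic usable outside OpenVPN (for testing).
if [ "${script_type:-}" = "client-connect" ]; then
    if vpn_user_allowed "${username:-}"; then
        # Explicit zero status: the exit code of the hook is the verdict,
        # so never let a failed test be the last command that runs.
        exit 0
    fi
    # Leave a trace of the refused attempt in the router's system log.
    logger -t ovpn-client-connect \
        "refused VPN login for admin account from ${trusted_ip:-unknown}"
    exit 1   # non-zero status: OpenVPN drops the client
fi
```

Save it at the path named in the `client-connect` line and make it executable, since the post notes the server won't start if the script is missing.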
 
Passwords are now encrypted, so they can't be shown.


Admin user is hardcoded since it already exists for the router management.

I realize the admin user is hardcoded for router management but should it be allowed for remote VPN access? Seems counterintuitive from a security perspective.
 
I realize the admin user is hardcoded for router management but should it be allowed for remote VPN access? Seems counterintuitive from a security perspective.
It was originally done that way, and reverting this now would break countless installs which are relying on this user for remote access.

I don't see that as a problem, since the router admin would be expected to be managing that router, and therefore have complete unrestricted access to it anyway.
 
I don't see that as a problem, since the router admin would be expected to be managing that router, and therefore have complete unrestricted access to it anyway.
I think it is different though, because the router admin has complete unrestricted access to the router from the LAN side. It is optional whether SSH or Web access is allowed from the WAN side (but here strongly discouraged), so it would be consistent to allow one to add the admin user as a VPN user but not always an allowed user that can't be deleted.

Particularly important if one were going to allow user/password only access, also strongly discouraged.

I suspect that many people have hard passwords for VPN access from the Wild Wild West, but maybe a softer password for logging into the router from the LAN only.
 
I suspect that many people have hard passwords for VPN access from the Wild Wild West, but maybe a softer password for logging into the router from the LAN only.
OpenVPN requires more than just a username and a password, it also requires a certificate signed by the router's CA.
 
