From mboxrd@z Thu Jan  1 00:00:00 1970
From: Joshua Branson via Bug reports for GNU Guix <bug-guix@gnu.org>
Subject: bug#39660: openvpn-client-service does not support auth-user-pass
Date: Tue, 18 Feb 2020 09:43:22 -0500
Message-ID: <86pnec9cs5.fsf@dismail.de>
Reply-To: Joshua Branson <jbranso@dismail.de>
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane-mx.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:59019)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1j446V-0003H4-B9
 for bug-guix@gnu.org; Tue, 18 Feb 2020 09:44:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1j446U-0001RE-38
 for bug-guix@gnu.org; Tue, 18 Feb 2020 09:44:03 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:33795)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1j446U-0001R6-08
 for bug-guix@gnu.org; Tue, 18 Feb 2020 09:44:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1j446T-0001AH-Tc
 for bug-guix@gnu.org; Tue, 18 Feb 2020 09:44:01 -0500
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.39660.B.15820370174434@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:58980)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <jbranso@dismail.de>) id 1j4461-0003GS-7m
 for bug-guix@gnu.org; Tue, 18 Feb 2020 09:43:34 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <jbranso@dismail.de>) id 1j4460-000196-0p
 for bug-guix@gnu.org; Tue, 18 Feb 2020 09:43:33 -0500
Received: from mx1.dismail.de ([78.46.223.134]:16053)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <jbranso@dismail.de>) id 1j445z-00016E-F8
 for bug-guix@gnu.org; Tue, 18 Feb 2020 09:43:31 -0500
Received: from mx1.dismail.de (localhost [127.0.0.1])
 by mx1.dismail.de (OpenSMTPD) with ESMTP id 14f9fdf7
 for <bug-guix@gnu.org>; Tue, 18 Feb 2020 15:43:26 +0100 (CET)
Received: from smtp1.dismail.de (<unknown> [10.240.26.11])
 by mx1.dismail.de (OpenSMTPD) with ESMTP id fb37472c
 for <bug-guix@gnu.org>; Tue, 18 Feb 2020 15:43:26 +0100 (CET)
Received: from smtp1.dismail.de (localhost [127.0.0.1])
 by smtp1.dismail.de (OpenSMTPD) with ESMTP id 90645ab1
 for <bug-guix@gnu.org>; Tue, 18 Feb 2020 15:43:26 +0100 (CET)
Received: by dismail.de (OpenSMTPD) with ESMTPSA id 1e4d07e4
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <bug-guix@gnu.org>;
 Tue, 18 Feb 2020 15:43:25 +0100 (CET)
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane-mx.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane-mx.org@gnu.org>
To: 39660@debbugs.gnu.org


Hello,

I recently bought a vpn service from expressvpn.  They have a closed
source app to connect, but of course we do not want to use that.
Luckily, they allow a manual connection via openvpn.  I downloaded
their script to manually connect.  It looks like they require all
manual connections to authenticate via a username and password.

Their support team told me that the manually connection must
authenticate via a username and password.  They do not support any
other manual connection.  Guix's openvpn-client-service does not
support authenticating via a username and password.

According to this forum thread
(https://forums.openvpn.net/viewtopic.php?t=11342), I was able to
manually connect to expressvpn.  via "sudo expressvpn
my_expressvpn_<countryname>.ovpn". by changing

"auth-user-pass" to "auth-user-pass login.conf".

login.conf looks like

#+BEGIN_SRC text
username
password
#+END_SRC

The express vpn file that I downloaded looks like this:

#+BEGIN_SRC text
dev tun
fast-io
persist-key
persist-tun
nobind
remote someaddress.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass login.conf

<cert>
-----BEGIN CERTIFICATE-----
secret info
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
secret info
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
secret info
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
secret info
-----END CERTIFICATE-----
</ca>
#+END_SRC

A solution would be to modify our current openvpn-client-service to
allow authentication via a username and password, or to supply a
configuration file.

Also it looks like expressvpn may one day move to wireguard:

https://www.expressvpn.com/blog/expressvpn-wireguard-update/


I hope this helps!

Thanks,

Joshua