I’ve written the following alias to start an openvpn client more easily than before:
sudo bash -c 'cd OPVN_CONFIGS_DIR && ccrypt --cat _auth.conf.cpt | openvpn --config waw-001.ovpn --auth-user-pass /dev/stdin'
OPVN_CONFIGS_DIR is located in a synced folder (let's say Dropbox for simplicity).
bash -c rather than a simple expansion because this is sometimes run in fish shell.
The options I had before:
- auth-user-pass to store my username + password in clear text. Looks to be the default option with openvpn but seems like a bad idea in general and even more so in my case since the secrets would be stored in a synced folder.
- Enter my openvpn username and password every time which is a pain since the password is a very long random string. I cannot set a password myself, only reset it to another, just as long, random string. (and I’m not comfortable using a CLI password manager that stores passwords in the clipboard like passwordstore.org does)
My issue is that with the previous command openvpn complains about the following:
WARNING: file '/dev/stdin' is group or others accessible
- What are the implications of this warning?
- What is the ‘group’ mentioned in the warning? The
- Is there a better way to manage secrets on the client side with openvpn?