Use alternate Openvpn configuration:

- Remove dh parameters (server side only)
- Remove cert data
- Remove key data and `KEY_PASSPHRASE`, encrypted private key

internal/configuration/settings/openvpn.go

@@ -49,15 +49,6 @@ type OpenVPN struct {
 	// It can be set to the empty string to be ignored.
 	// It cannot be nil in the internal state.
 	ClientKey *string
-	// EncryptedPrivateKey is the content of an encrypted
-	// private key for OpenVPN. It defaults to the empty string
-	// meaning it is not to be used. KeyPassphrase must be set
-	// if this one is set.
-	EncryptedPrivateKey *string
-	// KeyPassphrase is the key passphrase to be used by OpenVPN
-	// to decrypt the EncryptedPrivateKey. It defaults to the
-	// empty string and must be set if EncryptedPrivateKey is set.
-	KeyPassphrase *string
 	// PIAEncPreset is the encryption preset for
 	// Private Internet Access. It can be set to an
 	// empty string for other providers.
@@ -123,11 +114,6 @@ func (o OpenVPN) validate(vpnProvider string) (err error) {
 		return fmt.Errorf("client key: %w", err)
 	}
 
-	err = validateOpenVPNEncryptedPrivateKey(vpnProvider, *o.EncryptedPrivateKey)
-	if err != nil {
-		return fmt.Errorf("encrypted private key: %w", err)
-	}
-
 	const maxMSSFix = 10000
 	if *o.MSSFix > maxMSSFix {
 		return fmt.Errorf("%w: %d is over the maximum value of %d",
@@ -215,42 +201,23 @@ func validateOpenVPNClientKey(vpnProvider, clientKey string) (err error) {
 	return nil
 }
 
-func validateOpenVPNEncryptedPrivateKey(vpnProvider,
-	encryptedPrivateKey string) (err error) {
-	if vpnProvider == providers.VPNSecure && encryptedPrivateKey == "" {
-		return ErrMissingValue
-	}
-
-	if encryptedPrivateKey == "" {
-		return nil
-	}
-
-	_, err = extract.PEM([]byte(encryptedPrivateKey))
-	if err != nil {
-		return fmt.Errorf("extracting encrypted PEM private key: %w", err)
-	}
-
-	return nil
-}
-
 func (o *OpenVPN) copy() (copied OpenVPN) {
 	return OpenVPN{
-		Version:             o.Version,
-		User:                o.User,
-		Password:            o.Password,
-		ConfFile:            helpers.CopyStringPtr(o.ConfFile),
-		Ciphers:             helpers.CopyStringSlice(o.Ciphers),
-		Auth:                helpers.CopyStringPtr(o.Auth),
-		ClientCrt:           helpers.CopyStringPtr(o.ClientCrt),
-		ClientKey:           helpers.CopyStringPtr(o.ClientKey),
-		EncryptedPrivateKey: helpers.CopyStringPtr(o.EncryptedPrivateKey),
-		PIAEncPreset:        helpers.CopyStringPtr(o.PIAEncPreset),
-		IPv6:                helpers.CopyBoolPtr(o.IPv6),
-		MSSFix:              helpers.CopyUint16Ptr(o.MSSFix),
-		Interface:           o.Interface,
-		ProcessUser:         o.ProcessUser,
-		Verbosity:           helpers.CopyIntPtr(o.Verbosity),
-		Flags:               helpers.CopyStringSlice(o.Flags),
+		Version:      o.Version,
+		User:         o.User,
+		Password:     o.Password,
+		ConfFile:     helpers.CopyStringPtr(o.ConfFile),
+		Ciphers:      helpers.CopyStringSlice(o.Ciphers),
+		Auth:         helpers.CopyStringPtr(o.Auth),
+		ClientCrt:    helpers.CopyStringPtr(o.ClientCrt),
+		ClientKey:    helpers.CopyStringPtr(o.ClientKey),
+		PIAEncPreset: helpers.CopyStringPtr(o.PIAEncPreset),
+		IPv6:         helpers.CopyBoolPtr(o.IPv6),
+		MSSFix:       helpers.CopyUint16Ptr(o.MSSFix),
+		Interface:    o.Interface,
+		ProcessUser:  o.ProcessUser,
+		Verbosity:    helpers.CopyIntPtr(o.Verbosity),
+		Flags:        helpers.CopyStringSlice(o.Flags),
 	}
 }
 
@@ -265,7 +232,6 @@ func (o *OpenVPN) mergeWith(other OpenVPN) {
 	o.Auth = helpers.MergeWithStringPtr(o.Auth, other.Auth)
 	o.ClientCrt = helpers.MergeWithStringPtr(o.ClientCrt, other.ClientCrt)
 	o.ClientKey = helpers.MergeWithStringPtr(o.ClientKey, other.ClientKey)
-	o.EncryptedPrivateKey = helpers.MergeWithStringPtr(o.EncryptedPrivateKey, other.EncryptedPrivateKey)
 	o.PIAEncPreset = helpers.MergeWithStringPtr(o.PIAEncPreset, other.PIAEncPreset)
 	o.IPv6 = helpers.MergeWithBool(o.IPv6, other.IPv6)
 	o.MSSFix = helpers.MergeWithUint16(o.MSSFix, other.MSSFix)
@@ -287,7 +253,6 @@ func (o *OpenVPN) overrideWith(other OpenVPN) {
 	o.Auth = helpers.OverrideWithStringPtr(o.Auth, other.Auth)
 	o.ClientCrt = helpers.OverrideWithStringPtr(o.ClientCrt, other.ClientCrt)
 	o.ClientKey = helpers.OverrideWithStringPtr(o.ClientKey, other.ClientKey)
-	o.EncryptedPrivateKey = helpers.OverrideWithStringPtr(o.EncryptedPrivateKey, other.EncryptedPrivateKey)
 	o.PIAEncPreset = helpers.OverrideWithStringPtr(o.PIAEncPreset, other.PIAEncPreset)
 	o.IPv6 = helpers.OverrideWithBool(o.IPv6, other.IPv6)
 	o.MSSFix = helpers.OverrideWithUint16(o.MSSFix, other.MSSFix)
@@ -307,7 +272,6 @@ func (o *OpenVPN) setDefaults(vpnProvider string) {
 	o.Auth = helpers.DefaultStringPtr(o.Auth, "")
 	o.ClientCrt = helpers.DefaultStringPtr(o.ClientCrt, "")
 	o.ClientKey = helpers.DefaultStringPtr(o.ClientKey, "")
-	o.EncryptedPrivateKey = helpers.DefaultStringPtr(o.EncryptedPrivateKey, "")
 
 	var defaultEncPreset string
 	if vpnProvider == providers.PrivateInternetAccess {
@@ -352,10 +316,6 @@ func (o OpenVPN) toLinesNode() (node *gotree.Node) {
 		node.Appendf("Client key: %s", helpers.ObfuscateData(*o.ClientKey))
 	}
 
-	if *o.EncryptedPrivateKey != "" {
-		node.Appendf("Encrypted private key: %s", helpers.ObfuscateData(*o.ClientKey))
-	}
-
 	if *o.PIAEncPreset != "" {
 		node.Appendf("Private Internet Access encryption preset: %s", *o.PIAEncPreset)
 	}

internal/configuration/sources/env/openvpn.go

@@ -40,8 +40,6 @@ func (r *Reader) readOpenVPN() (
 		return openVPN, fmt.Errorf("environment variable OPENVPN_CLIENTKEY: %w", err)
 	}
 
-	openVPN.KeyPassphrase = r.readOpenVPNKeyPassphrase()
-
 	openVPN.PIAEncPreset = r.readPIAEncryptionPreset()
 
 	openVPN.IPv6, err = envToBoolPtr("OPENVPN_IPV6")
@@ -85,15 +83,6 @@ func (r *Reader) readOpenVPNPassword() (password string) {
 	return password
 }
 
-func (r *Reader) readOpenVPNKeyPassphrase() (passphrase *string) {
-	passphrase = new(string)
-	*passphrase = getCleanedEnv("OPENVPN_KEY_PASSPHRASE")
-	if *passphrase == "" {
-		return nil
-	}
-	return passphrase
-}
-
 func readBase64OrNil(envKey string) (valueOrNil *string, err error) {
 	value := getCleanedEnv(envKey)
 	if value == "" {

internal/configuration/sources/files/openvpn.go

@@ -11,7 +11,6 @@ const (
 	OpenVPNClientKeyPath = "/gluetun/client.key"
 	// OpenVPNClientCertificatePath is the OpenVPN client certificate filepath.
 	OpenVPNClientCertificatePath = "/gluetun/client.crt"
-	openVPNEncryptedPrivateKey   = "/gluetun/encrypted-private-key"
 )
 
 func (r *Reader) readOpenVPN() (settings settings.OpenVPN, err error) {
@@ -25,10 +24,5 @@ func (r *Reader) readOpenVPN() (settings settings.OpenVPN, err error) {
 		return settings, fmt.Errorf("client certificate: %w", err)
 	}
 
-	settings.EncryptedPrivateKey, err = ReadFromFile(openVPNEncryptedPrivateKey)
-	if err != nil {
-		return settings, fmt.Errorf("cannot read client encrypted private key: %w", err)
-	}
-
 	return settings, nil
 }

internal/provider/utils/openvpn.go

@@ -193,13 +193,6 @@ func OpenVPNConfig(provider OpenVPNProviderSettings,
 		lines.addLines(WrapOpenvpnDHParameters(provider.DHParameters))
 	}
 
-	if *settings.EncryptedPrivateKey != "" {
-		lines.add("askpass", openvpn.AskPassPath)
-		keyData, err := extract.PEM([]byte(*settings.EncryptedPrivateKey))
-		panicOnError(err, "cannot extract PEM of encrypted private key")
-		lines.addLines(WrapOpenvpnEncryptedKey(keyData))
-	}
-
 	if *settings.ClientCrt != "" {
 		certData, err := extract.PEM([]byte(*settings.ClientCrt))
 		panicOnError(err, "cannot extract client crt")

internal/provider/vpnsecure/openvpnconf.go

@@ -19,9 +19,7 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 			"comp-lzo",
 			"float",
 		},
-		CA:           "MIIEJjCCAw6gAwIBAgIJAMkzh6p4m6XfMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMITmV3IFlvcmsxFTATBgNVBAoTDHZwbnNlY3VyZS5tZTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEB2cG5zZWN1cmUubWUwIBcNMTcwNTA2MTMzMTQyWhgPMjkzODA4MjYxMzMxNDJaMGkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMITmV3IFlvcmsxFTATBgNVBAoTDHZwbnNlY3VyZS5tZTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEB2cG5zZWN1cmUubWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiClT1wcZ6oovYjSxUJIQplrBSQRKB44uymC8evohzK7q67x0NE2sLz5Zn9ZiC7RnXQCtEqJfHqjuqjaH5MghjhUDnRbZS/8ElxdGKn9FPvs9b+aTVGSfrQm5KKoVigwAye3ilNiWAyy6MDlBeoKluQ4xW7SGiVZRxLcJbLAmjmfCjBS7eUGbtA8riTkIegFo4WFiy9G76zQWw1V26kDhyzcJNT4xO7USMPUeZthy13g+zi9+rcILhEAnl776sIil6w8UVK8xevFKBlOPk+YyXlo4eZiuppq300ogaS+fX/0mfD7DDE+Gk5/nCeACDNiBlfQ3ol/De8Cm60HWEUtZVAgMBAAGjgc4wgcswHQYDVR0OBBYEFBJyf4mpGT3dIu65/1zAFqCgGxZoMIGbBgNVHSMEgZMwgZCAFBJyf4mpGT3dIu65/1zAFqCgGxZooW2kazBpMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMRUwEwYDVQQKEwx2cG5zZWN1cmUubWUxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAdnBuc2VjdXJlLm1lggkAyTOHqnibpd8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEArbTAibGQilY4Lu2RAVPjNx14SfojueBroeN7NIpAFUfbifPQRWvLamzRfxFTO0PXRc2pw/It7oa8yM7BsZj0vOiZY2p1JBHZwKom6tiSUVENDGW6JaYtiaE8XPyjfA5Yhfx4FefmaJ1veDYid18S+VVpt+Y+UIUxNmg1JB3CCUwbjl+dWlcvDBy4+jI+sZ7A1LF3uX64ZucDQ/XrpuopHhvDjw7g1PpKXsRqBYL+cpxUI7GrINBa/rGvXqv/NvFH8bguggknWKxKhd+jyMqkW3Ws258e0OwHz7gQ+tTJ909tR0TxJhZGkHatNSbpwW1Y52A972+9gYJMadSfm4bUHA==", //nolint:lll
-		Cert:         "MIIC9jCCAd6gAwIBAgICaUgwDQYJKoZIhvcNAQELBQAwaTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMREwDwYDVQQHEwhOZXcgWW9yazEVMBMGA1UEChMMdnBuc2VjdXJlLm1lMSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QHZwbnNlY3VyZS5tZTAiGA8yMDIxMTAxNzEwMzEyNVoYDzIwMzEwMTAzMTAzMTI1WjBXMQswCQYDVQQGEwJVUzEPMA0GA1UECwwGT2ZmaWNlMRMwEQYDVQQDDApzdW5pbHdvb2RzMRUwEwYDVQQKDAx2cG5zZWN1cmUubWUxCzAJBgNVBAgMAk5ZMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkyNu1EDFWAoThW6hOPA7XNVAFhmeba+bzd1BFWvQgQo+c3U+tWxDorOv0CRM13hjDXK0DL0PIaEzXLp5B911AJoj1WAkBsc6KKYz0bBFc3waRAzXpn1zcSX0e3wh/A1KIJiXPFCzBRiaSHyFNjpE24ofyO1cTw3T5HnNNWExMoQIDAQABozowODAMBgNVHRMBAf8EAjAAMCgGCWCGSAGG+EIBDQQbFhlDcmVhdGVkIHdpdGggdnBuc2kgMC40LjE2MA0GCSqGSIb3DQEBCwUAA4IBAQDKJwjjYR9/l4ynxw98E9BC58Odj+383fMsoODxoJmADg4WtQ/GrteahlgYXTZK/YPBeO9WVHi1zSN3FZh55IRtatDHxHYI6PLxOrmulRCDxMrUoHY8Vyp6fP5sXhYt3iE9mEAVpSjdMCnR4w6lzhp7dBOoOXw5WvyWOUnoKffesW5/3UtCimTBhTQ/d63liaPND1qn4f/Q54oaSs7A7MTxYYWvw6K41QnDNmao+SsHbRTYntyBeF+L4WqmPVXbDIsDdBed2hVqBlLTvMmvsdxnKOIbX+oPdiV+Cb7CGWw/MS5rLpDm0Ncf2JoPzgb+ZiHdfcTJ41Lq8394ooL0Stbo",                                                                                                                                                                                                                                                                                                                                                                                                                         //nolint:lll
-		DHParameters: "MIIBCAKCAQEA2nIBfOf2HCXLv7+mhRxldAcCSTS53F856erWjbqt2E9Q9+7kikDJw4J/AbT5oSu4BqPHfxYZjO/t7W2ihHsH68utBehpaPNRG864NzsbPb8yA5BOb9uJK2gxJ0558bhIHOvxQ3/ypqOxQlnMt/rvdzdU3BBFE1TQ4N15aB2CxVJRQUjR/ANinv6H4htlRcapei/aaOe99xWeEqmN8E3OwlPDdHE+uqJOU9/erQ3gZKeHRS/RUvN4H/s1o941TMbGbAPog+9wf5coA6P1o7uuHto3/phGHYSN8Na01eWOoNHPhwhgZqoBWmhQNX3NlRgENcpwGUS308gwrtT/BDKyuwIBAg==",                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         //nolint:lll
+		CA: "MIIEJjCCAw6gAwIBAgIJAMkzh6p4m6XfMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMITmV3IFlvcmsxFTATBgNVBAoTDHZwbnNlY3VyZS5tZTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEB2cG5zZWN1cmUubWUwIBcNMTcwNTA2MTMzMTQyWhgPMjkzODA4MjYxMzMxNDJaMGkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMITmV3IFlvcmsxFTATBgNVBAoTDHZwbnNlY3VyZS5tZTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEB2cG5zZWN1cmUubWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiClT1wcZ6oovYjSxUJIQplrBSQRKB44uymC8evohzK7q67x0NE2sLz5Zn9ZiC7RnXQCtEqJfHqjuqjaH5MghjhUDnRbZS/8ElxdGKn9FPvs9b+aTVGSfrQm5KKoVigwAye3ilNiWAyy6MDlBeoKluQ4xW7SGiVZRxLcJbLAmjmfCjBS7eUGbtA8riTkIegFo4WFiy9G76zQWw1V26kDhyzcJNT4xO7USMPUeZthy13g+zi9+rcILhEAnl776sIil6w8UVK8xevFKBlOPk+YyXlo4eZiuppq300ogaS+fX/0mfD7DDE+Gk5/nCeACDNiBlfQ3ol/De8Cm60HWEUtZVAgMBAAGjgc4wgcswHQYDVR0OBBYEFBJyf4mpGT3dIu65/1zAFqCgGxZoMIGbBgNVHSMEgZMwgZCAFBJyf4mpGT3dIu65/1zAFqCgGxZooW2kazBpMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxETAPBgNVBAcTCE5ldyBZb3JrMRUwEwYDVQQKEwx2cG5zZWN1cmUubWUxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAdnBuc2VjdXJlLm1lggkAyTOHqnibpd8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEArbTAibGQilY4Lu2RAVPjNx14SfojueBroeN7NIpAFUfbifPQRWvLamzRfxFTO0PXRc2pw/It7oa8yM7BsZj0vOiZY2p1JBHZwKom6tiSUVENDGW6JaYtiaE8XPyjfA5Yhfx4FefmaJ1veDYid18S+VVpt+Y+UIUxNmg1JB3CCUwbjl+dWlcvDBy4+jI+sZ7A1LF3uX64ZucDQ/XrpuopHhvDjw7g1PpKXsRqBYL+cpxUI7GrINBa/rGvXqv/NvFH8bguggknWKxKhd+jyMqkW3Ws258e0OwHz7gQ+tTJ909tR0TxJhZGkHatNSbpwW1Y52A972+9gYJMadSfm4bUHA==", //nolint:lll
 	}
 	return utils.OpenVPNConfig(providerSettings, connection, settings)
 }

internal/vpn/openvpn.go

@@ -34,13 +34,6 @@ func setupOpenVPN(ctx context.Context, fw Firewall,
 		}
 	}
 
-	if *settings.OpenVPN.KeyPassphrase != "" {
-		err := openvpnConf.WriteAskPassFile(*settings.OpenVPN.KeyPassphrase)
-		if err != nil {
-			return nil, "", fmt.Errorf("writing askpass file: %w", err)
-		}
-	}
-
 	if err := fw.SetVPNConnection(ctx, connection, settings.OpenVPN.Interface); err != nil {
 		return nil, "", fmt.Errorf("failed allowing VPN connection through firewall: %w", err)
 	}