22

I am changing a user's laptop and they have saved their username and password in the OpenVPN GUI. Naturally they don't know their password because they entered it a while back and clicked "save password". Is there any way to recover these details so that I can migrate them to the new laptop without having to get the VPN account reset (which would be quite a lot more difficult than it should be!)?

Both laptops are Windows 10.

I have copied the .ovpn, p12 and .key files over but the GUI still prompts for the username and password. There is no password text file inside the config directory (under OpenVPN under Program Files).

I've searched the registry too but couldn't find the info there.

EDIT: To be clear I don't actually need to "recover" the password. If it is encrypted in a registry key for example, that is fine, I could export the key from the old laptop and import it on the new one. I need to find a way to copy the details from laptop1 to laptop2.

Baldrick
  • 554

5 Answers

32

The Powershell script in this link gets the password for me: OpenVPN Password Recovery

The registry names on my computer are a bit different; my version:

$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}

foreach ($item in $items) {
    $encryptedbytes = $item.'auth-data'
    $entropy = $item.'entropy'
    # Drop the last byte of the stored entropy before using it
    $entropy = $entropy[0..(($entropy.Length)-2)]

    # DPAPI decryption; only succeeds for the user who saved the password
    $decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $encryptedBytes,
        $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

    Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
}

You may also need to execute Add-Type -AssemblyName System.Security in PowerShell to make it work.

Edit: on Windows 10, OpenVPN v11.9, $encryptedbytes=$item.'key-data'

Alex
  • 421
20

Per the OpenVPN GUI source code, saved passwords are stored in the registry under HKCU\Software\OpenVPN-GUI\configs.

JW0914
  • 9,096
3

My version is working on Windows 10/11 x64. It requires no Admin rights after executing the following commands:

Set-ExecutionPolicy RemoteSigned
Add-Type -AssemblyName System.Security
#openvpn-password-recovery.ps1

$keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
$items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}

foreach ($item in $items) {
    Write-Host ($item.'PSChildName')
    $username = $encryptedbytes = $item.'username'
    Write-Host ([System.Text.Encoding]::Unicode.GetString($username))

    $encryptedbytes = $item.'auth-data'
    $entropy = $item.'entropy'
    $entropy = $entropy[0..(($entropy.Length)-2)]

    $decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $encryptedBytes,
        $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

    Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
    Write-Host (' ')
}

2

I had the same problem after migrating from Windows 10 with a corporate OpenVPN config to a Windows 11 workplace. The scripts in this thread did not help me, so I made my own. Maybe this will help someone else... Just replace the registry path in Get-ItemPropertyValue with your stored path and run this script in a PowerShell window... Working in Windows 10 x64, OpenVPN 2.4.9

$keyBinEncrupted = Get-ItemPropertyValue 'HKCU:\SOFTWARE\OpenVPN-GUI\configs\corpnet' 'key-data'
$entropyBin = Get-ItemPropertyValue 'HKCU:\SOFTWARE\OpenVPN-GUI\configs\corpnet' 'entropy'
$entropyBin = $entropyBin[0..(($entropyBin.Length)-2)]

$keyBinDecrupted = [System.Security.Cryptography.ProtectedData]::Unprotect( $keyBinEncrupted, $entropyBin, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)

Write-Host ([System.Text.Encoding]::Unicode.GetString($keyBinDecrupted))

0

Adding to the answer from Alex:

You can also easily extract the username as well if required by adding the following two lines:

$username=$encryptedbytes=$item.'username'
Write-Host ([System.Text.Encoding]::Unicode.GetString($username))

Also note that depending on your PowerShell config, you might need to run the following two commands first before the script can work (to allow scripts and enable the security types needed for the decryption process):

set-executionpolicy remotesigned 
Add-Type -AssemblyName System.Security
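
An added example, not taken from any of the posts above: once the credentials have been moved, the old laptop still holds the saved blobs under the registry path quoted in the answers. The function below (the name Get-OpenVpnGuiSavedSecret and its -Remove switch are made up for this example) lists which profiles hold a saved `auth-data` or `key-data` value without decrypting anything, and can clear them.

```powershell
# Added example: inventory, and optionally clear, passwords saved by OpenVPN GUI
# for the current user. Nothing is decrypted here.
# The registry path and value names are the ones used in the answers above;
# the function name and the -Remove switch are hypothetical.
function Get-OpenVpnGuiSavedSecret {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ConfigsPath = 'HKCU:\Software\OpenVPN-GUI\configs',
        [switch]$Remove
    )
    # Which of these exists depends on the GUI version (see the edit in Alex's answer).
    $secretNames = 'auth-data', 'key-data'

    if (-not (Test-Path -LiteralPath $ConfigsPath)) {
        Write-Verbose "No OpenVPN GUI config key at $ConfigsPath"
        return
    }

    foreach ($key in Get-ChildItem -LiteralPath $ConfigsPath) {
        # Value names actually present under this profile's key
        $present = $key.GetValueNames()
        $secrets = @($secretNames | Where-Object { $present -contains $_ })

        # One report row per connection profile
        [pscustomobject]@{
            Profile      = $key.PSChildName
            SavedSecrets = $secrets -join ', '
            HasUsername  = $present -contains 'username'
            HasEntropy   = $present -contains 'entropy'
        }

        if ($Remove) {
            foreach ($name in $secrets) {
                # Honours -WhatIf and -Confirm
                if ($PSCmdlet.ShouldProcess("$($key.PSChildName)\$name", 'Remove saved value')) {
                    Remove-ItemProperty -LiteralPath $key.PSPath -Name $name
                }
            }
        }
    }
}

# Report only:
Get-OpenVpnGuiSavedSecret | Format-Table -AutoSize
# Clear the saved blobs on a laptop being retired (preview first with -WhatIf):
# Get-OpenVpnGuiSavedSecret -Remove -WhatIf
```

It runs as the user who saved the passwords, because the values live in that user's HKCU hive.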