From 6c91726eaf52005239b2f8640144e7abb714a8aa Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Mon, 10 Oct 2022 22:12:15 -0400 Subject: [PATCH] Forget passwords while stopping persistent connections In case of persistent connections, openvpn.exe is still running after a disconnect, and another user can restart it without needing credentials using cached passwords. Avoid this by sending "forget-passwords" to the management interface before disconnect. Only persistent connections are affected. In openvpn.exe versions >= 2.5.8, this will also clear cached auth_token, if present. Signed-off-by: Selva Nair --- openvpn.c | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn.c b/openvpn.c index c5435fa..b3c2d71 100644 --- a/openvpn.c +++ b/openvpn.c @@ -1809,6 +1809,7 @@ DisconnectDaemon(connection_t *c) { if (c->manage.connected > 1) /* connected and ready for input */ { + ManagementCommand(c, "forget-passwords", NULL, regular); ManagementCommand(c, "hold on", NULL, regular); ManagementCommand(c, "signal SIGHUP", NULL, regular); }
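Review bot: the added `ManagementCommand(c, "forget-passwords", NULL, regular);` in DisconnectDaemon() sits inside the `if (c->manage.connected > 1)` guard, so cached credentials are only cleared when the management connection is already ready for input. If that condition is false, nothing in this hunk clears them, and the scenario in the commit message (another user restarting the still-running openvpn.exe with cached passwords) is not visibly covered. Please confirm that path cannot leave a persistent daemon with cached credentials, or handle it explicitly. Nothing in the hunk checks the outcome of the command before `hold on` and `signal SIGHUP` are sent, so a failed or ignored `forget-passwords` goes unnoticed. Logging a failure would help here. The line would also benefit from a short comment saying why it must precede the SIGHUP and that, per the commit message, a cached auth_token is only cleared by openvpn.exe versions >= 2.5.8, so older daemons may still hold a token after disconnect.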