OpenVPN issues with updating the VPN configuration

We have many RBs at customer locations in the US that we can access ONLY via the OpenVPN SSL connection.
These systems have been running well for many months.
When we update the configuration by downloading and restoring a backup file we need to decrypt the certificates to get the VPN back online.
We need to decrypt the certificate with a blank passphrase somehow.
This can’t be done while the VPN is active (our only access) and I see no way to script or API the decrypt step via the OpenVPN connection.

Is there ANY way around this problem? I don’t want to send people on airplanes to run Winbox locally at customer sites.

thanks

A workaround would be to create some other tunnel that does not require a certificate. To ensure encryption of the link, you can create an SSH tunnel to the board, to the Winbox/telnet or even SSH (overkill) port, and log in to the router through the SSH tunnel; that will encrypt all the traffic. Or use Winbox in secure mode over the L2TP or PPTP tunnel.

Thanks for the prompt response.
I feared that this would be the answer but I was hoping for something better.
We currently have a good API and script-based method via the VPN, but it fails if the VPN requires certs.
Our current method uses the API to download a new backup file that has a special “watchdog style” script that reloads the old backup if the new one does not get properly connected in the 10-minute time limit.

We can only hope for some way to decrypt the cert via a script in the future.

Thanks

As I see it, the API and SSH rely only on TCP (Layer 4) and, to a lesser extent, on IP (Layer 3). Changing the tunnel will not change Layer 4, and changes to Layer 3 should be easily adjusted.