Re: [Openvpn-devel] Help testing OpenVPN 2.2-rc Windows installer?

[Carsten Krüger]

Hello,

> The issue was that the installer did not install msvcr90.dll - that's
> now fixed.

I haven't checked how the installer does it, but there is a standard
procedure to do this!
http://support.microsoft.com/kb/326922/en-us

Why it should be done correctly: http://en.wikipedia.org/wiki/DLL_hell

Additionally good windows software is designed to meet criteria of
windows logo program, even if you don't want to certify it.

The Windows 7 Software Logo Program
http://msdn.microsoft.com/en-us/windows/dd203105.aspx

greetings
Carsten

Re: [Openvpn-devel] [PATCH 00/13] Fix remaining major issues with Python-based buildsystem

[Carsten Krüger]

> - embedding manifest files to the executables and DLLs

could be easily included:
http://msdn.microsoft.com/en-us/library/ms235591(v=vs.80).aspx

greetings
Carsten

Re: [Openvpn-devel] [PATCH] Change the default --tmp-dir path to a more suitable path

[Carsten Krüger]

Hello David,

> On Windows, it will look up %TEMP% and %TMP% first, and if that doesn't give 
> any clues, it
> will fallback to C:\WINDOWS\Temp in the end.

I think that's not the right location.

Use
http://msdn.microsoft.com/en-us/library/system.environment.getfolderpath.aspx

with this constant
CSIDL_LOCAL_APPDATA to locate system/language independant:
"C:\Documents and Settings\username\Local Settings\Application Data"
http://msdn.microsoft.com/en-us/library/bb762494.aspx
and than create OpenVPN\temp at this location.

Windows has no special temp location that is "allowed" from MS.

greetings
Carsten

Re: [Openvpn-devel] Summary of the IRC meeting (14th Apr 2011)

[Carsten Krüger]

Hello Samuli,

> release: this avoids having to sign the TAP-drivers again due to such a
> trivial change.

Release signing is trivial, too.
No need to circumvent it, it's easy to automate.

How to Release-Sign File System Drivers
http://msdn.microsoft.com/en-us/windows/hardware/gg487543.aspx

greetings
Carsten

Re: [Openvpn-devel] OemWin2k.inf specify network adapter name

[Carsten Krüger]

> As long as you're taking comments from the clueless I'll chime in.
> It sounds like one of those things that can be changed in
> the registry which means to me it's something that the installer
> should do.  But then I'm clueless when it comes to MS Windows
> so this is just a guess.

Registry is the wrong way, I think.

With powershell it's easy to rename:
http://blogs.technet.com/b/heyscriptingguy/archive/2005/05/11/how-can-i-rename-a-local-area-connection.aspx

greetings
Carsten

Re: [Openvpn-devel] First Windows installer snapshot now available

[Carsten Krüger]

Hello Samuli,


> Here's another OpenVPN 2.3 pre-alpha installer which uses Heiko's new
> Windows GUI[1]:
> 
> It is more modern (e.g. uses the management interface),

Does establishing a VPN connection now works without administrator
privileges (or to be more precise Network Configuration Operators
membership)?

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Samuli,

> The OpenVPN community project team is proud to release OpenVPN
> 2.3-alpha1. It can be downloaded from here:

> 

> This release includes a few new major features:

>  * Complete IPv6 support, both transport and payload
>  * Optional PolarSSL support (build time configuration)
>  * Improved plug-in API (v3) which can more easily be expanded in the
>future: includes support for direct access to X.509 certificate data in
>plug-ins
>  * Several improvements to the management interface
>  * One-to-one NAT to circumvent IP address conflicts between local and
>remote networks
>  * New OpenVPN-GUI

Are there any chances to get full non-admin support for windows in version 2.3 
final?

I mean strict seperation between OpenVPN service running with local system
privileges (can modify routes, etc.) and usermode part (command line, maybe 
GUI) that
interacts with user (start/stop tunnel, ask for passphrase, pin for smartcard, 
etc.).

In companies that have security in mind it's impossible to allow
roadwarriors to connect via openvpn because they would need admin
privileges.
Give them only the privilege to start/stop the openvpn service didn't help 
because they can't supply credentials.

I'm complaining about this show stoppper for ~4 years :-(

I personally like openvpn very much and would like to deploy it for
our users but I've to buy Cisco because the windows client is better.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Alon,

ABL> This is *THE* missing functionality in Windows environment.
ABL> It seems that nobody interested in developing proper UI using
ABL> management interface for Windows.
ABL> Same goes to proper smartcard support.

Developing the UI (command line) would be trivial but to my knowledge
(I'm reading the mailinglist for last 7 years) there is no management
interface in openvpn that would allow this.

ABL> In Linux I am using OpenVPN using unprivileged user (completely!) the
ABL> daemon runs under my own user, see[1].

With su this is trivial :-)

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello David,

> The solution we've ended up with is a OpenVPN service helper which runs
> some code parts with admin rights and the OpenVPN binary itself
> (openvpn.exe) will run completely unprivileged.  Those two instances will
> communicate via named pipes, to set up the proper routes and other
> networking parameters.

Why named pipes?

Why don't extend this
http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
that it works without admin privileges?

> The time of complaining will come to an end with 2.3 :)  Heiko
> demonstrated his prototype at FOSDEM a few weeks ago.  And it really
> looked very impressive.  But there are some changes to the openvpn code
> base which needs to be applied, in addition to be synced with the GUI
> code base.  So we decided to postpone this particular feature to a later
> alpha release - instead of postponing the first alpha release even more.
>  Just to give Heiko a bit better time to complete his code.  But there
> are so many requesting this feature, we really can't ignore it any more.

> And Heiko is free to flog me if I've said and/or promised too much :)

great 

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello David,

> Have you seen this document?  (management/management-notes.txt)
> 

No.

I connected to management interface and got this:
> Management Interface for OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] 
> built on Dec 15 2011
> Commands:
> auth-retry t   : Auth failure retry mode (none,interact,nointeract).
> bytecount n: Show bytes in/out, update every n secs (0=off).
> echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
> exit|quit  : Close management session.
> forget-passwords   : Forget passwords entered so far.
> help   : Print this message.
> hold [on|off|release]  : Set/show hold flag to on/off state, or
>  release current hold and start tunnel.
> kill cn: Kill the client instance(s) having common name cn.
> kill IP:port   : Kill the client instance connecting from IP:port.
> load-stats : Show global server load stats.
> log [on|off] [N|all]   : Turn on/off realtime log display
>  + show last N lines or 'all' for entire history.
> mute [n]   : Set log mute level to n, or show level if n is 
> absent.
> needok type action : Enter confirmation for NEED-OK request of 'type',
>  where action = 'ok' or 'cancel'.
> needstr type action: Enter confirmation for NEED-STR request of 'type',
>  where action is reply string.
> net: (Windows only) Show network info and routing table.
> password type p: Enter password p for a queried OpenVPN password.
> pid: Show process ID of the current OpenVPN process.
> pkcs11-id-count: Get number of available PKCS#11 identities.
> pkcs11-id-get index: Get PKCS#11 identity at index.
> signal s   : Send signal s to daemon,
>  s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
> state [on|off] [N|all] : Like log, but show state history.
> status [n] : Show current daemon status info using format #n.
> test n : Produce n lines of output for testing/debugging.
> username type u: Enter username u for a queried OpenVPN username.
> verb [n]   : Set log verbosity level to n, or show if n is absent.
> version: Show current version number.
> http-proxy-fallback   [flags] : Enter dynamic HTTP proxy 
> fallback info.
> http-proxy-fallback-disable : Disable HTTP proxy fallback.
> END

I don't see a command to connect openvpn to a host.

I'd like to install openvpn on windows, install it as a service

---mini_client.ovpn
management localhost 7505
remote myremote.mydomain
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
---mini_client.ovpn

and than telnet to localhost 7505 and send something like "connect mini_client"

or if it's more complex
---complex_client.ovpn
management localhost 7505
remote myremote.mydomain
dev tun

client
auth-user-pass

ca ca.pem
---complex_client.ovpn

telnet localhost 7505
connect complex_client
u carsten
p test

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Alon,

> This is *THE* missing functionality in Windows environment.
> It seems that nobody interested in developing proper UI using
> management interface for Windows.
> Same goes to proper smartcard support.

I found that openvpn management interface works as I'd like it.

Add the following lines to client.ovpn

management localhost 1000
management-query-passwords
auth-retry interact
management-hold

and start the service.

Use putty to connect to localhost port 1000, format RAW

|>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
|>HOLD:Waiting for hold release
|hold release
|SUCCESS: hold release succeeded
|>PASSWORD:Need 'Auth' username/password
|username Auth here_comes_my_username
|SUCCESS: 'Auth' username entered, but not yet verified
|password Auth here_comes_my_mypassword
|SUCCESS: 'Auth' password entered, but not yet verified

et voila openvpn connects.

I'd like to cry, how long did this works?

I found this in changelog:
2004.11.28 -- Version 2.0-beta18

* Added management interface.  See new --management-*
  options or the full management interface documentation
  in management/management-notes.txt in the tarball.


greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello,

> et voila openvpn connects.

Use this to disconnect:
|forget-passwords
|SUCCESS: Passwords were forgotten
|signal SIGUSR1
|SUCCESS: signal SIGUSR1 thrown
|>HOLD:Waiting for hold release

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello David,

DS> Heiko can probably give a much better answer, but if I remember right,
DS> the argument was this:  Think of a multi-user setup (like a Terminal
DS> Server), the management interface will be accessible for all users on
DS> that server.

a) Who an earth allows users on a terminal server to create VPN-sessions?
What happens if one of the sessions use redirect gateway?
All users are redirected?

b) you can set a password for management interface

I don't think that this is a valid point.

Privilege seperation in openvnp deamon is nice, but is a complete
different thing than management interface access.

I try to compare it with apache.
Apache on linux need root rights to bind to port below 1024 but it
didn't need to have root privilege to serve a page.
So it's a good idea to use root rights to bind to port 80 and than
serve all pages without root rights.

OpenVPN need root rights on linux/administrator rights on windows
(to be more precise network operator rights) to modify routing tables.

In openvpn case it should be something like this:
openvpnserv.exe running as a service, has no privileges and opens
management interface
openvpnhelpserv.exe running as a service has network operator rights
(no need for local system ...)

openvpnserv and openvpnhelpserv could communicate via pipe.

openvpn-management client (could be a perl script) connects to
management interface of openvpnserv.exe to start/stop a tunnel and
supply secrets.

DS> And how this is implemented, the OpenVPN Service will be started
DS> automatically.  The GUI contacts the Service and the service starts the
DS> OpenVPN process with the privileges of the GUI user (IIRC, it was some
DS> neat Windows functions which allows to create processes with privileges
DS> based upon the user credentials of the other side of the named pipe).

The sounds very bad.
The service shouldn't create processes in the name of the user.

DS> This service should be able to (for now only in theory; it has not been
DS> tested yet) handle more users simultaneously.

Pretty useless, see above

DS> However, the management interface will be used in addition too, at least
DS> in the very beginning, where the logging is transferred back to the GUI
DS> and so on.  I don't recall now all the GUI would do via this interface.

Sounds very weird.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Alon,

> Right. This is long existing feature, just that in Windows people
> expect to work using UI...

I don't expect a UI but usefull documentation.
management-notes.txt isn't even bundled with windows binaries :-(

I use openvpn since version 1 on windows and wasn't aware that the
management interface is working.
Why isn't there at least an example of how to use it?

For example Astaro has a windows client that seems to be not aware of
the management interface.

The guy who wrote http://openvpn.jowisoftware.de/ seems to don't
understand the management interface, too.
He uses the management interface for communication but than spawns
openvpn.exe itself instead of useing the windows service.

I would have deployed openvpn to ~300 employees, if users didn't need
admin privileges.

> Years back I wrote a simple .net to do to this...

Could you please share?
I found that openvpn.exe is extremly unstable on non perfectly friendly
behaving client ...
Now I use the Non-Sucking Service Manager ( http://nssm.cc/ ) instead of 
openvpnserv.exe
to spawn openvpn.exe
It restarts openvpn.exe automatically if it's crashed.

Why is it possible to send "signal SIGTERM" to openvpn.exe via
management interface?
A client could "crash" openvpn on intention.

Why isn't a clear connect/disconnect semantic included?
"hold" and "signal SIGUSR1" ???!!?!?


@openvpn officials:
If non-admin openvpn is working on windows I could have bought OpenVPN Access 
Server instead of Cisco.
I wouldn't like to know how much money OpenVPN Technologies, Inc lost because 
of the lack of good documentation.

Please please please release immediately a minimal command line client (connect,
disconnect, ask for username&password) with example server.conf & client.conf
People have to be aware that it's working!

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Heiko,

> The idea to have the service do the privileged operations instead of just
> starting openvpn as "Local System" (or whatever) came from the fear of
> privilege escalation in the scripts that are run by openvpn.

Scripting is a point, but as long as the administrator installs
openvpn + config + script to a folder that is non writeable for users there
should be no problem.

From hackers point of view (send malicious packets to openvpn client
to exploit a bug) least privileges is a very good idea.

>  So, at least I care that it's not running in privilege mode. Your point is 
> invalid. =P

I created a new user "openvpn", only group membership "network
configuration operator" and add him the right to logon as a service.
Now openvpnserver.exe runs as user openvpn and it works.

According to MS members of this group can't do to much harmfull:
http://support.microsoft.com/kb/297938

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Heiko,

> That's untrue for a while now. We ship the new GUI using the mgmt itf since
> ASG 7.505 which was released in May 2010.

Great to hear!
I'm in medicine business it needs long time to propagate new versions.
I'm only useing astaro to connect to a lab.

> [Advertisement] Maybe you want to take a look at UTM9, beta starts tomorrow.

Definitely!

Is Beta available to non customers?

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Heiko,

> However it was only an example and thus
> didn't have to make any practical sense. =)

:-)

> You forgot the GUI in this picture. If the service is connected to the
> management interface the GUI can't connect anymore.

?
If I understand you correctly it works this way:

openvpnserv.exe spawns openvpn.exe
openvpnhelperserv.exe spawns openvpnhelper.exe

openvpn.exe runs with no privileges at all (local service) and
openvpnhelper.exe with priviliges to modify routing (network configuration 
operator)

openvpn.exe communicates via pipe to openvpnhelper.exe, for example "please add 
a route"

the user client (for example perl script) uses management interface to
connect to openvpn.exe (please establish connection, credentials are xyz)

> Interesting, could you elaborate?

The process needs to much rights.

AFAIK openvpnhelper.exe would than need SE_ASSIGNPRIMARYTOKEN_NAME
Why should it have so much power?

Can you explain the architeture in more detail?

Do you need it for smartcard auth? I don't know the details of Smartcard API ...

> Not users, really. More like session. So you can connect to different server
> simultaneously.

Yeah, that's a point.
But I think it would only need management commands like "connect vpn session 1"
"disconnect vpn session 1", "supply credentials for sessions 1".
Credentials could be more than username/password, for example tls key
or smartcard "connection".

>  Of course this could be used by two different users at the
> same time or different impersonations in the same session, while still running
> ovpn with the credentials of the entity who started openvpn. So the point
> isn't really that many user can connect, but that the running sessions will be
> isolated from each other by the service.

hmm, I'm unsure if you would win something.
If the network communicating process is compromised (exploited from
internet) than it could get all the credentials via normal interface
from processes that holds them.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Alon,

> I use [1], a simple perl/kde UI for Linux.
> I deleted the .net as I did not maintain it, but it should be simple
> for you to convert, or simply run the perl, and write kdialog
> replacement.

perfect, the gnome variant works with windows, too.
http://www.placella.com/software/zenity/

It only has to be modified minimal that it supports method "Auth"
instead of "Private key"

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

> This is way too complex solution for a simple problem.
> A proper design and discussion should take place before advancing in
> this route.

ACK

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Fabian,

> Why does the "interactive service" need to start OpenVPN?

Yeah, I can't understand that, too.

>  Why not let the GUI start OpenVPN and let OpenVPN connect to the "interactive
> service"?

Exactly.

If openvpn.exe startet in users context the user can manipulate it in
ram arbitrarily.
There is absolutly no better protection than let the user start openvpn.
Because of this openvpn should NOT startet as a user and the user
should not have the right to modify scripts.

I think it would be good to rethink the hole script idea.
Maybe scripts could be only server pushable.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Gert,

> Part of the assumption here is "the user controls the openvpn config",
> and as such, he can make openvpn.exe run arbitrary scripts anyway - and
> to stop this from being a problem, just run openvpn.exe with your uid.

What operation could be in script that is usefull when it's executed
in user context.

I never used script with openvpn. I've no idea which are real world
applications for it.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello,

> If openvpn.exe startet in users context the user can manipulate it in
> ram arbitrarily.

Example:
http://blog.didierstevens.com/2009/06/25/bpmtk-injecting-vbscript/
(great blog about process manipulation :-) )

I think there is absolutly no benefit from starting openvpn.exe in
user context via service.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Heiko,

> Same here, please share your thoughts on how to reduce complexity.

Dismiss the hole service starts openvpn in user context. It makes no
sense.

see:
Message-ID: <1957833067.20120229194...@gmxpro.de>
Message-ID: <1787326494.20120229201...@gmxpro.de>

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello,

> How will you handle that some users use OpenVPN from Windows, Linux and
> maybe even a mobile phone (like N900)? ... where paths are different,
> depending on OS and/or distribution.  And some paths on Linux (probably
> *BSD too?) are different if it is a 32bit architecture or 64bit.

Do have an example for an script? I've no idea what's the exact purpose is,
I've never used scripts in openvpn.

> I doubt it will be highly appreciated that sys-admins need to maintain
> separate script profiles on the server side, for each OS/platform connecting.

Who writes the script? The sysadmin.

> And you would also need to go even further, to also make --plugin only
> pushable too.  Which makes the /usr/lib vs /usr/lib64 scenario a real
> pain for sure.

Why do u want to secure openvpn if there is an option for a user to
inject plugins?
The plugin code do anything.

Are plugins used only on server side or on clientside, too?

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Gert,

>> Dismiss the hole service starts openvpn in user context. It makes no
>> sense.

> From a pure security perspective, you're right - maximum security would
> be reached by running openvpn.exe in a completely unprivileged context
> (unix way: chroot(/var/empty), setuid(nobody)) to make sure that any
> possible bug that is network-exploitable cannot be used to gain access
> to the system.

You misunderstood me, the feature openvpn service creates openvpn
process in user context didn't "work". It creates no additional
security but instead lower it (the service has the privilege to spawn
process in all user contexts).
It has nothing to do with privilege seperation.

My idea is the following:
run openvpnhelperservice with "network operator privileges", run
openvpn.exe als "local service", advance management interface to a
point that is more usefull. Let a client run in users context that
communicates via management interface.
The execution of scripts can be done from client if it's something
like pull git or connect to share.

> Given that people have implemented all the script and plugin hooks because
> someone actually *uses* them, taking this away would not be something
> people like - so you want something that has flexibility, but does not
> have "full system access" (unix: runs as root).

Are there any plugins for windows? What do they do? Do the need to run
in openvpn-context?

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Heiko,

>  If that works out, all that is needed is the service increasing the tokens 
> integrity
> level before starting openvpn and the user will have limited access to the
> running openvpn process.

a) this didn't work, you can lower the level and but not higher
b) dll injection is ONE example of how a user can manipulate his own
process. I'm no expert at hacking windows but you can trust me, it
exists 1001 possibilities to do the same. You have no chance to block
them.

Please drop openvpn-service starts openvpn in the context of the user.
It brings in much complexty for no benefit.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Heiko,

> Did you try it?

No but I understand the concept of security levels in Windows.
A user can spawn a process with his rights or with lower rights.

>  The service should have sufficient rights to modify it I guess.

No. If you start a process in users context the user can modify it.
There is nothing you could do against.

>> b) dll injection is ONE example of how a user can manipulate his own
>> process. I'm no expert at hacking windows but you can trust me, it
>> exists 1001 possibilities to do the same. You have no chance to block
>> them.

> I file that under FUD until you're more explicit.

I would propose you ask somebody in your company that is experienced
in hacking of windows (maybe someone of the antivir team?)
If a process runs within my security context I can modify it arbitrarily.
That's a very basic concept in operating systems.

I showed you one example how to break your design - injecting a dll.
I'm no expert in hacking processes in windows but from OS design there
have to exists plenty of other ways.

To gave you some ideas, study process hacker.
Try what you could do with your own processes (disable kernel hacker,
otherwise you have full kernel privileges)
http://processhacker.sourceforge.net/
Take a non-admin user, start notepad, start process hacker, go to
properties, view permissions. You could see that on your own process
you have "full control", for example "create thread", "write memory".

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello David,

> a) Mounting and un-mounting networked filesystems after the tunnel is up.
> Here I even implemented the --route-pre-down script hook, to unmount the
> filesystem before the tunnel is taken down.  Here's the config extract:

This need root rights?

> This client has a web server behind it which is available on the public
> internet via the openvpn server which got the public IP address.  To make
> sure the incoming public traffic is returned via the VPN tunnel and not
> the default gateway on the openvpn client, simple ip rules like the ones
> below are used in the route-up.sh

>   /sbin/ip rule add from ${ifconfig_local} table 132
>   /sbin/ip route add default via 10.8.0.1 table 132

> And the route-down.sh takes care of deleting the rule.  This is to avoid
> errors and duplications if openvpn is restarted.  (And there are probably
> other ways to solve this as well, but this is one way)

Need root rights, too?

Maybe it's a good idea to have two type of scripts.
One that is controlled from the administrator and is executed with
admin/root privileges and the other that runs as the user.

> Plugins can be used on both server side and client side.  They can be
> used to extend the logging, or do other more advanced things which is
> easier and cleaner solved in a C program than using plenty of scripts.

In an enterprise setup I would think a plugin should be not modifable by the 
user (i.e. the
user should have no chance to load own modules).

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello David,

Thx for explantion of script usage.

DS> Well, I can agree to that.  But this is all open source.  No matter how
DS> much restrictions you put into the openvpn product, the user can download
DS> the source, add the features missing, and reconnect with a modified
DS> OpenVPN version.

ACK, if he has the complete configuration and all secrets.

But in enterprise scenario the user has only a company configured
machine and his own username/password or smartcard. For example
tls-key could be unkown to user.
The user can't boot his own machine, install patched openvpn and
connect to vpn server because one secret is missing.

That's the reason why I think openvpn shouldn't be started as an user
and config must controlled from enterprise.

Cisco introduced a stupid encryption of key material in .vcf.
The user should be allowed to setup the tunnel on this own.
User can take http://newgre.net/passwordrevealer and Shrewsoft Client
to connect. All enforcements are gone (push redirect-gateway for
example).

DS> be code which is not easily available, so the client can't fake this
DS> operation as well.

ACK

DS> Bottom line is, you can't fully control the client environment.

You can't control the client from a VPN tool. You have to control the
client in enterprise directly. Group policies, software restriction
policies, good ACLs, etc.

DS> What you can do on the client side, is to avoid a third party (think
DS> virus/malware) to figure out that openvpn is installed, and tweak the
DS> config to run code which was not supposed to be run with higher
DS> privileges.

Virus runs with user privileges, config is only modifiable with admin
privileges. No problem. Virus can establish VPN connection, same like
the user.

DS>  So the client should try to lock down things locally, to
DS> reduce the impact from local exploits.

Not the openvpn client but the complete machine.

DS> There's no real way you can make the server enforce restrictions on the 
client.

Full ACK

greetings
Carsten

Re: [Openvpn-devel] Project management and direction (WAS: Re: OpenVPN 2.3-alpha1 released)

[Carsten Krüger]

Hello Alon,

ABL> The problem is with the "Meeting Summary"... It breaks the discussion.

ACK but you can't prohibit out of bound communication.

ABL> Reading IRC logs is way out of valid request...

ACK

It would be nice if there proper responses on the list.

greetings
CArsten

Re: [Openvpn-devel] OpenVPN Management Interface

[Carsten Krüger]

Hallo David,

> However, how will this approach make sure that malware don't use such a
> (new) openvpn service to redirect all Internet traffic via a third-party
> which can analyse everything happening?

A malware on openvpn endpoint can analyse all decrypted traffic.
No need to redirect.
If you have malware on your system you've been lost.
No need to worry about that scenario.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Heiko,

HH> It is false that you cannot set a process' mandatory label to a higher
HH> integrity level than the one in the token.

That's not what I said.
It's not possible to assign an higher level than the user have to a
users process.

Users can have low and medium, administrators can have hive high and
system services can have system integerity level.

HH> Instead I plan to secure the process (and the probably the pipe handle as
HH> well) against malicious operations by not granting the user any 
sophisticated
HH> access to it, i.e. you can only inject code if you can write the process'
HH> memory. This will be enforced by the security descriptor assigned to the
HH> process by the service at creation time. The service account will own the
HH> process object, so that the user cannot sneak his way in by modifying the
HH> DACL.

Could you please create an tiny example exe for testing?
I think it didn't work either.

I tried the following (disabled kernel process hacker):
1. run an instance of notepad as user Carsten (normal windows user, no admin)
2. entered "testtesttest"
3. run an instance of process hacker as user Carsten
4. tried to write to memory -> worked, closed process hacker
5. run an instance of process hacker as admin and stripped permissions for user 
Carsten completly, closed process hacker
6. run an instance of process hacker as user Carsten
7. tried to write to memory -> failed as you expected
8. add full permissions to process for user Carsten -> works !!!
9. tried to write to memory -> works 

It's my process so it's possible for me to change the permissions !
I think it didn't get better if a service creates a process for me.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

[Carsten Krüger]

Hello Heiko,

HH> The openvpn.exe process security descriptor will be owned by the user the
HH> service is run as, i.e. Local System.

Ok. I was unsure if the openvpn.exe is started as user x it will be the
owner, even if it's started from the service.

HH>  That's what I meant by "The service
HH> account will own the process object, so that the user cannot sneak his way 
in
HH> by modifying the DACL."

I see.

I'm looking forward to see the next version :-)

greetings
Carsten

[Openvpn-devel] FYI: OpenVPN client for Windows that is working non-admin - securepoint client

[Carsten Krüger]

I don't know if this is well known:
http://sourceforge.net/projects/securepoint/

Re: [Openvpn-devel] FYI: OpenVPN client for Windows that is working non-admin - securepoint client

[Carsten Krüger]

Hello Alon,

ABL> 2012/4/11 Carsten Krüger :
>> I don't know if this is well known:
>> http://sourceforge.net/projects/securepoint/

ABL> No,  I did not know it.
ABL> And it is dutch documentation...

It's german :-)

If you have need for translation - please ask, I'm german.

ABL> From what I understand it uses IPC to run openvpn in privilege account.
ABL> And it uses Qt for UI, which is great.

ABL> It does not handle privilege separation any better than running
ABL> openvpn as privileged service and using the management interface to
ABL> access it.

ACK

greetings
Carsten

[Openvpn-devel] Bug: OpenVPN-Service didn't respond on WinXP SP2

[Carsten Krüger]

Hello,

I've a problem with OpenVPN 2 (2.00, 2.01, 2.02) on Windows XP SP2
(actual patchlevel).
If the server-service runs for a while a tray icon appear with the message
"ip adresse beziehen" in english "getting ip adress" (I think).
If this happens it is not possible anymore to connect from a client.
I can solve the problem only with restarting the openvpn-service.

my config:
proto tcp-server
port 6
dev tap
ifconfig 10.3.0.1 255.255.255.0
secret key.txt
keepalive 10 120
verb 4
mute 10
auth SHA1
cipher AES-128-CBC

Can this happen due to malformed packets on the tcp-port (random
traffic)?

I use hibernate, maybe this is a problem for the tap-device?

greetings
Carsten

[Openvpn-devel] Hibernate bug in OpenVPN or TAP-Driver for Win32

[Carsten Krüger]

Hello,

I'm using hibernate on my openvpn server (tcp-server) and on every 2 or 3 
resumes
it crashs.
The network icon shows up in the tray and it says getting network adress
(in german "Netzwerkadresse beziehen").
If this occurs I can't connect to the server until I restart the
OpenVPN-Server.

greetings
Carsten

[Openvpn-devel] OpenVPN not working after hibernate - 2nd - win32

[Carsten Krüger]

Hi,

the bug is not necessarily in the openvpn service itself but maybe in the
tap32-adapter.
restarting the service is one of the workarounds, restarting the
tap32-adapter (deactivating the device with devcon.exe and than
reactivating it) is the other.

greetings
Carsten

[Openvpn-devel] OpenVPN not working after hibernate *workaround* - win32

[Carsten Krüger]

hi folks,

openvpnservice stops responding after resumeing from hibernate
(the service didn't crash complete but no more traffic goes through the tunnel).

As a workaround I use this script. Please put it in the FAQ or better
fix the problem.

run this script with task scheduler at system startup as an
administrative user (need the right to restart a service)
-restart_openvpn_service_after_hibernate.vbs-
Option Explicit
Dim CurrentTime, LastTime, intSleep
intSleep = 50*1000 ' sleep 50 seconds

Dim objWMIService, objItem, objService, colListOfServices, strComputer, 
strService
strComputer = "."

LastTime=NOW
Do While True ' endless loop
  CurrentTime = NOW
  If ((CurrentTime - 1/24/60)>LastTime) Then
' system was hibernated

' On Error Resume Next
' NB strService is case sensitive.
strService = " 'OpenVPNService' "
Set objWMIService = GetObject("winmgmts:" & 
"{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery ("Select * from 
Win32_Service Where Name =" & strService & " ")
For Each objService in colListOfServices
  objService.StopService()
  WSCript.Sleep 10*1000 ' give service time to stop
  objService.StartService()
Next 

  End If
  LastTime=NOW
  WSCript.Sleep intSleep
Loop
-restart_openvpn_service_after_hibernate.vbs-

greetings
Carsten

[Openvpn-devel] possible solution for hibernate problem under win32

[Carsten Krüger]

use WM_POWERBROADCAST and catch PBT_APMRESUMESUSPEND
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/power/base/wm_powerbroadcast.asp

Re: [Openvpn-devel] OpenVPN 2.1_rc3 released

[Carsten Krüger]

Hello James,

> On Vista x64, my understanding is that the TAP driver
> would need to be signed by Microsoft themselves.

wrong

Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx

How to Obtain a Software Publishing Certificate (64bitDriverSigning.doc)

Use the following steps to obtain an SPC for signing your kernel-mode
software that meets the mandatory kernel-mode code-signing policy:
1.  Obtain an SPC from a commercial CA that issues digital
certificates for signing kernel-mode code. The list of CAs who
provide SPCs (or code-signing certificates) that can be used
for kernel-mode code signing is available at the “Microsoft
Cross-certificates for Windows Vista Kernel Mode Code Signing”
Web page listed in “Resource” at the end of this paper.

greetings
Carsten

Re: [Openvpn-devel] Altering routing Tables as non-admin on Windows

[Carsten Krüger]

Hello Matthew,

> specifically by a member of the 'Network Configuration Operators' group,
> This group gives more rights to the user than are necessary for just 
> routing, and may create security problems.

Which problems? They can't do harmfull things:
http://support.microsoft.com/kb/297938/en-us

> All of the above is really provided as a demonstration of a possible
> solution for this problem

Why not run openvpn as a service?

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.1-rc5 released

[Carsten Krüger]

Hello Alon,

> True!
> Found it!

> Patch attached.

Please recompile for windows

I try to setup a toolchain for windows.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.1-rc5 released

[Carsten Krüger]

> I try to setup a toolchain for windows.

I build lzo-2.0.2 and openssl-0.9.7m (patched)

OPENSSL_DIR=~/openssl-0.9.7m
export OPENSSL_DIR

building openvpn didn't work (maybe it's only to late and I didn't see
an obvious thing)

Carsten@CONROE ~/openvpn-2.1_rc5
$ make -f makefile.w32
gcc -g -O2 -Wall -Wno-unused-function -Wno-unused-variable -mno-cygwin 
-I./openssl/include -I/include -I/include -c crypto.c -o crypto.o
In file included from crypto.c:35:
crypto.h:40:29: openssl/objects.h: No such file or directory
crypto.h:41:26: openssl/rand.h: No such file or directory
crypto.h:42:25: openssl/evp.h: No such file or directory
crypto.h:43:26: openssl/hmac.h: No such file or directory


greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.1-rc5 released

[Carsten Krüger]

Hello James,

> Use ./domake-win to build OpenVPN on Windows (see comments as well in

That file didn't exist in rc5, I found it in rc4.

greetings
Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.1-rc5 released

[Carsten Krüger]

Hello Alon,

> Oh... Building OpenVPN for Windows is very difficult task now...
> I am working to simplify that...

building pkcs11-helper with openssl support didn't work for me with mingw.
the openssl symlinks don't work.

A server that produces nightly builds would be nice ...

--
what I done till now:

Download + Install
--

MinGW (c-compiler) + MSYS (make, etc) + Perl (alternativly Activestate Perl):
http://www.mingw.org/download.shtml

Man2html:
http://hydra.nac.uci.edu/indiv/ehood/man2html.html

OpenSSL 0.9.7 (need perl):
http://www.openssl.org/source/

LZO 2:
http://www.oberhumer.com/opensource/lzo/download/

pkcs11-helper (need man2html)
http://www.opensc-project.org/files/pkcs11-helper/

nullsoft scriptable install system (NSIS)
http://nsis.sourceforge.net/Download

Windows Driver Development Kit
http://www.microsoft.com/whdc/DevTools/ddk/default.mspx
J:\WINDDK\3790.1830\src\setup\devcon

Platform SDK (Windows Server 2003 R2 Platform SDK)
http://www.microsoft.com/downloads/details.aspx?FamilyId=484269E2-3B89-47E3-8EB7-1F2BE6D7123A&displaylang=en
Service.c
Service.H
(from Simple Service example)

Compile
---
1. patch openssl
2. build openssl
3. build lzo
4. build pkcs11-helper with openssl engine
5. customize install-win32\settings.in
6. run domake-win

greetings
Carsten

[Openvpn-devel] Bug in Windowsinstaller RC7

[Carsten Krüger]

Hello,

i've tried to install openvpn 2.1 RC7 without PKCS#11 DLLs (option in
windows installer).
But than openvpn.exe didn't work (missing pkcs11.dll)

greetings
Carsten

Re: [Openvpn-devel] Alternative GUI for OpenVPN

[Carsten Krüger]

Hello Alon,

> Also, you can let the user to write his own configuration while you
> just manage the connect/disconnect/authentication phases.
> I think this would be best for advance users.

Did the management interface allow this? That would be a security
problem.
Administrator setup two OpenVPN interfaces one with restrictive
firewall, one without.
The user could take the configuration files and exchanges the
used interfaces (change dev-node) -> bad.

I think the management interface should only allow to start/stop
preconfigured configfiles and only clients ones.
For example my computer has an openvpn server instance (should run all the
time) and one client instance.
The client one should be manageable (start, stop, ask user for auth)

Opinions?

greetings
Carsten

PS: It's great that a gui is developed!

Re: [Openvpn-devel] Alternative GUI for OpenVPN

[Carsten Krüger]

> Did the management interface allow this? That would be a security
> problem.

--route-method exe

it would be even greater

greetings
Carsten

PS: That's not a gui problem but a clear management interface one.

Re: [Openvpn-devel] version 2.1

[Carsten Krüger]

Hello,

> wouldn't be it better to release the current version as 2.1 and all
> upcoming bugfix can be put into post 2.1?

+1
But kick OpenVPN GUI from installer, it is unmaintained old crap (needs
adminrights, didn't use management interface)

Please set a link to OpenVPN Manager
http://sourceforge.net/projects/openvpnmngr/

greetings
Carsten

Re: [Openvpn-devel] version 2.1

[Carsten Krüger]

Hello,

> imho keep the current install too (or create 2 different installer) and
> can add the link.

I think it wouldn't be a good idea to propagate openvpn gui for new
installations. It's dead.
Who ever like/need openvpn gui can download it from http://openvpn.se/

Maybe include both GUIs in the installer and mark openvpn gui as
deprecated (no default installation).

greetings
Carsten

Re: [Openvpn-devel] version 2.1

[Carsten Krüger]

Hello James,

> The new GUI is based on the portable WxWidgets library, and carries a
> small footprint, so it shouldn't increase the size of the Windows client
> installer by very much.

Great to hear!

Is there any ETA for 2.1?

greetings
Carsten

Re: [Openvpn-devel] OpenVPN 2.1_rc16 released

[Carsten Krüger]

Hi,

> We are very close to 2.1.  I know there's been some discussion about the
> Windows client GUI, whether it deserves to live in 2.1.  We do have a 
> new client GUI that we've developed as a part of our Access Server 
> product and we are open to releasing it with 2.1, however doing so would
> probably add more RC cycles to the 2.1 release.

> The other option is to just release what we have now, pending a week or
> so of testing on rc16, and get the new Windows client GUI into a 
> post-2.1 release.

> Thoughts?

If the release cycles go fast (for example all in 2-4 weeks), release it with
new Windows client. We are waiting so long, it's not important to release
2.1 in one week. If you think it take much longer, than it's better to
release without.

If openvpn 2.1 runs flawlessly with Windows 7 RC, it would be a
good idea to test the GUI with Windows 7 RC, too.
If openvpn didn't work with Windows 7 RC, it should be major goal for
next openvpn version. Idealy from the beginning of the windows release.

greetings
Carsten

Re: [Openvpn-devel] Summary of the IRC meeting (8th Apr 2010)

[Carsten Krüger]

Hello,

> Discussed driver signing issues with Windows Vista / Windows 7. Agreed
> that it should be possible to self-sign the drivers OpenVPN uses.

Not for releases, even for public betas this is a no-go.
If test signing is enabled DRM content can't be played.

Please read the documentation, it's well documented.
http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx

|Enabling Test Signing
|Use the BCDEdit command-line tool to enable test signing. To use BCDEdit, the 
user must be a member
|of the Administrator group on the system and run the command from an elevated 
command prompt.
|An elevated command prompt can be launched by creating a desktop shortcut to 
cmd.exe,
|right-clicking the shortcut, and then clicking Run as administrator.
|The following shows an example of running BDCEdit at the command prompt:
|// Accept test signed kernel mode signatures
|Bcdedit.exe –set TESTSIGNING ON
|
|// Do not accept test signed kernel mode signatures
|Bcdedit.exe –set TESTSIGNING OFF
|
|The TESTSIGNING boot configuration option determines whether Windows Vista 
accepts test-signed
|kernel-mode binaries. The option is not defined by default, which means that 
digital signatures
|on test-signed kernel-mode drivers will not verify and will not load. When 
Windows Vista accepts
|test-signed kernel-mode binaries, some premium content that is protected may 
not be accessible on the system.

Source: Digital Signatures for Kernel Modules on Systems Running Windows Vista 
- kmsigning.doc

The reason for Kernel-Mode Code Signing is that Microsoft can identify
the author of crashing drivers.

greetings
Carsten

Re: [Openvpn-devel] Summary of the IRC meeting (8th Apr 2010)

[Carsten Krüger]

Hello,

> Thanks for the clarifications! The releases will have signed drivers, of
> course. The idea is to use self-signed drivers for the OpenVPN testing
> tree only. These drivers change rapidly, so an easy, non-bureaucratic
> way to sign the drivers is an absolute necessity.

Where is the problem?
Signing could be easily integrated in build process.
If you crosscompile from *nix you need a windows (virtual)machine with
SSHd to fully automate the process.

Only people that compile the drivers themself need test signing.

greetings
Carsten

Re: [Openvpn-devel] Summary of the IRC meeting (8th Apr 2010)

[Carsten Krüger]

Hallo,

> umm -- Signing requires unlocking the GnuPG key to get a human
> set of eyes, and confirmation that all seems to be well into 
> the process

Not GPG key but code signing certificate.

The user that starts build process could unlock the key, BUT if the
build machine is not trusted enough to put the key unencrypted in
memory you have other problems.

> -- an autosigning from a non-protected key cannot sensibly be
> trusted, particularly with a process that has to run at some 
> point with root access rights

Why should building drivers need root rights?

greetings
Carsten

Re: [Openvpn-devel] Beta 2.2 branch pushed

[Carsten Krüger]

Hello,

> So it was considered better if a new SVN branch for the beta2.2 would be
> created, branched out from r5701 (the latest SVN change).

Why didn't James switch to git, too?
Using svn & git in parallel isn't effective and causes such problems.
And as far as I know is git a complete superset of subversion.

greetings
Carsten