Re: [Openvpn-devel] OpenVPN 2.3-alpha1 / GUI

2012-03-01 Thread Gert Doering
Hi, On Thu, Mar 01, 2012 at 10:11:23AM +0100, Heiko Hund wrote: > UL/DL stats added to the tool tip of the tray icon however is easy > to implement and interesting enough to anyone that I like it immediately. Blinkenlight good! gert -- USENET is *not* the non-clickable part of WWW!

Re: [Openvpn-devel] Project management and direction (WAS: Re: OpenVPN 2.3-alpha1 released)

2012-03-01 Thread Samuli Seppänen
On 01.03.2012 14:49, Alon Bar-Lev wrote: > On Thu, Mar 1, 2012 at 12:41 PM, Samuli Seppänen wrote: >> 1) Preliminary topic list is sent to openvpn-devel ml >> 2) The actual meeting (fully open) >> 3) The meeting summary + complete chatlog is sent to openvpn-devel ml >> >>

Re: [Openvpn-devel] Project management and direction (WAS: Re: OpenVPN 2.3-alpha1 released)

2012-03-01 Thread Carsten Krüger
Hello Alon, ABL> The problem is with the "Meeting Summary"... It breaks the discussion. ACK, but you can't prohibit out-of-band communication. ABL> Reading IRC logs is way out of valid request... ACK. It would be nice if there were proper responses on the list. greetings Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David, Thx for the explanation of script usage. DS> Well, I can agree to that. But this is all open source. No matter how DS> much restrictions you put into the openvpn product, the user can download DS> the source, add the features missing, and reconnect with a modified DS> OpenVPN version.

[Openvpn-devel] Fwd: [DISCUSSION] OpenVPN privilege separation (Windows)

2012-03-01 Thread Alon Bar-Lev
Sending this again, as it seems people did not receive it. -- Forwarded message -- From: Alon Bar-Lev Date: Wed, Feb 29, 2012 at 8:52 PM Subject: [DISCUSSION] OpenVPN privilege separation (Windows) To:

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread David Sommerseth
On 01/03/12 13:15, Carsten Krüger wrote: > Hello David, > >> a) Mounting and un-mounting networked filesystems after the tunnel >> is up. Here I even implemented the --route-pre-down script hook, to >> unmount the filesystem before the tunnel is

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David, > a) Mounting and un-mounting networked filesystems after the tunnel is up. > Here I even implemented the --route-pre-down script hook, to unmount the > filesystem before the tunnel is taken down. Here's the config extract: Does this need root rights? > This client has a web server

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Thursday 01 March 2012 11:59:11 Carsten Krüger wrote: > No. If you start a process in the user's context the user can modify it. > There is nothing you could do against it. I'll do some tests next week and post my findings here. Heiko -- Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread David Sommerseth
On 29/02/12 20:37, Carsten Krüger wrote: > Hello, > >> How will you handle that some users use OpenVPN from Windows, Linux >> and maybe even a mobile phone (like N900)? ... where paths are >> different, depending on OS and/or distribution. And some

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko, > Did you try it? No, but I understand the concept of security levels in Windows. A user can spawn a process with his rights or with lower rights. > The service should have sufficient rights to modify it I guess. No. If you start a process in the user's context the user can modify it.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Thursday 01 March 2012 10:40:51 Carsten Krüger wrote: > > If that works out, all that is needed is the service increasing the > > token's integrity > > level before starting openvpn and the user will have limited access to the > > running openvpn process. > > a) this didn't work, you can

[Openvpn-devel] Project management and direction (WAS: Re: OpenVPN 2.3-alpha1 released)

2012-03-01 Thread Samuli Seppänen
Changing the topic line to something more descriptive. Hope nobody minds. >>> I only recommend the OpenVPN project manager to hold with this solution, >>> and manage a proper design process, there are people here who can help, if >>> the process is managed correctly. >> Alon, there is a process.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko, > If that works out, all that is needed is the service increasing the token's > integrity > level before starting openvpn and the user will have limited access to the > running openvpn process. a) this didn't work, you can lower the level but not raise it b) dll injection is ONE

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Gert, >> Dismiss the whole service starts openvpn in user context. It makes no >> sense. > From a pure security perspective, you're right - maximum security would > be reached by running openvpn.exe in a completely unprivileged context > (unix way: chroot(/var/empty), setuid(nobody)) to

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Wednesday 29 February 2012 19:18:00 Carsten Krüger wrote: > > If openvpn.exe is started in the user's context the user can manipulate it in > > RAM arbitrarily. > > Example: > http://blog.didierstevens.com/2009/06/25/bpmtk-injecting-vbscript/ > (great blog about process manipulation :-) ) Took a

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Alon Bar-Lev
On Thu, Mar 1, 2012 at 11:24 AM, Heiko Hund wrote: > > On Thursday 01 March 2012 09:22:38 Alon Bar-Lev wrote: > > Also, (technically) impersonation token cannot be used for network > > access. > > So the solution of impersonating to user will not allow a script to > > mount

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Alon Bar-Lev
2012/3/1 Heiko Hund > > On Wednesday 29 February 2012 18:43:18 Carsten Krüger wrote: > > What operation could be in a script that is useful when it's executed > > in user context. > > On Windows you could mount a CIFS share from the corporate LAN to the > drive > letter a

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Wednesday 29 February 2012 18:43:18 Carsten Krüger wrote: > What operation could be in a script that is useful when it's executed > in user context. On Windows you could mount a CIFS share from the corporate LAN to the drive letter a user expects her data at, for example. Heiko -- Heiko Hund

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Alon Bar-Lev
On Thu, Mar 1, 2012 at 12:45 AM, Jason Haar wrote: > A comment on your [1] reference. The issue of remote-user vs enterprise > is an old one - that affects many software applications - not just > openvpn. I personally think the proper solution is to implement NAC: > make