[Openvpn-devel] Altering routing Tables as non-admin on Windows

2007-10-16 Thread Matthew Richardson
I've recently come back to looking at openvpn, after discovering that it 
now handles most things 'out of the box' for non-admins on Windows (a 
requirement on our managed machines).


The one problem I've discovered is that as openvpn starts, it tries to 
alter the routing tables on the client to route through the VPN. 
However, these routing rules can only be changed by an admin - or more 
specifically by a member of the 'Network Configuration Operators' group. 
This group gives more rights to the user than are necessary for just 
routing, and may create security problems.


I've come up with a solution for this, for which I've written a 
'proof-of-concept' script - please don't use this in service, as it's not 
really been tested!

The idea is that a Windows Service runs and in some way monitors the VPN 
connection (tailing a log file, having a socket which it can be 
connected to on, etc.).  The routing rules that are normally implemented 
by the openvpn command itself are moved to this service, and when 
'triggered' it runs the routing commands.  The service runs as an 
account with appropriate privileges to make these changes.  There is no 
need to 'undo' these rules, since when the vpn is disconnected, and the 
tun device disappears, the network stack tidies up the routing table 
accordingly.


I've implemented this as a test using a VBS script, which watches the 
OpenVPN log file for successful connections.


The script is here:

http://www.see.ed.ac.uk/~mrichar1/openvpn-routing/

And relies on the srvany/instsrv tools from Microsoft.  download all the 
files to c:\openvpn-routing\


To install:

instsrv.exe OPENVPN-Routing c:\openvpn-routing\srvany.exe

then edit the registry:

HKLM\CurrentControlSet\Services\OPENVPN-Routing\Parameters\

Create String 'Application' - value of:

cscript c:\openvpn-routing\monitor.vbs

At the moment the script doesn't change the routing tables - instead it
launches notepad to show its working - change the notepad line to the
appropriate route commands to actually use it.

All of the above is really provided as a demonstration of a possible 
solution for this problem - it's written in vbs for simplicity, but I 
imagine (not being familiar with the openvpn code-base) that it would be 
possible to reproduce in a more suitable language and bundle as part of 
the openvpn package, and use a better mechanism than tailing the log 
file to make the call to the service to change the routing table.


Just a thought on solving this problem.  Comments etc welcome!

Matthew


--
=
Matthew Richardson
School of Engineering and Electronics,
The University of Edinburgh, King's Buildings,
Mayfield Rd, Edinburgh EH9 3JL
-
0131 650 8747,  FAX: 0131 650 6554
m.richard...@ed.ac.uk
=
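The watcher-service idea described in the post above, as an added PowerShell example (not Matthew's monitor.vbs and not part of the OpenVPN project): a process run under a privileged service account tails the client log and, on the "Initialization Sequence Completed" line, adds a fixed set of routes. The log path and the route entries are constructed placeholders; the routes are hard-coded in the script rather than read from the log, because the log is written by the unprivileged OpenVPN process and must not be able to choose what the service executes.

```powershell
# Added example: privileged log watcher that installs VPN routes.
# Assumed values (replace for your site):
$LogPath = 'C:\openvpn-routing\openvpn.log'       # assumed client log location
$Trigger = 'Initialization Sequence Completed'     # OpenVPN's "tunnel is up" line
$Routes  = @(                                      # constructed sample routes
    @{ Dest = '10.10.0.0'; Mask = '255.255.0.0'; Gateway = '10.8.0.1' },
    @{ Dest = '10.20.0.0'; Mask = '255.255.0.0'; Gateway = '10.8.0.1' }
)
$StateLog = 'C:\openvpn-routing\watcher.log'       # assumed; service's own log

function Write-State([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $StateLog
}

function Add-VpnRoutes {
    # Route arguments come only from $Routes above, never from the log line
    # that triggered us, so the unprivileged user cannot inject their own.
    foreach ($r in $Routes) {
        & route.exe ADD $r.Dest MASK $r.Mask $r.Gateway | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-State "added route $($r.Dest)/$($r.Mask) via $($r.Gateway)"
        } else {
            Write-State "route add failed ($LASTEXITCODE) for $($r.Dest)"
        }
    }
    # No removal step: when the tun adapter disappears on disconnect the
    # stack drops these routes itself, as the post notes.
}

# Main loop. Get-Content -Wait stops when the file is deleted or replaced
# (OpenVPN truncates --log on start), so reopen it after a short pause.
while ($true) {
    if (Test-Path -Path $LogPath) {
        Get-Content -Path $LogPath -Wait -Tail 0 -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_ -like "*$Trigger*") {
                    Write-State "trigger seen, installing routes"
                    Add-VpnRoutes
                }
            }
    }
    Start-Sleep -Seconds 5
}
```

Run it as the 'Application' value of the srvany service described above (e.g. `powershell.exe -ExecutionPolicy Bypass -File C:\openvpn-routing\watcher.ps1`, path assumed), under an account that holds only the right to change routes.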



Re: [Openvpn-devel] Altering routing Tables as non-admin on Windows

2007-10-16 Thread Carsten Krüger
Hello Matthew,

> specifically by a member of the 'Network Configuration Operators' group,
> This group gives more rights to the user than are necessary for just 
> routing, and may create security problems.

Which problems? They can't do harmful things:
http://support.microsoft.com/kb/297938/en-us

> All of the above is really provided as a demonstration of a possible
> solution for this problem

Why not run openvpn as a service?

greetings
Carsten




[Openvpn-devel] persist-key required, even as root

2007-10-16 Thread Matt Wilks

This may be a bug in OpenVPN 2.1_rc4.  On a SIGUSR1 signal (usually by a
ping-restart), OpenVPN writes this to the log:

Mon Oct 15 15:39:55 2007 SIGUSR1[hard,] received, process restarting
Mon Oct 15 15:39:55 2007 Restart pause, 2 second(s)
Mon Oct 15 15:39:57 2007 Cannot load private key file [[INLINE]]: 
error:02001002:system library:fopen:No such file or directory: 
error:20074002:BIO routines:FILE_CTRL:system lib: error:140B0002:SSL 
routines:SSL_CTX_use_PrivateKey_file:system lib

Mon Oct 15 15:39:57 2007 Error: private key password verification failed
Mon Oct 15 15:39:57 2007 Exiting

I get this even when running OpenVPN as root.  The man page suggests
using --persist-key when this happens.  When the option is present,
everything is OK, but I don't think that OpenVPN should have trouble
re-reading the file if the process is running as root, no?

Matt.




Re: [Openvpn-devel] Altering routing Tables as non-admin on Windows

2007-10-16 Thread Matthew Richardson

MR>   If this has changed, and there is a way
MR> to interact with the service as non-admin then I will certainly look 
MR> into this...


take subinacl to change the ACL of the openvpn-service
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
users need the right to start/stop the service


I just replied to Carsten to thank him for pointing me to this, and then 
discovered something which is a show-stopper for me - if run as a 
service, OpenVPN can only do certificate authentication, not 
user/password auth, since there is no way to pass the auth details to 
the service:


http://www.openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html

We would prefer to use password auth instead of certificate distribution 
in our environment.


However, the page given above states:

"There is work in progress to enhance the OpenVPN Service so it can be 
controlled via a TCP socket. This will allow individual tunnels to 
started and stopped at will, as well as supplying OpenVPN with the 
password used to encrypt the private key. OpenVPN GUI 2.0 will be 
rewritten to make use of this service."


which seems to cover what I would like to see in OpenVPN.  Can anyone 
shed any more light on this?



Matthew






Re: [Openvpn-devel] Strange VPN Problem

2007-10-16 Thread Barry Michels
Client's firewall is off.  I have full access from my home pc (which is 
another network on our 4 network routed VPN).


In an attempt to relieve bandwidth bottlenecks, I've converted our 
network into a mesh.  It used to be our main office was the central hub 
for all VPN traffic.  But, when these weird issues started coming up, I 
made a mesh network.  However, the same problems still exist.  It did 
relieve the slow RDP connections between 2 of our offices, but this one 
problem (having some ports work, but not others) was present before and 
after the change.



Barry

Ross Cameron wrote:

perhaps firewall settings on the machine you're trying to RDP to?

On 15/10/2007, Barry Michels  wrote:
 

I am having a strange problem with 2.0.9.  I have a routed VPN
connection and can ping from/to any pc between networks.  I can even VNC
into any machine.  But, RDP fails.  I have the MTU set to 1000 after
finding a reference that indicated that may fix the problem.

Any suggestions?

Barry








[Openvpn-devel] OpenVPN and OpenSSL FIPS

2007-10-16 Thread Steve Rector
Hi All:

I have OpenVPN-2.0.9 working with the OpenSSL FIPS module. What I've done
is added an --enable-fips option to configure which defines a USE_FIPS
environment variable. I also created a static variable which is set to 1
if FIPS mode is enabled and 0 if disabled. I created a function used to
enable fips mode, by calling FIPS_mode_set, that I call at the top of the main
function in openvpn.c. I added a call to this function in each of the
function calls in crypto.c and ssl.c that tests if fips mode is set and if
not enables it if USE_FIPS is defined. I also changed the md5sum()
function to a sha1sum() function since md5 is not approved in FIPS mode.
The changes are wrapped in #ifdef USE_FIPS or #ifndef USE_FIPS as
appropriate.

I have a couple questions I hope someone can help me with, so I can get a
patch put together for those that are interested. 1) Where is the best
place to put the function and static variable definitions.  Should I
create a new header and source file along the lines of fipsmode.h and
fipsmode.c or add them to existing files?

2) On Linux there is apparently an issue with threads when running as a
daemon and the FIPS prng. A work around found on the OpenSSL mailing list
is to disable fips mode just prior to daemonizing and re-enable it
afterward. Right now I am doing this in the possibly_become_daemon()
function in init.c. Are there any crypto operations taking place at this
point? Should this be done somewhere besides the possibly_become_daemon()
function?

I've been working my way through the code to make sure I haven't missed
anything, but would appreciate any pointers.

Thanks,
Steve


-- 




Re: [Openvpn-devel] OpenVPN and OpenSSL FIPS

2007-10-16 Thread Alon Bar-Lev
Hi!
You can post your patch here... But better rebase to BETA-2.1
Then people may help you.
Best Regards,
Alon Bar-Lev

On 10/17/07, Steve Rector  wrote:
> Hi All:
>
> I have OpenVPN-2.0.9 working with the OpenSSL FIPS module. What I've done
> is added an --enable-fips option to configure which defines a USE_FIPS
> environment variable. I also created a static variable which is set to 1
> if FIPS mode is enabled and 0 if disabled. I created a function used to
> enable fips mode, by call FIPS_mode_set that I call at the top of the main
> function in openvpn.c. I added a call to this function in each of the
> function calls in crypto.c and ssl.c that tests if fips mode is set and if
> not enables it if USE_FIPS is defined. I also changed the md5sum()
> function to a sha1sum() function since md5 is not approved in FIPS mode.
> The changes are wrapped in #ifdef USE_FIPS or #ifndef USE_FIPS as
> appropriate.
>
> I have a couple questions I hope someone can help me with, so I can get a
> patch put together for those that are interested. 1) Where is the best
> place to put the function and static variable definitions.  Should I
> create a new header and source file along the lines of fipsmode.h and
> fipsmode.c or add them to existing files?
>
> 2) On Linux there is apparently an issue with threads when running as a
> daemon and the FIPS prng. A work around found on the OpenSSL mailing list
> is to disable fips mode just prior to daemonizing and re-enable it
> afterward. Right now I am doing this in the possibly_become_daemon()
> function in init.c. Are there any crypto operations taking place at this
> point? Should this be done somewhere besides the possibly_become_daemon()
> function?
>
> I've been working my way through the code to make sure I haven't missed
> anything, but would appreciate any pointers.
>
> Thanks,
> Steve
>
>