[Openvpn-devel] FYI: OpenVPN client for Windows that is working non-admin - securepoint client

2012-04-10 Thread Carsten Krüger
I don't know if this is well known: http://sourceforge.net/projects/securepoint/

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Carsten Krüger
Hello Heiko, HH> The openvpn.exe process security descriptor will be owned by the user the HH> service is run as, i.e. Local System. Ok. I was unsure if the openvpn.exe is started as user x it will be the owner, even if it's started from the service. HH> That's what I meant by "The service HH>

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Carsten Krüger
Hello Heiko, HH> It is false that you cannot set a process' mandatory label to a higher HH> integrity level than the one in the token. That's not what I said. It's not possible to assign a higher level than the user has to a user's process. Users can have low and medium, administrators can

Re: [Openvpn-devel] OpenVPN Management Interface

2012-03-08 Thread Carsten Krüger
Hello David, > However, how will this approach make sure that malware don't use such a > (new) openvpn service to redirect all Internet traffic via a third-party > which can analyse everything happening? A malware on openvpn endpoint can analyse all decrypted traffic. No need to redirect. If you

Re: [Openvpn-devel] Project management and direction (WAS: Re: OpenVPN 2.3-alpha1 released)

2012-03-01 Thread Carsten Krüger
Hello Alon, ABL> The problem is with the "Meeting Summary"... It breaks the discussion. ACK but you can't prohibit out of bound communication. ABL> Reading IRC logs is way out of valid request... ACK It would be nice if there were proper responses on the list. greetings Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David, Thx for explanation of script usage. DS> Well, I can agree to that. But this is all open source. No matter how DS> much restrictions you put into the openvpn product, the user can download DS> the source, add the features missing, and reconnect with a modified DS> OpenVPN version.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David, > a) Mounting and un-mounting networked filesystems after the tunnel is up. > Here I even implemented the --route-pre-down script hook, to unmount the > filesystem before the tunnel is taken down. Here's the config extract: This needs root rights? > This client has a web server

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko, > Did you try it? No but I understand the concept of security levels in Windows. A user can spawn a process with his rights or with lower rights. > The service should have sufficient rights to modify it I guess. No. If you start a process in users context the user can modify it.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko, > If that works out, all that is needed is the service increasing the tokens > integrity > level before starting openvpn and the user will have limited access to the > running openvpn process. a) this didn't work, you can lower the level but not higher b) dll injection is ONE

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Gert, >> Dismiss the whole service starts openvpn in user context. It makes no >> sense. > From a pure security perspective, you're right - maximum security would > be reached by running openvpn.exe in a completely unprivileged context > (unix way: chroot(/var/empty), setuid(nobody)) to

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello, > How will you handle that some users use OpenVPN from Windows, Linux and > maybe even a mobile phone (like N900)? ... where paths are different, > depending on OS and/or distribution. And some paths on Linux (probably > *BSD too?) are different if it is a 32bit architecture or 64bit. Do

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > Same here, please share your thoughts on how to reduce complexity. Dismiss the whole service starts openvpn in user context. It makes no sense. see: Message-ID: <1957833067.20120229194...@gmxpro.de> Message-ID: <1787326494.20120229201...@gmxpro.de> greetings Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello, > If openvpn.exe started in users context the user can manipulate it in > ram arbitrarily. Example: http://blog.didierstevens.com/2009/06/25/bpmtk-injecting-vbscript/ (great blog about process manipulation :-) ) I think there is absolutely no benefit from starting openvpn.exe in user

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Fabian, > Why does the "interactive service" need to start OpenVPN? Yeah, I can't understand that, too. > Why not let the GUI start OpenVPN and let OpenVPN connect to the "interactive > service"? Exactly. If openvpn.exe started in users context the user can manipulate it in ram

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Alon, > I use [1], a simple perl/kde UI for Linux. > I deleted the .net as I did not maintain it, but it should be simple > for you to convert, or simply run the perl, and write kdialog > replacement. perfect, the gnome variant works with windows, too.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > However it was only an example and thus > didn't have to make any practical sense. =) :-) > You forgot the GUI in this picture. If the service is connected to the > management interface the GUI can't connect anymore. ? If I understand you correctly it works this way:

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > The idea to have the service do the privileged operations instead of just > starting openvpn as "Local System" (or whatever) came from the fear of > privilege escalation in the scripts that are run by openvpn. Scripting is a point, but as long as the administrator installs openvpn

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon, > Right. This is long existing feature, just that in Windows people > expect to work using UI... I don't expect a UI but useful documentation. management-notes.txt isn't even bundled with windows binaries :-( I use openvpn since version 1 on windows and wasn't aware that the

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello, > et voila openvpn connects. Use this to disconnect: |forget-passwords |SUCCESS: Passwords were forgotten |signal SIGUSR1 |SUCCESS: signal SIGUSR1 thrown |>HOLD:Waiting for hold release greetings Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon, > This is *THE* missing functionality in Windows environment. > It seems that nobody interested in developing proper UI using > management interface for Windows. > Same goes to proper smartcard support. I found that openvpn management interface works as I'd like it. Add the

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello David, > The solution we've ended up with is a OpenVPN service helper which runs > some code parts with admin rights and the OpenVPN binary itself > (openvpn.exe) will run completely unprivileged. Those two instances will > communicate via named pipes, to set up the proper routes and other

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon, ABL> This is *THE* missing functionality in Windows environment. ABL> It seems that nobody interested in developing proper UI using ABL> management interface for Windows. ABL> Same goes to proper smartcard support. Developing the UI (command line) would be trivial but to my knowledge

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Samuli, > The OpenVPN community project team is proud to release OpenVPN > 2.3-alpha1. It can be downloaded from here: > > This release includes a few new major features: > * Complete IPv6 support, both transport and payload > *

Re: [Openvpn-devel] First Windows installer snapshot now available

2011-07-15 Thread Carsten Krüger
Hello Samuli, > Here's another OpenVPN 2.3 pre-alpha installer which uses Heiko's new > Windows GUI[1]: > > It is more modern (e.g. uses the management interface), Does establishing a VPN

Re: [Openvpn-devel] OemWin2k.inf specify network adapter name

2011-06-05 Thread Carsten Krüger
> As long as you're taking comments from the clueless I'll chime in. > It sounds like one of those things that can be changed in > the registry which means to me it's something that the installer > should do. But then I'm clueless when it comes to MS Windows > so this is just a guess. Registry

Re: [Openvpn-devel] Summary of the IRC meeting (14th Apr 2011)

2011-04-15 Thread Carsten Krüger
Hello Samuli, > release: this avoids having to sign the TAP-drivers again due to such a > trivial change. Release signing is trivial, too. No need to circumvent it, it's easy to automate. How to Release-Sign File System Drivers http://msdn.microsoft.com/en-us/windows/hardware/gg487543.aspx

Re: [Openvpn-devel] [PATCH] Change the default --tmp-dir path to a more suitable path

2011-04-08 Thread Carsten Krüger
Hello David, > On Windows, it will look up %TEMP% and %TMP% first, and if that doesn't give > any clues, it > will fallback to C:\WINDOWS\Temp in the end. I think that's not the right location. Use http://msdn.microsoft.com/en-us/library/system.environment.getfolderpath.aspx with this

Re: [Openvpn-devel] [PATCH 00/13] Fix remaining major issues with Python-based buildsystem

2011-02-11 Thread Carsten Krüger
> - embedding manifest files to the executables and DLLs could be easily included: http://msdn.microsoft.com/en-us/library/ms235591(v=vs.80).aspx greetings Carsten

Re: [Openvpn-devel] Help testing OpenVPN 2.2-rc Windows installer?

2011-02-08 Thread Carsten Krüger
Hello, > The issue was that the installer did not install msvcr90.dll - that's > now fixed. I haven't checked how the installer does it, but there is a standard procedure to do this! http://support.microsoft.com/kb/326922/en-us Why it should be done correctly:

Re: [Openvpn-devel] Beta 2.2 branch pushed

2010-07-02 Thread Carsten Krüger
Hello, > So it was considered better if a new SVN branch for the beta2.2 would be > created, branched out from r5701 (the latest SVN change). Why didn't James switch to git, too? Using svn & git in parallel isn't effective and causes such problems. And as far as I know git is a complete superset

Re: [Openvpn-devel] Summary of the IRC meeting (8th Apr 2010)

2010-04-09 Thread Carsten Krüger
Hello, > umm -- Signing requires unlocking the GnuPG key to get a human > set of eyes, and confirmation that all seems to be well into > the process Not GPG key but code signing certificate. The user that starts build process could unlock the key, BUT if the build machine is not trusted enough

Re: [Openvpn-devel] Summary of the IRC meeting (8th Apr 2010)

2010-04-09 Thread Carsten Krüger
Hello, > Discussed driver signing issues with Windows Vista / Windows 7. Agreed > that it should be possible to self-sign the drivers OpenVPN uses. Not for releases, even for public betas this is a no-go. If test signing is enabled DRM content can't be played. Please read the documentation,

Re: [Openvpn-devel] OpenVPN 2.1_rc16 released

2009-05-20 Thread Carsten Krüger
Hi, > We are very close to 2.1. I know there's been some discussion about the > Windows client GUI, whether it deserves to live in 2.1. We do have a > new client GUI that we've developed as a part of our Access Server > product and we are open to releasing it with 2.1, however doing so would

Re: [Openvpn-devel] version 2.1

2009-05-05 Thread Carsten Krüger
Hello, > wouldn't be it better to release the current version as 2.1 and all > upcoming bugfix can be put into post 2.1? +1 But kick OpenVPN GUI from installer, it is unmaintained old crap (needs admin rights, didn't use management interface) Please set a link to OpenVPN Manager

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.1-rc5 released

2008-01-27 Thread Carsten Krüger
Hello Alon, > Oh... Building OpenVPN for Windows is very difficult task now... > I am working to simplify that... building pkcs11-helper with openssl support didn't work for me with mingw. the openssl symlinks don't work. A server that produces nightly builds would be nice ...

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.1-rc5 released

2008-01-23 Thread Carsten Krüger
Hello Alon, > True! > Found it! > Patch attached. Please recompile for windows I try to setup a toolchain for windows. greetings Carsten

Re: [Openvpn-devel] Altering routing Tables as non-admin on Windows

2007-10-16 Thread Carsten Krüger
Hello Matthew, > specifically by a member of the 'Network Configuration Operators' group, > This group gives more rights to the user than are necessary for just > routing, and may create security problems. Which problems? They can't do harmful things:

Re: [Openvpn-devel] OpenVPN 2.1_rc3 released

2007-04-23 Thread Carsten Krüger
Hello James, > On Vista x64, my understanding is that the TAP driver > would need to be signed by Microsoft themselves. wrong Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx How to Obtain a

[Openvpn-devel] possible solution for hibernate problem under win32

2006-07-30 Thread Carsten Krüger
use WM_POWERBROADCAST and catch PBT_APMRESUMESUSPEND http://msdn.microsoft.com/library/default.asp?url=/library/en-us/power/base/wm_powerbroadcast.asp

[Openvpn-devel] OpenVPN not working after hibernate *workaround* - win32

2006-07-26 Thread Carsten Krüger
hi folks, openvpnservice stops responding after resuming from hibernate (the service didn't crash complete but no more traffic goes through the tunnel). As a workaround I use this script. Please put it in the FAQ or better fix the problem. run this script with task scheduler at system startup

[Openvpn-devel] Bug: OpenVPN-Service didn't respond on WinXP SP2

2005-09-02 Thread Carsten Krüger
Hello, I've a problem with OpenVPN 2 (2.00, 2.01, 2.02) on Windows XP SP2 (actual patchlevel). If the server-service runs for a while a tray icon appears with the message "ip adresse beziehen" in english "getting ip address" (I think). If this happens it is not possible anymore to connect from a