Indeed, this is to allow only programs under openvpn/bin to talk to
the interactive service.

Are there any valid use cases where any other processes are supposed
to talk to the service?

Note that this is not related to the original MSFT report - a
malicious process running as a pipe server received a connection from
openvpn-gui and impersonated as a user of openvpn-gui.

On Thu, 30 Oct 2025 at 20:12, Gert Doering (<[email protected]>) wrote:
>
> Hi,
>
> On Thu, Oct 30, 2025 at 12:56:35PM -0400, Selva Nair wrote:
> > Do we really want to do this? I thought allowing any user process to use
> > the interactive service was deliberate: the only restriction being user
> > whitelisted as "OpenVPNAdministrators" or else we allow only a limited set
> > of config directives.
> >
> > Currently, starting openvpn.exe through the service using a script or a
> > custom application works. Without having to install it in the "OpenVPN/bin"
> > directory. Do we want to take away that functionality? The threat being
> > addressed here is unclear to me.
>
> I'm also sceptical on this.
>
> The report was, if I understand this correctly, about "non logged in
> users" to be able to access the pipe (by means of whatever means windows
> has for this).  "Only allow programs from openvpn\bin\ to access the
> pipe" fixes something else.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                             [email protected]



-- 
-Lev


_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
