Cc: the list

---------- Forwarded message ---------
From: Selva Nair <[email protected]>
Date: Thu, Oct 30, 2025 at 6:06 PM
Subject: Re: [Openvpn-devel] [M] Change in openvpn[master]: openvpnserv:
validate openvpn-gui process path
To: Lev Stipakov <[email protected]>


On Thu, Oct 30, 2025, 17:16 Lev Stipakov <[email protected]> wrote:

> Indeed, this is to allow only programs under openvpn/bin to talk to
> the interactive service.
>
> Are there any valid use cases where any other processes are supposed
> to talk to the service?


I can think of a few:
- use a PowerShell script to start openvpn for testing or otherwise
- run openvpn from task scheduler
- use a third party GUI with the service (like eduVPN)

In fact we already use it to start openvpn through the automatic service,
though that will continue to work with this patch.

Anyway, iirc, it was a deliberate decision to leave interactive service as
a generic way for running openvpn without admin access, not just as a
helper for OpenVPN-GUI.  With this change, anyone wanting to write a new UI
leveraging the service will have to fork it, or install their program under
OpenVPN\bin.

In any case what exactly is achieved by locking down the service this way?

It's necessary for the service to start a valid openvpn.exe and we do check
that. It's also necessary for the GUI to be sure that it's talking to a
legitimate openvpn.exe -- we did enforce that the other day. But I fail to
see a strong reason to restrict service clients in this manner.

What am I missing?

Selva
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
