Thanks! Comments below.

On Sat, Nov 25, 2017 at 12:27 PM, Selva Nair <selva.n...@gmail.com> wrote:
> Hi,
>
> Thanks for summarising the status and proposals for echo commands.
>
> Comments below are based on what I have implemented in the
> OpenVPN Windows GUI (Windows GUI in the following) and some
> changes I've been working on. I refer to the client openvpn process
> as the daemon or client daemon and the UI as Windows GUI or GUI.
>
> On Sat, Nov 25, 2017 at 10:24 AM, Jonathan K. Bullard <jkbull...@gmail.com>
> wrote:
>> QUESTIONS ABOUT THE OPENVPN WINDOWS GUI:
>>
>>     1. In the OpenVPN Windows GUI, do "forget-passwords",
>> "save-passwords", and "disable-save-passwords" only affect
>> auth-user-pass passwords, or do they also affect auth-user-pass
>> usernames and private-key passwords?
>
>
> Both auth-user-pass and private key passwords are affected by each
> of those commands. Currently the Windows GUI unconditionally saves
> the username but that can and may change. So let's say those commands
> affect all passwords and possibly username.

I'll have Tunnelblick forget both passwords and the username. That's
more like the "forget-passwords" command from the GUI to OpenVPN,
which, as I understand it, forgets everything.


> Should we support a more fine-grained set of commands as well? Say:
>
> echo save-auth-username
> echo save-auth-password
> echo save-private-key-password
>
> etc., in addition to the blanket 'echo save-passwords' ? I do not think so.

Agreed.


>>     2. Does OpenVPN Windows GUI send OpenVPN a "forget-passwords"
>> command via the management interface when it receives an "echo
>> forget-passwords" command? (Note: there are two different
>
>
> No it does not.
>
>>
>> "forget-passwords" commands, each in a different direction: a
>> "forget-passwords" command from the GUI to the OpenVPN client, and an
>> "echo forget-passwords" command from the OpenVPN client to the GUI.)
>
>
> The Windows GUI considers the password saving in openvpn client daemon
> to be completely decoupled from that in the GUI itself. Just as auth-nocache in
> the config has no effect on the password saving feature of the GUI,
> 'echo forget-passwords' does not trigger a 'forget-passwords' directive from
> the GUI to the client daemon.
>
> The 'forget-passwords' command can still be sent from the GUI to the
> client daemon based on some preferences setting of the GUI or explicit
> user action. AFAIK, the Windows GUI does not have an option to do that.

That makes sense to me, so Tunnelblick won't send "forget-passwords"
to the client daemon when it gets an "echo forget-passwords" command.


>>     3. How would the "setenv" command work? Would it be done by
>> modifying OpenVPN itself to add a management interface command for the
>> GUI to tell OpenVPN to set an environment variable for scripts,
>> similar to the way the OpenVPN --setenv option works? OpenVPN itself
>> seems to be designed to protect the client computer from the server as
>> well as the other way around. (For example, "--pull-filter ignore".) An
>> "echo setenv" command would break that protection if it modifies
>> variables which have been set by "setenv" in the configuration file or
>> --setenv in the command line.
>
>
> What is proposed is 'echo "setenv x y"' to set env variables in the GUI
> (actually in the scripts run by the GUI -- see below).

Ah, I misunderstood and thought it was setting them for client
daemon's scripts. It makes much more sense to set them for scripts run
by the GUI. (I didn't know the OpenVPN GUI had such scripts.) I'll
have Tunnelblick do it for the scripts that Tunnelblick runs, mangling
the names as you describe later.


> I view all echo directives as aimed at the GUI and thus do not require any
> support from the daemon. I suppose you have a different usage in mind.
> Note that it is already possible for the server to set env variables in the
> client daemon by pushing 'setenv-opt'.
>
> In other words, no change in openvpn daemon is needed as the effect is to have
> env variables set in script processes directly run by the GUI, not those run
> by openvpn daemon. Thus, these variables are totally independent of those set
> in the daemon itself by 'setenv' and 'setenv-opt' directives, but some of
> the safety features used there could be borrowed (see below):
>
> The GUI will receive the echo command as
>
> ECHO,1101519562,setenv name value
>
> which the GUI will use to define an env variable "mangled(x) = y" in a
> connection specific env-set. I propose to mangle the name as OPENVPN_x
> as done for setenv-opt in the daemon. In that sense, an admin could think
> of 'echo setenv ...' as the same as 'setenv-opt ...' but the former being
> directed to the GUI, the latter to the client daemon.
>
> Here is the commit message for this in my working branch for Windows GUI
> (not yet in the official repo). Note that here 'process' means the GUI
> process, 'script' means a script run by the GUI etc.
>
>     Support for 'setenv name var' using echo
>
>     - Support connection specific env variables. These are merged
>       with the process environment strings and passed to scripts.
>
>     - To set an env variable, use 'echo "setenv name var"' in the config
>       or push from the server. This will set "OPENVPN_name=var" in
>       the connection's env set. Note that "name" is mangled as
>       "OPENVPN_name" to avoid servers overwriting sensitive variables
>       such as PATH. Variables are set in the order received and duplicates
>       removed.
>
>     - Environment variable names are allowed to contain only alphanumeric
>       characters and underscore as in openvpn.exe. But, unlike openvpn.exe,
>       invalid names are ignored, not sanitized.
>
>     Note: when the env set is merged with process environment, the
>     connections env set is listed first, but any duplicates in the
>     process environment are not removed.
>
> My current implementation for Windows is here:
> https://github.com/selvanair/openvpn-gui/commit/ea9dc3d515537553443826f97ec21427f7f9a8e5
>
> Use case: in a local setup I use this to pass the name of a file-server to
> the "up-script" run by the GUI so that some drives could be mapped as
> the user.
>
> eg., server pushes:
>
> echo "setenv smb_server acme-fs1.acme.local"
> echo "setenv shares common projects docs"
>
> and the up-script interprets them.

Thanks for all this info; it helps a lot.


>>     4. Does "echo save-passwords" override a (presumed) global setting
>> that disables it?
>
>
> Good question. I think the current implementation on Windows does
> allow this directive to override the global setting, though this was not by
> explicit intent. I've to double check this.
>
> I would think that any global setting (if supported by the GUI)
> should not be overridden by directives pushed from the server. But
> considering that this echo command could also be in the config and
> its intent may be to enable save-passwords on a per config basis, some
> may want to allow it.
>
> That said, this is an implementation detail: on the Windows GUI, the
> global setting to disable-save-passwords is a single registry value and
> applies to all configs.
>
>>
>>
>>     5. Will "echo disable-save-passwords" override a (presumed) global
>> setting that enables it?
>
>
> Windows GUI has no global setting to explicitly enable save-passwords --
> i.e., it is enabled by default. The echo directive 'disable-save-passwords'
> would disable it for the particular config independent of any global
> settings.

OK, thanks.

>> COMMENTS ABOUT TUNNELBLICK:
>>
>>     A. Tunnelblick can/will implement "echo disable-save-passwords"
>> (in addition to Tunnelblick's existing mechanism for doing so). The
>> user will not have a way to override this (even a user who is a
>> computer administrator, but I want to think more about that and may
>> change my mind). It would also forget saved passwords as if the "echo
>> forget-passwords" had been received, because that is what the OpenVPN
>> Windows GUI will do (according to Selva).
>
>
> Yes, in my implementation, when disable-save-passwords is received, the
> Windows GUI will forget any saved passwords and then disable the
> feature. Looks like the sensible thing to do.
>
>>
>>
>>     B. Tunnelblick can/will implement "echo forget-passwords" but I
>> need clarification of exactly which "passwords" it affects (see
>> question 1, above) and whether Tunnelblick should instruct OpenVPN to
>> forget passwords, too. I'm leaning toward doing that because I don't
>> think there is any other way for the server to tell the OpenVPN client
>> to forget its passwords, so it could be useful.
>
>
> Currently openvpn daemon will forget all passwords on receiving that
> command from the GUI. This could affect correct operation of auth-token,
> so be careful with this unless Tunnelblick handles auth-token by itself.
> The Windows GUI does not save auth-token (not yet).
>
> In other words, if you do this, a server that uses auth-token will have
> difficulty in asking the GUI to forget passwords but not to erase
> saved auth-token in the client daemon.

Ah, thanks for the heads-up about auth-token; I'll have to look into that.

Thanks again, Jon
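As an added illustration (not code from the Windows GUI commit or from Tunnelblick), the following Python sketch models the GUI-side handling of 'echo setenv' described in the thread: parsing the "ECHO,timestamp,text" line, accepting only alphanumeric/underscore names, mangling them as OPENVPN_name, and merging the connection env set ahead of the process environment. It assumes the line format quoted above and, for "duplicates removed", that a repeated name replaces the earlier value; the sample lines are constructed.

```python
import re

# Constructed sample of what the GUI reads from the management interface,
# using the "ECHO,<timestamp>,<echo text>" format quoted in the thread.
SAMPLE_LINES = [
    "ECHO,1101519562,setenv smb_server acme-fs1.acme.local",
    "ECHO,1101519563,setenv shares common projects docs",
    "ECHO,1101519564,setenv PATH C:\\nowhere",   # lands as OPENVPN_PATH, never PATH
    "ECHO,1101519565,setenv bad-name x",         # invalid name: ignored, not sanitized
]

VALID_NAME = re.compile(r"^[A-Za-z0-9_]+$")   # same name rule as openvpn.exe
PREFIX = "OPENVPN_"                            # mangling, as for setenv-opt


def parse_echo(line):
    """Return the echo text of an ECHO line, or None for any other line."""
    parts = line.split(",", 2)
    if len(parts) != 3 or parts[0] != "ECHO":
        return None
    return parts[2]


def apply_setenv(conn_env, arg):
    """Handle 'setenv name value'; returns True if the variable was set.
    The value is everything after the name, so it may contain spaces.
    Assumption (not stated in the thread): a repeated name replaces the
    earlier value, which is how 'duplicates removed' is read here."""
    name, _, value = arg.partition(" ")
    if not VALID_NAME.match(name):
        return False
    conn_env[PREFIX + name] = value
    return True


def build_conn_env(lines):
    """Feed management-interface lines, collecting the connection env set."""
    conn_env = {}
    for line in lines:
        text = parse_echo(line)
        if text is not None and text.startswith("setenv "):
            apply_setenv(conn_env, text[len("setenv "):])
    return conn_env


def merge_env(conn_env, process_env):
    """Environment block for a GUI-run script: connection vars first, then
    the process environment unchanged (duplicates there are not removed)."""
    block = [f"{k}={v}" for k, v in conn_env.items()]
    block += [f"{k}={v}" for k, v in process_env]
    return block
```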

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users