Hi,

On Fri, Apr 2, 2021 at 3:21 PM tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi,
>
> I have had to test this myself because I am a little shocked ...
>
> Using the Windows GUI and an up script named like so:
> 'my_vpn_01_up.bat'
> which is kept in the openvpn\config folder of the user's home,
> DOES allow data to be passed over the newly established VPN.
> And does NOT require explicit '--script-security 2' to be set.
>
> Whereas, a script configured inside the config with --up
> does NOT allow data to be passed over the newly established VPN.
> And it also requires that '--script-security 2' be explicitly set.
I can only say that: --up foo and similar scripts allow arbitrary commands to be executed, while scripts executed by the GUI are hard-coded to "<profile>_up.bat" etc. Of course the content of the batch script could be anything, but it doesn't carry the same threat as a command embedded in a config file. It's easy for an unsuspecting user to "import" a config file downloaded from somewhere, but to get the batch file into the right location they have to deliberately copy it there. One can say that we treat that action as equivalent to "--script-security 2".

That said, anyone using configs and associated files received from an untrusted party is taking a risk. At the very least do not run the GUI as admin.

As for sending data over the link, not sure I follow. Anything run with user's privileges after the tunnel is established can potentially use the tunnel.

Selva

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
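The reply above draws the line between a command embedded in an imported profile (gated by `--script-security 2`) and a batch file the user has to copy into the config folder themselves. A practical defensive check before importing a profile from an untrusted party is to scan it for every directive that hands a command line or a shared library to the OS. The script below is an added example written for this thread; it is not code from the mailing list or from the OpenVPN project. The directive names are the real OpenVPN option names (`up`, `down`, `route-up`, `route-pre-down`, `ipchange`, `tls-verify`, `auth-user-pass-verify`, `client-connect`, `client-disconnect`, `learn-address`, `plugin`, `script-security`); the sample profile, its file paths and plugin name are constructed for the example. Note that the GUI's `<profile>_up.bat` convention is not visible in the profile text at all, so this check covers only what the profile itself can trigger; the config directory still has to be inspected separately.

```python
"""Audit an OpenVPN profile for directives that execute external code.

Added example for the thread above; not code from the mailing list or
from the OpenVPN project. Directive names are real OpenVPN options; the
sample profile at the bottom is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List

# Options whose argument is a command line OpenVPN runs via the OS.
# OpenVPN refuses to run these unless --script-security is 2 or higher.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "tls-verify", "auth-user-pass-verify",
    "client-connect", "client-disconnect", "learn-address",
}
# --plugin loads a shared library / DLL and is NOT gated by --script-security.
LIBRARY_DIRECTIVES = {"plugin"}

DEFAULT_SCRIPT_SECURITY = 1  # OpenVPN's default: built-ins only, no user scripts


@dataclass
class Finding:
    line_no: int
    directive: str
    argument: str
    kind: str  # "script" or "library"


@dataclass
class AuditResult:
    script_level: int
    findings: List[Finding] = field(default_factory=list)

    def scripts_would_run(self) -> bool:
        """True if a script directive is present AND the profile raises
        --script-security high enough for OpenVPN to actually run it."""
        return self.script_level >= 2 and any(f.kind == "script" for f in self.findings)

    def loads_library(self) -> bool:
        return any(f.kind == "library" for f in self.findings)


def audit_profile(text: str) -> AuditResult:
    """Parse an .ovpn/.conf text line by line and report risky directives."""
    result = AuditResult(script_level=DEFAULT_SCRIPT_SECURITY)
    in_inline_block = False  # inside <ca> ... </ca> style inline file blocks
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Blank lines and full-line comments ('#' or ';') carry no directive.
        if not line or line[0] in "#;":
            continue
        # Skip the contents of inline blocks such as <ca>, <cert>, <key>.
        if line.startswith("</"):
            in_inline_block = False
            continue
        if line.startswith("<"):
            in_inline_block = True
            continue
        if in_inline_block:
            continue
        parts = line.split(None, 1)
        name = parts[0].lstrip("-")  # profiles may use "up ..." or "--up ..."
        arg = parts[1] if len(parts) > 1 else ""
        if name == "script-security":
            try:
                result.script_level = int(arg.split()[0])
            except (ValueError, IndexError):
                pass  # malformed level: keep the default and keep scanning
        elif name in SCRIPT_DIRECTIVES:
            result.findings.append(Finding(line_no, name, arg, "script"))
        elif name in LIBRARY_DIRECTIVES:
            result.findings.append(Finding(line_no, name, arg, "library"))
    return result


# Constructed sample profile: the paths and plugin name are placeholders.
SAMPLE_PROFILE = "\n".join([
    "# constructed sample profile for this example",
    "client",
    "dev tun",
    "remote vpn.example.invalid 1194",
    "script-security 2",
    r'up "C:\Users\Public\helper.bat"',
    '--plugin ./example-plugin.so "example.conf"',
    "<ca>",
    "CONSTRUCTED-PLACEHOLDER-NOT-A-CERT",
    "</ca>",
])

if __name__ == "__main__":
    audit = audit_profile(SAMPLE_PROFILE)
    print(f"script-security level: {audit.script_level}")
    for f in audit.findings:
        print(f"line {f.line_no}: {f.kind} directive '{f.directive}' -> {f.argument}")
    if audit.scripts_would_run() or audit.loads_library():
        print("profile can execute external code on connect: review before importing")
```

Running it on the constructed profile reports the `up` script on line 6 and the plugin on line 7, and flags the profile because it both raises `script-security` to 2 and carries a script directive. The same profile with the `script-security` line removed still lists the `up` directive, but `scripts_would_run()` is false, matching the behaviour the thread describes: OpenVPN will not run it at the default level.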