Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-13 Thread Fabian Knittel
Hi, 2012/3/13 Heiko Hund : > On Monday 12 March 2012 19:01:41 Alon Bar-Lev wrote: >> What is the baseline? This is what we should agree on first... >> Should the openvpn daemon be run on a completely unprivileged account or not. > > I don't support the idea about running openvpn.exe with elevated privileges.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-13 Thread Samuli Seppänen
> Hi > > On Monday 12 March 2012 19:01:41 Alon Bar-Lev wrote: >> Although I tried to go farther... that's what James suggested. >> What is the baseline? This is what we should agree on first... >> Should the openvpn daemon be run on a completely unprivileged account or not. > I don't support the idea about runn

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-13 Thread Heiko Hund
Hi On Monday 12 March 2012 19:01:41 Alon Bar-Lev wrote: > Although I tried to go farther... that's what James suggested. > What is the baseline? This is what we should agree on first... > Should the openvpn daemon be run on a completely unprivileged account or not. I don't support the idea about running openvp

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Alon Bar-Lev
Great Summary! Although I tried to go farther... that's what James suggested. What is the baseline? This is what we should agree on first... Should the openvpn daemon be run on a completely unprivileged account or not. On Mon, Mar 12, 2012 at 4:31 PM, Samuli Seppänen wrote: > > Hi all, > > I had a brief email

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Samuli Seppänen
Hi all, I had a brief email discussion about the OpenVPN privilege separation thing with James Yonan and realized that even after having read all relevant emails a couple of times, I still had a fairly vague idea of various approaches suggested here. So, to clarify my own thoughts (and to hopefull

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Carsten Krüger
Hello Heiko, HH> The openvpn.exe process security descriptor will be owned by the user the HH> service is run as, i.e. Local System. Ok. I was unsure whether, if openvpn.exe is started as user x, that user will be the owner, even if it's started from the service. HH> That's what I meant by "The service HH>

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Heiko Hund
Hi Carsten, On Friday 09 March 2012 17:09:07 Carsten Krüger wrote: > I tried the following (disabled kernel process hacker): > 1. run an instance of notepad as user Carsten (normal windows user, no > admin) 2. entered "testtesttest" > 3. run an instance of process hacker as user Carsten > 4. tried

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Heiko Hund
Hi Fabian, On Friday 09 March 2012 16:34:19 Fabian Knittel wrote: > Does your > approach prevent the user from injecting code into the OpenVPN > process? Or does it only prevent the user from directly accessing the > pipe? (IIUC you would need the integrity level approach to prevent the > former s

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Alon Bar-Lev
2012/3/9 Carsten Krüger : > Hello Heiko, > > HH> It is false that you cannot set a process' mandatory label to a higher > HH> integrity level than the one in the token. > > That's not what I said. > It's not possible to assign a higher level than the user has to a > user's process. > > Users can h

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Carsten Krüger
Hello Heiko, HH> It is false that you cannot set a process' mandatory label to a higher HH> integrity level than the one in the token. That's not what I said. It's not possible to assign a higher level than the user has to a user's process. Users can have low and medium, administrators can have

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Fabian Knittel
Hi Heiko, On 9 March 2012 14:42 Heiko Hund wrote: > Instead I plan to secure the process (and probably the pipe handle as > well) against malicious operations by not granting the user any sophisticated > access to it, i.e. you can only inject code if you can write the process' > memory. Thi

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Heiko Hund
On Thursday 01 March 2012 12:11:37 Heiko Hund wrote: > On Thursday 01 March 2012 11:59:11 Carsten Krüger wrote: > > No. If you start a process in users context the user can modify it. > > There is nothing you could do against. > > I'll do some tests next week and post my findings here. Sorry, hav

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-02 Thread Mr Dash Four
I've used "--route-nopull" together with specific "--route" statements to work around VPN setups that didn't work under specific circumstances (the server pushes a heap of routes, some of which caused problems in my setup [*], and I only wanted to reach a specific subnet via the VPN). +1 I'

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-02 Thread Gert Doering
Hi, On Thu, Mar 01, 2012 at 11:58:39AM +0100, Heiko Hund wrote: > Is there a use case for --route on the client? I've used "--route-nopull" together with specific "--route" statements to work around VPN setups that didn't work under specific circumstances (the server pushes a heap of routes, some

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David, Thx for the explanation of script usage. DS> Well, I can agree to that. But this is all open source. No matter how DS> much restrictions you put into the openvpn product, the user can download DS> the source, add the features missing, and reconnect with a modified DS> OpenVPN version.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread David Sommerseth
On 01/03/12 13:15, Carsten Krüger wrote: > Hello David, > >> a) Mounting and un-mounting networked filesystems after the tunnel >> is up. Here I even implemented the --route-pre-down script hook, to >> unmount the filesystem before the tunnel is taken

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David, > a) Mounting and un-mounting networked filesystems after the tunnel is up. > Here I even implemented the --route-pre-down script hook, to unmount the > filesystem before the tunnel is taken down. Here's the config extract: Does this need root rights? > This client has a web server behi

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Thursday 01 March 2012 11:59:11 Carsten Krüger wrote: > No. If you start a process in users context the user can modify it. > There is nothing you could do against. I'll do some tests next week and post my findings here. Heiko -- Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread David Sommerseth
On 29/02/12 20:37, Carsten Krüger wrote: > Hello, > >> How will you handle that some users use OpenVPN from Windows, Linux >> and maybe even a mobile phone (like N900)? ... where paths are >> different, depending on OS and/or distribution. And some p

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko, > Did you try it? No, but I understand the concept of security levels in Windows. A user can spawn a process with his rights or with lower rights. > The service should have sufficient rights to modify it I guess. No. If you start a process in the user's context the user can modify it. T

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Thursday 01 March 2012 10:40:51 Carsten Krüger wrote: > > If that works out, all that is needed is the service increasing the > > tokens integrity> > > level before starting openvpn and the user will have limited access to the > > running openvpn process. > > a) this didn't work, you can low

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Wednesday 29 February 2012 16:59:03 Fabian Knittel wrote: > If users can manipulate their openvpn session to do whatever they want > they can also manipulate what gets sent over the named pipe. (I'm not > necessarily talking about malformed messages; I'm talking about > manipulating the routing

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko, > If that works out, all that is needed is the service increasing the token's > integrity > level before starting openvpn and the user will have limited access to the > running openvpn process. a) this didn't work, you can lower the level but not raise it b) dll injection is ONE e

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Gert, >> Dismiss the whole "service starts openvpn in user context" idea. It makes no >> sense. > From a pure security perspective, you're right - maximum security would > be reached by running openvpn.exe in a completely unprivileged context > (unix way: chroot(/var/empty), setuid(nobody)) to make

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Wednesday 29 February 2012 19:18:00 Carsten Krüger wrote: > > If openvpn.exe is started in the user's context the user can manipulate it in > > ram arbitrarily. > > Example: > http://blog.didierstevens.com/2009/06/25/bpmtk-injecting-vbscript/ > (great blog about process manipulation :-) ) Took a look,

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Alon Bar-Lev
On Thu, Mar 1, 2012 at 11:24 AM, Heiko Hund wrote: > > On Thursday 01 March 2012 09:22:38 Alon Bar-Lev wrote: > > Also, (technically) impersonation token cannot be used for network > > access. > > So the solution of impersonating to user will not allow a script to > > mount remote filesystem. > >

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Thursday 01 March 2012 09:22:38 Alon Bar-Lev wrote: > Also, (technically) impersonation token cannot be used for network access. > So the solution of impersonating to user will not allow a script to > mount remote filesystem. You can't create a process with an impersonation token that's why a p

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Alon Bar-Lev
2012/3/1 Heiko Hund > > On Wednesday 29 February 2012 18:43:18 Carsten Krüger wrote: > > What operation could be in a script that is useful when it's executed > > in user context. > > On Windows you could mount a CIFS share from the corporate LAN to the > drive > letter a user expects her data at,

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Wednesday 29 February 2012 18:43:18 Carsten Krüger wrote: > What operation could be in a script that is useful when it's executed > in user context. On Windows you could mount a CIFS share from the corporate LAN to the drive letter a user expects her data at, for example. Heiko -- Heiko Hund

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Alon Bar-Lev
On Thu, Mar 1, 2012 at 12:45 AM, Jason Haar wrote: > A comment on your [1] reference. The issue of remote-user vs enterprise > is an old one - that affects many software applications - not just > openvpn. I personally think the proper solution is to implement NAC: > make "the network/enterprise" a

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Jonathan K. Bullard
> > > I never used script with openvpn. I've no idea which are real world > > applications for it. > > Scripts are for creative uses that the programmers of openvpn have not > foreseen. Like "after the VPN is up, auto-sync all your git repositories" > or "open up a few xterms with ssh's to $intern

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Jason Haar
A comment on your [1] reference. The issue of remote-user vs enterprise is an old one - that affects many software applications - not just openvpn. I personally think the proper solution is to implement NAC: make "the network/enterprise" audit the remote host and only allow it if it meets expectati

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 11:59 PM, Gert Doering wrote: > But I'm leaving this discussion now.  Heiko is doing the implementation > work, James, David and I have agreed (and told the list via IRC session > minutes!) that we think it's a useful way forward, and this is developing > into a bikeshed.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Gert Doering
Hi, On Wed, Feb 29, 2012 at 11:36:46PM +0200, Alon Bar-Lev wrote: > > Scripts are for creative uses that the programmers of openvpn have not > > foreseen.  Like "after the VPN is up, auto-sync all your git repositories" > > or "open up a few xterms with ssh's to $internalhosts". > > > > David had

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
2012/2/29 Gert Doering : > Hi, > > On Wed, Feb 29, 2012 at 07:43:18PM +0100, Carsten Krüger wrote: >> > Part of the assumption here is "the user controls the openvpn config", >> > and as such, he can make openvpn.exe run arbitrary scripts anyway - and >> > to stop this from being a problem, just ru

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Gert Doering
Hi, On Wed, Feb 29, 2012 at 08:25:31PM +0100, Carsten Krüger wrote: > > Same here, please share your thoughts on how to reduce complexity. > > Dismiss the whole "service starts openvpn in user context" idea. It makes no > sense. From a pure security perspective, you're right - maximum security would be

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Gert Doering
Hi, On Wed, Feb 29, 2012 at 07:43:18PM +0100, Carsten Krüger wrote: > > Part of the assumption here is "the user controls the openvpn config", > > and as such, he can make openvpn.exe run arbitrary scripts anyway - and > > to stop this from being a problem, just run openvpn.exe with your uid. > >

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello, > How will you handle that some users use OpenVPN from Windows, Linux and > maybe even a mobile phone (like N900)? ... where paths are different, > depending on OS and/or distribution. And some paths on Linux (probably > *BSD too?) are different if it is a 32bit architecture or 64bit. Do

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread David Sommerseth
On 29/02/12 19:40, Carsten Krüger wrote: > > I think it would be good to rethink the whole script idea. Maybe > scripts could be only server pushable. How will you handle that some users use OpenVPN from Windows, Linux and maybe even a mobile phone (l

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > Same here, please share your thoughts on how to reduce complexity. Dismiss the whole "service starts openvpn in user context" idea. It makes no sense. see: Message-ID: <1957833067.20120229194...@gmxpro.de> Message-ID: <1787326494.20120229201...@gmxpro.de> greetings Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello, > If openvpn.exe is started in the user's context the user can manipulate it in > ram arbitrarily. Example: http://blog.didierstevens.com/2009/06/25/bpmtk-injecting-vbscript/ (great blog about process manipulation :-) ) I think there is absolutely no benefit from starting openvpn.exe in user conte

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Gert, > Part of the assumption here is "the user controls the openvpn config", > and as such, he can make openvpn.exe run arbitrary scripts anyway - and > to stop this from being a problem, just run openvpn.exe with your uid. What operation could be in a script that is useful when it's execu

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Fabian, > Why does the "interactive service" need to start OpenVPN? Yeah, I can't understand that either. > Why not let the GUI start OpenVPN and let OpenVPN connect to the "interactive > service"? Exactly. If openvpn.exe is started in the user's context the user can manipulate it in ram arbitrar

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Fabian Knittel
Hi Gert, 2012/2/29 Gert Doering : > The model we follow is "openvpn.exe has the same permissions that you > already have, so there is no benefit in manipulating anything". That was my initial assumption, which would imply that there's no reason to restrict access to the named pipe (apart from mak

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 15:28:31 Fabian Knittel wrote: > To ensure this in classic Linux this would mean that the OpenVPN > process needs to run as a _different_ user than the GUI user or else > the GUI user could freely manipulate the program using, e.g. ptrace. I > know that similar manipul

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Gert Doering
Hi, On Wed, Feb 29, 2012 at 04:28:31PM +0100, Fabian Knittel wrote: > To ensure this in classic Linux this would mean that the OpenVPN > process needs to run as a _different_ user than the GUI user or else > the GUI user could freely manipulate the program using, e.g. ptrace. I > know that similar

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Fabian Knittel
Hi Heiko, 2012/2/29 Heiko Hund : > On Wednesday 29 February 2012 14:07:01 Fabian Knittel wrote: [...] >> (There must be something missing, otherwise >> I don't get why you call it "interactive service" ...?) > > It's interactive in contrast to the other already existing service, that just > starts

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
Hi Fabian On Wednesday 29 February 2012 14:07:01 Fabian Knittel wrote: > Let's see whether I understood the design. After initial setup, the > GUI has a connection via the mgmt interface to OpenVPN and OpenVPN has > a connection via the "privilege interface" to the "interactive > service". OpenVPN

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Mr Dash Four
I disagree, open source project is not different than any other software project. OK, I'll bite. I disagree with the above entirely. Open-source project *is* different "from any other project" - vastly so - not least because it is open for scrutiny by the whole community, not just individ

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 4:01 PM, Heiko Hund wrote: > On Wednesday 29 February 2012 13:45:49 Alon Bar-Lev wrote: >> I don't understand your attitude, I am not trying to take anything from you, >> and I don't think you can find anything in my record that had negative >> impact on this (or any other)

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Fabian Knittel
Hi Heiko, On 29 February 2012 13:18 Heiko Hund wrote: > [...] There will be a new service, I called it > interactive service. The GUI/client connects to a named pipe of that service. > It passes the working directory, command line options and stdin input for > openvpn to the service. The servic

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 13:45:49 Alon Bar-Lev wrote: > I don't understand your attitude, I am not trying to take anything from you, > and I don't think you can find anything in my record that had negative > impact on this (or any other) project. And I do know one or two things in > security an

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 3:25 PM, Heiko Hund wrote: >> Anyway, if there was a design process, I will appreciate if you can send a >> design document, as this is not a small/niche feature, it will affect >> the majority of Windows users. > > Yeah, like the design project phase for the build system r

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 13:15:16 Alon Bar-Lev wrote: > IRC is a synchronous way of communication, it is not suitable for a distributed > volunteer team. > Proper discussion of design is done differently, perfecting a design > document and interface specifications. > > If there was such process,

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 3:05 PM, Heiko Hund wrote: > On Wednesday 29 February 2012 12:54:18 Alon Bar-Lev wrote: >> What I wrote is simple. > > Wrote where? In this thread or C code that tackles the issue? I'm confused. > >> In order to push a project in coherent direction, a proper design >> discu

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 12:51:41 Carsten Krüger wrote: > > This is way too complex solution for a simple problem. > > A proper design and discussion should take place before advancing in > > this route. > > ACK Same here, please share your thoughts on how to reduce complexity. Heiko -- He

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 12:54:18 Alon Bar-Lev wrote: > What I wrote is simple. Wrote where? In this thread or C code that tackles the issue? I'm confused. > In order to push a project in coherent direction, a proper design > discussion stage should be done. Yeah, you missed that one obviou

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Gert Doering
Hi, On Wed, Feb 29, 2012 at 01:18:05PM +0100, Heiko Hund wrote: > or can one pass FDs through unix sockets? On most modern unixes, you can. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 2:49 PM, Heiko Hund wrote: > On Wednesday 29 February 2012 12:40:45 Alon Bar-Lev wrote: >> 2012/2/29 Heiko Hund >> This is way too complex solution for a simple problem. >> A proper design and discussion should take place before advancing in >> this route. > > And this was

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
> This is way too complex solution for a simple problem. > A proper design and discussion should take place before advancing in > this route. ACK greetings Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 12:40:45 Alon Bar-Lev wrote: > 2012/2/29 Heiko Hund > This is way too complex solution for a simple problem. > A proper design and discussion should take place before advancing in > this route. And this was a way too simple explanation on why you think it is too comp

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
2012/2/29 Heiko Hund > > On Wednesday 29 February 2012 11:38:17 Carsten Krüger wrote: > > > You forgot the GUI in this picture. If the service is connected to the > > > management interface the GUI can't connect anymore. > > > > ? > > If I understand you correctly it works this way: > > > > openvp

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 11:38:17 Carsten Krüger wrote: > > You forgot the GUI in this picture. If the service is connected to the > > management interface the GUI can't connect anymore. > > ? > If I understand you correctly it works this way: > > openvpnserv.exe spawns openvpn.exe > openvpn

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Alon, > I use [1], a simple perl/kde UI for Linux. > I deleted the .net as I did not maintain it, but it should be simple > for you to convert, or simply run the perl, and write kdialog > replacement. perfect, the gnome variant works with windows, too. http://www.placella.com/software/zenit

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > However it was only an example and thus > didn't have to make any practical sense. =) :-) > You forgot the GUI in this picture. If the service is connected to the > management interface the GUI can't connect anymore. ? If I understand you correctly it works this way: openvpnserv

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 11:05:36 Carsten Krüger wrote: > > [Advertisement] Maybe you want to take a look at UTM9, beta starts > > tomorrow. > Definitely! > > Is Beta available to non customers? Yes, it will be announced at http://astaro.org in the "Beta Versions" section and you can get sp

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > That's untrue for a while now. We ship the new GUI using the mgmt itf since > ASG 7.505 which was released in May 2010. Great to hear! I'm in the medicine business; it takes a long time to propagate new versions. I'm only using astaro to connect to a lab. > [Advertisement] Maybe you wan

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Tuesday 28 February 2012 722:09:13 Carsten Krüger wrote: > DS> Heiko can probably give a much better answer, but if I remember right, > DS> the argument was this: Think of a multi-user setup (like a Terminal > DS> Server), the management interface will be accessible for all users on > DS> that

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > The idea to have the service do the privileged operations instead of just > starting openvpn as "Local System" (or whatever) came from the fear of > privilege escalation in the scripts that are run by openvpn. Scripting is a point, but as long as the administrator installs openvpn

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Tuesday 28 February 2012 22:47:56 Carsten Krüger wrote: > For example Astaro has a windows client that seems to be not aware of > the management interface. That's untrue for a while now. We ship the new GUI using the mgmt itf since ASG 7.505 which was released in May 2010. > @openvpn officia

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 12:16 PM, Heiko Hund wrote: > > On Tuesday 28 February 2012 18:38:57 Alon Bar-Lev wrote: > > > Even though, the new communication pipe between the "helper service" > > > and > > > openvpn.exe  might gain more features with time, which might cover > > > much > > > of what th

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Tuesday 28 February 2012 20:34:18 Carsten Krüger wrote: > Add the following lines to client.ovpn > > management localhost 1000 > management-query-passwords > auth-retry interact > management-hold > > and start the service. That's

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Tuesday 28 February 2012 18:38:57 Alon Bar-Lev wrote: > > Even though, the new communication pipe between the "helper service" and > > openvpn.exe might gain more features with time, which might cover much > > of what the management interface provides today too. But we're _not_ > > trying to k

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Jason Haar
On 29/02/12 11:47, Carsten Krüger wrote: > I found that openvpn.exe is extremely unstable on a non perfectly > friendly behaving client ... Now I use the Non-Sucking Service Manager > ( http://nssm.cc/ ) instead of openvpnserv.exe to spawn openvpn.exe It > restarts openvpn.exe automatically if it's cr

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
2012/2/29 Carsten Krüger : >> Years back I wrote a simple .net to do this... > > Could you please share? > I found that openvpn.exe is extremely unstable on a non perfectly friendly > behaving client ... I use [1], a simple perl/kde UI for Linux. I deleted the .net as I did not maintain it, but it

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon, > Right. This is a long existing feature, just that in Windows people > expect to work using a UI... I don't expect a UI but useful documentation. management-notes.txt isn't even bundled with windows binaries :-( I've used openvpn since version 1 on windows and wasn't aware that the managem

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello David, DS> Heiko can probably give a much better answer, but if I remember right, DS> the argument was this: Think of a multi-user setup (like a Terminal DS> Server), the management interface will be accessible for all users on DS> that server. a) Who on earth allows users on a terminal se

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
2012/2/28 Carsten Krüger : > Hello Alon, > >> This is *THE* missing functionality in the Windows environment. >> It seems that nobody is interested in developing a proper UI using the >> management interface for Windows. >> Same goes for proper smartcard support. > > I found that the openvpn management interface wor

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello, > et voila openvpn connects. Use this to disconnect: |forget-passwords |SUCCESS: Passwords were forgotten |signal SIGUSR1 |SUCCESS: signal SIGUSR1 thrown |>HOLD:Waiting for hold release greetings Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon, > This is *THE* missing functionality in the Windows environment. > It seems that nobody is interested in developing a proper UI using the > management interface for Windows. > Same goes for proper smartcard support. I found that the openvpn management interface works as I'd like it. Add the following

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Gert Doering
Hi, On Tue, Feb 28, 2012 at 06:31:03PM +0100, Carsten Krüger wrote: > Are there any chances to get full non-admin support for windows in version > 2.3 final? Work is going on on full privilege separation for windows. It's not done yet, so we'll see whether it will make 2.3 (which was the initia

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello David, > Have you seen this document? (management/management-notes.txt) > No. I connected to management interface and got this: > Management Interface

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
On 28/02/12 19:42, Alon Bar-Lev wrote: > 2012/2/28 David Sommerseth : >> On 28/02/12 19:17, Carsten Krüger wrote: >>> Hello Alon, >>> >>> ABL> This is *THE* missing functionality in Windows environm

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 28/02/12 19:29, Carsten Krüger wrote: > Hello David, > >> The solution we've ended up with is a OpenVPN service helper which >> runs some code parts with admin rights and the OpenVPN binary >> itself (openvpn.exe) will run completely unprivileged.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
2012/2/28 David Sommerseth : > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 28/02/12 19:17, Carsten Krüger wrote: >> Hello Alon, >> >> ABL> This is *THE* missing functionality in Windows environment. ABL> >> It seems that nobody is interested in developing proper UI using ABL> >> management

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
On Tue, Feb 28, 2012 at 8:25 PM, David Sommerseth wrote: >> This is *THE* missing functionality in Windows environment. It seems >> that nobody is interested in developing proper UI using management >> interface for Windows. Same goes for proper smartcard support. > > I believe Jan Just Keijser and He

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 28/02/12 19:17, Carsten Krüger wrote: > Hello Alon, > > ABL> This is *THE* missing functionality in Windows environment. ABL> > It seems that nobody is interested in developing proper UI using ABL> > management interface for Windows. ABL> Same goes for

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello David, > The solution we've ended up with is a OpenVPN service helper which runs > some code parts with admin rights and the OpenVPN binary itself > (openvpn.exe) will run completely unprivileged. Those two instances will > communicate via named pipes, to set up the proper routes and other

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 28/02/12 19:07, Alon Bar-Lev wrote: > 2012/2/28 Carsten Krüger : >>> * New OpenVPN-GUI >> >> Are there any chances to get full non-admin support for windows in >> version 2.3 final? >> >> I mean strict separation between OpenVPN service running wi

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon, ABL> This is *THE* missing functionality in Windows environment. ABL> It seems that nobody is interested in developing proper UI using ABL> management interface for Windows. ABL> Same goes for proper smartcard support. Developing the UI (command line) would be trivial but to my knowledge

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 28/02/12 18:31, Carsten Krüger wrote: > Hello Samuli, > >> The OpenVPN community project team is proud to release OpenVPN >> 2.3-alpha1. It can be downloaded from here: > >> > >> This rel

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
2012/2/28 Carsten Krüger : >>  * New OpenVPN-GUI > > Are there any chances to get full non-admin support for windows in version > 2.3 final? > > I mean strict separation between OpenVPN service running with local system > privileges (can modify routes, etc.) and usermode part (command line, maybe

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Samuli, > The OpenVPN community project team is proud to release OpenVPN > 2.3-alpha1. It can be downloaded from here: > > This release includes a few new major features: > * Complete IPv6 support, both transport and payload > *