Hi,

On Wed, Dec 09, 2015 at 04:03:37PM -0500, Jonathan K. Bullard wrote:
> Inspired by Gert Doering (but don't blame him for any of my bad ideas
> : ), I'm considering adding a feature to Tunnelblick (a FOSS GUI for
> OpenVPN on OS X) that would allow a standard user on a Mac to install
> "safe" OpenVPN client configurations without requiring administrator
> credentials.
Obviously, I would like this :-) (sorry for never replying to the other
mail reply you sent on my original query) - but I can see that there are
caveats. A few thoughts on this:

- I think that this should be enabled by the administrator on Tunnelblick
  install - so, some shops would like to have it (us!), while others might
  consider this "total no-go, never!".

- "iroute" is a server option which controls IP routing inside a
  point-to-multipoint server, and can only be set by ccd/ or
  --client-connect, so that one is moot.

- "ifconfig" and "route" (and by extension, "ifconfig-ipv6" and
  "route-ipv6") are not needed in *my* deployment scenario, because as you
  say, they are pushed - but then, if I can specify --remote, or control
  the other side of the VPN, I can still generate arbitrary route/ifconfig
  commands and mess up the client's network config.

  I do not see a strong security risk here, as OpenVPN will not execute
  arbitrary *commands* here, just set potentially disruptive network
  configs - and if someone does not want a user sending traffic into a
  tunnel, they need to ensure that the server firewalls it. So the
  biggest risk is "a user shooting himself in the foot".

In the long run, a totally different approach to this might be what
NetworkManager is doing under Linux and what we plan for the iService on
Windows - OpenVPN is run with user privileges (so --up etc. cannot do more
harm than the user could do from a terminal window), and the privileged
operations (ifconfig, route) are done by a plugin / --up script / via a
service pipe. I don't know the specifics of how NetworkManager is doing it,
but I can find out.

As a matter of reference, this is what "our" configs look like, which
should be fairly typical client-side stuff:

-------------------------------------------------------
client
nobind
dev tun
proto udp
remote mysecretvpnserver.corporate.domain
ns-cert-type server
comp-lzo
auth-nocache
auth-retry interact
reneg-sec 43200
auth-user-pass
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
-------------------------------------------------------

(inline cert is what got this all started - user certs are renewed yearly,
and since half of them are not really able to understand "move this .p12
file to where you stored last one's and where your OpenVPN config is
referencing it" but they *do* understand "click on this link to your new
.ovpn file and have Tunnelblick import it"...)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
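An added illustration of the allow-list idea discussed in this thread (example code, not Tunnelblick's own and not an official OpenVPN directive list): a Python checker that parses an .ovpn file, including the inline <ca>/<cert>/<key> blocks shown in Gert's sample, refuses any directive that makes OpenVPN run a program or relax script policy (--up, --plugin, --script-security and friends), refuses file-path arguments in favour of the inline form, treats ifconfig/route-style directives as warnings by default (the "shooting himself in the foot" class above, rejected only in strict mode) and rejects every directive it does not explicitly know. The directive sets are an assumption drawn from the discussion; the two sample configs, the host vpn.example.net and the path /tmp/payload.sh are constructed for the example.

```python
"""Allow-list check for an OpenVPN client config before an unprivileged import.
Added example, not Tunnelblick or OpenVPN code; the directive classes below are
an assumption drawn from the thread, not an official OpenVPN list."""
import shlex

# Run a program or relax script policy: a root shell if the daemon runs as root.
EXEC = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
        "client-connect", "client-disconnect", "auth-user-pass-verify",
        "learn-address", "plugin", "script-security", "iproute"}
# Server-side only ("iroute" is the one the thread calls moot).
SERVER_ONLY = {"iroute", "server", "server-bridge", "push", "mode", "client-config-dir"}
# Rewrite the client's network config: disruptive, not code execution, and the
# server can push them anyway, so warnings unless strict=True.
NETWORK = {"ifconfig", "ifconfig-ipv6", "route", "route-ipv6", "route-gateway",
           "redirect-gateway", "dhcp-option"}
# Take a path OpenVPN opens or writes as root; credentials must be inline blocks.
INLINE = {"ca", "cert", "key", "tls-auth", "extra-certs", "pkcs12", "secret", "crl-verify"}
FILE_ARG = INLINE | {"log", "log-append", "status", "writepid", "chroot"}
# Plain client options: the mail's sample config plus a few common companions.
ALLOWED = {"client", "nobind", "dev", "proto", "remote", "port", "ns-cert-type",
           "remote-cert-tls", "comp-lzo", "auth-nocache", "auth-retry", "reneg-sec",
           "auth-user-pass", "cipher", "auth", "tls-client", "key-direction", "keepalive",
           "persist-key", "persist-tun", "resolv-retry", "verb", "mute", "pull"}


def parse_ovpn(text):
    """Yield (kind, payload, lineno) with kind 'directive', 'block' or 'error'.
    Inline block bodies are never tokenised, so PEM text cannot carry directives."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        lineno, line = i + 1, lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            tag = line[1:-1]
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                i += 1
            if i == len(lines):
                yield "error", f"unterminated <{tag}> block", lineno
                return
            i += 1  # step over the closing tag
            yield "block", tag, lineno
            continue
        lex = shlex.shlex(line, posix=True)  # OpenVPN quoting: "..", '..', backslash
        lex.whitespace_split, lex.commenters = True, "#;"
        try:
            words = list(lex)
        except ValueError as exc:
            yield "error", f"unparsable line: {exc}", lineno
            continue
        if words:
            yield "directive", words, lineno


def check_client_config(text, strict=False):
    """Return (errors, warnings); any error means the import is refused.
    Anything not classified above is rejected: allow-list, not block-list."""
    errors, warnings = [], []
    for kind, payload, lineno in parse_ovpn(text):
        if kind == "error":
            errors.append(f"line {lineno}: {payload}")
        elif kind == "block":
            if payload not in INLINE:
                errors.append(f"line {lineno}: unknown inline block <{payload}>")
        else:
            name, args = payload[0], payload[1:]
            where = f"line {lineno}: '{name}'"
            if name in EXEC:
                errors.append(f"{where} runs a program or changes script policy")
            elif name in SERVER_ONLY:
                errors.append(f"{where} is a server-side option")
            elif name in FILE_ARG:
                hint = f"use the inline <{name}> form" if name in INLINE else "drop it"
                errors.append(f"{where} opens a file as root; {hint}")
            elif name == "auth-user-pass" and args:
                errors.append(f"{where} with a file argument reads credentials as root")
            elif name in NETWORK:
                (errors if strict else warnings).append(
                    f"{where} rewrites the client's routing/interface config")
            elif name not in ALLOWED:
                errors.append(f"{where} is not on the allow-list")
    return errors, warnings


# Constructed samples: the thread's config with placeholder PEM bodies, and a
# hostile one that would hand a root shell to whoever can install it.
SAMPLE_OK = "\n".join([
    "client", "nobind", "dev tun", "proto udp",
    "remote mysecretvpnserver.corporate.domain", "ns-cert-type server",
    "comp-lzo", "auth-nocache", "auth-retry interact", "reneg-sec 43200",
    "auth-user-pass", "<ca>", "...", "</ca>", "<cert>", "...", "</cert>",
    "<key>", "...", "</key>"])
SAMPLE_BAD = "\n".join([
    "client", "dev tun", "remote vpn.example.net 1194", "script-security 2",
    'up "/tmp/payload.sh"   # run as root by a privileged daemon',
    "cert /etc/ssl/private/client.crt", "route 10.0.0.0 255.0.0.0"])

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_OK), ("hostile", SAMPLE_BAD)):
        errs, warns = check_client_config(cfg)
        print(label, "rejected" if errs else "accepted", errs, warns)
```

The check is deliberately an allow-list: a new directive in a later OpenVPN release is refused until someone classifies it, rather than silently admitted. It does not change the point made above about --remote: a user who can pick the server can still receive pushed routes and ifconfig settings, so the server-side firewalling Gert mentions is still what bounds the damage, and this check only keeps command execution and root file access out of a configuration installed without administrator credentials.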
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users