Inspired by a thread [1] about sending a message from the server to the client's GUI (and then displaying it to the user), I would like to discuss standardizing the management interface's "echo" commands. It would be nice if the OpenVPN Windows GUI, Tunnelblick, and other GUIs implemented the commands in a compatible way.
Although this may be of interest to the OpenVPN developers, I think it is mostly of interest to OpenVPN users. (There isn't a list for "OpenVPN administrators", which would be the best target.)

CURRENT STATUS OF THE ECHO COMMANDS

Tunnelblick (I'm the developer) does not do anything with "echo" commands; it doesn't ask the management interface for them.

According to an email in the above-referenced thread from Selva Nair, the OpenVPN Windows GUI currently implements the following:

- "echo forget-passwords": delete passwords internally saved by the GUI but do not disable the password save feature. Useful when pushed from the server so that it gets processed after authentication. Also see management-notes.txt in the openvpn docs.

- "echo save-passwords": enables private-key and auth-user-pass passwords to be saved. Will be effective at startup only if present in the config file. If pushed from the server, will get used for subsequent password prompts. Essentially this has the effect of presenting the password dialogs to the user with the save-password checkbox selected. The user may still uncheck it during the dialog.

And the following are being considered:

- "echo disable-save-passwords": stops the user from being able to save passwords.

- "echo setenv": sets an environment variable for use by scripts.

QUESTIONS ABOUT THE OPENVPN WINDOWS GUI:

1. In the OpenVPN Windows GUI, do "forget-passwords", "save-passwords", and "disable-save-passwords" only affect auth-user-pass passwords, or do they also affect auth-user-pass usernames and private-key passwords?

2. Does the OpenVPN Windows GUI send OpenVPN a "forget-passwords" command via the management interface when it receives an "echo forget-passwords" command? (Note: there are two different "forget-passwords" commands, each in a different direction: a "forget-passwords" command from the GUI to the OpenVPN client, and an "echo forget-passwords" command from the OpenVPN client to the GUI.)

3. How would the "setenv" command work? Would it be done by modifying OpenVPN itself to add a management interface command for the GUI to tell OpenVPN to set an environment variable for scripts, similar to the way the OpenVPN --setenv option works? OpenVPN itself seems to be designed to protect the client computer from the server as well as the other way around. (For example, "--pull-filter ignore".) An "echo setenv" command would break that protection if it modifies variables which have been set by "setenv" in the configuration file or --setenv on the command line.

4. Does "echo save-passwords" override a (presumed) global setting that disables it?

5. Will "echo disable-save-passwords" override a (presumed) global setting that enables it?

COMMENTS ABOUT TUNNELBLICK:

A. Tunnelblick can/will implement "echo disable-save-passwords" (in addition to Tunnelblick's existing mechanism for doing so). The user will not have a way to override this (even a user who is a computer administrator, but I want to think more about that and may change my mind). It would also forget saved passwords as if "echo forget-passwords" had been received, because that is what the OpenVPN Windows GUI will do (according to Selva).

B. Tunnelblick can/will implement "echo forget-passwords" but I need clarification of exactly which "passwords" it affects (see question 1, above) and whether Tunnelblick should instruct OpenVPN to forget passwords, too. I'm leaning toward doing that because I don't think there is any other way for the server to tell the OpenVPN client to forget its passwords, so it could be useful.

C. Tunnelblick can/will implement "echo save-passwords" only for configurations that are not set up to *disallow* it.

D. Tunnelblick can/will implement "echo setenv" assuming the management interface is modified to implement a command to do it or there is some other acceptable way to do it securely.

E. Tunnelblick's settings can affect all configurations or individual configurations, and each setting can be "protected" so that only a computer administrator can change it. That protection is set up when Tunnelblick or the configuration is installed.

Best regards,

Jon Bullard

[1] https://sourceforge.net/p/openvpn/mailman/openvpn-users/thread/20171120151612.nbipfbmui74pdadn%40charite.de/#msg36130244
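As an added illustration (not code from Tunnelblick, the OpenVPN Windows GUI, or this thread), here is a GUI-side handler for the management interface's real-time ">ECHO:unix-time,text" lines that applies the behaviour discussed above: forget-passwords also sends OpenVPN its own "forget-passwords" command, save-passwords never overrides a setting that disallows saving, disable-save-passwords also forgets, and setenv refuses to override variables already set locally by "setenv"/--setenv. The "setenv NAME VALUE" wording, the GuiState field names and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Real-time ECHO message from the management interface: ">ECHO:<unix-time>,<text>"
ECHO_RE = re.compile(r"^>ECHO:(\d+),(.*)$")

@dataclass
class GuiState:
    save_allowed: bool = True                     # global/admin setting (assumed name)
    save_enabled: bool = False                    # default state of the "save" checkbox
    saved_passwords: Dict[str, str] = field(default_factory=dict)
    config_env: Dict[str, str] = field(default_factory=dict)  # "setenv" in config / --setenv
    script_env: Dict[str, str] = field(default_factory=dict)  # values the GUI passes to scripts

def handle_echo(line: str, state: GuiState) -> List[str]:
    """Apply one >ECHO: line to the GUI state; return management commands to send back."""
    m = ECHO_RE.match(line)
    if not m:
        return []                                 # not an ECHO line, nothing to do
    words = m.group(2).split()
    cmd = words[0] if words else ""
    if cmd == "forget-passwords":
        state.saved_passwords.clear()
        return ["forget-passwords"]               # also ask OpenVPN to forget its copies
    if cmd == "save-passwords":
        if state.save_allowed:                    # a local "disallow" setting wins
            state.save_enabled = True
        return []
    if cmd == "disable-save-passwords":
        state.save_allowed = False
        state.save_enabled = False
        state.saved_passwords.clear()             # forget too, as the Windows GUI does
        return ["forget-passwords"]
    if cmd == "setenv" and len(words) == 3:       # assumed form: setenv NAME VALUE
        name, value = words[1], words[2]
        if name not in state.config_env:          # locally configured values are protected
            state.script_env[name] = value
        return []
    return []                                     # unknown echo text is ignored

if __name__ == "__main__":
    st = GuiState(config_env={"VERB": "3"})       # constructed sample state
    for sample in (">ECHO:1511184000,save-passwords",   # constructed sample lines
                   ">ECHO:1511184001,setenv VERB 9",
                   ">ECHO:1511184002,disable-save-passwords"):
        print(sample, "->", handle_echo(sample, st))
    print(st)
```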