Hi,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 2 April 2021 20:51, Selva Nair <selva.n...@gmail.com> wrote:

> Hi,
>
> On Fri, Apr 2, 2021 at 3:21 PM tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > Hi,
> >
> > I have had to test this myself because I am a little shocked ..
> >
> > Using the Windows GUI and an up script named like so:
> > 'my_vpn_01_up.bat'
> > which is kept in the openvpn\config folder of the user's home,
> > DOES allow data to be passed over the newly established VPN.
> > And does NOT require explicit '--script-security 2' to be set.
> >
> > Whereas, a script configured inside the config with --up
> > does NOT allow data to be passed over the newly established VPN.
> > And it also requires that '--script-security 2' be explicitly set.
> >
> > I can only say that:
>
> --up foo and similar scripts allow arbitrary commands to be executed, while
> scripts executed by the GUI are hard-coded to "<profile>_up.bat" etc.
> Of course the content of the batch script could be anything, but it
> doesn't carry the same threat as a command embedded in a config file.

If I distribute my VPN client as a Zip file, then whatever name I give
the VPN config file, I will obviously make the batch file the same:

* provider.ovpn
* provider_up.bat

This is certainly not a difficult hurdle to side-step.

> It's easy for an unsuspecting user to "import" a config file downloaded
> from somewhere, but to get the batch file into the right location they
> have to deliberately copy it there. One can say that we treat that
> action as equivalent to "--script-security 2".

See Zip above..
Unsuspecting users are exactly who I thought OpenVPN wanted to protect.

> That said, anyone using configs and associated files received from an
> untrusted party is taking a risk. At the very least do not run the GUI as admin.

Yes, at least the batch file will only be run as the user.
Although, any sophisticated adversary will ensure their attack only requires user privs.

> As for sending data over the link, not sure I follow. Anything run
> with user's privileges after the tunnel is established can potentially
> use the tunnel.

The Windows GUI effectively achieves the same point which Gert makes about Unix.
On Unix you can send a task into the background and wait for the tunnel to become active.
On Windows you use the GUI to delay running an associated *_up batch file.

This was a surprise; having had time to consider it, I guess it is not so unpleasant.
But I'm still not convinced..

--
Thanks
R
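The two execution paths argued about above (an `up`-style directive inside the config, gated by `script-security`, versus a `<profile>_up.bat` dropped beside the `.ovpn` file, which the GUI runs with no such gate) can be audited from the defender's side. The following Python script is an added example, not code from this thread or from the OpenVPN project: it walks a config folder and reports, per profile, which script directives the config contains, the effective `script-security` level, and whether a GUI companion batch file exists. The sample folder is constructed in a temp directory; including `*_down.bat` as a companion name is an assumption.

```python
import tempfile
from pathlib import Path

# Config directives that make openvpn.exe itself run an external program;
# OpenVPN only honours them when script-security is 2 or higher.
SCRIPT_DIRECTIVES = {"up", "down", "route-up", "route-pre-down", "ipchange",
                     "client-connect", "client-disconnect", "learn-address",
                     "auth-user-pass-verify", "tls-verify"}
# Companion batch files the Windows GUI runs beside "<profile>.ovpn" with no
# script-security gate. The thread names *_up.bat; *_down.bat is an assumption.
GUI_COMPANIONS = ("_up.bat", "_down.bat")

def parse_directives(text):
    """Map directive -> list of argument lists, skipping comments and <tag> payloads."""
    found, in_tag = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_tag:                       # inside <ca>, <cert>, ... inline payload
            in_tag = not line.startswith("</")
            continue
        if not line or line[0] in "#;":  # OpenVPN treats only whole lines as comments
            continue
        if line.startswith("<"):
            in_tag = True
            continue
        parts = line.split()
        found.setdefault(parts[0], []).append(parts[1:])
    return found

def audit_profile(ovpn_path):
    """Report in-config script hooks, the script-security level and GUI companions."""
    p = Path(ovpn_path)
    directives = parse_directives(p.read_text(errors="replace"))
    hooks = sorted(d for d in directives if d in SCRIPT_DIRECTIVES)
    sec = directives.get("script-security", [["1"]])[-1]      # last occurrence wins
    level = int(sec[0]) if sec and sec[0].isdigit() else 1
    companions = [p.stem + s for s in GUI_COMPANIONS if p.with_name(p.stem + s).exists()]
    return {"profile": p.name, "config_hooks": hooks, "script_security": level,
            "hooks_enabled": bool(hooks) and level >= 2, "gui_companions": companions,
            "runs_external_code": (bool(hooks) and level >= 2) or bool(companions)}

def demo():
    """Constructed sample folder: the thread's provider.ovpn + provider_up.bat pair, plus one config using --up."""
    d = Path(tempfile.mkdtemp())
    (d / "provider.ovpn").write_text("client\nremote vpn.example.net 1194\n# no up directive here\n")
    (d / "provider_up.bat").write_text("@echo off\r\n")
    (d / "plain.ovpn").write_text("client\nscript-security 2\nup C:\\hook.bat\n<ca>\nup bogus\n</ca>\n")
    return [audit_profile(f) for f in sorted(d.glob("*.ovpn"))]
```

Run `demo()` to see that `provider.ovpn` is flagged purely because of its companion batch file, while `plain.ovpn` is flagged because `up` is present and `script-security 2` enables it.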