[Openvpn-devel] FYI: OpenVPN client for Windows that is working non-admin - securepoint client

2012-04-10 Thread Carsten Krüger
I don't know if this is well known:
http://sourceforge.net/projects/securepoint/




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Carsten Krüger
Hello Heiko,

HH> The openvpn.exe process security descriptor will be owned by the user the
HH> service is run as, i.e. Local System.

Ok. I was unsure whether, if openvpn.exe is started as user x, that user
would be the owner even if it's started from the service.

HH>  That's what I meant by "The service
HH> account will own the process object, so that the user cannot sneak his way in
HH> by modifying the DACL."

I see.

I'm looking forward to see the next version :-)

greetings
Carsten






Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Carsten Krüger
Hello Heiko,

HH> It is false that you cannot set a process' mandatory label to a higher
HH> integrity level than the one in the token.

That's not what I said.
It's not possible to assign a higher level than the user has to a
user's process.

Users can have low and medium, administrators can have high and
system services can have the system integrity level.

HH> Instead I plan to secure the process (and the probably the pipe handle as
HH> well) against malicious operations by not granting the user any sophisticated
HH> access to it, i.e. you can only inject code if you can write the process'
HH> memory. This will be enforced by the security descriptor assigned to the
HH> process by the service at creation time. The service account will own the
HH> process object, so that the user cannot sneak his way in by modifying the
HH> DACL.

Could you please create a tiny example exe for testing?
I think it won't work either.

I tried the following (disabled kernel process hacker):
1. ran an instance of notepad as user Carsten (normal windows user, no admin)
2. entered "testtesttest"
3. ran an instance of process hacker as user Carsten
4. tried to write to memory -> worked, closed process hacker
5. ran an instance of process hacker as admin and stripped permissions for user Carsten completely, closed process hacker
6. ran an instance of process hacker as user Carsten
7. tried to write to memory -> failed as you expected
8. added full permissions to the process for user Carsten -> works !!!
9. tried to write to memory -> works

It's my process so it's possible for me to change the permissions !
I think it doesn't get better if a service creates a process for me.

greetings
Carsten
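The experiment above and Heiko's answer quoted in the 2012-03-12 message turn on one Windows rule: the owner of an object is always granted READ_CONTROL and WRITE_DAC, whatever the DACL says, so a user who owns the process object can put stripped ACEs back (step 8), while a process object owned by the service account gives the user no such way back in. The Python below is an added model, not code from the thread or from OpenVPN; it reduces the access check to owner plus allow-ACEs and deliberately leaves out privileges (SeDebugPrivilege, SeTakeOwnershipPrivilege) and integrity levels, which a real check also consults. Names such as `carsten` and `local-system` stand in for SIDs.

```python
# Simplified model of the Windows object access check (added example, not
# Windows code): owner SID plus allow-ACEs only. Privileges and integrity
# levels are intentionally left out.

# Access-mask bits, values as in the Win32 headers.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
# "Full control" for this model: every right the model knows about.
FULL_CONTROL = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE | READ_CONTROL | WRITE_DAC


class SecurityDescriptor:
    """Owner SID plus a DACL reduced to a mapping SID -> allowed access mask."""

    def __init__(self, owner, dacl):
        self.owner = owner
        self.dacl = dict(dacl)


def access_check(sd, sid, desired):
    """True if every bit of `desired` is granted to `sid`.

    The rule that decides the thread: the object's owner is always granted
    READ_CONTROL and WRITE_DAC, regardless of the DACL contents."""
    granted = sd.dacl.get(sid, 0)
    if sid == sd.owner:
        granted |= READ_CONTROL | WRITE_DAC
    return desired & ~granted == 0


def set_dacl(sd, caller, new_dacl):
    """Replace the DACL; needs WRITE_DAC on the object. Returns False on denial."""
    if not access_check(sd, caller, WRITE_DAC):
        return False
    sd.dacl = dict(new_dacl)
    return True


def replay_experiment(owner, user="carsten"):
    """Steps 4-9 of the notepad test against a process object owned by `owner`.

    Returns the outcome of each step so the two designs can be compared."""
    sd = SecurityDescriptor(owner, {user: FULL_CONTROL, "local-system": FULL_CONTROL})
    outcome = {}
    outcome["write_before_strip"] = access_check(sd, user, PROCESS_VM_WRITE)   # step 4
    sd.dacl.pop(user)                       # step 5: the administrator strips the user's ACE
    outcome["write_after_strip"] = access_check(sd, user, PROCESS_VM_WRITE)    # step 7
    outcome["user_regrants_self"] = set_dacl(                                  # step 8
        sd, user, {user: FULL_CONTROL, "local-system": FULL_CONTROL})
    outcome["write_after_regrant"] = access_check(sd, user, PROCESS_VM_WRITE)  # step 9
    return outcome


if __name__ == "__main__":
    print("user-owned process:   ", replay_experiment(owner="carsten"))
    print("service-owned process:", replay_experiment(owner="local-system"))
```

Run stand-alone it prints both outcomes; the difference between the two dictionaries is the whole argument for letting the service, not the user, own the process object. The model says nothing about the other injection routes mentioned in the thread; it only shows why stripping the DACL of a user-owned object is not a protection.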






Re: [Openvpn-devel] OpenVPN Management Interface

2012-03-08 Thread Carsten Krüger
Hello David,

> However, how will this approach make sure that malware don't use such a
> (new) openvpn service to redirect all Internet traffic via a third-party
> which can analyse everything happening?

Malware on the openvpn endpoint can analyse all decrypted traffic.
No need to redirect.
If you have malware on your system you're lost.
No need to worry about that scenario.

greetings
Carsten




Re: [Openvpn-devel] Project management and direction (WAS: Re: OpenVPN 2.3-alpha1 released)

2012-03-01 Thread Carsten Krüger
Hello Alon,

ABL> The problem is with the "Meeting Summary"... It breaks the discussion.

ACK but you can't prohibit out-of-band communication.

ABL> Reading IRC logs is way out of valid request...

ACK

It would be nice if there were proper responses on the list.

greetings
Carsten






Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David,

Thx for the explanation of script usage.

DS> Well, I can agree to that.  But this is all open source.  No matter how
DS> much restrictions you put into the openvpn product, the user can download
DS> the source, add the features missing, and reconnect with a modified
DS> OpenVPN version.

ACK, if he has the complete configuration and all secrets.

But in an enterprise scenario the user has only a company-configured
machine and his own username/password or smartcard. For example the
tls-key could be unknown to the user.
The user can't boot his own machine, install a patched openvpn and
connect to the vpn server because one secret is missing.

That's the reason why I think openvpn shouldn't be started as a user
and the config must be controlled by the enterprise.

Cisco introduced a stupid encryption of key material in .vcf.
The user should be allowed to set up the tunnel on his own.
The user can take http://newgre.net/passwordrevealer and the Shrewsoft Client
to connect. All enforcements are gone (push redirect-gateway for
example).

DS> be code which is not easily available, so the client can't fake this
DS> operation as well.

ACK

DS> Bottom line is, you can't fully control the client environment.

You can't control the client from a VPN tool. You have to control the
client in enterprise directly. Group policies, software restriction
policies, good ACLs, etc.

DS> What you can do on the client side, is to avoid a third party (think
DS> virus/malware) to figure out that openvpn is installed, and tweak the
DS> config to run code which was not supposed to be run with higher
DS> privileges.

A virus runs with user privileges, the config is only modifiable with admin
privileges. No problem. The virus can establish a VPN connection, same as
the user.

DS>  So the client should try to lock down things locally, to
DS> reduce the impact from local exploits.

Not the openvpn client but the complete machine.

DS> There's no real way you can make the server enforce restrictions on the 
client.

Full ACK

greetings
Carsten






Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David,

> a) Mounting and un-mounting networked filesystems after the tunnel is up.
> Here I even implemented the --route-pre-down script hook, to unmount the
> filesystem before the tunnel is taken down.  Here's the config extract:

Does this need root rights?

> This client has a web server behind it which is available on the public
> internet via the openvpn server which got the public IP address.  To make
> sure the incoming public traffic is returned via the VPN tunnel and not
> the default gateway on the openvpn client, simple ip rules like the ones
> below are used in the route-up.sh

>   /sbin/ip rule add from ${ifconfig_local} table 132
>   /sbin/ip route add default via 10.8.0.1 table 132

> And the route-down.sh takes care of deleting the rule.  This is to avoid
> errors and duplications if openvpn is restarted.  (And there are probably
> other ways to solve this as well, but this is one way)

Need root rights, too?

Maybe it's a good idea to have two types of scripts.
One that is controlled by the administrator and is executed with
admin/root privileges and the other that runs as the user.

> Plugins can be used on both server side and client side.  They can be
> used to extend the logging, or do other more advanced things which is
> easier and cleaner solved in a C program than using plenty of scripts.

In an enterprise setup I would think a plugin should not be modifiable by the
user (i.e. the user should have no chance to load his own modules).

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko,

> Did you try it?

No but I understand the concept of security levels in Windows.
A user can spawn a process with his rights or with lower rights.

>  The service should have sufficient rights to modify it I guess.

No. If you start a process in the user's context the user can modify it.
There is nothing you could do against it.

>> b) dll injection is ONE example of how a user can manipulate his own
>> process. I'm no expert at hacking windows but you can trust me, it
>> exists 1001 possibilities to do the same. You have no chance to block
>> them.

> I file that under FUD until you're more explicit.

I would propose you ask somebody in your company who is experienced
in hacking Windows (maybe someone from the antivir team?).
If a process runs within my security context I can modify it arbitrarily.
That's a very basic concept in operating systems.

I showed you one example of how to break your design - injecting a dll.
I'm no expert in hacking processes in Windows but from OS design there
have to exist plenty of other ways.

To give you some ideas, study process hacker.
Try what you can do with your own processes (disable kernel hacker,
otherwise you have full kernel privileges)
http://processhacker.sourceforge.net/
Take a non-admin user, start notepad, start process hacker, go to
properties, view permissions. You can see that on your own process
you have "full control", for example "create thread", "write memory".

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko,

>  If that works out, all that is needed is the service increasing the tokens integrity
> level before starting openvpn and the user will have limited access to the
> running openvpn process.

a) this doesn't work, you can lower the level but not raise it
b) dll injection is ONE example of how a user can manipulate his own
process. I'm no expert at hacking windows but you can trust me, there
exist 1001 possibilities to do the same. You have no chance to block
them.

Please drop "openvpn-service starts openvpn in the context of the user".
It brings in much complexity for no benefit.

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Gert,

>> Dismiss the hole service starts openvpn in user context. It makes no
>> sense.

> From a pure security perspective, you're right - maximum security would
> be reached by running openvpn.exe in a completely unprivileged context
> (unix way: chroot(/var/empty), setuid(nobody)) to make sure that any
> possible bug that is network-exploitable cannot be used to gain access
> to the system.

You misunderstood me, the feature "openvpn service creates openvpn
process in user context" doesn't "work". It creates no additional
security but instead lowers it (the service has the privilege to spawn
processes in all user contexts).
It has nothing to do with privilege separation.

My idea is the following:
run openvpnhelperservice with "network operator privileges", run
openvpn.exe as "local service", advance the management interface to a
point where it is more useful. Let a client run in the user's context that
communicates via the management interface.
The execution of scripts can be done from the client if it's something
like pull git or connect to a share.

> Given that people have implemented all the script and plugin hooks because
> someone actually *uses* them, taking this away would not be something
> people like - so you want something that has flexibility, but does not
> have "full system access" (unix: runs as root).

Are there any plugins for windows? What do they do? Do they need to run
in openvpn-context?

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello,

> How will you handle that some users use OpenVPN from Windows, Linux and
> maybe even a mobile phone (like N900)? ... where paths are different,
> depending on OS and/or distribution.  And some paths on Linux (probably
> *BSD too?) are different if it is a 32bit architecture or 64bit.

Do you have an example of a script? I've no idea what the exact purpose is,
I've never used scripts in openvpn.

> I doubt it will be highly appreciated that sys-admins need to maintain
> separate script profiles on the server side, for each OS/platform connecting.

Who writes the script? The sysadmin.

> And you would also need to go even further, to also make --plugin only
> pushable too.  Which makes the /usr/lib vs /usr/lib64 scenario a real
> pain for sure.

Why do you want to secure openvpn if there is an option for a user to
inject plugins?
The plugin code can do anything.

Are plugins used only on the server side or on the client side, too?

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko,

> Same here, please share your thoughts on how to reduce complexity.

Dismiss the whole "service starts openvpn in user context". It makes no
sense.

see:
Message-ID: <1957833067.20120229194...@gmxpro.de>
Message-ID: <1787326494.20120229201...@gmxpro.de>

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello,

> If openvpn.exe startet in users context the user can manipulate it in
> ram arbitrarily.

Example:
http://blog.didierstevens.com/2009/06/25/bpmtk-injecting-vbscript/
(great blog about process manipulation :-) )

I think there is absolutely no benefit from starting openvpn.exe in
user context via the service.

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Fabian,

> Why does the "interactive service" need to start OpenVPN?

Yeah, I can't understand that either.

>  Why not let the GUI start OpenVPN and let OpenVPN connect to the "interactive
> service"?

Exactly.

If openvpn.exe is started in the user's context the user can manipulate it in
RAM arbitrarily.
There is absolutely no better protection than letting the user start openvpn.
Because of this openvpn should NOT be started as a user and the user
should not have the right to modify scripts.

I think it would be good to rethink the whole script idea.
Maybe scripts could be server-pushable only.

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Alon,

> I use [1], a simple perl/kde UI for Linux.
> I deleted the .net as I did not maintain it, but it should be simple
> for you to convert, or simply run the perl, and write kdialog
> replacement.

perfect, the gnome variant works with windows, too.
http://www.placella.com/software/zenity/

It only has to be modified minimally so that it supports method "Auth"
instead of "Private key".

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko,

> However it was only an example and thus
> didn't have to make any practical sense. =)

:-)

> You forgot the GUI in this picture. If the service is connected to the
> management interface the GUI can't connect anymore.

?
If I understand you correctly it works this way:

openvpnserv.exe spawns openvpn.exe
openvpnhelperserv.exe spawns openvpnhelper.exe

openvpn.exe runs with no privileges at all (local service) and
openvpnhelper.exe with privileges to modify routing (network configuration operator)

openvpn.exe communicates via pipe with openvpnhelper.exe, for example "please add a route"

the user client (for example a perl script) uses the management interface to
connect to openvpn.exe (please establish connection, credentials are xyz)

> Interesting, could you elaborate?

The process needs too many rights.

AFAIK openvpnhelper.exe would then need SE_ASSIGNPRIMARYTOKEN_NAME.
Why should it have so much power?

Can you explain the architecture in more detail?

Do you need it for smartcard auth? I don't know the details of Smartcard API ...

> Not users, really. More like session. So you can connect to different server
> simultaneously.

Yeah, that's a point.
But I think it would only need management commands like "connect vpn session 1",
"disconnect vpn session 1", "supply credentials for session 1".
Credentials could be more than username/password, for example a tls key
or a smartcard "connection".

>  Of course this could be used by two different users at the
> same time or different impersonations in the same session, while still running
> ovpn with the credentials of the entity who started openvpn. So the point
> isn't really that many user can connect, but that the running sessions will be
> isolated from each other by the service.

hmm, I'm unsure if you would win something.
If the network-communicating process is compromised (exploited from the
internet) then it could get all the credentials via the normal interface
from the processes that hold them.

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko,

> The idea to have the service do the privileged operations instead of just
> starting openvpn as "Local System" (or whatever) came from the fear of
> privilege escalation in the scripts that are run by openvpn.

Scripting is a point, but as long as the administrator installs
openvpn + config + script to a folder that is non-writeable for users there
should be no problem.

From a hacker's point of view (send malicious packets to the openvpn client
to exploit a bug) least privilege is a very good idea.

>  So, at least I care that it's not running in privilege mode. Your point is invalid. =P

I created a new user "openvpn", with only the group membership "network
configuration operator", and gave him the right to log on as a service.
Now openvpnserver.exe runs as user openvpn and it works.

According to MS, members of this group can't do much harm:
http://support.microsoft.com/kb/297938

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon,

> Right. This is long existing feature, just that in Windows people
> expect to work using UI...

I don't expect a UI but useful documentation.
management-notes.txt isn't even bundled with the windows binaries :-(

I have used openvpn since version 1 on windows and wasn't aware that the
management interface is working.
Why isn't there at least an example of how to use it?

For example Astaro has a windows client that seems to be not aware of
the management interface.

The guy who wrote http://openvpn.jowisoftware.de/ seems not to
understand the management interface either.
He uses the management interface for communication but then spawns
openvpn.exe itself instead of using the windows service.

I would have deployed openvpn to ~300 employees if users didn't need
admin privileges.

> Years back I wrote a simple .net to do to this...

Could you please share?
I found that openvpn.exe is extremely unstable on non-perfectly friendly
behaving clients ...
Now I use the Non-Sucking Service Manager ( http://nssm.cc/ ) instead of openvpnserv.exe
to spawn openvpn.exe.
It restarts openvpn.exe automatically if it has crashed.

Why is it possible to send "signal SIGTERM" to openvpn.exe via the
management interface?
A client could "crash" openvpn on purpose.

Why isn't a clear connect/disconnect semantic included?
"hold" and "signal SIGUSR1" ???!!?!?


@openvpn officials:
If non-admin openvpn had been working on windows I could have bought OpenVPN Access
Server instead of Cisco.
I wouldn't like to know how much money OpenVPN Technologies, Inc lost because
of the lack of good documentation.

Please please please release immediately a minimal command line client (connect,
disconnect, ask for username) with example server.conf & client.conf.
People have to be aware that it's working!

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello,

> et voila openvpn connects.

Use this to disconnect:
|forget-passwords
|SUCCESS: Passwords were forgotten
|signal SIGUSR1
|SUCCESS: signal SIGUSR1 thrown
|>HOLD:Waiting for hold release

greetings
Carsten






Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon,

> This is *THE* missing functionality in Windows environment.
> It seems that nobody interested in developing proper UI using
> management interface for Windows.
> Same goes to proper smartcard support.

I found that the openvpn management interface works as I'd like it to.

Add the following lines to client.ovpn

management localhost 1000
management-query-passwords
auth-retry interact
management-hold

and start the service.

Use putty to connect to localhost port 1000, format RAW

|>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
|>HOLD:Waiting for hold release
|hold release
|SUCCESS: hold release succeeded
|>PASSWORD:Need 'Auth' username/password
|username Auth here_comes_my_username
|SUCCESS: 'Auth' username entered, but not yet verified
|password Auth here_comes_my_mypassword
|SUCCESS: 'Auth' password entered, but not yet verified

et voila openvpn connects.

I'd like to cry, how long has this worked?

I found this in changelog:
2004.11.28 -- Version 2.0-beta18

* Added management interface.  See new --management-*
  options or the full management interface documentation
  in management/management-notes.txt in the tarball.


greetings
Carsten
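The two exchanges above (connect in this message, disconnect in the 2012-02-28 reply that precedes it on this page) are a plain CRLF text protocol, so they can be driven without putty. The Python below is an added example, not code from the thread or from OpenVPN: a minimal client that answers the `>HOLD:` and `>PASSWORD:Need 'Auth'` prompts, plus a constructed stand-in server that replies with exactly the lines quoted in the messages so the script runs offline on an ephemeral loopback port instead of the `management localhost 1000` from client.ovpn. The command names and reply strings are those shown in the messages; everything else (function names, the masking of the password in the transcript, the stand-in's `ERROR:` wording) is this example's own.

```python
import socket
import threading

# Server lines copied from the exchange quoted in the thread; the stand-in
# server below is not openvpn.exe and knows only these commands.
INFO_LINE = ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info"
HOLD_LINE = ">HOLD:Waiting for hold release"
PASSWORD_LINE = ">PASSWORD:Need 'Auth' username/password"


def fake_management_server(listener, ready):
    """Serve one client with the replies seen in the thread (constructed stand-in)."""
    ready.set()
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rfile:
        def send(line):
            conn.sendall(line.encode() + b"\r\n")   # CRLF-terminated text protocol

        send(INFO_LINE)
        send(HOLD_LINE)                               # --management-hold parks the daemon
        for raw in rfile:
            cmd = raw.decode().rstrip("\r\n")
            if cmd == "hold release":
                send("SUCCESS: hold release succeeded")
                send(PASSWORD_LINE)                   # --management-query-passwords
            elif cmd.startswith("username Auth "):
                send("SUCCESS: 'Auth' username entered, but not yet verified")
            elif cmd.startswith("password Auth "):
                send("SUCCESS: 'Auth' password entered, but not yet verified")
            elif cmd == "forget-passwords":
                send("SUCCESS: Passwords were forgotten")
            elif cmd == "signal SIGUSR1":
                send("SUCCESS: signal SIGUSR1 thrown")
                send(HOLD_LINE)                       # the restart lands on the hold again
            else:
                send("ERROR: unknown command")        # constructed wording


class ManagementClient:
    """Minimal client for the text protocol: answers the hold and password prompts."""

    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port))
        self.rfile = self.sock.makefile("rb")
        self.transcript = []                          # what a GUI would write to its log

    def send(self, cmd, logged=None):
        self.transcript.append(logged if logged is not None else cmd)
        self.sock.sendall(cmd.encode() + b"\r\n")

    def expect(self, prefix):
        """Read until a line starting with `prefix`; asynchronous '>' notices may interleave."""
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("management interface closed")
            line = raw.decode().rstrip("\r\n")
            self.transcript.append(line)
            if line.startswith("ERROR:"):
                raise RuntimeError(line)
            if line.startswith(prefix):
                return line

    def connect_tunnel(self, username, password):
        """The connect sequence from the message: release the hold, answer the Auth query."""
        self.expect(">HOLD:")
        self.send("hold release")
        self.expect("SUCCESS: hold release")
        self.expect(">PASSWORD:Need 'Auth'")
        self.send("username Auth " + username)
        self.expect("SUCCESS:")
        # Never let the secret reach the log: the transcript keeps a masked copy.
        self.send("password Auth " + password, logged="password Auth ****")
        self.expect("SUCCESS:")

    def disconnect_tunnel(self):
        """The disconnect sequence: drop cached secrets, then restart into the hold."""
        self.send("forget-passwords")
        self.expect("SUCCESS:")
        self.send("signal SIGUSR1")
        self.expect("SUCCESS:")
        self.expect(">HOLD:")

    def close(self):
        self.rfile.close()
        self.sock.close()


def run_demo(username="here_comes_my_username", password="here_comes_my_mypassword"):
    """Run client and stand-in server on an ephemeral loopback port; return the transcript."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                   # the thread's client.ovpn uses port 1000
    listener.listen(1)
    port = listener.getsockname()[1]
    ready = threading.Event()
    server = threading.Thread(target=fake_management_server, args=(listener, ready), daemon=True)
    server.start()
    ready.wait()
    client = ManagementClient("127.0.0.1", port)
    try:
        client.connect_tunnel(username, password)
        client.disconnect_tunnel()
    finally:
        client.close()
        server.join(timeout=5)
        listener.close()
    return client.transcript


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Two practical points the script is built around. The transcript keeps `password Auth ****` rather than the secret, because a GUI that logs the raw exchange leaks credentials to every process that can read its log. And the configuration in the message binds the interface on localhost with no authentication, so any local process, not just the intended client, can send the same commands, including the `signal SIGTERM` Carsten objects to in his next post; the `management` directive accepts an optional password file as a third argument, which should be set wherever other local users or processes are not trusted. Values containing spaces or quotes must be quoted on the real interface, which this example does not handle.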




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello David,

> The solution we've ended up with is a OpenVPN service helper which runs
> some code parts with admin rights and the OpenVPN binary itself
> (openvpn.exe) will run completely unprivileged.  Those two instances will
> communicate via named pipes, to set up the proper routes and other
> networking parameters.

Why named pipes?

Why not extend this
http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
so that it works without admin privileges?

> The time of complaining will come to an end with 2.3 :)  Heiko
> demonstrated his prototype at FOSDEM a few weeks ago.  And it really
> looked very impressive.  But there are some changes to the openvpn code
> base which needs to be applied, in addition to be synced with the GUI
> code base.  So we decided to postpone this particular feature to a later
> alpha release - instead of postponing the first alpha release even more.
>  Just to give Heiko a bit better time to complete his code.  But there
> are so many requesting this feature, we really can't ignore it any more.

> And Heiko is free to flog me if I've said and/or promised too much :)

great 

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon,

ABL> This is *THE* missing functionality in Windows environment.
ABL> It seems that nobody interested in developing proper UI using
ABL> management interface for Windows.
ABL> Same goes to proper smartcard support.

Developing the UI (command line) would be trivial but to my knowledge
(I've been reading the mailing list for the last 7 years) there is no management
interface in openvpn that would allow this.

ABL> In Linux I am using OpenVPN using unprivileged user (completely!) the
ABL> daemon runs under my own user, see[1].

With su this is trivial :-)

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Samuli,

> The OpenVPN community project team is proud to release OpenVPN
> 2.3-alpha1. It can be downloaded from here:

> 

> This release includes a few new major features:

>  * Complete IPv6 support, both transport and payload
>  * Optional PolarSSL support (build time configuration)
>  * Improved plug-in API (v3) which can more easily be expanded in the
>future: includes support for direct access to X.509 certificate data in
>plug-ins
>  * Several improvements to the management interface
>  * One-to-one NAT to circumvent IP address conflicts between local and
>remote networks
>  * New OpenVPN-GUI

Are there any chances to get full non-admin support for windows in version 2.3 final?

I mean strict separation between the OpenVPN service running with local system
privileges (can modify routes, etc.) and a usermode part (command line, maybe GUI) that
interacts with the user (start/stop tunnel, ask for passphrase, pin for smartcard, etc.).

In companies that have security in mind it's impossible to allow
roadwarriors to connect via openvpn because they would need admin
privileges.
Giving them only the privilege to start/stop the openvpn service doesn't help
because they can't supply credentials.

I've been complaining about this show stopper for ~4 years :-(

I personally like openvpn very much and would like to deploy it for
our users but I have to buy Cisco because the windows client is better.

greetings
Carsten




Re: [Openvpn-devel] First Windows installer snapshot now available

2011-07-15 Thread Carsten Krüger
Hello Samuli,


> Here's another OpenVPN 2.3 pre-alpha installer which uses Heiko's new
> Windows GUI[1]:
> 
> It is more modern (e.g. uses the management interface),

Does establishing a VPN connection now work without administrator
privileges (or to be more precise Network Configuration Operators
membership)?

greetings
Carsten




Re: [Openvpn-devel] OemWin2k.inf specify network adapter name

2011-06-05 Thread Carsten Krüger
> As long as you're taking comments from the clueless I'll chime in.
> It sounds like one of those things that can be changed in
> the registry which means to me it's something that the installer
> should do.  But then I'm clueless when it comes to MS Windows
> so this is just a guess.

Registry is the wrong way, I think.

With powershell it's easy to rename:
http://blogs.technet.com/b/heyscriptingguy/archive/2005/05/11/how-can-i-rename-a-local-area-connection.aspx

greetings
Carsten




Re: [Openvpn-devel] Summary of the IRC meeting (14th Apr 2011)

2011-04-15 Thread Carsten Krüger
Hello Samuli,

> release: this avoids having to sign the TAP-drivers again due to such a
> trivial change.

Release signing is trivial, too.
No need to circumvent it, it's easy to automate.

How to Release-Sign File System Drivers
http://msdn.microsoft.com/en-us/windows/hardware/gg487543.aspx

greetings
Carsten




Re: [Openvpn-devel] [PATCH] Change the default --tmp-dir path to a more suitable path

2011-04-08 Thread Carsten Krüger
Hello David,

> On Windows, it will look up %TEMP% and %TMP% first, and if that doesn't give any clues, it
> will fallback to C:\WINDOWS\Temp in the end.

I think that's not the right location.

Use
http://msdn.microsoft.com/en-us/library/system.environment.getfolderpath.aspx

with this constant
CSIDL_LOCAL_APPDATA to locate it system/language independent:
"C:\Documents and Settings\username\Local Settings\Application Data"
http://msdn.microsoft.com/en-us/library/bb762494.aspx
and then create OpenVPN\temp at this location.

Windows has no special temp location that is "allowed" from MS.

greetings
Carsten




Re: [Openvpn-devel] [PATCH 00/13] Fix remaining major issues with Python-based buildsystem

2011-02-11 Thread Carsten Krüger
> - embedding manifest files to the executables and DLLs

could easily be included:
http://msdn.microsoft.com/en-us/library/ms235591(v=vs.80).aspx

greetings
Carsten




Re: [Openvpn-devel] Help testing OpenVPN 2.2-rc Windows installer?

2011-02-08 Thread Carsten Krüger
Hello,

> The issue was that the installer did not install msvcr90.dll - that's
> now fixed.

I haven't checked how the installer does it, but there is a standard
procedure to do this!
http://support.microsoft.com/kb/326922/en-us

Why it should be done correctly: http://en.wikipedia.org/wiki/DLL_hell

Additionally, good windows software is designed to meet the criteria of the
windows logo program, even if you don't want to certify it.

The Windows 7 Software Logo Program
http://msdn.microsoft.com/en-us/windows/dd203105.aspx

greetings
Carsten




Re: [Openvpn-devel] Beta 2.2 branch pushed

2010-07-02 Thread Carsten Krüger
Hello,

> So it was considered better if a new SVN branch for the beta2.2 would be
> created, branched out from r5701 (the latest SVN change).

Why didn't James switch to git, too?
Using svn & git in parallel isn't effective and causes such problems.
And as far as I know git is a complete superset of subversion.

greetings
Carsten




Re: [Openvpn-devel] Summary of the IRC meeting (8th Apr 2010)

2010-04-09 Thread Carsten Krüger
Hello,

> umm -- Signing requires unlocking the GnuPG key to get a human
> set of eyes, and confirmation that all seems to be well into 
> the process

Not a GPG key but a code signing certificate.

The user that starts build process could unlock the key, BUT if the
build machine is not trusted enough to put the key unencrypted in
memory you have other problems.

> -- an autosigning from a non-protected key cannot sensibly be
> trusted, particularly with a process that has to run at some 
> point with root access rights

Why should building drivers need root rights?

greetings
Carsten




Re: [Openvpn-devel] Summary of the IRC meeting (8th Apr 2010)

2010-04-09 Thread Carsten Krüger
Hello,

> Discussed driver signing issues with Windows Vista / Windows 7. Agreed
> that it should be possible to self-sign the drivers OpenVPN uses.

Not for releases, and even for public betas this is a no-go.
If test signing is enabled DRM content can't be played.

Please read the documentation, it's well documented.
http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx

|Enabling Test Signing
|Use the BCDEdit command-line tool to enable test signing. To use BCDEdit, the user must be a member
|of the Administrator group on the system and run the command from an elevated command prompt.
|An elevated command prompt can be launched by creating a desktop shortcut to cmd.exe,
|right-clicking the shortcut, and then clicking Run as administrator.
|The following shows an example of running BCDEdit at the command prompt:
|// Accept test signed kernel mode signatures
|Bcdedit.exe -set TESTSIGNING ON
|
|// Do not accept test signed kernel mode signatures
|Bcdedit.exe -set TESTSIGNING OFF
|
|The TESTSIGNING boot configuration option determines whether Windows Vista accepts test-signed
|kernel-mode binaries. The option is not defined by default, which means that digital signatures
|on test-signed kernel-mode drivers will not verify and will not load. When Windows Vista accepts
|test-signed kernel-mode binaries, some premium content that is protected may not be accessible on the system.

Source: Digital Signatures for Kernel Modules on Systems Running Windows Vista - kmsigning.doc

The reason for Kernel-Mode Code Signing is that Microsoft can identify
the author of crashing drivers.

greetings
Carsten




Re: [Openvpn-devel] OpenVPN 2.1_rc16 released

2009-05-20 Thread Carsten Krüger
Hi,

> We are very close to 2.1.  I know there's been some discussion about the
> Windows client GUI, whether it deserves to live in 2.1.  We do have a 
> new client GUI that we've developed as a part of our Access Server 
> product and we are open to releasing it with 2.1, however doing so would
> probably add more RC cycles to the 2.1 release.

> The other option is to just release what we have now, pending a week or
> so of testing on rc16, and get the new Windows client GUI into a 
> post-2.1 release.

> Thoughts?

If the release cycles go fast (for example all in 2-4 weeks), release it with the
new Windows client. We have been waiting so long, it's not important to release
2.1 in one week. If you think it takes much longer, then it's better to
release without.

If openvpn 2.1 runs flawlessly with Windows 7 RC, it would be a
good idea to test the GUI with Windows 7 RC, too.
If openvpn doesn't work with Windows 7 RC, it should be a major goal for the
next openvpn version. Ideally from the beginning of the windows release.

greetings
Carsten




Re: [Openvpn-devel] version 2.1

2009-05-05 Thread Carsten Krüger
Hello,

> wouldn't be it better to release the current version as 2.1 and all
> upcoming bugfix can be put into post 2.1?

+1
But kick OpenVPN GUI from the installer, it is unmaintained old crap (needs
admin rights, doesn't use the management interface)

Please set a link to OpenVPN Manager
http://sourceforge.net/projects/openvpnmngr/

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.1-rc5 released

2008-01-27 Thread Carsten Krüger
Hello Alon,

> Oh... Building OpenVPN for Windows is very difficult task now...
> I am working to simplify that...

Building pkcs11-helper with openssl support didn't work for me with mingw.
The openssl symlinks don't work.

A server that produces nightly builds would be nice ...

--
What I have done so far:

Download + Install
--

MinGW (C compiler) + MSYS (make, etc.) + Perl (alternatively ActiveState Perl):
http://www.mingw.org/download.shtml

Man2html:
http://hydra.nac.uci.edu/indiv/ehood/man2html.html

OpenSSL 0.9.7 (needs perl):
http://www.openssl.org/source/

LZO 2:
http://www.oberhumer.com/opensource/lzo/download/

pkcs11-helper (needs man2html)
http://www.opensc-project.org/files/pkcs11-helper/

nullsoft scriptable install system (NSIS)
http://nsis.sourceforge.net/Download

Windows Driver Development Kit
http://www.microsoft.com/whdc/DevTools/ddk/default.mspx
J:\WINDDK\3790.1830\src\setup\devcon

Platform SDK (Windows Server 2003 R2 Platform SDK)
http://www.microsoft.com/downloads/details.aspx?FamilyId=484269E2-3B89-47E3-8EB7-1F2BE6D7123A=en
Service.c
Service.H
(from Simple Service example)

Compile
---
1. patch openssl
2. build openssl
3. build lzo
4. build pkcs11-helper with openssl engine
5. customize install-win32\settings.in
6. run domake-win

greetings
Carsten




Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.1-rc5 released

2008-01-23 Thread Carsten Krüger
Hello Alon,

> True!
> Found it!

> Patch attached.

Please recompile for windows.

I'm trying to set up a toolchain for windows.

greetings
Carsten




Re: [Openvpn-devel] Altering routing Tables as non-admin on Windows

2007-10-16 Thread Carsten Krüger
Hello Matthew,

> specifically by a member of the 'Network Configuration Operators' group,
> This group gives more rights to the user than are necessary for just 
> routing, and may create security problems.

Which problems? They can't do harmful things:
http://support.microsoft.com/kb/297938/en-us

> All of the above is really provided as a demonstration of a possible
> solution for this problem

Why not run openvpn as a service?

greetings
Carsten




Re: [Openvpn-devel] OpenVPN 2.1_rc3 released

2007-04-23 Thread Carsten Krüger
Hello James,

> On Vista x64, my understanding is that the TAP driver
> would need to be signed by Microsoft themselves.

wrong

Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx

How to Obtain a Software Publishing Certificate (64bitDriverSigning.doc)

Use the following steps to obtain an SPC for signing your kernel-mode
software that meets the mandatory kernel-mode code-signing policy:
1.  Obtain an SPC from a commercial CA that issues digital
certificates for signing kernel-mode code. The list of CAs who
provide SPCs (or code-signing certificates) that can be used
for kernel-mode code signing is available at the “Microsoft
Cross-certificates for Windows Vista Kernel Mode Code Signing”
Web page listed in “Resource” at the end of this paper.

greetings
Carsten




[Openvpn-devel] possible solution for hibernate problem under win32

2006-07-30 Thread Carsten Krüger
use WM_POWERBROADCAST and catch PBT_APMRESUMESUSPEND
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/power/base/wm_powerbroadcast.asp
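What handling WM_POWERBROADCAST looks like in practice, as an added example that is not part of the mailing-list post and not OpenVPN's own code. The decision logic is plain C with the Win32 constant values spelled out so it compiles and can be tested anywhere; the hidden-window plumbing only builds on Windows. The window class name, the log line and the "restart the tunnel" hook are assumptions for illustration.

```c
/* Added example (not from the post or from OpenVPN): react to a resume from
 * suspend/hibernate via WM_POWERBROADCAST, as suggested in the post. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Numeric values of the Win32 constants, so the helper builds without
 * windows.h (the values match the SDK headers). */
#define WM_POWERBROADCAST      0x0218
#define PBT_APMSUSPEND         0x0004
#define PBT_APMRESUMESUSPEND   0x0007
#define PBT_APMRESUMEAUTOMATIC 0x0012
typedef unsigned int UINT;
typedef unsigned long WPARAM;
#endif

enum power_event { POWER_NONE = 0, POWER_SUSPEND = 1, POWER_RESUME = 2 };

/* Map a window message to a power transition. PBT_APMRESUMEAUTOMATIC is
 * delivered on every wake; PBT_APMRESUMESUSPEND only follows when the wake
 * was caused by user activity. Catching only the latter (as the post says)
 * misses unattended wakes, so both count as a resume here. */
enum power_event classify_power_message(UINT msg, WPARAM wparam)
{
    if (msg != WM_POWERBROADCAST)
        return POWER_NONE;
    switch (wparam) {
    case PBT_APMSUSPEND:
        return POWER_SUSPEND;
    case PBT_APMRESUMESUSPEND:
    case PBT_APMRESUMEAUTOMATIC:
        return POWER_RESUME;
    default:
        return POWER_NONE;
    }
}

/* Debounce: report one resume per suspend/resume cycle even when both resume
 * codes arrive for the same wake. *awake is the caller's state (1 = awake). */
int resume_detected(enum power_event ev, int *awake)
{
    if (ev == POWER_SUSPEND) {
        *awake = 0;
        return 0;
    }
    if (ev == POWER_RESUME && !*awake) {
        *awake = 1;
        return 1;
    }
    return 0;
}

#ifdef _WIN32
static int g_awake = 1;

static LRESULT CALLBACK power_wndproc(HWND hwnd, UINT msg, WPARAM wp, LPARAM lp)
{
    if (resume_detected(classify_power_message(msg, wp), &g_awake)) {
        /* Hypothetical hook: this is where the tunnel would be re-established. */
        printf("resumed from suspend: restart tunnel\n");
    }
    return DefWindowProc(hwnd, msg, wp, lp);
}

int main(void)
{
    /* A hidden top-level window (not a message-only window, which would not
     * receive broadcast messages such as WM_POWERBROADCAST). */
    WNDCLASS wc = {0};
    wc.lpfnWndProc = power_wndproc;
    wc.hInstance = GetModuleHandle(NULL);
    wc.lpszClassName = TEXT("PowerWatchExample"); /* assumed class name */
    RegisterClass(&wc);
    CreateWindow(wc.lpszClassName, TEXT(""), 0, 0, 0, 0, 0,
                 NULL, NULL, wc.hInstance, NULL);
    MSG m;
    while (GetMessage(&m, NULL, 0, 0) > 0) {
        TranslateMessage(&m);
        DispatchMessage(&m);
    }
    return 0;
}
#else
int main(void)
{
    int awake = 1;
    enum power_event ev = classify_power_message(WM_POWERBROADCAST,
                                                 PBT_APMRESUMEAUTOMATIC);
    printf("resume detected: %d\n", resume_detected(ev, &awake));
    return 0;
}
#endif
```

A Windows service has no message loop; there the same PBT_ codes arrive through the service control handler registered with RegisterServiceCtrlHandlerEx as SERVICE_CONTROL_POWEREVENT, and classify_power_message can be applied to that event type unchanged.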




[Openvpn-devel] OpenVPN not working after hibernate *workaround* - win32

2006-07-26 Thread Carsten Krüger
hi folks,

openvpnservice stops responding after resuming from hibernate
(the service doesn't crash completely, but no more traffic goes through the tunnel).

As a workaround I use this script. Please put it in the FAQ or, better,
fix the problem.

Run this script with the task scheduler at system startup as an
administrative user (it needs the right to restart a service).
-restart_openvpn_service_after_hibernate.vbs-
Option Explicit
Dim CurrentTime, LastTime, intSleep
intSleep = 50*1000 ' sleep 50 seconds

Dim objWMIService, objItem, objService, colListOfServices, strComputer, _
    strService
strComputer = "."

LastTime = Now
Do While True ' endless loop
  CurrentTime = Now
  ' We only slept 50 seconds, so if more than a minute has passed the
  ' clock jumped: the system was hibernated in between.
  If ((CurrentTime - 1/24/60) > LastTime) Then
    ' system was hibernated

    ' On Error Resume Next
    ' NB strService is case sensitive.
    strService = " 'OpenVPNService' "
    Set objWMIService = GetObject("winmgmts:" & _
      "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colListOfServices = objWMIService.ExecQuery("Select * from " & _
      "Win32_Service Where Name =" & strService & " ")
    For Each objService In colListOfServices
      objService.StopService()
      WScript.Sleep 10*1000 ' give the service time to stop
      objService.StartService()
    Next

  End If
  LastTime = Now
  WScript.Sleep intSleep
Loop
-restart_openvpn_service_after_hibernate.vbs-

greetings
Carsten




[Openvpn-devel] Bug: OpenVPN-Service didn't respond on WinXP SP2

2005-09-02 Thread Carsten Krüger
Hello,

I have a problem with OpenVPN 2 (2.00, 2.01, 2.02) on Windows XP SP2
(current patchlevel).
If the server service runs for a while, a tray icon appears with the message
"ip adresse beziehen", in English "getting ip address" (I think).
When this happens it is no longer possible to connect from a client.
I can only solve the problem by restarting the openvpn service.

my config:
proto tcp-server
port 6
dev tap
ifconfig 10.3.0.1 255.255.255.0
secret key.txt
keepalive 10 120
verb 4
mute 10
auth SHA1
cipher AES-128-CBC

Can this happen due to malformed packets on the tcp-port (random
traffic)?

I use hibernate, maybe this is a problem for the tap-device?

greetings
Carsten