Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-13 Thread Samuli Seppänen
> Hi > > On Monday 12 March 2012 19:01:41 Alon Bar-Lev wrote: >> Although I tried to go farther... that what James suggested. >> What is the baseline? This what we should agree first... >> Should openvpn daemon be run on completely unprivileged account or not. > I don't support the idea about

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-13 Thread Heiko Hund
Hi On Monday 12 March 2012 19:01:41 Alon Bar-Lev wrote: > Although I tried to go farther... that what James suggested. > What is the baseline? This what we should agree first... > Should openvpn daemon be run on completely unprivileged account or not. I don't support the idea about running

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Alon Bar-Lev
Great Summary! Although I tried to go farther... that what James suggested. What is the baseline? This what we should agree first... Should openvpn daemon be run on completely unprivileged account or not. On Mon, Mar 12, 2012 at 4:31 PM, Samuli Seppänen wrote: > > Hi all, >

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Samuli Seppänen
Hi all, I had a brief email discussion about the OpenVPN privilege separation thing with James Yonan and realized that even after having read all relevant emails a couple of times, I still had a fairly vague idea of various approaches suggested here. So, to clarify my own thoughts (and to

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Carsten Krüger
Hello Heiko, HH> The openvpn.exe process security descriptor will be owned by the user the HH> service is run as, i.e. Local System. Ok. I was unsure if the openvpn.exe is started as user x it will be the owner, even if it's started from the service. HH> That's what I meant by "The service HH>

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Heiko Hund
Hi Carsten, On Friday 09 March 2012 17:09:07 Carsten Krüger wrote: > I tried the following (disabled kernel process hacker): > 1. run an instance of notepad as user Carsten (normal windows user, no > admin) 2. entered "testtesttest" > 3. run an instance of process hacker as user Carsten > 4.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-12 Thread Heiko Hund
Hi Fabian, On Friday 09 March 2012 16:34:19 Fabian Knittel wrote: > Does your > approach prevent the user from injecting code into the OpenVPN > process? Or does it only prevent the user from directly accessing the > pipe? (IIUC you would need the integrity level approach to prevent the > former

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Alon Bar-Lev
2012/3/9 Carsten Krüger : > Hello Heiko, > > HH> It is false that you cannot set a process' mandatory label to a higher > HH> integrity level than the one in the token. > > That's not what I said. > It's not possible to assign a higher level than the user has to a > user's

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Carsten Krüger
Hello Heiko, HH> It is false that you cannot set a process' mandatory label to a higher HH> integrity level than the one in the token. That's not what I said. It's not possible to assign a higher level than the user has to a user's process. Users can have low and medium, administrators can

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Fabian Knittel
Hi Heiko, On 9 March 2012 14:42 Heiko Hund wrote: > Instead I plan to secure the process (and probably the pipe handle as > well) against malicious operations by not granting the user any sophisticated > access to it, i.e. you can only inject code if you can write

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-09 Thread Heiko Hund
On Thursday 01 March 2012 12:11:37 Heiko Hund wrote: > On Thursday 01 March 2012 11:59:11 Carsten Krüger wrote: > > No. If you start a process in users context the user can modify it. > > There is nothing you could do against. > > I'll do some tests next week and post my findings here. Sorry,

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-02 Thread Mr Dash Four
I've used "--route-nopull" together with specific "--route" statements to work around VPN setups that didn't work under specific circumstances (the server pushes a heap of routes, some of which caused problems in my setup [*], and I only wanted to reach a specific subnet via the VPN). +1

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-02 Thread Gert Doering
Hi, On Thu, Mar 01, 2012 at 11:58:39AM +0100, Heiko Hund wrote: > Is there a use case for --route on the client? I've used "--route-nopull" together with specific "--route" statements to work around VPN setups that didn't work under specific circumstances (the server pushes a heap of routes,

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David, Thx for the explanation of script usage. DS> Well, I can agree to that. But this is all open source. No matter how DS> much restrictions you put into the openvpn product, the user can download DS> the source, add the features missing, and reconnect with a modified DS> OpenVPN version.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread David Sommerseth
On 01/03/12 13:15, Carsten Krüger wrote: > Hello David, > >> a) Mounting and un-mounting networked filesystems after the tunnel >> is up. Here I even implemented the --route-pre-down script hook, to >> unmount the filesystem before the tunnel is

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello David, > a) Mounting and un-mounting networked filesystems after the tunnel is up. > Here I even implemented the --route-pre-down script hook, to unmount the > filesystem before the tunnel is taken down. Here's the config extract: This need root rights? > This client has a web server

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Thursday 01 March 2012 11:59:11 Carsten Krüger wrote: > No. If you start a process in users context the user can modify it. > There is nothing you could do against. I'll do some tests next week and post my findings here. Heiko -- Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread David Sommerseth
On 29/02/12 20:37, Carsten Krüger wrote: > Hello, > >> How will you handle that some users use OpenVPN from Windows, Linux >> and maybe even a mobile phone (like N900)? ... where paths are >> different, depending on OS and/or distribution. And some

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko, > Did you try it? No but I understand the concept of security levels in Windows. A user can spawn a process with his rights or with lower rights. > The service should have sufficient rights to modify it I guess. No. If you start a process in users context the user can modify it.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Thursday 01 March 2012 10:40:51 Carsten Krüger wrote: > > If that works out, all that is needed is the service increasing the > > tokens integrity > > level before starting openvpn and the user will have limited access to the > > running openvpn process. > > a) this didn't work, you can

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Heiko, > If that works out, all that is needed is the service increasing the tokens > integrity > level before starting openvpn and the user will have limited access to the > running openvpn process. a) this didn't work, you can lower the level but not higher b) dll injection is ONE

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Carsten Krüger
Hello Gert, >> Dismiss the whole service starts openvpn in user context. It makes no >> sense. > From a pure security perspective, you're right - maximum security would > be reached by running openvpn.exe in a completely unprivileged context > (unix way: chroot(/var/empty), setuid(nobody)) to

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Wednesday 29 February 2012 19:18:00 Carsten Krüger wrote: > > If openvpn.exe started in users context the user can manipulate it in > > ram arbitrarily. > > Example: > http://blog.didierstevens.com/2009/06/25/bpmtk-injecting-vbscript/ > (great blog about process manipulation :-) ) Took a

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Alon Bar-Lev
On Thu, Mar 1, 2012 at 11:24 AM, Heiko Hund wrote: > > On Thursday 01 March 2012 09:22:38 Alon Bar-Lev wrote: > > Also, (technically) impersonation token cannot be used for network > > access. > > So the solution of impersonating to user will not allow a script to > > mount

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Alon Bar-Lev
2012/3/1 Heiko Hund > > On Wednesday 29 February 2012 18:43:18 Carsten Krüger wrote: > > What operation could be in script that is useful when it's executed > > in user context. > > On Windows you could mount a CIFS share from the corporate LAN to the > drive > letter a

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Heiko Hund
On Wednesday 29 February 2012 18:43:18 Carsten Krüger wrote: > What operation could be in script that is useful when it's executed > in user context. On Windows you could mount a CIFS share from the corporate LAN to the drive letter a user expects her data at, for example. Heiko -- Heiko Hund

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-01 Thread Alon Bar-Lev
On Thu, Mar 1, 2012 at 12:45 AM, Jason Haar wrote: > A comment on your [1] reference. The issue of remote-user vs enterprise > is an old one - that affects many software applications - not just > openvpn. I personally think the proper solution is to implement NAC: > make

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Jonathan K. Bullard
> > > I never used script with openvpn. I've no idea which are real world > > applications for it. > > Scripts are for creative uses that the programmers of openvpn have not > foreseen. Like "after the VPN is up, auto-sync all your git repositories" > or "open up a few xterms with ssh's to

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Jason Haar
A comment on your [1] reference. The issue of remote-user vs enterprise is an old one - that affects many software applications - not just openvpn. I personally think the proper solution is to implement NAC: make "the network/enterprise" audit the remote host and only allow it if it meets

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 11:59 PM, Gert Doering wrote: > But I'm leaving this discussion now.  Heiko is doing the implementation > work, James, David and I have agreed (and told the list via IRC session > minutes!) that we think it's a useful way forward, and this is

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Gert Doering
Hi, On Wed, Feb 29, 2012 at 11:36:46PM +0200, Alon Bar-Lev wrote: > > Scripts are for creative uses that the programmers of openvpn have not > > foreseen.  Like "after the VPN is up, auto-sync all your git repositories" > > or "open up a few xterms with ssh's to $internalhosts". > > > > David had

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
2012/2/29 Gert Doering : > Hi, > > On Wed, Feb 29, 2012 at 07:43:18PM +0100, Carsten Krüger wrote: >> > Part of the assumption here is "the user controls the openvpn config", >> > and as such, he can make openvpn.exe run arbitrary scripts anyway - and >> > to stop this from

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Gert Doering
Hi, On Wed, Feb 29, 2012 at 08:25:31PM +0100, Carsten Krüger wrote: > > Same here, please share your thoughts on how to reduce complexity. > > Dismiss the whole service starts openvpn in user context. It makes no > sense. From a pure security perspective, you're right - maximum security would be

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Gert Doering
Hi, On Wed, Feb 29, 2012 at 07:43:18PM +0100, Carsten Krüger wrote: > > Part of the assumption here is "the user controls the openvpn config", > > and as such, he can make openvpn.exe run arbitrary scripts anyway - and > > to stop this from being a problem, just run openvpn.exe with your uid. >

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello, > How will you handle that some users use OpenVPN from Windows, Linux and > maybe even a mobile phone (like N900)? ... where paths are different, > depending on OS and/or distribution. And some paths on Linux (probably > *BSD too?) are different if it is a 32bit architecture or 64bit. Do

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread David Sommerseth
On 29/02/12 19:40, Carsten Krüger wrote: > > I think it would be good to rethink the whole script idea. Maybe > scripts could be only server pushable. How will you handle that some users use OpenVPN from Windows, Linux and maybe even a mobile phone

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > Same here, please share your thoughts on how to reduce complexity. Dismiss the whole service starts openvpn in user context. It makes no sense. see: Message-ID: <1957833067.20120229194...@gmxpro.de> Message-ID: <1787326494.20120229201...@gmxpro.de> greetings Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello, > If openvpn.exe started in users context the user can manipulate it in > ram arbitrarily. Example: http://blog.didierstevens.com/2009/06/25/bpmtk-injecting-vbscript/ (great blog about process manipulation :-) ) I think there is absolutely no benefit from starting openvpn.exe in user

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Fabian, > Why does the "interactive service" need to start OpenVPN? Yeah, I can't understand that, too. > Why not let the GUI start OpenVPN and let OpenVPN connect to the "interactive > service"? Exactly. If openvpn.exe started in users context the user can manipulate it in ram

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Fabian Knittel
Hi Gert, 2012/2/29 Gert Doering : > The model we follow is "openvpn.exe has the same permissions that you > already have, so there is no benefit in manipulating anything". That was my initial assumption, which would imply that there's no reason to restrict access to the

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 15:28:31 Fabian Knittel wrote: > To ensure this in classic Linux this would mean that the OpenVPN > process needs to run as a _different_ user than the GUI user or else > the GUI user could freely manipulate the program using, e.g. ptrace. I > know that similar

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Gert Doering
Hi, On Wed, Feb 29, 2012 at 04:28:31PM +0100, Fabian Knittel wrote: > To ensure this in classic Linux this would mean that the OpenVPN > process needs to run as a _different_ user than the GUI user or else > the GUI user could freely manipulate the program using, e.g. ptrace. I > know that

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Fabian Knittel
Hi Heiko, 2012/2/29 Heiko Hund : > On Wednesday 29 February 2012 14:07:01 Fabian Knittel wrote: [...] >> (There must be something missing, otherwise >> I don't get why you call it "interactive service" ...?) > > It's interactive in contrast to the other already existing

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
Hi Fabian On Wednesday 29 February 2012 14:07:01 Fabian Knittel wrote: > Let's see whether I understood the design. After initial setup, the > GUI has a connection via the mgmt interface to OpenVPN and OpenVPN has > a connection via the "privilege interface" to the "interactive > service".

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Mr Dash Four
I disagree, open source project is not different than any other software project. OK, I'll bite. I disagree with the above entirely. Open-source project *is* different "from any other project" - vastly so - not least because it is open for scrutiny by the whole community, not just

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 4:01 PM, Heiko Hund wrote: > On Wednesday 29 February 2012 13:45:49 Alon Bar-Lev wrote: >> I don't understand your attitude, I am not trying to take anything from you, >> and I don't think you can find anything in my record that had negative >> impact

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Fabian Knittel
Hi Heiko, On 29 February 2012 13:18 Heiko Hund wrote: > [...] There will be a new service, I called it > interactive service. The GUI/client connects to a named pipe of that service. > It passes the working directory, command line options and stdin input for > openvpn to

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 13:45:49 Alon Bar-Lev wrote: > I don't understand your attitude, I am not trying to take anything from you, > and I don't think you can find anything in my record that had negative > impact on this (or any other) project. And I do know one or two things in > security

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 3:25 PM, Heiko Hund wrote: >> Anyway, if there was a design process, I will appreciate if you can send a >> design document, as this is not a small/niche feature, it will effect >> the majority of Windows users. > > Yeah, like the design project

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 13:15:16 Alon Bar-Lev wrote: > IRC is synchronous way of communication, it is not suitable for distributed > volunteer team. > Proper discussion of design is done differently, perfecting a design > document and interface specifications. > > If there was such process,

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 3:05 PM, Heiko Hund wrote: > On Wednesday 29 February 2012 12:54:18 Alon Bar-Lev wrote: >> What I wrote is simple. > > Wrote where? In this thread or C code that tackles the issue? I'm confused. > >> In order to push a project in coherent direction,

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 12:51:41 Carsten Krüger wrote: > > This is way too complex solution for a simple problem. > > A proper design and discussion should take place before advancing in > > this route. > > ACK Same here, please share your thoughts on how to reduce complexity. Heiko --

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 12:54:18 Alon Bar-Lev wrote: > What I wrote is simple. Wrote where? In this thread or C code that tackles the issue? I'm confused. > In order to push a project in coherent direction, a proper design > discussion stage should be done. Yeah, you missed that one

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
On Wed, Feb 29, 2012 at 2:49 PM, Heiko Hund wrote: > On Wednesday 29 February 2012 12:40:45 Alon Bar-Lev wrote: >> 2012/2/29 Heiko Hund >> This is way too complex solution for a simple problem. >> A proper design and discussion should take place

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 12:40:45 Alon Bar-Lev wrote: > 2012/2/29 Heiko Hund > This is way too complex solution for a simple problem. > A proper design and discussion should take place before advancing in > this route. And this was a way too simple explanation on why

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Alon Bar-Lev
2012/2/29 Heiko Hund > > On Wednesday 29 February 2012 11:38:17 Carsten Krüger wrote: > > > You forgot the GUI in this picture. If the service is connected to the > > > management interface the GUI can't connect anymore. > > > > ? > > If I understand you correctly it works

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 11:38:17 Carsten Krüger wrote: > > You forgot the GUI in this picture. If the service is connected to the > > management interface the GUI can't connect anymore. > > ? > If I understand you correctly it works this way: > > openvpnserv.exe spawns openvpn.exe >

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Alon, > I use [1], a simple perl/kde UI for Linux. > I deleted the .net as I did not maintain it, but it should be simple > for you to convert, or simply run the perl, and write kdialog > replacement. perfect, the gnome variant works with windows, too.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > However it was only an example and thus > didn't have to make any practical sense. =) :-) > You forgot the GUI in this picture. If the service is connected to the > management interface the GUI can't connect anymore. ? If I understand you correctly it works this way:

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Wednesday 29 February 2012 11:05:36 Carsten Krüger wrote: > > [Advertisement] Maybe you want to take a look at UTM9, beta starts > > tomorrow. > Definitely! > > Is Beta available to non customers? Yes, it will be announced at http://astaro.org in the "Beta Versions" section and you can get

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Tuesday 28 February 2012 722:09:13 Carsten Krüger wrote: > DS> Heiko can probably give a much better answer, but if I remember right, > DS> the argument was this: Think of a multi-user setup (like a Terminal > DS> Server), the management interface will be accessible for all users on > DS> that

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Carsten Krüger
Hello Heiko, > The idea to have the service do the privileged operations instead of just > starting openvpn as "Local System" (or whatever) came from the fear of > privilege escalation in the scripts that are run by openvpn. Scripting is a point, but as long as the administrator installs openvpn

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Tuesday 28 February 2012 20:34:18 Carsten Krüger wrote: > Add the following lines to client.ovpn > > management localhost 1000 > management-query-passwords > auth-retry interact > management-hold > > and start the service.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Heiko Hund
On Tuesday 28 February 2012 18:38:57 Alon Bar-Lev wrote: > > Even though, the new communication pipe between the "helper service" and > > openvpn.exe might gain more features with time, which might cover much > > of what the management interface provides today too. But we're _not_ > > trying to

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Jason Haar
On 29/02/12 11:47, Carsten Krüger wrote: > I found that openvpn.exe is extremely unstable on non perfectly > friendly behaving client ... Now I use the Non-Sucking Service Manager > ( http://nssm.cc/ ) instead of openvpnserv.exe to spawn openvpn.exe It > restarts openvpn.exe automatically if it's

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
2012/2/29 Carsten Krüger : >> Years back I wrote a simple .net to do to this... > > Could you please share? > I found that openvpn.exe is extremely unstable on non perfectly friendly > behaving client ... I use [1], a simple perl/kde UI for Linux. I deleted the .net as I did not

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon, > Right. This is long existing feature, just that in Windows people > expect to work using UI... I don't expect a UI but useful documentation. management-notes.txt isn't even bundled with windows binaries :-( I use openvpn since version 1 on windows and wasn't aware that the

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
2012/2/28 Carsten Krüger : > Hello Alon, > >> This is *THE* missing functionality in Windows environment. >> It seems that nobody interested in developing proper UI using >> management interface for Windows. >> Same goes to proper smartcard support. > > I found that openvpn

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello, > et voila openvpn connects. Use this to disconnect: |forget-passwords |SUCCESS: Passwords were forgotten |signal SIGUSR1 |SUCCESS: signal SIGUSR1 thrown |>HOLD:Waiting for hold release greetings Carsten

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon, > This is *THE* missing functionality in Windows environment. > It seems that nobody interested in developing proper UI using > management interface for Windows. > Same goes to proper smartcard support. I found that openvpn management interface works as I'd like it. Add the

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Gert Doering
Hi, On Tue, Feb 28, 2012 at 06:31:03PM +0100, Carsten Krüger wrote: > Are there any chances to get full non-admin support for windows in version > 2.3 final? Work is going on on full privilege separation for windows. It's not done yet, so we'll see whether it will make 2.3 (which was the

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
On 28/02/12 19:42, Alon Bar-Lev wrote: > 2012/2/28 David Sommerseth : >> >> On 28/02/12 19:17, Carsten Krüger wrote: >>> Hello Alon, >>> >>> ABL> This is *THE* missing

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
On 28/02/12 19:29, Carsten Krüger wrote: > Hello David, > >> The solution we've ended up with is a OpenVPN service helper which >> runs some code parts with admin rights and the OpenVPN binary >> itself (openvpn.exe) will run completely unprivileged.

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
2012/2/28 David Sommerseth : > > On 28/02/12 19:17, Carsten Krüger wrote: >> Hello Alon, >> >> ABL> This is *THE* missing functionality in Windows environment. ABL> >> It seems that nobody interested in developing

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
On Tue, Feb 28, 2012 at 8:25 PM, David Sommerseth wrote: >> This is *THE* missing functionality in Windows environment. It seems >> that nobody interested in developing proper UI using management >> interface for Windows. Same goes to proper smartcard support. > > I

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
On 28/02/12 19:17, Carsten Krüger wrote: > Hello Alon, > > ABL> This is *THE* missing functionality in Windows environment. ABL> > It seems that nobody interested in developing proper UI using ABL> > management interface for Windows. ABL> Same goes

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello David, > The solution we've ended up with is a OpenVPN service helper which runs > some code parts with admin rights and the OpenVPN binary itself > (openvpn.exe) will run completely unprivileged. Those two instances will > communicate via named pipes, to set up the proper routes and other

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
On 28/02/12 19:07, Alon Bar-Lev wrote: > 2012/2/28 Carsten Krüger : >>> * New OpenVPN-GUI >> >> Are there any chances to get full non-admin support for windows in >> version 2.3 final? >> >> I mean strict separation between

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Alon, ABL> This is *THE* missing functionality in Windows environment. ABL> It seems that nobody interested in developing proper UI using ABL> management interface for Windows. ABL> Same goes to proper smartcard support. Developing the UI (command line) would be trivial but to my knowledge

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread David Sommerseth
On 28/02/12 18:31, Carsten Krüger wrote: > Hello Samuli, > >> The OpenVPN community project team is proud to release OpenVPN >> 2.3-alpha1. It can be downloaded from here: > >> > >> This

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Alon Bar-Lev
2012/2/28 Carsten Krüger : >>  * New OpenVPN-GUI > > Are there any chances to get full non-admin support for windows in version > 2.3 final? > > I mean strict separation between OpenVPN service running with local system > privileges (can modify routes, etc.) and usermode part

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Carsten Krüger
Hello Samuli, > The OpenVPN community project team is proud to release OpenVPN > 2.3-alpha1. It can be downloaded from here: > > This release includes a few new major features: > * Complete IPv6 support, both transport and payload > *