Re: [Openvpn-devel] OVPN Interactive Service for non-admin users
On Fri, Aug 11, 2017 at 10:05 AM, Simon Rozman via Openvpn-devel <openvpn-devel@lists.sourceforge.net> wrote:

> But that's what I wanted in the first place, as I believe Interactive
> Service "security" scheme makes no sense.
>
> Why does OpenVPN restrict non-admin users from using Interactive Service in
> the first place, while Windows' out-of-the-box VPN connects them just fine?
> If you are afraid a malware would start connecting - they already can: using
> Windows' VPN.

AFAIK, Windows VPN can be set up without admin rights only if the connection is not shared with other users. Thus a limited user cannot redirect traffic of all users. In openvpn we do not have a provision for such a separation -- at least not as yet.

> Flushing ARP cache, client DNS registration, and other tasks OpenVPN can't
> perform as non-admin user is a technical issue of OpenVPN running in user
> space. Not a security one. Interactive Service overcomes that, but in the
> same time it assumes it's a security sensitive issue.

These tasks normally require admin rights (or some privilege like Network Configuration Operators). So the admin has to decide who is allowed to do such actions.

> This limitation can and will be turned off with one or another simple
> administrator task (performed by eduVPN setup). So, this is no biggie...

Yes, a simple "administrator task" is all that is required to provide extra privileges to users. In case of interactive service it's supposed to be done at the time of installation.

Selva

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] OVPN Interactive Service for non-admin users
Hi,

On Fri, Aug 11, 2017 at 6:21 AM, Pasi Kärkkäinen wrote:
> Hi,
>
> On Wed, Aug 09, 2017 at 02:31:58PM +, Simon Rozman via Openvpn-devel wrote:
> > Hi!
> >
> > I am developing an eduVPN client for Windows. Imagine the eduVPN client as
> > a custom OpenVPN GUI. The client uses openvpn.exe for connecting, the
> > configuration file is provided by eduVPN server once user authenticates
> > using OAuth. User running the eduVPN client is not an administrator.
> > Elevation is out of the question.
> >
> > I would like to use the Interactive Service to start openvpn.exe, but I
> > have some problems:
> >
> > 1. The configuration file is dynamically downloaded by the eduVPN
> > client and stored somewhere user can write (user's temporary folder for
> > example). But the Interactive Service was specifically programmed to allow
> > configurations from "C:\Program Files\OpenVPN\config" folder only. But
> > user running eduVPN client can't write to this folder.
>
> Wasn't this changed in the latest version, allowing config files to be
> under user home/profile directory?

The change you are referring to is that OpenVPN-GUI now looks for configs in the global location and in the user's profile, with the latter given priority in case of duplicates. However, to use the interactive service, the config can be in any directory only if the user is a member of (i) the Administrators group OR (ii) a custom group (named "OpenVPN Administrators" by default). Otherwise only configs in the pre-defined global location are allowed[*]. This is done to make sure that admins have control over who is allowed to manipulate routes etc. using the interactive service. Note that only group membership is needed; the group need not be enabled in the token, which means elevation is not required.

Selva

[*] The actual requirement is a bit more relaxed than that, as some limited options are allowed in user-editable configs or on the command line for all users.
Re: [Openvpn-devel] OVPN Interactive Service for non-admin users
Hi,

> Wasn't this changed in the latest version, allowing config files to be under
> user home/profile directory?

Nope, 2.4.3 refuses to run openvpn.exe if --config points to an .ovpn file in the user home directory (namely the user's temporary folder). I also did a brief openvpnserv source code audit and did not find anything supporting it. If you add that option, that would void the entire Interactive Service "security" scheme, wouldn't it?

But that's what I wanted in the first place, as I believe the Interactive Service "security" scheme makes no sense.

Why does OpenVPN restrict non-admin users from using the Interactive Service in the first place, while Windows' out-of-the-box VPN connects them just fine? If you are afraid a malware would start connecting - they already can: using Windows' VPN.

Flushing the ARP cache, client DNS registration, and other tasks OpenVPN can't perform as a non-admin user is a technical issue of OpenVPN running in user space. Not a security one. The Interactive Service overcomes that, but at the same time it assumes it's a security sensitive issue.

This limitation can and will be turned off with one or another simple administrator task (performed by eduVPN setup). So, this is no biggie...

Just me ranting. :)

Best regards,
Simon
Re: [Openvpn-devel] OVPN Interactive Service for non-admin users
Hi,

On Wed, Aug 09, 2017 at 02:31:58PM +, Simon Rozman via Openvpn-devel wrote:
> Hi!
>
> I am developing an eduVPN client for Windows. Imagine the eduVPN client as
> a custom OpenVPN GUI. The client uses openvpn.exe for connecting, the
> configuration file is provided by eduVPN server once user authenticates
> using OAuth. User running the eduVPN client is not an administrator.
> Elevation is out of the question.
>
> I would like to use the Interactive Service to start openvpn.exe, but I
> have some problems:
>
> 1. The configuration file is dynamically downloaded by the eduVPN
> client and stored somewhere user can write (user's temporary folder for
> example). But the Interactive Service was specifically programmed to allow
> configurations from "C:\Program Files\OpenVPN\config" folder only. But
> user running eduVPN client can't write to this folder.

Wasn't this changed in the latest version, allowing config files to be under user home/profile directory?

-- Pasi
Re: [Openvpn-devel] OVPN Interactive Service for non-admin users
Hi,

> But that would open the OpenVPN Interactive Service to any user and
> application. This is why we would like your opinion first.
>
> Yes the service will then launch openvpn with arbitrary configs as any
> user, but that is what you want isn't it?
>
> True, I want that indeed. I was just trying to find the official way of
> doing it only to learn it's against OpenVPN team's principles. :(

The official way is to add the user to the designated group, which by default is expected to be named "OpenVPN Administrators". Recursive group membership will work, so you could create a group named, say, "eduVPN Users" or just use "Users" and add that to the "OpenVPN Administrators" group at install time (and remove it on uninstall).

Personally I would avoid tweaking permissions of a folder inside "Program Files\OpenVPN\config\".

Selva
Re: [Openvpn-devel] OVPN Interactive Service for non-admin users
Hi Selva,

> Is there any specific reason, why Interactive Service is so paranoid,
> knowing that it launches openvpn.exe and all external scripts as the
> interactive user anyway?
>
> The service does privileged operations so some admin has to bless a user to
> allow certain options when launching openvpn.exe. In other words, options
> allowed in user editable configs are restricted unless the user is in a
> designated group.

I don't quite agree. OpenVPN needs elevation to set up a connection because it runs in user space. IPsec VPN doesn't require elevation for the very same task since it runs in kernel space. Therefore, elevation for OpenVPN is required for technical reasons, not security. Thus, an explicit blessing from the admin is an exaggeration.

> I have a work-around for this paradox in my sleeve: the eduVPN setup shall
> create an "eduVPN" subfolder in the "C:\Program Files\OpenVPN\config"
> folder, and grant all users desirable permissions*: a sort of public spool
> folder.
>
> Setting up such a folder requires admin rights. If your installer has admin
> rights, just add all users to "OpenVPN Administrators" group or set the
> registry key ovpn_admin_group to "Users"

The installer will require admin rights of course. Here we agree: installing software (VPN especially) needs an admin approval.

Thank you for your excellent advice. I haven't thought of that before. However, I will not follow it for the following reason… eduVPN will not claim OpenVPN all for itself. It will install it when missing, but will leave everything at its defaults. We would still like to leave the user an option to make use of OpenVPN for other purposes. Tweaking the registry is not a step in this direction.

> But that would open the OpenVPN Interactive Service to any user and
> application. This is why we would like your opinion first.
>
> Yes the service will then launch openvpn with arbitrary configs as any
> user, but that is what you want isn't it?

True, I want that indeed. I was just trying to find the official way of doing it, only to learn it's against the OpenVPN team's principles. :(

Well, I'll do it anyway. And I suggest you take it as a compliment: OpenVPN is great for its flexibility, so people can and will use it in a million bizarre ways. :)

Best regards,
Simon
Re: [Openvpn-devel] OVPN Interactive Service for non-admin users
Hi Simon,

Adding to what I wrote in my reply to your private email:

> I am developing an eduVPN client for Windows. Imagine the eduVPN client as
> a custom OpenVPN GUI. The client uses openvpn.exe for connecting, the
> configuration file is provided by eduVPN server once user authenticates
> using OAuth. User running the eduVPN client is not an administrator.
> Elevation is out of the question.
>
> I would like to use the Interactive Service to start openvpn.exe, but I
> have some problems:
>
> 1. The configuration file is dynamically downloaded by the eduVPN
> client and stored somewhere user can write (user's temporary folder for
> example). But the Interactive Service was specifically programmed to allow
> configurations from "C:\Program Files\OpenVPN\config" folder only. But user
> running eduVPN client can't write to this folder.
>
> 2. Interactive Service can launch openvpn.exe using any
> configuration file if user is a member of the "OpenVPN Administrators"
> group. Then, I would need to add all users of the computer to that group,
> again requiring elevation.
>
> Is there any specific reason, why Interactive Service is so paranoid,
> knowing that it launches openvpn.exe and all external scripts as the
> interactive user anyway?

The service does privileged operations, so some admin has to bless a user to allow certain options when launching openvpn.exe. In other words, options allowed in user-editable configs are restricted unless the user is in a designated group. An admin installing openvpn can change this behaviour by customizing the ovpn_admin_group and/or by adding users to that group.

> I have a work-around for this paradox in my sleeve: the eduVPN setup shall
> create an "eduVPN" subfolder in the "C:\Program Files\OpenVPN\config"
> folder, and grant all users desirable permissions*: a sort of public spool
> folder.

Setting up such a folder requires admin rights. If your installer has admin rights, just add all users to the "OpenVPN Administrators" group or set the registry key ovpn_admin_group to "Users".

> But that would open the OpenVPN Interactive Service to any user and
> application. This is why we would like your opinion first.

Yes, the service will then launch openvpn with arbitrary configs as any user, but that is what you want, isn't it?

Regards,
Selva
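The install-time options Selva describes in this message and in his reply above (adding a principal to the "OpenVPN Administrators" group, or pointing the ovpn_admin_group registry value at another group), together with the config-location rule from his reply to Pasi, as an added PowerShell example. This is not openvpnserv's own code and the policy function is only a simplified model of the rule as the thread states it; it assumes that ovpn_admin_group lives under HKLM:\SOFTWARE\OpenVPN (the thread names the value but not its key), that the Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows 10 / Server 2016 and later), and that it runs from an elevated prompt, as an installer would.

```powershell
# Added example, not OpenVPN's own code. Assumptions not stated in the thread:
# registry key HKLM:\SOFTWARE\OpenVPN, LocalAccounts cmdlets present, elevated prompt.

$DefaultAdminGroup = 'OpenVPN Administrators'
$GlobalConfigDir   = 'C:\Program Files\OpenVPN\config'
$OpenVpnRegKey     = 'HKLM:\SOFTWARE\OpenVPN'   # assumed location of ovpn_admin_group

function Get-OvpnAdminGroupName {
    # ovpn_admin_group overrides the default group name; fall back when it is unset.
    $props = Get-ItemProperty -Path $OpenVpnRegKey -Name 'ovpn_admin_group' -ErrorAction SilentlyContinue
    if ($props -and -not [string]::IsNullOrWhiteSpace($props.ovpn_admin_group)) {
        return $props.ovpn_admin_group
    }
    return $DefaultAdminGroup
}

function Test-GroupMembership {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $UserSid,
        [int] $Depth = 0
    )
    # Membership is read from the group itself, not from the caller's token, so a
    # group that is present but disabled in a filtered (non-elevated) token still
    # counts, matching the "no elevation required" remark in the thread. Nested
    # groups are followed where they can be enumerated locally.
    if ($Depth -gt 8) { return $false }    # guard against membership cycles
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.SID -eq $UserSid) { return $true }
        if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'Local') {
            $nested = ($m.Name -split '\\')[-1]
            if (Test-GroupMembership -GroupName $nested -UserSid $UserSid -Depth ($Depth + 1)) {
                return $true
            }
        }
    }
    return $false
}

function Test-OvpnConfigAllowed {
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $UserSid
    )
    # Model of the rule in the thread: any path for members of Administrators or of
    # the ovpn_admin_group group, otherwise only the global config directory. The
    # footnote about a few always-allowed options is not modelled. GetFullPath
    # collapses "..", but not junctions or 8.3 short names, so a real check
    # should compare canonical paths before trusting the prefix test.
    $full = [System.IO.Path]::GetFullPath($ConfigPath)
    $root = $GlobalConfigDir.TrimEnd('\') + '\'
    if ($full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }

    $builtinAdmins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $adminsName = ($builtinAdmins.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
    if (Test-GroupMembership -GroupName $adminsName -UserSid $UserSid) { return $true }
    return (Test-GroupMembership -GroupName (Get-OvpnAdminGroupName) -UserSid $UserSid)
}

function Grant-OvpnServiceAccess {
    param([Parameter(Mandatory)] [string] $Member)
    # Install-time step from the thread: put a principal (a user, or a group such
    # as "Users" as the thread suggests) into the OpenVPN admin group rather than
    # loosening the ACL on a folder under Program Files\OpenVPN\config.
    $group = Get-OvpnAdminGroupName
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $group -Description 'May use the OpenVPN Interactive Service' | Out-Null
    }
    $present = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { ($_.Name -split '\\')[-1] -eq $Member }
    if (-not $present) { Add-LocalGroupMember -Group $group -Member $Member }
}

function Revoke-OvpnServiceAccess {
    param([Parameter(Mandatory)] [string] $Member)
    # Uninstall-time counterpart; a member that is already gone is not an error.
    Remove-LocalGroupMember -Group (Get-OvpnAdminGroupName) -Member $Member -ErrorAction SilentlyContinue
}

# Usage from an installer (constructed example values):
#   Grant-OvpnServiceAccess -Member 'Users'
#   $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
#   Test-OvpnConfigAllowed -ConfigPath "$env:TEMP\eduvpn.ovpn" -UserSid $me
```

The registry alternative Selva mentions, `Set-ItemProperty -Path HKLM:\SOFTWARE\OpenVPN -Name ovpn_admin_group -Value Users` (same assumed key), changes which group the service consults for every caller on the machine, which is the point Simon raises against it; adding a member to the existing group leaves other uses of OpenVPN on that host untouched and is reversible at uninstall with `Revoke-OvpnServiceAccess`. Either way the widened set of users can have the service launch openvpn.exe with arbitrary configs, so an installer should grant it to the narrowest group that actually needs the eduVPN client.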