Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-23 Thread Gert Doering
Hi,

On Tue, Aug 23, 2016 at 01:55:23AM +0100, debbie10t wrote:
> I need to use --up/--down/--client-connect/disconnect et al ..

You can, but they will run with the user privileges of the user that
runs openvpn-gui by default.  If you need more privileges, you need
to run openvpn.exe or the gui with admin privs.

> How does one run openvpn on *windows* without these "considered"
> security flaws ? or are we all just "lambs to the slaughter"
> from here on in ?

You can use openvpnserv2 to run openvpn.exe with admin privs (and no
gui), or you can set [x] run as admin on the openvpn-gui (as it was done
for 2.3.x).

Most people on windows only need privileges to add/delete routes and
configure IP addresses - this is what the iservice will give you, without
the potential dangers of running openvpn and all scripts with full
admin privs.

(Since you already use git master snapshots, you already have the new
stuff - and since it works for you, nothing to be afraid)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de


--
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel



Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-22 Thread debbie10t


On 20/08/16 19:41, David Sommerseth wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 19/08/16 18:13, debbie10t wrote:
>> Hi,
>>
>> On 05/08/16 03:04, Selva Nair wrote:
>>> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t 
>>> wrote:
>>>
>>>> Hi
>>>>
>>>> So windows 10 as a Server.
>>>>
>>>> ===
>>>>
>>>> General details: Non admin Win10 unmodified user Using OVPN
>>>> GUI OVPN Interactive service started and used Win10 Tun Server
>>>> (auto + manual) IPv4 + IPv6 In average constant use ~20 Clients
>>>> virtual, local and remote win xp/7/10 +linux
>>>>
>>>>
>>>> Selva,
>>>>
>>>> If you have any specific tests please send me details.
>> You are probably aware but for completeness:
>>
>> --up/--down scripts are *not* run with elevated privs and so they
>> fail .. even when logged in as administrator and when using GUI +
>> Interactive service.
> This was an explicit design detail which was strived for with the new
> interactive service - as a security enhancements.  Otherwise it would
> be trivial for non-admins to get elevated privileges when they should
> not have that (think larger companies/enterprises with centrally
> managed policies).
>
>> The /good old/ openvpnservice works fine.
> Which is considered not secure for many reasons.
>
As is "par for the course" ..


On 22/08/16 21:49, David Sommerseth wrote:
> It is fully accepted to ask again if something is unclear and the
> questions are reasonably well asked.


I need to use --up/--down/--client-connect/disconnect et al ..

How does one run openvpn on *windows* without these "considered"
security flaws ? or are we all just "lambs to the slaughter"
from here on in ?


Digging my own ing grave ...


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-19 Thread debbie10t
Hi,

On 05/08/16 03:04, Selva Nair wrote:
> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
>
>> Hi
>>
>> So windows 10 as a Server.
>>
>> ===
>>
>> General details:
>> Non admin Win10 unmodified user
>> Using OVPN GUI
>> OVPN Interactive service started and used
>> Win10 Tun Server (auto + manual)
>> IPv4 + IPv6 In average constant use
>> ~20 Clients virtual, local and remote
>> win xp/7/10 +linux
>>
>>
>> Selva,
>>
>> If you have any specific tests please send me details.

You are probably aware but for completeness:

--up/--down scripts are *not* run with elevated privs
and so they fail .. even when logged in as administrator
and when using GUI + Interactive service.

The /good old/ openvpnservice works fine.


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread Selva Nair
Hi,

On Sun, Aug 7, 2016 at 8:55 AM, Илья Шипицин  wrote:

> I also noticed, that "openvpn administrators" membership is required.
>
> Should we modify installer to make it add current user to that group?
>
With multiple users on a system, the installer will have to choose which
users are to be added etc. Also for newly created users the membership will
not be automatic.

For simple setups with one or two users who have access to the admin
password, I think, the current setup where the GUI provides a way to add
themselves to the group looks good enough. In a vast majority of cases
where users are also administrators everything is automatic: UAC will
ensure that the GUI runs with limited rights and thus use the interactive
service, and the service will permit config from any location because of
user's membership in the "Administrators" group.

For more complex setups, I suppose the sysadm would want to fine-tune
membership in the "OpenVPN Administrators" group as needed.

Selva

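Added example, not part of the thread: a PowerShell check that applies Gert's point (under GUI + interactive service, --up/--down and similar scripts run with the GUI user's rights) and Selva's (a config outside the system directory needs "OpenVPN Administrators" or Administrators membership) to one local config. The system config directory path, the service display name and the script-hook list beyond the directives named in the thread are assumptions.

```powershell
# Added example (not from the thread): audit one OpenVPN config for the two
# points raised above. Assumptions: the system config dir is
# "%ProgramFiles%\OpenVPN\config", the local group is "OpenVPN Administrators",
# and the service display name is "OpenVPN Interactive Service".
param([Parameter(Mandatory = $true)][string]$ConfigPath)

# Directives that spawn external programs: --up/--down/--client-connect/
# --client-disconnect are named in the thread; the rest are the other
# OpenVPN script hooks (assumed list, extend as needed).
$scriptDirectives = @('up', 'down', 'client-connect', 'client-disconnect',
                      'route-up', 'route-pre-down', 'learn-address',
                      'auth-user-pass-verify', 'tls-verify', 'ipchange')

$found = @(foreach ($line in Get-Content -LiteralPath $ConfigPath) {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith(';')) { continue }
    $name = ($t -split '\s+')[0].TrimStart('-')          # "--up" or "up"
    if ($scriptDirectives -contains $name) { $name }
})

# Config location: the service trusts the system config dir; anything else
# needs the user in "OpenVPN Administrators" (or Administrators).
$systemConfigDir = Join-Path $env:ProgramFiles 'OpenVPN\config'
$full = (Resolve-Path -LiteralPath $ConfigPath).Path
$inSystemDir = $full.StartsWith($systemConfigDir, [StringComparison]::OrdinalIgnoreCase)

# Group membership from the logon token (membership, not elevation: a
# UAC-filtered admin token still lists BUILTIN\Administrators).
$groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $null } }
$isAdmin = $groups -contains 'BUILTIN\Administrators'
$inOvpnGroup = [bool]($groups | Where-Object { $_ -like '*\OpenVPN Administrators' })
$svc = Get-Service -DisplayName 'OpenVPN Interactive Service' -ErrorAction SilentlyContinue

Write-Host "Config:                     $full"
Write-Host "In system config dir:       $inSystemDir"
Write-Host "Member of Administrators:   $isAdmin"
Write-Host "Member of OpenVPN Admins:   $inOvpnGroup"
Write-Host "Interactive service status: $(if ($svc) { $svc.Status } else { 'not found' })"

if ($found.Count -gt 0) {
    # Under GUI + interactive service these run as the GUI user, so any step
    # that needs admin rights (route changes, writing system dirs) will fail.
    Write-Warning ("Script directives [{0}] run with this user's rights, not the service's." -f ($found -join ', '))
} else {
    Write-Host "No script directives: route/address changes via the service are all that is needed."
}
if (-not $inSystemDir -and -not ($isAdmin -or $inOvpnGroup)) {
    Write-Warning "Config is outside the system dir and you are in neither group: expect the group-membership prompt."
}
```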

Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread Selva Nair
On Sun, Aug 7, 2016 at 8:55 AM, debbie10t  wrote:

> On 07/08/16 13:46, debbie10t wrote:
> >
> >
> > On 05/08/16 03:04, Selva Nair wrote:
> >> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
> >>
> >>> Hi
> >>>
> >>> So windows 10 as a Server.
>
> I should also mention finding this odd error in the log:
>
> WARNING: 'link-mtu' is used inconsistently, local='link-mtu zu',
> remote='link-mtu 1602'


Caused by windows not supporting %zu. A patch to fix it is being discussed
on the list as we speak..

Selva


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread Илья Шипицин
I also noticed, that "openvpn administrators" membership is required.

Should we modify installer to make it add current user to that group?

On 7 Aug 2016 at 17:48, "debbie10t"  wrote:

>
>
> On 05/08/16 03:04, Selva Nair wrote:
> > On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
> >
> >> Hi
> >>
> >> So windows 10 as a Server.
> >>
> >>
> >> If you have any specific tests please send me details.
> >>
> > Tasks needing admin access happens early on when the server starts so
> this
> > looks good especially since you tested ipv6 as well.
> >
> > One thing to try:
> > With the server running, edit the config to change the tunnel network (ip
> > and pool) and issue a SIGHUP to re-read the config (reconnect from the
> GUI
> > status window will do this). The old routes should get torn down (log
> will
> > show route deletion via service succeeded) the ip should change to the
> new
> > one and new routes get added etc.
> This worked no problem.
>
> >
> > Although not related to the interactive service, you could also test
> > running the server on a port < 1024. This being windows I suppose binding
> > to "privileged" ports doesn't require admin rights.
> >
> >
> Have not tried this yet.
>
>
> However, during my testing the following happened:
>
> I installed the first server in /program files/openvpn/config and running
> as standard-user with openvpn GUI & IService, this worked no problem.
>
> Then I tried with the config file in /users/user/openvpn/config and running
> as standard-user:user with gui & IService, Starting the server, I was
> prompted
> to add my user to the openvpn administrators group.
>
> I am not sure if this is intended behaviour, that the group membership is
> *only* prompted when using user/openvpn/config/file.ovpn ?


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread debbie10t



On 07/08/16 13:46, debbie10t wrote:
>
>
> On 05/08/16 03:04, Selva Nair wrote:
>> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
>>
>>> Hi
>>>
>>> So windows 10 as a Server.

I should also mention finding this odd error in the log:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu zu',
remote='link-mtu 1602'


--




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread debbie10t



On 05/08/16 03:04, Selva Nair wrote:
> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
>
>> Hi
>>
>> So windows 10 as a Server.
>>
>>
>> If you have any specific tests please send me details.
>>
> Tasks needing admin access happens early on when the server starts so this
> looks good especially since you tested ipv6 as well.
>
> One thing to try:
> With the server running, edit the config to change the tunnel network (ip
> and pool) and issue a SIGHUP to re-read the config (reconnect from the GUI
> status window will do this). The old routes should get torn down (log will
> show route deletion via service succeeded) the ip should change to the new
> one and new routes get added etc.

This worked no problem.

>
> Although not related to the interactive service, you could also test
> running the server on a port < 1024. This being windows I suppose binding
> to "privileged" ports doesn't require admin rights.
>
>
Have not tried this yet.


However, during my testing the following happened:

I installed the first server in /program files/openvpn/config and running
as standard-user with openvpn GUI & IService, this worked no problem.

Then I tried with the config file in /users/user/openvpn/config and running
as standard-user:user with gui & IService, Starting the server, I was prompted
to add my user to the openvpn administrators group.

I am not sure if this is intended behaviour, that the group membership is
*only* prompted when using user/openvpn/config/file.ovpn ?