Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-24 Thread Selva Nair
On Wed, Aug 24, 2016 at 4:14 AM, Jan Just Keijser  wrote:

> Hi,
>
> On 23/08/16 14:34, Gert Doering wrote:
> > On Tue, Aug 23, 2016 at 01:55:23AM +0100, debbie10t wrote:
> >> I need to use --up/--down/--client-connect/disconnect et al ..
> > You can, but they will run with the user privileges of the user that
> > runs openvpn-gui by default.  If you need more privileges, you need
> > to run openvpn.exe or the gui with admin privs.
> >
> >> How does one run openvpn on *windows* without these "considered"
> >> security flaws ? or are we all just "lambs to the slaughter"
> >> from here on in ?
> > You can use openvpnserv2 to run openvpn.exe with admin privs (and no
> > gui), or you can set [x] run as admin on the openvpn-gui (as it was done
> > for 2.3.x).
> >
> > Most people on windows only need privileges to add/delete routes and
> > configure IP addresses - this is what the iservice will give you, without
> > the potential dangers of running openvpn and all scripts with full
> > admin privs.
> >
> just for my understanding: how would a user run an up/down script with
> *USER* credentials (necessary to map a share or printer, for example) in
> this scenario?
>

This requires a non-standard setup. Before iservice was available, we
solved this issue like this: start all connections at boot-time using the
automatic service holding them using management-hold. Then MI-GUI running
as user was used to control the connection (hold release to connect, hold
on + SIGHUP to disconnect and put back on hold). In that case scripts run
by openvpn executed as admin (we allowed no such scripts) and scripts run
by the GUI ran as user. The latter was used for mapping drives.

iservice made all this much simpler --- start the GUI as user and
everything runs as user (ordinary users do not care what happens under the
hood of iservice) or start the GUI as admin and everything runs as admin
(in this case iservice will not be used, but all of that is transparent to
the user).

Going forward, I have a patch in the making (well, it works but needs some
refining) that will allow the GUI to control (connect, disconnect etc..)
prestarted instances so that more advanced users who want to start openvpn
at boot time can still control it using the GUI running as user. In this
case, the prestarted instance could use iservice or be started as admin
depending on the user's need. Obviously, such a use case would be aimed at
"clueful" users.

Selva
--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-24 Thread Samuli Seppänen
On 24/08/2016 16:25, Jan Just Keijser wrote:

>> Iservice works like this (we have a documentation page coming, but that's
>> not there yet)
>>
>>   - the GUI runs as "me" (gert)
>>   - the iservice runs as "local service", maximum privileges
>>   - the GUI connects to the iservice, and asks it "run openvpn.exe with
>> the following arguments, using the credentials of the user the GUI
>> runs
>> with" (windows can do this - pass credentials across a pipe, which
>> you
>> can't fake)
>>   - the iservice forks openvpn.exe, and runs this as user (gert), and
>> keeps a "service pipe" between iservice and openvpn.exe
>>   - if openvpn.exe wants to do ifconfig/route/dns stuff, it sends these
>> as requests over the service pipe to the iservice, who will then
>> execute them (and clean up should openvpn crash)
>>   - --up scripts are run by openvpn.exe itself, which is already running
>> as "gert", so, all privileges are nicely in place
>>
>> so this cannot be used anymore for privilege escalation to admin (by
>> running an --up script from openvpn which is run-as-admin).
>>
> thanks for your explanation - all clear to me now. All we have to do now
> is to document this and add some tests to the buildbot ;)
>

And why have a perfectly good explanation get lost in the depths of a
mailing list archive:



Feel free to improve further :)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-24 Thread Jan Just Keijser
Hi Gert,

On 24/08/16 14:53, Gert Doering wrote:
> On Wed, Aug 24, 2016 at 11:11:53AM +0200, Jan Just Keijser wrote:
>>>> just for my understanding: how would a user run an up/down script with
>>>> *USER* credentials (necessary to map a share or printer, for example) in
>>>> this scenario?
> [..]
>> Actually, how would a (clueless) user do this at all, using the
>> interactive service?  which part should be run with admin privs, which
>> part shouldn't ?which credentials are available to the interactive
>> service (and any up/down scripts it may run) ?   should a user use a GUI
>> up/down script (I know the old GUI supported this) instead?
> If the iservice is around, it's all totally straightforward :-) - you
> run your --up script from the config.ovpn and it is run with your user
> credentials.
>
> Iservice works like this (we have a documentation page coming, but that's
> not there yet)
>
>   - the GUI runs as "me" (gert)
>   - the iservice runs as "local service", maximum privileges
>   - the GUI connects to the iservice, and asks it "run openvpn.exe with
> the following arguments, using the credentials of the user the GUI runs
> with" (windows can do this - pass credentials across a pipe, which you
> can't fake)
>   - the iservice forks openvpn.exe, and runs this as user (gert), and
> keeps a "service pipe" between iservice and openvpn.exe
>   - if openvpn.exe wants to do ifconfig/route/dns stuff, it sends these
> as requests over the service pipe to the iservice, who will then
> execute them (and clean up should openvpn crash)
>   - --up scripts are run by openvpn.exe itself, which is already running
> as "gert", so, all privileges are nicely in place
>
> so this cannot be used anymore for privilege escalation to admin (by
> running an --up script from openvpn which is run-as-admin).
>
thanks for your explanation - all clear to me now. All we have to do now 
is to document this and add some tests to the buildbot ;)

JJK




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-24 Thread Gert Doering
Hi,

On Wed, Aug 24, 2016 at 11:11:53AM +0200, Jan Just Keijser wrote:
> >> just for my understanding: how would a user run an up/down script with
> >> *USER* credentials (necessary to map a share or printer, for example) in
> >> this scenario?
[..]
> Actually, how would a (clueless) user do this at all, using the 
> interactive service?  which part should be run with admin privs, which 
> part shouldn't ?which credentials are available to the interactive 
> service (and any up/down scripts it may run) ?   should a user use a GUI 
> up/down script (I know the old GUI supported this) instead?

If the iservice is around, it's all totally straightforward :-) - you
run your --up script from the config.ovpn and it is run with your user
credentials.

Iservice works like this (we have a documentation page coming, but that's
not there yet)

 - the GUI runs as "me" (gert)
 - the iservice runs as "local service", maximum privileges
 - the GUI connects to the iservice, and asks it "run openvpn.exe with
   the following arguments, using the credentials of the user the GUI runs
   with" (windows can do this - pass credentials across a pipe, which you
   can't fake)
 - the iservice forks openvpn.exe, and runs this as user (gert), and
   keeps a "service pipe" between iservice and openvpn.exe
 - if openvpn.exe wants to do ifconfig/route/dns stuff, it sends these
   as requests over the service pipe to the iservice, who will then
   execute them (and clean up should openvpn crash)
 - --up scripts are run by openvpn.exe itself, which is already running
   as "gert", so, all privileges are nicely in place

so this cannot be used anymore for privilege escalation to admin (by
running an --up script from openvpn which is run-as-admin).

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de
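
An added sketch of the privilege split listed in the message above, not OpenVPN's code and not part of any message in this thread: a Python toy model in which the privileged side brokers only network changes, takes the caller's identity from the pipe, and reverts leftovers when the worker dies. All class, field and operation names are hypothetical, and the identity that Windows supplies from the pipe is passed in as a plain parameter.

```python
from dataclasses import dataclass, field

# Hypothetical names for the only work the privileged side performs.
ALLOWED_OPS = {"add_route", "del_route", "add_address", "del_address", "set_dns"}
# How each "add" request is reverted if the worker never removes it itself.
UNDO = {"add_route": "del_route", "add_address": "del_address"}


@dataclass(eq=False)  # eq=False keeps identity hashing, so workers can be dict keys
class Worker:
    """Stands in for openvpn.exe: runs as the GUI user, not as the service."""
    user: str
    service: "Service" = field(repr=False)

    def request(self, op, arg):
        # Network changes are asked for over the "service pipe".
        return self.service.handle(self, {"op": op, "arg": arg})

    def run_script(self, path):
        # --up/--down hooks are run by the worker itself, so they inherit
        # the worker's identity and never pass through the service.
        return {"script": path, "runs_as": self.user}


@dataclass
class Service:
    """Stands in for the interactive service: privileged, narrow interface."""
    applied: list = field(default_factory=list)        # (op, arg) actually executed
    pending_undo: dict = field(default_factory=dict)   # worker -> [(undo_op, arg)]

    def start_worker(self, pipe_client_user, request):
        # The identity comes from the connected pipe client; any "user"
        # field inside the request body is ignored on purpose.
        worker = Worker(user=pipe_client_user, service=self)
        self.pending_undo[worker] = []
        return worker

    def handle(self, worker, msg):
        op, arg = msg.get("op"), msg.get("arg")
        if worker not in self.pending_undo:
            return {"ok": False, "error": "unknown worker"}
        if not isinstance(op, str) or op not in ALLOWED_OPS or not isinstance(arg, str):
            return {"ok": False, "error": f"{op!r} is not a brokered operation"}
        self.applied.append((op, arg))
        pending = self.pending_undo[worker]
        if op in UNDO:
            pending.append((UNDO[op], arg))
        elif (op, arg) in pending:
            pending.remove((op, arg))  # the worker cleaned up after itself
        return {"ok": True}

    def reap(self, worker):
        """Worker exited or crashed: revert what it left behind, newest first."""
        reverted = list(reversed(self.pending_undo.pop(worker, [])))
        self.applied.extend(reverted)
        return reverted


def demo():
    svc = Service()
    # Constructed sample request; the claimed "user" must have no effect.
    w = svc.start_worker("gert", {"argv": ["--config", "client.ovpn"],
                                  "user": "Administrator"})
    results = {
        "worker_user": w.user,
        "route": w.request("add_route", "10.8.0.0/24"),
        "address": w.request("add_address", "10.8.0.2"),
        "script_via_service": w.request("run_script", "up.bat"),
        "script_local": w.run_script("up.bat"),
    }
    results["cleanup"] = svc.reap(w)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
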




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-24 Thread debbie10t


On 24/08/16 10:11, Jan Just Keijser wrote:
> Hi,
>
> On 24/08/16 10:45, Samuli Seppänen wrote:
>> On 24/08/2016 11:14, Jan Just Keijser wrote:
>>> Hi,
>>>
>>> On 23/08/16 14:34, Gert Doering wrote:
>>>> On Tue, Aug 23, 2016 at 01:55:23AM +0100, debbie10t wrote:
>>>>> I need to use --up/--down/--client-connect/disconnect et al ..
>>>> You can, but they will run with the user privileges of the user that
>>>> runs openvpn-gui by default.  If you need more privileges, you need
>>>> to run openvpn.exe or the gui with admin privs.
>>>>
>>>>> How does one run openvpn on *windows* without these "considered"
>>>>> security flaws ? or are we all just "lambs to the slaughter"
>>>>> from here on in ?
>>>> You can use openvpnserv2 to run openvpn.exe with admin privs (and no
>>>> gui), or you can set [x] run as admin on the openvpn-gui (as it was
>>>> done for 2.3.x).
>>>>
>>>> Most people on windows only need privileges to add/delete routes and
>>>> configure IP addresses - this is what the iservice will give you,
>>>> without the potential dangers of running openvpn and all scripts with full
>>>> admin privs.
>>>>
>>> just for my understanding: how would a user run an up/down script with
>>> *USER* credentials (necessary to map a share or printer, for example) in
>>> this scenario?
>> You mean when running OpenVPN-GUI as admin, but wanting to map a
>> share as a non-privileged user?
>>
> Actually, how would a (clueless) user do this at all, using the
> interactive service?  which part should be run with admin privs, which
> part shouldn't ?which credentials are available to the interactive
> service (and any up/down scripts it may run) ?   should a user use a GUI
> up/down script (I know the old GUI supported this) instead?
>
>
An --up to map a network drive would work with user creds. eg: net use x: \*

My initial problem was running server side scripts which are intended to do
more complex stuff.  But run-as-admin for the GUI is totally sufficient for
my needs.  I simply did not understand that the scripts are run as the user
who loaded the GUI not the iservice.

thanks



Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-24 Thread Jan Just Keijser
Hi,

On 24/08/16 10:45, Samuli Seppänen wrote:
> On 24/08/2016 11:14, Jan Just Keijser wrote:
>> Hi,
>>
>> On 23/08/16 14:34, Gert Doering wrote:
>>> On Tue, Aug 23, 2016 at 01:55:23AM +0100, debbie10t wrote:
>>>> I need to use --up/--down/--client-connect/disconnect et al ..
>>> You can, but they will run with the user privileges of the user that
>>> runs openvpn-gui by default.  If you need more privileges, you need
>>> to run openvpn.exe or the gui with admin privs.
>>>
>>>> How does one run openvpn on *windows* without these "considered"
>>>> security flaws ? or are we all just "lambs to the slaughter"
>>>> from here on in ?
>>> You can use openvpnserv2 to run openvpn.exe with admin privs (and no
>>> gui), or you can set [x] run as admin on the openvpn-gui (as it was 
>>> done
>>> for 2.3.x).
>>>
>>> Most people on windows only need privileges to add/delete routes and
>>> configure IP addresses - this is what the iservice will give you, 
>>> without
>>> the potential dangers of running openvpn and all scripts with full
>>> admin privs.
>>>
>> just for my understanding: how would a user run an up/down script with
>> *USER* credentials (necessary to map a share or printer, for example) in
>> this scenario?
>
> You mean when running OpenVPN-GUI as admin, but wanting to map a
> share as a non-privileged user?
>
Actually, how would a (clueless) user do this at all, using the 
interactive service?  which part should be run with admin privs, which 
part shouldn't ?which credentials are available to the interactive 
service (and any up/down scripts it may run) ?   should a user use a GUI 
up/down script (I know the old GUI supported this) instead?

JJK




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-24 Thread Samuli Seppänen
On 24/08/2016 11:14, Jan Just Keijser wrote:
> Hi,
>
> On 23/08/16 14:34, Gert Doering wrote:
>> On Tue, Aug 23, 2016 at 01:55:23AM +0100, debbie10t wrote:
>>> I need to use --up/--down/--client-connect/disconnect et al ..
>> You can, but they will run with the user privileges of the user that
>> runs openvpn-gui by default.  If you need more privileges, you need
>> to run openvpn.exe or the gui with admin privs.
>>
>>> How does one run openvpn on *windows* without these "considered"
>>> security flaws ? or are we all just "lambs to the slaughter"
>>> from here on in ?
>> You can use openvpnserv2 to run openvpn.exe with admin privs (and no
>> gui), or you can set [x] run as admin on the openvpn-gui (as it was done
>> for 2.3.x).
>>
>> Most people on windows only need privileges to add/delete routes and
>> configure IP addresses - this is what the iservice will give you, without
>> the potential dangers of running openvpn and all scripts with full
>> admin privs.
>>
> just for my understanding: how would a user run an up/down script with
> *USER* credentials (necessary to map a share or printer, for example) in
> this scenario?

You mean when running OpenVPN-GUI as admin, but wanting to map a share
as a non-privileged user?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-24 Thread Jan Just Keijser
Hi,

On 23/08/16 14:34, Gert Doering wrote:
> On Tue, Aug 23, 2016 at 01:55:23AM +0100, debbie10t wrote:
>> I need to use --up/--down/--client-connect/disconnect et al ..
> You can, but they will run with the user privileges of the user that
> runs openvpn-gui by default.  If you need more privileges, you need
> to run openvpn.exe or the gui with admin privs.
>
>> How does one run openvpn on *windows* without these "considered"
>> security flaws ? or are we all just "lambs to the slaughter"
>> from here on in ?
> You can use openvpnserv2 to run openvpn.exe with admin privs (and no
> gui), or you can set [x] run as admin on the openvpn-gui (as it was done
> for 2.3.x).
>
> Most people on windows only need privileges to add/delete routes and
> configure IP addresses - this is what the iservice will give you, without
> the potential dangers of running openvpn and all scripts with full
> admin privs.
>
just for my understanding: how would a user run an up/down script with 
*USER* credentials (necessary to map a share or printer, for example) in 
this scenario?

JJK




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-23 Thread Gert Doering
Hi,

On Tue, Aug 23, 2016 at 01:55:23AM +0100, debbie10t wrote:
> I need to use --up/--down/--client-connect/disconnect et al ..

You can, but they will run with the user privileges of the user that
runs openvpn-gui by default.  If you need more privileges, you need
to run openvpn.exe or the gui with admin privs.

> How does one run openvpn on *windows* without these "considered"
> security flaws ? or are we all just "lambs to the slaughter"
> from here on in ?

You can use openvpnserv2 to run openvpn.exe with admin privs (and no
gui), or you can set [x] run as admin on the openvpn-gui (as it was done
for 2.3.x).

Most people on windows only need privileges to add/delete routes and
configure IP addresses - this is what the iservice will give you, without
the potential dangers of running openvpn and all scripts with full
admin privs.

(Since you already use git master snapshots, you already have the new
stuff - and since it works for you, nothing to be afraid of)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-22 Thread Selva Nair
Hi,

On Mon, Aug 22, 2016 at 8:55 PM, debbie10t  wrote:

>
> I need to use --up/--down/--client-connect/disconnect et al ..
>
> How does one run openvpn on *windows* without these "considered"
> security flaws ? or are we all just "lambs to the slaughter"
> from here on in ?


I wouldn't call it a security flaw. It's just that using interactive service
is more secure as openvpn and all scripts it calls run with limited
privileges. It has its limitations but may meet the needs of vast majority
of installations. So, going forward,  using interactive service would be
the recommended way.

But, some users do need to run scripts as admin and the only option is to
go ahead and run openvpn as admin -- either through the automatic service,
or directly from command line or whatever way is convenient. We should just
call that advanced usage, less secure and should be used only if absolutely
necessary.

Interestingly, running scripts as user has advantages in some use cases --
often scripts just do things like mapping a drive and has to be done as
user and not as admin for it to work on modern versions of windows. This is
the case with most client installations I have. Interactive service made it
easier/automatic to run scripts as the logged in user and not as admin.

If there are widely used tasks requiring admin privilege, we could add
support for that to the interactive service. Reducing the need for running
scripts as admin would be a good goal. This has to be done carefully
though, to keep the service code running as admin to a minimum.

Selva


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-22 Thread debbie10t


On 20/08/16 19:41, David Sommerseth wrote:
>
> On 19/08/16 18:13, debbie10t wrote:
>> Hi,
>>
>> On 05/08/16 03:04, Selva Nair wrote:
>>> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t 
>>> wrote:
>>>
>>>> Hi
>>>>
>>>> So windows 10 as a Server.
>>>>
>>>> ===
>>>>
>>>> General details: Non admin Win10 unmodified user Using OVPN
>>>> GUI OVPN Interactive service started and used Win10 Tun Server
>>>> (auto + manual) IPv4 + IPv6 In average constant use ~20 Clients
>>>> virtual, local and remote win xp/7/10 +linux
>>>>
>>>>
>>>> Selva,
>>>>
>>>> If you have any specific tests please send me details.
>> You are probably aware but for completeness:
>>
>> --up/--down scripts are *not* run with elevated privs and so they
>> fail .. even when logged in as administrator and when using GUI +
>> Interactive service.
> This was an explicit design detail which was strived for with the new
> interactive service - as a security enhancement.  Otherwise it would
> be trivial for non-admins to get elevated privileges when they should
> not have that (think larger companies/enterprises with centrally
> managed policies).
>
>> The /good old/ openvpnservice works fine.
> Which is considered not secure for many reasons.
>
As is "par for the course" ..


On 22/08/16 21:49, David Sommerseth wrote:

It is fully accepted to ask again if something is unclear and the
questions are reasonably well asked.


I need to use --up/--down/--client-connect/disconnect et al ..

How does one run openvpn on *windows* without these "considered"
security flaws ? or are we all just "lambs to the slaughter"
from here on in ?


Digging my own ing grave ...

-- 




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-20 Thread David Sommerseth

On 19/08/16 18:13, debbie10t wrote:
> Hi,
> 
> On 05/08/16 03:04, Selva Nair wrote:
>> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t 
>> wrote:
>> 
>>> Hi
>>> 
>>> So windows 10 as a Server.
>>> 
>>> ===
>>> 
>>> General details: Non admin Win10 unmodified user Using OVPN
>>> GUI OVPN Interactive service started and used Win10 Tun Server
>>> (auto + manual) IPv4 + IPv6 In average constant use ~20 Clients
>>> virtual, local and remote win xp/7/10 +linux
>>> 
>>> 
>>> Selva,
>>> 
>>> If you have any specific tests please send me details.
> 
> You are probably aware but for completeness:
> 
> --up/--down scripts are *not* run with elevated privs and so they
> fail .. even when logged in as administrator and when using GUI +
> Interactive service.

This was an explicit design detail which was strived for with the new
interactive service - as a security enhancement.  Otherwise it would
be trivial for non-admins to get elevated privileges when they should
not have that (think larger companies/enterprises with centrally
managed policies).

> The /good old/ openvpnservice works fine.

Which is considered not secure for many reasons.


- -- 
kind regards,

David Sommerseth


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-19 Thread debbie10t
Hi,

On 05/08/16 03:04, Selva Nair wrote:
> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
>
>> Hi
>>
>> So windows 10 as a Server.
>>
>> ===
>>
>> General details:
>> Non admin Win10 unmodified user
>> Using OVPN GUI
>> OVPN Interactive service started and used
>> Win10 Tun Server (auto + manual)
>> IPv4 + IPv6 In average constant use
>> ~20 Clients virtual, local and remote
>> win xp/7/10 +linux
>>
>>
>> Selva,
>>
>> If you have any specific tests please send me details.

You are probably aware but for completeness:

--up/--down scripts are *not* run with elevated privs
and so they fail .. even when logged in as administrator
and when using GUI + Interactive service.

The /good old/ openvpnservice works fine.

-- 




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread Selva Nair
Hi,

On Sun, Aug 7, 2016 at 8:55 AM, Илья Шипицин  wrote:

> I also noticed, that "openvpn administrators" membership is required.
>
> Should we modify installer to make it add current user to that group?
>
With multiple users on a system, the installer will have to choose which
users are to be added etc. Also for newly created users the membership will
not be automatic.

For simple setups with one or two users who have access to the admin
password, I think, the current setup where the GUI provides a way to add
themselves to the group looks good enough. In a vast majority of cases
where users are also administrators everything is automatic: UAC will
ensure that the GUI runs with limited rights and thus use the interactive
service, and the service will permit config from any location because of
user's membership in the "Administrators" group.

For more complex setups, I suppose the sysadm would want to fine-tune
membership in the "OpenVPN Administrators" group as needed.

Selva


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread Selva Nair
On Sun, Aug 7, 2016 at 8:55 AM, debbie10t  wrote:

> On 07/08/16 13:46, debbie10t wrote:
> >
> >
> > On 05/08/16 03:04, Selva Nair wrote:
> >> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
> >>
> >>> Hi
> >>>
> >>> So windows 10 as a Server.
>
> I should also mention finding this odd error in the log:
>
> WARNING: 'link-mtu' is used inconsistently, local='link-mtu zu',
> remote='link-mtu 1602'


Caused by windows not supporting %zu. A patch to fix it is being discussed
on the list as we speak..

Selva


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread Илья Шипицин
I also noticed, that "openvpn administrators" membership is required.

Should we modify installer to make it add current user to that group?

On 7 Aug 2016 at 17:48, "debbie10t" wrote:

>
>
> On 05/08/16 03:04, Selva Nair wrote:
> > On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
> >
> >> Hi
> >>
> >> So windows 10 as a Server.
> >>
> >>
> >> If you have any specific tests please send me details.
> >>
> > Tasks needing admin access happens early on when the server starts so
> this
> > looks good especially since you tested ipv6 as well.
> >
> > One thing to try:
> > With the server running, edit the config to change the tunnel network (ip
> > and pool) and issue a SIGHUP to re-read the config (reconnect from the
> GUI
> > status window will do this). The old routes should get torn down (log
> will
> > show route deletion via service succeeded) the ip should change to the
> new
> > one and new routes get added etc.
> This worked no problem.
>
> >
> > Although not related to the interactive service, you could also test
> > running the server on a port < 1024. This being windows I suppose binding
> > to "privileged" ports doesn't require admin rights.
> >
> >
> Have not tried this yet.
>
>
> However, during my testing the following happened:
>
> I installed the first server in /program files/openvpn/config and running
> as standard-user with openvpn GUI & IService, this worked no problem.
>
> Then I tried with the config file in /users/user/openvpn/config and running
> as standard-user:user with gui & IService, Starting the server, I was
> prompted
> to add my user to the openvpn administrators group.
>
> I am not sure if this is intended behaviour, that the group membership is
> *only* prompted when using user/openvpn/config/file.ovpn ?
>
> --
>
>


Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread debbie10t



On 07/08/16 13:46, debbie10t wrote:
> On 05/08/16 03:04, Selva Nair wrote:
>> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
>>
>>> Hi
>>>
>>> So windows 10 as a Server.

I should also mention finding this odd error in the log:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu zu',
remote='link-mtu 1602'


--




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-07 Thread debbie10t



On 05/08/16 03:04, Selva Nair wrote:
> On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:
>
>> Hi
>>
>> So windows 10 as a Server.
>>
>> If you have any specific tests please send me details.
>
> Tasks needing admin access happens early on when the server starts so this
> looks good especially since you tested ipv6 as well.
>
> One thing to try:
> With the server running, edit the config to change the tunnel network (ip
> and pool) and issue a SIGHUP to re-read the config (reconnect from the GUI
> status window will do this). The old routes should get torn down (log will
> show route deletion via service succeeded) the ip should change to the new
> one and new routes get added etc.

This worked no problem.

> Although not related to the interactive service, you could also test
> running the server on a port < 1024. This being windows I suppose binding
> to "privileged" ports doesn't require admin rights.

Have not tried this yet.

However, during my testing the following happened:

I installed the first server in /program files/openvpn/config and running
as standard-user with openvpn GUI & IService, this worked no problem.

Then I tried with the config file in /users/user/openvpn/config and running
as standard-user:user with gui & IService, Starting the server, I was
prompted to add my user to the openvpn administrators group.

I am not sure if this is intended behaviour, that the group membership is
*only* prompted when using user/openvpn/config/file.ovpn ?

--




Re: [Openvpn-devel] Win10 Tun Server +Standard W10 User +OVPN Interactive Service +OVPN GUI

2016-08-05 Thread Selva Nair
On Thu, Aug 4, 2016 at 6:53 PM, debbie10t  wrote:

> Hi
>
> So windows 10 as a Server.
>
> ===
>
> General details:
>Non admin Win10 unmodified user
>Using OVPN GUI
>OVPN Interactive service started and used
>Win10 Tun Server (auto + manual)
>IPv4 + IPv6 In average constant use
>~20 Clients virtual, local and remote
>win xp/7/10 +linux
>
> (Todo: --server-bridge/tap .. maybe)
>
> Tested using:
>cfg 1. --server & --server-ipv6 *no* CCD files in use
>cfg 2. --ifconfig & --ifconfig-ipv6 CCD files in use
>
> Reminder: --keep6alive --ping6 etc
> See:
> https://forums.openvpn.net/viewtopic.php?f=4&t=22119#p63274
>
> ===
>
>
> 24 hours now with Zero hiccups.
>

Glad to know..


>
> Selva,
>
> If you have any specific tests please send me details.
>

Tasks needing admin access happens early on when the server starts so this
looks good especially since you tested ipv6 as well.

One thing to try:
With the server running, edit the config to change the tunnel network (ip
and pool) and issue a SIGHUP to re-read the config (reconnect from the GUI
status window will do this). The old routes should get torn down (log will
show route deletion via service succeeded) the ip should change to the new
one and new routes get added etc.

Although not related to the interactive service, you could also test
running the server on a port < 1024. This being windows I suppose binding
to "privileged" ports doesn't require admin rights.

Thanks,

Selva