Re: [Openvpn-users] Displaying messages to users by means of the GUI?
On 21/11/17 18:16, Selva wrote:
> On Tue, Nov 21, 2017 at 12:17 PM, fragmentux wrote:
>> Hi Selva,
>>
>> On 21/11/17 16:32, Selva wrote:
>>> Hi,
>>>
>>>> Presume that the user does not have admin rights :
>>>>
>>>> A non-admin user could copy the admin protected config file from
>>>> \program files\openvpn\config -to- \users\$user\openvpn\config and
>>>> modify it to include the --pull-filter.
>>>
>>> Will not work in 2.4 unless the user is in OpenVPN Administrators
>>> group which requires admin's blessings
>>
>> The user *must* be a member of said group to successfully use the GUI
>> anyway .. Thus, presuming the admin has made the user a member in order
>> to use the VPN at all, the user *can* (I just have on w10) modify the
>> config and run it.
>
> Not really. The GUI does not need the user to be a member of that
> group to successfully use the interactive service and run as limited
> user. You can install configs in the global location where user only
> has read access, and no membership in the said group is needed to use
> the interactive service. Everything should work with GUI and openvpn
> running as limited user and the interactive service handling privileged
> tasks. This is useful even if the user knows the admin password: many
> users I help are rather clueless and need and appreciate some protection
> from themselves.

Ah .. yes indeed. A nuance I was not aware of till now.

Thanks

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
On Tue, Nov 21, 2017 at 12:17 PM, fragmentux wrote:
> Hi Selva,
>
> On 21/11/17 16:32, Selva wrote:
>> Hi,
>>
>>> Presume that the user does not have admin rights :
>>>
>>> A non-admin user could copy the admin protected config file from \program
>>> files\openvpn\config -to- \users\$user\openvpn\config and modify it to
>>> include the --pull-filter.
>>
>> Will not work in 2.4 unless the user is in OpenVPN Administrators
>> group which requires admin's blessings
>
> The user *must* be a member of said group to successfully use the GUI
> anyway .. Thus, presuming the admin has made the user a member in order
> to use the VPN at all, the user *can* (I just have on w10) modify the
> config and run it.

Not really. The GUI does not need the user to be a member of that group to successfully use the interactive service and run as limited user. You can install configs in the global location where user only has read access, and no membership in the said group is needed to use the interactive service. Everything should work with GUI and openvpn running as limited user and the interactive service handling privileged tasks. This is useful even if the user knows the admin password: many users I help are rather clueless and need and appreciate some protection from themselves.

Selva
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
2017-11-21 21:32 GMT+05:00 Selva:
> Hi,
>
> On Tue, Nov 21, 2017 at 10:32 AM, fragmentux wrote:
>> On 21/11/17 13:20, Gert Doering wrote:
>>> Hi,
>>>
>>> On Tue, Nov 21, 2017 at 12:10:05PM +, fragmentux wrote:
>>>> Could this happen: --pull-filter ignore "echo disable-password-save" ..
>>>>
>>>> Or is the string processed prior to the --pull-filter ?
>>>
>>> A user who is able to modify his local config can do anything he
>>> wants, including reading username+password from a clear text file.
>>>
>>> So, while pull-filter will make openvpn ignore incoming "echo"
>>> statements, it has no relevance to the password saving and "who
>>> decides?" discussion.
>>>
>>> (A user who has *admin* rights could even install his own openvpn binary
>>> which does whatever he wants)
>>
>> Presume that the user does not have admin rights :
>>
>> A non-admin user could copy the admin protected config file from \program
>> files\openvpn\config -to- \users\$user\openvpn\config and modify it to
>> include the --pull-filter.
>
> Will not work in 2.4 unless the user is in OpenVPN Administrators
> group which requires admin's blessings OR runs openvpn without using
> the interactive service which will fail to add routes unless the user has
> admin rights. (Some installations that need no extra routes may work
> without needing the service or admin rights, though.)
>
> That said, a limited user can install "his" own custom GUI in a private
> folder and bypass global settings and any echo directives. Custom GUI
> will not bypass the above mentioned validation as that is imposed by the
> service. Anyway, the purpose of these options is to help the user and
> admin to establish and convey some policies, not to enforce them.
>
> I generally encourage users to save passwords, lest they paste a
> password stickie on the monitor. But sometimes it's prudent not to
> save passwords (laptops in the wild, for example) and instead of
> burdening the user to remember this, I prefer not to show
> the password save checkbox. Pushing echo disable-save-passwords
> from ccd (or even echo forget-passwords) comes in handy in such cases.
> By the way the former is still a proposed feature not present in any
> released version.

The security approach has changed recently: https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
It is no good to require periodic password changes anymore; it is good to use a password manager.

>> The commit message states:
>>> Note: echo commands are processed as and when they are received and in
>>> the order received.
>>
>> With --pull-filter in place should that read *if* and when they are
>> received ?
>
> "If" is implied by "as and when" -- if not received there is nothing to
> process. Here "received" refers to "received by the GUI" as this is a
> patch for the GUI. That requires the pulled echo to pass through
> pull-filter and option parsing. Only after that it gets sent to the
> management interface by openvpn and be received by the GUI.
>
> Selva
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
Hi,

On Tue, Nov 21, 2017 at 03:32:51PM +, fragmentux wrote:
> Presume that the user does not have admin rights :
>
> A non-admin user could copy the admin protected config file from
> \program files\openvpn\config -to- \users\$user\openvpn\config and
> modify it to include the --pull-filter.
>
> Would running openvpn-GUI on the modified config negate the pushed echo?

Of course it would. If you filter push messages, they do not arrive. As for any other pushed option.

gert

--
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
Hi,

On Tue, Nov 21, 2017 at 10:32 AM, fragmentux wrote:
> On 21/11/17 13:20, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Nov 21, 2017 at 12:10:05PM +, fragmentux wrote:
>>> Could this happen: --pull-filter ignore "echo disable-password-save" ..
>>>
>>> Or is the string processed prior to the --pull-filter ?
>>
>> A user who is able to modify his local config can do anything he
>> wants, including reading username+password from a clear text file.
>>
>> So, while pull-filter will make openvpn ignore incoming "echo" statements,
>> it has no relevance to the password saving and "who decides?" discussion.
>>
>> (A user who has *admin* rights could even install his own openvpn binary
>> which does whatever he wants)
>
> Presume that the user does not have admin rights :
>
> A non-admin user could copy the admin protected config file from \program
> files\openvpn\config -to- \users\$user\openvpn\config and modify it to
> include the --pull-filter.

Will not work in 2.4 unless the user is in OpenVPN Administrators group which requires admin's blessings OR runs openvpn without using the interactive service which will fail to add routes unless the user has admin rights. (Some installations that need no extra routes may work without needing the service or admin rights, though.)

That said, a limited user can install "his" own custom GUI in a private folder and bypass global settings and any echo directives. Custom GUI will not bypass the above mentioned validation as that is imposed by the service. Anyway, the purpose of these options is to help the user and admin to establish and convey some policies, not to enforce them.

I generally encourage users to save passwords, lest they paste a password stickie on the monitor. But sometimes it's prudent not to save passwords (laptops in the wild, for example) and instead of burdening the user to remember this, I prefer not to show the password save checkbox. Pushing echo disable-save-passwords from ccd (or even echo forget-passwords) comes in handy in such cases. By the way the former is still a proposed feature not present in any released version.

> The commit message states:
>> Note: echo commands are processed as and when they are received and in
>> the order received.
>
> With --pull-filter in place should that read *if* and when they are
> received ?

"If" is implied by "as and when" -- if not received there is nothing to process. Here "received" refers to "received by the GUI" as this is a patch for the GUI. That requires the pulled echo to pass through pull-filter and option parsing. Only after that it gets sent to the management interface by openvpn and be received by the GUI.

Selva
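The path Selva describes for a pushed echo (client --pull-filter, then option parsing, then the management interface, then the GUI) and Gert's point that a filtered push simply never arrives, as an added Python simulation that is not OpenVPN's or OpenVPN-GUI's code. The `>ECHO:<timestamp>,<text>` line format and the GUI-side handling of the proposed `disable-save-passwords` / `forget-passwords` directives are assumptions made for illustration; the pushed options are constructed sample data.

```python
"""Simulation (added example, not OpenVPN code) of the route a pushed 'echo'
option takes: PUSH_REPLY -> client --pull-filter -> management ECHO line -> GUI."""
import time


class RejectedOption(Exception):
    """Stands in for the fatal error a 'reject' pull-filter causes."""


def apply_pull_filters(pushed, filters):
    """Apply --pull-filter rules (action, prefix) in the order given; the first
    prefix match wins. 'ignore' drops the option, 'reject' aborts the
    connection, and an option matching no rule is accepted."""
    kept = []
    for opt in pushed:
        action = "accept"
        for act, prefix in filters:
            if opt.startswith(prefix):
                action = act
                break
        if action == "reject":
            raise RejectedOption(opt)
        if action == "accept":
            kept.append(opt)
    return kept


def echo_lines(accepted, now=None):
    """After option parsing, each surviving 'echo <text>' is forwarded to the
    management interface as a real-time '>ECHO:<unix-time>,<text>' message
    (format assumed here), in the order it was received."""
    ts = int(now if now is not None else time.time())
    return [f">ECHO:{ts},{opt[5:]}" for opt in accepted if opt.startswith("echo ")]


def gui_process_echo(lines, state=None):
    """Hypothetical GUI handler: the two policy directives discussed in the
    thread are applied, anything else is queued for display to the user."""
    state = dict(state or {"show_save_password": True, "saved_password": "hunter2"})
    state.setdefault("messages", [])
    for line in lines:
        if not line.startswith(">ECHO:"):
            continue
        text = line[len(">ECHO:"):].split(",", 1)[1]
        if text == "disable-save-passwords":
            state["show_save_password"] = False
        elif text == "forget-passwords":
            state["saved_password"] = None
        else:
            state["messages"].append(text)
    return state


# Constructed PUSH_REPLY contents, as a server-side ccd entry might push them.
PUSHED = ["route 10.8.0.0 255.255.255.0", "echo disable-save-passwords",
          "echo forget-passwords", "echo Welcome to the corporate VPN"]


def run(filters):
    """Return the GUI state after the pushed options pass the given filters."""
    return gui_process_echo(echo_lines(apply_pull_filters(PUSHED, filters), now=0))


if __name__ == "__main__":
    print(run([]))                                           # admin's policy applied
    print(run([("ignore", "echo disable-save-passwords")]))  # filtered: never arrives
```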
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
Hi,

On Tue, Nov 21, 2017 at 6:52 AM, Jan Just Keijser wrote:
> Hi,
>
> On 21/11/17 11:02, Ralf Hildebrandt wrote:
>> * Jonathan K. Bullard :
>>> Hi,
>>>
>>> On Mon, Nov 20, 2017 at 10:16 AM, Ralf Hildebrandt wrote:
>>>> My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have
>>>> some Linux users (mainly using NetworkManager) and even 4 ChromeOS
>>>> users.
>>>>
>>>> Is there any way for me to display informational messages on the
>>>> users' computer when they're logging in via VPN?
>>>
>>> Depending on what you mean by "logging in via VPN". Do you mean
>>> "connecting to the VPN server",
>>
>> Exactly that.
>>
>>> Documentation [1] for the management interface's "echo" command says
>>> "Essentially the echo command allowed us to pass parameters from the
>>> OpenVPN server to the OpenVPN client, and then to the management
>>> client (such as a GUI)."
>>>
>>> Of course it requires the GUI (such as Tunnelblick) to do something
>>> with the "parameters". As far as I know, Tunnelblick doesn't currently
>>> do anything with these "parameters", but I'm open to extending
>>> Tunnelblick to do "something" with them.
>>
>> ...
>>
>>> Does the Windows GUI do anything with these "echo" parameters?
>>
>> I'll have to test this.
>
> 'Core' OpenVPN certainly is not GUI-aware , and the current Windows
> OpenVPN GUI does not do anything with "echo" parameters -

FYI, this is not correct. See my response earlier in the thread. Though nothing yet that would permit sending custom messages from the server.

> It would be useful to add something like this to the Windows GUI (and also
> NetworkManager , perhaps), as in some companies you need a legal
> disclaimer before you start to use a network/application/VPN etc.

Something like a static legal disclaimer is easy -- just display it from a "pre" script. No further co-operation from the GUI is needed.

For more dynamic stuff, echo could be used to pass short messages (e.g., a 140 char tweet, not 280 -- something like 240 bytes may be the max without jumping through some hoops), but currently the Windows GUI does not pass any such info to scripts. There is a patch in the works to add echo setenv which could be used to export some variables (after name mangling) to the up-script run by the GUI.

Selva
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
On 21/11/17 13:20, Gert Doering wrote:
> Hi,
>
> On Tue, Nov 21, 2017 at 12:10:05PM +, fragmentux wrote:
>> Could this happen: --pull-filter ignore "echo disable-password-save" ..
>>
>> Or is the string processed prior to the --pull-filter ?
>
> A user who is able to modify his local config can do anything he
> wants, including reading username+password from a clear text file.
>
> So, while pull-filter will make openvpn ignore incoming "echo" statements,
> it has no relevance to the password saving and "who decides?" discussion.
>
> (A user who has *admin* rights could even install his own openvpn binary
> which does whatever he wants)

Presume that the user does not have admin rights :

A non-admin user could copy the admin protected config file from \program files\openvpn\config -to- \users\$user\openvpn\config and modify it to include the --pull-filter.

Would running openvpn-GUI on the modified config negate the pushed echo?

(Note: this discussion is about the GUI and how it behaves, so there is no service in use to block the secondary use of the GUI on the same config)

The commit message states:
> Note: echo commands are processed as and when they are received and in
> the order received.

With --pull-filter in place should that read *if* and when they are received ?

Regards
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
Hi,

On Tue, Nov 21, 2017 at 12:10:05PM +, fragmentux wrote:
> Could this happen: --pull-filter ignore "echo disable-password-save" ..
>
> Or is the string processed prior to the --pull-filter ?

A user who is able to modify his local config can do anything he wants, including reading username+password from a clear text file.

So, while pull-filter will make openvpn ignore incoming "echo" statements, it has no relevance to the password saving and "who decides?" discussion.

(A user who has *admin* rights could even install his own openvpn binary which does whatever he wants)

gert

--
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
On 21/11/17 01:16, Selva wrote:
> We always save the username (there have been some complaints about it
> but as of now that 'feature' remains).

I believe this should be removed. (my2c)

I know there is a work-around but generally work-arounds are "sticky tape n string" solutions to known bugs ..

> Windows GUI offers a way for administrators to switch-off the password
> save feature through a global setting. My proposal is to have an 'echo
> disable-save-passwords' directive that has the same effect but could be
> enforced from the server.

Could this happen: --pull-filter ignore "echo disable-password-save" ..

Or is the string processed prior to the --pull-filter ?

Regards
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
Hi,

On 21/11/17 11:02, Ralf Hildebrandt wrote:
> * Jonathan K. Bullard:
>> Hi,
>>
>> On Mon, Nov 20, 2017 at 10:16 AM, Ralf Hildebrandt wrote:
>>> My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have
>>> some Linux users (mainly using NetworkManager) and even 4 ChromeOS
>>> users.
>>>
>>> Is there any way for me to display informational messages on the
>>> users' computer when they're logging in via VPN?
>>
>> Depending on what you mean by "logging in via VPN". Do you mean
>> "connecting to the VPN server",
>
> Exactly that.
>
>> Documentation [1] for the management interface's "echo" command says
>> "Essentially the echo command allowed us to pass parameters from the
>> OpenVPN server to the OpenVPN client, and then to the management
>> client (such as a GUI)."
>>
>> Of course it requires the GUI (such as Tunnelblick) to do something
>> with the "parameters". As far as I know, Tunnelblick doesn't currently
>> do anything with these "parameters", but I'm open to extending
>> Tunnelblick to do "something" with them.
>
> ...
>
>> Does the Windows GUI do anything with these "echo" parameters?
>
> I'll have to test this.

'Core' OpenVPN certainly is not GUI-aware , and the current Windows OpenVPN GUI does not do anything with "echo" parameters - they can/might be displayed in the status/log window, but this is usually not visible to the user. Of course, it is possible to add a GUI-specific "up.bat" file to do something with parameters that get pushed from the server, but you'd have to add this to all clients.

It would be useful to add something like this to the Windows GUI (and also NetworkManager , perhaps), as in some companies you need a legal disclaimer before you start to use a network/application/VPN etc.

JJK
Re: [Openvpn-users] Displaying messages to users by means of the GUI?
* Jonathan K. Bullard:
> Hi,
>
> On Mon, Nov 20, 2017 at 10:16 AM, Ralf Hildebrandt wrote:
>> My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have
>> some Linux users (mainly using NetworkManager) and even 4 ChromeOS
>> users.
>>
>> Is there any way for me to display informational messages on the
>> users' computer when they're logging in via VPN?
>
> Depending on what you mean by "logging in via VPN". Do you mean
> "connecting to the VPN server",

Exactly that.

> Documentation [1] for the management interface's "echo" command says
> "Essentially the echo command allowed us to pass parameters from the
> OpenVPN server to the OpenVPN client, and then to the management
> client (such as a GUI)."
>
> Of course it requires the GUI (such as Tunnelblick) to do something
> with the "parameters". As far as I know, Tunnelblick doesn't currently
> do anything with these "parameters", but I'm open to extending
> Tunnelblick to do "something" with them.

...

> Does the Windows GUI do anything with these "echo" parameters?

I'll have to test this.

--
Ralf Hildebrandt
Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de
Campus Benjamin Franklin
https://www.charite.de
Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk
fon: +49-30-450.570.155