gmane.network.openvpn.user

Re: (RESOLVED) Openvpn grabs ports on servicerestart

Steve Pallen — 2013-05-13T15:05:33

As suspected, it does appear to be a fd inherit issue in php. Resolved the
issue by using a helper script in php that runs the program with
pcntl_exec. This helper script is run from my php page with
exec("/usr/bin/exec-helper openvpn start", $ret_code);

Thanks for all the help,
Steve

-----Original Message-----
From: Steve Pallen <smpallen99< at >yahoo.com>
Date: Wednesday, 8 May, 2013 12:56 PM
To: Les Mikesell <lesmikesell< at >gmail.com>
Cc: Jon Spriggs <jon< at >sprig.gs>, "openvpn-users< at >lists.sourceforge.net"
<openvpn-users< at >lists.sourceforge.net>
Subject: Re: [Openvpn-users] Openvpn grabs ports on service restart




------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

Re: Is CSRF hole present in OpenVPN client 2.3.1?

Bowie Frisch — 2013-05-13T06:30:37

Thanks, Gert, for your reply.

________________________________
 From: Gert Doering <gert< at >greenie.muc.de>
To: Bowie Frisch <bowiefrisch< at >yahoo.com> 
Cc: "openvpn-users< at >lists.sourceforge.net" <openvpn-users< at >lists.sourceforge.net> 
Sent: Monday, May 13, 2013 1:22 AM
Subject: Re: [Openvpn-users] Is CSRF hole present in OpenVPN client 2.3.1?

Hi,

On Sun, May 12, 2013 at 05:30:42AM -0700, Bowie Frisch wrote:

As there is no web interface to OpenVPN 2.3, there is no chance for a
XSS exploit :-)

gert

Re: Is CSRF hole present in OpenVPN client 2.3.1?

Bowie Frisch — 2013-05-13T06:30:17

Thanks, David, for your reply.

________________________________
 From: David Sommerseth <openvpn.list< at >topphemmelig.net>
To: Bowie Frisch <bowiefrisch< at >yahoo.com> 
Cc: "openvpn-users< at >lists.sourceforge.net" <openvpn-users< at >lists.sourceforge.net> 
Sent: Monday, May 13, 2013 12:22 AM
Subject: Re: [Openvpn-users] Is CSRF hole present in OpenVPN client 2.3.1?

On 12/05/13 14:30, Bowie Frisch wrote:

The Community Edition does not provide the Admin interface which seems to be 
vulnerable in this case.  The OpenVPN Access Server is basically shipping a 
modified OpenVPN (for the core VPN functionality) and integrates it with a web 
based admin UI.  There is nothing in the core VPN functionality which should 
be vulnerable to this issue.

Re: Is CSRF hole present in OpenVPN client 2.3.1?

Gert Doering — 2013-05-12T17:22:24

Hi,

On Sun, May 12, 2013 at 05:30:42AM -0700, Bowie Frisch wrote:

As there is no web interface to OpenVPN 2.3, there is no chance for a
XSS exploit :-)

gert

Re: Is CSRF hole present in OpenVPN client 2.3.1?

David Sommerseth — 2013-05-12T16:22:54

The Community Edition does not provide the Admin interface which seems to be 
vulnerable in this case.  The OpenVPN Access Server is basically shipping a 
modified OpenVPN (for the core VPN functionality) and integrates it with a web 
based admin UI.  There is nothing in the core VPN functionality which should 
be vulnerable to this issue.

Is CSRF hole present in OpenVPN client 2.3.1?

Bowie Frisch — 2013-05-12T12:30:42

I read there is a security hole called CSRF (cross-site request forgery) hole in OpenVPN Access Server 1.8.4. Click the following link to the article: http://www.h-online.com/security/news/item/CSRF-hole-in-OpenVPN-Access-Server-1860701.html


Does it exist in OpenVPN client 2.3.1 (Community Edition) as well?

Regards.

Bowie
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may_______________________________________________
Openvpn-users mailing list
Openvpn-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: Fwd: (no subject)

Miguel Clara — 2013-05-10T09:54:13

The firewall or some manual route is there certainly (do a route print
on cmd line and check), but OpenVPN is also trying to define that
route... which is why you get the error...

OpenVPN does that if you push that route in server config or push the
default gateway and this turns out to be the same subnet... or if you
client configs (ccd or the client it self) also define that route!

But according to the configs you posted (except ccd - I think you
didn't post those) nothing seems to be defining such route, at least
that's what the log you posted was showing!


On Fri, May 10, 2013 at 10:39 AM,  <forums< at >sidekicker.net> wrote:

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sf

Re: Fwd: (no subject)

Gert Doering — 2013-05-10T09:55:03

Hi,

On Fri, May 10, 2013 at 09:39:23AM +0000, forums< at >sidekicker.net wrote:

Please show a *log* with "verb 4".  That should make clear what's happening.

gert

Re: Fwd: (no subject)

2013-05-10T09:39:23

This is the client.ovpn
client
ns-cert-type server
dev tun
proto udp
remote 84.xxx.xxx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert xxxxx.crt
key xxxxx.key
comp-lzo
verb 1
fragment 1300
mssfix

Any chance a firewall might cause this type of routing duplicate IP error?






------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

Fwd: (no subject)

Miguel Clara — 2013-05-09T09:08:16

[sorry forgot the "reply all"

Hum.. If its not the server config pushing the route and its not in
the ccd, you're left with the client config....

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

Re: (no subject)

2013-05-09T07:35:48

The ccd directory only has files to prevent access to certain certificates.
The is simply a file with the disable directive.
No oter configs.


Ok, I'll do that but this shouldn't affect 192.168.x.x IPs?

The client config file does not have IP address routings. I think  
think the server push should do this.






------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

Re: (no subject)

Miguel Clara — 2013-05-08T22:41:58

What configs do you have in the ccd dir? ----> /etc/openvpn/ccd

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

Re: (no subject)

Miguel Clara — 2013-05-08T22:35:16

What configs do you have in the ccd dir? ----> /etc/openvpn/ccd
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may_______________________________________________
Openvpn-users mailing list
Openvpn-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: (no subject)

Jonathan Leroy — 2013-05-08T22:02:42

2013/5/8  <forums< at >sidekicker.net>:

Even in client-specific config file ?

Re: (no subject)

2013-05-08T21:33:32

But I do not specify that route!
Here is the server config:
local 84.xxx.xxx.xx
port 1194 #- port
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
client-config-dir /etc/openvpn/ccd
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1"
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
comp-lzo
persist-key
;persist-tun
status openvpn-status_tcp.log
verb 3
log /var/log/openvpn_tcp.log
;tun-mtu 1500
;link-mtu 1500
;fragment 1400
;mssfix


Quoting Miguel Clara <miguelmclara< at >gmail.com>:




------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The earl

Re: Openvpn grabs ports on service restart

Les Mikesell — 2013-05-08T17:41:03

That makes sense, but it sounds like one of those 'if it hurts, don't
do it' things...

--
   Les Mikesell
     lesmikesell< at >gmail.com

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

Re: Openvpn grabs ports on service restart

Steve Pallen — 2013-05-08T16:56:23

So far all suggestions came up empty. However, I'm pretty a colleague
figured it out. 

We suspect its due to the fact that the a child process forked in php
inherits its parents open file descriptors. So, when the parent process
(httpd)  goes away, openvpn now has the open sockets (fd).

I'll let you know when I've confirmed it.

Steve


From: Les Mikesell <lesmikesell< at >gmail.com>
Date: Wednesday, 8 May, 2013 11:15 AM
To: Steve Pallen <smpallen99< at >yahoo.com>
Cc: Jon Spriggs <jon< at >sprig.gs>, "openvpn-users< at >lists.sourceforge.net"
<openvpn-users< at >lists.sourceforge.net>
Subject: Re: [Openvpn-users] Openvpn grabs ports on service restart




------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.n

Re: (no subject)

Miguel Clara — 2013-05-08T16:22:58

"Warning: route gateway is ambiguous:
192.168.1.1 (2 matches)"

It seems that you already have that route on the client, maybe you're
client default GW route is "192.168.1.1"?



On Wed, May 8, 2013 at 5:09 PM, <forums< at >sidekicker.net> wrote:

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may_______________________________________________
Openvpn-users mailing list
Openvpn-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: (no subject)

2013-05-08T16:09:21

Hi
No, IPs are assigned in the 10.8.x.x range as in the log
10.8.0.30
Mon May 06 12:13:22 2013 TAP-WIN32 device [Conexión de área local 5]
opened: \\.\Global\{9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D}.tap
Mon May 06 12:13:22 2013 Notified TAP-Win32 driver to set a DHCP
IP/netmask of 10.8.0.30/255.255.255.252 on interface


Quoting Eric Crist <ecrist< at >secure-computing.net>:




------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Openvpn-users mailing list
Openvpn-users< at >lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: (no subject)

Eric Crist — 2013-05-08T15:24:41

It appears you're assigning VPN IPs in the same IP range as the local LAN.

-----
Eric F Crist



On May 8, 2013, at 10:21:59, forums< at >sidekicker.net wrote:



------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may

(no subject)

2013-05-08T15:21:59

I get the following error from a client connecting to the VPN.
Any ideas on what causes this and how I can resolve it?
This is the only client that has the error and the server is not  
issuing 192.168.x.x as a route

Mon May 06 12:13:18 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2]  
[PKCS11] built on Dec 15 2011
Mon May 06 12:13:18 2013 NOTE: OpenVPN 2.1 requires '--script-security  
2' or higher to call user-defined scripts or executables
Mon May 06 12:13:18 2013 LZO compression initialized
Mon May 06 12:13:18 2013 UDPv4 link local: [undef]
Mon May 06 12:13:18 2013 UDPv4 link remote: 84.xxx.xxx.xx:1194
Mon May 06 12:13:19 2013 [ProxyPlayer.eu] Peer Connection Initiated  
with 84.246.227.39:1194
Mon May 06 12:13:22 2013 TAP-WIN32 device [Conexión de área local 5]  
opened: \\.\Global\{9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D}.tap
Mon May 06 12:13:22 2013 Notified TAP-Win32 driver to set a DHCP  
IP/netmask of 10.8.0.30/255.255.255.252 on interface  
{9D716C9B-7644-47D9-8B9C-0BE8DEB99E2D} [DHCP-serv: 10.8.0.29