
OS = Linux (Slackware)

Eddie Version 2.13.6 comes with OpenVPN 2.4.3. Due to CVE-2018-9336, I decided to try out the updated version (=2.4.6). It works, but I get this disturbing warning in the log with 2.4.6:
 

WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure

 

I reverted back to the OpenVPN included with Eddie and the warning is gone. I will stick with version 2.4.3, but I wonder if anyone knows why flag --management has an issue.

BTW, if I use OpenVPN 2.4.6 directly (without executing Eddie), I do not receive that warning. But I also do not use flag --management. Does that flag buy me any extra functionality?

Thanks

 


I am a happy Airvpn customer. I also have this warning message on my Arch systems when I use Eddie. My password is stored in Eddie's interface. Should I consider changing something? Is my configuration secure? I have only changed the protocol to TCP, 443, 1IP as I have issues and very low speed with "automatic" and UDP.

 

I thought of posting my questions under frpergflf's thread as they are quite similar to his considerations, I think. I hope I don't break forum rules and don't become annoying to frpergflf!

 


I have the very same question!

 

What does this mean?

 

"OpenVPN > WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure"
 

There's some info about this here: https://github.com/OpenVPN/openvpn/commit/4db7715a3aa62f2e8d8234c1852fb141f62318e2

 

It is not recommended to use --management on a TCP port without also adding a password authentication, as this can easily be abused by other users or processes being able to connect to the management interface.

But what does it mean for us, Airvpn users?


I have the very same question!

 

What does this mean?

 

"OpenVPN > WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure"

 

There's some info about this here: https://github.com/OpenVPN/openvpn/commit/4db7715a3aa62f2e8d8234c1852fb141f62318e2

 

It is not recommended to use --management on a TCP port without also adding a password authentication, as this can easily be abused by other users or processes being able to connect to the management interface.

But what does it mean for us, Airvpn users?

From what I understand, I, because I use Arch systems, and frpergflf, because he chose to use the latest OpenVPN version, get the same warning message. I assume frpergflf, like me, already uses a password, but Eddie shows the warning message. So I asked in the forum if Eddie secures our settings. I am a Linux user by experience and not by deep knowledge of protocols and scripting, so I cannot analyze further and I rely on support and specialized opinions to get a better result for my settings. I suppose if I had the knowledge I wouldn't have the time to do more because of my insane working hours. So I cannot even tell what it really means for us, Airvpn users.


I've got the same message, using Manjaro linux:

 

I 2018.05.19 12:49:54 - Eddie version: 2.13.6 / linux_x64, System: Linux, Name: Manjaro Linux \r  (\n) (\l), Version: Linux manjaro 4.14.40-1-MANJARO #1 SMP PREEMPT Wed May 9 20:10:25 UTC 2018 x86_64 GNU/Linux, Mono/.Net Framework: v4.0.30319
. 2018.05.19 12:49:54 - Reading options from /home/varttaanen/.airvpn/AirVPN.xml
. 2018.05.19 12:49:56 - Command line arguments (2): path="/home/varttaanen/.airvpn" console.mode="none"
I 2018.05.19 12:49:57 - OpenVPN Driver - Found, /dev/net/tun
I 2018.05.19 12:49:57 - OpenVPN - Version: 2.4.6 - OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10 (/usr/bin/openvpn)
I 2018.05.19 12:49:57 - SSH - Version: OpenSSH_7.7p1, OpenSSL 1.1.0h  27 Mar 2018 (/usr/bin/ssh)
W 2018.05.19 12:49:57 - SSL - Not available
I 2018.05.19 12:49:57 - curl - Version: 7.60.0 (/usr/bin/curl)
I 2018.05.19 12:49:57 - Certification Authorities: /usr/share/AirVPN/cacert.pem
. 2018.05.19 12:49:57 - Updating systems & servers data ...
I 2018.05.19 12:49:58 - Session starting.
. 2018.05.19 12:49:58 - Systems & servers data update completed
I 2018.05.19 12:50:05 - Checking authorization ...
! 2018.05.19 12:50:05 - Connecting to Sheliak (Netherlands, Alblasserdam)
. 2018.05.19 12:50:05 - SSH > OpenSSH_7.7p1, OpenSSL 1.1.0h  27 Mar 2018
. 2018.05.19 12:50:05 - SSH > debug1: Reading configuration data /etc/ssh/ssh_config
. 2018.05.19 12:50:05 - SSH > debug1: Connecting to 213.152.162.113 [213.152.162.113] port 22.
. 2018.05.19 12:50:05 - SSH > debug1: Connection established.
. 2018.05.19 12:50:05 - SSH > debug1: permanently_set_uid: 0/0
. 2018.05.19 12:50:05 - SSH > debug1: key_load_public: No such file or directory
. 2018.05.19 12:50:05 - SSH > debug1: identity file /home/varttaanen/.airvpn/f1a987693e9fc3c755a7fac0c465567036b15d62c904784bd67538391a3825ad.tmp.key type -1
. 2018.05.19 12:50:05 - SSH > debug1: key_load_public: No such file or directory
. 2018.05.19 12:50:05 - SSH > debug1: identity file /home/varttaanen/.airvpn/f1a987693e9fc3c755a7fac0c465567036b15d62c904784bd67538391a3825ad.tmp.key-cert type -1
. 2018.05.19 12:50:05 - SSH > debug1: Local version string SSH-2.0-OpenSSH_7.7
. 2018.05.19 12:50:06 - SSH > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u1
. 2018.05.19 12:50:06 - SSH > debug1: match: OpenSSH_6.7p1 Debian-5+deb8u1 pat OpenSSH* compat 0x04000000
. 2018.05.19 12:50:06 - SSH > debug1: Authenticating to 213.152.162.113:22 as 'sshtunnel'
. 2018.05.19 12:50:06 - SSH > debug1: SSH2_MSG_KEXINIT sent
. 2018.05.19 12:50:06 - SSH > debug1: SSH2_MSG_KEXINIT received
. 2018.05.19 12:50:06 - SSH > debug1: kex: algorithm: curve25519-sha256@libssh.org
. 2018.05.19 12:50:06 - SSH > debug1: kex: host key algorithm: ecdsa-sha2-nistp256
. 2018.05.19 12:50:06 - SSH > debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
. 2018.05.19 12:50:06 - SSH > debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
. 2018.05.19 12:50:06 - SSH > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
. 2018.05.19 12:50:06 - SSH > debug1: Server host key: ecdsa-sha2-nistp256 SHA256:1mPY0Ju8byn3wcM+h/zjNKmoaWL0MiAKdQ0XR13LU6U
. 2018.05.19 12:50:06 - SSH > Warning: Permanently added '213.152.162.113' (ECDSA) to the list of known hosts.
. 2018.05.19 12:50:06 - SSH > debug1: rekey after 134217728 blocks
. 2018.05.19 12:50:06 - SSH > debug1: SSH2_MSG_NEWKEYS sent
. 2018.05.19 12:50:06 - SSH > debug1: expecting SSH2_MSG_NEWKEYS
. 2018.05.19 12:50:06 - SSH > debug1: SSH2_MSG_NEWKEYS received
. 2018.05.19 12:50:06 - SSH > debug1: rekey after 134217728 blocks
. 2018.05.19 12:50:06 - SSH > debug1: SSH2_MSG_SERVICE_ACCEPT received
. 2018.05.19 12:50:07 - SSH > debug1: Authentications that can continue: publickey,password
. 2018.05.19 12:50:07 - SSH > debug1: Next authentication method: publickey
. 2018.05.19 12:50:07 - SSH > debug1: Trying private key: /home/varttaanen/.airvpn/f1a987693e9fc3c755a7fac0c465567036b15d62c904784bd67538391a3825ad.tmp.key
. 2018.05.19 12:50:07 - SSH > debug1: Authentication succeeded (publickey).
. 2018.05.19 12:50:07 - SSH > Authenticated to 213.152.162.113 ([213.152.162.113]:22).
. 2018.05.19 12:50:07 - SSH > debug1: Local connections to LOCALHOST:33274 forwarded to remote address 127.0.0.1:2018
. 2018.05.19 12:50:07 - SSH > debug1: Local forwarding listening on ::1 port 33274.
. 2018.05.19 12:50:07 - SSH > debug1: channel 0: new [port listener]
. 2018.05.19 12:50:07 - SSH > debug1: Local forwarding listening on 127.0.0.1 port 33274.
. 2018.05.19 12:50:07 - SSH > debug1: channel 1: new [port listener]
. 2018.05.19 12:50:07 - SSH > debug1: Requesting no-more-sessions@openssh.com
. 2018.05.19 12:50:07 - SSH > debug1: Entering interactive session.
. 2018.05.19 12:50:07 - SSH > debug1: pledge: network
W 2018.05.19 12:50:07 - OpenVPN > WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
. 2018.05.19 12:50:07 - OpenVPN > OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
. 2018.05.19 12:50:07 - OpenVPN > library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
. 2018.05.19 12:50:07 - Connection to OpenVPN Management Interface
. 2018.05.19 12:50:07 - OpenVPN > MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:3100
. 2018.05.19 12:50:07 - OpenVPN > Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
. 2018.05.19 12:50:07 - OpenVPN > Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
. 2018.05.19 12:50:07 - OpenVPN > TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:33274
. 2018.05.19 12:50:07 - OpenVPN > Socket Buffers: R=[87380->87380] S=[16384->16384]
. 2018.05.19 12:50:07 - OpenVPN > Attempting to establish TCP connection with [AF_INET]127.0.0.1:33274 [nonblock]
. 2018.05.19 12:50:07 - OpenVPN > TCP connection established with [AF_INET]127.0.0.1:33274
. 2018.05.19 12:50:07 - SSH > debug1: Connection to port 33274 forwarding to 127.0.0.1 port 2018 requested.
. 2018.05.19 12:50:07 - OpenVPN > TCP_CLIENT link local: (not bound)
. 2018.05.19 12:50:07 - OpenVPN > TCP_CLIENT link remote: [AF_INET]127.0.0.1:33274
. 2018.05.19 12:50:07 - SSH > debug1: channel 2: new [direct-tcpip]
. 2018.05.19 12:50:07 - SSH > debug1: Remote: Pty allocation disabled.
. 2018.05.19 12:50:07 - SSH > debug1: Remote: X11 forwarding disabled.
. 2018.05.19 12:50:07 - SSH > debug1: Remote: Forced command.
. 2018.05.19 12:50:07 - OpenVPN > MANAGEMENT: Client connected from [AF_INET]127.0.0.1:3100
. 2018.05.19 12:50:07 - OpenVPN > TLS: Initial packet from [AF_INET]127.0.0.1:33274, sid=021672ee 0f1506d9
. 2018.05.19 12:50:08 - OpenVPN > VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
. 2018.05.19 12:50:08 - OpenVPN > VERIFY KU OK
. 2018.05.19 12:50:08 - OpenVPN > Validating certificate extended key usage
. 2018.05.19 12:50:08 - OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
. 2018.05.19 12:50:08 - OpenVPN > VERIFY EKU OK
. 2018.05.19 12:50:08 - OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
. 2018.05.19 12:50:08 - OpenVPN > Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
. 2018.05.19 12:50:08 - OpenVPN > [server] Peer Connection Initiated with [AF_INET]127.0.0.1:33274
. 2018.05.19 12:50:09 - OpenVPN > SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
. 2018.05.19 12:50:10 - OpenVPN > PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.50.0.1,comp-lzo no,route-gateway 10.50.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.50.13.160 255.255.0.0'
. 2018.05.19 12:50:10 - OpenVPN > OPTIONS IMPORT: timers and/or timeouts modified
. 2018.05.19 12:50:10 - OpenVPN > OPTIONS IMPORT: compression parms modified
. 2018.05.19 12:50:10 - OpenVPN > OPTIONS IMPORT: --ifconfig/up options modified
. 2018.05.19 12:50:10 - OpenVPN > OPTIONS IMPORT: route options modified
. 2018.05.19 12:50:10 - OpenVPN > OPTIONS IMPORT: route-related options modified
. 2018.05.19 12:50:10 - OpenVPN > OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
. 2018.05.19 12:50:10 - OpenVPN > Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
. 2018.05.19 12:50:10 - OpenVPN > Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
. 2018.05.19 12:50:10 - OpenVPN > Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
. 2018.05.19 12:50:10 - OpenVPN > Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
. 2018.05.19 12:50:10 - OpenVPN > ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp4s0b1 HWADDR=5c:ac:4c:a0:b4:b0
. 2018.05.19 12:50:10 - OpenVPN > TUN/TAP device tun0 opened
. 2018.05.19 12:50:10 - OpenVPN > TUN/TAP TX queue length set to 100
. 2018.05.19 12:50:10 - OpenVPN > do_ifconfig, tt->did_ifconfig_ipv6_setup=0
. 2018.05.19 12:50:10 - OpenVPN > /usr/bin/ip link set dev tun0 up mtu 1500
. 2018.05.19 12:50:10 - OpenVPN > /usr/bin/ip addr add dev tun0 10.50.13.160/16 broadcast 10.50.255.255
. 2018.05.19 12:50:15 - OpenVPN > /usr/bin/ip route add 127.0.0.1/32 via 192.168.1.1
. 2018.05.19 12:50:15 - OpenVPN > /usr/bin/ip route add 0.0.0.0/1 via 10.50.0.1
. 2018.05.19 12:50:15 - OpenVPN > /usr/bin/ip route add 128.0.0.0/1 via 10.50.0.1
. 2018.05.19 12:50:15 - OpenVPN > /usr/bin/ip route add 213.152.162.113/32 via 192.168.1.1
. 2018.05.19 12:50:15 - /etc/resolv.conf moved to /etc/resolv.conf.eddie as backup
. 2018.05.19 12:50:15 - DNS of the system updated to VPN DNS (Rename method: /etc/resolv.conf generated)
. 2018.05.19 12:50:15 - Flushing DNS
I 2018.05.19 12:50:15 - Checking route
I 2018.05.19 12:50:16 - Checking DNS
! 2018.05.19 12:50:18 - Connected.
. 2018.05.19 12:50:18 - OpenVPN > Initialization Sequence Completed
. 2018.05.19 12:59:59 - Updating systems & servers data ...
. 2018.05.19 13:00:01 - Systems & servers data update completed
. 2018.05.19 13:10:02 - Updating systems & servers data ...
. 2018.05.19 13:10:03 - Systems & servers data update completed
 

 


Win7 | Manjaro Gnome | Eddie stable
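
An added example, not written by anyone in this thread and not Eddie or OpenVPN code: a small Python check that reads log text like the one posted above, confirms that the management interface was opened on a TCP port without a password, and reports whether it was bound to loopback only. The function names and the result labels are made up for this illustration; the sample lines are copied from the log above.

```python
import ipaddress
import re

# Sample lines copied from the Eddie log posted above.
SAMPLE_LOG = """\
W 2018.05.19 12:50:07 - OpenVPN > WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
. 2018.05.19 12:50:07 - OpenVPN > MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:3100
. 2018.05.19 12:50:07 - OpenVPN > MANAGEMENT: Client connected from [AF_INET]127.0.0.1:3100
"""

NO_PASSWORD = re.compile(r"Using --management on a TCP port WITHOUT passwords")
LISTENING = re.compile(r"MANAGEMENT: TCP Socket listening on \[AF_INET\]([\d.]+):(\d+)")
CLIENT = re.compile(r"MANAGEMENT: Client connected from")


def audit_management(log_text):
    """Collect what the log says about the OpenVPN management interface."""
    result = {"no_password": False, "listen": None,
              "loopback_only": None, "client_connections": 0}
    for line in log_text.splitlines():
        if NO_PASSWORD.search(line):
            result["no_password"] = True
        match = LISTENING.search(line)
        if match:
            addr, port = match.group(1), int(match.group(2))
            result["listen"] = (addr, port)
            result["loopback_only"] = ipaddress.ip_address(addr).is_loopback
        if CLIENT.search(line):
            result["client_connections"] += 1
    return result


def exposure(result):
    """Label who can reach the unauthenticated management port (hypothetical labels)."""
    if not result["no_password"]:
        return "no-finding"          # the warning was not logged
    if result["listen"] is None:
        return "unknown-bind"        # warning seen, listen address not logged
    if result["loopback_only"]:
        return "local-only"          # any local user or process can connect
    return "network-reachable"       # other hosts can connect as well


if __name__ == "__main__":
    report = audit_management(SAMPLE_LOG)
    print(report, exposure(report))
```

With a loopback bind, what remains is the case the quoted commit message describes: other users or processes on the same machine being able to connect. OpenVPN's `--management` option accepts a password file as an optional third argument.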


Has anyone tried using OpenVPN without Eddie? I run OpenVPN 2.4.6 on Arch and get no such log message. I'm not sure what this warning actually refers to but authentication to AirVPN servers (via OpenVPN) is not based on passwords but keys. But why should this be insecure or discouraged?


Has anyone tried using OpenVPN without Eddie? I run OpenVPN 2.4.6 on Arch and get no such log message. I'm not sure what this warning actually refers to but authentication to AirVPN servers (via OpenVPN) is not based on passwords but keys. But why should this be insecure or discouraged?

I've been using airvpn on Arch through the network manager's options for more than 6 months without any problems. I switched to Eddie because I think it allows bigger variation in my choices and easier switching of servers and more. Let's think about the scenario where the server u r hooked on is having troubles or becomes slow: u hv to create a new connection in network manager and get out of ur network. Waste of time! On an average PC, even in a VM, Eddie won't overload the desktop.

On my BSD machines I don't have this freedom. Got to select servers and use them. If my selected server is buggy I have to diagnose and manually change the rc. settings, at least this is my way. For I hvn't yet found a way to do it fast and easy, the Eddie way.

Of course someone may pay for a VPN service and at the same time consider Eddie untrusty, or may use cubesOs in his everyday work and bridge VPNs and Tor chains. This is not me!


Well, I noticed there are new tgz Eddie packages available. Those packages include OpenVPN 2.4.6. I do not have access to my Slackware system right now, but I will try the new packages and see if that solves the issue.

I fully expect the issue is now fixed with Eddie version 2.14_5.

EDIT: Yes, the new version solves the issue.

John
