quorion

Custom OVPN Directives disabled from 2.18.9 version

Why custom OVPN directives are disabled in eddie source code from 2.18.9 version?

I need custom OVPN directives!

I can't use eddie's netblock. I need the maximum security guaranteed by my custom scripts.

Please, fix it. Thank you very much.


A few people hinted at this behavior which clearly is a bug, but not yet confirmed by the developers.

Can't understand the other thing, though. NetLock doesn't work? What custom scripts and what are they doing exactly? Bit of an uncertainty, there. :)


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

@quorion

Hello!

What is your Operating System exact version? Do you experience problems with OpenVPN custom directives, events or both?

About events: since Eddie 2.18, events open a shell with your user privileges and run what you specify inside that shell with your user privileges, no longer with superuser privileges. It's an essential security feature; it was too reckless and dangerous to run any event with root/administrator privileges. Now it's the users' responsibility to escalate privileges, when absolutely necessary, from a binary or a script linked to an event.

Kind regards
 


Hello staff,

I have the same needs as giganerd.

This is my problem:

On Debian Buster, in eddie-ui preferences:

OVPN directives external files: /tmp/directives_test
Append Custom directives

/tmp/directives_test

~~~
script-security 2
up /usr/local/bin/up.sh
down /usr/local/bin/down.sh
~~~

/usr/local/bin/up.sh
(Permissions 755)

~~~
#!/bin/bash

echo "Running up.sh"

# everyone can write in /tmp
echo "Hello world" > /tmp/up.log
~~~

/usr/local/bin/down.sh
(Permissions 755)

~~~
#!/bin/bash

echo "Running down.sh"

# everyone can write in /tmp
echo "Hello world" > /tmp/down.log
~~~

Running eddie-ui version 2.18.9 and 2.19.2: there are no messages from the echo command in eddie-ui's log, and /tmp/up.log and /tmp/down.log are missing.

New fresh install.

Running the old stable eddie-ui version 2.16.3 (same options): the messages from the echo command appear in eddie-ui's log, and /tmp/up.log and /tmp/down.log are OK.

I really need it to work. Thank you for all your help.
 

Edited ... by hovialobo2


Hello!

"up" and "down" are no longer allowed by Eddie. Consider replacing them with Eddie's events (VPN Up, VPN down), so you are sure that the scripts or binaries run by the events are NOT run with superuser privileges. OpenVPN would run them with superuser privileges, which is very risky and makes your system vulnerable to attacks aimed at privilege escalation.

Kind regards
 

@Staff
 
1 hour ago, Staff said:

"up" and "down" are no longer allowed by Eddie.



OpenVPN exports a series of environmental variables for use by user-defined scripts in 'up' and 'down' (man openvpn).

I use those environmental variables in my scripts 'up' and 'down'.

Are those variables available in Eddie's events (VPN Up, VPN down)? I really need them.

Thank you.


 

17 hours ago, Staff said:

"up" and "down" are no longer allowed by Eddie.

Without 'up' and 'down' directives, eddie is too limited.

Eddie's events (VPN Up, VPN down) do not replace OVPN directives ('up' and 'down').

Fix it.

@ravenkor

The attack surface would increase dramatically, therefore it's unlikely that they will be re-allowed in the future. If you know exactly what you're doing and you have understood how your scenario might be exploited to escalate privileges and gain control of your machine by an attacker who could manage to break in with limited (normal user) privileges, consider running OpenVPN directly (without Eddie) so you can have granular as well as thorough control of your security environment.

Kind regards
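
For readers who run OpenVPN directly with `up`/`down` hooks, as suggested above, this added example (not from any poster in the thread, and not Eddie or OpenVPN code) audits a config for hook scripts that a non-root user could modify, which is the privilege-escalation path the staff describes. It assumes GNU `stat` and an OpenVPN process started as root; the function names `check_path` and `audit_ovpn_hooks` are hypothetical.

```sh
#!/bin/sh
# Added example: audit an OpenVPN config for hook scripts that a non-root
# user could modify. Assumes GNU stat (as on Debian) and OpenVPN run as root.

# Script-running directives to look for (a subset; see man openvpn).
HOOKS='up|down|route-up|route-pre-down|ipchange|tls-verify'

# check_path LABEL PATH: print one finding per problem, nothing if clean.
check_path() {
    info=$(stat -c '%u %a' -- "$2" 2>/dev/null) || { echo "MISSING $1 $2"; return; }
    uid=${info% *}; mode=${info#* }
    # A hook owned by a normal user can be rewritten by that user.
    [ "$uid" -eq 0 ] || echo "NOT_ROOT_OWNED $1 $2 (uid $uid)"
    # Octal 022 = group-write and other-write permission bits.
    [ $((0$mode & 022)) -eq 0 ] || echo "GROUP_OR_WORLD_WRITABLE $1 $2 (mode $mode)"
}

# audit_ovpn_hooks CONFIG: print findings for every hook directive in CONFIG.
# Only the config file is read; options given on the command line are not seen.
audit_ovpn_hooks() {
    # script-security 2 or higher is what lets OpenVPN call user-defined scripts.
    level=$(awk '$1 == "script-security" { l = $2 } END { print l + 0 }' "$1")
    [ "$level" -ge 2 ] || { echo "INFO script-security below 2: user scripts not called"; return; }
    grep -E "^[[:space:]]*($HOOKS)[[:space:]]" "$1" | while read -r hook cmd rest; do
        cmd=${cmd#\"}; cmd=${cmd%\"}      # strip simple double quoting only
        check_path "$hook" "$cmd"
        # A writable parent directory lets the script file be replaced outright.
        check_path "$hook-dir" "$(dirname -- "$cmd")"
    done
}

# Stand-alone use: pass the config (or external directives file) as argument.
[ $# -eq 0 ] || audit_ovpn_hooks "$1"
```

Any `NOT_ROOT_OWNED` or `GROUP_OR_WORLD_WRITABLE` line means a process with normal user privileges could change what OpenVPN later executes as root.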
 
