quorion 0 Posted ...

Why custom OVPN directives are disabled in eddie source code from 2.18.9 version? I need custom OVPN directives! I can't use eddie's netblock. I need the maximum security guaranteed by my custom scripts. Please, fix it. Thank you very much.

OpenSourcerer 1435 Posted ...

A few people hinted at this behavior which clearly is a bug, but not yet confirmed by the developers. Can't understand the other thing, though. NetLock doesn't work? What custom scripts and what are they doing exactly? Bit of an uncertainty, there.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

Staff 9972 Posted ...

@quorion Hello! What is your Operating System exact version? Do you experience problems with OpenVPN custom directives, events or both?

About events: since Eddie 2.18 events open a shell with your user privileges and run inside that shell what you specify with your user privileges and no more with superuser privileges. It's an essential security feature, it was too reckless and dangerous to run any event with root/administrator privileges. Now it's users' responsibility to escalate privileges, when absolutely necessary, from a binary or a script linked to an event.

Kind regards

hovialobo2 0 Posted ...

Hello staff, I have the same needs as giganerd. This is my problem:

On Debian Buster, in eddie-ui preferences:

OVPN directives external files: /tmp/directives_test
Append Custom directives

/tmp/directives_test

~~~
script-security 2
up /usr/local/bin/up.sh
down /usr/local/bin/down.sh
~~~

/usr/local/bin/up.sh (Permissions 755)

~~~
#!/bin/bash
echo "Running up.sh"
# everyone can write in /tmp
echo "Hello world" > /tmp/up.log
~~~

/usr/local/bin/down.sh (Permissions 755)

~~~
#!/bin/bash
echo "Running down.sh"
# everyone can write in /tmp
echo "Hello world" > /tmp/down.log
~~~

Run eddie-ui version 2.18.9 and 2.19.2: there aren't messages from echo command in eddie-ui's log and /tmp/up.log, /tmp/down.log are missing. New fresh install.

Run eddie-ui old stable version 2.16.3 (same options). In eddie-ui's log there are the messages from echo command and /tmp/up.log, /tmp/down.log are ok.

I really need it to work. Thank you for all your help.

Staff 9972 Posted ...

Hello! "up" and "down" are no more allowed by Eddie. Consider to replace them with Eddie's events (VPN Up, VPN down), so you are sure that the scripts or binaries run by the events are NOT run with superuser privileges. OpenVPN would run them with superuser privileges, which is very risky and makes your system vulnerable to attacks aimed to privilege escalation.

Kind regards

hovialobo2 0 Posted ...

@Staff

1 hour ago, Staff said:
> "up" and "down" are no more allowed by Eddie.

OpenVPN exports a series of environmental variables for use by user-defined scripts, in 'up' and 'down' (man openvpn). I use those environmental variables in my scripts 'up' and 'down'. Are those variables available in Eddie's events (VPN Up, VPN down)? I really need them. Thank you.

ravenkor 0 Posted ...

17 hours ago, Staff said:
> "up" and "down" are no more allowed by Eddie.

Without 'up' and 'down' directives, eddie is too limited. Eddie's events (VPN Up, VPN down) do not replace OVPN directives ('up' and 'down'). Fix it.

Staff 9972 Posted ...

@ravenkor The surface attack would increase dramatically, therefore it's unlikely that they will be re-allowed in the future. If you know exactly what you're doing and you have understood how your scenario might be exploited to escalate privileges and gain control of your machine by an attacker who could manage to break in with limited (normal user) privileges, consider to run OpenVPN directly (without Eddie) so you can have a granular as well as thorough control of your security environment.

Kind regards

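For readers who take the suggestion above and run OpenVPN directly: the following is an added example, not part of the thread and not Eddie or AirVPN code. It reads an OpenVPN config, finds script hooks (`up` and `down` as in the thread, plus `route-up`, `route-pre-down` and `ipchange`, which go beyond it) and flags any script or script directory that a non-root user could modify, since OpenVPN would run that script with superuser privileges. The function names `classify_path` and `audit_config` are hypothetical.

```shell
#!/bin/sh
# Added example: audit OpenVPN script hooks before OpenVPN runs them as root.

# classify_path PATH -> missing | writable | nonroot-owner | ok
classify_path() {
    [ -e "$1" ] || { echo missing; return 0; }
    # "ls -ldnL" output starts with the mode string; field 3 is the numeric owner.
    # -L follows symlinks so the target's permissions are the ones judged.
    set -- $(ls -ldnL -- "$1")
    case $1 in
        ?????w*|????????w*) echo writable; return 0 ;;  # group or other write bit
    esac
    if [ "$3" = 0 ]; then echo ok; else echo nonroot-owner; fi
}

# audit_config FILE -> one "<directive> <script> <verdict>" line per hook;
# returns 1 when any hook gets a verdict other than "ok".
audit_config() {
    rc=0
    while read -r directive cmd rest; do
        case $directive in
            up|down|route-up|route-pre-down|ipchange) ;;
            *) continue ;;
        esac
        cmd=${cmd#\"}; cmd=${cmd%\"}    # strip quotes around a bare path
        verdict=$(classify_path "$cmd")
        if [ "$verdict" = ok ]; then
            # whoever can write the directory can replace the script itself
            [ "$(classify_path "$(dirname -- "$cmd")")" = ok ] || verdict=unsafe-dir
        fi
        echo "$directive $cmd $verdict"
        [ "$verdict" = ok ] || rc=1
    done < "$1"
    return "$rc"
}

# Usage: sh audit.sh /path/to/config.ovpn
if [ "$#" -gt 0 ]; then audit_config "$1"; fi
```

Only `ok` means the hook and its directory are owned by root and not writable by group or others; a directory such as /tmp is reported as `unsafe-dir`.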