Changes between Version 28 and Version 29 of MunichHackathon2013


Timestamp:
11/16/13 13:41:19 (11 years ago)
Author:
Gert Döring
Comment:

--

  • MunichHackathon2013

    v28 v29  
    132132      * handle overlapping IPv6 server address and pushed IPv6 routes ("2001:608::/32 and server inside 2001:608::/32 -> recursive routing").  This is done for IPv4 but not IPv6 yet.  Ask OS for default gateway, install route to OpenVPN server to that gateway, then install pushed routes.  Cleanup on exit.
    133133      * --block-ipv6 for mobile clients (blocking inside OpenVPN)
     134
     135* windows and the interactive service
     136   * privileged service running
     137   * GUI talks to service, service runs openvpn process with user rights, but restricted permissions against access from elsewhere
     138   * routes get installed by having openvpn signal the service that routes should be installed/removed/...
     139   
     140   * gain: users do not need to run gui with admin rights, and openvpn process does not run with admin rights
     141   * remaining attack angle: install unauthorized routes
     142   * it can be locked down by only permitting .ovpn profiles from a given non-user-writeable path (registry setting at installation)
     143
     144   * on XP, this is actually not needed (only Vista and up), so the installer could decide to not install the service at all, as network programming on XP needs "netsh" while Vista and up have a decent API for that.
     145   * "do not put any extra effort on XP, but do not break it on purpose"
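Review bot: the lockdown described in line 142 only closes the attack angle named in line 141 if both the registry setting and the profile directory are outside the unprivileged user's write access, and the notes should state whether the service enforces this by default or only when an administrator opts in at installation; as written, a reader cannot tell whether a default install still lets an unprivileged user get the privileged service to install arbitrary routes from a profile that user wrote. Line 137's "restricted permissions against access from elsewhere" would also benefit from naming what is restricted (which objects, against which principals), since that boundary is what the gain in line 140 depends on.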