[SOLVED] Windows 10 Client & Script Hooks

How to customize and extend your OpenVPN installation.
Post Reply
DapperDave
OpenVpn Newbie
Posts: 9
Joined: Thu Jan 09, 2020 8:43 pm

[SOLVED] Windows 10 Client & Script Hooks

Post by DapperDave » Tue Jan 14, 2020 5:52 pm

I'm a Linux guy who is having a difficult time solving a permissions issue (at least that's what I think it is). The Windows 10 version is 1909 and the OpenVPN community versions is 2.4.8. The problem is my cmd scripts used to work in Windows but now they have stopped. OpenVPN has no problem assigning the pushed ip's and routes for the Tap device, however it will no longer execute scripts on Windows 10 clients. The scripts work fine from the user and administrator command prompts (currently I am only writing to a file), but when OpenVPN calls the scripts I get errors in the log and the scripts have not written to the file. This is the feedback from the OpenVPN log;

Code: Select all

Tue Jan 14 09:00:04 2020 us=682202 C:\Users\david\OpenVPN\config\david\scripts\client-tap.cmd Tap 1500 1584 192.168.252.216 255.255.255.192 init
Tue Jan 14 09:00:04 2020 us=682202 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
This is the client configuration

Code: Select all

client
dev tapbr0
dev-node Tap
resolv-retry infinite
remote 192.168.111.129 1194 udp
lport 1193
lladdr aa:aa:aa:aa:aa:aa
writepid "C:\\Users\\david\\OpenVPN\\log\\tapbr0.pid"

# control of devices and routing paused until hook script resolved
# server pushes ip addresses and routes
#route-noexec
#ifconfig-noexec
script-security 2
up            		"C:\\Users\\david\\OpenVPN\\config\\david\\scripts\\client-tap.cmd"
#route-up      	"C:\\Users\\david\\OpenVPN\\config\\david\\scripts\\client-tap.cmd"
#route-pre-down  "C:\\Users\\david\\OpenVPN\\config\\david\\scripts\\client-tap.cmd"
#down          	"C:\\Users\\david\\OpenVPN\\config\\david\\scripts\\client-tap.cmd"

remote-cert-tls server
ca          "C:\\Users\\david\\OpenVPN\\config\\david\\ca.crt"
cert        "C:\\Users\\david\\OpenVPN\\config\\david\\david.crt"
key         "C:\\Users\\david\\OpenVPN\\config\\david\\david.key"
tls-auth    "C:\\Users\\david\\OpenVPN\\config\\david\\ta.key" 1

# Tried with and without user/group
user david
group administrators

persist-key
persist-tun
mute-replay-warnings
keepalive 10 120
cipher AES-256-CBC
auth SHA256
status      "C:\\Users\\david\\OpenVPN\\log\\david-status"
verb 10
log         "C:\\Users\\david\\OpenVPN\\log\\david.log"
verb 4
explicit-exit-notify 1
I have chased down the 'System" errors in the event viewer, assigning ownership of the CLSID/APPID keys to 'administrators' and then elevating 'launch, activation, and access' permissions for 'ShellServiceHost' and 'Immersive Shell' in component services for all users the errors requested, including "local service" and "system". Now the system logs show warnings that current permissions for 'NT AUTHORITY\SYSTEM' does not have permission to 'do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection, Windows.SecurityCenter.WscBrokerManager and Windows.SecurityCenter.SecurityAppBroker'. Searching the in registry I found the keys for these COM applications and changed ownership to 'administrators', but I can not find where to elevate launch permissions as they are not in 'component services'. All of these errors coincide with the rebooting of the machine.

After looking carefully through the event viewer I found errors coinciding with the running of the OpenVPN executables, they are located in 'App and Service logs-> Microsoft-> Windows-> Security-LessPriviledgedAppContainer';

Code: Select all

Access to the a resource has been denied for a less privileged app container at ‎2020‎-‎01‎-‎14T17:16:14.938755000Z (StackHash: 0xA0A5A162).
From this error I am assuming the OpenVPN executables have been relegated to a 'less privileged sandbox', and the running of scripts isn't allowed. I can't find where to elevate the privlages of the app or app containers (I have set all instances of executables and shortcuts to 'run as administrator'). Has anyone else run into this problem? I can't find this topic in the forum so it may just be me (egads!). Any help or insight would be greatly appreciated. Thanks, Dave
Last edited by DapperDave on Wed Jan 15, 2020 2:55 am, edited 3 times in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7579
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows 10 Client & Script Hooks

Post by TinCanTech » Tue Jan 14, 2020 6:31 pm

Are you using the OpenVPN-GUI to start your VPN client ?

If so try from an administrator cmd prompt instead. Let me know if that helps ..

DapperDave
OpenVpn Newbie
Posts: 9
Joined: Thu Jan 09, 2020 8:43 pm

Re: Windows 10 Client & Script Hooks

Post by DapperDave » Tue Jan 14, 2020 7:44 pm

Hi TinCanTech, thank-you for your prompt response. I have tried running both the gui and service/daemon openvpn instances from the administrator command prompt;

"c:\program files\openvpn\bin\openvpn.exe" --config "c:\users\david\openvpn\config\david\david.ovpn"
"c:\program files\openvpn\bin\openvpn-gui.exe" --config "c:\users\david\openvpn\config\david\david.ovpn"

I have also tried running the service/daemon as an "elevated privilege" task when the wireless connects to the target SSID. All with the same result, the script doesn't write to the file, the ovpn log shows the 'env_block' error and the 'event viewer' shows the LessPriviledgedAppContainer error as described.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7579
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows 10 Client & Script Hooks

Post by TinCanTech » Tue Jan 14, 2020 8:09 pm

DapperDave wrote:
Tue Jan 14, 2020 7:44 pm
"c:\program files\openvpn\bin\openvpn.exe" --config "c:\users\david\openvpn\config\david\david.ovpn"
What does the complete --log at --verb 4 show for this ?


Please see:
viewtopic.php?f=30&t=22603#p68963

DapperDave
OpenVpn Newbie
Posts: 9
Joined: Thu Jan 09, 2020 8:43 pm

Re: Windows 10 Client & Script Hooks

Post by DapperDave » Tue Jan 14, 2020 8:25 pm

Here is the OpenVPN log @ vebosity 4

Code: Select all

Tue Jan 14 10:30:17 2020 NOTE: --user option is not implemented on Windows
Tue Jan 14 10:30:17 2020 NOTE: --group option is not implemented on Windows
Tue Jan 14 10:30:17 2020 us=37904 Current Parameter Settings:
Tue Jan 14 10:30:17 2020 us=37904   config = 'david.ovpn'
Tue Jan 14 10:30:17 2020 us=37904   mode = 0
Tue Jan 14 10:30:17 2020 us=37904   show_ciphers = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   show_digests = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   show_engines = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   genkey = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   key_pass_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   show_tls_ciphers = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   connect_retry_max = 0
Tue Jan 14 10:30:17 2020 us=37904 Connection profiles [0]:
Tue Jan 14 10:30:17 2020 us=37904   proto = udp
Tue Jan 14 10:30:17 2020 us=37904   local = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   local_port = '1868'
Tue Jan 14 10:30:17 2020 us=37904   remote = '192.168.252.193'
Tue Jan 14 10:30:17 2020 us=37904   remote_port = '1867'
Tue Jan 14 10:30:17 2020 us=37904   remote_float = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   bind_defined = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   bind_local = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   bind_ipv6_only = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   connect_retry_seconds = 5
Tue Jan 14 10:30:17 2020 us=37904   connect_timeout = 120
Tue Jan 14 10:30:17 2020 us=37904   socks_proxy_server = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   socks_proxy_port = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   tun_mtu = 1500
Tue Jan 14 10:30:17 2020 us=37904   tun_mtu_defined = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   link_mtu = 1500
Tue Jan 14 10:30:17 2020 us=37904   link_mtu_defined = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   tun_mtu_extra = 32
Tue Jan 14 10:30:17 2020 us=37904   tun_mtu_extra_defined = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   mtu_discover_type = -1
Tue Jan 14 10:30:17 2020 us=37904   fragment = 0
Tue Jan 14 10:30:17 2020 us=37904   mssfix = 1450
Tue Jan 14 10:30:17 2020 us=37904   explicit_exit_notification = 1
Tue Jan 14 10:30:17 2020 us=37904 Connection profiles END
Tue Jan 14 10:30:17 2020 us=37904   remote_random = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   ipchange = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   dev = 'tapbr0'
Tue Jan 14 10:30:17 2020 us=37904   dev_type = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   dev_node = 'Tap'
Tue Jan 14 10:30:17 2020 us=37904   lladdr = '86:3a:4b:12:a6:32'
Tue Jan 14 10:30:17 2020 us=37904   topology = 1
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_local = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_remote_netmask = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_noexec = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_nowarn = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_ipv6_local = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_ipv6_netbits = 0
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_ipv6_remote = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   shaper = 0
Tue Jan 14 10:30:17 2020 us=37904   mtu_test = 0
Tue Jan 14 10:30:17 2020 us=37904   mlock = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   keepalive_ping = 10
Tue Jan 14 10:30:17 2020 us=37904   keepalive_timeout = 120
Tue Jan 14 10:30:17 2020 us=37904   inactivity_timeout = 0
Tue Jan 14 10:30:17 2020 us=37904   ping_send_timeout = 10
Tue Jan 14 10:30:17 2020 us=37904   ping_rec_timeout = 120
Tue Jan 14 10:30:17 2020 us=37904   ping_rec_timeout_action = 2
Tue Jan 14 10:30:17 2020 us=37904   ping_timer_remote = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   remap_sigusr1 = 0
Tue Jan 14 10:30:17 2020 us=37904   persist_tun = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   persist_local_ip = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   persist_remote_ip = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   persist_key = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   passtos = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   resolve_retry_seconds = 1000000000
Tue Jan 14 10:30:17 2020 us=37904   resolve_in_advance = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   username = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   groupname = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   chroot_dir = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   cd_dir = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   writepid = 'C:\Users\david\OpenVPN\log\tapbr0.pid'
Tue Jan 14 10:30:17 2020 us=37904   up_script = 'C:\Users\david\OpenVPN\config\david\scripts\client-tap.cmd'
Tue Jan 14 10:30:17 2020 us=37904   down_script = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   down_pre = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   up_restart = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   up_delay = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   daemon = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   inetd = 0
Tue Jan 14 10:30:17 2020 us=37904   log = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   suppress_timestamps = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   machine_readable_output = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   nice = 0
Tue Jan 14 10:30:17 2020 us=37904   verbosity = 4
Tue Jan 14 10:30:17 2020 us=37904   mute = 0
Tue Jan 14 10:30:17 2020 us=37904   gremlin = 0
Tue Jan 14 10:30:17 2020 us=37904   status_file = 'C:\Users\david\OpenVPN\log\david-status'
Tue Jan 14 10:30:17 2020 us=37904   status_file_version = 1
Tue Jan 14 10:30:17 2020 us=37904   status_file_update_freq = 60
Tue Jan 14 10:30:17 2020 us=37904   occ = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   rcvbuf = 0
Tue Jan 14 10:30:17 2020 us=37904   sndbuf = 0
Tue Jan 14 10:30:17 2020 us=37904   sockflags = 0
Tue Jan 14 10:30:17 2020 us=37904   fast_io = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   comp.alg = 0
Tue Jan 14 10:30:17 2020 us=37904   comp.flags = 0
Tue Jan 14 10:30:17 2020 us=37904   route_script = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   route_default_gateway = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   route_default_metric = 0
Tue Jan 14 10:30:17 2020 us=37904   route_noexec = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   route_delay = 5
Tue Jan 14 10:30:17 2020 us=37904   route_delay_window = 30
Tue Jan 14 10:30:17 2020 us=37904   route_delay_defined = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   route_nopull = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   route_gateway_via_dhcp = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   allow_pull_fqdn = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   Pull filters:
Tue Jan 14 10:30:17 2020 us=37904     ignore "route-method"
Tue Jan 14 10:30:17 2020 us=37904   management_addr = '127.0.0.1'
Tue Jan 14 10:30:17 2020 us=37904   management_port = '25340'
Tue Jan 14 10:30:17 2020 us=37904   management_user_pass = 'stdin'
Tue Jan 14 10:30:17 2020 us=37904   management_log_history_cache = 250
Tue Jan 14 10:30:17 2020 us=37904   management_echo_buffer_size = 100
Tue Jan 14 10:30:17 2020 us=37904   management_write_peer_info_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   management_client_user = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   management_client_group = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   management_flags = 6
Tue Jan 14 10:30:17 2020 us=37904   shared_secret_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   key_direction = 1
Tue Jan 14 10:30:17 2020 us=37904   ciphername = 'AES-256-CBC'
Tue Jan 14 10:30:17 2020 us=37904   ncp_enabled = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Tue Jan 14 10:30:17 2020 us=37904   authname = 'SHA256'
Tue Jan 14 10:30:17 2020 us=37904   prng_hash = 'SHA1'
Tue Jan 14 10:30:17 2020 us=37904   prng_nonce_secret_len = 16
Tue Jan 14 10:30:17 2020 us=37904   keysize = 0
Tue Jan 14 10:30:17 2020 us=37904   engine = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   replay = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   mute_replay_warnings = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   replay_window = 64
Tue Jan 14 10:30:17 2020 us=37904   replay_time = 15
Tue Jan 14 10:30:17 2020 us=37904   packet_id_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   use_iv = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   test_crypto = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   tls_server = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   tls_client = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   key_method = 2
Tue Jan 14 10:30:17 2020 us=37904   ca_file = 'C:\Users\david\OpenVPN\config\david\ca.crt'
Tue Jan 14 10:30:17 2020 us=37904   ca_path = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   dh_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   cert_file = 'C:\Users\david\OpenVPN\config\david\david.crt'
Tue Jan 14 10:30:17 2020 us=37904   extra_certs_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   priv_key_file = 'C:\Users\david\OpenVPN\config\david\david.key'
Tue Jan 14 10:30:17 2020 us=37904   pkcs12_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   cryptoapi_cert = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   cipher_list = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   cipher_list_tls13 = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   tls_cert_profile = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   tls_verify = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   tls_export_cert = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   verify_x509_type = 0
Tue Jan 14 10:30:17 2020 us=37904   verify_x509_name = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   crl_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   ns_cert_type = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 65535
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_ku[i] = 0
Tue Jan 14 10:30:17 2020 us=37904   remote_cert_eku = 'TLS Web Server Authentication'
Tue Jan 14 10:30:17 2020 us=37904   ssl_flags = 0
Tue Jan 14 10:30:17 2020 us=37904   tls_timeout = 2
Tue Jan 14 10:30:17 2020 us=37904   renegotiate_bytes = -1
Tue Jan 14 10:30:17 2020 us=37904   renegotiate_packets = 0
Tue Jan 14 10:30:17 2020 us=37904   renegotiate_seconds = 3600
Tue Jan 14 10:30:17 2020 us=37904   handshake_window = 60
Tue Jan 14 10:30:17 2020 us=37904   transition_window = 3600
Tue Jan 14 10:30:17 2020 us=37904   single_session = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   push_peer_info = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   tls_exit = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   tls_auth_file = 'C:\Users\david\OpenVPN\config\david\ta.key'
Tue Jan 14 10:30:17 2020 us=37904   tls_crypt_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_protected_authentication = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_private_mode = 00000000
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_cert_private = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_pin_cache_period = -1
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_id = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   pkcs11_id_management = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   server_network = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   server_netmask = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   server_network_ipv6 = ::
Tue Jan 14 10:30:17 2020 us=37904   server_netbits_ipv6 = 0
Tue Jan 14 10:30:17 2020 us=37904   server_bridge_ip = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   server_bridge_netmask = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   server_bridge_pool_start = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   server_bridge_pool_end = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_pool_defined = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_pool_start = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_pool_end = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_pool_netmask = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_pool_persist_refresh_freq = 600
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_ipv6_pool_defined = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_ipv6_pool_base = ::
Tue Jan 14 10:30:17 2020 us=37904   ifconfig_ipv6_pool_netbits = 0
Tue Jan 14 10:30:17 2020 us=37904   n_bcast_buf = 256
Tue Jan 14 10:30:17 2020 us=37904   tcp_queue_limit = 64
Tue Jan 14 10:30:17 2020 us=37904   real_hash_size = 256
Tue Jan 14 10:30:17 2020 us=37904   virtual_hash_size = 256
Tue Jan 14 10:30:17 2020 us=37904   client_connect_script = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   learn_address_script = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   client_disconnect_script = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   client_config_dir = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   ccd_exclusive = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   tmp_dir = 'C:\Users\david\AppData\Local\Temp\'
Tue Jan 14 10:30:17 2020 us=37904   push_ifconfig_defined = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   push_ifconfig_local = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   push_ifconfig_remote_netmask = 0.0.0.0
Tue Jan 14 10:30:17 2020 us=37904   push_ifconfig_ipv6_defined = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   push_ifconfig_ipv6_local = ::/0
Tue Jan 14 10:30:17 2020 us=37904   push_ifconfig_ipv6_remote = ::
Tue Jan 14 10:30:17 2020 us=37904   enable_c2c = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   duplicate_cn = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   cf_max = 0
Tue Jan 14 10:30:17 2020 us=37904   cf_per = 0
Tue Jan 14 10:30:17 2020 us=37904   max_clients = 1024
Tue Jan 14 10:30:17 2020 us=37904   max_routes_per_client = 256
Tue Jan 14 10:30:17 2020 us=37904   auth_user_pass_verify_script = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   auth_user_pass_verify_script_via_file = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   auth_token_generate = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   auth_token_lifetime = 0
Tue Jan 14 10:30:17 2020 us=37904   client = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   pull = ENABLED
Tue Jan 14 10:30:17 2020 us=37904   auth_user_pass_file = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   show_net_up = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   route_method = 3
Tue Jan 14 10:30:17 2020 us=37904   block_outside_dns = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   ip_win32_defined = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   ip_win32_type = 3
Tue Jan 14 10:30:17 2020 us=37904   dhcp_masq_offset = 0
Tue Jan 14 10:30:17 2020 us=37904   dhcp_lease_time = 31536000
Tue Jan 14 10:30:17 2020 us=37904   tap_sleep = 0
Tue Jan 14 10:30:17 2020 us=37904   dhcp_options = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   dhcp_renew = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   dhcp_pre_release = DISABLED
Tue Jan 14 10:30:17 2020 us=37904   domain = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   netbios_scope = '[UNDEF]'
Tue Jan 14 10:30:17 2020 us=37904   netbios_node_type = 0
Tue Jan 14 10:30:17 2020 us=37904   disable_nbt = DISABLED
Tue Jan 14 10:30:17 2020 us=37904 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Tue Jan 14 10:30:17 2020 us=37904 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jan 14 10:30:17 2020 us=37904 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Enter Management Password:
Tue Jan 14 10:30:17 2020 us=53535 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jan 14 10:30:17 2020 us=53535 Need hold release from management interface, waiting...
Tue Jan 14 10:30:17 2020 us=511662 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jan 14 10:30:17 2020 us=615486 MANAGEMENT: CMD 'state on'
Tue Jan 14 10:30:17 2020 us=615486 MANAGEMENT: CMD 'log all on'
Tue Jan 14 10:30:17 2020 us=800103 MANAGEMENT: CMD 'echo all on'
Tue Jan 14 10:30:17 2020 us=815726 MANAGEMENT: CMD 'bytecount 5'
Tue Jan 14 10:30:17 2020 us=815726 MANAGEMENT: CMD 'hold off'
Tue Jan 14 10:30:17 2020 us=815726 MANAGEMENT: CMD 'hold release'
Tue Jan 14 10:30:17 2020 us=815726 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Jan 14 10:30:17 2020 us=815726 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jan 14 10:30:17 2020 us=815726 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jan 14 10:30:17 2020 us=815726 Control Channel MTU parms [ L:1653 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Tue Jan 14 10:30:17 2020 us=815726 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Tue Jan 14 10:30:17 2020 us=815726 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1601,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Tue Jan 14 10:30:17 2020 us=815726 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1601,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Tue Jan 14 10:30:17 2020 us=815726 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.252.193:1867
Tue Jan 14 10:30:17 2020 us=815726 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jan 14 10:30:17 2020 us=815726 UDP link local (bound): [AF_INET][undef]:1868
Tue Jan 14 10:30:17 2020 us=815726 UDP link remote: [AF_INET]192.168.252.193:1867
Tue Jan 14 10:30:17 2020 us=815726 MANAGEMENT: >STATE:1579026617,WAIT,,,,,,
Tue Jan 14 10:30:17 2020 us=815726 MANAGEMENT: >STATE:1579026617,AUTH,,,,,,
Tue Jan 14 10:30:17 2020 us=815726 TLS: Initial packet from [AF_INET]192.168.252.193:1867, sid=802bf6f2 52790b73
Tue Jan 14 10:30:17 2020 us=831349 VERIFY OK: depth=1, C=CA, ST=BC, L=Kelowna, O=HomeNetwork, OU=Family, CN=gate, name=home.net, emailAddress=dlyon@synctl.com
Tue Jan 14 10:30:17 2020 us=831349 VERIFY KU OK
Tue Jan 14 10:30:17 2020 us=831349 Validating certificate extended key usage
Tue Jan 14 10:30:17 2020 us=831349 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jan 14 10:30:17 2020 us=831349 VERIFY EKU OK
Tue Jan 14 10:30:17 2020 us=831349 VERIFY OK: depth=0, C=CA, ST=BC, L=Kelowna, O=HomeNetwork, OU=Family, CN=gate, name=home.net, emailAddress=dlyon@synctl.com
Tue Jan 14 10:30:17 2020 us=862598 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Jan 14 10:30:17 2020 us=862598 [gate] Peer Connection Initiated with [AF_INET]192.168.252.193:1867
Tue Jan 14 10:30:18 2020 us=910569 MANAGEMENT: >STATE:1579026618,GET_CONFIG,,,,,,
Tue Jan 14 10:30:18 2020 us=910569 SENT CONTROL [gate]: 'PUSH_REQUEST' (status=1)
Tue Jan 14 10:30:18 2020 us=910569 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN home.net,dhcp-option DNS 192.168.252.194,dhcp-option NTP 192.168.252.194,sndbuf 393216,rcvbuf 393216,route-gateway dhcp,ping 10,ping-restart 120,ifconfig 192.168.252.216 255.255.255.192,peer-id 0,cipher AES-256-GCM'
Tue Jan 14 10:30:18 2020 us=910569 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jan 14 10:30:18 2020 us=910569 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Tue Jan 14 10:30:18 2020 us=910569 Socket Buffers: R=[65536->393216] S=[65536->393216]
Tue Jan 14 10:30:18 2020 us=910569 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jan 14 10:30:18 2020 us=910569 OPTIONS IMPORT: route-related options modified
Tue Jan 14 10:30:18 2020 us=910569 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jan 14 10:30:18 2020 us=910569 OPTIONS IMPORT: peer-id set
Tue Jan 14 10:30:18 2020 us=910569 OPTIONS IMPORT: adjusting link_mtu to 1656
Tue Jan 14 10:30:18 2020 us=910569 OPTIONS IMPORT: data channel crypto options modified
Tue Jan 14 10:30:18 2020 us=910569 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jan 14 10:30:18 2020 us=910569 Data Channel MTU parms [ L:1584 D:1450 EF:52 EB:411 ET:32 EL:3 ]
Tue Jan 14 10:30:18 2020 us=910569 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jan 14 10:30:18 2020 us=910569 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jan 14 10:30:18 2020 us=910569 interactive service msg_channel=620
Tue Jan 14 10:30:18 2020 us=910569 open_tun
Tue Jan 14 10:30:18 2020 us=910569 TAP-WIN32 device [Tap] opened: \\.\Global\{A3E6AFBC-C371-4381-BA91-08DDC3604DF4}.tap
Tue Jan 14 10:30:18 2020 us=910569 TAP-Windows Driver Version 9.24 
Tue Jan 14 10:30:18 2020 us=910569 TAP-Windows MTU=1500
Tue Jan 14 10:30:18 2020 us=926172 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.252.216/255.255.255.192 on interface {A3E6AFBC-C371-4381-BA91-08DDC3604DF4} [DHCP-serv: 192.168.252.192, lease-time: 31536000]
Tue Jan 14 10:30:18 2020 us=926172 DHCP option string: 0f08686f 6d652e6e 65740604 c0a8fcc2 2a04c0a8 fcc2
Tue Jan 14 10:30:18 2020 us=926172 Successful ARP Flush on interface [15] {A3E6AFBC-C371-4381-BA91-08DDC3604DF4}
Tue Jan 14 10:30:18 2020 us=941790 Sorry, but I don't know how to configure link layer addresses on this operating system.
Tue Jan 14 10:30:18 2020 us=941790 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jan 14 10:30:18 2020 us=941790 MANAGEMENT: >STATE:1579026618,ASSIGN_IP,,192.168.252.216,,,,
Tue Jan 14 10:30:18 2020 us=941790 C:\Users\david\OpenVPN\config\david\scripts\client-tap.cmd Tap 1500 1584 192.168.252.216 255.255.255.192 init
Tue Jan 14 10:30:18 2020 us=941790 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Tue Jan 14 10:30:24 2020 us=323429 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Tue Jan 14 10:30:24 2020 us=323429 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jan 14 10:30:24 2020 us=323429 Initialization Sequence Completed
Tue Jan 14 10:30:24 2020 us=323429 MANAGEMENT: >STATE:1579026624,CONNECTED,SUCCESS,192.168.252.216,192.168.252.193,1867,,
Tue Jan 14 10:30:32 2020 us=12467 TCP/UDP: Closing socket
Tue Jan 14 10:30:32 2020 us=12467 Closing TUN/TAP interface
Tue Jan 14 10:30:32 2020 us=64823 TAP: DHCP address released
Tue Jan 14 10:30:32 2020 us=111703 SIGTERM[soft,exit-with-notification] received, process exiting
Tue Jan 14 10:30:32 2020 us=111703 MANAGEMENT: >STATE:1579026632,EXITING,exit-with-notification,,,,,
Thanks, Dave

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7579
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows 10 Client & Script Hooks

Post by TinCanTech » Tue Jan 14, 2020 8:33 pm

I see no error, OpenVPN has run your script to completion.

DapperDave
OpenVpn Newbie
Posts: 9
Joined: Thu Jan 09, 2020 8:43 pm

Re: Windows 10 Client & Script Hooks

Post by DapperDave » Tue Jan 14, 2020 8:52 pm

Actually, no it doesn't. When I run the scripts from either the user or administrator command prompt, the scripts write to the file as prescribed. However, when OpenVPN is run, the file has not been written to, and the "env_block" error shows in the OpenVPN log and a "less privilaged app" error in the event viewer.

"Tue Jan 14 10:30:18 2020 us=941790 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem"

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7579
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows 10 Client & Script Hooks

Post by TinCanTech » Tue Jan 14, 2020 10:05 pm

DapperDave wrote:
Tue Jan 14, 2020 8:52 pm
When I run the scripts from either the user or administrator command prompt, the scripts write to the file as prescribed.
OK.
DapperDave wrote:
Tue Jan 14, 2020 8:52 pm
However, when OpenVPN is run, the file has not been written to
We can explorer that. Would need to see your script.
DapperDave wrote:
Tue Jan 14, 2020 8:52 pm
and the "env_block" error shows in the OpenVPN log
That is not an error.

Env_block is what Windows users commonly know as "set".
DapperDave wrote:
Tue Jan 14, 2020 8:52 pm
and a "less privilaged app" error in the event viewer.
This is curious but may not even be related.

OpenVPN has a particularity whereby it does not pass the parent process environmental variables to a child. (Unless otherwise configured to do so)

DapperDave
OpenVpn Newbie
Posts: 9
Joined: Thu Jan 09, 2020 8:43 pm

Re: Windows 10 Client & Script Hooks

Post by DapperDave » Wed Jan 15, 2020 2:20 am

Hi, here is the script, it's pretty basic as I just want it to run;

Code: Select all

@echo off
set path=%HOMEDRIVE%\users\%USERNAME%\OpenVPN
set log=%path%\log\tapbr0-script.log
echo "started %1 - %2 - %3 - %4 - %5 - %6 - %7" >> "%log%"
exit /B 0
when running from the command prompt "c:\users\david\openvpn\config\david\scripts\client-tap.cmd 10 20 30 40 50 60 70" it results in the file "c:\users\david\openvpn\logs\tapbr0-script.log" being created and written to with this as the contents;

Code: Select all

started 10 - 20 - 30 - 40 - 50 - 60 - 70
I delete this log and run openvpn, I get no file creation. If I leave the file I get no appending. I an sure the script is not running.

Thanks, Dave

DapperDave
OpenVpn Newbie
Posts: 9
Joined: Thu Jan 09, 2020 8:43 pm

Re: Windows 10 Client & Script Hooks

Post by DapperDave » Wed Jan 15, 2020 2:26 am

Okay, I feel like an idiot. The environmental variables are not available to openvpn. Once replaced with a hard string the script is writing...…
Thanks for your help...

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7579
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows 10 Client & Script Hooks

Post by TinCanTech » Wed Jan 15, 2020 2:57 am

Apart from myself, there are no idiots here :lol:

It is a security feature and so it trips many over. You got it now 8-)

OpenVPN would also like to know if you have any issues using the Windows GUI with your scripts.

tschoening
OpenVpn Newbie
Posts: 14
Joined: Tue Jan 28, 2020 7:47 pm

Re: Windows 10 Client & Script Hooks

Post by tschoening » Tue Jan 28, 2020 7:51 pm

DapperDave wrote:
Wed Jan 15, 2020 2:26 am
Okay, I feel like an idiot. The environmental variables are not available to openvpn. Once replaced with a hard string the script is writing...…
If you don't already know it, form my experience those kinds of problems can easily be debugged by running Process Monitor and looking at errors about wrong paths, insufficient permissions or simply be searching expected file names.

https://docs.microsoft.com/en-us/sysint ... ds/procmon

pinknemo13
OpenVpn Newbie
Posts: 1
Joined: Sat Mar 28, 2020 12:15 pm

Re: Windows 10 Client & Script Hooks

Post by pinknemo13 » Sat Mar 28, 2020 12:16 pm

TinCanTech wrote:
Tue Jan 14, 2020 6:31 pm
Are you using the OpenVPN-GUI to start your VPN client ?

If so try from an administrator cmd prompt instead. Let me know if that helps ..
Thanks, tried with admin CMD and it worked.

Regards

Post Reply