Page 1 of 1

OpenVPN 2.1 requires '--script-security 2' or higher...

Posted: Sat Dec 04, 2010 4:23 am
by DasFox
Ok I'm an OpenVPN newbie, I'm just using OpenVPN to connect to services for anonymity is all.

I'm running Linux and I place the certs, key and .opvn files under /etc/openvpn

Then I typically run openvpn from the terminal as;

openvpn --script-security 0 --auth-nocache --config /etc/openvpn/keys/openvpn.ovpn --ca /etc/openvpn/certs/ca.crt --comp-lzo yes

Or sometimes as --script-security 0, or --script-security 2

Since I'm just a end-user connecting only to an anonymous VPN service do I really need to run my script like this?

Or should I just run it as; ( Do I need the --script-security, what's that all about?)

openvpn --auth-nocache --config /etc/openvpn/keys/openvpn.ovpn --ca /etc/openvpn/certs/ca.crt --comp-lzo yes

Also if the server has in the .opvn file 'comp-lzo' then in order for me to take advantage of compression I run in the cmd line - --comp-lzo yes?


Re: OpenVPN 2.1 requires '--script-security 2' or higher...

Posted: Wed Dec 29, 2010 5:56 am
by DasFox
Can someone please tell me if I get the config files from a VPN service for Linux do I need to then run --script-security I don't understand this script-security?

Right now when starting OpenVPN in Linux this is all I typically run;

openvpn --auth-nocache --config /etc/openvpn/config.conf --ca /etc/openvpn/certs/ca.crt


Re: OpenVPN 2.1 requires '--script-security 2' or higher...

Posted: Wed Dec 29, 2010 6:08 am
by ecrist
Check out the man page. There is a section specifically talking about --script-security and what it is used for.

We really can't tell you much more without seeing your config files. --comp-lzo needs to be enabled at both ends to make use of compressions. All the --option options can be put in your config file, by the way, so you only need to run:

Code: Select all

$ openvpn --config /path/to/config.conf
Hope this helps.

Re: OpenVPN 2.1 requires '--script-security 2' or higher...

Posted: Wed Dec 29, 2010 7:21 am
by DasFox
I read the man page but to me it doesn't say much, tell me much, other then when I see what the different numbers represent, like 1 as example, 1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh. This makes me think to use this so that nothing can try to run and create an attack against me trying to run something else... Of course since I don't understand this, then I'm not sure...

For looking at the config files, well consider you are going to pay $10 a month to some VPN service you found on the web that you are going to use, so you are just going to run openvpn --config /path/to/config.conf is all?

I have no particular config files to show I'm just testing out some services...

I've run openvpn --config /path/to/config.conf before and it always complaines about the path for the .crt and this has happened with every VPN service I have tried.

I get a message like this;

Tue Dec 28 21:43:28 2010 Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations): error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Tue Dec 28 21:43:28 2010 Exiting

So that is why I always run it as; openvpn --auth-nocache --config /etc/openvpn/config.conf --ca /etc/openvpn/certs/ca.crt


Re: OpenVPN 2.1 requires '--script-security 2' or higher...

Posted: Wed Dec 29, 2010 2:36 pm
by ecrist
You need to use the full path to your SSL certificates in the config file. It is possible to use paths relative to the config file, but we recommend using full paths to avoid any problems.

Regarding the script security config option, it's referring to local scripts. What this means is, if you have a local script to setup DNS or additional routing, or other things, you need to enable script-security 2. I am guessing you don't run such a script, and can probably omit that option. This is only a warning in any case.