Firewall Problem - My job is on the line
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVPN User
- Posts: 25
- Joined: Fri Dec 24, 2021 4:50 pm
Firewall Problem - My job is on the line
Hi there, I must figure this out. Any help is appreciated!
Facts: 1 client config, with 10 remote servers and option "remote-random". (All remote servers use port 1194)
Problem: We need iptable rules to allow specific server port and IP to be inserted BEFORE the VPN connects, but can't know the IP until AFTER remote-random executes.
Expectation: --up script to grep port and ip right after remote-random has chosen a remote server and add rules before TUN/TAP is opened.
Dirty alternative: remove "remote-random", use external script to shuffle remote server entries and place random entry at the top, then pass that IP to iptable rules.
There has to be a better way though, right?
Last edited by tunnel_boar on Fri Dec 24, 2021 10:17 pm, edited 1 time in total.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
tunnel_boar wrote: ↑Fri Dec 24, 2021 5:26 pm
Expectation: --up script to grep port and ip right after remote-random has chosen a remote server and add rules before TUN/TAP is opened
You read the manual for --up ?
Definitely.
Better get your interview suit dry-cleaned..
-
- OpenVPN User
- Posts: 25
- Joined: Fri Dec 24, 2021 4:50 pm
Re: Firewall Problem - My job is on the line
Hello, @TinCanTech!
Lol, I already brought it to my dry cleaning guy. Our boss/professor asked if somebody can solve this and I was first (loudest) to say yes. It's a "privacy" exercise to create the most secure tunnel possible using only FOSS.
I already have the client/server configs down, and iptables are my specialty, so that's as restrictive as possible too.
Been reading OpenVPN documentation since noon and there is nothing about a pre-up script or the ability to get a return value from remote-random. (I found a feature request though lol)
I tried compiling version 2.5, adding a pipe of $REMOTE_RAN to a txt, but debug shows the variable is null. Gonna play with that some more.
Any push in the right direction would be a godsend.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
Professor of ..... Silly walks .. ?
-
- OpenVPN User
- Posts: 25
- Joined: Fri Dec 24, 2021 4:50 pm
Re: Firewall Problem - My job is on the line
Nope, Professor X.
Bald guy, drives a Tesla.
Come on man, share that Christmas miracle with me. I've tried everything here.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
If I tell you then you have not done anything and you will steal my credit.
I don't see any point to an education which is taken so lightly ..
-
- OpenVPN User
- Posts: 25
- Joined: Fri Dec 24, 2021 4:50 pm
Re: Firewall Problem - My job is on the line
If the solution is in the docs and I just missed it, please tell me which entry.
If it's a hack you cooked up I'd be happy to fully credit you of course or maybe just a hint would be fine.
You'll be able to find these submissions on the freedom research project site 2022, it's meant for people who live under oppressive governments and regimes.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
tunnel_boar wrote: ↑Fri Dec 24, 2021 9:35 pm
You'll be able to find these submissions on the freedom research project site 2022
duckduckgo search is inconclusive.
tunnel_boar wrote: ↑Fri Dec 24, 2021 9:35 pm
If the solution is in the docs and I just missed it, please tell me which entry
There is no such documentation.
For two reasons:
- OpenVPN is FOSS and all the documentation is written by volunteers. Nobody volunteered.
- Figure it out .. This is left as an exercise for the reader..
tunnel_boar wrote: ↑Fri Dec 24, 2021 9:35 pm
If it's a hack you cooked up I'd be happy to fully credit you of course or maybe just a hint would be fine.
It's a standard approach and it's not even difficult..
As a hint, I'll leave you with this: You are looking at the problem arse about face .. good luck
-
- OpenVPN User
- Posts: 25
- Joined: Fri Dec 24, 2021 4:50 pm
Re: Firewall Problem - My job is on the line
TinCanTech wrote: ↑Fri Dec 24, 2021 9:47 pm
- OpenVPN is FOSS and all the documentation is written by volunteers.
Right, by people who believe information should be free.
You're like Darth Sidious, hoarding knowledge.
I have helped countless people on various forums and mailing lists, because that's what we do in this community.
Nobody is expecting a spoon feed, but a reasonable hint is common courtesy.
What you are doing is pretty much the antithesis to the FOSS spirit.
-
- OpenVPN User
- Posts: 25
- Joined: Fri Dec 24, 2021 4:50 pm
Re: Firewall Problem - My job is on the line
In case somebody is looking for the solution, here's the pre-up patch:
https://community.openvpn.net/openvpn/ticket/284#no1
I'm still trying to figure out how to get the server chosen by remote-random, if anyone would like to offer some advice, that'd be cool.
Code:
#!/usr/bin/env python3
# vim: ft=python :
#
# Talks to the OpenVPN management interface (expects "management localhost 5194"
# and "management-hold" in the client config): waits for the hold notification,
# runs pre-connect code, then releases the hold so openvpn may connect.

import datetime
import sys
import telnetlib
import time
import traceback

def retry_telnet_obj():
    # Keep retrying until openvpn has opened its management port
    while True:
        try:
            return telnetlib.Telnet("localhost", 5194)
        except ConnectionRefusedError:
            time.sleep(5)

tel = retry_telnet_obj()

def management_loop():
    should_die = False
    while not should_die:
        try:
            result = tel.expect([b">HOLD:Waiting"])
            if result[0] != -1:
                print(datetime.datetime.now().strftime("%H:%M"), "openvpn is waiting on a hold release")
                # Placeholder left by the author on purpose: replace it with the pre-connect work
                raise Exception("Replace this line with whatever you need to run as pre-connect code (use subprocess.call() to run external programs)")
                tel.write(b"hold release\n")
                print(datetime.datetime.now().strftime("%H:%M"), "right, off you go")
        except Exception as err:
            # EOFError just means openvpn closed the management connection; anything else is printed
            if not isinstance(err, EOFError):
                traceback.print_exc()
            should_die = True

try:
    while True:
        management_loop()
        # openvpn went away (restart or reconnect); reconnect to the management port and carry on
        tel.close()
        tel = retry_telnet_obj()
except KeyboardInterrupt:
    tel.close()
    sys.exit()
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
You are still doing it wrong.
And guilt-tripping me does not work.
ciao
-
- OpenVPN User
- Posts: 25
- Joined: Fri Dec 24, 2021 4:50 pm
Re: Firewall Problem - My job is on the line
TinCanTech wrote: ↑Fri Dec 24, 2021 11:08 pm
You are still doing it wrong.
And guilt-tripping me does not work.
ciao
Great, patent your brilliant solution, but stop trolling.
You're dropping one-liners on pretty much 70% of the posts here while having a good laugh. It's getting old.
If someone wants to help out, I'll be checking back daily.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
I was helping and then you tried to guilt me into giving you what you wanted .. like a petulant child would.
And that is the reason that I don't give to suckers like you.
The same reason that Santa Claus leaves coal for naughty children.
-
- OpenVPN User
- Posts: 25
- Joined: Fri Dec 24, 2021 4:50 pm
Re: Firewall Problem - My job is on the line
Most definitely, thanks for the help. I wish you happy holidays with all your loved ones.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
May you be warmed by the coals which you so richly deserve this festive season.
FYI: David Sommerseth is correct and you should do well to follow his advice.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
One final seasonal tip: Don't use openvpn to randomise your shit .. do it yourself.
If you do it this way then you will have the control you desire.
If your Professor is worth his salt then that is probably the answer he was looking for. (he/she, what-ever)
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
And for the record: My job is on the line ... is immediate guilt-trip ..
You shot yourself in the foot before we had a chance to respond.
You f'ed up .. and you claim to know a professor ... do you see the shit we have to put up with ?
I haven't even hit you with the "how to ask a question" thread ...
And then there is http://catb.org/~esr/faqs/smart-questions.html
I think you have spent too long under your rock to continue to ignore reality any longer ..
-
- OpenVPN User
- Posts: 25
- Joined: Fri Dec 24, 2021 4:50 pm
Re: Firewall Problem - My job is on the line
Sure, I already did that (mentioned in OP). I wrote a function that reads the remote servers into an array, randomizes them by index and then reinserts, but this is extremely dirty.
A slightly cleaner way is to just have all servers in a txt, use shuf, then sed to reinsert and finally grab the ip, this works too.
I just thought this could be solved internally with a return from remote-random or smth like a simple grep from OpenVPN stdout.
Edit: Fine, my job is probably not on the line, geez. It's just a little clickbait, like you do.
The assignment is real though, and so is the research project.
Relax boomer, you're also not the archangel of Nazareth here.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
When a loser click-baits and guilt-trips me into this sort of shit then they deserve everything they get ..
Just like you got .. Double barrelled. And intentionally so ..
But .. putting all that aside,
what you are trying to do with openvpn `grep/log` is not logically possible, unless you want to hack the source code ..
It is also a stupid idea when you consider the right approach.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Firewall Problem - My job is on the line
tunnel_boar wrote: ↑Fri Dec 24, 2021 7:56 pm
Our boss/professor asked if somebody can solve this and I was first (loudest) to say yes
Regrets .. ?
If your boss has the back-bone to pay for the answer and not extort it then I'll provide you with what you need.
FOSS needs food too ..