Firewall Problem - My job is on the line

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Firewall Problem - My job is on the line

Post by tunnel_boar » Fri Dec 24, 2021 5:26 pm

Hi there, I must figure this out. Any help is appreciated! :(

Facts: 1 client config, with 10 remote servers and option "remote-random". (All remote servers use port 1194)

Problem: We need iptables rules to allow specific server port and IP to be inserted BEFORE the VPN connects, but can't know the IP until AFTER remote-random executes.

Expectation: --up script to grep port and ip right after remote-random has chosen a remote server and add rules before TUN/TAP is opened.

Dirty alternative: remove "remote-random", use external script to shuffle remote server entries and place random entry at the top, then pass that IP to iptables rules.

There has to be a better way though, right?
Last edited by tunnel_boar on Fri Dec 24, 2021 10:17 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Fri Dec 24, 2021 6:22 pm

tunnel_boar wrote:
Fri Dec 24, 2021 5:26 pm
Expectation: --up script to grep port and ip right after remote-random has chosen a remote server and add rules before TUN/TAP is opened
You read the manual for --up ?
tunnel_boar wrote:
Fri Dec 24, 2021 5:26 pm
There has to be a better way though, right?
Definitely.
tunnel_boar wrote:
Fri Dec 24, 2021 5:26 pm
My job is on the line
Better get your interview suit dry-cleaned..

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Fri Dec 24, 2021 7:56 pm

Hello, @TinCanTech!

Lol, I already brought it to my dry cleaning guy. :mrgreen: Our boss/professor asked if somebody can solve this and I was first (loudest) to say yes. It's a "privacy" exercise to create the most secure tunnel possible using only FOSS.

I already have the client/server configs down, and iptables are my specialty, so that's as restrictive as possible too.

Been reading OpenVPN documentation since noon and there is nothing about a pre-up script or the ability to get a return value from remote-random. (I found a feature request though lol)

I tried compiling version 2.5, adding a pipe of $REMOTE_RAN to a txt, but debug shows the variable is null. Gonna play with that some more.

Any push in the right direction would be a godsend.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Fri Dec 24, 2021 8:05 pm

tunnel_boar wrote:
Fri Dec 24, 2021 7:56 pm
Our boss/professor asked if somebody can solve this
Professor of ..... Silly walks .. ?

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Fri Dec 24, 2021 9:16 pm

Nope, Professor X.
Bald guy, drives a Tesla.

Come on man, share that Christmas miracle with me. I've tried everything here.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Fri Dec 24, 2021 9:19 pm

If I tell you then you have not done anything and you will steal my credit.

I don't see any point to an education which is taken so lightly ..

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Fri Dec 24, 2021 9:35 pm

If the solution is in the docs and I just missed it, please tell me which entry.

If it's a hack you cooked up I'd be happy to fully credit you of course or maybe just a hint would be fine.

You'll be able to find these submissions on the freedom research project site 2022, it's meant for people who live under oppressive governments and regimes.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Fri Dec 24, 2021 9:47 pm

tunnel_boar wrote:
Fri Dec 24, 2021 9:35 pm
You'll be able to find these submissions on the freedom research project site 2022
duckduckgo search is inconclusive.
tunnel_boar wrote:
Fri Dec 24, 2021 9:35 pm
If the solution is in the docs and I just missed it, please tell me which entry
There is no such documentation.

For two reasons:
  • OpenVPN is FOSS and all the documentation is written by volunteers. Nobody volunteered.
  • Figure it out .. This is left an exercise for the reader..
tunnel_boar wrote:
Fri Dec 24, 2021 9:35 pm
If it's a hack you cooked up I'd be happy to fully credit you of course or maybe just a hint would be fine.
It's a standard approach and it's not even difficult..

As a hint, I'll leave you with this: You are looking at the problem arse about face .. good luck :mrgreen:

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Fri Dec 24, 2021 10:01 pm

TinCanTech wrote:
Fri Dec 24, 2021 9:47 pm
  • OpenVPN is FOSS and all the documentation is written by volunteers.
Right, by people who believe information should be free.

You're like Darth Sidious, hoarding knowledge. :roll:

I have helped countless people on various forums and mailing lists, because that's what we do in this community.

Nobody is expecting a spoon feed, but a reasonable hint is common courtesy.
What you are doing is pretty much the antithesis to the FOSS spirit.

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Fri Dec 24, 2021 10:49 pm

In case somebody is looking for the solution, here's the pre-up patch:
https://community.openvpn.net/openvpn/ticket/284#no1

I'm still trying to figure out how to get the server chosen by remote-random, if anyone would like to offer some advice, that'd be cool.


```python
#!/usr/bin/env python3
# vim: ft=python :
#
# Pre-connect hook via the OpenVPN management interface. The client config
# must contain "management localhost 5194" and "management-hold", so that
# openvpn starts paused and prints ">HOLD:Waiting for hold release" until
# this script sends "hold release".

import datetime
import sys
import telnetlib  # deprecated since Python 3.11, removed in 3.13; a plain socket does the same job
import time
import traceback


def now():
    return datetime.datetime.now().strftime("%H:%M")


def retry_telnet_obj():
    # Loop instead of recursing so a long openvpn outage cannot exhaust
    # the interpreter's recursion limit.
    while True:
        try:
            return telnetlib.Telnet("localhost", 5194)
        except ConnectionRefusedError:
            time.sleep(5)


tel = retry_telnet_obj()


def management_loop():
    should_die = False
    while not should_die:
        try:
            # expect() returns (index, match, data); index is -1 on no match
            result = tel.expect([b">HOLD:Waiting"])
            if result[0] != -1:
                print(now(), "openvpn is waiting on a hold release")
                raise Exception("Replace this line with whatever you need to run as pre-connect code (use subprocess.call() to run external programs)")
                tel.write(b"hold release\n")
                print(now(), "right, off you go")
        except Exception as err:
            # EOFError only means openvpn went away; anything else is reported
            if not isinstance(err, EOFError):
                traceback.print_exc()
            should_die = True


try:
    while True:
        management_loop()
        tel.close()
        tel = retry_telnet_obj()  # wait for openvpn to come back, then resume
except KeyboardInterrupt:
    tel.close()
    sys.exit()
```

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Fri Dec 24, 2021 11:08 pm

You are still doing it wrong.

And guilt-tripping me does not work.

ciao

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Fri Dec 24, 2021 11:29 pm

TinCanTech wrote:
Fri Dec 24, 2021 11:08 pm
You are still doing it wrong.

And guilt-tripping me does not work.
ciao
Great, patent your brilliant solution, but stop trolling.

You're dropping one-liners on pretty much 70% of the posts here while having a good laugh. It's getting old.

If someone wants to help out, I'll be checking back daily.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Fri Dec 24, 2021 11:34 pm

I was helping and then you tried to guilt me into giving you what you wanted .. like a petulant child would.

And that is the reason that I don't give to suckers like you.

The same reason that Santa Claus leaves coal for naughty children.

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Fri Dec 24, 2021 11:50 pm

Most definitely, thanks for the help. I wish you happy holidays with all your loved ones.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Fri Dec 24, 2021 11:58 pm

May you be warmed by the coals which you so richly deserve this festive season.

:mrgreen:

FYI: David Sommerseth is correct and you would do well to follow his advice.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Sat Dec 25, 2021 12:01 am

One final seasonal tip: Don't use openvpn to randomise your shit .. do it yourself.

If you do it this way then you will have the control you desire.

If your Professor is worth his salt then that is probably the answer he was looking for. (he/she, what-ever)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Sat Dec 25, 2021 12:09 am

And for the record: My job is on the line ... is immediate guilt-trip ..

You shot yourself in the foot before we had chance to respond.

You f'ed up .. and you claim to know a professor ... do you see the shit we have to put up with ?

I haven't even hit you with the "how to ask a question" thread ...

And then there is http://catb.org/~esr/faqs/smart-questions.html

I think you have spent too long under your rock to continue to ignore reality any longer ..

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Sat Dec 25, 2021 12:16 am

Sure, I already did that (mentioned in OP). I wrote a function that reads the remote servers into an array, randomizes them by index and then reinserts, but this is extremely dirty.

A slightly cleaner way is to just have all servers in a txt, use shuf, then sed to reinsert and finally grab the ip, this works too.

I just thought this could be solved internally with a return from remote-random or smth like a simple grep from OpenVPN stdout.

Edit: Fine, my job is probably not on the line, geez. It's just a little clickbait, like you do.
The assignment is real though, and so is the research project.
Relax boomer, you're also not the archangel of Nazareth here.
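The "do the randomising yourself" approach described in the OP's dirty alternative and in the post above (pick one entry from the server list, pin the firewall to it, then start the client against that single remote) as an added POSIX sh example; this is not code from the thread or from the OpenVPN project. Assumptions: the server list lives at `/etc/openvpn/client/servers.txt` as "host port" lines, the base config `/etc/openvpn/client/base.conf` contains no `remote` lines (the chosen one is passed with `--remote` on the command line), the physical interface is `eth0`, the protocol is UDP, and the host already runs a default-DROP policy so the two inserted ACCEPT rules are the only way out. Selection uses awk rather than `shuf` so it runs on any POSIX system; the effect is the same.

```shell
#!/bin/sh
# Added example, not code from the thread: choose the remote ourselves, pin the
# firewall to that endpoint before the tunnel exists, then start openvpn with
# exactly that remote. Paths, interface name and the list format are assumptions.
set -eu

# Assumed locations. BASE_CONF is a normal client config with no "remote" lines.
SERVER_LIST="${SERVER_LIST:-/etc/openvpn/client/servers.txt}"   # "host port" per line
BASE_CONF="${BASE_CONF:-/etc/openvpn/client/base.conf}"
WAN_IF="${WAN_IF:-eth0}"

# pick_remote: read "host port" lines from stdin, skip blanks and comments,
# print one line chosen uniformly at random (same effect as "shuf -n 1").
pick_remote() {
    awk 'BEGIN { srand() }
         !/^[ \t]*(#|$)/ { line[++n] = $0 }
         END { if (n) print line[int(rand() * n) + 1] }'
}

# firewall_rules HOST PORT [IFACE]: print the iptables commands that let the
# handshake reach exactly this endpoint on the physical interface. Printing
# instead of running keeps the function testable and allows a dry run; the
# rules go in at position 1 so they take effect ahead of a DROP policy.
firewall_rules() {
    host=$1; port=$2; iface=${3:-$WAN_IF}
    printf 'iptables -I OUTPUT 1 -o %s -p udp -d %s --dport %s -j ACCEPT\n' "$iface" "$host" "$port"
    printf 'iptables -I INPUT 1 -i %s -p udp -s %s --sport %s -j ACCEPT\n' "$iface" "$host" "$port"
}

# openvpn_cmd HOST PORT: the client command line for the one remote we picked,
# so openvpn itself never has to randomise anything.
openvpn_cmd() {
    printf 'openvpn --config %s --remote %s %s\n' "$BASE_CONF" "$1" "$2"
}

main() {
    choice=$(pick_remote <"$SERVER_LIST")
    [ -n "$choice" ] || { echo "no usable entries in $SERVER_LIST" >&2; exit 1; }
    set -- $choice              # split "host port" into $1 and $2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        firewall_rules "$1" "$2"
        openvpn_cmd "$1" "$2"
    else
        firewall_rules "$1" "$2" | sh -e           # needs root
        exec openvpn --config "$BASE_CONF" --remote "$1" "$2"
    fi
}

# Only act when asked, so the file can also be sourced for its functions.
if [ "${PIN_REMOTE_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run `PIN_REMOTE_RUN=1 DRY_RUN=1 sh pin-remote.sh` to see which server was drawn and which rules would be inserted, and drop `DRY_RUN` to apply them and start the client. One caveat this trades away: with `remote-random` OpenVPN falls through to the next server when the chosen one is down, whereas here a dead pick means the script has to be rerun (and the stale ACCEPT rules removed) before another draw.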

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Sat Dec 25, 2021 12:29 am

When a loser click-baits and guilt-trips me into this sort of shit then they deserve everything they get .. :lol:

Just like you got .. Double barrelled. And intentionally so .. :!: :!:

But .. putting all that aside,

what you are trying to do with openvpn `grep/log` is not logically possible, unless you want to hack the source code ..

It is also a stupid idea when you consider the right approach.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Sat Dec 25, 2021 12:39 am

tunnel_boar wrote:
Fri Dec 24, 2021 7:56 pm
Our boss/professor asked if somebody can solve this and I was first (loudest) to say yes
Regrets .. ?

If your boss has the back-bone to pay for the answer and not extort it then I'll provide you with what you need.

FOSS need food too ..
