OpenVPN Service

Advanced feature discussion, beta programs and unsupported "Labs" features.
79 posts Page 8 of 8
by ankh » Mon Aug 14, 2017 6:22 pm
And installing the new version raises a couple more questions:

> 2017-08-14 18:16:26 WARNING: this configuration may cache passwords in memory
> -- use the auth-nocache option to prevent this

How? Looks like a command line setting; I don't see it in the GUI for Tunnelblick

and

> DNS servers '208.201.224.33 208.201.224.11' will be used for DNS queries when the VPN is active
> NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick.
> This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN.
> Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.

Uh, Sonic folks, advice please?
by forest » Mon Aug 14, 2017 6:32 pm
ankh wrote:
> DNS servers '208.201.224.33 208.201.224.11' will be used for DNS queries when the VPN is active

Those are Sonic DNS servers, so (assuming DNS queries are routed through the VPN) you're fine on that front.
by bmah » Mon Aug 14, 2017 10:15 pm
ankh wrote:
> And installing the new version raises a couple more questions:
>
> > 2017-08-14 18:16:26 WARNING: this configuration may cache passwords in memory
> > -- use the auth-nocache option to prevent this
>
> How? Looks like a command line setting; I don't see it in the GUI for Tunnelblick

Right, so programs such as Tunnelblick are basically front-end GUIs for the command-line OpenVPN program(s). What you are seeing is output from that command-line program. Tunnelblick may or may not have a means in its UI to manipulate the command-line arguments.

In the specific case of the message above, my rather handwavy understanding is that you don't necessarily need to be concerned, and that since it's a warning it's not an "OMG you're gonna get pwned" kind of thing. I believe I saw this in some testing as well for what it's worth.

Bruce.
by drew.phillips » Wed Aug 16, 2017 8:42 am
ankh wrote:
> And installing the new version raises a couple more questions:
>
> > 2017-08-14 18:16:26 WARNING: this configuration may cache passwords in memory
> > -- use the auth-nocache option to prevent this
>
> How? Looks like a command line setting; I don't see it in the GUI for Tunnelblick

The password could only be read from memory if a program running on your computer had access to that memory and tried to read it. If you use the --auth-nocache option, be aware that if the VPN connection drops, it won't be able to reconnect automatically and any programs running may start transmitting data over your regular connection.

To avoid that problem, I usually use "auth-user-pass /path/to/creds.txt" where creds.txt is a file with the username on the first line and the password on the second. This prevents the caching in memory and lets the connection work without typing your password every time. Just make sure the permissions on that file are set so it's only readable by you. On Linux, consider encrypting your home directory, which will render that file unreadable if your hard drive is ever accessed externally.
Drew Phillips
Programmer / System Operations, Sonic.net
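
The credentials-file setup described in the post above (username on line 1, password on line 2, file readable only by its owner) can be checked mechanically. This is an added example, not part of the original posts and not Sonic or OpenVPN tooling: `audit_profile`, the file names and the sample credentials are constructed for illustration. It assumes POSIX permission bits (macOS, Linux) and, as a simplification, resolves a relative path against the profile's directory.

```python
import os
import shlex
import tempfile
from pathlib import Path

def audit_profile(ovpn_path):
    """Return findings about auth-user-pass / auth-nocache use in a profile."""
    cred_file, nocache, uses_auth, findings = None, False, False, []
    with open(ovpn_path, encoding="utf-8") as fh:
        for raw in fh:
            if raw.lstrip().startswith(";"):   # ';' starts a comment line too
                continue
            words = shlex.split(raw, comments=True)
            if words[:1] == ["auth-nocache"]:
                nocache = True
            elif words[:1] == ["auth-user-pass"]:
                uses_auth = True
                cred_file = words[1] if len(words) > 1 else None
    if uses_auth and not nocache:
        findings.append("auth-nocache not set: the cache warning will be logged")
    if cred_file is None:
        if uses_auth and nocache:
            findings.append("auth-nocache with no file: expect password re-prompts")
        return findings
    # Assumption: a relative path is resolved against the profile's directory.
    path = os.path.join(os.path.dirname(os.path.abspath(ovpn_path)), cred_file)
    if not os.path.isfile(path):
        return findings + ["credentials file missing: " + path]
    if os.stat(path).st_mode & 0o077:          # any group/other permission bit
        findings.append("credentials file accessible by group/others: chmod 600")
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2 or not lines[0] or not lines[1]:
        findings.append("expected username on line 1 and password on line 2")
    return findings

def demo():
    """Audit a constructed profile before and after tightening creds.txt."""
    with tempfile.TemporaryDirectory() as d:
        creds, profile = Path(d, "creds.txt"), Path(d, "Sonic.ovpn")
        creds.write_text("exampleuser\nnot-a-real-password\n")
        profile.write_text("client\nauth-user-pass creds.txt\nauth-nocache\n")
        creds.chmod(0o644)                     # world-readable: gets flagged
        before = audit_profile(profile)
        creds.chmod(0o600)                     # readable only by the owner
        return before, audit_profile(profile)

if __name__ == "__main__":
    print(demo())
```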
by virtualmike » Wed Aug 16, 2017 9:38 pm
Hey, Drew ... I have the OVPN client installed on a Windows machine, an Android phone, and an iPad. I installed when OVPN moved from beta to production.

Do I need to look for updates and apply them? Or do they update automatically? Or are no updates required? ...thanks!
by drew.phillips » Thu Aug 17, 2017 3:23 pm
virtualmike wrote:
> Hey, Drew ... I have the OVPN client installed on a Windows machine, an Android phone, and an iPad. I installed when OVPN moved from beta to production.
>
> Do I need to look for updates and apply them? Or do they update automatically? Or are no updates required? ...thanks!

The Android OpenVPN client should update automatically as new versions are available, as would the iPad client.

For Windows, you'll need to periodically check for and download updates to the new version. I strongly suggest checking out the open-source client OpenVPN GUI located at https://openvpn.net/index.php/open-sour ... loads.html It is more robust than the Connect client, and is more frequently updated.

That said, our server has been upgraded and I am not aware of any successful attacks in the wild (against Sonic or any other provider) regarding the exploits that were discovered. Each of them was extremely difficult to successfully exploit in any meaningful way, and if anyone was successful in doing so, it wasn't announced publicly.
Drew Phillips
Programmer / System Operations, Sonic.net
by virtualmike » Thu Aug 17, 2017 9:49 pm
Thanks for the information. I'd hoped the Android and iOS versions would update automatically through the respective app stores.

For the Windows version, I went to the OpenVPN site and downloaded the current installer (openvpn-install-2.4.3-I602.exe), but it appears to install at a different location. Should I uninstall the current version (from the Sonic installer) first?

Poking around the currently installed version, I found a log that appears to be checking for updates. Here are the last two lines:

```
2017-08-17 19:28:16-0700 [MyHTTPPageGetter,client] SoftwareUpdate: Update query error on http://swupdate.openvpn.net/updates/2.0.18.202/MSI.txt: HTTP GET returned status 404 (HTTP404)
2017-08-17 19:28:16-0700 [MyHTTPPageGetter,client] Schedule swupdate monitor in 9902 seconds, range=(120,14400), error=False, initial=False
```

What would you advise? ...thanks!
by drew.phillips » Fri Aug 18, 2017 9:39 am
virtualmike wrote:
> For the Windows version, I went to the OpenVPN site and downloaded the current installer (openvpn-install-2.4.3-I602.exe), but it appears to install at a different location. Should I uninstall the current version (from the Sonic installer) first?
>
> Poking around the currently installed version, I found a log that appears to be checking for updates. Here are the last two lines:
>
> ```
> 2017-08-17 19:28:16-0700 [MyHTTPPageGetter,client] SoftwareUpdate: Update query error on http://swupdate.openvpn.net/updates/2.0.18.202/MSI.txt: HTTP GET returned status 404 (HTTP404)
> 2017-08-17 19:28:16-0700 [MyHTTPPageGetter,client] Schedule swupdate monitor in 9902 seconds, range=(120,14400), error=False, initial=False
> ```
>
> What would you advise? ...thanks!

That's interesting about the updater, I wasn't aware of that. And it's also always disappointing to see these updaters using plain HTTP, but in this case it appears broken anyway.

I personally don't use OpenVPN Connect (the Sonic installed one) and use the community OpenVPN GUI. Since it is a totally separate program, it does install to a different location (but there's no problem having both installed at once).

To use the GUI, download the User Locked profile (.ovpn file) by logging in at https://ovpn.sonic.net and then saving that to C:\Program Files\OpenVPN\config so it appears as a connection when you run the OpenVPN GUI program. Some pretty old, not-so-great documentation is available here: https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI

You can rename "client.ovpn" to "Sonic.ovpn" so it appears in the menu as "Sonic". Then, to connect, run OpenVPN GUI; it will appear as a tray icon at the bottom right of your screen. Right-click that icon and click Connect. It will prompt for your credentials, then open a connection dialog showing the status, and once it connects, it will disappear and show a tooltip saying you are connected and showing your VPN IP.

Which client you use comes down to preference but the GUI supports some features like failover servers (not currently used by Sonic), additional ciphers, doesn't need to run as Admin, and it's open source so it seems to be more actively developed. The benefit of the Connect client is that it provides a zero-configuration setup for our users rather than having to download the client, then the profile, and copy it to a config directory to get things working.
Drew Phillips
Programmer / System Operations, Sonic.net
by virtualmike » Fri Aug 18, 2017 11:09 pm
With one minor stumble, it worked like a charm! This post was sent while on the GUI client. Thanks so much for the concise instructions.

I certainly understand the usefulness of the Connect client, but I also appreciate the ability to keep current.

The little stumble was connecting to ovpn.sonic.net. After logging in, the screen presented to me was to download the Connect client, with no other options. What I did was retype the URL in the address bar, and then I saw the entire menu, including the option to download the User Locked Profile.

Might I recommend your message be saved to the Sonic Wiki so that others who search for "VPN" will see it?

Thanks again. ...cheers!