OpenVPN auth override and auth.txt perms #265

Open
ciphersimian opened this issue Apr 7, 2024 · 1 comment

ciphersimian commented Apr 7, 2024

Two problems:

  1. vopono overrides the OpenVPN auth to a hardcoded value for some reason: --auth-user-pass /home/.../.config/vopono/proton/openvpn/auth.txt precluding the use of auth-user-pass in the config
  2. It keeps changing the permissions of that file and every time it starts up it prints the message:
     1712524542.815358 40 WARNING: file '/home/.../.config/vopono/proton/openvpn/auth.txt' is group or others accessible

but it did that itself... if I change the file to 600:

$ chmod 600 /home/.../.config/vopono/proton/openvpn/auth.txt
$ ls -l /home/.../.config/vopono/proton/openvpn/auth.txt
-rw------- 1 ... ... 57 Apr  7 14:44 /home/.../.config/vopono/proton/openvpn/auth.txt

then run vopono...

it keeps changing it back to:

$ ls -l /home/.../.config/vopono/proton/openvpn/auth.txt
-rw-r----- 1 ... ... 57 Apr  7 14:44 /home/.../.config/vopono/proton/openvpn/auth.txt

jamesmcm (Owner) commented

Thanks,

  1. was to avoid having to enter the password every time, across all OpenVPN providers. The other issue is that we can't pass the stdin and read back the stdout directly, since we ultimately want it to run in the background. So we'd need to read OpenVPN's stdout to see if it asks for the password and communicate that back - I'm not sure if it's really worth the extra complexity.

  2. is caused by https://github.com/jamesmcm/vopono/blob/master/vopono_core/src/util/mod.rs#L140-L163 - this was originally added to ensure the configs are readable, but since the way vopono is invoked has changed with the sudo crate, etc. now I don't think this should even be necessary anymore. But could also be fixed to not make the auth files group readable.

Do you have a use case where 1. is important? As in my experience they are randomly generated credentials from the providers anyway.
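
The permission problem in point 2, as an added example (not vopono's code and not written by either participant): one way a Rust tool can write an OpenVPN auth file so that it is owner-only from creation and stays that way when the file already exists with a looser mode. The function names, the temporary path and the credentials are constructed for illustration; Unix only.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// True when any group/other permission bit is set, i.e. the condition
/// the "group or others accessible" warning in the issue describes.
fn is_group_or_other_accessible(path: &Path) -> io::Result<bool> {
    let mode = fs::metadata(path)?.permissions().mode();
    Ok(mode & 0o077 != 0)
}

/// Write credentials so the file is owner-only (0600) before any secret
/// bytes land in it. Hypothetical helper, not part of vopono.
fn write_secret_file(path: &Path, contents: &[u8]) -> io::Result<()> {
    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600) // only takes effect if this call creates the file
        .open(path)?;
    // A pre-existing file keeps its old mode, so tighten it explicitly.
    file.set_permissions(fs::Permissions::from_mode(0o600))?;
    file.write_all(contents)?;
    file.sync_all()
}

/// Constructed demo: reproduce the 0640 state from the issue, then repair it.
/// Returns (accessible before, accessible after, final mode bits).
fn demo() -> io::Result<(bool, bool, u32)> {
    let dir = std::env::temp_dir().join(format!("auth-perm-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let auth = dir.join("auth.txt");
    fs::write(&auth, b"constructed-user\nconstructed-pass\n")?;
    fs::set_permissions(&auth, fs::Permissions::from_mode(0o640))?; // -rw-r-----
    let before = is_group_or_other_accessible(&auth)?;
    write_secret_file(&auth, b"constructed-user\nconstructed-pass\n")?;
    let after = is_group_or_other_accessible(&auth)?;
    let mode = fs::metadata(&auth)?.permissions().mode() & 0o777;
    fs::remove_dir_all(&dir)?;
    Ok((before, after, mode))
}

fn main() -> io::Result<()> {
    let (before, after, mode) = demo()?;
    println!("accessible before: {}, after: {}, final mode: {:o}", before, after, mode);
    Ok(())
}
```

Any later pass that resets permissions across a config directory would need to skip or re-tighten such files, otherwise the 0640 state returns on the next run.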
