Security concerns: script security, certificate verification, encryption
- 
 I have these two messages in my OpenVPN log when I connect to Private Internet Access (PIA):

 Apr 23 15:20:23 openvpn[11043]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

 How do I see what the current script-security setting is? When it says the configuration may be allowed to call user-defined scripts, does that mean that the server can basically execute whatever it wants on my box? Or does it mean something different?

 Apr 23 15:20:23 openvpn[11043]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

 I have ca.crt listed as the CA file:

 ca /etc/pia/ca.crt

 So why does it say no server certificate verification has been enabled? Isn't it using PIA's ca.crt?

 Also, a bit unrelated, but has anyone with PIA OpenVPN been able to get anything other than Blowfish 128 CBC working as the encryption method? I've tried AES256+HMAC SHA1/256 but neither works. Thanks
- 
 > Apr 23 15:20:23 openvpn[11043]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 >
 > How do I see what the current script-security setting is? When it says the configuration may be allowed to call user-defined scripts, does that mean that the server can basically execute whatever it wants on my box? Or does it mean something different?

 We run it with a script-security of 3, which allows (local) scripts, and allows passwords to be passed via environment variables, etc. Things that are necessary for how we hook things into OpenVPN.

 > Apr 23 15:20:23 openvpn[11043]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
 >
 > I have ca.crt listed as the CA file:
 >
 > ca /etc/pia/ca.crt
 >
 > So why does it say no server certificate verification has been enabled? Isn't it using PIA's ca.crt?

 That's the CA certificate, not the server certificate. There are some additional options that can be added (e.g. "verify-x509-name vpnservercn name" and "ns-cert-type server") for extra security, but we don't have those as options in the GUI at the moment.
- 
 > > Apr 23 15:20:23 openvpn[11043]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 > >
 > > How do I see what the current script-security setting is? When it says the configuration may be allowed to call user-defined scripts, does that mean that the server can basically execute whatever it wants on my box? Or does it mean something different?
 >
 > We run it with a script-security of 3, which allows (local) scripts, and allows passwords to be passed via environment variables, etc. Things that are necessary for how we hook things into OpenVPN.

 Can you clarify this: does allowing local scripts mean that the server can execute local scripts on my box?
- 
 The scripts must be local. If you need more clarification, you may need to check with the OpenVPN project directly. Here is the option explained in their documentation:

 --script-security level

 This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:

 0 -- Strictly no calling of external programs.
 1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
 2 -- Allow calling of built-in executables and user-defined scripts.
 3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

 OpenVPN releases before v2.3 also supported a method flag which indicated how OpenVPN should call external commands and scripts. This could be either execve or system. As of OpenVPN v2.3, this flag is no longer accepted. In most *nix environments the execve() approach has been used without any issues.

 To run scripts in Windows in earlier OpenVPN versions you needed to either add a full path to the script interpreter which can parse the script or use the system flag to run these scripts. As of OpenVPN v2.3 it is now a strict requirement to have the full path to the script interpreter when running non-executable files. This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For example, if you have a Visual Basic script, you must use this syntax now:

 --up 'C:\\Windows\\System32\\wscript.exe C:\\Program\\ Files\\OpenVPN\\config\\my-up-script.vbs'

 Please note the single quote marks and the escaping of the backslashes (\\) and the space character.

 The reason the support for the system flag was removed is due to the security implications with shell expansions when executing scripts via the system() call.
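The two log lines in the thread come from the client's own configuration, so they can be checked before connecting. The script below is an added example (not PIA's or OpenVPN's code) that reads a client config, reports the effective --script-security level (OpenVPN defaults to 1 when the directive is absent, which is how you "see the current setting"), and flags the absence of any server-identity check beyond the CA. The sample configs are constructed here; `remote-cert-tls server` is the current OpenVPN directive that replaces the `ns-cert-type server` mentioned above.

```shell
#!/bin/sh
# Constructed sample resembling the config described in the thread:
# a CA only, script-security 3, and no server-identity check.
make_sample() {
  cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
ca /etc/pia/ca.crt
script-security 3
cipher BF-CBC
EOF
}

# Constructed hardened variant: built-in executables only, server cert
# must carry the TLS server purpose, and its CN is pinned.
make_hardened() {
  cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
ca /etc/pia/ca.crt
script-security 1
remote-cert-tls server
verify-x509-name vpn.example.invalid name
EOF
}

# Effective level: last script-security directive wins; default is 1.
script_security_level() {
  awk '$1 == "script-security" { lvl = $2 } END { print (lvl == "" ? 1 : lvl) }' "$1"
}

# Any check that ties the peer cert to "a server" or to a name?
has_server_verification() {
  grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type|verify-x509-name|tls-verify)[[:space:]]' "$1"
}

# One finding per line, in the order the thread raised them.
audit_ovpn() {
  lvl=$(script_security_level "$1")
  [ "$lvl" -ge 2 ] && echo "script-security $lvl: user-defined --up/--down scripts named in this local config may run"
  [ "$lvl" -ge 3 ] && echo "script-security 3: credentials may be exported to scripts via environment variables"
  has_server_verification "$1" || echo "no server certificate verification beyond the CA: add remote-cert-tls server or verify-x509-name"
  return 0
}

finding_count() { audit_ovpn "$1" | awk 'END { print NR }'; }
```

Run `audit_ovpn /path/to/client.ovpn`; a client whose scripts are all listed in that local file, which only the local admin can edit, is what "the scripts must be local" means in practice.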
