Hello everybody.
I am running an 11.1 openSUSE system. Since my provider does require openVPN =/>2.1 I updated the version that originally came with the system (2.09) by compiling from source.
I am getting the following debug message in KVPNc (KDE3.5):
debug: Preserving network environment
debug: openvpn: /usr/sbin/openvpn
debug: Default interface: "wlan0".
debug: IP address of default interface: "192.168.1.64".
debug: chmod of /root/.kde/share/apps/kvpnc/openvpn._home_user_Software_swissvpn_swissvpn.up (a+x) started.
debug: chmod of /root/.kde/share/apps/kvpnc/openvpn._home_user_Software_swissvpn_swissvpn.down (a+x) started.
info: Trying to connect to server "connect-openvpn.swissvpn.net" with ...
debug: Setting DNS_UPDATE "NO".
debug: Starting Openvpn management handler...
debug: [openvpn] Wed Nov 9 10:41:04 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Nov 9 2011
debug: [openvpn] Wed Nov 9 10:41:04 2011 MANAGEMENT: TCP Socket listening on 127.0.0.1:2222
debug: [openvpn] Wed Nov 9 10:41:04 2011 Need password(s) from management interface, waiting...
debug: [openvpn] Wed Nov 9 10:41:04 2011 MANAGEMENT: Client connected from 127.0.0.1:2222
info: Send username...
info: Send password...
debug: [openvpn] Wed Nov 9 10:41:04 2011 MANAGEMENT: CMD 'username Auth swissvpntest'
debug: [openvpn] Wed Nov 9 10:41:04 2011 MANAGEMENT: CMD ''
debug: [openvpn] Wed Nov 9 10:41:04 2011 MANAGEMENT: CMD 'password ...]'
debug: [openvpn] Wed Nov 9 10:41:04 2011 MANAGEMENT: CMD ''
**debug: [openvpn] Wed Nov 9 10:41:04 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables**
debug: [openvpn] Wed Nov 9 10:41:04 2011 LZO compression initialized
debug: [openvpn] Wed Nov 9 10:41:04 2011 Control Channel MTU parms L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
debug: [openvpn] Wed Nov 9 10:41:04 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
debug: [openvpn] Wed Nov 9 10:41:14 2011 RESOLVE: NOTE: connect-openvpn.swissvpn.net resolves to 2 addresses
debug: [openvpn] Wed Nov 9 10:41:14 2011 Data Channel MTU parms L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
debug: [openvpn] Wed Nov 9 10:41:14 2011 Local Options hash (VER=V4): '69109d17'
debug: [openvpn] Wed Nov 9 10:41:14 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
debug: [openvpn] Wed Nov 9 10:41:14 2011 Attempting to establish TCP connection with 80.254.79.87:443 [nonblock]
debug: [openvpn] Wed Nov 9 10:41:15 2011 TCP connection established with 80.254.79.87:443
info: [openvpn]: Low level connection to connect-openvpn.swissvpn.net established.
debug: [openvpn] Wed Nov 9 10:41:15 2011 TCPv4_CLIENT link local: [undef]
debug: [openvpn] Wed Nov 9 10:41:15 2011 TCPv4_CLIENT link remote: 80.254.79.87:443
debug: [openvpn] Wed Nov 9 10:41:15 2011 TLS: Initial packet from 80.254.79.87:443, sid=7ebfb213 86134499
debug: [openvpn] Wed Nov 9 10:41:15 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
debug: [openvpn] Wed Nov 9 10:41:16 2011 VERIFY OK: depth=1, /C=CH/ST=ZH/L=Regensdorf/O=Monzoon_Networks_AG/OU=OpenVPN_CA/CN=OpenVPN-CA/emailAddress=operations@monzoon.net
debug: [openvpn] Wed Nov 9 10:41:16 2011 VERIFY OK: nsCertType=SERVER
debug: [openvpn] Wed Nov 9 10:41:16 2011 VERIFY OK: depth=0, /C=CH/ST=ZH/O=Monzoon_Networks_AG/OU=OpenVPN_server/CN=server/emailAddress=operations@monzoon.net
debug: [openvpn] Wed Nov 9 10:41:17 2011 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1543'
debug: [openvpn] Wed Nov 9 10:41:17 2011 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
debug: [openvpn] Wed Nov 9 10:41:17 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
debug: [openvpn] Wed Nov 9 10:41:17 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
debug: [openvpn] Wed Nov 9 10:41:17 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
debug: [openvpn] Wed Nov 9 10:41:17 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
debug: [openvpn] Wed Nov 9 10:41:17 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
debug: [openvpn] Wed Nov 9 10:41:17 2011 [server] Peer Connection Initiated with 80.254.79.87:443
debug: [openvpn] Wed Nov 9 10:41:18 2011 Bad LZO decompression header byte: 69
debug: [openvpn] Wed Nov 9 10:41:19 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
debug: [openvpn] Wed Nov 9 10:41:19 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 80.254.79.157,dhcp-option DNS 80.254.77.39,route-gateway 80.254.76.129,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 80.254.76.211 255.255.255.128'
debug: [openvpn] Wed Nov 9 10:41:19 2011 OPTIONS IMPORT: timers and/or timeouts modified
debug: [openvpn] Wed Nov 9 10:41:19 2011 OPTIONS IMPORT: --socket-flags option modified
debug: [openvpn] Wed Nov 9 10:41:19 2011 Socket flags: TCP_NODELAY=1 succeeded
debug: [openvpn] Wed Nov 9 10:41:19 2011 OPTIONS IMPORT: --ifconfig/up options modified
debug: [openvpn] Wed Nov 9 10:41:19 2011 OPTIONS IMPORT: route options modified
debug: [openvpn] Wed Nov 9 10:41:19 2011 OPTIONS IMPORT: route-related options modified
debug: [openvpn] Wed Nov 9 10:41:19 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
debug: [openvpn] Wed Nov 9 10:41:19 2011 ROUTE default_gateway=192.168.1.254
debug: [openvpn] Wed Nov 9 10:41:19 2011 TUN/TAP device tun0 opened
debug: Tunnel device: tun0
debug: Tunnel interface IP: 80.254.76.211
debug: [openvpn] Wed Nov 9 10:41:19 2011 TUN/TAP TX queue length set to 100
debug: [openvpn] Wed Nov 9 10:41:19 2011 /sbin/ifconfig tun0 80.254.76.211 netmask 255.255.255.128 mtu 1500 broadcast 80.254.76.255
debug: [openvpn] Wed Nov 9 10:41:19 2011 /root/.kde/share/apps/kvpnc/openvpn._home_user_Software_swissvpn_swissvpn.up tun0 1500 1544 80.254.76.211 255.255.255.128 init
debug: [openvpn] Wed Nov 9 10:41:19 2011 **WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info.**
debug: [openvpn] Wed Nov 9 10:41:19 2011 MANAGEMENT: Client disconnected
debug: [openvpn] Wed Nov 9 10:41:19 2011 WARNING: Failed running command (--up/--down): external program fork failed
debug: [openvpn] Wed Nov 9 10:41:19 2011 Exiting
I am unsure what this means, it does not refer to file security level of the distribution, so far is clear. Anybody knows what the program is exactly complaining about? Where do I define the script security?
Thank you.
On 11/09/2011 10:56 AM, stakanov wrote:
> I am running an 11.1 openSUSE system.
openSUSE 11.1 passed its end of life on January 14th 2011 and is no longer
supported (cite: <http://en.opensuse.org/Lifetime>) suggest you install
a supported version (11.4 is the latest released version, and 12.1 will
be released in a few days)
My gosh Denver.
If you wouldn’t have told me this (I am a total newbie) I would have totally passed over the fact that 11.1 is out of “support”! Of course it is.
Out of support, I hope, is out of professional support from Novell / Attachmate. Because AFAIK this is a forum where people are not paid for supporting whatever user of openSUSE whatever his version is. At least I see it that way. I try to help when I can in this forum, but when I cannot, I am humbly quiet and do not write things.
Maybe, sometimes, this might be a good idea for others too.
I have 11.1 running on a X201 thinkpad with Arrandale processor. It has a i915 chipset and I am having already a thread out there, to update MESA. Well and then, there is my ISP that requires openVPN 2.1 minimum. That is why (since Evergreen does not have this in the repos) I am compiling openVPN from the source. So to make this one time for all clear, in the moment for reasons that are personal, I am NOT able to update 11.1. I DO own and maintain 3 machines with 11.4 currently. So I DO know about the existence of the newer version. And if you do not want to give assistance to my queries, it would be a nice gesture, not to “assist”. I receive from time to time help from people having solutions to give. I am uttermost grateful in these cases.
But your contribution, sorry to say this, was unnecessary and in my view counterproductive, as it will lower the probability to get help on this query.
Thank you for your understanding.
On 2011-11-09 18:26, stakanov wrote:
>
> And if you do not want
> to give assistance to my queries, it would be a nice gesture, not to
> “assist”. I receive from time to time help from people having solutions
> to give. I am uttermost grateful in these cases.
> But your contribution, sorry to say this, was unnecessary and in my
> view counterproductive, as it will lower the probability to get help on
> this query.
If, as is the case, you are aware that you are using an unsupported
version, you should say that in your initial post, or any of us will
immediately tell you that you are using such a version before attempting to
offer help.
It is your fault that DD had to post that.
That said, no, I do not know what scripts they are referring to. Perhaps
internal scripts of the application. But the phrase '--script-security 2'
in the error message refers to an option in the command line calling the
program you have to use, so I would suggest reading its manual.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 11/09/2011 06:26 PM, stakanov wrote:
>
> But your contribution, sorry to say this, was unnecessary and in my
> view counterproductive, as it will lower the probability to get help on
> this query.
unnecessary? apparently not…
–
DD
openSUSE®, the “German Automobiles” of operating systems
I suppose you wanted to say: you should tell that in the subject line of your post. I will. Thank you.
Well the scripts effectively I found them in openVPN.
--script-security level mode : mode='execve' (default) or 'system', level=
0 -- strictly no calling of external programs
1 -- (default) only call built-ins such as ifconfig
2 -- allow calling of built-ins and scripts
3 -- allow password to be passed to scripts via env
But the problem is therefore how Kvpnc calls OpenVPN. Now this will not be easy to find out I guess, some config. Will try. Thank you for the advice.
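An added example, not part of the original posts and not code from KVpnc or OpenVPN: a small auditor that reads an OpenVPN client config and reports the mismatch seen in the log above (an `up`/`down` script declared while `script-security` stays at its default of 1), along with the `auth-nocache` warning. The sample config and its script paths are constructed for illustration.

```python
import shlex

# Directives that make OpenVPN run a user-defined script or executable.
SCRIPT_HOOKS = {"up", "down", "route-up", "route-pre-down", "ipchange",
                "tls-verify", "auth-user-pass-verify", "client-connect",
                "client-disconnect", "learn-address"}

# Constructed sample config; host taken from the log above, paths are placeholders.
SAMPLE = """\
client
dev tun
proto tcp-client
remote connect-openvpn.swissvpn.net 443
auth-user-pass
comp-lzo
; script-security 2   (commented out, so the default of 1 applies)
up /etc/openvpn/example.up      # placeholder path
down /etc/openvpn/example.down  # placeholder path
"""

def audit(config_text):
    """Return (script-security level, script hooks, findings) for a config."""
    level, hooks, seen = 1, [], set()   # 1 is the default level
    for raw in config_text.splitlines():
        if raw.lstrip().startswith(";"):          # ';' starts a comment line
            continue
        tok = shlex.split(raw, comments=True)     # drops '#' comments
        if not tok:
            continue
        name = tok[0].lstrip("-")                 # accept '--option' spelling too
        seen.add(name)
        if name == "script-security" and len(tok) > 1 and tok[1].isdigit():
            level = int(tok[1])
        elif name in SCRIPT_HOOKS and len(tok) > 1:
            hooks.append((name, tok[1]))
    findings = []
    if hooks and level < 2:
        names = ", ".join(n for n, _ in hooks)
        findings.append(f"{names} declared but script-security is {level}: scripts will not run")
    if level >= 3:
        findings.append("script-security 3 passes the password to scripts via the environment")
    if "auth-user-pass" in seen and "auth-nocache" not in seen:
        findings.append("auth-user-pass without auth-nocache: password may be cached in memory")
    return level, hooks, findings

if __name__ == "__main__":
    for cfg in (SAMPLE, SAMPLE + "script-security 2\nauth-nocache\n"):
        print(audit(cfg))
```

Level 2 is the lowest setting that lets the `up`/`down` scripts run; level 3 is only needed when a script must read the password from its environment.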
On Wed, 09 Nov 2011 19:56:10 +0000, stakanov wrote:
> DenverD;2402131 Wrote:
>> On 11/09/2011 06:26 PM, stakanov wrote:
>> >
>> > But your contribution, sorry to say this, was unnecessary and in my
>> > view counterproductive, as it will lower the probability to get help
>> on
>> > this query.
>>
>> unnecessary? apparently not…
>>
>> –
>> DD openSUSE®, the “German Automobiles” of operating systems
> Get yourself a life
Let’s avoid getting personal with this. A smiley face doesn’t make it OK
to say stuff like this.
On 2011-11-09 21:16, stakanov wrote:
> I suppose you wanted to say: you should tell that in the subject line
> of your post. I will. Thank you.
Not there, in the body. Like I’m using version… say 10.0 (I know it is
old, I’m aware of that, but I have special needs for it (you can explain a
bit)). Thus you avoid that we try to tell you the warning about an old
version
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
You are right Carlos. After 980 contributions, 3 years of constant permanence… you are totally right, I could well not be aware of using an outdated version. Man, I'll certify that as a quality of yours. When you joke, you really joke. A man with a great sense of humor. Heh, heh, heh. Take care.
stakanov wrote: I am running an 11.1 openSUSE system. Since my provider does require openVPN =/>2.1 I updated the version that originally came with the system (2.09) by compiling from source.
Nobody compiles software from source when the system is still supported. Why should one?
I think the scripts refer to what the openvpn access server is pushing to your client. In the access server documentation you will find that it works very differently on Windows, OS X and Linux. All the scripts are supported only on Windows AFAIK.
Also AFAIK the scripts are something like adding a logical interface, changing DNS settings, changing routing table, possibly running external applications if configured on the server. Anyway I think that your problem could only be solved by Kvpnc developer and I think they will laugh at you as I guess this version of Kvpnc is long out of support and no one will bother to even look at it.
Why don’t you run openvpn directly from the command line to avoid Kvpnc bugs?