
Not linux, but Debian #2

Closed
evadogstar opened this issue Dec 9, 2016 · 14 comments

@evadogstar

Unfortunately, it's only a Debian client, not Linux :( It does not work on Fedora :( and requires at least resolvconf to be installed (Debian package)

@Dragon2fly
Owner

@evadogstar Thank you for testing my program. As you have noticed, this program only works on Debian-based OS, not Red Hat-based. Making it work on Fedora requires a lot of code changes and testing. For a start, could you tell me which Fedora version you are using? And why is resolvconf requested?

@Dragon2fly
Owner

@evadogstar I've just tested it on Fedora 25 (64-bit). In the source code, replacing only apt-get with dnf makes it work just fine! Not as much code changed as I thought! OpenVPN and Git are already there on Fedora but not Python 2.7, which is just weird compared to Ubuntu.

When it didn't work for you, exactly what did you do and what was the error message?

@evadogstar
Author

evadogstar commented Dec 9, 2016

@Dragon2fly Fedora 24
I start it with ./run cli, then I get the error message about the missing dependency resolvconf. Then I try to install it the Debian way :)
Is resolvconf used to fix DNS leaks only?

Maybe it is possible to add an additional option to use up and down scripts for OpenVPN instead of your Debian-only way? It can be done by appending 3 lines to the conf.ovpn from vpngate at the end:

script-security 2
up $userscriptpath
down $userscriptpath

Only need to add $userscriptpath to your script config, and if it is defined by the user then there is no need for resolvconf and the user can set up his own up and down vpn-handler script, portable to his system (the OpenVPN way).

other pros:

  • portability
  • more flexible
  • with a vpn-handler script the user can fix not only his DNS, but also add some iptables rules when OpenVPN starts and remove them when it goes down. With such a script we can fix any leak of traffic if the remote vpngate server goes down suddenly.
  • also the vpn-handler script can provide a portable way to notify the user of the VPN status. In the handler script the user can add and use any program to be notified, e.g. notify-send "$(hostname): LINK IS UP."

Take a look at the example vpn-handler script here: https://www.qubes-os.org/doc/vpn/ (search for qubes-vpn-handler.sh); openvpn-client.ovpn is also available in the doc. Only need to write it at the end of openvpnconfig.ovpn as already noted :)

@Dragon2fly
Owner

@evadogstar I rechecked the cli code. resolvconf was there from the first time I wrote the script. It was used in the userscript to change the DNS in the way that you described. But then I found it unstable. There were many times when it didn't reset the DNS as expected. So I decided to make my code handle the DNS itself. resolvconf is no longer needed. I'm sorry for not deleting it from the new code.

I updated the code. Now Fedora/CentOS users only need to install python2.7. The rest of the dependencies should be installed automatically without error. It automatically selects apt-get on Debian-based and yum/dnf on Red Hat-based OS.

About executing a userscript: since I didn't trust OpenVPN to do the job, I would like to let my code handle it too. Do you have an example script file that I can test with?

About notification, the code already provides an app indicator which also has a nice notification itself. Sadly, it requires the gir1.2-appindicator package to make the code from gi.repository import AppIndicator3 run without error. I can't seem to install it on Fedora.

I will later make the code use notify-send if the app indicator fails.

Can you test both cli and tui again to see if there is any error?
Thank you.

@evadogstar
Author

evadogstar commented Dec 9, 2016

@Dragon2fly Thanks for the fast update. I will test it now, but about the up/down script as an "advanced option": please, if possible, add this possibility. I'm on Qubes (with a Fedora template) and, as already expected, my system and config need some additional actions to be executed on connect/disconnect to prevent VPN leaks.

The documentation page https://www.qubes-os.org/doc/vpn/ is where the anti-leak script is available and described perfectly. Paragraph:
"Set up a ProxyVM as a VPN gateway using iptables and CLI scripts", steps 3-5. But it's for my system. In the comment below I will try to describe the same for any "regular" system.

Again. Thank you!

p.s. Tested and now the script works fine! THANKS!

To make it more customizable we need the up/down script and to run the OpenVPN client from a specific user group (described below), but maybe it's hard to achieve.

@evadogstar
Author

evadogstar commented Dec 9, 2016

@Dragon2fly Oh. Sorry. I started rewriting the original anti-leak script from Qubes and have troubles. I'm not an advanced enough Unix user to rewrite the iptables rules from the Qubes example for any regular Unix-based system. My system already has a specific PR-QBS group in the iptables list to re-translate DNS requests as a bridge. But it's not necessary for testing.

The original idea of Qubes is to set up a qvpn group on the system and then give internet access only to this group. Then we start any script (vpn-with-gate and openvpn) as a qvpn group member to get internet access only for these programs. Then with iptables we can route traffic through the VPN. If suddenly the VPN goes down then every app will lose its connection and not leak.
Sorry, maybe it's a very specific task.

To test the OpenVPN up/down script we do not need all of this. We can test that it works with something like this:

~/vpn-handler.sh:

#!/bin/bash
set -e
export PATH="$PATH:/usr/sbin:/sbin"

case "$1" in
    up)
        su - -c 'notify-send "$(hostname): LINK IS UP." --icon=network-idle' user
        ;;
    down)
        su - -c 'notify-send "$(hostname): LINK IS DOWN !" --icon=dialog-error' user
        ;;
esac

Then sudo chmod +x vpn-handler.sh

Then add to the extra options (tmp_vpn) if $vpn-handler is defined:

extra_option = ['script-security 2\r\n',
                'up \'~/vpn-handler.sh up\'\r\n',    # OpenVPN "up"/"down" take only the command to run
                'down \'~/vpn-handler.sh down\'']

vpn-handler.sh must be a variable from the config (sorry, I don't know how to do it in Python).
Seems the up/down script is a simple task.

UPDATE
I've already done some tests. I added r.sh to start your script from a specific user group:

#!/bin/bash 
groupadd -rf qvpn ; sleep 2s
sg qvpn -c "./run cli"

Then I connect to the VPN with your script and check the process list with ps ax o pid,group,gid,comm. Unfortunately, the OpenVPN client runs as root, not from the group that your script was started from (qvpn). :)

UPDATE
Got it. python runs as root from the ./run script. And as a result the openvpn process also runs as root.
The main question now: is it possible to also manage groups of subprocesses from Python, to add the possibility to start all requested internet programs from this group if needed (openvpn, ping, etc.)?

Sorry for these big comments and my language mistakes :)

@Dragon2fly
Owner

@evadogstar I updated my program again. You just need to modify the user_script.sh file to do your jobs, no need to mess with config.ini.

OpenVPN requires root privilege to run, thus my program must acquire it too. Consequently, all scripts called by my program will inherit root, and so does user_script.sh.

is it possible to also manage groups of subprocesses from Python, to add the possibility to start all requested internet programs from this group if needed (openvpn, ping, etc.)?

Yes, it is possible. You can always write another starter.py or starter.sh to do that kind of action. But if you only need to call them after the VPN tunnel is established, it is better to leave them to user_script.sh.

Again, I hope you can test the updated program and report whether it works or not.
Thank you.

@evadogstar
Author

evadogstar commented Dec 10, 2016

Thanks :) It works! But I need to do more tests.

Now, I see only one problem:
post_action('down') needs to be in except KeyboardInterrupt: to execute down when the tunnel is terminated by the user with CTRL+C.

UPDATE
Successfully ran the script from another user group with the following command added to the ./run script: `sudo sg qvpn -c "python vpnproxy_cli.py $arg"`; openvpn works fine :)
Now, I will test anti-leak with iptables. As I already wrote, I will try to set up rules to give internet access only to the qvpn user group.

UPDATE
Is it possible to export the "DNS list" from your script to user_script.sh as an environment variable?
$vpn_dns with the DNS values "8.8.8.8 7.7.7.7 8.8.8.8"?

Maybe change
up = 'bash user_script.sh up'.split()
to something like this (hope I'm correct):

DNSLIST = DNS.replace(',', '')  # format: "IP1 IP2 IP3"
# pass the list through the environment of user_script.sh; an argument list
# keeps the space-separated DNSLIST from being split into extra arguments
up = ['env', 'vpn_dns=' + DNSLIST, 'bash', 'user_script.sh', 'up']

This is needed to add each DNS to iptables, to give access only to those IPs and prevent any access to other IPs by the firewall.

@Dragon2fly
Owner

Dragon2fly commented Dec 11, 2016

post_action('down') needs to be in except KeyboardInterrupt: to execute down when the tunnel is terminated by the user with CTRL+C.

Hasn't it already worked that way? No matter how the VPN tunnel is terminated, post_action is always executed.

Is it possible to export the "DNS list" from your script to user_script.sh as an environment variable?
$vpn_dns with the DNS values "8.8.8.8 7.7.7.7 8.8.8.8"?

DNS values are stored in config.ini. If you want to export them to user_script, make a script to copy those values from config.ini to user_script. That script should also be called within user_script.

If you want to change DNS within user_script.sh, disable fix_dns in config.ini, then use your $vpn_dns variable. Another way is to make another starter script which changes config.ini's dns according to the users / user groups...

Currently, since all settings must be stored in config.ini, I prefer the way from the main program to user_script to be a one-way route.

@evadogstar
Author

evadogstar commented Dec 11, 2016

Hasn't it already worked that way? No matter how the VPN tunnel is terminated, post_action is always executed.
I retested this again. I was looking for the notify-send window; it does not show on ctrl+c, but (sorry) the down script is executed. I see the "Called Down script" message. All is okay with this.

Currently, since all settings must be stored in config.ini, I prefer the way from the main program to user_script to be a one-way route.

Maybe it's my bad English or some misunderstanding :) But I also proposed to get the DNS from the main program and pre-define an environment variable with the DNS list for user_script when it is called. Then user_script can be used with "DNS fix enabled". Your "DNS fix" only adds new DNS. But we need to allow access to them at the firewall with user_script if our system uses a firewall to prevent leaks.

I mean something like this:
master...evadogstar:patch-1

Sorry for troubling you :)

@Dragon2fly
Owner

Dragon2fly commented Dec 12, 2016

Sorry for misunderstanding you. So you need the DNS to appear in user_script.sh so that you can inform your firewall to allow connections to them. It is better not to change the source code of the main program since other people don't have that need. Instead, let's do the entire job within user_script.sh only. The code below will parse the DNS from config.ini, remove the commas, and store the result in the dns variable.

# take everything after "dns = " on that line of config.ini
dns=$(cat config.ini | grep -o -P '(?<=^dns = ).*')
# strip the commas so the list is space-separated
dns="${dns//,/}"
echo $dns

Then, just use your dns to do whatever is needed with your firewall.

Perhaps, you should write about your use-case somewhere for other people to follow.

Thanks :)
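
A user_script.sh along the lines the thread discusses, as an added example and not the project's own script: it parses the dns line from config.ini as suggested above and generates the per-group iptables rules the earlier comments ask for, so that only members of the qvpn group may reach those resolvers on port 53. The group name qvpn, the config.ini path and the sample "dns = 8.8.8.8, 1.1.1.1" line are assumptions; the rules are produced as text and only executed by apply_rules, so the parsing can be checked without root.

```shell
#!/bin/bash
# Added example (not the project's user_script.sh). Assumptions, all
# constructed: config.ini contains "dns = 8.8.8.8, 1.1.1.1" and the
# restricted group is called qvpn.
export PATH="$PATH:/usr/sbin:/sbin"

# parse_dns FILE -> resolvers from the "dns = ..." line, commas replaced
# by single spaces (sed/tr/xargs instead of grep -P, for portability).
parse_dns() {
    sed -n 's/^dns *= *//p' "$1" | tr ',' ' ' | xargs
}

# dns_rules ACTION IP... -> one iptables command per resolver and protocol.
# ACTION is -A (on "up") or -D (on "down"); --gid-owner limits the rule to
# traffic generated by processes running in the qvpn group.
dns_rules() {
    local action="$1" ip proto
    shift
    for ip in "$@"; do
        for proto in udp tcp; do
            echo "iptables $action OUTPUT -m owner --gid-owner qvpn" \
                 "-p $proto -d $ip --dport 53 -j ACCEPT"
        done
    done
}

# apply_rules ACTION CONFIG -> execute the generated rules (needs root).
apply_rules() {
    local rule
    dns_rules "$1" $(parse_dns "$2") | while read -r rule; do
        $rule
    done
}

case "$1" in
    up)   apply_rules -A config.ini ;;
    down) apply_rules -D config.ini ;;
esac
```

The main program calls the script with "up" and "down", so the same resolver rules are added when the tunnel comes up and removed again when it goes down.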

@evadogstar
Author

Thanks! I will test it soon!
It will be used with QubesOS as ProxyVM (VpnVM) :)

@evadogstar
Author

evadogstar commented Dec 12, 2016

Perfect. Thank you! Now it works fine 👍

p.s. is it OK if I create a new issue to discuss?

@Dragon2fly
Owner

Dragon2fly commented Dec 13, 2016

Feel free to do it :). This issue is about running on Red Hat-based OS and has been solved. I'll close it now.
