Question: What is the best way to automate/script Vopono? (Mostly in regard to sudo/authorization) #150
Comments
I just realized that asking this was a bit dumb. Vopono itself, obviously, executes arbitrary commands, so setting
I just use NOPASSWD all the time on my personal devices. The NOPASSWD specific entry should work too. The ideal option would be to use capabilities (we really only need sudo for the network namespace configuration), but I'm pretty certain there are still some areas lacking there. Another option would be to separate the network namespace creation from the process execution into separate binaries, although the execution part will still need enough capabilities to be able to execute in the new network namespace - it does a bind mount IIRC. I also did a bit of work trying to avoid shelling out in the unfinished libvopono. Neither of those are small changes though.
Are you not worried that everybody that gains access to your main user (physically, or via a remote exploit) can easily get root access? Configuring
Do you think running Vopono in a container would be easy to set up? This would make it possible to restrict what Vopono/root can do.
I might have found another way to do what I'm trying to achieve. Basically, the steps would be:
This way, I'd only have to type the password of the Do you see any problem with that approach? I spent most of today experimenting with this idea (mostly researching how to do things), and when I thought I had finished it, something broke... x) I think this happened because I created and killed Vopono (and Privoxy) many times while creating my script. When I run Vopono from my regular user (which previously always worked), I get the following output:
Do you have any idea what the problem could be? I guess restarting my computer would fix the issue, but my script would basically start and kill Vopono similarly often.
Regarding the troubleshooting information: ip addr:
ip link:
ping 10.200.1.2:
Seems to hang, nothing happens. sudo nft list tables / sudo nft list table nat:
sudo iptables -t nat -L
sudo ip netns exec ping 10.200.1.1 / Cannot open network namespace "ping": No such file or directory:
sudo ip netns exec vopono_c_Dt2VWW2Ui1J ip addr /
(I've taken I'm using Arch and the 'aur/vopono-bin' package, in case that is relevant.
When I execute the command that failed, I get the following output:
So I guess the cleanup didn't work when I killed Vopono. Is there a way to trigger the cleanup somehow?
It is an issue, but anything that runs as my user could already encrypt all my files, etc. anyway, so the best option is to only run trusted FOSS as much as possible.
In theory it's possible, but it changes what the tool is/does. Like at the moment all of the hard work is in setting up the network namespace (and its firewall rules), and then it's just spawning processes inside that. If it were a container, you'd want to just do that in the container (to be fair, most of the code would be identical for the firewall, etc.), but then you need to set up bridging between the containers and presumably spawn your other app in a container too - which is problematic for torrent clients, etc. that need access to the host filesystem. So it could mean much more configuration for the app side if you just want to run a normal web browser, etc. - it might be doable though. I actually used LXC for this back in 2015, and in the end I realised it was more effort than it was worth getting stuff like X forwarding to work, PulseAudio, etc. - and discovered network namespaces 🙂
This would eventually be the idea, but it's quite a lot of work. Maybe I could start by just separating out the current code (even though it shells out) because it is pretty useful. I also wrote a bit about the possibility for a GUI here - https://www.reddit.com/r/archlinux/comments/u1qj2v/vpn_kill_switches_do_not_always_work/i4g7dp5/?context=3 - it might be cool to do it though, even if it's just a simple PyTK thing for example.
I think this is the best approach atm, and it's similar to what other tools do too (Jackett, etc.)
Usually it means the kernel has updated and you need to reboot.
Oops, it seems this is an edge case where somehow the lock file was deleted but the resources weren't deleted? It's strange, usually if it fails to delete them the lockfile will still be there, and then it will delete them when you execute vopono next time. I'd recommend deleting them manually (
Thank you, @jamesmcm! That fixed it. I guess this happened because I killed Vopono forcefully, and switched between users (my regular user, and the Haha, that's true. Because of that, I'm interested in switching to Qubes OS, which makes it easy to run special-purpose VMs (i.e. one VM for email, one for the browser, one for the dev environment, etc.).
I think that would be a great approach. The code that shells out can still be replaced gradually then. I'd like to make Privoxy listen on an address that is only reachable from my machine, if possible. Would that be the following IP address?
If so, is there an easy way to access that IP from within the executed program/script, so I can generate the needed Privoxy config file? I tried When I execute Vopono there seem to be several errors:
Verbose output via `-v` option
I get the same output with Is that something to worry about? The
Not at the moment, but it could be set like the Line 464 in d9854ce
Regarding the errors, I think the OpenVPN log binding doesn't matter (it seems to read the log fine anyway). But the ip6tables one may be an issue and seems to be related to this - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515752 - I'll try to test that change, i.e. checking we use The sudo one is strange, it's almost like it isn't quoting the command properly and is interpreting the other options as options for sudo 🤔
After implementing #154 I was finally able to run Privoxy through Vopono! With a bit of luck, I should be able to implement my 'VPN changer' script tomorrow (or rather, to test it; it is basically complete). Do you think this information would be useful to others and should be added to the user guide? Otherwise, I'd just post it here.
Yeah, it'd be great to add it to the guide, I want to add instructions for Jackett too,
Have you seen netns-exec? It seems to do something similar to Vopono, and seems to not shell out (and has only the I've finally gotten my 'VPN changer' script working... Doing this in Bash (as an example for the scripting guide) was pretty painful... I will most definitely not write the real version in Bash... ;) The guide section is basically finished, but I'm going to wait with my PR until I've gotten my real use case working, which will probably be more like a Unix socket-based API around Vopono. Just in case I discover more caveats, or find out more useful information. While developing the Bash script I sometimes got a few new errors:
Is that something to worry about? Do I need to restore some config file somehow, like the backup of the
Thanks, I'll check that out. It's useful, tbh the only thing still requiring shelling out is setting the nftables firewall rules (but there are a lot of them) and iptables support too. If the errors are only in the destructors just check that the state is okay afterwards (nothing left dirty). But that said, it would be good to fix the panics if you can pinpoint the causes?
Yes, I believe the errors happened mostly during the teardown process. How would I check that the state is okay? Everything seems to work fine.
I believe the errors happened only when my script wasn't able to kill previous Vopono instances*. When I then killed the script at some point via So the errors should only happen when automating Vopono (and hopefully, my scripting section will help people to avoid these errors). * The problem was basically that Vopono restarts itself via This took me longer to figure out than I'd like to admit... x)
Oh, I see what you mean, only the one running with sudo handles SIGINT - https://github.com/jamesmcm/vopono/blob/master/src/exec.rs#L479-L507 In theory we could use another thread and a channel to do it with both processes, I'm not 100% sure how the sudo crate handles it though.
I actually started implementing a fix, but when I figured out a workaround (just executing Vopono via For some reason, When I read the man page of But I just did an experiment:
...so it actually should work. My workaround is to start Vopono directly via But this most likely should be fixed, if possible. Besides reducing potential problems for other people who'd like to automate Vopono (and don't read the scripting guide), and making the guide a tiny bit easier, it would also eliminate one of the dependencies in my Rust version of the script. Do you have any idea why Vopono started via As far as I remember, that should work (if I remember the Vopono doesn't restart itself if it already runs with root privileges, right? Maybe I can have another look tomorrow. But I don't have as much time available anymore as I had last week, so I'm not sure if I can fix it now. I also noticed that Vopono (if started without
What I forgot: Fixing the above would probably also fix the issue that Vopono sometimes can't be killed via Ctrl-C (which happened to me a few times).
@jamesmcm: Is there any chance that your last commits have broken OpenVPN support? I've updated my system (including Vopono), and now Vopono always hangs on:
Full log
After some time, I got the following output:
Hi,
Thank you so much for creating Vopono! So far, it seems to work very well :)
I'm wondering what the best way would be to script Vopono.
For example, let's say, I'd like to change my VPN connection every 30 minutes, and I'm running Privoxy within Vopono (this way, I could just configure my browser to use Privoxy as HTTP proxy, and I wouldn't have to restart my browser every 30 minutes):
$ vopono -v exec --provider azirevpn -k -u root -f 8118 --server norway "privoxy --chroot --user privoxy /etc/privoxy/config"
The scripting part would be easy, of course, but after 30 minutes (I believe) the script would ask for my password again.
What would be the best way to avoid this?
For example, I could run my script as root. But that seems to lead to problems with Vopono (from the issues I've read). Besides that, for the obvious reasons, I'd like to avoid running my script as root.
Another option would be to switch to passwordless sudo (disabling the requirement to enter the password when executing a command via `sudo`), which I would like to avoid as well. It seems the SUDO_ASKPASS environment variable could be used to provide the password, but I'm not sure how to do this securely.
The last option I see would be to set `NOPASSWD` only for `/usr/bin/vopono` via `sudoers`:
`my_user host_name=NOPASSWD: /usr/bin/vopono`
This looks the most promising to me, but I never did something like this, and I have no clue if that would be secure.
Is there any way an attacker that got access to my system could use Vopono to execute arbitrary commands? Vopono seems to interact with several complex systems, so I guess even you can't be sure about that, but I may be wrong.
If this option turns out to be secure, I believe it would be good to add it to the `systemd` section of the user guide. You are mentioning passwordless sudo access, but I interpreted this as "passwordless sudo access for everything". But maybe this interpretation is wrong, and you meant setting `NOPASSWD` only for `vopono`.
Thanks again for your work! :)
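The question above (and the maintainer's later remark that Vopono itself executes arbitrary commands) comes down to how much a `NOPASSWD` rule really grants. As an added illustration, not code from this thread or from the vopono project, the following script parses the simple `user host=(runas) TAG: cmd, cmd` form of sudoers rules and classifies each `NOPASSWD` grant: `ALL`, or a command that can run arbitrary programs (such as `vopono exec`), is reported as equivalent to unrestricted passwordless root. The `ARBITRARY_EXEC` set and the sample sudoers text are constructed assumptions for the demo, not a vetted list.

```python
"""Audit sudoers-style rules for NOPASSWD grants (added example, not vopono code)."""
import re
from dataclasses import dataclass

# Commands that execute arbitrary other commands. A NOPASSWD grant on one of
# these is equivalent to "NOPASSWD: ALL" for that user. vopono is listed here
# because `vopono exec` runs whatever command line it is given.
# Assumption for this demo: extend the set for your own environment.
ARBITRARY_EXEC = {
    "/usr/bin/vopono", "/usr/bin/env", "/bin/sh", "/bin/bash",
    "/usr/bin/sudo", "/usr/bin/su",
}

# user host=(runas) TAG: cmd, cmd   (runas and tags are optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample, not a real sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample for the demo
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
my_user host_name=NOPASSWD: /usr/bin/vopono
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl restart privoxy, /usr/bin/journalctl -u privoxy
"""


@dataclass
class Finding:
    user: str
    host: str
    commands: list
    severity: str  # "critical" or "info"
    reason: str


def parse_rule(line):
    """Return (user, host, tags, commands) for one user-spec line, else None.

    Comments, blank lines, Defaults and alias definitions are skipped.
    """
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(
        ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
    ):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return m.group("user"), m.group("host"), tags, cmds


def classify(user, host, tags, cmds):
    """Rate a NOPASSWD grant by what it effectively permits; None if it needs a password."""
    if "NOPASSWD" not in tags:
        return None
    heads = [c.split()[0] for c in cmds]  # executable path, arguments dropped
    if "ALL" in heads:
        return Finding(user, host, cmds, "critical", "passwordless sudo for any command")
    risky = sorted(set(heads) & ARBITRARY_EXEC)
    if risky:
        return Finding(
            user, host, cmds, "critical",
            f"passwordless sudo for {', '.join(risky)}, which can run arbitrary commands as root",
        )
    return Finding(
        user, host, cmds, "info",
        "passwordless sudo limited to listed commands; review each for shell escapes",
    )


def audit(text):
    """Return the list of Findings for every NOPASSWD rule in a sudoers text."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            finding = classify(*parsed)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user}@{f.host}: {f.reason} ({', '.join(f.commands)})")
```

Run against the constructed sample, the `my_user` rule from the question is rated the same as `alice`'s `NOPASSWD: ALL`, while `bob`'s rule on two fixed commands is only informational. Real sudoers files also use aliases, `#include` directives and negation, which this parser deliberately does not handle; `sudo -l -U user` on the host is the authoritative view.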