protonvpn-cli: decrease OpenVPN privileges?

Post by Glosoli » Fri Nov 09, 2018 12:11 pm

When setting up protonvpn-cli, it asks if I want to "Decrease OpenVPN privileges". What does it mean? Should I choose yes or no?

Post by redlined » Fri Nov 09, 2018 1:59 pm

Glosoli wrote:
Fri Nov 09, 2018 12:11 pm
When setting up protonvpn-cli, it asks if I want to "Decrease OpenVPN privileges". What does it mean? Should I choose yes or no?
hi Glosoli!

Please know that I am new to Linux, although I have used VPN (especially OpenVPN) for a long time in Windows. So please take the following as considerations rather than advice coming from a knowledgeable user. Saying that...

Normally OpenVPN runs as root; it sounds as if protonvpn-cli configures ovpn to run with lower privilege, probably by invoking --user and --group settings, and as long as the protonvpn-cli script implements this correctly there should be no issue. However, if not done correctly then your VPN may not be able to reconnect in that session, since it would no longer have the permissions required to. To make matters worse, if the VPN drops for any reason, coupled with a failure to reconnect, you may end up with a straight-through connection to the internet, made in the background to restore internet connectivity, unless precautions are taken to block all connections except those through the VPN (TUN or TAP) adapter.

Couple considerations for you:
Is there a reason you want to use the protonvpn-cli instead of Network Manager (NM) for creating and managing your VPN connection?

The reason I ask is twofold. NM at least has a visible VPN indicator (small lock on lower right corner of NM tray icon), as well as options to reconnect automagically, and has notifications letting you know if/when a connection is made or dropped. The second reason is I didn't like what I read about the proton client on reddit, both the OP and the comment from user "ProtonMail" found here: https://www.reddit.com/r/ProtonVPN/comm ... tonvpncli/

If you want NM to handle the task, which it does very nicely, then follow the provider's steps in generating a config to import into NM on this page:
https://protonvpn.com/support/linux-vpn-setup/ in particular follow the Usage "Option A: Linux VPN setup using the Network Manager" instructions.

If your preference is set on using protonvpn-cli then the best bet may be to ask the dev team, they do appear very helpful and responsive as seen in the 289 comments to their support page posting: https://protonvpn.com/support/linux-vpn-tool/

Hope this helps!
Moem kōan 42: Should tool manufacturers be required to fix their products so that you cannot use their saws to cut the tree branch that you're sitting on?

(The answer to the ultimate question of life, the universe and everything is... 42!!;)
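
Added example, not part of the thread and not protonvpn-cli's own code: the post above names OpenVPN's --user and --group options and the risk that a de-privileged daemon cannot reconnect. The script below audits a config for that case, on the assumption (taken from the OpenVPN manual, not from the protonvpn-cli script) that persist-tun and persist-key are what let the daemon restart after the drop; the function name, sample configs and hostname are constructed.

```sh
#!/bin/sh
# Added example: audit an OpenVPN client config (on stdin) for a privilege
# drop that still lets the daemon restart the tunnel. One finding per line.
audit_privdrop() {
    awk '
        NF == 0 || $1 ~ /^[#;]/ { next }      # skip blank lines and comments
        { seen[$1] = 1 }
        $1 == "user" { user = $2 }
        END {
            drop = seen["user"] && user != "root"
            if (!drop) { print "WARN: no non-root user directive, daemon keeps root"; bad = 1 }
            if (drop && !seen["group"]) { print "WARN: user set without group"; bad = 1 }
            # Once de-privileged, the daemon cannot reopen the TUN/TAP device or
            # re-read root-only key files, so a restart needs both kept open.
            if (drop && !seen["persist-tun"]) { print "WARN: persist-tun missing, restart would have to reopen the tun device"; bad = 1 }
            if (drop && !seen["persist-key"]) { print "WARN: persist-key missing, restart would have to re-read key files"; bad = 1 }
            if (!bad) print "OK: drops to " user " and can restart without root"
            exit bad + 0
        }'
}

# Constructed sample configs (hostname is a placeholder).
sample_dropped() {
    cat <<'EOF'
client
dev tun
remote vpn.example.invalid 1194 udp
user nobody
group nogroup
persist-key
persist-tun
EOF
}

sample_fragile() {
    cat <<'EOF'
client
dev tun
remote vpn.example.invalid 1194 udp
user nobody
group nogroup
EOF
}

sample_dropped | audit_privdrop
sample_fragile | audit_privdrop || true
```

The function exits non-zero when it prints any WARN line, so it can gate a connect script.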

Post by Glosoli » Fri Nov 09, 2018 3:03 pm

Hi Redlined, thanks for replying.

The reason I prefer to use protonvpn-cli is because I always get DNS leaks with NM. I used to know a workaround for the DNS leaks on Mint 18.3, but it doesn't work anymore on Linux Mint 19.

As for the risk of the VPN disconnecting, I've set up Firewall rules, so that all my traffic goes through the VPN and it blocks everything in case the VPN drops.

Post by redlined » Fri Nov 09, 2018 3:34 pm

Glosoli wrote:
Fri Nov 09, 2018 3:03 pm
Hi Redlined, thanks for replying.

The reason I prefer to use protonvpn-cli is because I always get DNS leaks with NM. I used to know a workaround for the DNS leaks on Mint 18.3, but it doesn't work anymore on Linux Mint 19.

As for the risk of the VPN disconnecting, I've set up Firewall rules, so that all my traffic goes through the VPN and it blocks everything in case the VPN drops.

Ah yes, DNS leaking is a bit harder to prevent in Linux (versus using the block-outside-dns ovpn setting for Windows)... However, it can be done using NM by setting the ethernet or wifi adapter to use no DNS, either static IP address or DHCP Address only (and leave DNS blank). Then enforce that system-wide with firewall rules to block all in/out on all except the TUN (or TAP) adapter created for OpenVPN to operate on.
for example, when I run sudo ufw status verbose I get:

Code:

anyuser@OEMTUFFBOOK:~$ sudo ufw status verbose
[sudo] password for anyuser: 
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0          
1194/udp                   ALLOW OUT   Anywhere                  
anyuser@OEMTUFFBOOK:~$ 

(Note: the 1194/UDP rule is to allow OpenVPN to reconnect to the VPN server after drops. These rules are obviously very permissive, but for my intents and purposes it works, for now :D)

For more on this see the good discussion and advice from phd21 and pippin in my thread here: [SOLVED] UFW script for VPN drop protection (kill switch)
Moem kōan 42: Should tool manufacturers be required to fix their products so that you cannot use their saws to cut the tree branch that you're sitting on?

(The answer to the ultimate question of life, the universe and everything is... 42!!;)
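
Added example, not part of the thread: a check of the kill-switch property described in the post above (default deny outgoing, egress only on the tunnel adapter), run over the `ufw status verbose` output quoted there plus a constructed counter-example. The function and sample names are illustrative; the check also lists the 1194/udp rule the post itself calls permissive, because that rule allows UDP to port 1194 on any host outside the tunnel.

```sh
#!/bin/sh
# Added example: audit `ufw status verbose` output (on stdin) as a VPN kill
# switch. $1 is the tunnel interface name (default tun0).
audit_killswitch() {
    awk -v ifc="${1:-tun0}" '
        /^Default:/ && /(deny|reject) \(outgoing\)/ { denyout = 1 }
        / ALLOW OUT / {
            # A rule ending in "on <ifc>" only permits traffic inside the tunnel.
            if ($(NF-1) == "on" && $NF == ifc) tunnel++
            else { offtun++; print "REVIEW: egress allowed outside " ifc ": " $1 }
        }
        END {
            if (!denyout) { print "FAIL: default outgoing policy is not deny"; bad = 1 }
            if (!tunnel)  { print "FAIL: no ALLOW OUT rule bound to " ifc; bad = 1 }
            if (!bad) printf "OK: default deny out, %d tunnel rule(s), %d off-tunnel rule(s)\n", tunnel, offtun
            exit bad + 0
        }'
}

# The rule set quoted in the post above.
sample_post_rules() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
Anywhere                   ALLOW OUT   Anywhere on tun0
1194/udp                   ALLOW OUT   Anywhere
EOF
}

# Constructed counter-example: ufw defaults, where outgoing traffic is allowed.
sample_default_rules() {
    cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
EOF
}

sample_post_rules | audit_killswitch tun0
sample_default_rules | audit_killswitch tun0 || true
```

On a live system the same function reads the real rule set with `sudo ufw status verbose | audit_killswitch tun0`.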

Post by Glosoli » Fri Nov 09, 2018 4:30 pm

hey, that's a lot of interesting and useful info.
I'll read the thread and try and improve my knowledge on the matter.

Thank you for your help :D

Post by phd21 » Fri Nov 09, 2018 5:13 pm

Hi Glosoli,

I just read your post and the good replies to it. Here are my thoughts on this as well.

I set up the protonvpn-cli on my system as well and I do not remember it asking if I want to "Decrease OpenVPN privileges".

To install this open a console terminal, type in, or copy & paste, each line below one by one: Click "Select All" above command, right-click the highlighted command, select Copy (or Ctrl+Insert), click in the console terminal window, and right click paste ("Shift+Insert" or "Ctrl+Shift+v"), repeat for each command.

Install dependencies:

Code:

sudo apt-get install dialog python wget

Install the ProtonVPN Linux Client:

Code:

wget "https://github.com/ProtonVPN/protonvpn-cli/raw/master/protonvpn-cli.sh" -O "protonvpn-cli.sh" && sudo bash protonvpn-cli.sh --install

If you have already tried to install the ProtonVPN client and it failed, or you want a newer version, then run the command below before re-running the installation command again.

Code:

sudo rm -r protonvpn-cli

On Nov 4, 2018 I received a message saying they added an option "-m" for a menu to their Linux client.

Code:

pvpn -m

You can use the Network Manager (NM) to "import vpn" for ProtonVPN servers without DNS leaks as well, see link below.
[SOLVED]How to fix dns leaks? - Linux Mint Forums
viewtopic.php?f=157&t=270477&hilit=resolvconf


Hope this helps ...
Phd21: Mint KDE 17.3 & 18.3, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

Post by Glosoli » Sat Nov 10, 2018 8:28 pm

phd21 wrote:
Fri Nov 09, 2018 5:13 pm
I set up the protonvpn-cli on my system as well and I do not remember it asking if I want to "Decrease OpenVPN privileges".
Hi phd21, thanks for replying.

I believe they introduced it with the latest update. You'd only notice when creating a new profile.
Also, thanks for letting me know about the thread on DNS leaks. It was an interesting and useful read.

Post by phd21 » Sat Nov 10, 2018 8:49 pm

Hi Glosoli,

You are welcome...

After replying to your post I ran the instructions I quoted for installing the "protonvpn-cli" (removed older version first) and it worked fine and updated to the newer version.
Post by Glosoli » Sat Nov 10, 2018 10:35 pm

phd21 wrote:
Sat Nov 10, 2018 8:49 pm
Hi Glosoli,

You are welcome...

After replying to your post I ran the instructions I quoted for installing the "protonvpn-cli" (removed older version first) and it worked fine and updated to the newer version.
Did you choose to decrease openVPN privileges?

Post by phd21 » Sat Nov 10, 2018 11:00 pm

Hi Glosoli,

I have never been asked that question when installing this on my KDE systems.