Kill switch script requires elevation

ivy

Posts: 1
Joined: Thu Oct 29, 2020 12:52 am

Post by ivy » Thu Oct 29, 2020 12:59 am
Hello,

I am trying to use the kill switch script as described in the knowledge base. This is what my bat file looks like.
Code:
netsh interface set interface "Ethernet" admin=DISABLED
The problem is that it does not work unless it is run with right click and "Run as administrator". I followed the guide through. This is what my configuration file in Viscosity includes:
Code:
route-pre-down "C:\\Program Files\\Common Files\\Viscosity\\Scripts\\disable-network.bat"
I tried to run the script itself; it works with administrator rights. However, nothing happens when I run it via Viscosity. Am I missing a step here?

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Oct 29, 2020 11:01 am
Hi ivy,

Please ensure you have followed all the steps here or the route-pre-down script will not run - https://sparklabs.com/support/kb/articl ... ect-occurs

The log may also have information on why the script is not run - https://sparklabs.com/support/kb/articl ... envpn-log/

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

HelplessRube

Posts: 7
Joined: Mon Jan 04, 2021 7:50 am

Post by HelplessRube » Mon Jan 04, 2021 8:01 am
I'm also having problems with this. I'm using Viscosity 1.9 (1695) on two different computers - Windows 10 x86 64 bit and Windows 10 ARM 64.

On the x86 system, the SparkLabs instructions work fine, but on the ARM 64 system, the command fails with an error:

WARNING: Failed running command (--up/--down): returned error code 1

I'm pretty sure I'm following all of the posted instructions. The script works when called directly from an elevated command prompt.

Has anyone else gotten this to work in Windows 10 ARM? Any chance this is a bug in the ARM version?

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Jan 04, 2021 9:13 am
Hi HelplessRube,

As a test to ensure you have configured everything correctly, please go to Preferences -> Advanced and enable "Allow unsafe OpenVPN commands to be used".

There is no reason why this shouldn't be working on ARM64 specifically; however, we will investigate when we can to make sure.

Regards,
Eric

HelplessRube

Posts: 7
Joined: Mon Jan 04, 2021 7:50 am

Post by HelplessRube » Mon Jan 04, 2021 11:44 am
I have tried either way - same error code.

BTW - it wasn't clear to me whether this setting was necessary. The instructions don't refer to enabling this setting, and the x86 version worked fine without enabling it.

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Jan 04, 2021 12:37 pm
Hi HelplessRube,

All that should be required is the AllowOpenVPNScripts setting to be set.

We've just run through a test on ARM64. The only change that was necessary, which we will update the documentation and Viscosity in the next beta to reflect in messages, is using "Program Files (x86)" instead of "Program Files" for the script path, as the Service still runs somewhat in x86 mode. Please try changing your script location and path in the configuration to "C:\Program Files (x86)\Common Files\Viscosity\Scripts". Please ensure you are copying files around, not moving them, otherwise they will retain their user permissions and the service will not deem them secure to run, even with Allow Unsafe Commands checked.

If you're still having issues, could you please post a complete copy of your log as well as your configuration (Shift+Right click the connection and select View Configuration Data)? You're welcome to censor anything private.

https://sparklabs.com/support/kb/articl ... ect-occurs

Regards,
Eric

HelplessRube

Posts: 7
Joined: Mon Jan 04, 2021 7:50 am

Post by HelplessRube » Mon Jan 04, 2021 2:19 pm
Thanks for the support. I'm still having a couple of issues.

First, looks like I do have to turn on the "Allow unsafe OpenVPN commands to be used" setting. If I don't, the connections refuse to start and give the error:
Error: The OpenVPN script is not located in the required directory (C:\Program Files\Common Files\Viscosity\Scripts). Only scripts installed in this directory (or sub-directory) can be used. Please move the script, or enable the "Allow unsafe OpenVPN commands to be used" option.
So, I'm guessing additional file paths may need to be white-listed to support this situation for ARM64.

Second, it is still not working for me with the new path. I still get the same error as before when calling the script with the new path, once "unsafe scripts" is enabled.

I'm running the 21277 prerelease build with 64 bit emulation, so not sure if that would throw a further wrench into the works here as to path being referenced.

Here is the disconnect log:
Code:
Jan 03 9:52:56 PM: State changed to Disconnecting
Jan 03 9:52:56 PM: SIGTERM received, sending exit notification to peer
Jan 03 9:52:57 PM: C:\Program Files (x86)\Common Files\Viscosity\Scripts\disable-network.bat [address] [#] [#] [ip] 255.255.255.0 init
Jan 03 9:52:57 PM: WARNING: Failed running command (--up/--down): returned error code 1
Jan 03 9:52:57 PM: State changed to Disconnected
Jan 03 9:52:57 PM: State changed to Disconnected
Here is config data:
Code:
#-- Config Auto Generated By Viscosity --#

#viscosity protocol openvpn
#viscosity name [name]
#viscosity autoreconnect false
#viscosity dns automatic
#viscosity usepeerdns true
#viscosity manageadapter true
#viscosity startonopen false
remote [ip] 1194 udp
nobind
dev tun
tun-mtu 1500
ping 15
ping-restart 0
persist-tun
persist-key
pull
auth-user-pass
tls-client
ca ca.crt
remote-cert-tls server
tls-auth ta.key 1
proto udp
route-pre-down "C:\\Program Files (x86)\\Common Files\\Viscosity\\Scripts\\disable-network.bat"
dev-node [node]
auth SHA512
cipher AES-256-CBC
fast-io
verb 3
comp-lzo no
reneg-sec 0
ping-timer-rem
mssfix 1450
tun-mtu-extra 32
remote-random
resolv-retry infinite

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Jan 04, 2021 2:52 pm
Hi HelplessRube,
HelplessRube wrote (Mon Jan 04, 2021 2:19 pm):
> I'm running the 21277 prerelease build with 64 bit emulation, so not sure if that would throw a further wrench into the works here as to path being referenced.
I'm afraid it does. In this case, it should be looking in C:\Program Files\Common Files, rather than x86 on the current release versions of Windows. More importantly, there are bugs in the emulator at the moment that can cause issues; for example, in this case batch is probably trying to run ARM64 netsh from an x64 shell, which may be why it's failing outright if that functionality hasn't been added to the emulator yet. We'd be interested to know if a simpler script, for example "echo test > C:\test.txt", would work.

Until these features make their way into pre-release builds, we can't commit development time to them as they are subject to change, usually in huge ways. If you can force ViscosityService and Viscosity to run 32-bit, this may resolve this specific issue.

Getting rid of the last snippets of non-ARM64-native code in Viscosity is on our agenda for a future release.

Regards,
Eric

HelplessRube

Posts: 7
Joined: Mon Jan 04, 2021 7:50 am

Post by HelplessRube » Mon Jan 04, 2021 4:06 pm
Thanks for the information. The simple "test" script does work.

HelplessRube

Posts: 7
Joined: Mon Jan 04, 2021 7:50 am

Post by HelplessRube » Thu Jan 07, 2021 6:29 am
Here is a script that ended up working for me:
Code:
"C:\Windows\SysWOW64\netsh.exe" interface set interface "Wi-Fi" admin=DISABLED
The call to this specific netsh executable succeeds, while a call to "C:\Windows\System32\netsh.exe" fails.
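
Added example (not from the thread and not SparkLabs code): a variant of the working script above that calls netsh only by absolute path, tries the SysWOW64 binary that succeeded first, and records the shell architecture and each exit code so a "returned error code 1" can be traced to a specific binary. The interface name "Wi-Fi" is taken from the post above; the log file name, and the assumption that the service account can write to the script's own directory, are hypothetical.

```bat
@echo off
rem Added example: kill switch with explicit netsh paths and exit-code logging.
rem Assumptions: interface name and log file name below; adjust to your system.
setlocal EnableDelayedExpansion
set "IFACE=Wi-Fi"

rem Log next to the script, in the protected Scripts directory (%~dp0), so
rem unprivileged users cannot pre-create or tamper with the log file.
set "LOG=%~dp0killswitch.log"

rem PROCESSOR_ARCHITEW6432 is only set when this shell is an emulated (WOW64) process.
>>"%LOG%" echo [%DATE% %TIME%] start arch=%PROCESSOR_ARCHITECTURE% host=%PROCESSOR_ARCHITEW6432%

rem Fully qualified binaries only: a script launched by a service should not
rem depend on PATH. Candidates that do not exist from this shell are skipped.
for %%N in (
    "%SystemRoot%\SysWOW64\netsh.exe"
    "%SystemRoot%\Sysnative\netsh.exe"
    "%SystemRoot%\System32\netsh.exe"
) do (
    if exist "%%~N" (
        "%%~N" interface set interface "!IFACE!" admin=DISABLED >>"%LOG%" 2>&1
        set "RC=!ERRORLEVEL!"
        >>"%LOG%" echo [!DATE! !TIME!] %%~N returned !RC!
        if "!RC!"=="0" exit /b 0
    )
)

rem A non-zero exit code is what OpenVPN reports as "Failed running command".
>>"%LOG%" echo [%DATE% %TIME%] no netsh candidate disabled "%IFACE%"
exit /b 1
```

The first log line shows which architecture the shell spawned by the service runs as, which is the detail the ARM64 discussion above turned on.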