Here is a useful freeopenvpn batch script which skip UAC & which works for everyone (I think)

Discussion:

(too old to reply)

Bill Powell

2024-02-21 07:23:18 UTC

A few times a day I use the script below to connect to a free VPN named
https://www.freeopenvpn.org/

It's open to everyone without needing to create an account.
So this script, if improved, would greatly benefit everyone using it.

Most of freeopenvpn setup is static, but the password changes constantly.
Config: USA_freeopenvpn_tcp.ovpn (the contents change about twice a year)
Username: freeopenvpn (this remains the same for years)
Password/PIN: This 9-digit number changes a few times a day

For the username and password, I usually add this line to the config files:
for %f in (*.ovpn) do type C:\freeopenvpn\freeopenvpninclude.txt >> %f
Where the "freeopenvpninclude.txt" file contains this single line:
auth-user-pass C:\\freeopenvpn\\freeopenvpnauthuserpass.txt
And where the "freeopenvpnauthurserpass.txt" file contains two lines:
freeopenvpn
123456789
Where nothing changes quickly except that one 9-digit password above.

I don't use the OpenVPN GUI since I connect to the VPN via
doubleclicking the batch file below, whose last line is
what skirts around the Windows UAC popups (yes, I know, if you
don't like that part, just uncomment the part above it then),
and I don't feel like typing the VPN password each time which
is the second point of having the script (instead of the OpenVPN GUI).

Here's the current short script which, if the username/password
is already set, will work for anyone without need for user input.

RUN-ONLY BATCH SCRIPT:
@echo off
set configfile=USA_freeopenvpn_tcp.ovpn
REM set configfile=USA_freeopenvpn_udp.ovpn
set configcmd=C:\Program Files\OpenVPN\bin\openvpn.exe
set configdir=C:\freeopenvpn\config\
REM %configcmd% %configdir%%configfile%
c:\windows\system32\runas.exe /user:administrator /savecred "%configcmd% %configdir%%configfile%"

But a few times a day, the 9-digit password changes so user input
is required. To do that, I run this setup-and-run script instead.

SETUP-AND-RUN BATCH SCRIPT:
@echo off
echo "Append the username/password to all freeopenvpn ovpn config files"
echo "auth-user-pass C:\\freeopenvpn\\freeopenvpnauthuserpass.txt"
pause
echo "Get the latest 9-digit password from https://www.freeopenvpn.org/premium.php"
"C:\Users\username\AppData\Local\Epic Privacy Browser\Application\epic.exe" "https://www.freeopenvpn.org/premium.php" &
set /p user_input=Enter 9-digit password here"
echo %user_input%
REM it might be nice to count the number of digits to ensure it's 9 in number
pause
echo "Paste that latest 9-digit password into the freeopenvpnauthuserpass.txt file"
C:\Windows\notepad.exe "C:\\freeopenvpn\\freeopenvpnauthuserpass.txt" &
pause
cd C:\\freeopenvpn\
set configfile=USA_freeopenvpn_tcp.ovpn
REM set configfile=USA_freeopenvpn_udp.ovpn
set configcmd=C:\Program Files\OpenVPN\bin\openvpn.exe
set configdir=C:\freeopenvpn\config\
REM %configcmd% %configdir%%configfile%
c:\windows\system32\runas.exe /user:administrator /savecred "%configcmd% %configdir%%configfile%"

The reason this is posted is to help others connect to the same free
freeopenvpn VPN service without needing to invoke the OpenVPN GUI.

While I'm well aware that some people won't like that it bypasses
UAC, all they have to do to NOT bypass UAC is uncomment the
penultimate line and comment out the last line so that's not where
improvements are going to be found (unless you have a better solution,
which, yes, I know, involves shortcuts & the Windows task manager).

But that's complicated.
This is simple.
And I'm not worried about my kids or my dog accessing my computer.

If you can improve this file (other than the UAC part), then that
would be useful to thousands of people since it works for everyone.

AllanH

2024-02-21 09:40:56 UTC

Permalink

Post by Bill Powell
A few times a day I use the script below to connect to a free VPN named
https://www.freeopenvpn.org/
It's open to everyone without needing to create an account.
So this script, if improved, would greatly benefit everyone using it.
Most of freeopenvpn setup is static, but the password changes constantly.
Config: USA_freeopenvpn_tcp.ovpn (the contents change about twice a year)
Username: freeopenvpn (this remains the same for years)
Password/PIN: This 9-digit number changes a few times a day
for %f in (*.ovpn) do type C:\freeopenvpn\freeopenvpninclude.txt >> %f
auth-user-pass C:\\freeopenvpn\\freeopenvpnauthuserpass.txt
freeopenvpn
123456789
Where nothing changes quickly except that one 9-digit password above.
I don't use the OpenVPN GUI since I connect to the VPN via
doubleclicking the batch file below, whose last line is
what skirts around the Windows UAC popups (yes, I know, if you
don't like that part, just uncomment the part above it then),
and I don't feel like typing the VPN password each time which
is the second point of having the script (instead of the OpenVPN GUI).
Here's the current short script which, if the username/password
is already set, will work for anyone without need for user input.
@echo off
set configfile=USA_freeopenvpn_tcp.ovpn
REM set configfile=USA_freeopenvpn_udp.ovpn
set configcmd=C:\Program Files\OpenVPN\bin\openvpn.exe
set configdir=C:\freeopenvpn\config\
REM %configcmd% %configdir%%configfile%
c:\windows\system32\runas.exe /user:administrator /savecred "%configcmd% %configdir%%configfile%"
But a few times a day, the 9-digit password changes so user input
is required. To do that, I run this setup-and-run script instead.
@echo off
echo "Append the username/password to all freeopenvpn ovpn config files"
echo "auth-user-pass C:\\freeopenvpn\\freeopenvpnauthuserpass.txt"
pause
echo "Get the latest 9-digit password from https://www.freeopenvpn.org/premium.php"
"C:\Users\username\AppData\Local\Epic Privacy Browser\Application\epic.exe" "https://www.freeopenvpn.org/premium.php" &
set /p user_input=Enter 9-digit password here"
echo %user_input%
REM it might be nice to count the number of digits to ensure it's 9 in number
pause
echo "Paste that latest 9-digit password into the freeopenvpnauthuserpass.txt file"
C:\Windows\notepad.exe "C:\\freeopenvpn\\freeopenvpnauthuserpass.txt" &
pause
cd C:\\freeopenvpn\
set configfile=USA_freeopenvpn_tcp.ovpn
REM set configfile=USA_freeopenvpn_udp.ovpn
set configcmd=C:\Program Files\OpenVPN\bin\openvpn.exe
set configdir=C:\freeopenvpn\config\
REM %configcmd% %configdir%%configfile%
c:\windows\system32\runas.exe /user:administrator /savecred "%configcmd% %configdir%%configfile%"
The reason this is posted is to help others connect to the same free
freeopenvpn VPN service without needing to invoke the OpenVPN GUI.
While I'm well aware that some people won't like that it bypasses
UAC, all they have to do to NOT bypass UAC is uncomment the
penultimate line and comment out the last line so that's not where
improvements are going to be found (unless you have a better solution,
which, yes, I know, involves shortcuts & the Windows task manager).
But that's complicated.
This is simple.
And I'm not worried about my kids or my dog accessing my computer.
If you can improve this file (other than the UAC part), then that
would be useful to thousands of people since it works for everyone.

This looked like an interesting way to use OpenVPN.
I'm having a problem with the SETUP-AND-RUN BATCH SCRIPT.
I modified the URL that displays the password to https://www.freeopenvpn.org/premium.php?cntid=USA&lang=en.
The original URL redirected to https://www.freeopenvpn.org/.
If the browser window is not already open, the user input will not work.
If it is open, it works fine.
Do you know the reason for that?

--
Using Opera's mail client:
https://web.archive.org/web/20130226002115/http://www.opera.com/mail/
https://web.archive.org/web/20130709005515/http://help.opera.com/Windows/12.10/en/mail.html
https://web.archive.org/web/20130223015023/http://www.opera.com/browser/tutorials/mail/

Bill Powell

2024-02-21 20:10:10 UTC

Permalink

Post by AllanH
This looked like an interesting way to use OpenVPN.

It's universal. Should work for everyone. Free VPN. Any time they want.

The goal, always, is to duplicate in batch what you already do manually.
The problem, always, is Windows 10 is designed for manual use (not batch).

You need to flip a few trick switches in Windows to make it batching work.
So if it doesn't work for you - it's probably one of those trick switches.

BTW, there is one "magic" keyboard button which you MUST KNOW ABOUT!

It's the magic "F4" button. When you close an openvpn log Window, all the
normal Windows methods work - but - eventually they screw up your route.

Don't ask me why because I don't know why not closing with "F4" eventually
screws up the route (if you do it enough, and I do it all day every day).

So always use the magic "F4" key to close any working openvpn log window!

However, if the VPN connection isn't working, for example on an expired
password, then you can close the batch openvpn log window any way you like.

Post by AllanH
I'm having a problem with the SETUP-AND-RUN BATCH SCRIPT.

But does the plain short run script work?
Because if the simple script doesn't work, the "fancy" script can't.

The reason is the aforementioned Windows tricks to make batching work.

Post by AllanH
I modified the URL that displays the password to https://www.freeopenvpn.org/premium.php?cntid=USA&lang=en.
The original URL redirected to https://www.freeopenvpn.org/.

Great idea. THANK YOU FOR IMPROVING batching for everyone, plus for me!

As you obviously noticed, the original script required an extra keyclick
once the web browser popped up. Let me try your improvement URL first.

Test1: Manual (start Epic Privacy Browser & paste in the suggested URI)
https://www.freeopenvpn.org/premium.php?cntid=USA&lang=en

When batching, I have a devil of a time escaping funky characters,
which is why I can't put the following into a REM statement.
REM for %f in (*.ovpn) do type C:\freeopenvpn\include.txt >> %f
And I can't get that to work inside the batch script for some reason.

Probably I need double backslashes but the percent sign is causing
problems in the REM statement so I have to escape that % somehow.

Which is too bad, because that append step should also be automatic,
even though it's only needed about once every six months or so, and
even though there are only two freeopenvpn configuration files (tcp,udp).

But your funky characters worked fine without extra escape escapades.

Test2: With the web browser already open, run the setup-and-run script:
This worked (password was 327112703) where you may have noticed the
script should automatically add the password but I don't know how
to do that in batch so I echo it to the screen for a cut and paste.

THANK YOU for the improvement which knocked off one button press!

Test3: With the web browser NOT already open, run it again.
Well, that worked perfectly. It brought up the browser & to the right page.

Post by AllanH
If the browser window is not already open, the user input will not work.
If it is open, it works fine.
Do you know the reason for that?

See above. It worked fine for me whether or not the browser was already
open. I used the Epic Privacy Browser but I don't see how that matters.
https://cdn.epicbrowser.com/v120/mini_installer.exe

Since it's a universal script, maybe someone else can check it as I've been
using these batch methods for freeopenvpn so long I forget all the Windows
switches I had to flip in order to turn Windows (which is a graphical user
interface) into a batch user interface (see my other post in this thread).

Having said that, thank you for eliminating one keystroke.

There are two others we can figure out how to remove maybe together.
1. At the beginning, check if the authuserpass is already added,
and if not, add it automatically (but this only is needed once
every few months, and there are only one or two config files involved).

2. When getting the password, after typing it, I echo it and then
I copy it into my clipboard and then when the editing window
comes up, I paste it into that Notepad (or vim) editing window.

But it would be nice to just wipe out the existing password
in the two-line file to automatically put this new password in.

Or... just replace the password authuserpass within the actual
config file which will be run at the end of the script.

There were three extra button pushes, where you eliminated one.
So those are the only two extra button pushes left to eliminate.

AllanH

2024-02-21 21:37:26 UTC

Permalink

Post by Bill Powell

Post by AllanH
If the browser window is not already open, the user input will not work.
If it is open, it works fine.
Do you know the reason for that?

See above. It worked fine for me whether or not the browser was already
open. I used the Epic Privacy Browser but I don't see how that matters.
https://cdn.epicbrowser.com/v120/mini_installer.exe
Since it's a universal script, maybe someone else can check it as I've been
using these batch methods for freeopenvpn so long I forget all the Windows
switches I had to flip in order to turn Windows (which is a graphical user
interface) into a batch user interface (see my other post in this thread).
Having said that, thank you for eliminating one keystroke.
There are two others we can figure out how to remove maybe together.
1. At the beginning, check if the authuserpass is already added,
and if not, add it automatically (but this only is needed once
every few months, and there are only one or two config files involved).
2. When getting the password, after typing it, I echo it and then
I copy it into my clipboard and then when the editing window
comes up, I paste it into that Notepad (or vim) editing window.
But it would be nice to just wipe out the existing password
in the two-line file to automatically put this new password in.
Or... just replace the password authuserpass within the actual
config file which will be run at the end of the script.
There were three extra button pushes, where you eliminated one.
So those are the only two extra button pushes left to eliminate.

I appreciate your detailed reply.
I have a little experience with batch files, but not much experience with VPN Clients.

I tried the batch file with both of my Chromium-based browsers, with the same result.
The user input would work if the browsers were open and would not if they were not open.
I don't know what the problem would be.

Does the last line of your batch file that executes openvpn.exe display anything?
Since it didn't for me, I didn't think it worked correctly.

One reason I may not continue with OpenVPN is it caused an issue with connecting to my Wi-Fi after a reboot.
It's not the type of software I would use very often.

Bill Powell

2024-02-21 22:56:33 UTC

Permalink

Post by AllanH
I appreciate your detailed reply.

Most people give one word answers.
That's because they don't care.
I do.

Post by AllanH
I have a little experience with batch files, but not much experience with VPN Clients.

I guess I'm the opposite. So we can work well together.

The reason I choose the openvpn protocol is the client is well proven.
But notice that almost every openvpn site wants you to use THEIR client.

There's NEVER a reason to use their client.
They want to lock you into using their client.

Where some people are fooled into thinking that client is special.
It's not.

The client I suggest for _all_ openvpn configuration files is this one.
https://openvpn.net/community-downloads/
https://swupdate.openvpn.org/community/releases/OpenVPN-2.6.9-I001-amd64.msi
Name: OpenVPN-2.6.9-I001-amd64.msi
Size: 5369856 bytes (5244 KiB)
SHA256: 0B1DDA1AABA754467A6D7AC4E64E178E783AEC5E7FD717882CF5B296A40320AB

It works for EVERY config file you can find that uses the openvpn protocol.
https://www.freeopenvpn.org/
https://www.vpngate.net/en/
https://www.tunnelbear.com/
https://vanwa.tech/
https://protonvpn.com/

I just tried to find the protonvpn site for the config files, but notice
how extremely difficult they make it for you to _find_ the text configs.
They don't want you to know that's the ONLY thing you need from them!

Here they explain for Linux users how to use openvpn clients.
https://protonvpn.com/download-linux
Where they FINALLY (after ten minutes of searching) show you how to get
the text config files (which is all you ever need with openvpn protocols).
https://protonvpn.com/support/linux-openvpn/

Unfortunately you have to log into their web site to get their config
files which is ridiculous because the whole point is anonymity.
https://protonvpn.com/support/vpn-config-download/

Also vanwa took too long and tunnelbear seems to have the same problem
as does protonvpn which is two problems both of which are artificial.
1. They want you to use their client (but you don't need their client).
2. You have to create an account to get the text configuration files
which defeats the whole purpose of being anonymous while on VPN.

All you ever need, on any platform, is the text configuration file.
And the openvpn client for that platform.

That's it.
They're giving you garbage if they force you to do more than that.

Post by AllanH
I tried the batch file with both of my Chromium-based browsers, with the same result.
The user input would work if the browsers were open and would not if they were not open.
I don't know what the problem would be.

We both agree something funny is going on that shouldn't be happening.
1. We both agree the browser shouldn't matter.
2. And we both agree the link URI shouldn't matter.
3. And we both agree that we shouldn't need the browser to be open.

What happened to me makes no sense, but the first time I tested it,
everything worked fine and even a few more times, but now it hangs.

WTF?
Makes no sense.

But as a result, I believe you.
What we need is for someone else to test it to see what happens to them
now that they're on the lookout for running it a few times in a row.

Post by AllanH
Does the last line of your batch file that executes openvpn.exe display anything?
Since it didn't for me, I didn't think it worked correctly.

In the very end, your original window dies and up pops in its place
another command window so there is only going to be one window at a time.

The last line of THAT openvpn log window will always say (let me check)
OK. The password hasn't changed (327112703) so let's move forward.

This is the last line of _any_ openvpn config file showing it worked.
2024-02-21 22:37:41 Initialization Sequence Completed

However, you could check with a curl if you want to make sure.
%comspec% /k curl ifconfig.me
%comspec% /k curl icanhazip.com

For gory detail, here is the ENTIRE second window (the first just dies).
024-02-21 22:37:29 DEPRECATED OPTION: --max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4. This option will be removed in a future version, please remove it from your configuration.
2024-02-21 22:37:29 OpenVPN 2.5.8 [git:none/0357ceb877687faa] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 2 2022
2024-02-21 22:37:29 Windows version 10.0 (Windows 10 or greater) 64bit
2024-02-21 22:37:29 library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10
2024-02-21 22:37:29 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-02-21 22:37:29 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-02-21 22:37:30 TCP/UDP: Preserving recently used remote address: [AF_INET]85.239.52.173:12352
2024-02-21 22:37:30 UDP link local: (not bound)
2024-02-21 22:37:30 UDP link remote: [AF_INET]85.239.52.173:12352
2024-02-21 22:37:30 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-02-21 22:37:30 VERIFY OK: depth=1, O=5fa2b89021f9231b1afdb036, CN=5fa2b89021f9231b1afdb043
2024-02-21 22:37:30 VERIFY KU OK
2024-02-21 22:37:30 Validating certificate extended key usage
2024-02-21 22:37:30 NOTE: --mute triggered...
2024-02-21 22:37:30 4 variation(s) on previous 3 message(s) suppressed by --mute
2024-02-21 22:37:30 [5fa2b89521f9231b1afdb050] Peer Connection Initiated with [AF_INET]85.239.52.173:12352
2024-02-21 22:37:36 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-02-21 22:37:36 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-02-21 22:37:36 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2024-02-21 22:37:36 NOTE: --mute triggered...
2024-02-21 22:37:36 1 variation(s) on previous 3 message(s) suppressed by --mute
2024-02-21 22:37:36 open_tun
2024-02-21 22:37:36 tap-windows6 device [Local Area Connection] opened
2024-02-21 22:37:36 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.235.0/192.168.235.239/255.255.255.0 [SUCCEEDED]
2024-02-21 22:37:36 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.235.239/255.255.255.0 on interface {8970EFE9-1460-429C-B94D-FD7EAC28BF7C} [DHCP-serv: 192.168.235.0, lease-time: 31536000]
2024-02-21 22:37:36 Successful ARP Flush on interface [16] {8970EFE9-1460-429C-B94D-FD7EAC28BF7C}
2024-02-21 22:37:36 IPv4 MTU set to 1500 on interface 16 using SetIpInterfaceEntry()
2024-02-21 22:37:41 Initialization Sequence Completed

Remember you MUST use the magic "F4" key to close that thing.
If you don't, nothing bad seems to happen, but over time,
your router table is all messed up until you reboot.

So just always close it with the magic "F4" key.

Post by AllanH
One reason I may not continue with OpenVPN is it caused an issue
with connecting to my Wi-Fi after a reboot.

I disagree. I can't imagine how openvpn matters at all.
Once you kill it properly, you're back to where you were.
I think you're not killing it properly.
If you don't kill openvpn properly, you can screw up your router table.
Ask me how I know this.

However, a reboot (in my experience) always cleans up the router table.
Although see below that I reboot without a gateway while others don't do that.

Post by AllanH
It's not the type of software I would use very often.

Again, I do NOT think openvpn is the source of your network issues.
However, as I said, you MUST shut down openvpn windows properly.

In addition, with respect to networking, killswitches are de rigueur.

I have the killswitch set up for that which is from liquidvpn
which I modified for my use many years ago & it works perfectly.
<https://metager.org/meta/meta.ger3?eingabe=liquidvpn%20killswitch>

I have a shortcut on my taskbar that I tap to toggle the gateway.
a. If, for whatever reason, Windows boots
b. Windows boots to no gateway set
c. I tap the killswitch toggle shorcut, and I have a gateway

This is useful when I use torrents, for example, where the process is
a. I go on vpn and then I immediately toggle the gateway
b. This doesn't affect the VPN - nor the local 192.168 network
c. But it prevents anything from going out the router on a non-VPN IP

If, for example, the VPN drops (which happens)
d. The gateway is unset - so the Windows icon goes to offline

Instantly. There is zero delay. It's as perfect as is Mary Poppins.

To get back online, I simply do two things:
e. I kill the bittorrent client
f. I tap the stopsign killswitch toggle on my taskbar
g. Now I'm back online

This ensures that if the VPN drops, there will be no network
outside the local LAN. It seems hard to find the liquidVPN killswitch
(see search above) but there are plenty out there and I already
gave the basic code in another post in this thread.

BTW, in addition, I don't like that Windows update reboots my PC.
On the net.

So I set up Windows to reboot to no gateway at all.
Then I hit the killswitch toggle and only then it's on Wi-Fi.

The killswitch then serves multiple purposes.
The killswitch is also useful for when installing software.
As lots of software phones home.

That software can't phone home if I toggle the killswitch.
You may notice I gave you an offline Epic Browser URL too.
Otherwise you get a netstub which I never use if I can avoid them.

As for the killswitch toggle, it's set up as a Windows scheduled
task & it works absolutely wonderfully forever once you set it up.

I don't know how people live without a killswitch toggle.

Bill Powell

2024-02-21 22:05:39 UTC

Permalink

Post by Bill Powell
Test3: With the web browser NOT already open, run it again.
Well, that worked perfectly. It brought up the browser & to the right page.

I ran the test for AllanH a few more times with the new URI and it does
hang up. Not in the beginning though. But after a few uses. WTF?

I'm going back to the old URL (maybe that's why I did it in the first
place). If someone can test this out, that would be useful to know why.

The old URL works consistently.
https://www.freeopenvpn.org/

The new URI hangs the script after a few independent uses.
https://www.freeopenvpn.org/premium.php?cntid=USA&lang=en

This makes no sense. So it's a browser-interacting-with-a-script issue.

But why would the script work perfectly a few times.
And then hang in the middle after opening the browser?

Without any changes in between?

Newyana2

2024-02-21 14:08:40 UTC

Permalink

"Bill Powell" <***@anarchists.org> wrote

|A few times a day I use the script below to connect to a free VPN named
| https://www.freeopenvpn.org/
|
| It's open to everyone without needing to create an account.
| So this script, if improved, would greatly benefit everyone using it.
|
Personally I'd write a VBScript. Why ride in a horse and buggy when
you have a car? But if DOS is what you know and it works for your,
that's up to you.

I'm posting mainly for something else that people might find
useful. Recently I've been setting up a new computer with
the thought that I might actually switch over to Win10. One
of the more useful tidbits I came across:

I was trying to figure out why drag-drop files didn't work in
my own software. I'd written a simple program to remove all
file restrictions on any folder (recursive) or file dropped into the
path text field of the program window. (Otherwise it's necesary
to browse for the file/folder.)

I thought maybe drag/drop was just broken in Win10. Then I noticed
that it worked on one computer but not another. Very weird. Finally I
figured it out: UAC set to its lowest level is still restricted and
nagging. Worse, it breaks things on Win10. In this case it's that any
object dragged to an elevate process window can't be dropped.
(Win7 doesn't do that.)

It turns out there's something called Limited User Account (LUA)
which is a lock the remains when UAC is turned down. Apparently
there's now a setting in the UAC window for it, but I don't see it
on my system. Yet it's an easy Registry hack:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

Add a 32-bit dword value named EnableLUA, if it's not there. Set the
value to 0. Reboot. Drag-drop then works and it seems to stop the
nags. I'm guessing that setting would save you from problems in your
code. But if you want LUA handcuffs then just leave the code as is.
What does it matter, really? You're only elevating for that occasion.

Bill Powell

2024-02-21 19:31:59 UTC

Permalink

Post by Newyana2
It turns out there's something called Limited User Account (LUA)
which is a lock the remains when UAC is turned down. Apparently
there's now a setting in the UAC window for it, but I don't see it
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
Add a 32-bit dword value named EnableLUA, if it's not there. Set the
value to 0. Reboot. Drag-drop then works and it seems to stop the
nags. I'm guessing that setting would save you from problems in your
code. But if you want LUA handcuffs then just leave the code as is.
What does it matter, really? You're only elevating for that occasion.

Thank you for that information where I also had some irritating Windows
issues years ago when I would select a dozen or two dozen free open vpn
configuration files from vpngate.net to run them in batch, where Windows 10
would run them in sequence, one by one, until one of them worked.

That particular website is designed on purpose to thwart big-nation
censorship so on purpose only some free config files work at any moment.

Specifically, the config files come and go, and then come back, and
then they go again, so they only work for a few days before they
stop working and then they work again, and also often if you run
them multiple times they work so they must be set to work only on the
third or whatever try as there are some that are consistently set.

But no big deal. It's easy to deal with that if you script in batch
reproducing what you do manually - but Windows 10 was designed for
manual use and not for batch use, so you need to set up a few tricks.

The tricks I did are described below - which make it all work smoothly.

1. Install the OpenVPN daemon and batch executable.
https://openvpn.net/community-downloads/
https://swupdate.openvpn.org/community/releases/OpenVPN-2.6.9-I001-amd64.msi
Name: OpenVPN-2.6.9-I001-amd64.msi
Size: 5369856 bytes (5244 KiB)
SHA256: 0B1DDA1AABA754467A6D7AC4E64E178E783AEC5E7FD717882CF5B296A40320AB
2. Obtain any number of openvpn files from vpngate.net using wget.
https://www.vpngate.net/en/
A hundred config filse are available at a time, which rotate constantly.
You can manually obtain them by rightclicking on "OpenVPN Config file".
3. Set the doubleclick-action Windows 10 file association for *.ovpn to
open using the "OpenVPN Daemon" instead of using the "OpenVPN GUI".
4. Set the double-click executable permissions for the openvpn.exe
executable to "Run as administrator" by rightclicking & properties.
5. Optionally set open vpn log windows to open up in the same spot
as you could have twenty open until one works where I haven't
figured out how to killall without killing the one that finally
worked so you want to just click the Windows X to close in one spot.
Right click in the top bar of that running log file to select
"Properties" & go to the "Layout" tab and then position the log
window as you want all of the windows to appear and then uncheck
the checkbox for "Let system position window" & press OK.
6. Add a 32-bit DWORD so you can run more than 15 files at a time.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Name : MultipleInvokePromptMinimum
Type : DWORD
Default : 15 (decimal)
Change to: 50 (decimal)

Given the anti-censorship stance of the vpngate.net web site, that
turns out to be a good use model with almost no manual effort.

a. Daily you wget a few dozen (up to about 50) free config files.
b. You select a bunch (maybe a dozen or so) & rightclick execute.
c. One by one, they open in sequence until one invariably works.

Then you are on VPN, which you can check by running a simple curl.
%comspec% /k curl ifconfig.me
%comspec% /k curl icanhazip.com

Optionally hit the software killswitch to toggle the gateway.
set defgw=192.168.0.1
set "ip="
for /f "tokens=2,3 delims={,}" %%a in ('"WMIC NICConfig where IPEnabled="True" get DefaultIPGateway /value | find "I" "') do if not defined ip set ip=%%~a
IF "%ip%"=="%defgw%" ( %comspec% /c %windir%\system32\route.exe delete 0.0.0.0 %defgw%) ELSE ( %comspec% /c %windir%\system32\route.exe add 0.0.0.0 mask 0.0.0.0 %defgw%)
exit

To get off of VPN, you simply press the magic "F4" keyboard key.
And then you toggle the killswitch (if you optionally employed it)
which sets the gateway back to the original default gateway.

There are about a dozen Windows 10 tricks involved but the end
result is simply duplicating in batch what you already do manually.

Newyana2

2024-02-21 20:53:07 UTC

Permalink

"Bill Powell" <***@anarchists.org> wrote

|
| There are about a dozen Windows 10 tricks involved but the end
| result is simply duplicating in batch what you already do manually.

Wow. I was impressed with myself for making Proton VPN work. :)
But I'm fortunate that I don't need it. I only used it once because
I was on hotel wifi.

Bill Powell

2024-02-21 22:01:44 UTC

Permalink

Post by Newyana2
| There are about a dozen Windows 10 tricks involved but the end
| result is simply duplicating in batch what you already do manually.
Wow. I was impressed with myself for making Proton VPN work. :)
But I'm fortunate that I don't need it. I only used it once because
I was on hotel wifi.

When it comes to VPN, there are two kinds of people (IMHO).
1. The kind of person who just wants to change his IP address.
2. The kind of person who is worried about what he's doing.

I'm only trying to change the IP address. So any free vpn works for me.

I'm not in the least worried about what I'm doing since I'm only trying to
get some privacy out of a web site if I have to visit it with Firefox or
Ungoogled Chromium instead of Epic, Opera or Tor.

The kind who is worried about what he's doing will have far more stringent
requirements of a VPN service than the kind who just wants an IP address.

Now we all know lots of web sites hate proxy IP addresses, so that's where
having the choice of a few thousand free openvpn config files is handy.

I lost my wget script long ago but at the time it would not only get the
vpngate.net config files by the thousands every day, but it would run a
test to delete the stale ones and then it would geolocate the country.

It would put the countries into a folder for each country so I could select
a dozen Germany openvpn config files and one of them would work for me.

While the scripts I provided work for me (which means they work for
everyone as my Windows is just a normal setup), they could be improved.

MUST:
a. I just reproduced the problem that AllanH experienced.
With the old URI, it worked every time but with the new URI,
it works at first, even with a closed browser, but then it hangs.

Makes no sense to me yet why, but I'm going back to the old URI.

SHOULD:
b. It would be nice to automatically modify the password.
Currently I type it, and when it spits it back, I copy/paste that
into the editor that opens up in the next step of the process.

c. It might be useful to add the choice of any number of countries.
https://www.freeopenvpn.org/premium.php?cntid=USA&lang=en
https://www.freeopenvpn.org/premium.php?cntid=UK&lang=en
https://www.freeopenvpn.org/premium.php?cntid=Germany&lang=en

COULD:
d. We could automate adding the authuserpass to a new config file
(but that's only needed once every few months for only two files)
for %f in (*.ovpn) do type C:\\freeopenvpn\freeopenvpninclude.txt >> %f
e. We could automate the first-time-use of 'savecred' for Windows
(but you only need to set the admin password once)
f. We could eliminate /savecred by setting it up as a scheduled task
g. We could give the user the choice of tcp or udp (but who cares?)

What other creeping elegance could improve this for everyone out there?

Peter

2024-02-21 22:14:19 UTC

Permalink

Post by Bill Powell
What other creeping elegance could improve this for everyone out there?

You could add a check for nine characters which are also all numbers.

Oliver

2024-02-21 22:08:55 UTC

Permalink

I would think the batch scripts would work for any free VPN outfit.

ProtonVPN offers free service with lower speeds in three countries.
https://privacycanada.net/best-free-vpn/

Newyana2

2024-02-22 21:26:42 UTC

Permalink

"Oliver" <***@invalid.net> wrote

|
| I would think the batch scripts would work for any free VPN outfit.
|

Maybe. I don't know a lot about this. It sounds like Bill is
using some kind of super-safe service. Proton was just a GUI
requiring a couple of clicks, as I recall. There'd be nothing
to need a script for.

Oliver

2024-02-23 01:46:53 UTC

Permalink

Post by Newyana2
| I would think the batch scripts would work for any free VPN outfit.
|
Maybe. I don't know a lot about this.

All you ever need is the openvpn client and a batch configuration file.

Post by Newyana2
It sounds like Bill is using some kind of super-safe service.

All he's doing is using the openvpn client with a batch config file.

Post by Newyana2
Proton was just a GUI requiring a couple of clicks, as I recall.

Every VPN service tries to get you hooked on their particular GUI.
But their GUI is a proprietary wrapper around OpenVPN underlying code.

The OP's point is you never need the proprietary ProtonMail GUI.
You only need the configuration files & the login/password (if used).

Post by Newyana2
There'd be nothing to need a script for.

The OP isn't using the GUI. He's just clicking on his batch script.

The advantage is that he can mix and match any number of servers as these
config files can be a mix and match of a dozen different VPN services.

All he needs from the various VPN services are the text config files.
With his methods, you can connect to thousands of free VPNs at any time.

AllanH

2024-02-23 08:45:39 UTC

Permalink

Post by Oliver
The OP isn't using the GUI. He's just clicking on his batch script.
The advantage is that he can mix and match any number of servers as these
config files can be a mix and match of a dozen different VPN services.
All he needs from the various VPN services are the text config files.
With his methods, you can connect to thousands of free VPNs at any time.

I wonder what percentage of those with a VPN client use it all the time.
From what I know of them, there is usually a tradeoff with a much lower connection speed.

Oliver

2024-02-23 19:24:23 UTC

Permalink

Post by AllanH
I wonder what percentage of those with a VPN client use it all the time.
From what I know of them, there is usually a tradeoff with a much lower connection speed.

Depends on the use model of course, like everything else you do.

If you need high anonymity, the loss of connection speed of the
tor browser bundle might be worth the inevitable cost in speed.

But some things don't matter if you lose a bit of speed doing them.

An example is posting to usenet where you only need to be on the VPN
service for a few seconds to send and then you can disconnect after that.

Another example is setting up a new account for something like protonmail
which won't allow you to use Tor to set up that account but you can use Tor
after you've already set up the account. They never know your real IP.

Another example is downloading torrents of course, where in that case
you'll be connected for a half hour or so while you're using the VPN,
but this saves you from getting a notice from your ISP from the DMCA.

For those who are on the same VPN all day every day, I don't think there is
any utility in the batch scripts listed in this thread. They're more useful
for those who connect and disconnect when they do things, for example,
let's say they want to run a google search using native Chrome, they might
not want that search to be archived to their IP address.

1. Click the batch file (and it chooses a random VPN IP address).
2. Start Chrome and run that google search.
3. Tap F4 to kill the random IP address.

It slightly slows down the google search but that's the only drawback.
The advantage is Google doesn't know that it's your IP address this way.

AllanH

2024-02-23 20:28:39 UTC

Permalink

Post by Oliver

Post by AllanH
I wonder what percentage of those with a VPN client use it all the time.
From what I know of them, there is usually a tradeoff with a much lower
connection speed.

Depends on the use model of course, like everything else you do.
If you need high anonymity, the loss of connection speed of the
tor browser bundle might be worth the inevitable cost in speed.
But some things don't matter if you lose a bit of speed doing them.
An example is posting to usenet where you only need to be on the VPN
service for a few seconds to send and then you can disconnect after that.
Another example is setting up a new account for something like protonmail
which won't allow you to use Tor to set up that account but you can use Tor
after you've already set up the account. They never know your real IP.
Another example is downloading torrents of course, where in that case
you'll be connected for a half hour or so while you're using the VPN,
but this saves you from getting a notice from your ISP from the DMCA.
For those who are on the same VPN all day every day, I don't think there is
any utility in the batch scripts listed in this thread. They're more useful
for those who connect and disconnect when they do things, for example,
let's say they want to run a google search using native Chrome, they might
not want that search to be archived to their IP address.
1. Click the batch file (and it chooses a random VPN IP address).
2. Start Chrome and run that google search.
3. Tap F4 to kill the random IP address.
It slightly slows down the google search but that's the only drawback.
The advantage is Google doesn't know that it's your IP address this way.

Thanks for your interesting reply.

Newyana2

2024-02-23 14:08:26 UTC

Permalink

"Oliver" <***@invalid.net> wrote

| The OP's point is you never need the proprietary ProtonMail GUI.
| You only need the configuration files & the login/password (if used).
|
| > There'd be nothing to need a script for.
|
| The OP isn't using the GUI. He's just clicking on his batch script.
|
| The advantage is that he can mix and match any number of servers as these
| config files can be a mix and match of a dozen different VPN services.
|
| All he needs from the various VPN services are the text config files.
| With his methods, you can connect to thousands of free VPNs at any time.

Thanks for the explanation. This is mostly new to me. Sorry
to be thick, but I'm still confused about how it all works. If I'm
understanding correctly, openVPN is the software commonly used
for the actual data transfer between servers, as well as between
client and server.

VPN is a masking service offered by mostly commercial
servers that offer to let you connect to them as a pass-through
in order to prevent tracking of your location and to encrypt your
web activities. Most such servers charge for the service.
Freeopenvpn seems to be some kind of non-profit running on
donations, providing free VPN service.

Thus, the scripts are about avoiding software rather than using
a different kind of VPN setup. I don't see any advantage there,
but to each their own.

Is all that about right? Yet freeopenvpn is not listed on any
sites that run articles such as "The Top VPN services of 2024".
I feel like I'm missing a piece of the puzzle here.

I tried downloading a config file from freeopenvpn. I see a long
base-64 key. So the deal is that one must install the openVPN client,
then that uses the downloaded .ovpn keys? So you're using
freeopenvpn as a service and skipping the GUI? But I assume
the script doesn't obviate the need to use some kind of
server -- free or paid. It's just bypassing a GUI?

Then, what are all the various server options in different countries?
Are those all non-profits, like the way that universities often
host Linux packages?

In other words, if I set up free Proton it shows me a list of
server options in different countries. In freeopenvpn presumably
you pick one such server, download the key, then feed that to
the openVPN software, and away you go. I'm curious about the
financial aspect. And how the client service relates to the various
server choices.

With email, for example, you either pay money for the server
access or you pay in spyware (as with gmail, yahoo, etc). I'm
curious how this works with VPN. Your link says to watch out for
free VPN because it's sleazy spyware. But then they recommend
some free VPNs. So, something like freeopenvpn -- is that a
politically motivated, non-profit, legit free VPN server? Or is it
reasonable to assume they're selling data to pay the bills? Their
website is very limited in terms of information.

And what exactly does the VPN service provide? The first jump
into the network of VPN servers? That seems to imply that unlike
email, VPN communication itself is mainly provided by non-profits.

Oliver

2024-02-23 19:24:41 UTC

Permalink

Post by Newyana2
Thanks for the explanation. This is mostly new to me. Sorry
to be thick, but I'm still confused about how it all works. If I'm
understanding correctly, openVPN is the software commonly used
for the actual data transfer between servers, as well as between
client and server.

There are many "protocols" used for VPN where "openvpn" is just one of
those protocols. That the client is also called "OpenVPN" is just a
coincidence, although they certainly chose the name for that reason.

Post by Newyana2
VPN is a masking service offered by mostly commercial
servers that offer to let you connect to them as a pass-through
in order to prevent tracking of your location and to encrypt your
web activities. Most such servers charge for the service.
Freeopenvpn seems to be some kind of non-profit running on
donations, providing free VPN service.

Remember in the olden days you'd look up 'screenshot' software and you'd
get a billion hits (all shills, all ads, all scams) since everyone wanted
it and nobody knew there was a "print screen" key on your own keyboard?

It's the same with VPN.
Nearly 100% of what you find in a search on VPN on the net, is a shill.
Don't believe a word they say.

Post by Newyana2
Thus, the scripts are about avoiding software rather than using
a different kind of VPN setup. I don't see any advantage there,
but to each their own.

What's the advantage to you of two things.
1. You can choose any IP address you want
2. Your traffic through your ISP is encrypted

Most people don't care so much about the latter.
But it's useful to have the choice of an IP address that isn't yours.

Post by Newyana2
Is all that about right? Yet freeopenvpn is not listed on any
sites that run articles such as "The Top VPN services of 2024".
I feel like I'm missing a piece of the puzzle here.

See above.
All the VPN hits you're going to find in a basic search are shills.

If shills are where you're getting all your data, you may as well be
getting all your information about gasoline from Chevron ads, and all your
information about cigarettes from Marlboro ads, and all your information
about soda from Pepsi advertisements.

Post by Newyana2
I tried downloading a config file from freeopenvpn. I see a long
base-64 key. So the deal is that one must install the openVPN client,
then that uses the downloaded .ovpn keys? So you're using
freeopenvpn as a service and skipping the GUI? But I assume
the script doesn't obviate the need to use some kind of
server -- free or paid. It's just bypassing a GUI?

Huh? This isn't rocket science. It works the same on Android and Linux and
Mac as it does on Windows. All you ever need are the same things for all.
1. The openvpn client
2. The openvpn text configuration file

The only difference with the OP's suggestion is the former is a batch file
that calls the openvpn client executable (and not the openvpn client GUI).

Post by Newyana2
Then, what are all the various server options in different countries?
Are those all non-profits, like the way that universities often
host Linux packages?

You're making it sound like having the option of Germany or the UK or Spain
or France or the USA is a bad thing? Why? It's a good thing.

The only difference between Japan and Korea is the text file.

Post by Newyana2
In other words, if I set up free Proton it shows me a list of
server options in different countries. In freeopenvpn presumably
you pick one such server, download the key, then feed that to
the openVPN software, and away you go. I'm curious about the
financial aspect. And how the client service relates to the various
server choices.

There is probably no more complicated subject on this planet than how to
truly get effective "protection" from the likes of the five eyes out there.

If you stole a helicopter and are now hiding from the three Russian
intelligence services, then I don't think these free VPNs are for you.

If you're doing anything even remotely nefarious, then I don't think these
free VPN services are for you either.

But if all you want to do is the two things listed above, then these free
VPNs could be for you, especially if you connect and disconnect from them
frequently as you might with sending out a usenet post or sign into a web
page to access some content (or just to run a google search in Firefox).

Post by Newyana2
With email, for example, you either pay money for the server
access or you pay in spyware (as with gmail, yahoo, etc).

I think you are unduly influenced by advertising because there are free
mail servers (such as protonmail by the way) which say they don't do that.

Post by Newyana2
I'm curious how this works with VPN. Your link says to watch out for
free VPN because it's sleazy spyware. But then they recommend
some free VPNs. So, something like freeopenvpn -- is that a
politically motivated, non-profit, legit free VPN server? Or is it
reasonable to assume they're selling data to pay the bills? Their
website is very limited in terms of information.

If you get all your information about drugs from your local drug dealer's
advertisements, then you're not getting the real scoop on the drugs.

You need to use technical sources. Not advertisements for your data.
Look up the technical aspect of the openvpn protocol for example.

All you need to implement it, on any platform, is:
1. a text config file
2. an openvpn client (which can be an executable run from batch)

Post by Newyana2
And what exactly does the VPN service provide? The first jump
into the network of VPN servers? That seems to imply that unlike
email, VPN communication itself is mainly provided by non-profits.

If you're Osama bin Laden and you have the five eyes after you, then I
don't think these free VPN services are going to work for you.

But if all you want to do is run a google search from native Firefox where
you don't want Google to know what IP address you came from, then running a
batch script that pulls out a random IP address, could be useful to you.

Larry Wolff

2024-02-21 21:28:16 UTC

Permalink

Post by Bill Powell
REM %configcmd% %configdir%%configfile%
c:\windows\system32\runas.exe /user:administrator /savecred "%configcmd% %configdir%%configfile%"

There is one step you did long ago to make the 'savecred' option work.
I forget what it is, but it is one-time thing.

Googling what that might be, I found a stackexchange with /savecred
but I know it doesn't work until you "do something" - but what?

HKLM\Microsoft\Windows\CurrentVersion\App Paths\admin.exe
C:\path\admim.bat
Where admin.bat sets an obvious color when it invokes an admin window.
Win+R | admin <CarriageReturn>
Which runs this batch file.
@ECHO OFF
SETLOCAL ENABLEEXTENSIONS
IF NOT "%~1"=="" goto :START
SET LogFile=%TEMP%\admin.vbs"
Echo Set UAC = CreateObject("Shell.Application") >"%LogFile%"
Echo UAC.ShellExecute "%~f0", "%cd%", "", "runas", 1 >>"%LogFile%"
Start "" /MIN "%LogFile%"
goto :EOF
:START
cmd /k "CD /D "%*" & Echo Administrator: & color 4F"
REM runas.exe /user:administrator /savecred "put your command here instead, to skip UAC"
:EOF

The stackexchange doesn't say you need any registry changes beforehand
but this explains you need to run it once with the admin password.
https://robotronic.net/blogenRunasSavecred.html

Blog Runas Savecred
Run as administrator from standard user with runas savecred command
Run application with administrator privileges as normal user without administrator rights by runas command in Windows.

Use runas in command line, in a batch file or a shortcut with the program.exe you want to run as administrator.
In example my program.exe is >> cmd.exe << and my administrator account is my local administrator account >> localadmin <<.
My command is

Post by Bill Powell

runas /user:localadmin cmd.exe <<

Runas command

After execute this runas command, you will be asked to enter the password of the administrator account.
Runas password

You cannot pass the password to runas command as argument,
but with the parameter savecred you can store credentials in credential manager, to avoid entering the password on each call.

Post by Bill Powell

runas /user:localadmin /savecred cmd.exe <<

Runas savecred
Now you are asked for the password only once, the next calls with savecred parameter you don't have to enter this password to run this application as administrator.
Beside the missing password parameter, there are two other problems with runas savecred

1. It is not recommended, because username and password are stored in the windows credential manager of this profile and
can used to execute every program with credentials of the administrator.
Better storing the credentials for each program separate, instead of using runas savecred.

2. The application is not running with elevated privileges or it is blocked by the UAC (User Access Control).
As solution you can allow specific applications to run with administrator permissions, elevated privileges and bypass the UAC

This can do by
1. using an encrypted file with administrator credentials only for the authorized application
or
2. an application manager that control selected application to run as administrator.

Both is not possible with runas savecred, but the following simple solutions can do it.

1. RunAsSpc store login information for each application in a separate encrypted file.
or
2. RunAsRob manage and start applications with administrator rights and elevated privileges from a user account.

With RunAsRob you can authorize specific applications or complete folders and its contents you want to allow running with administrator privileges.
By this tool you can limit administrator rights to a few applications or delegate particular administrator tasks fast and easy.

The principle is very simple, clear to understand, safe and easy to configure.
You just have to authorize the task, folder or program file.
After the application.exe run via runasrob.exe, RunAsRob compare this application and its path if it is an allowed directory and start the application with appropriate rights.

A call can do by drag and drop application.exe over runasrob.exe, a shortcut, a script or any other way by the command

Post by Bill Powell

C:\Program Files\RunasRob\runasrob.exe C:\path\application.exe <<

RunAsRob Screenshot
RunAsRob RunAsAdmin Screenshot
There are lot of other runas tools or utilities you can run application with administrator rights.