Re: [Openvpn-users] OpenVPN GUI



On Thu, 2006-08-03 at 18:14 -0300, Andrew And wrote:
>  
>  I am using "openvpn-2.0.7-gui-1.0.3-install.exe" and I am using it in
> WinXP when I am logged in as ADMINISTRATOR. But I need to use OpenVPN
> with users different from the administrator. How can I use OpenVPN GUI
> with users different from the administrator?
>  
<snip>
We encountered the same issue for one of the clients for whom we were
creating a highly secure environment using the ISCS open source network
security management project (http://iscs.sourceforge.net).  After using
it to restrict all LAN and Remote Access to as needed access using ISCS,
we did not want to open the door by having users running with admin
privileges.  This is from an old internal engineering document of ours:

We were dissatisfied with some of the user limitations of OpenVPN.
If the user did not have administrator privileges, we seemed to be left
with two choices:

     1. Install OpenVPN as a service. This has two major disadvantages –
        all the configs are started at once which eliminates the ability
        to choose individual configurations and one cannot encrypt and
        password protect the private key. It also requires using
        something like subinctl to give the user the ability to control
        the service.
        
     2. Allow a standard user to run OpenVPN using the RunAs feature.
        This requires entering the administrator password every time
        OpenVPN is started on Win2K. One can save the password in XP but
        it creates a security hole where users can potentially run other
        applications as the administrator.
        

We worked around all these problems by using CPAU from
http://www.joeware.net/win/free/tools/cpau.htm which allows us to
encrypt the administrator password and use it only for OpenVPN. The
OpenVPN installation must be run as an administrative user. The user is
prompted if they want to run OpenVPN as a different (non-privileged)
user. If so, they are prompted for the administrative user's password
and the non-privileged user's ID. We install CPAU to the user's computer
and then, during the installation routine, run the command:

CPAU.exe -u <administrator user> -p <administrator password> -enc -hide -file OpenVPN.cpau -ex openvpn-gui.exe

We then run OpenVPN from a batch file placed on the user's desktop and
start menu which consists of the following single line:

"C:\Program Files\openvpn\bin\CPAU.exe" -lwop -dec -file "C:\Program Files\openvpn\bin\OpenVPN.cpau"

This allows the non-privileged user to run OpenVPN as a privileged user
(and thus able to set OpenVPN routes as needed) without the above
mentioned limitations. They can start and stop individual configurations
and use encrypted private keys.


We also wrote the installer scripts to prompt for the admin password,
handle all the CPAU stuff automatically and do all kinds of neat things.
If you'd like, I can post the installer file although it is quite long.
I'll also be away starting tomorrow and so probably can't do so until
Monday.  Good luck - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

Financially sustainable open source development
http://www.opensourcedevel.com

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
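
Added example, not part of the original message or of the ISCS installer: because the batch file above launches openvpn-gui.exe with the administrator's credentials, every file that launcher touches has to be unwritable by the non-privileged user, or the setup reopens the "run other applications as the administrator" hole the message set out to avoid. This PowerShell audit lists write-capable ACL entries on those files; the openvpn-gui.exe and config paths and the trusted-principal list are assumptions to adjust.

```powershell
# Added example, not from the original post. Paths marked "assumed" do not appear in the post.
$paths = @(
    'C:\Program Files\openvpn\bin\CPAU.exe',         # from the post
    'C:\Program Files\openvpn\bin\OpenVPN.cpau',     # from the post
    'C:\Program Files\openvpn\bin\openvpn-gui.exe',  # assumed location
    'C:\Program Files\openvpn\config'                # assumed config directory
)

# Principals expected to hold write access: SYSTEM and BUILTIN\Administrators.
# Assumption: extend this list to match your own baseline.
$trustedSids = @('S-1-5-18', 'S-1-5-32-544')

# Rights that allow changing or replacing an object, plus GENERIC_WRITE and
# GENERIC_ALL, which can appear unmapped on inherit-only directory entries.
$named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$named -bor 0x40000000 -bor 0x10000000

function Get-RiskyAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($trustedSids -notcontains $sid) {
            New-Object PSObject -Property @{
                Path = $Path; Identity = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { Get-RiskyAce -Path $p }
    else { Write-Warning "Not found, skipped: $p" }
}

if ($findings) {
    $findings | Format-Table Path, Identity, Rights, Inherited -AutoSize
} else {
    'No write access for untrusted principals found.'
}
```

Run it from an administrative session after installation; any row it prints names a principal other than SYSTEM or Administrators that can change a file the elevated launcher depends on.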

