
[Openvpn-users] Re: HowTo Run OpenVPN as a non-admin user in Windows

  • Subject: [Openvpn-users] Re: HowTo Run OpenVPN as a non-admin user in Windows
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Tue, 25 Jan 2005 15:21:44 +0100 (CET)

On Tue, 25 Jan 2005, Didier Conchaudron wrote:

> Great job!

> This howto seems really useful. It presents temporary solutions for people who want to start tunnels as non-admin.

Exactly. I've still been too lazy/busy to work on OpenVPN GUI 2.0, so I felt that I wanted to share some knowledge about the solutions that are currently available for running OpenVPN as a non-admin user.

> Your article shows too that some features are still missing in the field to make openvpn a professional software of choice.

> - Full certificate support: actually, the SYSTEM account can't access users' certificates and private keys, which are located in the IE cert store. People with smart cards are actually unable to use them as users only.

Yes, the latest patch Peter sent didn't work, and I haven't had time to debug it, and I honestly lack some knowledge about CryptoAPI to do that.

It's still unclear to me whether the system is supposed to have access to user keys or not, though. I thought a user key in the CertStore was encrypted with the user's password somehow, and therefore only available to that user. Is this not true, or are the keys decrypted when a user logs on, so they become available to the system as well, as long as the user is logged on?

> - You talk about the enhanced service wrapper; it's not yet clear to me what its job is with openvpn and the GUI. I understand that the service should be always running, able to receive GUI orders to start/stop required tunnels. The service wrapper assigns a management port to the starting openvpn process and then gives it to the GUI in order to make it able to monitor the tunnel startup. If the tunnel needs to decrypt a private key, the way the password is given depends on the config file. If the private key is on disk, openvpn will ask the GUI to give it using the management socket, and if the private key is in the IE cert store, it's Windows or the manufacturer's CSP that will ask for the password through a Windows-based window.
> So, each one of the 3 components, openvpn binary, the GUI and the service, has to talk to the two others. Is that right?

Yes, I think you described the process fairly correct. Say you have a typical client config like this:

dev tun
remote myserver.com
ca ca.crt
cert mathias.crt
key mathias.key

When running from the cmd-line, your private key password is retrieved from stdin. When you use the new service wrapper and GUI, the following will happen:

1. The service is started at boot-time, but not launching any tunnels (per default)

2. The GUI is started when a user logs on. When a user clicks "Connect", the GUI will connect to the service wrapper (SW) and tell it to start the corresponding config.

3. The SW will launch openvpn.exe with the specified config, and append "--service exiteventX X --management XXXX --management-query-passwords" to the cmd-line.

4. The SW passes back the selected management port to the GUI.

5. The SW connects to the management interface of the started openvpn process.

6. When OpenVPN needs any passwords it will now query for these over the management interface instead, and the GUI can pass this on as dialogs to the user. The GUI will also be able to monitor OpenVPN's status as well as get the log in real time over the management interface.

> After the 2.0 release, this ability to make non-admin users able to connect to remote networks with great security features will probably be a major challenge.

The challenge left to solve that I see is how to make keys in the CertStore and on smartcards available to openvpn when it is running as system.


> Mathias Sundman wrote:
> > I've written a small HowTo on running OpenVPN / OpenVPN GUI as a non-admin user in Windows.
> >
> > If anyone knows of any other way to do this, or has suggestions on how to improve this documentation, please let me know.

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail
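As an added example (not from this thread or from the OpenVPN project), here is step 6 of the sequence above simulated in Python: a stand-in for openvpn.exe announces that it needs the private key password, the GUI side parses the notification and answers with a `password` command, and the outcome is reported back on the same socket. The `>PASSWORD:Need '...' password`, `password "name" "value"` and `>PASSWORD:Verification Failed` formats are assumed from the OpenVPN management-interface documentation rather than taken from this mail; the socket pair, the secrets and the `>STATE` line are constructed stand-ins for the real TCP management port.

```python
"""Simulated GUI <-> openvpn.exe password exchange over the management interface."""
import re
import socket
import threading

# Notification formats the GUI must recognise. Assumed from the OpenVPN
# management-interface documentation (not from this thread); the 2005-era
# service wrapper may have differed in detail.
_NEED_RE = re.compile(r"^>PASSWORD:Need '([^']+)' (password|username/password)$")
_FAIL_RE = re.compile(r"^>PASSWORD:Verification Failed: '([^']+)'$")


def parse_password_line(line):
    """Classify one line read from the management socket.

    Returns {"kind": "need", "name": ..., "what": ...} for a credential
    request, {"kind": "failed", "name": ...} for a rejection, else None.
    """
    line = line.rstrip("\r\n")
    m = _NEED_RE.match(line)
    if m:
        return {"kind": "need", "name": m.group(1), "what": m.group(2)}
    m = _FAIL_RE.match(line)
    if m:
        return {"kind": "failed", "name": m.group(1)}
    return None


def quote_arg(value):
    """Double-quote a command argument, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_responses(request, username=None, password=""):
    """Commands the GUI sends back for a 'need' request (username first if asked)."""
    cmds = []
    if request["what"] == "username/password":
        cmds.append("username %s %s" % (quote_arg(request["name"]), quote_arg(username or "")))
    cmds.append("password %s %s" % (quote_arg(request["name"]), quote_arg(password)))
    return cmds


def fake_openvpn(conn, expected_secret):
    """Stand-in for openvpn.exe started with --management-query-passwords (constructed)."""
    rd, wr = conn.makefile("rb"), conn.makefile("wb")
    wr.write(b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n")
    wr.write(b">PASSWORD:Need 'Private Key' password\r\n")
    wr.flush()
    cmd = rd.readline().decode("utf-8", "replace").rstrip("\r\n")
    wr.write(b"SUCCESS: 'Private Key' password entered, but not yet verified\r\n")
    if cmd == "password %s %s" % (quote_arg("Private Key"), quote_arg(expected_secret)):
        wr.write(b">STATE:1106660000,CONNECTED,SUCCESS,10.8.0.2,192.0.2.1\r\n")  # constructed
    else:
        wr.write(b">PASSWORD:Verification Failed: 'Private Key'\r\n")
    wr.flush()
    rd.close()
    wr.close()
    conn.shutdown(socket.SHUT_RDWR)
    conn.close()


def gui_session(conn, secrets):
    """GUI side: answer credential requests from `secrets`, return the event log."""
    rd, wr = conn.makefile("rb"), conn.makefile("wb")
    events = []
    while True:
        raw = rd.readline()
        if not raw:  # openvpn side closed the management connection
            break
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        req = parse_password_line(line)
        if req is None:
            events.append(("other", line.split(":", 1)[0]))
        elif req["kind"] == "failed":
            events.append(("failed", req["name"]))
        else:
            secret = secrets.get(req["name"], "")
            for cmd in build_responses(req, password=secret):
                wr.write((cmd + "\r\n").encode("utf-8"))
            wr.flush()
            events.append(("answered", req["name"]))
    rd.close()
    wr.close()
    return events


def simulate(secrets, expected_secret="correct horse"):
    """Run both sides over a local socket pair (stands in for the TCP management port)."""
    gui_end, ovpn_end = socket.socketpair()
    worker = threading.Thread(target=fake_openvpn, args=(ovpn_end, expected_secret))
    worker.start()
    try:
        return gui_session(gui_end, secrets)
    finally:
        gui_end.close()
        worker.join()


if __name__ == "__main__":
    print(simulate({"Private Key": "correct horse"}))
    print(simulate({"Private Key": "wrong"}))
```

`simulate()` drives the whole exchange locally. Note that the secret crosses the management socket in clear text: anything on the host that can reach that port could answer or observe the query, so the wrapper should bind the port to 127.0.0.1 only and protect it with a management password where the OpenVPN version supports one.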
