On Tue, 25 Jan 2005, Didier Conchaudron wrote:
Exactly. I've still been too lazy/busy to work on OpenVPN GUI 2.0, so I felt that I wanted to share some knowledge about the solutions that are currently available for running OpenVPN as a non-admin user.
> Your article also shows that some features are still missing in the field to make OpenVPN a professional software of choice.
Yes, the latest patch Peter sent didn't work, and I haven't had time to debug it, and I honestly lack some knowledge about CryptoAPI to do that.
It's still unclear to me whether the system is supposed to have access to user keys or not though. I thought a user key in the CertStore was encrypted with the user's password somehow, and therefore only available to that user. Is this not true, or are the keys decrypted when a user logs on so they become available to the system as well, as long as the user is logged on?
> - You talk about the enhanced service wrapper; it's not yet clear to me what its job is with OpenVPN and the GUI. I understand that the service should always be running, able to receive GUI orders to start/stop the required tunnels. The service wrapper assigns a management port to the starting OpenVPN process and then gives it to the GUI in order to make it able to monitor the tunnel startup. If the tunnel needs to decrypt a private key, the way the password is given depends on the config file. If the private key is on disk, OpenVPN will ask the GUI to give it using the management socket, and if the private key is in the IE cert store, it's Windows or the manufacturer's CSP that will ask for the password through a Windows-based window.
Yes, I think you described the process fairly correctly. Say you have a typical client config like this:

  dev tun
  remote myserver.com
  tls-client
  ca ca.crt
  cert mathias.crt
  key mathias.key
  pull
  nobind

When running from the cmd-line your private key password is retrieved from stdin. When you use the new service wrapper and GUI, the following will happen:
1. The service is started at boot-time, but not launching any tunnels (per default)
2. The GUI is started when a user logs on. When a user clicks "Connect", the GUI will connect to the service wrapper (SW) and tell it to start the corresponding config.
3. The SW will launch openvpn.exe with the specified config, and append "--service exiteventX X --management 127.0.0.1 XXXX --management-query-passwords" to the cmd-line.
4. The SW passes back the selected management port to the GUI.
5. The SW connects to the management interface of the started openvpn process.
6. When OpenVPN needs any passwords it will now query for these over the management interface instead, and the GUI can pass this on as dialogs to the user. The GUI will also be able to monitor OpenVPN's status as well as get the log in real time over the management interface.
> After the 2.0 release, this ability to make non-admin users able to connect to a remote network with great security features will probably be a major challenge.
The challenge left to solve that I see is how to make keys in the CertStore and on smartcards available to openvpn when it is running as system.
> Mathias Sundman wrote:
> > I've written a small HowTo on running OpenVPN / OpenVPN GUI as a non-admin user in Windows.
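To make step 6 of the flow above concrete, here is a small model of the GUI end of the management connection: it parses the ">PASSWORD:" and ">LOG:" notifications OpenVPN emits when launched with --management-query-passwords and builds the "username"/"password" replies. This is an added illustration, not code from OpenVPN GUI or the service wrapper; the notification formats follow OpenVPN's management-notes.txt, the sample lines are constructed, and the ask() callback stands in for the real password dialog.

```python
import re

# Notification formats OpenVPN writes on the management socket when it was
# started with --management-query-passwords (per management-notes.txt).
NEED_RE = re.compile(r"^>PASSWORD:Need '([^']+)' (password|username/password)$")
FAILED_RE = re.compile(r"^>PASSWORD:Verification Failed: '([^']+)'$")
LOG_RE = re.compile(r"^>LOG:(\d+),([A-Z]*),(.*)$")   # real-time lines after "log on"


def quote_arg(value):
    """Quote one management-interface argument. Arguments are whitespace
    separated, so backslashes and double quotes inside a secret are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


class GuiSide:
    """Minimal model of the GUI's half of the management dialogue."""

    def __init__(self, ask):
        # ask(kind, want_username) -> (username, password). The real GUI
        # pops a dialog here; injecting it keeps the protocol logic testable.
        self.ask = ask
        self.log = []        # (timestamp, flags, text) tuples from >LOG:
        self.failures = []   # password types OpenVPN reported as rejected

    def feed(self, line):
        """Return the list of commands to send back for one line from OpenVPN."""
        m = NEED_RE.match(line)
        if m:
            kind, form = m.groups()
            username, password = self.ask(kind, form == "username/password")
            replies = []
            if form == "username/password":
                replies.append("username %s %s" % (quote_arg(kind), quote_arg(username)))
            replies.append("password %s %s" % (quote_arg(kind), quote_arg(password)))
            return replies
        m = FAILED_RE.match(line)
        if m:
            self.failures.append(m.group(1))   # caller decides whether to re-prompt
            return []
        m = LOG_RE.match(line)
        if m:
            ts, flags, text = m.groups()
            self.log.append((int(ts), flags, text))
            return []
        return []   # >INFO, >STATE and command echoes are ignored in this model


# Constructed sample session: what a GUI would see for the config above.
SAMPLE_LINES = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">PASSWORD:Need 'Private Key' password",
    ">LOG:1106662400,I,TLS: Initial packet from 192.0.2.10:1194",
]


def run_sample():
    gui = GuiSide(lambda kind, want_user: ("mathias" if want_user else None, "s3cret"))
    sent = [reply for line in SAMPLE_LINES for reply in gui.feed(line)]
    return sent, gui.log
```

Because the passphrase travels over the loopback management socket instead of the config file, the key itself never has to be readable by the non-admin user.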