
Re: [Openvpn-users] Re: HowTo Run OpenVPN as a non-admin user in Windows

  • Subject: Re: [Openvpn-users] Re: HowTo Run OpenVPN as a non-admin user in Windows
  • From: Didier Conchaudron <didier@xxxxxxxxxxxxxxx>
  • Date: Tue, 25 Jan 2005 16:43:45 +0100

Mathias Sundman wrote:

> Exactly. I've still been too lazy/busy to work on OpenVPN GUI 2.0, so I felt that I wanted to share some knowledge about the solutions that are currently available for running OpenVPN as a non-admin user.

My work on the SW has been quite compromised for some time too, probably for the same reasons ;-)

Your article also shows that some features are still missing in the field to make openvpn a professional software of choice.

- Full certificate support: currently, the SYSTEM account can't access users' certificates and private keys, which are located in the IE cert store. People with smart cards are currently unable to use them as users only.

> Yes, the latest patch Peter sent didn't work, and I haven't had time to debug it, and I honestly lack some knowledge about cryptoapi to do that.

I think Peter was on the right way to solving the user certs problem. Looking at the MSDN docs, it seems possible to make a SYSTEM account able to get user certs via cryptoapi. Btw, some xp are missing too.

> It's still unclear to me whether the system is supposed to have access to user keys or not though. I thought a user key in the CertStore was encrypted with the user's password somehow, and therefore only available to that user. Is this not true, or are the keys decrypted when a user logs on so they become available to the system as well, as long as the user is logged on?

First, when you import a p12 into the IE cert store, you can encrypt the p12 so IE will ask you for the password in order to import the p12. But this password is independent of the password protecting the private key. So the p12 password will be asked just once, at import.
If your private key is protected by a password, IE will not ask you for the password during import, but this password will be asked for by the default CSP (a window of IE in fact) each time an app needs to access the private key. The process is the same when you use a smart card; the only difference is that the CSP is from your smart card manufacturer, so the password can be a PIN code on the card reader (like mine) or a window on your computer.
A basic non-protected private key imported via p12 into the IE cert store can be accessible via the SYSTEM account, I guess. That's the point I need confirmation on too.

> 5. The SW connects to the management interface of the started openvpn process.

My SW doesn't. The only reason I could need to is to monitor the process startup, but openvpn-gui will do this, so I think it's not necessary to ask for status twice.

After the 2.0 release, this ability to make non-admin users able to connect to a remote network with great security features will probably be a major challenge.

> The challenge left to solve that I see is how to make keys in the CertStore and on smartcards available to openvpn when it is running as system.

I think we need an expert ;-) Peter?
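The open question in this exchange (which private keys in the personal cert store a given account can actually use, and which ones the CSP will prompt for) can be checked directly rather than guessed. The script below is an added example and is not code from the thread, from OpenVPN or from OpenVPN GUI. It walks the personal store of whichever account runs it, reports the CryptoAPI provider (CSP) or CNG provider holding each private key, whether the key is hardware-backed or marked "protected" (the CSP prompts for a password/PIN before use), and then attempts a signature, which is the operation that either triggers that prompt or fails when the key is not reachable from the current security context. The function name `Test-PersonalStoreKeys` and the probe string are my own; it assumes Windows PowerShell 5.x on .NET Framework 4.6 or later, where `GetRSAPrivateKey` returns `RSACryptoServiceProvider` for CAPI keys and `RSACng` for CNG keys.

```powershell
# Added example (not from the thread or the OpenVPN project).
# Inspect the private keys behind the certificates in a personal store and
# probe whether the current account can use each one.  Run it once as the
# logged-on user and once as SYSTEM (e.g. "psexec -s -i powershell.exe",
# or a scheduled task running as SYSTEM) and compare the two reports.
function Test-PersonalStoreKeys {
    [CmdletBinding()]
    param(
        # CurrentUser is the per-user ("IE") store the thread discusses;
        # LocalMachine is the store a service running as SYSTEM normally sees.
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$StoreLocation = 'CurrentUser'
    )

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # Constructed probe input; any bytes will do, we only care whether signing works.
    $probe = [System.Text.Encoding]::ASCII.GetBytes('openvpn key access probe')

    foreach ($cert in Get-ChildItem -Path "Cert:\$StoreLocation\My") {
        $result = [ordered]@{
            RunningAs   = $identity
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            HasKey      = $cert.HasPrivateKey
            Provider    = $null
            Container   = $null
            HardwareKey = $false   # smart card / token CSP
            Protected   = $false   # CSP prompts for a password or PIN before use
            MachineKey  = $false   # key lives in the machine key store, not the user's
            CanSign     = $false
            Error       = $null
        }

        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    throw 'private key is not an RSA key (or is not usable from this context)'
                }
                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CryptoAPI key: CspKeyContainerInfo tells us which CSP owns it.
                    $info = $rsa.CspKeyContainerInfo
                    $result.Provider    = $info.ProviderName
                    $result.Container   = $info.KeyContainerName
                    $result.HardwareKey = $info.HardwareDevice
                    $result.Protected   = $info.Protected
                    $result.MachineKey  = $info.MachineKeyStore
                } else {
                    # CNG key held by a key storage provider (KSP).
                    $result.Provider  = 'CNG: ' + $rsa.Key.Provider.Provider
                    $result.Container = $rsa.Key.KeyName
                }
                # The signature is what makes the CSP/KSP open the key: for a
                # password- or PIN-protected key this is where the prompt appears
                # (or, in a non-interactive SYSTEM session, where the call fails).
                $sig = $rsa.SignData($probe,
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
                $result.CanSign = ($sig.Length -gt 0)
            } catch {
                $result.Error = $_.Exception.Message
            }
        }
        [pscustomobject]$result
    }
}

Test-PersonalStoreKeys | Format-List
```

Two caveats when reading the SYSTEM-side report: `Cert:\CurrentUser` always means the store of the account running the script, so under SYSTEM it shows SYSTEM's own (normally empty) personal store rather than the logged-on user's; reaching another user's store from SYSTEM requires opening that user's hive explicitly, which this script does not attempt. And a smart-card key will only be reported as usable where the CSP can actually display its PIN prompt, which is exactly the interactive-session problem the thread is circling around.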


Openvpn-users mailing list