
Re: [Openvpn-users] OpenVPN on Windows 2000 without administrators privilege

  • Subject: Re: [Openvpn-users] OpenVPN on Windows 2000 without administrators privilege
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Mon, 28 May 2007 10:26:36 -0500

I've dealt with a similar setup, and a solution I came up with was to launch the OpenVPN GUI process itself as a local administrator account.  In this case, we couldn't run a service because the private RSA key needed to remain encrypted with user-input to decrypt.  What I did was write a wrapper executable that issues an NT "RunAs" command on the real OpenVPN GUI process as a local administrator account.  By placing this in the user's Startup folder rather than running the OpenVPN GUI process directly, the GUI process is accessible to the user but runs with administrator rights.

This works nicely, but has a couple of minor disadvantages.  First, the OpenVPN GUI process is running as a local administrator, so if that is a threat to your security this may not be a good choice.  We thought the risk was minimal, but technically someone could get an administrator-level text editor through the "edit this config" option in the GUI menu.  The other notable disadvantage is that the account and password are statically compiled into the resulting executable.  While decompiling can be "disallowed" when compiling, a savvy individual might still be able to decompile the wrapper and get the account credentials used.  This threat can be mitigated by using local credentials (which I recommend anyway), and possibly by setting up a dedicated account for this purpose.

Attached is the script's source code, which is written in a Windows-specific scripting language called AutoIt v3 (compiler available for free download here.)  It features the ability to create executables that have no runtime requirements.

Janicko Zeppelin wrote:
I have one problem with OpenVPN on Windows 2000. I installed OpenVPN-gui and I can use OpenVPN with a non-administrator user. This user doesn't know the administrator password.
When I create a tunnel to my OpenVPN server, Windows 2000 doesn't create a route to the specific destination, or a default route (from the server configuration). For Windows XP and Windows 2003 I found many solutions, but these don't work on Windows 2000.

Is it possible to resolve this problem?

#cs -- Start Comment Block
This script runs the specified OpenVPN GUI executable with provided
account credentials. If placed in a user's startup folder, it will launch
the OpenVPN GUI process on the user's desktop with admin rights.

You are free to use this code for both personal and commercial purposes.
If you redistribute this code or use it for commercial purposes, this
notice must stay in tact.

This script written by Josh Cepek <josh DOT cepek AT usa DOT net>
#ce -- End Comment Block

;Define the administrator username & password - this can be any account
;with the required privileges

Global $account = "Administrator"
Global $password = "admin-password"

;By default the domain will be the local computer. This could be changed
;to a domain, but that use is discouraged due to security implications

Global $domain = @ComputerName

;Now define the executable location

Global $program = "C:\Program Files\OpenVPN\bin\openvpn-gui.exe"

;Set the credentials

RunAsSet($account, $domain, $password)

;Run the program. The 2nd parameter is the working directory, which is
;set to the same directory that the executable is in

Run($program, StringMid($program, 1, StringInStr($program, "\", default, -1)))
