Re: [Openvpn-users] build-key-pass confusion

  • Subject: Re: [Openvpn-users] build-key-pass confusion
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Wed, 27 Jun 2007 12:40:14 -0500
  • Openpgp: id=2E5A5127

Michael D. Berger wrote:

> Actually, the reason
> I want to start as a service is not for automatic start, but
> so I can switch to an unprivileged user.  Clearly, as you say,
> the askpass idea defeats the purpose.  On the other hand, I
> could use the command line and switch users without logging
> off the administrator.  I'll try that.
I don't know if keeping the VPN up between users logging off is
important for you, but if your ultimate goal is to allow a non-admin
user to connect to the VPN, I have a solution that works nicely for me.
In several cases I wanted to give a non-admin user the ability to use
the OpenVPN-GUI menu to connect & disconnect.  I wrote a small script
that I called OpenVPN-GUI-wrapper which can be run by a non-admin user.
When executed, it elevates its own privileges to that of a local
administrator account (the username and password are statically defined
in the script.)  Then the script uses its elevated privileges to start
the real OpenVPN-GUI executable.  The net result is that the non-admin
user sees the tray icon as if they started it, but anything done using
the GUI interface gives that user admin rights.

This works nicely, but has a couple of minor disadvantages.  First, the
OpenVPN GUI process is running as a local administrator, so if that is a
threat to your security this may not be a good choice.  Often the risk
is minimal, but technically someone could get an administrator level
text editor through the "edit this config" option in the GUI menu (the
highly security conscious will note that the default text editor could
be changed to a command prompt in a privilege elevation attack.)  The
other notable disadvantage is that the account and password are
statically compiled into the resulting executable.  While decompiling
can be "disallowed" when compiling, a savvy individual might still be
able to decompile the wrapper and get the account credentials used.
This threat can be mitigated by using local credentials (which I
recommend anyway) and possibly by setting up a dedicated account for
this purpose.

Below is a copy of the script's source code, which is written in a
Windows-specific scripting language called AutoIt v3 (compiler available
for free download at http://autoitscript.com/autoit3/).  With any luck
email line-resizing won't cut this up, but if it does you might have to

*-----Begin file: OpenVPN-GUI-wrapper.au3-----*
#cs -- Start Comment Block
This script runs the specified OpenVPN GUI executable with provided
account credentials. If placed in a user's startup folder, it will launch
the OpenVPN GUI process on the user's desktop with admin rights.

You are free to use and modify this code for both personal and commercial
purposes. If you redistribute this code or use it for commercial
purposes, this notice must stay intact.

Optionally, you may choose to use this code under the GPLv2 licensing

This script written by Josh Cepek <josh DOT cepek AT usa DOT net>
#ce -- End Comment Block

;Define the administrator username & password - this can be any account
;with the required privileges

Global $account = "Administrator"
Global $password = "admin-password"

;By default the domain will be the local computer. This could be changed
;to a domain, but that use is discouraged due to security implications

Global $domain = @ComputerName

;Now define the executable location

Global $program = "C:\Program Files\OpenVPN\bin\openvpn-gui.exe"

;Set the credentials for the following Run() call.
;(Later AutoIt v3 releases removed RunAsSet; they use RunAs(), which takes
;the account, domain and password together with the program to run.)

RunAsSet($account, $domain, $password)

;Run the program. The 2nd parameter is the working directory, which is
;set to the same directory that the executable is in: everything up to and
;including the last backslash of $program (occurrence -1 of StringInStr
;finds the last backslash). This line was cut off in the mailed copy and
;is completed here exactly as the comment above describes.

Run($program, StringMid($program, 1, StringInStr($program, "\", default, -1)))
*-----End File: OpenVPN-GUI-wrapper.au3-----*

