Re: [Openvpn-users] OpenVPN, Vista and privilege elevation


  • Subject: Re: [Openvpn-users] OpenVPN, Vista and privilege elevation
  • From: Colin Ryan <colinr@xxxxxxxx>
  • Date: Tue, 22 Jan 2008 13:41:40 -0500

If you set the openvpn-gui with "Run As Administrator" rights it will 
ask for the privilege, however as a non-admin user this is more than 
just "please allow", it requires providing an admin account 
password...which defeats the purpose of having a non-admin account.

I've tried running the service as a specific admin user, problem is that 
the non-admin user has no privileges to start the service.
I've tried running the GUI as "run as admin" but as above requires admin 
password.

The one thing that kind of appears to work is to install OpenVPN with 
the service as an Admin, manually change the services to run 
specifically as an admin user and to "auto start"...

In the quick test of this I did it seemed to kinda work (only quickly 
tried it once) but am unsure about the ramifications of having that 
openvpnservice continually trying to open connections...which is the 
apparent result of this configuration.

Again....appears there is nothing clean here.

I'd love to hear that I'm wrong.


Quentin Garnier wrote:
> On Tue, 22 Jan 2008 13:30:21 -0500,
> Colin Ryan <colinr@xxxxxxxx> wrote:
>
>> To the best of my knowledge you are out of luck unless.
>>
>> You jump through all the M$ hoops and sign your installer and your 
>> binaries, and if customized your driver. Then figure out the
>> appropriate catalog and installer parameters to allow the appropriate
>> automagic escalations.
>>
>> Not saying I know exactly how to do all this but I am quite confident 
>> that unless you go down this path it's pointless.
>>
>> Oh... or disable UAC.
>>     
>
> I could live with UAC asking for authorization to do the task, but it
> doesn't do that.  I just get the error in the logs when it adds the
> routes.
>
> And that's non-service mode.  The "failed to open OpenVPNService" error
> from the GUI in service mode probably isn't a UAC failure.  Or is it?
>
> Quentin Garnier.
>
>   
>> Quentin Garnier wrote:
>>     
>>> Hi all,
>>>
>>> I've been rolling out a custom Windows installer of OpenVPN 2.0.9
>>> and the GUI to my users for some time now.  While OpenVPN does
>>> connect on Vista, it fails to add the required routes to the
>>> internal network, which makes it rather useless for my users.
>>>
>>> I've been trying to work around that issue today, but so far I've
>>> failed.
>>>
>>> The things I considered:
>>>
>>>   * route-method exe => requires privilege elevation
>>>   * route-method ipapi => fails with 2.0.9, requires privilege
>>>     elevation with 2.1rc4
>>>
>>> At that point, I thought my only solution was to use OpenVPN as a
>>> service, which means I still need 2.1rc4 to get ipapi working.
>>>
>>> Alas, I'm unable to make OpenVPN-as-a-service work with a
>>> configuration where the private key is password-protected.  Simply
>>> starting the service doesn't work, of course, as it complains about
>>> not being able to read the passphrase, but what's more worrisome is
>>> the GUI failing to, I quote, "open OpenVPNService".
>>>
>>> Does anyone have a solution?  The point is to have an installation package
>>> that ships with my own config and lets the user just click the icon,
>>> enter the password and connect afterwards.
>>>
>>> I'm not afraid of trying diffs, I can probably set up a MinGW
>>> environment to recompile openvpn.exe pretty easily.
>>>
>>> Quentin Garnier.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users