Re: [Openvpn-users] OpenVPN, Vista and privilege elevation


  • Subject: Re: [Openvpn-users] OpenVPN, Vista and privilege elevation
  • From: Jaume Poch <jaume.poch@xxxxxxxxx>
  • Date: Wed, 23 Jan 2008 09:55:52 +0100

Hello,
I did this by stopping UAC, without openvpn-gui (only the command), and
putting the user in the "Network Configuration Operators" group. Then
the users can turn the connection on and off whenever they want.
I only had problems on one of my Vista machines, which had problems with the DHCP
server; I reinstalled Vista and the problem was solved.
The problem is that I don't know what the impact of stopping UAC is on
security.
Hope it helps

On Tue, 22 Jan 2008 at 13:41 -0500, Colin Ryan wrote:
> If you set the openvpn-gui with "Run As Administrator" rights it will 
> ask for the privilege, however as a non-admin user this is more than 
> just "please allow", it requires providing an admin account 
> password...which defeats the purpose of having a non-admin account.
> 
> I've tried running the service as a specific admin user, problem is that 
> the non-admin user has no privileges to start the service.
> I've tried running the GUI as "run as admin" but as above requires admin 
> password.
> 
> The one thing that kind of appears to work is to install Open-VPN with 
> the service as an Admin, manually change the services to run 
> specifically as an admin user and to "auto start"...
> 
> In the quick test of this I did it seemed to kinda work (only quickly 
> tried it once) but am unsure about the ramifications of having that 
> openvpnservice continually trying to open connections...which is the 
> apparent result of this configuration.
> 
> Again....appears there is nothing clean here.
> 
> I'd love to hear that I'm wrong.
> 
> 
> Quentin Garnier wrote:
> > On Tue, 22 Jan 2008 13:30:21 -0500,
> > Colin Ryan <colinr@xxxxxxxx> wrote:
> >
> >   
> >> To the best of my knowledge you are out of luck unless.
> >>
> >> You jump through all the M$ hoops and sign your installer and your 
> >> binaries, and if customized your driver. Then figure out the
> >> appropriate catalog and installer parameters to allow the appropriate
> >> automagic escalations.
> >>
> >> Not saying I know exactly how to do all this but I am quite confident 
> >> that unless you go down this path it's pointless.
> >>
> >> Oh... or disable UAC.
> >>     
> >
> > I could live with UAC asking for authorization to do the task, but it
> > doesn't do that.  I just get the error in the logs when it adds the
> > routes.
> >
> > And that's non-service mode.  The "failed to open OpenVPNService" error
> > from the GUI in service mode probably isn't a UAC failure.  Or is it?
> >
> > Quentin Garnier.
> >
> >   
> >> Quentin Garnier wrote:
> >>     
> >>> Hi all,
> >>>
> >>> I've been rolling out a custom Windows installer of OpenVPN 2.0.9
> >>> and the GUI to my users for some time now.  While OpenVPN does
> >>> connect on Vista, it fails to add the required routes to the
> >>> internal network, which makes it rather useless for my users.
> >>>
> >>> I've been trying to work around that issue today, but so far I've
> >>> failed.
> >>>
> >>> The things I considered:
> >>>
> >>>   * route-method exe => requires privilege elevation
> >>>   * route-method ipapi => fails with 2.0.9, requires privilege
> >>>     elevation with 2.1rc4
> >>>
> >>> At that point, I thought my only solution was to use OpenVPN as a
> >>> service, which means I still need 2.1rc4 to get ipapi working.
> >>>
> >>> Alas, I'm unable to make OpenVPN-as-a-service work with a
> >>> configuration where the private key is password-protected.  Simply
> >>> starting the service doesn't work, of course, as it complains about
> >>> not being able to read the passphrase, but what's more worrisome is
> >>> the GUI failing to, I quote, "open OpenVPNService".
> >>>
> >>> Does anyone have a solution?  The point is to have an installation package
> >>> that ships with my own config and lets the user just click the icon,
> >>> enter the password and connect afterwards.
> >>>
> >>> I'm not afraid of trying diffs, I can probably set up a MinGW
> >>> environment to recompile openvpn.exe pretty easily.
> >>>
> >>> Quentin Garnier.
> >>>
> >>> -------------------------------------------------------------------------
> >>> This SF.net email is sponsored by: Microsoft
> >>> Defy all challenges. Microsoft(R) Visual Studio 2008.
> >>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> >>> _______________________________________________
> >>> Openvpn-users mailing list
> >>> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> >>> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> >>>   
> >>>       
> >>     
> >
> 
> 
-- 
Jaume Poch Blanch
Systems Engineer
Scytl, Secure Electronic Voting
Tuset20 · 08006 Barcelona
Phone: + 34 934 230 324
Fax + 34 933 251 028
http://www.scytl.com
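
A read-only audit of the three workarounds discussed in this thread (UAC switched off, users added to "Network Configuration Operators", OpenVPNService running under a named account), as an added example that is not part of any poster's message. The function name is hypothetical; the `EnableLUA` registry value and the group SID `S-1-5-32-556` are standard Windows identifiers that the thread itself does not mention.

```powershell
# Added audit example, not from the thread. Read-only: it reports, it changes nothing.
# Written for Windows PowerShell (uses Get-WmiObject and the ADSI WinNT provider).
function Get-OpenVpnWorkaroundAudit {   # hypothetical function name
    $findings = @()

    # 1. UAC: EnableLUA = 0 means UAC is switched off for the whole machine.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -eq 0) {
        $findings += 'UAC is disabled (EnableLUA=0): administrators run every process with their full token.'
    }

    # 2. Members of "Network Configuration Operators". The group is resolved by
    #    its well-known SID so the check also works on localized installs.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-556')
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $member = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $findings += "'$member' is in '$name' and can change network settings on this machine."
    }

    # 3. OpenVPNService (the service name quoted in the thread): start account and mode.
    $svc = Get-WmiObject Win32_Service -Filter "Name='OpenVPNService'"
    if ($svc -and $svc.StartName -ne 'LocalSystem') {
        $findings += "OpenVPNService runs as '$($svc.StartName)' (start mode: $($svc.StartMode)); check that this account has only the rights it needs."
    }

    return $findings
}

# Print one finding per line; no output means none of the three workarounds is in place.
Get-OpenVpnWorkaroundAudit
```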