OpenVPN client: cannot push routes without local admin account

We are using pfsense for FW and OpenVPN server. Most of the client laptops are Windows XP.

The OpenVPN client with OpenVPN GUI works well when it runs on accounts with local admin rights, but if a regular account is used, the routes to the LAN subnets are not applied, preventing any communication.

These are the errors I get after connecting with a regular user account:

Thu Aug 12 16:16:20 2010 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 192.168.222.25
Thu Aug 12 16:16:20 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=4]
Thu Aug 12 16:16:20 2010 Route addition via IPAPI failed [adaptive]
Thu Aug 12 16:16:20 2010 Route addition fallback to route.exe
Thu Aug 12 16:16:20 2010 C:\WINDOWS\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 192.168.222.25
Thu Aug 12 16:16:20 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=4]
Thu Aug 12 16:16:20 2010 Route addition via IPAPI failed [adaptive]
Thu Aug 12 16:16:20 2010 Route addition fallback to route.exe
Thu Aug 12 16:16:20 2010 C:\WINDOWS\system32\route.exe ADD 192.168.222.1 MASK 255.255.255.255 192.168.222.25
Thu Aug 12 16:16:20 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=4]
Thu Aug 12 16:16:20 2010 Route addition via IPAPI failed [adaptive]
Thu Aug 12 16:16:20 2010 Route addition fallback to route.exe

Any way to make the VPN client work properly on XP without local admin rights?

Asked by: nji-inm

Qlemo (C++ Developer) commented:
A workaround is to install the OpenVPN service and start/stop that. The service has access to the routing table, so that should work, IF non-admins can start services, that is.

nji-inm (Author) commented:
Thanks for the quick reply Qlemo. I think I found the solution here:

http://thatitguy.com/Community/Wiki/OpenVPN-How-To

Quoting from the article:

"Running OpenVPN GUI as a non-admin user on the Windows PC...
 
  You'll have to give the selected user access to start/stop the OpenVPN service:
  Download subinacl (a component of the XP Resource Kit) from the Microsoft Website.
  Open up a Command Prompt and run the following commands:
 
  cd c:\program files\Windows Resource kits\Tools\
  subinacl /SERVICE "OpenVPNService" /GRANT={username}=TO
  exit
 
  You'll need to change the following registry keys on the client PC:
  HKLM\Software\OpenVPN-GUI\allow_edit=0
  HKLM\Software\OpenVPN-GUI\allow_password=0
  HKLM\Software\OpenVPN-GUI\allow_proxy=0
 
 
And that's it... at this point, you should be able to log out and log back in (you'll need to do that *EVERY TIME* you make a change to the OpenVPN-GUI registry keys!), right click the OpenVPN icon in the systray, enter your username and password, and get a connection.

Run OpenVPN-GUI as a NON-Admin user via the Windows XP RUNAS command:

You can save the credentials for a runas shortcut thusly (and thanks to the OpenVPN site administrator for clueing me in on this...):
  First: toss out the registry entries to start OpenVPN-GUI on bootup: delete HKLM\Software\Microsoft\Windows\Current Version\Run\openvpn-gui.
  Next, create a regular shortcut on the desktop to OpenVPN-gui (I usually right-click and drag the binary (C:\Program Files\OpenVPN\bin\openvpn-gui) to the desktop and select "Create a shortcut here...").
  Right click the new shortcut and select Properties
  In the "Target:" dialog, enter the following before the path to OpenVPN-gui:
  C:\windows\system32\runas.exe /savecred /user:"LOCAL ADMIN USERNAME"
  Save your shortcut and double-click on it, and you will be presented with a DOS dialog box asking for the password to the account you specified. Enter the password, and the service will start, running under the privileges of the user you specified. NOTE: By saving the credentials this way, a user can run ANY COMMAND ON THE SYSTEM AS AN ADMINISTRATOR, simply by changing the last part of the shortcut!!!
This method is also ONLY AVAILABLE on Windows XP PRO... the /savecred option is silently ignored when using XP Home or any variant of it (i.e. Media Center etc.). "

I just tested it and the OpenVPN GUI started with admin credentials without asking for a password and everything worked well.
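
Added example, not part of the thread or the quoted article: after the subinacl grant quoted above, `sc sdshow OpenVPNService` prints the service ACL as SDDL, and this Python code checks that the non-admin account holds only start/stop rights and nothing that would let it reconfigure the service. The user SID and both SDDL strings are constructed samples, and the function names are hypothetical.

```python
import re

# Service meaning of the two-letter SDDL rights codes printed by `sc sdshow`.
RIGHTS = {
    "CC": "query_config", "DC": "change_config", "LC": "query_status",
    "SW": "enum_dependents", "RP": "start", "WP": "stop", "DT": "pause_continue",
    "LO": "interrogate", "CR": "user_control", "SD": "delete", "RC": "read_control",
    "WD": "write_dac", "WO": "write_owner", "GA": "generic_all", "GW": "generic_write",
}
# Rights that allow reconfiguring the service (e.g. its binary path) or its ACL.
DANGEROUS = {"change_config", "write_dac", "write_owner", "delete",
             "generic_all", "generic_write"}
PRIVILEGED = {"SY", "BA"}  # LocalSystem and BUILTIN\Administrators

# Constructed samples: the user SID and both ACLs are made up for illustration.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1005"
BASE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)%sS:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
GOOD_SDDL = BASE % ("(A;;RPWP;;;" + USER + ")")  # start/stop only
BAD_SDDL = BASE % ("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + USER + ")")  # over-broad

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights_set)] for the DACL part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, _, rights, _, _, who = body.split(";")  # ValueError if malformed
        codes = re.findall(r"0x[0-9a-fA-F]+|[A-Z]{2}", rights)  # hex masks kept raw
        aces.append((ace_type, who, {RIGHTS.get(c, c) for c in codes}))
    return aces

def granted(sddl, trustee):
    """Union of rights in allow ACEs for one trustee (deny ACEs are not evaluated)."""
    return set().union(*(rights for ace_type, who, rights in parse_dacl(sddl)
                         if ace_type == "A" and who == trustee))

def audit(sddl):
    """List (trustee, risky_rights) for non-privileged trustees in allow ACEs."""
    return [(who, sorted(rights & DANGEROUS))
            for ace_type, who, rights in parse_dacl(sddl)
            if ace_type == "A" and who not in PRIVILEGED and rights & DANGEROUS]

if __name__ == "__main__":
    for name, sddl in (("good", GOOD_SDDL), ("bad", BAD_SDDL)):
        print(name, sorted(granted(sddl, USER)), audit(sddl))
```

An empty result from audit() together with exactly start and stop from granted() is what the subinacl TO grant is meant to produce; anything else on a non-admin SID deserves a second look.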