Solved

OpenVPN client: cannot push routes without local admin account

Posted on 2010-08-12
2,269 Views
Last Modified: 2012-05-10
We are using pfSense for the firewall and OpenVPN server. Most of the clients' laptops are Windows XP.

The OpenVPN client with OpenVPN GUI works well when it runs on accounts with local admin rights, but if a regular account is used the routes to the LAN subnets are not applied, preventing any communication.

These are the errors I get after connecting with a regular user account:

Thu Aug 12 16:16:20 2010 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 192.168.222.25
Thu Aug 12 16:16:20 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=4]
Thu Aug 12 16:16:20 2010 Route addition via IPAPI failed [adaptive]
Thu Aug 12 16:16:20 2010 Route addition fallback to route.exe
Thu Aug 12 16:16:20 2010 C:\WINDOWS\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 192.168.222.25
Thu Aug 12 16:16:20 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=4]
Thu Aug 12 16:16:20 2010 Route addition via IPAPI failed [adaptive]
Thu Aug 12 16:16:20 2010 Route addition fallback to route.exe
Thu Aug 12 16:16:20 2010 C:\WINDOWS\system32\route.exe ADD 192.168.222.1 MASK 255.255.255.255 192.168.222.25
Thu Aug 12 16:16:20 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=4]
Thu Aug 12 16:16:20 2010 Route addition via IPAPI failed [adaptive]
Thu Aug 12 16:16:20 2010 Route addition fallback to route.exe



Any way to make the VPN client work properly on XP without local admin rights?
Question by:nji-inm
2 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 33425385
A workaround is to install OpenVPN service, and start/stop that. The service has access to the routing table, so that should work, IF non-admins can start services that is.
 

Accepted Solution

by: nji-inm (earned 0 total points)
ID: 33430405
Thanks for the quick reply Qlemo. I think I found the solution here:

http://thatitguy.com/Community/Wiki/OpenVPN-How-To

Quoting from the article:

"Running OpenVPN GUI as a non-admin user on the Windows PC...

  You'll have to give the selected user access to start/stop the OpenVPN service:
  Download subinacl (a component of the XP Resource Kit) from the Microsoft Website.
  Open up a Command Prompt and run the following commands:

  cd c:\program files\Windows Resource kits\Tools\
  subinacl /SERVICE "OpenVPNService" /GRANT={username}=TO
  exit

  You'll need to change the following registry keys on the client PC:
  HKLM\Software\OpenVPN-GUI\allow_edit=0
  HKLM\Software\OpenVPN-GUI\allow_password=0
  HKLM\Software\OpenVPN-GUI\allow_proxy=0

  And that's it... at this point, you should be able to log out and log back in (you'll need to do that *EVERY TIME* you make a change to the OpenVPN-GUI registry keys!), right-click the OpenVPN icon in the systray, enter your username and password, and get a connection.

  Run OpenVPN-GUI as a NON-Admin user via the Windows XP RUNAS command: You can save the credentials for a runas shortcut thusly (and thanks to the OpenVPN site administrator for clueing me in on this...):
  First: toss out the registry entries to start OpenVPN-GUI on bootup: delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run\openvpn-gui.
  Next, create a regular shortcut on the desktop to OpenVPN-gui (I usually right-click and drag the binary (C:\Program Files\OpenVPN\bin\openvpn-gui) to the desktop and select "Create a shortcut here...").
  Right-click the new shortcut and select Properties.
  In the "Target:" dialog, enter the following before the path to OpenVPN-gui:
  C:\windows\system32\runas.exe /savecred /user:"LOCAL ADMIN USERNAME"
  Save your shortcut and double-click on it, and you will be presented with a DOS dialog box asking for the password to the account you specified. Enter the password, and the service will start, running under the privileges of the user you specified. NOTE: By saving the credentials this way, a user can run ANY COMMAND ON THE SYSTEM AS AN ADMINISTRATOR, simply by changing the last part of the shortcut!!!
  This method is also ONLY AVAILABLE on Windows XP PRO... the /savecred option is silently ignored when using XP Home or any variant of it (i.e. Media Center etc.)."
I just tested it and the OpenVPN GUI started with admin credentials without asking for password and everything worked well.
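Both Qlemo's workaround and the first half of the quoted article come down to one step: let a chosen non-admin account start and stop the OpenVPN service, so that the service (which runs as SYSTEM and can write the routing table) does the route additions instead of the user's own openvpn.exe. The script below is an added example, not code from this thread or from the quoted article. It performs the same grant as `subinacl /SERVICE "OpenVPNService" /GRANT={username}=TO`, but with `sc.exe sdshow` / `sc.exe sdset`, which ship with Windows, so no Resource Kit download is needed. It assumes the service is registered under the name `OpenVPNService` used in the quoted commands and that it is run from an elevated PowerShell session (PowerShell is not installed on XP by default). The SDDL rights it grants are start (RP), stop (WP) and the query rights the GUI needs to show status; it deliberately does not grant change-config (DC) or write-DACL/owner (WD/WO), so the user cannot repoint the service binary, and it replaces the `runas /savecred` shortcut entirely, since the article itself notes that shortcut lets the user run any command as the saved administrator.

```powershell
# Added example: grant a non-admin account Start/Stop rights on the OpenVPN service
# via the service security descriptor (SDDL). Equivalent to subinacl /GRANT=user=TO.
# Assumptions: service name 'OpenVPNService' (from the quoted how-to), elevated session.
param(
    [Parameter(Mandatory = $true)] [string] $UserName,
    [string] $ServiceName = 'OpenVPNService'
)

# SDDL ACEs carry SIDs, not names, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($UserName)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the current descriptor. sc.exe prints a blank line followed by the SDDL string.
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
if (-not $sddl) { throw "Could not read the security descriptor of service '$ServiceName'" }

# Rights in the new ACE:
#   CC = QUERY_CONFIG, LC = QUERY_STATUS, SW = ENUMERATE_DEPENDENTS,
#   RP = START, WP = STOP, LO = INTERROGATE, RC = READ_CONTROL
# Intentionally absent: DC (CHANGE_CONFIG), WD (WRITE_DAC), WO (WRITE_OWNER).
$ace = "(A;;CCLCSWRPWPLORC;;;$sid)"

if ($sddl -like "*$sid*") {
    Write-Host "An ACE for $UserName already exists on $ServiceName; descriptor left unchanged."
} else {
    # Append the ACE to the DACL ('D:' part) and keep any SACL ('S:' part) after it.
    if ($sddl -match '^(D:.*?)(S:.*)?$') {
        $newSddl = $Matches[1] + $ace + $Matches[2]
    } else {
        $newSddl = $sddl + $ace
    }
    & sc.exe sdset $ServiceName $newSddl
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
}

# Verify by reading the descriptor back and decoding the ACE we care about.
$check = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
$desc  = New-Object System.Security.AccessControl.RawSecurityDescriptor($check)
$desc.DiscretionaryAcl |
    Where-Object { $_.SecurityIdentifier.Value -eq $sid } |
    ForEach-Object { "{0} ({1}): access mask 0x{2:X8}" -f $UserName, $sid, $_.AccessMask }
```

Run it once per machine as an administrator, e.g. `.\Grant-OpenVpnServiceControl.ps1 -UserName 'MYDOMAIN\jsmith'` (the script file name is arbitrary). Afterwards the user still needs the `allow_edit=0`, `allow_password=0` and `allow_proxy=0` GUI registry settings from the quoted article, and a logoff/logon for the new service ACL to take effect in their session; the runas shortcut and its saved administrator password are not needed at all.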