Solved

OpenVPN client: cannot push routes without local admin account

Posted on 2010-08-12
Last Modified: 2012-05-10
We are using pfsense for FW and OpenVPN server. Most of the client laptops are Windows XP.

The OpenVPN client with OpenVPN GUI works well when it runs on accounts with local admin rights, but if a regular account is used, the routes to the LAN subnets are not applied, preventing any communication.

These are the errors I get after connecting with a regular user account:

Thu Aug 12 16:16:20 2010 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 192.168.222.25
Thu Aug 12 16:16:20 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=4]
Thu Aug 12 16:16:20 2010 Route addition via IPAPI failed [adaptive]
Thu Aug 12 16:16:20 2010 Route addition fallback to route.exe
Thu Aug 12 16:16:20 2010 C:\WINDOWS\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 192.168.222.25
Thu Aug 12 16:16:20 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=4]
Thu Aug 12 16:16:20 2010 Route addition via IPAPI failed [adaptive]
Thu Aug 12 16:16:20 2010 Route addition fallback to route.exe
Thu Aug 12 16:16:20 2010 C:\WINDOWS\system32\route.exe ADD 192.168.222.1 MASK 255.255.255.255 192.168.222.25
Thu Aug 12 16:16:20 2010 ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied.   [status=65 if_index=4]
Thu Aug 12 16:16:20 2010 Route addition via IPAPI failed [adaptive]
Thu Aug 12 16:16:20 2010 Route addition fallback to route.exe

Any way to make the VPN client work properly on XP without local admin rights?
Question by:nji-inm
Expert Comment

by:Qlemo
A workaround is to install OpenVPN service, and start/stop that. The service has access to the routing table, so that should work, IF non-admins can start services that is.
Accepted Solution

by:nji-inm
Thanks for the quick reply Qlemo. I think I found the solution here:

http://thatitguy.com/Community/Wiki/OpenVPN-How-To

Quoting from the article:

"Running OpenVPN GUI as a non-admin user on the Windows PC...
 
  You'll have to give the selected user access to start/stop the OpenVPN service:
  Download subinacl (a component of the XP Resource Kit) from the Microsoft Website.
  Open up a Command Prompt and run the following commands:
 
  cd c:\program files\Windows Resource kits\Tools\
  subinacl /SERVICE "OpenVPNService" /GRANT={username}=TO
  exit
 
 You'll need to change the following registry keys on the client PC:
  HKLM\Software\OpenVPN-GUI\allow_edit=0
  HKLM\Software\OpenVPN-GUI\allow_password=0
  HKLM\Software\OpenVPN-GUI\allow_proxy=0
 
 
And that's it... at this point, you should be able to log out and log back in (you'll need to do that *EVERY TIME* you make a change to the OpenVPN-GUI registry keys!), right click the OpenVPN icon in the systray, enter your username and password, and get a connection.

 Run OpenVPN-GUI as a NON-Admin user via the Windows XP RUNAS command:
 You can save the credentials for a runas shortcut thusly (and thanks to the OpenVPN site administrator for clueing me in on this...):
  First: toss out the registry entries to start OpenVPN-GUI on bootup: delete HKLM\Software\Microsoft\Windows\Current Version\Run\openvpn-gui.
  Next, create a regular shortcut on the desktop to OpenVPN-gui (I usually right-click and drag the binary (C:\Program Files\OpenVPN\bin\openvpn-gui) to the desktop and select "Create a shortcut here...").
  Right click the new shortcut and select Properties
  In the "Target:" dialog, enter the following before the path to OpenVPN-gui:
  C:\windows\system32\runas.exe /savecred /user:"LOCAL ADMIN USERNAME"
  Save your shortcut and double-click on it, and you will be presented with a DOS dialog box asking for the password to the account you specified. Enter the password, and the service will start, running under the privileges of the user you specified. NOTE: By saving the credentials this way, a user can run ANY COMMAND ON THE SYSTEM AS AN ADMINISTRATOR, simply by changing the last part of the shortcut!!!
  This method is also ONLY AVAILABLE on Windows XP PRO... the /savecred option is silently ignored when using XP Home or any variant of it (i.e. Media Center etc.)."
I just tested it and the OpenVPN GUI started with admin credentials without asking for a password and everything worked well.
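
A way to confirm that the subinacl grant quoted above left only start/stop delegated on the service, as an added example that is not part of the original thread: it parses the SDDL string printed by `sc sdshow OpenVPNService` and flags any non-admin trustee whose rights allow reconfiguring the service. The SID and both DACL strings are constructed samples, and the function names are this example's own.

```python
import re

# SDDL access codes as they apply to Windows service objects.
RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ",
    "GX": "GENERIC_EXECUTE",
}
# Rights that allow reconfiguring the service or rewriting its ACL.
ESCALATION = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}
PRIVILEGED = {"SY", "BA"}  # LocalSystem, built-in Administrators
ACE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def parse_dacl(sddl):
    """Map each trustee to the set of rights its allow-ACEs grant."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop the SACL
    acl = {}
    for ace_type, rights, trustee in ACE.findall(dacl):
        if ace_type != "A":
            continue
        # Hex masks are kept whole; symbolic rights are two-letter codes.
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        acl.setdefault(trustee, set()).update(RIGHTS.get(c, c) for c in codes)
    return acl

def audit(sddl, delegated):
    """Return findings for a DACL after start/stop was delegated to one trustee."""
    acl, findings = parse_dacl(sddl), []
    for trustee, rights in sorted(acl.items()):
        if trustee in PRIVILEGED:
            continue
        if rights & ESCALATION:
            findings.append(f"{trustee}: can reconfigure service: {sorted(rights & ESCALATION)}")
        unknown = rights - set(RIGHTS.values())
        if unknown:
            findings.append(f"{trustee}: unparsed rights, review by hand: {sorted(unknown)}")
    if not {"START", "STOP"} <= acl.get(delegated, set()):
        findings.append(f"{delegated}: start/stop not granted")
    return findings

# Constructed sample values (not captured from a real host).
USER = "S-1-5-21-1111111111-2222222222-3333333333-1005"
BASE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
SACL = "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
GOOD = BASE + f"(A;;RPWP;;;{USER})" + SACL
BAD = BASE + f"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{USER})" + SACL

if __name__ == "__main__":
    for name, sddl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(sddl, USER) or "ok")
```

An empty findings list means the delegated account can start and stop the service and no non-admin trustee can change its configuration or ACL.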