Solved

Windows 7 + OpenVPN + Non Admin Users

Posted on 2010-09-08
8
1,883 Views
Last Modified: 2012-05-10
Hi,

Just wondering if anyone has a solution to this problem.

The users where openvpn has to be installed, are not administrators in any way of their machines, not even local admins.

The users cannot be any kind of admin otherwise PCI + other compliance is compromised.

Is there any way for the user to be able to run the VPN, and have the routes added, without being an admin ?

Thanks,

Leon
0
Comment
Question by:gjdonkeh
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 33631979
If you can
* install OpenVPN as a service (requires admin privs once)
* install the TUN/TAP adapter (requires admin privs once)
* assign "start service" priv to the users
it should work, just by starting the OpenVPN service manually. If the latter isn't possible at all, the only way is to let OpenVPN Service run automatically all the time.
0
 
LVL 3

Author Comment

by:gjdonkeh
ID: 33635370
Thanks - I'll give this a go.

Are you able to provide info on how to assign start service privileges to users ?

Thanks,

Leon
0
 
LVL 3

Author Comment

by:gjdonkeh
ID: 33635467
Hi,

Also - running as a service does not appear to allow the user to enter there username/password that are required to connect.

Regards,

Leon
0
Watch Anatomy of a Wi-Fi Hack On-Demand

In less than a weekend, anyone with Internet access and some free time can become a Wi-Fi MitM to wreak havoc on your network. View our Wi-Fi Expert in an on-demand episode of our Secure Wi-Fi mini-series as he explores the motives, execution, and anatomy of a Wi-Fi hack.

 
LVL 69

Expert Comment

by:Qlemo
ID: 33636926
That's true, you can't provide username and password. Do you really need to do that interactively, or just for identification of the PC? Is it ok to put it into the config file? Else you would need to ask for user and password, and send that over to the OpenVPN process using the telnet management feature of OpenVPN. That again requires a batch command and an external tool called netcat (or a telnet connection which asks for the credentials - but I'm not positive about this option).
0
 
LVL 3

Author Comment

by:gjdonkeh
ID: 33637522
The requirement to enter the username/password on each connection is necessary and cannot be stored in a text file.

Security is a must unfortunately.

Regards,

Leon
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 33640849
Ok, that is getting more complicated then.

-----------------

To be able to start a service, users need the privilege assigned by
subinacl /SERVICE "OpenVPNService" /GRANT=MyUser=TO
TO is Start and Stop
 
Download subinacl (part of the Windows Resource kit)
Options for /SERVICE: http://www.eventlogblog.com/blog/2007/11/setting-service-permissions-wi.html.

-----------------

To ask for credentials, you need following settings in each config file:
management 127.0.0.1 65500management-query-passwords
Then download netcat (best thru http://joncraton.org/files/nc111nt.zip, you will only need the nc.exe file from that zip).

As soon as OpenVPN is started with above config, you can do (in a batch file):
@echo offset /P usr=Username: set /P pwd=Password: (echo username Auth "%usr%"& echo password Auth "%pwd%"& echo quit) | nc -i 1 127.0.0.1 65500
65500 is an arbitrary port number I chose by random. You can use other port numbers, of course, but you need to change them in both the config and the nc.exe command line.

The management interface of OpenVPN can be used to provide data else given manually, to stop the connection, and many more.

If you want to start the service manually, begin the batch file above with
sc start OpenVPN
(before the set /P's). Since the user needs some time to enter the credentials, that should be sufficient for OpenVPN to do the necessary inits and start communicating with the OpenVPN server, and the management commands come just in time.

0
 
LVL 3

Author Closing Comment

by:gjdonkeh
ID: 33927793
While your method would most likely work, it isn't really practical in my scenario.

Thanks for your help.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 33933382
Why? You can automate it without much ado, all steps contained in my description. That's the only way how you can get around the permission issue.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
pptp through Cisco ASA5505 V7 5 31
Clientless VPN Access 23 39
BgInfo help 5 59
How to remove duplicates eficiently without sorting 5 26
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
OfficeMate Freezes on login or does not load after login credentials are input.
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question