WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network. Check out this quarters report on the threats that shook the industry in Q4 2017.
Windows 7 + OpenVPN + Non Admin Users
Hi,
Just wondering if anyone has a solution to this problem.
The users where openvpn has to be installed, are not administrators in any way of their machines, not even local admins.
The users cannot be any kind of admin otherwise PCI + other compliance is compromised.
Is there any way for the user to be able to run the VPN, and have the routes added, without being an admin ?
Thanks,
Leon
Just wondering if anyone has a solution to this problem.
The users where openvpn has to be installed, are not administrators in any way of their machines, not even local admins.
The users cannot be any kind of admin otherwise PCI + other compliance is compromised.
Is there any way for the user to be able to run the VPN, and have the routes added, without being an admin ?
Thanks,
Leon
Asked:
Who is Participating?
If you can
* install OpenVPN as a service (requires admin privs once)
* install the TUN/TAP adapter (requires admin privs once)
* assign "start service" priv to the users
it should work, just by starting the OpenVPN service manually. If the latter isn't possible at all, the only way is to let OpenVPN Service run automatically all the time.
* install OpenVPN as a service (requires admin privs once)
* install the TUN/TAP adapter (requires admin privs once)
* assign "start service" priv to the users
it should work, just by starting the OpenVPN service manually. If the latter isn't possible at all, the only way is to let OpenVPN Service run automatically all the time.
Thanks - I'll give this a go.
Are you able to provide info on how to assign start service privileges to users ?
Thanks,
Leon
Are you able to provide info on how to assign start service privileges to users ?
Thanks,
Leon
Hi,
Also - running as a service does not appear to allow the user to enter there username/password that are required to connect.
Regards,
Leon
Also - running as a service does not appear to allow the user to enter there username/password that are required to connect.
Regards,
Leon
That's true, you can't provide username and password. Do you really need to do that interactively, or just for identification of the PC? Is it ok to put it into the config file? Else you would need to ask for user and password, and send that over to the OpenVPN process using the telnet management feature of OpenVPN. That again requires a batch command and an external tool called netcat (or a telnet connection which asks for the credentials - but I'm not positive about this option).
The requirement to enter the username/password on each connection is necessary and cannot be stored in a text file.
Security is a must unfortunately.
Regards,
Leon
Security is a must unfortunately.
Regards,
Leon
While your method would most likely work, it isn't really practical in my scenario.
Thanks for your help.
Thanks for your help.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month8 days, 17 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
-----------------
To be able to start a service, users need the privilege assigned by
Download subinacl (part of the Windows Resource kit)
Options for /SERVICE: http://www.eventlogblog.com/blog/2007/11/setting-service-permissions-wi.html.
-----------------
To ask for credentials, you need following settings in each config file:
As soon as OpenVPN is started with above config, you can do (in a batch file):
The management interface of OpenVPN can be used to provide data else given manually, to stop the connection, and many more.
If you want to start the service manually, begin the batch file above with