gpo to add route via openvpn

Posted on 2011-10-18
Medium Priority
Last Modified: 2012-05-12

can anyone suggest a way to run openvpn as an administrator so standard users can add a route. preferrably via gpo

each computer in our office has an individual vpn connection to a business partners server, so each pc's IP, broadcast and gateway address is different - this prevents just creating a GPO to add a static route. Additionally, the connections each require a unique password, and will often not be used for days at a time, for this reason I'd prefer not to have it running as a service.

Finally, I'd much prefer to not have to make any registry changes on each pc as its bound to be something that gets forgotten about with any new pc's..

So really what I'm looking for is a way to have a GPO that will allow all users to be able to add routes on the fly, without having to make changes to individual pc's.
Question by:jpwoodbridge
  • 7
  • 6

Expert Comment

ID: 36984851
i think logon script would help. just create a batch file with the route add
command in there. and create GPO via security group, associate it to an OU or Domain; however  If it's
based on computer, don't forget to use the Group Policy Loopback Processing
Mode in the computer section of the policy so users can pick up the script regardless where they are


Accepted Solution

pritamdutt earned 2000 total points
ID: 36984894

I have following suggestion for you:

1. Install OpenVPN as service, but configure it to start manually.
2. Grant a normal user right to manage this service, enabling him to Start when desired
- Method 1: Grant rights using Group Policy - Read Steps to Configure Group Policy  here
- Method 2: Grant rights using Subinacl.exe
Use the Subinacl.exe utility from the Windows Resource Kit. The syntax for this is:
SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

To give the user "John" the right to start and stop the OpenVPN service, log on as administrator and run the following command:

subinacl /SERVICE "OpenVPNService" /GRANT=john=TO

- Method 3: Grant rights using Security templates
This method is very similar to Method 1, but it uses Security templates to change the permissions on system services. To do this, follow these steps:
1.Click Start, click Run, and then type MMC.
2. On the Console menu, click Add/Remove Snap-in.
3. Click Add.
4. Select the Security Configuration and Analysis snap-in, and then click Add.
5. Click Close, and then click OK.
6. In the MMC, right-click the Security Configuration and Analysis item, and then click Open Database.
7. Give a name for the database, and then browse to where you would like to store it.
8. When prompted, select a Security Template to import. For example, the "basicwk.inf" contains values for the standard 9. settings found on a Windows 2000 Professional computer.
9. In the MMC, right-click the Security Configuration and Analysis item, and then click the Analyze Computer now option. Choose a location for the log file, when prompted.
10. After analysis is complete, configure the service permissions as follows:
10.1 Double-click the System Services branch in the MMC.
10.2 Right-click the service that you want to change, and then click Security.
10.3 Click Edit Security.
10.4 Add user accounts as required, and configure the permissions for each account. By default, the user will be granted "Start, stop and pause" permissions.
11. To apply the new settings to the local computer, simply right-click the Security Configuration and Analysis item, and then click the Configure Computer Now option.

It is also possible to export your modified settings from the MMC and apply these to multiple machines using the SECEDIT command-line tool that ships with Windows 2000. For more information on using SECEDIT type the following at the command prompt:
secedit /?
NOTE: Applying the settings in this way will re-apply all of the settings in the template and so may override other file, registry, or service permissions set by other means.

3. Configure Open VPN GUI to control the OpenVPN Service

A default installation of OpenVPN GUI does not give you any way to control the OpenVPN service. There is however two ways to do this. If you are running as administrator, and just want a convenient way to control the OpenVPN Service, you can enable a hidden menu for this. You enable this by setting the following registry value to "1":


Since OpenVPN GUI 1.0-rc2 there is a special mode called "Service Only" that is suitable for users running without admin privileges. This mode changes the behavior of the "Connect" and "Disconnect" actions to start and stop the OpenVPN service instead of launching openvpn.exe directly, like it usually does. It also hides the "Proxy Settings" menu as it has no effect on the service. To enable this mode set the following registry value to "1":


Also remember that a normal user don't have write access to the OpenVPN\config folder, so he won't be able to edit the OpenVPN config file or change his password, unless you give him write access to these files. To hide these menu items set the following registry values to "0":



Hope this helps!


Author Comment

ID: 36985894
Hi pritamdutt,

Thanks for your detailed response, that almost does it for me! :)

I've created a GPO that:
a) sets the registry value for \OpenVPN-GUI\service_only to 1, and
b) grants authenticated users permission to stop/start the vpn service.

This however does not allow the users to type in a password, it just connects straight away and of course fails due to an invalid password. The 'allow_password' registry value is set to 1 already, however I have tried both with and without this value.

Any suggestions on how I can get around this final step?

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.


Expert Comment

ID: 36991715

Have u given the user Write Access to OpenVPN\config folder?

Please check!

Expert Comment

ID: 36991723
Also, in my opinion and experience I prefer to use Certificate Based Authentication for users.

Author Comment

ID: 36992754

Yes, all users have full read/write/modify/delete access to the config folder, all openvpn folders in fact as I'm not concerned about anything be deleted or tampered with.

Unfortunately I'm not in a position to dictate what type of connections or security is used, its a parent company in a way and this is how we have to connect to their server :(

I've tried adding the individual pk12 keys into the Certificate Manager for the local system service, but can't find a way to direct openvpnserv to use the certificate, or if its even possible with the pk12 cert.

When the service is started via the gui, the log file indicates a prompt to enter a password, and then returns an error: could not read private key password from stdin


Expert Comment

ID: 36994159
can u please share the OpenVPN config .ovpn file.


Author Comment

ID: 36996779
#OpenVPN Server conf
dev tun
proto udp
tun-mtu 1500
mssfix 1300
remote fw1.tm2.co.uk 1193
pkcs12 ozJP.p12
cipher BF-CBC
verb 3
ns-cert-type server

and log file output:

Thu Oct 20 00:14:45 2011 OpenVPN 2.1_rc21 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 12 2009
Thu Oct 20 00:14:45 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
Thu Oct 20 00:14:45 2011 ERROR: could not not read Private Key password from stdin
Thu Oct 20 00:14:45 2011 Exiting

Expert Comment

ID: 36997651
As I can see you are using Password Protected Private key to authenticate with the OpenVPN server.

Unfortunately, There is no way for OpenVPN GUI to hand over a password to the service wrapper, so you can't use passphrase protected private keys or username/password authentication. This means that you must use an un-encrypted private key when using this method. A way to get around the problem with having your private key lying unprotected on your hard drive is to import it to the MS Certificate Store and use the --cryptoapicert option to load it. Remember that the service is running as "Local System" (by default) so you must import the key/cert into the System account, not your user account. (There is work in progress to allow OpenVPN to access also user account key/cert's). To load a key/cert into the System accounts CertStore you must use the Certificates MMC Snap-In, not Internet Explorer.

Hope this helps!

The only option left after this will be to Create a "RunAs" short-cut that saves the administrator password on the local machine.   Steps for same are :
1. Create a normal Short-Cut to openvpn-gui.exe (c:\program files\openvpn\bin\openvpn-gui.exe) on the desktop.
2. Right-click the short-cut and select Properties.
3. In the Target box, insert the following before the path to openvpn-gui.exe: "runas /savecred /user:administrator ".
4. Double-click the new short-cut, and enter the administrator password.


Author Comment

ID: 36998095

I've read about importing the key to the MS Certificate Store, however I'm unsure what to do next. What / how do i use this '--cryptoapicert' option. If openvpn will reference this saved key, then i think all will be working.

im really not wanting to use RUNAS shortcut as it would mean users have admin rights to other applications should they figure it out, which they will.

thanks for your help its much appreciated

Assisted Solution

pritamdutt earned 2000 total points
ID: 36998630
Hi Sorry for the delay was trying to replicate your configuration to see what works out best.

Well here I have found the solution.

Please add addition parameter in your .ovpn file
askpass "pass"
where pass is the name of password file residing in the config directory, and contains password on the first line in plaintext.

Hope this helps!


Assisted Solution

pritamdutt earned 2000 total points
ID: 36998706
In case you don't wish to use the above method you can use the following method using cryptoapicert. For this you need to have a copy of root certificate in .pem format.

1. Copy the Root Cert in config directory, lets say its called cacert.pem
2. Import the User Private Key into Windows by using the following commands:
- Start MMC as Computer Administrator
- Choose Add/Remove Snap-in
- Select Certificates
- Click on Add
- Choose Computer Account When Prompted
- Expand Certificates (Local Computer) -> Personal -> Certificates
- Right-Click on right side pane
- Click All Tasks -> Import
- Choose the Personal Information Exchange Type
- Type password for Private Key
- Click Next
- Click Next
- Click Finish
- You will get message "The Import was successful"
3. Extract Certificate Thumbprint Information
- Double Click on the newly imported Private Key
- Click on Details Tab
- Scrolldown for Thumbprint Field and copy the value after selecting the field
4. Open the client .ovpn file
5. Make following changes to the .ovpn file
- Comment out pkcs12 ozJP.p12 by placing a # in the begining
- Add ca "cacert.pem"
- Add cryptoapicert "THUMB:3e 9b .. paste thumbprint value here"
6. Save and run

Hope this helps!



Author Comment

ID: 37004658

Unfortunately, those don't work either :( Using askpass and a text file then returns an error that:

Options error: You must define CA file (--ca) or CA path (--capath)

if i comment out the pkcs12 line, or:

Sorry, 'Private Key' password cannot be read from a file

if I dont. I've double checked filename and contents and found a few articles on the net which indicate I'm doing it the right way. So i think its something at the server end which is not allowing this to happen.

I've contacted the other company involved to obtain the .pem file, hopefullly that will get around it. Otherwise, I'll just have to convince them to allow a site-to-site vpn through our firewall, not individual client connections.

thanks again for all your help.

Author Closing Comment

ID: 37004660
in all scenarios except this particular one where  a password is required, and no access to .pem or server config is possible, this would (and has in another testing scenario) resolved the problem. thankyou for your detailed answers and suggestions

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question