jpwoodbridge asked:

gpo to add route via openvpn

hi

Can anyone suggest a way to run OpenVPN as an administrator so standard users can add a route, preferably via GPO?

Each computer in our office has an individual VPN connection to a business partner's server, so each PC's IP, broadcast and gateway address is different; this prevents just creating a GPO to add a static route. Additionally, the connections each require a unique password and will often not be used for days at a time; for this reason I'd prefer not to have it running as a service.

Finally, I'd much prefer not to have to make any registry changes on each PC, as it's bound to be something that gets forgotten about with any new PCs.

So really what I'm looking for is a way to have a GPO that will allow all users to be able to add routes on the fly, without having to make changes to individual PCs.
emadallan

I think a logon script would help. Just create a batch file with the route add command in there, create a GPO via a security group, and associate it with an OU or domain. However, if it's based on computer, don't forget to use the Group Policy Loopback Processing Mode in the computer section of the policy so users can pick up the script regardless of where they are.

ASKER CERTIFIED SOLUTION
pritamdutt

This solution is only available to members.
jpwoodbridge (ASKER)
Hi pritamdutt,

Thanks for your detailed response, that almost does it for me! :)

I've created a GPO that:
a) sets the registry value for \OpenVPN-GUI\service_only to 1, and
b) grants authenticated users permission to stop/start the vpn service.

This however does not allow the users to type in a password, it just connects straight away and of course fails due to an invalid password. The 'allow_password' registry value is set to 1 already, however I have tried both with and without this value.

Any suggestions on how I can get around this final step?

Regards,
JP
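The two GPO settings the asker describes, applied locally as an added PowerShell example; this is not code from the thread or from the OpenVPN project. It assumes a 32-bit OpenVPN 2.1 install whose GUI reads HKLM\SOFTWARE\OpenVPN-GUI and whose service is registered as OpenVPNService (both are assumptions; confirm the service name with sc.exe query). It inserts one ACE granting Authenticated Users start and stop into the service's existing security descriptor instead of overwriting it, so the default rights for SYSTEM, Administrators and the SACL stay as they were.

```powershell
# Added example, not from the thread or the OpenVPN project. Run elevated.
# Assumptions: 32-bit OpenVPN 2.1 on Windows, GUI settings under
# HKLM\SOFTWARE\OpenVPN-GUI, service registered as "OpenVPNService".
$guiKey      = 'HKLM:\SOFTWARE\OpenVPN-GUI'
$serviceName = 'OpenVPNService'

# a) service_only = 1: the GUI starts/stops the service instead of launching
#    openvpn.exe under the user's token, so routes are added by Local System.
if (-not (Test-Path $guiKey)) { New-Item -Path $guiKey -Force | Out-Null }
New-ItemProperty -Path $guiKey -Name 'service_only' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# b) Let Authenticated Users (AU) start (RP) and stop (WP) the service, plus the
#    query rights (CC, LC, SW, LO, CR, RC) needed to read its state. Nothing here
#    grants change-config (DC) or write-DAC (WD), so users cannot repoint the
#    service binary or widen the ACL themselves.
$ace  = '(A;;CCLCSWRPWPLOCRRC;;;AU)'
$sddl = (sc.exe sdshow $serviceName | Where-Object { $_ -match '^D:' }).Trim()
if (-not $sddl) { throw "could not read security descriptor of $serviceName" }

if ($sddl -notlike "*$ace*") {
    # Split off the SACL (the part starting with S:) so it is kept untouched,
    # append the new ACE to the DACL, and write the descriptor back.
    $dacl, $sacl = $sddl -split '(?=S:)', 2
    $newSddl = $dacl + $ace + $sacl
    sc.exe sdset $serviceName $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
}

# Print the resulting descriptor for verification.
sc.exe sdshow $serviceName
```

The same two settings can be pushed by GPO as a registry preference item and a System Services security entry; the script is the per-machine equivalent for testing. Note the caveat the asker runs into immediately below: the service has no channel for a passphrase, so this only produces a working connection with an unencrypted key or a key held in the machine certificate store.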
Hi,

Have you given the user Write Access to the OpenVPN\config folder?

Please check!
Also, in my opinion and experience I prefer to use Certificate Based Authentication for users.
Hi,

Yes, all users have full read/write/modify/delete access to the config folder, all OpenVPN folders in fact, as I'm not concerned about anything being deleted or tampered with.

Unfortunately I'm not in a position to dictate what type of connections or security is used; it's a parent company in a way and this is how we have to connect to their server :(

I've tried adding the individual pk12 keys into the Certificate Manager for the local system service, but can't find a way to direct openvpnserv to use the certificate, or if it's even possible with the pk12 cert.

When the service is started via the gui, the log file indicates a prompt to enter a password, and then returns an error: could not read private key password from stdin

Can you please share the OpenVPN config .ovpn file?

regards,
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1500
mssfix 1300
remote fw1.tm2.co.uk 1193
pkcs12 ozJP.p12
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
--------------------------------------------------------------------------------------------

and log file output:

Thu Oct 20 00:14:45 2011 OpenVPN 2.1_rc21 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 12 2009
Thu Oct 20 00:14:45 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
Thu Oct 20 00:14:45 2011 ERROR: could not not read Private Key password from stdin
Thu Oct 20 00:14:45 2011 Exiting
As I can see you are using Password Protected Private key to authenticate with the OpenVPN server.

Unfortunately, there is no way for OpenVPN GUI to hand over a password to the service wrapper, so you can't use passphrase-protected private keys or username/password authentication. This means that you must use an unencrypted private key when using this method. A way to get around the problem of having your private key lying unprotected on your hard drive is to import it into the MS Certificate Store and use the --cryptoapicert option to load it. Remember that the service is running as "Local System" (by default), so you must import the key/cert into the System account, not your user account. (There is work in progress to allow OpenVPN to also access user account keys/certs.) To load a key/cert into the System account's CertStore you must use the Certificates MMC Snap-In, not Internet Explorer.

Hope this helps!

The only option left after this will be to create a "RunAs" shortcut that saves the administrator password on the local machine. The steps for this are:
1. Create a normal Short-Cut to openvpn-gui.exe (c:\program files\openvpn\bin\openvpn-gui.exe) on the desktop.
2. Right-click the short-cut and select Properties.
3. In the Target box, insert the following before the path to openvpn-gui.exe: "runas /savecred /user:administrator ".
4. Double-click the new short-cut, and enter the administrator password.

Regards,
Hi,

I've read about importing the key to the MS Certificate Store, however I'm unsure what to do next. What/how do I use this '--cryptoapicert' option? If OpenVPN will reference this saved key, then I think all will be working.

I'm really not wanting to use a RUNAS shortcut as it would mean users have admin rights to other applications should they figure it out, which they will.

Thanks for your help, it's much appreciated.
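The certificate-store route pritamdutt outlines above, carried through to a working config in answer to the asker's "what/how do I use --cryptoapicert" question, as an added PowerShell example. It is not code from the thread, from the paywalled solutions, or from the OpenVPN project. Assumptions: OpenVPN 2.1 on Windows with the service running as Local System, openssl.exe (shipped in OpenVPN's bin directory) on the PATH, and a PKCS#12 bundle (the thread's ozJP.p12) that holds the client certificate, its private key and the CA certificate. The pkcs12 directive supplied the CA implicitly; cryptoapicert does not, which is exactly the "You must define CA file (--ca)" error the asker reports below, so the script extracts the CA to a separate file.

```powershell
# Added example, not from the thread or the OpenVPN project. Run elevated so
# certutil targets the LocalMachine store, the one Local System can read.
# Assumptions: OpenVPN 2.1 on Windows, openssl.exe on PATH, a PKCS#12 bundle
# containing client cert + key + CA. Paths and the remote are the thread's values.
param(
    [string]$Pkcs12    = 'C:\Program Files\OpenVPN\config\ozJP.p12',
    [string]$ConfigDir = 'C:\Program Files\OpenVPN\config',
    [string]$Remote    = 'fw1.tm2.co.uk 1193'
)
$ErrorActionPreference = 'Stop'

# 1) Import certificate and key into LocalMachine\My with the key marked
#    non-exportable, so nobody who later reaches the store can copy it out.
#    certutil prompts for the PKCS#12 password; it is never put on a command line.
certutil.exe -f -importpfx My $Pkcs12 NoExport
if ($LASTEXITCODE -ne 0) { throw 'certutil import failed' }

# 2) Extract the CA chain to a PEM file for the --ca option (prompts again).
$caFile = Join-Path $ConfigDir 'ca.crt'
openssl.exe pkcs12 -in $Pkcs12 -cacerts -nokeys -out $caFile
if ($LASTEXITCODE -ne 0) { throw 'CA extraction failed' }

# 3) Get the client certificate's SHA-1 fingerprint and format it the way
#    --cryptoapicert "THUMB:..." expects: lower-case hex pairs separated by spaces.
$clientPem = Join-Path $env:TEMP 'client.crt'
openssl.exe pkcs12 -in $Pkcs12 -clcerts -nokeys -out $clientPem
if ($LASTEXITCODE -ne 0) { throw 'client cert extraction failed' }
$fingerprintLine = openssl.exe x509 -in $clientPem -noout -fingerprint -sha1
Remove-Item $clientPem
# openssl prints "SHA1 Fingerprint=F6:49:24:..."; keep the value, swap ':' for ' '.
$thumb = (($fingerprintLine -split '=', 2)[1] -replace ':', ' ').ToLower()

# 4) Write the client config: the thread's directives with "pkcs12 ozJP.p12"
#    replaced by "ca" plus "cryptoapicert".
$ovpn = @"
tls-client
client
dev tun
proto udp
tun-mtu 1500
mssfix 1300
remote $Remote
ca ca.crt
cryptoapicert "THUMB:$thumb"
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
"@
Set-Content -Path (Join-Path $ConfigDir 'ozJP.ovpn') -Value $ovpn -Encoding Ascii
```

Two things worth checking after running it: the service should now start without the "Enter Private Key Password" prompt in the log, and the config directory should be writable only by administrators. The service executes whatever the .ovpn says as Local System, so the full write access the asker granted to every user on the config folder effectively hands the service account to anyone who can edit the file.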
SOLUTION
(members-only content not available on this page)

SOLUTION
(members-only content not available on this page)
Hi,

Unfortunately, those don't work either :( Using askpass and a text file then returns an error that:

Options error: You must define CA file (--ca) or CA path (--capath)

if I comment out the pkcs12 line, or:

Sorry, 'Private Key' password cannot be read from a file

if I don't. I've double-checked the filename and contents and found a few articles on the net which indicate I'm doing it the right way. So I think it's something at the server end which is not allowing this to happen.

I've contacted the other company involved to obtain the .pem file; hopefully that will get around it. Otherwise, I'll just have to convince them to allow a site-to-site VPN through our firewall, not individual client connections.

thanks again for all your help.
In all scenarios except this particular one, where a password is required and no access to the .pem or server config is possible, this would have (and has, in another testing scenario) resolved the problem. Thank you for your detailed answers and suggestions.