gpo to add route via openvpn

Posted on 2011-10-18
Last Modified: 2012-05-12

Can anyone suggest a way to run OpenVPN as an administrator so standard users can add a route, preferably via GPO?

Each computer in our office has an individual VPN connection to a business partner's server, so each PC's IP, broadcast and gateway address is different; this prevents just creating a GPO to add a static route. Additionally, the connections each require a unique password, and will often not be used for days at a time; for this reason I'd prefer not to have it running as a service.

Finally, I'd much prefer not to have to make any registry changes on each PC, as it's bound to be something that gets forgotten about with any new PCs.

So really what I'm looking for is a way to have a GPO that will allow all users to be able to add routes on the fly, without having to make changes to individual PCs.
Question by: jpwoodbridge

    Expert Comment

    I think a logon script would help. Just create a batch file with the route add command in there, and create a GPO via a security group, associated with an OU or the domain; however, if it's based on computer, don't forget to use the Group Policy Loopback Processing Mode in the computer section of the policy so users can pick up the script regardless of where they are.


    Accepted Solution


    I have the following suggestion for you:

    1. Install OpenVPN as a service, but configure it to start manually.
    2. Grant a normal user the right to manage this service, enabling him to start it when desired.
    - Method 1: Grant rights using Group Policy - Read Steps to Configure Group Policy  here
    - Method 2: Grant rights using Subinacl.exe
    Use the Subinacl.exe utility from the Windows Resource Kit. The syntax for this is:
    SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

    To give the user "John" the right to start and stop the OpenVPN service, log on as administrator and run the following command:

    subinacl /SERVICE "OpenVPNService" /GRANT=john=TO

    - Method 3: Grant rights using Security templates
    This method is very similar to Method 1, but it uses Security templates to change the permissions on system services. To do this, follow these steps:
    1.Click Start, click Run, and then type MMC.
    2. On the Console menu, click Add/Remove Snap-in.
    3. Click Add.
    4. Select the Security Configuration and Analysis snap-in, and then click Add.
    5. Click Close, and then click OK.
    6. In the MMC, right-click the Security Configuration and Analysis item, and then click Open Database.
    7. Give a name for the database, and then browse to where you would like to store it.
    8. When prompted, select a Security Template to import. For example, "basicwk.inf" contains values for the standard settings found on a Windows 2000 Professional computer.
    9. In the MMC, right-click the Security Configuration and Analysis item, and then click the Analyze Computer now option. Choose a location for the log file, when prompted.
    10. After analysis is complete, configure the service permissions as follows:
    10.1 Double-click the System Services branch in the MMC.
    10.2 Right-click the service that you want to change, and then click Security.
    10.3 Click Edit Security.
    10.4 Add user accounts as required, and configure the permissions for each account. By default, the user will be granted "Start, stop and pause" permissions.
    11. To apply the new settings to the local computer, simply right-click the Security Configuration and Analysis item, and then click the Configure Computer Now option.

    It is also possible to export your modified settings from the MMC and apply these to multiple machines using the SECEDIT command-line tool that ships with Windows 2000. For more information on using SECEDIT type the following at the command prompt:
    secedit /?
    NOTE: Applying the settings in this way will re-apply all of the settings in the template and so may override other file, registry, or service permissions set by other means.

    3. Configure OpenVPN GUI to control the OpenVPN service

    A default installation of OpenVPN GUI does not give you any way to control the OpenVPN service. There are, however, two ways to do this. If you are running as administrator, and just want a convenient way to control the OpenVPN service, you can enable a hidden menu for this. You enable this by setting the following registry value to "1":


    Since OpenVPN GUI 1.0-rc2 there is a special mode called "Service Only" that is suitable for users running without admin privileges. This mode changes the behavior of the "Connect" and "Disconnect" actions to start and stop the OpenVPN service instead of launching openvpn.exe directly, like it usually does. It also hides the "Proxy Settings" menu as it has no effect on the service. To enable this mode set the following registry value to "1":


    Also remember that a normal user doesn't have write access to the OpenVPN\config folder, so he won't be able to edit the OpenVPN config file or change his password, unless you give him write access to these files. To hide these menu items set the following registry values to "0":



    Hope this helps!
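
The three steps of the answer above, rolled into one GPO computer startup script. This is an added example, not code from the thread or from OpenVPN; it assumes the service is registered as "OpenVPNService" (the name used in the subinacl command above) and that OpenVPN GUI reads its settings from HKLM:\SOFTWARE\OpenVPN-GUI, neither of which the page states. Only the service_only value the thread names is set, because the page leaves the other value names blank.

```powershell
# Added example, not from the original thread: the accepted answer's steps
# 1-3 as a single GPO computer startup script (runs elevated as SYSTEM).
# Assumptions not stated on the page: the service is named "OpenVPNService"
# and OpenVPN GUI reads its settings from HKLM:\SOFTWARE\OpenVPN-GUI.

$ServiceName = 'OpenVPNService'
$GuiKey      = 'HKLM:\SOFTWARE\OpenVPN-GUI'

function Get-ServiceSddl([string]$Name) {
    # sc.exe sdshow prints a blank line followed by the SDDL string.
    $line = & sc.exe sdshow $Name | Where-Object { $_.Trim() -match '^D:' } | Select-Object -First 1
    if (-not $line) { throw "Could not read the security descriptor of $Name" }
    return $line.Trim()
}

# 1. Installed as a service, but started only on demand.
Set-Service -Name $ServiceName -StartupType Manual

# 2. Let Authenticated Users (AU) start and stop it.
#    SDDL service rights used: CC query config, LC query status, RP start,
#    WP stop, DT pause/continue, LO interrogate, RC read the DACL.
#    Deliberately absent: DC/WD/WO (change config, write DACL, take
#    ownership), which would let a user repoint the service binary.
$grantAce = '(A;;CCLCRPWPDTLORC;;;AU)'

$sddl = Get-ServiceSddl $ServiceName
if ($sddl -notlike "*$grantAce*") {
    # Append our ACE to the DACL (D:...) and leave any SACL (S:...) untouched.
    $dacl, $sacl = $sddl -split '(?=S:)', 2
    $newSddl = $dacl + $grantAce + $sacl
    & sc.exe sdset $ServiceName $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
}

# 3. Put OpenVPN GUI into "Service Only" mode so Connect/Disconnect start
#    and stop the service instead of launching openvpn.exe as the user.
if (-not (Test-Path $GuiKey)) { New-Item -Path $GuiKey -Force | Out-Null }
Set-ItemProperty -Path $GuiKey -Name 'service_only' -Value '1' -Type String

# Verify: the ACE must now appear in the live descriptor.
if ((Get-ServiceSddl $ServiceName) -notlike "*$grantAce*") { throw 'Service ACL was not applied' }
Write-Host "Done: $ServiceName set to manual, AU may start/stop it, GUI in service-only mode"
```

One caveat before handing out the start right: the service runs as LocalSystem and reads whatever is in the config folder, and an OpenVPN config can run arbitrary commands through up/down scripts once script-security 2 is set (the NOTE line in the log later in the thread refers to exactly that). A user who can write the config folder can therefore run code as SYSTEM simply by starting the service. Grant write access only on the specific files a user needs to edit, never on the whole folder.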


    Author Comment

    Hi pritamdutt,

    Thanks for your detailed response, that almost does it for me! :)

    I've created a GPO that:
    a) sets the registry value for \OpenVPN-GUI\service_only to 1, and
    b) grants authenticated users permission to stop/start the vpn service.

This, however, does not allow the users to type in a password; it just connects straight away and of course fails due to an invalid password. The 'allow_password' registry value is set to 1 already; however, I have tried both with and without this value.

    Any suggestions on how I can get around this final step?


    Expert Comment


    Have you given the user write access to the OpenVPN\config folder?

    Please check!

    Expert Comment

    Also, in my opinion and experience I prefer to use Certificate Based Authentication for users.

    Author Comment


    Yes, all users have full read/write/modify/delete access to the config folder, all OpenVPN folders in fact, as I'm not concerned about anything being deleted or tampered with.

    Unfortunately I'm not in a position to dictate what type of connections or security is used; it's a parent company in a way and this is how we have to connect to their server :(

    I've tried adding the individual .p12 keys into the Certificate Manager for the local system service, but can't find a way to direct openvpnserv to use the certificate, or if it's even possible with the .p12 cert.

    When the service is started via the gui, the log file indicates a prompt to enter a password, and then returns an error: could not read private key password from stdin


    Expert Comment

    Can you please share the OpenVPN config .ovpn file?


    Author Comment

    #OpenVPN Server conf
    dev tun
    proto udp
    tun-mtu 1500
    mssfix 1300
    remote 1193
    pkcs12 ozJP.p12
    cipher BF-CBC
    verb 3
    ns-cert-type server

    and log file output:

    Thu Oct 20 00:14:45 2011 OpenVPN 2.1_rc21 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 12 2009
    Thu Oct 20 00:14:45 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Enter Private Key Password:
    Thu Oct 20 00:14:45 2011 ERROR: could not not read Private Key password from stdin
    Thu Oct 20 00:14:45 2011 Exiting

    Expert Comment

    As I can see you are using Password Protected Private key to authenticate with the OpenVPN server.

    Unfortunately, there is no way for OpenVPN GUI to hand over a password to the service wrapper, so you can't use passphrase-protected private keys or username/password authentication. This means that you must use an unencrypted private key when using this method. A way to get around the problem of having your private key lying unprotected on your hard drive is to import it into the MS Certificate Store and use the --cryptoapicert option to load it. Remember that the service is running as "Local System" (by default), so you must import the key/cert into the System account, not your user account. (There is work in progress to allow OpenVPN to access user account keys/certs as well.) To load a key/cert into the System account's CertStore you must use the Certificates MMC snap-in, not Internet Explorer.

    Hope this helps!

    The only option left after this will be to create a "RunAs" shortcut that saves the administrator password on the local machine. The steps for this are:
    1. Create a normal Short-Cut to openvpn-gui.exe (c:\program files\openvpn\bin\openvpn-gui.exe) on the desktop.
    2. Right-click the short-cut and select Properties.
    3. In the Target box, insert the following before the path to openvpn-gui.exe: "runas /savecred /user:administrator ".
    4. Double-click the new short-cut, and enter the administrator password.


    Author Comment


    I've read about importing the key into the MS Certificate Store, however I'm unsure what to do next. What is this '--cryptoapicert' option and how do I use it? If OpenVPN will reference this saved key, then I think all will be working.

    I'm really not wanting to use a RunAs shortcut as it would mean users have admin rights to other applications should they figure it out, which they will.

    Thanks for your help, it's much appreciated.

    Assisted Solution

    Hi, sorry for the delay; I was trying to replicate your configuration to see what works out best.

    Well here I have found the solution.

    Please add an additional parameter to your .ovpn file:
    askpass "pass"
    where pass is the name of password file residing in the config directory, and contains password on the first line in plaintext.

    Hope this helps!


    Assisted Solution

    In case you don't wish to use the above method you can use the following method using cryptoapicert. For this you need to have a copy of root certificate in .pem format.

    1. Copy the Root Cert in config directory, lets say its called cacert.pem
    2. Import the User Private Key into Windows by using the following commands:
    - Start MMC as Computer Administrator
    - Choose Add/Remove Snap-in
    - Select Certificates
    - Click on Add
    - Choose Computer Account When Prompted
    - Expand Certificates (Local Computer) -> Personal -> Certificates
    - Right-Click on right side pane
    - Click All Tasks -> Import
    - Choose the Personal Information Exchange Type
    - Type password for Private Key
    - Click Next
    - Click Next
    - Click Finish
    - You will get message "The Import was successful"
    3. Extract Certificate Thumbprint Information
    - Double Click on the newly imported Private Key
    - Click on Details Tab
    - Scroll down to the Thumbprint field and copy the value after selecting the field
    4. Open the client .ovpn file
    5. Make following changes to the .ovpn file
    - Comment out pkcs12 ozJP.p12 by placing a # at the beginning
    - Add ca "cacert.pem"
    - Add cryptoapicert "THUMB:3e 9b .. paste thumbprint value here"
    6. Save and run

    Hope this helps!
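
The six steps above as one script, added here as an illustration; it is not code from the thread or from OpenVPN. It assumes the install path C:\Program Files\OpenVPN\config and a client file named client.ovpn (neither is given on the page) and is run once, elevated, on the PC that owns the .p12. It goes one step beyond the answer: because a PKCS#12 file often carries the issuer chain alongside the user certificate, it writes any CA certificates found in the .p12 out as cacert.pem, so the .pem need not be requested from the server operator when the bundle already contains it.

```powershell
# Added example, not from the original thread: do the cryptoapicert
# conversion from the answer above in one go. The private key lands in
# the Local Computer store, non-exportable, usable by SYSTEM (the account
# the service runs as); the .ovpn is rewritten to load it by thumbprint.
# Assumptions not on the page: the paths below and the .ovpn filename.

$ConfigDir = 'C:\Program Files\OpenVPN\config'
$P12File   = Join-Path $ConfigDir 'ozJP.p12'
$OvpnFile  = Join-Path $ConfigDir 'client.ovpn'     # assumed name
$CaFile    = Join-Path $ConfigDir 'cacert.pem'

$secure = Read-Host -AsSecureString "Password for $P12File"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $pass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 1. Load everything in the PKCS#12 (user cert + any CA certs it carries).
#    MachineKeySet: the key goes into the machine key container, where
#    LocalSystem can use it. No Exportable flag: it cannot be pulled back
#    out of the store as a .pfx afterwards.
$flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$bag = New-Object Security.Cryptography.X509Certificates.X509Certificate2Collection
$bag.Import($P12File, $pass, $flags)
$pass = $null

$leaf = @($bag | Where-Object { $_.HasPrivateKey })
if ($leaf.Count -ne 1) { throw "Expected one certificate with a private key in $P12File, found $($leaf.Count)" }
$leaf = $leaf[0]

# 2. Local Computer -> Personal, which is what the MMC steps above do.
$store = New-Object Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($leaf)
$store.Close()

# 3. OpenVPN insists on --ca once the pkcs12 line is gone. Write the chain
#    from the .p12 as PEM if there is one; otherwise cacert.pem must already
#    have been obtained from the server operator.
$cas = @($bag | Where-Object { -not $_.HasPrivateKey })
if ($cas.Count -gt 0) {
    $pem = foreach ($c in $cas) {
        '-----BEGIN CERTIFICATE-----'
        $b64 = [Convert]::ToBase64String($c.RawData)
        for ($i = 0; $i -lt $b64.Length; $i += 64) {
            $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
        }
        '-----END CERTIFICATE-----'
    }
    Set-Content -Path $CaFile -Value $pem -Encoding Ascii
} elseif (-not (Test-Path $CaFile)) {
    throw "$P12File contains no CA certificate and $CaFile is missing"
}

# 4. Thumbprint in the "THUMB:xx xx xx ..." form cryptoapicert expects.
$thumb = ($leaf.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()

# 5. Rewrite the .ovpn: comment out pkcs12, drop any stale ca/cryptoapicert
#    lines, append the new ones.
$kept = @(Get-Content $OvpnFile | ForEach-Object {
    if ($_ -match '^\s*pkcs12\s')                 { "#$_" }
    elseif ($_ -match '^\s*(ca|cryptoapicert)\s') { }      # replaced below
    else                                          { $_ }
})
$kept += "ca `"cacert.pem`""
$kept += "cryptoapicert `"THUMB:$thumb`""
Set-Content -Path $OvpnFile -Value $kept -Encoding Ascii
Write-Host "Imported $($leaf.Subject) as $($leaf.Thumbprint); $OvpnFile updated"
```

Once a connection has succeeded, delete ozJP.p12 from the config folder: the point of the exercise is that the key no longer sits on disk as a file that anyone with read access to the folder can copy. A user who can still write the config file can point the tunnel elsewhere, but cannot extract the key from the store.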



    Author Comment


    Unfortunately, those don't work either :( Using askpass and a text file then returns an error that:

    Options error: You must define CA file (--ca) or CA path (--capath)

    if I comment out the pkcs12 line, or:

    Sorry, 'Private Key' password cannot be read from a file

    if I don't. I've double-checked the filename and contents and found a few articles on the net which indicate I'm doing it the right way. So I think it's something at the server end which is not allowing this to happen.

    I've contacted the other company involved to obtain the .pem file; hopefully that will get around it. Otherwise, I'll just have to convince them to allow a site-to-site VPN through our firewall, not individual client connections.

    Thanks again for all your help.

    Author Closing Comment

    In all scenarios except this particular one, where a password is required and no access to the .pem or server config is possible, this would have resolved the problem (and has in another testing scenario). Thank you for your detailed answers and suggestions.
