Non-Admin usage of OpenVPN on Windows

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
beckman16
OpenVpn Newbie
Posts: 5
Joined: Thu Jun 02, 2011 8:00 am

Non-Admin usage of OpenVPN on Windows

Post by beckman16 » Thu Jun 02, 2011 9:16 am

Hi community, I know OpenVPN client on Windows require Administrator rights to work properly. This is just because OpenVPN needs to add and remove route entries(these operations require Admin privilege) on local system.

This restriction(of Administrator rights to use OpenVPN) can be removed with the help of Windows service. This Windows service would run all time on behalf of user having Admin rights. Route add and delete calls that require Admin rights could be moved to this Windows service so that OpenVPN works even for restricted users. OpenVPN and this Windows service could communicate through some IPC mechanism like pipes etc.

I was recently studying OpenVPN and these facts came around me and thought what I need could already be available in some form. (Yes, I need to make OpenVPN client work even for restricted user)

My query is - Is there already such a solution available or developed by any of the community members for OpenVPN?

If yes, I would love to reuse the code. And-
If no, I will create such Windows service and would love to contribute it to the OpenVPN community source.

Regards
beckman16
~beckman16

User avatar
dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: Non-Admin usage of OpenVPN on Windows

Post by dazo » Thu Jun 02, 2011 9:22 am

I believe there are some work going on to do this in the new OpenVPN GUI. You'll find the project here:
http://sourceforge.net/projects/openvpn-gui/

This is a separate project from the OpenVPN Community project, but we have good connection with the developer there. I believe he would appreciate to get some help too. This new updated GUI is planned for the the OpenVPN 2.3 release as well.

beckman16
OpenVpn Newbie
Posts: 5
Joined: Thu Jun 02, 2011 8:00 am

Re: Non-Admin usage of OpenVPN on Windows

Post by beckman16 » Thu Jun 02, 2011 10:28 am

Thanks dazo, I sent message to OpenVPN-GUI admin at sourceforge with my queries.
Current source of OpenVPN-GUI does not seems to have such Windows service code, hope thats in some other branch or alpha phase.
~beckman16

gtrfjyufngtrv
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 14, 2011 11:07 pm

Re: Non-Admin usage of OpenVPN on Windows

Post by gtrfjyufngtrv » Tue Jun 14, 2011 11:17 pm

What might be even more useful (note restrained sarcasm) would be an OpenVPN GUI that didn't pop up a pretty little balloon telling me the VPN connection had been made OK and turn the icon green when in fact the setting up of routes had failed for the above reason and so I effectively wasn't on the VPN.

What's a guy supposed to do about this? Visit a "what is my IP address" honeypot every time I go on the VPN just to make sure that everybody knows I'm using one? If I can't trust the OpenVPN system then what exactly is the point? I suppose the point is that you can't get your money back for something that's free.

beckman16
OpenVpn Newbie
Posts: 5
Joined: Thu Jun 02, 2011 8:00 am

Re: Non-Admin usage of OpenVPN on Windows

Post by beckman16 » Wed Jun 15, 2011 6:48 am

@gtrfjyufngtrv, while it is true that OpenvpnGUI have some bugs such as you mentioned but remember no one is charging us for using Openvpn. These guys have invested their valuable time and your comment sounds like they did this for nothing. The least they would expect is a sense of respect for themselves from users for making it available free of charge. I hope you understand my viewpoint and take it in positive sense.
~beckman16

Jeff
OpenVpn Newbie
Posts: 3
Joined: Tue Jul 19, 2011 1:40 pm

Re: Non-Admin usage of OpenVPN on Windows

Post by Jeff » Tue Jul 19, 2011 2:59 pm

I have some experience with another VPN client, which is from Sonicwall. It adds routes on the client to the VPN network without requiring the Windows user to have administrative privileges. I'm not entirely sure, but I suspect it sets the route using DHCP option 33 or 249.

Jeff
OpenVpn Newbie
Posts: 3
Joined: Tue Jul 19, 2011 1:40 pm

Re: Non-Admin usage of OpenVPN on Windows

Post by Jeff » Tue Jul 19, 2011 8:02 pm

I posted a very partial solution here.

topic8477.html

dominicmaltby
OpenVpn Newbie
Posts: 1
Joined: Wed Jan 04, 2012 9:34 am
Location: Ada, Michigan

Re: Non-Admin usage of OpenVPN on Windows

Post by dominicmaltby » Wed Jan 04, 2012 9:38 am

Jeff wrote:I posted a very partial solution here.

topic8477.html
Hey Jeff,

Thanks for sharing this solution, it has solved the VPN issue that I am facing on my Windows.

User avatar
dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: Non-Admin usage of OpenVPN on Windows

Post by dazo » Tue Mar 20, 2012 10:05 am

gtrfjyufngtrv wrote: What's a guy supposed to do about this? Visit a "what is my IP address" honeypot every time I go on the VPN just to make sure that everybody knows I'm using one? If I can't trust the OpenVPN system then what exactly is the point? I suppose the point is that you can't get your money back for something that's free.
Instead of just ranting. You can file a proper bug report in the proper place, and then things can get fixed - unless you're capable of fixing it yourself. The proper place to file such a report in the GUI is here:

http://sourceforge.net/tracker/?group_i ... id=1327094

And you might even want to pay attention to the openvpn-devel mailing list as well, where the GUI has been discussed too.

http://thread.gmane.org/gmane.network.openvpn.devel
(sign-up is here, if you want to be more involved: http://sourceforge.net/projects/openvpn/support)

And there are big changes on the way in the GUI. You might also find some interest in this wiki page:

https://community.openvpn.net/openvpn/w ... Separation

So again, instead of just ranting - try rather to spend your energy getting involved, and you'll see that you get much more back in the end.

endyrx
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 13, 2012 9:02 am

Re: Non-Admin usage of OpenVPN on Windows

Post by endyrx » Wed Jun 13, 2012 11:56 am

any news about this fix ?? I am using openvpn in Windows Active Directory environment, and it's very crucial to me to make this work without admin rights.
Any work around ?? I try to make a different user with admin rights and set the openvpn service to work with this user but apparently it nor work as expect.
I am open to any suggestions.

Cri
OpenVpn Newbie
Posts: 1
Joined: Fri Oct 11, 2013 3:07 pm

Re: Non-Admin usage of OpenVPN on Windows

Post by Cri » Fri Oct 11, 2013 10:27 pm

version 2.0 :)

Give authenticated users modify permission to c:\program files\openvpn\log folder.

Connect with openvpn and check eventlog Application and Services Logs\Microsoft\Windows\Network Profile\Operational look for Event 4003 right click on it and Attack Task To This Event.
Give it a name, start a program, program : wscript.exe, add arguments c:\pathofthescript\openvpn_route.vbs, AND Run with highest Privilegs.


openvpn_route.vbs ( change logfile and openvpnadaptername) :

Code: Select all

On error resume next
logfile = "C:\Program Files\OPENVPN\Log\yourlogfilename.log"
OpenVPNAdapterName = "OPENVPN" 
A=""

Set WSHShell = wscript.createObject("wscript.shell")
Dim objFSO, strLine, objReadFile,a 
Set objFSO = CreateObject("Scripting.FileSystemObject")
set objShare = Wscript.CreateObject("HNetCfg.HNetShare.1")
set objEveryColl = objShare.EnumEveryConnection
if (IsObject(objEveryColl) = TRUE) then
  for each objNetConn in objEveryColl
     set objShareCfg = objShare.INetSharingConfigurationForINetConnection(objNetConn)
    if (IsObject(objShareCfg) = TRUE) then
     set objNCProps = objShare.NetConnectionProps(objNetConn)
     if (IsObject(objNCProps) = TRUE) then
        if objNCProps.Name = OpenVPNAdapterName and objNCProps.Status = 2 then  
        RouteADD
	end if
      end if
        
     end if
  next
end if
    
Function RouteADD
Set objReadFile = objFSO.OpenTextFile(logfile, 1, False)
Do Until objReadFile.AtEndOfStream
strLine = objReadFile.ReadLine
if instr(strLine, "C:\Windows\system32\route.exe") Then
A = Mid(strLine,46,90)
WSHShell.Run A
End If
Loop
set objFSO = nothing
end function

jindra
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 04, 2014 6:39 pm

Re: Non-Admin usage of OpenVPN on Windows

Post by jindra » Tue Feb 04, 2014 6:41 pm

So I just set this on my domain work computer and works great when attached to event id 4003. The strange thing is I've tried to set it up on other domain computers with the same version of Windows 7 but they aren't displaying event ID 4003, only 4002 and 4001. I've tried this on 2 other computers so far and I am very confused. I'm using the same OpenVPN client as with my workstation. Anyone have experience OpenVPN GUI not logging event 4003?

jindra
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 04, 2014 6:39 pm

Re: Non-Admin usage of OpenVPN on Windows

Post by jindra » Tue Feb 04, 2014 9:21 pm

I figured it out. It had nothing to do with event ID 4003 or even using that script. All that was required for me to do is add the account to "Network Configuration Operators" on the local machine account and run the shortcut in compatibility for XP SP3.

User avatar
krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Non-Admin usage of OpenVPN on Windows

Post by krzee » Mon Dec 19, 2016 6:08 pm

non-admin usage is now available in 2.4, more info here:
https://github.com/OpenVPN/openvpn-gui/

Post Reply