Non-Admin usage of OpenVPN on Windows
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jun 02, 2011 8:00 am
Non-Admin usage of OpenVPN on Windows
Hi community, I know the OpenVPN client on Windows requires Administrator rights to work properly. This is just because OpenVPN needs to add and remove route entries (these operations require Admin privilege) on the local system.
This restriction (of Administrator rights to use OpenVPN) can be removed with the help of a Windows service. This Windows service would run all the time on behalf of a user having Admin rights. Route add and delete calls that require Admin rights could be moved to this Windows service so that OpenVPN works even for restricted users. OpenVPN and this Windows service could communicate through some IPC mechanism like pipes etc.
I was recently studying OpenVPN and these facts came around me and thought what I need could already be available in some form. (Yes, I need to make the OpenVPN client work even for a restricted user.)
My query is - Is there already such a solution available or developed by any of the community members for OpenVPN?
If yes, I would love to reuse the code. And-
If no, I will create such a Windows service and would love to contribute it to the OpenVPN community source.
Regards
beckman16
~beckman16
- dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Re: Non-Admin usage of OpenVPN on Windows
I believe there is some work going on to do this in the new OpenVPN GUI. You'll find the project here:
http://sourceforge.net/projects/openvpn-gui/
This is a separate project from the OpenVPN Community project, but we have a good connection with the developer there. I believe he would appreciate getting some help too. This new updated GUI is planned for the OpenVPN 2.3 release as well.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jun 02, 2011 8:00 am
Re: Non-Admin usage of OpenVPN on Windows
Thanks dazo, I sent a message to the OpenVPN-GUI admin at sourceforge with my queries.
The current source of OpenVPN-GUI does not seem to have such Windows service code; I hope that's in some other branch or alpha phase.
~beckman16
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Jun 14, 2011 11:07 pm
Re: Non-Admin usage of OpenVPN on Windows
What might be even more useful (note restrained sarcasm) would be an OpenVPN GUI that didn't pop up a pretty little balloon telling me the VPN connection had been made OK and turn the icon green when in fact the setting up of routes had failed for the above reason and so I effectively wasn't on the VPN.
What's a guy supposed to do about this? Visit a "what is my IP address" honeypot every time I go on the VPN just to make sure that everybody knows I'm using one? If I can't trust the OpenVPN system then what exactly is the point? I suppose the point is that you can't get your money back for something that's free.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Jun 02, 2011 8:00 am
Re: Non-Admin usage of OpenVPN on Windows
@gtrfjyufngtrv, while it is true that OpenVPN GUI has some bugs such as you mentioned, remember that no one is charging us for using OpenVPN. These guys have invested their valuable time and your comment sounds like they did this for nothing. The least they would expect is a sense of respect for themselves from users for making it available free of charge. I hope you understand my viewpoint and take it in a positive sense.
~beckman16
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jul 19, 2011 1:40 pm
Re: Non-Admin usage of OpenVPN on Windows
I have some experience with another VPN client, which is from Sonicwall. It adds routes on the client to the VPN network without requiring the Windows user to have administrative privileges. I'm not entirely sure, but I suspect it sets the route using DHCP option 33 or 249.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Jul 19, 2011 1:40 pm
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Jan 04, 2012 9:34 am
- Location: Ada, Michigan
Re: Non-Admin usage of OpenVPN on Windows
Hey Jeff,
Thanks for sharing this solution, it has solved the VPN issue that I am facing on my Windows.
Dominic
- dazo
- OpenVPN Inc.
- Posts: 155
- Joined: Mon Jan 11, 2010 10:14 am
- Location: dazo :: #openvpn-devel @ libera.chat
Re: Non-Admin usage of OpenVPN on Windows
gtrfjyufngtrv wrote: What's a guy supposed to do about this? Visit a "what is my IP address" honeypot every time I go on the VPN just to make sure that everybody knows I'm using one? If I can't trust the OpenVPN system then what exactly is the point? I suppose the point is that you can't get your money back for something that's free.
Instead of just ranting, you can file a proper bug report in the proper place, and then things can get fixed - unless you're capable of fixing it yourself. The proper place to file such a report in the GUI is here:
http://sourceforge.net/tracker/?group_i ... id=1327094
And you might even want to pay attention to the openvpn-devel mailing list as well, where the GUI has been discussed too.
http://thread.gmane.org/gmane.network.openvpn.devel
(sign-up is here, if you want to be more involved: http://sourceforge.net/projects/openvpn/support)
And there are big changes on the way in the GUI. You might also find some interest in this wiki page:
https://community.openvpn.net/openvpn/w ... Separation
So again, instead of just ranting - try rather to spend your energy getting involved, and you'll see that you get much more back in the end.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Jun 13, 2012 9:02 am
Re: Non-Admin usage of OpenVPN on Windows
Any news about this fix? I am using OpenVPN in a Windows Active Directory environment, and it's very crucial to me to make this work without admin rights.
Any workaround? I tried to make a different user with admin rights and set the OpenVPN service to work with this user, but apparently it does not work as expected.
I am open to any suggestions.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Oct 11, 2013 3:07 pm
Re: Non-Admin usage of OpenVPN on Windows
version 2.0
Give authenticated users modify permission to the c:\program files\openvpn\log folder.
Connect with OpenVPN and check the event log Application and Services Logs\Microsoft\Windows\Network Profile\Operational; look for Event 4003, right-click on it and choose Attach Task To This Event.
Give it a name, start a program, program: wscript.exe, add arguments c:\pathofthescript\openvpn_route.vbs, AND Run with highest privileges.
openvpn_route.vbs (change logfile and openvpnadaptername):
Code:
' Run by the scheduled task: if the OpenVPN adapter is connected,
' re-run the route commands that OpenVPN wrote to its log file.
On Error Resume Next
Dim objFSO, strLine, objReadFile, A
logfile = "C:\Program Files\OPENVPN\Log\yourlogfilename.log"
OpenVPNAdapterName = "OPENVPN"
A = ""
Set WSHShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShare = WScript.CreateObject("HNetCfg.HNetShare.1")
Set objEveryColl = objShare.EnumEveryConnection

' Walk every network connection and look for the OpenVPN adapter.
If (IsObject(objEveryColl) = True) Then
    For Each objNetConn In objEveryColl
        Set objShareCfg = objShare.INetSharingConfigurationForINetConnection(objNetConn)
        If (IsObject(objShareCfg) = True) Then
            Set objNCProps = objShare.NetConnectionProps(objNetConn)
            If (IsObject(objNCProps) = True) Then
                ' Status 2 means the connection is up (NCS_CONNECTED).
                If objNCProps.Name = OpenVPNAdapterName And objNCProps.Status = 2 Then
                    RouteADD
                End If
            End If
        End If
    Next
End If

' Read the log and run every line that contains a route.exe command.
Function RouteADD
    Set objReadFile = objFSO.OpenTextFile(logfile, 1, False)
    Do Until objReadFile.AtEndOfStream
        strLine = objReadFile.ReadLine
        If InStr(strLine, "C:\Windows\system32\route.exe") Then
            ' The command is taken from column 46 of the log line onwards
            ' (up to 90 characters); the offset depends on the log prefix.
            A = Mid(strLine, 46, 90)
            WSHShell.Run A
        End If
    Loop
    objReadFile.Close
End Function
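An added example, not part of the original post: the task above runs with highest privileges and executes text taken from a log folder that authenticated users can modify, so this variant accepts only lines of the form `route.exe ADD <dest> MASK <mask> <gateway>` with valid IPv4 values and an administrator-pinned gateway, and passes them to route.exe as an argument list instead of running the logged string. The log line layout, the function names, the sample lines and the gateway allowlist are assumptions for illustration.

```powershell
# Added example. Assumed log layout: a prefix, then the full route.exe command line.
$RoutePattern = 'C:\\Windows\\system32\\route\.exe\s+ADD\s+(\S+)\s+MASK\s+(\S+)\s+(\S+)\s*$'

function Test-IPv4 {
    param([string]$Text)
    $ip = $null
    # Require strict dotted-quad form; TryParse alone also accepts short forms such as "1".
    return ($Text -match '^\d{1,3}(\.\d{1,3}){3}$') -and
           [System.Net.IPAddress]::TryParse($Text, [ref]$ip)
}

function Get-ValidatedRoutes {
    param([string[]]$LogLines, [string[]]$AllowedGateways)
    foreach ($line in $LogLines) {
        # Anything other than exactly "ADD <dest> MASK <mask> <gw>" is ignored,
        # including lines with extra tokens after the gateway.
        if ($line -notmatch $RoutePattern) { continue }
        $dest, $mask, $gw = $Matches[1], $Matches[2], $Matches[3]
        if (-not ((Test-IPv4 $dest) -and (Test-IPv4 $mask) -and (Test-IPv4 $gw))) { continue }
        # Only gateways pinned by the administrator are accepted (hypothetical allowlist).
        if ($AllowedGateways -notcontains $gw) { continue }
        [pscustomobject]@{ Destination = $dest; Mask = $mask; Gateway = $gw }
    }
}

function Add-ValidatedRoute {
    param($Route, [switch]$Execute)
    # Arguments are passed as an array, so nothing from the log is interpreted as a command.
    $routeArgs = @('ADD', $Route.Destination, 'MASK', $Route.Mask, $Route.Gateway)
    if ($Execute) { & "$env:SystemRoot\System32\route.exe" @routeArgs }
    else { "would run: route.exe $($routeArgs -join ' ')" }
}

# Constructed sample log lines (not taken from a real log).
$sample = @(
    'Fri Oct 11 15:07:01 2013 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5',
    'Fri Oct 11 15:07:01 2013 C:\Windows\system32\route.exe ADD 10.9.0.0 MASK 255.255.255.0 10.8.0.5 EXTRA TOKENS',
    'Fri Oct 11 15:07:02 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 192.0.2.66',
    'Fri Oct 11 15:07:02 2013 C:\Windows\system32\route.exe DELETE 10.8.0.0'
)

# Dry run: only the first sample line passes validation.
Get-ValidatedRoutes -LogLines $sample -AllowedGateways '10.8.0.5' |
    ForEach-Object { Add-ValidatedRoute $_ }
```

With a real log, pass `Get-Content` output as `-LogLines` and add `-Execute` once the dry run shows only the expected routes.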
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Feb 04, 2014 6:39 pm
Re: Non-Admin usage of OpenVPN on Windows
So I just set this up on my domain work computer and it works great when attached to event ID 4003. The strange thing is I've tried to set it up on other domain computers with the same version of Windows 7 but they aren't displaying event ID 4003, only 4002 and 4001. I've tried this on 2 other computers so far and I am very confused. I'm using the same OpenVPN client as with my workstation. Does anyone have experience with OpenVPN GUI not logging event 4003?
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Feb 04, 2014 6:39 pm
Re: Non-Admin usage of OpenVPN on Windows
I figured it out. It had nothing to do with event ID 4003 or even using that script. All that was required for me to do is add the account to "Network Configuration Operators" on the local machine account and run the shortcut in compatibility for XP SP3.
- krzee
- Forum Team
- Posts: 728
- Joined: Fri Aug 29, 2008 5:42 pm
Re: Non-Admin usage of OpenVPN on Windows
non-admin usage is now available in 2.4, more info here:
https://github.com/OpenVPN/openvpn-gui/