VPN Auto-Connection using a standard user in Win7

[Hypothermia]

Hey folks

I work for a hospital and we're currently planning to upgrade about 20 of our laptops used for EMR purposes to Windows 7 x64 Enterprise Edition from Windows XP Professional. I took one of the spare laptops aside to do some testing, making sure all the software would translate well to Windows 7 and ran into a snag with OpenVPN.

Everyone using these laptops has 'Standard' user accounts (no admin rights), so we can limit their access to everything but the essentials. We use OpenVPN as a secure method for our staff to access the medical (ePHI) network, and I'm having a considerable amount of trouble getting the VPN to auto-connect and be manageable via the user.

Preferably I'd like the Open VPN GUI to auto-start for the user at login and connect to the VPN seamlessly Having the GUI running is important because I prefer to give my users a visual representation showing their secure connection into the system is running.

The only viable option for having OpenVPN auto connect I've found is to set the OpenVPN service to automatic and have it run by default. Unfortunately that means if they lose connection, put the laptop to sleep or say go from work to their home with the device? A reboot is required by them to restart the VPN.

The other option I've been toying with is a login script using the runas command, but it fails to push the routes to the client side because they don't have rights to add routes.

The command I use is as follows:

c:\windows\system32\runas.exe /savecred /user:shop "c:\Program Files (x86)\OpenVPN\Bin\openvpn-gui-1.0.3.exe --connect client.ovpn --silent_connection 1 --show_balloon 0"

This does successfully start the OpenVPN GUI at login, however as I said, then it fails to push the routes.

I've also tried just using the --service_only switch and allowing them to just start and stop the service. But, again they don't have rights to start and stop the service.... so I appear to be stuck.

Does anyone have any advice / help to offer in getting this to auto-connect under a non-admin account in Windows 7 (And successfully push the routes)? Any assistance would be appreciated.

Cheers
-H.

[janjust]

in order to add routes to a Windows XP/Vista/7 system the user needs at least 'Network Administrator' privileges - there's little OpenVPN can do about that . You could try adding users to this group only, instead of full 'administrator' privileges, or you could use your 'runas' trick to switch to a user which has the right privileges. I'd make sure to test the case where the connection is broken and re-established, however.

HTH,

JJK

[Hypothermia]

in order to add routes to a Windows XP/Vista/7 system the user needs at least 'Network Administrator' privileges - there's little OpenVPN can do about that . You could try adding users to this group only, instead of full 'administrator' privileges, or you could use your 'runas' trick to switch to a user which has the right privileges. I'd make sure to test the case where the connection is broken and re-established, however.

HTH,

JJK

JJK,

Thanks very much for the tip, I was able to use it to wrangle Windows 7 into doing essentially what I wanted with a lil creativity. I took the user accounts in question that where Standard Users and added them to the 'Network Configuration Operators' group which grants them access to the Route command as well as other networking functions in Windows.

After doing that I drew on another article I'd found online to create Scheduled Tasks in Windows 7 for the actual individual user (that's important or they won't work).

http://www.howtogeek.com/howto/windows- ... ows-vista/

Then I created a shortcut that has scheduled tasks run the named task, and dropped that into the users startup menu. Now? The user can see a visual representation in Windows 7 of their connection, and they can connect / disconnect readily.

Their are a couple of small 'gotchas' however, but I'm able to live with them. First having to add the user to the 'Network Configuration Operators' group, was less than ideal, but it's better than having to make them an administrator.

Second if the user switches from one internet connection to another (IE goes home from work w/ their laptop) and doesn't reset the LT? It still reads the VPN as active even if they'd lost their internet connection. If they simply lose connectivity and regain it on the same wireless network? This is a non-issue as the OpenVPN picks up where it left off. But, the 'connect' and 'disconnect' features in the OpenVPN GUI work flawlessly, so it's just a matter of a little user education to remedy that.

Thank you very much for the assistance your tip helped me vastly in solving this.

EDIT: I suppose I wasn't thinking too clearly, but if anyone out there wants an actual in-depth (step by step) how to on what I've done here I'll write one up. I'm writing one up for myself now because I'm going to have to replicate this procedure on about 25 Laptops in the near-future.