All times are UTC
Post subject: Best solution for OpenVPN client running as limited user
PostPosted: 12.10.2009 05:05
DES

Joined: 12.10.2009 04:52
Posts: 3
I've seen a few options for running the OpenVPN client (OpenVPN GUI, to be specific) on limited user accounts.

  • Using a runas shortcut with the /savecred switch. Not too appealing to me; it's very easy to get full access to the system by editing the config and then accessing files through the file open dialog of Notepad.
  • Running OpenVPN as a service. Could be great, but the client can't hand off passwords to the service, as I understand it.
  • Adding the user to the Network Configuration Operators group. Works, but unfortunately it allows the user, and malware, to make critical network changes like DNS hijacking, etc.

What specific right does the user need? The right to specify gateways, change routes, etc.? Is there a reduced version of the third option that can be done using the Group Policy editor, giving them the rights they need but without too much control?

I'm curious how others have dealt with this issue.

Post subject: Re: Best solution for OpenVPN client running as limited user
PostPosted: 12.10.2009 10:01
openvpn.eu Admin

Joined: 23.01.2006 08:05
Posts: 3321
Location: near Vienna
Hello

With version 2.1 you should be able to open the TAP device as a non-admin user. Adding routes requires additional privileges, as you already noticed. Be aware that you must install the TAP device as admin on each computer you want to run OpenVPN on.

_________________
regards,
note
Please take a look at our rules. Have a look at our wiki!

Post subject: Re: Best solution for OpenVPN client running as limited user
PostPosted: 12.10.2009 10:22
DES

Joined: 12.10.2009 04:52
Posts: 3
note wrote:
Hello

With version 2.1 you should be able to open the TAP device as a non-admin user. Adding routes requires additional privileges, as you already noticed. Be aware that you must install the TAP device as admin on each computer you want to run OpenVPN on.


But isn't there always going to be an additional route created when establishing the connection? For example, my OpenVPN connection connects me to the office LAN at 10.22.44.x, so doesn't that require creating a route for IPs matching this pattern?

Post subject: Re: Best solution for OpenVPN client running as limited user
PostPosted: 12.10.2009 12:59
openvpn.eu Admin

Joined: 23.01.2006 08:05
Posts: 3321
Location: near Vienna
Yes, the OpenVPN application will add/delete routes, so the user who executes it must have the permissions to alter the system's routing table.

Post subject: Re: Best solution for OpenVPN client running as limited user
PostPosted: 12.10.2009 16:50
DES

Joined: 12.10.2009 04:52
Posts: 3
note wrote:
Yes, the OpenVPN application will add/delete routes, so the user who executes it must have the permissions to alter the system's routing table.


I'm a bit confused: what's the advantage of being able to access the TAP driver if you can't use it?

I wonder if a new policy could be added to allow for this? I added NC_Repair and now the LUA users can do connection repair. Here are the NC_ policies I've found so far; I'm not sure which would allow for creating routes:

NC_AddRemoveComponents
NC_AdvancedSettings
NC_AllowAdvancedTCPIPConfig
NC_ChangeBindState
NC_DeleteAllUserConnection
NC_DeleteConnection
NC_DialupPrefs
NC_IPConfigOperation
NC_IpStateChecking
NC_LanChangeProperties
NC_LanConnect
NC_LanProperties
NC_NewConnectionWizard
NC_RasAllUserProperties
NC_RasChangeProperties
NC_RasConnect
NC_RasMyProperties
NC_RenameConnection
NC_RenameMyRasConnection
NC_Repair
NC_Statistics

Post subject: Re: Best solution for OpenVPN client running as limited user
PostPosted: 12.10.2009 18:53
AES 256 bit

Joined: 08.02.2007 21:52
Posts: 276
Location: Wien
Quote:
I'm a bit confused: what's the advantage of being able to access the TAP driver if you can't use it?


You might want to let users just control the status of the network adapter without giving them full access to the network configuration.

Quote:
I wonder if a new policy could be added to allow for this? I added NC_Repair and now the LUA users can do connection repair. Here are the NC_ policies I've found so far; I'm not sure which would allow for creating routes:


As far as I understand, NC_* registry keys are used to control just the GUI elements of the network configuration, so programmatic access to the network configuration is not controlled by setting registry keys.

AFAIK, access to the routing table can be limited exclusively by placing the user in the correct group:
http://msdn.microsoft.com/en-us/library/aa365860(VS.85).aspx

By using the OpenVPN service and OpenVPN's management interface, it's possible to hand passwords and/or PKCS#11 information to the OpenVPN service from an unprivileged GUI application. (An example of an alternative GUI: http://sourceforge.net/projects/openvpnmngr/)
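The hand-off described above, as an added example that is not part of this thread or of the OpenVPN project: the credential-prompt half of an unprivileged GUI talking to a service-run OpenVPN over its management interface. It turns the interface's real-time `>HOLD:` and `>PASSWORD:` notifications into the `hold release`, `username` and `password` commands that answer them; the notification lines and credentials are constructed, and no socket is opened, so it runs offline.

```python
"""Responder for OpenVPN management-interface password notifications.

The OpenVPN process runs as a service with the routing privileges;
the GUI only needs a TCP connection to the management port to feed it
credentials.  Everything below operates on constructed lines."""
import re

# e.g.  >PASSWORD:Need 'Auth' username/password
#       >PASSWORD:Need 'Private Key' password
NEED_RE = re.compile(r"^>PASSWORD:Need '([^']+)' (username/password|password)$")
FAILED_RE = re.compile(r"^>PASSWORD:Verification Failed: '([^']+)'")


def quote(value: str) -> str:
    """Quote a credential for the management command parser, which is
    quote-aware and takes backslash as the escape for '\\' and '"'."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def respond(line: str, creds: dict) -> list:
    """Return the commands to send in reply to one notification line.

    creds maps a credential type ('Auth', 'Private Key', ...) to a
    (username, password) tuple; username is None for password-only types.
    An empty list means the line needs no reply (>STATE:, >LOG:, ...)."""
    line = line.rstrip("\r\n")
    if line.startswith(">HOLD:"):
        # Started with --management-hold: let the service proceed.
        return ["hold release"]
    m = NEED_RE.match(line)
    if m:
        kind, what = m.groups()
        if kind not in creds:
            raise KeyError(f"no credential configured for {kind!r}")
        user, password = creds[kind]
        cmds = []
        if what == "username/password":
            cmds.append(f"username {quote(kind)} {quote(user)}")
        cmds.append(f"password {quote(kind)} {quote(password)}")
        return cmds
    m = FAILED_RE.match(line)
    if m:
        # Rejected credentials: re-prompt the user instead of retrying.
        raise PermissionError(f"verification failed for {m.group(1)!r}")
    return []


# Constructed sample credentials and notifications (not a real capture).
SAMPLE_CREDS = {"Auth": ("alice", 'p"ss\\word'), "Private Key": (None, "keypass")}
SAMPLE_LINES = [">HOLD:Waiting for hold release:0",
                ">PASSWORD:Need 'Auth' username/password",
                ">PASSWORD:Need 'Private Key' password"]
```

In a real GUI the same `respond()` loop runs over lines read from the management socket, writing each returned command back followed by a newline.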