- IPsec Versus OpenVPN
- Requirements for the OpenVPN Solution
- Setting Up the Public Key Infrastructure (PKI)
- Setting Up the VPN Server
- Configuring OpenVPN
- Configuring a Sample Client
- Connecting to the Server
- Configuring the Routing
- Working with Unprivileged Users
- Advantages and Disadvantages of This Solution
Working with Unprivileged Users
This article assumes that you're installing the client as an administrator. Running OpenVPN with unprivileged users takes some additional effort. The main obstacle is that opening the tunnel requires administrator privileges. Fortunately, with a few permission changes it's possible to trigger the OpenVPN service to open the tunnel.
Microsoft has published a tool called SubInACL in the Windows 2000 Resource Kit; this tool transfers security information between users. The logged-in administrator's service privileges are copied to the user (bob, in this case) who will be allowed to control the OpenVPN service:
subinacl /SERVICE "OpenVPNService" /GRANT=bob=TO
In non-privileged user mode the OpenVPN GUI must start the service rather than launching the OpenVPN executable directly. The following values must be inserted into the Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_service=1
HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\service_only=1
HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_edit=0
HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_password=0
Another important issue is that the service can't handle password-protected keys; the key has to be stored in the Microsoft certificate store and the configuration file has to be changed accordingly. The certificate store requires a PKCS12 file, which must be generated with an OpenSSL command and imported into the local machine's certificate store. It's very important to use the local machine's store, as this is the only location that the service can access. To manage the local machine's certificate store, use the Certificates snap-in of the Microsoft Management Console (MMC).
To generate the key, use the following OpenSSL command:
openssl pkcs12 -export -in bob.crt -inkey bob.key -out bob.p12
In the configuration file, the cert and key directives have to be replaced with the following line:
cryptoapicert "THUMB:<copy your thumbprint here>"
The thumbprint is a unique identifier for the certificate and can be found on the Details tab when the certificate is opened in the MMC.
After this configuration, the user bob can use the OpenVPN GUI.
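The Windows-side steps above (service permission, registry values, import into the local machine store, thumbprint lookup) as one elevated PowerShell script. This is an added example, not code from the original article; it assumes bob.p12 was already produced with the openssl command above, that the service is named OpenVPNService, that OpenVPN GUI reads its settings as string values under HKLM\SOFTWARE\OpenVPN-GUI, and that the PKI module (Import-PfxCertificate, Windows 8/Server 2012 or later) is available.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# Assumptions: service name, registry value type (string) and the .p12 path are
# assumptions, not values taken from the article.
#Requires -RunAsAdministrator
param(
    [string]$User    = 'bob',
    [string]$PfxPath = 'C:\Program Files\OpenVPN\config\bob.p12',  # assumed path
    [string]$Service = 'OpenVPNService'
)
$ErrorActionPreference = 'Stop'

# 1. Let the user start (T) and stop (O) the service, as the article does with SubInACL.
& subinacl.exe /SERVICE $Service "/GRANT=$User=TO"
if ($LASTEXITCODE -ne 0) { throw "subinacl failed with exit code $LASTEXITCODE" }
# Check: the service DACL (SDDL form) should now contain an ACE for the user and nothing more.
sc.exe sdshow $Service

# 2. Put the GUI into service-only mode so the user can neither edit configs nor
#    be prompted for key passwords.
$guiKey = 'HKLM:\SOFTWARE\OpenVPN-GUI'
if (-not (Test-Path $guiKey)) { New-Item -Path $guiKey -Force | Out-Null }
$settings = @{ allow_service = '1'; service_only = '1'; allow_edit = '0'; allow_password = '0' }
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $guiKey -Name $name -Value $settings[$name] -Type String
}

# 3. Import the PKCS#12 bundle into the *local machine* personal store; the service
#    account cannot see per-user stores. The export password only protects the file
#    in transit; the imported key itself is not password-protected.
$pfxPassword = Read-Host -Prompt 'PKCS#12 export password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword
if (-not $cert.HasPrivateKey) {
    throw 'Imported certificate has no private key; re-export the .p12 with -inkey'
}

# 4. Emit the config line so the thumbprint need not be copied by hand from the MMC.
"cryptoapicert ""THUMB:$($cert.Thumbprint)"""
```

Paste the printed line into the client configuration in place of the cert and key directives, then confirm from a non-elevated logon as the user that the GUI's Connect entry starts the service.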