OpenVPN is a cool tool for quick and easy VPN connections that just work. At least, it is easy as long as you don’t take administrative privileges away from the common user. To get the VPN working, routes have to be set up so the traffic reaches its destination, and that requires administrative permissions. But do we want that? Do we really want to give the user the chance to mess with the system that much?
In my personal opinion, a user shouldn’t have more permissions than he needs. The less, the better. But how do we work around that issue without opening up too much?
The solution to our problem is more fine-grained permissions: we use lusrmgr.msc to add the specific VPN user to the Network Configuration Operators group, which enables the user to modify network settings like routing. The next thing we need to change is the “Run as administrator” checkbox in the compatibility settings of the OpenVPN GUI. That way, we need to enter a password every time OpenVPN GUI starts, but in exchange we get the permissions needed, as we are in the proper group to mess around with the network settings.
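The group step can also be scripted and checked from an elevated PowerShell session. The script below is an added example, not part of the original post; it covers only the group membership, not the compatibility checkbox, and the account name passed as `$VpnUser` is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: put the VPN account into Network Configuration Operators
# and confirm that it holds no broader local rights.
param(
    [Parameter(Mandatory)]
    [string]$VpnUser            # placeholder, e.g. 'vpnuser'
)

# Built-in group names are localized, so the well-known SIDs are used.
$NetOpsSid = 'S-1-5-32-556'     # Network Configuration Operators
$AdminsSid = 'S-1-5-32-544'     # Administrators

$userSid = (Get-LocalUser -Name $VpnUser -ErrorAction Stop).SID.Value

function Test-LocalMembership {
    param([string]$GroupSid)
    # True when the VPN account is a direct member of the given local group.
    $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.SID.Value -eq $userSid })
}

# If the account is still a local administrator, the restricted group adds
# nothing: the broader membership has to go first.
if (Test-LocalMembership -GroupSid $AdminsSid) {
    Write-Warning "$VpnUser is a member of Administrators; remove that membership."
}

# Add the account only if it is not a member yet, so the script can be re-run.
if (-not (Test-LocalMembership -GroupSid $NetOpsSid)) {
    Add-LocalGroupMember -SID $NetOpsSid -Member $VpnUser
}

# List every local group the account is a direct member of, for review.
Get-LocalGroup | Where-Object { Test-LocalMembership -GroupSid $_.SID.Value } |
    Select-Object Name, SID
```

The new membership only shows up in the user's token after the next logon.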