OpenVPN vs Win7

OpenVPN is a cool tool for quick and easy VPN connections that just work. At least it is easy as long as you don’t take administrative privileges away from the common user. To get the VPN working, routes have to be set up to get the traffic to its destination, and that requires administrative permissions. But do we want that? Do we really want to give the user the chance to mess with the system that much?

In my personal opinion, a user shouldn’t have more permissions than he needs. The fewer, the better. But how do we work around that issue without opening up too much?

The solution to our problem is more fine-grained permissions: we use lusrmgr.msc to add the specific VPN user to the Network Configuration Operators group, which enables the user to modify network settings like routing. The next thing we need to change is the “Run as administrator” checkbox in the compatibility settings of the OpenVPN GUI. That way, we need to enter a password every time OpenVPN GUI starts, but in exchange we get the permissions needed, as we are in the proper group to mess around with the network settings.
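The group change can also be scripted and audited instead of clicked through in lusrmgr.msc. The following is an added example, not part of the original post: `$UserName` and the two helper functions are assumptions, and the groups are resolved by their well-known SIDs so the script also works on localized Windows installs.

```powershell
# Added example. Run from an elevated PowerShell prompt (works with PowerShell 2.0 on Windows 7).
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName   # assumption: the local account used for the VPN, e.g. 'vpnuser'
)

# Resolve a built-in group's display name from its well-known SID,
# because the group names are translated on non-English systems.
function Get-BuiltinGroupName([string]$Sid) {
    $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    return $account.Split('\')[-1]      # strip the 'BUILTIN\' prefix
}

# List the member names of a local group through the WinNT ADSI provider.
function Get-LocalGroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$netOps = Get-BuiltinGroupName 'S-1-5-32-556'   # Network Configuration Operators
$admins = Get-BuiltinGroupName 'S-1-5-32-544'   # Administrators

# Least-privilege check: if the user is already a local admin,
# the narrower group does not restrict anything.
if ((Get-LocalGroupMemberNames $admins) -contains $UserName) {
    Write-Warning "$UserName is a member of '$admins'; remove that membership first."
}

# Add the user only if missing, so the script can be re-run safely.
if ((Get-LocalGroupMemberNames $netOps) -contains $UserName) {
    Write-Output "$UserName is already in '$netOps'."
} else {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$netOps,group"
    $group.Add("WinNT://$env:COMPUTERNAME/$UserName,user")
    Write-Output "Added $UserName to '$netOps'."
}

# Print the resulting membership so it can be reviewed.
Get-LocalGroupMemberNames $netOps
```

The new group membership only shows up in the user's token after the next logon.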

1 Response

  1. daniel says:

    Yep. That should work. In my case I used Steel RunAs (there was a free version somewhere) to allow OpenVPN GUI to be run as administrator.

    That was because in my case it was risky to let the users add routes. Of course an application running with full privileges is risky too.

    Also running OpenVPN as a service does not require Admin privileges, but in some cases it can be messy. I use it like that in some clients.

    http://www.steelsonic.com/steelrunas.htm
