On Mon, Aug 22, 2016 at 8:55 PM, debbie10t <debbie...@gmail.com> wrote:

> I need to use --up/--down/--client-connect/disconnect et al ..
> How does one run openvpn on *windows* without these "considered"
> security flaws ? or are we all just "lambs to the slaughter"
> from here on in ?

I wouldn't call it a security flaw. It's just that using interactive service
is more secure as openvpn and all scripts it calls run with limited
privileges. It has its limitations but may meet the needs of the vast majority
of installations. So, going forward, using interactive service would be
the recommended way.

But, some users do need to run scripts as admin and the only option is to
go ahead and run openvpn as admin -- either through the automatic service,
or directly from command line or whatever way is convenient. We should just
call that advanced usage, less secure and should be used only if absolutely

Interestingly, running scripts as user has advantages in some use cases --
often scripts just do things like mapping a drive, which has to be done as
user and not as admin for it to work on modern versions of Windows. This is
the case with most client installations I have. Interactive service made it
easier/automatic to run scripts as the logged in user and not as admin.

If there are widely used tasks requiring admin privilege, we could add
support for that to the interactive service. Reducing the need for running
scripts as admin would be a good goal. This has to be done carefully
though, to keep the service code running as admin to a minimum.

Openvpn-devel mailing list
