I am developing an eduVPN client for Windows. Imagine the eduVPN client as a
custom OpenVPN GUI. The client uses openvpn.exe for connecting; the
configuration file is provided by the eduVPN server once the user
authenticates using OAuth. The user running the eduVPN client is not an
administrator. Elevation is out of the question.


I would like to use the Interactive Service to start openvpn.exe, but I have
some problems:


1. The configuration file is dynamically downloaded by the eduVPN
client and stored somewhere the user can write (the user's temporary folder,
for example). But the Interactive Service was specifically programmed to allow
configurations from the "C:\Program Files\OpenVPN\config" folder only. But the
user running the eduVPN client can't write to this folder.

2. The Interactive Service can launch openvpn.exe using any configuration
file if the user is a member of the "OpenVPN Administrators" group. Then, I
would need to add all users of the computer to that group, again requiring


Is there any specific reason why the Interactive Service is so paranoid,
knowing that it launches openvpn.exe and all external scripts as the
interactive user anyway?


I have a work-around for this paradox up my sleeve: the eduVPN setup shall
create an "eduVPN" subfolder in the "C:\Program Files\OpenVPN\config"
folder, and grant all users desirable permissions*: a sort of public spool


But that would open the OpenVPN Interactive Service to any user and
application. This is why we would like your opinion first.


Best regards,

Simon Rozman

Amebis, d. o. o., Kamnik


* By desirable permissions I mean: SYSTEM/Administrators = full access,
Users = create new files, CREATOR OWNER = R/W.


Openvpn-devel mailing list
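
The ACL described in the message's footnote, written out as an added example; it is not part of the original message and is not code from the OpenVPN or eduVPN installers. It assumes an elevated setup context, the "eduVPN" subfolder path named in the message, and a mapping of "create new files" to the `WD` right and "R/W" to `(R,W)`.

```powershell
# Assumed location: the "eduVPN" subfolder proposed in the message.
$spool = 'C:\Program Files\OpenVPN\config\eduVPN'
New-Item -ItemType Directory -Path $spool -Force | Out-Null

# Well-known SIDs are used instead of names so the ACL is locale-independent:
#   S-1-5-18     = SYSTEM
#   S-1-5-32-544 = BUILTIN\Administrators
#   S-1-5-32-545 = BUILTIN\Users
#   S-1-3-0      = CREATOR OWNER
# /inheritance:r drops the ACEs inherited from the parent config folder,
# so only the four entries below apply to the spool.
icacls $spool /inheritance:r `
    /grant:r '*S-1-5-18:(OI)(CI)F' `
    /grant:r '*S-1-5-32-544:(OI)(CI)F' `
    /grant:r '*S-1-5-32-545:(WD)' `
    /grant:r '*S-1-3-0:(OI)(IO)(R,W)'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Print the resulting ACL so the installer log records what was applied.
icacls $spool
```

Users get only the right to add files on the folder itself (no listing, no delete), and each file inherits a read/write entry for whoever created it. Any local account in Users can then place a configuration where the Interactive Service accepts it, which is the exposure the message asks about.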