Hi Simon,

Adding to what I wrote in my reply to your private email:

> I am developing an eduVPN client for Windows. Imagine the eduVPN client as
> a custom OpenVPN GUI. The client uses openvpn.exe for connecting, the
> configuration file is provided by eduVPN server once user authenticates
> using OAuth. User running the eduVPN client is not an administrator.
> Elevation is out of the question.
> I would like to use the Interactive Service to start openvpn.exe, but I
> have some problems:
> 1. The configuration file is dynamically downloaded by the eduVPN
> client and stored somewhere the user can write (the user's temporary folder,
> for example). But the Interactive Service was specifically programmed to allow
> configurations from the "C:\Program Files\OpenVPN\config" folder only, and the
> user running the eduVPN client can't write to this folder.
> 2. The Interactive Service can launch openvpn.exe using any
> configuration file if the user is a member of the "OpenVPN Administrators"
> group. Then I would need to add all users of the computer to that group,
> again requiring elevation.
> Is there any specific reason, why Interactive Service is so paranoid,
> knowing that it launches openvpn.exe and all external scripts as the
> interactive user anyway?

The service does privileged operations, so some admin has to bless a user to
allow certain options when launching openvpn.exe. In other words, options
allowed in user-editable configs are restricted unless the user is in a
designated group.

An admin installing openvpn can change this behaviour by customizing the
ovpn_admin_group and/or by adding users to that group.

> I have a work-around for this paradox in my sleeve: the eduVPN setup shall
> create an "eduVPN" subfolder in the "C:\Program Files\OpenVPN\config"
> folder, and grant all users desirable permissions*: a sort of public spool
> folder.

Setting up such a folder requires admin rights. If your installer has admin
rights, just add all users to the "OpenVPN Administrators" group or set the
registry key ovpn_admin_group to "Users".

> But that would open the OpenVPN Interactive Service to any user and
> application. This is why we would like your opinion first.

Yes, the service will then launch openvpn with arbitrary configs as any
user, but that is what you want, isn't it?


Openvpn-devel mailing list
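The two installer-side options the reply describes (bless specific accounts by putting them in the admin group, or point ovpn_admin_group at the built-in "Users" group), written out as an added PowerShell example. This is not code from the thread or from the OpenVPN project. It assumes the interactive service reads its settings from HKLM\SOFTWARE\OpenVPN with the values config_dir and ovpn_admin_group, that its service name is OpenVPNServiceInteractive, that the Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows 10 / Server 2016 or later), and that the script runs elevated, as an installer would. The membership test at the end is a simplification of the token-group check the service itself performs and is there only to show which of the two conditions a given config launch relies on.

```powershell
# Added example, not part of the openvpn-devel thread or the OpenVPN project.
# Assumed registry layout of the interactive service (default for the OpenVPN
# MSI installer): HKLM\SOFTWARE\OpenVPN with config_dir and ovpn_admin_group.
$ServiceKey        = 'HKLM:\SOFTWARE\OpenVPN'
$DefaultAdminGroup = 'OpenVPN Administrators'
$ServiceName       = 'OpenVPNServiceInteractive'   # assumed service name

function Get-OpenVpnServiceSettings {
    # Read the two values the service consults before launching a config:
    # config_dir (trusted config folder) and ovpn_admin_group (members of this
    # group may launch any config, with any options).
    $k = Get-ItemProperty -Path $ServiceKey
    $group = if ($k.ovpn_admin_group) { $k.ovpn_admin_group } else { $DefaultAdminGroup }
    [pscustomobject]@{ ConfigDir = $k.config_dir; AdminGroup = $group }
}

function Grant-OpenVpnArbitraryConfig {
    # Option 1 from the reply: bless individual accounts by adding them to the
    # admin group. Only those accounts can then use configs outside config_dir.
    param([Parameter(Mandatory)][string]$Member)
    $group = (Get-OpenVpnServiceSettings).AdminGroup
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $group -Description 'May launch any OpenVPN config via the interactive service' | Out-Null
    }
    Add-LocalGroupMember -Group $group -Member $Member -ErrorAction Stop
}

function Set-OpenVpnAdminGroup {
    # Option 2 from the reply: treat every member of an existing group (e.g. the
    # built-in "Users") as an OpenVPN administrator. This is the broad setting:
    # any local user can then have the service run openvpn.exe with an arbitrary
    # config and the privileged operations it implies. Use it only where that
    # is the intended behaviour, as in the eduVPN case described in the thread.
    param([Parameter(Mandatory)][string]$GroupName)
    Set-ItemProperty -Path $ServiceKey -Name 'ovpn_admin_group' -Value $GroupName -Type String
    # Assumption: the service reads its settings at start, so restart it.
    Restart-Service -Name $ServiceName -ErrorAction Stop
}

function Test-OpenVpnConfigAllowed {
    # Simplified version of the service's decision: a config is accepted if it
    # lives under config_dir, or if the requesting user is in the admin group.
    # The real service checks group membership against the process token
    # (nested groups included); this direct-membership check is an approximation.
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$UserName
    )
    $s = Get-OpenVpnServiceSettings
    $full = [IO.Path]::GetFullPath($ConfigPath)
    $inConfigDir = $s.ConfigDir -and
        $full.StartsWith([IO.Path]::GetFullPath($s.ConfigDir).TrimEnd('\') + '\',
                         [StringComparison]::OrdinalIgnoreCase)
    $inAdminGroup = $false
    if (Get-LocalGroup -Name $s.AdminGroup -ErrorAction SilentlyContinue) {
        $inAdminGroup = [bool](Get-LocalGroupMember -Group $s.AdminGroup |
            Where-Object { $_.Name -like "*\$UserName" -or $_.Name -eq $UserName })
    }
    [pscustomobject]@{
        Config       = $full
        InConfigDir  = [bool]$inConfigDir
        InAdminGroup = $inAdminGroup
        Allowed      = [bool]($inConfigDir -or $inAdminGroup)
    }
}

# Usage (elevated shell):
#   Grant-OpenVpnArbitraryConfig -Member 'alice'            # narrow: one account
#   Set-OpenVpnAdminGroup -GroupName 'Users'                # broad: every local user
#   Test-OpenVpnConfigAllowed -ConfigPath "$env:TEMP\eduvpn.ovpn" -UserName 'alice'
```

Before choosing option 2, run Test-OpenVpnConfigAllowed against a config in the user's temp folder for an ordinary account: with the default settings it reports InConfigDir = False and InAdminGroup = False, which is exactly the refusal described in the quoted message, and after the registry change the same call reports Allowed = True for every local user, which is the exposure the reply asks you to accept deliberately.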
