Hi Selva,

Is there any specific reason, why Interactive Service is so paranoid, knowing 
that it launches openvpn.exe and all external scripts as the interactive user 

The service does privileged operations so some admin has to bless a user to 
allow certain options when launching openvpn.exe. In other words, options 
allowed in user editable configs are restricted unless the user is in a 
designated group.


I don't quite agree. OpenVPN needs elevation to set up connection because it 
runs in user space. IPsec VPN doesn't require elevation for the very same task 
since it runs in kernel space.


Therefore, elevation for OpenVPN is required for technical reasons, not 
security. Thus, an explicit blessing from the admin is an exaggeration.

 I have a work-around for this paradox in my sleeve: the eduVPN setup shall 
create an "eduVPN" subfolder in the "C:\Program Files\OpenVPN\config" folder, 
and grant all users desirable permissions*: a sort of public spool folder.

Setting up such a folder requires admin rights. If your installer has admin 
rights, just add all users to "OpenVPN Administrators" group or set the 
registry key ovpn_admin_group to "Users"


The installer will require admin rights of course. Here we agree installing 
software (VPN especially) needs an admin approval.


Thank you for your excellent advice. I haven't thought of that before. However, 
I will not follow it for the following reason…


eduVPN will not claim OpenVPN for all by itself. It will install it when 
missing, but will leave everything to its defaults. We would still like to 
leave the user an option to make use of OpenVPN for other purposes. Tweaking 
registry is not a step in this direction.

 But that would open the OpenVPN Interactive Service to any user and 
application. This is why we would like your opinion first.

Yes the service will then launch openvpn with arbitrary configs as any user, 
but that is what you want isn't it?


True, I want that indeed. I was just trying to find the official way of doing 
it only to learn it's against OpenVPN team's principles. :(


Well, I'll do it anyway. And I suggest you take it as a compliment: the OpenVPN 
is great for its flexibility so people can and will use it in a million of 
bizarre ways. :)


Best regards,


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Openvpn-devel mailing list

Reply via email to