On Fri, Aug 11, 2017 at 6:21 AM, Pasi Kärkkäinen <pa...@iki.fi> wrote:

> Hi,
> On Wed, Aug 09, 2017 at 02:31:58PM +0000, Simon Rozman via Openvpn-devel wrote:
> >    Hi!
> >
> >    I am developing an eduVPN client for Windows. Imagine the eduVPN client as
> >    a custom OpenVPN GUI. The client uses openvpn.exe for connecting, the
> >    configuration file is provided by eduVPN server once user authenticates
> >    using OAuth. User running the eduVPN client is not an administrator.
> >    Elevation is out of the question.
> >
> >    I would like to use the Interactive Service to start openvpn.exe, but I
> >    have some problems:
> >
> >    1. The configuration file is dynamically downloaded by the eduVPN
> >    client and stored somewhere user can write (user's temporary folder for
> >    example). But the Interactive Service was specifically programmed to allow
> >    configurations from "C:\Program Files\OpenVPN\config" folder only. But
> >    user running eduVPN client can't write to this folder.
> >
> Wasn't this changed in the latest version, allowing config files to be
> under user home/profile directory?

The change you are referring to is that OpenVPN-GUI now looks for configs
in the global location and in user's profile with the latter given priority
in case of duplicates.

However, to use the interactive service, config could be in any directory
only if the user is a member of (i) Administrators group OR (ii) a custom
group (named "OpenVPN Administrators" by default). Otherwise only configs
in the pre-defined global location are allowed[*]. This is done to make
sure that admins have control over who is allowed to manipulate routes etc.
using the interactive service. Note that only group membership is needed,
the group need not be enabled in the token which means elevation is not


[*] The actual requirement is a bit more relaxed than that as some limited
options are allowed in user-editable configs or command line for all users.
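
The access rule described in this message, modelled as an added example (not code from OpenVPN or from anyone in this thread). It assumes groups are matched by name, that relative config paths are rejected, and it ignores the limited options the footnote says all users may set; `is_under` and `config_allowed` are hypothetical names.

```python
import ntpath

# Both values are taken from the thread above; the rest is an assumption.
GLOBAL_CONFIG_DIR = r"C:\Program Files\OpenVPN\config"
PRIVILEGED_GROUPS = {"administrators", "openvpn administrators"}


def is_under(directory: str, path: str) -> bool:
    """True if path resolves to a location strictly inside directory."""
    # Normalise first so "..", "/" and letter case cannot dodge the check.
    base = ntpath.normcase(ntpath.normpath(directory))
    target = ntpath.normcase(ntpath.normpath(path))
    try:
        # commonpath compares whole components, so "config-evil" does not
        # pass as a prefix match of "config".
        return target != base and ntpath.commonpath([base, target]) == base
    except ValueError:
        # Different drives, or a relative path mixed with an absolute one.
        return False


def config_allowed(user_groups, config_path: str) -> bool:
    """Members of a privileged group may use any config, others only global ones.

    user_groups is the account's group membership, not the set of groups
    enabled in the current token.
    """
    if {g.lower() for g in user_groups} & PRIVILEGED_GROUPS:
        return True
    return is_under(GLOBAL_CONFIG_DIR, config_path)


if __name__ == "__main__":
    # Constructed sample paths, not taken from the thread.
    temp_cfg = r"C:\Users\alice\AppData\Local\Temp\eduvpn.ovpn"
    print(config_allowed(["Users"], temp_cfg))
    print(config_allowed(["Users", "OpenVPN Administrators"], temp_cfg))
```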