On Fri, Aug 11, 2017 at 10:05 AM, Simon Rozman via Openvpn-devel <
openvpn-devel@lists.sourceforge.net> wrote:

> But that's what I wanted in the first place, as I believe Interactive
> Service "security" scheme makes no sense.
> Why does OpenVPN restrict non-admin users from using Interactive Service in
> the first place, while Windows' out-of-the-box VPN connects them just fine?
> If you are afraid a malware would start connecting - they already can:
> using Windows' VPN.

AFAIK, Windows VPN can be set up without admin rights only if the connection
is not shared with other users. Thus a limited user cannot redirect traffic
of all users. In openvpn we do not have a provision for such a separation
-- at least not as yet.

> Flushing ARP cache, client DNS registration, and other tasks OpenVPN can't
> perform as non-admin user is a technical issue of OpenVPN running in user
> space. Not a security one. Interactive Service overcomes that, but at the
> same time it assumes it's a security sensitive issue.

These tasks normally require admin rights (or some privilege like Network
Configuration Operators). So admin has to decide who is allowed to do such

> This limitation can and will be turned off with one or another simple
> administrator task (performed by eduVPN setup). So, this is no biggie...

Yes, a simple "administrator task" is all that is required to provide extra
privileges to users. In case of interactive service it's supposed to be done
at the time of installation.
