Hi,

On Tue, Aug 18, 2020 at 03:29:19PM -0400, Selva Nair wrote:
> > If you already have SYSTEM, accessing wintun from openvpn directly will
> > also work and should bring quite a bit of speed improvement.
>
> I was wrong to assume that this just works. Looking at it again, the current
> implementation of wintun support does not seem to cover this. Meaning the
> only working approach is to use the interactive service.

Indeed, you are right. Somewhere on the track we lost the ability to do
wintun "from OpenVPN" if we *have* SYSTEM.

This is the code in tun.c

    if (tt->options.msg_channel)
    {
        ret = service_register_ring_buffers(tt);
    }
    else
    {
        msg(M_FATAL, "ERROR: Wintun requires SYSTEM privileges and therefore "
            "should be used with interactive service. If you want to "
            "use openvpn from command line, you need to do SYSTEM "
            "elevation yourself (for example with psexec).");
    }

... so while I'm happy that we got rid of impersonating SYSTEM, the current
code does not even try anymore, just assumes "if there is no message
channel, we have not enough privileges".

OTOH the message is severely misleading now, since it suggests "having
the right privileges will make this work".

This needs fixing - either we *try*, and if we fail, print the message
about insufficient privileges, or we change the message to actually print
something like "Wintun support is only possible if the interactive service
is used. Do not run from the CLI. Use the GUI in non-admin mode.".

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel