Hi,

I am implementing a VPN setup using OpenVPN for a few users, most of whom use
Windows, and the server also has to run on Windows. I can't have users
running openvpn with root privilege so I've settled on using the service
option with a management-interface client running with limited user rights.

I would prefer client keys and certificates handled at the user level with
no need for admin privilege to store and replace certificates.
Cryptoapicert option works only if the certificate/key are in the system
store (not user store). So I am thinking of using the
management-external-key option available on 2.3. It currently supports only
getting the private key from the MI which is kind of limiting so I have
added code to take the certificate as well through the MI (patches available if
it's of interest to others/developers).

So here is my question: are there any issues that I should be aware of when
the certificate and key (actually not key, only rsa-signature) are provided
from the UI? AFAICS TLS errors are not reported back to the management so
users using wrong certificates or keys could lead to some flakiness of the
whole setup?

I use a patched version of OpenVPN MI GUI with certificate and key stored
in windows certificate store (under user) and accessed by cryptoapi calls
from the UI. One nice thing about this is hardware tokens also would work
which is otherwise hard/impossible with OpenVPN running as a service.

Any comments would be greatly appreciated.

Selva
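As an added illustration of the management-external-key exchange described above (this is example code, not the author's patch or OpenVPN's own implementation): the daemon sends a `>RSA_SIGN:<base64>` notification, and the management client must answer with `rsa-sig`, the base64 RSA_private_encrypt-style (PKCS#1 v1.5 type 1) signature, and `END`. It goes one step beyond the message by verifying the signature locally against the public key before replying, which is the only place a wrong key can be caught since TLS failures are not reported back over the MI. The RSA key is a constructed toy pair built from two known primes so the example runs offline; real signing happens in the user's certificate store or on a token.

```python
import base64

# Constructed toy RSA key from two known Mersenne primes. It exists only so this
# example runs offline; a real client signs with a key held in the user's
# certificate store or on a hardware token and never sees d in the clear.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (81 here)

def pkcs1_type1_pad(data: bytes) -> bytes:
    """PKCS#1 v1.5 block type 1, as RSA_private_encrypt(RSA_PKCS1_PADDING) does."""
    if len(data) > K - 11:
        raise ValueError("data too long for modulus")
    return b"\x00\x01" + b"\xff" * (K - 3 - len(data)) + b"\x00" + data

def rsa_sign_raw(data: bytes, d: int = D, n: int = N) -> bytes:
    """Sign already-hashed handshake data: pad, then modular exponentiation."""
    m = int.from_bytes(pkcs1_type1_pad(data), "big")
    return pow(m, d, n).to_bytes(K, "big")

def rsa_verify_raw(data: bytes, sig: bytes, e: int = E, n: int = N) -> bool:
    """Local self-check: recover the padded block with the public key."""
    if len(sig) != K:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(K, "big")
    return em == pkcs1_type1_pad(data)

def handle_rsa_sign(line: str) -> list:
    """Turn a '>RSA_SIGN:<b64>' notification into the 'rsa-sig ... END' reply lines."""
    if not line.startswith(">RSA_SIGN:"):
        raise ValueError("not an RSA_SIGN notification")
    data = base64.b64decode(line[len(">RSA_SIGN:"):], validate=True)
    sig = rsa_sign_raw(data)
    # Verify before replying: a key that does not match the presented
    # certificate would otherwise surface only as an unreported TLS failure.
    if not rsa_verify_raw(data, sig):
        raise RuntimeError("signature does not verify under the public key")
    return ["rsa-sig", base64.b64encode(sig).decode(), "END"]

if __name__ == "__main__":
    # Constructed 36-byte stand-in for the handshake digest the daemon asks to sign.
    digest = bytes(range(36))
    for reply_line in handle_rsa_sign(">RSA_SIGN:" + base64.b64encode(digest).decode()):
        print(reply_line)
```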
