= OpenVPN as non privileged user = The entire process that is described here [http://youtu.be/DxQaVf8iAJk|can be watched at youtube here]. These days a lot of users do not work as privileged user, they do not have administrative rights on their computers. If such a user needs to establish an OpenVPN connection (OpenVPN and OpenVPN-GUI are already installed) the connection will be established but the necessary routes are not set. Setting routes in Windows has some requirements: {{{ ---------------------------------------- | Operating System | ADM | NCO | RHP | ---------------------------------------- | Windows XP | X | | | ---------------------------------------- | Windows XP | | X | | ---------------------------------------- | Windows 7 | X | | | ---------------------------------------- | Windows 7 | | X | X | ---------------------------------------- | Windows 8 | X | | | ---------------------------------------- | Windows 8 | | X | X | ---------------------------------------- }}} {{{ RHP = run with highest privileges but in context of a non-administrative user ADM = Member of group "Administrators" NCO = Member of group "Network Configuration Operators" }}} Note: Since Windows 7 being **only** a member of the **"Network Configuration Operators"** group **is not enough** to be able to set routes. There are some OpenVPN-Clients that are able to establish connections and setting routes without administrative privileges but they are either unstable [[http://sourceforge.net/projects/securepoint/|SecurePoint SSL VPN]]) or do not have all necessary features ([[http://openvpn-mi-gui.inside-security.de/|OpenVPN MI GUI]]). They both use a service (running as administrator) and communicate with the service from user mode. But sometimes your configuration does not allow "service mode" and so you are stuck. == Solution for Windows XP == Add the non privileged user (e.g. bob) to the group {{{ Network Configuration Operators }}} You can do this with the following command {{{ net localgroup "Network Configuration Operators" bob /add }}} and OpenVPN-GUI will perfectly work without administrative privileges. **This solution does no longer work with Windows 7 and above.** == New and working solution for Windows 7 (and above) == In July 2013 I had an idea. Why not creating a scheduled task at logon of any user that **automatically** creates another Scheduled Task for the non privileged user that is currently logging on. This **automatically** created task will put the user in the group "Network Configuration Operators" and then start OpenVPN GUI **automatically** at the next logon of this (non privileged) user (with highest privileges). You need to walk through some small steps to achieve this goal. === 2 scripts that help us === ==== Script 1 create_main_task_only_runonce.cmd ==== {{{ @ECHO OFF CLS REM Detect current user (should be an administrator) SET USER=%USERNAME% SET DOM=%USERDOMAIN% SET ACCOUNT=%DOM%\%USER% SET TASKNAME=OpenVPN Logon Task Creator (main) REM Where to store the created XML-File SET XML=%temp%\%RANDOM%_temp.xml REM What to start via the generated task SET TOSTART=C:\ProgramData\OpenVPN\create_usertask.cmd ECHO ^ > "%XML%" ECHO ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^2001-01-01T01:01:01.01^ >> "%XML%" echo. ^Der PCFreak^ >> "%XML%" echo. ^This task will be executed at logon of any user. The script will then determine the username and domain/computer of this user. The user will then added to the group "Network Configuration Operators" and additionally a new scheduled task with name "%DOM%_%USER%_openvpn" will be created. The automatically created task will be set up to only run when the specific, detected user logs on. This task will then start OpenVPN-GUI with highest privileges at logon.^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^2001-01-01T01:01:01^ >> "%XML%" echo. ^true^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^%ACCOUNT%^ >> "%XML%" echo. ^Password^ >> "%XML%" echo. ^HighestAvailable^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^IgnoreNew^ >> "%XML%" echo. ^false^ >> "%XML%" echo. ^false^ >> "%XML%" echo. ^true^ >> "%XML%" echo. ^false^ >> "%XML%" echo. ^false^ >> "%XML%" echo. ^ >> "%XML%" echo. ^true^ >> "%XML%" echo. ^false^ >> "%XML%" echo. ^ >> "%XML%" echo. ^true^ >> "%XML%" echo. ^true^ >> "%XML%" echo. ^false^ >> "%XML%" echo. ^false^ >> "%XML%" echo. ^false^ >> "%XML%" echo. ^P3D^ >> "%XML%" echo. ^7^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo. ^"%TOSTART%"^ >> "%XML%" echo. ^ >> "%XML%" echo. ^ >> "%XML%" echo ^ >> "%XML%" REM Create the task using schtasks REM use /f to make sure we can re-create this task on demand %windir%\system32\schtasks.exe /create /TN "%TASKNAME%" /XML "%XML%" /RU %ACCOUNT% /RP "" /F REM Delete temporary XML FILE DEL /Q "%XML%" }}} Please verify the variable **TOSTART** at the beginning of the script. It must represent the physical location of **create_usertask.cmd** (our second script). ==== Script 2 create_usertask.cmd ==== {{{ @ECHO OFF CLS REM Some Variables REM Where to store the created XML-File SET XML=%temp%\%RANDOM%_temp.xml REM Name of the Network Configuration Operators group (without quotes) SET NGROUP=Network Configuration Operators REM What to start via the generated task SET TOSTART=C:\Program Files\OpenVPN\bin\openvpn-gui.exe REM We need to find the domain/computer and username of the user that is logging on REM We run under a different user context so we need a trick to do that REM Session to search, usually "console" SET SESSION=console REM Process to search, usually "explorer.exe" SET PROCESS=explorer.exe for /f "usebackq tokens=8,9 delims=\ " %%a IN (`tasklist /fi "SESSIONNAME eq %SESSION%" /FI "IMAGENAME eq %PROCESS%" /V /NH`) do ( SET DOM=%%a SET USER=%%b SET ACCOUNT=%%a\%%b ) echo The detected user was %USER% in domain/computer %DOM% . ECHO ^ > "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^StopExisting^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^true^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^true^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^true^ >> "%XML%" ECHO. ^true^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^false^ >> "%XML%" ECHO. ^PT0S^ >> "%XML%" ECHO. ^7^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^"%TOSTART%"^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^2013-07-11T11:39:44.2138665^ >> "%XML%" ECHO. ^Der PCFreak^ >> "%XML%" echo. ^This task will run when the user %ACCOUNT% logs on. It will then start OpenVPN-GUI with in the context of this user with highest privileges at logon of this user.^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^%ACCOUNT%^ >> "%XML%" ECHO. ^InteractiveToken^ >> "%XML%" ECHO. ^HighestAvailable^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^true^ >> "%XML%" ECHO. ^%ACCOUNT%^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" ECHO. ^ >> "%XML%" REM Create the task using schtasks REM do not use /f since we only want to create this task once! %windir%\system32\schtasks.exe /create /xml "%XML%" /tn "%DOM%_%USER%_openvpn" /DELAY 0000:25 REM Add the user to the Network Configuration Operators group net localgroup "%NGROUP%" %ACCOUNT% /add REM Delete temporary XML FILE DEL /Q "%XML%" }}} Take a look at the beginning of the script and change the variables **NGROUP** and **TOSTART** to your localized version of the **Network Configuration Operators** group and your location of **openvpn-gui.exe**. === Install OpenVPN-GUI === Do a default installation of OpenVPN-GUI and also copy the necessary connection profiles to the target machine. ** Do this as administrative user. ** === Prepare and fix Registry Keys === Start OpenVPN-GUI once as an administrative user. This will create the following registry key: {{{ HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI }}} Close OpenVPN-GUI. Open the registry editor (regedit.exe) and take a look at this registry key: {{{ HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\log_dir }}} By default it points to {{{ C:\Program Files\OpenVPN\log }}} This folder is not writeable by nonprivileged users, so they will get error messages when connecting. Just change it to {{{ %temp%\OpenVPN\log }}} With this change, a nonprivileged user logs to his personal temp folder, e.g. {{{ C:\Users\user1\AppData\Local\Temp\OpenVPN\log }}} === Copy script files to target === Create the folder {{{ C:\Programdata\OpenVPN }}} and copy the above 2 script files {{{ create_usertask.cmd create_main_task_only_runonce.cmd }}} to this directory. ** Please double-check and make sure, that this files cannot be changed by non-privileged users! ** === Setup the main task === Use explorer.exe and jump to the directory where you stored the 2 scripts from above, usually {{{ C:\ProgramData\OpenVPN }}} Right-click **create_main_task_only_runonce.cmd** and select **Run as administrator**. A command prompt will open and ask you for the password of the administrative account. Enter it correctly. [[Image(https://dl.dropboxusercontent.com/u/682899/_do_not_delete_/pictures%20for%20openvpn%20wiki%20openvpn.net/001-openvpn.png)]] If everything went right, you have now a new scheduled task in the **Task Scheduler Library** with the name {{{ OpenVPN Logon Task Creator (main) }}} [[Image(https://dl.dropboxusercontent.com/u/682899/_do_not_delete_/pictures%20for%20openvpn%20wiki%20openvpn.net/002-openvpn.png)]] It is setup to run {{{ with the administrators account with highest privileges at logon of any user executing C:\Programdata\OpenVPN\create_usertask.cmd }}} **Verify the automated generation of this task**. === Change OpenVPN-GUI shortcut === We now change the shortcut(s) that start OpenVPN to a different target.They are usually located here: {{{ C:\Users\Public\Desktop\OpenVPN GUI.lnk C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\OpenVPN\OpenVPN GUI.lnk }}} Change all shortcuts to the following settings (via properties). {{{ Target: %windir%\System32\schtasks.exe /RUN /TN "%USERDOMAIN%_%USERNAME%_openvpn" Icon : C:\Program Files\OpenVPN\icon.ico (or any other icon you like) }}} [[Image(https://dl.dropboxusercontent.com/u/682899/_do_not_delete_/pictures%20for%20openvpn%20wiki%20openvpn.net/003-openvpn.png)]] The rest of the settings can be left to their defaults. == Test it! == Logon as a nonprivileged user, let's assume, the username is **user1** and he is logging on to machine **win7x64-vm**. The following will happen. === First logon === ==== Main scheduled task will execute ==== The "main" scheduled task **OpenVPN Logon Task Creator (main)** will run. It will programmatically {{{ add user1 to the localgroup "Network Configuration Operators" create a userspecific scheduled task with the name win7x64_user1_openvpn }}} [[Image(https://dl.dropboxusercontent.com/u/682899/_do_not_delete_/pictures%20for%20openvpn%20wiki%20openvpn.net/004-openvpn.png)]] Since we changed the target for the OpenVPN-GUI shortcuts, the user can now already click the OpenVPN-GUI desktop icon, which will then run the scheduled task **win7x64_user1_openvpn** on demand. **win7x64_user1_openvpn** will then execute **openvpn-gui.exe** in the users context but with **highest privileges**. === Security related information === There are 2 registry keys, that are dangerous and can allow the user to open an administrative prompt on the machine. They are {{{ HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\editor and HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\log_viewer }}} When using my method and click on ** View Log ** or ** Edit config **, by default notepad.exe will open (and of course) with highest privileges. To fix this, you should change the registry to an executable (you created), that shows an error message. I did this with a small AutoIT-Script, that does exactly that. I called it {{{ notallowed.exe }}} The source is added to this Wiki page as {{{ notallowed.au3 }}} ** Without this change your installation is vulnerable and normal users can get an elevated command prompt, so absolutely change this registry keys!!!! ** So I additionally changed the registry for OpenVPN-GUI to {{{ Key : HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI Name : editor Value: C:\ProgramData\OpenVPN\notallowed.exe Key : HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI Name : log_viewer Value: C:\ProgramData\OpenVPN\notallowed.exe }}} Here is a screenshot: [[Image(https://dl.dropboxusercontent.com/u/682899/_do_not_delete_/pictures%20for%20openvpn%20wiki%20openvpn.net/005-openvpn.png)]] When notallowed.exe is executed it just shows this message: [[Image(https://dl.dropboxusercontent.com/u/682899/_do_not_delete_/pictures%20for%20openvpn%20wiki%20openvpn.net/006-openvpn.png)]] === Future logons === ==== Main scheduled task will execute ==== Since the **main** task has already run previously, it will **NOT** recreate the users personal scheduled task. - It does nothing. ==== User task will execute ==== Since the **user** task **win7x64_user1_openvpn** was present at logon, it get's executed and starts **openvpn-gui.exe**. So after the user logged in, he/she has the OpenVPN-GUI running in the system tray and is ready to establish connections **without administrative privileges** == Summary == My personal opinion is, that this is a nice workaround for the **nonprivileged user problem**. It can easily be deployed, it is **Open Source** and you can change it to your needs. If you use, change or blog it, please keep a line in your code, that refers to me (Der PCFreak) and my Blog ([http://blog.pcfreak.de]). If I have time, I will add some screenshots and I am planning to create a video on Youtube, that shows exactly how it works. Since this was the first time I posted to this Wiki, I hope I made no mistakes and no errors. Thank you for reading!