wiki:OpenVPNInteractiveService

Version 2 (modified by Samuli Seppänen, 8 years ago) (diff)


Introduction

OpenVPN Interactive Service, also known as "iservice" or "OpenVPNServiceInteractive", is a Windows system service which allows unprivileged users to perform certain privileged operations required by OpenVPN, such as adding routes. This removes the need to always run OpenVPN as administrator, which was the case for a long time, and continues to be the case for OpenVPN 2.3.x.

Recent Git "master" versions of OpenVPN contain the Interactive Service code, and recent OpenVPN-GUI versions can make use of it. If you want to test this new functionality, please grab a recent Git "master" Windows snapshot installer.

How it works

Here is a brief explanation of how the Interactive Service works, based on Gert's email to openvpn-devel mailing list. The example user, "joe", is not an administrator, and does not have any other extra privileges.

  • OpenVPN-GUI runs as user "joe"
  • Interactive Service runs as a local Windows service with maximum privileges
  • OpenVPN-GUI connects to the Interactive Service and asks it: "run openvpn.exe with the following arguments, using joe's credentials"
    • Windows can do this: pass credentials across a pipe, which you can't fake
  • Interactive Service forks openvpn.exe, runs it as user "joe", and keeps a "service pipe" open between the Interactive Service and openvpn.exe
  • If openvpn.exe wants to do ifconfig/route/DNS work, it sends these as requests over the service pipe to the Interactive Service, which then executes them (and cleans up should openvpn crash)
  • --up scripts are run by openvpn.exe itself, which is already running as "joe", so all privileges are nicely in place

This closes the old privilege-escalation path to admin, where an --up script was run by an openvpn.exe process that itself ran as administrator: the privileged service only executes the narrow set of network operations requested over the service pipe, never scripts.
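The security of this design rests on the service accepting only a small, strictly validated set of operations from the unprivileged openvpn.exe, and on it remembering what it did so it can undo those changes when the client dies. The following is an added toy model of that boundary, written for this page; it is not OpenVPN's own code, and the request format ("route_add DEST MASK GATEWAY [METRIC]") and the function names are invented for the example. The real Interactive Service uses its own message format over a named pipe.

```python
"""Toy model of the Interactive Service privilege boundary: an unprivileged
client sends text requests to a privileged service, which executes only a
small set of network operations with validated arguments and records them
for cleanup. Request format and names are invented for this example."""

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Operations the service is willing to carry out. Anything else (an "exec",
# an --up script, a free-form command line) is refused outright, so a
# compromised client cannot turn the service into a generic run-as-SYSTEM helper.
ALLOWED_OPS = {"route_add", "route_del"}


@dataclass
class Session:
    """State the service keeps for one openvpn.exe instance, so it can undo
    the changes it made if the client disconnects or crashes."""
    routes: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_route_args(args: List[str]) -> Optional[Tuple[str, str, str, int]]:
    """Return (dest, mask, gateway, metric) if every field is a well-formed
    IPv4 value, else None. Strict parsing is the whole point: the service
    never hands client-supplied text to a shell."""
    if len(args) not in (3, 4):
        return None
    try:
        dest = ipaddress.IPv4Address(args[0])
        mask = ipaddress.IPv4Address(args[1])
        gw = ipaddress.IPv4Address(args[2])
        metric = int(args[3]) if len(args) == 4 else 0
    except ValueError:
        return None
    # Reject a netmask that is not a contiguous prefix (e.g. 255.0.255.0).
    try:
        ipaddress.IPv4Network((str(dest), str(mask)), strict=False)
    except ValueError:
        return None
    if not 0 <= metric <= 9999:
        return None
    return str(dest), str(mask), str(gw), metric


def build_command(op: str, dest: str, mask: str, gw: str, metric: int) -> List[str]:
    """Argument vector the service would pass to CreateProcess directly
    (no cmd.exe in between), built only from validated fields."""
    if op == "route_add":
        return ["route", "ADD", dest, "MASK", mask, gw, "METRIC", str(metric)]
    return ["route", "DELETE", dest, "MASK", mask, gw]


def handle_request(line: str, session: Session) -> Tuple[bool, List[str]]:
    """Validate one request line from the client. Returns (accepted, argv);
    argv is empty when the request is refused."""
    parts = line.strip().split()
    if not parts or parts[0] not in ALLOWED_OPS:
        return False, []
    parsed = parse_route_args(parts[1:])
    if parsed is None:
        return False, []
    dest, mask, gw, metric = parsed
    argv = build_command(parts[0], dest, mask, gw, metric)
    if parts[0] == "route_add":
        session.routes.append((dest, mask, gw))
    elif (dest, mask, gw) in session.routes:
        session.routes.remove((dest, mask, gw))
    return True, argv


def cleanup_commands(session: Session) -> List[List[str]]:
    """Undo every route still recorded for the session, newest first. The
    service runs this when the service pipe closes, which is how it copes
    with openvpn.exe crashing without having removed its routes."""
    cmds = [build_command("route_del", d, m, g, 0) for d, m, g in reversed(session.routes)]
    session.routes.clear()
    return cmds


if __name__ == "__main__":
    s = Session()
    for req in ("route_add 10.8.0.0 255.255.255.0 10.8.0.5",
                "exec cmd.exe /c whoami",
                "route_add 10.8.0.0 255.255.255.0 10.8.0.5;cmd"):
        print(req, "->", handle_request(req, s))
    print("cleanup on pipe close:", cleanup_commands(s))
```

Note that refusal happens at two levels: an unknown operation name is rejected before any argument is looked at, and a known operation with a malformed argument (a trailing ";cmd", a non-contiguous mask) is rejected before anything is built. Because the accepted request is turned into an argument vector rather than a command string, there is no shell for the client to influence.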