| Version 1 (modified by , 12 years ago) (diff) |
|---|
Introduction
Much of this text is adapted from Alon Bar-Lev's emails to the openvpn-devel list, with many useful additions from James Yonan and other people.
Use-cases
Standalone workstations
Standalone workstations and their VPN clients are controlled by the end-user.
Enterprise workstations
Enterprise workstations and their VPN clients are controlled by the enterprise system administrator(s). The goal is to lock down client workstations as much as possible, so that a compromised client does not allow access to the enterprise network; this access could otherwise be exploited by malware or a remote, active human attacker.
For the VPN client this translates to a few important requirements
- Non-privileges users can't read, copy or modify the VPN configuration
- Workstations can't have simultaneous access to an untrusted network (e.g. the public Internet) and the VPN network. If they did, malware could spread from the untrusted network to the enterprise network
Privilege separation in different contexts
OpenVPN consists of several different, interacting components:
- TUN/TAP device: a virtual Ethernet interface
- OpenVPN: a tunneling daemon
- OpenVPN configuration files
- Network utilities: ifconfig, route, etc.
- OpenVPN GUI: used by the interactive user to control OpenVPN
Each component can be isolated to run as an operating system user with varying levels of privileges. Here we use the following split:
- Interactive user: a real human user with minimal privileges, should only run end-user applications (such as OpenVPN-GUI)
- OpenVPN user: the user OpenVPN is running as (e.g. "nobody" on many Linuxes)
- Privileged user: the user doing privileged operations (e.g. adding routes or bringing up the TUN/TAP interface)
Depending on the use-case, different levels of privileges are needed to satisfy all the requirements:
| Component | Standalone | Enterprise |
| TUN/TAP | Access by the interactive user | Accessed by the OpenVPN user |
| OpenVPN | Run by the interactive user | Run by the OpenVPN user |
| OpenVPN configuration | Read/write by the interactive user | Read by OpenVPN, read/write by administrator |
| Network utilities | Run by a privileged user | Run by a privileged user |
| OpenVPN GUI | Run by the interactive user | Run by the interactive user |
External links
- OpenVPN privilege separation (Windows) (mailing list thread)
