Discussion:
[Openvpn-users] HowTo Run OpenVPN as a non-admin user in Windows
Mathias Sundman
2005-01-25 11:18:04 UTC
I've written a small HowTo on running OpenVPN / OpenVPN GUI as a non-admin
user in Windows.

http://www.nilings.se/openvpn/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html

If anyone knows of any other way to do this, or has suggestions on how to
improve this documentation, please let me know.

--
_____________________________________________________________
Mathias Sundman (^) ASCII Ribbon Campaign
OpenVPN GUI for Windows X NO HTML/RTF in e-mail
http://www.nilings.se/openvpn / \ NO Word docs in e-mail
Didier Conchaudron
2005-01-25 11:55:01 UTC
Great job!

This howto seems really useful. It presents temporary solutions for
people who want to start tunnels as non-admin.

Your article shows too that some features are still missing in the field
to make openvpn a professional software of choice.

- Full certificate support: actually, the SYSTEM account can't access
users' certificates and private keys which are located in the IE cert
store. People with smart cards are actually unable to use them as users
only.
But really big thanks to Peter for his initial release of the cryptoapi
patch.

- You talk about the enhanced service wrapper, it's not yet clear for me
what its job is with openvpn and the GUI. I've understood that the
service should be always running, able to receive GUI orders to
start/stop required tunnels. The service wrapper assigns a management
port to the starting openvpn process and then gives it to the GUI in
order to make it able to monitor the tunnel startup. If the tunnel needs
to decrypt a private key, the way the password is given depends on the
config file. If the private key is on disk, openvpn will ask the GUI
to give it using the management socket, and if the private key is in
the IE cert store, it's Windows or the manufacturer CSP that will ask
for the password through a Windows-based window.
So, each one of the 3 components, openvpn binary, the GUI and the
service, has to talk to the two others. Is that right?

After 2.0 release, this ability to make non-admin users able to connect
to remote network with great security features will probably be a major
challenge.

Didier
Post by Mathias Sundman
I've written a small HowTo on running OpenVPN / OpenVPN GUI as a
non-admin user in Windows.
http://www.nilings.se/openvpn/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html
If anyone knows of any other way to do this, or has suggestions on how to
improve this documentation, please let me know.
Mathias Sundman
2005-01-25 12:29:03 UTC
Post by Didier Conchaudron
Great job!
This howto seems really useful. It presents temporary solutions for people
who want to start tunnels as non-admin.
Exactly. I've still been too lazy/busy to work on OpenVPN GUI 2.0, so I
felt that I wanted to share some knowledge about the solutions that are
currently available for running OpenVPN as a non-admin user.
Post by Didier Conchaudron
Your article shows too that some features are still missing in the field to
make openvpn a professional software of choice.
- Full certificate support: actually, the SYSTEM account can't access
users' certificates and private keys which are located in the IE cert store.
People with smart cards are actually unable to use them as users only.
Yes, the latest patch Peter sent didn't work, and I haven't had time to debug
it, and I honestly lack some knowledge about cryptoapi to do that.

It's still unclear to me whether the system is supposed to
have access to user keys or not though. I thought a user key in the
CertStore was encrypted with the user's password somehow, and therefore
only available to that user. Is this not true, or are the keys decrypted
when a user logs on so they become available to the system as well, as long
as the user is logged on?
Post by Didier Conchaudron
- You talk about the enhanced service wrapper, it's not yet clear for me
what its job is with openvpn and the GUI. I've understood that the service
should be always running, able to receive GUI orders to start/stop required
tunnels. The service wrapper assigns a management port to the starting openvpn
process and then gives it to the GUI in order to make it able to monitor the
tunnel startup. If the tunnel needs to decrypt a private key, the way the
password is given depends on the config file. If the private key is on disk,
openvpn will ask the GUI to give it using the management socket, and if
the private key is in the IE cert store, it's Windows or the manufacturer
CSP that will ask for the password through a Windows-based window.
So, each one of the 3 components, openvpn binary, the GUI and the service,
has to talk to the two others. Is that right?
Yes, I think you described the process fairly correctly. Say you have a
typical client config like this:

dev tun
remote myserver.com
tls-client
ca ca.crt
cert mathias.crt
key mathias.key
pull
nobind

When running from the cmd-line your private key password is retrieved from
stdin. When you use the new service wrapper and GUI, the following will
happen:

1. The service is started at boot-time, but not launching any tunnels (per
default)

2. The GUI is started when a user logs on. When a user clicks "Connect",
the GUI will connect to the service wrapper (SW) and tell it to start the
corresponding config.

3. The SW will launch openvpn.exe with the specified config, and append
"--service exiteventX X --management 127.0.0.1 XXXX
--management-query-passwords" to the cmd-line.

4. The SW passes back the selected management port to the GUI.

5. The SW connects to the management interface of the started openvpn
process.

6. When OpenVPN needs any passwords it will now query for these over the
management interface instead, and the GUI can pass this on as dialogs to
the user. The GUI will also be able to monitor OpenVPN's status as well as
get the log in real time over the management interface.
Post by Didier Conchaudron
After 2.0 release, this ability to make non-admin users able to connect to
remote network with great security features will probably be a major
challenge.
The challenge left to solve that I see is how to make keys in the
CertStore and on smartcards available to openvpn when it is running as
system.

/Mathias
Post by Didier Conchaudron
Post by Mathias Sundman
I've written a small HowTo on running OpenVPN / OpenVPN GUI as a non-admin
user in Windows.
http://www.nilings.se/openvpn/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html
If anyone knows of any other way to do this, or has suggestions on how to
improve this documentation, please let me know.
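The password exchange in step 6 above, simulated from the GUI side as an added example (not OpenVPN GUI or service-wrapper code). It assumes the management-interface notification format of OpenVPN 2.0 (">PASSWORD:Need '<type>' password" answered with a quoted "password" command); the transcript, port and prompt callback are constructed stand-ins for the real socket and dialog.

```python
import re
from typing import Callable, List

# OpenVPN announces a needed secret on the management socket with a line like
#   >PASSWORD:Need 'Private Key' password
#   >PASSWORD:Need 'Auth' username/password
# and reports a wrong answer with
#   >PASSWORD:Verification Failed: 'Private Key'
NEED_RE = re.compile(r"^>PASSWORD:Need '(?P<type>[^']+)' (?P<kind>password|username/password)$")
FAILED_RE = re.compile(r"^>PASSWORD:Verification Failed: '(?P<type>[^']+)'$")


def quote(value: str) -> str:
    """Quote a value for a management command; backslash and double quote are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def handle_line(line: str, ask: Callable[[str, str], str]) -> List[str]:
    """Return the command(s) the GUI sends back for one line received from OpenVPN.

    ask(prompt_type, field) stands in for the dialog the GUI shows the user
    (hypothetical callback, not part of OpenVPN); field is 'username' or 'password'.
    """
    m = NEED_RE.match(line)
    if m:
        ptype, kind = m.group("type"), m.group("kind")
        cmds = []
        if kind == "username/password":
            cmds.append(f"username {quote(ptype)} {quote(ask(ptype, 'username'))}")
        # The secret travels over the localhost socket as-is; never write it to the GUI log.
        cmds.append(f"password {quote(ptype)} {quote(ask(ptype, 'password'))}")
        return cmds
    if FAILED_RE.match(line):
        return []  # wrong secret: OpenVPN re-issues the Need line, so the GUI re-prompts then
    return []  # >INFO, >STATE, >LOG and other lines need no reply


def run_session(lines: List[str], ask: Callable[[str, str], str]) -> List[str]:
    """Feed a captured sequence of management lines through handle_line, collecting replies."""
    out: List[str] = []
    for line in lines:
        out.extend(handle_line(line.rstrip("\r\n"), ask))
    return out


# Constructed transcript for the client config above (passphrase-protected mathias.key)
# started with --management 127.0.0.1 <port> --management-query-passwords; first
# answer is wrong, so OpenVPN asks again.
SAMPLE = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">PASSWORD:Need 'Private Key' password",
    ">PASSWORD:Verification Failed: 'Private Key'",
    ">PASSWORD:Need 'Private Key' password",
]
```

Running run_session(SAMPLE, ask) with a callback returning the user's input yields two password commands, one per prompt.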
Didier Conchaudron
2005-01-25 13:45:01 UTC
Post by Mathias Sundman
Exactly. I've still been too lazy/busy to work on OpenVPN GUI 2.0, so I
felt that I wanted to share some knowledge about the solutions that are
currently available for running OpenVPN as a non-admin user.
My work on the SW has been quite compromised too for some time, probably for the
same reasons ;-)
Post by Mathias Sundman
Post by Didier Conchaudron
Your article shows too that some features are still missing in the
field to make openvpn a professional software of choice.
- Full certificate support: actually, the SYSTEM account can't access
users' certificates and private keys which are located in the IE cert
store. People with smart cards are actually unable to use them as
users only.
Yes, the latest patch Peter sent didn't work, and I haven't had time to
debug it, and I honestly lack some knowledge about cryptoapi to do that.
I think Peter was on the right way to solve the user certs problem.
Looking at MSDN docs, it seems possible to make a SYSTEM account able to
get user certs via cryptoapi. Btw, some xp are missing too.
Post by Mathias Sundman
It's still unclear to me whether the system is supposed to
have access to user keys or not though. I thought a user key in the
CertStore was encrypted with the user's password somehow, and therefore
only available to that user. Is this not true, or are the keys decrypted
when a user logs on so they become available to the system as well, as
long as the user is logged on?
First, when you import a p12 into the IeCertStore, you can encrypt the p12 so
Ie will ask you for the password in order to import the p12. But this
password is independent of the password protecting the private key. So
the p12 password will be asked just one time at import.
If your private key is protected by a password, Ie will not ask you for
the password during import, but this password will be asked by the
default CSP (a window of Ie in fact) each time an app needs to access
the private key. The process is the same when you use a smart card, the
only difference is that the CSP is from your smart card manufacturer, so
the password can be a PIN code on the card reader (like mine) or a window
on your computer.
A basic non-protected private key imported via p12 into the Ie certstore can
be accessible via the SYSTEM account, I guess. That's the point I need
confirmation on too.
Post by Mathias Sundman
5. The SW connects to the management interface of the started openvpn
process.
My SW doesn't. The only reason I could need to is to monitor the process
startup, but openvpn-gui will do this so I think it's not necessary to
ask for status twice.
Post by Mathias Sundman
Post by Didier Conchaudron
After 2.0 release, this ability to make non-admin users able to
connect to remote network with great security features will probably
be a major challenge.
The challenge left to solve that I see is how to make keys in the
CertStore and on smartcards available to openvpn when it is running as
system.
I think we need an expert ;-) Peter?

Didier
Mathias Sundman
2005-01-25 13:52:00 UTC
Post by Didier Conchaudron
Post by Mathias Sundman
5. The SW connects to the management interface of the started openvpn
process.
My SW doesn't. The only reason I could need to is to monitor the process
startup, but openvpn-gui will do this so I think it's not necessary to ask
for status twice.
Sorry, it was a typo. I meant the GUI connects to the management interface
of OpenVPN.
--
_____________________________________________________________
Mathias Sundman (^) ASCII Ribbon Campaign
OpenVPN GUI for Windows X NO HTML/RTF in e-mail
http://www.nilings.se/openvpn / \ NO Word docs in e-mail
Mathias Sundman
2005-01-25 14:25:01 UTC
Post by Mathias Sundman
Post by Didier Conchaudron
Your article shows too that some features are still missing in the field
to make openvpn a professional software of choice.
- Full certificate support: actually, the SYSTEM account can't access
users' certificates and private keys which are located in the IE cert store.
People with smart cards are actually unable to use them as users only.
It's still unclear to me whether the system is supposed to
have access to user keys or not though. I thought a user key in the
CertStore was encrypted with the user's password somehow, and therefore only
available to that user. Is this not true, or are the keys decrypted when a
user logs on so they become available to the system as well, as long as the
user is logged on?
First, when you import a p12 into the IeCertStore, you can encrypt the p12 so Ie
will ask you for the password in order to import the p12. But this password
is independent of the password protecting the private key. So the p12
password will be asked just one time at import.
If your private key is protected by a password, Ie will not ask you for the
password during import, but this password will be asked by the default CSP (a
window of Ie in fact) each time an app needs to access the private key.
The process is the same when you use a smart card, the only difference is
that the CSP is from your smart card manufacturer, so the password can be a
PIN code on the card reader (like mine) or a window on your computer.
A basic non-protected private key imported via p12 into the Ie certstore can be
accessible via the SYSTEM account, I guess. That's the point I need confirmation
on too.
So, what you're saying is that if I import a non-encrypted private key
into the IeCertStore, it will be saved in cleartext on my system?

Again, I thought one of the benefits with using the CryptoStore was that
windows protected the key by encrypting it with the normal user logon
credentials somehow.

If what you say is true, then an originally unencrypted private key
imported to the CertStore can, almost as easily as a file, be retrieved
from a stolen laptop's harddrive.

Are you sure about that?
--
_____________________________________________________________
Mathias Sundman (^) ASCII Ribbon Campaign
OpenVPN GUI for Windows X NO HTML/RTF in e-mail
http://www.nilings.se/openvpn / \ NO Word docs in e-mail
Didier Conchaudron
2005-01-25 14:36:01 UTC
Post by Mathias Sundman
So, what you're saying is that if I import a non-encrypted private key
into the IeCertStore, it will be saved in cleartext on my system?
I hope not! If you import a non-encrypted private key, the system or
another program that needs access to your private key will be able to
get it using the MS cryptoapi. The way Windows physically stores the certs/keys
doesn't matter for our purpose.
Post by Mathias Sundman
Again, I thought one of the benefits with using the CryptoStore was that
windows protected the key by encrypting it with the normal user logon
credentials somehow.
Perhaps, but if an application needs to access your key, which is not
intentionally protected, Windows will give access to this key. It does
on my system; I don't have to give any password to get access to my key.
Post by Mathias Sundman
If what you say is true, then an originally unencrypted private key
imported to the CertStore can, almost as easily as a file, be retrieved
from a stolen laptop's harddrive.
If the guy has admin access, probably. That's why using a smart card is
better ;-)
Post by Mathias Sundman
Are you sure about that?
Just test it. Make a p12 with a non-protected private key and try to
start a tunnel with openvpn; it will start without any password.
Now what I am saying is not that the file contains a non-encrypted key,
maybe Windows encrypted it with a user-account-based password, but getting the
key is transparent.

Didier
Patrik Lybing
2005-01-25 12:28:02 UTC
Hello,

I've got two questions, the first one should be rather easy for you experts :P
I use Windows, and I've so far set the IP, the subnet, and the gateway for
the tap device manually. But if I want to use DHCP, how do I proceed?

In the configuration, ifconfig iphere subnethere is clear to me.

But it is the route option I'm wondering about.

The reason that I want to use DHCP instead is that I've been
experiencing weird resets of some kind. I use an IP I get from the remote VPN
network on IRC, but I keep getting disconnected from IRC, randomly.
I don't know if using DHCP instead would make this problem go away, I doubt
that, but I've tried everything else. Maybe someone on this list has a
clue...

Nothing in the logfiles seems to give me any clue.

Excuse any bad spelling.

//Patrik, Sweden
Jon Bendtsen
2005-01-25 20:02:03 UTC
Post by Patrik Lybing
Hello,
I've got two questions, the first one should be rather easy for you experts :P
I use Windows, and I've so far set the IP, the subnet, and the gateway for
the tap device manually. But if I want to use DHCP, how do I proceed?
Read the manual.
You need to configure a pool of IP addresses.
ifconfig-pool 10.8.0.4 10.8.0.255
And you need to tell Windows how its IP is set.
push "dhcp-option NBT 2"
Post by Patrik Lybing
In the configuration, ifconfig iphere subnethere is clear to me.
But it is the route option I'm wondering about.
You tell it to route with the opposite end of the tunnel as the gateway.
So, when your pool assigns you .6 then you use .5 as the gateway.
push "route 172.16.0.0 255.255.0.0 default"
Then it will send it by the right address.
JonB

James Yonan
2005-01-25 16:27:03 UTC
Post by Mathias Sundman
I've written a small HowTo on running OpenVPN / OpenVPN GUI as a non-admin
user in Windows.
http://www.nilings.se/openvpn/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html
If anyone knows of any other way to do this, or has suggestions on how to
improve this documentation, please let me know.
Looks great, thanks for putting this together!

I will add to the articles page on the next web site update.

James