[Openvpn-users] AD integration with OpenVPN GUI

Discussion:

Doug Lytle

2017-02-21 13:59:08 UTC

All,

The company that I work for has been migrating to AD. With the new AD, they are also restricting employees to Users instead of Administrators.

With the recent progress of allowing users to communicate with the new OpenVPN service to add routes, will we be able to set this group in AD and have it function, or will it still need to be created on the local machine?

Thanks,

Doug

Gert Doering

2017-02-21 14:20:32 UTC

Permalink

Hi,

Post by Doug Lytle
The company that I work for has been migrating to AD. With the new AD, they are also restricting employees to Users instead of Administrators.
With the recent progress of allowing users to communicate with the new OpenVPN service to add routes, will we be able to set this group in AD and have it function, or will it still need to be created on the local machine?

AD groups should work starting with 2.4.1 - the service changes are in,
the GUI changes are done but waiting for review.

(Selva, correct me if I've misunderstood anything)

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de

Doug Lytle

2017-02-21 15:15:53 UTC

Permalink

Post by Gert Doering
AD groups should work starting with 2.4.1 - the service changes are in,
the GUI changes are done but waiting for review.
(Selva, correct me if I've misunderstood anything)

Gert,

Thanks for the update! I just downloaded today's build of Master, if this contains the changes, I'm willing to help test.

Doug

Selva Nair

2017-02-21 17:24:47 UTC

Permalink

Post by Doug Lytle

Post by Gert Doering
AD groups should work starting with 2.4.1 - the service changes are in,
the GUI changes are done but waiting for review.
(Selva, correct me if I've misunderstood anything)

Gert,
Thanks for the update! I just downloaded today's build of Master, if this
contains the changes, I'm willing to help test.

Yes, snapshot builds dated Feb 20 or later will have this fix for openvpn
and service. But the GUI included there does not support nested group
membership, so to test please replace the GUI executable by the one here (
https://github.com/selvanair/openvpn-gui/releases/tag/v11.4.0.4) -- this is
based on tht pending PR118 for the GUI. We hope to get it merged soon.

Selva

Selva Nair

2017-02-22 01:18:22 UTC

Permalink

Post by Selva Nair
Yes, snapshot builds dated Feb 20 or later will have this fix for openvpn
and service. But the GUI included there does not support nested group
membership, so to test please replace the GUI executable by the one here (
https://github.com/selvanair/openvpn-gui/releases/tag/v11.4.0.4) -- this
is based on tht pending PR118 for the GUI. We hope to get it merged soon.

I was able to successfully test this. But would like to verify on a
second laptop.
Thanks for testing.
1.) When running the OpenVPN GUI, I get a notice that the Publisher
couldn't be verified, I can hit Yes to bypass the message

Assuming this is my test build gui, its not signed.

2.) I'm using the Up and Down scripts for the GUI to map AD network
drives, of the 3 times tested, one of them gave notice of timing out and no
network drives were mapped.
Manually doubling clicking on the script after connection, mapped
the drives.

I have seen long mapping times and script timeout on first attempt in some
setups. If you use persistent drive mapping, there are some registry keys
under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider: like
DeferConnection, RestoreConnection, RestoreTimeout etc tweaking which may
help -- I haven't tried.

Selva

Doug Lytle

2017-02-23 14:08:33 UTC

Permalink

I was able to successfully test this. But would like to verify on a second laptop.

Second laptop tested, everything worked great!

Thanks,

Doug