OpenVPN on Windows XP and Vista

Note: This page may contain outdated information and/or broken links; some of the formatting may be mangled due to the many different code-bases this site has been through in over 20 years; my opinions may have changed etc. etc.

Just a quick post this time, as I thought this may help others in the same situation I found myself in recently. At work, we’ve been using OpenVPN which works a treat with Unix clients; Windows clients (Vista in particular) were more problematic, though. None of our regular users have admin privileges (for obvious reasons), but this caused problems with the routing setup: users could use the GUI tool, but could not create the necessary routes required to direct traffic over the VPN. We experimented for a while with setting up persistent routes, but this didn’t work for multiple users. I’d read all kinds of posts about running the executables as an Administrator, disabling Vista UAC, registry tweaks and other voodoo - either they didn’t work, or they were unacceptable in our environment.

I then hit upon a simple workaround that also seems to work on Windows XP: just add the user to the "Network Configuration Operators" group:

Administrative Tools -> Computer Management -> Local Users and Groups -> Groups -> Network Configuration Operators

Now, everything works right out of the box on Vista SP1 with the 2.1RC builds of OpenVPN (OpenVPN 2.1_rc15 was the version we tested). You have to install this as an Administrator, and you do have to be happy with giving your VPN users slightly elevated privileges - but at least it stops way short of having to give them administrator rights. For reference, here’s the client config file as well:

client
script-security 3 system
dev tun
proto udp
remote <openvpn server address> 1194
nobind
persist-key
persist-tun
ca ca.crt
cert <user.name>.crt
key <user.name>.key
cipher BF-CBC
comp-lzo
verb 3
mute 20
route-method exe
route-delay 2
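
The group change described above can also be made from the command line, which is easier to repeat across several machines. This is an added example, not part of the original post; the script name is hypothetical, and it assumes an English-language Windows install (the built-in group name is localized) and an elevated command prompt.

```batch
@echo off
rem add-vpn-user.cmd (hypothetical name): command-line equivalent of
rem Computer Management -> Local Users and Groups -> Groups.
rem Usage: add-vpn-user.cmd <username>   or   add-vpn-user.cmd DOMAIN\username
setlocal
set "GROUP=Network Configuration Operators"

if "%~1"=="" (
    echo Usage: %~nx0 ^<username^>
    exit /b 1
)

rem net.exe returns a non-zero errorlevel on failure, including when the
rem account is already a member of the group.
net localgroup "%GROUP%" "%~1" /add
if errorlevel 1 (
    echo Could not add "%~1" to "%GROUP%" ^(already a member, unknown account, or prompt not elevated^).
)

rem List the resulting membership so the change can be reviewed.
rem Keeping this list limited to actual VPN users keeps the extra privilege contained.
net localgroup "%GROUP%"
endlocal
```

The new membership only appears in the user's token at their next logon, so have the user log off and back on before testing the VPN.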
