OpenVPN on Windows XP and Vista

Mark's blog

OpenVPN on Windows XP and Vista

Sysadmin

Just a quick post this time, as I thought this may help others in the same situation I found myself in recently. At work, we've been using OpenVPN which works a treat with Unix clients; Windows clients (Vista in particular) were more problematic, though.

None of our regular users have admin privileges (for obvious reasons), but this caused problems with the routing setup: users could use the GUI tool, but could not create the necessary routes required to direct traffic over the VPN. We experimented for a while with setting up persistent routes, but this didn't work for multiple users. I'd read all kinds of posts about running the executables as an Administrator, disabling Vista UAC, registry tweaks and other voodoo - either they didn't work, or they were unacceptable in our environment.

I then hit upon a simple workaround that also seems to work on Windows XP: Just add the user to the "Network Configuration Operators" group:

Administrative Tools -> Computer Management -> Local Users and Groups -> Groups -> Network Configuration Operators

Now, everything works right out of the box on Vista SP1 with the 2.1RC builds of OpenVPN (OpenVPN 2.1_rc15 was the version we tested). You have to install this as an Administrator, and you do have to be happy with giving your VPN users slightly elevated privileges - but at least it stops way short of having to give them administrator rights.

For reference, here's the client config file as well :

client
script-security 3 system
dev tun
proto udp
remote <openvpn server address> 1194
nobind
persist-key
persist-tun
ca ca.crt
cert <user.name>.crt
key <user.name>.key
cipher BF-CBC 
comp-lzo
verb 3
mute 20
route-method exe
route-delay 2
Posted by Mark Round on Friday, February 13. 2009 at 09:20 in Sysadmin
Bookmark OpenVPN on Windows XP and Vista at del.icio.us Digg OpenVPN on Windows XP and Vista Bloglines OpenVPN on Windows XP and Vista Technorati OpenVPN on Windows XP and Vista Fark this: OpenVPN on Windows XP and Vista Bookmark OpenVPN on Windows XP and Vista at YahooMyWeb Bookmark OpenVPN on Windows XP and Vista at Furl.net Bookmark OpenVPN on Windows XP and Vista at reddit.com Bookmark OpenVPN on Windows XP and Vista at blinklist.com Bookmark OpenVPN on Windows XP and Vista at Spurl.net Bookmark OpenVPN on Windows XP and Vista at NewsVine Bookmark OpenVPN on Windows XP and Vista at Simpy.com Bookmark OpenVPN on Windows XP and Vista at blogmarks Bookmark OpenVPN on Windows XP and Vista with wists Bookmark OpenVPN on Windows XP and Vista at Ma.gnolia.com wong it! Bookmark using any bookmark manager!

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Rob says,

Friday, February 13. 2009 at 10:29 (Reply)

One Vista trick is to use the Task Scheduler to launch the OpenVPN GUI with elevated privileges after login. It won't prompt for approval as it can't. Full details lurk somewhere on the OpenVPN mailing list archive (which is where I found them).

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

 
 
 
Submitted comments will be subject to moderation before being displayed.