Hi Selva,

Is there any specific reason, why Interactive Service is so paranoid, knowing that it launches openvpn.exe and all external scripts as the interactive user anyway?

The service does privileged operations so some admin has to bless a user to allow certain options when launching openvpn.exe. In other words, options allowed in user editable configs are restricted unless the user is in a designated group.

I don't quite agree. OpenVPN needs elevation to set up connection because it runs in user space. IPsec VPN doesn't require elevation for the very same task since it runs in kernel space. Therefore, elevation for OpenVPN is required for technical reasons, not security. Thus, an explicit blessing from the admin is an exaggeration.

I have a work-around for this paradox in my sleeve: the eduVPN setup shall create an "eduVPN" subfolder in the "C:\Program Files\OpenVPN\config" folder, and grant all users desirable permissions*: a sort of public spool folder.

Setting up such a folder requires admin rights. If your installer has admin rights, just add all users to "OpenVPN Administrators" group or set the registry key ovpn_admin_group to "Users".

The installer will require admin rights of course. Here we agree installing software (VPN especially) needs an admin approval. Thank you for your excellent advice. I haven't thought of that before. However, I will not follow it for the following reason… eduVPN will not claim OpenVPN for all by itself. It will install it when missing, but will leave everything to its defaults. We would still like to leave the user an option to make use of OpenVPN for other purposes. Tweaking registry is not a step in this direction.

But that would open the OpenVPN Interactive Service to any user and application. This is why we would like your opinion first.

Yes the service will then launch openvpn with arbitrary configs as any user, but that is what you want isn't it?

True, I want that indeed. I was just trying to find the official way of doing it only to learn it's against OpenVPN team's principles. :( Well, I'll do it anyway. And I suggest you take it as a compliment: the OpenVPN is great for its flexibility so people can and will use it in a million bizarre ways. :)

Best regards,
Simon
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
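
An added audit example for the two relaxations discussed in this message: a broadly writable folder under the global config directory, and ovpn_admin_group set to, or populated with, all users. It is not code from the thread or from the OpenVPN project; the registry path `HKLM:\SOFTWARE\OpenVPN` and the default group name are assumptions, and the config path is the one quoted in the message.

```powershell
# Added audit example, not from the thread. Run on the Windows host under review.
# Assumptions: registry key path and default group name (see lead-in).
$regPath   = 'HKLM:\SOFTWARE\OpenVPN'
$configDir = 'C:\Program Files\OpenVPN\config'
# Well-known SIDs of principals that cover every interactive user
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'
            'S-1-5-32-545' = 'Users'; 'S-1-5-4' = 'INTERACTIVE' }
$findings = @()

# 1. Which group does the service treat as OpenVPN admins?
$group = (Get-ItemProperty -Path $regPath -Name ovpn_admin_group -ErrorAction SilentlyContinue).ovpn_admin_group
if (-not $group) { $group = 'OpenVPN Administrators' }   # assumed default
try {
    $sid = ([System.Security.Principal.NTAccount]$group).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    if ($broad.ContainsKey($sid)) {
        $findings += "ovpn_admin_group is '$group' ($sid): all users pass the group check"
    }
} catch { $findings += "ovpn_admin_group '$group' does not resolve to an account" }

# 2. Has a broad principal been added as a member of that group?
Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
    Where-Object { $broad.ContainsKey($_.SID.Value) } |
    ForEach-Object { $findings += "'$group' contains $($_.Name)" }

# 3. Can a broad principal create or change files under the global config folder?
$write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$dirs = @(Get-Item $configDir -ErrorAction SilentlyContinue) +
        @(Get-ChildItem $configDir -Directory -Recurse -ErrorAction SilentlyContinue)
foreach ($d in $dirs) {
    $rules = (Get-Acl $d.FullName).GetAccessRules($true, $true,
              [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $id = $r.IdentityReference.Value
        $generic = ([int]$r.FileSystemRights -band 0x50000000) -ne 0   # GENERIC_WRITE / GENERIC_ALL
        $canWrite = (($r.FileSystemRights -band $write) -ne 0) -or $generic
        if ($r.AccessControlType -eq 'Allow' -and $broad.ContainsKey($id) -and $canWrite) {
            $findings += "$($d.FullName): $($broad[$id]) may write ($($r.FileSystemRights))"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'No broad grants found for the Interactive Service group or config folder.' }
```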