Re: [pfSense] OpenVPN & Non-admin users.
Somehow I overlooked that option. Needless fussing.

Enabling the OpenVPNManager by default seems like it could be a reasonable option considering that all supported versions of Windows (Vista/7/8/[10]) require users (even admins) to elevate the OpenVPN client (and/or create an elevated shortcut).

Is this not default because it's "currently incompatible with the 64-bit OpenVPN installer"? If so, is there any practical downside to running the 32 bit installer on a 64 bit system? Is there a practical downside to running the OpenVPNManager in lieu of an elevated shortcut?

On 12/2/2014 5:57 PM, Chris Buechler wrote:
> On Tue, Dec 2, 2014 at 3:47 AM, Marijn Hofstra wrote:
>>>> We add them to the Windows built-in "Network Configuration Operators"
>>>
>>> Do you know this to work with Windows 8 Enterprise (or Win 10 for that matter)? I've seen this work in some versions of Windows, but when we tried it in Win 8 Enterprise, it didn't seem to work. We didn't probe further, suspecting that it was due to security changes in Windows >=8.
>>
>> I dealt with this issue recently, so I'll chime in for my $0.02.
>>
>> This works for WinXP, but for Vista and newer, you really need the OpenVPN GUI add-on. IIRC, the particular security group no longer provides the desired permissions in Vista and newer.
>>
>> With the GUI add-on, basically you ensure that the openvpn service is running (autostart) and add a few lines to your .ovpn config, something the likes of:
>
> You can skip all that if you're using our OpenVPN Client Export package, just check the OpenVPN Manager box and it takes care of all that automatically.

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] OpenVPN & Non-admin users.
On Tue, Dec 2, 2014 at 3:47 AM, Marijn Hofstra wrote:
>>> We add them to the Windows built-in "Network Configuration Operators"
>>
>> Do you know this to work with Windows 8 Enterprise (or Win 10 for that matter)? I've seen this work in some versions of Windows, but when we tried it in Win 8 Enterprise, it didn't seem to work. We didn't probe further, suspecting that it was due to security changes in Windows >=8.
>
> I dealt with this issue recently, so I'll chime in for my $0.02.
>
> This works for WinXP, but for Vista and newer, you really need the OpenVPN GUI add-on. IIRC, the particular security group no longer provides the desired permissions in Vista and newer.
>
> With the GUI add-on, basically you ensure that the openvpn service is running (autostart) and add a few lines to your .ovpn config, something the likes of:

You can skip all that if you're using our OpenVPN Client Export package, just check the OpenVPN Manager box and it takes care of all that automatically.
Re: [pfSense] OpenVPN & Non-admin users.
Network Configuration Operators group works in Windows 7 (Pro). We explored the MI-GUI as well, and it may be the only viable option for Win8 and up. The timing issues mentioned below led us to go w/ the Network config group solution on our Win7 pro machines.

Gordon Russell
Clarke County IT
540 955 5135

> This works for WinXP, but for Vista and newer, you really need the OpenVPN GUI add-on. IIRC, the particular security group no longer provides the desired permissions in Vista and newer.
>
> With the GUI add-on, basically you ensure that the openvpn service is running (autostart) and add a few lines to your .ovpn config, something the likes of:
>
> management 127.0.0.1 1194
> management-hold
> management-query-passwords
> auth-retry interact
>
> and then the OpenVPN GUI will connect to the openvpn service to manage it "remotely". So basically the permission issue is avoided by letting the openvpn service perform all the tasks instead. After putting some registry settings and adding command line args to the GUI shortcut, it all works nice enough.
>
> On a sidenote, setting the openvpn service to autostart may result in some odd post-login delays. Setting it to delayed start avoids this, but that means that the user needs to be competent / patient enough to wait until the service is up and running, which can take a while, and close / re-open the GUI client afterwards.
>
> -Marijn
Re: [pfSense] OpenVPN & Non-admin users.
>> We add them to the Windows built-in "Network Configuration Operators"
>
> Do you know this to work with Windows 8 Enterprise (or Win 10 for that matter)? I've seen this work in some versions of Windows, but when we tried it in Win 8 Enterprise, it didn't seem to work. We didn't probe further, suspecting that it was due to security changes in Windows >=8.

I dealt with this issue recently, so I'll chime in for my $0.02.

This works for WinXP, but for Vista and newer, you really need the OpenVPN GUI add-on. IIRC, the particular security group no longer provides the desired permissions in Vista and newer.

With the GUI add-on, basically you ensure that the openvpn service is running (autostart) and add a few lines to your .ovpn config, something the likes of:

management 127.0.0.1 1194
management-hold
management-query-passwords
auth-retry interact

and then the OpenVPN GUI will connect to the openvpn service to manage it "remotely". So basically the permission issue is avoided by letting the openvpn service perform all the tasks instead. After putting some registry settings and adding command line args to the GUI shortcut, it all works nice enough.

On a sidenote, setting the openvpn service to autostart may result in some odd post-login delays. Setting it to delayed start avoids this, but that means that the user needs to be competent / patient enough to wait until the service is up and running, which can take a while, and close / re-open the GUI client afterwards.

-Marijn
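The four directives in the message above expose OpenVPN's management interface on the loopback address so the GUI can drive the service. As an added example (not part of the thread or of the pfSense export package), this Python check reads a client config and reports how that interface is set up; the function names and the sample config, including the vpn.example.org remote, are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample: the four directives quoted in the message above inside
# a minimal client config (vpn.example.org is a placeholder).
SAMPLE_OVPN = """\
client
remote vpn.example.org 1194 udp
management 127.0.0.1 1194
management-hold
management-query-passwords
auth-retry interact
"""

def parse_directives(text):
    """Return {directive: [args]} for an .ovpn file, skipping comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives[parts[0]] = parts[1:]
    return directives

def audit_management(text):
    """Return a list of findings about the management-interface setup."""
    d = parse_directives(text)
    mgmt = d.get("management")
    if mgmt is None or len(mgmt) < 2:
        return ["no usable management directive: a GUI cannot attach"]
    findings = []
    try:
        if not ipaddress.ip_address(mgmt[0]).is_loopback:
            findings.append(f"management listens on non-loopback {mgmt[0]}")
    except ValueError:
        findings.append(f"management address {mgmt[0]!r} is not an IP literal")
    if len(mgmt) < 3:  # optional third argument is a password file
        findings.append("no management password file: any local process can connect")
    if "management-hold" not in d:
        findings.append("management-hold missing: tunnel comes up without the GUI")
    if "management-query-passwords" not in d:
        findings.append("management-query-passwords missing")
    if d.get("auth-retry") != ["interact"]:
        findings.append("auth-retry is not 'interact'")
    return findings

if __name__ == "__main__":
    for finding in audit_management(SAMPLE_OVPN):
        print(finding)
```

Run against the config as quoted in the thread, the only finding is the missing password file on the management port.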
Re: [pfSense] OpenVPN & Non-admin users.
> We add them to the Windows built-in "Network Configuration Operators"

Do you know this to work with Windows 8 Enterprise (or Win 10 for that matter)? I've seen this work in some versions of Windows, but when we tried it in Win 8 Enterprise, it didn't seem to work. We didn't probe further, suspecting that it was due to security changes in Windows >=8.

On 12/1/2014 3:04 PM, Gordon Russell wrote:
> We add them to the Windows built-in "Network Configuration Operators" group, and that gives them enough privilege to add routes, and we use the standard OpenVPN client & GUI. We need for our end users to be able to bring up/down the tunnel, and so auto-starting as a service proved not workable.
>
> Gordon Russell
> Clarke County IT
> 540 955 5135
>
> - Original Message -
>> From: "Karl Fife"
>> To: "ESF - Electric Sheep Fencing pfSense Support"
>> Sent: Monday, December 1, 2014 3:37:25 PM
>> Subject: [pfSense] OpenVPN & Non-admin users.
>>
>> I'd like to poll how others have dealt with the issue of non-admin Windows users running OpenVPN (TUN) for remote access.
>>
>> If you recall, non-admin users don't have the privilege of inserting routes, so even though the tunnel is established, it won't be used without an explicit route.
>>
>> I've read all of the scenarios, from running the client as a service, disabling username/password, creating client shortcuts with elevated privilege etc, using the Viscosity client for windows (only needs admin to be installed, not to be used).
>>
>> If you feel like showing off your astute reasoning, which route did you take and why?
Re: [pfSense] OpenVPN & Non-admin users.
On 01.12.2014 at 21:37, Karl Fife wrote:
> I'd like to poll how others have dealt with the issue of non-admin Windows users running OpenVPN (TUN) for remote access.
>
> If you recall, non-admin users don't have the privilege of inserting routes, so even though the tunnel is established, it won't be used without an explicit route.

http://openvpn-mi-gui.inside-security.de/

-Stefan
Re: [pfSense] OpenVPN & Non-admin users.
We add them to the Windows built-in "Network Configuration Operators" group, and that gives them enough privilege to add routes, and we use the standard OpenVPN client & GUI. We need for our end users to be able to bring up/down the tunnel, and so auto-starting as a service proved not workable.

Gordon Russell
Clarke County IT
540 955 5135

- Original Message -
> From: "Karl Fife"
> To: "ESF - Electric Sheep Fencing pfSense Support"
> Sent: Monday, December 1, 2014 3:37:25 PM
> Subject: [pfSense] OpenVPN & Non-admin users.
>
> I'd like to poll how others have dealt with the issue of non-admin Windows users running OpenVPN (TUN) for remote access.
>
> If you recall, non-admin users don't have the privilege of inserting routes, so even though the tunnel is established, it won't be used without an explicit route.
>
> I've read all of the scenarios, from running the client as a service, disabling username/password, creating client shortcuts with elevated privilege etc, using the Viscosity client for windows (only needs admin to be installed, not to be used).
>
> If you feel like showing off your astute reasoning, which route did you take and why?