Deploying OpenVPN using Group Policy and Active Directory 2008
I've recently had an issue using OpenVPN in an organisation where non-Administrator users were given access to their work resources. Usually OpenVPN would be run as an administrative user to allow it to create routes but obviously in an organisation it is not practical to give admin rights to all users.
The Solution? Run as a Service
The solution is to roll out a couple of registry changes and permissions that allow OpenVPN to run as a service, and the openVPN GUI tool that runs in the taskbar will start and stop the service.
1 - Create Registry Key
First create a registry key in Group Policy (and scope it appropriately) for HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\service_only and set the value (of type REG_SZ) to 1. This tells the OpenVPN GUI to control the service (which is installed by the OpenVPN installation, but set to Manual) rather than connect itself. NOTE: On a 64 bit machine, this key should exist in HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\OPENVPN-GUI\service_only so you may need to target the two architectures seperately.
2 - Grant Permissions
Next, give permission to start, stop and pause the service to the appropriate User / Group (Policies > Windows Settings > Security Settings > System Services). I found it easiest to install OpenVPN on the machine that I was editing Group Policy with in order for it to show up in this view and edit the settings for.
3 - Test
Once this has been rolled out to the user, they should then be able to connect using OpenVPN Gui (the bubble will then say "Service Started" rather than stating the users IP Address).
Hope this helps.