Deploying OpenVPN using Group Policy and Active Directory 2008

I've recently had an issue using OpenVPN in an organisation where non-Administrator users were given access to their work resources. Usually OpenVPN would be run as an administrative user to allow it to create routes but obviously in an organisation it is not practical to give admin rights to all users.

The Solution? Run as a Service

The solution is to roll out a couple of registry changes and permissions that allow OpenVPN to run as a service; the OpenVPN GUI tool that runs in the taskbar then starts and stops that service instead of running the VPN itself.

1 - Create Registry Key

First, create a registry value in Group Policy (scoped appropriately) at HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\service_only and set it (type REG_SZ) to 1. This tells the OpenVPN GUI to control the service (which the OpenVPN installer creates but sets to Manual) rather than connect itself. NOTE: On a 64-bit machine this value should exist at HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\OPENVPN-GUI\service_only, so you may need to target the two architectures separately.

2 - Grant Permissions

Next, grant the appropriate user or group permission to start, stop and pause the service (Policies > Windows Settings > Security Settings > System Services). I found it easiest to install OpenVPN on the machine I was editing Group Policy from, so that the service shows up in this view and its settings can be edited.

3 - Test

Once this has been rolled out to the user, they should be able to connect using the OpenVPN GUI (the bubble will say "Service Started" rather than showing the user's IP address).
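As an added check for the three steps above (this is not the author's script), the PowerShell below can be run on a client after the GPO has applied. It reads both service_only locations named in the post, confirms the OpenVPN service exists and reports its start mode, and dumps the service's security descriptor so the group granted start/stop/pause rights in step 2 can be confirmed. The service name "OpenVPNService" is an assumption about what the installer registers; pass the actual name if it differs.

```powershell
# Added example, not part of the original post: verify the service-only OpenVPN
# rollout on a client. Run in an elevated PowerShell after gpupdate has applied.
param(
    # Assumption: the name the OpenVPN installer registered for its service
    [string] $ServiceName = 'OpenVPNService'
)

# Registry locations from the post: the native key and the path given for 64-bit machines
$keys = @(
    'HKLM:\SOFTWARE\OpenVPN-GUI',
    'Registry::HKEY_CLASSES_ROOT\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\OPENVPN-GUI'
)

foreach ($k in $keys) {
    if (-not (Test-Path -Path $k)) { "INFO $k not present"; continue }
    $v = (Get-ItemProperty -Path $k -Name 'service_only' -ErrorAction SilentlyContinue).service_only
    if ($v -eq '1') { "OK   $k\service_only = '$v'" }
    else            { "WARN $k\service_only = '$v' (expected REG_SZ '1')" }
}

# The GUI can only start/stop a service that exists; the post notes the installer leaves it on Manual.
# Win32_Service is used so the script also works on older PowerShell versions without ServiceController.StartType.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { "FAIL service '$ServiceName' not found"; return }
"INFO service '$ServiceName' state=$($svc.State) startMode=$($svc.StartMode)"

# Service security descriptor in SDDL. After step 2 applies, the target group's SID should
# appear in an Allow ACE carrying RP (start), WP (stop) and DT (pause/continue).
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '\S' }) -join ''
"INFO SDDL for '$ServiceName': $sddl"
```

If the SDDL contains no ACE for the intended group, the System Services policy has not reached this machine yet (or the service name in the GPO differs from the one actually installed), which is the usual reason the GUI reports an access-denied error instead of "Service Started".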

Hope this helps.

Chris

Author Chris Pont

Comments

UU0113 said:

Hi.

This is a very good idea in general. Good Work.

In order to make this work you also have to create a security group on the domain controller, then create a security template to allow the specific group to start/stop/pause the service (http://www.administrator.de/index.php?content=eca8828fdd577fb6820af6497d93abe3).

But we have another issue to deal with! Normally the VPN configs are stored in "C:\Program Files\OpenVPN\config", which is a big security flaw. Any logged-on user can read those files (e.g. copy them, move them to their own machine and start OpenVPN with those configs).

I am currently researching a solution to start the service with a user-based config (e.g. stored on the currently logged-on user's desktop).

I do not see how to implement this. Maybe we can start the service with parameters? What about Symlinks or Junction Points?

11/Feb/2012 21:13 PM
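The comment above raises the readability of the shared config directory. The following added PowerShell (not from the post or its commenters) audits that directory and every file under it, reporting any Allow ACE that gives read access to a broad principal. The path is the default quoted in the comment; the list of principals treated as "any logged-on user" is an assumption for this check, and ACEs that use only generic rights are not expanded.

```powershell
# Added example, not part of the original post: find broad read access on the
# OpenVPN config directory and the files in it.
param(
    # Default from the comment above
    [string] $ConfigDir = 'C:\Program Files\OpenVPN\config'
)

# Assumption: principals that amount to "any logged-on user" on a domain-joined client
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

# Returns the broad principals that an ACL grants ReadData to (generic-rights ACEs are not expanded)
function Get-BroadReaders {
    param([System.Security.AccessControl.FileSystemSecurity] $Acl)
    $Acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readData) -ne 0) -and
            ($broadPrincipals -contains $_.IdentityReference.Value)
        } |
        ForEach-Object { "$($_.IdentityReference.Value) [$($_.FileSystemRights); inherited=$($_.IsInherited)]" }
}

if (-not (Test-Path -LiteralPath $ConfigDir)) { "INFO $ConfigDir not present"; return }

# Directory itself: listing it reveals which profiles exist
$dirReaders = @(Get-BroadReaders -Acl (Get-Acl -LiteralPath $ConfigDir))
if ($dirReaders.Count -eq 0) { "OK   $ConfigDir has no broad read access" }
else {
    "WARN $ConfigDir readable by:"
    $dirReaders | ForEach-Object { "     $_" }
}

# Each file: .ovpn/.conf profiles and any key material kept alongside them
Get-ChildItem -LiteralPath $ConfigDir -Recurse -File | ForEach-Object {
    $file = $_
    $readers = @(Get-BroadReaders -Acl (Get-Acl -LiteralPath $file.FullName))
    if ($readers.Count -gt 0) {
        "WARN $($file.FullName) readable by: $($readers -join ', ')"
    }
}
```

On a default install the directory inherits Program Files permissions, so BUILTIN\Users will typically appear; the useful output is the per-file list, which shows whether private keys and profiles placed there are exposed to every account that can log on to the machine.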

jekader said:

thanks for the article!

UU0113 - I think it would be a solution to use authentication after the certificate-based connection is established. Although if run as a service, I don't know where the username/password should be introduced.

17/Oct/2012 15:56 PM
