Tuesday 16 December 2014

Allow non admin users to connect with OpenVPN client

On Windows, OpenVPN creates the VPN tunnel and then changes the routing table to send all relevant traffic down the tunnel. This is a problem for normal user accounts, which do not have permission to change routes. Even when a user is given this permission, processes they start are not granted it by default. The easiest way around this is to make the user an administrator on their machine and set the OpenVPN-GUI shortcut to run as an administrator - however, this gives the user account full admin access to the machine, which is not a good idea in many situations.

Most of the guides I found on the internet seemed to be geared towards people who had admin rights and just wanted to avoid the UAC prompt.

A workaround that allows "normal" users to use the OpenVPN client on Windows without disabling UAC or similar is described below:

First, log in with an account that has admin rights and open a command prompt as an administrator. Give the user account permission to edit network settings by adding it to the "Network Configuration Operators" group:
net localgroup "Network Configuration Operators" <username> /add
Next we need to allow this user account to be used for batch services so that scheduled tasks in its name will run. Go to Start -> Run, type "gpedit.msc" and hit Enter. Browse to the following entry and add the username of the VPN user:
Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a batch job
Finally, create a task to start the VPN GUI shortly after the user logs on by opening "Task Scheduler" (Start -> Run -> taskschd.msc) and selecting "Create a task". This is the step that pulls the solution together: a scheduled task lets you control the permissions it runs with, and it also automates the startup.

  1. General Tab
    1. Name - Set to OpenVPN
    2. When running the task, use the following user account - set to the user who will be using the VPN
    3. Run only when user is logged in - select this
    4. Run with highest Privileges - select this
  2. Triggers Tab
    1. New Trigger
    2. Begin Task - At log on
    3. Specific User - Set to user who will be using VPN
    4. Delay task for - set to 30 seconds
  3. Actions Tab
    1. New Action, Start a program
    2. Browse to c:\program files\openvpn\bin\openvpn-gui
  4. Conditions Tab
    1. Start the task only if the computer is on AC power - DESELECT THIS or the VPN will only be available when laptop is plugged in
  5. Settings Tab
    1. No changes from defaults

Now test the connection by logging in as the user. The VPN client should automatically start in the system tray shortly after the user logs in and they should be able to bring up the VPN tunnel and access resources over it.
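The group change and the scheduled task from the steps above, as an added PowerShell example that is not part of the original post; it assumes Windows 8.1 or later (the ScheduledTasks cmdlets), uses a placeholder account name, and leaves the gpedit.msc "Log on as a batch job" step as described because there is no cmdlet for it.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on Windows 8.1 or later (needs the ScheduledTasks module).
$VpnUser = "$env:COMPUTERNAME\vpnuser"                 # placeholder: the non-admin VPN user
$GuiPath = 'C:\Program Files\OpenVPN\bin\openvpn-gui.exe'  # install path given in the post

# Step 1: membership of Network Configuration Operators is what permits route
# changes. UAC marks this group deny-only in a standard user's filtered token,
# which is why processes the user starts normally cannot use it.
net localgroup "Network Configuration Operators" $VpnUser /add

# Step 3, General tab: run as the same non-admin user, only when logged on,
# with highest privileges. For a standard user this means the unfiltered token
# (group active), not administrator rights.
$principalParams = @{
    UserId    = $VpnUser
    LogonType = 'Interactive'   # "Run only when user is logged on"
    RunLevel  = 'Highest'       # "Run with highest privileges"
}
$principal = New-ScheduledTaskPrincipal @principalParams

# Triggers tab: at log on of this specific user, delayed 30 seconds.
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $VpnUser
$trigger.Delay = 'PT30S'        # ISO 8601 duration

# Actions tab: start openvpn-gui.
$action = New-ScheduledTaskAction -Execute $GuiPath

# Conditions tab: clear "Start the task only if the computer is on AC power"
# so the VPN is also available on battery.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName 'OpenVPN' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings

# Verification before logging in as the user: check the group, the principal
# and the battery condition actually took effect.
net localgroup "Network Configuration Operators"
$task = Get-ScheduledTask -TaskName 'OpenVPN'
$task.Principal | Select-Object UserId, LogonType, RunLevel
$task.Settings  | Select-Object DisallowStartIfOnBatteries, StopIfGoingOnBatteries
```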

This guide was written using a Windows 8.1 Pro laptop - it should also apply to Windows 7, but some of the screens might be slightly different. It was based partly on the more advanced solution at http://community.openvpn.net/openvpn/wiki/Nonprivileged - that approach automatically does all of the above for any user that logs on, so it is great for a machine many users could share or for an automated deployment system. As a one-off for a single user it is more complicated than required, though, and the three steps above have the same end result.