With the introduction of Windows Vista, Microsoft introduced User Access Control (UAC). UAC is meant to safeguard users from running programs that can modify the operating system itself. Before such a program is run, a privilege elevation is required even if the user has full administrator rights. A dialog box appears that the user must click on before the execution begins. In order to run OpenVPN, elevated privileges are needed, as OpenVPN wants to open a system device and start a VPN connection. Especially if routes need to be added to the system, elevated privileges are essential.
With OpenVPN 2.3+, privilege elevation is built into the OpenVPN GUI application. That is, even if the Run as Administrator flag is turned off, the OpenVPN GUI application will still request elevated privileges when it is launched. This recipe will demonstrate this behavior, which was not present in older versions of OpenVPN.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 7 SP1 and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks. For the client, keep the configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe from Chapter 2, Client-server IP-only Networks at hand.
[root@server]# openvpn --config basic-udp-server.conf
example5-1
configuration file: c:\temp\openvpn.log, has been created.
When the OpenVPN GUI application is launched, the user must always confirm that it can run with elevated privileges. This is now built into the OpenVPN GUI application itself, and is visible as the shield at the bottom right of the application's icon.
After that, the OpenVPN GUI can launch other executables that will also inherit these privileges. When the GUI launches the openvpn.exe process, it can open the VPN adapter, alter the routing tables, and run the up and down scripts.
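Windows shows the shield overlay and prompts at launch when an executable's embedded application manifest sets requestedExecutionLevel to requireAdministrator. The following Python sketch is an added example, not code from the recipe or from the OpenVPN project: it reads that setting from an executable image so you can audit which binaries elevate on their own. That the OpenVPN GUI carries its elevation request in such a manifest is an assumption here, and SAMPLE_IMAGE is constructed.

```python
import re
import sys
import xml.etree.ElementTree as ET

# UAC behaviour for each requestedExecutionLevel value in an application manifest.
UAC_BEHAVIOUR = {
    "requireAdministrator": "always requests elevation at launch",
    "highestAvailable": "requests elevation when the user is an administrator",
    "asInvoker": "runs with the caller's token, no prompt",
}
_MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

# Constructed sample: stand-in for an executable image with an embedded manifest.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 64
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    b"<requestedPrivileges>"
    b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
    b"</requestedPrivileges></security></trustInfo></assembly>"
    + b"\x00" * 32
)


def requested_execution_level(image: bytes):
    """Return (level, uiAccess) from the embedded manifest, or None if absent.

    Heuristic: scans the raw image for the manifest XML instead of walking the
    PE resource directory, so it assumes the manifest is stored as plain text.
    """
    for match in _MANIFEST_RE.finditer(image):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # not a well-formed manifest, keep looking
        for elem in root.iter():
            # Compare local names: the element sits in the asm.v2 or asm.v3 namespace.
            if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
                return elem.get("level"), elem.get("uiAccess", "false")
    return None


def describe(image: bytes) -> str:
    found = requested_execution_level(image)
    if found is None:
        return "no requestedExecutionLevel found in image"
    return f"{found[0]}: {UAC_BEHAVIOUR.get(found[0], 'unknown level')}"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    print(describe(data))
```

Run it with the path to an executable as the only argument; with no argument it reports on the constructed sample.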