Windows - elevated privileges

With Windows Vista, Microsoft introduced User Account Control (UAC). UAC is meant to safeguard users from running programs that can modify the operating system itself. Before such a program is run, a privilege elevation is required, even if the user has full administrator rights: a dialog box appears that the user must confirm before execution begins. OpenVPN needs elevated privileges to run, as it wants to open a system device and start a VPN connection. Elevated privileges are especially essential if routes need to be added to the system.

With OpenVPN 2.3+, privilege elevation is built into the OpenVPN GUI application. That is, even if the Run as Administrator flag is turned off, the OpenVPN GUI application will still request elevated privileges when it is launched. This recipe will demonstrate this behavior, which was not present in older versions of OpenVPN.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 7 SP1 and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks. For the client, keep the configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe from Chapter 2, Client-server IP-only Networks, at hand.

How to do it...

  1. First, start the server:
    [root@server]# openvpn --config basic-udp-server.conf
    
  2. Make sure that OpenVPN is not running and that the tray icon is not present.
  3. Before starting the OpenVPN GUI, right-click on the OpenVPN GUI icon that was placed on your desktop by the OpenVPN 2.3.11 installer for Windows.
  4. In the Properties screen that comes up, click on the Compatibility tab and disable Run this program as an administrator:
  5. Click on OK.
  6. Start the OpenVPN GUI. Note that it will still prompt for permissions (the following screenshot is for Windows Vista, but a similar window will pop up for Windows 7+):
  7. Click on Continue to start the OpenVPN GUI as usual.
  8. Start the OpenVPN client by launching the example5-1 configuration file:
  9. Verify that the VPN connection is established and that the log file, c:\temp\openvpn.log, has been created.

How it works...

When the OpenVPN GUI application is launched, the user must always confirm that it can run with elevated privileges. This is now built into the OpenVPN GUI application itself, as indicated by the shield at the bottom right of the application's icon.

After that, the OpenVPN GUI can launch other executables that will also inherit these privileges. When the GUI launches the openvpn.exe process, it can open the VPN adapter, alter the routing tables, and run the up and down scripts.
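
To confirm on a client that the elevation prompt comes from the executable itself and not from the Compatibility tab, the following PowerShell check can be run; it is an added example, not part of the original recipe or the OpenVPN project. The install path is an assumed default, and the idea that the built-in request is an embedded application manifest is an assumption (it is the usual mechanism behind the shield overlay, but the recipe does not name it).

```powershell
# Assumption: default install location; adjust if OpenVPN was installed elsewhere.
$GuiPath = 'C:\Program Files\OpenVPN\bin\openvpn-gui.exe'

function Test-IsElevated {
    # True when the current token is in the Administrators role, i.e. elevated under UAC.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-CompatRunAsAdmin {
    param([string]$Path)
    # The "Run this program as an administrator" checkbox is stored as a
    # RUNASADMIN layer, in a registry value named after the full executable path.
    $hits = @()
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key    = "$hive\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        $regKey = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($regKey -and ($regKey.GetValue($Path) -match 'RUNASADMIN')) { $hits += $hive }
    }
    return $hits
}

function Get-ManifestExecutionLevel {
    param([string]$Path)
    # An embedded manifest is stored as plain XML text in the PE resources,
    # so a text search over the file contents is enough to read the level.
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
    if ($text -match 'requestedExecutionLevel[^>]*level\s*=\s*["'']([A-Za-z]+)["'']') {
        return $Matches[1]
    }
    return $null   # no manifest entry found (or the binary is packed)
}

if (Test-Path $GuiPath) {
    $layers = Get-CompatRunAsAdmin $GuiPath
    if ($layers.Count -eq 0) { $layers = @('(not set)') }
    $level = Get-ManifestExecutionLevel $GuiPath
    if (-not $level) { $level = '(none found)' }
    "Compatibility RUNASADMIN layer : " + ($layers -join ', ')
    "Manifest execution level       : $level"
} else {
    "Not found: $GuiPath"
}
"Current shell elevated         : $(Test-IsElevated)"
```

With the Compatibility flag cleared as in step 4, a result of `(not set)` for the layer together with a manifest level of `requireAdministrator` would show that the prompt in step 6 is driven by the binary rather than by a per-user setting.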
