With the current implementation of the TAP-Win32 driver included with OpenVPN, administrator privileges is required to open the TAP device. This means that openvpn.exe must be executed with administrator privileges. In many situations it's un recommended to do your day-to-day work logged on with an administrator account. Especially corporate environments often have a policy that users should never have administrator rights even on their local machine. Fortunately there are a few ways to work around this so OpenVPN can be used even in these environments.
Here I present you with two ways to run OpenVPN / OpenVPN GUI as a non-admin user:
Included in the OpenVPN / OpenVPN GUI installation package there is a small service wrapper for OpenVPN. This service simply starts all configuration files it finds in the OpenVPN\config folder. If you want your OpenVPN tunnel to always be up, regardless of whether you are logged on or not, you can simply configure the OpenVPN Service to start automatically at boot-time. However it might be more convenient to be able to start and stop the tunnel when you want, which you can do by starting and stopping the service. For more information about the OpenVPN Service see the "Running OpenVPN as a Windows Service" section in INSTALL-win32.
The major disadvantage with this method is that there is no way to supply the OpenVPN Service with the password used to encrypt your private key. This means that you must use an un-encrypted private key when using this method. A way to get around the problem with having your private key lying unprotected on your hard drive is to import it to the MS Certificate Store and use the --cryptoapicert option to load it. Remember that the service is running as "Local System" (by default) so you must import the key/cert into the System account, not your user account. (There is work in progress to allow OpenVPN to access also user account key/cert's). To load a key/cert into the System accounts CertStore you must use the Certificates MMC Snap-In, not Internet Explorer.
Normally starting and stopping a service requires administrator privileges, but you can assign a normal user the right to control an individual service. You do this with the subinacl.exe utility included in the Windows Resource Kit. You can also download it here:
To give the user "John" the right to start and stop the OpenVPN service, log on as administrator and run the following command:
subinacl /SERVICE "OpenVPNService" /GRANT=john=TO
You can also give a user right to control a service through the use of Group Policies. See this support article for more info.
A default installation of OpenVPN GUI does not give you any way to control the OpenVPN service. There is however two ways to do this. If you are running as administrator, and just want a convenient way to control the OpenVPN Service, you can enable a hidden menu for this. You enable this by setting the following registry value to "1":
HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_service
Since OpenVPN GUI 1.0-rc2 there is a special mode called "Service Only" that is suitable for users running without admin privileges. This mode changes the behavior of the "Connect" and "Disconnect" actions to start and stop the OpenVPN service instead of launching openvpn.exe directly, like it usually does. It also hides the "Proxy Settings" menu as it has no effect on the service. To enable this mode set the following registry value to "1":
HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\service_only
Also remember that a normal user don't have write access to the OpenVPN\config folder, so he won't be able to edit the OpenVPN config file or change his password, unless you give him write access to these files. To hide these menu items set the following registry values to "0":
HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_edit
HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_password
Since Windows 2000, there is a feature that allows you to start an application as another user than the currently logged on account. The best way to use this feature is by starting OpenVPN GUI as administrator this way. Since OpenVPN GUI is then running as administrator any number of OpenVPN tunnels can started and stopped as long as OpenVPN GUI is running.
* Keep in mind that by using this feature you are potentially giving
your users a way to escalate their privileges to administrator rights. If your
main reason for not running as administrator is to protect against malicious
code on the web from executing with administrator rights in your computer, then
this could be a good way to run OpenVPN GUI, but if your users under no circumstances
should be able to run other applications as administrator, you should NOT use
this way to run OpenVPN GUI either!
While installing OpenVPN / OpenVPN GUI, make sure to un-check "AutoStart OpenVPN GUI", as you will need to create your start-up shortcut manually.
When you double-click this short-cut, you will now be prompted for the username and password of the user you want to run as. If you want OpenVPN-GUI to auto-start when you logon, move this short-cut to your "Startup" folder on the Start->Programs menu. You will then be prompted for username and password directly every time you log on.
I'm not aware of any way to save the credentials so you don't have to type them every time in Windows 2000.
When you double-click this short-cut, you will now be prompted for the username and password of the user you want to run as. If you want OpenVPN-GUI to auto-start when you logon, move this short-cut to your "Startup" folder on the Start->Programs menu. You will then be prompted for username and password directly every time you log on.
WARNING: When using this method the user will be able to start ANY application as administrator with the right knowledge.
Next time you run this short-cut, it will start OpenVPN GUI as administrator automatically without prompting you for any credentials. If you want OpenVPN-GUI to auto-start when you logon, move this short-cut to your "Startup" folder on the Start->Programs menu.
There is work in progress to enhance the OpenVPN Service so it can be controlled
via a TCP socket. This will allow individual tunnels to started and stopped
at will, as well as supplying OpenVPN with the password used to encrypt the
private key. OpenVPN GUI 2.0 will be rewritten to make use of this service.