In the right
OpenVPN needs administrator permissions, among other things, to configure tunnel endpoints and to set routes. If you are working under Windows without these permissions, OpenVPN cannot start automatically. The necessary rights are supplied by a desktop shortcut to
runas /u:Administrator openvpn-gui.exe
Once started, it prompts for the administrator password. If you do not want to give this password to the users, things are a bit more complicated. It is possible to install OpenVPN as a service that the user is permitted to start and terminate; however, the service cannot request the password for the key. In this case, the OpenVPN GUI author recommends importing the key into the MS Certificate Store, which OpenVPN can access (--cryptoapicert).
These quirks are not present in OpenVPN 2.1. In that version, non-administrators can also access the TAP device. Membership in the "network configuration operators" group is all that is needed to be able to set routes under XP Professional.
Under Linux, the sudo mechanism sets the necessary root permissions:
/usr/bin/sudo /usr/sbin/openvpn /etc/openvpn/client.conf
For this to work without a password, the administrator enters the following lines in /etc/sudoers using visudo:
User_Alias VPN = ju, dab
VPN ALL= NOPASSWD: /usr/sbin/openvpn /etc/openvpn/client.conf
replacing "ju" and "dab" with the appropriate user names.
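
The NOPASSWD rule above runs OpenVPN as root with one fixed configuration path, so the rule is only as tight as the permissions on that file: an OpenVPN configuration can name scripts and plugins that the daemon then executes. The check below is an added example, not part of the original article or of OpenVPN; the function names are hypothetical, and it only inspects the file and its containing directory.

```sh
#!/bin/sh
# Added example: permission audit for the file named in a NOPASSWD sudoers rule.
# Function names are illustrative, not taken from OpenVPN or sudo.

# path_locked OWNER_UID PATH
# Succeeds only if PATH exists, is not a symlink, is owned by OWNER_UID,
# and is not writable by group or others.
path_locked() {
    want_uid=$1; p=$2
    [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
    [ ! -L "$p" ] || { echo "symlink: $p" >&2; return 1; }
    # ls -ldn prints the mode string in field 1 and the numeric uid in field 3.
    info=$(ls -ldn -- "$p" | awk 'NR==1 {print $1, $3}')
    mode=${info% *}; uid=${info#* }
    [ "$uid" = "$want_uid" ] || { echo "owner $uid, expected $want_uid: $p" >&2; return 1; }
    case $mode in
        ?????w*)    echo "group-writable: $p" >&2; return 1 ;;
        ????????w*) echo "world-writable: $p" >&2; return 1 ;;
    esac
    return 0
}

# conf_locked OWNER_UID CONF
# Checks the config file and the directory that contains it, because write
# access to the directory allows the file to be replaced.
conf_locked() {
    path_locked "$1" "$2" && path_locked "$1" "$(dirname "$2")"
}

# Usage: sh check.sh /etc/openvpn/client.conf   (owner 0 = root)
if [ "$#" -gt 0 ]; then
    conf_locked 0 "$1" && echo "ok: $1"
fi
```

Run it against /etc/openvpn/client.conf before enabling the sudoers entry, and again after any change to the file or to /etc/openvpn.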