It is considered a security risk to run software that accepts connections from untrusted networks (such as the Internet) under privileged user accounts (such as LocalSystem). Unlike most IPSec-based VPN implementations, OpenVPN can be executed under an unprivileged user account. To function properly it only needs access to the device objects of its own TAP driver and of the Windows TCP/IP driver (and, of course, to the files it uses). There are two simple ways to achieve this.
Less restrictive, easier
This works only with OpenVPN 2.0.9 (and probably later) on Windows XP and later. The TAP driver included in this version of OpenVPN by default allows Everyone to access its device objects (although these objects are accessible only while OpenVPN isn't using them). So the only problem here is access to the Windows TCP/IP driver. This can be granted by adding the unprivileged account to the Network Configuration Operators group. This method is very easy, but has several drawbacks:
- It isn't possible on Windows 2000.
- It requires OpenVPN 2.0.9 (or probably later).
- TAP driver device objects remain accessible by Everyone while they are not in use by OpenVPN.
- The user account running OpenVPN has full access to the networking configuration.
More restrictive, less easy
Access permissions for device objects can be customized with the command line utility WDevSec. To make OpenVPN functional in a limited user account, this script may be used with WDevSec. It takes one or two command line parameters: the user/group name that will run OpenVPN and, optionally, any string as the second parameter to start the OpenVPN service after setting permissions.
This script makes the TAP driver device objects accessible only to the specified user/group (and additionally to the Administrators group). Access to the Windows TCP/IP driver device objects is also granted to this account, so it will be able to make volatile changes to the Windows TCP/IP configuration (flush the ARP cache, add non-persistent routes etc.).
It is also recommended to set the Non-Admin Access setting (in the TAP network "adapter" advanced properties) to Not Allowed. This setting protects the TAP driver device objects even before the script has been executed.
When using this method OpenVPN must be started after the script has been executed (if OpenVPN runs as a service, the Startup type of this service should be set to Manual and the script should be used to start it). It is recommended to run this script on every system startup. This can be achieved by adding a Scheduled Task scheduled to run At System Startup, or by adding it to the startup scripts in Group Policy.
Also, if the TAP driver is restarted (for example when its virtual Ethernet adapter is disabled and then re-enabled, or when new virtual Ethernet adapters are added), this script must be executed again to regain proper permissions on the TAP driver.
This method is more restrictive, because the TAP driver is secured (only the specified user/group will be able to access it) and this user/group has access only to the volatile part of the Windows TCP/IP configuration (it won't be able to add persistent routes, change IP addresses persistently etc.). This method is more complex, but it solves all the drawbacks of the previous method. Note that it doesn't work with the ip-win32 netsh OpenVPN option, because netsh makes persistent changes to the Windows TCP/IP configuration.
Regardless of the method used to make the TAP and TCP/IP drivers accessible, permissions on OpenVPN files/folders must additionally be set. OpenVPN requires Read, Write & Execute access to its log files; however, when it creates new log files they are fully accessible by Everyone (so they need to be secured). It is also recommended to make the configuration files (especially key files), or the whole OpenVPN folder, inaccessible to other unprivileged users. So the recommended file/folder permissions are:
- On the whole OpenVPN folder: Full Control to SYSTEM, Full Control to Administrators, Read & Execute to the user running the OpenVPN process.
- On the log folder: additionally Write to the user running the OpenVPN process, with Reset permissions on all child objects and... enabled (this should be reapplied every time a new log file is created).
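As an added example (not part of the original page), the following PowerShell script applies the recommended file/folder permissions with icacls and then reports any log file that is still accessible to Everyone; the install path, log folder and account name are assumptions and must be adjusted to the local installation.

```powershell
# Added example, not from the original page: applies the file/folder
# permissions recommended above with icacls and then checks that no log
# file is still accessible to Everyone. Run from an elevated PowerShell.
# Paths and the account name are assumptions; adjust to your installation.
param(
    [string]$OpenVpnRoot = 'C:\Program Files\OpenVPN',       # assumed
    [string]$LogDir      = 'C:\Program Files\OpenVPN\log',   # assumed
    [string]$ServiceUser = 'openvpn-svc'                     # assumed account
)

function Invoke-Icacls {
    # Wrapper so a failing icacls call stops the script instead of
    # leaving the folder half-secured.
    param([string[]]$IcaclsArgs)
    & icacls.exe @IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $($IcaclsArgs -join ' ') failed" }
}

function Set-OpenVpnPermissions {
    param([string]$Root, [string]$Log, [string]$User)

    # Whole OpenVPN folder: remove inherited ACEs (/inheritance:r), then
    # grant exactly SYSTEM Full, Administrators Full and the service user
    # Read & Execute. (OI)(CI) makes each ACE inherit to files and subfolders.
    Invoke-Icacls @($Root, '/inheritance:r', '/grant:r',
        'SYSTEM:(OI)(CI)F', 'Administrators:(OI)(CI)F', "${User}:(OI)(CI)RX")

    # Log folder: /reset /T replaces the ACL of the folder and every child
    # with inherited-only ACEs. This is the "reset permissions on all child
    # objects" step; it removes the Everyone ACE on newly created log files.
    Invoke-Icacls @($Log, '/reset', '/T')

    # Additionally grant Write to the service user; Read & Execute is already
    # inherited from the parent folder, so the user ends up with RX + W.
    Invoke-Icacls @($Log, '/grant', "${User}:(OI)(CI)W")
}

function Get-WorldAccessibleLogFiles {
    # Returns log files that still carry an ACE for Everyone (SID S-1-1-0),
    # i.e. files created since the last run that need the reset re-applied.
    param([string]$Log)
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value
    Get-ChildItem -Path $Log -File -Recurse | Where-Object {
        (Get-Acl $_.FullName).Access.IdentityReference.Value -contains $everyone
    }
}

Set-OpenVpnPermissions -Root $OpenVpnRoot -Log $LogDir -User $ServiceUser
$leftover = @(Get-WorldAccessibleLogFiles -Log $LogDir)
foreach ($f in $leftover) { Write-Warning "Still accessible to Everyone: $($f.FullName)" }
if ($leftover.Count -eq 0) { Write-Host "OpenVPN folder and log files secured for $ServiceUser" }
```

Scheduling this script the same way as the WDevSec script (At System Startup) also covers the requirement to reapply the log folder permissions after OpenVPN creates a new log file.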
Implementing the methods described above improves the security of the computer running OpenVPN, because it becomes much harder to compromise the system if a remote code execution attack is targeted at OpenVPN.