On Fri, Aug 11, 2017 at 10:05 AM, Simon Rozman via Openvpn-devel <openvpn-devel@lists.sourceforge.net> wrote:
>
> But that's what I wanted in the first place, as I believe Interactive
> Service "security" scheme makes no sense.
>
> Why does OpenVPN restrict non-admin users from using Interactive Service in
> the first place, while Windows' out-of-the-box VPN connects them just fine?
> If you are afraid a malware would start connecting - they already can: using
> Windows' VPN.
>
AFAIK, Windows VPN can be set up without admin rights only if the connection
is not shared with other users. Thus a limited user cannot redirect traffic
of all users. In OpenVPN we do not have a provision for such a separation
-- at least not as yet.
>
> Flushing ARP cache, client DNS registration, and other tasks OpenVPN can't
> perform as non-admin user is a technical issue of OpenVPN running in user
> space. Not a security one. Interactive Service overcomes that, but at the
> same time it assumes it's a security sensitive issue.
>
These tasks normally require admin rights (or some privilege like Network
Configuration Operators). So admin has to decide who is allowed to do such
actions.
>
> This limitation can and will be turned off with one or another simple
> administrator task (performed by eduVPN setup). So, this is no biggie...
>
Yes, a simple "administrator task" is all that is required to provide extra
privileges to users. In case of interactive service it's supposed to be done
at the time of installation.

Selva