Hi

On Thu, Sep 10, 2020 at 3:10 AM Marvin Adeff <volleynb...@gmail.com> wrote:

> Selva,
>
> Please allow me to back up a moment and restate this:
> 1. I installed the beta3 msi from the web site logged in as a user that
> has admin privileges. But no elevation was used to install it, just
> double-click on the file.
> 2. I only used the GUI as installed, with no elevation, to start OpenVPN.
> 3. With TAP selected in my .ovpn config file, everything works normally.
> 4. I am reporting that (from the same login) if I change the .ovpn to use
> wintun (all edits done through the GUI selection), it fails with the error
> I showed below.
>
> Is 4. what you are saying is not supported?

This use case is fully supported and should work. If it's not working, as lev said, something is not right. Please share the full connection log with verb=4 and we may spot something.

> In our use, as we have done for the past decade, the client boxes are used
> for M2M monitoring. OpenVPN has to connect on bootup (.ovpn config file
> contains inline certificates) regardless if there is a user logged in or
> not as M2M monitoring occurs in the background. And if a user does log in,
> most often it is with credentials that have admin privileges. I am trying
> to understand if what you’re telling me is that this will no longer work,
> or if we will need to do something different now? My testing used the GUI
> to see how things will work with wintun so we can continue testing.
>
> Do I need to NOT use the GUI to get wintun to work?

Connections started at boot using OpenVPNService will also work with wintun (2.5_beta3 and newer). You do not have to use the GUI.

When an admin user logs in to Windows the elevated privileges in the token are disabled by default, so the user starting any process including OpenVPN-GUI will run in the *correct* unprivileged mode. Privileges are acquired only when/if a UAC prompt appears and the user consents to it, or when explicitly using run-as-admin.

So, OpenVPN-GUI will run without enabling privileges for all users and that is the right way to run the GUI. So do a million other programs. This is the default behaviour of Windows since Vista and is a good thing.

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
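
Added example, not part of the original message or of OpenVPN: a PowerShell check, run from the same desktop session that starts OpenVPN-GUI, that shows whether the current process holds the filtered (unprivileged) token described in the reply or an elevated one. The function name `Get-TokenState` and the verdict strings are made up for this illustration; the SIDs are the well-known Windows values.

```powershell
# Added example: classify the token of the current process.
$adminSid = 'S-1-5-32-544'        # well-known SID of BUILTIN\Administrators
$labels = @{                      # well-known mandatory integrity label SIDs
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-TokenState {         # hypothetical helper name
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity

    # True only when Administrators is an *enabled* group in this token.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the token, deny-only ones included.
    # /nh drops the localized header row, so column names are supplied here.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes

    $adminInToken = [bool]($groups | Where-Object { $_.SID -eq $adminSid })
    $labelSid = ($groups | Where-Object { $_.SID -like 'S-1-16-*' } |
        Select-Object -First 1).SID
    $integrity = 'Unknown'
    if ($labelSid -and $labels.ContainsKey($labelSid)) {
        $integrity = $labels[$labelSid]
    }

    if ($elevated) {
        $verdict = 'elevated: administrator privileges are active'
    } elseif ($adminInToken) {
        $verdict = 'admin account, filtered token: unprivileged until UAC consent or run-as-admin'
    } else {
        $verdict = 'standard user'
    }

    [pscustomobject]@{
        User              = $identity.Name
        Elevated          = $elevated
        AdminGroupInToken = $adminInToken
        Integrity         = $integrity
        Verdict           = $verdict
    }
}

Get-TokenState | Format-List
```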