Hi, On Sat, Mar 5, 2016 at 5:35 AM, Németh Tamás <nemeth.tamas....@nyme.hu> wrote:
> > > Well, what if there would be a checkbox in the installer labeled with > something like "Only members of this group are allowed to use OpenVPN:" and > then a dropdown list of local(?) Windows groups. One of the listed groups > migh > be "OpenVPN Users - TO BE CREATED" or something like this (assuming that > this > group hadn't been created before installation) and if chosen, the installer > should create this group. Indirect group membership should be checked and > anyone running OpenVPN GUI but not allowed to connect should be constantly > warned about his/her insufficient permissions. > For an average user all this is confusing, while for an admin such hand-holding is redundant. > > In addition to this OpenVPN should handle both "systemwide" and "personal" > VPN > profiles. Systemwide profiles should only be created and edited by system > admins, but everyone should be able to create and edit his/her own profiles > stored somewhere in her/his own user profile, even despite not being able > to > instruct OpenVPN to connect using these profiles. > This is already supported. At the expense of being repetitive let me briefly explain the current situation regarding the interactive service (after my restrict options/configs commit) - Configs may be stored in a system-wide location writeable only by admins, or in user's profile writeable by users - The system-wide profiles may be started by any user with or without admin privileges - User's profiles may be started by those who are either in the "Administrators" group or in "OpenVPN Administrators" group Note that these restrictions are somewhat orthogonal to what networkmanager (nm) does on linux. The rationale for that is another topic. The locations and group names referred to above may be customized in the registry -- system-wide one's in HKLM and user-changeable one's in HKCU Finally, back to "average user" of the GUI, I plan to offer a dialog to add the user to the special "OpenVPN Administrators" group when they try to start a config that would be otherwise rejected by the service. This will obviously cause UAC or password prompt and will work only if the user knows admin password. This is work in progress, any feedback will be most helpful. For all this, the only requirement at installation is to create the group " OpenVPN Administrators" which may be done without any user intervention. Any thoughts? Selva
------------------------------------------------------------------------------
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
