OpenVPN problems



  • I have been researching this for two days now and I don't think I am much closer than I was when I started.

    I am trying to set things up so that when a client connects, the Windows logon script for that user runs and sets up their shares.

    These are the problems that I am running into.

    1. The client that is exported using the client export utility has to be run as administrator in order to work.  Not everyone has admin privileges.
    2. When I try to connect, one of the commands in the logon script is net use \\server\%username%$ - instead of using the login name, it wants to use the admin account that the client is run under.
    3. I tried using the OpenVPN Manager, which eliminates the need to run the program as an administrator, but when I run this it does not run the XXXX_up.bat script.

    I am using LDAP to authenticate the users.

    There has to be an easy way to have a non-admin user connect and automatically have their network drives set up for them.  As I indicated, I have been looking for two days.



  • First, unless you've exported both a domain and a DNS server, "net use \\server\%username%$" is not going to work over a routed tunnel (assuming "server" is referring to the "server name").  It will need to be:

    • "net use \\IP\%username%$"

    • or "net use \\FQDN\%username%$" if you only export the DNS.

    I found a few posts online with the same request.  Here are two different perspectives on a solution:

    • There are two ways.

      1. Use the openvpn --route-up option, but be aware that OpenVPN does not process any packets while the script is running, so to run a command like "net use", you need to execute a second script, and immediately return control to OpenVPN.

      2. Use my GUI to start the connection. You can then put a script called XXX_up.bat in the config folder, where XXX is the same name as your OpenVPN config file. This batch file is then executed after a successful connection has been made. The batch file should return 0 if it was successful, otherwise the GUI will report that a problem has occurred.

      After the above suggestion, the OP followed up this post by saying he solved his issue with the following script:

      ' ---------- up.vbs ---------------------------------
      Option Explicit
      ' Declare variables
      dim WshShell
      ' Initialise variables
      Set WshShell = WScript.CreateObject("WScript.Shell")
      ' Run up.bat, invisible, don't wait till finished
      call WshShell.Run ("up.bat", 0, false)
      ' ---------------------------------------------------

    • Why not just change the script? Ditch the idea of having the script run when the VPN connects, make a script that is scheduled to run every 5 seconds, checks for the existence of the mapped drive, if it's there, bail out. If it's not, try to ping the mapping target, if it's there, set up the map, if not bail out.

      Then just stuff that bad boy in the machine's scheduled tasks, and when the VPN comes up it'll run in a few seconds and set up the map.
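
Added example, not part of any post in this thread: a PowerShell version of the polling approach described above (check for the mapped drive, otherwise ping the target, otherwise bail out). The server name, drive letter and share layout are placeholder assumptions; the script is meant to run as the logged-in user, so the per-user share name comes from that user's own session rather than an admin account.

```powershell
# Added example: idempotent home-share mapping for a per-user scheduled task.
# All values below are placeholders (assumptions), not taken from the thread.
$FileServer  = 'fileserver.example.internal'          # FQDN or IP reachable only over the VPN
$DriveLetter = 'H:'
$Share       = "\\$FileServer\$($env:USERNAME)`$"     # hidden per-user share, e.g. \\host\alice$

function Test-DriveMapped {
    param([string]$Letter)
    # True only when the drive letter currently resolves to a usable file system.
    return (Test-Path -LiteralPath "$Letter\")
}

function Connect-HomeShare {
    # Step 1: mapping already present, nothing to do.
    if (Test-DriveMapped -Letter $DriveLetter) { return 'already-mapped' }

    # Step 2: tunnel not up (or server down), bail out quietly until the next run.
    if (-not (Test-Connection -ComputerName $FileServer -Count 1 -Quiet)) {
        return 'server-unreachable'
    }

    # Step 3: map with the current user's credentials; /persistent:no avoids a
    # stale mapping that Windows retries at every logon while the VPN is down.
    & net.exe use $DriveLetter $Share /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) { return "net-use-failed:$LASTEXITCODE" }
    return 'mapped'
}

$result = Connect-HomeShare
Write-Output $result
# Non-zero exit only on a real mapping failure, so Task Scheduler history shows it.
if ($result -like 'net-use-failed*') { exit 1 } else { exit 0 }
```

Register the task to run as the interactive user without elevated privileges, which keeps the mapping in that user's session and avoids granting local admin rights.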



  • Thanks for the reply.  I appreciate the help but it does not solve my problem.

    I tried using the XXX_up.bat and it does work except for the wrong user name.
    The OpenVPN GUI requires running as admin, which in itself is a problem, and therefore when you run the command net use \\IP\%username%$ it tries to use the admin username instead of the logged-in user.  Giving the user local admin rights is definitely not an option.

    I haven't tried using the command line option yet since I need something very simple.  Unfortunately we have some users that if it takes more than just clicking on an icon and entering a username and password they have a hard time.


  • LAYER 8 Global Moderator

    You can clearly set up OpenVPN for the user; the user does not need to be admin to start a connection.

    Did you google?  There are many a guide on skinning that cat:
    http://www.digitalllama.net/2014/12/allow-non-admin-users-to-connect-with.html
    http://www.informit.com/articles/article.aspx?p=387173&seqNum=9
    etc..

    The current OpenVPN can use a management port on the local machine, and it can be used to tell it to create connections. Here is a GUI to help the user with that:
    http://openvpn-mi-gui.inside-security.de/

    Once you have a tunnel open, create a batch file with your connect commands, put it as an icon on the desktop, and away you go.  Or just map the drive once and have it reconnect at login. Yes, it will fail and give them a red X when not connected; they can right-click on it after getting on the VPN and say connect.



  • Thanks again for the help.  I was able to get this working using the following.

    Download the client including the gui manager.
    Once installed, I was able to go into Services and set the OpenVPN service to start automatically.
    I then downloaded the openvpn-mi-gui program, and when I run it I don't have the problem with the admin and it runs the batch files in the config directory as the logged-in user.

