Using OpenVPN as a user

     

Though the title is quite ironic already, it really is a problem. You can’t just run that oh-so-awesome OpenVPN GUI as a regular (i.e. non-admin) user. You don’t have the required permissions yada yada. The OpenVPN guys say it’s not their fault, it’s the fault of Windows so it can’t be solved. But oh wait, they’re gonna solve it sometime, it’s on the roadmap. So maybe it’s not Windows’ fault or wut?

Whatever. The point is, you can’t run the executable as a user. So the idea is, start the service with sufficient privileges and control the service as a user afterwards, right? No. Users can’t control the OpenVPN service – out of the box. Let’s see what you can do about it.

First, make the GUI control the service instead of running the executable:

HKLM\SOFTWARE\OpenVPN-GUI\service_only

Set it to 1.

Then set permissions on the OpenVPN service so that our beloved user can control it. You’ll need the SubInAcl tool, which is made by Microsoft and is part of the Windows Server Resource Kit. After installation, perform the following on the command line:

set PATH=%PATH%;C:\Program Files\Windows Resource Kits\Tools
subinacl /service \\%COMPUTERNAME%\OpenVPNService /GRANT=DOMAIN\user_name=TO

This will grant the user_name user in the DOMAIN domain start (T) and stop (O) rights for the OpenVPNService service on the local machine. This tool only sets rights so you can safely delete it after making the changes.

Optionally, you can make the OpenVPN GUI start automatically for the user.

That’s it. Now your user can start and stop the connection via the GUI. There’s one caveat though: it won’t work with password-protected keys.
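
To check what the steps above actually left on the machine, this PowerShell script (an added example, not part of the original post) reads the service's DACL with sc.exe sdshow and lists the rights held directly by the account, flagging anything beyond start and stop. DOMAIN\user_name is the placeholder from the text, and the script assumes the rights appear as two-letter SDDL codes.

```powershell
# Added example (not from the original post): audit what the grant left behind.
# DOMAIN\user_name is the placeholder account used in the text.
param(
    [string]$Service = 'OpenVPNService',
    [string]$Account = 'DOMAIN\user_name'
)

# SDDL right codes as they apply to services.
$names = @{
    CC = 'query config';  LC = 'query status'; SW = 'enumerate dependents'
    RP = 'start';         WP = 'stop';         DT = 'pause/continue'
    LO = 'interrogate';   CR = 'user-defined control'; RC = 'read control'
    DC = 'change config'; SD = 'delete';       WD = 'write DAC'; WO = 'write owner'
}
$expected = 'RP', 'WP'              # what "=TO" is meant to grant
$risky    = 'DC', 'SD', 'WD', 'WO'  # rights that let the holder alter the service itself

function Get-AceRights {
    param([string]$Sddl, [string]$Sid)
    # Allow ACEs have the form (A;flags;rights;;;sid). Only ACEs that name the
    # SID directly are matched; rights held through groups are not resolved,
    # and ACEs whose rights are written in hex are skipped.
    $pattern = '\(A;[^;]*;([A-Z]*);[^;]*;[^;]*;([^)]+)\)'
    foreach ($ace in [regex]::Matches($Sddl, $pattern)) {
        if ($ace.Groups[2].Value -eq $Sid) {
            [regex]::Matches($ace.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        }
    }
}

$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

$sddl = (sc.exe sdshow $Service | Where-Object { $_ }) -join ''
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $sddl" }

$held = @(Get-AceRights -Sddl $sddl -Sid $sid | Select-Object -Unique)
foreach ($r in $held) {
    $tag = if ($r -in $risky) { 'RISKY' } elseif ($r -in $expected) { 'expected' } else { 'extra' }
    '{0}  {1,-22} {2}' -f $r, $names[$r], $tag
}
$expected | Where-Object { $_ -notin $held } | ForEach-Object { "$_  $($names[$_]) is MISSING" }

# The GUI only drives the service when service_only is 1 (value named in the text).
$gui = Get-ItemProperty 'HKLM:\SOFTWARE\OpenVPN-GUI' -ErrorAction SilentlyContinue
"service_only = $($gui.service_only)"
```

A clean result shows only RP and WP marked as expected; a RISKY line means the account holds far more than start and stop and the grant should be redone.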