Allow limited user account to add routes

20 pts.
Tags:
OpenVPN
User Permissions
How can I give someone using a limited user account the ability to add routes *without* adding them to the network configuration operators group? Specifically, I'd like users to be able to use OpenVPN which needs to create a route after establishing a connection.
ASKED: November 20, 2009  9:43 AM
UPDATED: December 2, 2009  4:22 AM

Answer Wiki


Wouldn’t it be the same route all the time?
That is, you would create a pre-determined route, with your account. The user would not create an arbitrary route, using their account.

Discuss This Question: 1  Reply

 
  • Veazer
    No, the routes are created by the openvpn service after all credentials and what not have been passed successfully. Here's a log to UltraVPN (free service) using an admin account: Difference shown in bold.

        OpenVPN 2.1_rc18 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jun 7 2009
        WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
        NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
        LZO compression initialized
        Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
        Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
        Local Options hash (VER=V4): '69109d17'
        Expected Remote Options hash (VER=V4): 'c0103fa8'
        Attempting to establish TCP connection with 87.98.164.142:443
        TCP connection established with 87.98.164.142:443
        Socket Buffers: R=[8192->8192] S=[8192->8192]
        TCPv4_CLIENT link local: [undef]
        TCPv4_CLIENT link remote: 87.98.164.142:443
        TLS: Initial packet from 87.98.164.142:443, sid=17e6c66f d7510814
        WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        VERIFY OK: depth=1, /C=FR/ST=NA/L=BISHKEK/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
        VERIFY OK: depth=0, /C=FR/ST=NA/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
        Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
        [ludwig] Peer Connection Initiated with 87.98.164.142:443
        SENT CONTROL [ludwig]: 'PUSH_REQUEST' (status=1)
        PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.7.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.7.230.138 10.7.230.137'
        OPTIONS IMPORT: timers and/or timeouts modified
        OPTIONS IMPORT: --ifconfig/up options modified
        OPTIONS IMPORT: route options modified
        OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
        ROUTE default_gateway=10.121.232.1
        TAP-WIN32 device [OpenVPN] opened: \\.\Global\{4B38798E-297E-4477-8ED0-07D3A2D17280}.tap
        TAP-Win32 Driver Version 9.4
        TAP-Win32 MTU=1500
        Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.7.230.138/255.255.255.252 on interface {4B38798E-297E-4477-8ED0-07D3A2D17280} [DHCP-serv: 10.7.230.137, lease-time: 31536000]
        Successful ARP Flush on interface [3] {4B38798E-297E-4477-8ED0-07D3A2D17280}
        TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
        C:\WINDOWS\system32\route.exe ADD 87.98.164.142 MASK 255.255.255.255 10.121.232.1
        Route addition via IPAPI succeeded [adaptive]
        C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.7.230.137
        Route addition via IPAPI succeeded [adaptive]
        C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.7.230.137
        Route addition via IPAPI succeeded [adaptive]
        C:\WINDOWS\system32\route.exe ADD 10.7.0.1 MASK 255.255.255.255 10.7.230.137
        Route addition via IPAPI succeeded [adaptive]
        Initialization Sequence Completed

    And again as a limited user:

        OpenVPN 2.1_rc18 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jun 7 2009
        WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
        NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
        LZO compression initialized
        Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
        Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
        Local Options hash (VER=V4): '69109d17'
        Expected Remote Options hash (VER=V4): 'c0103fa8'
        Attempting to establish TCP connection with 87.98.164.142:443
        TCP connection established with 87.98.164.142:443
        Socket Buffers: R=[8192->8192] S=[8192->8192]
        TCPv4_CLIENT link local: [undef]
        TCPv4_CLIENT link remote: 87.98.164.142:443
        TLS: Initial packet from 87.98.164.142:443, sid=10c2ba52 88d2f821
        WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        VERIFY OK: depth=1, /C=FR/ST=NA/L=BISHKEK/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
        VERIFY OK: depth=0, /C=FR/ST=NA/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
        Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
        [ludwig] Peer Connection Initiated with 87.98.164.142:443
        SENT CONTROL [ludwig]: 'PUSH_REQUEST' (status=1)
        PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.7.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.7.230.138 10.7.230.137'
        OPTIONS IMPORT: timers and/or timeouts modified
        OPTIONS IMPORT: --ifconfig/up options modified
        OPTIONS IMPORT: route options modified
        OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
        ROUTE default_gateway=10.121.232.1
        TAP-WIN32 device [OpenVPN] opened: \\.\Global\{4B38798E-297E-4477-8ED0-07D3A2D17280}.tap
        TAP-Win32 Driver Version 9.4
        TAP-Win32 MTU=1500
        Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.7.230.138/255.255.255.252 on interface {4B38798E-297E-4477-8ED0-07D3A2D17280} [DHCP-serv: 10.7.230.137, lease-time: 31536000]
        NOTE: FlushIpNetTable failed on interface [3] {4B38798E-297E-4477-8ED0-07D3A2D17280} (status=6) : The handle is invalid.
        TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
        C:\WINDOWS\system32\route.exe ADD 87.98.164.142 MASK 255.255.255.255 10.121.232.1
        ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=65541]
        Route addition via IPAPI failed [adaptive]
        Route addition fallback to route.exe
        C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.7.230.137
        ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
        Route addition via IPAPI failed [adaptive]
        Route addition fallback to route.exe
        C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.7.230.137
        ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
        Route addition via IPAPI failed [adaptive]
        Route addition fallback to route.exe
        C:\WINDOWS\system32\route.exe ADD 10.7.0.1 MASK 255.255.255.255 10.7.230.137
        ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
        Route addition via IPAPI failed [adaptive]
        Route addition fallback to route.exe
        Initialization Sequence Completed
    20 points
    report
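
The limited-user log above still ends with "Initialization Sequence Completed" although none of the route additions was confirmed. As an added example (not part of the original thread), this Python sketch audits an OpenVPN client log for that state; the function name `audit_routes` and the result keys are assumptions made for illustration, and the sample is abridged from the log above.

```python
import re

# Abridged from the limited-user log quoted above.
LIMITED_USER_LOG = r"""
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.7.0.1,topology net30,ifconfig 10.7.230.138 10.7.230.137'
C:\WINDOWS\system32\route.exe ADD 87.98.164.142 MASK 255.255.255.255 10.121.232.1
ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=65541]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.7.230.137
ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
Initialization Sequence Completed
"""

# Matches the command line whether or not the path's backslashes survived.
ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)", re.I)

def audit_routes(log_text):
    """Return per-route outcomes and whether the client still reported success."""
    routes, completed, redirect = [], False, False
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            routes.append({"dest": m[1], "mask": m[2], "gw": m[3], "status": "unknown"})
        elif "Route addition via IPAPI succeeded" in line and routes:
            routes[-1]["status"] = "ok"
        elif "Route addition via IPAPI failed" in line and routes:
            # The log does not record the route.exe fallback's outcome,
            # so the route is treated as not confirmed installed.
            routes[-1]["status"] = "ipapi_failed"
        elif "PUSH_REPLY" in line and "redirect-gateway" in line:
            redirect = True
        elif "Initialization Sequence Completed" in line:
            completed = True
    failed = [r for r in routes if r["status"] != "ok"]
    # redirect-gateway def1 overrides the default route with two /1 routes.
    def1_missing = any(r["mask"] == "128.0.0.0" for r in failed)
    return {
        "routes": routes,
        "failed": failed,
        # Client looks connected, but the tunnel is not the default path.
        "completed_without_default_route": completed and redirect and def1_missing,
    }
```
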
