How can I give someone using a limited user account the ability to add routes *without* adding them to the network configuration operators group? Specifically, I'd like users to be able to use OpenVPN which needs to create a route after establishing a connection.
Asked: November 20, 2009 9:43 AM
Updated: December 2, 2009 4:22 AM
No, the routes are created by the openvpn service after all credentials and what not have been passed successfully. Here’s a log to UltraVPN (free service) using an admin account:
Difference shown in bold.
OpenVPN 2.1_rc18 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jun 7 2009
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): '69109d17'
Expected Remote Options hash (VER=V4): 'c0103fa8'
Attempting to establish TCP connection with 87.98.164.142:443
TCP connection established with 87.98.164.142:443
Socket Buffers: R=[8192->8192] S=[8192->8192]
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: 87.98.164.142:443
TLS: Initial packet from 87.98.164.142:443, sid=17e6c66f d7510814
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
VERIFY OK: depth=1, /C=FR/ST=NA/L=BISHKEK/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
VERIFY OK: depth=0, /C=FR/ST=NA/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
[ludwig] Peer Connection Initiated with 87.98.164.142:443
SENT CONTROL [ludwig]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.7.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.7.230.138 10.7.230.137'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE default_gateway=10.121.232.1
TAP-WIN32 device [OpenVPN] opened: \\.\Global\{4B38798E-297E-4477-8ED0-07D3A2D17280}.tap
TAP-Win32 Driver Version 9.4
TAP-Win32 MTU=1500
Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.7.230.138/255.255.255.252 on interface {4B38798E-297E-4477-8ED0-07D3A2D17280} [DHCP-serv: 10.7.230.137, lease-time: 31536000]
Successful ARP Flush on interface [3] {4B38798E-297E-4477-8ED0-07D3A2D17280}
TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
C:\WINDOWS\system32\route.exe ADD 87.98.164.142 MASK 255.255.255.255 10.121.232.1
Route addition via IPAPI succeeded [adaptive]
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.7.230.137
Route addition via IPAPI succeeded [adaptive]
C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.7.230.137
Route addition via IPAPI succeeded [adaptive]
C:\WINDOWS\system32\route.exe ADD 10.7.0.1 MASK 255.255.255.255 10.7.230.137
Route addition via IPAPI succeeded [adaptive]
Initialization Sequence Completed
And again as a limited user:
OpenVPN 2.1_rc18 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jun 7 2009
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): '69109d17'
Expected Remote Options hash (VER=V4): 'c0103fa8'
Attempting to establish TCP connection with 87.98.164.142:443
TCP connection established with 87.98.164.142:443
Socket Buffers: R=[8192->8192] S=[8192->8192]
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: 87.98.164.142:443
TLS: Initial packet from 87.98.164.142:443, sid=10c2ba52 88d2f821
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
VERIFY OK: depth=1, /C=FR/ST=NA/L=BISHKEK/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
VERIFY OK: depth=0, /C=FR/ST=NA/O=OpenVPN-TEST/CN=ludwig/emailAddress=me@myhost.mydomain
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
[ludwig] Peer Connection Initiated with 87.98.164.142:443
SENT CONTROL [ludwig]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.7.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.7.230.138 10.7.230.137'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
ROUTE default_gateway=10.121.232.1
TAP-WIN32 device [OpenVPN] opened: \\.\Global\{4B38798E-297E-4477-8ED0-07D3A2D17280}.tap
TAP-Win32 Driver Version 9.4
TAP-Win32 MTU=1500
Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.7.230.138/255.255.255.252 on interface {4B38798E-297E-4477-8ED0-07D3A2D17280} [DHCP-serv: 10.7.230.137, lease-time: 31536000]
NOTE: FlushIpNetTable failed on interface [3] {4B38798E-297E-4477-8ED0-07D3A2D17280} (status=6) : The handle is invalid.
TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
C:\WINDOWS\system32\route.exe ADD 87.98.164.142 MASK 255.255.255.255 10.121.232.1
ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=65541]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.7.230.137
ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.7.230.137
ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
C:\WINDOWS\system32\route.exe ADD 10.7.0.1 MASK 255.255.255.255 10.7.230.137
ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
Initialization Sequence Completed
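The limited-user log above ends with "Initialization Sequence Completed" even though every CreateIpForwardEntry call was refused (Win32 status 65, ERROR_NETWORK_ACCESS_DENIED) and OpenVPN only says it fell back to route.exe, never whether that fallback worked. As an added example (not from this thread), here is a small Python parser that reads the route section of such a log and flags a tunnel that "completed" without any route confirmed installed; the embedded sample lines are copied from the limited-user log, trimmed to the two redirect-gateway halves.

```python
import re
from dataclasses import dataclass

# Sample input: route section of the limited-user log quoted above (trimmed).
LIMITED_USER_LOG = """\
C:\\WINDOWS\\system32\\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.7.230.137
ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
C:\\WINDOWS\\system32\\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.7.230.137
ROUTE: route addition failed using CreateIpForwardEntry: Network access is denied. [status=65 if_index=3]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
Initialization Sequence Completed
"""

ROUTE_CMD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
IPAPI_ERR = re.compile(r"CreateIpForwardEntry: (.+?) \[status=(\d+)")

@dataclass
class RouteAttempt:
    dest: str
    mask: str
    gateway: str
    ipapi_ok: bool = False  # "Route addition via IPAPI succeeded" seen
    error: str = ""         # text of the CreateIpForwardEntry failure, if any
    status: int = 0         # Win32 status from that line; 65 = ERROR_NETWORK_ACCESS_DENIED

def parse_route_attempts(log: str) -> list:
    """Group each 'route.exe ADD' line with the IPAPI result lines that follow it."""
    attempts = []
    for line in log.splitlines():
        m = ROUTE_CMD.search(line)
        if m:
            attempts.append(RouteAttempt(*m.groups()))
        elif attempts:
            e = IPAPI_ERR.search(line)
            if e:
                attempts[-1].error, attempts[-1].status = e.group(1), int(e.group(2))
            elif "via IPAPI succeeded" in line:
                attempts[-1].ipapi_ok = True
    return attempts

def audit(log: str) -> dict:
    """Flag a tunnel that reports completion although no route was confirmed installed."""
    attempts = parse_route_attempts(log)
    unconfirmed = [a for a in attempts if not a.ipapi_ok]
    pushed = {(a.dest, a.mask) for a in attempts}
    return {
        "completed": "Initialization Sequence Completed" in log,
        "routes": len(attempts),
        "unconfirmed": len(unconfirmed),
        "access_denied": bool(unconfirmed) and all(a.status == 65 for a in unconfirmed),
        # redirect-gateway def1 pushes two /1 routes that shadow the existing default route
        "def1_redirect": {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")} <= pushed,
    }
```

A result with `completed` true and `unconfirmed` equal to `routes` means the client believes it is up while traffic may still be leaving through the original default gateway.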