OpenVPN Interactive Service Notes ================================= Introduction ------------ OpenVPN Interactive Service, also known as "iservice" or "OpenVPNServiceInteractive", is a Windows system service which allows unprivileged openvpn.exe process to do certain privileged operations, such as adding routes. This removes the need to always run OpenVPN as administrator, which was the case for a long time, and continues to be the case for OpenVPN 2.3.x. The 2.4.x release and git "master" versions of OpenVPN contain the Interactive Service code and OpenVPN-GUI is setup to use it by default. Starting from version 2.4.0, OpenVPN-GUI is expected to be started as user (do not right-click and "run as administrator" or do not set the shortcut to run as administrator). This ensures that OpenVPN and the GUI run with limited privileges. How It Works ------------ Here is a brief explanation of how the Interactive Service works, based on `Gert's email`_ to openvpn-devel mailing list. The example user, *joe*, is not an administrator, and does not have any other extra privileges. - OpenVPN-GUI runs as user *joe*. - Interactive Service runs as a local Windows service with maximum privileges. - OpenVPN-GUI connects to the Interactive Service and asks it to "run openvpn.exe with the given command line options". - Interactive Service starts openvpn.exe process as user *joe*, and keeps a service pipe between Interactive Service and openvpn.exe. - When openvpn.exe wants to perform any operation that require elevation (e.g. ipconfig, route, configure DNS), it sends a request over the service pipe to the Interactive Service, which will then execute it (and clean up should openvpn.exe crash). - ``--up`` scripts are run by openvpn.exe itself, which is running as user *joe*, all privileges are nicely in place. - Scripts run by the GUI will run as user *joe*, so that automated tasks like mapping of drives work as expected. This avoids the use of scripts for privilege escalation (as was possible by running an ``--up`` script from openvpn.exe which is run as administrator). Client-Service Communication ---------------------------- Connecting ~~~~~~~~~~ The client (OpenVPN GUI) and the Interactive Service communicate using a named message pipe. By default, the service provides the ``\\.\pipe\openvpn\service`` named pipe. The client connects to the pipe for read/write and sets the pipe state to ``PIPE_READMODE_MESSAGE``:: HANDLE pipe = CreateFile(_T("\\\\.\\pipe\\openvpn\\service"), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL); if (pipe == INVALID_HANDLE_VALUE) { // Error } DWORD dwMode = PIPE_READMODE_MESSAGE; if (!SetNamedPipeHandleState(pipe, &dwMode, NULL, NULL) { // Error } openvpn.exe Startup ~~~~~~~~~~~~~~~~~~~ After the client is connected to the service, the client must send a startup message to have the service start the openvpn.exe process. The startup message is comprised of three UTF-16 strings delimited by U0000 zero characters:: startupmsg = workingdir WZERO openvpnoptions WZERO stdin WZERO workingdir = WSTRING openvpnoptions = WSTRING stdin = WSTRING WSTRING = *WCHAR WCHAR = %x0001-FFFF WZERO = %x0000 ``workingdir`` Represents the folder openvpn.exe process should be started in. ``openvpnoptions`` String contains ``--config`` and other OpenVPN command line options, without the ``argv[0]`` executable name ("openvpn" or "openvpn.exe"). When there is only one option specified, the ``--config`` option is assumed and the option is the configuration filename. Note that the interactive service validates the options. OpenVPN configuration file must reside in the configuration folder defined by ``config_dir`` registry value. The configuration file can also reside in any subfolder of the configuration folder. For all other folders the invoking user must be a member of local Administrators group, or a member of the group defined by ``ovpn_admin_group`` registry value ("OpenVPN Administrators" by default). ``stdin`` The content of the ``stdin`` string is sent to the openvpn.exe process to its stdin stream after it starts. When a ``--management ... stdin`` option is present, the openvpn.exe process will prompt for the management interface password on start. In this case, the ``stdin`` must contain the password appended with an LF (U000A) to simulate the [Enter] key after the password is "typed" in. The openvpn.exe's stdout is redirected to ``NUL``. Should the client require openvpn.exe's stdout, one should specify ``--log`` option. The message must be written in a single ``WriteFile()`` call. Example:: // Prepare the message. size_t msg_len = wcslen(workingdir) + 1 + wcslen(options ) + 1 + wcslen(manage_pwd) + 1; wchar_t *msg_data = (wchar_t*)malloc(msg_len*sizeof(wchar_t)); _snwprintf(msg_data, msg_len, L"%s%c%s%c%s", workingdir, L'\0', options, L'\0', manage_pwd) // Send the message. DWORD dwBytesWritten; if (!WriteFile(pipe, msg_data, msg_len*sizeof(wchar_t), &dwBytesWritten, NULL)) { // Error } // Sanitize memory, since the stdin component of the message // contains the management interface password. SecureZeroMemory(msg_data, msg_len*sizeof(wchar_t)); free(msg_data); openvpn.exe Process ID ~~~~~~~~~~~~~~~~~~~~~~ After receiving the startup message, the Interactive Service validates the user and specified options before launching the openvpn.exe process. The Interactive Service replies with a process ID message. The process ID message is comprised of three UTF-16 strings delimited by LFs (U000A):: pidmsg = L"0x00000000" WLF L"0x" pid WLF L"Process ID" pid = 8*8WHEXDIG WHEXDIG = WDIGIT / L"A" / L"B" / L"C" / L"D" / L"E" / L"F" WDIGIT = %x0030-0039 WLF = %x000a ``pid`` A UTF-16 eight-character hexadecimal process ID of the openvpn.exe process the Interactive Service launched on client's behalf. openvpn.exe Monitoring and Termination ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ After the openvpn.exe process is launched, the client can disconnect the pipe to the interactive service. However, it should monitor the openvpn.exe process itself. OpenVPN Management Interface is recommended for this. The client may choose to stay connected to the pipe. When the openvpn.exe process terminates, the service disconnects the pipe. Should the openvpn.exe process terminate with an error, the service sends an error message to the client before disconnecting the pipe. Note that Interactive Service terminates all child openvpn.exe processes when the service is stopped or restarted. This allows a graceful elevation-required clean-up (e.g. restore ipconfig, route, DNS). Error Messages ~~~~~~~~~~~~~~ In case of an error, the Interactive Service sends an error message to the client. Error messages are comprised of three UTF-16 strings delimited by LFs (U000A):: errmsg = L"0x" errnum WLF func WLF msg errnum = 8*8WHEXDIG func = WSTRING msg = WSTRING ``errnum`` A UTF-16 eight-character hexadecimal error code. Typically, it is one of the Win32 error codes returned by ``GetLastError()``. However, it can be one of the Interactive Service specific error codes: ===================== ========== Error Code ===================== ========== ERROR_OPENVPN_STARTUP 0x20000000 ERROR_STARTUP_DATA 0x20000001 ERROR_MESSAGE_DATA 0x20000002 ERROR_MESSAGE_TYPE 0x20000003 ===================== ========== ``func`` The name of the function call that failed or an error description. ``msg`` The error description returned by a ``FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM, 0, errnum, ...)`` call. Interactive Service Configuration --------------------------------- The Interactive Service settings are read from the ``HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN`` registry key by default. All the following registry values are of the ``REG_SZ`` type: *Default* Installation folder (required, hereinafter ``install_dir``) ``exe_path`` The absolute path to the openvpn.exe binary; defaults to ``install_dir "\bin\openvpn.exe"``. ``config_dir`` The path to the configuration folder; defaults to ``install_dir "\config"``. ``priority`` openvpn.exe process priority; one of the following strings: - ``"IDLE_PRIORITY_CLASS"`` - ``"BELOW_NORMAL_PRIORITY_CLASS"`` - ``"NORMAL_PRIORITY_CLASS"`` (default) - ``"ABOVE_NORMAL_PRIORITY_CLASS"`` - ``"HIGH_PRIORITY_CLASS"`` ``ovpn_admin_group`` The name of the local group, whose members are authorized to use the Interactive Service unrestricted; defaults to ``"OpenVPN Administrators"`` Multiple Interactive Service Instances -------------------------------------- OpenVPN 2.4.5 extended the Interactive Service to support multiple side-by-side running instances. This allows clients to use different Interactive Service versions with different settings and/or openvpn.exe binary version on the same computer. OpenVPN installs the default Interactive Service instance only. The default instance is used by OpenVPN GUI client and also provides backward compatibility. Installing a Non-default Interactive Service Instance ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Choose a unique instance name. For example: "$v2.5-test". The instance name is appended to the default registry path and service name. We choose to start it with a dollar "$" sign analogous to Microsoft SQL Server instance naming scheme. However, this is not imperative. Appending the name to the registry path and service name also implies the name cannot contain characters not allowed in Windows paths: "<", ">", double quote etc. 2. Create an ``HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN$v2.5-test`` registry key and configure the Interactive Service instance configuration appropriately. This allows using slightly or completely different settings from the default instance. See the `Interactive Service Configuration`_ section for the list of registry values. 3. Create and start the instance's Windows service from an elevated command prompt:: sc create "OpenVPNServiceInteractive$v2.5-test" \ start= auto \ binPath= " -instance interactive $v2.5-test" \ depend= tap0901/Dhcp \ DisplayName= "OpenVPN Interactive Service (v2.5-test)" sc start "OpenVPNServiceInteractive$v2.5-test" This allows using the same or a different version of openvpnserv.exe than the default instance. Note the space after "=" character in ``sc`` command line options. 4. Set your OpenVPN client to connect to the ``\\.\pipe\openvpn$v2.5-test\service``. This allows the client to select a different installed Interactive Service instance at run-time, thus allowing different OpenVPN settings and versions. At the time writing, the OpenVPN GUI client supports connecting to the default Interactive Service instance only. .. _`Gert's email`: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00097.html