GUIDE

OpenVPN Client: Autorun and autoconnect

At BestVPN we always recommend using OpenVPN, as it is by far the most secure tunnelling method. While a number of providers create their own VPN software, these are usually based on the standard OpenVPN Client. Though we usually prefer open source software, we also like to see proprietary software with plenty of added features built in. In the latter case you have to trust that the provider has not put anything malicious into its software, but since you never know what happens server side, you’ll need to trust your service provider anyway.

With OpenVPN there are plenty of configurations that can be achieved, and this means that the .ovpn files can vary to some extent between providers. Compared to proprietary software, there are two big differences that are directly noticeable to the user, as well as an issue that affects a smaller number of users. We will provide solutions to all three in this article:

  1. The OpenVPN client does not automatically launch when you start your computer / log in
  2. Some companies rely on the slightly weaker username and password authentication method (unlike secure companies such as VikingVPN and Buffered) and you’re required to input this every time you connect or change server
  3. How to run OpenVPN without needing an administrator account/password (after the initial setup), so that if you have other people using the same computer they can use the VPN without being able to modify anything else [or if, like me, you use a standard account for your daily activities to increase security].

To be able to overcome all of these issues, you will need to have Administrator privileges. We are using Windows 7 for our demonstrations, but the steps will be very similar for Windows Vista and 8.

Autorun OpenVPN

When most programmes launch at start up, this is usually done through the registry which can be changed using the regedit tool. However, we have found that using the Task Scheduler is not only more customisable, but also easier to work with. So with the preamble out of the way, let’s start:

  1. Click the Windows button, type ‘Task Scheduler’ and start it. (Make sure you’re doing this as an administrator)
  2. Click ‘Create Task’ in the right hand column
  3. In the General tab, do the following:
    1. Enter a suitable name and description
    2. Select the user you wish for it to work on
    3. Enable ‘Run with highest privileges’
    4. Configure for your system.
  4. In the Triggers tab
    1. Click New to define when to launch OpenVPN
    2. The simplest method is to launch it when the selected user logs in
  5. In the Actions tab
    1. Click New
    2. Select Start a program as the action
    3. Browse for the OpenVPN GUI client and set it as the programme
    4. If you want it to automatically connect to a server, enter --connect xxxxxxx.ovpn into Add arguments (where xxxxxxx is the name of the .ovpn file)
  6. In the Conditions tab you can set some extra settings. We always like to have the VPN running, so we have disabled all of them; the Network option is the one that could be very useful for some people
  7. In the Settings tab you can specify additional behaviours.
  8. In the History tab you can view any errors or problems (as long as you have History tracking enabled)
  9. Once you have done everything, click OK and your Task will be created
  10. To check that it is running you need to do the following.
    1. Make sure OpenVPN GUI is closed
    2. In Task Scheduler right click on the Task you just created and click Run
    3. OpenVPN should now launch and, if you have set it up, automatically connect.
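
The same task can also be created from an elevated PowerShell prompt. This is an added example, not part of the original guide; it assumes Windows 8 or later (the ScheduledTasks module is not available on Windows 7), the default install path for openvpn-gui.exe, and a hypothetical task name.

```powershell
# Added example: scripted equivalent of steps 2-10 above. Run elevated.
# Assumptions (not from the guide): install path, task name, Windows 8+.
$gui    = 'C:\Program Files\OpenVPN\bin\openvpn-gui.exe'
$cfgDir = 'C:\Program Files\OpenVPN\config'
$ovpn   = 'xxxxxxx.ovpn'                    # placeholder, as in step 5.4
$user   = "$env:USERDOMAIN\$env:USERNAME"   # change to the user chosen in step 3.2
$task   = 'OpenVPN AutoRun'                 # hypothetical task name

# The task runs elevated at every logon, so check what it will start.
if (-not (Test-Path -LiteralPath $gui)) { throw "Not found: $gui" }
if (-not (Test-Path -LiteralPath (Join-Path $cfgDir $ovpn))) {
    throw "Profile $ovpn not found in $cfgDir"
}
$sig = Get-AuthenticodeSignature -FilePath $gui
if ($sig.Status -ne 'Valid') { Write-Warning "Signature status: $($sig.Status)" }

# Actions tab: start the GUI and connect to the named profile.
$action = New-ScheduledTaskAction -Execute $gui -Argument "--connect $ovpn"
# Triggers tab: at logon of the selected user.
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $user
# General tab: selected user, 'Run with highest privileges'.
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Highest
# Conditions tab: power conditions disabled so the VPN always starts.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $task -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Start OpenVPN GUI and connect at logon' | Out-Null

# Step 10: run the task once and read back its state.
# LastTaskResult 267009 (0x41301) means "still running", expected for the GUI.
Start-ScheduledTask -TaskName $task
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $task | Select-Object LastRunTime, LastTaskResult
```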

Connect without requiring VPN login details

The default folder for .ovpn files is “C:\Program Files\OpenVPN\config”. You will need to carry out step 1 for every OpenVPN file that you use. We do not recommend this method very much, as you will be storing your login name and password in a plain text file, but some people might find it useful. HMA does provide a log-in tool to help with this to some extent, but as mentioned it is a lot more secure if key authentication is used instead of user/pass.

  1. Open the .ovpn file using a text editor. In the line that says auth-user-pass, add password.txt to the end of it.
  2. In the same folder create a text file called password.txt. In the first line enter your username and on the second line your password
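
Because password.txt holds the credentials in clear text, and files under C:\Program Files are readable by every local account by default, it is worth checking who can read it. The following is an added example, not part of the original guide; it assumes the credential file is referenced by a bare file name next to the .ovpn file, as in the steps above, and `$Fix` and `$owner` are hypothetical names.

```powershell
# Added example: find credential files referenced by auth-user-pass and
# report (optionally tighten) ACLs that let every local user read them.
$cfgDir = 'C:\Program Files\OpenVPN\config'   # default folder named above
$Fix    = $false                              # set to $true to tighten ACLs (run elevated)
$owner  = "$env:USERDOMAIN\$env:USERNAME"     # assumed: the account that runs OpenVPN

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$sidType   = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -LiteralPath $cfgDir -Filter *.ovpn | ForEach-Object {
    $hit = Select-String -LiteralPath $_.FullName -Pattern '^\s*auth-user-pass\s+(\S+)' |
           Select-Object -First 1
    if (-not $hit) { return }                 # profile prompts for user/pass, nothing stored
    $cred = Join-Path $cfgDir $hit.Matches[0].Groups[1].Value
    if (-not (Test-Path -LiteralPath $cred)) {
        Write-Warning "$($_.Name): $cred is referenced but missing"; return
    }
    # Allow-ACEs (explicit and inherited) that give a broad group read access.
    $broad = (Get-Acl -LiteralPath $cred).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadSids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band 1) -ne 0     # 1 = ReadData
        }
    if (-not $broad) { "$cred : OK"; return }
    "$cred : readable by $(@($broad).Count) broad group(s)"
    if ($Fix) {
        # Drop inherited ACEs; keep Administrators, SYSTEM and the owner only.
        icacls.exe $cred /inheritance:r /grant:r '*S-1-5-32-544:(F)' '*S-1-5-18:(F)' "${owner}:(R)"
    }
}
```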

Allow normal users to access OpenVPN

While there is a minimal security compromise with the method we will present, it does mean that normal users can use the VPN connection [thereby allowing a constant secure internet connection] without having to give them admin rights. The method relies on the fact that the OpenVPN client requires administrator rights to be able to change the network connection. Therefore, by giving administrator rights to the network connection, and nothing else, the need for this will be removed.

In order to do this follow these steps:

  1. Click the Windows button, type ‘mmc’ and start it. (Make sure you’re doing this as an administrator)
  2. Go to File -> Add/Remove Plugins
    1. Under Snap-ins locate Local Users and Groups and add it
    2. Click OK
  3. Next you will give the network access
    1. In the left hand column expand Local Users and Groups
    2. Click Groups
    3. Right click Network Configuration Operators
  4. Click the Add button and add the users that you’d like to be able to run OpenVPN without requiring an administrator password

Peter Selmeczy I am an engineer by trade and tech geek by night, who's passionate about sharing his knowledge with the people. Find me on Google+.


7 responses to “OpenVPN Client: Autorun and autoconnect”

  1. Peter,

    When you create a client cert and key there is information in that key that identifies the client. Take a look at this generic one I found on the net.

    http://pastebin.com/N7mXRKgG

    Now this one won't show you any sensitive data because this was distributed by a VPN that had no idea on how PKI works. They gave this cert and key out to everyone. But it still serves as a good example of how certs and keys are structured. Look at the stuff below. When a service creates unique certificates for each user they are going to use real user data in case they need to revoke those certificates in the future. Where is that data stored you ask? In the certificate. Look into it. I know for a fact cryptostorm forums has pointed this out in the past but I am not sure of the link.

    1. Hi Ryan
      Take a look at this one I got from an actual commercial VPN http://pastebin.com/e8gDRMeB as you can see there is no personally identifiable information in it.
      It’s possible to put extra information into the OpenVPN file irrespective of the type of authentication they use and yes you’re right that business VPNs do do this for easier management but this isn’t the case for public/commercial VPNs.
      Peter

      1. Peter,

        I think you are misinformed. When a certificate is made some services may strip out the certificate info and just keep the signature but that certificate info has still been created. I work at a service that uses unique client keys unlike the one you posted. Our VPN service uses the certificate data to identify who the owner is when they authenticate. If we didn’t we would never know who to revoke when the user cancels. We went back and forth about this point in depth at the office and the truth is right now neither user/pass or certificate/key are ideal for consumer based services. Anyone saying otherwise is flat out wrong.

        1. Hi Danny

          Clearly you’re very knowledgeable in the topic and made me realise a few things that I haven’t been informed about/ aware of before, do you mind me using your email address to contact you so we can continue this in private?
          I’ve removed the mass of the information for safety purposes but the reason that you can find ‘bestvpn’ in there is because it’s our username for them.

          Peter

  2. P.S

    Take a look at your client certificate for one of those VPNs. Do you REALLY want that info to get out? There is a very valid reason why many services do not use certificate based authentication. In an enterprise using certificates like OpenVPN recommends is desirable because in an enterprise you want to know who is logging into your network and it is more desirable for the enterprise to use certificates because certificates are harder to brute force.

    This site is not aimed at enterprises. It is aimed at end users wanting privacy. This is really misleading.

    1. Hi Ryan
      I’m a little confused about your comments.
      Key/ Cert authentication doesn’t contain any personal information so I’m not really sure what you mean.
      The difference is that there is an extra key in your .ovpn file and you do not require a user/pass. I’ll be writing more about this in an upcoming article but it’s more secure not because of a technical aspect but because of human nature – which is what I think you were trying to point out?
      I think you might be thinking about different certificate logins? If you could give some links to what you mean or explain it better that would be helpful.
      Peter

  3. Peter,

    You might want to check your facts. Certificate based logins are recommended for Enterprises only because of how much personal information is contained in the certificate. For instance if I belong to a provider that uses certificates and someone gets their hand on my certificate they suddenly have identifiable information about me. This is NOT ideal.
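
Whether a given client certificate carries identifying data can be checked directly by reading its fields. This is an added example, not part of the original guide or of the comments above; it assumes the certificate is embedded inline in a `<cert>` block of the .ovpn file and uses the guide's placeholder file name.

```powershell
# Added example: print the identity fields of the client certificate
# embedded in an .ovpn profile, to see what it reveals about its holder.
$ovpnPath = 'C:\Program Files\OpenVPN\config\xxxxxxx.ovpn'   # placeholder name

$text = Get-Content -LiteralPath $ovpnPath -Raw
# Inline form only: <cert> ... PEM ... </cert>. Profiles that use
# 'cert client.crt' keep the certificate in a separate file instead.
$rx = '(?s)<cert>.*?-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----.*?</cert>'
$m  = [regex]::Match($text, $rx)
if (-not $m.Success) { throw "No inline <cert> block in $ovpnPath" }

# PEM body -> DER bytes -> X509Certificate2 (parsed in memory, nothing is installed).
$der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

# Subject and extensions (e.g. Subject Alternative Name) are where a
# provider would place a user name, e-mail address or account id.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Serial     = $cert.SerialNumber
    Thumbprint = $cert.Thumbprint
    ValidFrom  = $cert.NotBefore
    ValidTo    = $cert.NotAfter
} | Format-List

$cert.Extensions | ForEach-Object {
    '{0}: {1}' -f $_.Oid.FriendlyName, $_.Format($false)
}
```

A certificate with only a generic common name shows nothing personal here; a per-user certificate shows whatever the provider chose to put in the Subject and extensions.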
