@selvanair
Last active April 10, 2024 23:00
OpenVPN-PLAP readme
Quick Start for openvpn-plap module
===================================
Skip to step (iii) in pre-requisites if you have a working setup with OpenVPN
automatic service (openvpnserv2.exe) running and have at least one profile started
through it.
Pre-requisites
--------------
(i) Install a recent version of OpenVPN (2.6.0 or later) using the release MSI.
During installation select "Customize" and choose to install "OpenVPN Service"
and "Enable OpenVPN Pre-Logon Access Provider".
(ii) Add at least one ovpn file into the "config-auto" directory
(C:\Program Files\OpenVPN\config-auto by default).
(iii) Have the following options in these ovpn files:

    management 127.0.0.1 <port> [pwfile]
    management-query-passwords
    auth-user-pass
    management-hold
    auth-retry interact

Use a free port number for <port>. 'pwfile' is optional, but highly recommended.
'auth-user-pass' is required only if you use user/pass authentication.
'auth-retry interact' is required for dynamic challenge to work and is generally
recommended even otherwise. 'management-hold' is optional.

Start/restart 'openvpnservice'.
(ii) and (iii) will ensure that openvpn.exe is started at boot and is waiting on
management-hold.
Optionally test the setup using the GUI (this requires GUI version >= 11.30)
----------------------------------------------------------------------------
At this point the above 'prestarted' connection(s) should be visible and controllable
from OpenVPN-GUI. Check that the connection(s) can be stopped (put on hold) and
connected/reconnected from the GUI menu, and all interactive dialogs (username/password etc.)
work.
Register the PLAP dll
---------------------
_This step is required only if Enable PLAP was not selected during installation._
Go to the folder where OpenVPN binaries are installed
(C:\Program Files\OpenVPN\bin by default), and from an elevated cmd prompt run

    reg import openvpn-plap-install.reg

This registers the COM class for the OpenVPN PLAP module. Alternatively, this step may be
completed from the OpenVPN-GUI settings menu by clicking "Enable Pre-Logon Access Provider".
Test connecting from the login screen
-------------------------------------
Lock the screen, get into the login screen, click the "Network/PLAP" icon: a list of
connection profiles that were set up in step (ii) should show up.
Select the profile and connect. User/pass and certificate dialogs, if any, should appear
on the screen.
If the "Network/PLAP" icon does not show at the lower right corner of the login screen,
check that the registry settings defined in the above reg file are in place.
Notes
-----
The ovpn config file in the config-auto folder must have a name distinct from
any other config in the global config folder or user profiles for it
to be visible in the OpenVPN-GUI menu. The GUI gives preference to config files in
user profiles and the global config folder (in that order) in case of duplicate
names.

If using auth-user-pass without 2FA, consider adding 'auth-nocache' or
'management-forget-disconnect' in the ovpn file, and save the password in the
GUI instead (if required). Without one of these options, after the first
connect/disconnect cycle, anyone at the login screen can connect without
providing credentials.

If the auth-user-pass dialog is cancelled, openvpn.exe will exit even if
'--auth-retry interact' is in the ovpn file (it's unexpected behavior, but that's
how it currently works). It will get restarted by the service, but that could take up
to 10 seconds. Subsequent connections will wait until the management interface
comes back up.
--
Selva Nair <selva.nair@gmail.com> Last modified: April 10, 2024.
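
A way to check config-auto profiles against the options in step (iii) and the credential-caching note above, as an added example that is not part of the original README or of OpenVPN. The function names and the error/warn split are assumptions of this sketch, the sample profiles are constructed, and the check cannot tell whether 2FA is in use, so it flags every 'auth-user-pass' profile that leaves caching on.

```python
# Constructed sample profiles; port 7505 and pw.txt are made-up values.
WEAK = """management 127.0.0.1 7505
management-query-passwords
management-hold
auth-user-pass
"""
HARDENED = (WEAK.replace("7505", "7505 pw.txt")
            + "auth-retry interact\nauth-nocache\n<ca>\n(placeholder)\n</ca>\n")

def parse_ovpn(text):
    """Map each directive to its argument list, skipping inline <tag> blocks."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("<"):             # <ca> opens a block, </ca> closes it
            in_block = not line.startswith("</")
            continue
        if not in_block:
            tokens = line.split()
            opts[tokens[0].lstrip("-")] = tokens[1:]
    return opts

def audit_plap_profile(text):
    """Return (severity, message) findings for one config-auto profile."""
    o, out = parse_ovpn(text), []
    mgmt = o.get("management")
    if mgmt is None or len(mgmt) < 2:
        out.append(("error", "missing 'management 127.0.0.1 <port> [pwfile]'"))
    elif len(mgmt) < 3:
        out.append(("warn", "management interface has no pwfile"))
    if "management-query-passwords" not in o:
        out.append(("error", "missing management-query-passwords"))
    if o.get("auth-retry") != ["interact"]:
        out.append(("warn", "no 'auth-retry interact': dynamic challenge will not work"))
    caching_off = "auth-nocache" in o or "management-forget-disconnect" in o
    if "auth-user-pass" in o and not caching_off:
        out.append(("warn", "auth-user-pass without auth-nocache or "
                    "management-forget-disconnect: credentials stay cached"))
    return out

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_plap_profile(cfg) or "ok")
```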
@virtualizer117

@selvanair, thanks a million for this!!! I discovered OpenVPN Community a couple of months back and have spent my time since then learning as much as I can. I'm working for/interning with a company right now and have been championing OpenVPN for just about everything (maybe too much sometimes, but what can I say? I'm a huge fan...). However, I recently realized that OpenVPN would need to provide PLAP capabilities to be usable for a particular scenario I'm facing. I start doing my research, and what do you know, I came across this gem and more which you seem to be spearheading.

Anyway, I know this is kinda long, but I just really wanted to say thanks for doing all this. I'm in college (almost done!), so things are a bit hectic right now, but I look forward to giving back and helping to better OpenVPN as soon as the workload lets up a bit.

@selvanair
Author

Much of this is outdated now. PLAP dll can be installed from the release MSI starting 2.6.0. Latest release is 2.6.2 which includes the OpenVPN-GUI version 11.39.0. Just choose to customize in the MSI installation dialog and select to include SBL/PLAP feature. For the rest, consult the README file in OpenVPN/openvpn-gui github repo.

@virtualizer117

Haha, that's hilarious--I was working with what I thought was the "latest" installer yesterday (the 2.6.1 release). Turns out I just hadn't reloaded the page in about a week. Given that it's the one option that isn't expanded by default (at least in my case), the SBL/PLAP feature is easily missed during the custom install if you're not looking for it. Truly a hidden gem... :D

@selvanair
Author

All the bits and pieces are installed by default, so you can enable it from the GUI menu or by manually running the reg file if you missed customizing during install.

@virtualizer117

Thank you, @selvanair! I went and read through the OpenVPN/openvpn-gui GitHub repo you mentioned--good stuff!! They mentioned the same thing about the GUI menu checkbox for the SBL/PLAP feature. Now I'm kinda embarrassed I missed it, haha.
