Last active
April 10, 2024 23:00
OpenVPN-PLAP readme
Quick Start for openvpn-plap module
===================================

Skip to step (iii) in pre-requisites if you have a working setup with OpenVPN
automatic service (openvpnserv2.exe) running and have at least one profile started
through it.

Pre-requisites
--------------

(i) Install a recent version of OpenVPN (2.6.0 or later) using the release MSI.
During installation select "Customize" and choose to install "OpenVPN Service"
and "Enable OpenVPN Pre-Logon Access Provider".

(ii) Add at least one ovpn file into the "config-auto" directory
(C:\Program Files\OpenVPN\config-auto by default).

(iii) Have the following options in these ovpn files

    management 127.0.0.1 <port> [pwfile]
    management-query-passwords
    auth-user-pass
    management-hold
    auth-retry interact

Use a free port number for <port>. 'pwfile' is optional, but highly recommended.
'auth-user-pass' is required only if you use user/pass authentication.
'auth-retry interact' is required for dynamic challenge to work and is generally
recommended even otherwise. 'management-hold' is optional.

Start/restart 'openvpnservice'

(ii) and (iii) will ensure that openvpn.exe is started at boot and is waiting on
management-hold.

Optionally test the setup using the GUI (this requires GUI version >= 11.30)
----------------------------------------------------------------------------

At this point the above 'prestarted' connection(s) should be visible and controllable
from OpenVPN-GUI. Check that the connection(s) can be stopped (put on hold) and
connected/reconnected from the GUI menu, and all interactive dialogs (username/password etc.)
work.

Register the PLAP dll
---------------------

_This step is required only if Enable PLAP was not selected during installation._

Go to the folder where OpenVPN binaries are installed
(C:\Program Files\OpenVPN\bin by default), and from an elevated cmd prompt run

    reg import openvpn-plap-install.reg

This registers the COM class for OpenVPN PLAP module. Alternatively, this step may be
completed from OpenVPN-GUI settings menu by clicking "Enable Pre-Logon Access Provider".

Test connecting from the login screen
-------------------------------------

Lock the screen, get into the login screen, click the "Network/PLAP" icon: a list of
connection profiles that were set up in step (ii) should show up.
Select the profile and connect. User/pass and certificate dialogs, if any, should appear
on the screen.

If the "Network/PLAP" icon does not show at the lower right corner of the login screen,
check that the registry settings defined in the above reg file are in place.

Notes
-----

The ovpn config file in the config-auto folder must have a name distinct from
any other configs in the global config folder or user profiles for it
to be visible in the OpenVPN-GUI menu. The GUI gives preference to config files in
user profiles and global config folder (in that order) in case of duplicate
names.

If using auth-user-pass without 2FA, consider adding 'auth-nocache' or
'management-forget-disconnect' in the ovpn file, and save the password in the
GUI instead (if required). Without one of these options, after the first
connect/disconnect cycle, anyone at the login screen can connect without
providing credentials.

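The option list from step (iii) and the credential-caching note above can be checked mechanically before a profile is dropped into config-auto. The following is an added example, not part of the original README or of OpenVPN; the function names, port number, pwfile name and sample profiles are constructed for illustration, and the parser is simplified (it ignores quoting).

```python
# Added example (not from the README): lint an ovpn profile for PLAP use.
def parse_ovpn(text):
    """Map each directive to its argument list (last occurrence wins)."""
    opts = {}
    for raw in text.splitlines():
        tokens = []
        for tok in raw.split():
            if tok[0] in "#;":  # comment runs to end of line (quoting ignored)
                break
            tokens.append(tok)
        if tokens:
            opts[tokens[0].lstrip("-")] = tokens[1:]
    return opts

def lint_plap_profile(text):
    """Return (severity, message) findings for the options listed in step (iii)."""
    opts, out = parse_ovpn(text), []
    mgmt = opts.get("management")
    if mgmt is None or len(mgmt) < 2:
        out.append(("error", "missing 'management 127.0.0.1 <port> [pwfile]'"))
    else:
        if mgmt[0] != "127.0.0.1":
            out.append(("warn", "management address differs from the README's 127.0.0.1"))
        if len(mgmt) < 3:
            out.append(("warn", "management has no pwfile (highly recommended)"))
    if "management-query-passwords" not in opts:
        out.append(("error", "missing 'management-query-passwords'"))
    if opts.get("auth-retry") != ["interact"]:
        out.append(("warn", "'auth-retry interact' not set (needed for dynamic challenge)"))
    if "auth-user-pass" in opts and not (
            "auth-nocache" in opts or "management-forget-disconnect" in opts):
        out.append(("warn", "auth-user-pass without 'auth-nocache' or "
                    "'management-forget-disconnect': after one connect/disconnect, "
                    "the login screen can reconnect without credentials"))
    return out

# Constructed sample profiles; port 25340 and pw.txt are placeholders.
WEAK = """management 127.0.0.1 25340
management-query-passwords
auth-user-pass
management-hold
"""
HARDENED = WEAK.replace("25340", "25340 pw.txt") + "auth-retry interact\nauth-nocache\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_plap_profile(cfg) or "no findings")
```

The last warning cannot tell whether 2FA is in use, so treat it as a prompt to review the profile rather than a definite defect.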
If the auth-user-pass dialog is cancelled, openvpn.exe will exit even if
'--auth-retry interact' is in the ovpn file (it's unexpected behavior, but that's
how it currently works). It will get restarted by the service, but that could take up
to 10 seconds. Subsequent connections will wait until the management interface
comes back up.

--
Selva Nair <selva.nair@gmail.com> Last modified: April 10, 2024.

Thank you, @selvanair! I went and read through the OpenVPN/openvpn-gui GitHub repo you mentioned--good stuff!! They mentioned the same thing about the GUI menu checkbox for the SBL/PLAP feature. Now I'm kinda embarrassed I missed it, haha.
All the bits and pieces are installed by default, so you can enable it from the GUI menu or by manually running the reg file if missed to customize during install.