OpenVPN client without administrator rights on Win7

My parents use a Win7 laptop. I have set it so that they are not administrators of the device, only I am. I have installed OpenVPN for them to access the home network resources when they are out. The problem is they cannot start the client without admin privileges, since the route cannot be added to the system without.

I made a workaround by letting the OpenVPN client start from scheduled tasks with a trigger when somebody logs in. That works while they're out, but breaks their network connectivity at home. On top of that, since the client is at that time started as a different user, the UI is not visible.

What would be the best way to provide them with the OpenVPN client, without giving them more privileges?

Solution 1:

OpenVPN can be run as a service which can either be run automatically at startup or you can give certain users permissions to control the service. Below is a link to an article describing this configuration:

HowTo Run OpenVPN as a non-admin user in Windows

Also see the install notes on running OpenVPN as a service to see some limitations.

Solution 2:

I have found there is another way to provide users with the ability to start OpenVPN without granting them full admin privileges. To achieve this you can use mmc with the Local Users and Groups snap-in and add a specific user to the Network Configuration Operators group. This provides the said user with the ability to change the routing table (which is critical to VPN) but does not escalate privileges beyond network configuration (e.g. they cannot install software, modify the registry, etc.). To launch OpenVPN the user has to right-click the OpenVPN icon and select Run as administrator, then they need to provide their password.