Openvpn running as root

I read somewhere that OpenVPN runs as root by default. I assume they are referring to Linux, but my guess is that it probably applies to Windows too. I.e. I would guess that when you run OpenVPN in Windows, it runs as the Windows equivalent of root. This seems to me to be a very big security risk unless you are connecting to some server that you control. I question whether this is appropriate for someone connecting to a public VPN service.
Many (maybe most) of these public VPN services run through a proprietary front-end, and I have yet to see any discussion of whether these front-ends are running OpenVPN as standard user rather than root. It looks like there is a way to run OpenVPN as a standard user that is explained on the OpenVPN website. Does anyone have any experience with running OpenVPN as a standard user? Can you tell me if it is practical (i.e. can be done without too much inconvenience) to run it that way?

 

I was just asking about that on Unix.SE

As in Windows, OpenVPN must start in Linux as root, in order to create a tun/tap interface, and configure routing and firewall rules. Once that's done, it drops root privileges using the "--group nobody" and "--user nobody" options. When disconnecting, it can use the "openvpn-down-root.so" plugin to regain root privileges for undoing its changes.

I don't see anything in < http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html > about that being Linux-specific. But I don't know enough to say one way or the other

 

Following this thread with intense interest. I'd love to know if there's way to run openvpn+gui as a restricted user in Windows.

 

If a user has to run OpenVPN as root, that still seems to me to be a security risk even if the privilege is dropped at some point. I would like to know what exactly are the ramifications of running it as root. Since OpenVPN is the mechanism for communication between the client and the server, I would assume that it could allow the server to have very dangerous access to the client computer's system. And how can someone verify whether and when it has dropped the root privileges?

 

The OpenVPN client needs to start as a user that can configure networking, routing and firewall rules. That's normally root. I suppose that one could create an openvpn user with just those privileges. That's how you set up Wireshark to capture without full root privileges (as user wireshark). But it would be more complicated, given all that OpenVPN needs to do at startup.

OpenVPN can run scripts as root when it's connecting (using "--up" option) and disconnecting (using "--down" option). And those scripts could be malicious. But I don't believe that the server can push scripts. They would be included in the configuration files (ca.crt, client.crt, etc) or custom client.

Using a stock OpenVPN client, you know what you're installing. If there are scripts, you can review them, or look for online reviews. I don't recall any VPN service that required client-side scripts. But I do recall that some custom clients include scripts. Ironically perhaps, they're used for preventing leaks.