1Password doesn't work with OpenVPN GUI [Process elevation can prevent Auto-type from typing]

This discussion was created from comments split from: IBM VPN Software - CISCO AnyConnect Secure Mobile Client.

Comments

  • NameUnavailable
    Community Member

    It has been my experience that 1Password for Windows does not work with the standard OpenVPN taskbar-resident GUI. The outlined method referred to by LauraR works for apps like Putty Agent and Quicken, but fails here, and silently fails using the Auto-Type described by MikeT as well. Application login support is the biggest failure I see with 1Password when compared with, for example, KeePass.

    If DarkStar has got this to work with the standard OpenVPN GUI (https://community.openvpn.net/openvpn/wiki/OpenVPN-GUI, ships as part of OpenVPN) I would love to see how that is done.

  • MikeT
    edited April 2015

    Hi @NameUnavailable,

    I've split your post from the other thread since OpenVPN client is a different application from the one being discussed in the original thread. Since OpenVPN is something we can download, we'll try it on our machines to see what's going on there. Unfortunately, I couldn't get it to show any username/password window to let me test 1Password with and this will make the testing difficult. I'll add this to our bug tracker and we'll investigate this when we have an OpenVPN server ready to go.

    Do you have another application like this that we can easily test?

    Auto-Type does require the UI to be the standard view with just the username and password fields, and if it is any different, it won't work well. We are working to improve compatibility with some applications, especially games that use a custom-built UI. In fact, the next stable update will have some improvements already for Steam. If you can tell us the list of applications that 1Password doesn't work with, we can add it to our list to test.

    Thanks!

  • NameUnavailable
    Community Member

    Mike,

    Thank you for setting up a separate thread for the OpenVPN issue. If you have installed OpenVPN, you can use the following file, which has a dummy set of credentials, to help with the debug.

    Save the following as a plain text file with a name like myOpenVPNTest.ovpn. The extension is the important part here. Save the file in C:\Program Files\OpenVPN\config (or the equivalent for your installation of OpenVPN, this step will ask for admin privs). You do not need to restart OpenVPN. If you then bring up the OpenVPN GUI context menu (right-click on the taskbar icon) you should see an entry for myOpenVPNTest.
    Hover over that and select Connect. You should get a dialog box labeled OpenVPN Connection (myOpenVPNTest), then another dialog box labeled OpenVPN – User Authentication prompting for a username and password. From that point, create a 1Password entry and have at it.

    client
    dev tun
    proto udp
    remote www.example.com 1194
    float
    comp-lzo adaptive
    keepalive 15 60
    auth-user-pass
    <ca>
    -----BEGIN CERTIFICATE-----
    DEADBEEF
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    DEADBEEF
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    DEADBEEF
    -----END PRIVATE KEY-----
    </key>
    ns-cert-type server
    resolv-retry infinite
    nobind
    
  • MikeT

    Hi @NameUnavailable,

    Wow, huge thanks for doing that. I was not sure how to create the configuration file. I was able to test it with your sample file and I couldn't reproduce the issue. Here's a video of me using 1Password to auto-type the data in:

    Can you try deleting the application URL for OpenVPN and re-saving it?

  • NameUnavailable
    Community Member

    I will retry here and report back.

  • MikeT

    Hopefully, with good news.

  • NameUnavailable
    Community Member

    Unfortunately, no good news yet. I have removed and reinstalled 1Password, I have changed the login keyboard shortcut, I have created a new login in 1Password, all to no avail. When I use the default Ctrl-\ keyboard shortcut, I get a chime; when I set and use a different shortcut (Ctrl-= for example) I get no chime, but in neither case is there a fill-in of the credentials. Nor is there fill-in when I use the Auto-Type GUI menu item and select the OpenVPN - User Authentication window in the drop-down list.

    Can you tell me what preference selections you use that differ from default, both for 1Password in general and for the specific entry? For the record, below is my entry for the test; it is about as plain as it can be.

  • MikeT

    Hi @NameUnavailable,

    Just as default as it can be:

    Even changing the shortcut still works. This is most unusual and it could explain why some of the customers are seeing something that we're not seeing on our own computers.

    Can you email us your diagnostic report? I can use it to try to match my settings as much as possible, including your Windows version and so on. Please use this guide to generate a diagnostic report to email to us, and also include the link to this thread in the email.

    Let us know here that you've sent it, so we can look for it and confirm we got the email.

  • NameUnavailable
    Community Member

    Diagnostic file sent.

  • MikeT
    edited April 2015

    Hi @NameUnavailable,

    Thanks, I found the report and will follow up as soon as possible.

    Email support ID #: ACT-53671-939

  • NameUnavailable
    Community Member

    Safe-mode diags sent 2015-04-19 23:42EST

  • MikeT

    Thanks, I've followed up via the email.

  • DarkStar
    Community Member

    I can't even add an app for the login information because 1Password doesn't see the login window for OpenVPN.

  • MikeT

    Hi @DarkStar,

    Where did you install OpenVPN GUI from? I'm not seeing that UI with my copy of OpenVPN as shown in this video.

  • DarkStar
    Community Member

    From a client via a web installer... As far as I know it would be just regular OpenVPN except that it would have a certain company's settings for VPN connections. It says the version is OpenVPN Connect 2.0.0.4000. I checked OpenVPN's website - indeed, their software looks different now. I also checked the old releases, I don't think 2.0 is even there. Gee, it looks like my client is using a really old release. I will ask the system administrator about it. Otherwise, don't bother - I don't expect you to make such an old release work. :) Thank you.

  • RichardPayne
    Community Member

    indeed, their software looks different now. I also checked the old releases, I don't think 2.0 is even there

    It's not, but v1.6 is. What this means is that they are only presenting the latest in each release line. If you download v2.0.9 you'll likely find that it's the same interface as the one your client has. It's just 5 revisions later.

  • MikeT
    edited May 2015

    Hi guys,

    I tested 1.6 but there is no GUI for it there. So, I don't think there's a way for us to test this without getting a copy of the 2.0.x series somehow.

    I've also been investigating this with NameUnavailable via emails and we can't pinpoint why it doesn't work for him while it does for me.

  • TheDave
    Community Member

    A random thought about what is happening here: Are you running the OpenVPN client components as an administrator? If so, that's the reason this isn't working: processes without the administrative token cannot interact with processes with the administrative token for reasons of security.

    While OpenVPN client can run in user mode, it can't set routes, so in many cases the OpenVPN client must run with administrative permissions.

    Does this explain the issue from everyone's perspective?

  • MikeT

    Hi @TheDave,

    That's a good point and it would explain why I'm seeing things differently, I haven't configured anything to require such an escalation to the admin level.

    @DarkStar and @NameUnavailable, are you configuring OpenVPN in any way that would require the admin access?

    Dave is correct, Auto-type will not see any escalated processes because it runs from the same account as the user, not as the admin.

  • NameUnavailable
    Community Member

    To the best of my knowledge OpenVPN is installed by default with Admin privs, since this is required on Win 8.1 (I think Win 7+) for OpenVPN to change the route, which is, after all, what it has to do. Is there a way for 1Password to run with elevated privs, either generally or for specific items?

  • AGAlumB
    1Password Alumni

    Is there a way for 1Password to run with elevated privs, either generally or for specific items?

    @NameUnavailable: I'm not sure this is possible without logging in as Administrator. 1Password has a number of moving parts, with the main app, the extensions, and the Helper. /cc @svondutch ?

    But more importantly, it's generally just a bad idea to run with admin privileges. Even though your 1Password data is encrypted, there have been vulnerabilities in the past in Windows APIs that could be exploited to piggyback on another app's admin rights. This is why we (should) run as normal users, so that processes can't reach beyond that.

  • DarkStar
    Community Member

    @DarkStar and @NameUnavailable, are you configuring OpenVPN in any way that would require the admin access?

    I just used the installer, so I wouldn't know. There's a Windows service that's running in the background and is required for the GUI application to work. I think it works under the System account.

  • MikeT

    Hi @DarkStar,

    I don't know if you can recall this, but did installing OpenVPN cause Windows to request admin rights?

    You can configure the Task Manager to show you the processes that have been elevated.

    1. Open Task Manager, go to the Details tab and right-click on one of the columns to select Select Columns
    2. Check the box next to Elevated, press OK.
    3. Look at the OpenVPN processes, are they showing up as Elevated?
  • DarkStar
    Community Member

    The process is not elevated. Sorry, my GUI is in Polish, but I marked that column. It says nie, which means no. The OpenVPN service itself would run under svchost.exe, I assume. But as far as I understand it doesn't matter, because 1Password just needs to access the GUI app.

  • MikeT

    Hi @DarkStar,

    That is strange. Was that with the login UI opened? In my testing, it had a separate process just for the UI while there is one for the tray.

  • DarkStar
    Community Member
    edited May 2015

    @MikeT There is another process capiws.exe, inside it has a service named OpenVPNAccessClient and yes - it is elevated. It runs under the SYSTEM account. I didn't notice it because the Task Manager doesn't display a description for that process; I found it by running the tasklist /svc command.

    It seems the ovpntray.exe process is for the tray icon (wouldn't it be used by the login UI, too?), while capiws.exe is started when I start the Windows service for OpenVPN.

  • MikeT

    Hi @DarkStar,

    Thanks for checking that.

    There is another process capiws.exe, inside it has a service named OpenVPNAccessClient and yes - it is elevated.

    Okay, that would explain why Auto-Type wouldn't work, it's blocked due to its access level. I wonder if there's a way to detect this and notify users. I'll ask our team to investigate this possibility.

    It seems the ovpntray.exe process is for the tray icon (wouldn't it be used by the login UI, too?),

    No, it can call on another process to handle the Login process. For example, we call on Windows's consent.exe to create a secure desktop for us that's elevated to the point that no other processes can access it besides us.
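
One way to run the elevation check discussed in this thread from PowerShell instead of the Task Manager "Elevated" column, as an added example that is not part of any post and not 1Password's code. `ovpntray` and `capiws` are the process names given in the thread; `openvpn` and `openvpn-gui` are assumed names for the standard client, and the `TokenCheck` helper is hypothetical.

```powershell
# Added example: report whether OpenVPN-related processes hold an elevated token.
# A non-elevated Auto-Type sender cannot drive a window owned by an elevated process.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class TokenCheck {   // hypothetical helper name
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenElevation = 20;   // TOKEN_INFORMATION_CLASS member

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           out uint info, uint len, out uint retLen);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // "Yes" / "No", or "Unknown" when the process or its token
    // cannot be opened from the calling session.
    public static string IsElevated(int pid) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) return "Unknown";
        IntPtr tok = IntPtr.Zero;
        try {
            if (!OpenProcessToken(proc, TOKEN_QUERY, out tok)) return "Unknown";
            uint elevated, retLen;   // TOKEN_ELEVATION is a single DWORD
            if (!GetTokenInformation(tok, TokenElevation, out elevated, 4, out retLen))
                return "Unknown";
            return elevated != 0 ? "Yes" : "No";
        } finally {
            if (tok != IntPtr.Zero) CloseHandle(tok);
            CloseHandle(proc);
        }
    }
}
'@

# ovpntray / capiws come from the thread; the other two names are assumptions.
$names = 'ovpntray', 'capiws', 'openvpn', 'openvpn-gui'
Get-Process -Name $names -ErrorAction SilentlyContinue |
    Select-Object Name, Id, SessionId,
        @{ Name = 'Elevated'; Expression = { [TokenCheck]::IsElevated($_.Id) } } |
    Format-Table -AutoSize
```

Run it from the same non-elevated session the password manager runs in, with the login dialog open, so the process that owns the dialog is included in the listing.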

This discussion has been closed.