OpenVPN · TinCanTech · Feb 1, 2024 · Jan 30, 2024
diff --git a/distro/windows/EasyRSA-Start.bat b/distro/windows/EasyRSA-Start.bat
@@ -1,2 +1,2 @@
 @echo OFF
-bin\sh.exe bin\easyrsa-shell-init.sh
+bin\sh.exe bin\easyrsa-shell-init.sh %*
diff --git a/distro/windows/bin/easyrsa-shell-init.sh b/distro/windows/bin/easyrsa-shell-init.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# shellcheck disable=SC2161,SC1091
+# shellcheck disable=SC2161,SC1091,SC2028
 
 # This script is a frontend designed to create & launch a POSIX shell
 # environment suitable for use with Easy-RSA. mksh/Win32 is used with this
@@ -31,6 +31,95 @@ for f in $extern_list; do
 	fi
 done
 
+# Allow options
+non_admin=""
+while [ "$1" ]; do
+	case "$1" in
+		/[Nn][Aa]|--no-adm*)
+			non_admin=1
+			echo "Using no-admin mode"
+		;;
+		*)
+			echo "Ignoring unknown option: '$1'"
+	esac
+	shift
+done
+
+# Access denied
+access_denied() {
+	echo "Access error: $1"
+	echo "
+To use Easy-RSA in a protected system directory, you must have
+elevated privileges via 'Windows User Access Control'.
+You can try 'run-as admin' but that may also fail.
+
+It is recommended to use Easy-RSA in your User/home directory.
+
+Please try using one of the following solutions:
+* Use the Start Menu item: 'Start Easy-RSA Shell (Non-Admin)'
+* Or, in a Non-Admin command prompt window, run two commands:
+
+    cd '\Program Files\Openvpn\easy-rsa\'
+    EasyRSA-Start.bat /no-admin
+
+These will start EasyRSA in your user's 'home directory/easy-rsa'
+
+Press enter to exit."
+
+	#shellcheck disable=SC2162
+	read
+	exit 1
+}
+
+# Use home directory/easy-rsa
+if [ "$non_admin" ]; then
+	[ "${HOMEDRIVE}" ] || \
+		access_denied "Undefined: HOMEDRIVE"
+	user_home_drv="${HOMEDRIVE}"
+
+	[ "${HOMEPATH}" ] || \
+		access_denied "Undefined: HOMEPATH"
+	eval "user_home_dir='\\${HOMEPATH}'"
+
+	# shellcheck disable=SC2154 # user_home_dir is not assigned
+	user_home="${user_home_drv}${user_home_dir}"
+
+	[ -d "$user_home" ] || \
+		access_denied "Missing: $user_home"
+
+	cd "$user_home" 2>/dev/null || \
+		access_denied "Access: $user_home"
+
+	if [ ! -d easy-rsa ]; then
+		mkdir easy-rsa 2>/dev/null || \
+			access_denied "mkdir: easy-rsa"
+		# Required test
+		[ -d easy-rsa ] || \
+			access_denied "Missing: easy-rsa"
+	fi
+
+	cd easy-rsa 2>/dev/null || \
+		access_denied "Access: easy-rsa"
+
+	export HOME="$PWD"
+	unset -v user_home_drv user_home_dir user_home
+fi
+
+# Check for broken administrator access
+# https://github.com/OpenVPN/easy-rsa/issues/1072
+[ -d "$HOME" ] || access_denied "-d HOME"
+win_tst_d="$HOME"/easyrsa-write-test
+
+# Required tests
+mkdir "$win_tst_d" 2>/dev/null || access_denied "mkdir"
+[ -d "$win_tst_d" ] || access_denied "-d"
+echo 1 > "$win_tst_d"/1 2>/dev/null || access_denied "write"
+[ -f "$win_tst_d"/1 ] || access_denied "-f"
+rm -rf "$win_tst_d" 2>/dev/null || access_denied "rm"
+[ ! -d "$win_tst_d" ] || access_denied "! -d"
+unset -v win_tst_d
+unset -f access_denied
+
 # set_var is defined as any vars file needs it.
 # This is the same as in easyrsa, but we _don't_ export
 set_var() {
@@ -62,6 +151,9 @@ echo "Welcome to the EasyRSA 3 Shell for Windows."
 echo "Easy-RSA 3 is available under a GNU GPLv2 license."
 echo ""
 echo "Invoke './easyrsa' to call the program. Without commands, help is displayed."
+echo ""
+echo "Using directory: $HOME"
+echo ""
 
 # Drop to a shell and await input
-bin/sh
+sh.exe