
Good-day all,

I'm having trouble getting the OpenVPN GUI application to add routes to a Windows 7 client. I'm using the same config file I've used on a Windows XP client except that I added the following two lines:

route-method exe
route-delay 2

I can make a connection, and I am assigned an IP address from the 10.8.0.0 pool - which makes it seem to me that the tunnel is up. But looking at the log below, it appears the routes aren't being added on the Windows 7 machine.

Fri Sep 13 16:02:44 2013 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Fri Sep 13 16:02:44 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Sep 13 16:02:44 2013 Need hold release from management interface, waiting...
Fri Sep 13 16:02:45 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Sep 13 16:02:45 2013 MANAGEMENT: CMD 'state on'
Fri Sep 13 16:02:45 2013 MANAGEMENT: CMD 'log all on'
Fri Sep 13 16:02:45 2013 MANAGEMENT: CMD 'hold off'
Fri Sep 13 16:02:45 2013 MANAGEMENT: CMD 'hold release'
Fri Sep 13 16:02:48 2013 MANAGEMENT: CMD 'username "Auth" "username"'
Fri Sep 13 16:02:48 2013 MANAGEMENT: CMD 'password [...]'
Fri Sep 13 16:02:49 2013 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Sep 13 16:02:49 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 16:02:49 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 16:02:49 2013 Socket Buffers: R=[8192->8192] S=[261360->261360]
Fri Sep 13 16:02:49 2013 UDPv4 link local: [undef]
Fri Sep 13 16:02:49 2013 UDPv4 link remote: [AF_INET]501.2.984.233:1194
Fri Sep 13 16:02:49 2013 MANAGEMENT: >STATE:1379102569,WAIT,,,
Fri Sep 13 16:02:49 2013 MANAGEMENT: >STATE:1379102569,AUTH,,,
Fri Sep 13 16:02:49 2013 TLS: Initial packet from [AF_INET]501.2.984.233:1194, sid=82453eea 30481972
Fri Sep 13 16:02:49 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Sep 13 16:02:49 2013 VERIFY OK: depth=1, O=Central Truck Center, Inc., OU=IT/Systems Department, emailAddress=security@centraltruck.net, L=Landover, ST=MD, C=US, CN=ca.centraltruck.net
Fri Sep 13 16:02:49 2013 VERIFY OK: nsCertType=SERVER
Fri Sep 13 16:02:49 2013 VERIFY OK: depth=0, C=US, ST=MD, O=Central Truck Center, Inc., OU=IT/Systems Department, L=Landover, CN=centraltruck.net, emailAddress=techsupport@centraltruck.net
Fri Sep 13 16:02:49 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 13 16:02:49 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 16:02:49 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 13 16:02:49 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 16:02:49 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 13 16:02:49 2013 [centraltruck.net] Peer Connection Initiated with [AF_INET]50.242.184.133:1194
Fri Sep 13 16:02:50 2013 MANAGEMENT: >STATE:1379102570,GET_CONFIG,,,
Fri Sep 13 16:02:51 2013 SENT CONTROL [centraltruck.net]: 'PUSH_REQUEST' (status=1)
Fri Sep 13 16:02:51 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 172.23.6.127,dhcp-option WINS 172.23.6.127,dhcp-option DOMAIN centraltruck.net,ip-win32 dynamic,route 172.23.6.0 255.255.255.0,route 172.23.7.0 255.255.255.0,route 208.197.153.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri Sep 13 16:02:51 2013 OPTIONS IMPORT: timers and/or timeouts modified
Fri Sep 13 16:02:51 2013 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 13 16:02:51 2013 OPTIONS IMPORT: route options modified
Fri Sep 13 16:02:51 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Sep 13 16:02:52 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Sep 13 16:02:52 2013 MANAGEMENT: >STATE:1379102572,ASSIGN_IP,,10.8.0.6,
Fri Sep 13 16:02:52 2013 open_tun, tt->ipv6=0
Fri Sep 13 16:02:52 2013 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{19F13E2F-B3F0-4E85-A8A2-E3C86ADD1987}.tap
Fri Sep 13 16:02:52 2013 TAP-Windows Driver Version 9.9 
Fri Sep 13 16:02:52 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {19F13E2F-B3F0-4E85-A8A2-E3C86ADD1987} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Fri Sep 13 16:02:52 2013 Successful ARP Flush on interface [41] {19F13E2F-B3F0-4E85-A8A2-E3C86ADD1987}
Fri Sep 13 16:02:54 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Fri Sep 13 16:02:54 2013 Route: Waiting for TUN/TAP interface to come up...

The last two lines above will repeat for about 30 times then a notice will appear showing that the VPN is connected with an IP of 10.8.0.6. The last line of the log, however, shows this:

Fri Sep 13 16:03:24 2013 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
Fri Sep 13 16:03:24 2013 MANAGEMENT: >STATE:1379102604,CONNECTED,ERROR,10.8.0.6,50.242.184.133

Several Google searches reveal that I needed to run the application with Administrator privileges. I am doing that, and I have even attempted running the application in Windows Vista compatibility mode. For some strange reason, Windows XP isn't an option I can select. Is there something I'm missing? My config - without the two lines I told you about earlier - works perfectly fine in Windows XP. Also, it works fine on the Windows 7 machine if I use the OpenVPN Client (and not the OpenVPN GUI).

I hope somebody out there has run into this problem before and can offer some assistance. Thanks.

Kismet Agbasi
  • Have you reviewed this page? http://openvpn.net/index.php/open-source/faq/79-client/275-why-cant-i-run-openvpn-on-windows-from-a-non-admin-user-account.html – Zoredache Sep 13 '13 at 20:37
  • Yes, I already tried the suggestions, but none worked for me. That document doesn't mention Windows 7, but I still tried the suggestions out anyway. After the connection is made, I can see the routes listed in the route table from the command line using ROUTE PRINT -4. But still nothing works. Interesting indeed... I will continue my pursuit for a solution. Thanks for your assistance. – Kismet Agbasi Sep 13 '13 at 23:39
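As an added illustration (not part of the original question), the following script shows how to pull the symptom out of an OpenVPN 2.3 client log of the kind quoted above: it extracts the routes the server pushed in PUSH_REPLY, counts the "Route: Waiting for TUN/TAP interface to come up" loops, reads the TEST ROUTES outcome and the final management >STATE line, and flags a session that connected but never got its routes installed. The embedded log excerpt is constructed from the lines in the question, with the poster's anonymised IP addresses left as they are.

```python
"""Diagnose the OpenVPN 2.3 Windows client log pattern from the question."""
import re

# Constructed excerpt of the log quoted above (IPs as the poster anonymised them).
SAMPLE_LOG = """\
Fri Sep 13 16:02:51 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 172.23.6.127,ip-win32 dynamic,route 172.23.6.0 255.255.255.0,route 172.23.7.0 255.255.255.0,route 208.197.153.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5'
Fri Sep 13 16:02:52 2013 MANAGEMENT: >STATE:1379102572,ASSIGN_IP,,10.8.0.6,
Fri Sep 13 16:02:54 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Fri Sep 13 16:02:54 2013 Route: Waiting for TUN/TAP interface to come up...
Fri Sep 13 16:02:56 2013 TEST ROUTES: 0/0 succeeded len=4 ret=0 a=0 u/d=down
Fri Sep 13 16:02:56 2013 Route: Waiting for TUN/TAP interface to come up...
Fri Sep 13 16:03:24 2013 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
Fri Sep 13 16:03:24 2013 MANAGEMENT: >STATE:1379102604,CONNECTED,ERROR,10.8.0.6,50.242.184.133
"""

ROUTE_RE = re.compile(r"\broute (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})")  # pushed 'route net mask'
STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),([A-Z]*),")                # management state lines
TEST_RE = re.compile(r"TEST ROUTES: (\d+)/\d+ succeeded len=(\d+) .* u/d=(up|down)")
WAIT_MSG = "Route: Waiting for TUN/TAP interface to come up"


def diagnose(log_text):
    """Summarise pushed routes, TUN/TAP wait loops, route-test outcome and final state."""
    r = {"pushed_routes": [], "wait_loops": 0, "adapter_up": None,
         "routes_ok": None, "final_state": None, "init_errors": False}
    for line in log_text.splitlines():
        if "PUSH_REPLY" in line:                      # routes the server asked us to install
            r["pushed_routes"] = ROUTE_RE.findall(line)
        elif WAIT_MSG in line:                        # the line the poster saw ~30 times
            r["wait_loops"] += 1
        elif (m := TEST_RE.search(line)):             # succeeded count vs len (route count)
            r["adapter_up"] = m.group(3) == "up"
            r["routes_ok"] = int(m.group(1)) == int(m.group(2))
        elif (m := STATE_RE.search(line)):            # last >STATE wins (e.g. CONNECTED,ERROR)
            r["final_state"] = (m.group(1), m.group(2))
        elif "Initialization Sequence Completed With Errors" in line:
            r["init_errors"] = True
    return r


def routes_missing(report):
    """True when the server pushed routes but the client never got them installed."""
    return bool(report["pushed_routes"]) and (
        report["init_errors"] or report["routes_ok"] is False
        or report["final_state"] == ("CONNECTED", "ERROR"))


if __name__ == "__main__":
    rep = diagnose(SAMPLE_LOG)
    print(rep, "-> routes missing:", routes_missing(rep))
```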

6 Answers


It has to do with permissions. Run it as an administrator with the UAC disabled and it will work. You have to disable the UAC.

Or you can run the VPN as a service, and it will connect and add routes correctly.

compatibility mode

Those won't make a difference.

Zoredache
  • This worked for me. I wish there was a way to do this without disabling the UAC. Looks like I'm gonna have to add another command in my up.bat file to disable the UAC, then another in the down.bat file to enable it when the user closes their VPN connection. – Kismet Agbasi Sep 14 '13 at 00:26
  • The really sad thing is that the main OpenVPN binary has all the functionality it needs built in to permit the VPN to be stopped and started via a TCP socket. This is exactly how Tunnelblick, the OS X client, operates. It seems like it would be pretty easy for some developer to duplicate what Tunnelblick is doing over on the Windows side. – Zoredache Sep 14 '13 at 00:30
  • That's strange: I recently had to run OpenVPN on a Windows 7 64-bit machine, and it only took me to explicitly run OpenVPN GUI app with elevated privileges -- UAC has been set to its default value. – kostix Sep 15 '13 at 14:03
  • I don't think the answer is correct. I use OpenVPN on x64 Windows boxes (Win7, Win8) with UAC ON (but it does require running elevated). From time to time (mostly after resuming from hibernation) I get this very same error. The only way I can get it to connect again is by resetting my cable modem. – Vagaus Feb 16 '15 at 11:14

Hello All,

I'm truly grateful for the assistance from Zoredache and David Mackintosh. You both offered suggestions that pointed me in the right direction.

Disabling the UAC altogether did work for me, as well as modifying the openvpn-gui binary to always run as administrator for all users. Unfortunately, however, I wasn't comfortable with having my users disable the UAC permanently - or with the mandatory reboot that must be done each time the UAC is enabled or disabled. This meant a reboot each time they used the VPN and disconnected from it.

So I sought out additional solutions and came across several that suggested disabling the UAC for Admins only. Since most of my users needing to VPN in will usually be local admins on their laptops, I figured this solution would work. So I tested it and it did work. Here's my final solution.

I created two separate .reg files to modify the system registry as follows:

REGISTRY FILE #1: DisableUACforAdmin

Windows Registry Editor Version 5.00

; ConsentPromptBehaviorAdmin = 0: administrators elevate without a UAC prompt
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000

REGISTRY FILE #2: EnableUACforAdmin

Windows Registry Editor Version 5.00

; ConsentPromptBehaviorAdmin = 2: prompt administrators for consent on the secure desktop
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002

To get this to work, I had to run OpenVPN GUI as administrator. Thanks to David Mackintosh's suggestion, I modified the exe file to always run as administrator for all users. Now, timing was key - I needed to make sure that the UAC was disabled before the VPN connection was even initiated. Fortunately, the OpenVPN GUI supports the creation of a pre-connect script by simply creating a batch file with the same name as the config file with a suffix of _pre.

So I created my pre-connect script to call my DisableUACforAdmin script as follows:

regedit.exe /s DisableUACforAdmin.reg

Finally, I created a down script to re-enable the UAC when the VPN tunnel is disconnected - thus, returning the user's machine to the original state.

Here's what I did:

regedit.exe /s EnableUACforAdmin.reg

With this, OpenVPN GUI runs without any complaints, the routes are pushed from the server and are properly set on the Windows 7 client. I've tested this on multiple Windows 7 machines and all work. By doing it this way, I avoid the mandatory reboot that comes with disabling the UAC. Thanks again for all the assistance, I hope this will benefit somebody out there with the same problem I ran into.

FINAL NOTE: I realized that the OpenVPN GUI provided at http://openvpn.se doesn't like some of the directives in the config file (such as script-security or key-direction) and will not start unless you comment them out. This may not hold true for all, but I had to use the OpenVPN GUI that comes with release 2.3.2 of OpenVPN.

Kismet Agbasi

To get it to work for me, I go to the openvpn-gui binary, select Properties, select Change Settings For All users, and click Run this program as an administrator in that window. Stop and restart the Openvpn-gui.

David Mackintosh
  • That's what I've tried as well, but nothing seems to be working. I'm baffled - to say the least. Thanks for your input, I'll keep searching for a solution. – Kismet Agbasi Sep 13 '13 at 23:40

The answers above all concentrate on the "official" openvpn client - the Securepoint client http://sourceforge.net/projects/securepoint/ doesn't suffer this problem, and is also open source.

Tom Newton
  • Confirmed to be working. If UAC is turned on (no local admin), then this SecurePoint OpenVPN client is able to connect without the "Route: Waiting for TUN/TAP interface to come up" errors seen with the official OpenVPN UI. There is **no** need to run the program in Admin mode. Thanks a lot! – SaeX Mar 05 '16 at 13:46

May or may not apply to the version in question: OpenVPN w/ Sophos SSL VPN ran into an issue as well where the "OpenVPN Interactive Service" service was not starting successfully on boot. The client machine was a Lenovo Thinkpad T530 and came with pre-installed services from Lenovo that were causing the issue.

Services in question: Fastboot and HyperW7

The issue was less pronounced after running Lenovo & Intel updates, but still occasionally the "OpenVPN Interactive Service" would time out when booting up the computer.

If you disable both of the Lenovo services above, then the "OpenVPN Interactive Service" is able to start. It seems the Lenovo programmers' fiddling with what is allowed to start and what can pause on boot does not play well with OpenVPN.

Once the "OpenVPN Interactive Service" is allowed to properly run at startup, it is then able to allow OpenVPN to commit the routes even with a Standard User logged in.

No need for "Run as administrator" or elevating privileges of a user account.

Arachnid

Try restarting DHCP client service (as suggested in this thread https://forums.openvpn.net/topic13043.html#p41604). It worked in my case.

Vagaus