Score:2

OpenVPN client works everywhere but Windows 11


I have a VM hosted in Azure running OpenVPN. I have been using it for a number of years without issue. I recently got a new computer with Windows 11 on it and can't figure out why it loses internet when I connect to the VPN. I am using the same config file that currently works on both my old Windows 10 computer and my Linux computer.

Below is my config file:

client
proto udp
explicit-exit-notify
remote [MYVPN].com 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_fx[...]IC name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...

The only difference I can see in the log on Win11 vs Win10 is that the Win10 log stops at the line "Blocking outside dns using service succeeded." and Win11 adds the following:

Tue Jun  6 13:08:31 2023 Blocking outside dns using service succeeded.
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD [VPN_IP] MASK 255.255.255.255 192.168.1.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 Initialization Sequence Completed
Tue Jun  6 13:08:31 2023 MANAGEMENT: >STATE:1686020911,CONNECTED,SUCCESS,10.8.0.3,[VPN_IP],1194,,
Tue Jun  6 13:08:31 2023 Data Channel: cipher 'AES-128-GCM', peer-id: 0
Tue Jun  6 13:08:31 2023 Timers: ping 10, ping-restart 120
Tue Jun  6 13:08:31 2023 Protocol options: explicit-exit-notify 1

I have tried the usual things like reinstalling, disabling the firewall, whitelisting OpenVPN and OpenVPN GUI, ensuring they run as administrator, etc.

The connection succeeds, but when connected, I cannot browse to any websites, ping 8.8.8.8, or tracert 8.8.8.8; everything times out and Windows complains that I have lost internet connectivity. Note that when connected to the VPN, I want all traffic to go through it.

The route table looks like it is being updated correctly when connected:

C:\> route print
===========================================================================
Interface List
 20...........................OpenVPN Data Channel O..load
 12...........................Wintun Userspace Tunnel
  6...00 .. .. .. .. 54 ......TAP-Windows Adapter V9
  5...98 .. .. .. .. a5 ......Microsoft Wi-Fi Direct Virtual Adapter
 18...9a .. .. .. .. a4 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 16...00 .. .. .. .. 01 ......VMware Virtual Ethernet Adapter for VMnet1
 23...00 .. .. .. .. 08 ......VMware Virtual Ethernet Adapter for VMnet8
  7...98 .. .. .. .. a4 ......Intel(R) Wi-Fi 6E AX211 160MHz
 15...98 .. .. .. .. a8 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.186     40
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.3    259
         10.8.0.0    255.255.255.0         On-link          10.8.0.3    259
         10.8.0.3  255.255.255.255         On-link          10.8.0.3    259
       10.8.0.255  255.255.255.255         On-link          10.8.0.3    259
         [VPN_IP]  255.255.255.255      192.168.1.1    192.168.1.186    296
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.3    259
      192.168.1.0    255.255.255.0         On-link     192.168.1.186    296
    192.168.1.186  255.255.255.255         On-link     192.168.1.186    296
    192.168.1.255  255.255.255.255         On-link     192.168.1.186    296
     192.168.60.0    255.255.255.0         On-link      192.168.60.1    291
     192.168.60.1  255.255.255.255         On-link      192.168.60.1    291
   192.168.60.255  255.255.255.255         On-link      192.168.60.1    291
     192.168.88.0    255.255.255.0         On-link      192.168.88.1    291
     192.168.88.1  255.255.255.255         On-link      192.168.88.1    291
   192.168.88.255  255.255.255.255         On-link      192.168.88.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.88.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.60.1    291
        224.0.0.0        240.0.0.0         On-link          10.8.0.3    259
        224.0.0.0        240.0.0.0         On-link     192.168.1.186    296
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.88.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.60.1    291
  255.255.255.255  255.255.255.255         On-link          10.8.0.3    259
  255.255.255.255  255.255.255.255         On-link     192.168.1.186    296
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 16    291 fe80::/64                On-link
 23    291 fe80::/64                On-link
 20    259 fe80::/64                On-link
  7    296 fe80::/64                On-link
  7    296 fe80::38b:c8fa:8c0f:e7eb/128
                                    On-link
 23    291 fe80::66d1:fa0c:faf:76ae/128
                                    On-link
 16    291 fe80::7cee:ec22:fbe6:b4c5/128
                                    On-link
 20    259 fe80::9ec1:6dd9:f3c4:130b/128
                                    On-link
  1    331 ff00::/8                 On-link
 16    291 ff00::/8                 On-link
 23    291 ff00::/8                 On-link
 20    259 ff00::/8                 On-link
  7    296 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Not sure where else to look. It has to be something Windows 11 specific, as everything is working fine on other devices running Windows 10 and Linux. The full OpenVPN log is also below:

Tue Jun  6 13:08:29 2023 OpenVPN 2.6.4 [git:v2.6.4/b4f749f14a8edc75] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on May 11 2023
Tue Jun  6 13:08:29 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Tue Jun  6 13:08:29 2023 library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10
Tue Jun  6 13:08:29 2023 DCO version: v0
Tue Jun  6 13:08:29 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jun  6 13:08:29 2023 Need hold release from management interface, waiting...
Tue Jun  6 13:08:29 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:59984
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'state on'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'log on all'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'echo on all'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'bytecount 5'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'state'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'hold off'
Tue Jun  6 13:08:29 2023 MANAGEMENT: CMD 'hold release'
Tue Jun  6 13:08:29 2023 MANAGEMENT: >STATE:1686020909,RESOLVE,,,,,,
Tue Jun  6 13:08:29 2023 TCP/UDP: Preserving recently used remote address: [AF_INET][VPN_IP]:1194
Tue Jun  6 13:08:29 2023 ovpn-dco device [OpenVPN Data Channel Offload] opened
Tue Jun  6 13:08:29 2023 UDP link local: (not bound)
Tue Jun  6 13:08:29 2023 UDP link remote: [AF_INET][VPN_IP]:1194
Tue Jun  6 13:08:29 2023 MANAGEMENT: >STATE:1686020909,WAIT,,,,,,
Tue Jun  6 13:08:29 2023 MANAGEMENT: >STATE:1686020909,AUTH,,,,,,
Tue Jun  6 13:08:29 2023 TLS: Initial packet from [AF_INET][VPN_IP]:1194, sid=320fdc3e bf8fe132
Tue Jun  6 13:08:29 2023 VERIFY OK: depth=1, CN=cn_Kz[...]Eq
Tue Jun  6 13:08:29 2023 VERIFY KU OK
Tue Jun  6 13:08:29 2023 Validating certificate extended key usage
Tue Jun  6 13:08:29 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jun  6 13:08:29 2023 VERIFY EKU OK
Tue Jun  6 13:08:29 2023 VERIFY X509NAME OK: CN=server_fx[...]IC
Tue Jun  6 13:08:29 2023 VERIFY OK: depth=0, CN=server_fx[...]IC
Tue Jun  6 13:08:30 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit ECprime256v1, signature: ecdsa-with-SHA256
Tue Jun  6 13:08:30 2023 [server_fx[...]IC] Peer Connection Initiated with [AF_INET][VPN_IP]:1194
Tue Jun  6 13:08:30 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Tue Jun  6 13:08:30 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Tue Jun  6 13:08:31 2023 MANAGEMENT: >STATE:1686020911,GET_CONFIG,,,,,,
Tue Jun  6 13:08:31 2023 SENT CONTROL [server_fx[...]IC]: 'PUSH_REQUEST' (status=1)
Tue Jun  6 13:08:31 2023 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-128-GCM'
Tue Jun  6 13:08:31 2023 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jun  6 13:08:31 2023 OPTIONS IMPORT: route options modified
Tue Jun  6 13:08:31 2023 OPTIONS IMPORT: route-related options modified
Tue Jun  6 13:08:31 2023 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jun  6 13:08:31 2023 interactive service msg_channel=820
Tue Jun  6 13:08:31 2023 MANAGEMENT: >STATE:1686020911,ASSIGN_IP,,10.8.0.3,,,,
Tue Jun  6 13:08:31 2023 INET address service: add 10.8.0.3/24
Tue Jun  6 13:08:31 2023 IPv4 dns servers set using service
Tue Jun  6 13:08:31 2023 IPv4 MTU set to 1500 on interface 20 using service
Tue Jun  6 13:08:31 2023 Blocking outside dns using service succeeded.
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD [VPN_IP] MASK 255.255.255.255 192.168.1.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Tue Jun  6 13:08:31 2023 Route addition via service succeeded
Tue Jun  6 13:08:31 2023 Initialization Sequence Completed
Tue Jun  6 13:08:31 2023 MANAGEMENT: >STATE:1686020911,CONNECTED,SUCCESS,10.8.0.3,[VPN_IP],1194,,
Tue Jun  6 13:08:31 2023 Data Channel: cipher 'AES-128-GCM', peer-id: 0
Tue Jun  6 13:08:31 2023 Timers: ping 10, ping-restart 120
Tue Jun  6 13:08:31 2023 Protocol options: explicit-exit-notify 1

EDIT: One other difference I noticed was in the Network and Sharing Center on Windows 11: the active network appears as "OpenVPN Data Channel Offload 2" with the values Access type: No network access and Connections: OpenVPN Data Channel Offload, whereas on Windows 10 it appears as an "Unidentified network" with Access type: Internet and Connections: Ethernet and vEthernet (WSL). Not sure if that makes a difference.
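The question's route table already contains the three routes that "redirect-gateway def1" is supposed to install (0.0.0.0/1 and 128.0.0.0/1 via 10.8.0.1, plus a /32 host route to the VPN server via the LAN gateway so the tunnel's own packets do not loop into the tunnel). The script below is an added example, not part of the original post: it parses the PUSH_REPLY line and the "route print" rows quoted above, derives the routes def1 should have produced, checks that they are present, and then does a Windows-style longest-prefix-then-lowest-metric lookup to show which gateway and interface a packet to 8.8.8.8 would actually use. The server address is redacted in the post, so 20.0.0.10 is assumed here purely as a placeholder for [VPN_IP]; only a subset of the table rows is embedded, and the lookup ignores interface-level tie-breaking that Windows applies when prefix length and metric are both equal.

```python
import ipaddress

# Constructed sample input: the PUSH_REPLY and a subset of the IPv4 route
# rows from the question. 20.0.0.10 is an assumed stand-in for [VPN_IP].
VPN_SERVER = "20.0.0.10"
LAN_GATEWAY = "192.168.1.1"

PUSH_REPLY = ("PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,"
              "redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,"
              "topology subnet,ping 10,ping-restart 120,"
              "ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-128-GCM")

ROUTE_PRINT = f"""
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.186     40
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.3    259
         10.8.0.0    255.255.255.0         On-link          10.8.0.3    259
        {VPN_SERVER}  255.255.255.255      192.168.1.1    192.168.1.186    296
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.3    259
      192.168.1.0    255.255.255.0         On-link     192.168.1.186    296
"""


def parse_route_print(text):
    """Turn 'route print' IPv4 rows into (network, gateway, interface, metric).
    Gateway is None for On-link routes. Non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}")
            gateway = None if gw == "On-link" else ipaddress.IPv4Address(gw)
            routes.append((net, gateway, ipaddress.IPv4Address(iface), int(metric)))
        except ValueError:
            continue  # header / separator line, not a route
    return routes


def expected_def1_routes(push_reply, vpn_server, lan_gateway):
    """Routes the client adds for 'redirect-gateway def1': two /1 routes via
    the pushed route-gateway and a /32 to the server via the original gateway."""
    route_gw = None
    def1 = False
    for opt in push_reply.split(",")[1:]:
        if opt.startswith("route-gateway "):
            route_gw = ipaddress.IPv4Address(opt.split()[1])
        elif opt.startswith("redirect-gateway") and "def1" in opt:
            def1 = True
    if not def1 or route_gw is None:
        return []
    return [
        (ipaddress.IPv4Network(f"{vpn_server}/32"), ipaddress.IPv4Address(lan_gateway)),
        (ipaddress.IPv4Network("0.0.0.0/1"), route_gw),
        (ipaddress.IPv4Network("128.0.0.0/1"), route_gw),
    ]


def missing_routes(routes, expected):
    """Expected (network, gateway) pairs that are absent from the live table."""
    present = {(net, gw) for net, gw, _iface, _metric in routes}
    return [e for e in expected if e not in present]


def lookup(routes, dst):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    expected = expected_def1_routes(PUSH_REPLY, VPN_SERVER, LAN_GATEWAY)
    print("missing def1 routes:", missing_routes(table, expected) or "none")
    for target in ("8.8.8.8", VPN_SERVER, "192.168.1.50"):
        net, gw, iface, metric = lookup(table, target)
        print(f"{target:>14} -> {net} via {gw or 'On-link'} on {iface} (metric {metric})")
```

If this reports no missing routes and 8.8.8.8 resolves to 0.0.0.0/1 via 10.8.0.1 on 10.8.0.3, the kernel routing decision is already correct and the fault is downstream of it (the adapter, the tunnel itself, or the far end), which is where to look next rather than at the route table.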

Score:0

There might be a problem linked to the routing on your Windows 11: you defined the default gateway as 10.8.0.1 (the VPN server), but for the VPN server's route it is setting the gateway to your local gateway (192.168.1.1); this can confuse the routing.

Let's try changing the following lines in your OpenVPN config file:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
react-dev: I updated the config, but there was no change in the behaviour.

Saxtheowl: Try to reload/restart everything; also check if your Azure VM is correctly configured to handle and forward VPN traffic.

react-dev: I uninstalled, rebooted, then reinstalled and used the updated client config. Is there anything specifically in the log I should be looking for? It doesn't look any different to the original one posted as far as I can tell.

Saxtheowl: I think your problem comes from the fact that your Azure VM is not configured properly. You could also check that you are running everything as admin and that you don't have an antivirus or firewall blocking the traffic; otherwise I am kinda lost here :/