Discussion:
Permission problem with openvpn moving from WinXP to Win10 causing route changes to fail
Roy Tremblay
2017-05-27 01:42:40 UTC
Permission problem with openvpn moving from WinXP to Win10 causing route
changes to fail.

On Windows XP, for years, I have been doubleclicking on any openvpn text
file which is set to open in the "OpenVPN Daemon" and that, in and of
itself, connects me to VPN every time.

File association for WinXP:
[image]

File association for Win10:
[image]

Using the same file and procedure on Windows 10, the routes all fail due to
a Windows 10 permission problem.

Here's a summary of the openvpn errors:
|---- start -----
FlushIpNetTable failed on interface [17]
{78A54AAA-5893-4E9A-9FAB-429FF3FB3C87} (status=5) : Access is denied.
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.
[status=5 if_index=8]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
ERROR: Windows route add command failed [adaptive]: returned error code 1
C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.211.1.46
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.
[status=5 if_index=17]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
ERROR: Windows route add command failed [adaptive]: returned error code 1
C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.211.1.46
ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.
[status=5 if_index=17]
Route addition via IPAPI failed [adaptive]
Route addition fallback to route.exe
env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
ERROR: Windows route add command failed [adaptive]: returned error code 1
Initialization Sequence Completed
|---- end -----

I will send out a more detailed description of the error.

I suspect Windows 10 has a special permission that is needed.
But what?
Roy Tremblay
2017-05-27 01:47:00 UTC
On Sat, 27 May 2017 01:42:40 +0000 (UTC), Roy Tremblay wrote:
> I will send out a more detailed description of the error.
> I suspect Windows 10 has a special permission that is needed.
> But what?

Here is the complete log of the error.
Do you know what permissions are needed on Windows 10 that weren't needed on Windows XP?

============================================================================
Fri May 26 04:44:37 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Fri May 26 04:44:37 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Fri May 26 04:44:37 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Fri May 26 04:44:37 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri May 26 04:44:37 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]121.123.145.123:1812
Fri May 26 04:44:37 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri May 26 04:44:37 2017 UDP link local: (not bound)
Fri May 26 04:44:37 2017 UDP link remote: [AF_INET]121.123.145.123:1812
Fri May 26 04:44:37 2017 TLS: Initial packet from [AF_INET]121.123.145.123:1812, sid=9cec2ed0 b4a71ddf
Fri May 26 04:44:37 2017 VERIFY OK: depth=2, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Fri May 26 04:44:37 2017 VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Fri May 26 04:44:37 2017 VERIFY OK: depth=0, OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.opengw.net
Fri May 26 04:44:38 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri May 26 04:44:38 2017 [*.opengw.net] Peer Connection Initiated with [AF_INET]121.123.145.123:1812
Fri May 26 04:44:39 2017 SENT CONTROL [*.opengw.net]: 'PUSH_REQUEST' (status=1)
Fri May 26 04:44:39 2017 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.45 10.211.1.46,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.46,redirect-gateway def1'
Fri May 26 04:44:39 2017 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 26 04:44:39 2017 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 26 04:44:39 2017 OPTIONS IMPORT: route options modified
Fri May 26 04:44:39 2017 OPTIONS IMPORT: route-related options modified
Fri May 26 04:44:39 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 26 04:44:39 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri May 26 04:44:39 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 26 04:44:39 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri May 26 04:44:39 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 26 04:44:39 2017 interactive service msg_channel=0
Fri May 26 04:44:39 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=8 HWADDR=01:3a:33:58:22:bd
Fri May 26 04:44:39 2017 open_tun
Fri May 26 04:44:39 2017 TAP-WIN32 device [Ethernet] opened: \\.\Global\{78A54AAA-5893-4E9A-9FAB-429FF3FB3C87}.tap
Fri May 26 04:44:39 2017 TAP-Windows Driver Version 9.21
Fri May 26 04:44:39 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.211.1.45/255.255.255.252 on interface {78A54AAA-5893-4E9A-9FAB-429FF3FB3C87} [DHCP-serv: 10.211.1.46, lease-time: 31536000]
Fri May 26 04:44:39 2017 NOTE: FlushIpNetTable failed on interface [17] {78A54AAA-5893-4E9A-9FAB-429FF3FB3C87} (status=5) : Access is denied.
Fri May 26 04:44:39 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri May 26 04:44:44 2017 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Fri May 26 04:44:44 2017 C:\WINDOWS\system32\route.exe ADD 121.123.145.123 MASK 255.255.255.255 192.168.1.1
Fri May 26 04:44:44 2017 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=8]
Fri May 26 04:44:44 2017 Route addition via IPAPI failed [adaptive]
Fri May 26 04:44:44 2017 Route addition fallback to route.exe
Fri May 26 04:44:44 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri May 26 04:44:44 2017 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri May 26 04:44:44 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.211.1.46
Fri May 26 04:44:44 2017 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=17]
Fri May 26 04:44:44 2017 Route addition via IPAPI failed [adaptive]
Fri May 26 04:44:44 2017 Route addition fallback to route.exe
Fri May 26 04:44:44 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri May 26 04:44:44 2017 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri May 26 04:44:44 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.211.1.46
Fri May 26 04:44:44 2017 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=17]
Fri May 26 04:44:44 2017 Route addition via IPAPI failed [adaptive]
Fri May 26 04:44:44 2017 Route addition fallback to route.exe
Fri May 26 04:44:44 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri May 26 04:44:44 2017 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri May 26 04:44:44 2017 Initialization Sequence Completed
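
The Windows 10 log above still ends with "Initialization Sequence Completed" even though all three route additions failed, so the two `redirect-gateway def1` routes (0.0.0.0/1 and 128.0.0.0/1) were never installed and traffic keeps using the existing default gateway. The following is an added example, not part of the original thread: a small Python check (the function name `audit` and the result keys are assumptions made for this illustration) that reads an OpenVPN client log and flags that condition.

```python
import re

# Sample input: lines copied from the Windows 10 log posted in this thread,
# trimmed to the entries the checks below look at.
SAMPLE_LOG = r"""
Fri May 26 04:44:39 2017 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.45 10.211.1.46,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.46,redirect-gateway def1'
Fri May 26 04:44:44 2017 C:\WINDOWS\system32\route.exe ADD 121.123.145.123 MASK 255.255.255.255 192.168.1.1
Fri May 26 04:44:44 2017 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=8]
Fri May 26 04:44:44 2017 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri May 26 04:44:44 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.211.1.46
Fri May 26 04:44:44 2017 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=17]
Fri May 26 04:44:44 2017 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri May 26 04:44:44 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.211.1.46
Fri May 26 04:44:44 2017 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=17]
Fri May 26 04:44:44 2017 ERROR: Windows route add command failed [adaptive]: returned error code 1
Fri May 26 04:44:44 2017 Initialization Sequence Completed
"""

ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
# The two half-default routes that "redirect-gateway def1" installs.
DEF1_ROUTES = {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")}

def audit(log_text):
    """Track each route.exe ADD attempt and whether it ended in failure."""
    routes, current = [], None
    pushed_def1 = completed = False
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            current = {"dest": m.group(1), "mask": m.group(2), "gw": m.group(3), "ok": True}
            routes.append(current)
        elif current and "route add command failed" in line:
            current["ok"] = False  # IPAPI and the route.exe fallback both failed
        elif "PUSH_REPLY" in line and "redirect-gateway def1" in line:
            pushed_def1 = True
        elif "Initialization Sequence Completed" in line:
            completed = True
    failed = [r for r in routes if not r["ok"]]
    missing_def1 = [r for r in failed if (r["dest"], r["mask"]) in DEF1_ROUTES]
    return {
        "failed": [(r["dest"], r["mask"]) for r in failed],
        # Tunnel reported as up and the server asked for a full redirect,
        # but the /1 routes that carry that redirect were not installed.
        "tunnel_up_but_not_default": completed and pushed_def1 and bool(missing_def1),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```
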
Roy Tremblay
2017-05-27 02:06:20 UTC
On Sat, 27 May 2017 01:47:00 +0000 (UTC), Roy Tremblay wrote:
>> I suspect Windows 10 has a special permission that is needed.
>> But what?
> Here is the complete log of the error.
> Do you know what permissions are needed on Windows 10 that weren't needed on Windows XP?

By way of contrast, here's the log of the ovpn file working on WinXP.
Why does any ovpn file work on WinXP but fail due to permissions on Win10?

============================================================================
Fri May 26 04:56:51 2017 OpenVPN 2.3.11 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
Fri May 26 04:56:51 2017 Windows version 5.1 (Windows XP) 32bit
Fri May 26 04:56:51 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Fri May 26 04:56:51 2017 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri May 26 04:56:52 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 26 04:56:52 2017 UDPv4 link local: [undef]
Fri May 26 04:56:52 2017 UDPv4 link remote: [AF_INET]121.123.145.123:1812
Fri May 26 04:56:52 2017 TLS: Initial packet from [AF_INET]121.123.145.123:1812, sid=90e42959 f981c201
Fri May 26 04:56:52 2017 VERIFY OK: depth=2, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Fri May 26 04:56:52 2017 VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Fri May 26 04:56:52 2017 VERIFY OK: depth=0, OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.opengw.net
Fri May 26 04:56:53 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri May 26 04:56:53 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 26 04:56:53 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri May 26 04:56:53 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 26 04:56:53 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri May 26 04:56:53 2017 [*.opengw.net] Peer Connection Initiated with [AF_INET]121.123.145.123:1812
Fri May 26 04:56:55 2017 SENT CONTROL [*.opengw.net]: 'PUSH_REQUEST' (status=1)
Fri May 26 04:56:55 2017 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.1 10.211.1.2,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.2,redirect-gateway def1'
Fri May 26 04:56:55 2017 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 26 04:56:55 2017 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 26 04:56:55 2017 OPTIONS IMPORT: route options modified
Fri May 26 04:56:55 2017 OPTIONS IMPORT: route-related options modified
Fri May 26 04:56:55 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 26 04:56:55 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=2 HWADDR=01:3a:33:58:22:bd
Fri May 26 04:56:55 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri May 26 04:56:55 2017 open_tun, tt->ipv6=0
Fri May 26 04:56:55 2017 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{F1AB3A59-4892-3D3D-3CD9-724A239BA879}.tap
Fri May 26 04:56:55 2017 TAP-Windows Driver Version 9.9
Fri May 26 04:56:55 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.211.1.1/255.255.255.252 on interface {F1AB3A59-4892-3D3D-3CD9-724A239BA879} [DHCP-serv: 10.211.1.2, lease-time: 31536000]
Fri May 26 04:56:55 2017 Successful ARP Flush on interface [3] {F1AB3A59-4892-3D3D-3CD9-724A239BA879}
Fri May 26 18:54:00 2017 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
Fri May 26 18:54:00 2017 Route: Waiting for TUN/TAP interface to come up...
Fri May 26 18:54:01 2017 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Fri May 26 18:54:01 2017 C:\WINDOWS\system32\route.exe ADD 121.123.145.123 MASK 255.255.255.255 192.168.1.1
Fri May 26 18:54:01 2017 Route addition via IPAPI succeeded [adaptive]
Fri May 26 18:54:01 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.211.1.2
Fri May 26 18:54:01 2017 Route addition via IPAPI succeeded [adaptive]
Fri May 26 18:54:01 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.211.1.2
Fri May 26 18:54:01 2017 Route addition via IPAPI succeeded [adaptive]
Fri May 26 18:54:01 2017 Initialization Sequence Completed
Roy Tremblay
2017-05-27 03:07:35 UTC
On Sat, 27 May 2017 01:42:40 +0000 (UTC), Roy Tremblay wrote:
> Permission problem with openvpn moving from WinXP to Win10 causing route
> changes to fail.

Thanks to the suggestion from Good Guy, I solved the problem of *.ovpn
OpenVPN text files not having the permissions to run the necessary route
commands to get onto VPN.

After I installed the Win7/8/Vista/10 64-bit OpenVPN package on Windows 10,
I changed the file associations for doubleclicking on *.ovpn text files to
open up in the "OpenVPN Daemon" instead of the "OpenVPN GUI".
[image]

I did that same file association change many years ago, on Windows XP:
https://s29.postimg.org/estakppgn/openvpn.gif

This allows me to just doubleclick on any of hundreds of *.ovpn openvpn text
files, and they open up in the OpenVPN Daemon, which just looks like a
command window with a text running log file (which is what I pasted
separately).

When I close the command window with the running log file, that knocks me
off of VPN. So, there is no OpenVPN GUI involved. And there is no link
involved.

I doubleclick on an *.ovpn text file to get on VPN.
I close that running log file to get off of VPN.

On Windows 10, I made the same file association change:
https://s14.postimg.org/y3vs59vnl/Clipboard03.gif

But after clicking on an *.ovpn OpenVPN text file, the running log showed
that it needed more permissions for some very strange reason (unknown to me
at this point).

Predictably, setting the "OpenVPN GUI" link to run as administrator did
nothing:
[image]

But that's probably because I am not using the OpenVPN GUI (and even more to
the point, I'm not using any links to start the program). I'm using file
associations to start the OpenVPN Daemon instead of using the OpenVPN GUI.

So, based on Good Guy's suggestion, I went to the OpenVPN bin directory and
arbitrarily set *all* the exe files to run as administrator:
[image]

That solved the problem of permissions!

Now when I doubleclick in Windows 10 on any *.ovpn OpenVPN text file, the
OpenVPN Daemon pops up the running log file, which shows that there are no
longer permission errors when the route commands are run.

I have no idea why this extra step is required, nor why it's not documented
in any of the OpenVPN setup tutorials for Windows 10.

All I know is that setting all the executables to run as administrator
solved whatever problem Windows 10 has introduced that Windows XP didn't
have.
Roy Tremblay
2017-05-27 03:31:21 UTC
Permalink
On Sat, 27 May 2017 03:07:35 +0000 (UTC), Roy Tremblay wrote:
> So, based on Good Guy's suggestion, I went to the OpenVPN bin directory and
> https://s9.postimg.org/w1wwgzlrj/Clipboard02.gif
> That solved the problem of permissions!
> Now when I doubleclick in Windows 10 on any *.ovpn OpenVPN text file, the
> OpenVPN Daemon pops up the running log file, which shows that there are no
> longer permission errors when the route commands are run.
> I have no idea why this extra step is required, nor why it's not documented
> in any of the OpenVPN setup tutorials for Windows 10.
> All I know is that setting all the executables to run as administrator
> solved whatever problem Windows 10 has introduced that Windows XP didn't
> have.

To give you an idea of what the documentation says, here are the tutorials I
looked at, none of which explained this mysterious process for the OpenVPN
Daemon (but they did it for the OpenVPN GUI).

How to set up OpenVPN on Windows 10
https://www.hideipvpn.com/setup/how-to-setup-openvpn-on-windows-10/

Windows 10 OpenVPN setup tutorial
https://strongvpn.com/setup-windows-10-openvpn.html

How to set up OpenVPN on Windows 10
https://www.cactusvpn.com/tutorials/how-to-set-up-openvpn-on-windows-10/

How to install OpenVPN on Windows 10
https://www.vpncompare.co.uk/how-to-install-openvpn-on-windows-10/

How to set up a manual OpenVPN connection on Windows 10
https://nordvpn.com/tutorials/windows-10/openvpn/

How to set up OpenVPN on Windows 10
https://www.smartydns.com/support/how-to-set-up-openvpn-on-windows-10/

And this one used a completely different method!

How to Set up a VPN Connection in Windows 10
http://www.tomshardware.com/faq/id-2569630/set-vpn-connection-windows.html

I guess I'm the only one who simply doubleclicks on the *.ovpn OpenVPN text
files to connect to VPN (closing the running log to disconnect from VPN).

Everyone else must be using the OpenVPN GUI, but I find it's a *lot* more
steps to use the GUI than to just doubleclick on the *.ovpn file itself,
especially since I have hundreds of *.ovpn files lying around.

Since I set the windows to all open in the same spot, I can open up a
hundred *.ovpn files in one doubleclick action, and then close the ones that
don't work and keep the one that works (only one will work at a time so
there's no danger if more than one *.ovpn file is good).

I guess I'm the only one using this efficient use model.

Everyone else must be clicking like crazy in the GUI which itself is limited
to a puny 50 files each of which seems to need to be selected manually
anyway (as far as I can tell anyway) so the GUI is a lousy use model if you
ask me.
