Windows 10 2004 breaks wintun driver

[RemoteOne]

I have been using the 2.5 technology preview wintun driver for several months and found it very stable.

I just updated my machine to the 2004 release of Windows 10, and launching my OpenVPN connection prompts for my credentials as normal but then fails to connect with the error

Fri Jun 19 16:14:55 2020 us=30856 open_tun
Fri Jun 19 16:14:55 2020 us=37837 MANAGEMENT: Client disconnected
Fri Jun 19 16:14:55 2020 us=37837 All wintun adapters on this system are currently in use.
Fri Jun 19 16:14:55 2020 us=37837 Exiting due to fatal error

Looking at the Network Adapters control panel, the wintun driver is gone.

Re-installing the package does not make it reappear.

[Gert Döring]

Hi @stipa, any ideas?

[RemoteOne]

Follow-up

My previous re-install was to re-run the installer without uninstalling first. This did nothing.

I subsequently completely uninstalled OpenVPN from the "Apps and Features" panel, and then installed it again cleanly. This time it works again - creating a new "WinTun? Userspace Tunnel #2"

The exact same break and fix were observed on two different laptops.

[stipa]

Not sure how Wintun drivers behaves on system upgrade. It looks like driver was removed, but since openvpn NSIS installer stores flag in registry that driver is installer, on updating openvpn wintun driver wasn't installed "back".

Note that since 2.5 openvpn uses MSI installer, so it could have different behavior. Let's retest in in a few weeks when we'll have 2.5.0 installer.

[tct]

Bump -- @RemoteOne?, have you had a chance to test 2.5 MSI installer:
https://openvpn.net/community-downloads/

It is a Beta so there are still teething problems with the installer.

[RemoteOne]

I just saw it had gotten released. I haven't tested it yet.

FYI - I am not in a position to perform a test of installing the Windows Feature Pack 2004 after the OpenVPN 2.5 installation in any case as both my laptops have already been updated to Windows 10 2004.

[RemoteOne]

I have tried the clients for Win10 - 32-bit and 64-bit. In both cases they did not install over the top of the old Wintun beta client well. I had to uninstall and do a fresh install.

The 64-bit one appears to work well - using my existing client files - both wintun and tap.

The 32-bit one works fine with tap but will not use wintun for some reason. I get the following log entries at the end of the login process.

2020-08-20 11:01:57 us=77487 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=5 HWADDR=00:1d:09:c3:8c:d2
2020-08-20 11:01:57 us=111481 open_tun
2020-08-20 11:01:57 us=134483 Register ring buffers failed using service: Insufficient system resources exist to complete the requested service. [status=0x5aa]
2020-08-20 11:01:57 us=134483 Failed to register {77FE2BC6-1A4C-4E6F-920B-12EFD7013E6B} adapter ring buffers
2020-08-20 11:01:57 us=134483 MANAGEMENT: Client disconnected
2020-08-20 11:01:57 us=134483 All wintun adapters on this system are currently in use.
2020-08-20 11:01:57 us=134483 Exiting due to fatal error

The adapter does exist and is not in use.

[tct]

Currently, openvpn does not allow an admin user to Register ring buffers. Please try again with a non-admin user who is in the Openvpn-Users group. This decision to prohibit an admin user from using wintun is under review and may change for the full release.

[tct]

Correction:

An admin user is restricted from using the OpenVPN Interactive-Service, which is a prerequisite to using wintun (unless you do some hacky privilege escalation, which I do not know the details of). So currently, in order to use wintun you must use the iservice and that means you must login as non-admin.

The use of the iservice by an admin account is under review.

[Selva Nair]

A couple of things about the latter part of this ticket on error running 32 bit 2.5-beta1 with wintun.

(i) Its not necessary to login as a non-admin user for the GUI to use the interactive service. Only if you elevate by right-click and "Run as Administrator" or start the GUI from an elevated command prompt will it run as admin and bypass the interactive service. In short, the GUI will behave the same way for both admin and limited users as long as not explicitly elevated. This assumes UAC is not disabled.

(ii) The posted logs show "Register ring buffers failed using service...". So the reason for failure is not running the GUI with admin privileges -- its indeed using the service. Something else has gone wrong. ERROR_NO_SYSTEM_RESOURCES (0x5aa) could be due to various reasons and is hard to troubleshoot. Could be hitting some limit set in memory management, could be anti-virus or something else.

If the 32 bit version is consistently throwing this error, we may have a problem, else this may be a one time thing.

As for the original topic of the ticket -- missing wintun -- I've no idea.

[RemoteOne]

@tincantech

I can confirm that removing my user from the local admin group allowed the 32-bit version to work with the wintun driver.

I am not sure I understand the logic for the restriction though, as many vpn users are home users who will by default be the admins on their own computer.

@Selva Nair
(i) I was not running from CMD as an administrator. Just running the GUI normally.

FYI - Some info that might help debugging the issue - I have 2 laptops - one 32-bit windows 10 and the other 64-bit windows 10. Both have always had my user in the local admin group. The 2.4.x client & pre-release wintun client have worked on both machines with no issues with me as an administrator. The 64-bit client still works on 64-bit windows with no change to the local admin setting. Just the 32-bit client on 32-bit windows is failing with me as a local admin.

(ii) I have no issues running the old wintun beta on the same machine so unlikely to be a resource constraint.

[Selva Nair]

RemoteOne?:
Can you post logs (verb=4) from the 32 bit machine that fails when an admin user runs the GUI (without privilege escalation)? If the logs show the error you posted earlier, its unrelated to the GUI as the service failed to open wintun.

The reason for not allowing connections to the interactive service as admin had to do with an obscure bug in vista that could allow privilege escalation if an admin process connects to a rogue namedpipe running with no privileges but masquerading as the interactive service. We will consider removing this restriction as vista is no longer supported.

[RemoteOne]

verb=4 log for failure of wintun driver on win 10 32-bit using the 32-bit OpenVPN 2.5 beta1 installer

[Selva Nair]

Thanks for the logs. The unexpected error

2020-08-24 17:17:06 us=349410 Register ring buffers failed using service: Insufficient system resources exist to complete the requested service. [status=0x5aa]

is from the service and that should not depend on which user is running the GUI. But you see it only for non-admin user, which is bizarre.

@stipa Any idea why would the interactive service error like this, that too only on 32 bit Windows and when logged in as a limited an admin user even though the service is in use?

[RemoteOne]

@Selva Nair. Log is attached.

[RemoteOne]

@Selva Nair. Follow-up

In order to check if the older preview package still worked, I opened Apps and Features to remove OpenVPN 2.5 beta1. While scrolling to select the package for uninstallation I noticed PureVPN was also installed on that laptop. I uninstalled both OpenVPN and PureVPN, and then re-installed OpenVPN 2.5 beta1. This time it worked correctly, allowing me to use the wintun driver while I was still a local administrator on the box.

The older OpenVPN 2.5 preview client never complained about the existence of PureVPN, and always just worked. Not sure why this new version appears to have a conflict, but it does look as though there is one.

[Samuli Seppänen]

There was a Wintun "technology preview" NSIS installer on our download page for a few months. Was that what you were using @RemoteOne?? Or did you use the test MSI installer that came shortly before OpenVPN 2.5-beta1 was officially released?

[RemoteOne]

@Samuli Seppänen

I had been using the "preview" NSIS ... probably for the last 6 months or so.

[RemoteOne]

@Selva Nair @Samuli Seppänen

One correction on Selva's last comment ...

@stipa Any idea why would the interactive service error like this, that too only on 32 bit Windows and when logged in as a limited user?

It works fine as a limited user. It only exhibits the issue if I am a member of the Administrators group on the machine

[Selva Nair]

Yes, I mistakenly wrote limited user instead of admin user (corrected). The whole error is unusual when it happens only for one user and not other (admin or not). Its the interactive service that errors here and it should handle request from openvpn.exe the same way for all users.

Only when the client (GUI in this case) connects and requests to start openvpn does the service check the user. And the error has nothing to do with that.

[stipa]

Apparently it fails in this function:

​https://github.com/OpenVPN/openvpn/blob/master/src/openvpnserv/interactive.c#L1240

There is not much logging except global "register ring buffer failed", so I cannot say what is going on. I'll try to reproduce it.

[stipa]

Unfortunately I wasn't able to reproduce this.

I tried on Windows 10 2004 (19041.450) 32bit on Hyper-V. I was able to connect using openvpn-gui by admin/non-admin user with wintun.

I see no other options but add more logging to ring buffers registration routine to understand why it fails.

[RemoteOne]

@stipa - Please see my comment 14

At this time I believe that whatever issues were happening were related to some conflict with PureVPN. Once that was removed from the laptop, the new 2.5 client worked for both Admin and non-Admin users.

Today, I even did a full uninstall, put back the old github technology preview, verified it worked, installed the latest beta4 over the top of it, and it stll worked just fine - all as a member of the local Administrators group.

[ValdikSS]

I occasionally still have "register ring buffers failed using service" issue.
I have Microsoft Surface Go tablet with s0ix support. When it's "sleeping", the network interfaces are down. When I press power button to wake it up, 1 out of ~7 times OpenVPN could not reconnect with this error.
Connecting right after this error works fine all the time. I assume there's race condition somewhere.

OpenVPN Community 2.5.7 x86_64.