Opened 3 months ago

Last modified 6 days ago

#1295 assigned Bug / Defect

Windows 10 2004 breaks wintun driver

Reported by: RemoteOne
Owned by: stipa
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.4.8 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc: Samuli Seppänen

Description

I have been using the 2.5 technology preview wintun driver for several months and found it very stable.

I just updated my machine to the 2004 release of Windows 10, and launching my OpenVPN connection prompts for my credentials as normal but then fails to connect with the error

Fri Jun 19 16:14:55 2020 us=30856 open_tun
Fri Jun 19 16:14:55 2020 us=37837 MANAGEMENT: Client disconnected
Fri Jun 19 16:14:55 2020 us=37837 All wintun adapters on this system are currently in use.
Fri Jun 19 16:14:55 2020 us=37837 Exiting due to fatal error

Looking at the Network Adapters control panel, the wintun driver is gone.

Re-installing the package does not make it reappear.

Attachments (1)

Verb4Log32bitWintunFailure.log (23.4 KB) - added by RemoteOne 4 weeks ago.
verb=4 log for failure of wintun driver on win 10 32-bit using the 32-bit OpenVPN 2.5 beta1 installer


Change History (22)

comment:1 Changed 3 months ago by Gert Döring

Cc: Samuli Seppänen added
Owner: set to stipa
Status: new → assigned

Hi @stipa, any ideas?

comment:2 Changed 3 months ago by RemoteOne

Follow-up

My previous re-install was to re-run the installer without uninstalling first. This did nothing.

I subsequently completely uninstalled OpenVPN from the "Apps and Features" panel, and then installed it again cleanly. This time it works again - creating a new "WinTun Userspace Tunnel #2".

The exact same break and fix were observed on two different laptops.

comment:3 Changed 2 months ago by stipa

Not sure how the Wintun driver behaves on system upgrade. It looks like the driver was removed, but since the openvpn NSIS installer stores a flag in the registry that the driver is installed, on updating openvpn the wintun driver wasn't installed "back".

Note that since 2.5 openvpn uses an MSI installer, so it could have different behavior. Let's retest in a few weeks when we have the 2.5.0 installer.

comment:4 Changed 5 weeks ago by tincantech

Bump -- @RemoteOne, have you had a chance to test the 2.5 MSI installer:
https://openvpn.net/community-downloads/

It is a Beta so there are still teething problems with the installer.

comment:5 Changed 5 weeks ago by RemoteOne

I just saw it had gotten released. I haven't tested it yet.

FYI - I am not in a position to perform a test of installing the Windows Feature Pack 2004 after the OpenVPN 2.5 installation in any case as both my laptops have already been updated to Windows 10 2004.

comment:6 Changed 4 weeks ago by RemoteOne

I have tried the clients for Win10 - 32-bit and 64-bit. In both cases they did not install over the top of the old Wintun beta client well. I had to uninstall and do a fresh install.

The 64-bit one appears to work well - using my existing client files - both wintun and tap.

The 32-bit one works fine with tap but will not use wintun for some reason. I get the following log entries at the end of the login process.

2020-08-20 11:01:57 us=77487 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 I=5 HWADDR=00:1d:09:c3:8c:d2
2020-08-20 11:01:57 us=111481 open_tun
2020-08-20 11:01:57 us=134483 Register ring buffers failed using service: Insufficient system resources exist to complete the requested service. [status=0x5aa]
2020-08-20 11:01:57 us=134483 Failed to register {77FE2BC6-1A4C-4E6F-920B-12EFD7013E6B} adapter ring buffers
2020-08-20 11:01:57 us=134483 MANAGEMENT: Client disconnected
2020-08-20 11:01:57 us=134483 All wintun adapters on this system are currently in use.
2020-08-20 11:01:57 us=134483 Exiting due to fatal error

The adapter does exist and is not in use.

comment:7 Changed 4 weeks ago by tincantech

Currently, openvpn does not allow an admin user to Register ring buffers. Please try again with a non-admin user who is in the Openvpn-Users group. This decision to prohibit an admin user from using wintun is under review and may change for the full release.

comment:8 Changed 4 weeks ago by tincantech

Correction:

An admin user is restricted from using the OpenVPN Interactive-Service, which is a prerequisite to using wintun (unless you do some hacky privilege escalation, which I do not know the details of). So currently, in order to use wintun you must use the iservice and that means you must login as non-admin.

The use of the iservice by an admin account is under review.

comment:9 Changed 4 weeks ago by Selva Nair

A couple of things about the latter part of this ticket on error running 32 bit 2.5-beta1 with wintun.

(i) It's not necessary to login as a non-admin user for the GUI to use the interactive service. Only if you elevate by right-click and "Run as Administrator" or start the GUI from an elevated command prompt will it run as admin and bypass the interactive service. In short, the GUI will behave the same way for both admin and limited users as long as not explicitly elevated. This assumes UAC is not disabled.

(ii) The posted logs show "Register ring buffers failed using service...". So the reason for failure is not running the GUI with admin privileges -- it's indeed using the service. Something else has gone wrong. ERROR_NO_SYSTEM_RESOURCES (0x5aa) could be due to various reasons and is hard to troubleshoot. Could be hitting some limit set in memory management, could be anti-virus or something else.

If the 32 bit version is consistently throwing this error, we may have a problem, else this may be a one time thing.

As for the original topic of the ticket -- missing wintun -- I've no idea.
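An added example (not part of the ticket and not OpenVPN code) of the log reading done in comment 9: "All wintun adapters on this system are currently in use." appears in both failures on this page, so triage has to look for the more specific line logged before it. The function name, result keys and cause labels are hypothetical; the log excerpts are copied from the ticket.

```python
import re

# Win32 status named in the ticket (0x5aa); other codes are reported as unknown.
WIN32_NAMES = {0x5AA: "ERROR_NO_SYSTEM_RESOURCES"}

# Both timestamp styles that appear in the ticket, each followed by "us=<n>".
PREFIX = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
    r"|[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})"
    r" us=\d+ (?P<msg>.*)$")
RING_FAIL = re.compile(
    r"^Register ring buffers failed using service: .*\[status=(0x[0-9a-fA-F]+)\]$")
ALL_IN_USE = "All wintun adapters on this system are currently in use."

# Excerpts copied from the ticket description and from comment 6.
LOG_DESCRIPTION = """\
Fri Jun 19 16:14:55 2020 us=30856 open_tun
Fri Jun 19 16:14:55 2020 us=37837 MANAGEMENT: Client disconnected
Fri Jun 19 16:14:55 2020 us=37837 All wintun adapters on this system are currently in use.
Fri Jun 19 16:14:55 2020 us=37837 Exiting due to fatal error
"""
LOG_COMMENT6 = """\
2020-08-20 11:01:57 us=111481 open_tun
2020-08-20 11:01:57 us=134483 Register ring buffers failed using service: Insufficient system resources exist to complete the requested service. [status=0x5aa]
2020-08-20 11:01:57 us=134483 Failed to register {77FE2BC6-1A4C-4E6F-920B-12EFD7013E6B} adapter ring buffers
2020-08-20 11:01:57 us=134483 All wintun adapters on this system are currently in use.
2020-08-20 11:01:57 us=134483 Exiting due to fatal error
"""

def triage(log_text):
    """Classify the last open_tun attempt; None if it logged no wintun failure."""
    result, in_open_tun = None, False
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        ring = RING_FAIL.match(msg)
        if msg == "open_tun":
            in_open_tun, result = True, None      # a new attempt resets state
        elif in_open_tun and ring:
            code = int(ring.group(1), 16)
            result = {"cause": "ring_buffer_registration_via_service",
                      "status": code, "name": WIN32_NAMES.get(code, "unknown")}
        elif in_open_tun and msg == ALL_IN_USE and result is None:
            # Generic message with no earlier, more specific error in this attempt.
            result = {"cause": "no_wintun_adapter_opened"}
    return result
```
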

comment:10 Changed 4 weeks ago by RemoteOne

@tincantech

I can confirm that removing my user from the local admin group allowed the 32-bit version to work with the wintun driver.

I am not sure I understand the logic for the restriction though, as many vpn users are home users who will by default be the admins on their own computer.

@Selva Nair
(i) I was not running from CMD as an administrator. Just running the GUI normally.

FYI - Some info that might help debugging the issue - I have 2 laptops - one 32-bit windows 10 and the other 64-bit windows 10. Both have always had my user in the local admin group. The 2.4.x client & pre-release wintun client have worked on both machines with no issues with me as an administrator. The 64-bit client still works on 64-bit windows with no change to the local admin setting. Just the 32-bit client on 32-bit windows is failing with me as a local admin.

(ii) I have no issues running the old wintun beta on the same machine so unlikely to be a resource constraint.

comment:11 Changed 4 weeks ago by Selva Nair

RemoteOne:
Can you post logs (verb=4) from the 32 bit machine that fails when an admin user runs the GUI (without privilege escalation)? If the logs show the error you posted earlier, it's unrelated to the GUI as the service failed to open wintun.

The reason for not allowing connections to the interactive service as admin had to do with an obscure bug in Vista that could allow privilege escalation if an admin process connects to a rogue named pipe running with no privileges but masquerading as the interactive service. We will consider removing this restriction as Vista is no longer supported.

Last edited 4 weeks ago by Selva Nair

Changed 4 weeks ago by RemoteOne

verb=4 log for failure of wintun driver on win 10 32-bit using the 32-bit OpenVPN 2.5 beta1 installer

comment:12 Changed 4 weeks ago by Selva Nair

Thanks for the logs. The unexpected error

2020-08-24 17:17:06 us=349410 Register ring buffers failed using service: Insufficient system resources exist to complete the requested service. [status=0x5aa]

is from the service and that should not depend on which user is running the GUI. But you see it only for non-admin user, which is bizarre.

@stipa Any idea why would the interactive service error like this, that too only on 32 bit Windows and when logged in as an admin user even though the service is in use?

Last edited 4 weeks ago by Selva Nair

comment:13 Changed 4 weeks ago by RemoteOne

@Selva Nair. Log is attached.

comment:14 Changed 4 weeks ago by RemoteOne

@Selva Nair. Follow-up

In order to check if the older preview package still worked, I opened Apps and Features to remove OpenVPN 2.5 beta1. While scrolling to select the package for uninstallation I noticed PureVPN was also installed on that laptop. I uninstalled both OpenVPN and PureVPN, and then re-installed OpenVPN 2.5 beta1. This time it worked correctly, allowing me to use the wintun driver while I was still a local administrator on the box.

The older OpenVPN 2.5 preview client never complained about the existence of PureVPN, and always just worked. Not sure why this new version appears to have a conflict, but it does look as though there is one.

comment:15 Changed 4 weeks ago by Samuli Seppänen

There was a Wintun "technology preview" NSIS installer on our download page for a few months. Was that what you were using, @RemoteOne? Or did you use the test MSI installer that came shortly before OpenVPN 2.5-beta1 was officially released?

comment:16 Changed 4 weeks ago by RemoteOne

@Samuli Seppänen

I had been using the "preview" NSIS ... probably for the last 6 months or so.

comment:17 Changed 4 weeks ago by RemoteOne

@Selva Nair @Samuli Seppänen

One correction on Selva's last comment ...

@stipa Any idea why would the interactive service error like this, that too only on 32 bit Windows and when logged in as a limited user?

It works fine as a limited user. It only exhibits the issue if I am a member of the Administrators group on the machine.

comment:18 Changed 4 weeks ago by Selva Nair

Yes, I mistakenly wrote limited user instead of admin user (corrected). The whole error is unusual when it happens only for one user and not another (admin or not). It's the interactive service that errors here and it should handle requests from openvpn.exe the same way for all users.

Only when the client (GUI in this case) connects and requests to start openvpn does the service check the user. And the error has nothing to do with that.

comment:19 Changed 9 days ago by stipa

Apparently it fails in this function:

https://github.com/OpenVPN/openvpn/blob/master/src/openvpnserv/interactive.c#L1240

There is not much logging except global "register ring buffer failed", so I cannot say what is going on. I'll try to reproduce it.

comment:20 Changed 6 days ago by stipa

Unfortunately I wasn't able to reproduce this.

I tried on Windows 10 2004 (19041.450) 32bit on Hyper-V. I was able to connect using openvpn-gui by admin/non-admin user with wintun.

I see no other option but to add more logging to the ring buffers registration routine to understand why it fails.

comment:21 Changed 6 days ago by RemoteOne

@stipa - Please see my comment 14

At this time I believe that whatever issues were happening were related to some conflict with PureVPN. Once that was removed from the laptop, the new 2.5 client worked for both Admin and non-Admin users.

Today, I even did a full uninstall, put back the old github technology preview, verified it worked, installed the latest beta4 over the top of it, and it still worked just fine - all as a member of the local Administrators group.
