Windows 10: additional tap adapters mssing AllowNonAdmin configuration

[TobiasT]

Starting a second connection (no matter which order) results in an error message "Connecting to X has failed."

OpenVPN version: 2.5_beta1
OpenVPN GUI version: 11.16.00
Windows 10 v2004

To create the second TAP adapter, I used "tapctl create".

Log:

2020-09-01 15:51:23 us=310799 open_tun
2020-09-01 15:51:23 us=330749 CreateFile failed on tap-windows6 device: \\.\Global\{3987121B-4588-43F0-8050-A61D209DB483}.tap
2020-09-01 15:51:23 us=330749 CreateFile failed on tap-windows6 device: \\.\Global\{24B861B9-3EB4-4E0C-8C73-E1E8C36E8253}.tap
2020-09-01 15:51:23 us=331754 MANAGEMENT: Client disconnected
2020-09-01 15:51:23 us=331754 All tap-windows6 adapters on this system are currently in use.
2020-09-01 15:51:23 us=331754 Exiting due to fatal error

I have 2 TUN and 2 TAP devices:

PS C:\Program Files\OpenVPN\bin> .\tapctl.exe list
{5D73BD9C-7565-4325-B876-CC33F4D32B55}  OpenVPN Wintun 1
{3987121B-4588-43F0-8050-A61D209DB483}  OpenVPN TAP-Windows 1
{24B861B9-3EB4-4E0C-8C73-E1E8C36E8253}  OpenVPN TAP-Windows 2
{711704F7-EB84-4137-A95F-26FE093F5747}  OpenVPN Wintun 2

[TobiasT]

This has an issue on GitHub?: ​https://github.com/OpenVPN/openvpn-gui/issues/359

Additional Information from Selva Nair (from that issue):

the second adapter created by tapctl.exe has no AllowNonAdmin? registry value. The device properties show AllowNonAdmin? as enabled but, iirc, tap-windows6 only cares about this registry entry[*]. On manually adding that entry and resetting the adapter makes it work as user. Can anyone reproduce this?

Some more follow up: running tapctl.exe as SYSTEM creates the adapter correctly, so this does point to error in accessing some files installed by the MSI leaving some steps incomplete when run as admin. But no errors on tapctl command line.

[*] The actual value of this registry variable doesn't matter -- somewhere along the way tap-windows6 has code regressed into just checking the presence of this registry key, but that's unrelated to the issue here.

[TobiasT]

Quick fix from Selva Nair (from the GitHub? issue):

Here is a temporary quick fix:
Go to the list of network adapters in control panel, identify the TAP adapter that doesn't work, right click
Properties->configure->Advanced and select the Non-Admin Access property. Change it from Allowed to Not Allowed, click OK. Then repeat this and change it back to Allowed. This will generate the missing registry key and make the adapter accessible as limited user.

[Selva Nair]

Although tapctl.exe completes without error, setupapi.dev log shows this error

>>>  [Configure Driver Package - c:\windows\system32\driverstore\filerepository\oemvista.inf_amd64_8a00bc07868b5df3\oemvista.inf]
>>>  Section start 2020/09/01 23:44:57.965
      cmd: "c:\Program Files\OpenVPN\bin\tapctl.exe"  create --name Tap4 --hwid root\tap0901
     sto: Source Filter  = tap0901.ndi
     sto: Target Filter  = ROOT\NET\0005
     inf: Class GUID     = {4d36e972-e325-11ce-bfc1-08002be10318}
     inf: Class Options  = Configurable
!!!  idb: Failed to open driver package object 'oemvista.inf_amd64_8a00bc07868b5df3'. Error = 0x00000005
<<<  Section end 2020/09/01 23:44:57.980
<<<  [Exit status: FAILURE(0x00000005)]

Error 5 is usually access denied. In spite of that the adpater is created and setup to a usable state except for the missing AllowNonAdmin? key. That's the only "vendor-specific" parameter in this driver.

The same error happens with wintun too, but it still works apparently because wintun sets no extra device parameters.

The log for a "successful" run (in this case generated by running tapctl.exe as SYSTEM) looks like

>>>  [Configure Driver Package - c:\windows\system32\driverstore\filerepository\oemvista.inf_amd64_8a00bc07868b5df3\oemvista.inf]
>>>  Section start 2020/09/01 16:58:17.387
      cmd: "C:\Program Files\OpenVPN\bin\tapctl.exe" create --name Tap3
     sto: Source Filter  = tap0901.ndi
     sto: Target Filter  = ROOT\NET\0004
     inf: Class GUID     = {4d36e972-e325-11ce-bfc1-08002be10318}
     inf: Class Options  = Configurable
     inf: {Configure Driver: TAP-Windows Adapter V9}
     inf:      Section Name = tap0901.ndi
     inf:      {Configure Device: ROOT\NET\0004}
     inf:      {Configure Device: exit(0x00000000)}
     inf: {Configure Driver: exit(0x00000000)}
     inf: {Configure Driver: TAP-Windows Adapter V9}
     inf:      Section Name = tap0901.ndi
     inf: {Configure Driver: exit(0x00000000)}
<<<  Section end 2020/09/01 16:58:17.441
<<<  [Exit status: SUCCESS]

[Selva Nair]

Fixed by

commit f3f09541dcff3f0b307067bdf5dcaabc530db4c7
Author: Selva Nair <selva.nair@…>
Date: Thu Sep 3 19:56:44 2020 -0400

In tap.c use DiInstallDevice? to install the driver on a new adapter

Signed-off-by: Selva Nair <selva.nair@…>
Acked-by: Lev Stipakov <lstipakov@…>
Message-Id: <1599177404-29996-1-git-send-email-selva.nair@…>
URL: ​https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20880.html
Signed-off-by: Gert Doering <gert@…>