Opened 4 years ago

Last modified 22 months ago

#399 assigned Bug / Defect

Issue with register-dns in Windows 8.1

Reported by: iceh Owned by: Samuli Seppänen
Priority: major Milestone: release 2.5
Component: Generic / unclassified Version: OpenVPN 2.3.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Hi,

I noticed an issue with register-dns in Windows 8.1.

"C:\Windows\system32\ipconfig.exe /registerdns" needs to run as administrator in Win 8.1.

Please note! Openvpn / OpenVPN is started as Admin user!

I get a connect! I have an IP! Only register-dns fails.

I get this logfile:

---
Sat May 03 12:51:17 2014 Start net commands...
Sat May 03 12:51:17 2014 C:\Windows\system32\net.exe stop dnscache
Sat May 03 12:51:27 2014 C:\Windows\system32\net.exe start dnscache
Sat May 03 12:51:27 2014 ERROR: Windows ipconfig command failed: returned error code 2
Sat May 03 12:51:27 2014 C:\Windows\system32\ipconfig.exe /flushdns
Sat May 03 12:51:27 2014 C:\Windows\system32\ipconfig.exe /registerdns
Sat May 03 12:51:30 2014 End net commands...
---

I checked the source: in win32.c we have a function openvpn_execve(...)

This calls CreateProcessW(...), a Win32 API method.

Child processes are executed non-elevated, which is a problem.

My conclusion: This needs to be fixed in OpenVPN as Win8.1 needs
admin privileges for "ipconfig.exe /registerdns".

Change History (10)

comment:1 Changed 4 years ago by iceh

Note:

After having the connection I can run (as admin):

C:\Windows\system32\ipconfig.exe /flushdns
C:\Windows\system32\ipconfig.exe /registerdns

and get the new DNS registered.

Last edited 4 years ago by iceh

comment:2 Changed 4 years ago by iceh

Solved!

In your config file, change this:

register-dns

to

register-dns
script-security 2
up "C:\\Program Files\\OpenVPN\\config\\up.cmd"

up.cmd is

timeout /t 30
C:\Windows\system32\ipconfig.exe /flushdns
C:\Windows\system32\ipconfig.exe /registerdns

comment:3 Changed 4 years ago by Samuli Seppänen

Resolution: notabug
Status: new → closed

comment:4 Changed 3 years ago by VisualCSharp

I reported the same issue here: http://community.openvpn.net/openvpn/ticket/516

I don't know why this was resolved as notabug. It's quite clearly a bug with the OpenVPN client's connection script.

comment:5 Changed 3 years ago by Samuli Seppänen

Component: Configuration → Generic / unclassified
Resolution: notabug
Status: closed → reopened

Looks like I closed this ticket, probably after having skimmed through it a bit too fast. From the description it sure looks like this is a bug, so I'll reopen this.

comment:6 Changed 3 years ago by Samuli Seppänen

Milestone: release 2.5
Owner: set to Samuli Seppänen
Status: reopened → assigned

comment:7 Changed 2 years ago by maglub

Last edited 2 years ago by maglub

comment:8 Changed 2 years ago by maglub

Hi,

I can reproduce this issue, which in my case shows the symptom (even if openvpn is started as administrator) that DNS resolution is not properly working, and it took me a while to figure out what is going on. The issue is reproducible on Windows 7, Windows 8, and Windows 10.

The root cause is that the TAP device is not the primary interface, as can be confirmed by checking the interface "Ethernet" compared to "Ethernet0". The TAP device gets an automatic interface metric, which is higher than Ethernet0, and even if the DNS is set on the Ethernet device, Windows will only use the DNS settings from Ethernet0.

Show the interface metric:

netsh interface ip show config


Configuration for interface "Ethernet0"
    DHCP enabled:                         Yes
    IP Address:                           172.16.41.132
    Subnet Prefix:                        172.16.41.0/24 (mask 255.255.255.0)
    Default Gateway:                      172.16.41.2
    Gateway Metric:                       0
    InterfaceMetric:                      10
    Statically Configured DNS Servers:    172.16.41.2
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: 172.16.41.2

Configuration for interface "Ethernet"
    DHCP enabled:                         Yes
    IP Address:                           10.99.0.6
    Subnet Prefix:                        10.99.0.4/30 (mask 255.255.255.252)
    InterfaceMetric:                      20
    DNS servers configured through DHCP:  10.20.0.5
                                          10.20.0.6
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: None

If your TAP device has an "InterfaceMetric: 20", you will need to set the device order.

Start Control Panel, search for the word "adapter", click "View network connections", right click on "Ethernet", "IPv4"->Advanced, uncheck Automatic metric and set the metric to e.g. 1.

You can also, if your TAP ethernet adapter is named "Ethernet", use the following command in a cmd window started as Administrator:

netsh interface ipv4 set interface Ethernet metric=1

Once the interface metric is set properly, I can use the right DNS servers.
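
The check described in comment:8, as an added example that is not part of the ticket or of OpenVPN: it parses `netsh interface ip show config` output and reports whether the tunnel adapter has the lowest InterfaceMetric, i.e. whether its DNS servers would be the ones used according to that comment. Assumptions: English-language netsh output, a TAP adapter named "Ethernet" as in the comment, and the hypothetical helper names `parse_netsh` and `tunnel_preferred`.

```python
import re

# Constructed sample: abridged from the netsh output quoted in comment:8.
SAMPLE = '''\
Configuration for interface "Ethernet0"
    InterfaceMetric:                      10
    Statically Configured DNS Servers:    172.16.41.2
    WINS servers configured through DHCP: 172.16.41.2

Configuration for interface "Ethernet"
    InterfaceMetric:                      20
    DNS servers configured through DHCP:  10.20.0.5
                                          10.20.0.6
'''

HEADER = re.compile(r'^Configuration for interface "(.+)"$')
IPV4 = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')

def parse_netsh(text):
    """Return {interface name: {"metric": int or None, "dns": [servers]}}."""
    interfaces, current, in_dns = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = interfaces.setdefault(header.group(1), {"metric": None, "dns": []})
            in_dns = False
        elif current is None or not line:
            continue
        else:
            key, sep, value = (part.strip() for part in line.partition(":"))
            if sep and key == "InterfaceMetric":
                current["metric"], in_dns = int(value), False
            elif sep and "dns servers" in key.lower():
                in_dns = True  # later colon-less lines list further servers
                if IPV4.match(value):
                    current["dns"].append(value)
            elif not sep and in_dns and IPV4.match(key):
                current["dns"].append(key)
            else:
                in_dns = False  # any other field (e.g. WINS) ends the DNS list
    return interfaces

def tunnel_preferred(interfaces, tunnel):
    """True only if `tunnel` has the strictly lowest InterfaceMetric."""
    mine = interfaces[tunnel]["metric"]
    others = [v["metric"] for name, v in interfaces.items()
              if name != tunnel and v["metric"] is not None]
    return mine is not None and all(mine < other for other in others)
```

With the sample above, `tunnel_preferred(parse_netsh(SAMPLE), "Ethernet")` is false because Ethernet0 has metric 10 against the tunnel's 20.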

comment:9 Changed 2 years ago by heth

None of these workarounds work for me. Windows 8.1 OpenVPN 2.3.10-I002-x86_64. No DNS still :(

comment:10 Changed 22 months ago by Gert Döring

I'll throw in --block-outside-dns for good measure.

Win8.1 might be workable using the metric settings, but with Win10, this won't help anyway - so if you need the DNS to go to the tunnel, use block-outside-dns.

Also, 2.4 will use the interactive service to run "registerdns" with full admin rights, so the original ticket subject is also resolved, I think.

Can we close this?
