Opened 7 years ago

Closed 9 months ago

#68 closed Bug / Defect (fixed)

Windows route add command failed

Reported by: agrandville
Owned by: d12fk
Priority: major
Milestone: release 2.4
Component: Generic / unclassified
Version: git master branch
Severity: Not set (if unsure, select this one)
Keywords: windows iservice
Cc: samuli

Description

I compiled the source code with Visual Studio, and under Vista or Win7, without setting the requestedExecutionLevel parameter (of the manifest file) to requireAdministrator (or highestAvailable if the current user is in the Administrators group), UAC denies the CreateIpForwardEntry API call and I get this message:

Sat Nov 13 11:31:05 2010 ROUTE: route addition failed using CreateIpForwardEntry
: Access denied.   [status=5 if_index=11]
The requested operation requires elevation. 
Sat Nov 13 11:31:05 2010 ERROR: Windows route add command failed [adaptive]: ret
urned error code 1
Sat Nov 13 11:31:05 2010 Initialization Sequence Completed

In the add_routes function, if the call to redirect_default_route_to_vpn failed, a second attempt is made, trying to delete the route first (if needed), but no action is taken if the second attempt also failed. Wouldn't it be better to exit the process in this case?

Change History (12)

comment:1 Changed 4 years ago by samuli

  • Priority changed from critical to minor
  • Version changed from 2.1.2 / 2.1.3 to 2.3.0

OpenVPN is usually run as a service, which runs with administrator privileges. Currently both the OpenVPN-GUI and OpenVPN (command-line) require administrator privileges in order to setup routes. In other words, this behavior is well-known and documented.

That said, perhaps the optimal behavior would be to

  • request appropriate execution level (i.e. admin rights) in OpenVPN
  • print an error message and die if route setup has failed completely

Any thoughts, anyone?

comment:2 Changed 4 years ago by jimrandomh

This is more broken than the previous comment indicates. Currently on Windows 7, if you go through the Windows installer, drop files into the config directory, then double-click to run OpenVPN GUI, it will act like it's successfully connected, but fail to route any traffic. For my company's VPN, users are instructed to right-click the OpenVPN shortcut, pick Properties, and tick the Run As Administrator box. People skipping this step, or doing it to one shortcut but then later running OpenVPN GUI via a different shortcut, are a steady source of tech support calls.

It would be much better if it requested admin rights, or if the installer-created shortcuts made it run as administrator, or if it at least gave some visible indication of having failed.
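
The failure mode reported above (a route-add error followed by "Initialization Sequence Completed", so the client looks connected while traffic is not routed through the tunnel) can be detected from the log. The following Python check is an added example, not part of the ticket or of OpenVPN; the function names are hypothetical, and the sample input is the log excerpt from the ticket description, embedded with its console line wrapping.

```python
import re

# Constructed sample: the log excerpt from the ticket description, kept with the
# console wrapping that splits single records across two lines.
SAMPLE_LOG = """\
Sat Nov 13 11:31:05 2010 ROUTE: route addition failed using CreateIpForwardEntry
: Access denied.   [status=5 if_index=11]
The requested operation requires elevation.
Sat Nov 13 11:31:05 2010 ERROR: Windows route add command failed [adaptive]: ret
urned error code 1
Sat Nov 13 11:31:05 2010 Initialization Sequence Completed
"""

# A record starts with a timestamp such as "Sat Nov 13 11:31:05 2010 ".
TS = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} ")
ROUTE_FAIL = re.compile(r"route addition failed|route add command failed", re.I)
STATUS = re.compile(r"\[status=(\d+)")
DONE = "Initialization Sequence Completed"


def records(text):
    """Re-join wrapped lines: a line without a timestamp continues the previous record."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line.rstrip())
        else:
            out[-1] += line.rstrip()
    return out


def silent_route_failures(text):
    """Return one finding per 'completed' message that follows route-add errors."""
    findings, pending = [], []
    for rec in records(text):
        msg = TS.sub("", rec)
        if ROUTE_FAIL.search(msg):
            m = STATUS.search(msg)
            pending.append({"message": msg, "status": int(m.group(1)) if m else None})
        elif DONE in msg and pending:
            # Status 5 is ERROR_ACCESS_DENIED: the process was not allowed to add routes.
            denied = any(p["status"] == 5 or "requires elevation" in p["message"]
                         for p in pending)
            findings.append({"at": rec[:24], "errors": pending, "access_denied": denied})
            pending = []
    return findings


if __name__ == "__main__":
    for finding in silent_route_failures(SAMPLE_LOG):
        print(finding["at"], "access_denied =", finding["access_denied"])
```

Pending errors are not cleared when the client restarts, so on a log with reconnects a finding may pair an earlier failure with a later session.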

comment:3 follow-up: Changed 4 years ago by samuli

  • Keywords windows added
  • Milestone set to release 2.4
  • Owner set to d12fk
  • Priority changed from minor to major
  • Status changed from new to assigned
  • Version changed from 2.3.0 to git master branch

This is an old and well-known issue in OpenVPN. There is a patch that works around this issue by forcing the OpenVPN-GUI to start as an administrator automatically. However, that patch will probably not be included, as d12fk is currently writing code to solve this problem more elegantly and without granting normal users full administrative privileges. This solution will be included in the upcoming OpenVPN 2.4.

comment:4 in reply to: ↑ 3 Changed 4 years ago by VersusBG

Replying to samuli:
First, sorry for my bad English, it's not my primary language.

Here are two methods that you can use to allow a NON-administrative account to add routes.

First you must add the user to "Network Configuration Operators".

Then there are two variants to run OpenVPN GUI with elevated "Network Configuration Operators" rights.

Method 1:
When the user logs on, he/she can right-click on the OpenVPN GUI shortcut and run as admin (this actually runs OpenVPN with elevated rights = Network Configuration Operators group).
The user must specify his own username/password.

Method 2:
Create scheduled task with the following options:

General tab
---
Name: OpenVPN GUI
Location: \
When running the task, use the following user account: Network Configuration Operators
Run only when user is logged on
Run with highest privileges

Triggers tab
---
At Log on - At log on of any user

Actions
Start a program - "C:\Program Files\Open VPN\bin\openvpn-gui.exe"
---
The task will be executed when the user logs on, and only if the user is a member of Network Configuration Operators, and the OpenVPN GUI icon will appear on the task bar. Otherwise the task will exit with an error.

comment:5 Changed 2 years ago by samuli

  • Keywords iservice added; UAC route add removed

The Interactive Service in will fix this for OpenVPN 2.4.

As for 2.3.x the fix is less straightforward. D12fk was opposed to automatically raising the privileges, the rationale being along these lines: "if we turn this on, we will forget to turn it off when it's not needed anymore". However, 2.3.x will never get the Interactive Service, so the privileges could be safely raised automatically. Thoughts?

comment:6 in reply to: ↑ description ; follow-up: Changed 16 months ago by jshep

Replying to agrandville:

I compiled the source code with Visual Studio, and under Vista or Win7, without setting the requestedExecutionLevel parameter (of the manifest file) to requireAdministrator (or highestAvailable if the current user is in the Administrators group), UAC denies the CreateIpForwardEntry API call and I get this message:

Sat Nov 13 11:31:05 2010 ROUTE: route addition failed using CreateIpForwardEntry
: Access denied.   [status=5 if_index=11]
The requested operation requires elevation. 
Sat Nov 13 11:31:05 2010 ERROR: Windows route add command failed [adaptive]: ret
urned error code 1
Sat Nov 13 11:31:05 2010 Initialization Sequence Completed

In the add_routes function, if the call to redirect_default_route_to_vpn failed, a second attempt is made, trying to delete the route first (if needed), but no action is taken if the second attempt also failed. Wouldn't it be better to exit the process in this case?

OK, so I think I have solved this. It is a permissions issue for me, but not in the openvpn GUI. It was the openvpn daemon --> openvpn.exe in C:\Program Files\OpenVPN\bin\ that needed the "Run as Administrator" box checked under Properties->Compatibility. After that, it worked like a charm.

comment:7 in reply to: ↑ 6 Changed 15 months ago by iben

Replying to jshep:

Replying to agrandville:
It is a permissions issue for me, but not in the openvpn GUI. It was the openvpn daemon --> openvpn.exe in C:\Program Files\OpenVPN\bin\ that needed the "Run as Administrator" box checked under Properties->Compatibility.

Agreed. This worked for me too. Here are the steps I followed on Windows 2012 R2 to use OpenVPN. It took me a while to find it with all the shortcuts and menus, so hopefully writing this down will help others. The struggle is real!

1 - open Windows Explorer
2 - search for openvpn.exe
3 - Find it here: C:\Program Files\OpenVPN\bin
4 - Right click and select Properties
5 - Click Compatibility
6 - Enable check box for "Run the program as an administrator"
7 - Press button for "Change settings for all users" if desired
8 - Click "OK" or "Apply" to finish

This was tested to work with the latest version of the OpenVPN client here: https://openvpn.net/index.php/open-source/downloads.html
openvpn-install-2.3.11-I601-x86_64.exe

comment:8 Changed 15 months ago by samuli

This problem has been fixed by the interactive service (see comments above) and recent changes to OpenVPN-GUI. You can download Windows installers that have these fixes from here:

Right now these are the latest installers:

That said, OpenVPN 2.3 releases bundle OpenVPN-GUI version 10, which raises privileges automatically, and setting "Run as administrator" for openvpn.exe should not be required. There may be corner-cases where ACLs are in the way and this approach fails.

Last edited 15 months ago by samuli

comment:9 Changed 15 months ago by por

route ADD NET 192.168.0.110 MASK 255.255.255.0 10.8.0.53

fails with message "The route addition failed: De parameter is onjuist." (last part is Dutch and translates to "Wrong parameter").

but

route ADD NET 192.168.0.110 MASK 255.255.255.255 10.8.0.53

Version info: OpenVPN 2.3.11 / MS Windows 10

succeeds.

comment:10 Changed 12 months ago by zerok0ol

Receiving this error in 2.3.12 on Windows 10 x64

Checked admin privileges for the OpenVPN GUI exe and they are set to admin, it prompts me for changes when I open the file. For whatever reason the routes are being denied access when trying to create them. Is there a way to do this manually?

I do get access to the local network I VPN into, but it does not appear that my internet traffic is being sent through the VPN

Last edited 12 months ago by zerok0ol

comment:11 Changed 12 months ago by zerok0ol

So I started OPENVPN from an elevated command prompt instead of right click run as administrator and the paths were successfully created. Still not positive my traffic is going through openvpn though... more to work on.

comment:12 Changed 9 months ago by cron2

  • Cc samuli added
  • Resolution set to fixed
  • Status changed from assigned to closed

*This* we can now close for good :-)

2.3 releases install the GUI with "run with elevated privileges" flag, which makes routing work.

2.4 releases will bring the interactive service, which handles "routing and dns and stuff", and both GUI and openvpn.exe will no longer need special privileges - so, more secure, and less painful.
