
I have a computer running Windows 7 Pro RTM. This computer has two network connections:

  • A Wi-fi connection to the Internet (through a home router) which works just fine.
  • An OpenVPN virtual network connection. More precisely, this is a virtual Ethernet connection which behaves exactly like a physical Ethernet wired connection.

My problem is that the "Network and sharing center" shows "Unknown network" for the OpenVPN connection. After some research I found that logical networks (outside a domain) are identified by the MAC address of the default gateway of the connection. Problem is, the OpenVPN connection has no default gateway: it is a private network, so I don't need one...

Consequently, the "Unknown network" is always considered public, so the firewall is always in "public mode", which I don't want. Plus, I can't rename "Unknown connection" or anything (which makes sense), so it is kinda ugly.

My goal is to define a proper logical network for the OpenVPN connection with the private profile. I know of some workarounds (disable the firewall, modify security policy to make all unknown networks "private") but they're still workarounds. I just want my clients to connect to the VPN without having to disable their firewall settings, without changing global configuration with potential side-effects (the "security policy" solution) and without having to look at an ugly "Unknown connection" in the Network and sharing center.

Is there any way I can do this? I tried to check what was going on in the registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList is interesting), but I still didn't find a way to "force" the OpenVPN connection to be assigned to a logical network.

Any help would be very appreciated.

A related question showed up at Superuser: https://superuser.com/questions/37355/windows-7-cant-identify-network/37422

Etienne Dechamps

  • Really interesting question, I hope it gets answered. – Massimo Aug 31 '09 at 15:45
  • I don't have a way to test it right at the moment, but could you add the IP address as the gateway also, directing it to itself? – Jes Aug 31 '09 at 21:21
  • Good try, but it doesn't work: Windows doesn't let me set the default gateway address to the NIC IP address. It doesn't show any error but when I go back into the connection's properties, the default gateway is still empty. – Etienne Dechamps Sep 01 '09 at 09:39
  • Jes: following a discussion at Superuser, I tried it again (set own IP as gateway) and it works... until the interface is disabled or the computer rebooted. When I re-enable it, the default gateway is gone once again... any ideas? – Etienne Dechamps Sep 07 '09 at 23:31

7 Answers


I just want my clients to connect to the VPN without having to disable their firewall settings, without changing global configuration with potential side-effects (the "security policy" solution) and without having to look at an ugly "Unknown connection" in the Network and sharing center.

Is there any way I can do this?

The workaround we use is to push a default route to the client via the OpenVPN config file, e.g. like so:

# Dummy default gateway to work around Windows 'unidentified network'/'unknown network'
route-metric 512
route 0.0.0.0 0.0.0.0

You most definitely want to make sure the supplied metric is higher than your Internet default route, else all traffic would be routed through the VPN (which might be desirable in specific cases, but this is another topic).

Please note that fiddling with the network configuration in general and routing in particular can have all sorts of undesired side effects, if done improperly, but as long as you know what you do you should be able to judge the impact:

  • Specifically, the provided workaround of having two default gateways like this is considered semantically wrong by some at least, and Windows does warn you accordingly if you configure this via the UI.
  • See How to make a private Unidentified Network identifiable and private? for a discussion of this topic, specifically the question itself and the poster's (Jason R. Coombs) reasonable criticism regarding Steve Hathaway's short summary of the default gateway method down the page.

That said we have used this workaround successfully for quite some time without any issues at all.

Steffen Opel

  • "route 0.0.0.0 0.0.0.0" won't work. The default gateway must be reachable (ARP) on the connection. I agree with the other parts of your answer though. – Etienne Dechamps Jun 18 '10 at 10:39
  • Oh, as a matter of fact, it works. That's because I misunderstood the syntax of the "route" OpenVPN configuration option. There is a default third parameter which is the VPN gateway, so Windows indeed manages to get a "virtual" ARP response from OpenVPN. – Etienne Dechamps Oct 29 '10 at 17:00
  • I have to say that this is the best option I found so far. The registry hack that lets Windows think the network is the computer's connection to a domain circumvents security altogether and the other tip, adding a permanent route, would leave a nonsensical route around even when OpenVPN is shut down. – Cygon Mar 05 '11 at 11:11
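Two things a practitioner will want to check on the client after pushing the dummy route: that the VPN default route really is only a backup (its effective metric is higher than the Internet one), and that the now-identified network can be renamed and switched to the private category without touching global security policy. The following PowerShell script is an added example, not part of this answer or of OpenVPN. It parses route print -4 (Get-NetRoute does not exist on Windows 7) and talks to the Network List Manager COM API, which is what Network and Sharing Center uses. The TAP address 10.8.0.6, the NLA-assigned name "Network 3" and the new name "OpenVPN" are assumptions; run it in an elevated PowerShell while the VPN is connected.

```powershell
# Added example (not from the answer or from OpenVPN): confirm the pushed dummy
# default route is only a backup, then rename the identified network and make
# it private through the Network List Manager API. Run elevated, VPN connected.

function Get-DefaultRoutes {
    # Parse the IPv4 route table; Get-NetRoute is not available on Windows 7.
    # Row layout: Destination  Netmask  Gateway  Interface  Metric
    route print -4 | ForEach-Object {
        if ($_ -match '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                Gateway   = $Matches[1]
                Interface = $Matches[2]      # address of the local NIC the route uses
                Metric    = [int]$Matches[3]
            }
        }
    }
}

function Test-VpnRouteIsBackup {
    # $VpnInterfaceIp: the TAP adapter's own address (10.8.0.6 is an assumption).
    param([string]$VpnInterfaceIp = '10.8.0.6')
    $routes = @(Get-DefaultRoutes)
    $vpn    = @($routes | Where-Object { $_.Interface -eq $VpnInterfaceIp })
    $others = @($routes | Where-Object { $_.Interface -ne $VpnInterfaceIp })
    if ($vpn.Count -eq 0)    { throw "No default route via $VpnInterfaceIp; was 'route 0.0.0.0 0.0.0.0' pushed?" }
    if ($others.Count -eq 0) { throw "Only the VPN has a default route: all traffic would go through the tunnel" }
    $best = @($others | Sort-Object Metric)[0]
    # 'route print' lists the effective metric (interface metric + route metric),
    # which is the number Windows actually compares when it picks a route.
    if ($vpn[0].Metric -le $best.Metric) {
        throw "VPN default route metric $($vpn[0].Metric) must be higher than $($best.Metric) (via $($best.Gateway))"
    }
    "OK: VPN default route metric $($vpn[0].Metric) > Internet metric $($best.Metric) via $($best.Gateway)"
}

function Set-VpnNetworkPrivate {
    # $NamePattern: the name NLA gave the network once the gateway appeared,
    # e.g. 'Network 3' in Network and Sharing Center (an assumption).
    param([string]$NamePattern = 'Network 3', [string]$NewName = 'OpenVPN')
    # INetworkListManager, the API behind Network and Sharing Center.
    $nlm = [Activator]::CreateInstance(
        [Type]::GetTypeFromCLSID([Guid]'DCB00C01-570F-4A9B-8D69-199FDBA5723B'))
    $NLM_ENUM_NETWORK_CONNECTED   = 1
    $NLM_NETWORK_CATEGORY_PRIVATE = 1      # 0 = public, 2 = domain authenticated
    foreach ($net in $nlm.GetNetworks($NLM_ENUM_NETWORK_CONNECTED)) {
        $name = $net.GetName()
        if ($name -notlike $NamePattern) { continue }
        $old = $net.GetCategory()
        # Both calls only stick once NLA has identified the network; on an
        # 'Unidentified network' (no gateway) they have no lasting effect.
        $net.SetName($NewName)
        $net.SetCategory($NLM_NETWORK_CATEGORY_PRIVATE)
        "'$name' -> '$NewName', category $old -> $($net.GetCategory())"
    }
}

Test-VpnRouteIsBackup -VpnInterfaceIp '10.8.0.6'
Set-VpnNetworkPrivate -NamePattern 'Network 3' -NewName 'OpenVPN'
```

If Test-VpnRouteIsBackup throws because the VPN metric is not higher, raise route-metric in the pushed config before doing anything else; otherwise the client will try to reach the Internet through the tunnel. Set-VpnNetworkPrivate changes the category of that one network only, which is the point of the question: the global "treat all unidentified networks as private" policy stays untouched.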

There is a Powershell script here that looks like it does what you want.

Fahad Sadah

  • Removing all network awareness features on the interface was not the solution I was expecting, but I must admit that it does the trick. It's better than nothing, I guess. I'll accept your answer, at least until a better one comes up. – Etienne Dechamps Mar 11 '10 at 07:36
  • ah, that's my script (from nivot.org) – x0n Apr 22 '11 at 20:30
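The script itself is only linked, so here is an added PowerShell reconstruction of the technique the comment describes (removing network awareness from the TAP adapter); it is not the nivot.org script and not part of this answer. It marks the adapter as an NDIS endpoint device by writing the documented *NdisDeviceType = 1 value under the adapter's class key, after which the Network Location Awareness service no longer treats the adapter as a network at all. The driver description pattern '*TAP-Win*' and the connection name 'Local Area Connection 2' are assumptions; run it elevated.

```powershell
# Added example (reconstruction, not the linked script): hide the TAP adapter
# from Network Location Awareness by marking it an NDIS endpoint device.

function Set-AdapterAsNdisEndpoint {
    # $DescriptionPattern is matched against DriverDesc; '*TAP-Win*' assumes the OpenVPN TAP driver.
    param([string]$DescriptionPattern = '*TAP-Win*')
    $netClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
    $changed = @()
    foreach ($key in Get-ChildItem $netClass -ErrorAction SilentlyContinue) {
        # Only the four-digit per-adapter subkeys (0000, 0001, ...) describe an adapter.
        if ($key.PSChildName -notmatch '^\d{4}$') { continue }
        $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or $props.DriverDesc -notlike $DescriptionPattern) { continue }
        # *NdisDeviceType = 1 is NDIS_DEVICE_TYPE_ENDPOINT ("not a true network
        # interface"): NLA ignores it and it vanishes from Network and Sharing Center.
        Set-ItemProperty -Path $key.PSPath -Name '*NdisDeviceType' -Value 1 -Type DWord
        $changed += "$($key.PSChildName): $($props.DriverDesc)"
    }
    if ($changed.Count -eq 0) { throw "No adapter matching $DescriptionPattern under $netClass" }
    $changed
}

function Restart-Connection {
    # The value is read when the adapter binds, so bounce the connection.
    # 'Local Area Connection 2' is an assumed connection name.
    param([string]$ConnectionName = 'Local Area Connection 2')
    netsh interface set interface name="$ConnectionName" admin=disabled
    netsh interface set interface name="$ConnectionName" admin=enabled
}

Set-AdapterAsNdisEndpoint -DescriptionPattern '*TAP-Win*'
Restart-Connection -ConnectionName 'Local Area Connection 2'
```

The trade-off is the one the accepted-answer comment names: the adapter loses network awareness entirely rather than gaining a private profile. Check which firewall profiles are actually active afterwards with netsh advfirewall monitor show currentprofile before relying on it, and note that a later answer on this page reports the registry value did not help on Windows 8.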

For OpenVPN AS (Access Server) you may want to add this to the Advanced VPN Settings in the Server Config Directives box:

push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"

Then update the server and, et voilà, Win7 will get the default gw on the TAP device and let you change the network type from Unknown to others.

Thanks @Steffen-Opel for the tip! :)


I'd like to leave my contribution. See what worked in my case... Windows 7 and Windows 8...

I spent a lot of time with this problem of client inbound connectivity.

Disabling the TAP interface on the firewall works fine, but it's almost the same as turning off the firewall in the VPN context. The VPN machines are running in different security contexts and some can affect others.

I tried the configuration of a "default gateway", which recognizes the network as a "Work Network" (just on Win7, not on Win8), and nevertheless it did not PING!

Manually adding a "*NdisDeviceType" record in the registry also did not work on Win8.

So, looking carefully at the Windows Firewall configuration, I saw other scope configurations rather than just profiles, so I tried running another service rather than PING, and to my surprise it worked properly, even in "Unidentified Networks" and the "Public Profile"!

So I tried to isolate the PING problem, and the configuration that made it work was the following: the default Windows Firewall entry that enables outside IPv4 PING is "File and Printer Sharing (Echo Request - ICMPv4-In)", so in its properties I clicked on "Scope", and in "Remote IP Address" I changed from "Local subnet" to "Any IP address", and this made PING work.

Dave M
syncord
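Widening the built-in echo-request rule to "Any IP address" also answers pings from strangers on every network the machine joins while the adapter sits in the public profile, which is exactly the profile an unidentified network gets. As an added example that is not part of this answer, the following PowerShell/netsh snippet instead adds a dedicated inbound ICMPv4 echo rule limited to the VPN address range and to the public profile, then reads the rule back and refuses to continue if the scope did not apply. The VPN subnet 10.8.0.0/24 (the OpenVPN "server" range) and the rule name are assumptions; run it elevated.

```powershell
# Added example: allow ICMPv4 echo requests from the VPN range only, rather than
# widening 'File and Printer Sharing (Echo Request - ICMPv4-In)' to Any.

function Add-VpnEchoRequestRule {
    # $VpnSubnet: the range from the OpenVPN 'server' directive (10.8.0.0/24 assumed).
    param([string]$VpnSubnet = '10.8.0.0/24',
          [string]$RuleName  = 'OpenVPN ICMPv4 echo request (in)')

    # Show the built-in rule first: one copy per profile, and the answer's
    # change widens RemoteIP on all of them.
    netsh advfirewall firewall show rule name="File and Printer Sharing (Echo Request - ICMPv4-In)"

    # protocol=icmpv4:8,any = ICMP type 8 (echo request), any code.
    # profile=public because an unidentified network lands in the public profile.
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
        protocol=icmpv4:8,any remoteip=$VpnSubnet profile=public | Out-Null

    # Read the rule back and stop if the scope silently became 'Any'.
    $lines  = netsh advfirewall firewall show rule name="$RuleName" verbose
    $remote = $null
    foreach ($line in $lines) {
        if ($line -match '^RemoteIP:\s+(.+?)\s*$') { $remote = $Matches[1] }
    }
    if (-not $remote -or $remote -eq 'Any') {
        throw "Rule '$RuleName' is not scoped to $VpnSubnet (RemoteIP: $remote)"
    }
    "Rule '$RuleName' allows echo requests from $remote only"
}

function Remove-VpnEchoRequestRule {
    # Undo: delete the dedicated rule (the built-in rule is never modified).
    param([string]$RuleName = 'OpenVPN ICMPv4 echo request (in)')
    netsh advfirewall firewall delete rule name="$RuleName"
}

Add-VpnEchoRequestRule -VpnSubnet '10.8.0.0/24'
```

The same pattern (a separate rule with remoteip set to the VPN range) applies to any other service you want reachable only over the tunnel; leaving the built-in rules alone keeps the machine's behaviour on hotel or airport Wi-Fi unchanged.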

Hey I was able to get this working. I went to Network and Sharing Center, then clicked on "Home Group". It says on that screen I can't join a Homegroup because the network is public. Then I clicked on the question "What is a network location?" and it allows me to change the type of network. A screen pops up saying Windows was unable to change the network type, but it will change.


What about adding another IP of the segment as the default gateway? Although it will not query or touch external addresses, it will have a default gateway, which should satisfy Windows. Or change your DHCP to provide one, if it does not.

jfmessier

  • I don't really understand. If I give Windows a default gateway for this connection, then Windows might use the VPN connection as a default route. Meaning, Windows will use the VPN connection to access the Internet... which of course I don't want (it wouldn't work, anyway). – Etienne Dechamps Sep 02 '09 at 18:18

Try going into the "Network and Sharing Center" while connected to the VPN, and you should see the networks listed. Under each network will be a status like "Work Network" or "Domain Network", you should be able to click it and change what type the network is.

J.Ja