OpenVPN TUN Adapter and Windows 7's Firewall

    Question

  • Greetings,

    I am writing to determine what exactly is going on with a connection I'm having and to get more information on how the Windows 7 multiple active firewall profiles work.

    Goals:
    -To lock down any network I physically connect to (be it wireless or wired) to a heavily restricted public firewall profile (HTTPS out, HTTP out, ICMP out, DNS out, VPN OUT).
    -Once connected to the VPN which provides me a default route to the internet over the VPN connection, to apply a more relaxed private profile which allows more connectivity.

    Using OpenVPN 2.1 RC19, I am able to connect to my VPN connection and get internet access appropriately when the firewall is turned off, however, for some reason the Windows Firewall is not detecting the network properly.

    Under Network & Sharing Center, Windows identifies the network as an unidentified network. After doing some research, I've read that this occurs due to Windows using the MAC of the default gateway of that network for identification. OpenVPN doesn't do this by default, instead creating more specific routes to the internet than Windows has for routing. It adds the following "default" routes:

    route 0.0.0.0 mask 128.0.0.0 int 10.8.0.10 gw 10.8.0.9

    I can fix this by applying a default gateway to the TAP/TUN Adapter, and Windows then "identifies" the network, but the Public profile is still applying to it, even though I identified it as a work/private network. I even went into the Windows Firewall options and unchecked the public option from affecting "Local Area Connection 2" (the TUN connection), but it still insists on applying.

    Does anyone have any information on this or could help me figure out how to fix this?
    Wednesday, September 16, 2009 7:54 PM
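
Added example, not part of the original post: a small model of the routing situation the question describes, showing that the TAP adapter wins the longest-prefix match for internet traffic while owning no 0.0.0.0/0 route, so there is no default gateway on it to identify the network by. The Wi-Fi entries, the interface names, the probe addresses and the second half-range route (128.0.0.0 mask 128.0.0.0) are assumptions.

```python
import ipaddress

# Constructed route table: (destination, gateway, interface).
# Only the 0.0.0.0/1 entry is quoted in the post; the rest are assumed.
ROUTES = [
    ("0.0.0.0/0",      "192.168.1.1", "Wi-Fi"),  # physical network's default route
    ("192.168.1.0/24", "on-link",     "Wi-Fi"),
    ("0.0.0.0/1",      "10.8.0.9",    "TAP"),    # route 0.0.0.0 mask 128.0.0.0 gw 10.8.0.9
    ("128.0.0.0/1",    "10.8.0.9",    "TAP"),    # assumed companion route for the upper half
    ("10.8.0.8/30",    "on-link",     "TAP"),    # tunnel subnet holding 10.8.0.9 and 10.8.0.10
]
# The workaround from the post: give the TAP adapter a real default gateway.
WITH_GW = ROUTES + [("0.0.0.0/0", "10.8.0.9", "TAP")]
# Constructed sample destinations, one in each half of the IPv4 space.
PROBES = ["8.8.8.8", "198.51.100.7"]


def parse(routes):
    return [(ipaddress.ip_network(dst), gw, ifc) for dst, gw, ifc in routes]


def best_route(dest, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in parse(routes) if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def default_gateway_interfaces(routes=ROUTES):
    """Interfaces that own a literal 0.0.0.0/0 route (a 'default gateway')."""
    return {ifc for net, _gw, ifc in parse(routes) if net.prefixlen == 0}


def carries_traffic_without_gateway(routes=ROUTES, probes=PROBES):
    """Interfaces that forward internet-bound traffic yet have no default gateway."""
    used = {best_route(p, routes)[2] for p in probes}
    return used - default_gateway_interfaces(routes)


if __name__ == "__main__":
    for dest in PROBES + ["192.168.1.20"]:
        net, gw, ifc = best_route(dest)
        print(f"{dest:>15} -> {ifc:5} via {gw} ({net})")
    print("default-gateway interfaces:", default_gateway_interfaces())
    print("traffic without gateway:   ", carries_traffic_without_gateway())
    print("after adding TAP gateway:  ", carries_traffic_without_gateway(WITH_GW))
```

The model covers only the routing half of the problem; as the post reports, adding the gateway made Windows identify the network but did not change which firewall profile was applied.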

Answers

  • Hi,

    Considering this issue is related to specific VPN software and we have limited resources on it, it is recommended that you contact OpenVPN for help.

    Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

    Regarding the Windows Firewall as well as how it works, I would like to share the following information with you:

    Windows Firewall with Advanced Security Getting Started Guide

    Understanding Firewall Profiles

    Hope this helps. Thanks.


    Nicholas Li - MSFT
    Tuesday, September 22, 2009 11:04 AM
    Moderator

All replies

  • Hi Nicholas,

    OpenVPN has asked me to contact you guys. I'm more than willing to convince them that it is their software that is the problem (and I'm 99% sure it is), but unfortunately finger pointing doesn't exactly solve the problem I'm having. I've further elaborated on my configuration in another thread.


    Any help would be really useful to try and figure this out.
    Tuesday, October 20, 2009 2:49 PM
  • I'm experiencing the same problem.

    My analysis indicates this is an issue with the way Windows attempts to identify networks without a default gateway.

    See http://social.technet.microsoft.com/Forums/en-IE/w7itpronetworking/thread/5e9a21ae-a116-4584-a917-2a0c244e0de7 .
    Thursday, October 22, 2009 5:22 PM
  • Hi, the only way I could let OpenVPN run as it should was to disable the firewall completely on the TUN/TAP adapter.
    If not, even though access to the VPN was OK from the client to the VPN network, no access was enabled to the client by the VPN network, because Windows Firewall was blocking any access to the "considered public and unidentified network"...
    To do this, Windows 7 needs you to specify it "per profile", instead of "per NIC" as before.
    So, go to Windows Firewall, Advanced Settings, Windows Firewall Properties. Here you can customize network protection for each profile.
    Go into every profile and customize it by disabling it on the TUN/TAP adapter.

    To me, this solved any problem.

    Anyway, I consider it a stupid choice to let the system decide it is a public network based on the absence of a local default gateway... who says you need a default gateway to access a specific private network?? At least, it should let me decide and change it.
    Bah!

    Gabriele.
    Saturday, March 13, 2010 10:49 AM
  • Having the same problem here, and I'd rather not disable the firewall completely on the VPN interface even though technically that interface is not exposed on public networks.  Isn't there a cleaner solution to this problem?
    • Proposed as answer by gmaydude Tuesday, June 26, 2012 5:21 PM
    Thursday, January 13, 2011 9:05 PM
  • I fixed the problem by changing the TAP-Win32 network adapter setting "Media Status" from "Application Controlled" to "Always Connected"

    This can be found in Network Connections and right clicking on the TAP-Win32 adapter and choosing properties.

    Choose "Configure..." the TAP-Win32 adapter and then click on the "Advanced" tab.

    No firewall changes needed and also works on Windows 8



    • Edited by gmaydude Tuesday, June 26, 2012 5:27 PM
    Tuesday, June 26, 2012 5:26 PM
  • gmaydude,

    I'd appreciate it if you could provide your OpenVPN client config and TAP config. Running Windows 8 and I've tried numerous "solutions" but still get Unidentified Network.



    Best,
    Bill

    Wednesday, September 05, 2012 11:43 AM
  • The change in the "media status" surely had nothing to do with this... I would also love to see the configs

    I too tried different proposed solutions, such as making sure the OpenVPN (TAP) interface has a default gateway. Some people are sure this fixes the problem on Windows 7... but it didn't work for me on 8!

    I also tried a registry tweak mentioned here on TechNet, but still no go!

    The odd thing is I have a work VPN and a home VPN.

    When I'm at home and I connect to work it works (maybe because of the domain I guess?)

    But when I connect from work to the home network, whatever I do it still puts OpenVPN in the Unidentified Networks!

    What I don't understand is why can't we somehow change this manually? Makes no sense... unless MS wants us to disable Windows Firewall and opt for a 3rd party solution!



    • Edited by MikeC.pt Thursday, December 13, 2012 3:52 PM
    Thursday, December 13, 2012 3:47 PM