Set metric for a VPN connection via GPO or Powershell or batch.

  • Question

  • Hello guys!

    As we all know the Windows 10 is behaving weird when it comes to DNS resolution while on a VPN.
    In short:
    Windows 10 doesn't give a damn if you have a living VPN connection, it will still use the underlying ethernet connection's DNS servers, thus making every resource unreachable through the VPN.

    I did my research. I disabled the smart multi-homed name resolution, I googled the hell out of "Add-VpnConnection" and "Add-VpnConnectionRoute".

    And Set-NetIPInterface does not work on VPN adapters.

    This answers page tells me to change the VPN adapter's TCP/IP metric to 15.
    And it works but I can only change the metric via the GUI, I couldn't find one that I could deploy for multiple computers.


    I am aware that this forum is not for script requests, and I am happy to do it myself, but I can't find the proper netsh command or the proper Powershell cmdlet. I only would like a direction where to look further.

    The main goal is something like this:

    Add-VpnConnection -Name "Company VPN" -ServerAddress "company.hu" -SplitTunneling ... -DnsSuffix "company.hu"; Add-VpnConnectionRoute -ConnectionName "Company VPN" -DestinationPrefix 4.5.6.0/24 -RouteMetric 15; Magical-PS-Metric-Setter -Name "Company VPN" DesiredMetric 15

    OR

    netsh something something -15




    • Moved by Bill_Stewart Thursday, July 13, 2017 1:47 PM Move to more appropriate forum
    Tuesday, July 4, 2017 7:59 AM

Answers

  • In the end the solution was the following:

    No, I couldn't find any scriptable way to set the metric, but I found a way to disable the Windows 10 DNS-leak, super-smart name resolution method via this GPO setting:

    Computer Configuration
      Policies
        Administrative Templates
          Network
            DNS Client

              Turn off smart multi-homed name resolution
              Turn off smart protocol reordering
              Prefer link local responses

    That way we achieved the marvel that the Windows 10 computers preferred the DNS server over the VPN connection and not the one that the ISP gave us.

    • Marked as answer by PacsoT Friday, July 14, 2017 1:52 PM
    Friday, July 14, 2017 1:52 PM

All replies

  • You are already setting the route metric:

    Add-VpnConnectionRoute -ConnectionName "Company VPN" -DestinationPrefix 4.5.6.0/24 -RouteMetric 15

    This will have no effect on name resolution.  The configured DNS servers will still be used to find hosts by name.

    I think you are mixing up routing and name resolution. 


    \_(ツ)_/



    • Edited by jrv Tuesday, July 4, 2017 8:17 AM
    Tuesday, July 4, 2017 8:14 AM
  • You can also add the domain of the VPN endpoint which will allow fast finding of  hosts on the VPN.

    Add-VpnConnection -DnsSuffix vpndomain.net


    \_(ツ)_/

    Tuesday, July 4, 2017 8:23 AM
  • Hi jrv! :-)

    Been there done that.
    Yes, I know the difference between DNS resolution and IP metrics ...and as you can see it -should- work, but it doesn't.

    The root of the problem is this:

    <VPN connection is alive>
    <VPN connection metric is AUTO>

    C:\>nslookup
    Default Server:  <the DNS server name of the ISP >
    Address:  <the ip address of the ISP>

    <VPN connection is alive>
    <VPN connection metric is 15>

    C:\>nslookup
    Default Server:  dns1.company.hu
    Address:  <internal dns ip address>

    I can access every resource on the VPN but the DNS client refuses to use the VPN internal DNS server address, regardless of the -DnsSuffix vpndomain.net option. It should work, but it doesn't.

    Wednesday, July 5, 2017 8:42 AM
  • Have you tried "-SplitTunneling"?

    \_(ツ)_/

    Wednesday, July 5, 2017 8:54 AM
  • Yes.

    The full cmdlet is this:

    Add-VpnConnection -Name "Intalion VPN" -ServerAddress ":-)" -SplitTunneling -UseWinlogonCredential -DnsSuffix "intalion.hu" -TunnelType l2tp -EncryptionLevel Maximum -AuthenticationMethod MSChapv2 -L2tpPsk $credentials.Password -Force

    We own the "intalion.hu" domain, and our AD is also named "intalion.hu".



    • Edited by PacsoT Wednesday, July 5, 2017 9:12 AM
    Wednesday, July 5, 2017 9:07 AM
  • It sounds like your VPN server or you domain DNS servers are configured incorrectly.

    Try tracert to see which interface is being attempted.  Any name resolution should not be coming from the Internet interface.  It should be from the VPN connection.


    \_(ツ)_/

    Wednesday, July 5, 2017 9:11 AM
  • Well, at first look it seems fine. ==> I'm assuming that there is a client Windows 10 specific issue, because when I set the interface metric ...Windows starts to ask the proper DNS server.

    I believe this has something to do with how the DNS client prioritizes the DNS servers. Why is it affected by the VPN adapter's metric? Good question.

    While I look into the DNS, do you have any idea for this general interface metric thing?

    Wednesday, July 5, 2017 12:21 PM
  • I have never had or seen that issue.  I have seen similar and odd things when the VPN server is not set up correctly.  I have also seen issues when the VPN DNS servers are unresponsive or unreachable.  When they time out the regular DNS servers will be queried then fail.  Increasing the metric may cause the DNS client to wait longer for the DNS response so I would test the response time to the domain DNS being assigned to the VPN.

    I have seen other odd things when a VPN server is in a DMZ and not correctly configured to tunnel through the DMZ or if the VPN server is just too busy and doesn't get the request forwarded quickly enough.  Ideally the VPN server should also be a DNS proxy.  Different vendors may implement this in different ways.

    Post to the VPN vendor's forum to gain more information.


    \_(ツ)_/

    Wednesday, July 5, 2017 12:32 PM
  • I am extremely happy that you have never heard of that issue. Truly.

    However this is the scripting forum. Is there any way you could help my poor humble self out of his misery, and focus on the question?

    Dude, I wasn't asking for advice on how to set up our VPN server. It is working fine for all kinds of clients: Windows 8.1, Windows 7, Macs, even some Linux based systems, etc.   Windows 10 is the only smartass operating system that goes haywire with pointing to the wrong DNS servers.

    This is why I searched the deep seas of stackoverflow, and technet, and asked the wise people of the Interwebs for a really specific narrowed down question, hoping that someone will throw me a link to a long forgotten netsh page, or some goofy PowerShell script where I can target a VPN adapter's networking segment's TCP/IP's metric.

    But apparently my VPN is bad. Damn.

    Friday, July 7, 2017 8:20 AM
  • Sorry.  I have noted all things that I know of that affect this.

    You should also check the phonebook to be sure it does not have bad entries. The metric entry is in this file.  There is really no way to set it as the phonebook entry will just overwrite what you have set.  Change the PB entry to what you need.


    \_(ツ)_/


    • Edited by jrv Friday, July 7, 2017 8:42 AM
    Friday, July 7, 2017 8:39 AM
  • Thank you for the help. I'm checking it.
    Thursday, July 13, 2017 11:40 AM
  • Using the GPO's didn't work for me unfortunately.

    In the end I found out that after creating the VPN Connection, a file is made in %appdata%\Microsoft\network\connections\pbk\rasphone.pbk

    This text file contains all options that create the VPN interface when you start the connection. By default, "IPInterfaceMetric" has value 0, which is automatic.

    A little extra Powershell after creating the VPN connection:

    $username = $((gwmi win32_Computersystem -Property UserName -Impersonation Impersonate).Username).Split("\")[1]
    $rasphone = ('C:\Users\' + $username + '\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk')
    $interfacemetric = 'IpInterfaceMetric=0'
    (Get-Content $rasphone) -replace $interfacemetric, 'IpInterfaceMetric=10' | Set-Content $rasphone
    This looks for the currently logged on user, creates the rasphone variable that points to the rasphone.pbk for that user and changes it to a value of your choice. 


    Yannick van Rooyen


    Wednesday, August 1, 2018 11:07 AM
  • Hi Yannick,

    all of the above solutions didn't work for me, as the Synology VPN server would just not assign the proper DNS names to the connection and there is no way to set it via GPO....

    So I extended your script to a complete one that can now run at logon of every user to create the VPN connection if it doesn't exist yet and then set the DNS names and settings in the RAS phonebook as shown in your script:

    try {
        Get-VpnConnection -Name XYZ-VPN -ErrorAction Stop
        }
    catch
        { Add-VpnConnection -Name XYZ-VPN -ServerAddress XYZ.dyndns.me -AuthenticationMethod MSChapv2 -DnsSuffix local -EncryptionLevel Required -PassThru -RememberCredential -SplitTunneling -TunnelType Pptp -UseWinlogonCredential
        }
    finally
        {
        # runs whether the connection already existed or was just created
        $username = $((gwmi win32_Computersystem -Property UserName -Impersonation Impersonate).Username).Split("\")[1]
        $rasphone = ('C:\Users\' + $username + '\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk')

        $xc = 'IpInterfaceMetric=0'
        (Get-Content $rasphone) -replace $xc, 'IpInterfaceMetric=10' | Set-Content $rasphone
        $xc = 'IpDnsAddress=0.0.0.0'
        (Get-Content $rasphone) -replace $xc, 'IpDnsAddress=192.168.22.10' | Set-Content $rasphone
        $xc = 'IpDns2Address=0.0.0.0'
        (Get-Content $rasphone) -replace $xc, 'IpDns2Address=8.8.8.8' | Set-Content $rasphone
        $xc = 'IpWinsAddress=0.0.0.0'
        (Get-Content $rasphone) -replace $xc, 'IpWinsAddress=192.168.22.10' | Set-Content $rasphone
        $xc = 'IpNameAssign=1'
        (Get-Content $rasphone) -replace $xc, 'IpNameAssign=2' | Set-Content $rasphone
        $xc = 'IpPrioritizeRemote=0'
        (Get-Content $rasphone) -replace $xc, 'IpPrioritizeRemote=1' | Set-Content $rasphone
        $xc = 'Ipv6PrioritizeRemote=0'
        (Get-Content $rasphone) -replace $xc, 'Ipv6PrioritizeRemote=1' | Set-Content $rasphone
        $xc = 'ExcludedProtocols=0'
        (Get-Content $rasphone) -replace $xc, 'ExcludedProtocols=8' | Set-Content $rasphone
        }


    Cheers

    Kerry.

    Thursday, November 15, 2018 8:22 PM
  • As an alternative to that, there is a different pbk file that is created for the alluserconnection located in C:\ProgramData\Microsoft\Network\Connections\Pbk. I edit that file via script to accomplish a fully scripted VPN creation. This allows the VPN connection to be available at the logon screen for all users of the PC. Example that we use for a non-split tunnel L2TP VPN below:

    -------------

    Add-VpnConnection -Name 'Your VPN' -ServerAddress example.vpn.com -TunnelType L2TP -L2tpPsk '123456xyz' -AuthenticationMethod Pap -EncryptionLevel "Custom" -DNSSuffix 'yourdomain.com' -PassThru -WarningAction:silentlycontinue -RememberCredential -AllUserConnection -force

    set-VpnConnection -Name 'Your VPN' -AllUserConnection -EncryptionLevel "Custom" -SplitTunneling $false -WarningAction:silentlycontinue -force

    ----------

    (I run this part in a separate script as I sometimes get errors when running together)

    This will set the interface metric to 1, but you can adjust that to whatever you want. This also ticks the "use default gateway" box to selected. The excluded protocol is for IPv6, as it sometimes causes issues with ATT clients, so that disables it. Then we tick the box for 'register this connections address in DNS' with the ipdnsflag=3 option. 

    ----------------

    $rasphone = ('C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk')

    $xc = 'IpInterfaceMetric=0'
    (Get-Content $rasphone) -replace $xc, 'IpInterfaceMetric=1' | Set-Content $rasphone
    $xc = 'IpPrioritizeRemote=0'
    (Get-Content $rasphone) -replace $xc, 'IpPrioritizeRemote=1' | Set-Content $rasphone
    $xc = 'ExcludedProtocols=0'
    (Get-Content $rasphone) -replace $xc, 'ExcludedProtocols=8' | Set-Content $rasphone
    $xc = 'IPDnsFlags=0'
    (Get-Content $rasphone) -replace $xc, 'IPDnsFlags=3' | Set-Content $rasphone

    Friday, May 29, 2020 3:14 PM
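The three rasphone.pbk scripts above (Yannick's, Kerry's and the all-user variant) regex-replace every matching `Key=0` line in the file, which also rewrites any other VPN entry stored in the same phonebook. The function below is an added example, not code from any of the posters: it edits only the named `[Entry]` section and rewrites the file only when a value actually changed. Key names are the ones used in the thread; the entry name and DNS address are placeholders.

```powershell
# Added example (not from the thread): scoped, idempotent rasphone.pbk edit.
function Set-RasphoneEntryValue {
    param(
        [Parameter(Mandatory)] [string]    $PbkPath,    # per-user or all-user rasphone.pbk
        [Parameter(Mandatory)] [string]    $EntryName,  # the -Name given to Add-VpnConnection
        [Parameter(Mandatory)] [hashtable] $Values      # Key -> desired value
    )
    $inEntry = $false
    $changed = 0
    $out = foreach ($line in (Get-Content -Path $PbkPath)) {
        if ($line -match '^\[(.+)\]\s*$') {
            # [Entry] header: editing is enabled only inside the requested entry
            $inEntry = ($Matches[1] -eq $EntryName)
            $line
            continue
        }
        if ($inEntry -and $line -match '^([^=]+)=(.*)$' -and $Values.ContainsKey($Matches[1])) {
            $key = $Matches[1]
            $new = [string]$Values[$key]
            if ($Matches[2] -ne $new) { $changed++ }
            "$key=$new"
        } else {
            $line
        }
    }
    # Leave the file untouched on a no-op run so a logon script stays idempotent.
    if ($changed -gt 0) { Set-Content -Path $PbkPath -Value $out }
    return $changed
}

# Per-user phonebook; the all-user one lives under $env:ProgramData as in the last post.
$pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$n = Set-RasphoneEntryValue -PbkPath $pbk -EntryName 'Company VPN' -Values @{
    IpInterfaceMetric  = 15            # the metric the question asked for
    IpPrioritizeRemote = 1             # "use default gateway on remote network", as in Kerry's post
    IpNameAssign       = 2             # paired with a static DNS address, as in Kerry's post
    IpDnsAddress       = '192.0.2.10'  # placeholder; put your internal DNS server here
}
Write-Host "$n value(s) changed in [Company VPN]"
```

Run it after Add-VpnConnection and before the first dial, since the phonebook entry is what the connection reads at connect time.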