
Windows OpenVPN Service fails to setup connection to domain with hyphens #363

Closed
vpetrigo opened this issue Jul 10, 2023 · 14 comments

Comments

vpetrigo commented Jul 10, 2023

Describe the bug
I have a configuration in config-auto, and it fails to set up a connection at system boot when using the wintun interface. If I switch to the tap-windows6 driver in my configuration, the OpenVPN service can properly init the connection.

Connection log:

2023-07-10 13:34:33 OpenVPN 2.6.4 [git:v2.6.4/b4f749f14a8edc75] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on May 11 2023
2023-07-10 13:34:33 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-07-10 13:34:33 library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10
2023-07-10 13:34:33 DCO version: v0
2023-07-10 13:34:33 TCP/UDP: Preserving recently used remote address: [AF_INET]1.2.3.4:1194
2023-07-10 13:34:33 UDPv4 link local: (not bound)
2023-07-10 13:34:33 UDPv4 link remote: [AF_INET]149.126.16.66:1194
2023-07-10 13:34:33 [ovpn1.my-domain.com] Peer Connection Initiated with [AF_INET]1.2.3.4:1194
2023-07-10 13:34:33 open_tun
2023-07-10 13:34:33 wintun device [OpenVPN Wintun] opened
2023-07-10 13:34:33 NETSH: C:\Windows\system32\netsh.exe interface ip set address 6 static 10.0.41.30 255.255.255.252
2023-07-10 13:34:33 NETSH: C:\Windows\system32\netsh.exe interface ip delete dns 6 all
2023-07-10 13:34:33 NETSH: C:\Windows\system32\netsh.exe interface ip set dns 6 static 192.168.5.5 validate=no
2023-07-10 13:34:33 NETSH: C:\Windows\system32\netsh.exe interface ip add dns 6 192.168.5.2 validate=no
2023-07-10 13:34:33 NETSH: C:\Windows\system32\netsh.exe interface ip delete wins 6 all
2023-07-10 13:34:33 WMIC: C:\Windows\system32\wbem\wmic.exe nicconfig where (InterfaceIndex=6) call SetDNSDomain my-domain.com
2023-07-10 13:34:33 ERROR: command failed: returned error code 44506
2023-07-10 13:34:37 WMIC: command failed
2023-07-10 13:34:37 IPv4 MTU set to 1500 on interface 6 using SetIpInterfaceEntry()
2023-07-10 13:34:37 Block_DNS: WFP engine opened
2023-07-10 13:34:37 Block_DNS: Using existing sublayer
2023-07-10 13:34:37 Block_DNS: Added permit filters for exe_path
2023-07-10 13:34:37 Block_DNS: Added block filters for all interfaces
2023-07-10 13:34:37 Block_DNS: Added permit filters for TAP interface
2023-07-10 13:34:37 Initialization Sequence Completed

Wintun configuration:

dev tun
windows-driver wintun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
proto udp
remote ovpn1.my-domain.com 1194
remote ovpn2.my-domain.com 1194
remote-random
setenv opt block-outside-dns
nobind
ca gw-spb-UDP4-1194-ca.crt
tls-auth gw-spb-UDP4-1194-tls.key 1
remote-cert-tls server
auth-nocache
keepalive 10 120
reneg-sec 0
auth-user-pass auth.txt

To Reproduce

  • Create a configuration in the config-auto
  • Run OpenVPN Service

Expected behavior
OpenVPN automatically connects to the server

Version information (please complete the following information):

  • OS: Windows 11 Pro 10.0.22621
  • OpenVPN version: 2.6.4 [git:v2.6.4/b4f749f14a8edc75]
  • Repeat for peer if relevant

Additional context
I found a ticket that describes the same error code I received with my configuration. It seems that adding double quotes around a domain name with hyphens allows the WMIC command to execute successfully.

Maybe it is worth escaping double quotes there:

argv_printf(&argv, "%s%s nicconfig where (InterfaceIndex=%ld) call SetDNSDomain %s",

@flichtenheld (Member)

Yeah, looks like 6cf7ce4 by @lstipakov (to fix #306) reintroduced https://community.openvpn.net/openvpn/ticket/1375

@flichtenheld (Member)

This was introduced in 2.6.3 (release/2.6 commit is 77a7435)

@vpetrigo (Author)

Was able to fix it this way:

diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index d1fd6def..60974208 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -333,7 +333,7 @@ do_dns_domain_wmic(bool add, const struct tuntap *tt)
     }

     struct argv argv = argv_new();
-    argv_printf(&argv, "%s%s nicconfig where (InterfaceIndex=%ld) call SetDNSDomain %s",
+    argv_printf(&argv, "%s%s nicconfig where (InterfaceIndex=%ld) call SetDNSDomain '%s'",
                 get_win_sys_path(), WMIC_PATH_SUFFIX, tt->adapter_index, add ? tt->options.domain : "");
     exec_command("WMIC", &argv, 1, M_WARN);
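Review bot: the single quotes now also wrap the empty string used on the remove path (`add ? tt->options.domain : ""`), so that case runs `SetDNSDomain ''` rather than a bare `SetDNSDomain`; confirm WMIC treats the quoted empty string as clearing the domain, or apply the quotes only when `add` is true. A one-line comment on why single quotes are used instead of double quotes would also help, since the `\"%s\"` variant described with this patch failed because the double quotes did not show up in the executed command.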

I also tried to wrap SetDNSDomain %s like this: SetDNSDomain \"%s\", but for some reason that returned error 44506 as there were no double quotes. Maybe that is due to the way exec_command works; I have not dug into that yet.

Here is the log with successful connection via Windows service:

2023-07-10 16:57:43 OpenVPN 2.7_git [git:master/53055fd23efb6209] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jul 10 2023
2023-07-10 16:57:43 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-07-10 16:57:43 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-07-10 16:57:43 DCO version: v0
2023-07-10 16:57:43 TCP/UDP: Preserving recently used remote address: [AF_INET]62.152.75.126:1194
2023-07-10 16:57:43 UDPv4 link local: (not bound)
2023-07-10 16:57:43 UDPv4 link remote: [AF_INET]62.152.75.126:1194
2023-07-10 16:57:43 [ovpn1.my-domain.com] Peer Connection Initiated with [AF_INET]62.152.75.126:1194
2023-07-10 16:57:43 open_tun
2023-07-10 16:57:43 wintun device [OpenVPN Wintun] opened
2023-07-10 16:57:43 NETSH: C:\Windows\system32\netsh.exe interface ip set address 6 static 10.0.41.30 255.255.255.252
2023-07-10 16:57:44 NETSH: C:\Windows\system32\netsh.exe interface ip delete dns 6 all
2023-07-10 16:57:44 NETSH: C:\Windows\system32\netsh.exe interface ip set dns 6 static 192.168.5.5 validate=no
2023-07-10 16:57:44 NETSH: C:\Windows\system32\netsh.exe interface ip add dns 6 192.168.5.2 validate=no
2023-07-10 16:57:44 NETSH: C:\Windows\system32\netsh.exe interface ip delete wins 6 all
2023-07-10 16:57:44 WMIC: C:\Windows\system32\wbem\wmic.exe nicconfig where (InterfaceIndex=6) call SetDNSDomain 'my-domain.com'
2023-07-10 16:57:44 IPv4 MTU set to 1500 on interface 6 using SetIpInterfaceEntry()
2023-07-10 16:57:44 Block_DNS: WFP engine opened
2023-07-10 16:57:44 Block_DNS: Using existing sublayer
2023-07-10 16:57:44 Block_DNS: Added permit filters for exe_path
2023-07-10 16:57:44 Block_DNS: Added block filters for all interfaces
2023-07-10 16:57:44 Block_DNS: Added permit filters for TAP interface
2023-07-10 16:57:44 Initialization Sequence Completed
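An added example, not OpenVPN's code: a hypothetical `valid_dns_domain` / `wmic_domain_arg` pair showing the check a caller could apply to the pushed DNS domain (`tt->options.domain`) before formatting it into the WMIC command line discussed above. It enforces hostname label rules so that only letters, digits, hyphens and dots reach the command, and emits the single-quoted argument the patch uses, including the `''` form for the remove path.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenVPN code): accept only names that follow
 * hostname label rules: labels of 1..63 bytes made of letters, digits and
 * hyphens, no leading or trailing hyphen, whole name at most 253 bytes.
 * Quotes, spaces and other shell/WQL-significant characters are rejected
 * so they never reach the WMIC command line. */
static bool
valid_dns_domain(const char *name)
{
    size_t total = strlen(name);
    if (total == 0 || total > 253) {
        return false;
    }
    for (const char *label = name;;) {
        const char *dot = strchr(label, '.');
        size_t len = dot ? (size_t)(dot - label) : strlen(label);
        if (len == 0 || len > 63 || label[0] == '-' || label[len - 1] == '-') {
            return false;
        }
        for (size_t i = 0; i < len; ++i) {
            if (!isalnum((unsigned char)label[i]) && label[i] != '-') {
                return false;
            }
        }
        if (!dot) {
            return true;
        }
        label = dot + 1;
    }
}

/* Build the SetDNSDomain argument in the single-quoted form used by the fix.
 * An empty name (the remove path in do_dns_domain_wmic) yields ''. Returns
 * the number of bytes written, or -1 if the name is rejected or does not fit. */
static int
wmic_domain_arg(const char *name, char *out, size_t outlen)
{
    if (name[0] != '\0' && !valid_dns_domain(name)) {
        return -1;
    }
    int n = snprintf(out, outlen, "'%s'", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```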

lstipakov added a commit to lstipakov/openvpn that referenced this issue Jul 10, 2023
This is needed to support domains with hyphens.

Not using double quotes here, since our code replaces
them with underbars (see
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980).

Fixes OpenVPN#363

Change-Id: Iab536922d0731635cef529b5caf542f637b8d491
Signed-off-by: Lev Stipakov <lev@openvpn.net>
@lstipakov (Member)

Thanks for reporting it, the fix is on the list. By the way, since you are on Windows 11, any reason not to use the dco-win driver? It should be used by default if you remove windows-driver wintun. This is unrelated to the bug you've found, but might give you better performance.

@vpetrigo (Author)

Thank you!
I will give the dco-win driver a try; initially, when I set up the OpenVPN Service, it had initialized a DCO interface, but the VPN did not work. So I assumed that maybe DCO has some platform limitation, switched to a TUN interface, and then ran into this issue.

@lstipakov (Member)

Right now it should either work or refuse to establish a connection. You might have experienced some options incompatibility, like compression being pushed by the server even though the client didn't announce its support. This should have been fixed now. Anyway, feel free to open an issue here.

@vpetrigo (Author)

It seems strange, though, as it says DCO is disabled:

2023-07-11 12:53:37 Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled
2023-07-11 12:53:37 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
2023-07-11 12:53:37 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-07-11 12:53:37 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-07-11 12:53:37 DCO version: v0

While I have the drivers set up and the DCO interface is present in my system. 🤔

@lstipakov (Member)

Can you provide the full log? I think it should say why DCO is disabled.

@vpetrigo (Author)

Sure:

2023-07-11 14:15:11 Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled
2023-07-11 14:15:11 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
2023-07-11 14:15:11 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-07-11 14:15:11 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-07-11 14:15:11 DCO version: v0
2023-07-11 14:15:12 TCP/UDP: Preserving recently used remote address: [AF_INET]149.126.16.66:1194
2023-07-11 14:15:12 UDPv4 link local (bound): [AF_INET][undef]:0
2023-07-11 14:15:12 UDPv4 link remote: [AF_INET]149.126.16.66:1194
2023-07-11 14:15:13 [ovpn1.my-domain.com] Peer Connection Initiated with [AF_INET]149.126.16.66:1194
2023-07-11 14:15:13 open_tun
2023-07-11 14:15:13 tap-windows6 device [OpenVPN TAP-Windows6] opened
2023-07-11 14:15:13 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.41.26/255.255.255.252 on interface {CE3FEDE6-DFD6-4D2E-B23A-CF8E26FFCDE5} [DHCP-serv: 10.0.41.25, lease-time: 31536000]
2023-07-11 14:15:13 Successful ARP Flush on interface [19] {CE3FEDE6-DFD6-4D2E-B23A-CF8E26FFCDE5}
2023-07-11 14:15:13 IPv4 MTU set to 1500 on interface 19 using service
2023-07-11 14:15:13 Blocking outside dns using service succeeded.
2023-07-11 14:15:18 Initialization Sequence Completed

schwabe (Contributor) commented Jul 11, 2023

Maybe add verb 3 to the config. I think the log line explaining why DCO is disabled is not shown at the verbosity you currently have selected.

@vpetrigo (Author)

Thank you for this option!
The very first line after I enabled it showed the following:

2023-07-11 15:22:50 Note: --data-cipher-fallback with cipher 'AES-256-CBC' disables data channel offload.
2023-07-11 15:22:50 Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled

In my configuration the following lines were present:

data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC

I updated the configuration and left only:

data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-128-GCM

And it now works as expected:

2023-07-11 15:29:58 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
2023-07-11 15:29:58 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-07-11 15:29:58 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-07-11 15:29:58 DCO version: v0
2023-07-11 15:29:58 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2023-07-11 15:29:58 Need hold release from management interface, waiting...
2023-07-11 15:29:59 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63360
2023-07-11 15:29:59 MANAGEMENT: CMD 'state on'
2023-07-11 15:29:59 MANAGEMENT: CMD 'log on all'
2023-07-11 15:29:59 MANAGEMENT: CMD 'echo on all'
2023-07-11 15:29:59 MANAGEMENT: CMD 'bytecount 5'
2023-07-11 15:29:59 MANAGEMENT: CMD 'state'
2023-07-11 15:29:59 MANAGEMENT: CMD 'hold off'
2023-07-11 15:29:59 MANAGEMENT: CMD 'hold release'
2023-07-11 15:29:59 MANAGEMENT: CMD 'username "Auth" "vladimir.petrigo@my-domain.com"'
2023-07-11 15:29:59 MANAGEMENT: CMD 'password [...]'
2023-07-11 15:29:59 MANAGEMENT: >STATE:1689067799,RESOLVE,,,,,,
2023-07-11 15:29:59 TCP/UDP: Preserving recently used remote address: [AF_INET]149.126.16.66:1194
2023-07-11 15:29:59 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-07-11 15:29:59 UDP link local (bound): [AF_INET][undef]:0
2023-07-11 15:29:59 UDP link remote: [AF_INET]149.126.16.66:1194

@vpetrigo (Author)

Just leaving a link to the DCO supported features in case someone stumbles upon this issue. 😅

cron2 pushed a commit that referenced this issue Jul 11, 2023
This is needed to support domains with hyphens.

Not using double quotes here, since our code replaces
them with underbars (see
https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/win32.c#L980).

Github: fixes #363

Change-Id: Iab536922d0731635cef529b5caf542f637b8d491
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20230710112122.576-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26841.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4057814)
cron2 closed this as completed in 4057814 Jul 11, 2023
luizluca commented Aug 8, 2023

When will we have a release that includes this fix? It breaks Network Location Awareness Service Provider (NLA) for dco configurations.

cron2 (Contributor) commented Aug 11, 2023

The patch has been merged and will be part of the 2.6.6 release, which will be released in the next few days (Monday or Tuesday, I hope).
