Openvpn breaks NLA and NCSI services for Windows / Office 365

jcheung22
OpenVpn Newbie
Posts: 1
Joined: Fri Oct 26, 2018 8:14 am

Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by jcheung22 » Fri Oct 26, 2018 8:36 am

Hi all. I'm using client version 2.4.6 on a Windows 10 Pro machine. When connected, the VPN seems to disrupt the Windows NLA service such that Outlook/Office 365 no longer authenticates. I can't even sign in to any Office apps to check account status. Of course, Outlook/email no longer authenticates. OWA and the Office portal work fine - that's just https in a browser. What is it about the VPN client that disrupts NLA?
Thanks.

shagdrum
OpenVpn Newbie
Posts: 1
Joined: Tue Nov 06, 2018 5:18 am

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by shagdrum » Tue Nov 06, 2018 5:24 am

Same issue here. Any solution to this?

Donchik
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 14, 2019 5:36 am

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by Donchik » Sun Jun 16, 2019 2:27 pm

The method for determining the presence of an Internet connection these services use involves checking for a route. When the OpenVPN program creates a VPN tunnel, the routing in the Microsoft operating system is changed for security associated with the VPN tunnel. The two Microsoft services above are unable to recognise the new VPN route and the existence of a way to get to the Internet, so a message comes back claiming there is no Internet access or no network connection. This is a failure on the part of Microsoft and the NLA and NCSI services.

Here is a long post with many people in a similar situation:
https://answers.microsoft.com/en-us/mso ... d4338e99d4

A dangerous way around this is offered partway through the post above and provided here for transparency:
https://www.macwheeler.com/windows-10-o ... vpn-fixed/

I use the word 'dangerous' because it involves creating a leak in your system to accommodate the Microsoft flaw.

Recognising that this is a flaw in the way the NLA & NCSI services have been programmed does not help much. Microsoft appear disinterested in resolving this problem and are obviously aware.

Do the OpenVPN team have any plans to resolve this through coding a fix without opening up the link? Do you feel it's possible to "Mimic" the NLA & NCSI service server. My understanding is that these services simply ping a fixed IP to validate the internet connection, so possibly OpenVPN could intercept this and respond positively as needed.

TinCanTech
OpenVPN Protagonist
Posts: 8136
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by TinCanTech » Sun Jun 16, 2019 9:20 pm

Donchik wrote:
Sun Jun 16, 2019 2:27 pm
The method for determining the presence of an Internet connection these services use involves checking for a route. When OpenVPN program creates a VPN tunnel, the routing in the Microsoft operating system is changed for security associated with the VPN tunnel. The two Microsoft services above are unable to recognize the new VPN route and the existence of a way to get to the Internet, so a message comes back claiming there is no Internet access or no network connection. This is a failure on the part of Microsoft and the NLA and NCSI services.
This is what Microsoft claim the problem is caused by:
M$ wrote: The problem here is that NCSI depends on the default gateway to decide if it should "probe" the network connection to decide if it has an internet connection. The way that NCSI probes the network is it attempts to connect to www.msftncsi.com and retrieve a file called ncsi.txt. If it can retrieve that file, it marks the connection as having internet access. When the VPN adapter connection connects and NCSI detects that a connection was made on an adapter interface, NCSI will attempt to probe the connection, but since there is no default gateway on the VPN adapter it attempts to send the probe packets out the adapter with a default gateway, and that fails since the VPN connection is active.


Source:
Office 2013 reports no internet connectivity with VPN connection
https://blogs.technet.microsoft.com/the ... onnection/

Note:
Third-party VPN client stops Internet connectivity in Windows 7 SP1 or Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us/hel ... s-7-sp1-or

Maybe they just fixed Win10 later on ..
Last edited by TinCanTech on Sun Jun 16, 2019 11:08 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 8136
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by TinCanTech » Sun Jun 16, 2019 10:23 pm

I corrected the source above.

Donchik
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 14, 2019 5:36 am

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by Donchik » Mon Jun 17, 2019 4:03 pm

Hi TinCanTech,

Many thanks for the update. Can you confirm if a Windows 10 hotfix exists? I, like many, am still locked out of Office and my MS Account when OpenVPN is up and running.

If not, do we have any OpenVPN fixes in the pipeline?

Cheers
Donchik

TinCanTech
OpenVPN Protagonist
Posts: 8136
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by TinCanTech » Mon Jun 17, 2019 4:44 pm

Donchik wrote:
Mon Jun 17, 2019 4:03 pm
Can you confirm if a Windows 10 hotfix exists?
I cannot.
Donchik wrote:
Mon Jun 17, 2019 4:03 pm
do we have any OpenVPN fixes in the pipeline?
No.

You could try adding something like:


allow-pull-fqdn
route www.msftncsi.com net_gateway
to your client config .. but that is only a guess and I do not use M$O so do not have a way to test or verify the result.

Donchik
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 14, 2019 5:36 am

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by Donchik » Tue Jun 18, 2019 8:41 am

When you are connected to the VPN, all your traffic goes through the VPN default gateway. By adding this configuration, you are basically instructing the OpenVPN to add a static route for the hostname through your default gateway.

Basically, all requests done to 'www.msftncsi.com' will bypass the VPN tunnel, which can be considered as a leak.
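For readers who want to see TinCanTech's suggestion and Donchik's objection in context, here is an added example of a complete client config carrying that host route. It is not from any post in this thread and is not OpenVPN project code; the server name vpn.example.com, the certificate file names and the assumption that the server pushes "redirect-gateway def1" (which is what installs the 0.0.0.0/1 and 128.0.0.0/1 routes mentioned later in the thread) are all placeholders for illustration.

```conf
# Added example client config, not from any post above and not OpenVPN
# project code. Assumes a UDP server at vpn.example.com:1194 that pushes
# "redirect-gateway def1"; ca/cert/key paths are placeholders.
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3

# From TinCanTech's post: lets DNS names be used in --route/--ifconfig
# options that the server pushes, instead of only IP addresses.
allow-pull-fqdn

# The workaround itself. net_gateway expands to the pre-VPN default gateway,
# so traffic to the resolved address of this host leaves over the physical
# interface outside the tunnel. That is the split-tunnel exception Donchik
# calls a leak: anything that resolves to the same address bypasses the VPN.
route www.msftncsi.com net_gateway
```

Two caveats a practitioner should weigh before shipping this. The hostname in the route is resolved by OpenVPN once, when the tunnel comes up, while NCSI resolves the probe host itself at probe time; if the two resolutions disagree (CDN-fronted names can), the host route does not match and the probe still goes into the tunnel. And on current Windows 10 builds the active probe host is www.msftconnecttest.com (fetching connecttest.txt) rather than www.msftncsi.com, so a route for the older name alone may not cover the probe at all. Both points argue for Nevets' approach later in the thread, which changes nothing about where packets go.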

I was hoping for OpenVPN to be looking for a resolution from Microsoft. I doubt they'd listen to me, but would hope OpenVPN as a team would have more "Clout" with them

TinCanTech
OpenVPN Protagonist
Posts: 8136
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by TinCanTech » Tue Jun 18, 2019 12:47 pm

Microshaft know exactly how OpenVPN works; they have even cloned it on GitHub.

FYI: M$ own GitHub; they paid $7BN for it.

So, they have chosen to do things this way deliberately ...

jca1981
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 23, 2020 12:46 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by jca1981 » Tue Jun 23, 2020 12:48 pm

I'm getting the same problem with OpenVPN 2.4.9, Windows 10 and pfSense.
Has anyone found a solution without setting a manual gateway on all of our machines?

starless
OpenVpn Newbie
Posts: 1
Joined: Wed Jul 01, 2020 1:56 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by starless » Wed Jul 01, 2020 2:01 pm

Hi,
I'm having the same issue with OpenVPN 2.4.9 on Windows 10, and I cannot fix it even adding a default gateway manually.

Our VPN is already configured to use the local default gateway for all destinations, except for destinations in the company LAN which will use instead the VPN gateway. The "route print" command confirms this.
But the default gateway in the TAP network interface is still empty after connecting.

I tried anyway setting the default gateway to the local default gateway in the TAP network interface, but this is not enough, NLA still breaks.

Any clues?
Thanks.

GodFire62
OpenVpn Newbie
Posts: 3
Joined: Mon Jul 06, 2020 6:07 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by GodFire62 » Mon Jul 06, 2020 7:30 pm

Same issue here.
There was a fix in windows 7: https://support.microsoft.com/en-us/hel ... s-7-sp1-or

But it seems that Microsoft does not care about it in windows 10...

TinCanTech
OpenVPN Protagonist
Posts: 8136
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by TinCanTech » Tue Jul 07, 2020 2:25 am

For the record:
  • OpenVPN does not break these Microsoft services.
  • Technically, the problem is that Microsoft does not respect well established networking principles.
Your choices are:
  1. Do not use Microsoft.
  2. Complain to Microsoft.
  3. Do not use a VPN.
  4. Pay for expert help.
  5. Run your own VPN server and see if you can screw Microsoft.
There is little to no chance that OpenVPN will develop code to pussy-foot around M$ garbage.

Krasnian
OpenVpn Newbie
Posts: 1
Joined: Thu Oct 29, 2020 4:34 am

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by Krasnian » Thu Oct 29, 2020 4:35 am

This fix seems to work:

HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\DisablePassivePolling
Key Type: DWORD
Value: Decimal 1 (True)

If the entry doesn't exist you must create it.

Nevets
OpenVpn Newbie
Posts: 1
Joined: Mon Nov 09, 2020 7:33 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by Nevets » Mon Nov 09, 2020 8:25 pm

Hi,

We were having the same issue after migrating to Office 365. What seemed to fix my issue was adding the default gateway on the tunnel interface (as already mentioned in this thread). As this is not an advised way, and also not practical if you have multiple OpenVPN servers, we needed another solution.

After carefully investigating the problem we found that you can detect the problem with the following PowerShell command


Get-NetConnectionProfile


Name             : some-network
InterfaceAlias   : Ethernet
InterfaceIndex   : 1
NetworkCategory  : Private
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic

Name             : my-domain
InterfaceAlias   : TAP-Interface
InterfaceIndex   : 2
NetworkCategory  : DomainAuthenticated
IPv4Connectivity : NoTraffic
IPv6Connectivity : NoTraffic
This command gives you the following values for your OpenVPN TAP interface's IPv4Connectivity status:
  • NoTraffic: you are having internet connectivity issues
  • Internet: all is well
After some more investigation I was able to solve this issue not by adding a default gateway but by something similar, an additional default route. This additional default route can be added client side or server side (my preferred option).

Client side you add the following line to your configuration:


route 0.0.0.0 0.0.0.0 vpn_gateway
Server side you add the following line to your configuration:


push "route 0.0.0.0 0.0.0.0"
As you may notice, this route will probably never be used, as OpenVPN already adds two routes for smaller network segments (0.0.0.0/1 and 128.0.0.0/1) which have a higher priority. But it seems to trick the NLA service into thinking that you are connected to the internet, allowing you to access Office 365.

Hope this helps you all.
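The following is an added diagnostic script, not from any post in this thread and not OpenVPN project code. It turns Nevets' Get-NetConnectionProfile check into a repeatable report, shows the routes that decide NCSI's verdict (the two /1 routes and any 0.0.0.0/0 on the VPN adapter), asks the stack which route it would actually pick for an outside address, and reports Krasnian's DisablePassivePolling policy. Assumptions: Windows 10 with the built-in NetAdapter, NetTCPIP and NetConnection modules; an OpenVPN adapter whose name or description matches the $VpnAdapterPattern default; 192.0.2.1 (an RFC 5737 documentation address) as a stand-in for "somewhere on the Internet"; and an elevated prompt if you pass -SetDisablePassivePolling.

```powershell
<#
  Added diagnostic for the NCSI / OpenVPN symptom discussed in this thread.
  Not part of any post above and not OpenVPN project code. Assumptions:
  Windows 10 with the built-in NetAdapter/NetTCPIP/NetConnection modules, an
  OpenVPN adapter matching $VpnAdapterPattern, and 192.0.2.1 (RFC 5737
  documentation address) as the "outside" destination for the route lookup.
  Run elevated if you use -SetDisablePassivePolling.
#>
[CmdletBinding()]
param(
    [string]$VpnAdapterPattern = 'TAP-Windows|Wintun|OpenVPN',   # assumption
    [string]$ProbeAddress = '192.0.2.1',                          # assumption
    [switch]$SetDisablePassivePolling
)

$NcsiPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'

# 1. Nevets' check: an "Up" VPN adapter whose IPv4Connectivity is NoTraffic
#    is exactly the state in which Office 365 sign-in fails.
function Get-VpnConnectivityReport {
    param([string]$Pattern)
    $adapters = Get-NetAdapter | Where-Object {
        $_.Name -match $Pattern -or $_.InterfaceDescription -match $Pattern
    }
    foreach ($a in $adapters) {
        $p = Get-NetConnectionProfile -InterfaceIndex $a.ifIndex -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Adapter          = $a.Name
            Status           = $a.Status
            NetworkCategory  = $p.NetworkCategory
            IPv4Connectivity = $p.IPv4Connectivity
            NcsiBroken       = ($a.Status -eq 'Up' -and "$($p.IPv4Connectivity)" -eq 'NoTraffic')
        }
    }
}

# 2. The routes that matter: the two /1 routes that "redirect-gateway def1"
#    installs, and any 0.0.0.0/0 on the VPN adapter (Nevets' workaround).
function Get-DefaultRouteReport {
    $wanted = '0.0.0.0/0', '0.0.0.0/1', '128.0.0.0/1'
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $wanted -contains $_.DestinationPrefix } |
        Sort-Object DestinationPrefix, RouteMetric |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, InterfaceMetric
}

# 3. Ask the stack which route it would really use. With def1 in place a /1
#    route beats any 0.0.0.0/0 by longest prefix, so the extra default route
#    never carries traffic; a /32 host route (the net_gateway workaround)
#    beats everything and shows up here as traffic leaving the VPN adapter.
function Get-EffectiveRoute {
    param([string]$Destination)
    # Find-NetRoute returns a NetIPAddress (source) and a NetRoute; keep the route.
    $objects = Find-NetRoute -RemoteIPAddress $Destination
    $route = $objects | Where-Object { $_.PSObject.Properties.Name -contains 'DestinationPrefix' }
    [pscustomobject]@{
        Destination    = $Destination
        MatchedPrefix  = $route.DestinationPrefix
        NextHop        = $route.NextHop
        InterfaceAlias = $route.InterfaceAlias
    }
}

# 4. Krasnian's registry workaround: report it, and set it only on request.
function Get-NcsiPassivePollingPolicy {
    $v = (Get-ItemProperty -Path $NcsiPolicyKey -Name DisablePassivePolling -ErrorAction SilentlyContinue).DisablePassivePolling
    if ($null -eq $v) { return 'not set' }
    return $v
}
function Set-NcsiPassivePollingPolicy {
    if (-not (Test-Path $NcsiPolicyKey)) { New-Item -Path $NcsiPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $NcsiPolicyKey -Name DisablePassivePolling -PropertyType DWord -Value 1 -Force | Out-Null
}

'== NCSI view of VPN adapters =='
Get-VpnConnectivityReport -Pattern $VpnAdapterPattern | Format-Table -AutoSize
'== Default and split-default (def1) routes =='
Get-DefaultRouteReport | Format-Table -AutoSize
"== Route the stack picks for $ProbeAddress =="
Get-EffectiveRoute -Destination $ProbeAddress | Format-List
"== DisablePassivePolling policy: $(Get-NcsiPassivePollingPolicy)"
if ($SetDisablePassivePolling) {
    Set-NcsiPassivePollingPolicy
    'DisablePassivePolling set to 1; reboot for the policy to take effect.'
}
```

Run it once before connecting and once after. The failure state is a VPN adapter with Status Up and IPv4Connectivity NoTraffic alongside a route table that has the two /1 routes but no 0.0.0.0/0 on that adapter. After adding Nevets' "route 0.0.0.0 0.0.0.0 vpn_gateway" (or the server-side push) the 0.0.0.0/0 entry appears on the VPN interface while Find-NetRoute still reports the /1 route for the probe address, which is why that extra route changes NCSI's verdict without changing where packets go. If instead Find-NetRoute reports the physical interface for an address you expected to be tunnelled, you are looking at the kind of leak Donchik warned about.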

