Openvpn breaks NLA and NCSI services for Windows / Office 365

jcheung22
OpenVpn Newbie
Posts: 1
Joined: Fri Oct 26, 2018 8:14 am

Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by jcheung22 » Fri Oct 26, 2018 8:36 am

Hi all. I'm using client version 2.4.6 on a Windows 10 Pro machine. When connected, the VPN seems to disrupt the Windows NLA service such that Outlook/Office 365 no longer authenticates. I can't even sign in to any Office apps to check account status. Of course, Outlook/email no longer authenticates. OWA and the Office portal work fine - that's just https in a browser. What is it about the VPN client that disrupts NLA?
Thanks.

shagdrum
OpenVpn Newbie
Posts: 1
Joined: Tue Nov 06, 2018 5:18 am

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by shagdrum » Tue Nov 06, 2018 5:24 am

Same issue here. Any solution to this?

Donchik
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 14, 2019 5:36 am

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by Donchik » Sun Jun 16, 2019 2:27 pm

The method for determining the presence of an Internet connection these services use involves checking for a route. When the OpenVPN program creates a VPN tunnel, the routing in the Microsoft operating system is changed for security associated with the VPN tunnel. The two Microsoft services above are unable to recognize the new VPN route and the existence of a way to get to the Internet, so a message comes back claiming there is no Internet access or no network connection. This is a failure on the part of Microsoft and the NLA and NCSI services.

Here is a long post with many people in a similar situation:
https://answers.microsoft.com/en-us/mso ... d4338e99d4

A dangerous way around this is offered partway through the post above and provided here for transparency:
https://www.macwheeler.com/windows-10-o ... vpn-fixed/

I use the word 'dangerous' because it involves creating a leak in your system to accommodate the Microsoft flaw.

Recognising that this is a flaw in the way the NLA & NCSI services have been programmed does not help much. Microsoft appear disinterested in resolving this problem and are obviously aware.

Do the OpenVPN team have any plans to resolve this through coding a fix without opening up the link? Do you feel it's possible to "Mimic" the NLA & NCSI service server? My understanding is that these services simply ping a fixed IP to validate the internet connection, so possibly OpenVPN could intercept this and respond positively as needed.

TinCanTech
OpenVPN Protagonist
Posts: 6135
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by TinCanTech » Sun Jun 16, 2019 9:20 pm

Donchik wrote (Sun Jun 16, 2019 2:27 pm):
> The method for determining the presence of an Internet connection these services use involves checking for a route. When the OpenVPN program creates a VPN tunnel, the routing in the Microsoft operating system is changed for security associated with the VPN tunnel. The two Microsoft services above are unable to recognize the new VPN route and the existence of a way to get to the Internet, so a message comes back claiming there is no Internet access or no network connection. This is a failure on the part of Microsoft and the NLA and NCSI services.

This is what Microsoft claim the problem is caused by:

M$ wrote:
> The problem here is that NCSI depends on the default gateway to decide if it should “probe” the network connection to decide if it has an internet connection. The way that NCSI probes the network is it attempts to connect to www,msftncsi,com and retrieve a file called ncsi.txt. If it can retrieve that file, it marks the connection as having internet access. When the VPN adapter connection connects, and NCSI detects that a connection was made on an adapter interface. NCSI will attempt to probe the connection, but since there is no default gateway on the VPN adapter it attempts to send the probe packets out the adapter with a default gateway and that fails since the VPN connection is active.


Source:
Office 2013 reports no internet connectivity with VPN connection
https://blogs.technet.microsoft.com/the ... onnection/

Note:
Third-party VPN client stops Internet connectivity in Windows 7 SP1 or Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us/hel ... s-7-sp1-or

Maybe they just fixed Win10 later on ..
Last edited by TinCanTech on Sun Jun 16, 2019 11:08 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 6135
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by TinCanTech » Sun Jun 16, 2019 10:23 pm

I corrected the source above.

Donchik
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 14, 2019 5:36 am

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by Donchik » Mon Jun 17, 2019 4:03 pm

Hi TinCanTech,

Many thanks for the update. Can you confirm if a Windows 10 hotfix exists? I, like many, am still locked out of Office and MS Account when OpenVPN is up and running.

If not, do we have any OpenVPN fixes in the pipeline?

Cheers
Donchik

TinCanTech
OpenVPN Protagonist
Posts: 6135
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by TinCanTech » Mon Jun 17, 2019 4:44 pm

Donchik wrote (Mon Jun 17, 2019 4:03 pm):
> Can you confirm if a Windows 10 hotfix exists?

I cannot.

Donchik wrote (Mon Jun 17, 2019 4:03 pm):
> do we have any OpenVPN fixes in the pipeline?

No.

You could try adding something like:

```
allow-pull-fqdn
# route <host> <netmask> <gateway>: the netmask must precede net_gateway
route www.msftncsi.com 255.255.255.255 net_gateway
```

to your client config .. but that is only a guess and I do not use M$O so do not have a way to test or verify the result.

Donchik
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 14, 2019 5:36 am

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by Donchik » Tue Jun 18, 2019 8:41 am

When you are connected to the VPN, all your traffic goes through the VPN default gateway. By adding this configuration, you are basically instructing the OpenVPN to add a static route for the hostname through your default gateway.

Basically, all requests done to 'www.msftncsi.com' will bypass the VPN tunnel, which can be considered as a leak.

I was hoping for OpenVPN to be looking for a resolution from Microsoft. I doubt they'd listen to me, but would hope OpenVPN as a team would have more "Clout" with them.
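
Added example (not part of any post in this thread): a small model of the routing decision discussed above, showing why a host route via `net_gateway` takes the NCSI probe address out of the tunnel while other traffic stays inside. The addresses, adapter names and metrics are constructed assumptions; `203.0.113.10` stands in for whatever `www.msftncsi.com` resolved to when the tunnel came up.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: str      # destination network in CIDR form
    interface: str   # adapter the packet leaves on
    metric: int      # tie-breaker between equally specific routes


# Constructed placeholder for the resolved probe address (assumption).
PROBE_IP = "203.0.113.10"
TUNNEL_IF = "OpenVPN TAP"   # hypothetical adapter name

# Constructed table for a full-tunnel client (assumption: the VPN
# default route beats the physical adapter's default on metric).
FULL_TUNNEL = [
    Route("0.0.0.0/0", "Ethernet", 25),
    Route("0.0.0.0/0", TUNNEL_IF, 5),
]

# The host route a 'route <host> 255.255.255.255 net_gateway' line adds.
BYPASS = Route(PROBE_IP + "/32", "Ethernet", 25)


def egress(table, dst):
    """Pick a route as an IP stack does: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        raise LookupError("no route to " + dst)
    best = max(
        matches,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric),
    )
    return best.interface


def leaked(table, destinations):
    """Return the destinations that would leave outside the tunnel adapter."""
    return [d for d in destinations if egress(table, d) != TUNNEL_IF]


if __name__ == "__main__":
    dests = [PROBE_IP, "198.51.100.7"]
    print("before workaround:", leaked(FULL_TUNNEL, dests))
    print("after workaround: ", leaked(FULL_TUNNEL + [BYPASS], dests))
```

The route is keyed on the resolved address, not the hostname, so anything else served from that address follows the same path outside the tunnel.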

TinCanTech
OpenVPN Protagonist
Posts: 6135
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn breaks NLA and NCSI services for Windows / Office 365

Post by TinCanTech » Tue Jun 18, 2019 12:47 pm

Microshaft know exactly how OpenVPN works, they have even cloned it on github

FYI: M$ own github, they paid $7BN for it

So, they have chosen to do things this way deliberately ...
