Openvpn breaks NLA and NCSI services for Windows / Office 365
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Oct 26, 2018 8:14 am
Openvpn breaks NLA and NCSI services for Windows / Office 365
Hi all. I'm using client version 2.4.6 on a Windows 10 Pro machine. When connected, the VPN seems to disrupt the Windows NLA service such that Outlook/Office 365 no longer authenticates. I can't even sign in to any Office apps to check account status. Of course, Outlook/email no longer authenticates. OWA and the Office portal works fine - that's just https in a browser. What is it about the VPN client that disrupts NLA?
Thanks.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Nov 06, 2018 5:18 am
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Same issue here. Any solution to this?
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Jun 14, 2019 5:36 am
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
The method for determining the presence of an Internet connection these services use involves checking for a route. When OpenVPN program creates a VPN tunnel, the routing in the Microsoft operating system is changed for security associated with the VPN tunnel. The two Microsoft services above are unable to recognize the new VPN route and the existence of a way to get to the Internet, so a message comes back claiming there is no Internet access or no network connection. This is a failure on the part of Microsoft and the NLA and NCSI services.
Here is a long post with many people in a similar situation:
https://answers.microsoft.com/en-us/mso ... d4338e99d4
A dangerous way around this is offered partway through the post above and provided here for transparency:
https://www.macwheeler.com/windows-10-o ... vpn-fixed/
I use the word 'dangerous' because it involves creating a leak in your system to accommodate the Microsoft flaw.
Recognising that this is a flaw in the way the NLA & NCSI services have been programmed does not help much. Microsoft appear disinterested in resolving this problem and are obviously aware.
Do the OpenVPN team have any plans to resolve this through coding a fix without opening up the link? Do you feel it's possible to "Mimic" the NLA & NCSI service server. My understanding is that these services simply ping a fixed IP to validate the internet connection, so possibly OpenVPN could intercept this and respond positively as needed.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Donchik wrote: Sun Jun 16, 2019 2:27 pm
The method for determining the presence of an Internet connection these services use involves checking for a route. When OpenVPN program creates a VPN tunnel, the routing in the Microsoft operating system is changed for security associated with the VPN tunnel. The two Microsoft services above are unable to recognize the new VPN route and the existence of a way to get to the Internet, so a message comes back claiming there is no Internet access or no network connection. This is a failure on the part of Microsoft and the NLA and NCSI services.
This is what Microsoft claim the problem is caused by:
M$ wrote:
The problem here is that NCSI depends on the default gateway to decide if it should “probe” the network connection to decide if it has an internet connection. The way that NCSI probes the network is it attempts to connect to www,msftncsi,com and retrieve a file called ncsi.txt. If it can retrieve that file, it marks the connection as having internet access. When the VPN adapter connection connects, and NCSI detects that a connection was made on an adapter interface. NCSI will attempt to probe the connection, but since there is no default gateway on the VPN adapter it attempts to send the probe packets out the adapter with a default gateway and that fails since the VPN connection is active.
Source:
Office 2013 reports no internet connectivity with VPN connection
https://blogs.technet.microsoft.com/the ... onnection/
Note:
Third-party VPN client stops Internet connectivity in Windows 7 SP1 or Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us/hel ... s-7-sp1-or
Maybe they just fixed Win10 later on ..
Last edited by TinCanTech on Sun Jun 16, 2019 11:08 pm, edited 1 time in total.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
I corrected the source above.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Jun 14, 2019 5:36 am
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Hi TinCanTech,
Many thanks for the update. Can you confirm if a Windows 10 hotfix exists? I like many are still locked out of Office and MS Account when OpenVPN is up and running.
If not, do we have any OpenVPN fixes in the pipeline?
Cheers
Donchik
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
I cannot.
No.
You could try adding something like:
Code:
allow-pull-fqdn
route www.msftncsi.com net_gateway
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Jun 14, 2019 5:36 am
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
When you are connected to the VPN, all your traffic goes through the VPN default gateway. By adding this configuration, you are basically instructing the OpenVPN to add a static route for the hostname through your default gateway.
Basically, all requests done to 'www.msftncsi.com' will bypass the VPN tunnel, which can be considered as a leak.
I was hoping for OpenVPN to be looking for a resolution from Microsoft. I doubt they'd listen to me, but would hope OpenVPN as a team would have more "Clout" with them
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Microshaft know exactly how OpenVPN works, they have even cloned it on github
FYI: M$ own github, they paid $7BN for it
So, they have chosen to do things this way deliberately ...
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Jun 23, 2020 12:46 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
I'm getting the same problem with OpenVPN 2.4.9, Windows 10 and pfSense.
Has anyone found a solution without setting a manual gateway on all of our machines?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Jul 01, 2020 1:56 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Hi,
I'm having the same issue with OpenVPN 2.4.9 on Windows 10, and I cannot fix it even adding a default gateway manually.
Our VPN is already configured to use the local default gateway for all destinations, except for destinations in the company LAN which will use instead the VPN gateway. The "route print" command confirms this.
But the default gateway in the TAP network interface is still empty after connecting.
I tried anyway setting the default gateway to the local default gateway in the TAP network interface, but this is not enough, NLA still breaks.
Any clues?
Thanks.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Jul 06, 2020 6:07 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Same issue here.
There was a fix in windows 7: https://support.microsoft.com/en-us/hel ... s-7-sp1-or
But it seems that Microsoft does not care about it in windows 10...
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
For the record:
- OpenVPN does not break these Microsoft services.
- Technically, the problem is that Microsoft does not respect well established networking principles.
- Do not use Microsoft.
- Complain to Microsoft.
- Do not use a VPN.
- Pay for expert help.
- Run your own VPN server and see if you can screw Microsoft.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Oct 29, 2020 4:34 am
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
This fix seems to work;
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\DisablePassivePolling
Key Type: DWORD
Value: Decimal 1 (True)
If the entry doesn't exist you must create it
-
- OpenVpn Newbie
- Posts: 1
- Joined: Mon Nov 09, 2020 7:33 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Hi,
We were having the same issue after migrating to Office 365. What seems to fix my issue was adding the default gateway on the tunnel interface (as already mentioned in this thread). As this is not an advised way and also not practical if you have multiple OpenVPN servers, we needed another solution.
After carefully investigating the problem we found that you can detect the problem with the following PowerShell command:
Code:
Get-NetConnectionProfile
Code:
Name : some-network
InterfaceAlias : Ethernet
InterfaceIndex : 1
NetworkCategory : Private
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic

Name : my-domain
InterfaceAlias : TAP-Interface
InterfaceIndex : 2
NetworkCategory : DomainAuthenticated
IPv4Connectivity : NoTraffic
IPv6Connectivity : NoTraffic
This command gives you the following values for your OpenVPN TAP-interface IPv4Connectivity status:
- NoTraffic: you are having internet connectivity issues
- Internet: all is well
Client side you add the following line to your configuration:
Code:
route 0.0.0.0 0.0.0.0 vpn_gateway
Server side you add the following line to your configuration:
Code:
push "route 0.0.0.0 0.0.0.0"
As you may notice, this route will probably never be used, as OpenVPN already adds two routes for smaller network segments (0.0.0.0/1 and 128.0.0.0/1) which have a higher priority. But it seems to trick the NLA service into thinking that you are connected to the internet, allowing you to access Office 365.
Hope this helps you all.
Additional references:
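Added example, not part of any forum post and not OpenVPN code: a small Python model of route selection (longest prefix first, then lowest metric) applied to the routes discussed in this thread. It shows that the pushed 0.0.0.0/0 route is shadowed by the two /1 routes, that a `route www.msftncsi.com net_gateway` entry sends that one host outside the tunnel, and that in a split-tunnel setup the pushed default competes with the local default on metric. All addresses and metrics are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    prefix: str   # destination network in CIDR form
    via: str      # "net_gateway" (local router) or "vpn_gateway" (tunnel)
    metric: int   # constructed value; lower wins among equal prefix lengths

def next_hop(table, dst):
    """Return the route chosen for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))

# Constructed addresses (documentation ranges), not taken from the thread.
NCSI_HOST = "198.51.100.10"   # stands in for the resolved www.msftncsi.com
OTHER_HOST = "203.0.113.7"    # any other Internet destination
LAN_HOST = "10.8.0.20"        # a host on the company LAN

LOCAL_DEFAULT = Route("0.0.0.0/0", "net_gateway", 25)
PUSHED_DEFAULT = Route("0.0.0.0/0", "vpn_gateway", 35)  # route 0.0.0.0 0.0.0.0 vpn_gateway
NCSI_BYPASS = Route(NCSI_HOST + "/32", "net_gateway", 35)  # route www.msftncsi.com net_gateway

# Full tunnel: the two /1 routes mentioned in the thread cover all of IPv4.
FULL_TUNNEL = [LOCAL_DEFAULT,
               Route("0.0.0.0/1", "vpn_gateway", 35),
               Route("128.0.0.0/1", "vpn_gateway", 35)]

# Split tunnel: only the company LAN goes through the VPN.
SPLIT_TUNNEL = [LOCAL_DEFAULT, Route("10.8.0.0/24", "vpn_gateway", 35)]

def paths(table):
    """Map each sample destination to the gateway the table selects for it."""
    return {d: next_hop(table, d).via for d in (NCSI_HOST, OTHER_HOST, LAN_HOST)}

if __name__ == "__main__":
    cases = [("full tunnel", FULL_TUNNEL),
             ("full tunnel + pushed default", FULL_TUNNEL + [PUSHED_DEFAULT]),
             ("full tunnel + NCSI bypass", FULL_TUNNEL + [NCSI_BYPASS]),
             ("split tunnel + pushed default", SPLIT_TUNNEL + [PUSHED_DEFAULT])]
    for name, table in cases:
        print(f"{name}: {paths(table)}")
```

On a real client, compare the model against the output of "route print" after connecting, paying attention to the metric of any 0.0.0.0/0 entry that points at the VPN gateway.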
-
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Mar 31, 2021 9:20 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Nevets, this little tip resolved an annoyance for our organisation using OpenVPN. Despite the "No Internet Access" message with VPN connected, we had zero issues over the last year ... until installing a few Office 365 desktop apps. We don't route all traffic over VPN, particularly with all the demands of remote working right now. Outlook 365 failing to connect to Exchange and crashing while OpenVPN is in use is a show stopper. I was able to manually add a default gateway to the TAP interface on a client (also fixes the issue), but the prospect of doing this on 60 clients was not appealing at all.
Adding
push "route 0.0.0.0 0.0.0.0"
to our pFsense OpenVPN server configuration solved the issue very nicely for the entire organization. Thanks again for posting this solution!!
Both the Push and default gateway are not very obvious solutions if searching google so I registered for the forum specifically to thank you and hopefully raise the google ranking a bit
Cheers,
Dennis.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Mar 31, 2021 9:20 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Well, it works. Zero user complaints. We're routing seven networks via VPN IPSEC tunnels, combined with about 60 users via OpenVPN. No issues. We don't force all traffic via the VPN due to our covid/remote demands.
Add the push 0.0.0.0, and the TAP connector gets a gateway on Windows 10 for remote clients. Remove the push and no gateway is defined. I should mention that this has not been an issue until we installed office 365. Outlook will not work correctly with a VPN connection active.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
That is because Microsoft do not agree with your use of a VPN.
Rather than twisting your network and users to the point of insanity, you should ask Microsoft for assistance.
FTR; I already know why Office-365 does not co-operate with you and I don't even use M$ crapola.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 26, 2021 8:55 pm
Re: Openvpn breaks NLA and NCSI services for Windows / Office 365
Setting the Gateway within the adapter and adding the route to the server config fixed this issue for me.
Last edited by itsangiep on Mon Jul 26, 2021 9:00 pm, edited 1 time in total.