How to add routes by Service?

[Hunv]

Hi,

currently I implement an automatic connection of OpenVpn in my program for Windows.
I currently have the problem, that my program cannot set the routes, if it does not run "as Administrator".

I recognized, that the OpenVPN GUI can do this. I analized the logs and recognized, that the OpenVPN GUI has this entry:
"Route addition via service succeeded"
The default way using IPAPI and route.exe are failing, but the GUI uses this method on the same config.

I found no hint in the documentation how to say the client, that it should use the service to do this.
So: How can I do this?

I use this command to start OpenVPN:
"[blabla]\openvpn.exe" --config "[blabla]\config.ovpn" --management 127.0.0.1 23321 --script-security 3

I am able to login via telnet and I also can send commands via telnet. The connection is established but the route to the targetnetwork (i.e. 192.168.0.0 MASK 255.255.255.0 192.168.1.4) is not set as already said.

here are logs of the non-working version by my program or running it via cmd and the working one by running via OpenVPN GUI:

Not working (by cmd or my program without elevated rights):

Sat Aug 23 13:24:54 2014 DEPRECATED OPTION: --tls-remote, please update your con
figuration
Sat Aug 23 13:24:54 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO]
[PKCS11] [IPv6] built on Aug 7 2014
Sat Aug 23 13:24:54 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Sat Aug 23 13:24:54 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:
23321
Sat Aug 23 13:24:54 2014 WARNING: normally if you use --mssfix and/or --fragment
, you should also set --tun-mtu 1500 (currently it is 1400)
Sat Aug 23 13:24:54 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Aug 23 13:24:54 2014 UDPv4 link local (bound): [undef]
Sat Aug 23 13:24:54 2014 UDPv4 link remote: [AF_INET]xx.xxx.xx.x:1194
Sat Aug 23 13:24:54 2014 TLS: Initial packet from [AF_INET]xx.xx.x.x:1194, si
d=24637a5b c9927aca
Sat Aug 23 13:24:55 2014 VERIFY OK: depth=1, /C=DE/ST=XX/L=XXXXXXXX/O=XXXXXXXXXX
_XXXXXXXX/OU=XX/CN=XXXXXXXXXXXXXXXXXXX_CA/emailAddress=XXXXXXXXXXXXXXXXXXXXXXXXX
.XX
Sat Aug 23 13:24:55 2014 VERIFY OK: nsCertType=SERVER
Sat Aug 23 13:24:55 2014 VERIFY X509NAME OK: /C=DE/ST=XX/O=XXXXXXXXXXXXXXXXXXX/O
U=XX/CN=XXXXXXXXXXXXX.local
Sat Aug 23 13:24:55 2014 VERIFY OK: depth=0, /C=DE/ST=XX/O=XXXXXXXXXXXXXXXXXXX/O
U=XX/CN=XXXXXXXXXXXXX.local
Sat Aug 23 13:24:55 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with
128 bit key
Sat Aug 23 13:24:55 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1'
for HMAC authentication
Sat Aug 23 13:24:55 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with
128 bit key
Sat Aug 23 13:24:55 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1'
for HMAC authentication
Sat Aug 23 13:24:55 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES2
56-SHA, 1024 bit RSA
Sat Aug 23 13:24:55 2014 [XXXXXXXXXX] Peer Connection Initiated with [AF_IN
ET]xx.xx.x.x:1194
Sat Aug 23 13:24:57 2014 SENT CONTROL [XXXXXXXXXX]: 'PUSH_REQUEST' (status=
1)
Sat Aug 23 13:24:57 2014 PUSH: Received control message: 'PUSH_REPLY,route 192.1
68.0.0 255.255.255.0,dhcp-option DOMAIN XX.XXXXX,dhcp-option DNS 192.168.0.1
,dhcp-option WINS 192.168.0.1,route 192.168.1.0 255.255.255.0,topology net
30,ping 10,ping-restart 60,ifconfig 192.168.1.6 192.168.1.5'
Sat Aug 23 13:24:57 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sat Aug 23 13:24:57 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sat Aug 23 13:24:57 2014 OPTIONS IMPORT: route options modified
Sat Aug 23 13:24:57 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options
modified
Sat Aug 23 13:24:57 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Aug 23 13:24:57 2014 open_tun, tt->ipv6=0
Sat Aug 23 13:24:57 2014 TAP-WIN32 device [LAN-Verbindung] opened: \\.\Global\{4
A5EAB71-E0F0-45EC-BF45-BD8BF71E0B03}.tap
Sat Aug 23 13:24:57 2014 TAP-Windows Driver Version 9.21
Sat Aug 23 13:24:57 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of
192.168.1.6/255.255.255.252 on interface {4A5EAB71-E0F0-45EC-BF45-BD8BF71E0B0
3} [DHCP-serv: 192.168.1.5, lease-time: 31536000]
Sat Aug 23 13:24:57 2014 NOTE: FlushIpNetTable failed on interface [5] {4A5EAB71
-E0F0-45EC-BF45-BD8BF71E0B03} (status=5) : Zugriff verweigert
Sat Aug 23 13:25:02 2014 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sat Aug 23 13:25:02 2014 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 25
5.255.255.0 192.168.1.5
Sat Aug 23 13:25:02 2014 ROUTE: route addition failed using CreateIpForwardEntry
: Zugriff verweigert [status=5 if_index=5]
Sat Aug 23 13:25:02 2014 Route addition via IPAPI failed [adaptive]
Sat Aug 23 13:25:02 2014 Route addition fallback to route.exe
Sat Aug 23 13:25:02 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\W
INDOWS\System32\Wbem
Sat Aug 23 13:25:02 2014 ERROR: Windows route add command failed [adaptive]: ret
urned error code 1
Sat Aug 23 13:25:02 2014 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 25
5.255.255.0 192.168.1.5
Sat Aug 23 13:25:02 2014 ROUTE: route addition failed using CreateIpForwardEntry
: Zugriff verweigert [status=5 if_index=5]
Sat Aug 23 13:25:02 2014 Route addition via IPAPI failed [adaptive]
Sat Aug 23 13:25:02 2014 Route addition fallback to route.exe
Sat Aug 23 13:25:02 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\W
INDOWS\System32\Wbem
Sat Aug 23 13:25:02 2014 ERROR: Windows route add command failed [adaptive]: ret
urned error code 1
Sat Aug 23 13:25:02 2014 Initialization Sequence Completed
Sat Aug 23 13:26:06 2014 Closing TUN/TAP interface
Sat Aug 23 13:26:06 2014 SIGTERM[hard,] received, process exiting

From OpenVPN GUI (without elevated Rights!):

Sat Aug 23 13:32:59 2014 OpenVPN 2.1.1 i686-w64-mingw32 [SSL] [LZO2] built on Oct 15 2012
Sat Aug 23 13:32:59 2014 MANAGEMENT: TCP Socket listening on 127.0.0.1:25341
Sat Aug 23 13:32:59 2014 Need hold release from management interface, waiting...
Sat Aug 23 13:33:00 2014 MANAGEMENT: Client connected from 127.0.0.1:25341
Sat Aug 23 13:33:00 2014 MANAGEMENT: CMD 'state on'
Sat Aug 23 13:33:00 2014 MANAGEMENT: CMD 'log all on'
Sat Aug 23 13:33:00 2014 MANAGEMENT: CMD 'hold off'
Sat Aug 23 13:33:00 2014 MANAGEMENT: CMD 'hold release'
Sat Aug 23 13:33:00 2014 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Aug 23 13:33:00 2014 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sat Aug 23 13:33:00 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Aug 23 13:33:00 2014 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Sat Aug 23 13:33:00 2014 Control Channel MTU parms [ L:1445 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Aug 23 13:33:00 2014 Data Channel MTU parms [ L:1445 D:1300 EF:45 EB:4 ET:0 EL:0 ]
Sat Aug 23 13:33:00 2014 Fragmentation MTU parms [ L:1445 D:1300 EF:45 EB:4 ET:0 EL:0 ]
Sat Aug 23 13:33:00 2014 Local Options hash (VER=V4): '37502a8b'
Sat Aug 23 13:33:00 2014 Expected Remote Options hash (VER=V4): 'de0dd523'
Sat Aug 23 13:33:00 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Aug 23 13:33:00 2014 UDPv4 link local (bound): [undef]:1194
Sat Aug 23 13:33:00 2014 UDPv4 link remote: xx.xx.xx.xx:1194
Sat Aug 23 13:33:00 2014 MANAGEMENT: >STATE:1408793580,WAIT,,,
Sat Aug 23 13:33:00 2014 MANAGEMENT: >STATE:1408793580,AUTH,,,
Sat Aug 23 13:33:00 2014 TLS: Initial packet from xx.xx.xx.xx:1194, sid=a1a57ae3 abd30196
Sat Aug 23 13:33:00 2014 VERIFY OK: depth=1, [...]
Sat Aug 23 13:33:00 2014 VERIFY OK: nsCertType=SERVER
Sat Aug 23 13:33:00 2014 VERIFY X509NAME OK: [...]
Sat Aug 23 13:33:00 2014 VERIFY OK: depth=0, [...]
Sat Aug 23 13:33:01 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 23 13:33:01 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 23 13:33:01 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 23 13:33:01 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 23 13:33:01 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Aug 23 13:33:01 2014 [xxxxxxxx] Peer Connection Initiated with xx.xx.xx.xx:1194
Sat Aug 23 13:33:02 2014 MANAGEMENT: >STATE:1408793582,GET_CONFIG,,,
Sat Aug 23 13:33:03 2014 SENT CONTROL [xxxxxxxx]: 'PUSH_REQUEST' (status=1)
Sat Aug 23 13:33:03 2014 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DOMAIN xxxxxx,dhcp-option DNS 192.168.0.1,dhcp-option WINS 192.168.0.1,route 192.168.1.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 192.168.1.6 192.168.1.5'
Sat Aug 23 13:33:03 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sat Aug 23 13:33:03 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sat Aug 23 13:33:03 2014 OPTIONS IMPORT: route options modified
Sat Aug 23 13:33:03 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Aug 23 13:33:03 2014 ROUTE default_gateway=192.168.8.1
Sat Aug 23 13:33:03 2014 MANAGEMENT: >STATE:1408793583,ASSIGN_IP,,192.168.1.6,
Sat Aug 23 13:33:03 2014 TAP-WIN32 device [LAN-Verbindung] opened: \\.\Global\{4A5EAB71-E0F0-45EC-BF45-BD8BF71E0B03}.tap
Sat Aug 23 13:33:03 2014 TAP-Win32 Driver Version 9.21
Sat Aug 23 13:33:03 2014 TAP-Win32 MTU=1500
Sat Aug 23 13:33:03 2014 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.6/255.255.255.252 on interface {4A5EAB71-E0F0-45EC-BF45-BD8BF71E0B03} [DHCP-serv: 192.168.1.5, lease-time: 31536000]
Sat Aug 23 13:33:03 2014 NOTE: FlushIpNetTable failed on interface [5] {4A5EAB71-E0F0-45EC-BF45-BD8BF71E0B03} (status=5) : Zugriff verweigert
Sat Aug 23 13:33:08 2014 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sat Aug 23 13:33:08 2014 MANAGEMENT: >STATE:1408793588,ADD_ROUTES,,,
Sat Aug 23 13:33:08 2014 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 192.168.1.5
Sat Aug 23 13:33:08 2014 Route addition via service succeeded
Sat Aug 23 13:33:08 2014 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.5
Sat Aug 23 13:33:08 2014 Route addition via service succeeded
Sat Aug 23 13:33:08 2014 Initialization Sequence Completed
Sat Aug 23 13:33:08 2014 MANAGEMENT: >STATE:1408793588,CONNECTED,SUCCESS,192.168.1.6,xx.xx.xx.xx

[Hunv]

but why does the GUI can this WITHOUT elevated rights and the commandline can't?

[Hunv]

Hi Traffic

the problem is: why I can connect WITHOUT ANY ADMINISTRATIVE rights via GUI and not via CMD? If the old version can and the newer cannot, that would be strange.
Anyway. The GUI handles it another way than the CMD.

Sat Aug 23 13:33:08 2014 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 192.168.1.5
Sat Aug 23 13:33:08 2014 Route addition via service succeeded
Sat Aug 23 13:33:08 2014 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.5
Sat Aug 23 13:33:08 2014 Route addition via service succeeded
Sat Aug 23 13:33:08 2014 Initialization Sequence Completed

So with or without the current version: How can I do this by using CMD? Running the cmd (or my program) with elevated rights cannot be the solution because:
- Users without administrative permissions are not able the use my program
- There seems to be another way that works without administrative permissions

[Hunv]

Today I uninstalled all OpenVPN-Components (I had several Clients) to clean up the whole mix of different versions.
But: little bit different words in the messages but same result: cmd doesn't work, GUI works

Then I started the Connection by using commandline it don't work:

Tue Aug 26 19:54:12 2014 DEPRECATED OPTION: --tls-remote, please update your con
figuration
Tue Aug 26 19:54:12 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO]
[PKCS11] [IPv6] built on Aug 7 2014
Tue Aug 26 19:54:12 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Tue Aug 26 19:54:12 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:
23321
Tue Aug 26 19:54:12 2014 WARNING: normally if you use --mssfix and/or --fragment
, you should also set --tun-mtu 1500 (currently it is 1400)

[...]

Tue Aug 26 19:54:15 2014 SENT CONTROL [xxxxxxxx]: 'PUSH_REQUEST' (status=
1)
Tue Aug 26 19:54:15 2014 PUSH: Received control message: 'PUSH_REPLY,route 192.1
68.0.0 255.255.255.0,dhcp-option DOMAIN xxx.local,dhcp-option DNS 192.168.0.3
1,dhcp-option WINS 192.168.0.31,route 192.168.1.0 255.255.255.0,topology net
30,ping 10,ping-restart 60,ifconfig 192.168.1.6 192.168.1.5'
Tue Aug 26 19:54:15 2014 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 26 19:54:15 2014 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 26 19:54:15 2014 OPTIONS IMPORT: route options modified
Tue Aug 26 19:54:15 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options
modified
Tue Aug 26 19:54:15 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Aug 26 19:54:15 2014 open_tun, tt->ipv6=0
Tue Aug 26 19:54:15 2014 TAP-WIN32 device [LAN-Verbindung] opened: \\.\Global\{C
E587611-8079-4FD1-9D18-D195041BBA4C}.tap
Tue Aug 26 19:54:15 2014 TAP-Windows Driver Version 9.9
Tue Aug 26 19:54:15 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of
192.168.1.6/255.255.255.252 on interface {CE587611-8079-4FD1-9D18-D195041BBA4
C} [DHCP-serv: 192.168.1.5, lease-time: 31536000]
Tue Aug 26 19:54:15 2014 NOTE: FlushIpNetTable failed on interface [5] {CE587611
-8079-4FD1-9D18-D195041BBA4C} (status=5) : Zugriff verweigert
Tue Aug 26 19:54:20 2014 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Tue Aug 26 19:54:20 2014 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 25
5.255.255.0 192.168.1.5
Tue Aug 26 19:54:20 2014 ROUTE: route addition failed using CreateIpForwardEntry
: Zugriff verweigert [status=5 if_index=5]
Tue Aug 26 19:54:20 2014 Route addition via IPAPI failed [adaptive]
Tue Aug 26 19:54:20 2014 Route addition fallback to route.exe
Tue Aug 26 19:54:20 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\W
INDOWS\System32\Wbem
Tue Aug 26 19:54:20 2014 ERROR: Windows route add command failed [adaptive]: ret
urned error code 1
Tue Aug 26 19:54:20 2014 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 25
5.255.255.0 192.168.1.5
Tue Aug 26 19:54:20 2014 ROUTE: route addition failed using CreateIpForwardEntry
: Zugriff verweigert [status=5 if_index=5]
Tue Aug 26 19:54:20 2014 Route addition via IPAPI failed [adaptive]
Tue Aug 26 19:54:20 2014 Route addition fallback to route.exe
Tue Aug 26 19:54:20 2014 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\W
INDOWS\System32\Wbem
Tue Aug 26 19:54:20 2014 ERROR: Windows route add command failed [adaptive]: ret
urned error code 1
Tue Aug 26 19:54:20 2014 Initialization Sequence Completed

And by GUI:

Tue Aug 26 19:59:09 2014 DEPRECATED OPTION: --tls-remote, please update your configuration
Tue Aug 26 19:59:09 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 7 2014
Tue Aug 26 19:59:09 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05

[...]

Tue Aug 26 19:59:13 2014 SENT CONTROL [xxxxxx]: 'PUSH_REQUEST' (status=1)
Tue Aug 26 19:59:13 2014 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DOMAIN xxx.local,dhcp-option DNS 192.168.0.31,dhcp-option WINS 192.168.0.31,route 192.168.1.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 192.168.1.6 192.168.1.5'
Tue Aug 26 19:59:13 2014 OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 26 19:59:13 2014 OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 26 19:59:13 2014 OPTIONS IMPORT: route options modified
Tue Aug 26 19:59:13 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Aug 26 19:59:13 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Aug 26 19:59:13 2014 MANAGEMENT: >STATE:1409075953,ASSIGN_IP,,192.168.1.6,
Tue Aug 26 19:59:13 2014 open_tun, tt->ipv6=0
Tue Aug 26 19:59:13 2014 TAP-WIN32 device [LAN-Verbindung] opened: \\.\Global\{CE587611-8079-4FD1-9D18-D195041BBA4C}.tap
Tue Aug 26 19:59:13 2014 TAP-Windows Driver Version 9.9
Tue Aug 26 19:59:13 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.1.6/255.255.255.252 on interface {CE587611-8079-4FD1-9D18-D195041BBA4C} [DHCP-serv: 192.168.1.5, lease-time: 31536000]
Tue Aug 26 19:59:13 2014 Successful ARP Flush on interface [5] {CE587611-8079-4FD1-9D18-D195041BBA4C}

[Hunv]

of cause, only the red "PUSH"-Message. Thats true. But the route is added and it works - with GUI only and without "run as admin". Same procedure with cmd will not add the routes as you see in the logs.

Routes with CMD:

Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
192.168.1.4 255.255.255.252 Auf Verbindung 192.168.1.6 286
192.168.1.6 255.255.255.255 Auf Verbindung 192.168.1.6 286
192.168.1.7 255.255.255.255 Auf Verbindung 192.168.1.6 286

Routes with GUI:

Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
192.168.0.0 255.255.255.0 192.168.1.5 192.168.1.6 30
192.168.1.0 255.255.255.0 192.168.1.5 192.168.1.6 30
192.168.1.4 255.255.255.252 Auf Verbindung 192.168.1.6 286
192.168.1.6 255.255.255.255 Auf Verbindung 192.168.1.6 286
192.168.1.7 255.255.255.255 Auf Verbindung 192.168.1.6 286

[Hunv]

Interesting thing. Today I tried to get the logs of the GUI, but today even the GUI doesn't work.
Strange thing. With my old-version-configuration it worked.