I have a computer running Windows 7 Pro RTM. This computer has two network connections:
- A Wi-Fi connection to the Internet (through a home router) which works just fine.
- An OpenVPN virtual network connection. More precisely, this is a virtual Ethernet connection which behaves exactly like a physical Ethernet wired connection.
My problem is that the "Network and sharing center" shows "Unknown network" for the OpenVPN connection. After some research I found that logical networks (outside a domain) are identified by the MAC address of the default gateway of the connection. Problem is, the OpenVPN connection has no default gateway: it is a private network, so I don't need one...
Consequently, the "Unknown network" is always considered public, so the firewall is always in "public mode", which I don't want. Plus, I can't rename "Unknown connection" or anything (which makes sense), so it is kinda ugly.
My goal is to define a proper logical network for the OpenVPN connection with the private profile. I know of some workarounds (disable the firewall, modify security policy to make all unknown networks "private") but they're still workarounds. I just want my clients to connect to the VPN without having to disable their firewall settings, without changing global configuration with potential side-effects (the "security policy" solution) and without having to look at an ugly "Unknown connection" in the Network and sharing center.
Is there any way I can do this? I tried to check what was going on in the registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList is interesting), but I still didn't find a way to "force" the OpenVPN connection to be assigned to a logical network.
Any help would be very appreciated.
A related question showed up at Superuser: https://superuser.com/questions/37355/windows-7-cant-identify-network/37422
The workaround we use is to push a default route to the client via the OpenVPN config file, e.g. like so:
You most definitely want to make sure the supplied metric is higher than your Internet default route, else all traffic would be routed through the VPN (which might be desirable in specific cases, but this is another topic).
Please note that fiddling with the network configuration in general and routing in particular can have all sorts of undesired side effects if done improperly, but as long as you know what you are doing you should be able to judge the impact:
That said we have used this workaround successfully for quite some time without any issues at all.
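Added example, not part of the original answer: a check that a client's routing table matches the metric advice above, i.e. the VPN adapter has a default route (so Windows has a gateway to identify the network by) while the Internet default route keeps the lower, preferred metric. The `route print` excerpt, addresses and metrics are constructed sample values, and the function names are hypothetical.

```python
import re

# Constructed sample of the IPv4 section of `route print` on a Windows client
# (addresses and metrics are made up for illustration).
SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0         10.8.0.1        10.8.0.6    542
         10.8.0.0    255.255.255.0         On-link         10.8.0.6    286
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
===========================================================================
"""

# destination, netmask, gateway (IP or "On-link"), interface IP, metric
ROUTE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def default_routes(text):
    """Return [(gateway, interface_ip, metric)] for every 0.0.0.0/0 route."""
    out = []
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            out.append((m.group(3), m.group(4), int(m.group(5))))
    return out

def check_vpn_default(text, vpn_ip):
    """Classify the routing state for the VPN adapter whose local IP is vpn_ip."""
    routes = default_routes(text)
    vpn = [r for r in routes if r[1] == vpn_ip]
    other = [r for r in routes if r[1] != vpn_ip]
    if not vpn:
        return "no-vpn-default"   # no gateway on the VPN adapter to identify it by
    if not other:
        return "vpn-only"         # the tunnel is the only way out
    # The lowest metric wins, so the VPN route must be strictly higher.
    if min(r[2] for r in vpn) <= min(r[2] for r in other):
        return "vpn-preferred"    # Internet traffic may enter the tunnel
    return "ok"                   # gateway present, Internet route still preferred

if __name__ == "__main__":
    print(check_vpn_default(SAMPLE, "10.8.0.6"))
```
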
There is a PowerShell script here that looks like it does what you want.
For OpenVPN AS (Access Server) you may want to add this to the Advanced VPN Settings in the Server Config Directives box:
Then update the server and, et voilà, Win7 will get the default gw on the TAP device and let you change Network type from Unknown to others.
Thanks @Steffen-Opel for the tip! :)
I'd like to leave my contribution. See what worked in my case ... Windows 7 and Windows 8...
I spent a lot of time with this problem of client inbound connectivity.
Disabling the TAP interface on the firewall works fine, but it's almost the same as turning off the firewall in the VPN context. The VPN machines are running in different security contexts and some can affect others.
I tried the "default gateway" configuration, which makes the network get recognized as a "Work Network" (just in Win7, not on Win8), and nevertheless PING did not work!
Manually adding a "*NdisDeviceType" record in the registry also did not work on Win8.
So, looking carefully at the Windows Firewall configuration, I saw other scope settings rather than just profiles, so I tried running another service rather than PING, and to my surprise it worked properly, even in "Unidentified Networks" and "Public Profile"!
So, I tried to isolate the PING problem, and the configuration that made it work was the following: the default Windows Firewall entry that enables outside IPv4 PING is "File and Printer Sharing (Echo Request - ICMPv4-In)", so in its properties, I clicked on "Scope", and in "Remote IP Address" I changed from "Local subnet" to "Any IP address", and this did make PING work.
Hey, I was able to get this working. I went to Network and Sharing Center, then clicked on "Home Group". It says on that screen I can't join a Homegroup because the network is public. Then I clicked on the question "What is a network location?" and it allows me to change the type of network. A screen pops up saying Windows was unable to change the network type, but it will change.
What about adding another IP of the segment as the default gateway? Although it will not query or touch external addresses, it will have a default gateway, which should satisfy Windows. Or change your DHCP to provide one, if it does not.
Try going into the "Network and Sharing Center" while connected to the VPN, and you should see the networks listed. Under each network will be a status like "Work Network" or "Domain Network"; you should be able to click it and change what type the network is.
J.Ja