I have a domain joined Windows Server 2012 R2 box that has the OpenVPN 2.3.13 client software installed on it. When the VPN connection is active the "Ethernet 2" (TAP interface) connection is placed into the Domain Network category alongside the main LAN NIC by NLA. Ideally I want to be able to assign the VPN interface to the Public category. I've tried via PowerShell, but get this error constantly:
Unable to set the NetworkCategory due to one of the following possible reasons: not running PowerShell elevated; the NetworkCategory cannot be changed from 'DomainAuthenticated'; user initiated changes to NetworkCategory are being prevented due to the Group Policy setting 'Network List Manager Policies'.
At line:1 char:1
+ Set-NetConnectionProfile -InterfaceIndex 15 -NetworkCategory Public
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (MSFT_NetConnect...72AADA665483}"):root/StandardCi...nnectionProfile) [Set-NetConnectionProfile], CimException
    + FullyQualifiedErrorId : MI RESULT 2,Set-NetConnectionProfile
15 is the interface number of "Ethernet 2".
It's worth noting that I am running this command in an elevated PowerShell session and I have tried all the available GPO policies, but the error is constantly thrown. Most information about NLA suggests switching between Private and Public should work, but DomainAuthenticated seems a little bit different.
The registry method doesn't have an actual profile for Ethernet 2, so it can't be changed that way either.
Is there any way to force the TAP adapter to be Public? The OpenVPN connection itself does not override the default gateway of the main NIC and uses the 10.0.0.0/8 subnet. The fact that I use route-nopull and override the routes might be part of the problem with the way NLA detects the networks.
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%xx
IPv4 Address. . . . . . . . . . . : 10.xx.xx.xx
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
The main reason for needing to assign the Public profile is for firewall rules. I am having trouble preventing certain applications from only using the VPN interface; being able to write network-profile-based firewall rules seems to work best in this case. I've tried writing rules based on the local IP address, but this didn't work.
The below will use WMI/CIM.
Removing the addresses of the 'public' adapter from the list of listening addresses of your DNS server would do the trick.
Review the third option "Using the Firewall" on this page: https://evansblog.thebarrs.info/2013/02/windows-server-force-your-network.html
You can prevent the DomainAuthenticated network profile by using the Windows Firewall to create an Outbound rule to block the Windows service "Network Location Awareness". Make sure to specify the Local IP of the VPN adapter in the rule so it doesn't affect other adapters. The VPN adapter should now be classified with the "Public" network profile.
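The outbound-block approach from the answer above, written out as a PowerShell script. This is an added example, not code from the answer or from the linked blog post. It assumes the TAP adapter alias is "Ethernet 2" (as in the question), that the Network Location Awareness service's short name is NlaSvc, that the rule display name "Block NLA on VPN adapter" is free to use, and that it runs in an elevated session on a host with the NetSecurity and NetTCPIP modules (Server 2012 R2 has both).

```powershell
# Added example (not from the original answer): creates the outbound block rule
# described above for the NLA service, scoped to the VPN adapter's current local
# IPv4 address, then reports the resulting network category of that adapter.
# Assumptions: adapter alias "Ethernet 2", service short name NlaSvc, elevated
# session. The rule display name is a constructed value.
#Requires -RunAsAdministrator

$Alias    = 'Ethernet 2'
$RuleName = 'Block NLA on VPN adapter'

# Current IPv4 address of the TAP adapter. OpenVPN may hand out a different
# address on a later connection, so this is read fresh on every run.
$VpnIp = (Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction Stop).IPAddress

# Drop any earlier copy of the rule so a changed VPN address is picked up
# instead of leaving a stale rule bound to the old address.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block outbound traffic from the NLA service only when it would leave via
# the VPN adapter's address; other adapters are untouched, so the LAN NIC
# keeps its DomainAuthenticated classification.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction    Outbound `
    -Action       Block `
    -Service      NlaSvc `
    -LocalAddress $VpnIp `
    -Profile      Any `
    -Enabled      True | Out-Null

# Verify the classification. NLA re-evaluates the adapter on its next
# network change, so reconnect the VPN (or Restart-NetAdapter -Name $Alias)
# if the category still shows DomainAuthenticated immediately after this.
Get-NetConnectionProfile -InterfaceAlias $Alias |
    Select-Object InterfaceAlias, InterfaceIndex, NetworkCategory
```

Two things to keep in mind with this rule. It is tied to the address NLA would have probed from, so it must be re-run whenever the VPN interface receives a different address; scheduling the script on the OpenVPN connect event is one way to handle that. And because the adapter then lands in the Public profile, every rule you author for this use case should be scoped to Public so it never applies to the domain-joined LAN NIC.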