Starting a second connection (no matter which order) results in an error message "Connecting to X has failed."
2020-09-01 15:51:23 us=310799 open_tun
2020-09-01 15:51:23 us=330749 CreateFile failed on tap-windows6 device: \\.\Global\{3987121B-4588-43F0-8050-A61D209DB483}.tap
2020-09-01 15:51:23 us=330749 CreateFile failed on tap-windows6 device: \\.\Global\{24B861B9-3EB4-4E0C-8C73-E1E8C36E8253}.tap
2020-09-01 15:51:23 us=331754 MANAGEMENT: Client disconnected
2020-09-01 15:51:23 us=331754 All tap-windows6 adapters on this system are currently in use.
2020-09-01 15:51:23 us=331754 Exiting due to fatal error
I have 2 TUN and 2 TAP devices:
PS C:\Program Files\OpenVPN\bin> .\tapctl.exe list
{5D73BD9C-7565-4325-B876-CC33F4D32B55} OpenVPN Wintun 1
{3987121B-4588-43F0-8050-A61D209DB483} OpenVPN TAP-Windows 1
{24B861B9-3EB4-4E0C-8C73-E1E8C36E8253} OpenVPN TAP-Windows 2
{711704F7-EB84-4137-A95F-26FE093F5747} OpenVPN Wintun 2
Configuration for connection (the other one is the same apart from remote/ca/cert/key values):
client
dev tun
proto udp
remote 217.xxx.xxx.xxx 20452
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cl18.crt
key cl18.key
remote-cert-tls server
tls-crypt ta.key
verb 4
I can reproduce this. For some reason the second tap adapter created by the tapctl utility is not allowing a non-admin user to open it. The first one created during installation works fine, though both use the same code path.
As this is beyond the GUI to fix, could you please open a ticket in OpenVPN Trac (https://community.openvpn.net/openvpn/newticket)?
Some followup: the second adapter created by tapctl.exe has no AllowNonAdmin registry value. The device properties show AllowNonAdmin as enabled but, iirc, tap-windows6 only cares about this registry entry[*]. No idea why it's missing. Manually adding that entry and resetting the adapter makes it work as user. Can anyone reproduce this?
Some more follow up: running tapctl.exe as SYSTEM creates the adapter correctly, so this does point to an error in accessing some files installed by the MSI, leaving some steps incomplete when run as admin. But no errors on tapctl command line.
[*] The actual value of this registry variable doesn't matter -- somewhere along the way the tap-windows6 code has regressed into just checking the presence of this registry key, but that's unrelated to the issue here.
Here is a temporary quick fix:
Go to the list of network adapters in control panel, identify the TAP adapter that doesn't work, right click Properties->configure->Advanced and select the Non-Admin Access property. Change it from Allowed to Not Allowed, click OK. Then repeat this and change it back to Allowed. This will generate the missing registry key and make the adapter accessible as limited user.
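One way to check which adapters are missing the value discussed above, as an added example that is not part of the thread or of OpenVPN's code. It assumes the AllowNonAdmin value is stored in the adapter's driver key under the standard Windows network adapter class key and is matched to the adapter by NetCfgInstanceId; the function name Get-TapNonAdminState is hypothetical, and the GUIDs are the two TAP-Windows adapters from the tapctl output in this report.

```powershell
# Added example: report which TAP-Windows adapters lack the AllowNonAdmin value.
# Assumption: the value sits in the adapter's driver key under the standard
# network adapter class key, and NetCfgInstanceId identifies the adapter.
$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# Adapter GUIDs as printed by "tapctl.exe list" (taken from this report).
$AdapterGuids = @(
    '{3987121B-4588-43F0-8050-A61D209DB483}',
    '{24B861B9-3EB4-4E0C-8C73-E1E8C36E8253}'
)

function Get-TapNonAdminState {
    param(
        [string[]]$Guids,
        [string]$Root = $ClassKey
    )
    # Driver keys are named 0000, 0001, ...; other subkeys (e.g. Properties)
    # may not be readable by a limited user, so errors are suppressed.
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $id = $_.GetValue('NetCfgInstanceId')
            if ($id -and ($Guids -contains $id)) {
                [pscustomobject]@{
                    Guid             = $id
                    Description      = $_.GetValue('DriverDesc')
                    DriverKey        = $_.PSChildName
                    # Only presence is tested, because the thread notes that
                    # the driver ignores the data stored in the value.
                    HasAllowNonAdmin = ($_.GetValueNames() -contains 'AllowNonAdmin')
                }
            }
        }
}

Get-TapNonAdminState -Guids $AdapterGuids | Format-Table -AutoSize
```

An adapter reported with HasAllowNonAdmin set to False is the one a limited user cannot open; rerun the check after applying the workaround to confirm the value now exists.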
Great to wake up to a workaround. Thanks @selvanair
I didn't see a similar ticket on OpenVPN Trac, so I created a new ticket as advised:
https://community.openvpn.net/openvpn/ticket/1321
Fixed in openvpn repo by
commit f3f09541dcff3f0b307067bdf5dcaabc530db4c7
Author: Selva Nair <selva.nair@gmail.com>
Date: Thu Sep 3 19:56:44 2020 -0400
In tap.c use DiInstallDevice to install the driver on a new adapter
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <1599177404-29996-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20880.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Will be included in the next 2.5 beta release.