Windows clients always have to reinstall the Client GUI

bazzacad · Apr 7, 2020, 8:21 PM

Hi,
I'm running pfSense 2.4.4-RELEASE-p3 with OpenVPN & using the Client Export Tool for Windows 10 (2.4.8-Ix02).
It's running great for most users, but a few of them are a strange issue.
They install the GUI Client & try to connect, but get "Initialization Sequence Completed with Errors."
I've read this post that the error links to: https://community.openvpn.net/openvpn/wiki/259-tap-win32-adapter-is-not-coming-up-initialization-sequence-completed-with-errors

But none of it helps, the DHCP Client Service is running, the TAP adapter isn't being firewalled.
However, if the user uninstalls & reinstalls the OpenVPN Client, then it works perfectly fine on the second instillation.
This happens every time they shutdown or restart their computer. They have to install the OpenVPN client twice to get it to work.
Do you know why this is happening or any suggestions on how to fix it?

Attached is the client log file with verb=4
The client was connected to the VPN fine.
We disconnected & then tried to reconnect & weren't able to reconnect.
We then uninstalled the client & then reinstalled the client and were able to connect fine again.
It seems to have an issues bringing up the TAP interface after a disconnect.
But can bring it up fine after a fresh installation.

pfSense-UDP4-1194-abef-config.log.txt

jimp · Apr 8, 2020, 2:04 PM

Given the problem description, you'd be better off posting about that on the OpenVPN forum. It appears to be a problem with the Windows OpenVPN client on their computers, and wouldn't be related to the server (or pfSense).

I haven't heard of that kind of thing happening before. You might have them uninstall the OpenVPN client and the TAP adapter and then download the client straight from https://openvpn.net/community-downloads/ and install it again.

bazzacad · Apr 8, 2020, 8:55 PM

Thanks for the reply. I did try to post on the OpenVPN forum, but the only reply I received was "I have no idea".
Can you tell me what the difference is by installing from the Client Export package & installing from OpenVPN? Is the only difference that it includes the config & certificate?

jimp · Apr 9, 2020, 12:30 PM

The export package installer has the config+cert and so on but it also only runs the OpenVPN installer conditionally if it's not already installed. So if they have an older version of OpenVPN, for example, running the export package version wouldn't upgrade it.

But mostly my suggestion was about eliminating possible differences to help pinpoint the problem. If it happens with the stock installer directly from OpenVPN, then you know it definitely is not something to do with the export package.

johnpoz · Apr 9, 2020, 1:01 PM

What version of the tap driver exactly.. I would be curious if related to the conditional running of the installer, and not updating the tap driver..

But your saying this happens again, after they reboot - they once again have to install twice?

Is the tap driver the new 9.24.2? That came out with 2.4.8... I just looked on mine and running 9.24.2.601

bazzacad · Apr 9, 2020, 7:46 PM

Thanks for the relays. Yes they're on the latest 9.24.2 TAP driver.

Most of the ones with the issue where never on the old version. They've always had OpenVPN 2.4.8 & TAP 9.24.2, so I don't think it's an upgrade issue. But I'll try the stock installer on one of them anyways.

@johnpoz said in Windows clients always have to reinstall the Client GUI:

But your saying this happens again, after they reboot - they once again have to install twice?

Actually they don't have to reboot for it to happen. They will be connected, then disconnect, then try to reconnect & it won't. Then we do an uninstall & reinstall of OpenVPN (from the export tool) & then it connects fine. So It's not really twice once after another, but twice since it was already previously installed.

johnpoz · Apr 9, 2020, 7:50 PM

these users don't have admin rights? An admin should be installing, or the user needs to be able to elevate the install as admin..

Been using openvpn on windows for a very long time - have never seen such an issue to be honest.. .Don't have a huge sample of machines, etc. But can't say I have seen anything like this..

bazzacad · Apr 9, 2020, 7:53 PM

Ya I know it's kind of a weird one...
I have added the users to the local "Administrators" group to insure that wasn't an issue.

johnpoz · Apr 9, 2020, 8:02 PM

Sure not related to your endpoint protection?

bazzacad · Apr 9, 2020, 8:09 PM

That did cross my mind, but I ruled it out, since all the users have the same protraction, but only a few have the VPN connection issue. I'll disable it just to be sure.

bazzacad · Apr 10, 2020, 1:10 AM

Grrrr, still no luck. I disabled Anti-virus, still didn't work. I installed from the stock installer, still didn't work.
I collected these screen shots of ipconfig of the TAP adapter when it works & when it doesn't.
Why would it Auto configure the IP address & why isn't it receiving the correct DNS server?

And here are the logs when it works & when it doesn't compared side-by-side.

And here are the full log files....
pfSense-UDP4-1194-pintar-config_good.txt
pfSense-UDP4-1194-pintar-config_bad.txt

jimp · Apr 10, 2020, 12:11 PM

Check in the Services control panel on Windows and see the the OpenVPN services which are running are the same when it's in both states. Maybe something is killing its service.

johnpoz · Apr 10, 2020, 12:18 PM

This seems to be related.. You could try the suggestions in there
https://community.openvpn.net/openvpn/ticket/665

Gertjan · Apr 10, 2020, 12:25 PM

Just a wild guess :
I had an issue very comparable with the PC of a fellow home worker.

Someone or something swapped the TAP driver out ....

It was one of the 2 (!) client apps installed for his private VPNxxxxx and VNbbbb access. These often use their own versions.

@bazzacad : check your Network card's list : how many TAP-virtual-NIC drivers are listed there ?
You named one of them to "tipping.lan", but not the other. Up to you to discover where the other came from. There is probably even a program running that 'repairs' it's settings and files after you installed the OpenVPN-client-from-pfSense.

edit : or even multiple OpenVPN instances running with their own TAP versions ...

edit2 : jimp said the same thing. Look and check also all the tasks at services.msc

SteveITS · Apr 10, 2020, 7:37 PM

@johnpoz said in Windows clients always have to reinstall the Client GUI:

An admin should be installing, or the user needs to be able to elevate the install as admin

In addition when running the OpenVPN GUI it needs to be run as admin so it can modify the routes in Windows. (I am a standard user on my PC). Could it still be running as an admin when launching from the install? It's been a long time since I installed...

johnpoz · Apr 10, 2020, 7:38 PM

The current version has a service that will do the admin stuff.. So no the user doesn't have to be admin.

bazzacad · Apr 10, 2020, 7:42 PM

This link: https://community.openvpn.net/openvpn/ticket/665 from @johnpoz look promising, so I'll try those solutions.
The users have full admin rights when installing & running the GUI.

bazzacad · Apr 10, 2020, 8:30 PM

OK, I'm pretty sure I've got it fixed now. Per the bug report link above, all I had to do was add dhcp-renew to the client config file.

johnpoz · Apr 11, 2020, 2:02 AM

Your posting of the log showing the route waiting for interface to come up was key in finding that info...

So glad you got it sorted!