Unable to change Windows network location

The title of this recipe may not seem related to routing issues, but the Windows network location depends on routing to work. Starting with Windows Vista, Microsoft introduced the concept of network locations. By default, there are multiple network locations: HomeWork and Public for Windows 7 and Private and Public for Windows 8 and above. These network locations apply to all network adapters, including OpenVPN's virtual TAP-Win network adapter.

The Home network location is intended for a home network. Similarly, the Work network location also provides a high level of trust at work, allowing the computer to share files, connect to printers and so on. In Windows 8 and above, the Home and Work network locations are merged together to become the trusted Private network location. The Public network location is not trusted and access to network resources is restricted by Windows, even when the Windows firewall is disabled.

The routing properties of an OpenVPN setup determine whether the TAP-Win adapter is trusted or not, and thus whether file sharing is allowed. In this recipe, we will show how to change an OpenVPN setup so that the network location can be altered.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Windows 7 64bit and OpenVPN 2.3.11. Keep the configuration file example2-7-server.conf from the Redirecting the default gateway recipe from Chapter 2Client-server IP-only Networks at hand, as well as the client configuration file basic-udp-client.ovpn from the Using an ifconfig-pool block recipe from Chapter 2Client-server IP-only Networks.

How to do it...

  1. Start the server using the configuration file example-2-7-server.conf:
            [root@server]# openvpn --config example2-7-server.conf
    
  2. Next, start the client.
    How to do it...
  3. Go to the Network and Sharing Center and observe that the TAP adapter is in the section Public Network and that it is not possible to change this. Also, try to access a file share via the VPN tunnel. This should not be possible.
  4. Change the server configuration by removing def1 from the push redirect-gateway def1 line:
            push "redirect-gateway" 
    
  5. Restart the VPN connection on both sides.
  6. As the VPN connection comes up, Windows will ask you for the location of the new network Network:
    How to do it...
  7. Choose the Work network location, then give the new network the name VPN.
  8. Now, go to the Network and Sharing Center once more and observe that the TAP adapter (named vpn0) is in the work network location VPN:
    How to do it...

How it works...

Even though all network traffic is routed over the VPN (using redirect-gateway def1) Windows does not trust the VPN adapter and hence will refuse full access over the VPN tunnel. Windows will only trust a network adapter if it advertises a default gateway (0.0.0.0/0), or the network adapter must be part of a Windows domain. This can be fixed by changing the server configuration to use:

push "redirect-gateway" 

There's more...

It is also possible to use the Windows Registry editor to change the network location, but this is not recommended, as it will mark all network adapters as trusted.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.142.133.147