
TUN interface DNSDOMAIN missing on Windows11 24H2

Open MyOrk64 opened this issue 1 year ago • 7 comments

OpenVPN is trying to use wmic.exe to configure DNSDOMAIN for tun interfaces. In Windows 11 wmic is deprecated and cannot be added. This is not working anymore.

Errors are logged:

2024-11-13 07:29:23 WMIC: C:\windows\system32\wbem\wmic.exe nicconfig where (InterfaceIndex=17) call SetDNSDomain 'nothing.net'
2024-11-13 07:29:23 openvpn_execve: CreateProcess C:\windows\system32\wbem\wmic.exe failed: Das System kann die angegebene Datei nicht finden. (errno=2)

  • OS: Windows 11 24H2
  • OpenVPN version: 2.6.12

My personal workaround is an elevated PowerShell command for setting a fixed DNSDOMAIN per interface: Set-DnsClient -InterfaceIndex 17 -ConnectionSpecificSuffix "nothing.net"

MyOrk64 avatar Nov 13 '24 08:11 MyOrk64
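The workaround above as a complete, checkable script. This is an added example and not code from the issue thread or from the OpenVPN project: it first checks for the wmic.exe binary that OpenVPN 2.6.x tries to run (the root cause of the error logged above), then locates the OpenVPN adapter by name and applies Set-DnsClient, and finally reads the suffix back to confirm it took. The adapter names ("OpenVPN Wintun", "OpenVPN Data Channel Offload") are taken from the if_name values in the log lines quoted in this thread, and the suffix "nothing.net" from the report; both are assumptions to adjust for your environment.

```powershell
# Added example (not from the issue thread): detect the wmic.exe dependency,
# apply the Set-DnsClient workaround to the OpenVPN adapter, and verify it.
# Assumes the adapter is named like OpenVPN's own drivers name it (taken from
# the if_name values in this thread) and a suffix of "nothing.net" (from the
# report). Run from an elevated PowerShell session.
param(
    [string[]]$AdapterNames = @('OpenVPN Wintun', 'OpenVPN Data Channel Offload'),
    [string]$Suffix = 'nothing.net'   # replace with your connection-specific suffix
)

# 1. Root-cause check: OpenVPN 2.6.x shells out to wmic.exe, which a clean
#    Windows 11 24H2 install does not ship. This mirrors the "CreateProcess
#    ... failed (errno=2)" line in the report.
$wmic = Join-Path $env:SystemRoot 'System32\wbem\wmic.exe'
if (Test-Path $wmic) {
    Write-Host "wmic.exe present at $wmic; OpenVPN 2.6.x can set the DNS domain itself."
} else {
    Write-Warning "wmic.exe not found; OpenVPN 2.6.x cannot set the DNS domain on this host."
}

# 2. Locate the OpenVPN adapter. Get-NetAdapter lists it even while the
#    tunnel is down, so the script can run before connecting.
$adapter = Get-NetAdapter |
    Where-Object { $AdapterNames -contains $_.Name } |
    Select-Object -First 1
if (-not $adapter) {
    throw "No adapter named $($AdapterNames -join ' / ') found; check Get-NetAdapter for the real name."
}

# 3. Apply the workaround from the report: set the connection-specific suffix
#    on that interface through the DNS client service instead of wmic.
Set-DnsClient -InterfaceIndex $adapter.ifIndex -ConnectionSpecificSuffix $Suffix

# 4. Verify by reading the value back; fail loudly if it did not stick.
$client = Get-DnsClient -InterfaceIndex $adapter.ifIndex
if ($client.ConnectionSpecificSuffix -ne $Suffix) {
    throw "Interface $($adapter.ifIndex) has suffix '$($client.ConnectionSpecificSuffix)', expected '$Suffix'."
}
Write-Host "Interface '$($adapter.Name)' (ifIndex $($adapter.ifIndex)) now uses suffix '$Suffix'."

# 5. Also show the global suffix search list, the other place a search domain
#    can come from, so you can see which of the two is actually in effect.
Get-DnsClientGlobalSetting | Select-Object -ExpandProperty SuffixSearchList
```

Note what this does and does not cover: Set-DnsClient sets only the connection-specific suffix on one interface, which is exactly what the wmic SetDNSDomain call did. It does not create NRPT rules, which is why the merged 2.7 change discussed later in this thread writes registry keys instead.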

Ping @d12fk

lstipakov avatar Nov 14 '24 14:11 lstipakov

WMI infrastructure is still there but it seems wmic commandline is deprecated -- I think it can be installed manually on Win11 still. An option is to replace it with the powershell command Set-DnsClient as shown by @MyOrk64 . Is this available on all Win OS versions we support? Win7 compatibility can be broken, probably, but what about some early releases of Win10? Alternative is to edit the registry but I recall some issues with it -- like not immediately effective or some such.

selvanair avatar Nov 19 '24 20:11 selvanair

Confirming here we ran into the same issue. On a fresh install of Windows 11 24H2, wmic is not installed/enabled, so a user was having DNS issues when connected to our VPN. Using 2.6.12 (and 2.6.13), they would get this error in their Windows client: "TUN: adding dns domain failed using service: The system cannot find the file specified. [status=2 if_name=OpenVPN Wintun]"

We instructed them to install wmic, and everything works again. This does not appear to be an issue if someone upgrades to 24H2 on an existing install, since wmic is likely installed already in those scenarios.

IAmKrypty avatar Jan 22 '25 21:01 IAmKrypty

Confirming here too. Windows 11 24H2 missing wmic fails to set DNS suffix / domain. Here, set "suffix" manually in Properties of Windows OpenVPN connection.

s0nic9 avatar Feb 03 '25 17:02 s0nic9

Set-DnsClient is present since Windows 8.0 (Windows 7 doesn't have it).

jernejs avatar Feb 22 '25 12:02 jernejs

So I just merged a patch from @d12fk that removes all WMIC from iservice, replacing it with registry edits plus GPO refreshing / service poking. This looks all very magic but I am assured that it works :-)

commit ae90cbad50641cdf2579d1a6bcc35144866f68b1
Author: Heiko Hund [email protected]

dns: support multiple domains without DHCP

Instead of using wmic on Windows to set one (the first) DNS domain,
modify the registry directly and let the resolver know that something
changed.

It would be very good to have more test reports on this.

Windows installers should appear in https://github.com/OpenVPN/openvpn-build/actions "today or tomorrow", or you build your own binaries from master.

cron2 avatar Mar 12 '25 09:03 cron2

https://github.com/OpenVPN/openvpn-build/actions/runs/13808257674 -> artifacts has installers for all platforms.

cron2 avatar Mar 12 '25 10:03 cron2

There is now a 2.7_alpha3 installer available which has all the DNS related improvements that we plan for 2.7.0 - hearing about this, whether it works for your environment or not (and if not, logfiles please) would be really helpful.

cron2 avatar Jul 31 '25 20:07 cron2

I'll try to test this tomorrow; I'm not sure if setting Group Policy registry keys will work in a domain environment (those are periodically refreshed from domain controllers in the background, so it's possible the setting will be lost during such refreshes).

jernejs avatar Jul 31 '25 21:07 jernejs

I'm having a similar issue with the domain not being registered when using DCO.

Fri Aug 1 12:08:56 2025 TUN: adding dns domain failed using service: The system cannot find the file specified. [status=2 if_name=OpenVPN Data Channel Offload]

Any help please.

DaMa-IT avatar Aug 01 '25 11:08 DaMa-IT

@DaMa-IT Please provide the whole log with verb 4. Also check any relevant errors in Event Log.

lstipakov avatar Aug 01 '25 11:08 lstipakov

DNS suffix / domain is now defined correctly on Windows 11 24H2 build 1742+ since openvpn 2.7 alpha3

s0nic9 avatar Aug 03 '25 17:08 s0nic9

> There is now a 2.7_alpha3 installer available which has all the DNS related improvements that we plan for 2.7.0 - hearing about this, whether it works for your environment or not (and if not, logfiles please) would be really helpful.

@cron2 I ran into the problem of the DNS search domain not being set with 2.6.14 on a Windows machine that is missing wmic (Windows 11 24H2, OS Build 26100.4946, ARM64).

Using 2.7_alpha3 fixes the issue.

Thank you.

shimikano avatar Aug 20 '25 15:08 shimikano

> There is now a 2.7_alpha3 installer available which has all the DNS related improvements that we plan for 2.7.0 - hearing about this, whether it works for your environment or not (and if not, logfiles please) would be really helpful.

Thank you. In our env., DNS search domain registration failed with OpenVPN client v2.6.14, but started working properly with 2.7_alpha3.

v2.6.14 logged the following error TUN: adding dns domain failed using service: The system cannot find the file specified.

butwhoscounting avatar Aug 22 '25 10:08 butwhoscounting

> There is now a 2.7_alpha3 installer available which has all the DNS related improvements that we plan for 2.7.0 - hearing about this, whether it works for your environment or not (and if not, logfiles please) would be really helpful.

> Thank you. In our env., DNS search domain registration failed with OpenVPN client v2.6.14, but started working properly with 2.7_alpha3.
>
> v2.6.14 logged the following error TUN: adding dns domain failed using service: The system cannot find the file specified.

I fixed this temporarily by adding the following to the client .ovpn config file, until v2.7 is out.

dev tun
windows-driver ovpn-dco
dns search-domains YOUR-FQDN
dns server 0 address YOUR-PRIMARY-DNS-IP-ADDRESS
dns server 1 address YOUR-SECONDARY-DNS-IP-ADDRESS

DaMa-IT avatar Aug 22 '25 11:08 DaMa-IT

> dev tun
> windows-driver ovpn-dco
> dns search-domains YOUR-FQDN
> dns server 0 address YOUR-PRIMARY-DNS-IP-ADDRESS
> dns server 1 address YOUR-SECONDARY-DNS-IP-ADDRESS

this will not do what you expect - arguably the documentation is a bit misleading. OpenVPN will use the IP addresses (plural) configured for "the DNS server with the lowest prio", only. Being able to put more than one in the config is intended to be able to override pushed settings (the server pushes "dns server 1", so you can use "dns server 0" to put your own settings in there, which will be used "because lower number").

So to set multiple IP addresses, use dns server 0 address 1.2.3.4 4.5.6.7 2001:db8::54

cron2 avatar Aug 22 '25 11:08 cron2

> dev tun
> windows-driver ovpn-dco
> dns search-domains YOUR-FQDN
> dns server 0 address YOUR-PRIMARY-DNS-IP-ADDRESS
> dns server 1 address YOUR-SECONDARY-DNS-IP-ADDRESS

> this will not do what you expect - arguably the documentation is a bit misleading. OpenVPN will use the IP addresses (plural) configured for "the DNS server with the lowest prio", only. Being able to put more than one in the config is intended to be able to override pushed settings (the server pushes "dns server 1", so you can use "dns server 0" to put your own settings in there, which will be used "because lower number").
>
> So to set multiple IP addresses, use dns server 0 address 1.2.3.4 4.5.6.7 2001:db8::54

Is that the case even if no settings are being pushed by the server ? Because I don't push any DHCP settings at the moment. I will change that when v2.7 is out.

DaMa-IT avatar Aug 22 '25 11:08 DaMa-IT

Yes. Only the lowest-numbered dns server <n> address(es) will be used.

cron2 avatar Aug 22 '25 11:08 cron2

Is there a particular reason why Windows 7 is still catered for/why simple Powershell commands aren't used? I feel like setting registry keys will introduce some unexpected limitations/quirks later down the line.

TreeBranches avatar Aug 27 '25 10:08 TreeBranches

Registry keys are the only really well documented way to get full NRPT support.

This has nothing to do with Win7 (and 2.7.0 is very likely to not support Win7 anyway - it might work or not, but we do not test it on Win7 and will not spend effort to make it work).

cron2 avatar Aug 27 '25 12:08 cron2

We had this issue as well and were able to solve it. We were using our VPN with SAML too, which seemed to exacerbate the issue. The VPN we had is configured to use the UDP protocol on port 443 only, so the client needs outbound UDP 443. Some routers tend to drop outbound UDP packets, since HTTPS should mostly be TCP, so I created a VPN that supports TCP on 443 outbound and everything worked.

joelsapp avatar Sep 18 '25 14:09 joelsapp