
Windows 11 24H2 with KB5055523 patch causes Critical issue with the OpenVPN and others

Open bitroniq opened this issue 9 months ago • 14 comments

Problem Statement

There is an issue reported by our end-users impacted by the use of OpenVPN 2.6.12

All the cases are reported by the users with Windows 11 Pro with the upgrade of 24H2, with the patch KB5055523.

General information about Windows 11 Release History and Updates

  • KB5055523 is a 2025-04 Cumulative Update for Windows 11 Version 24H2 for x64-based Systems (KB5055523) - 1.2 GB
    • released on 4/8/2025

This is the latest update for Windows 11 24H2

Summary

  • KB5055523 - which is the 2025-04 Cumulative Update for Windows 11 Version 24H2 impacts only users with Windows 11 - 24H2
  • 24H2 upgrade is available only for machines with TPM2.0
    • 23H2 (EOL 2026-11-10) is still ok, and users can still use it.
    • that Windows 11 version will not get the KB5055523 update, which is only available for 24H2

Reference:

  • https://www.catalog.update.microsoft.com/Search.aspx?q=KB5055523
  • https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information
  • https://support.microsoft.com/en-us/topic/april-8-2025-kb5055523-os-build-26100-3775-277a9d11-6ebf-410c-99f7-8c61957461eb

To Reproduce

  • Use the Windows 11 (pro/home) - version 24H2 with patch KB5055523
  • Install latest OpenVPN 2.6.x
  • Try to connect

Expected behavior

  • Connection should work every time
  • Connection should work after the reboot

Version information (please complete the following information):

  • OS: Windows 11 Pro with the upgrade of 24H2, with the patch KB5055523.
  • OpenVPN version: v2.6.12

Remarks

  • https://learn.microsoft.com/en-us/answers/questions/2246832/vpn-connectivity-issues-after-installing-windows-1

After the installation, I attempted to connect to our corporate networks using Cisco VPN and FortiClient VPN, as I do daily. Both VPN clients successfully established connections. However, I was unable to access any internal servers, applications, or URLs that are normally accessible once connected.

And many other people report they have problems with their VPN software.

Looks like it is a global issue affecting VPN software in general.

bitroniq avatar Apr 25 '25 17:04 bitroniq

There is lots of information about Windows versions and such, but what exactly is the "Critical issue" reported here? Logfiles, screenshots, anything, please. Otherwise there is nothing we can do about it.

cron2 avatar Apr 25 '25 17:04 cron2

Additional log files:

b6c2553b0b48280cbd7d21861e54a2c5.log

bitroniq avatar Apr 25 '25 18:04 bitroniq

There is a ticket on MS forum, that this version and patch causes an issue with many other VPNs

  • https://learn.microsoft.com/en-us/answers/questions/2246832/vpn-connectivity-issues-after-installing-windows-1

"After the installation, I attempted to connect to our corporate networks using Cisco VPN and FortiClient VPN, as I do daily. Both VPN clients successfully established connections. However, I was unable to access any internal servers, applications, or URLs that are normally accessible once connected."

bitroniq avatar Apr 25 '25 18:04 bitroniq

Looks as if this Win11 version is more broken than usual, aka "messing with routing in new ways". The OpenVPN log you have shared looks basically as expected (= no crash or connection error or anything inside OpenVPN) but "something in the interface config" seems to be failing (OpenVPN signals the TAP driver what IP address to present with DHCP, but this address never shows up in Windows ipconfig).

I see that you are not using the interactive service and running OpenVPN as privileged user instead, and also are not using the win-dco driver but falling back to tap-windows6 and DHCP. This is all old stuff, so you really want to run openvpn.exe as unprivileged user, and want to use DCO. This will avoid using DHCP and use more recent windows API than netsh so might just work.

cron2 avatar Apr 25 '25 18:04 cron2

oops, didn't intend to close it, misclicked. Sorry.

cron2 avatar Apr 25 '25 18:04 cron2

General information about Windows 11 Release History and Updates

  • KB5055523 is a 2025-04 Cumulative Update for Windows 11 Version 24H2 for x64-based Systems (KB5055523) - 1.2 GB released on 4/8/2025

This is the latest update for Windows 11 24H2

My VM is 23H2 - not getting 24H2 due to lack of the TPM2.0

  • That's why I'm not getting that problematic update KB5055523

Summary

  • KB5055523 - which is the 2025-04 Cumulative Update for Windows 11 Version 24H2 impacts only users with Windows 11 - 24H2
  • 24H2 upgrade is available only for machines with TPM2.0
  • 23H2 (EOL 2026-11-10) is still ok, and users can still use it.
    • that Windows 11 version will not get the KB5055523 update, which is only available for 24H2

Reference:

  • https://www.catalog.update.microsoft.com/Search.aspx?q=KB5055523
  • https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information
  • https://support.microsoft.com/en-us/topic/april-8-2025-kb5055523-os-build-26100-3775-277a9d11-6ebf-410c-99f7-8c61957461eb

bitroniq avatar Apr 25 '25 19:04 bitroniq

Now we have to make a business decision

  • ACC - Acreto Connect Client - https://acc.acreto.io
    • that uses OpenVPN (latest with DCO)

ACC on Windows - questions regarding Windows 11 with 24H2 and KB5055523

  • situation for 2025-04-25

Case 1: end-users with 24H2 and KB5055523

  • should we tell them to uninstall KB5055523 ?
  • or maybe ask to install ACC 2.9.14? (OpenVPN 5.x)
  • or just warn the users to not install ACC 2.10.2 (OpenVPN 2.6.x) ( on Windows 24H2 with KB5055523)?

Case 2: end-users with 23H2

  • apparently there is no issue with any OpenVPN or ACC version here
  • it is safe to use ACC 2.10.2 with DCO on Windows 11 23H2

bitroniq avatar Apr 25 '25 19:04 bitroniq

@cron2 FYI - I asked the end-user to install latest OpenVPN community:

  • https://swupdate.openvpn.org/community/releases/OpenVPN-2.6.14-I001-amd64.msi

And try one more time:

  1. The logs show us that netsh.exe failed
  2. the TAP interface received 169.254.x.x IP
  3. The final result was error

You've got the error result in the log file I've shared before.

bitroniq avatar Apr 25 '25 19:04 bitroniq

My team tried to uninstall the KB5055523

All problems are gone without the KB5055523 using OpenVPN 2.5.x and 2.6.x

bitroniq avatar Apr 25 '25 19:04 bitroniq

I cannot comment on ACC (for some reason it doesn't use dco and interactive service), but do you have logs from openvpn-gui?

lstipakov avatar Apr 28 '25 09:04 lstipakov

Looks like MSFT has released a fix:

[Dynamic Host Configuration Protocol (DHCP Client)] Fixed: This update addresses an issue affecting internet connectivity on devices after resuming from sleep mode. Users might experience intermittent internet connections.

lstipakov avatar Apr 28 '25 11:04 lstipakov

I'm working today on reproducing the issue using pure OpenVPN-GUI (latest 2.6.x)

Setting up the TestBed:

  1. fresh Lenovo Legion i7
  2. fresh install of Windows 11 Pro 24H2 with the problematic patch KB5055523
  3. OpenVPN GUI - https://swupdate.openvpn.org/community/releases/OpenVPN-2.6.14-I001-amd64.msi

I'll share logs later today.

Meanwhile... Thank you @lstipakov for sharing info about the fix from MS that was released last Friday (right after I created this ticket)

bitroniq avatar Apr 28 '25 12:04 bitroniq

Added remark to the ticket description

Remarks

  • https://learn.microsoft.com/en-us/answers/questions/2246832/vpn-connectivity-issues-after-installing-windows-1

After the installation, I attempted to connect to our corporate networks using Cisco VPN and FortiClient VPN, as I do daily. Both VPN clients successfully established connections. However, I was unable to access any internal servers, applications, or URLs that are normally accessible once connected.

And many other people report they have problems with their VPN software.

Looks like it is a global issue affecting VPN software in general.

bitroniq avatar Apr 28 '25 12:04 bitroniq

The new fix from Microsoft is not available on our machines located in USA and Europe.

But we are trying to download and install it manually

  • it's 4.5 GB patch 🤯
  • available here: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5055627

bitroniq avatar Apr 28 '25 12:04 bitroniq

Hello gentlemen, any new info about this bug? I encountered this problem today on several machines. Clients successfully established connections (green icon without errors in logs) but they can't access any internal servers like the intranet. I tested OpenVPN version 2.6.14 with ovpn-dco and wintun, and 2.7 alpha2 with the ovpn-dco driver. I don't have the patch KB5055523 in my update history, unfortunately, so I can't uninstall this update. I use Windows 11 24H2 22631.5624 (1 hour ago I installed the July update KB5062552 and the bug still exists). One thing I noticed: after connecting via OpenVPN and getting an IP address, Windows keeps identifying the network indefinitely.

Edit: the situation is strange because on other computers of the same type, running Windows 11 24H2 with the same updates, everything works correctly, even with the April update KB5055523.

joks-arch avatar Jul 08 '25 19:07 joks-arch

@joks-arch We solved the problem with connectivity by using ovpn-dco only. OpenVPN on latest Windows 11 24H2 updates has issues with releasing the IP from TUN/TAP interfaces. So in case there are frequent reconnections, Windows reports netsh.exe errors (without saying the reason). But I checked that when OpenVPN tries to use another TUN/TAP interface, and assign the same IP, the previous one still has that IP and there is a conflict.

bitroniq avatar Jul 09 '25 12:07 bitroniq
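
The two symptoms described in this thread (a 169.254.x.x address on the TAP interface, and a previous TUN/TAP interface still holding the IP that a new one is being assigned) can be checked from PowerShell. This is an added example, not code from the thread or from the OpenVPN project; the function name and the adapter-description pattern used to pick out tunnel adapters are assumptions.

```powershell
# Added diagnostic sketch (not from the thread or the OpenVPN project).
# Assumption: tunnel adapters can be recognised by these driver descriptions.
$TunnelPattern = 'TAP-Windows|Wintun|OpenVPN Data Channel Offload'

function Get-TunnelAddressReport {
    # Include hidden adapters so an interface that is no longer in use is still listed.
    $adapters = Get-NetAdapter -IncludeHidden |
        Where-Object { $_.InterfaceDescription -match $TunnelPattern }

    $rows = foreach ($a in $adapters) {
        Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 `
                         -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Adapter   = $a.Name
                    Driver    = $a.InterfaceDescription
                    Status    = $a.Status
                    IPAddress = $_.IPAddress
                    State     = $_.AddressState
                    # 169.254.0.0/16: the address OpenVPN asked for was never applied
                    Apipa     = $_.IPAddress -like '169.254.*'
                }
            }
    }

    # The same IPv4 address on more than one tunnel adapter is the conflict
    # described above (the old interface never released it).
    $dupes = $rows | Group-Object IPAddress |
        Where-Object Count -gt 1 | ForEach-Object Name

    $rows | Select-Object *, @{ n = 'Conflict'; e = { $dupes -contains $_.IPAddress } }
}

# Is the cumulative update named in this issue listed as installed?
$kb = Get-HotFix -Id 'KB5055523' -ErrorAction SilentlyContinue
'KB5055523 installed: {0}' -f [bool]$kb

$report = Get-TunnelAddressReport
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Apipa -or $_.Conflict }) {
    Write-Warning 'Tunnel adapter has an APIPA or duplicated address; see the table above.'
}
```

Run it in an elevated PowerShell session right after a failed connection attempt, before the adapters are reset, so the stale address is still present.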

So I will now close the issue as there is nothing we can do in OpenVPN except "stay away from netsh on TAP devices" - which is what we already do in the default config (using iservice and using DCO - either is sufficient to avoid the problem).

cron2 avatar Sep 08 '25 15:09 cron2