Category: Windows

As a longtime OpenVPN user on Linux I thought it would be an easy task to set up OpenVPN as a service on Windows. Well, I was right… and couldn’t be wronger. Setting up the service is part of the installation notes for OpenVPN. Just search for “Running OpenVPN as a Windows Service” in the notes and you will find a pretty good description that should get you up and running in no time.

But the devil is of course in the detail. This kind of setup works perfect for servers, or in general for machines with good internet connectivity that never go into standby or hibernation. Once you use a laptop, which you usually put into standby on a regular basis, or you simply have a sluggish WiFi connection, then you have a problem. And the problem is, that OpenVPN is unable to re-establish the tunnels and, at least in my case, causes quite some CPU load on the machine. The problem is actually well known to the OpenVPN team (see here and here).

So what are your options to fix it. In OpenVPN’s people suggest to use either OpenVPN Service for Windows or NSSM. I tried my best with the OpenVPN Service for Windows, but I couldn’t get it to work. So sorry guys, I can’t recommend that one. Then I tried NSSM and hit similar hurdles but the documentation was better and I could get it actually to work.

So without further ado, I present to you the setup of OpenVPN as a service in Windows using NSSM.

For starters you have to download and install the latest version of OpenVPN (Download) and NSSM (Download). NSSM does not come with an installer. That means, you have to create a folder for instance in your “Program Files” directory (or whatever directory name %PROGRAMFILES% represents). And then, depending on your operating system, you copy the win32 or win64 version of nssm.exe into that directory. Now open a console with adminstrator rights and navigate to the newly created folder and you can try to execute NSSM to get the command line parameters:

C:\Program Files\NSSM>nssm.exe
NSSM: The non-sucking service manager
Version 2.24 64-bit, 2014-08-31
Usage: nssm [<args> ...]

To show service installation GUI:

nssm install [<servicename>]

To install a service without confirmation:

nssm install <servicename> <app> [<args> ...]

To show service editing GUI:

nssm edit <servicename>

To retrieve or edit service parameters directly:

nssm get <servicename> <parameter> [<subparameter>]

nssm set <servicename> <parameter> [<subparameter>]

nssm reset <servicename> <parameter> [<subparameter>]

To show service removal GUI:

nssm remove [<servicename>]

To remove a service without confirmation:

nssm remove <servicename> confirm

To manage a service:

nssm start <servicename>

nssm stop <servicename>

nssm restart <servicename>

nssm status <servicename>

nssm rotate <servicename>

C:\Program Files\NSSM>


You can control NSSM completely from the command line, but it also has an actually usable GUI. You can start the installation process by doing the following

nssm install

or if you want to give already a service name (can’t be changed with NSSM once it is installed!). Note that if you have multiple tunnels, then you have to setup multiple services. So give it a meaningful name.

nssm install "My OpenVPN Service"


The second command should give you the following window:

The next step is filling in all the information necessary for NSSM to set up OpenVPN as a service.

Application

Path: This is the path to the OpenVPN binary and should usually be C:\Program Files\OpenVPN\bin\openvpn.exe.
Startup directory: This is the path to the directory where you store your OpenVPN configuration files. Usually that is C:\Program Files\OpenVPN\config. But if you want to run the OpenVPN UI with manual started tunnels in parallel, then you should create a separate folder, e.g. C:\Program Files\OpenVPN\config-nssm. Otherwise it is easy to confuse manual tunnels with service tunnels. In my sample I won’t use manual tunnels, so I go with the default.
Arguments: This is the configuration file for the tunnel, that should reside in the above defined startup directory.

Details

Display name: This is the name that is basically visible everywhere. Most of the time this is the same as the service name, but this is up to you.
Description: As the name says, this is a description, that can be viewed later on in the services area.
Startup type: This is the standard service startup type setting for a windows. Most likely you want to choose Automatic here. But you have the choice between Automatic, Automatic (Delayed Start), Manual and Disabled here.

Log on

Here you can define as who this service needs to run, but unless you are doing something very special here you can leave it to the default setting (Local System Account).

Update

Running Windows 10, this tab can be more important. Using the system account you will be able to install the service, but when starting the service, you might see an error. In the event log it will show up with the following message:

Program C:\Program Files\OpenVPN\bin\openvpn.exe for service OpenVPN siteopsvpn (NSSM) exited with return code 3221225794.


This basically means, that you use an account that has no rights to execute OpenVPN. I solved it, by running the service as a user, that has administrative rights on that machine. You can even create a special user to do that.

Dependencies

The dependencies tab is important, because here we have to add the services that OpenVPN is depending on (Dhcp and tap0901).

Process

In this tab you can control how the service is handled by the processor. For instance if it should only run on a specific processor or a higher priority. For the normal use case this can be left alone.

Shutdown

Unless you run into strange problems you can leave this one alone.

Exit actions

This is again a tab that you don’t have to touch under normal circumstances.

I/O

Now we have to do something again. With the OpenVPN UI you have the ability to take a look at log files. Well, with services you don’t, unless you define them here. You can use the same for all redirections, but I prefer to have a separate log for stdin, stdout and stderr. Log files are usually located in C:\Program Files\OpenVPN\log.

File rotation

This tab is an extension of the I/O tab, as it configures the log rotation. I set it to rotate and left the rest alone. But you can decide on different rotation strategies, so that the files don’t get too big, too old, or whatever the problem might be.

Environment

This last tab can be ignored for the usual use case. But you might have a special case where you have to add or even replace the environment, then this tab is your friend.

Now a last chance to think about the service name… You are good? Okay, then click “Install Service” and NSSM will install OpenVPN as a service that can survive standby and sluggish network connections. You have to start the newly create service with either the net command, the nssm command or via the services in the control panel.

If you have to change anything you can do that by calling NSSM with the edit parameter.

nssm edit "My OpenVPN Service"


And, as mention before, you can do all this on the command line. Here is the sequence.

nssm install "My OpenVPN Service" C:\Program Files\OpenVPN\bin\openvpn.exe
nssm set "My OpenVPN Service" AppDirectory "C:\Program Files\OpenVPN\config"
nssm set "My OpenVPN Service" AppParameters myvpnconfig.ovpn
nssm set "My OpenVPN Service" AppStdin "C:\Program Files\OpenVPN\log\myservice-stdin.log"
nssm set "My OpenVPN Service" AppStdout "C:\Program Files\OpenVPN\log\myservice-stdout.log"
nssm set "My OpenVPN Service" AppStderr "C:\Program Files\OpenVPN\log\myservice-sterr.log"
nssm set "My OpenVPN Service" AppRotateFiles 1
nssm set "My OpenVPN Service" DependOnService Dhcp tap0901


Happy tunneling.

It seems that Microsoft’s products creating more and more foos. This time it is Lync, also known as Skype for Business.

It is okay, that Lync uses the Enter key to send a message or the CTRL-Enter combination start a call. But it is not okay that there is no way to change these key combinations. Especially when all other instant messengers that I use, default to CTRL-Enter to send a message.

So now I have to use Lync at work, which starts a call when I want to send a message and no direct way of changing it. The only thing that is possible, is removing the CTRL-Enter key combination so that I don’t accidentally start a call.

A solution is described in a TechNet blog post. So here is what worked for me in Lync 2013 (a.k.a. Office 15.0).

First open the registry editor (regedit.exe) and navigate to the following key. If you have a different Lync/Office version you might just change the version number. Create the missing pieces of the key, if necessary. In my case I only found the Microsoft part and had to create everything else.

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync\DisabledShortcutKeysCheckBoxes

Create a new string value inside that key:

Value Name: CtrlEnter
Value Data: 13,8

Restart Lync and the CTRL-Enter foo should be gone.

Update: Fixed the registry key (Lync, not Office). Thank you Karel, for pointing that out to me.

Windows continues to kick my behind. Out of the blue the Windows 8.1 installation on my workstation didn’t want to open the store app. Not that I really need or want it. But the same happened for the settings app, which was a little bit of a problem.

I should have taken a screenshot but the error message was something along the lines of “This app can’t open” and “Refreshing your PC might help fix it”.

It seems that I was not the only one with that problem there is even a Microsoft blog post about it. The reason seems to be that the affected apps are not registered anymore with Windows.

So here is how it can be fixed. In a command prompt that runs as administrator I ran the following commands. When you look at the blog post it seems that you don’t need administrative rights but you never know. Now enter the following commands to re-register the system apps:

Store app:

powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\WinStore\AppxManifest.XML

Camera app:

powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\camera\AppxManifest.xml

File Manager (One Drive) app:

powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\FileManager\AppxManifest.xml

Settings app:

powershell -ExecutionPolicy Unrestricted Add-AppxPackage -DisableDevelopmentMode -Register $Env:SystemRoot\ImmersiveControlPanel\AppxManifest.xml

These execution of these commands, especially for the store app, might take a while.

This would have been easy, but of course a Microsoft products never make things easy on me. So I hit the problem that the a registry key doesn’t have the right owner and I got the error 0x8007064A.

So you have to open the registry editor (Windows + R and then regedit) and navigate to the registry key:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages

And then change the ownership of this key to SYSTEM:

1. On the Edit menu, click Permissions.
2. Click Advanced, and then click the Owner tab.
3. Under Change owner to, click the new owner, and then click OK.

HP’s Windows recovery installation seems to be a little bit broken. Or at least for me it was. While restoring the Windows 7 on an HP Elitebook 8540w I ran into some issues when the drivers installed. The system just stalled and nothing was moving anymore. After a reboot I saw this nice error message:

The Computer Restarted unexpectedly or encountered an unexpected error

Well, not nice at all, but there is a way you can continue from here. Here are the steps:

1. On that very same screen press SHIFT-F10 and a command prompt should appear.
2. Enter “regedit” (without the quotes) into the command prompt and press enter.
3. In the registry editor navigate to HKLM/SYSTEM/SETUP/STATUS/ChildCompletion
4. Double click on the entry setup.exe and change the value from 1 to 3.
5. Close the registry editor.
6. Click OK in the error window, which will restart your machine.

After these steps you should be able to continue with your Windows setup. In my case I had some trouble getting all drivers to work, but that is a different story.

This Windows Foo showed it’s ugly head today for the first time and I was simply flabbergasted. Whatever I typed, only the first letter appeared correctly and from there on the system was showing consecutive numbers. Something like this for good ol’ hello world:

H2345678901

It happened first in a Java application so, I suspected a problem with Java and a virus scanner, etc. But nothing could be found. After some testing, I saw that it happened even in native Windows applications like the Powershell or AutoCAD.

Some further testing revealed that the tilde (~) and the back tick (`) seem to work fine and that pressing SHIFT plus any key gives the appropriate symbol for pressing SHIFT and the number that would appear. To make it even more fun the same happened using a remote session.

The whole behavior made me cringe and I thought already I have a key logger or some other kind of malware installed. But the virus scanner showed no problem and in general the system seemed to be fine.

After some more digging and asking repeatedly the great wise oracle with the googly eyes, I found the culprit: GuardedID. According to some other posts a tool from Comcast called Constant Guard causes the same trouble. After de-installing GuardedID, all was fine again. I did my good deed for this Monday.

And now my question to the GuardedID makers: WTF?! This tool supposedly should prevent keylogging. The least I can expect is good programming and not a TheDailyWTF moment. And even worse. After looking at your web site I nearly had to puke. Are you really marketing yourself as a serious product with “as seen on TV” and some actor’s quote?! How about investing your money into a good product rather in cheap marketing campaigns!