Duplicate IP address, and permissions problems on Windows

Tue Apr 6 11:29:47 UTC 2021

I'm looking at porting the Windows build of OpenConnect¹ to use Wintun
instead of the OpenVPN TAP-Windows driver.

The Wintun example.c shows how to add a Legacy IP address using
CreateUnicastIpAddressEntry(), and I tried to do it that way.

But it doesn't always work. When I reconnect to the VPN using Wintun
after connecting to the same VPN using TAP-Windows, the Legacy IP
address remains associated with the other adapter despite it being
*down*. Even though CreateUnicastIpAddressEntry() returns success.

I ended up writing something to iterate over the table returned by
GetUnicastIpAddressTable() and *remove* the address from every other
adapter:
https://gitlab.com/openconnect/openconnect/-/commit/60d1f092e35#71552d5f529101dd4a1be98f9ac9afffc3c5c9d1_0_141

Is it expected that this is necessary? Do we have similar problems if
the IP address is set by invoking 'netsh interface ip set address'?

The second issue I have on Windows is permissions. With TAP-Windows the
user had to install the adapter with elevated permissions, but could
run the VPN client in their user account. Using Wintun that doesn't
seem to work, and Administrator privileges are required. What is the
"correct" way of handling that? Are the elevated privileges only needed
to *create* the Wintun adapter, and can it be used without them after
the driver is already loaded?

This doesn't seem to be covered by the documentation or example code.

-- 
dwmw2
¹ OpenConnect is the open source client for the various proprietary SSL
  VPNs — Cisco AnyConnect, Juniper/Pulse Secure, GlobalProtect, F5,
  Fortinet, etc.: https://www.infradead.org/openconnect/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5174 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20210406/76242425/attachment.bin>