OpenVPN on Windows Vista / 7 – Ping says: TTL expired in transit
Hi there!
When I set up my VPN with OpenVPN yesterday, I found out about a little difficulty under Windows Vista and 7. Thankfully it was not that much of a hurdle, as UAC was the reason for this bug, just like for a series of other bugs with different software I experimented with over the last few weeks. Nevertheless, I hope that this piece of information helps you get rid of the following problem.
If you have set up your VPN and got it running without any major problems, and everything seems to be running just fine (connecting works), but you still can't establish connections to the other machines, you might find that pinging returns the error message "TTL expired in transit". That message means the packet bounced between routers until its TTL ran out; it never entered the tunnel at all. This is due to the fact that on Vista (or Windows 7) openvpn.exe needs administrator privileges to adjust your computer's settings properly (in particular the routing table) once the tunnel is up; without them the routes towards the VPN networks are not added and the traffic leaves through your normal gateway instead. I think it's about the route.exe process, but I'm not 100% sure.
Windows Vista and 7 have the famous (or infamous) UAC (User Account Control), which by default prevents even accounts in the Administrators group from running programs with administrator rights. To grant these rights you have to right-click the program (or a shortcut to it) and click "Run as administrator" next to the yellow-blue shield, unless the program always requires administrator rights anyway (in which case the yellow-blue shield is shown in the bottom right corner of the program icon itself and you are asked for administrator privileges automatically when you launch it like any other program).
Please note that the following steps are for on-demand OpenVPN connections. For automatic connections, read further below.
OpenVPN on-demand connection
So what you need to do is launch the connection with UAC. But how do you do that if you usually launch OpenVPN connections with a right-click and "Start OpenVPN on this config file"? Even creating a shortcut to the .ovpn file doesn't give you the "Run as administrator" option.
A simple solution is to create a batch file that changes to the working directory and runs openvpn.exe on the .ovpn file.
Example file "ovpn_connection1.bat":
@echo off
rem switch to the drive and directory holding the configuration
D:
cd \Programs\OpenVPN\config-ondemand\
rem run openvpn.exe on the configuration file
D:\Programs\OpenVPN\bin\openvpn.exe D:\Programs\OpenVPN\config-ondemand\connection1.ovpn
This batch file has the following parameters/assumptions:
- Your OpenVPN dir is on the D: partition (otherwise change the drive letter in the respective paths and leave the "D:" line out altogether).
- The path to your OpenVPN dir is D:\Programs\OpenVPN.
- Your connection configuration file is located in the config-ondemand subdirectory.
Basically, you just switch to the working directory (so that relative file names inside the .ovpn, such as ca, cert and key, resolve correctly) and execute OpenVPN's openvpn.exe, located in its bin directory, on the configuration. In a way this works like a shortcut, just as an executable batch file.
The @echo off part is only there so that you won't see the other commands displayed in the window each time you start the connection.
Now you either make a shortcut to this batch file or use the batch file directly.
Whenever you want to start the connection, right-click on it and select "Run as administrator".
Done! Test your ping and it should be fine.
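The same launcher as a PowerShell script that elevates itself, as an added example that is not part of the original post: if it is started without administrator rights it relaunches itself through the UAC prompt (the equivalent of "Run as administrator"), then runs openvpn.exe with its real --cd and --config options so the working directory is set exactly as the batch file does. The paths and the config file name are assumptions matching the batch example above; change them to fit your installation.

```powershell
# Added example (not from the original post): self-elevating launcher for an
# on-demand OpenVPN connection. Paths and config name are assumptions.
$OpenVpnExe = 'D:\Programs\OpenVPN\bin\openvpn.exe'
$ConfigDir  = 'D:\Programs\OpenVPN\config-ondemand'
$ConfigFile = 'connection1.ovpn'

# Check whether this process already carries an elevated (administrator) token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $elevated) {
    # Not elevated: relaunch this very script through UAC ("Run as administrator").
    # $MyInvocation.MyCommand.Path also works on PowerShell 2.0 (Windows 7's default).
    $self = $MyInvocation.MyCommand.Path
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$self`"")
    exit
}

# Elevated: --cd makes relative file names in the .ovpn (ca, cert, key) resolve,
# exactly like the "cd" line in the batch file; --config names the profile.
# openvpn.exe stays in the foreground until you press F4 or close the window.
& $OpenVpnExe --cd $ConfigDir --config $ConfigFile
```

Run it with right-click, "Run with PowerShell", or from a shortcut; the UAC prompt appears once. To confirm that elevation was the missing piece, compare `route print` before and after connecting: with administrator rights the routes to the VPN networks appear with the TAP adapter's gateway, and `tracert` to a remote VPN host no longer loops through your normal gateway.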
OpenVPN automatic connection
All you need to do is move the .ovpn configuration file and all the other required files into the config subdirectory of your OpenVPN installation.
When the OpenVPN service (Start => Run => services.msc) is started, it looks for .ovpn files in its config subdirectory and runs them all, with SYSTEM (LocalSystem) privileges. No UAC prompt is needed, because services are not subject to UAC at all. Keep in mind that this also means every configuration in that directory, including any up/down scripts it references, runs as SYSTEM, so make sure only administrators can write to it.
So just set your OpenVPN service to "Automatic" and you're good to go!
OpenVPN on-demand connection with OpenVPN service
Just do what is described under the "OpenVPN automatic connection" paragraph except for setting the service to "Manual".
Now each time you want to launch the connection, you just need to type "net start OpenVPNService". To stop it, type "net stop OpenVPNService".
Note on using connections with the OpenVPN service
As the OpenVPN service runs *all* .ovpn configuration files in the config subdirectory, there is no way to manually interfere with one particular connection from that directory, for example to temporarily disable it. All config-connections are handled as a group by the OpenVPN service.
So if you need independent manual control, look at the on-demand section.
I hope this wasn't all too fuzzy with the wordings and such.
Please comment or contact me if you have any questions on this matter.
Thanks for reading!