Why Can't OpenVPN GUI add routes in Windows 7?

It has to do with permissions. Run it as an administrator with the UAC disabled and it will work. You have to disable the UAC.

Or you can run the VPN as a service, and it will connect and add routes correctly.

compatibility mode

Those won't make a difference.


Hello All,

I'm truly grateful for the assistance from Zoredache and David Mackintosh. You both offered suggestions that pointed me in the right direction.

Disabling the UAC altogether did work for me, as well as modifying the openvpn-gui binary to always run as administrator for all users. Unfortunately, however, I wasn't comfortable with having my users disable the UAC permanently - or with the mandatory reboot that must be done each time the UAC is enabled or disabled. This meant a reboot each time they used the VPN and disconnected from it.

So I sought out additional solutions and came across several that suggested disabling the UAC for Admins only. Since most of my users needing to VPN in will usually be local admins on their laptops, I figured this solution would work. So I tested it and it did work. Here's my final solution.

I created two separate .reg files to modify the system registry as follows:

REGISTRY FILE #1: DisableUACforAdmin

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000

REGISTRY FILE #2: EnableUACforAdmin

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002

To get this to work, I had to run OpenVPN GUI as administrator. Thanks to David Mackintosh's suggestion, I modified the exe file to always run as administrator for all users. Now, timing was key - I needed to make sure that the UAC was disabled before the VPN connection was even initiated. Fortunately, the OpenVPN GUI supports the creation of a pre-connect script by simply creating a batch file with the same name as the config file with a suffix of _pre.

So I created my pre-connect script to call my DisableUACforAdmin script as follows:

regedit.exe /s DisableUACforAdmin.reg

Finally, I created a down script to re-enable the UAC when the VPN tunnel is disconnected - thus, returning the user's machine to the original state.

Here's what I did:

regedit.exe /s EnableUACforAdmin.reg

With this, OpenVPN GUI runs without any complaints, the routes are pushed from the server and are properly set on the Windows 7 client. I've tested this on multiple Windows 7 machines and all work. By doing it this way, I avoid the mandatory reboot that comes with disabling the UAC. Thanks again for all the assistance. I hope this will benefit somebody out there with the same problem I ran into.

FINAL NOTE: I realized that the OpenVPN GUI provided at http://openvpn.se doesn't like some of the directives in the config file (such as script-security or key-direction) and will not start unless you comment them out. This may not hold true for all, but I had to use the OpenVPN GUI that comes with release 2.3.2 of OpenVPN.
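
A check for the failure mode of the pre-connect/down-script approach in the answer above, added here as an example and not part of the original post: if the tunnel ends without the down script running, ConsentPromptBehaviorAdmin stays at 0 and administrators elevate without a prompt. The function names are hypothetical, and the process name openvpn is an assumption about the client install.

```powershell
# Added example (not from the original post): report whether the UAC change
# made by the pre-connect script is still in place.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of the ConsentPromptBehaviorAdmin DWORD.
$Meaning = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries'
}

function Get-UacAdminPrompt {
    # Hypothetical helper: returns the DWORD, or $null when the value is absent.
    $p = Get-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
    if ($p) { [int]$p.ConsentPromptBehaviorAdmin } else { $null }
}

function Test-VpnRunning {
    # Assumption: the tunnel process is named "openvpn" (openvpn.exe).
    [bool](Get-Process -Name openvpn -ErrorAction SilentlyContinue)
}

function Get-UacVpnFinding {
    # Hypothetical helper: classifies the policy value against the tunnel state.
    param($Value, [bool]$VpnRunning)
    if ($null -eq $Value) { return 'UNKNOWN: ConsentPromptBehaviorAdmin is not set' }
    $text = $Meaning[[int]$Value]
    if (-not $text) { $text = 'unrecognised value' }
    if ([int]$Value -ne 0) { return "OK: $Value ($text)" }
    if ($VpnRunning) { return "WEAKENED: 0 ($text) while the tunnel is up" }
    return "STALE: 0 ($text) with no tunnel; the down script may not have run"
}

$finding = Get-UacVpnFinding -Value (Get-UacAdminPrompt) -VpnRunning (Test-VpnRunning)
Write-Output $finding
# Non-zero exit lets a logon script or scheduled task alert on the stale case.
if ($finding -like 'STALE*') { exit 1 }
```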