I'm connecting from my Windows 10 machine to a Windows Server 2012 R2 machine in the same subnet. I also have an OpenVPN connection that goes to the office and the server also has its own connection.

When I'm accessing files on the server sometimes the connection goes through the VPN without me noticing. Of course this is not what I want since I have a gigabit connection to it in the local network and a lot slower through the VPN.

The strange thing about this is that I have set the server name in the hosts file to point to the local IP. And even stranger: even if I write \\\share to Explorer address line the connection will actually go through the VPN (where it would be \\\share)!

The only way I can get it to work properly is to disable the VPN, access files and then maybe enable VPN.

Is there some way to tell Windows that it should never attempt to use the VPN address for that server and always use the local network address?

The metrics for local route is, for example, 276 and for the VPN connection it's set to 5120 in an attempt to stop it from using it. Still Windows decides to ignore my given IP and use the IP that goes through the VPN.

Local network is and VPN network is so they are completely separate. No IPv6 on the VPN, local network has the local IPv6 addresses.

I can also stop OpenVPN while transfering files or doing whatever with the file shares. The Windows 10 machine will just wait a moment, then switch to the non-VPN connection and continue. And if I restart it the transfers will switch to the VPN connection. So Windows is internally choosing which IP to use to that server, not just using the IP I give.

The server has also now been upgraded to 2016 but that hasn't changed anything. The problem is somehow in the Windows 10 machine. This also doesn't happen at all from another Windows 10 machine in the same subnet, same domain with the same OpenVPN configuration. But that machine is usually with ethernet and/or better wifi connection.

Edit: At some point it seemed that Windows sees OpenVPN adapter as 1Gbps network and thinks it’s better than wifi, which is of course not 1Gbps. So is there a way to say “ignore this functionality”, if that is the case? Or say “VPN is actually a bad bad network, use only if you can’t use other ways”?

Edit: Here's the routing table:

IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
    266   5120         On-link    356         On-link    356         On-link    356         On-link    331         On-link    331         On-link    331
    VPN.SERVER.IP   5120         On-link    266         On-link    266         On-link    266         On-link    331         On-link    266         On-link    356         On-link    331         On-link    266         On-link    356

As mentioned, accessing \\\share connects to \\\share instead if the VPN is on. Just like any other machine in block if they also have a address available. If VPN is off it goes fine. If I turn it off while copying files it'll switch to transparently. If I turn it back on it will again switch to transparently. Routing is fine everywhere and naturally any server that only has address is accessible just fine, just like any machine in that does not have address in the VPN block is fine.

The server has the two IPs set in internal DNS, nothing anywhere else, so if Windows wants to resolve something it can and will get either nothing or both IPs, so that will not explain any behavior.

Here's a shot of Wireshark dumping information. As you can see, I've gone to \\192.168... path but Windows still asks for information about the shares and files. So there's no question it literally uses the other IP of the server, not the one I manually write to the address bar.

enter image description here

As I wrote before, the wifi adapter is 300Mbps and VPN is 1Gbps and I do remember sometimes the VPN showing as lower speed and then this didn't happen. So it may be Windows assuming the 1Gbps VPN is better than the wifi to connect to the server, even though it obviously is not 1Gbps connection. But I can't find any information about this nor how to disable it.

The TAP adapter doesn't have settings to change it from 1Gbps to something smaller if that would help.

arp -a:

Interface: --- 0x5
  Internet Address      Physical Address      Type         d8-cb-8a-xx-xx-xx     dynamic        c4-6e-1f-xx-xx-xx     dynamic        ff-ff-ff-ff-ff-ff     static             01-00-5e-00-00-02     static            01-00-5e-00-00-16     static           01-00-5e-00-00-fb     static           01-00-5e-00-00-fc     static       01-00-5e-7f-ff-fa     static

Interface: --- 0x7
  Internet Address      Physical Address      Type          e2-e0-45-xx-xx-xx     dynamic         00-ff-52-xx-xx-xx     dynamic        ff-ff-ff-ff-ff-ff     static             01-00-5e-00-00-02     static            01-00-5e-00-00-16     static           01-00-5e-00-00-fb     static           01-00-5e-00-00-fc     static       01-00-5e-7f-ff-fa     static       ff-ff-ff-ff-ff-ff     static

I also dumped again what happens when I start copying a file without VPN and then turn VPN on in the middle. There's DNS queries about the domain.local (not the server I'm connected to, just the domain), WPAD queries, SRV record queries, NBNS registration of my machine to the network, Negotiate Protocol Request/Response, Session Setup Request/Response, and then the file data starts flowing through the VPN instead if direct connection without interruption.

  • is the OpenVPN network's subnet different than the subnet you're trying to use with the local server? Have you tried simply using route to add a route to that IP through that interface? Commented Jul 11, 2016 at 16:16
  • @Ƭᴇcʜιᴇ007 Yes, they are completely separate. Edited the question. There is of course a route to the local network since I can access it fine if the VPN is off. It just somehow goes the wrong route sometimes when the VPN is on, even with the IP address. Commented Jul 11, 2016 at 16:20
  • Did you try to disable IPv6 on the local network ? You might only have set routes for IPv4.
    – harrymc
    Commented Sep 18, 2017 at 13:21
  • @harrymc Yes, disabling IPv6 doesn't change anything. And OpenVPN doesn't do IPv6 anyway, it's all IPv4. Commented Sep 18, 2017 at 17:46
  • The question here is Windows routing. Questions: (1) Why is the metric at 276? (2) What are the IPv4 Properties on both adapters? (if they are not automatic), (3) How can you be sure that it's accessing the VPN (for DNS I assume) ?
    – harrymc
    Commented Sep 18, 2017 at 18:32

4 Answers 4


OpenVPN should have a "virtual" network adapter installed on your computer alongside your other physical adapters.

Try to change the priority of those network adapters as seen in this article: https://blogs.technet.microsoft.com/networking/2015/08/14/adjusting-the-network-protocol-bindings-in-windows-10/

You want the OpenVPN interface to be a larger number (lower priority) than your physical adapter.

  • Get-NetIPInterface says my OpenVPN connection's InterfaceMetric is 35 while the LAN interface is 25. So if should be using the LAN before OVPN? Commented Sep 26, 2017 at 5:40
  • 1
    Yes, this sounds correct. It was worth a shot I guess. :) Commented Sep 26, 2017 at 5:41
  • Even with priority of 5000 and the wifi having 300 it still chooses to go through the VPN, so this didn't help the situation unfortunately Commented Apr 19, 2020 at 5:32

(Old answer from when the question was written differently.)

You might be encountering a DNS wait on the VPN, because of the way that Windows 10 issues DNS requests for VPN split-dns, which is very different from previous Windows versions.

Windows 10 issues DNS queries in parallel to all adapters, then is supposed to take the first answer to arrive.

Unfortunately, it may, rather than take the first answer, wait for all answers. If this not-new bug was not yet fixed, to return the behavior as much as possible to that of previous Windows versions, do the following registry modifications :

DisableSmartNameResolution (DWORD)

In registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient.
The value is 1 to disable, 0 to enable smart resolution.
From Turn off smart multi-homed name resolution :

Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received the network binding order is used to determine which response to accept.If you enable this policy setting the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail followed by NetBT queries if LLMNR queries fail. If you disable this policy setting or if you do not configure this policy, setting name resolution will be optimized when issuing DNS LLMNR and NetBT queries.

DisableParallelAandAAAA (DWORD)

In registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
The value is 0 to enable, 1 to disable DNS A and AAAA queries from executing in parallel on all configured DNS servers, with the fastest response theoretically accepted first.

You may also set these policies by using PowerShell :

Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name DisableSmartNameResolution -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters‌​" -Name DisableParallelAandAAAA -Value 1 -Type DWord
  • I don’t know how DNS would relate. Note: I access by IP and Windows goes through the VPN still. I have set up IPs in hosts files. Still goes through VPN. I can start VPN after starting to move files to shares and it will jump to VPN. DNS wouldn’t affect any of these. Commented Sep 18, 2017 at 18:50
  • We are talking of a Windows bug or deficiency introduced in Windows 10, and these fixes turn off much of the new options. Wouldn't hurt to try.
    – harrymc
    Commented Sep 21, 2017 at 18:32

If you're using OpenVPN Client for your VPN Connection, then you can add custom routes for specific domains/IPs.

So that once you add the route, the connection to those domains/IPs will go through the specific route.

A route syntax for OpenVPN Config file is :

route [ip or website name] [subnet mask] [your gateway]

So in your case, if the gateway is then you'll need to add this line to your OpenVPN Config file :

  • As I said, there is a route. The client just chooses to use a different IP to connect to that server and use the VPN route. Commented Jul 17, 2016 at 16:48

You have two network interfaces on your computer, Ethernet and VPN, and you are using SMB for accessing a network share on one specific network interface, but find yourself using a share by the same name, but on the other network interface. Using an IP address for the computer hosting the share does not help.

Server Message Block (SMB) is a very old protocol, dating from much before the Internet and IP. Microsoft's article Direct hosting of SMB over TCP/IP has this phrase:

NetbiosSmb is a global device, and is not bound on a per-adapter basis. This means that direct-hosted SMB's cannot be disabled in Windows without disabling File and Printer Sharing for Microsoft Networks completely.

I believe that some computer on the VPN has set itself up as the master browser of the network, so all SMB requests go to the VPN, regardless of the routing table. The VPN master browser does not check the IP demanded, just the share-name, and connects you to the named share.

Some measures that might help by modifying the properties of the VPN adapter:

Go to Control Panel > Network and Internet > Network Connections, enter the Properties of the VPN network adapter, then try the following. When finished click OK.

  • Disable "File and Printer Sharing for Microsoft Networks".

  • Click on "Internet Protocol Version 4 (TCP/IPv4)", click the Properties button, click the Advanced button, position to the WINS tab and set "Disable NetBIOS over TCP/IP". Click OK to return to the adapter's properties.

  • Disable "Internet Protocol Version 6 (TCP/IPv6)".

If any of the above measures solved the problem, you could complain to the VPN Support for having it set up in the first place when creating the VPN adapter.

The network-adapter option of "File and Printer Sharing for Microsoft Networks" can be disabled or enabled for a network adapter from the command-line, for ease of use:

  • But when I need to access it through the VPN I would need to enable them again, and again disable, and enable... But it might still help disabling the whole sharing. I’d rather understand why a master browser would affect this in any way though. I mean it’s easier to turn off vpn than change settings all the time since I need to access other servers through the VPN Commented Apr 20, 2020 at 8:34
  • When a master browser sets itself up, LAN manager forwards it all SMB connect requests. Each network on both adapters will have its own master browser, and the results for your computer are not always predictable. If you need to access shares on the VPN network, then you will need to undo the above. If this answer does indeed solve the basic problem, there might be a way to switch between adapter states more easily via scripts.
    – harrymc
    Commented Apr 20, 2020 at 8:41
  • It of course would give a result since it would disable sharing, but as I mentioned that would be easier done by disabling the VPN. And that’s not reasonable either. So it doesn’t fix the problem. I need to be able to access servers behind the VPN and not at the same time through their own networks. This also doesn’t explain why the results for other machines would be predictable, or why network speed affects it. Commented Apr 20, 2020 at 9:10
  • The choice of the master browser might depend on the metrics in the routing table, which might be why the VPN always takes priority. In any case, I think I have well explained what you are seeing. You might explain more about how you are using the VPN: Is it only for sharing or also for internet access, and are you accessing shares on both networks?
    – harrymc
    Commented Apr 20, 2020 at 9:19
  • I added some command-line commands for disabling/enabling file sharing,easier than using the GUI.
    – harrymc
    Commented Apr 20, 2020 at 14:03

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .