3

After connecting to a VPN-server (in this case with the OpenVPN protocol) on a Windows 10 machine, some applications have access to the internet. Firefox, Edge are usable. I can even ping online destinations.

However, Office applications like Outlook, Word, Excel with OneDrive integration do not have internet access. The same is true for Microsoft Store App. Sometimes this can even result in licensing issues because Office cannot validate an active subscription anymore. (A confusing side note is that the OneDrive application itself is working (sometimes) and syncing files when editing files or folders in Explorer, but the OneDrive integration within Office is not working.)

Context:

  • The machine is configured to only allow traffic via the VPN network.
  • Exceptions are made for entry-IPs of VPN-servers and certain DNS-providers.
  • This concerns Office 365 though I have reason to believe the version does not matter.
  • VPN-connection is made with OpenVPN software.
  • IPv4

It took me a while to find a temporary workaround, so I am sharing it here in the hope that somebody can find a more practical solution.

After reading the temporary solution below, a follow-up question would be: How can an OpenVPN config file set the gateway IP in the VPN adapter without knowing the IP beforehand since it is determined by DHCP?

Feel free to re-address the problem with a different angle if you find one; the goal is to have a VPN-connection and have office applications work via that connection.

1 Answer

2

After a long search, I found this article.

It explains some technical workings concerning

  • NLA – Network Location Awareness
  • NCSI – Network Connection Status Indicator

In a nutshell, the problem is related to the gateway in the VPN-adapter. The NLA/NCSI is confused and incorrectly assumes there is no active internet connection because the VPN adapter does not have an explicit default gateway IP defined. Please take note that the client-IP of the VPN adapter is determined by the VPN-server via DHCP. Via Routing rules a gateway is implicitly defined. That is why applications not depending on the NCSI can connect to the internet. The routing table contains that information.

(Temporary) Manual solution:

Within the properties of the VPN-network-adapter, you can define the IP, subnet, gateway and DNS-server.

  1. For this to work, first determine your VPN local IP which could be something like 10.100.5.25.

  2. Based on the client-IP, derive the gateway IP; I assume the gateway will be 10.100.5.1. (You could also look in your route print table.)

  3. Fill this IP into the gateway field.

In your adapter overview the VPN connection will now be marked as having internet access. Your Office and Windows 10 applications will now be able to connect after you restart them.

You need to update the gateway IP next time you connect to an OpenVPN server because you will most likely receive another IP and therefore another gateway will be valid.

~At the moment I only know how to achieve this via the GUI. Via the command line you could set this, but you are required to define an IP then, which can change every time you reconnect, and since I can set a gateway IP but leave the rest up to be assigned by DHCP via the GUI, I would expect this also to be possible via PowerShell or another scripting language; I have not found such a solution yet.~ If I did, I could automate setting the gateway IP.

(On that note, a next question could be: can an *.ovpn file configure the adapter to have a gateway IP set?)


Source: https://blogs.technet.microsoft.com/the_microsoft_excel_support_team_blog/2014/03/24/office-2013-reports-no-internet-connectivity-with-vpn-connection/

Some other information sources that might add complexity but also context:

https://www.ryadel.com/en/yellow-triangle-over-network-connection-status-how-to-fix-it/

https://support.umbrella.com/hc/en-us/articles/230900948-Umbrella-Roaming-Client-Microsoft-Windows-Limited-Network-Connectivity-Warning-Yellow-Triangle-#7hotfix

https://www.interfacett.com/blogs/how-to-disable-network-connectivity-status-indicator-ncsi-with-group-policy/

https://community.spiceworks.com/topic/2131702-limited-connectivity-indicated-but-internet-works


Scripting solution:

Well, a bit unexpected, but I found a command-line answer:

I guess I previously searched on "gateway" which resulted in a lot of noise, but when I searched "default gateway" that gave more relevant results.

Adding the default gateway to your VPN adapter in PowerShell:

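# Name of the VPN adapter (see Get-NetAdapter)
Set-Variable vpnadaptername -Value ENTER-NAME
# Next hop of the 0.0.0.0/1 route is used as the VPN gateway IP
Set-Variable vargateway (Get-NetRoute -DestinationPrefix 0.0.0.0/1 | Select-Object -ExpandProperty "NextHop"); Write-Host $vargateway
# Add it as the explicit default gateway of the VPN adapter
New-NetRoute -InterfaceAlias $vpnadaptername -DestinationPrefix 0.0.0.0/0 -NextHop $vargateway
# Show the adapter configuration, including the default gateway
Get-NetIPConfiguration -InterfaceAlias $vpnadaptername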

Assumptions:

  • You 'route-pull' in your VPN config and Get-NetRoute will list your VPN gateway IP as next-hop next to 0.0.0.0/1.
  • The VPN connection is active while you run the top script and is down when you run the script below.
  • Commands are run with admin privileges though only the set/remove route commands actually require them.

Unfortunately, after a reboot or a reconnect, your VPN-adapter will be assigned a new IP, but the old gateway IP is still in the adapter.

You could update it by replacing 'New-NetRoute' with 'Set-NetRoute', but I guess clearing it before OpenVPN makes a connection is more stable.

So the script before your VPN is connected:

Clearing default gateway IP:

Set-Variable vpnadaptername -Value ENTER-NAME
# Look up the default gateway still stored on the VPN adapter
Set-Variable vargatewayold (Get-NetRoute -InterfaceAlias $vpnadaptername -DestinationPrefix 0.0.0.0/0 | Select-Object -ExpandProperty "NextHop")
# Remove it without a confirmation prompt
Remove-NetRoute -InterfaceAlias $vpnadaptername -DestinationPrefix 0.0.0.0/0 -NextHop $vargatewayold -Confirm:$false

Final notes. As you can see, the route command is used to edit the gateway IP of an adapter; this means that if the order of the scripts is incorrect, you can mess up your route table. Your adapter could end up with two gateways, for example.

Restoring normal operations can always be achieved by manually removing the IP via Network adapter -> properties -> IPv4 -> properties -> select gateway IP and click edit or delete. Reconnecting OpenVPN will reset the routing table.


Commands found: https://richardspowershellblog.wordpress.com/2016/02/22/ip-default-gateways-by-cmdlet/

https://www.vexasoft.com/pages/set-networkadaptergateway (Third-party, didn't feel right, the software might work but seems outdated even though the commands look perfect!)
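
The two scripts from the answer combined into one repeatable step, as an added example that is not part of the original answer: it clears any default gateway left on the VPN adapter before adding the current one, so the adapter cannot end up with two gateways, and it reads the 0.0.0.0/1 route only from the VPN adapter. `Sync-VpnDefaultGateway` is a hypothetical name, `ENTER-NAME` is the answer's placeholder, and like the answer it assumes the VPN connection creates a 0.0.0.0/1 route.

```powershell
#Requires -RunAsAdministrator
# Added example; Sync-VpnDefaultGateway is a hypothetical name, not a built-in cmdlet.
function Sync-VpnDefaultGateway {
    param(
        [Parameter(Mandatory)]
        [string]$AdapterName   # alias of the VPN adapter, as listed by Get-NetAdapter
    )

    # Query routes on the VPN adapter only, so a 0.0.0.0/1 route on another
    # interface can never be picked up as the gateway.
    $pushed = @(Get-NetRoute -InterfaceAlias $AdapterName -AddressFamily IPv4 `
                    -DestinationPrefix '0.0.0.0/1' -ErrorAction SilentlyContinue)
    $stale  = @(Get-NetRoute -InterfaceAlias $AdapterName -AddressFamily IPv4 `
                    -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)

    # Always clear what an earlier session left behind, whether or not the
    # VPN is connected right now (the failure mode from the final notes).
    $stale | Remove-NetRoute -Confirm:$false

    if ($pushed.Count -eq 0) {
        Write-Warning "No 0.0.0.0/1 route on '$AdapterName': VPN is down, gateway cleared."
        return
    }
    if ($pushed.Count -gt 1) {
        throw "More than one 0.0.0.0/1 route on '$AdapterName'; refusing to guess a gateway."
    }
    $gateway = $pushed[0].NextHop

    # ActiveStore keeps the route out of the persistent store, so a reboot
    # does not bring back a gateway that belongs to an old session.
    New-NetRoute -InterfaceAlias $AdapterName -DestinationPrefix '0.0.0.0/0' `
        -NextHop $gateway -PolicyStore ActiveStore | Out-Null

    # Show how Windows now classifies the connection on this adapter.
    Get-NetConnectionProfile -InterfaceAlias $AdapterName |
        Select-Object InterfaceAlias, Name, IPv4Connectivity
}

# Run after each connect and after each disconnect.
Sync-VpnDefaultGateway -AdapterName 'ENTER-NAME'
```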
