Discussion:
Does Windows 11 have any tricks to make free VPN connections easier?
Andrew
2024-08-24 16:15:03 UTC
This is all about streamlining - and not necessarily about VPN per se.
Does Windows 11 have any tricks to make free VPN connections streamlined?

The way I do my free VPN is simple & direct on Windows 10 with a few tricks
added to get past the UAC prompt and to eliminate typing the login/password
and to eliminate the GUI (as all I need to do is doubleclick on the file);
but I'm hoping to make it less manual and more automatic on Windows 11 if
there's anything new in Windows 11 for streamlining VPN connections.

For starters, here's what I do on Win10 that maybe Win11 might streamline.

1. I manually download free config files from any public VPN site such as
https://vpngate.net

2. I add two additional lines which are necessary to run without the GUI
by creating an "append.txt" file containing these two lines:
data-ciphers AES-128-CBC
auth-user-pass C:\\users\\whoami\\vpn\\userpass.txt
Where the data-ciphers line is only needed in newer openvpn versions.
And where the userpass text file contains the VPN username & password:
vpn
vpn
All of which is added via a script to every config file downloaded.
for %i in (*.ovpn) do type C:\\users\\whoami\\vpn\\append.txt >> %i

99 out of 100 people would only use those two steps because they
would be running the openvpn using the GUI which somehow handles
the need to change the routing table requiring elevated privileges.

WARNING: The streamlining steps below are OPTIONAL for free vpn'ing!

3. But I like to start my VPN connection with batch files (which allows
me to auto-randomize the VPN every few hours or so) using this:
set cmd=C:\Progra~1\openvpn\bin\openvpn.exe
set dir=C:\users\whoami\vpn\
set file=vpngate_1.250.96.236_udp_1195.ovpn
%cmd% %dir%%file%

4. And since I dislike rightclicking to "Run as Admin" and I dislike
the UAC prompt (and automation precludes it anyway), I take the
risk that only 1 out of 1000 would do which is I run w/o UAC.
runas.exe /user:administrator /savecred "%cmd% %dir%%file%"

5. There are a few more Windows 10 tricks that I use to streamline
the process which I assume Windows 11 also has, such as setting
the file association for *.ovpn files to the openvpn daemon instead
of to the openvpn GUI (and to set the openvpn daemon to run as
administrator in its rightclick properties advanced settings GUI).

6. Another common Windows 10 streamlining trick which I assume is also
in Windows 11 is to allow the selection of any number of openvpn
config files to run them in sequence as batch with the log files
opening up in the same spot so that they can be stairstepped clicked
on the [x] close box at top right of the log windows which may have
failed (only one will work as it will stop any future ones from
working so any number can be started).
Path: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Name: MultipleInvokePromptMinimum
Type: DWORD
Data: 15 (decimal) <=== change this to any desired number of files

I will stress that most people will not do anything after steps 1 & 2
so your response can assume that you're only doing steps 1 & 2 where
that's what I would hope to streamline in Windows 11 using whatever new
features Windows 11 allows that you know of and which you can suggest.

The first thing I'd love to streamline is getting the text config
files off of these free open public VPN servers online. If you have
any good solutions for using new commands (curl, wget, winget, ftp,
whatever) that work in Windows 11, please add those hints here,
but I suspect there's nothing new in Win11 that Win10 doesn't already have.

But maybe there is.
Which is why I'm asking.

Please don't make this discussion about why you don't like free VPNs or why
you prefer SudVPN over OstVPN (because that's not what this is about).

Everyone knows the pros and cons of free VPNs where this question is only
about how to streamline the VPN connections (which is useful for all VPNs).

Is there anything new in Windows 11 that can further streamline VPNs?
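Added example, not part of the original post: the downloaded .ovpn files in steps 1 to 4 end up running with administrator rights, and an OpenVPN config file can name programs for the client to execute, so this PowerShell script flags such directives before appending the two lines from append.txt (once per file, unlike "type ... >>"). The directive list, the ".rejected" suffix and the constructed sample configs written to a temp folder are assumptions of the example.

```powershell
# Added example, not code from the thread.
# Assumption: these are the directives to treat as risky in a config from an
# untrusted source (they make openvpn.exe run a program or load a DLL).
$RiskyDirectives = 'script-security', 'up', 'down', 'route-up', 'route-pre-down',
                   'ipchange', 'tls-verify', 'plugin'

function Test-OvpnConfig {
    # Emits one object per risky line; inline <ca>/<cert>/<key> blocks are skipped.
    param([Parameter(Mandatory)][string]$Path)
    $inInline = $false
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        $text = $line.Trim()
        if ($text -match '^</[\w-]+>$') { $inInline = $false; continue }
        if ($text -match '^<[\w-]+>$')  { $inInline = $true;  continue }
        if ($inInline -or $text -match '^([#;]|$)') { continue }   # data, comment, blank
        $directive = ($text -split '\s+')[0].TrimStart('-')
        if ($RiskyDirectives -contains $directive) {
            [pscustomobject]@{ File = (Split-Path $Path -Leaf); Line = $lineNo; Text = $text }
        }
    }
}

function Add-OvpnSetting {
    # Appends each line only if it is not already present in the file.
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string[]]$Lines)
    $existing = @(Get-Content -LiteralPath $Path)
    $missing  = @($Lines | Where-Object { $existing -notcontains $_ })
    if ($missing.Count) {
        Set-Content -LiteralPath $Path -Value ($existing + $missing) -Encoding ascii
    }
}

# --- Constructed sample input (not real server configs) ---
$dir = Join-Path $env:TEMP 'ovpn-audit-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'clean.ovpn') -Encoding ascii -Value @'
client
dev tun
proto udp
remote 192.0.2.10 1195
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
'@
Set-Content -LiteralPath (Join-Path $dir 'scripted.ovpn') -Encoding ascii -Value @'
client
dev tun
remote 192.0.2.11 1195
script-security 2
up "placeholder.cmd"
'@

# The two lines from append.txt in the post.
$append = 'data-ciphers AES-128-CBC',
          'auth-user-pass C:\\users\\whoami\\vpn\\userpass.txt'

$files = Get-ChildItem -LiteralPath $dir -Filter *.ovpn |
         Where-Object { $_.Extension -eq '.ovpn' }
foreach ($f in $files) {
    $hits = @(Test-OvpnConfig -Path $f.FullName)
    if ($hits.Count) {
        # Do not run this one elevated: report it and take it out of rotation.
        $hits | ForEach-Object { Write-Warning "$($_.File):$($_.Line): $($_.Text)" }
        Move-Item -LiteralPath $f.FullName -Destination ($f.FullName + '.rejected') -Force
    } else {
        Add-OvpnSetting -Path $f.FullName -Lines $append
    }
}
```

To use it on real downloads, point $dir at the folder holding the .ovpn files and drop the two Set-Content sample blocks.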
Paul
2024-08-24 17:27:05 UTC
The way I do my free VPN is simple & direct on Windows 10 with a few tricks...
...
Please don't make this discussion
While there are probably a few people using VPN, I don't
know if we have the depth of experience to answer your question.

Maybe a forum that discusses FreeVPN has the right individuals
for a question like this (web forum). Since there are a number
of people hosting this, they must gather somewhere for discussions.

Paul
Andrew
2024-08-24 19:07:53 UTC
Post by Paul
While there are probably a few people using VPN, I don't
know if we have the depth of experience to answer your question.
Your advice is always wizened by experience, Paul. I appreciate that.
I thought most people on this newsgroup used VPN daily, don't they?

The main difference is they're probably using payware VPNs, right?
And payware VPNs often come with their own proprietary client setup.

None of those people using proprietary clients can help answer questions.
Only people who use the thousands of free public VPN servers can help.
Post by Paul
Maybe a forum that discusses FreeVPN has the right individuals
for a question like this (web forum). Since there are a number
of people hosting this, they must gather somewhere for discussions.
Long story... (grab a seat)... (you've been there with other products).

Oh, there are forums, all right. Run by VPN nazis. Serious control freaks.
<https://forums.openvpn.net/>

The vpn moderators (e.g., TinCanTech) are Draconian to the degree that
almost justifies my just-a-bit-too-early use of Godwin's Law on Usenet.
<https://forums.openvpn.net/viewforum.php?f=37&sid=52016d4715a21cabe70e2d9cf34baafe>

It's not so much that the mods don't let you register using a known VPN as
your IP address, nor so much as they don't let you post a new thread until
you've proven yourself for months answering other people's technical
questions (which, let's be serious, a noob just can't do without spewing
garbage into dozens of threads to establish a silly-ass presence).

No. It's not that. All of which is easy to overcome if you already have
knowledge of VPN (which I do as I've been using it for years on Windows).

No. The problem is they are downright religious zealots in terms of how
they want you to use the openvpn product - which is *always* via the GUI.

They cannot stand any question about running openvpn in batch.
They hate it.

They don't only shut down or lock any thread that goes even slightly off
road from how *they* want you to use openvpn, but they *remove* the thread.

That's even worse as you can't search to find anyone else asking the
question where the only questions allowed are on the pavement queries.

They will not allow you to discuss any use model but the GUI use model.

If there's another openvpn-developer specific forum, I'm unaware of it,
although the vpngate.net site has its own forum for its users.
<https://forum.vpngate.net/index.php?sid=c8af5c44d80fc073130539d84145c763>

The problem there is completely different where the main problem is that
the answers are few and far between no matter what topic you may ask.
<https://forum.vpngate.net/viewforum.php?f=11>

Worse, they also only use the product with the GUI that they provide.
<https://forum.vpngate.net/viewforum.php?f=7>

There's no advantage (that I know of) of using their SoftEther GUI.
At least not when you are doing things the way that I am doing them.

Which is to randomly run any one of thousands of free public VPN servers at
any given time using a randomization batch file originally provided by
Herbert Kleebauer (and a wget & geoip geolocation script by Marek Novotny).
Chris
2024-08-25 10:59:09 UTC
Post by Andrew
Post by Paul
While there are probably a few people using VPN, I don't
know if we have the depth of experience to answer your question.
Your advice is always wizened by experience, Paul. I appreciate that.
I thought most people on this newsgroup used VPN daily, don't they?
Which of the four cross-posted newsgroups are you referring to?

Why would people use a VPN daily? Not everyone is as paranoid as you.
Andrew
2024-08-25 23:12:52 UTC
Post by Chris
Why would people use a VPN daily?
I could provide a hundred examples, but let's take this real-world example
which I learned when reading about Matthew Perry's death after using drugs.

1. In 2019, a kid named Cody McLaury died of ketamine related causes.
2. When told it caused his death, his sister texted the Ketamine Queen
"The ketamine you sold my brother killed him.
It's listed as the cause of death."
3. Investigators say the Ketamine Queen then subsequently searched for
"Can ketamine be listed as a cause of death?"

REFERENCE: <https://www.bbc.com/news/articles/c89wgv98925o>

Now, I don't know how investigators knew that the Ketamine Queen searched
on Google but if they went to Google asking for all the searches from her
IP address, then she is one person who should have known how to use VPN.
Post by Chris
Not everyone is as paranoid as you.
More to your point, since I'm not doing anything nefarious, it's not so
much that I don't want any web site to know that I'm searching for, oh,
"how to put poison oak in my neighbor's panties?" but it's more that basic
privacy on the net requires IP address obfuscation. It just does.

In the words of the below VPN forum moderator: That's the way it is.

BTW, in searching for a solution, I found someone else who did go on the
VPN forum that Paul kindly alluded must exist (and it does) but where the
VPN nazis shut him down saying, effectively, "We don't support Windows".

More to the point of that particular thread, they don't support using
anything but the openvpn GUI in Windows - as they don't support batching.

Sun Aug 23, 2020
*How do I doubleclick on any arbitrary *.ovpn file*
*& have Windows 10 UAC user account control consent popups NOT come up?*
<https://forums.openvpn.net/viewtopic.php?f=5&t=30838>

They basically said "Windows sucks and it's your fault for using it",
in terms of using VPN in any way other than the GUI that, paradoxically,
JJ suggested isn't the default (but, apparently, the GUI *is* not only the
Windows default for the canonical openvpn software - but worse - nothing
but the GUI is supported based on what that one thread seems to say).
Andrew
2024-08-25 22:17:54 UTC
Post by Andrew
Post by Paul
While there are probably a few people using VPN, I don't
know if we have the depth of experience to answer your question.
Your advice is always wizened by experience, Paul. I appreciate that.
I thought most people on this newsgroup used VPN daily, don't they?
Never used a VPN, not even a trial.
Then you have no privacy. And that's OK. If you don't care about privacy.
What a VPN does for me is obfuscate my "real" IP address when I'm online.

That way, when I google for "how to cure my deadly disease", at least the
endpoint server running that search doesn't know my real IP address (and,
yes, I'm well aware of browser fingerprinting techniques so I account for
that in a variety of ways, as I'm also aware of photo fingerprinting too,
and I'm aware of private DNS servers, etc., all of which is about privacy).

You have no privacy. And that's fine. As long as you don't want privacy.
But I do.

And one component of that privacy is to use thousands of VPN servers.

It used to be people had to roll their own VPN servers at home, but now
there are thousands upon thousands of free openvpn servers on the net.

Since I'm not doing anything nefarious, the only thing I need out of a free
openvpn server is the IP address obfuscation that any proxy provides us.

But proxies only work with browsers whereas VPN is a system-wide
obfuscation of your real IP address - so if you have a better way to change
your IP address on the fly, I'm all ears as I'd love to know how you do it.

Since you've never used a VPN, how do *you* change your IP address at will?
wasbit
2024-08-26 08:25:41 UTC
Post by Andrew
Post by Andrew
Post by Paul
While there are probably a few people using VPN, I don't
know if we have the depth of experience to answer your question.
Your advice is always wizened by experience, Paul. I appreciate that.
I thought most people on this newsgroup used VPN daily, don't they?
Never used a VPN, not even a trial.
Then you have no privacy. And that's OK. If you don't care about privacy.
What a VPN does for me is obfuscate my "real" IP address when I'm online.
That way, when I google for "how to cure my deadly disease", at least the
endpoint server running that search doesn't know my real IP address (and,
yes, I'm well aware of browser fingerprinting techniques so I account for
that in a variety of ways, as I'm also aware of photo fingerprinting too,
and I'm aware of private DNS servers, etc., all of which is about privacy).
You have no privacy. And that's fine. As long as you don't want privacy.
But I do.
And one component of that privacy is to use thousands of VPN servers.
It used to be people had to roll their own VPN servers at home, but now
there are thousands upon thousands of free openvpn servers on the net.
Since I'm not doing anything nefarious, the only thing I need out of a free
openvpn server is the IP address obfuscation that any proxy provides us.
But proxies only work with browsers whereas VPN is a system-wide
obfuscation of your real IP address - so if you have a better way to change
your IP address on the fly, I'm all ears as I'd love to know how you do it.
Since you've never used a VPN, how do *you* change your IP address at will?
By rebooting the router.
IME static IP addresses cost more than dynamic addresses (in the UK).
Also, IME, those reports of found IP addresses are normally that of an
ISP server not the end user.
--
Regards
wasbit
Andrew
2024-08-27 05:59:38 UTC
Post by wasbit
Post by Andrew
Since you've never used a VPN, how do *you* change your IP address at will?
By rebooting the router.
IME static IP addresses cost more than dynamic addresses (in the UK).
Also, IME, those reports of found IP addresses are normally that of an
ISP server not the end user.
Rebooting the router might work for some people, but only if the lease is
so short that a minute or two will be enough to release the IP address back
into the ISP's pool.

But if the lease is hours or days long, then rebooting the router won't
change the IP address (based on my experience last time I had cable).

I'm on a WISP (which means I get my IP address over the air line of sight
from a tower that is, oh, maybe five or six miles away), and I don't get to
control that the local WISP provider assigns every account a static IP.

For me, and for people whose ISP lease is longer than the few seconds that
a router reboot takes to complete, the simplest easiest most direct way to
change my outward-facing IP address is to use any of thousands of free
openvpn configuration files which have been on the Internet for years.

I'm working with JJ to provide all those people with a script that will
a. Run the openvpn daemon on a random free openvpn config file;
b. If the result is no change in IP address (or a null IP address),
then randomly run the openvpn daemon on another free config file;
c. Otherwise, if the result is a new IP address, then you're done.

I will report back when I have that file which everyone can use,
as I always design my scripts to be used by everyone who needs them.
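Added example, not the script Andrew and JJ are working on: steps a to c above written as a PowerShell loop that starts openvpn.exe on a random config, checks whether the public address actually changed, and otherwise stops that process and tries the next file. Assumptions: the paths are the ones from the first post, $IpEcho is any HTTPS service that returns the caller's address as plain text (api.ipify.org is used here as an example), and the timings are arbitrary.

```powershell
# Added example, not code from the thread. Must run elevated, because
# openvpn.exe has to change the routing table.
$OpenVpn   = 'C:\Progra~1\openvpn\bin\openvpn.exe'   # path from the first post
$ConfigDir = 'C:\users\whoami\vpn'                    # path from the first post
$IpEcho    = 'https://api.ipify.org'                  # assumption: plain-text IP echo
$WaitSec   = 45                                       # per-config timeout (assumption)
$MaxTries  = 12                                       # configs to try (assumption)

function Get-PublicIp {
    # Returns the outward-facing address, or $null when there is no answer
    # (the "null IP address" case in step b).
    try { (Invoke-RestMethod -Uri $IpEcho -TimeoutSec 10).ToString().Trim() }
    catch { $null }
}

function Connect-RandomVpn {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated session.' }

    $before  = Get-PublicIp
    # Get-Random -Count returns the files in random order (all of them if
    # there are fewer than $MaxTries).
    $configs = Get-ChildItem -LiteralPath $ConfigDir -Filter *.ovpn |
               Get-Random -Count $MaxTries

    foreach ($cfg in $configs) {
        $log  = Join-Path $env:TEMP ($cfg.BaseName + '.log')
        $args = @('--config', "`"$($cfg.FullName)`"", '--log', "`"$log`"")
        $proc = Start-Process -FilePath $OpenVpn -ArgumentList $args `
                    -WorkingDirectory $ConfigDir -WindowStyle Hidden -PassThru

        $deadline = (Get-Date).AddSeconds($WaitSec)
        while ((Get-Date) -lt $deadline -and -not $proc.HasExited) {
            Start-Sleep -Seconds 5
            $now = Get-PublicIp
            if ($now -and $now -ne $before) {
                # Step c: new address, leave this openvpn.exe running.
                return [pscustomobject]@{
                    Config = $cfg.Name; Before = $before; After = $now
                    ProcessId = $proc.Id; Log = $log
                }
            }
        }

        # Step b: no change (or no address at all), so stop this attempt
        # and wait for the process to go away before starting the next one.
        if (-not $proc.HasExited) {
            Stop-Process -Id $proc.Id -Force
            $proc.WaitForExit(5000) | Out-Null
        }
    }
    throw "None of the $($configs.Count) configs tried changed the public address."
}

# Usage: $result = Connect-RandomVpn; $result | Format-List
```

Because only one openvpn.exe runs at a time, there are no leftover log windows to close, and the returned ProcessId is the one to stop when the tunnel is no longer wanted.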
Andrew
2024-08-25 22:32:15 UTC
Post by Andrew
Post by Paul
While there are probably a few people using VPN, I don't
know if we have the depth of experience to answer your question.
Your advice is always wizened by experience, Paul. I appreciate that.
I thought most people on this newsgroup used VPN daily, don't they?
Never used a VPN, not even a trial.
This Chromebook I'm posting with has a few DNS choices built into its
security settings. I chose the Google Public DNS. Dunno why other than it
seemed to fit this toy...
Nothing wrong with the Google Public DNS if you're not worried about
privacy but there are better privacy-aware private DNS servers around.

What's irksome is Windows uses the IP address (e.g., 8.8.8.8) for DNS
settings while Android uses the server name instead (which is a pita).

And browsers have their own ways for setting the private DNS servers too!
about:preferences#privacy
Enable DNS over HTTPS using: > Max Protection
Choose Firefox Private DNS Provider:
1. Quad9
2. NextDNS
3. AdGuard
4. Control D
5. Mullvad
6. DeCloudUs
7. ReThinkDNS
8. Cloudflare

Android is the only platform that uses domain names, not IP addresses.
Which you can set in the current Android versions using this menu:
Settings > Connections > More connection settings > Private DNS

Corresponding domain name examples for Android Private DNS Providers are
1. dns.quad9.net
2. nextdns-android
3. dns.adguard.com
4. p2.freedns.controld.com
5. adblock.dns.mullvad.net
6. dns.decloudus.com (DoT) https://dns.decloudus.com/dns-query (DoH)
7. max.rethinkdns.com
8. one.one.one.one

And corresponding examples for Windows Private DNS Providers are
1. 149.112.112.112
2. 104.21.19.106
3. 94.140.14.14
4. 76.76.2.11
5. 194.242.2.3
6. 78.47.212.211
7. 137.66.7.89
8. 1.1.1.1

Plus Windows has its own menus that come & go depending on registry keys.
https://blog.netwrix.com/2022/10/11/dns-over-https/
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
EnableAutoDoh=2(0h)

Although that secret menu is on Windows 10, I don't know about Win11.
Let's hope Windows 11 has at least streamlined private DNS setup.

Has it?
Andy Burns
2024-08-28 19:13:48 UTC
Post by Andrew
I thought most people on this newsgroup used VPN daily, don't they?
I have used openVPN (and various GUIs) for road warrior access, I don't
use the scareware/hypeware type of VPN (Nord etc).
JJ
2024-08-24 17:45:19 UTC
Post by Andrew
This is all about streamlining - and not necessarily about VPN per se.
Does Windows 11 have any tricks to make free VPN connections streamlined?
The way I do my free VPN is simple & direct on Windows 10 with a few tricks
added to get past the UAC prompt and to eliminate typing the login/password
and to eliminate the GUI (as all I need to do is doubleclick on the file);
but I'm hoping to make it less manual and more automatic on Windows 11 if
there's anything new in Windows 11 for streamlining VPN connections.
For the UAC prompt problem, you can use Task Scheduler to run the program
with highest privileges. Make sure the "Run with highest privileges" setting
of the scheduled task is enabled. The user account used to run the task
doesn't have to be the built-in Administrator account, and instead, should
be your own user account.

However, the problem is that, the VPN client program requires a different
user credential. Windows doesn't have any feature to securely automate
inputting it. So the credential must already be stored in a file -
preferably under the user's profile folder and with the NTFS encryption
file attribute enabled, so that it won't be readable in plain text by other
than your Windows user account. That being said, any application which is
run using your user account, will be able to read the file.
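Added example, not code from JJ or anyone in the thread: one way to set up what the reply above describes, a scheduled task that runs openvpn.exe with highest privileges under your own account, plus a credential file restricted to that account and EFS-encrypted. The task name and paths are taken from elsewhere in the thread and the use of icacls is an assumption; run it once from an elevated PowerShell opened from your own account (EFS is not available on Windows Home editions).

```powershell
# Added example, not code from the thread. Run once, elevated.
$OpenVpn  = 'C:\Progra~1\openvpn\bin\openvpn.exe'
$Config   = 'C:\users\whoami\vpn\vpngate_1.250.96.236_udp_1195.ovpn'
$CredFile = 'C:\users\whoami\vpn\userpass.txt'
$TaskName = 'task vpnopen'
$Me       = "$env:USERDOMAIN\$env:USERNAME"

if (-not (Test-Path -LiteralPath $CredFile)) { throw "Missing $CredFile" }

# 1. Credential file: drop inherited permissions, leave only this account,
#    then set the NTFS encryption attribute (EFS). The task below runs as the
#    same account, so openvpn.exe can still read the file; a different account
#    (for example the one used with runas /user:administrator) could not.
icacls.exe $CredFile /inheritance:r /grant:r "${Me}:(R,W)" | Out-Null
(Get-Item -LiteralPath $CredFile).Encrypt()

# 2. Task: own account, interactive logon, "Run with highest privileges".
$action    = New-ScheduledTaskAction -Execute $OpenVpn `
                 -Argument "--config `"$Config`"" `
                 -WorkingDirectory (Split-Path $Config)
$principal = New-ScheduledTaskPrincipal -UserId $Me -LogonType Interactive -RunLevel Highest
# No time limit, otherwise the default limit would end a long-lived tunnel.
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
                 -DontStopIfGoingOnBatteries -ExecutionTimeLimit ([TimeSpan]::Zero)
Register-ScheduledTask -TaskName $TaskName -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null

# 3. Check the result, then start it the same way the shortcuts in this
#    thread do (no UAC prompt, no /savecred):
(Get-ScheduledTask -TaskName $TaskName).Principal | Format-List UserId, RunLevel
# schtasks.exe /run /TN "task vpnopen"
```

Anything that can edit the config file named in the task decides what the elevated openvpn.exe does, so keep that file and its folder writable only by your own account.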
Andrew
2024-08-24 19:58:01 UTC
Post by JJ
For the UAC prompt problem, you can use Task Scheduler to run the program
with highest privileges. Make sure the "Run with highest privileges" setting
of the scheduled task is enabled. The user account used to run the task
doesn't have to be the built-in Administrator account, and instead, should
be your own user account.
Long story... on Task Scheduler... which many suggest... but none test. :)

Many times I have set up task-scheduled elevated permission actions to
avoid UAC using the task scheduler, e.g., editing the Win10 registry using:
Win+R regopen [return]
Which is a keyword of that same name (i.e., regopen.exe) found in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\regopen.exe
Which defaults to executing the similar shortcut C:\pathto\regopen.lnk
Whose target is C:\Windows\System32\schtasks.exe /run /TN "task regopen"
Where Win+R taskschd.msc will show that task in the Task Scheduler Library
Where in "General" the checkbox is set to "Run with highest privileges"
Where the "Actions" tab is set to "Start a program" (with no options)
And where the program to run without UAC is "C:\Windows\regedit.exe"

All that works fine for many programs which are to be *individually*
started, but the problem here is I never got that working for openvpn.

So I gave up.

To be clear, I got it working for many other tasks, such as turning on and
off the Windows gateway (for isolation to prevent reconnecting at times).
Win+R off [return]
Which is a keyword of that same name (i.e., off.exe) found in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\off.exe
Which defaults to executing a default shortcut C:\pathto\off.lnk
Whose target is C:\Windows\System32\schtasks.exe /run /TN "task off"
Where Win+R taskschd.msc will show that task in the Task Scheduler Library
Where in "General" the checkbox is set to "Run with highest privileges"
Where the "Actions" tab is set to "Start a program" (with options)
And where the program is set to "%comspec%" and where the arguments are
"/c start "" %windir%\system32\route.exe delete 0.0.0.0 192.168.0.1"
Which runs the command below whenever "off" is typed in the run box
%comspec% /c start "" %windir%\system32\route.exe delete 0.0.0.0 192.168.0.1
And where there's a similar "Win+R on" command to turn it back on
%comspec% /c start "" %windir%\system32\route.exe add 0.0.0.0 mask 0.0.0.0 192.168.0.1

I could go on and on with a score of similarly set up task scheduler tasks.

But for the life of me, I have never been able to get the VPN related task
scheduled setup working to work around the UAC for openvpn's privileges.

Win+R vpnopen [return]
Which is a keyword of that same name (i.e., vpnopen.exe) found in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vpnopen.exe
Which defaults to executing a default shortcut C:\pathto\vpnopen.lnk
Whose target is C:\Windows\System32\schtasks.exe /run /TN "task vpnopen"
Where Win+R taskschd.msc will show that task in the Task Scheduler Library
Where in "General" the checkbox is set to "Run with highest privileges"
Where the "Actions" tab is set to "Start a program" (with options)
And where the program is set to the openvpn daemon C:\pathto\openvpn.exe
And where arguments are set to any one particular VPN configuration file
C:\pathto\vpngate_1.250.96.236_udp_1195.ovpn
Which never worked so I changed it to program "%comspec%" and arguments
/c start "" c:\pathto\openvpn.exe C:\pathto\vpngate_1.250.96.236_udp_1195.ovpn
Which still never worked because it has to be done for thousands of files.

But I set up all those task failures long ago, where probably I should try
anew now that I have a better batch script which chooses the configs using
set cmd=C:\pathto\openvpn.exe
set dir=C:\users\whoami\vpn\
set file=vpngate_1.250.96.236_udp_1195.ovpn
REM %cmd% %dir%%file%
runas.exe /user:administrator /savecred "%cmd% %dir%%file%"

Knowing the setup for the task scheduler, do you have any suggestions
for how to run the batch file such that the openvpn.exe GUI has elevated
privileges when it tries to change the routing table with route.exe?
Post by JJ
However, the problem is that, the VPN client program requires a different
user credential. Windows doesn't have any feature to securely automate
inputting it. So the credential must already be stored in a file -
preferably under the user's profile folder and with the NTFS encryption
file attribute enabled, so that it won't be readable in plain text by other
than your Windows user account. That being said, any application which is
run using your user account, will be able to read the file.
I am confused by that paragraph as I really don't know this stuff well.
What I "think" you're saying is that "/savecred" is a bad idea.
I get that. I know that. I wish I had a better way around UAC.
I really do.

But I tried the task scheduler in the past and failed miserably with
running any of thousands of openvpn config files with the openvpn.exe
daemon which itself has to modify the routing table with route.exe.

Note that I must have a score of commands that I've automated to ignore the
UAC prompt by using the task scheduler method (I only showed you two).

But I have never gotten the Windows task scheduler to work with openvpn.

Do you think it's even possible given openvpn.exe has to itself be able to
modify the route (which I presume it does by calling route.exe internally)?
JJ
2024-08-25 09:56:10 UTC
Post by Andrew
...
And where the program is set to the openvpn daemon C:\pathto\openvpn.exe
And where arguments are set to any one particular VPN configuration file
C:\pathto\vpngate_1.250.96.236_udp_1195.ovpn
Which never worked so I changed it to program "%comspec%" and arguments
/c start "" c:\pathto\openvpn.exe C:\pathto\vpngate_1.250.96.236_udp_1195.ovpn
Which still never worked because it has to be done for thousands of files.
How exactly is it that it "doesn't work"? Any error message? What are you
expecting, and what is the actual result?
Post by Andrew
But I set up all those task failures long ago, where probably I should try
anew now that I have a better batch script which chooses the configs using
set cmd=C:\pathto\openvpn.exe
set dir=C:\users\whoami\vpn\
set file=vpngate_1.250.96.236_udp_1195.ovpn
REM %cmd% %dir%%file%
runas.exe /user:administrator /savecred "%cmd% %dir%%file%"
Knowing the setup for the task scheduler, do you have any suggestions
for how to run the batch file such that the openvpn.exe GUI has elevated
privileges when it tries to change the routing table with route.exe?
openvpn.exe doesn't have any GUI. It's a pure console program. Were you
referring to the GUI of openvpn-gui.exe? FYI, openvpn-gui.exe has a
different set of command line usage and arguments.
Post by Andrew
But I have never gotten the Windows task scheduler to work with openvpn.
Do you think it's even possible given openvpn.exe has to itself be able to
modify the route (which I presume it does by calling route.exe internally)?
It normally shouldn't be a problem as long as openvpn already has
administrative rights, since by system default, a child process inherits the
user account and the security access level of the parent process. This does
not apply if the execution is (specifically) delegated to the desktop
process - which doesn't have administrative rights by default.
Andrew
2024-08-25 21:37:45 UTC
Post by JJ
Post by Andrew
And where the program is set to the openvpn daemon C:\pathto\openvpn.exe
And where arguments are set to any one particular VPN configuration file
C:\pathto\vpngate_1.250.96.236_udp_1195.ovpn
Which never worked so I changed it to program "%comspec%" and arguments
/c start "" c:\pathto\openvpn.exe C:\pathto\vpngate_1.250.96.236_udp_1195.ovpn
Which still never worked because it has to be done for thousands of files.
How exactly is it that it "doesn't work"? Any error message?
What are you expecting, and what is the actual result?
Short answer?
I'm terrible at batch scripting. I generally just copy & modify.

Want a longer answer?

The task requires elevated privileges to change the routing table.
And, the task requires running any set of thousands of openvpn
configuration files until one of those config files wins out.

Currently I do that mostly manually.
By turning every configuration file into its own batch script.

But there are thousands (and thousands) of these config files.
So that makes it hard to reproduce with the Task Scheduler.

Of course, I could write a single script which randomly *selects*
the batch openvpn configuration file, but I don't have that yet.
[see short answer above]

So each (of thousands) of openvpn batch scripts is of the format:
set cmd=C:\programs\networking\openvpn\openvpn.exe
set dir=C:\users\whoami\vpn\config\
set file=vpngate_1.250.96.236_udp_1195.ovpn
cd %dir%
REM %cmd% %dir%%file%
runas.exe /user:administrator /savecred "%cmd% %dir%%file%"

The next script is exactly the same except for the config file.
set cmd=C:\programs\networking\openvpn\openvpn.exe
set dir=C:\users\whoami\vpn\config\
set file=vpngate_1.246.33.10_udp_1341.ovpn
cd %dir%
REM %cmd% %dir%%file%
runas.exe /user:administrator /savecred "%cmd% %dir%%file%"

Obviously, before I use the task scheduler, I should figure out
how to write a batch script that can go down a list of files in
any given directory and run them but even that isn't as easy
as one might think as not every configuration file works.

Many https://vpngate.net openvpn config files fail to connect.
The site is designed that way (to foil government censorship, they say).

But even with normal non-censorship-avoiding sites, openvpn configs fail.
It's the nature of free open vpns where there are thousands on the net.

Luckily if you run a dozen (or so) at a time, at least one will work while
the rest will lock up or fail (depending on the vpn server status); so in
the end, only either zero or one configuration file will work.

But notice this requires a *test* of "is it working yet?",
which requires batch scripting that I am not the best at.

So the biggest problem is that I'm terrible at batch scripting.
The next problem is to get the Task Scheduler to run that batch script.
Post by JJ
Post by Andrew
But I set up all those task failures long ago, where probably I should try
anew now that I have a better batch script which chooses the configs using
set cmd=C:\pathto\openvpn.exe
set dir=C:\users\whoami\vpn\
set file=vpngate_1.250.96.236_udp_1195.ovpn
REM %cmd% %dir%%file%
runas.exe /user:administrator /savecred "%cmd% %dir%%file%"
Knowing the setup for the task scheduler, do you have any suggestions
for how to run the batch file such that the openvpn.exe GUI has elevated
privileges when it tries to change the routing table with route.exe?
openvpn.exe doesn't have any GUI. It's a pure console program. Were you
referring to the GUI of openvpn-gui.exe? FYI, openvpn-gui.exe has a
different set of command line usage and arguments.
Hmmmm.... while I don't doubt you (because I don't know), every time I've downloaded the openvpn client, it has defaulted to the GUI for ovpn files.

So you know things that I clearly am not aware of, even as I've been using the open source openvpn tools on Windows for, oh, I don't know, ten years.
(1) Go to https://openvpn.net/community-downloads/
(2) Scroll down to the "Windows 64-bit MSI installer" whose URL is
<https://swupdate.openvpn.org/community/releases/OpenVPN-2.6.12-I001-amd64.msi>
(3) Run the installer to put binaries into C:\programs\networking\openvpn

As far as I know, that defaults to the GUI when you doubleclick on an ovpn file, but of course I change that to default to the openvpn daemon instead
(and I have to change the daemon privileges to "Run as administrator").
Post by JJ
Post by Andrew
But I have never gotten the Windows task scheduler to work with openvpn.
Do you think it's even possible given openvpn.exe has to itself be able to
modify the route (which I presume it does by calling route.exe internally)?
It normally shouldn't be a problem as long as openvpn already has
administrative rights, since by system default, a child process inherits the
user account and the security access level of the parent process. This does
not apply if the execution is (specifically) delegated to the desktop
process - which doesn't have administrative rights by default.
I readily and openly admit I don't fully understand that paragraph other
than to acknowledge if you install the openvpn msi installer above onto
Windows, the default is the GUI which doesn't ask for elevated permissions
when it runs any of the thousands of free openvpn config files on the net.
C:\programs\networking\openvpn\bin\openvpn-gui.exe

However, if you run the openvpn.exe daemon from a batch file, as I do,
C:\programs\networking\openvpn\bin\openvpn.exe
then even with "Run as administrator" set on the properties form,
the openvpn daemon will not have the permissions needed to set the
routing table unless you run it as administrator (which I'm not logged
in as, even as the user is supposed to have administrator privileges).

Running that openvpn.exe daemon pops up the UAC, which is why I
use the "savecred" method (but if the task scheduler will work, I'm
all for it but it has to actually work with a batch file).

I'm looking at all my existing task-scheduler tasks to find one
which calls a batch file... because I generally just copy & modify.

OK. Found a batch file that I'm running via the task scheduler.
Win+R printer [return]
Which is a keyword of that same name (i.e., printer.exe) found in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\printer.exe
Which defaults to executing a default shortcut C:\pathto\printer.lnk
Whose target is C:\Windows\System32\schtasks.exe /run /TN "task printer"
Where Win+R taskschd.msc shows that task in the "Task Scheduler Library"
Where the "General" tab checkbox is set to "Run with highest privileges"
Where the "Actions" tab is set to "Start a program" (with options)
And where the program is set %comspec% and where arguments are set to
/c start "" C:\pathto\printer.bat where that printer.bat file is
@echo off
REM printer.bat
REM if the print spooler is off, this batch file will turn it back on
REM if the print spooler is running, this batch file will turn it off
REM if you don't enter a valid y/n response, nothing will be changed
call sc query | findstr /i spooler
if %ERRORLEVEL% == 0 goto :Stopit?
:Startit?
set /p "input=Spooler is not running. Start it (y/n)? "
if "%input%"=="y" net start spooler
goto :Ciao

:Stopit?
set /p "input=Spooler is running. Stop it (y/n)? "
if "%input%"=="y" net stop spooler

:Ciao
exit 0

As I said before, I'm not a good batch programmer but I can usually figure
out what a similar program does so I may be able to use this batch file
example (which is already working well) to connect without the UAC prompt.

Looking around for that batch file example using the task scheduler,
I found another batch file that I often use to toggle the gateway.

This is a network toggle that I got long ago from this newsgroup,
which I think was mostly written by Zaidy and which I modified.
Win+R toggle [return]
Which is a keyword of that same name (i.e., toggle.exe) found in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\toggle.exe
Which defaults to executing a default shortcut C:\pathto\toggle.lnk
Whose target is C:\Windows\System32\schtasks.exe /run /TN "task toggle"
Where Win+R taskschd.msc shows that task in the "Task Scheduler Library"
Where the "General" tab checkbox is set to "Run with highest privileges"
Where the "Actions" tab is set to "Start a program" (with options)
And where the program is set %comspec% and where arguments are set to
%comspec% /c start "" c:\pathto\toggle.bat where that file contains
@echo off
REM toggle.bat
REM if the gateway is set, this batch file will turn it off
REM if the gateway is not set, this batch file will set it back
REM Windows connectivity icons will show the status accordingly.
REM If VPN was on when the gateway is removed, nothing happens
REM unless the VPN drops, and then you are without a gateway
REM which protects your IP address from leaking when VPNs fail.
set gateway=192.168.0.1
set "address="
for /f "tokens=2,3 delims={,}" %%a in ('"WMIC NICConfig where IPEnabled="True" get DefaultIPGateway /value | find "I" "') do if not defined address set address=%%~a
if "%address%"=="%gateway%" ( %comspec% /c %windir%\system32\route.exe delete 0.0.0.0 %gateway%) else ( %comspec% /c %windir%\system32\route.exe add 0.0.0.0 mask 0.0.0.0 %gateway%)
exit

Given I suck at writing batch scripts, but I can usually modify existing
batch scripts to do the job I need to do (unless clever tricks are needed),
my problem task now is to first figure out how to tell if a VPN
configuration file has actually worked or not.

To be clear, the problem is that the batch file has to not only select a
random vpn config file in a directory of thousands (which isn't that hard),
but it has to also run a few of those configuration files until one of them
works to connect to a free public VPN (which I don't know how to test for
from within a batch script although "curl ifconfig.me" will tell me that
the IP address is different from my ISP's provided static IP address).

As an additional aside, I normally kill the gateway moments after I
establish a VPN connection (which protects the IP address if the VPN
connection suddenly drops - which it does all the time).

For that, I can run "Win+R off" to remove the 192.168.0.1 gateway; or,
I can use that on/off network toggle (which I think Zaidy had written).

In summary, the main "trick" that I need help on is how to tell for sure
that I've connected to a VPN server - where there are two ways that I know
of offhand, one of which is the VPN log file will say this as the last line
"Initialization Sequence Completed"

The other way is that a curl command will show a different IP address.

Win+R whatismyipaddress [return]
Which is a keyword of that same name (i.e., whatismyipaddress.exe) in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\whatismyipaddress.exe
Which executes the shortcut C:\pathto\whatismyipaddress.lnk
Whose target is %comspec% /k echo "C:\pathto\whatismyipaddress.lnk %myipaddress%" & %Windir%\System32\curl.exe ifconfig.me

This will report the known static ISP IP address plus the current IP
address, where I don't know yet how to compare them in a batch file.

Hence, the two "tricks" of the trade I would like to ask for help on how to
do are (a) how do I compare two IP addresses, and (b) how do I test whether
or not the VPN connection has been established?

Any ideas from anyone out there on those two Windows networking tricks?
JJ
2024-08-26 05:59:33 UTC
Post by Andrew
In summary, the main "trick" that I need help on is how to tell for sure
that I've connected to a VPN server - where there are two ways that I know
of offhand, one of which is the VPN log file will say this as the last line
"Initialization Sequence Completed"
The other way is that a curl command will show a different IP address.
Win+R whatismyipaddress [return]
Which is a keyword of that same name (i.e., whatismyipaddress.exe) in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\whatismyipaddress.exe
Which executes the shortcut C:\pathto\whatismyipaddress.lnk
Whose target is %comspec% /k echo "C:\pathto\whatismyipaddress.lnk %myipaddress%" & %Windir%\System32\curl.exe ifconfig.me
This will report the known static ISP IP address plus the current IP
address, where I don't know yet how to compare them in a batch file.
Hence, the two "tricks" of the trade I would like to ask for help on how to
do are (a) how do I compare two IP addresses, and (b) how do I test whether
or not the VPN connection has been established?
Any ideas from anyone out there on those two Windows networking tricks?
It's best to use a batch file for that. Otherwise everything will have to be
placed in one very long command line. It'd be a pain to maintain and update.

The output of that curl accessing ifconfig.me is already just the IP
address, so it can simply be retrieved as is and placed into a variable.
e.g. in a batch file:

@echo off
setlocal
for /f "delims=" %%A in ('%Windir%\System32\curl.exe ifconfig.me') do set ipcurl=%%A
echo IP from curl = %ipcurl%

The output of whatismyipaddress.exe however, I don't know. I'm not familiar
with that program, and Googling that exact file name gives no match. If its
output is not just an IP address, then the batch file will need to parse the
output and extract only the IP address. I can't know how exactly to do that,
since I don't know its exact output. If it's just an IP address, then you
can use the same method as above except with a different variable name. Then
you can compare both variables like you did in your other batch file.
Andrew
2024-08-27 05:45:20 UTC
Post by JJ
Post by Andrew
Hence, the two "tricks" of the trade I would like to ask for help on how to
do are (a) how do I compare two IP addresses, and (b) how do I test whether
or not the VPN connection has been established?
Any ideas from anyone out there on those two Windows networking tricks?
The output of whatismyipaddress.exe however, I don't know. I'm not familiar
with that program, and Googling that exact file name gives no match. If its
output is not just an IP address, then the batch file will need to parse the
output and extract only the IP address. I can't know how exactly to do that,
since I don't know its exact output. If it's just an IP address, then you
can use the same method as above except with a different variable name. Then
you can compare both variables like you did in your other batch file.
Sorry for the confusion. There is no "whatismyipaddress.exe" executable.
There never was. It's just a keyword. For the AppPaths registry key.

For reasons known only to Microsoft, when you create an AppPaths registry
key, that key *must* end with ".exe" even though there is very likely no
file with that name on your system.

If you create a command "foo", the AppPaths key name has to be "foo.exe".
Even though there is likely no file named "foo.exe" on your system.

It's how that AppPaths registry key works.
Don't ask me why it works that way. Only Microsoft knows why.

But it has worked that way since Windows had a system registry.
As I've been creating AppPath keys since, oh, Windows 95 or so.

They've always worked flawlessly.
You just create a key and voila! You have a new command.

So, for example, if you wanted to run this command by typing "Win+R foo"
%comspec% /k echo "%Windir%\System32\curl.exe icanhazip.com"
You can create a subkey of the name "foo.exe" in the AppPaths registry key.
Note that there is no file called "foo.exe"; it's just a keyword.
The AppPaths registry key requires all the keywords to end with "exe".

So to create a command "Win+R foo", you just create this AppPaths key.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\foo.exe
When you type "Win+R foo", that AppPaths key will be executed.
You can put almost anything into the value of that AppPaths key.

In this example, that AppPaths "foo.exe" keyword executes a shortcut.
C:\pathto\foo.lnk
Where the TARGET of that shortcut will run the curl command for you.
%comspec% /k echo "%Windir%\System32\curl.exe icanhazip.com"
But it just as well could have executed a batch file instead.

Replace "foo" above with "whatismyipaddress" and it's the same thing.
Post by JJ
It's best to use a batch file for that. Otherwise everything will have to be
placed in one very long command line. It'd be a pain to maintain and update.
Thanks for that advice where I'm fine with a batch file to test if the IP
address is the same as the static IP address assigned to me by my ISP.
Post by JJ
The output of that curl accessing ifconfig.me is already just the IP
address, so it can simply be retrieved as is and placed into a variable.
@echo off
setlocal
for /f "delims=" %%A in ('%Windir%\System32\curl.exe ifconfig.me') do set ipcurl=%%A
echo IP from curl = %ipcurl%
Thank you for that delims/doset syntax example to test the IP address.
for /f "delims=" %%A in ('%Windir%\System32\curl.exe ifconfig.me') do set ipcurl=%%A

I think only three cases are possible:
1. The curl can report the static IP address (i.e., you're not yet on VPN)
2. The curl can report a different IP address (i.e., you're on VPN)
3. The curl can fail if there's no network (i.e., the connection is in limbo)

Ignoring the third case above error condition (for now), I used your
suggestion to create the script below to compare IP addresses.

@echo off
set myip=123.45.678.9
setlocal
for /f "delims=" %%A in ('%Windir%\System32\curl.exe ifconfig.me') do set ipcurl=%%A
if "%ipcurl%" == "%myip%" (echo Your IP %myip% is not a VPN) else (echo You are on VPN IP %ipcurl% && goto :Next)
:Next
REM We can add commands here for use when you're already on VPN.

I think that I need to reverse that logic though, as the goal is
to keep trying new free openvpn configuration files until one wins.

@echo off
setlocal
set myip=123.45.678.9
for /f "delims=" %%A in ('%Windir%\System32\curl.exe icanhazip.com') do set ipcurl=%%A
if not "%ipcurl%" == "%myip%" (echo You are on VPN %ipcurl% && goto :Ciao) else (echo Your IP is still %ipcurl% && goto :NextVPN)
:NextVPN
echo Put commands to try the next free openvpn config file here
:Ciao

To handle the error situation of no network, I can insert this above.
If [%ipcurl%]==[] echo Error: The IP address is missing && goto :NextVPN

Now what I need to put under ":NextVPN" are commands to look into
a given openvpn config directory and randomly run config files.

This is what I'm manually running now, for each VPN config file.
set cmd=C:\pathto\openvpn.exe
set dir=C:\users\whoami\vpn\
set file=vpngate_1.250.96.236_udp_1195.ovpn
REM %cmd% %dir%%file%
runas.exe /user:administrator /savecred "%cmd% %dir%%file%"

What I need to add is a random one-by-one selection of free
openvpn config files from a folder containing thousands of them.

There are many suggestions on how to randomize that, so
I'll use one of these and report back when it's working.
<https://ss64.org/viewtopic.php?t=9>
<https://stackoverflow.com/questions/51487674/open-a-random-file-from-folder-with-batch>
<https://superuser.com/questions/1823076/how-to-get-paul-blacks-random-file-selector-batch-script-not-to-select-itself>

The result should be a batch file enacting this command flow:
a. Run the openvpn daemon on a random free openvpn config file;
b. If the result is no change in IP address (or a null IP address),
then randomly run the openvpn daemon on another free config file.
c. Otherwise, if the result is a new IP address, then you're done.

When I put that batch file into the Windows task scheduler, the hope
is I won't have to use "/savecred" to avoid the UAC prompt anymore.

Cross your fingers...

BTW, do you know why the command above adds extraneous output of
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15 100 15 0 0 23 0 --:--:-- --:--:-- --:--:-- 23
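
An added example, not part of the original posts: one way to implement the a/b/c flow described above, checking the log for "Initialization Sequence Completed" first and then confirming with curl that the public address actually changed, since a tunnel can come up without carrying your traffic. The paths, the placeholder ISP address 203.0.113.9, the five-attempt limit and the 30-second wait are assumptions; `-s` suppresses the progress meter that curl prints when its output is captured rather than shown on a terminal.

```batch
@echo off
REM Added example, not code from the thread. Paths, myip, tries and the
REM 30-second wait are assumptions. Run it from an already elevated task.
setlocal EnableDelayedExpansion
set "ovpn=C:\Progra~1\openvpn\bin\openvpn.exe"
set "dir=C:\users\whoami\vpn"
set "log=%TEMP%\vpn-try.log"
REM Placeholder for the static address assigned by the ISP.
set "myip=203.0.113.9"
set "tries=5"

:NextVPN
if %tries% LEQ 0 (echo No config file produced a working VPN & exit /b 1)
set /a tries-=1

REM Count the config files, then take the one at a random index.
set "count=0"
for %%F in ("%dir%\*.ovpn") do set /a count+=1
if %count% EQU 0 (echo No .ovpn files found in %dir% & exit /b 1)
set /a "pick=%RANDOM% %% count"
set "n=0"
for %%F in ("%dir%\*.ovpn") do (
    if !n! EQU %pick% set "file=%%~fF"
    set /a n+=1
)

REM Start the daemon in the background, logging to a file we can poll.
del "%log%" >nul 2>&1
start "" /b "%ovpn%" --config "%file%" --log "%log%"

REM Poll the log for up to 30 seconds. ping gives a ~2 second pause and,
REM unlike timeout.exe, still works when stdin is redirected.
set "wait=0"
:Wait
ping -n 3 127.0.0.1 >nul
findstr /c:"Initialization Sequence Completed" "%log%" >nul 2>&1 && goto :CheckIP
set /a wait+=2
if %wait% LSS 30 goto :Wait
goto :Fail

:CheckIP
REM The tunnel is up; confirm traffic really leaves through it.
REM -s hides curl's progress meter, -m 10 bounds the request time.
set "ipcurl="
for /f "delims=" %%A in ('%Windir%\System32\curl.exe -s -m 10 ifconfig.me') do set "ipcurl=%%A"
if not defined ipcurl goto :Fail
if "%ipcurl%"=="%myip%" goto :Fail
echo Connected with %file%, public IP is %ipcurl%
exit /b 0

:Fail
REM Stops every openvpn.exe on the machine before the next attempt.
taskkill /f /im openvpn.exe >nul 2>&1
goto :NextVPN
```

Because `start /b` keeps openvpn.exe attached to the script's console, the tunnel ends if that console window is closed.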
Graham J
2024-08-25 09:16:58 UTC
Post by Andrew
This is all about streamlining - and not necessarily about VPN per se.
Does Windows 11 have any tricks to make free VPN connections streamlined?
[snip all your detail]

Have you thought about off-loading all the VPN setup to your router?

If you configure a LAN-to-LAN VPN in your router, all the credentials
required are stored in the router, not on your PC. To invoke the VPN
all you need to do on the PC is to ping an IP address on the remote LAN,
and a reply confirms that the VPN is up. You configure the router so
that the specific traffic that concerns you is sent via the VPN. Also
set the router so that if no traffic is sent for a specified period, the
VPN is closed.

The LAN-to-LAN VPN means that all the PCs on your LAN can use the active
VPN.

Typically the Vigor routers from Draytek will support 32 VPN channels;
routers from Cisco or the like may support more.

I use this technique to support customers. Each customer's LAN has a
separate IP address; so for example Mr Smith may have 192.168.100.0 / 24
and Mr Jones may have 192.168.101.0 / 24 and of course the customers
must have a suitable router and a static IP address - but usually my
relationship with customers starts when they come to me with a problem
about the unreliability or poor performance of their internet
connections, so changing the router and their ISP is usually the first step.
--
Graham J
Brian Gregory
2024-08-28 20:26:39 UTC
Post by Andrew
This is all about streamlining - and not necessarily about VPN per se.
Does Windows 11 have any tricks to make free VPN connections streamlined?
Note: He actually seems to be asking about tricks to make using OpenVPN
easier.
--
Brian Gregory (in England).