I have had numerous issues with several Windows 10 users connecting via VPN, and they seem to have become even less sensical following the anniversary patch. I have seen several previous posts about VPN-DNS issues, but the problem seems to just change with each update. Indeed, it is so ridiculous that Microsoft would bork and then leave unfixed what all sane businesses consider a common and necessary utility for a year without a fix in sight that we are very likely to transition systems, licenses, and subscriptions to other services. We have currently spent time building in a backup for critical users, such that the cost of expanding that to all of our offsite employees is perhaps less than the time we have wasted troubleshooting this piecemeal.

I appreciate tips from other frustrated customers who have found a configuration I have missed, and who no doubt are as incensed as I am that this doesn't just work out of the box (as it does on Mac, Linux, and any mobile device).



This is the issue:

1) Users can connect to the VPN correctly.

2) Users cannot access internal web apps which have internal-only DNS.

Some more symptoms beyond the basic:

2a) Some users can access those apps with the IP address.

2b) Some users can access internal apps in the network segment but cannot access web apps in the private network connected with a tunnel.

3) Some users can access everything correctly if they use Wi-Fi rather than Ethernet.



I have done the following with mixed success, but none of that seems to hold after the anniversary update.

1) I changed the metric of the adapter via netsh.

2) I manually configured DNS and "use default gateway" via adapter properties.

3) I changed the user's router DNS configuration from automatic to point to Google.

4) I made sure split tunnelling is enabled via PowerShell.



I have run some basic troubleshooting on three devices. They are as follows:

1) Windows 10 Pro laptop with a Realtek adapter. I'll call this Rob. Rob is in North America. Rob's version is 1607 and was updated 5 minutes before this post.

2) Windows 8.1 Pro laptop with a JMicron adapter. I'll call this John. John is on the same physical network, same router as Rob. John's build doesn't matter.

3) Windows 10 Pro desktop with a Broadcom adapter. I'll call this Fritz. Fritz is in Germany. Fritz's version is 1511.

John can access all network locations on both the private network hosting the VPN and the tunnel-connected network hosted elsewhere.

Rob can only access resources on the private network and can do so with FQDN. Rob cannot access resources through the tunnel. He can ping IP addresses on the private network but cannot resolve DNS through the command prompt (either using nslookup or ping). Rob can ping resources on the tunnel-connected network that do not have a firewall using their private addresses, but those which filter out all but our static public addresses cannot be pinged. However, if he uses his wireless adapter, he can access everything correctly.

Fritz cannot resolve DNS in any way, shape, or form. Internal locations do not resolve. Ping does work for private network addresses, but external lookups always resolve to the DNS provider. Fritz, however, can access important services that have internal and external DNS but filter out unknown public IP addresses, so I am unwilling to do an update.

Everybody shows the same configuration settings from PowerShell Get-VpnConnection except for John, who has NAP false.



Here's the output of their current netsh interface ipv4 show interfaces:

Rob wired:

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  7        8470        1500  disconnected  Wireless Network Connection
  6        4250        1500  disconnected  Local Area Connection* 3
 39          35        1400  connected     myvpn
  1        4300  4294967295  connected     Loopback Pseudo-Interface 1
  9        4260        1500  connected     Local Area Connection

Rob wifi:

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  7        8470        1500  connected     Wireless Network Connection
  6        4250        1500  disconnected  Local Area Connection* 3
 39          45        1400  connected     myvpn
  1        4300  4294967295  connected     Loopback Pseudo-Interface 1
  9        4230        1500  disconnected  Local Area Connection

John:

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  4        4250        1500  connected     Wi-Fi
  1        4275  4294967295  connected     Loopback Pseudo-Interface 1
 25        4245        1500  connected     VirtualBox Host-Only Network
 29        4230        1500  disconnected  Local Area Connection* 24
  2        4230        1500  connected     Ethernet
 90          20        1400  connected     myvpn

Fritz:

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
 15           5        1500  disconnected  WiFi
  5           5        1500  disconnected  LAN-Verbindung* 11
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 46          10        1400  connected     myvpn
 16           5        1500  disconnected  LAN-Verbindung* 12
 10          40        1500  disconnected  Bluetooth-Netzwerkverbindung
 17          25        1500  connected     Ethernet





EDIT: Fritz has been updated to 1607 and is experiencing the same issues.
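A diagnostic script for separating the "tunnel is up" case from the "resolver asks the wrong adapter" case described in the post, added here as an example and not part of the original post or any Microsoft tooling. It assumes the VPN connection is named myvpn as in the netsh output above and uses a placeholder internal FQDN; run it in PowerShell while the VPN is connected.

```powershell
# Added diagnostic, not from the original post. $VpnName matches the netsh
# output above; $InternalHost is a placeholder for an internal-only name.
param(
    [string]$VpnName      = 'myvpn',
    [string]$InternalHost = 'intranet.example.internal'
)

# 1. Interface metrics, the same columns netsh shows. Adapter choice for DNS
#    depends partly on metric, so the VPN should sort first while connected.
$ifaces = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric
$ifaces | Format-Table ifIndex, InterfaceAlias, InterfaceMetric, NlMtu -AutoSize

$vpn = $ifaces | Where-Object InterfaceAlias -eq $VpnName
if (-not $vpn) { Write-Warning "VPN interface '$VpnName' is not connected"; return }
if ($ifaces[0].ifIndex -ne $vpn.ifIndex) {
    Write-Warning "'$($ifaces[0].InterfaceAlias)' has a lower metric than the VPN"
}

# 2. DNS servers per adapter: the VPN adapter must carry the internal server.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
$vpnDns = (Get-DnsClientServerAddress -InterfaceIndex $vpn.ifIndex `
            -AddressFamily IPv4).ServerAddresses
if (-not $vpnDns) { Write-Warning "No DNS server assigned to '$VpnName'"; return }

# 3. Ask the VPN's DNS server directly, then through the system resolver.
#    Direct success with resolver failure means the tunnel and internal DNS
#    work and the fault is adapter selection on the client, as in Rob's case.
$direct = Resolve-DnsName -Name $InternalHost -Server $vpnDns[0] -DnsOnly `
            -ErrorAction SilentlyContinue
$normal = Resolve-DnsName -Name $InternalHost -DnsOnly -ErrorAction SilentlyContinue
"Direct to $($vpnDns[0]): " + $(if ($direct) { $direct.IPAddress -join ',' } else { 'no answer' })
"System resolver:        " + $(if ($normal) { $normal.IPAddress -join ',' } else { 'no answer' })

# 4. Split tunnelling only helps if routes for the internal and the
#    tunnel-connected subnets actually point at the VPN interface.
Get-VpnConnection -Name $VpnName | Select-Object Name, SplitTunneling, ConnectionStatus
Get-NetRoute -InterfaceIndex $vpn.ifIndex -AddressFamily IPv4 |
    Format-Table DestinationPrefix, NextHop, RouteMetric -AutoSize
```

If step 3 fails even for the direct query, the problem is reachability of the DNS server over the tunnel rather than resolver adapter selection, which is the distinction that separates Rob's symptoms from Fritz's.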

