How to Force VPN Interface to Public Network Profile in Domain-Joined Windows Server


2 views

When dealing with domain-joined Windows servers running VPN clients, Network Location Awareness (NLA) often automatically assigns domain-authenticated status to VPN interfaces. This becomes problematic when you need firewall rules to treat the VPN connection as an untrusted public network.

The typical PowerShell approach fails because:

Set-NetConnectionProfile -InterfaceIndex 15 -NetworkCategory Public

throws permission errors even in elevated sessions. The key limitations are:

  • Group Policy restrictions via 'Network List Manager Policies'
  • Domain-authenticated status being system-managed
  • Missing registry profiles for virtual adapters

Method 1: Registry Hack

Manually create the network profile in registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{YOUR-ADAPTER-GUID}]
"Category"=dword:00000001
"Name"="OpenVPN TAP"
"Description"="VPN Public Network"
"Managed"=dword:00000000

Find your adapter GUID from:

Get-NetConnectionProfile | Select-Object InterfaceAlias,InstanceID

Method 2: Network Isolation

Create firewall rules targeting the specific interface:

New-NetFirewallRule -DisplayName "Block VPN Access" 
-Direction Outbound 
-InterfaceAlias "Ethernet 2" 
-Action Block 
-Enabled True

Method 3: Route-Based Separation

Since you're using custom routes, leverage them in firewall rules:

# Match traffic destined for VPN subnet
New-NetFirewallRule -DisplayName "VPN Subnet Filter" 
-RemoteAddress 10.0.0.0/8 
-Action Block

For OpenVPN specifically, consider these config tweaks:

# In client.ovpn
route-metric 5000
route-noexec

This prevents the VPN from influencing network detection while maintaining your manual routes.

Confirm your changes with:

Get-NetConnectionProfile -InterfaceAlias "Ethernet 2"

And test firewall effectiveness using:

Test-NetConnection -ComputerName 8.8.8.8 -InterfaceAlias "Ethernet 2"

When working with OpenVPN on domain-joined Windows servers, you'll often encounter the stubborn DomainAuthenticated network profile assignment. The Network Location Awareness (NLA) service automatically categorizes VPN interfaces alongside your domain network, creating security concerns. Here's why this matters:

# Typical NLA behavior on domain-joined systems
Get-NetConnectionProfile | Select-Object Name,InterfaceAlias,NetworkCategory

# Output would show:
# Name       InterfaceAlias NetworkCategory
# ----       -------------- ---------------
# Network    Ethernet       DomainAuthenticated
# Network 2  Ethernet 2     DomainAuthenticated

Attempting standard PowerShell commands like Set-NetConnectionProfile fails because:

  • Domain-authenticated profiles have higher precedence
  • Group Policy settings may override user changes
  • The registry stores profile information differently for domain networks

Here's the most reliable method I've found after extensive testing:

# First identify the interface GUID
$vpnInterface = Get-NetAdapter | Where-Object {$_.Name -eq "Ethernet 2"}
$interfaceGuid = $vpnInterface.InterfaceGuid

# Then modify the registry (run as Administrator)
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\"
$profiles = Get-ChildItem $registryPath

foreach ($profile in $profiles) {
    $profileData = Get-ItemProperty $profile.PSPath
    if ($profileData.ProfileGuid -eq $interfaceGuid) {
        Set-ItemProperty $profile.PSPath -Name "Category" -Value 0 -Force
        Write-Host "Successfully changed profile to Public"
        break
    }
}

# Restart NLA service to apply changes
Restart-Service -Name NlaSvc -Force

If registry editing isn't feasible, consider network isolation through PowerShell:

# Create firewall rules specifically for the VPN interface
New-NetFirewallRule -DisplayName "Block VPN Interface" -Direction Outbound 
    -InterfaceAlias "Ethernet 2" -Action Block -Enabled True

# Or more granular application control
$apps = @("chrome.exe","firefox.exe")
foreach ($app in $apps) {
    New-NetFirewallRule -DisplayName "Block $app on VPN" -Program "C:\path\to\$app" 
        -InterfaceAlias "Ethernet 2" -Direction Outbound -Action Block
}

The root cause often lies in how NLA detects network characteristics. Try these OpenVPN config adjustments:

# In your OpenVPN client configuration:
route-metric 5000
route-delay 15
route-noexec
script-security 2
route-up "powershell -command \"Restart-Service NlaSvc\""

This forces NLA to re-evaluate network characteristics after VPN connection.

After making changes, verify with:

Get-NetConnectionProfile -InterfaceAlias "Ethernet 2" | 
    Select-Object InterfaceAlias,NetworkCategory

The output should now show:

InterfaceAlias NetworkCategory
-------------- ---------------
Ethernet 2     Public