3

I know this has been asked many times but I haven't found anything that actually solves it.

I use VPNs to access international internet, freedom of information is a basic human right, unfortunately I live in China, so I have to use VPNs to exercise that right.

And now Windows 10 falsely reports "No Internet" while the VPN is connected, despite the fact I can visit any blocked website just fine (e.g. www.google.com). Windows correctly reported "Internet Access" while the VPN was active in the past, but somehow it doesn't now.

You might think this is not a big deal, but my ISP constantly tries to disconnect my VPN and sometimes they succeed, and Network Connectivity Status Indicator would fail to tell me when I am actually disconnected.

I of course Googled this, and some results suggested the following registry edits and rebooting the router:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet]
"ActiveDnsProbeContent"="8.8.8.8"
"ActiveDnsProbeContentV6"="2001:4860:4860::8844"
"ActiveDnsProbeHost"="dns.google"
"ActiveDnsProbeHostV6"="dns.google"
"ActiveWebProbeContent"="success"
"ActiveWebProbeContentV6"="success"
"ActiveWebProbeHost"="detectportal.firefox.com"
"ActiveWebProbeHostV6"="detectportal.firefox.com"
"ActiveWebProbePath"="success.txt"
"ActiveWebProbePathV6"="success.txt"
"CaptivePortalTimer"=dword:00000000
"CaptivePortalTimerBackOffIncrementsInSeconds"=dword:00000005
"CaptivePortalTimerMaxInSeconds"=dword:0000001e
"EnableActiveProbing"=dword:00000001
"PassivePollPeriod"=dword:0000000f
"StaleThreshold"=dword:0000001e
"WebTimeout"=dword:00000023

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator]
@=""

I tried it and it didn't work.

I can ping the servers used in the test just fine:

PS C:\Users\Xeni> ping detectportal.firefox.com

Pinging prod.detectportal.prod.cloudops.mozgcp.net [34.107.221.82] with 32 bytes of data:
Reply from 34.107.221.82: bytes=32 time=203ms TTL=120
Reply from 34.107.221.82: bytes=32 time=203ms TTL=120
Reply from 34.107.221.82: bytes=32 time=203ms TTL=120
Reply from 34.107.221.82: bytes=32 time=204ms TTL=120

Ping statistics for 34.107.221.82:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 203ms, Maximum = 204ms, Average = 203ms
PS C:\Users\Xeni> ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=203ms TTL=120
Reply from 8.8.8.8: bytes=32 time=203ms TTL=120
Reply from 8.8.8.8: bytes=32 time=203ms TTL=120
Reply from 8.8.8.8: bytes=32 time=200ms TTL=120

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 200ms, Maximum = 203ms, Average = 202ms

I have disabled and re-enabled the network adapter...

Nothing works.

However I know if I disconnect the VPN, the NCSI will immediately correctly report that I have internet access, I have successfully reproduced this many times without failure, but of course this isn't the solution for obvious reasons.

My Settings -> Network & Internet -> Status -> Network Status says:

No Internet access

Your device is connected, but you might not be able to access anything on the network. If you have a limited data plan, you can make this network a metered connection or change other properties.

How do I fix this problem?

P.S. These details are irrelevant, but I will add them here in case someone mentions them:

My operating system is Windows 10 Pro 22H2 x64, and I am using a wired Ethernet connection, but they don't affect the problem that much; and no, dism /online /cleanup-image /restorehealth and sfc scannow absolutely don't fix this problem, and neither does reinstalling the OS. I have already updated the network driver using Snappy Driver Installer earlier, and I have rebooted my computer...

  • This status is based on Windows' ability to reach a certain Microsoft domain. So if nothing has changed on your end, the most likely explanation is that while connected to the VPN this domain is no longer reachable. I sadly don't remember where I saw the explanation, or the domain, so I don't have a solution for that particular problem (if that is indeed the full explanation). – Ramhound Apr 07 '23 at 15:19

2 Answers

6

The Windows Network Connectivity Status Indicator (NCSI) does at least a DNS and HTTP test. You can usually test these yourself to see which one is failing. By default, it checks:

If the DNS is failing, you can force it to succeed by editing the hosts file


That said, I believe it relies on those registry settings you've changed. You may want to reset them to default or validate that they give you the correct responses for the above tests while you're having the issue.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet]
"ActiveDnsProbeContent"="131.107.255.255"
"ActiveDnsProbeContentV6"="fd3e:4f5a:5b81::1"
"ActiveDnsProbeHost"="dns.msftncsi.com"
"ActiveDnsProbeHostV6"="dns.msftncsi.com"
"ActiveWebProbeContent"="Microsoft Connect Test"
"ActiveWebProbeContentV6"="Microsoft Connect Test"
"ActiveWebProbeHost"="www.msftconnecttest.com"
"ActiveWebProbeHostV6"="ipv6.msftconnecttest.com"
"ActiveWebProbePath"="connecttest.txt"
"ActiveWebProbePathV6"="connecttest.txt"
"CaptivePortalTimer"=dword:00000000
"CaptivePortalTimerBackOffIncrementsInSeconds"=dword:00000005
"CaptivePortalTimerMaxInSeconds"=dword:0000001e
"EnableActiveProbing"=dword:00000001
"PassivePollPeriod"=dword:0000000f
"StaleThreshold"=dword:0000001e
"WebTimeout"=dword:00000023

If your VPN involves a web proxy, then NCSI attempts to automatically detect your proxy settings. If that is failing, you can try to help out NCSI by setting the WinHTTP proxy settings manually:

netsh winhttp set proxy [proxy-server=]<server name> [bypass-list=]<hosts list>
Cpt.Whale
  • I used nslookup and found my ISP hijacked dns.msftncsi.com to 100.64.100.1, an internal address. I edited my %windir%\system32\drivers\etc\hosts file to force dns.msftncsi.com to resolve to the correct address 131.107.255.255. I then restored the original NCSI registry settings and disabled and re-enabled the network adapter, and the problem is solved. I tried ping 131.107.255.255 but it failed. I then immediately tried tcping 131.107.255.255 and it succeeded. – Ξένη Γήινος Apr 07 '23 at 17:22
  • @ΞένηΓήινος Nice! And yep, the "DNS" hostname is not ping-able, mostly just a name to resolve – Cpt.Whale Apr 07 '23 at 17:49
0

I have identified the root cause of the problem.

Evidently the ISP hijacked dns.msftncsi.com to 100.64.100.1, so the DNS query would fail while connected to a VPN, and the failure of DNS query is what caused NCSI to falsely report "No Internet".

Setting 131.107.255.255 dns.msftncsi.com in the hosts file however will cause the opposite, it will make NCSI falsely report "Internet Access" when my internet was cut off by my ISP.

Both are unwanted, and I have just found a way to make it work properly.

What caused the DNS query to fail is the DNS poisoning of my ISP, so using a known safe DNS will make the DNS query succeed when it should.

I changed my adapter to use 8.8.8.8 DNS in Control Panel -> Network and Internet -> Network Connections -> Ethernet Properties -> IPv4 Properties page, this will bypass the DNS poisoning caused by the GFW.

But NCSI still will report false negatives after VPN is connected, this is solved by the following commands:

devcon disable *dev_8168*
devcon enable *dev_8168*

(You need to download devcon.exe and put it in the %windir%\system32 folder if you want to try it)
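
One way to run the DNS and HTTP checks described in the answers by hand, as an added example that is not part of the original posts. It reads the probe settings from the registry key quoted above, resolves the DNS probe host with and without the hosts file, and fetches the web probe file; the function name `Test-NcsiProbe`, the 10-second timeout and the pass/fail comparisons are assumptions of this example, not NCSI's own logic.

```powershell
# Added example. Test-NcsiProbe is a hypothetical name; the registry key and
# value names are the ones quoted on this page.
function Test-NcsiProbe {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet',
        [int]$TimeoutSec = 10   # assumption: arbitrary timeout for this manual check
    )
    $cfg = Get-ItemProperty -Path $KeyPath

    # Resolve the DNS probe host; -NoHostsFile shows the resolver's own answer.
    $resolve = {
        param([switch]$SkipHosts)
        try {
            Resolve-DnsName -Name $cfg.ActiveDnsProbeHost -Type A -DnsOnly `
                -NoHostsFile:$SkipHosts -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
        } catch { Write-Verbose "DNS lookup failed: $($_.Exception.Message)" }
    }
    $effective = @(& $resolve)              # hosts file honoured
    $fromDns   = @(& $resolve -SkipHosts)   # hosts file skipped

    # Fetch the web probe file and compare its body with the expected content.
    $uri  = 'http://{0}/{1}' -f $cfg.ActiveWebProbeHost, $cfg.ActiveWebProbePath
    $body = $null
    try {
        $body = [string](Invoke-WebRequest -Uri $uri -UseBasicParsing `
            -TimeoutSec $TimeoutSec -ErrorAction Stop).Content
    } catch { Write-Verbose "Web probe failed: $($_.Exception.Message)" }

    [pscustomobject]@{
        DnsProbeHost    = $cfg.ActiveDnsProbeHost
        DnsExpected     = $cfg.ActiveDnsProbeContent
        DnsEffective    = $effective -join ','
        DnsFromResolver = $fromDns -join ','
        DnsProbeOk      = $effective -contains $cfg.ActiveDnsProbeContent
        # The resolver answered, but not with the expected address (e.g. a rewritten record).
        ResolverAltered = ($fromDns.Count -gt 0) -and ($fromDns -notcontains $cfg.ActiveDnsProbeContent)
        # A hosts entry is masking what the resolver actually returns.
        HostsOverride   = ($effective -join ',') -ne ($fromDns -join ',')
        WebProbeUri     = $uri
        WebProbeOk      = ($null -ne $body) -and ($body.Trim() -eq $cfg.ActiveWebProbeContent)
    }
}

Test-NcsiProbe -Verbose | Format-List
```

Running it once with the VPN connected and once without shows which probe changes; `HostsOverride = True` together with `ResolverAltered = True` is the state described in the second answer, where the hosts entry hides a rewritten DNS answer.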