21H2 PCs will not download updates when connected to VPN. All other OSs are fine

[TanyaC]

Please forgive me if I come across a bit blunt. I'm really struggling with this as the VPN provider's customer service is absolutely terrible. Their answer to all things Network and Internet related is "DNS".
Please also forgive me for the length of this post. I'm not a network expert at all. I'm a complete novice, though I am willing to learn. I just need some guidance.

I am currently testing 21H2 for a rollout in December to all PCs. I have found that when connected to the VPN updates will be detected on our server but will remain in a downloading 0% state indefinitely. Looking at Windows update logs I see two errors 0x802400007 and 0x80200010. Quite by accident I disconnected the VPN and updates started downloading and installing immediately.

The test PC and the server (2012 R2) are connected to the same switch and are littterally 2 feet apart.

We use NordVPN. Their customer service is the worst I've ever encountered, the only other company that is worse is Microsoft. We don't use their client software for many reasosns, not the least of which is it doesn't work properly anyway. We just use OpenVPN software v2.5.7 with the unmodified .ovpn files provided by NordVPN.

I do recall hearing about some Windows patches causing problems with VPNs, but we are not experiencing any problems with the VPN perse. It connects, it's fast and stable. Unless I'm mistaken the issues with Windows have been resolved and were not affecting us anyway.

The test-PC is running 21H2 19044.2132. We have .net 3.5 and .net 6 installed and Office 2016. So 3 products to be updated.
The test-PC connects to the server 2012 R2 (why we're still on that is another story), that runs WSUS, IIS, MySQL and Coldfusion.
Group policy forbids the connection to Microsoft Update Internet locations, and does not allow the download of drivers from Microsoft.
We don't use Delivery Optimization - don't need it because we use WSUS. So BITS is set to Bypass (100).

If I unplug the router from the NBN NTD, so the PCs can get their IP addresses from the DHCP server, but have LAN access only and no Internet access everything works fine. In this scenario it is impossible fot the VPN to connect.
Hence updates download and install fine.

So, is this an OpenVPN issue?
I'm in Australia. I went to the OpenVPN forums and asked some questions and promptly got abused for being Australian and inundated with abuse about how corrupt Australian politicians are. No help there.

So now I'm here.
When connected to the VPN - updates are detected but will not download or install
As soon as the VPN is disconnected they download and install fine.

NordVPNs advice - point the TAP adapter and local adapters to Google's DNS servers, something they previous told me never to do (not because it's google, but because it "breaks VPN security" according to them).

Could this be an LAN configuration issue? Router?
What tests could I do to isolate the issue?
Is anyone familiar with such a scenario and have any advice or pointers to locations that might provide some guidnace?
Doesn't LAN traffic remain local? Are NordVPN really saying ALL LAN traffic should be routed via a public DNS server for updates to download and install?

What information would you like me to provide to assist with resolving this issue?

Again, sorry for the long post.
Would appreciate any guidance any one can provide.

thank you.

 

[RMerlin]

The VPN is required because people here are working from home and their employer requires that they use a VPN. Besides, it's just good sense in this day and age to be using a VPN.

We use NordVPN

That doesn't make any sense... You are supposed to have the remote workers connect to your own VPN server running at the office so they can securely remotely access the office network, not to a third party tunnel provider that will only hide your public Ip from remote servers. These are two totally different setups for different goals.

 

[TanyaC]

It is what it is. The businesses were fine with them using a consumer VPN. But I think I think I've already muddied the water.
Let's forget I mentioned working from home. So maybe they're dumber than me, I'm not going to tell them how to suck eggs.

The VPNs here are clients. The Server here is not used as a "VPN server" it's used for WSUS, file and print, database and internal websites.

The issue I'm trying to resolve has nothing to do with working from home or where the VPN server is. Bottom line, all PCs here are connected to a VPN all of the time that they are powered on.

I have a Windows 10 21H2 PC I've set up for testing. When connected to the VPN updates will hang at 0% downloading. If I disconnect from the VPN updates will download from the WSUS server and install fine.

The description for 0x80200010: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

 

[Gary_Dexter]

You're using one server for WSUS, file/DFS services, Print services etc.?

 

[TanyaC]

Yes, sorry, I managed to confuse everyone.
I have a server I use for media storage, intranet websites, MySQL, Cold Fusion and Kodi. There are 10 PCs here that connect to it.

A couple of the PCs are used to connect to various employer sites. These employers, who are more tecnically inept than me have required that their employees connect to the office services using a VPN, any VPN. They do NOT run VPN servers at their end... they just feel that having the employees who work remotely using any VPN service is somehow safer. I'm not going to tell them how to suck eggs.

For example, one person is a personal carer. He works for a company called simply helping. He gets his appointments from their website. They told him he must connect to their website, login and get his schedule whilst connected to a VPN. Hence "why are we using a VPN".

So, when he wants to get an update from MY server it was sitting in a Downloading 0% state indefinately when connected to the VPN.

Since the VPN is used for many, many reasons we just stay connected all the time and I have actually automated the connection at startup.

Anyhow... I resovlved the issue. And sorry, but I forgot about this post.

Windows had some broken CU that reading the technotes, should not have affected us, but I found that after updating from OpenVPN 2.5.7 to 2.5.8 and applying the next months preview update that the problem was resolved. The next CU should have the fixes integrated, which is due on Dec patch Tuesday. Fingers crossed that will be the end of this issue.

 

[Weston]

VPN has nothing to do with the updates. Just make sure the WSUS servers are reachable, try to ping the WSUS server IP address, if it is reachable, go and check for the updates.

Try disconnecting the VPN and then download the updates. WSUS server might be blocking the VPN server IP address.