MSI-installed client (v1.6.x) fails to establish tunnel on Windows 11

[kchudy]

Discussed in #824

^{Originally posted by F1L337 April 23, 2026}
Hello everyone,

I am experiencing issues with the Defguard client when installed via MSI (tested with versions 1.6.0 through 1.6.8).

Environment

• OS: Windows 11
• Defguard: v2.0.0-beta1
• Installation method: MSI installer

Issue

The client starts normally and authentication via Keycloak works successfully. However, the VPN tunnel is not established.

Observations

• No VPN adapters are visible in Get-NetAdapter
• The WireGuard interface appears to be created temporarily but fails during configuration
• The following error appears in the logs:

CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)

Troubleshooting performed

• Uninstalled all previous Defguard client versions
• Removed other VPN clients (including OpenVPN and TAP adapters)
• Verified that no VPN adapters are present in the system
• Reset network stack (netsh int ip reset, netsh winsock reset)
• Rebooted the system

Comparison

When using the .exe installer from version 1.5.2, the exact same setup works without any issues.

Question

Is this a known issue related to the MSI installation?
Are there any known workarounds or additional debugging steps I could try?

Logs

Click to expand logs

[23.4.2026, 10:59:37][INFO][Client] Automatically retrieved the newest instance configuration from core for 1 instances, sleeping for 30s
[23.4.2026, 10:59:55][DEBUG][VPN] Initializing ServiceLocationApi
[23.4.2026, 10:59:55][DEBUG][VPN] Creating directory: "C:\\ProgramData\\Defguard\\service_locations"
[23.4.2026, 10:59:55][DEBUG][VPN] Setting ACLs on service locations directory
[23.4.2026, 10:59:55][DEBUG][VPN] Setting secure ACLs on: C:\ProgramData\Defguard\service_locations
[23.4.2026, 10:59:55][DEBUG][VPN] Removing all existing ACL entries for C:\ProgramData\Defguard\service_locations
[23.4.2026, 10:59:55][DEBUG][VPN] Cleared existing ACL entries, now adding secure entries
[23.4.2026, 10:59:55][DEBUG][VPN] Adding SYSTEM with full control
[23.4.2026, 10:59:55][DEBUG][VPN] Adding Administrators with full control
[23.4.2026, 10:59:55][DEBUG][VPN] Successfully set secure ACLs on C:\ProgramData\Defguard\service_locations for SYSTEM and Administrators
[23.4.2026, 10:59:55][DEBUG][VPN] ServiceLocationApi initialized successfully
[23.4.2026, 10:59:55][INFO][VPN] Service locations storage initialized successfully
[23.4.2026, 10:59:55][INFO][VPN] Attempting to auto-connect to service locations (attempt 1/5)
[23.4.2026, 10:59:55][DEBUG][VPN] Attempting to auto-connect to VPN...
[23.4.2026, 10:59:55][INFO][VPN] Starting network change monitoring
[23.4.2026, 10:59:55][INFO][VPN] Starting login/logoff event monitoring
[23.4.2026, 10:59:55][DEBUG][VPN] Starting Defguard interface management daemon
[23.4.2026, 10:59:55][DEBUG][VPN] Creating named pipe server stream
[23.4.2026, 10:59:55][INFO][VPN] Created named pipe server stream
[23.4.2026, 10:59:55][INFO][VPN] Defguard daemon version 1.6.8-9b7b953 started, listening on named pipe \\.\pipe\defguard_daemon
[23.4.2026, 10:59:55][DEBUG][VPN] Defguard daemon configuration: Config { log_level: "info", log_dir: "/Logs/defguard-service", stats_period: 10 }
[23.4.2026, 10:59:55][DEBUG][VPN] Creating tokio secure pipe
[23.4.2026, 10:59:55][DEBUG][VPN] Creating secure named pipe \\.\pipe\defguard_daemon
[23.4.2026, 10:59:55][DEBUG][VPN] Loaded service locations data for 0 instances
[23.4.2026, 10:59:55][DEBUG][VPN] Loaded 0 instance(s) from ServiceLocationApi
[23.4.2026, 10:59:55][DEBUG][VPN] Auto-connect attempt completed
[23.4.2026, 10:59:55][INFO][VPN] All service locations connected successfully (attempt 1/5)
[23.4.2026, 10:59:55][INFO][VPN] Service location auto-connect task finished
[23.4.2026, 10:59:55][INFO][VPN] Created secure named pipe \\.\pipe\defguard_daemon
[23.4.2026, 10:59:55][INFO][VPN] Created tokio secure pipe
[23.4.2026, 11:00:07][INFO][Client] Automatically retrieved the newest instance configuration from core for 1 instances, sleeping for 30s
[23.4.2026, 11:00:15][INFO][Client] Location DOMAIN- VPN .1(ID: 1) preshared key decoded.
[23.4.2026, 11:00:15][INFO][Client] Created windows gRPC client
[23.4.2026, 11:00:15][DEBUG][VPN] Creating tokio secure pipe
[23.4.2026, 11:00:15][DEBUG][VPN] Creating secure named pipe \\.\pipe\defguard_daemon
[23.4.2026, 11:00:15][INFO][VPN] Created secure named pipe \\.\pipe\defguard_daemon
[23.4.2026, 11:00:15][INFO][VPN] Created tokio secure pipe
[23.4.2026, 11:00:15][DEBUG][VPN] Received a request to create a new interface
[23.4.2026, 11:00:15][DEBUG][VPN] Checking if all commands required by wireguard-rs are available
[23.4.2026, 11:00:15][DEBUG][VPN] All commands required by wireguard-rs are available
[23.4.2026, 11:00:15][DEBUG][VPN] Creating new interface DOMAIN-VPN1
[23.4.2026, 11:00:15][DEBUG][VPN] Opening/creating interface DOMAIN-VPN1
[23.4.2026, 11:00:15][ERROR][VPN] wireguard: Failed to find matching adapter name: Element nicht gefunden. (Code 0x00000490)
[23.4.2026, 11:00:15][DEBUG][VPN] Adapter DOMAIN-VPN1 does not exist, creating
[23.4.2026, 11:00:15][INFO][VPN] wireguard: Using existing driver 0.10
[23.4.2026, 11:00:15][INFO][VPN] wireguard: Creating adapter
[23.4.2026, 11:00:15][INFO][VPN] Opened/created interface DOMAIN-VPN1
[23.4.2026, 11:00:15][INFO][VPN] Done creating a new interface DOMAIN-VPN1
[23.4.2026, 11:00:15][DEBUG][VPN] Preparing DNS configuration for interface DOMAIN-VPN1
[23.4.2026, 11:00:15][DEBUG][VPN] DNS configuration for interface DOMAIN-VPN1: DNS: [192.168.100.1, 192.168.100.2], Search domains: ["DOMAIN--gmbh.de"]
[23.4.2026, 11:00:15][DEBUG][VPN] Configuring interface DOMAIN-VPN1 with config: InterfaceConfiguration { name: "DOMAIN-VPN1", addresses: [IpAddrMask { address: 192.168.20.2, cidr: 32 }], port: 0, peers: [Peer { public_key: xxxxxxxxxxxxxxxxxPUBLIC-KEYxxxxxxxxxxxxxxxxxxxxxxx, protocol_version: None, endpoint: Some(34.44.44.100:51820), last_handshake: None, tx_bytes: 0, rx_bytes: 0, persistent_keepalive_interval: Some(25), allowed_ips: [IpAddrMask { address: 0.0.0.0, cidr: 0 }, IpAddrMask { address: ::, cidr: 0 }], .. }], mtu: None, fwmark: None, .. }
[23.4.2026, 11:00:15][DEBUG][VPN] Preparing peers for adapter DOMAIN-VPN1
[23.4.2026, 11:00:15][DEBUG][VPN] Applying configuration for adapter DOMAIN-VPN1
[23.4.2026, 11:00:15][INFO][VPN] endpoint: 34.44.44.100:51820
[23.4.2026, 11:00:15][DEBUG][VPN] Assigning addresses to adapter DOMAIN-VPN1: [IpAddrMask { address: 192.168.20.2, cidr: 32 }]
[23.4.2026, 11:00:15][ERROR][VPN] Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)
[23.4.2026, 11:00:15][ERROR][VPN] Failed to configure interface DOMAIN-VPN1. Error: code: 'Internal error', message: "Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)"
[23.4.2026, 11:00:15][DEBUG][VPN] Removing newly created interface DOMAIN-VPN1 due to configuration failure
[23.4.2026, 11:00:15][DEBUG][VPN] Removing interface DOMAIN-VPN1
[23.4.2026, 11:00:15][INFO][VPN] Interface DOMAIN-VPN1 removed successfully
[23.4.2026, 11:00:15][ERROR][Client] Failed to send a request to the background service to create an interface for location DOMAIN- VPN .1(ID: 1) with the following configuration: InterfaceConfiguration { name: "DOMAIN-VPN1", addresses: [IpAddrMask { address: 192.168.20.2, cidr: 32 }], port: 0, peers: [Peer { public_key: xxxxxxxxxxxxxxxxxPUBLIC-KEYxxxxxxxxxxxxxxxxxxxxxxx, protocol_version: None, endpoint: Some(34.44.44.100:51820), last_handshake: None, tx_bytes: 0, rx_bytes: 0, persistent_keepalive_interval: Some(25), allowed_ips: [IpAddrMask { address: 0.0.0.0, cidr: 0 }, IpAddrMask { address: ::, cidr: 0 }], .. }], mtu: None, fwmark: None, .. }. Error: code: 'Internal error', message: "Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)"
[23.4.2026, 11:00:15][ERROR][Client] Invoking "connect" failed due to unknown error: "Internal error: Failed to send a request to the background service to create an interface for location DOMAIN- VPN .1(ID: 1). Error: code: 'Internal error', message: \"Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)\". Check logs for details."
[23.4.2026, 11:00:15][ERROR][Client] [unhandled rejection] Invoking "connect" failed due to unknown error: "Internal error: Failed to send a request to the background service to create an interface for location DOMAIN- VPN .1(ID: 1). Error: code: 'Internal error', message: \"Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)\". Check logs for details."
[23.4.2026, 11:00:37][INFO][Client] Automatically retrieved the newest instance configuration from core for 1 instances, sleeping for 30s
[23.4.2026, 11:00:38][DEBUG][VPN] Initializing ServiceLocationApi
[23.4.2026, 11:00:38][DEBUG][VPN] Creating directory: "C:\\ProgramData\\Defguard\\service_locations"
[23.4.2026, 11:00:38][DEBUG][VPN] Setting ACLs on service locations directory
[23.4.2026, 11:00:38][DEBUG][VPN] Setting secure ACLs on: C:\ProgramData\Defguard\service_locations
[23.4.2026, 11:00:38][DEBUG][VPN] Removing all existing ACL entries for C:\ProgramData\Defguard\service_locations
[23.4.2026, 11:00:38][DEBUG][VPN] Cleared existing ACL entries, now adding secure entries
[23.4.2026, 11:00:38][DEBUG][VPN] Adding SYSTEM with full control
[23.4.2026, 11:00:38][DEBUG][VPN] Adding Administrators with full control
[23.4.2026, 11:00:38][DEBUG][VPN] Successfully set secure ACLs on C:\ProgramData\Defguard\service_locations for SYSTEM and Administrators
[23.4.2026, 11:00:38][DEBUG][VPN] ServiceLocationApi initialized successfully
[23.4.2026, 11:00:38][INFO][VPN] Service locations storage initialized successfully
[23.4.2026, 11:00:38][INFO][VPN] Starting network change monitoring
[23.4.2026, 11:00:38][INFO][VPN] Attempting to auto-connect to service locations (attempt 1/5)
[23.4.2026, 11:00:38][DEBUG][VPN] Attempting to auto-connect to VPN...
[23.4.2026, 11:00:38][INFO][VPN] Starting login/logoff event monitoring
[23.4.2026, 11:00:38][DEBUG][VPN] Starting Defguard interface management daemon
[23.4.2026, 11:00:38][DEBUG][VPN] Creating named pipe server stream
[23.4.2026, 11:00:38][INFO][VPN] Created named pipe server stream
[23.4.2026, 11:00:38][INFO][VPN] Defguard daemon version 1.6.8-9b7b953 started, listening on named pipe \\.\pipe\defguard_daemon
[23.4.2026, 11:00:38][DEBUG][VPN] Defguard daemon configuration: Config { log_level: "info", log_dir: "/Logs/defguard-service", stats_period: 10 }
[23.4.2026, 11:00:38][DEBUG][VPN] Creating tokio secure pipe
[23.4.2026, 11:00:38][DEBUG][VPN] Creating secure named pipe \\.\pipe\defguard_daemon
[23.4.2026, 11:00:38][DEBUG][VPN] Loaded service locations data for 0 instances
[23.4.2026, 11:00:38][DEBUG][VPN] Loaded 0 instance(s) from ServiceLocationApi
[23.4.2026, 11:00:38][DEBUG][VPN] Auto-connect attempt completed
[23.4.2026, 11:00:38][INFO][VPN] All service locations connected successfully (attempt 1/5)
[23.4.2026, 11:00:38][INFO][VPN] Service location auto-connect task finished
[23.4.2026, 11:00:38][INFO][VPN] Created secure named pipe \\.\pipe\defguard_daemon
[23.4.2026, 11:00:38][INFO][VPN] Created tokio secure pipe
[23.4.2026, 11:00:50][INFO][Client] Location DOMAIN- VPN .1(ID: 1) preshared key decoded.
[23.4.2026, 11:00:50][INFO][Client] Created windows gRPC client
[23.4.2026, 11:00:50][DEBUG][VPN] Creating tokio secure pipe
[23.4.2026, 11:00:50][DEBUG][VPN] Creating secure named pipe \\.\pipe\defguard_daemon
[23.4.2026, 11:00:50][INFO][VPN] Created secure named pipe \\.\pipe\defguard_daemon
[23.4.2026, 11:00:50][INFO][VPN] Created tokio secure pipe
[23.4.2026, 11:00:50][DEBUG][VPN] Received a request to create a new interface
[23.4.2026, 11:00:50][DEBUG][VPN] Checking if all commands required by wireguard-rs are available
[23.4.2026, 11:00:50][DEBUG][VPN] All commands required by wireguard-rs are available
[23.4.2026, 11:00:50][DEBUG][VPN] Creating new interface DOMAIN-VPN1
[23.4.2026, 11:00:50][DEBUG][VPN] Opening/creating interface DOMAIN-VPN1
[23.4.2026, 11:00:50][ERROR][VPN] wireguard: Failed to find matching adapter name: Element nicht gefunden. (Code 0x00000490)
[23.4.2026, 11:00:50][DEBUG][VPN] Adapter DOMAIN-VPN1 does not exist, creating
[23.4.2026, 11:00:50][INFO][VPN] wireguard: Using existing driver 0.10
[23.4.2026, 11:00:50][INFO][VPN] wireguard: Creating adapter
[23.4.2026, 11:00:50][INFO][VPN] Opened/created interface DOMAIN-VPN1
[23.4.2026, 11:00:50][INFO][VPN] Done creating a new interface DOMAIN-VPN1
[23.4.2026, 11:00:50][DEBUG][VPN] Preparing DNS configuration for interface DOMAIN-VPN1
[23.4.2026, 11:00:50][DEBUG][VPN] DNS configuration for interface DOMAIN-VPN1: DNS: [192.168.100.1, 192.168.100.2], Search domains: ["DOMAIN--gmbh.de"]
[23.4.2026, 11:00:50][DEBUG][VPN] Configuring interface DOMAIN-VPN1 with config: InterfaceConfiguration { name: "DOMAIN-VPN1", addresses: [IpAddrMask { address: 192.168.20.2, cidr: 32 }], port: 0, peers: [Peer { public_key: xxxxxxxxxxxxxxxxxPUBLIC-KEYxxxxxxxxxxxxxxxxxxxxxxx, protocol_version: None, endpoint: Some(34.44.44.100:51820), last_handshake: None, tx_bytes: 0, rx_bytes: 0, persistent_keepalive_interval: Some(25), allowed_ips: [IpAddrMask { address: 0.0.0.0, cidr: 0 }, IpAddrMask { address: ::, cidr: 0 }], .. }], mtu: None, fwmark: None, .. }
[23.4.2026, 11:00:50][DEBUG][VPN] Preparing peers for adapter DOMAIN-VPN1
[23.4.2026, 11:00:50][DEBUG][VPN] Applying configuration for adapter DOMAIN-VPN1
[23.4.2026, 11:00:50][INFO][VPN] endpoint: 34.44.44.100:51820
[23.4.2026, 11:00:50][DEBUG][VPN] Assigning addresses to adapter DOMAIN-VPN1: [IpAddrMask { address: 192.168.20.2, cidr: 32 }]
[23.4.2026, 11:00:50][ERROR][VPN] Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)
[23.4.2026, 11:00:50][ERROR][VPN] Failed to configure interface DOMAIN-VPN1. Error: code: 'Internal error', message: "Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)"
[23.4.2026, 11:00:50][DEBUG][VPN] Removing newly created interface DOMAIN-VPN1 due to configuration failure
[23.4.2026, 11:00:50][DEBUG][VPN] Removing interface DOMAIN-VPN1
[23.4.2026, 11:00:50][INFO][VPN] Interface DOMAIN-VPN1 removed successfully
[23.4.2026, 11:00:50][ERROR][Client] Failed to send a request to the background service to create an interface for location DOMAIN- VPN .1(ID: 1) with the following configuration: InterfaceConfiguration { name: "DOMAIN-VPN1", addresses: [IpAddrMask { address: 192.168.20.2, cidr: 32 }], port: 0, peers: [Peer { public_key: xxxxxxxxxxxxxxxxxPUBLIC-KEYxxxxxxxxxxxxxxxxxxxxxxx, protocol_version: None, endpoint: Some(34.44.44.100:51820), last_handshake: None, tx_bytes: 0, rx_bytes: 0, persistent_keepalive_interval: Some(25), allowed_ips: [IpAddrMask { address: 0.0.0.0, cidr: 0 }, IpAddrMask { address: ::, cidr: 0 }], .. }], mtu: None, fwmark: None, .. }. Error: code: 'Internal error', message: "Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)"
[23.4.2026, 11:00:50][ERROR][Client] Invoking "connect" failed due to unknown error: "Internal error: Failed to send a request to the background service to create an interface for location DOMAIN- VPN .1(ID: 1). Error: code: 'Internal error', message: \"Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)\". Check logs for details."
[23.4.2026, 11:00:50][ERROR][Client] [unhandled rejection] Invoking "connect" failed due to unknown error: "Internal error: Failed to send a request to the background service to create an interface for location DOMAIN- VPN .1(ID: 1). Error: code: 'Internal error', message: \"Failed to configure WireGuard interface DOMAIN-VPN1: CreateIpForwardEntry2: Element nicht gefunden. (os error 1168)\". Check logs for details."
[23.4.2026, 11:01:07][INFO][Client] Automatically retrieved the newest instance configuration from core for 1 instances, sleeping for 30s

[F1L337]

Hello @jakub-tldr,

the defguard-service is running:

---

Here are the additional information you requested: (xxx.x is just a placeholder where the real values are between 0 and 255)

Allowed IPs:
10.xxx.x.0/10,10.xxx.x.0/11,10.xxx.x.0/14,10.xxx.x.0/13,10.xxx.x.0/12,10.xxx.x.0/9,172.xxx.x.0/12,192.168.x.0/16,106.xxx.x.40/32,106.xxx.x.175/32,106.xxx.x.0/24,106.xxx.x.64/26,118.xxx.x.0/24,118.xxx.x.0/24
I have also tested 0.0.0.0/0 and left it empty.

Internal VPN address (CIDR):
192.168.xxx.1/24

I couldn´t test the non-MFA location since this location is curerntly used in Prod.
I have tested with different Allowed IPs Predefined and All Traffic.

Are any other pre-requirements required? Are any other user rights necessary?

[F1L337]

In the logs it seems like instance and gateway names containing "_", "-" or " " are ignored in the logs, depending on the circumstance. I have added them when censoring. Might this be a problem? At least it´s a bug.

[lgwapnitsky]

Similar issue here:

[5/13/2026, 7:41:53 AM][ERROR][Client] Error handling interface for location 2 (connect): Invoking "connect" failed due to unknown error: "Internal error: Failed to create a network interface (wglgw) for tunnel wg_lgw(ID: 2), error message: Failed to configure WireGuard interface wglgw: CreateIpForwardEntry2: The parameter is incorrect. (os error 87). Check logs for more details."