TAP-Windows driver (NDIS 6)
This is an NDIS 6 implementation of the TAP-Windows driver, used by OpenVPN and other apps. NDIS 6 drivers can run on Windows Vista or higher.
Build
To build, the following prerequisites are required:
- Python 2.7
- Microsoft Windows 7 WDK (Windows Driver Kit)
- Windows code signing certificate
- Git (not strictly required, but useful for running commands using bundled bash shell)
- MakeNSIS (optional)
- Patched source code directory of devcon sample from WDK (optional)
- Prebuilt tapinstall.exe binaries (optional)
Make sure you add Python's install directory (usually c:\python27) to the PATH environment variable.
These instructions have been tested on Windows 7 using Git Bash, as well as on Windows 2012 Server using Git Bash and Windows Powershell.
View build script options:
$ python buildtap.py Usage: buildtap.py [options] Options: -h, --help show this help message and exit -s SRC, --src=SRC TAP-Windows top-level directory, default=<CWD> --ti=TAPINSTALL tapinstall (i.e. devcon) directory (optional) -d, --debug enable debug build -c, --clean do an nmake clean before build -b, --build build TAP-Windows and possibly tapinstall (add -c to clean before build) --sign sign the driver files (disabled by default) -p, --package generate an NSIS installer from the compiled files --cert=CERT Common name of code signing certificate, default=openvpn --crosscert=CERT The cross-certificate file to use, default=MSCV- VSClass3.cer --timestamp=URL Timestamp URL to use, default=http://timestamp.verisign.c om/scripts/timstamp.dll -a, --oas Build for OpenVPN Access Server clients
Edit version.m4 and paths.py as necessary then build:
$ python buildtap.py -b
On successful completion, all build products will be placed in the "dist" directory as well as tap6.tar.gz. The NSIS installer package will be placed to the build root directory.
Note that due to the strict driver signing requirements in Windows 10 you need an EV certificate to sign the driver files. These EV certificates may be stored inside a hardware device, which makes fully automated signing process difficult, dangerous or impossible. Eventually the signing process will become even more involved, with drivers having to be submitted to the Windows Hardware Developer Center Dashboard portal. Therefore, by default, this buildsystem no longer signs any files. You can revert to the old behavior by using the --sign parameter.
Building tapinstall (optional)
The build system supports building tapinstall.exe (a.k.a. devcon.exe). However the devcon source code in WinDDK does not build without modifications which cannot be made public due to licensing restrictions. For these reasons the default behavior is to reuse pre-built executables. To make sure the buildsystem finds the executables create the following directory structure under tap-windows6 directory:
tapinstall └── 7600 ├── objfre_wlh_amd64 │ └── amd64 │ └── tapinstall.exe └── objfre_wlh_x86 └── i386 └── tapinstall.exe
This structure is equal to what building tapinstall would create. Replace 7600 with the major number of your WinDDK version. Finally call buildtap.py with "--ti=tapinstall".
Please note that the NSIS packaging (-p) step will fail if you don't have tapinstall.exe available. Also don't use the "-c" flag or the above directories will get wiped before MakeNSIS is able to find them.
Install/Update/Remove
The driver can be installed using a command-line tool, tapinstall.exe, which is bundled with OpenVPN and tap-windows installers. Note that in some versions of OpenVPN tapinstall.exe is called devcon.exe. To install, update or remove the tap-windows NDIS 6 driver follow these steps:
- place tapinstall.exe/devcon.exe to your PATH
- open an Administrator shell
- cd to dist
- cd to amd64 or i386 depending on your system's processor architecture.
Install:
$ tapinstall install OemVista.inf TAP0901
Update:
$ tapinstall update OemVista.inf TAP0901
Remove:
$ tapinstall remove TAP0901
Notes on proxies
It is possible to build tap-windows6 without connectivity to the Internet but any attempt to timestamp the driver will fail. For this reason configure your outbound proxy server before starting the build. Note that the command prompt also needs to be restarted to make use of new proxy settings.
Notes on Authenticode signatures
Recent Windows versions such as Windows 10 are fairly picky about the Authenticode signatures of kernel-mode drivers. In addition making older Windows versions such as Vista play along with signatures that Windows 10 accepts can be rather challenging. A good starting point on this topic is the building tap-windows6 page on the OpenVPN community wiki. As that page points out, having two completely separate Authenticode signatures may be the only reasonable option. Fortunately there is a tool, Sign-Tap6, which can be used to append secondary signatures to the tap-windows6 driver or to handle the entire signing process if necessary.
License
See the file COPYING.