Table of Contents
The OpenVPN's Windows TAP-drivers consists of four files for each platform (32/64-bit):
- <something>.cat: contains cryptographic signature for the actual drivers
- <something>.sys: contains the actual driver
- <something>.inf: contains driver metadata
If you need to run OpenVPN on Windows Vista/7 64-bit you have to use signed TAP drivers. Unless you sign them yourself, you need to extract drivers from an existing OpenVPN installer. See below for instructions.
OpenVPN installers come bundled with a command-line tool called <tap-windows-install-dir>\bin\devcon.exe for managing the TAP-driver. Two wrapper scripts, addtap.bat and deltapall.bat are also available in the same directory. For details on devcon.exe usage look at Microsoft's Devcon.exe documentation.
- OpenVPN 2.3_alpha1 and earlier devcon.exe was called tapinstall.exe.
- OpenVPN 2.3_rc2 installer does not install TAP utilities by default. This bug is fixed in later releases.
Manual configuration of the TAP-Windows adapter
On XP Go to Start -> Control Panel -> Network Connections.
You should see a "TAP-Windows Adapter" with a name like "Local Area Connection 3". Right click and rename this to something shorter and without embedded spaces such as "my-tap".
Now right click again and select properties.
Select Internet Protocol (TCP/IP) from the list and click on "Properties".
Set the IP address and subnet mask of your new TAP device. For the example below we will use an IP of 10.3.0.1 and a subnet mask of 255.255.255.0. Other fields can be left as they are.
Note also that the command line tool "netsh" can do many of these same functions.
For example, the following command will set the IP and subnet for my-tap:
$ netsh interface ip set address my-tap static 10.3.0.1 255.255.255.0
This setting is persistent across reboots.
Installing and uninstalling TAP-drivers
Occasionally you may need play with different TAP-driver versions. In this case you can use devcon.exe from the Windows command-prompt. Below are some common commands:
List available TAP-Windows adapters:
$ openvpn --show-adapters Available TAP-Windows devices:  'my-tap'
List network interfaces (incl. TAP-Windows adapters):
View information about an installed driver:
$ devcon.exe hwids <id>
Uninstall a TAP-driver:
$ devcon.exe remove <id>
Install a new TAP-driver:
$ devcon.exe install <something.inf> <id>
Update a TAP-driver:
$ devcon.exe update <something.inf> <id>
- <id> refers to the driver identifier which is tap0901 for OpenVPN 2.2+, but may be different in older/newer OpenVPN versions.
- <something.inf> is typically OemWin2k.inf.
By installing multiple times, you will create additional TAP-Windows adapter instances, which can be used for multiple concurrent VPN tunnels. It is also possible to install using Control Panel -> Add New Hardware, and it is possible to uninstall using Control Panel -> System -> Hardware -> Device Manager.
Extracting TAP-drivers from OpenVPN installers
Extracting TAP-drivers from an OpenVPN installer is relatively easy: you can use 7-zip to open the installer executable. There are both 32-bit and 64-bit versions, but the latter are larger in size.
Windows TAP device naming
Basically what happens when you install the TAP-Windows driver is that you get a new network adapter that shows up in your network control panel. You right click on the TAP adapter and set the TCP/IP properties, i.e. IP address and netmask. Then you rename the TAP adapter icon to something like "my-tap" and reference it using the --dev-node option in OpenVPN.
Windows also has command line utilities to accomplish these same kinds of tasks such as "devcon", "netsh", and "ipconfig".
Renaming the TAP-driver
Look at this page for a script that can be used to rename TAP-drivers.
Debugging installation problems
People occasionally report tap-windows installation issues, assuming they are all caused by a single bug, because devcon.exe gives the same error message/code. This is unfortunately not the case, and the reason for a install failure could be:
- Lack of privileges for installing the driver(?)
- Broken driver
- Invalid driver signature
- Expired driver signature
- Conflicting drivers: pretty much every OpenVPN-based VPN service has it's own Windows client installer, which install some version of the tap-windows driver. If the installers do a bad job, they could end up installing tap-windows drivers that conflict with the official OpenVPN tap-windows drivers.
- Something else
An exhaustive PPTX presentation of Windows driver installation can be downloaded from here. The basic process of driver installation is this:
- The driver is imported in the driver store
- The driver is installed to driver folder
- The driver is loaded
The setupapi.dev.log (see below) should tell you at which phase the driver installation failed. The presentation linked to above also shows common debugging steps that should prove useful.
In case you have tap-windows installation issues, you should try the following:
- Back up all OpenVPN configuration files, both for official and for unofficial OpenVPN Windows installers
- Uninstall the official OpenVPN Windows client using it's own uninstaller
- Uninstall any unofficial OpenVPN Windows clients using their own uninstallers or Add/Remove? programs
- Note that many of these are not called OpenVPN at all
- Remove all installed tap-windows drivers
- Note that many of these are not called tap-windows at all
- Remove tap-windows drivers from the driver store
- Note that you may not be able to remove all TAP-Windows adapters from the driver store
- Try installing OpenVPN using the official installer
If you're still having issues installing the tap-windows driver, you should try installing it on another computer. If installation to another computer works, it's highly likely the problem is in your system, not in the OpenVPN/tap-windows installer itself.
You can further debug tap-windows installation issues by looking at the common log file for all Windows driver installations, which on Windows 7 is normally located in C:\Windows\inf\setupapi.dev.log. If you're filing a bug report, you should attach the logs for the tap-windows installation part to the bug report.
Sometimes tap-windows install failures are related to registry corruption. For details, look at these forum postings: