Introduction
TAP-Windows is an OpenVPN subproject on GitHub. TAP-Windows is built on a Windows box, and the OpenVPN cross-compile buildsystem takes care of embedding the produced TAP-Windows installer into the OpenVPN Windows installer.
Setting up the Windows build computer
First install a recent version of Windows DDK and NSIS.
Next clone the tap-windows repository, e.g. using Git Bash:
$ git clone https://github.com/OpenVPN/tap-windows
Next you need to set some environment variables. For self-signed test certificates use something like this:
set CODESIGN_PKCS12=c:\Users\John\tap-windows\my-self-signed-certificate.p12
set CODESIGN_PASS=mypassphrase
set CODESIGN_ISTEST=yes
For paid-for software publisher certificates (SPC) you'd use something like this:
set CODESIGN_PKCS12="c:\Users\John\tap-windows\my-software-publisher-certificate.p12"
set CODESIGN_PASS=mypassphrase
set CODESIGN_ISTEST=no
set CODESIGN_CROSS="C:\Users\John\tap-windows\ca-cross-certificate.crt"
set CODESIGN_TIMESTAMP="http://timestamp.domain.com"
If you imported the kernel-mode code-signing certificate using Internet Explorer, you can use certmgr.exe to export it in PFX (=PKCS12) format. Just make sure to include the private key in the file and to give it a sufficiently strong password, which you then define using the CODESIGN_PASS variable. The CA cross certificate can be obtained from your CA and most likely needs no modifications. The URL for the timestamping service is CA-specific, but trivial to locate.
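A pre-flight check for the variables above, to run in the same command prompt before configure. This is an added example, not part of the tap-windows build system; the file name preflight.bat is hypothetical, and the rule that a non-test build needs both CODESIGN_CROSS and CODESIGN_TIMESTAMP is an assumption taken from the SPC example on this page.

```bat
@echo off
rem preflight.bat (hypothetical name): check the CODESIGN_* variables described
rem above before running "configure". Added example, not part of tap-windows.
setlocal EnableExtensions
set "ERR=0"

if not defined CODESIGN_PKCS12 goto :no_p12
rem %VAR:"=% strips the optional quotes used in the SPC example above.
set "P12=%CODESIGN_PKCS12:"=%"
if not exist "%P12%" echo ERROR: PKCS12 file not found: "%P12%" & set "ERR=1"
goto :check_pass
:no_p12
echo ERROR: CODESIGN_PKCS12 is not set
set "ERR=1"

:check_pass
rem "if not defined" never expands the passphrase, so it is not echoed or parsed.
if not defined CODESIGN_PASS echo ERROR: CODESIGN_PASS is not set & set "ERR=1"

if /i "%CODESIGN_ISTEST%"=="yes" goto :done
if /i "%CODESIGN_ISTEST%"=="no" goto :production
echo ERROR: CODESIGN_ISTEST must be yes or no
set "ERR=1"
goto :done

:production
rem Assumption: a non-test build needs both extra variables from the SPC example.
if not defined CODESIGN_CROSS goto :no_cross
set "CROSS=%CODESIGN_CROSS:"=%"
if not exist "%CROSS%" echo ERROR: cross certificate not found: "%CROSS%" & set "ERR=1"
goto :check_ts
:no_cross
echo ERROR: CODESIGN_CROSS is not set
set "ERR=1"
:check_ts
if not defined CODESIGN_TIMESTAMP echo ERROR: CODESIGN_TIMESTAMP is not set & set "ERR=1"

:done
if "%ERR%"=="0" (echo CODESIGN_* variables look consistent) else (echo Fix the errors above before running configure)
exit /b %ERR%
```

Since configure copies these variables into tap-windows\config-env.bat, treat that file as being as sensitive as the .p12 file if it includes CODESIGN_PASS.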
Building TAP-Windows
First you need to configure the tap-windows build to use these variables. Run the following from a Visual Studio command prompt:
> configure
This copies the variables to tap-windows\config-env.bat, which is included during build. All that's left is to build the tap-windows drivers:
> build
Further customization for MSVC can be done using the config-local.m4 file, which overrides variables, or with environment variables, which override the auto-detection code. This can be used, for example, to specify a custom DDK location. For details, see
> configure --help
Finally, if you're generating an OpenVPN installer with your modified TAP-Windows driver, put the TAP-Windows installer on a webserver and point the OpenVPN cross-compile buildsystem to it.