Version 4 (modified by 11 years ago) (diff) | ,
---|
Introduction
TAP-Windows is an OpenVPN subproject in GitHub. TAP-Windows is built on a Windows box, and the OpenVPN cross-compile buildsystem takes care of embedding the produced TAP-Windows installer into the OpenVPN Windows installer.
Setting up the Windows build computer
First install a recent version of Windows DDK and NSIS.
Next clone the tap-windows repository, e.g. using Git Bash:
$ cd /c/users/myuser $ git clone https://github.com/OpenVPN/tap-windows
Now set some environment variables:
set DDK=c:\WINDDK\7600.16385.1 set DEVCON32=c:\WINDDK\7600.16385.1\tools\devcon\i386\devcon.exe set DEVCON64=c:\WINDDK\7600.16385.1\tools\devcon\amd64\devcon.exe set DEVCON_BASENAME=devcon.exe set SIGNTOOL=c:\WINDDK\7600.16385.1\bin\x86\signtool.exe set MAKENSIS=C:\Program Files (x86)\NSIS set OUTDIR=c:\users\myuser\tap-windows
Some of these variables have sane default values, and you many not need to define all of them. If you use self-signed test certificates you also need these variables:
set CODESIGN_PKCS12=c:\Users\John\tap-windows\my-self-signed-certificate.p12 set CODESIGN_PASS=mypassphrase set CODESIGN_ISTEST=yes
For paid-for software publisher certificates (SPC) you'd use something like this:
set CODESIGN_PKCS12="c:\Users\John\tap-windows\my-software-publisher-certificate.p12" set CODESIGN_PASS=mypassphrase set CODESIGN_ISTEST=no set CODESIGN_CROSS="C:\Users\John\tap-windows\ca-cross-certificate.crt" set CODESIGN_TIMESTAMP="http://timestamp.domain.com"
If you imported the kernel-mode code-signing certicate using Internet Explorer, you can use certmgr.exe to export it in PFX (=PKCS12) format. Just make sure to include the private key in the file and to give it a sufficiently strong password, which you then define using CODESIGN_PASS variable. The CA cross certificate can be obtained from your CA and most likely needs no modifications. The URL for the timestamping service is CA-specific, but trivial to locate.
To simplify variable setting in the future, you can create a batch file with all the above commands and run it before running configure.bat.
Building TAP-windows
First you need to configure the tap-windows build to use the variables you defined. Do this from a Visual Studio command prompt:
> configure
This copies the variables to tap-windows\config-env.bat and various other places. All that's left is to build the tap-windows drivers:
> build
If you want to customize the build further, e.g. to build a custom TAP-Windows driver that can coexist with stock OpenVPN TAP-Windows driver, you can edit the version.m4 or create a separate config-local.m4. Any variables in config-local.m4 should override those in version.m4.
For details on available environment variables see
> configure --help
Finally, if you're generating an OpenVPN installer with the your modified TAP-Windows driver, put the TAP-Windows installer on a webserver and point the OpenVPN cross-compile buildsystem to it.