Introduction

The OpenVPN's Windows TAP-drivers consists of four files for each platform (32/64-bit):

• <something>.cat: contains cryptographic signature for the actual drivers
• <something>.sys: contains the actual driver
• <something>.inf: contains driver metadata

If you need to run OpenVPN on Windows Vista/7 64-bit you have to use signed TAP drivers. Unless you sign them yourself, you need to extract drivers from an existing OpenVPN installer. See below for instructions.

OpenVPN installers come bundled with a command-line tool called <tap-windows-install-dir>\bin\devcon.exe for managing the TAP-driver. Two wrapper scripts, addtap.bat and deltapall.bat are also available in the same directory. For details on devcon.exe usage look at ​Microsoft's Devcon.exe documentation.

NOTES:

• OpenVPN 2.3_alpha1 and earlier devcon.exe was called tapinstall.exe.
• OpenVPN 2.3_rc2 installer does not install TAP utilities by default. This bug is fixed in later releases.

Manual configuration of the TAP-Windows adapter

On XP Go to Start -> Control Panel -> Network Connections.

You should see a "TAP-Windows Adapter" with a name like "Local Area Connection 3". Right click and rename this to something shorter and without embedded spaces such as "my-tap".

Now right click again and select properties.

Select Internet Protocol (TCP/IP) from the list and click on "Properties".

Set the IP address and subnet mask of your new TAP device. For the example below we will use an IP of 10.3.0.1 and a subnet mask of 255.255.255.0. Other fields can be left as they are.

Note also that the command line tool "netsh" can do many of these same functions.

For example, the following command will set the IP and subnet for my-tap:

$ netsh interface ip set address my-tap static 10.3.0.1 255.255.255.0

This setting is persistent across reboots.

Installing and uninstalling TAP-drivers

Occasionally you may need play with different TAP-driver versions. In this case you can use devcon.exe from the Windows command-prompt. Below are some common commands:

List available TAP-Windows adapters:

$ openvpn --show-adapters
Available TAP-Windows devices:
[1] 'my-tap'

List network interfaces (incl. TAP-Windows adapters):

$ ipconfig

View information about an installed driver:

$ devcon.exe hwids <id>

Uninstall a TAP-driver:

$ devcon.exe remove <id>

Install a new TAP-driver:

$ devcon.exe install <something.inf> <id>

Update a TAP-driver:

$ devcon.exe update <something.inf> <id>

Notes:

• <id> refers to the driver identifier which is tap0901 for OpenVPN 2.2+, but may be different in older/newer OpenVPN versions.
• <something.inf> is typically OemWin2k.inf.

By installing multiple times, you will create additional TAP-Windows adapter instances, which can be used for multiple concurrent VPN tunnels. It is also possible to install using Control Panel -> Add New Hardware, and it is possible to uninstall using Control Panel -> System -> Hardware -> Device Manager.

Extracting TAP-drivers from OpenVPN installers

Extracting TAP-drivers from an OpenVPN installer is relatively easy: you can use ​7-zip to open the installer executable. There are both 32-bit and 64-bit versions, but the latter are larger in size.

Windows TAP device naming

Basically what happens when you install the TAP-Windows driver is that you get a new network adapter that shows up in your network control panel. You right click on the TAP adapter and set the TCP/IP properties, i.e. IP address and netmask. Then you rename the TAP adapter icon to something like "my-tap" and reference it using the --dev-node option in OpenVPN.

Windows also has command line utilities to accomplish these same kinds of tasks such as "devcon", "netsh", and "ipconfig".

Renaming the TAP-driver

Look at this page for a script that can be used to rename TAP-drivers.