In the Lviv hackathon the we agreed on the following things:

  • OpenVPN 2.5 Windows installer should be MSI-based
  • We won't provide NSIS installers for 2.5 unless there are major issues in the MSI
  • The installer should include OpenVPN, OpenVPNService, tap-windows6 etc. each as separate MSI feature
  • People who want to install just tap-windows6 can disable the OpenVPN features
  • We should not try to embed MSI installers into MSI installers due to lack of good documentation
  • Each installation architecture/target will get its own MSI installer
  • We should bundle all the MSI installer into a thin wrapper executable, such as a self-extracting p7zip archive with a script hook that detect which MSI to launch
  • The individual MSI files should also be made available for more technical users as well as system administrators
  • The custom action DLL used in the tap-windows6 MSI installation logic could be included in openvpn.git, so that openvpn-build could easily build and sign it, just as is done with openvpn.exe and openvpnserv.exe. Having it in tap-windows6 repository would make signing that DLL slightly more problematic, as we don't really sign anything with the tap-windows6 buildsystem anymore.
  • The MSI (WiX) code can be placed into a subdirectory in openvpn-build Git repository alongside "generic", "msvc" and "windows-nsis". The MSI should consume the artefacts that the openvpn-build cross-compile process produces.
  • The documentation and instructions on how to deploy, transform, or parameterize MSI packages should be published on Wiki and/or in the openvpn-build readme.

Installer targets

There are several "targets" for the installer. We not only have the architecture split (i386, x64, amd64), but also different types of kernel-mode signatures for tap-windows6:

Operating systemKM signature i386x64arm64
Windows 7/8 Cross-signed X X
Windows 10 Attestation-signed[1] X X X
Windows Server 2012r2 Cross-signed X
Windows Server 2016 WHQL-certified X
Windows Server 2019 WHQL-certified X

So we have the following architecture-signature combinations for tap-windows6:

  1. i386/x64 cross-signed
  2. i386/x64/arm64 attestation signed
  3. x64 WHQL certified

The user-mode signatures for openvpn.exe, openvpnserv.exe etc. can be created with standard, non-EV authenticode keys on all platforms.


[1] The requirement for attestation signatures in kernel-mode code came into Windows 10 quite early. It is not know if really old Windows 10 version can load attestation-signed drivers, but that seems likely. Even if they don't we may not want to support those

Last modified 2 weeks ago Last modified on 10/10/18 07:10:23