wiki:OpenvpnMSIInstaller

Version 3 (modified by Samuli Seppänen, 5 years ago)


Introduction

At the Lviv hackathon we agreed on the following things:

  • OpenVPN 2.5 Windows installer should be MSI-based
  • The installer should include OpenVPN, OpenVPNService, tap-windows6 etc., each as a separate MSI feature
  • People who want to install just tap-windows6 can disable the OpenVPN features
  • We should not try to embed MSI installers into MSI installers due to lack of good documentation
  • Each installation architecture/target will get its own MSI installer
  • We should bundle all the MSI installers into a thin wrapper executable, such as a self-extracting p7zip archive with a script hook that detects which MSI to launch
  • The individual MSI files should also be made available for more technical users as well as system administrators

Installer targets

There are several "targets" for the installer. We not only have the architecture split (i386, x64, arm64), but also different types of kernel-mode signatures for tap-windows6:

Operating system       KM signature            i386  x64  arm64
Windows 7/8            Cross-signed            X     X
Windows 10             Attestation-signed[1]   X     X    X
Windows Server 2012r2  Cross-signed                  X
Windows Server 2016    WHQL-certified                X
Windows Server 2019    WHQL-certified                X

So we have the following architecture-signature combinations:

  1. i386/x64 cross-signed
  2. i386/x64/arm64 attestation signed
  3. x64 WHQL certified
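
The target selection that the wrapper's script hook would have to perform, sketched as an added example (not OpenVPN project code). The function names, the OS class labels and the treatment of Windows 8.1 as part of "Windows 7/8" are assumptions; hosts outside the table are rejected rather than given a driver whose kernel-mode signature may not load.

```python
# Added example, not OpenVPN project code. Inputs are what the hook would read
# from the host: NT version, Win32_OperatingSystem.ProductType, CPU architecture.
CROSS, ATTEST, WHQL = "cross-signed", "attestation-signed", "WHQL-certified"

# One entry per row group of the table: OS class -> (KM signature, architectures).
TARGETS = {
    "client-6.x": (CROSS, {"i386", "x64"}),            # Windows 7/8
    "client-10": (ATTEST, {"i386", "x64", "arm64"}),   # Windows 10
    "server-6.3": (CROSS, {"x64"}),                    # Windows Server 2012r2
    "server-10": (WHQL, {"x64"}),                      # Windows Server 2016/2019
}


def classify(major, minor, product_type):
    """Map NT version + product type to an OS class, or None if not in the table."""
    is_server = product_type in (2, 3)   # 1 = workstation, 2 = DC, 3 = server
    if (major, minor) == (10, 0):
        # Windows 10 and Server 2016/2019 all report 10.0; only the product
        # type separates attestation-signed from WHQL-certified targets.
        return "server-10" if is_server else "client-10"
    if major == 6 and is_server:
        return "server-6.3" if minor == 3 else None
    if major == 6 and minor in (1, 2, 3):  # 7, 8; 8.1 included as an assumption
        return "client-6.x"
    return None


def select_target(major, minor, product_type, arch):
    """Return (km_signature, arch); raise instead of guessing a fallback MSI."""
    os_class = classify(major, minor, product_type)
    if os_class is None:
        raise LookupError(f"no installer target for NT {major}.{minor}")
    signature, archs = TARGETS[os_class]
    if arch not in archs:
        raise LookupError(f"no {signature} build for {arch} on {os_class}")
    return signature, arch


if __name__ == "__main__":
    # Constructed sample hosts: (major, minor, product_type, arch)
    for host in [(6, 1, 1, "i386"), (10, 0, 1, "arm64"), (10, 0, 3, "x64")]:
        print(host, "->", select_target(*host))
```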

The user-mode signatures for openvpn.exe, openvpnserv.exe etc. can be created with standard, non-EV Authenticode keys on all platforms.

Notes

[1] The requirement for attestation signatures in kernel-mode code came into Windows 10 quite early. It is not known whether really old Windows 10 versions can load attestation-signed drivers, but that seems likely. Even if they don't, we may not want to support those.