openvpn 2.5 - using wintun
Starting with release 2.5 openvpn added support for wintun interfaces. To enable utilization of wintun interfaces, you need to make some adjustments.
Starting with release 2.5 openvpn added support for wintun adapters (on windows hosts). This is great because wintun is quite a modern piece of software made by the developers of wireguard.
How compares wintun to TAP adapters?
Wintun at it's core is a very compact driver that provides virtual interfaces that may be used to transport layer 3 (IP) packets. This means wintun transports IP packets that should be routed using this adapter - not more, not less. This and the overall efficient codebase provide a higher throughput - some user benchmarks are showing huge improvements here.
Wintap on the other side is a TAP adapter that transports layer 2 (Ethernet) packets. This implies that routed packets are a little bit larger (as there's an additional header to be included). This also implies that there's additional traffic sent - like broadcast traffic that doesn't occur on layer 3.
Overall this means that TAP adapters offer additional use cases like L2 communication and can provide connectivity using alternative protocols. You may use TAP adapters even to bridge networks.
This means:
- If you're openvpn in a roadwarrior scenario and users are connecting to corporate network, you should use wintun because it provides overall faster connection setup and is a perfect match for this scenario.
- If you're using openvpn in an advanced setup and require L2 access or need to bridge networks, use TAP adapters instead.
How to enable wintun?
Switching from TAP to wintun is straight forward.
Install openvpn 2.5
The most important part is that you install openvpn with at least version 2.5 or newer and enable wintun during setup (enabled by default). This will create a wintun network interface.
Adjust configuration
To get openvpn connect using this interface you'll also need to adjust the openvpn configuration files that the client will connect using wintun. Open up configuration file in your favorite editor and add the following directive:
Connecting will now show usage of the wintun interface in the log:
That's it - you're now connected successfully using a wintun interface.
Adding wintun interfaces
Depending on your needs you may establish multiple VPN connections at the same time. Using wintun this is working just like using multiple TAP adapters in the past.
This snipped shows how to create an additional wintun interface and optionally how to disable DNS client to register interface's IP address (unless it's required). You may of course add multiple interfaces by executing the command multiple times - it may be reasonable to stick up to five interfaces, if you need more simultaneous connections you should consider thinking about your overall network architecture :-)
For the sake of completeness: If you want to create additional TAP adapters you may also use tapctl.exe - just omit the hwid or set hwid = "root\\0901".