openvpn 2.5 - using wintun

Starting with release 2.5, openvpn added support for wintun adapters on Windows hosts. This is great because wintun is quite a modern piece of software, made by the developers of WireGuard.

How does wintun compare to TAP adapters?

Wintun at its core is a very compact driver that provides virtual interfaces used to transport layer 3 (IP) packets. This means wintun carries the IP packets that are routed through this adapter, nothing more and nothing less. This, together with the overall efficient codebase, provides higher throughput; some user benchmarks show huge improvements here.

Wintap, on the other hand, is a TAP adapter that transports layer 2 (Ethernet) packets. This implies that routed packets are a little bit larger (as there's an additional Ethernet header to be included). It also implies that additional traffic is sent, like broadcast traffic that doesn't occur on layer 3.

Overall this means that TAP adapters offer additional use cases such as L2 communication and connectivity using alternative (non-IP) protocols. You may even use TAP adapters to bridge networks.

This means:

  • If you're using openvpn in a road-warrior scenario where users connect to the corporate network, you should use wintun: it provides faster connection setup overall and is a perfect match for this scenario.
  • If you're using openvpn in an advanced setup and require L2 access or need to bridge networks, use TAP adapters instead.

How to enable wintun?

Switching from TAP to wintun is straightforward.

Install openvpn 2.5

The most important part is that you install openvpn version 2.5 or newer and enable wintun during setup (it is enabled by default). This will create a wintun network interface.

Adjust configuration

To make openvpn connect using this interface you'll also need to adjust the openvpn configuration files so that the client connects using wintun. Open the configuration file in your favorite editor and add the following directive:

windows-driver wintun
openvpn configuration

After connecting, the log now shows the wintun interface being used:

Sat Nov 07 17:11:38 2020 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020
Sat Nov 07 17:11:38 2020 Windows version 10.0 (Windows 10 or greater) 64bit
Sat Nov 07 17:11:38 2020 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
[...]
Sat Nov 07 17:11:46 2020 [XXX] Peer Connection Initiated with [AF_INET]X.X.X.X:XXXXX
Sat Nov 07 17:11:52 2020 open_tun
Sat Nov 07 17:11:52 2020 Ring buffers registered via service
Sat Nov 07 17:11:52 2020 wintun device [OpenVPN Wintun] opened
Sat Nov 07 17:11:55 2020 IPv4 dns servers set using service
Sat Nov 07 17:11:57 2020 DNS domain set using service
Sat Nov 07 17:11:57 2020 IPv4 MTU set to 1500 on interface 3 using service
Sat Nov 07 17:11:57 2020 Blocking outside dns using service succeeded.
Sat Nov 07 17:11:57 2020 Initialization Sequence Completed
Sat Nov 07 17:11:57 2020 Register_dns request sent to the service
openvpn log

That's it: you're now successfully connected using a wintun interface.

Adding wintun interfaces

Depending on your needs you may establish multiple VPN connections at the same time. With wintun this works just like using multiple TAP adapters did in the past.

# Create a new wintun interface
& 'C:\Program Files\OpenVPN\bin\tapctl.exe' create --hwid "wintun"
 
# Disable DNS client IP registration for wintun interfaces (optional)
Get-NetAdapter |? InterfaceDescription -like 'win*' | Set-DnsClient -RegisterThisConnectionsAddress $false
Create wintun interfaces

This snippet shows how to create an additional wintun interface and, optionally, how to stop the DNS client from registering the interface's IP address (unless that's required). You may of course add multiple interfaces by executing the command multiple times. It is reasonable to stick to at most five interfaces; if you need more simultaneous connections you should consider rethinking your overall network architecture :-)

For the sake of completeness: if you want to create additional TAP adapters you may also use tapctl.exe; just omit the hwid or set hwid = "root\\0901".
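The steps above (require 2.5 or newer, add the windows-driver directive, create one wintun interface per simultaneous tunnel, disable DNS registration) as one idempotent script; this is an added example and not the author's code. The OpenVPN install and config paths, the $Tunnels count and the 'Wintun*' interface description filter are assumptions for a default installation.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# Assumed: default OpenVPN 2.5 install paths and a config folder of .ovpn profiles.
param(
    [string]$OpenVpnDir = 'C:\Program Files\OpenVPN',
    [string]$ConfigDir  = 'C:\Program Files\OpenVPN\config',
    [int]$Tunnels       = 2     # how many simultaneous VPN connections you run
)
$TapCtl = Join-Path $OpenVpnDir 'bin\tapctl.exe'
$OpenVpn = Join-Path $OpenVpnDir 'bin\openvpn.exe'

# 1. Refuse to continue on anything older than 2.5: the "windows-driver"
#    directive is unknown to older builds and the profile would not load.
$banner = & $OpenVpn --version 2>$null | Select-Object -First 1
if ($banner -match 'OpenVPN (\d+)\.(\d+)') {
    $major = [int]$Matches[1]; $minor = [int]$Matches[2]
    if ($major -lt 2 -or ($major -eq 2 -and $minor -lt 5)) {
        throw "OpenVPN $major.$minor found; wintun needs 2.5 or newer"
    }
} else {
    throw "Could not determine the OpenVPN version from '$banner'"
}

# 2. Add "windows-driver wintun" to every profile that does not set a driver yet.
#    Profiles that already carry a windows-driver line are left untouched.
Get-ChildItem -Path $ConfigDir -Filter *.ovpn -Recurse | ForEach-Object {
    $lines = @(Get-Content -Path $_.FullName)
    if ($lines -match '^\s*windows-driver\s+') {
        Write-Host "$($_.Name): windows-driver already set, leaving as is"
    } else {
        # Rewrite the whole file so the directive always lands on its own line.
        Set-Content -Path $_.FullName -Value ($lines + 'windows-driver wintun')
        Write-Host "$($_.Name): added 'windows-driver wintun'"
    }
}

# 3. Create wintun interfaces until there is one per simultaneous tunnel.
#    Assumption: wintun adapters report an InterfaceDescription starting with "Wintun".
$existing = @(Get-NetAdapter -InterfaceDescription 'Wintun*' -ErrorAction SilentlyContinue)
for ($i = $existing.Count; $i -lt $Tunnels; $i++) {
    & $TapCtl create --hwid 'wintun' | Out-Null
}

# 4. Optional, as in the post: keep tunnel addresses out of dynamic DNS by
#    disabling registration on every wintun interface (by index, not by pipeline).
Get-NetAdapter -InterfaceDescription 'Wintun*' -ErrorAction SilentlyContinue | ForEach-Object {
    Set-DnsClient -InterfaceIndex $_.ifIndex -RegisterThisConnectionsAddress $false
}
```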