Using tuntap under Windows

By Dmitri Varsanofiev

The tun-tap driver is extremely useful for implementing IP tunnels under both Linux and Windows. While the Linux tun-tap driver is a popular and well-documented part of modern Linux, its open-source Windows counterpart (developed by Damion K. Wilson and James Yonan) is relatively unknown.

The goal of this page is to provide instructions and examples for using tuntap under Win32. I have chosen C#/.NET for the code sample simply to keep the code short and to the point; the sample uses no true .NET features and can easily be rewritten in any other language. For simplicity, the sample also assumes that only one tuntap driver is present in the system, and that the tun network uses a fixed static IP address (10.3.0.1, netmask 255.255.255.0).

How to get tuntap for Windows

The Win32 tuntap code is part of the OpenVPN project. Download the source (I used 2.0.9), unzip the subdirectory tap-win32, and use the Windows DDK "build" command to build the driver. You will also need the config-win32.h file from OpenVPN in the directory above tap-win32.

Tuntap installation under Windows

Only two files are relevant for the installation: the driver itself (default name is tap0801.sys) and the corresponding .inf file (OemWin2K.inf). Installing the driver requires the DevCon utility from Microsoft (the OpenVPN distribution includes a DevCon clone called "tapinstall", but the original DevCon will work just as well). Issue the following commands to install the driver, enable the interface, and set the static IP address (replace <tapname> with the connection name of the tap driver in the Control Panel; it is also the result of the HumanName function in the sample):

DevCon install OemWin2k.inf TAP0801
netsh interface ip set address <tapname> static 10.3.0.1 255.255.255.0

Tap-win32 sample

The sample uses the "tun" (IP) mode of the driver to create an "IP mirror" (an illusion of a remote 10.3.0.xxx network). All packets addressed to this network are returned to the local computer, but their IP headers are modified so that they appear to come from the remote network. Therefore ping to any address in the remote network, and many other IP protocols, will work. Note that the FTP protocol will not work, since it carries an IP address inside the packet payload, which the mirror does not rewrite.
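
The header rewrite at the heart of such a mirror, as an added example in C (not the author's C# sample): it assumes the mirror works by exchanging the source and destination addresses and that tun mode hands over raw IPv4 packets with no Ethernet header. The function names and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 checksum over an IPv4 header; 0 means the stored field is valid. */
uint16_t ip_header_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)(~sum & 0xFFFF);
}

/* Mirror a raw IPv4 packet in place; -1 means malformed: drop, do not echo. */
int mirror_ipv4(uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                       /* too short, or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return -1;                       /* header lengths disagree with buffer */
    if (ip_header_checksum(pkt, ihl) != 0)
        return -1;                       /* corrupted header */
    uint8_t src[4];
    memcpy(src, pkt + 12, 4);            /* save source address */
    memcpy(pkt + 12, pkt + 16, 4);       /* destination becomes source */
    memcpy(pkt + 16, src, 4);            /* old source becomes destination */
    /* No checksum update: the header checksum (and the TCP/UDP pseudo-header
       sum) adds 16-bit words, so exchanging two aligned addresses keeps it. */
    return 0;
}

/* Constructed sample: ICMP echo request from 10.3.0.1 to 10.3.0.7. */
uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x80, 0x01, 0x26, 0xd3,
    0x0a, 0x03, 0x00, 0x01, 0x0a, 0x03, 0x00, 0x07,   /* src, dst */
    0x08, 0x00, 0xf7, 0xfd, 0x00, 0x01, 0x00, 0x01    /* ICMP echo, id 1 seq 1 */
};

int main(void)
{
    int rc = mirror_ipv4(sample_pkt, sizeof sample_pkt);
    printf("rc=%d new source ends in .%d, checksum_ok=%d\n", rc,
           sample_pkt[15], ip_header_checksum(sample_pkt, 20) == 0);
    return 0;
}
```

Only the IP header is touched, which is why a protocol that repeats an address in its payload, such as FTP, still sees the unmirrored address.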