Windows – Is it possible to install TAP-Windows virtual OpenVPN network driver in a completely unattended manner

drivers, openvpn, windows, windows 7, windows xp

TAP-Windows is a network driver used by OpenVPN to establish remote connections.

It is included in its main GUI installer, but it prompts the user to accept an unsigned driver.

The OpenVPN Windows installer can be installed unattended, for example via an SSH or Telnet remote console. Something like:

    openvpn-install-2.3.7-I003-i686.exe /S /D=c:\OpenVPN

… and the installation goes OK, except for the TAP-Windows driver, which is not installed at all.

The standalone TAP-Windows driver installer also has a silent installation option:

    tap-windows-9.9.2_3.exe /S /D=c:\TapWindows

but it keeps prompting the user to accept the driver installation:

(Screenshot: TAP driver confirmation request)

I have not been able to find on the OpenVPN forums any solved threads about a method to install it.
The closest I have found is this set of scripts (.bat and .nis files) on GitHub that are supposed to do the magic, but I do not have enough knowledge to use them.

Does anyone know the detailed procedure to perform a silent install of TAP-Windows driver?

I need to solve this for Windows XP and Windows 7 (I know the NDIS installer is different, so maybe the methods are too).
If possible, a solution working on any Windows (Servers, 8 and even 10) would be fine.

NOTE: This similar thread offers a solution based on driver signing, but it is rather incomplete.

Best Answer

It's cumbersome but it can be done. The issue is with the trust for the OpenVPN Technologies publisher certificate.

A blog post explains in detail that clicking the checkbox in the security dialog included in your question imports the publisher cert to your local trusted certs store (Get-ChildItem Cert:\CurrentUser\TrustedPublisher in PowerShell). If that's happened, the silent install will work because your computer then trusts the publisher. The problem with the blog post is that it encourages you to download the author's copy of the cert from a file store on the web controlled by the author, which defeats the purpose of the cert entirely.

A slightly better approach is to obtain a copy of the cert for yourself. If you download the OpenVPN installer and then validate its checksum to determine that you have an unaltered installer, certified by OpenVPN, then manually install it, and approve the trust dialog, you can then grab the cert from your local cert store, export the OpenVPN cert and then include your trusted copy of the cert with your installation mechanism.

To export the cert (once you've got it):

  • get the Serial Number (should have a line similar to Subject: CN=OpenVPN Technologies ...):

    certutil -store TrustedPublisher

  • export the cert:

    certutil -exportPFX TrustedPublisher <serial_number> openvpn.pfx

On instances where you want to install OpenVPN silently, you just need to first import and trust the cert with a command like:

    certutil -importPFX openvpn.pfx
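
The answer's point that a publisher certificate should only be trusted if you obtained it yourself can be enforced on each target machine by pinning its thumbprint before anything is added to the store. The script below is an added example, not part of the original answer: it refuses to trust the shipped certificate, or to accept the installer, unless both match a thumbprint recorded on the reference machine. Assumptions: the thumbprint is a placeholder you must fill in (it is the "Cert Hash(sha1)" value in the certutil -store TrustedPublisher output), the PFX password parameter is hypothetical, and the installer is assumed to be signed with the same certificate as the driver.

```powershell
# Added example (not from the original answer). Run elevated, PowerShell 2.0 or later.
param(
    [string]$CertPath    = '.\openvpn.pfx',             # file exported as in the answer
    [string]$PfxPassword = '',                          # assumption: password chosen at export, if any
    [string]$Installer   = '.\tap-windows-9.9.2_3.exe', # installer named in the question
    [string]$PinnedThumbprint = '<SHA1_THUMBPRINT_RECORDED_ON_REFERENCE_MACHINE>'  # placeholder
)
$ErrorActionPreference = 'Stop'

$pin = ($PinnedThumbprint -replace '\s', '').ToUpper()
if ($pin -notmatch '^[0-9A-F]{40}$') {
    throw 'Set -PinnedThumbprint to the 40-hex-digit thumbprint recorded on the reference machine.'
}

# 1. The shipped file must contain exactly the certificate that was approved by hand.
$certFile = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile, $PfxPassword
if ($cert.Thumbprint -ne $pin) {
    throw "Certificate thumbprint $($cert.Thumbprint) does not match the pinned value."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "Certificate validity is $($cert.NotBefore) to $($cert.NotAfter); check that this is expected."
}

# 2. The installer must carry a valid Authenticode signature made with that certificate
#    (assumption: the installer and the driver are signed by the same publisher certificate).
$sig = Get-AuthenticodeSignature -FilePath (Resolve-Path $Installer).Path
if ($sig.Status -ne 'Valid') { throw "Installer signature status: $($sig.Status)" }
if ($sig.SignerCertificate.Thumbprint -ne $pin) {
    throw "Installer is signed by $($sig.SignerCertificate.Subject), not by the pinned certificate."
}

# 3. Only now add the certificate to the machine-wide Trusted Publishers store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'TrustedPublisher', 'LocalMachine'
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }

Write-Output "Trusted publisher added: $($cert.Subject) [$($cert.Thumbprint)]"
```

If any check fails the script stops before the store is modified, so the silent installer should only be launched after it completes without error.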
