Windows – Why ‘dev tun’ vpn uses tap adapter

openvpn, windows 10

OpenVPN version 2.5.0 on Windows 10. After the installation, I got two new network adapters: OpenVPN Wintun and OpenVPN TAP-Windows6.

My .ovpn configuration file contains the line dev tun, so I was assuming the connection would use the tun interface, but no, it uses the tap one. I tried reinstalling OpenVPN with only the tun interface installed, and the connection fails with this log:

...
open_tun
MANAGEMENT: Client disconnected
All tap-windows6 adapters on this system are currently in use
Exiting due to fatal error

That makes sense because there's no tap adapter installed, but why doesn't it use the tun one if the config says so? The log even says open_tun.

I tried changing dev tun to dev tap out of curiosity and it fails with multiple errors, so my vpn is really of the tun type. Can anyone explain to me why it works this way? What's the use of the OpenVPN Wintun adapter if the tap one is used anyway?

If for any reason this behavior is correct, is it actually operating at level 3 like tun should or not?

Best Answer

For a long time, OpenVPN did not have a real 'tun' interface on Windows. Whenever dev tun was used, it would in fact use the "TAP-Windows" driver and would still create an L2 Ethernet interface even for an L3 tunnel – it would just emulate all L2 things like ARP responses on the client side, even serving fake DHCP to the local machine.

However, as clunky as it was for L3 links, the TAP-Windows driver has worked for a long time and so remains the default. The "Wintun" driver is a very recent addition to OpenVPN 2.5, so you need to explicitly opt in to using it:

windows-driver wintun

Wintun has also been written with stricter permission checks, so OpenVPN needs to run as a service with System privileges. It seems that OpenVPN uses the "Interactive service" mode for this.
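To see which adapter a given profile will end up on before connecting, here is an added example (not code from the post or from OpenVPN) that applies the rule above to an .ovpn file: dev tun lands on TAP-Windows6 unless windows-driver wintun is present, and Wintun only provides layer-3 (tun) adapters. The sample profiles and the vpn.example.test hostname are constructed.

```python
"""Predict which Windows adapter an OpenVPN 2.5 profile will use.
Added example, not code from the original post or from OpenVPN. It encodes the
rule in the answer: on Windows 'dev tun' still uses TAP-Windows6 unless the
profile opts in with 'windows-driver wintun'. The profiles are constructed."""

SAMPLE_DEFAULT = "client\ndev tun\nremote vpn.example.test 1194\n<ca>\ndev tap\n</ca>\n"
SAMPLE_WINTUN = SAMPLE_DEFAULT + "windows-driver wintun\n"
SAMPLE_BAD = "dev tap\nwindows-driver wintun\n"


def parse_directives(profile: str) -> dict:
    """Map each top-level directive to its arguments (last one wins);
    comments and inline <ca>...</ca> style blocks are skipped."""
    directives, in_block = {}, False
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):      # closes an inline file block
            in_block = False
        elif line.startswith("<"):     # opens an inline file block
            in_block = True
        elif not in_block:
            name, *args = line.split()
            directives[name] = args
    return directives


def predict_windows_driver(profile: str) -> dict:
    """Return tunnel type, Windows driver and a short explanation."""
    d = parse_directives(profile)
    dev = (d.get("dev") or [""])[0]
    # 'dev-type' overrides the type implied by the adapter name (tunX/tapX).
    dev_type = (d.get("dev-type") or [dev[:3]])[0].lower()
    if dev_type not in ("tun", "tap"):
        raise ValueError(f"cannot determine tunnel type from dev={dev!r}")
    driver = (d.get("windows-driver") or ["tap-windows6"])[0].lower()
    if driver == "wintun" and dev_type == "tap":
        # Wintun is a layer-3-only driver, so OpenVPN rejects this combination.
        return {"type": "tap", "driver": "none",
                "note": "wintun cannot provide a layer-2 (tap) adapter"}
    if driver == "wintun":
        note = "native layer-3 adapter; needs the OpenVPN Interactive Service"
    elif dev_type == "tun":
        note = "layer-3 tunnel emulated on a layer-2 TAP adapter (ARP/DHCP faked)"
    else:
        note = "layer-2 tunnel on the TAP-Windows6 adapter"
    return {"type": dev_type, "driver": driver, "note": note}
```

Running predict_windows_driver on the profile from the question (dev tun, no windows-driver line) reports tap-windows6, which matches the adapter the log shows being opened.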
