OpenVPN version 2.5.0 on Windows 10. After the installation, I got two new network adapters: OpenVPN Wintun and OpenVPN TAP-Windows6.
My .ovpn configuration file contains the line dev tun so I was assuming the connection would have used the tun interface, but no, it uses the tap one. I tried reinstalling OpenVPN installing only the tun interface, and the connection fails with this log:
...
open_tun
MANAGEMENT: Client disconnected
All tap-windows6 adapters on this system are currently in use
Exiting due to fatal error
That makes sense because there's no tap adapter installed, but why doesn't it use the tun one if the config says so? The log even tells open_tun.
I tried changing dev tun to dev tap out of curiosity and it fails with multiple errors, so my VPN is really of the tun type. Can anyone explain to me why it works this way? What's the use of the OpenVPN Wintun adapter if the tap one is used anyway?
If for any reason this behavior is correct, is it actually operating at level 3 like tun should or not?
Best Answer
For a long time, OpenVPN did not have a real 'tun' interface on Windows. Whenever dev tun was used, it would in fact use the "TAP-Windows" driver and would still create an L2 Ethernet interface even for a L3 tunnel – it would just emulate all L2 things like ARP responses on the client side, even serving fake DHCP to the local machine.
However, as clunky as it was for L3 links, the TAP-Windows driver has worked for a long time and so remains the default. The "Wintun" driver is a very recent addition to OpenVPN 2.5, so you need to explicitly opt in to using it:
Wintun also has been written with stricter permission checks, so OpenVPN needs to run as a service with System privileges. It seems that OpenVPN uses the "Interactive service" mode for this.
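The opt-in directive itself did not survive on this page. As an added example (not part of the original answer), this is a client configuration that selects Wintun through OpenVPN 2.5's windows-driver option; the remote host, port and protocol are constructed placeholders.

```conf
# client.ovpn (constructed example; remote host, port and protocol are placeholders)
client
dev tun                      # layer 3 tunnel; Wintun does not support dev tap
proto udp
remote vpn.example.com 1194

# OpenVPN 2.5+: use the Wintun driver instead of the default TAP-Windows6.
# Accepted values are "tap-windows6" (default) and "wintun".
windows-driver wintun
```

The same setting can be given on the command line as --windows-driver wintun.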