OpenVPN on Microsoft Windows has a problem with the TAP-Win32-Adapter driver used for the tunnel. The device needs to be deactivated/reactivated after a Windows restart before any connection can be established. In this article I present a very simple script and solution for automating this process.
OpenVPN is my preferred tool for implementing low-cost VPN solutions for one reason: it simply works. It works very well on Linux and Windows. On Windows I commonly use one of the GUI frontends. On Windows, OpenVPN uses a virtual network card for the tunnelled data, the TAP Win32 Adapter, currently in version 8. Unfortunately this driver has a issue at the moment: the adapter works only once, after restarting windows the device has to be deactivated and reactivated, otherwise it will not come up after the connection to the VPN server has been established.
To get around this anoying issue I wanted to write a script that will reactivate before starting the GUI. As I soon found out, there is no way in standard Windows XP to (de)activate a device from a script. After some time I found a tool in Microsoft’s DDK which can also be downloaded seperately: devcon, a command line tool by Microsoft as an alternative to the Windows Device Manager.
First I needed to find the hardware id of the TAP device I wanted to restart:
> devcon findall *TAP*
ISAPNP\READDATAPORT\0 : ISAPnP-Datenleseport
ROOT\NET\0000 : TAP-Win32 Adapter V8
2 matching device(s) found.
Clearly I am interested in ROOT\NET\0000
in my case. This device can now be (de)activated with “devcon deactivate @ROOT\NET\0000
” resp. “devcon activate @ROOT\NET\0000
“. The @
-sign is important!
As I wanted to explore some alternatives to Microsoft’s shell scripts (.cmd), I discovered KiXtart, a very powerful shell scripting language for Windows. Main advantage is, that KiXtart is able to run the script without showing an anyoing shell window during its runtime (which is the whole VPN connection in my case), as I want to disable the device after OpenVPN is shut down.
The script that needs to be executed is trivial: Instead of launching OpenVPN-GUI directly, I now launch the following KiXtart script from any shortcuts to OpenVPN GUI:
shell "devcon disable @@root\net\0000"
shell "devcon enable @@root\net\0000"
shell "C:\Program Files\OpenVPN\bin\openvpn-gui.exe"
shell "devcon disable @@root\net\0000"
The KiXtart interpreter requries around 1.4MB of RAM during the session (which I accept and don’t care about as my machine has 1.5GB of RAM installed). If you want to spare this amount and you don’t care that the device is not deactivated right after exiting OpenVPN-GUI, you could adapt the script to execute the GUI without waiting for its termination. You’d also have to remove the last line of the script. In this case you can also simply use standard Windows shell commands, as the shell will immideatly close after calling “start C:\...\openvpn-gui.exe
“.
Great stuff! Devcon and KiXtart are wonderful additions to my took kit.
However, the huge problem persists in Amazon’s EC2 Cloud environment. Disabling the TAP-Win32-Adapter (running “devcon disable @@root\net000”) freezes the virtual computer, requiring a reboot.
Any further thoughts?
The solution above is more suited for a local computer than for a remote computer, as taking down the network device on the remote site most likely will kill your remote access… I especially don’t know anything about the EC2 setting, so sorry, I cannot help here.
This blog was… how do I say it? Relevant!! Finally I’ve found something that
helped me. Thank you!