After testing the MSI updating (installing newer MSI package over the
previous one), I have found out that WiX driver installation custom action
uninstalls the previous driver in RemoveExistingProducts pass, which
effectively removes all existing TAP interfaces. Though it installs the new
driver later on, the damage has been done.


This means me going back to the drawing board inventing our own MSI custom
action to install the driver and hopefully update seamlessly.


Best regards,



From: Simon Rozman <si...@rozman.si> 
Sent: Thursday, June 7, 2018 3:51 PM
To: openvpn-devel (openvpn-devel@lists.sourceforge.net)
Subject: [Openvpn-devel] TAP-Windows MSI packages




Finally, I have some MSI material to share with community. My playground is
at https://github.com/rozmansi/tap-windows6.


It proved a lot more work than I estimated back in Karlsruhe. The core
problem was driver install and TAP interface creation within the MSI
package. Well actually, the core problem was lack of my time.



1. tapctl.exe


Anyway, a tapctl.exe utility was developed (msi/src/tapctl). It is a command
line utility to manage TAP interfaces. It is not a snap-in replacement for
devcon/tapinstall - it is GPLv2 licenced and was designed from ground up
especially for OpenVPN.


Main features of tapctl.exe are:

*       Creation of (named) TAP interfaces - being able to set the name of
the TAP interface to be created allows automation. The "Local Area
Connection 2", "Ethernet 2" and random names like that just don't.
*       Removal of individual network interfaces (by name or GUID)
*       Network interface listing
*       It does not install or update TAP driver. The TAP driver must be
installed by other means. It only manipulates (TAP) network interfaces.


The network interface management source is located in separate tap.h/.c
files suitable to be reused in OpenVPN project itself (imagine --mktun on
Windows). That's why I chose C language in the end - though I would prefer
C++. I remember David had an idea at our lunch discussion to be nice to be
able to reuse the code in OpenVPN.


For the time being, there is no "remove all TAP interfaces" function. If
people will miss it, I can add it.



2. Driver installation


The TAP driver installation/upgrade is handled by WiX. WiX already provides
MSI custom actions for this task and that functionality was reused. Since
the driver will need to be build on Windows anyway, I'll leave TAP-Windows6
MSI packaging to WiX. Note that OpenVPN itself will have quite simple setup
in comparison and should allow us to use msitools for packaging.


The MSI package also installs OpenVPN Inc.'s certificate before installing
the driver. This avoids the trust prompt on driver install and is important
when installing MSI package using GPO or some other unattended mean



3. Initial TAP interface installation


Rather than using tapctl.exe to create the initial TAP interface on first
install, an MSI custom action DLL was developed (msi/src/tapca). It


*       Existing TAP interface enumeration on initialization
*       A custom MSI table is used to list the TAP interfaces to create on
install and delete on uninstall. This allows IT admins to author MSI with
own set of TAP interfaces to install.
*       A complete set of execute/rollback/commit functionality is
implemented, allowing complete rollback on install failure.


By default, the MSI packages are authored to install a single TAP interface
named "OpenVPN" if there are no existing TAP interfaces on computer: fresh
installs will create "OpenVPN" TAP interface, upgrades will leave TAP
interfaces intact.



4. The MSI packages


The MSI packages are built using WiX Toolset. They provide simple UI (no
EULA nagging). They detect the previous setup of TAP-Windows6 (including the
NSIS one) and reuse the installation folder. The NSIS leftover files and
registry data is cleaned. As mention before, the MSI setup installs/updates
TAP driver and install "OpenVPN" TAP interface on first install. When any
TAP interface exists (even from NSIS installs) it will skip creation of
"OpenVPN" interface.


There is one MSI file for each platform. ARM and ARM64 platforms are ready
but commented for the time being - waiting for ARM64 driver support (Jon
Kunkee patch), WiX support for ARM64 platform, somebody actually having an
ARM64 Windows 10 device to test etc.



5. Building


The building how-to is described in msi/README.rst. Meanwhile, I have
published binaries for testing at
https://github.com/rozmansi/tap-windows6/releases/tag/9.21.2-1. Remember:
this is TAP driver and TAP network interface installation MSI only.





*       Thoroughly test upgrading (use old TAP drivers to make MSI packages
for past versions)
*       Prepare self-extracting EXE installer to contain all MSI packages
and a bootstrapper to launch msiexec /i with the platform-specific MSI
*       Integrate into tap-windows6 build process - discuss options to
revise building process (Jon Kunkee proposals) 
*       Prepare MSI packages for OpenVPN



Best regards,



Attachment: smime.p7s
Description: S/MIME cryptographic signature

Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Openvpn-devel mailing list

Reply via email to