Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-06 Thread Samuli Seppänen
On 04/04/20 05:46, blz wrote:
> On 4/3/2020 12:06 PM, Nathan Stratton Treadway wrote:
>> On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
>>> Hi,
>>>
>>> On 02/04/20 22:07, Nathan Stratton Treadway wrote:
>>>> Would this second option be consistent with the fact that the failed
>>>> setupapi log says the driver package was "already imported"?
>>> Seems like it. You can use
>>>
>>> 
>>>
>>> to get rid of all tap-windows instances in the Driver Store. That's what
>>> I use when I need to be 100% positive the latest driver version is
>>> actually being used and not some cached version.
>> Yeah, I will plan to do that once it seems like there's nothing more to
>> learn investigating the system in its current state
>>
>>>> Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
>>>> inside the TAP-Windows installer, or is that generated dynamically at
>>>> installer-execution time?
>>> I have absolutely no idea. We don't actively create such identifiers,
>>> so I have to assume it's Windows.
>> Well, I guess the interesting thing is that the same directory name was
>> used on both the failing- and succeeding-installation machines.  So I
>> guess it is baked into the driver-installer somewhere (unlike the
>> "c:\windows\inf\oem*.inf" name used, which was different between the two
>> machines)  But I'm wondering whether or not that directory name is
>> constant across tap-windows versions, etc.
> What I am wondering is Windows Update, which can and does sometimes
> download drivers from Microsoft's repository, could be a possible
> culprit? I've seen WU time and again be the root cause of some pretty
> big driver-related headaches before.

We have not uploaded tap-windows6 to the Microsoft driver repository.
Fortunately it seems :).

Samuli



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-06 Thread Samuli Seppänen
On 04/04/20 18:20, Gert Doering wrote:
> Hi,
> 
> On Sat, Apr 04, 2020 at 10:37:23AM -0400, Selva Nair wrote:
>> (ii) Add an identifier to the inf file to make the two versions (win7/win10)
>> different.
> 
> If we can figure out how to do that, this sounds like a robust way
> forward.
>

Added https://community.openvpn.net/openvpn/ticket/1269

>> (iii) Have the installer delete all tap adapters and do a cleanup before
>> starting installation. This is very invasive and adversely affects those
>> who have multiple adapters, removes customized adapter names etc.
> 
> I have thought about this, but I find it too intrusive to do on a 
> "default" install.
> 
> We could offer it as an extra submodule?  checkbox item?  that users
> could activate if they have installation problems

We could, though I'd like to avoid any extra work going into the NSIS
installers. I'm not sure how MSI would handle this.

>   [ ] remove all existing TAP adapters before upgrading
> 
> but if we can get identifiers done, this should not even be necessary.
> 
>> By the way, while the Remove-tapwindows.ps1 script is very handy, it
>> works only if all adapters are first removed using deltapall.bat or
>> something
>> equivalent. Adding that functionality to the script would be very useful.
> 
> +1

I added a (private) task about this for me, though I'm open to PRs :).

> 
> Samuli, you're listening? :-)
> 
> gert
> 

Yes, I've read each and every email related to this and there sure have
been plenty :).

Samuli





Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-05 Thread Nathan Stratton Treadway
On Fri, Apr 03, 2020 at 15:06:38 -0400, Nathan Stratton Treadway wrote:
> On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
> > On 02/04/20 22:07, Nathan Stratton Treadway wrote:
> > > 
> > > Would this second option be consistent with the fact that the failed
> > > setupapi log says the driver package was "already imported"?
> > 
> > Seems like it. You can use
> > 
> > 
> > 
> > to get rid of all tap-windows instances in the Driver Store. That's what
> > I use when I need to be 100% positive the latest driver version is
> > actually being used and not some cached version.
> 
> Yeah, I will plan to do that once it seems like there's nothing more to
> learn investigating the system in its current state


Okay, I took this approach, and now have a working OpenVPN installation
on that system.


I started out by running the TAP-Windows -> "Delete ALL TAP virtual
ethernet adapters" option of the Windows Start Menu.

Then, since I already knew from looking through the setupapi.dev.log
file and the output of "pnputil" that the tap0901 driver was called
"oem43" on that system, I just went ahead and deleted the driver
directly (based on what the Remove-Tapwindows.ps1 script would have
done):


C:\WINDOWS\system32>c:\windows\system32\pnputil /delete-driver oem43.inf

Microsoft PnP Utility

Driver package deleted successfully.


In hindsight it looks like running the "add adapter" script would have
done this automatically, but I went ahead and put the Win10 version of
the driver back in the driver store by right-clicking on "C:\Program
Files\TAP-Windows\driver\OemVista.inf" and choosing "Install" (since I
knew that the files in that directory were indeed the Win10
versions).

And finally I added the virtual adapter back in by clicking on the
TAP-Windows -> "Add a new TAP virtual Ethernet adapter" Start Menu
entry.


At that point, the "TAP-Windows Provider V9" device showed up again in
Device Manager with no warning triangle in the icon, and when I clicked
on the OpenVPN icon it proceeded to start the VPN connection without any
trouble.  So I think the situation is resolved on this machine.



Given that we now have the correct driver files installed I am no longer
able to do much testing related to the installer being confused by
having the wrong ones in use... but I have kept copies of the various
setupapi* log files, so let me know if I can provide any additional
information


Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-05 Thread Nathan Stratton Treadway
On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
> On 02/04/20 22:07, Nathan Stratton Treadway wrote:
> > Anyway, I will see if I can determine anything by checking the timestamps
> > for the various c:\windows\ files mentioned in the log, etc.
> 
> Ok, let me know what you find!

Just to close the loop on this part of the discussion:

I don't know very much about the various flavors of "factory reset" for
Windows 10 (using the HP Recovery Manager, in this case)... but looking
through the setupapi.offline.log file, I can see that "sysreset.exe
-continue" and related commands did a bunch of operations with various
device drivers, and then mentioned those drivers again in

  >>>  [Setup PnP Driver Store Property Apply - C:\$WINDOWS.~BT\NewOS\WINDOWS]
and 
  >>>  [Sysprep Specialize Offline - C:\$WINDOWS.~BT\NewOS\Windows]

sections -- and included in that batch of drivers being processed are
mentions of the TAP-Window-related files (tap0901.*/oemvista.inf/
oem43.inf... as well as the drivers for Network hardware devices), 

So, in short, as far as I can figure the "factory reset" which the user
performed did actually involve copying device drivers from the old
installation, including the non-functioning versions of the TAP-Windows
drivers.

It seems like the reset did get rid of some parts of the previous OS
setup (since it cured the system crashes that were happening frequently
beforehand), and it left the system looking "new" (users had to be
created from scratch on the first boot, third-party applications were no
longer installed, etc.).  

But it copied just enough of the previous OpenVPN installation that
performing an apparently-from-scratch OpenVPN Windows 10 installer run
resulted in the newly-created "TAP-Windows Adapter V9" device getting
tied to the wrong tap0901.* files


Nathan



Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-05 Thread Nathan Stratton Treadway
On Fri, Apr 03, 2020 at 15:06:38 -0400, Nathan Stratton Treadway wrote:
> On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
> > On 02/04/20 22:07, Nathan Stratton Treadway wrote:
> > > Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
> > > inside the TAP-Windows installer, or is that generated dynamically at
> > > installer-execution time?
> > 
> > I have absolutely no idea. We don't actively create such identifiers,
> > so I have to assume it's Windows.
> 
> Well, I guess the interesting thing is that the same directory name was
> used on both the failing- and succeeding-installation machines.  So I
> guess it is baked into the driver-installer somewhere (unlike the
> "c:\windows\inf\oem*.inf" name used, which was different between the two
> machines)  But I'm wondering whether or not that directory name is
> constant across tap-windows versions, etc.

(Looking through the setupapi.offline.log file [and the
DriverStore\FileRepository\ directory in general], it seems like the
part of this name before the "_amd64" is taken from the name of the .inf
file originally used in the installation process -- and that the usual
convention is to have a driver-specific name for the file, e.g.
"geminilakesystem.inf" or "cannonlake-lpsystemthermal.inf".

I don't know that changing the name would directly have made any difference
in our case, but as long as you are looking at changing the generation
of the .inf files, I wondered if it would make sense for the TAP-Windows
installer to use a more descriptive name than "oemvista.inf"...?)

Nathan



Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-04 Thread Nathan Stratton Treadway
On Sat, Apr 04, 2020 at 20:02:02 -0400, Selva Nair wrote:
> Yes, the win7 installer will run on windows 10 and install the wrong driver
> causing the signature error seen in device manager.
> 

Ah, right, thanks.  (I did see your earlier message but missed the
specific mention in there about the Win7 installer running under Win10.)


Given that, it seems pretty likely that the explanation for our
situation was a combination of running the wrong OpenVPN installer
the first time, then assuming that the "factory reset" would completely
blow away all of the existing Windows installation when in fact parts
were preserved across the reset.

Anyway, (Samuli) would it be possible for the OpenVPN installer to
double-check that it was running in the correct environment before
proceeding with the installation?  That would presumably have avoided
the broken driver situation in the first place (in our case, at least).

(Separately, the previously-discussed tweaks to the .inf file so that
Windows actually replaces an incorrect driver with the correct one would
be useful to get out of the situation, however one originally got into it.)


Nathan



Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-04 Thread Selva Nair
On Sat, Apr 4, 2020 at 7:45 PM Nathan Stratton Treadway 
wrote:

> On Sat, Apr 04, 2020 at 18:40:06 -0400, Selva Nair wrote:
> > Is it possible that the user might have mistakenly installed the windows 7
> > version of 2.4.8  on this machine before the reset? The fact that the
> > offending .sys file and inf came back via the ~BT folder seems to indicate
> > it was saved by the reset process and then copied back in.
>
> The user did try to install OpenVPN before the reset, so I guess it's
> possible.
>
> If one downloads the openvpn-install-2.4.8-I602-Win7.exe by mistake,
> will it actually run (and proceed with installing things) under Windows
> 10?
>

Yes, the win7 installer will run on windows 10 and install the wrong driver
causing the signature error seen in device manager.

See my mail earlier today for more details on this.
https://sourceforge.net/p/openvpn/mailman/openvpn-users/thread/CAKuzo_h_KtLnBwt7pMvDxPcOAjU_rh_6K_79A65vbeyNHYc6dw%40mail.gmail.com/#msg36971459

Selva


Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-04 Thread Nathan Stratton Treadway
On Sat, Apr 04, 2020 at 18:40:06 -0400, Selva Nair wrote:
> Is it possible that the user might have mistakenly installed the windows 7
> version of 2.4.8  on this machine before the reset? The fact that the
> offending .sys file and inf came back via the ~BT folder seems to indicate
> it was saved by the reset process and then copied back in.

The user did try to install OpenVPN before the reset, so I guess it's
possible.

If one downloads the openvpn-install-2.4.8-I602-Win7.exe by mistake,
will it actually run (and proceed with installing things) under Windows
10?


> It could be that the process was not really a factory reset (not sure
> whether you already said otherwise) or the factory version has some program
> that distributes this driver with the same inf file. Though it would sound
> strange to distribute a cross-signed driver with Windows 10, there are some
> old flavours of Windows 10 where such a driver works, iirc.

We were operating under the assumption that the reset process resulted
in a clean installation of Windows 10... but that assumption could
certainly be incorrect.  (I'll see if I can find out more.)


> 
> Can you check whether the offending .sys is in use by any devices?
> driverquery utility may in windows 10 probably help.

After the OpenVPN Win10 installer completed running, the tap0901.sys
driver was in use by the "TAP-Windows Adapter V9"  device created by that
installer.  (That's the device that showed up in Device Manager with the
yellow-triangle icon and unable-to-verify-signature warning message.)



Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-04 Thread Selva Nair
Hi


> > The sha1sums of the two versions of the file are:
> > =
> > $ sha1sum *{program,system32}*tap09*
> > 42189b6a1b8c736397113bfc2283f5e1e1a44e8e  failed_program-files_tap0901.sys
> >   [the 39,920-byte file]
> > 841a86f416a882b0743fd6d9c9f29baf3ed06b6a  failed_system32-drivers_tap0901.sys
> >   [the 30,720-byte file]
> > =
> >
> >
> > So.. do you recognize this 30,720-byte file at all, or have any ideas
> > where it might have originated from?
>
> It occurred to me that even though we don't need to install OpenVPN on a
> Windows 7 box I could go ahead and download the Win7 installer and
> see if the embedded TAP driver files match the ones included there.
>
> Short answer: yes, the mystery files are exactly the same as the ones in
> that installer.


> So, that doesn't really tell us how those driver files got installed on
> the box before OpenVPN was ever installed -- but at least it tells us
> exactly which files were involved
>

Is it possible that the user might have mistakenly installed the windows 7
version of 2.4.8  on this machine before the reset? The fact that the
offending .sys file and inf came back via the ~BT folder seems to indicate
it was saved by the reset process and then copied back in.

It could be that the process was not really a factory reset (not sure
whether you already said otherwise) or the factory version has some program
that distributes this driver with the same inf file. Though it would sound
strange to distribute a cross-signed driver with Windows 10, there are some
old flavours of Windows 10 where such a driver works, iirc.

Can you check whether the offending .sys is in use by any devices?
driverquery utility may in windows 10 probably help.

The two versions using identical inf file is what makes it hard to fix it
by just reinstalling the correct Windows 10 release.

Selva


Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-04 Thread Nathan Stratton Treadway
On Fri, Apr 03, 2020 at 14:56:05 -0400, Nathan Stratton Treadway wrote:
[mystery files found pre-installed on the computer with broken
TAP-Windows:]
>  Directory of C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf
> 10/31/2019  02:11 AM            10,042 tap0901.cat
> 10/31/2019  02:09 AM            30,720 tap0901.sys

> 
> The sha1sums of the two versions of the file are:
> =
> $ sha1sum *{program,system32}*tap09*
> 42189b6a1b8c736397113bfc2283f5e1e1a44e8e  failed_program-files_tap0901.sys
>   [the 39,920-byte file]
> 841a86f416a882b0743fd6d9c9f29baf3ed06b6a  failed_system32-drivers_tap0901.sys
>   [the 30,720-byte file]
> =
> 
> 
> So.. do you recognize this 30,720-byte file at all, or have any ideas
> where it might have originated from?

It occurred to me that even though we don't need to install OpenVPN on a
Windows 7 box I could go ahead and download the Win7 installer and
see if the embedded TAP driver files match the ones included there.

Short answer: yes, the mystery files are exactly the same as the ones in
that installer.  

So, that doesn't really tell us how those driver files got installed on
the box before OpenVPN was ever installed -- but at least it tells us
exactly which files were involved


Nathan


Here's the transcript of the check:

First, the sha1sums of the "bad" files pulled out of the DriverStore\...
directory:


$ sha1sum failed_system32-driverstore_*
d85f4e65fe10f13ded1780ddbd074edfc75f2d25  failed_system32-driverstore_oemvista.inf
d99e38968de1ca1850971a2b81bfdab49626aaed  failed_system32-driverstore_tap0901.cat
841a86f416a882b0743fd6d9c9f29baf3ed06b6a  failed_system32-driverstore_tap0901.sys

... and the original Windows timestamps:

C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf
03/27/2020  11:09 AM  .
03/27/2020  11:09 AM  ..
10/31/2019  02:09 AM             7,537 oemvista.inf
03/27/2020  11:09 AM             8,828 oemvista.PNF
10/31/2019  02:11 AM            10,042 tap0901.cat
10/31/2019  02:09 AM            30,720 tap0901.sys





Then, unpack the Win7 installer and check the files inside it:

$ sha1sum openvpn-install-2.4.8-I602-Win7.exe 
8c9f28d7bdbb4613777a9741809e34b91fd45a0f  openvpn-install-2.4.8-I602-Win7.exe

$ 7z e openvpn-install-2.4.8-I602-Win7.exe '$TEMP/tap-windows.exe'

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)

Processing archive: openvpn-install-2.4.8-I602-Win7.exe

Extracting  $TEMP/tap-windows.exe

Everything is Ok

Size:   575288
Compressed: 4322568

$ ls -l
total 4788
-rw-rw-r-- 1 nathanst nathanst 4322568 Apr  4 14:28 openvpn-install-2.4.8-I602-Win7.exe
-rw-rw-r-- 1 nathanst nathanst  575288 Oct 31 03:34 tap-windows.exe

$ sha1sum tap-windows.exe 
f0fd7873544739a0cac4cf93e446efe629c00668  tap-windows.exe

$ 7z x tap-windows.exe 
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)

Processing archive: tap-windows.exe
[ ... bunch of files extracted; once again, I had to choose the "A(u)to
  rename all" option because the various flavors all try to unpack into
  the same subdirectories ... ]

$ cd */driver
[ ... the first-level subdirectory name is non-ascii, so use a wildcard
  to get down into the second-level "driver" subdirectory ... ]

$ grep amd *.inf
OemVista.inf:   %Provider% = tap0901, NTamd64
OemVista.inf:[tap0901.NTamd64]

$ file tap0901.*
tap0901.cat: data
tap0901.sys: PE32+ executable (native) x86-64, for MS Windows


$ ls -l {OemVista,tap0901}.*
-rw-rw-r-- 1 nathanst nathanst  7537 Oct 31 02:09 OemVista.inf
-rw-rw-r-- 1 nathanst nathanst 10042 Oct 31 02:11 tap0901.cat
-rw-rw-r-- 1 nathanst nathanst 30720 Oct 31 02:09 tap0901.sys

$ sha1sum {OemVista,tap0901}.*
d85f4e65fe10f13ded1780ddbd074edfc75f2d25  OemVista.inf
d99e38968de1ca1850971a2b81bfdab49626aaed  tap0901.cat
841a86f416a882b0743fd6d9c9f29baf3ed06b6a  tap0901.sys


So, the unpacked-from-archive timestamps and the sha1sums match for
all three files.



Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239
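
The check in the message above, as an added example that is not part of the original post and is not the project's Remove-Tapwindows.ps1: it finds the driver package published from oemvista.inf in `pnputil /enum-drivers` output and classifies the `tap0901.sys` in each matching FileRepository directory by the SHA-1 values quoted in this thread. The sample pnputil output, the second driver record, the signer names and the labels are constructed for illustration.

```python
import hashlib
from pathlib import Path

# SHA-1 values of tap0901.sys quoted in the thread; the labels are this example's own.
KNOWN_TAP0901_SYS = {
    # 30,720-byte file, identical to the one in openvpn-install-2.4.8-I602-Win7.exe
    "841a86f416a882b0743fd6d9c9f29baf3ed06b6a": "win7-installer",
    # 39,920-byte file found in C:\Program Files\TAP-Windows\driver
    "42189b6a1b8c736397113bfc2283f5e1e1a44e8e": "program-files-copy",
}

# Constructed sample of `pnputil /enum-drivers` output (not captured from a real system).
SAMPLE_ENUM_OUTPUT = """\
Microsoft PnP Utility

Published Name:     oem12.inf
Original Name:      example.inf
Provider Name:      Example Vendor (constructed)
Class Name:         System devices
Driver Version:     01/01/2019 1.0.0.0
Signer Name:        Constructed Signer

Published Name:     oem43.inf
Original Name:      oemvista.inf
Provider Name:      TAP-Windows Provider V9
Class Name:         Network adapters
Driver Version:     09/27/2019 9.24.2.601
Signer Name:        Constructed Signer
"""


def parse_enum_drivers(text):
    """Split pnputil output into one dict per driver package."""
    packages, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            current[key.strip()] = value.strip()
        elif not line.strip() and current:
            # A blank line closes the current record.
            packages.append(current)
            current = {}
    if current:
        packages.append(current)
    return [p for p in packages if "Published Name" in p]


def tap_packages(packages):
    """Packages whose original INF name is oemvista.inf, whatever oemNN.inf they got."""
    return [p for p in packages
            if p.get("Original Name", "").lower() == "oemvista.inf"]


def sha1_file(path):
    """SHA-1 of a file, read in chunks (used only to match the thread's values)."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(sha1_hex):
    """Map a tap0901.sys hash to a label from the thread, or 'unknown'."""
    return KNOWN_TAP0901_SYS.get(sha1_hex.lower(), "unknown")


def audit_store(file_repository):
    """Classify tap0901.sys in every oemvista.inf_* directory under FileRepository."""
    results = {}
    for directory in sorted(Path(file_repository).glob("oemvista.inf_*")):
        sys_file = directory / "tap0901.sys"
        if sys_file.is_file():
            results[directory.name] = classify(sha1_file(sys_file))
    return results


if __name__ == "__main__":
    for pkg in tap_packages(parse_enum_drivers(SAMPLE_ENUM_OUTPUT)):
        # Date and version alone do not identify the file set; hash the files too.
        print(pkg["Published Name"], pkg["Driver Version"])
```

On a copy of a machine's FileRepository directory, `audit_store()` returning `win7-installer` for a package corresponds to the state described in this thread.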




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-04 Thread Gert Doering
Hi,

On Sat, Apr 04, 2020 at 10:37:23AM -0400, Selva Nair wrote:
> (ii) Add an identifier to the inf file to make the two versions (win7/win10)
> different.

If we can figure out how to do that, this sounds like a robust way
forward.

> (iii) Have the installer delete all tap adapters and do a cleanup before
> starting installation. This is very invasive and adversely affects those
> who have multiple adapters, removes customized adapter names etc.

I have thought about this, but I find it too intrusive to do on a 
"default" install.

We could offer it as an extra submodule?  checkbox item?  that users
could activate if they have installation problems

  [ ] remove all existing TAP adapters before upgrading

but if we can get identifiers done, this should not even be necessary.

> By the way, while the Remove-tapwindows.ps1 script is very handy, it
> works only if all adapters are first removed using deltapall.bat or
> something
> equivalent. Adding that functionality to the script would be very useful.

+1

Samuli, you're listening? :-)

gert


-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-04 Thread Selva Nair
Hi,

On Fri, Apr 3, 2020 at 5:06 PM Nathan Stratton Treadway 
wrote:

>
> As I mentioned in the previous email, the
> oemvista.inf_amd64_6d4bec28a2ef0cdf has a timestamp which coincides with
> the moment that the OpenVPN installer was being run.
>
> However, I noticed that the oem43.inf file does have an earlier
> timestamp:
>
> =
> Directory of c:\windows\inf
> 03/26/2020  04:03 PM 7,537 oem43.inf
> 03/27/2020  11:09 AM 8,828 oem43.PNF
> =
>
> ... though weirdly Windows on that box was reinstalled in the _morning_ of
> 3/26, and 16:03 doesn't correspond to any entries at all in the
> setupapi.dev.log file (which jumps from 2020/03/26 12:30:18 in one entry
> to 2020/03/27 07:50:45 in the next).  So it doesn't quite seem like
> oem43.inf would have been created during the initial reinstall of
> Windows, but I also don't know what would have created it later that
> day...
>
> The c:\windows\inf\oem43.inf file is identical to the one in C:\Program
> Files\TAP-Windows\driver:
>
> =
> $ sha1sum failed_windows-inf_oem43.inf failed_program-files_OemVista.inf
> d85f4e65fe10f13ded1780ddbd074edfc75f2d25  failed_windows-inf_oem43.inf
> d85f4e65fe10f13ded1780ddbd074edfc75f2d25  failed_program-files_OemVista.inf
> =
>
> ... but I suppose that might just indicate that the Win7 and Win10
> versions of that file are identical (if in fact the \windows\inf\ copy
> came from the Win7 drivers somehow).
>

I can confirm that a previously installed cross-signed version of
tap0901.sys does cause the behaviour reported here. I did the
following:

On a Win10 machine with openvpn 2.4.8 installed and working
(i) Install the 2.4.8 Windows 7 release --> installation success, OpenVPN
continues to work
The tap driver properties show the attestation signed driver is still in
use
although that's not what is in the C:\Program Files\Tap-Windows\driver at
this point.

(ii) Delete all adapters, cleanup using samuli's powershell script (this is
important) and run addtap.bat. The run succeeds, but no new adapter is
visible, device manager shows the dreaded code52 (signature) error. At
this point the driver has changed to the cross-signed (win7) one.

And here is the rub:
(iii) Install the 2.4.8 Windows 10 release on top: this does not fix the
problem. setupapi log shows windows is picking the already installed
tap0901.sys, not the new one. I don't think just uninstalling the old
version first would have helped.

At this point, deltapall.bat, followed by cleanup and addtap.bat fixes
the problem.

So, it looks clear that, somehow, a cross-signed tap driver with inf
file matching what we have in 2.4.8 was present in the system as
Nathan has already concluded.

As mistakenly installing Windows 7 version and trying to correct it
without a thorough cleanup could easily happen, we need to do something
to avoid such errors in the next release. Some possibilities (all untested)

(i) In the inf file we have
[Source Disk Files]
tap0901.sys = 1

That line could include the file size as
tap0901.sys = 1,,size-of-file

Not very robust as it depends on just the size of the .sys file (assuming
it's different).

(ii) Add an identifier to the inf file to make the two versions (win7/win10)
different.

(iii) Have the installer delete all tap adapters and do a cleanup before
starting installation. This is very invasive and adversely affects those
who have multiple adapters, removes customized adapter names etc.

By the way, while the Remove-tapwindows.ps1 script is very handy, it
works only if all adapters are first removed using deltapall.bat or
something equivalent. Adding that functionality to the script would be
very useful.

Regards,

Selva


Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Nathan Stratton Treadway
I received an off-list reply stating:
> On Fri, Apr 03, 2020 at 18:43:31 -0400, Nathan Stratton Treadway wrote:
> > Based on a quick glance, it looks like this log file shows a bunch of
> > drivers getting installed from this c:\$WINDOWS.~BT\ directory
> > into the C:\windows directory.  Does this ring a bell with anyone?
> 
> That's the place Windows stored upgrade files for the 7/8 -> 10 free
> upgrade.

This particular machine was new in Dec 2019 and as far as I can tell it
never had any form of Windows 7 or 8 installed on it.

However, on 3/26 the user did do a "factory reset" operation to achieve
a fresh install of Windows 10, which I guess involves running the
Windows installer off of a hidden partition on the disk drive, so
perhaps that process also uses a c:\$WINDOWS.~BT\ directory?

But that still leaves unanswered the question why the Win7 version of
the tap0901 driver was somehow included as part of that process

Nathan

Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread blz

On 4/3/2020 12:06 PM, Nathan Stratton Treadway wrote:
> On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
>> Hi,
>>
>> On 02/04/20 22:07, Nathan Stratton Treadway wrote:
>>> Would this second option be consistent with the fact that the failed
>>> setupapi log says the driver package was "already imported"?
>> Seems like it. You can use
>>
>>
>>
>> to get rid of all tap-windows instances in the Driver Store. That's what
>> I use when I need to be 100% positive the latest driver version is
>> actually being used and not some cached version.
> Yeah, I will plan to do that once it seems like there's nothing more to
> learn investigating the system in its current state
>
>>> Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
>>> inside the TAP-Windows installer, or is that generated dynamically at
>>> installer-execution time?
>> I have absolutely no idea. We don't actively create such identifiers,
>> so I have to assume it's Windows.
> Well, I guess the interesting thing is that the same directory name was
> used on both the failing- and succeeding-installation machines.  So I
> guess it is baked into the driver-installer somewhere (unlike the
> "c:\windows\inf\oem*.inf" name used, which was different between the two
> machines)  But I'm wondering whether or not that directory name is
> constant across tap-windows versions, etc.

What I am wondering is Windows Update, which can and does sometimes
download drivers from Microsoft's repository, could be a possible
culprit? I've seen WU time and again be the root cause of some pretty
big driver-related headaches before.


--
blz




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 01:33:11 -0400, Nathan Stratton Treadway wrote:
> =
> $ diff -ui setupapi_TAP-Windows_{succeeded,failed}.log_cleaned
> --- setupapi_TAP-Windows_succeeded.log_cleaned2020-04-02 
> 00:18:12.0 -0400
> +++ setupapi_TAP-Windows_failed.log_cleaned   2020-04-02 00:19:09.0 
> -0400
> @@ -1,5 +1,5 @@
>  >>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
> ->>>  Section start 2020/03/13 HH:MM:SS.sss
> +>>>  Section start 2020/03/27 HH:MM:SS.sss
>cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install 
> "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
>   ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
>   ndv: Install flags: 0x0001
> @@ -9,19 +9,13 @@
>   dvi:  {Build Driver List} HH:MM:SS.sss
>   dvi:   Searching for hardware ID(s):
>   dvi:tap0901
> - sig:   {_VERIFY_FILE_SIGNATURE} HH:MM:SS.sss
> - sig:Key  = oemvista.inf
> - sig:FilePath = c:\program 
> files\tap-windows\driver\oemvista.inf
> - sig:Catalog  = c:\program 
> files\tap-windows\driver\tap0901.cat
> - sig:Success: File is signed in catalog.
> - sig:   {_VERIFY_FILE_SIGNATURE exit(0x)} HH:MM:SS.sss
>   dvi:   Created Driver Node:
>   dvi:HardwareID   - tap0901
>   dvi:InfName  - c:\program 
> files\tap-windows\driver\oemvista.inf
>   dvi:DevDesc  - TAP-Windows Adapter V9
>   dvi:Section  - tap0901.ndi
>   dvi:Rank - 0x00ff
> - dvi:Signer Score - WHQL
> + dvi:Signer Score - Authenticode
>   dvi:DrvDate  - 09/27/2019
>   dvi:Version  - 9.24.2.601
>   dvi:  {Build Driver List - exit(0x)} HH:MM:SS.sss
> @@ -40,70 +34,15 @@
>   ndv:   Inf Name   - oemvista.inf
>   ndv:   Driver Date- 09/27/2019
>   ndv:   Driver Version - 9.24.2.601
> + ndv:  Driver package 
> 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf'
>  is already imported.
>   sto:  {Setup Import Driver Package: c:\program 
> files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
> - inf:   Provider: TAP-Windows Provider V9
> - inf:   Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
> - inf:   Driver Version: 09/27/2019,9.24.2.601
> - inf:   Catalog File: tap0901.cat
> - sto:   {Copy Driver Package: c:\program 
> files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
[...]
> + sto:   Driver package already imported as 'oem43.inf'.

I am still not sure exactly how oem48.inf came to be pre-loaded on this
computer, but at this point it seems like an important question is "how
does Windows decide a driver package is 'already loaded'?"

When I looked around on the machine while the TAP driver was broken, I
believe that the oemvista.inf file that got pre-installed was identical
to the one distributed in the openvpn-install-2.4.8-I602-Win10.exe
file... while obviously the two tap0901.* files were different.

So I'm wondering if Windows just does some sort of file compare on the
.inf files and concludes "no work to do here" if they match?

Whatever the mechanism Windows uses, it seems maybe the .inf files could
be tweaked in some way between the Win7 and Win10 packages so that if
the wrong one is pre-installed Windows goes ahead and uninstalls that
version rather than leaving it unchanged...

Nathan



Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239
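
Added example, not part of the original message and not OpenVPN project code: a Python parser that walks a setupapi log section by section and flags the two signals that set the failed install apart in the diff above (a Driver Store package reported as already imported with no copy step, and a signer score other than the one seen in the working log). The names parse_sections and audit, the sample timestamps, and the use of "WHQL" as the expected score are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two tap0901 install sections assembled from the setupapi
# lines quoted in this thread. Timestamps are invented (the thread's were scrubbed).
SAMPLE_LOG = r"""
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/13 10:00:00.000
     sig:   {_VERIFY_FILE_SIGNATURE} 10:00:00.100
     sig:     Catalog  = c:\program files\tap-windows\driver\tap0901.cat
     sig:     Success: File is signed in catalog.
     dvi:     Signer Score - WHQL
     dvi:     Version      - 9.24.2.601
     sto:   {Copy Driver Package: c:\program files\tap-windows\driver\oemvista.inf} 10:00:01.000
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/27 11:09:00.000
     dvi:     Signer Score - Authenticode
     dvi:     Version      - 9.24.2.601
     ndv:   Driver package 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf' is already imported.
     sto:   Driver package already imported as 'oem43.inf'.
"""

HEADER = re.compile(r"^>>>\s+\[(?P<title>.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start\s+(?P<ts>.+?)\s*$")
SIGNER = re.compile(r"Signer Score\s*-\s*(?P<score>.+?)\s*$")
VERSION = re.compile(r"dvi:\s*Version\s*-\s*(?P<ver>\S+)")
STAGED = re.compile(r"Driver package\s+'(?P<path>[^']+)'\s+is already imported")
PUBLISHED = re.compile(r"already imported as '(?P<oem>[^']+)'")


@dataclass
class Section:
    title: str
    start: str = ""
    version: str = ""
    staged_path: str = ""     # Driver Store copy reported as already imported
    published_inf: str = ""   # oemNN.inf name that copy was published under
    copied: bool = False      # True when a {Copy Driver Package} step was logged
    signer_scores: list = field(default_factory=list)


def parse_sections(text):
    """Split a setupapi log into sections and extract the driver-related fields."""
    sections, cur = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            cur = Section(title=header.group("title"))
            sections.append(cur)
            continue
        if cur is None:
            continue  # preamble before the first section header
        if (m := START.match(line)):
            cur.start = m.group("ts")
        elif (m := SIGNER.search(line)):
            cur.signer_scores.append(m.group("score"))
        elif (m := VERSION.search(line)):
            cur.version = m.group("ver")
        elif (m := STAGED.search(line)):
            cur.staged_path = m.group("path")
        elif (m := PUBLISHED.search(line)):
            cur.published_inf = m.group("oem")
        elif "{Copy Driver Package" in line:
            cur.copied = True
    return sections


def audit(text, hardware_id, expected_signer="WHQL"):
    """Return one finding per install section for hardware_id that looks suspect.

    expected_signer defaults to the score from the working log in this thread;
    that default is an assumption of the example, not a Windows rule.
    """
    findings = []
    for sec in parse_sections(text):
        if hardware_id.lower() not in sec.title.lower():
            continue
        reasons = []
        if sec.staged_path and not sec.copied:
            reasons.append("existing Driver Store package reused; installer files not copied")
        unexpected = sorted(set(sec.signer_scores) - {expected_signer})
        if unexpected:
            reasons.append("signer score " + "/".join(unexpected) + ", expected " + expected_signer)
        if reasons:
            findings.append({
                "start": sec.start,
                "version": sec.version,
                "staged_path": sec.staged_path,
                "published_inf": sec.published_inf,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG, "tap0901"):
        print(hit["start"], hit["published_inf"], hit["staged_path"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Run against a copy of C:\Windows\INF\setupapi.dev.log, the staged_path and published_inf fields point at the Driver Store directory and oemNN.inf file whose .cat and .sys should then be hashed and compared with the installer's.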




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Nathan Stratton Treadway
On Fri, Apr 03, 2020 at 23:26:46 +0200, Gert Doering wrote:
> Hi,
> 
> On Fri, Apr 03, 2020 at 05:04:51PM -0400, Nathan Stratton Treadway wrote:
> > Just to wrap up a few loose ends: the 10,042-byte tap0901.cat file
> > from the DriverStore... directory _does_ seem to have the unwanted
> > "OpenVPN, Inc." signature:
> 
> Now things are starting to get interesting... just this minute, I
> get a question on IRC (#openvpn-devel)
> 
> 23:06 < kitsune1> Anyone knows why Kaspersky anti virus includes tapwindows 
>   driver (looks like 9.23.x). I'm running into a conflict 
> with 
>   it and OpenVPN 2.4.8 install on a Windows machine. No tap 
>   adapter shows up (except the one Kaspersky installed) and 
>   services dont start etc.. Struggling with this for a user 
>   over a remote line.. sigh..
> 
> any chance that you have Kaspersky on the problematic Win10 machines?

I am not sure if this relates in any way to the Kaspersky situation...
but I did just track down a little bit of hint as to the origin of the
incorrect driver files on our failing box.

Specifically, I discovered that there was a file
C:\Windows\INF\setupapi.offline.log which is dated 03/26/2020 04:04 PM,
so right in sync with the 03/26/2020 04:03 PM timestamp for the bizarre
oem43.inf file.

Sure enough, tap0901 is mentioned in that file:


>>>  [Import Driver Package - C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf]
>>>  Section start 2020/03/26 12:03:38.780
   os: Version = 10.0.18362, Service Pack = 0.0, Suite = 0x0100, ProductType  = 1, Architecture = amd64
  cmd: C:\$WINDOWS.~BT\Work\8281DF86-CE40-4716-9BC0-D8633386BCF0\dismhost.exe {7EE7940C-F55C-48C2-BD75-FFE81BDC58C9}
 sto: Driver Store   = C:\$WINDOWS.~BT\NewOS\Windows\System32\DriverStore (10.0.18362)
 sto: Driver Package = C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf
 sto: Architecture   = amd64
 sto: Flags  = 0x0040
 inf: Provider   = TAP-Windows Provider V9
 inf: Class GUID = {4d36e972-e325-11ce-bfc1-08002be10318}
 inf: Driver Version = 09/27/2019,9.24.2.601
 inf: Catalog File   = tap0901.cat
[...]


(I guess the timestamps in the log are 4 hours earlier than the file
timestamps, for some reason...)

Based on a quick glance, it looks like this log file shows a bunch of drivers
getting installed from this c:\$WINDOWS.~BT\ directory into the
C:\windows directory.  Does this ring a bell with anyone?


Nathan




Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Nathan Stratton Treadway
On Fri, Apr 03, 2020 at 23:26:46 +0200, Gert Doering wrote:
> Hi,
> 
> On Fri, Apr 03, 2020 at 05:04:51PM -0400, Nathan Stratton Treadway wrote:
> > Just to wrap up a few loose ends: the 10,042-byte tap0901.cat file
> > from the DriverStore... directory _does_ seem to have the unwanted
> > "OpenVPN, Inc." signature:
> 
> Now things are starting to get interesting... just this minute, I
> get a question on IRC (#openvpn-devel)
> 
> 23:06 < kitsune1> Anyone knows why Kaspersky anti virus includes tapwindows 
>   driver (looks like 9.23.x). I'm running into a conflict 
> with 
>   it and OpenVPN 2.4.8 install on a Windows machine. No tap 
>   adapter shows up (except the one Kaspersky installed) and 
>   services dont start etc.. Struggling with this for a user 
>   over a remote line.. sigh..
> 
> any chance that you have Kaspersky on the problematic Win10 machines?

That sounds very similar, but as far as I can tell Kaspersky is NOT
installed on the box in question

Nathan



Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Gert Doering
Hi,

On Fri, Apr 03, 2020 at 05:04:51PM -0400, Nathan Stratton Treadway wrote:
> Just to wrap up a few loose ends: the 10,042-byte tap0901.cat file
> from the DriverStore... directory _does_ seem to have the unwanted
> "OpenVPN, Inc." signature:

Now things are starting to get interesting... just this minute, I
get a question on IRC (#openvpn-devel)

23:06 < kitsune1> Anyone knows why Kaspersky anti virus includes tapwindows 
  driver (looks like 9.23.x). I'm running into a conflict with 
  it and OpenVPN 2.4.8 install on a Windows machine. No tap 
  adapter shows up (except the one Kaspersky installed) and 
  services dont start etc.. Struggling with this for a user 
  over a remote line.. sigh..

any chance that you have Kaspersky on the problematic Win10 machines?

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Nathan Stratton Treadway
On Fri, Apr 03, 2020 at 14:56:05 -0400, Nathan Stratton Treadway wrote:
> However, when I search under c:\windows\, the tap0901.sys files found
> are different:
> 
> =
> C:\Windows>dir /s tap0901.*
>  Volume in drive C is Windows
>  Volume Serial Number is 0687-5D0C
> 
>  Directory of C:\Windows\System32\drivers
> 10/31/2019  02:09 AM30,720 tap0901.sys
>1 File(s) 30,720 bytes
> 
>  Directory of 
> C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf
> 10/31/2019  02:11 AM10,042 tap0901.cat
> 10/31/2019  02:09 AM30,720 tap0901.sys
>2 File(s) 40,762 bytes
> 
>  Total Files Listed:
>3 File(s) 71,482 bytes
>0 Dir(s)  79,828,119,552 bytes free
> =
> 

Just to wrap up a few loose ends: the 10,042-byte tap0901.cat file
from the DriverStore... directory _does_ seem to have the unwanted
"OpenVPN, Inc." signature:

=
$ ls -l failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat 
-rw-rw-r-- 1 nathanst nathanst 10042 Apr  3 16:22 
failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat

$ sha1sum failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat 
d99e38968de1ca1850971a2b81bfdab49626aaed  
failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat

$ strings failed_DriverStore_oemvista.inf_amd64_6d4bec28a2ef0cdf_tap0901.cat | 
grep "OpenVPN\|Code Sign"
"DigiCert EV Code Signing CA (SHA2)0
OpenVPN Inc.1
OpenVPN Inc.0
"DigiCert EV Code Signing CA (SHA2)0
"DigiCert EV Code Signing CA (SHA2)

=


As I mentioned in the previous email, the
oemvista.inf_amd64_6d4bec28a2ef0cdf has a timestamp which coincides with
the moment that the OpenVPN installer was being run.

However, I noticed that the oem43.inf file does have an earlier
timestamp:

=
Directory of c:\windows\inf
03/26/2020  04:03 PM 7,537 oem43.inf
03/27/2020  11:09 AM 8,828 oem43.PNF
=

... though weirdly Windows on that box was reinstalled in the _morning_ of
3/26, and 16:03 doesn't correspond to any entries at all in the
setupapi.dev.log file (which jumps from 2020/03/26 12:30:18 in one entry
to 2020/03/27 07:50:45 in the next).  So it doesn't quite seem like
oem43.inf would have been created during the initial reinstall of
Windows, but I also don't know what would have created it later that
day...

The c:\windows\inf\oem43.inf file is identical to the one in C:\Program
Files\TAP-Windows\driver:

=
$ sha1sum failed_windows-inf_oem43.inf failed_program-files_OemVista.inf 
d85f4e65fe10f13ded1780ddbd074edfc75f2d25  failed_windows-inf_oem43.inf
d85f4e65fe10f13ded1780ddbd074edfc75f2d25  failed_program-files_OemVista.inf
=

... but I suppose that might just indicate that the Win7 and Win10
versions of that file are identical (if in fact the \windows\inf\ copy
came from the Win7 drivers somehow).


Nathan



Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Nathan Stratton Treadway
On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
> Hi,
> 
> On 02/04/20 22:07, Nathan Stratton Treadway wrote:
> > 
> > Would this second option be consistent with the fact that the failed
> > setupapi log says the driver package was "already imported"?
> 
> Seems like it. You can use
> 
> 
> 
> to get rid of all tap-windows instances in the Driver Store. That's what
> I use when I need to be 100% positive the latest driver version is
> actually being used and not some cached version.

Yeah, I will plan to do that once it seems like there's nothing more to
learn investigating the system in its current state

> 
> > Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
> > inside the TAP-Windows installer, or is that generated dynamically at
> > installer-execution time?
> 
> I have absolutely no idea. We don't actively create such identifiers,
> so I have to assume it's Windows.

Well, I guess the interesting thing is that the same directory name was
used on both the failing- and succeeding-installation machines.  So I
guess it is baked into the driver-installer somewhere (unlike the
"c:\windows\inf\oem*.inf" name used, which was different between the two
machines)  But I'm wondering whether or not that directory name is
constant across tap-windows versions, etc.


Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 21:16:48 +0300, Samuli Seppänen wrote:
> So, with 7zip on Windows I opened
> 
> openvpn-install-2.4.8-i602-Win10.exe
> -> $TEMP
>-> tap-windows.exe
>   -> driver
> 
> That contains OemVista.inf, tap0901.cat and tap0901.sys in three
> flavors: i386, amd64 and arm64. I extracted the cat and sys files and
> checked their signatures. They were all signed by Microsoft. With
> "Get-AuthenticodeSignature " all showed SignerCertificate
> starting with 87D211E3. Checking the File Properties showed that
> corresponds to Microsoft.
> 
> The installer I extracted had a sha1sum of
> 
> 9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d

So...

I took our copy of openvpn-install-2.4.8-i602-Win10.exe and was able
to extract tap-windows.exe out of it.  (In case it helps anyone following
along on this thread later, I found that the "p7zip-full" Ubuntu
package, and the "7z" command, was needed in order to unpack the NSIS
installer executable.)

=
$ sha1sum openvpn-install-2.4.8-I602-Win10.exe 
9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d  openvpn-install-2.4.8-I602-Win10.exe

$ 7z e openvpn-install-2.4.8-I602-Win10.exe '$TEMP/tap-windows.exe'

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)

Processing archive: openvpn-install-2.4.8-I602-Win10.exe

Extracting  $TEMP/tap-windows.exe

Everything is Ok

Size:   587928
Compressed: 4335648

$ sha1sum tap-windows.exe 
2dc03ec37fa11783f1d1965961a93237cde12f69  tap-windows.exe

$ 7z x tap-windows.exe
[... bunch of files extracted...]
=

When I did that second extraction, the three flavors you mention all
unpacked into the same subdirectory (which had a non-ASCII directory
name), but I assume that's just a side-effect of the NSIS archive format
somehow.  To proceed with the unpacking I chose the "A(u)to rename
all" option so all the duplicate files were renamed as they unpacked.


Anyway the main point from that is that all nine files unpacked in the
.../drivers/ subdirectory were dated 10/23:

=
$ ls -lR
[...]
./???/driver:
total 176
-rw-rw-r-- 1 nathanst nathanst  7537 Oct 23 04:38 OemVista_1.inf
-rw-rw-r-- 1 nathanst nathanst  7533 Oct 23 04:37 OemVista_2.inf
-rw-rw-r-- 1 nathanst nathanst  7537 Oct 23 04:38 OemVista.inf
-rw-rw-r-- 1 nathanst nathanst 10861 Oct 23 06:00 tap0901_1.cat
-rw-rw-r-- 1 nathanst nathanst 40128 Oct 23 06:00 tap0901_1.sys
-rw-rw-r-- 1 nathanst nathanst 10866 Oct 23 05:02 tap0901_2.cat
-rw-rw-r-- 1 nathanst nathanst 35008 Oct 23 05:02 tap0901_2.sys
-rw-rw-r-- 1 nathanst nathanst 10711 Oct 23 04:58 tap0901.cat
-rw-rw-r-- 1 nathanst nathanst 39920 Oct 23 04:58 tap0901.sys

[...]
=

(and, consistent with what you found under windows, all three .sys files
contain the string "Microsoft Windows Hardware Compatibility
Publisher" and no file contains the string "OpenVPN, Inc.").

In this case, the non-auto-renamed files are the amd64 flavor of the
driver:
=
$ grep amd *.inf
OemVista.inf:   %Provider% = tap0901, NTamd64
OemVista.inf:[tap0901.NTamd64]

$ file *.sys
tap0901_1.sys: PE32+ executable (native), for MS Windows
tap0901_2.sys: PE32 executable (native) Intel 80386, for MS Windows
tap0901.sys:   PE32+ executable (native) x86-64, for MS Windows

$ ls -l OemVista.inf tap0901.*
-rw-rw-r-- 1 nathanst nathanst  7537 Oct 23 04:38 OemVista.inf
-rw-rw-r-- 1 nathanst nathanst 10711 Oct 23 04:58 tap0901.cat
-rw-rw-r-- 1 nathanst nathanst 39920 Oct 23 04:58 tap0901.sys
=



So, turning my attention to the Windows box where the installation
failed, I found that the c:\program files\ files do match the
amd64-flavor files unpacked above.

=
Directory of C:\Program Files\TAP-Windows\driver
03/27/2020  11:09 AM  .
03/27/2020  11:09 AM  ..
10/23/2019  04:38 AM 7,537 OemVista.inf
10/23/2019  04:58 AM10,711 tap0901.cat
10/23/2019  04:58 AM39,920 tap0901.sys
=

However, when I search under c:\windows\, the tap0901.sys files found
are different:

=
C:\Windows>dir /s tap0901.*
 Volume in drive C is Windows
 Volume Serial Number is 0687-5D0C

 Directory of C:\Windows\System32\drivers
10/31/2019  02:09 AM30,720 tap0901.sys
   1 File(s) 30,720 bytes

 Directory of 
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf
10/31/2019  02:11 AM10,042 tap0901.cat
10/31/2019  02:09 AM30,720 tap0901.sys
   2 File(s) 40,762 bytes

 Total Files Listed:
   3 File(s) 71,482 bytes
   0 Dir(s)  79,828,119,552 bytes free
=


These two .sys files are indeed identical, and looking inside them
with "strings" it appears they are not signed.  (The strings "Microsoft"
and "Hardware" don't occur, and the spot at the end of the file where
the various strings that appear to be related to the signing certificate
in the Oct 23/39,920-byte version of the file has no sim

Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Samuli Seppänen
Hi,

On 02/04/20 22:07, Nathan Stratton Treadway wrote:
> On Thu, Apr 02, 2020 at 21:16:48 +0300, Samuli Seppänen wrote:
>> The installer I extracted had a sha1sum of
>>
>> 9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d
>>
>> That matches the sha1sum of openvpn-install-2.4.8-i602-Win10.exe's which
>> I just a few minutes ago downloaded from the official download page and
>> our alternative download server:
> 
> Yes, this matches the other copies of the installer we have (though
> unfortunately on the machine where this failed, the installer .exe file
> was not saved, so I guess there is some remote possibility that it was
> not the same file, somehow).
> 
> 
>>
>> 
>> 
>>
>> At this point I have no clue where a Windows 7 version of the driver
>> could have appeared from, unless:
>>
>> - The installer you're using is somehow accidentally not the correct one
>> - Windows has the Windows 7 driver hidden somewhere (Driver Store)
> 
> Would this second option be consistent with the fact that the failed
> setupapi log says the driver package was "already imported"?

Seems like it. You can use



to get rid of all tap-windows instances in the Driver Store. That's what
I use when I need to be 100% positive the latest driver version is
actually being used and not some cached version.

> Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
> inside the TAP-Windows installer, or is that generated dynamically at
> installer-execution time?

I have absolutely no idea. We don't actively create such identifiers,
so I have to assume it's Windows.

> 
> Anyway, I will see if I can determine anything by checking the timestamps
> for the various c:\windows\ files mentioned in the log, etc.

Ok, let me know what you find!

Samuli




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 21:16:48 +0300, Samuli Seppänen wrote:
> The installer I extracted had a sha1sum of
> 
> 9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d
> 
> That matches the sha1sum of openvpn-install-2.4.8-i602-Win10.exe's which
> I just a few minutes ago downloaded from the official download page and
> our alternative download server:

Yes, this matches the other copies of the installer we have (though
unfortunately on the machine where this failed, the installer .exe file
was not saved, so I guess there is some remote possibility that it was
not the same file, somehow).


> 
> 
> 
> 
> At this point I have no clue where a Windows 7 version of the driver
> could have appeared from, unless:
> 
> - The installer you're using is somehow accidentally not the correct one
> - Windows has the Windows 7 driver hidden somewhere (Driver Store)

Would this second option be consistent with the fact that the failed
setupapi log says the driver package was "already imported"?

Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
inside the TAP-Windows installer, or is that generated dynamically at
installer-execution time?

Anyway, I will see if I can determine anything by checking the timestamps
for the various c:\windows\ files mentioned in the log, etc.

Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Samuli Seppänen
Hi again,

On 02/04/20 20:52, Samuli Seppänen wrote:
> On 02/04/20 20:43, Nathan Stratton Treadway wrote:
>> On Thu, Apr 02, 2020 at 20:17:23 +0300, Samuli Seppänen wrote:
>>> On 02/04/20 19:22, Nathan Stratton Treadway wrote:
>>>> On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote:
>>>>> On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
>>>>>>> So it does seem like the driver is signed by OpenVPN (and not
>>>>>>> Microsoft)... but the version is 9.24.  Does that mean it actually is
>>>>>>> the "tap0901" driver, or can the tap-windows6 driver also have a version
>>>>>>> of 9.24?
>>>>>>
>>>>>> All these are "tap-windows6", "tap0901".
>>>>>>
>>>>>> 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24
>>>>>>
>>>>>> There used to be a tap-windows with NDIS5, but I think we never
>>>>>> shipped a 2.4 installer with it - the installer versions with "-I001"
>>>>>> in the name had tap5, the "I601, I602, ..." ones have tap6.
>>>>>
>>>>> Okay, thanks, that helps.
>>>>>
>>>>> So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both
>>>>> the Windows 7 and Windows 10 versions of the tap-windows6 driver?
>>>>>
>>>>
>>>> Or, I guess a more precise question is: does the tapinstall.exe file
>>>> included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I
>>>> guess is tapinstall v602, right?) contain both Win 7 and Win 10
>>>> drivers?
>>>
>>> The OpenVPN installers should contain only Windows 7 (cross-signed) or
>>> Windows 10 (attestation-signed) drivers in i386, amd64 and arm64
>>
>> Are you saying that the openvpn-install-2.4.8-i602-Win10.exe installer
>> should contain *only* the Win 10 version of the TAP-windows driver?
>
> Yes, exactly. I had to double-check that from openvpn-build and
> tap-windows6 buildsystems to be sure.
>
>> If so, then the question is where the cross-signed driver is coming from
>> on this box (which has never had any OpenVPN [or TAP] installer other
>> than openvpn-install-2.4.8-i602-Win10.exe run on it)?
>
> That is a very good question. I just launched my lovely arm64 Windows 10
> laptop to check the catalog signatures. I'll report back.

So, with 7zip on Windows I opened

openvpn-install-2.4.8-i602-Win10.exe
-> $TEMP
   -> tap-windows.exe
  -> driver

That contains OemVista.inf, tap0901.cat and tap0901.sys in three
flavors: i386, amd64 and arm64. I extracted the cat and sys files and
checked their signatures. They were all signed by Microsoft. With
"Get-AuthenticodeSignature " all showed SignerCertificate
starting with 87D211E3. Checking the File Properties showed that
corresponds to Microsoft.

The installer I extracted had a sha1sum of

9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d

That matches the sha1sum of openvpn-install-2.4.8-i602-Win10.exe's which
I just a few minutes ago downloaded from the official download page and
our alternative download server:




At this point I have no clue where a Windows 7 version of the driver
could have appeared from, unless:

- The installer you're using is somehow accidentally not the correct one
- Windows has the Windows 7 driver hidden somewhere (Driver Store)

It is getting late here (9:15 PM) so I won't be around anymore, but will
check back in my morning.


>>> flavors. Verifying that is fairly easy by extracting the installer with
>>> p7zip and checking the signatures of all the *.cat files in it.
>>
>> p7zip on my Ubuntu box (Xenial) refused to open the .exe file, as did
>> 7zr ("Can not open file as archive").  Can you send a pointer to a
>> website which discusses the type of unpacking-of-installer-file you are
>> talking about?
> 
> I've only ever done it on Windows. Verifying the authenticode signature
> signer might be challenging on Linux.
> 
>> (Note that I don't run Windows myself, and only have limited access to the
>> Windows machines in question.)
> 
> 
> 





Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Samuli Seppänen
On 02/04/20 20:43, Nathan Stratton Treadway wrote:
> On Thu, Apr 02, 2020 at 20:17:23 +0300, Samuli Seppänen wrote:
>> On 02/04/20 19:22, Nathan Stratton Treadway wrote:
>>> On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote:
>>>> On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote:
>>>>> Hi,
>>>>>
>>>>> On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
>>>>>> So it does seem like the driver is signed by OpenVPN (and not
>>>>>> Microsoft)... but the version is 9.24.  Does that mean it actually is
>>>>>> the "tap0901" driver, or can the tap-windows6 driver also have a version
>>>>>> of 9.24?
>>>>>
>>>>> All these are "tap-windows6", "tap0901".
>>>>>
>>>>> 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24
>>>>>
>>>>> There used to be a tap-windows with NDIS5, but I think we never
>>>>> shipped a 2.4 installer with it - the installer versions with "-I001"
>>>>> in the name had tap5, the "I601, I602, ..." ones have tap6.
>>>>
>>>> Okay, thanks, that helps.
>>>>
>>>> So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both
>>>> the Windows 7 and Windows 10 versions of the tap-windows6 driver?
>>>>
>>>
>>> Or, I guess a more precise question is: does the tapinstall.exe file
>>> included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I
>>> guess is tapinstall v602, right?) contain both Win 7 and Win 10
>>> drivers?
>>
>> The OpenVPN installers should contain only Windows 7 (cross-signed) or
>> Windows 10 (attestation-signed) drivers in i386, amd64 and arm64
> 
> Are you saying that the openvpn-install-2.4.8-i602-Win10.exe installer
> should contain *only* the Win 10 version of the TAP-windows driver?

Yes, exactly. I had to double-check that from openvpn-build and
tap-windows6 buildsystems to be sure.

> If so, then the question is where the cross-signed driver is coming from
> on this box (which has never had any OpenVPN [or TAP] installer other
> than openvpn-install-2.4.8-i602-Win10.exe run on it)?

That is a very good question. I just launched my lovely arm64 Windows 10
laptop to check the catalog signatures. I'll report back.

>> flavors. Verifying that is fairly easy by extracting the installer with
>> p7zip and checking the signatures of all the *.cat files in it.
> 
> p7zip on my Ubuntu box (Xenial) refused to open the .exe file, as did
> 7zr ("Can not open file as archive").  Can you send a pointer to a
> website which discusses the type of unpacking-of-installer-file you are
> talking about?

I've only ever done it on Windows. Verifying the authenticode signature
signer might be challenging on Linux.

> (Note that I don't run Windows myself, and only have limited access to the
> Windows machines in question.)




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 20:17:23 +0300, Samuli Seppänen wrote:
> Il 02/04/20 19:22, Nathan Stratton Treadway ha scritto:
> > On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote:
> >> On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote:
> >>> Hi,
> >>>
> >>> On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
>  So it does seem like the driver is signed by OpenVPN (and not
>  Microsoft)... but the version is 9.24.  Does that mean it actually is
>  the "tap0901" driver, or can the tap-windows6 driver also have a version
>  of 9.24?
> >>>
> >>> All these are "tap-windows6", "tap0901".
> >>>
> >>> 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24
> >>>
> >>> There used to be a tap-windows with NDIS5, but I think we never
> >>> shipped a 2.4 installer with it - the installer versions with "-I001"
> >>> in the name had tap5, the "I601, I602, ..."" ones have tap6.
> >>
> >> Okay, thanks, that helps.
> >>
> >> So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both
> >> the Windows 7 and Windows 10 versions of the tap-windows6 driver?
> >>
> > 
> > Or, I guess a more precise question is: does the tapinstall.exe file
> > included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I
> > guess is tapinstall v602, right?) contain both Win 7 and Win 10
> > drivers?
> 
> The OpenVPN installers should contain only Windows 7 (cross-signed) or
> Windows 10 (attestation-signed) drivers in i386, amd64 and arm64

Are you saying that the openvpn-install-2.4.8-i602-Win10.exe installer
should contain *only* the Win 10 version of the TAP-windows driver?  

If so, then the question is where the cross-signed driver is coming from
on this box (which has never had any OpenVPN [or TAP] installer other
than openvpn-install-2.4.8-i602-Win10.exe run on it)?



> flavors. Verifying that is fairly easy by extracting the installer with
> p7zip and checking the signatures of all the *.cat files in it.

p7zip on my Ubuntu box (Xenial) refused to open the .exe file, as did
7zr ("Can not open file as archive").  Can you send a pointer to a
website which discusses the type of unpacking-of-installer-file you are
talking about?

(Note that I don't run Windows myself, and only have limited access to the
Windows machines in question.)

Thanks.

Nathan



Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Samuli Seppänen
Il 02/04/20 19:22, Nathan Stratton Treadway ha scritto:
> On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote:
>> On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote:
>>> Hi,
>>>
>>> On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
>>>> So it does seem like the driver is signed by OpenVPN (and not
>>>> Microsoft)... but the version is 9.24.  Does that mean it actually is
>>>> the "tap0901" driver, or can the tap-windows6 driver also have a version
>>>> of 9.24?
>>>
>>> All these are "tap-windows6", "tap0901".
>>>
>>> 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24
>>>
>>> There used to be a tap-windows with NDIS5, but I think we never
>>> shipped a 2.4 installer with it - the installer versions with "-I001"
>>> in the name had tap5, the "I601, I602, ..." ones have tap6.
>>
>> Okay, thanks, that helps.
>>
>> So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both
>> the Windows 7 and Windows 10 versions of the tap-windows6 driver?
>>
> 
> Or, I guess a more precise question is: does the tapinstall.exe file
> included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I
> guess is tapinstall v602, right?) contain both Win 7 and Win 10
> drivers?

The OpenVPN installers should contain only Windows 7 (cross-signed) or
Windows 10 (attestation-signed) drivers in i386, amd64 and arm64
flavors. Verifying that is fairly easy by extracting the installer with
p7zip and checking the signatures of all the *.cat files in it.

Samuli




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote:
> On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote:
> > Hi,
> > 
> > On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
> > > So it does seem like the driver is signed by OpenVPN (and not
> > > Microsoft)... but the version is 9.24.  Does that mean it actually is
> > > the "tap0901" driver, or can the tap-windows6 driver also have a version
> > > of 9.24?
> > 
> > All these are "tap-windows6", "tap0901".
> > 
> > 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24
> > 
> > There used to be a tap-windows with NDIS5, but I think we never
> > shipped a 2.4 installer with it - the installer versions with "-I001"
> > in the name had tap5, the "I601, I602, ..." ones have tap6.
> 
> Okay, thanks, that helps.
> 
> So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both
> the Windows 7 and Windows 10 versions of the tap-windows6 driver?
> 

Or, I guess a more precise question is: does the tapinstall.exe file
included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I
guess is tapinstall v602, right?) contain both Win 7 and Win 10
drivers?

Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote:
> Hi,
> 
> On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
> > So it does seem like the driver is signed by OpenVPN (and not
> > Microsoft)... but the version is 9.24.  Does that mean it actually is
> > the "tap0901" driver, or can the tap-windows6 driver also have a version
> > of 9.24?
> 
> All these are "tap-windows6", "tap0901".
> 
> 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24
> 
> There used to be a tap-windows with NDIS5, but I think we never
> shipped a 2.4 installer with it - the installer versions with "-I001"
> in the name had tap5, the "I601, I602, ..." ones have tap6.

Okay, thanks, that helps.

So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both
the Windows 7 and Windows 10 versions of the tap-windows6 driver?


Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Gert Doering
Hi,

On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
> So it does seem like the driver is signed by OpenVPN (and not
> Microsoft)... but the version is 9.24.  Does that mean it actually is
> the "tap0901" driver, or can the tap-windows6 driver also have a version
> of 9.24?

All these are "tap-windows6", "tap0901".

2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24

There used to be a tap-windows with NDIS5, but I think we never
shipped a 2.4 installer with it - the installer versions with "-I001"
in the name had tap5, the "I601, I602, ..." ones have tap6.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 08:47:57 +0300, Samuli Seppänen wrote:
> I looked at Ralf's logs and they show that - for whatever reason - the
> tap-windows installer chose to install the Windows 7 version of
> tap-windows6 on those Windows 10 instances. The Digital signer in the
> device properties should show "Microsoft Windows Hardware
> Compatibility Publisher" (=attestation signature), not "OpenVPN Inc"
> (cross-signed).

I looked at the Properties for the "TAP-Windows Adapter V9" device in
Device Manager.  The Driver tab shows:
  Driver Provider: TAP-Windows Provider V9
  Driver Date: 9/27/2019
  Driver version: 9.24.2.601
  Digital Signer: OpenVPN Inc.

So it does seem like the driver is signed by OpenVPN (and not
Microsoft)... but the version is 9.24.  Does that mean it actually is
the "tap0901" driver, or can the tap-windows6 driver also have a version
of 9.24?

Nathan



Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 08:47:57 +0300, Samuli Seppänen wrote:
> difference is. Or maybe something changed in Windows which causes this
> misbehavior. Fully removing all traces of tap-windows6 from the system,
> e.g. with Remote-Tapwindows.ps1:
> 
> 
> 
> Can you guys try if that full removal helps with this?

You are saying we should try using that script to fully remove the tap
driver, then try running the OpenVPN installer again?

(Or, is there some tap-driver-only installer that it would be more helpful
for us to be running instead, at this point?)

Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 10:03:40 +0300, Samuli Seppänen wrote:
> Hi,
> 
> Il 02/04/20 08:33, Nathan Stratton Treadway ha scritto:
> > On Wed, Apr 01, 2020 at 11:14:08 -0400, Nathan Stratton Treadway wrote:
> >> I should be able to get the setupapi.dev.log  files from both of the
> >> machines if that would be helpful.
> > 
> > I extracted the section of the setupapi.dev.log files related to the
> > TAP-Windows installation from each of the systems in question, and then
> > to try to spot the functional differences between the two, I ran the
> > following commands to mask off the timestamps contained within the log:
> > 
> >   $ sed "s/10:50:03\.[0-9]*/HH:MM:SS.sss/g" setupapi_TAP-Windows_succeeded.log > setupapi_TAP-Windows_succeeded.log_cleaned
> >   $ sed "s/11:09:33\.[0-9]*/HH:MM:SS.sss/g" setupapi_TAP-Windows_failed.log > setupapi_TAP-Windows_failed.log_cleaned
> > 
> > and then compared the two "_cleaned" files:
> > 
> > =
> > $ diff -ui setupapi_TAP-Windows_{succeeded,failed}.log_cleaned
> > --- setupapi_TAP-Windows_succeeded.log_cleaned  2020-04-02 
> > 00:18:12.0 -0400
> > +++ setupapi_TAP-Windows_failed.log_cleaned 2020-04-02 00:19:09.0 
> > -0400
> > @@ -1,5 +1,5 @@
> >  >>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
> > ->>>  Section start 2020/03/13 HH:MM:SS.sss
> > +>>>  Section start 2020/03/27 HH:MM:SS.sss
> >cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install 
> > "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
> >   ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
> >   ndv: Install flags: 0x0001
> > @@ -9,19 +9,13 @@
> >   dvi:  {Build Driver List} HH:MM:SS.sss
> >   dvi:   Searching for hardware ID(s):
> >   dvi:tap0901
> > - sig:   {_VERIFY_FILE_SIGNATURE} HH:MM:SS.sss
> > - sig:Key  = oemvista.inf
> > - sig:FilePath = c:\program 
> > files\tap-windows\driver\oemvista.inf
> > - sig:Catalog  = c:\program 
> > files\tap-windows\driver\tap0901.cat
> > - sig:Success: File is signed in catalog.
> > - sig:   {_VERIFY_FILE_SIGNATURE exit(0x)} HH:MM:SS.sss
> >   dvi:   Created Driver Node:
> >   dvi:HardwareID   - tap0901
> >   dvi:InfName  - c:\program 
> > files\tap-windows\driver\oemvista.inf
> >   dvi:DevDesc  - TAP-Windows Adapter V9
> >   dvi:Section  - tap0901.ndi
> >   dvi:Rank - 0x00ff
> > - dvi:Signer Score - WHQL
> > + dvi:Signer Score - Authenticode
> 
> Your problem seems to be the same as Ralf's (see my other email). The
> NSIS installer chose to install the Windows 7 version of tap-windows6 on
> this Windows 10 instance, and that will not work.
> 
> WHQL = attestation signed
> Authenticode = cross-signed


Sorry, I don't know much about NSIS operation: is the tap-windows6 driver
included in the openvpn-install-2.4.8-i602-Win10.exe installer?

> 
> >   dvi:DrvDate  - 09/27/2019
> >   dvi:Version  - 9.24.2.601
> >   dvi:  {Build Driver List - exit(0x)} HH:MM:SS.sss
> > @@ -40,70 +34,15 @@
> >   ndv:   Inf Name   - oemvista.inf
> >   ndv:   Driver Date- 09/27/2019
> >   ndv:   Driver Version - 9.24.2.601
> > + ndv:  Driver package 
> > 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf'
> >  is already imported.
> >   sto:  {Setup Import Driver Package: c:\program 
> > files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
> > - inf:   Provider: TAP-Windows Provider V9
> > - inf:   Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
> > - inf:   Driver Version: 09/27/2019,9.24.2.601
> > - inf:   Catalog File: tap0901.cat
> > - sto:   {Copy Driver Package: c:\program 
> > files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
> > - sto:Driver Package = c:\program 
> > files\tap-windows\driver\oemvista.inf
> > - sto:Flags  = 0x0007
> > [... skipping the copying of all the driver files, etc...]
> > - sto: {DRIVERSTORE IMPORT END} HH:MM:SS.sss
> > - dvi:  Flushed all driver package files to 
> > disk. Time = 16 ms
> > - sig:  Installed catalog 'tap0901.cat' as 
> > 'oem128.cat'.
> > - sto: {DRIVERSTORE IMPORT END: exit(0x)} 
> > HH:MM:SS.sss
> > - sto:{Core Driver Package Import: exit(0x)} 
> > HH:MM:SS.sss
> > - sto:   {Stage Driver Package: exit(0x)} HH:MM:SS.sss
> > + sto:   Driver package already imported as 'oem43.inf'

Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Nathan Stratton Treadway
On Thu, Apr 02, 2020 at 12:14:07 +0100, tincanteksup wrote:
> 
> 
> On 02/04/2020 06:47, Samuli Seppänen wrote:
> >Hi,
> >
> 
> 
> 
> >
> >I looked at Ralf's logs and they show that - for whatever reason - the
> >tap-windows installer chose to install the Windows 7 version of
> >tap-windows6 on those Windows 10 instances. The Digital signer in the
> >device properties should show "Microsoft Windows Hardware
> >Compatibility Publisher" (=attestation signature), not "OpenVPN Inc"
> >(cross-signed).
> 
> Is this possibly related to a Windows 7 machine being updated to
> Windows 10 ?

At least in our case, no -- we're hitting this problem on a system that
never had Windows 7 installed.

Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread tincanteksup
On 02/04/2020 06:47, Samuli Seppänen wrote:
> Hi,
>
> I looked at Ralf's logs and they show that - for whatever reason - the
> tap-windows installer chose to install the Windows 7 version of
> tap-windows6 on those Windows 10 instances. The Digital signer in the
> device properties should show "Microsoft Windows Hardware
> Compatibility Publisher" (=attestation signature), not "OpenVPN Inc"
> (cross-signed).

Is this possibly related to a Windows 7 machine being updated to
Windows 10 ?

> Assuming 9.23.x works it "should be easy"(tm) to figure out what the
> difference is. Or maybe something changed in Windows which causes this
> misbehavior. Fully removing all traces of tap-windows6 from the system,
> e.g. with Remote-Tapwindows.ps1:
>
>
>
> Can you guys try if that full removal helps with this?
>
> Samuli



Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Samuli Seppänen
Hi,

Il 02/04/20 08:33, Nathan Stratton Treadway ha scritto:
> On Wed, Apr 01, 2020 at 11:14:08 -0400, Nathan Stratton Treadway wrote:
>> I should be able to get the setupapi.dev.log  files from both of the
>> machines if that would be helpful.
> 
> I extracted the section of the setupapi.dev.log files related to the
> TAP-Windows installation from each of the systems in question, and then
> to try to spot the functional differences between the two, I ran the
> following commands to mask off the timestamps contained within the log:
> 
>   $ sed "s/10:50:03\.[0-9]*/HH:MM:SS.sss/g" setupapi_TAP-Windows_succeeded.log > setupapi_TAP-Windows_succeeded.log_cleaned
>   $ sed "s/11:09:33\.[0-9]*/HH:MM:SS.sss/g" setupapi_TAP-Windows_failed.log > setupapi_TAP-Windows_failed.log_cleaned
> 
> and then compared the two "_cleaned" files:
> 
> =
> $ diff -ui setupapi_TAP-Windows_{succeeded,failed}.log_cleaned
> --- setupapi_TAP-Windows_succeeded.log_cleaned2020-04-02 
> 00:18:12.0 -0400
> +++ setupapi_TAP-Windows_failed.log_cleaned   2020-04-02 00:19:09.0 
> -0400
> @@ -1,5 +1,5 @@
>  >>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
> ->>>  Section start 2020/03/13 HH:MM:SS.sss
> +>>>  Section start 2020/03/27 HH:MM:SS.sss
>cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install 
> "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
>   ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
>   ndv: Install flags: 0x0001
> @@ -9,19 +9,13 @@
>   dvi:  {Build Driver List} HH:MM:SS.sss
>   dvi:   Searching for hardware ID(s):
>   dvi:tap0901
> - sig:   {_VERIFY_FILE_SIGNATURE} HH:MM:SS.sss
> - sig:Key  = oemvista.inf
> - sig:FilePath = c:\program 
> files\tap-windows\driver\oemvista.inf
> - sig:Catalog  = c:\program 
> files\tap-windows\driver\tap0901.cat
> - sig:Success: File is signed in catalog.
> - sig:   {_VERIFY_FILE_SIGNATURE exit(0x)} HH:MM:SS.sss
>   dvi:   Created Driver Node:
>   dvi:HardwareID   - tap0901
>   dvi:InfName  - c:\program 
> files\tap-windows\driver\oemvista.inf
>   dvi:DevDesc  - TAP-Windows Adapter V9
>   dvi:Section  - tap0901.ndi
>   dvi:Rank - 0x00ff
> - dvi:Signer Score - WHQL
> + dvi:Signer Score - Authenticode

Your problem seems to be the same as Ralf's (see my other email). The
NSIS installer chose to install the Windows 7 version of tap-windows6 on
this Windows 10 instance, and that will not work.

WHQL = attestation signed
Authenticode = cross-signed


>   dvi:DrvDate  - 09/27/2019
>   dvi:Version  - 9.24.2.601
>   dvi:  {Build Driver List - exit(0x)} HH:MM:SS.sss
> @@ -40,70 +34,15 @@
>   ndv:   Inf Name   - oemvista.inf
>   ndv:   Driver Date- 09/27/2019
>   ndv:   Driver Version - 9.24.2.601
> + ndv:  Driver package 
> 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf'
>  is already imported.
>   sto:  {Setup Import Driver Package: c:\program 
> files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
> - inf:   Provider: TAP-Windows Provider V9
> - inf:   Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
> - inf:   Driver Version: 09/27/2019,9.24.2.601
> - inf:   Catalog File: tap0901.cat
> - sto:   {Copy Driver Package: c:\program 
> files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
> - sto:Driver Package = c:\program 
> files\tap-windows\driver\oemvista.inf
> - sto:Flags  = 0x0007
> [... skipping the copying of all the driver files, etc...]
> - sto: {DRIVERSTORE IMPORT END} HH:MM:SS.sss
> - dvi:  Flushed all driver package files to disk. 
> Time = 16 ms
> - sig:  Installed catalog 'tap0901.cat' as 
> 'oem128.cat'.
> - sto: {DRIVERSTORE IMPORT END: exit(0x)} 
> HH:MM:SS.sss
> - sto:{Core Driver Package Import: exit(0x)} 
> HH:MM:SS.sss
> - sto:   {Stage Driver Package: exit(0x)} HH:MM:SS.sss
> + sto:   Driver package already imported as 'oem43.inf'.
>   sto:  {Setup Import Driver Package - exit (0x)} HH:MM:SS.sss
>   dvi:  Searching for hardware ID(s):
>   dvi:   tap0901
>   dvi:  Class GUID of device changed to: 
> {4d36e972-e325-11ce-bfc1-08002be10318}.
>   dvi:  {Plug and Play Service: Device Install for ROOT\NET\}
> - dvi:   Driver INF Path: C:\windows\IN

Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-01 Thread Samuli Seppänen
Hi,

Il 01/04/20 18:14, Nathan Stratton Treadway ha scritto:
> On Thu, Mar 26, 2020 at 17:11:27 +0200, Samuli Seppänen wrote:
>> Il 26/03/20 15:47, Ralf Hildebrandt ha scritto:
>>> As you might have heard this covid19 thingy is forcing (our) users to
>>> work from home. 
>>>
>>> We're using openvpn (in the meantime we deployed three openvpn servers
>>> to handle the load and have optimised the scripts to lower the overall
>>> latency upon execution), and recently we encountered massive problems with
>>> openvpn 2.4.8 on Windows 10. The bundled TAP32 Adapter is having
>>> issues (little yellow triangle with an exclamation mark in the device 
>>> manager).
>>
>> Can you send me (privately) C:\Windows\inf\setupapi.dev.log from one or
>> some of the affected computers? Or just the part of it which describes
>> the failed tap-windows6 installation (rather easy to find).
> 
> We've just hit what I assume is the same problem at our site. 
> Interestingly we have two "twin" Windows 10 machines (same model
> purchased at the same time), but OpenVPN installed fine on one and had
> the problem on the other.
> 
> (Specifically on the failed machine the TAP-Windows Adapter V9 entry in
> the Device Manager has a Device Status of "Windows cannot verify the
> digital signature for the drivers required for this device. A recent
> hardware or software change might have installed a file that is signed
> incorrectly or damaged, or that might be malicious software from an
> unknown source. (Code 52)"..)
> 
> On both of these machines OpenVPN had never been installed before
> the recent installation.
> 
> I should be able to get the setupapi.dev.log  files from both of the
> machines if that would be helpful.

I looked at Ralf's logs and they show that - for whatever reason - the
tap-windows installer chose to install the Windows 7 version of
tap-windows6 on those Windows 10 instances. The Digital signer in the
device properties should show "Microsoft Windows Hardware
Compatibility Publisher" (=attestation signature), not "OpenVPN Inc"
(cross-signed).

Assuming 9.23.x works it "should be easy"(tm) to figure out what the
difference is. Or maybe something changed in Windows which causes this
misbehavior. Fully removing all traces of tap-windows6 from the system,
e.g. with Remote-Tapwindows.ps1:



Can you guys try if that full removal helps with this?

Samuli
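
The signer check described above, applied to setupapi.dev.log device-install sections of the kind compared elsewhere in this thread (where WHQL is given as attestation-signed and Authenticode as cross-signed). This is an added example, not part of the original message or of OpenVPN's tooling; the log lines are constructed for illustration and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Signer Score values and their meaning, as stated in this thread.
SIGNER_MEANING = {"WHQL": "attestation-signed", "Authenticode": "cross-signed"}

SECTION_RE = re.compile(r"^>>>\s+\[(.+)\]\s*$")
SIGNER_RE = re.compile(r"Signer Score\s*-\s*(\S+)")
VERSION_RE = re.compile(r"\bVersion\s*-\s*(\d+(?:\.\d+)+)")
IMPORTED_RE = re.compile(r"already imported as '([^']+)'")


@dataclass
class InstallSection:
    title: str
    signer_score: Optional[str] = None
    version: Optional[str] = None
    catalog_verified: bool = False
    reused_inf: Optional[str] = None

    def findings(self) -> List[str]:
        """Return the reasons this install deserves a closer look."""
        out = []
        meaning = SIGNER_MEANING.get(self.signer_score or "", "unknown")
        if self.signer_score != "WHQL":
            out.append(f"Signer Score {self.signer_score} ({meaning}), expected WHQL")
        if not self.catalog_verified:
            out.append("no successful catalog signature check logged")
        if self.reused_inf:
            out.append(f"Driver Store copy reused: {self.reused_inf}")
        return out


def parse_sections(text: str, hardware_id: str = "tap0901") -> List[InstallSection]:
    """Collect the device-install sections whose title ends in hardware_id."""
    sections: List[InstallSection] = []
    current: Optional[InstallSection] = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            # A new ">>>  [...]" header closes the previous section.
            title = header.group(1)
            current = None
            if title.endswith("- " + hardware_id):
                current = InstallSection(title)
                sections.append(current)
            continue
        if current is None:
            continue  # line belongs to a section for some other device
        m = SIGNER_RE.search(line)
        if m and current.signer_score is None:
            current.signer_score = m.group(1)
        m = VERSION_RE.search(line)
        if m and current.version is None:
            current.version = m.group(1)
        m = IMPORTED_RE.search(line)
        if m:
            current.reused_inf = m.group(1)
        if "File is signed in catalog" in line:
            current.catalog_verified = True
    return sections


# Constructed sample input, modelled on the excerpts quoted in this thread.
GOOD_LOG = r"""
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/13 10:50:03.100
     sig:      {_VERIFY_FILE_SIGNATURE} 10:50:03.120
     sig:           Catalog  = c:\program files\tap-windows\driver\tap0901.cat
     sig:           Success: File is signed in catalog.
     dvi:           Signer Score - WHQL
     dvi:           Version      - 9.24.2.601
>>>  [Device Install (Hardware initiated) - EXAMPLE\OTHER_DEVICE]
     dvi:           Signer Score - Authenticode
"""

BAD_LOG = r"""
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/27 11:09:33.200
     dvi:           Signer Score - Authenticode
     dvi:           Version      - 9.24.2.601
     sto:      Driver package already imported as 'oem43.inf'.
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        for section in parse_sections(log):
            print(name, section.version, section.findings() or "ok")
```

Because the driver version is identical in both cases, the Signer Score and the "already imported" line are what separate a working install from a failing one.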




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-01 Thread Nathan Stratton Treadway
On Wed, Apr 01, 2020 at 11:14:08 -0400, Nathan Stratton Treadway wrote:
> I should be able to get the setupapi.dev.log  files from both of the
> machines if that would be helpful.

I extracted the section of the setupapi.dev.log files related to the
TAP-Windows installation from each of the systems in question, and then
to try to spot the functional differences between the two, I ran the
following commands to mask off the timestamps contained within the log:

  $ sed "s/10:50:03\.[0-9]*/HH:MM:SS.sss/g" setupapi_TAP-Windows_succeeded.log > setupapi_TAP-Windows_succeeded.log_cleaned
  $ sed "s/11:09:33\.[0-9]*/HH:MM:SS.sss/g" setupapi_TAP-Windows_failed.log > setupapi_TAP-Windows_failed.log_cleaned

and then compared the two "_cleaned" files:

=
$ diff -ui setupapi_TAP-Windows_{succeeded,failed}.log_cleaned
--- setupapi_TAP-Windows_succeeded.log_cleaned  2020-04-02 00:18:12.0 
-0400
+++ setupapi_TAP-Windows_failed.log_cleaned 2020-04-02 00:19:09.0 
-0400
@@ -1,5 +1,5 @@
 >>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
->>>  Section start 2020/03/13 HH:MM:SS.sss
+>>>  Section start 2020/03/27 HH:MM:SS.sss
   cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install 
"C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
  ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
  ndv: Install flags: 0x0001
@@ -9,19 +9,13 @@
  dvi:  {Build Driver List} HH:MM:SS.sss
  dvi:   Searching for hardware ID(s):
  dvi:tap0901
- sig:   {_VERIFY_FILE_SIGNATURE} HH:MM:SS.sss
- sig:Key  = oemvista.inf
- sig:FilePath = c:\program 
files\tap-windows\driver\oemvista.inf
- sig:Catalog  = c:\program 
files\tap-windows\driver\tap0901.cat
- sig:Success: File is signed in catalog.
- sig:   {_VERIFY_FILE_SIGNATURE exit(0x)} HH:MM:SS.sss
  dvi:   Created Driver Node:
  dvi:HardwareID   - tap0901
  dvi:InfName  - c:\program 
files\tap-windows\driver\oemvista.inf
  dvi:DevDesc  - TAP-Windows Adapter V9
  dvi:Section  - tap0901.ndi
  dvi:Rank - 0x00ff
- dvi:Signer Score - WHQL
+ dvi:Signer Score - Authenticode
  dvi:DrvDate  - 09/27/2019
  dvi:Version  - 9.24.2.601
  dvi:  {Build Driver List - exit(0x)} HH:MM:SS.sss
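
Review bot: on the '+' side the whole sig: {_VERIFY_FILE_SIGNATURE} block for oemvista.inf against tap0901.cat is gone, not only the Signer Score changed from WHQL to Authenticode, so this hunk does not show which catalog the failed machine actually evaluated. DrvDate 09/27/2019 and Version 9.24.2.601 are unchanged context lines, which means the version cannot tell the two packages apart; the comparison should add a hash or the signer of c:\program files\tap-windows\driver\tap0901.cat taken from each machine.
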
@@ -40,70 +34,15 @@
  ndv:   Inf Name   - oemvista.inf
  ndv:   Driver Date- 09/27/2019
  ndv:   Driver Version - 9.24.2.601
+ ndv:  Driver package 
'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf'
 is already imported.
  sto:  {Setup Import Driver Package: c:\program 
files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
- inf:   Provider: TAP-Windows Provider V9
- inf:   Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
- inf:   Driver Version: 09/27/2019,9.24.2.601
- inf:   Catalog File: tap0901.cat
- sto:   {Copy Driver Package: c:\program 
files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
- sto:Driver Package = c:\program 
files\tap-windows\driver\oemvista.inf
- sto:Flags  = 0x0007
[... skipping the copying of all the driver files, etc...]
- sto: {DRIVERSTORE IMPORT END} HH:MM:SS.sss
- dvi:  Flushed all driver package files to disk. 
Time = 16 ms
- sig:  Installed catalog 'tap0901.cat' as 
'oem128.cat'.
- sto: {DRIVERSTORE IMPORT END: exit(0x)} 
HH:MM:SS.sss
- sto:{Core Driver Package Import: exit(0x)} 
HH:MM:SS.sss
- sto:   {Stage Driver Package: exit(0x)} HH:MM:SS.sss
+ sto:   Driver package already imported as 'oem43.inf'.
  sto:  {Setup Import Driver Package - exit (0x)} HH:MM:SS.sss
  dvi:  Searching for hardware ID(s):
  dvi:   tap0901
  dvi:  Class GUID of device changed to: 
{4d36e972-e325-11ce-bfc1-08002be10318}.
  dvi:  {Plug and Play Service: Device Install for ROOT\NET\}
- dvi:   Driver INF Path: C:\windows\INF\oem128.inf
+ dvi:   Driver INF Path: C:\WINDOWS\INF\oem43.inf
  dvi:   Driver Node Name: 
oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901,
  dvi:   Driver Store Path: 
C:\windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf
  dvi:   Searching for hardware ID(s):
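
Review bot: the added "Driver package ... is already imported" and "already imported as 'oem43.inf'" lines show the failed run staged nothing from c:\program files\tap-windows\driver and bound the device to a Driver Store copy that existed before this install, which needs explaining on a machine reported as never having had OpenVPN installed. The span elided as "[... skipping the copying of all the driver files, etc...]" is the part that lists what the succeeding machine copied; keep it in the comparison and add the contents of the oemvista.inf_amd64_6d4bec28a2ef0cdf directory from the failed machine, since both sides report that same Driver Store Path.
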
@@ -141,7 +80,7 @@
  dvi:   Existing files modified, may need to 
restart related services.
  

Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-01 Thread Ralf Hildebrandt
* Nathan Stratton Treadway :

> We've just hit what I assume is the same problem at our site. 
> Interestingly we have two "twin" Windows 10 machines (same model
> purchased at the same time), but OpenVPN installed fine on one and had
> the problem on the other.
> 
> (Specifically on the failed machine the TAP-Windows Adapter V9 entry in
> the Device Manager has a Device Status of "Windows cannot verify the
> digital signature for the drivers required for this device. A recent
> hardware or software change might have installed a file that is signed
> incorrectly or damaged, or that might be malicious software from an
> unknown source. (Code 52)"..)

SAME HERE! I have screenshots for that.
 
> On both of these machines OpenVPN had never been installed before
> the recent installation.
> 
> I should be able to get the setupapi.dev.log  files from both of the
> machines if that would be helpful.

Definitely. I sent my copy to Samuli. I also have the setupapi.dev.log
after installation and after the installation of the alternative TAP32
driver. Maybe the diff can be helpful.

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-01 Thread Nathan Stratton Treadway
On Thu, Mar 26, 2020 at 17:11:27 +0200, Samuli Seppänen wrote:
> Il 26/03/20 15:47, Ralf Hildebrandt ha scritto:
> > As you might have heard this covid19 thingy is forcing (our) users to
> > work from home. 
> > 
> > We're using openvpn (in the meantime we deployed three openvpn servers
> > to handle the load and have optimised the scripts to lower the overall
> > latency upon execution), and recently we encountered massive problems with
> > openvpn 2.4.8 on Windows 10. The bundled TAP32 Adapter is having
> > issues (little yellow triangle with an exclamation mark in the device 
> > manager).
> 
> Can you send me (privately) C:\Windows\inf\setupapi.dev.log from one or
> some of the affected computers? Or just the part of it which describes
> the failed tap-windows6 installation (rather easy to find).

We've just hit what I assume is the same problem at our site. 
Interestingly we have two "twin" Windows 10 machines (same model
purchased at the same time), but OpenVPN installed fine on one and had
the problem on the other.

(Specifically on the failed machine the TAP-Windows Adapter V9 entry in
the Device Manager has a Device Status of "Windows cannot verify the
digital signature for the drivers required for this device. A recent
hardware or software change might have installed a file that is signed
incorrectly or damaged, or that might be malicious software from an
unknown source. (Code 52)"..)

On both of these machines OpenVPN had never been installed before
the recent installation.

I should be able to get the setupapi.dev.log  files from both of the
machines if that would be helpful.

Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-30 Thread Gert Doering
Hi,

On Mon, Mar 30, 2020 at 10:45:30AM +0300, Samuli Seppänen wrote:
> > Well, that seems to be what Ralf is saying "we install 2.4.7 and that
> > brings 9.23.3, so all is good" - doesn't 2.4.8 bring a newer version
> > of the tap driver, which has upgrade issues on some machines?
> 
> According to Git logs 2.4.8 has tap-windows-9.24.2 which does not have
> any widespread problems on Windows 10: if it did, we would have heard of
> it very soon after the release of 2.4.8.

9.24.2 is certainly good "in itself", but I seem to recall that 
*upgrading* from within NSIS installers was/is problematic in some
cases.

So this might explain why "if we install 2.4.7, things work" - but
yeah, without the log, hard to say for sure.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-30 Thread Samuli Seppänen
On 26/03/20 23:48, Gert Doering wrote:
> Hi,
> 
> On Thu, Mar 26, 2020 at 05:11:27PM +0200, Samuli Seppänen wrote:
>>> If this is a known issue -- could we get a recent version of openvpn with
>>> a TAP32 driver that actually works on Win10? Or can we simply
>>> recommend installing 2.4.7 instead (and hope the driver bundled is
>>> 9.23.3)?
>>
>> This is not a known problem. Or at least I've never heard of it.
>>
>> I checked logs of openvpn-build and they indicate that
>> tap-windows-9.23.3-I601 _is_ bundled with
>> openvpn-install-2.4.7-I607-Win10.exe.
> 
> Well, that seems to be what Ralf is saying "we install 2.4.7 and that
> brings 9.23.3, so all is good" - doesn't 2.4.8 bring a newer version
> of the tap driver, which has upgrade issues on some machines?
> 
> (I lost track of the details)
> 
> gert
> 

According to Git logs 2.4.8 has tap-windows-9.24.2 which does not have
any widespread problems on Windows 10: if it did, we would have heard of
it very soon after the release of 2.4.8.

I also don't think Ralf's issue is about the signature, as both 9.23.3
and 9.24.2 are attestation-signed, i.e. have Microsoft's own signature.

The changes done between 9.23.3 and 9.24.2 are these:

$ git shortlog 38d6cac...HEAD
Lev Stipakov (2):
  cosmetics: fix debug build
  constants.h: make driver not halt on suspend

Samuli Seppänen (8):
  Fix timestamping when appending signatures
  Document the need to use a statically linked devcon.exe
  Add support for version.m4 overrides
  Add build configuration for HLK builds
  Do not wipe --ti directory when using prebuilt devcon
  Complete removal of --oas option which breaks HLK builds
  Merge pull request #94 from rozmansi/pending/characteristics
  Bump version to 9.24.2.601

Simon Rozman (4):
  Enable code analysis on Release|x64 builds
  Remove NCF_HAS_UI flag from Characteristics
  Match PhysicalMediaType in INF and source code
  Declare adapter as virtual device rather than physical Ethernet NIC

Stephen Stair (2):
  Fix annotation problems noticed by code analysis.
  Fixing some more code analysis issues. * Updated IRQL modification
annotations * Expanded some 32bit additions to 64bit in statistics *
Corrected some edge cases tools were complaining about.

---

There are some which seem to have potential for causing problems (in
some scenarios/corner cases).

Without having a look at setupapi.dev.log it is impossible to tell what
is wrong. If the problem is present on a wide range of Windows machines
then a GPO or some other shared configuration to trigger this problem.

Samuli





Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-26 Thread Gert Doering
Hi,

On Thu, Mar 26, 2020 at 05:11:27PM +0200, Samuli Seppänen wrote:
> > If this is a known issue -- could we get a recent version of openvpn with
> > a TAP32 driver that actually works on Win10? Or can we simply
> > recommend installing 2.4.7 instead (and hope the driver bundled is
> > 9.23.3)?
> 
> This is not a known problem. Or at least I've never heard of it.
> 
> I checked logs of openvpn-build and they indicate that
> tap-windows-9.23.3-I601 _is_ bundled with
> openvpn-install-2.4.7-I607-Win10.exe.

Well, that seems to be what Ralf is saying "we install 2.4.7 and that
brings 9.23.3, so all is good" - doesn't 2.4.8 bring a newer version
of the tap driver, which has upgrade issues on some machines?

(I lost track of the details)

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-26 Thread Samuli Seppänen
Hi,

On 26/03/20 15:47, Ralf Hildebrandt wrote:
> As you might have heard this covid19 thingy is forcing (our) users to
> work from home. 
> 
> We're using openvpn (in the meantime we deployed three openvpn servers
> to handle the load and have optimised the scripts to lower the overall
> latency upon execution), and recently we encountered massive problems with
> openvpn 2.4.8 on Windows 10. The bundled TAP32 Adapter is having
> issues (little yellow triangle with an exclamation mark in the device 
> manager).

Can you send me (privately) C:\Windows\inf\setupapi.dev.log from one or
some of the affected computers? Or just the part of it which describes
the failed tap-windows6 installation (rather easy to find).

> The workaround is to install
> https://build.openvpn.net/downloads/releases/tap-windows-9.23.3-I601-Win10.exe
> and all is well. Yay!
> 
> If this is a known issue -- could we get a recent version of openvpn with
> a TAP32 driver that actually works on Win10? Or can we simply
> recommend installing 2.4.7 instead (and hope the driver bundled is
> 9.23.3)?

This is not a known problem. Or at least I've never heard of it.

I checked logs of openvpn-build and they indicate that
tap-windows-9.23.3-I601 _is_ bundled with
openvpn-install-2.4.7-I607-Win10.exe.

Samuli


> It doesn't seem to happen with all Win10 installations, though.
> 
> --
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
> 
> Campus Benjamin Franklin (CBF)
> Haus I | 1. OG | Raum 105
> Hindenburgdamm 30 | D-12203 Berlin
> 
> Tel. +49 30 450 570 155
> ralf.hildebra...@charite.de
> https://www.charite.de
> 
> 
> 





[Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-26 Thread Ralf Hildebrandt
As you might have heard this covid19 thingy is forcing (our) users to
work from home. 

We're using openvpn (in the meantime we deployed three openvpn servers
to handle the load and have optimised the scripts to lower the overall
latency upon execution), and recently we encountered massive problems with
openvpn 2.4.8 on Windows 10. The bundled TAP32 Adapter is having
issues (little yellow triangle with an exclamation mark in the device manager).

The workaround is to install
https://build.openvpn.net/downloads/releases/tap-windows-9.23.3-I601-Win10.exe
and all is well. Yay!

If this is a known issue -- could we get a recent version of openvpn with
a TAP32 driver that actually works on Win10? Or can we simply
recommend installing 2.4.7 instead (and hope the driver bundled is
9.23.3)?

It doesn't seem to happen with all Win10 installations, though.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de

