How can I modify/redirect packets in Windows with rewritten OpenVPN tun/tap dirver [closed]

Question

Closed. This question needs to be more focused. It is not currently accepting answers.

---

Want to improve this question? Update the question so it focuses on one problem only by editing this post.

Closed 3 years ago.

Improve this question

I want to make an transparent chain-proxy using a redirect server and chain proxy client written in Qt for Windows. I've tried ndis+tdi but it's too complicated for me. I've started to break through the openVPN code. So the task is to start dummy tap device even if there no need in OpenVPN connection and redirect packets to some addr:port on wich my redirect server will be bound. Maybe it is better to implement new plugin functions ??...

Answer 1

You can use OpenVPN's TUN/TAP driver ("TAP-Win32") as-is to implement a network device backed by software. I'm not sure what you mean by "rewritten OpenVPN tun/tap driver"; you don't need to modify any existing code - just write your own program which opens TAP-Win32 and reads and writes frames/packets. You don't need any other part of OpenVPN, just TAP-Win32.

However, if you use the TUN/TAP driver, you will have to deal with individual frames/packets. If you will be redirecting just TCP (i.e. you'll redirect connections not packets), it may be useful to have your redirection program only provide a local SOCKS server. With SOCKS you get to work with connections and not packets. If a given network program supports SOCKS, you can simply tell it to use your SOCKS server.

On the other hand, if you want to be able to redirect for all applications, not just those which understand SOCKS (or you don't want to configure each application for SOCKS), you can use a program which will allow you to forward raw TCP connections (on packet level) through your SOCKS server. See my program tun2socks.

Once you have a program operating a TAP-Win32 device, update the routing table to get packets routed into it. You probably want to make it the default route, overriding any previous default routes. But be aware that the routing table applies to the redirection program itself too, so you need to add specific routes for hosts that the redirection program connects to, or they will end up going back into the TAP device. The tun2socks page expains how to do that when using SSH forwarding.

Update: tun2socks deals only with the TUN device and simply forwards all incoming connections. It doesn't decide what you want to forward. Even if it had some policies (like port numbers), it couldn't do anything useful with that info. For example, if it responds with a reject packet, the connection will simply fail - and the OS will not look for an alternative route. (it could forward connections to different SOCKS servers - but I think that would be of no use in your case)

The feature you seem to need is called "policy routing", and it needs to be offered by your operating system. Unfortunately, it appears that Windows does not provide policy routing. If you really need it, you may want to use Linux instead, which provides many more network-related features than Windows (policy routing being one).

Alternatively, instead of using tun2socks, some userspace socksification tool may work for you. These are programs that hook network-related system calls when launching a specific application, in order to make the connections go, for example, through SOCKS. If such an application supports routing rules, it may fit your needs.

An example of such a tool for Windows is ProxyCap (commercial software), which claims support for "flexible routing rules".