As usual, I wanted instead something tiny and dumb that we can reason about, which does things in a "right" and "boring" way for a narrower use case: layer 3 TUN.

Have we succeeded in accomplishing our goals? Certainly not yet. At the present moment [folks reading this in the future: check the date of this email], I'd except for Wintun to be slower, buggier, and lower quality than anything else out there. But we thought it'd be a good idea to release sooner rather than later in order to have some more eyeballs on it. It's the kind of codebase that _certainly_ needs some cleanup and a thorough security audit. On the plus side, cloc(1) tells me that it's only 950 lines. Still, NT programming is hard, and I'm pretty certain we've made mistakes and left ugly corners. Consider this email a statement of intent rather than an announcement of a completed project.

The classes in this namespace enable you to create, edit, and manage Virtual Private Network (VPN) connections, and to write plugins for controlling a VPN connection using the Windows VPN Platform.

To use the classes in this namespace, you must declare the networkingVpnProvider restricted capability.

If your app declares any restricted capabilities, you must provide info during the app submission process in order to be approved to publish the app to the Microsoft Store. You provide this info on the Submission options page of your submission, explaining how your app uses each restricted capability that it declares.

PD works by allowing a PD client to explicitly manage networking traffic from a network adapter (NIC). PD gives the PD client control of the high performance send and receive functionality of the NIC through the PacketDirect client interface (PDCI). Internally, the PDCI send/receive functions are mapped directly to the PDPI. PD send/receive functions operate on PD queues created by the PD client on PD-capable NICs. PD provides the PD clients with the ability to set custom filters for very specific types of traffic or very generic traffic, based on the needs of the PD client. This allows the PD client to direct certain incoming packets to its PD queues. Packet processing in the PD model always takes place in an execution context that’s owned (or controlled/coordinated) by the PD client. The PD-capable NIC driver is completely passive, meaning it does not actively forward incoming packets or completion indications for sent packets to the PD client in a driver-owned execution context such as a DPC or worker-thread.

If a PD client does not understand how to process a packet or receives a control packet in one of its queues, such as an ARP, LLDP, or other protocol packets, the PD client can reroute the packet back to the current I/O path for processing. This allows PD to continue to process the packets that it has context for and not waste cycles on control traffic.

Important There can be one PD provider and one PD client per net adapter. Therefore, there can be multiple PD clients and PD providers on a single system.

The PD client has control over the resources that are allocated to PD in the system. In cases of high network traffic, the PD client is responsible for minimizing its workload so that the OS can be responsive to other workloads.

The PacketDirect platform implemented by Windows maps the client interface to the provider interface. The platform controls buffer management and ability to re-inject packets received via PD to the current NDIS receive path. It also handles the interaction with PD clients for satisfying the NDIS control path requirements such as NIC disabling, going into low-power, system shutdown, and surprise removal in a fashion that does NOT hamper the PD data path performance.