Building ======== If you want to build the tun/tap drivers, make sure you have Apple's Developer Tools installed. Then from the top of the tun/tap source tree issue # make This will build the driver kexts and place them as tap.kext and tun.kext in the top tun/tap directory. Installing ========== Note that OS X will refuse to load kernel extensions if they are not owned by root. So you can install the two kexts directly in /Library/Extensions: # sudo make install Note that this also installs launchd jobs to automatically load the kexts at boot. No need to reboot now though, the kexts can be loaded using kextload: # kextload /Library/Extensions/tap.kext/ kextload: /Library/Extensions/tap.kext/ loaded successfully # kextload /Library/Extensions/tun.kext/ kextload: /Library/Extensions/tun.kext/ loaded successfully Note that this will only work if your system allows running kernel extensions that lack a digital signature. See below for more. I have also included the files used to build the installer packages in the directory pkg. They can be made by # make pkg Code signing ============ Beginning with 10.10, Apple requires all kernel extensions to carry a valid digital signature from a certified developer. This means your locally built kernel extensions will only work if (1) you disable kext signature checks for your system or (2) you acquire a developer certificate with kernel extension signing powers and sign your extensions. #1 has obvious security implications and is not recommended, but may be acceptable temporarily for testing changes. If you do have a suitable certificate, here is how you can get the build scripts generate signatures: 1) Export your private signing key and corresponding certificate to a PKCS#12 file that replaces the identity.p12 file in the tuntap source directory. 2) Run # make keysetup This will prompt you for your passphrase, decrypt the identity.p12 file and import its contents into a temporary keychain. The keychain is configured to use a randomly-generated password and to lock after 60 seconds. This means your keys are now available without further password prompts for the next 60 seconds. 3) (Re-)Build the kernel extensions as usual: # make clean all If this fails saying "User interaction is not allowed.", the timeout to lock the temporary keychain created in step #2 has fired already. Re-run step #2 and retry. If you want to switch back to building unsigned kernel extensions, just remove the .signing_identity and .installer_identity files. 4) Note that the installer package created by the pkg target will also be signed if a suitable signing key is available in the identity.p12 file. This is all I have to say at the moment, feel free send mail for any bug reports, problems and suggestions you have at .