appium-ios-tuntap 0.3.0 → 0.4.0

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## [0.4.0](https://github.com/appium/appium-ios-tuntap/compare/v0.3.0...v0.4.0) (2026-05-30)
+
+### Features
+
+* implement Windows (WinTun) JavaScript platform layer ([#44](https://github.com/appium/appium-ios-tuntap/issues/44)) ([da2a9bb](https://github.com/appium/appium-ios-tuntap/commit/da2a9bba1d7226f67ce0f00c533df72164aac858))
+
 ## [0.3.0](https://github.com/appium/appium-ios-tuntap/compare/v0.2.5...v0.3.0) (2026-05-22)
 
 ### Features

package/README.md

@@ -1,6 +1,6 @@
 # TunTap Bridge
 
-A native TUN/TAP interface module for Node.js that works on both macOS and Linux, with enhanced error handling, signal management, and thread safety.
+A native TUN/TAP interface module for Node.js that works on macOS, Linux, and Windows, with enhanced error handling, signal management, and thread safety.
 
 ## Description
 
@@ -8,7 +8,7 @@ This module provides a Node.js interface to TUN/TAP virtual network devices, all
 
 ## Features
 
-- **Cross-platform**: Works on macOS (utun) and Linux (TUN/TAP)
+- **Cross-platform**: Works on macOS (utun), Linux (TUN/TAP), and Windows (WinTun)
 - **TypeScript support**: Full TypeScript definitions included
 - **Signal handling**: Graceful shutdown on SIGINT/SIGTERM
 - **Thread safety**: Safe to use from multiple Node.js worker threads
@@ -88,6 +88,14 @@ On Linux, the module requires:
    sudo pacman -S linux-headers
    ```
 
+### Windows
+
+On Windows the module uses [WinTun](https://www.wintun.net/) (the same userspace TUN driver shipped with WireGuard). Requirements:
+
+1. **`wintun.dll`**: ships with the package. The official signed binaries for `amd64`, `arm64`, `x86`, and `arm` are bundled under `vendor/wintun/bin/<arch>/wintun.dll`; the addon discovers the right one automatically based on its own compile-time architecture. No download or copy step is required.
+2. **Administrator privileges**: required to create the kernel adapter and configure addresses/routes via `netsh`. Launch your shell with **Run as administrator**.
+3. **Build toolchain (only if compiling from source)**: Visual Studio Build Tools 2022 with the C++ workload, the Windows 10 SDK, and Python 3.x on `PATH`.
+
 ## Usage
 
 ### Basic Usage
@@ -207,7 +215,7 @@ socket.connect(port, host, async () => {
 
 #### Properties
 - `name: string` - The device name (e.g., 'utun0', 'tun0')
-- `fd: number` - The file descriptor of the device
+- `fd: number` - The native file descriptor on POSIX (macOS/Linux). Returns `-1` on Windows; Wintun does not expose a numeric file descriptor.
 
 ### Error Types
 
@@ -294,3 +302,12 @@ This ensures the signal handler works as intended.
 ## License
 
 Apache-2.0
+
+### Third-party software
+
+This package redistributes the official signed **WinTun** DLLs (version 0.14.1) from [wintun.net](https://www.wintun.net/) under the bundled-binary license shipped by the WinTun project. The unmodified binaries and the upstream license live under [vendor/wintun/](vendor/wintun/):
+
+- `vendor/wintun/bin/{amd64,arm64,x86,arm}/wintun.dll`
+- `vendor/wintun/LICENSE.txt` &mdash; the upstream WinTun license; required when redistributing the DLL
+
+Maintainers can refresh the bundled binaries with `npm run refresh:wintun` after bumping `WINTUN_VERSION` in [scripts/fetch-wintun.mjs](scripts/fetch-wintun.mjs).

package/binding.gyp

@@ -51,7 +51,7 @@
         "VCCLCompilerTool": {
           "ExceptionHandling": 1,
           "AdditionalOptions": [
-            "/std:c++17",
+            "/std:c++20",
             "/O2"
           ]
         }

package/lib/platform/create-platform.js

@@ -1,6 +1,7 @@
 import { DarwinTunTapPlatform } from './darwin.js';
 import { LinuxTunTapPlatform } from './linux.js';
 import { UnsupportedTunTapPlatform } from './unsupported.js';
+import { WindowsTunTapPlatform } from './windows.js';
 /** @internal Built-in {@link TunTapPlatform} for a Node `process.platform` value. */
 export function createTunTapPlatform(platform) {
     switch (platform) {
@@ -8,6 +9,8 @@ export function createTunTapPlatform(platform) {
             return new DarwinTunTapPlatform();
         case 'linux':
             return new LinuxTunTapPlatform();
+        case 'win32':
+            return new WindowsTunTapPlatform();
         default:
             return new UnsupportedTunTapPlatform(platform);
     }

package/lib/platform/require-admin.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Throws {@link TunTapPermissionError} unless the current process is an
+ * elevated (Administrator) Windows process. Mirrors `assertEffectiveRoot`
+ * from {@link ./require-root.ts} for POSIX.
+ */
+export declare function assertAdminOnWindows(): Promise<void>;
+/**
+ * Returns true when the current process is running with Administrator
+ * privileges on Windows. Implementation runs `net session` (which always
+ * exists, regardless of locale) and inspects the exit code.
+ *
+ * The result is memoized for the lifetime of the process; admin status cannot
+ * change between calls without restarting the shell.
+ */
+export declare const isAdministrator: (() => Promise<boolean>) & {
+    cache: Map<unknown, Promise<boolean>>;
+};

package/lib/platform/require-admin.js

@@ -0,0 +1,32 @@
+import { util } from '@appium/support';
+import { TunTapPermissionError } from '../errors.js';
+import { execFileAsync } from './exec.js';
+/**
+ * Throws {@link TunTapPermissionError} unless the current process is an
+ * elevated (Administrator) Windows process. Mirrors `assertEffectiveRoot`
+ * from {@link ./require-root.ts} for POSIX.
+ */
+export async function assertAdminOnWindows() {
+    if (await isAdministrator()) {
+        return;
+    }
+    throw new TunTapPermissionError('TUN interface configuration and routing require Administrator privileges on Windows. ' +
+        'Re-launch the shell with "Run as administrator".');
+}
+/**
+ * Returns true when the current process is running with Administrator
+ * privileges on Windows. Implementation runs `net session` (which always
+ * exists, regardless of locale) and inspects the exit code.
+ *
+ * The result is memoized for the lifetime of the process; admin status cannot
+ * change between calls without restarting the shell.
+ */
+export const isAdministrator = util.memoize(async function isAdministratorUncached() {
+    try {
+        await execFileAsync('net', ['session'], { windowsHide: true });
+        return true;
+    }
+    catch {
+        return false;
+    }
+});

package/lib/platform/windows.d.ts

@@ -0,0 +1,13 @@
+import type { TunTapInterfaceStats, TunTapPlatform } from './types.js';
+/** Windows implementation backed by `netsh` for configuration/routing and
+ *  PowerShell `Get-NetAdapterStatistics` for byte counters. */
+export declare class WindowsTunTapPlatform implements TunTapPlatform {
+    /** @inheritdoc */
+    configure(interfaceName: string, address: string, mtu: number): Promise<void>;
+    /** @inheritdoc */
+    addRoute(interfaceName: string, destination: string): Promise<void>;
+    /** @inheritdoc */
+    removeRoute(interfaceName: string, destination: string): Promise<void>;
+    /** @inheritdoc */
+    getStats(interfaceName: string): Promise<TunTapInterfaceStats>;
+}

package/lib/platform/windows.js

@@ -0,0 +1,195 @@
+import { TunTapError } from '../errors.js';
+import { log } from '../logger.js';
+import { assertAdminOnWindows } from './require-admin.js';
+import { execFileAsync } from './exec.js';
+/** Tightly-restricted character set for adapter names passed into PowerShell. */
+const SAFE_NAME_RE = /^[A-Za-z0-9_\- ]+$/;
+/** Phrases that indicate `netsh` could not find the requested route/address. */
+const MISSING_TARGET_HINTS = [
+    'element not found',
+    'cannot find',
+    'no matching',
+    'does not exist',
+    'not found',
+];
+/** Windows implementation backed by `netsh` for configuration/routing and
+ *  PowerShell `Get-NetAdapterStatistics` for byte counters. */
+export class WindowsTunTapPlatform {
+    /** @inheritdoc */
+    async configure(interfaceName, address, mtu) {
+        await assertAdminOnWindows();
+        assertSafeAdapterName(interfaceName);
+        log.debug(`[win] configure: interface=${interfaceName} address=${address} mtu=${mtu}`);
+        await addIpv6Address(interfaceName, address);
+        await setIpv6Mtu(interfaceName, mtu);
+    }
+    /** @inheritdoc */
+    async addRoute(interfaceName, destination) {
+        await assertAdminOnWindows();
+        assertSafeAdapterName(interfaceName);
+        log.debug(`[win] addRoute: interface=${interfaceName} destination=${destination}`);
+        await addIpv6Route(interfaceName, destination);
+        // WinTun presents as an Ethernet adapter, so Windows requires Neighbor
+        // Discovery (NDP) before it will send packets through the interface.
+        // For /128 host routes we seed a static neighbor entry so NDP is bypassed
+        // and the first connection attempt is not silently dropped.
+        if (destination.endsWith('/128')) {
+            const address = destination.slice(0, -4);
+            await addStaticNeighbor(interfaceName, address);
+        }
+    }
+    /** @inheritdoc */
+    async removeRoute(interfaceName, destination) {
+        await assertAdminOnWindows();
+        assertSafeAdapterName(interfaceName);
+        await deleteIpv6Route(interfaceName, destination);
+    }
+    /** @inheritdoc */
+    async getStats(interfaceName) {
+        assertSafeAdapterName(interfaceName);
+        const script = `Get-NetAdapterStatistics -Name '${interfaceName}' ` +
+            '| Select-Object ReceivedBytes,SentBytes,ReceivedUnicastPackets,' +
+            'SentUnicastPackets,ReceivedDiscardedPackets,OutboundDiscardedPackets ' +
+            '| ConvertTo-Json -Compress';
+        const { stdout } = await execFileAsync('powershell', [
+            '-NoProfile',
+            '-NonInteractive',
+            '-ExecutionPolicy',
+            'Bypass',
+            '-Command',
+            script,
+        ]);
+        let parsed;
+        try {
+            parsed = JSON.parse(stdout);
+        }
+        catch {
+            throw new TunTapError(`Failed to parse Get-NetAdapterStatistics output: ${stdout.trim()}`);
+        }
+        const num = (key) => {
+            const value = parsed[key];
+            const n = typeof value === 'number' ? value : parseInt(String(value ?? ''), 10);
+            return Number.isFinite(n) ? n : 0;
+        };
+        return {
+            rxBytes: num('ReceivedBytes'),
+            rxPackets: num('ReceivedUnicastPackets'),
+            rxErrors: num('ReceivedDiscardedPackets'),
+            txBytes: num('SentBytes'),
+            txPackets: num('SentUnicastPackets'),
+            txErrors: num('OutboundDiscardedPackets'),
+        };
+    }
+}
+/** Validates an adapter name before embedding in a PowerShell expression. */
+function assertSafeAdapterName(interfaceName) {
+    if (!SAFE_NAME_RE.test(interfaceName)) {
+        throw new TunTapError(`Refusing to use adapter name with unsupported characters: ${JSON.stringify(interfaceName)}`);
+    }
+}
+function isMissingTargetError(err) {
+    const message = String(err?.message ?? '').toLowerCase();
+    return MISSING_TARGET_HINTS.some((hint) => message.includes(hint));
+}
+async function addIpv6Address(interfaceName, address) {
+    try {
+        const r = await execFileAsync('netsh', [
+            'interface',
+            'ipv6',
+            'add',
+            'address',
+            `interface=${interfaceName}`,
+            `address=${address}/64`,
+            'store=active',
+        ]);
+        log.debug(`[win] add address ok: ${r.stdout.trim() || '(no output)'}`);
+    }
+    catch (err) {
+        const message = err.message ?? '';
+        log.warn(`[win] add address err: ${message}`);
+        if (!/already exists|object already/i.test(message)) {
+            throw err;
+        }
+        log.warn(`Address ${address} may already be configured on ${interfaceName}`);
+    }
+}
+async function setIpv6Mtu(interfaceName, mtu) {
+    try {
+        const r = await execFileAsync('netsh', [
+            'interface',
+            'ipv6',
+            'set',
+            'subinterface',
+            interfaceName,
+            `mtu=${mtu}`,
+            'store=active',
+        ]);
+        log.debug(`[win] set mtu ok: ${r.stdout.trim() || '(no output)'}`);
+    }
+    catch (err) {
+        log.warn(`[win] set mtu err: ${err.message ?? err}`);
+        throw err;
+    }
+}
+async function addIpv6Route(interfaceName, destination) {
+    try {
+        const r = await execFileAsync('netsh', [
+            'interface',
+            'ipv6',
+            'add',
+            'route',
+            destination,
+            interfaceName,
+            'store=active',
+        ]);
+        log.debug(`[win] add route ok: ${r.stdout.trim() || '(no output)'}`);
+    }
+    catch (err) {
+        const message = err.message ?? '';
+        log.warn(`[win] add route err: ${message}`);
+        if (/already exists|object already/i.test(message)) {
+            log.debug(`Route to ${destination} already exists`);
+            return;
+        }
+        throw err;
+    }
+}
+async function deleteIpv6Route(interfaceName, destination) {
+    try {
+        await execFileAsync('netsh', [
+            'interface',
+            'ipv6',
+            'delete',
+            'route',
+            destination,
+            interfaceName,
+            'store=active',
+        ]);
+    }
+    catch (err) {
+        if (isMissingTargetError(err)) {
+            return;
+        }
+        throw err;
+    }
+}
+async function addStaticNeighbor(interfaceName, address) {
+    log.debug(`[win] addStaticNeighbor: interface=${interfaceName} address=${address}`);
+    try {
+        const r = await execFileAsync('netsh', [
+            'interface',
+            'ipv6',
+            'add',
+            'neighbor',
+            interfaceName,
+            address,
+            '00-00-00-00-00-01',
+            'store=active',
+        ]);
+        log.debug(`[win] add neighbor ok: ${r.stdout.trim() || '(no output)'}`);
+    }
+    catch (err) {
+        const msg = err.message ?? String(err);
+        log.warn(`[win] add neighbor err: ${msg}`);
+    }
+}

package/lib/tunnel.d.ts

@@ -1,6 +1,6 @@
 import { TunTap } from './TunTap.js';
 import { EventEmitter } from 'node:events';
-import { Socket } from 'node:net';
+import type { Socket } from 'node:net';
 import { Buffer } from 'node:buffer';
 export interface PacketData {
     protocol: 'TCP' | 'UDP';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "appium-ios-tuntap",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "Native TUN/TAP interface module for Node.js",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
@@ -15,16 +15,19 @@
     "format": "prettier -w ./src ./test",
     "format:check": "prettier --check ./src ./test",
     "install": "node-gyp-build",
+    "refresh:wintun": "node scripts/fetch-wintun.mjs",
     "prepare": "npm run build",
     "test": "npm run test:integration && npm run test:unit",
-    "test:unit": "mocha 'test/unit/**/*.spec.mjs' --exit --timeout 2m",
-    "test:integration": "mocha 'test/integration/**/*.spec.mjs' --exit --timeout 2m"
+    "test:unit": "mocha \"test/unit/**/*.spec.mjs\" --exit --timeout 2m",
+    "test:integration": "mocha \"test/integration/**/*.spec.mjs\" --exit --timeout 2m"
   },
   "files": [
     "src/tuntap.cc",
     "src/native",
     "lib",
     "prebuilds",
+    "scripts",
+    "vendor",
     "binding.gyp",
     "package.json",
     "README.md",
@@ -56,6 +59,7 @@
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/git": "^10.0.1",
     "@types/node": "^25.0.1",
+    "commander": "^14.0.3",
     "conventional-changelog-conventionalcommits": "^9.0.0",
     "mocha": "^11.7.5",
     "prebuildify": "^6.0.1",

package/scripts/fetch-wintun.mjs

@@ -0,0 +1,70 @@
+// Maintainer-only helper that refreshes the bundled WinTun binaries committed
+// under vendor/wintun/. The npm `install` hook does NOT invoke this script —
+// the package ships with the official signed DLLs already checked in. Run
+// `npm run refresh:wintun -- --version <semver>` to pull a different release.
+
+import {fs, logger, net, tempDir, zip} from '@appium/support';
+import {Command} from 'commander';
+import {join, dirname} from 'node:path';
+import {fileURLToPath} from 'node:url';
+
+const log = logger.getLogger('refresh-wintun');
+
+const DEFAULT_WINTUN_VERSION = '0.14.1';
+const BUNDLED_ARCHES = ['amd64', 'arm64', 'x86', 'arm'];
+
+const rootDir = join(dirname(fileURLToPath(import.meta.url)), '..');
+const vendorDir = join(rootDir, 'vendor', 'wintun');
+
+async function deployDll(arch, extractDir) {
+  const destDir = join(vendorDir, 'bin', arch);
+  await fs.mkdir(destDir, {recursive: true});
+  const src = join(extractDir, 'wintun', 'bin', arch, 'wintun.dll');
+  const dest = join(destDir, 'wintun.dll');
+  await fs.copyFile(src, dest);
+  log.info(`wintun.dll (${arch}) -> ${dest}`);
+}
+
+async function deployLicense(extractDir) {
+  const src = join(extractDir, 'wintun', 'LICENSE.txt');
+  const dest = join(vendorDir, 'LICENSE.txt');
+  await fs.copyFile(src, dest);
+  log.info(`LICENSE.txt -> ${dest}`);
+}
+
+async function refreshWintun(version) {
+  const url = `https://www.wintun.net/builds/wintun-${version}.zip`;
+  const tmpDir = await tempDir.openDir();
+  try {
+    const zipPath = join(tmpDir, 'wintun.zip');
+    const extractDir = join(tmpDir, 'out');
+    await fs.mkdir(extractDir, {recursive: true});
+
+    log.info(`Downloading WinTun ${version}...`);
+    await net.downloadFile(url, zipPath);
+    await zip.extractAllTo(zipPath, extractDir);
+
+    await fs.mkdir(vendorDir, {recursive: true});
+    await Promise.all([
+      ...BUNDLED_ARCHES.map((arch) => deployDll(arch, extractDir)),
+      deployLicense(extractDir),
+    ]);
+  } finally {
+    await fs.rimraf(tmpDir);
+  }
+}
+
+const program = new Command();
+program
+  .name('refresh-wintun')
+  .description('Refresh the bundled WinTun binaries under vendor/wintun/')
+  .option(
+    '-v, --version <semver>',
+    'WinTun release version to download',
+    DEFAULT_WINTUN_VERSION,
+  )
+  .action(async (options) => {
+    await refreshWintun(options.version);
+  });
+
+await program.parseAsync(process.argv);

package/src/native/wintun_loader.cc

@@ -8,6 +8,22 @@ namespace {
 
 constexpr LPCWSTR kWintunDllName = L"wintun.dll";
 
+// Compile-time arch slug used to find the bundled DLL under
+// vendor/wintun/bin/<arch>/wintun.dll. The .node addon is built per-arch, so
+// the arch of the host process is the same as the arch of this translation
+// unit.
+#if defined(_M_X64) || defined(__x86_64__)
+constexpr LPCWSTR kVendoredArch = L"amd64";
+#elif defined(_M_ARM64) || defined(__aarch64__)
+constexpr LPCWSTR kVendoredArch = L"arm64";
+#elif defined(_M_IX86) || defined(__i386__)
+constexpr LPCWSTR kVendoredArch = L"x86";
+#elif defined(_M_ARM) || defined(__arm__)
+constexpr LPCWSTR kVendoredArch = L"arm";
+#else
+constexpr LPCWSTR kVendoredArch = L"amd64";
+#endif
+
 // Returns the directory that contains the addon module that this code is
 // linked into. Used to locate `wintun.dll` shipped next to `tuntap.node`.
 std::wstring GetAddonDirectory() {
@@ -75,6 +91,16 @@ bool WintunApi::Load(std::string& error) {
     if (TryLoadFrom(local.c_str())) {
       return ResolveEntryPoints(error);
     }
+
+    // Bundled fallback: the package ships the official signed DLL under
+    // vendor/wintun/bin/<arch>/wintun.dll. Both build/Release and
+    // prebuilds/<plat>-<arch> are two directories below the package root,
+    // so the same relative path works in either install layout.
+    std::wstring vendored = addon_dir + L"\\..\\..\\vendor\\wintun\\bin\\" +
+                            kVendoredArch + L"\\" + kWintunDllName;
+    if (TryLoadFrom(vendored.c_str())) {
+      return ResolveEntryPoints(error);
+    }
   }
 
   // Fall back to the OS-default search list (Application dir, System32, …)

package/vendor/wintun/LICENSE.txt

@@ -0,0 +1,84 @@
+Prebuilt Binaries License
+-------------------------
+
+1. DEFINITIONS. "Software" means the precise contents of the "wintun.dll"
+   files that are included in the .zip file that contains this document as
+   downloaded from wintun.net/builds.
+
+2. LICENSE GRANT. WireGuard LLC grants to you a non-exclusive and
+   non-transferable right to use Software for lawful purposes under certain
+   obligations and limited rights as set forth in this agreement.
+
+3. RESTRICTIONS. Software is owned and copyrighted by WireGuard LLC. It is
+   licensed, not sold. Title to Software and all associated intellectual
+   property rights are retained by WireGuard. You must not:
+   a. reverse engineer, decompile, disassemble, extract from, or otherwise
+      modify the Software;
+   b. modify or create derivative work based upon Software in whole or in
+      parts, except insofar as only the API interfaces of the "wintun.h" file
+      distributed alongside the Software (the "Permitted API") are used;
+   c. remove any proprietary notices, labels, or copyrights from the Software;
+   d. resell, redistribute, lease, rent, transfer, sublicense, or otherwise
+      transfer rights of the Software without the prior written consent of
+      WireGuard LLC, except insofar as the Software is distributed alongside
+      other software that uses the Software only via the Permitted API;
+   e. use the name of WireGuard LLC, the WireGuard project, the Wintun
+      project, or the names of its contributors to endorse or promote products
+      derived from the Software without specific prior written consent.
+
+4. LIMITED WARRANTY. THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF
+   ANY KIND. WIREGUARD LLC HEREBY EXCLUDES AND DISCLAIMS ALL IMPLIED OR
+   STATUTORY WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS
+   FOR A PARTICULAR PURPOSE, QUALITY, NON-INFRINGEMENT, TITLE, RESULTS,
+   EFFORTS, OR QUIET ENJOYMENT. THERE IS NO WARRANTY THAT THE PRODUCT WILL BE
+   ERROR-FREE OR WILL FUNCTION WITHOUT INTERRUPTION. YOU ASSUME THE ENTIRE
+   RISK FOR THE RESULTS OBTAINED USING THE PRODUCT. TO THE EXTENT THAT
+   WIREGUARD LLC MAY NOT DISCLAIM ANY WARRANTY AS A MATTER OF APPLICABLE LAW,
+   THE SCOPE AND DURATION OF SUCH WARRANTY WILL BE THE MINIMUM PERMITTED UNDER
+   SUCH LAW. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
+   WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR
+   A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE
+   EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
+
+5. LIMITATION OF LIABILITY. To the extent not prohibited by law, in no event
+   WireGuard LLC or any third-party-developer will be liable for any lost
+   revenue, profit or data or for special, indirect, consequential, incidental
+   or punitive damages, however caused regardless of the theory of liability,
+   arising out of or related to the use of or inability to use Software, even
+   if WireGuard LLC has been advised of the possibility of such damages.
+   Solely you are responsible for determining the appropriateness of using
+   Software and accept full responsibility for all risks associated with its
+   exercise of rights under this agreement, including but not limited to the
+   risks and costs of program errors, compliance with applicable laws, damage
+   to or loss of data, programs or equipment, and unavailability or
+   interruption of operations. The foregoing limitations will apply even if
+   the above stated warranty fails of its essential purpose. You acknowledge,
+   that it is in the nature of software that software is complex and not
+   completely free of errors. In no event shall WireGuard LLC or any
+   third-party-developer be liable to you under any theory for any damages
+   suffered by you or any user of Software or for any special, incidental,
+   indirect, consequential or similar damages (including without limitation
+   damages for loss of business profits, business interruption, loss of
+   business information or any other pecuniary loss) arising out of the use or
+   inability to use Software, even if WireGuard LLC has been advised of the
+   possibility of such damages and regardless of the legal or quitable theory
+   (contract, tort, or otherwise) upon which the claim is based.
+
+6. TERMINATION. This agreement is affected until terminated. You may
+   terminate this agreement at any time. This agreement will terminate
+   immediately without notice from WireGuard LLC if you fail to comply with
+   the terms and conditions of this agreement. Upon termination, you must
+   delete Software and all copies of Software and cease all forms of
+   distribution of Software.
+
+7. SEVERABILITY. If any provision of this agreement is held to be
+   unenforceable, this agreement will remain in effect with the provision
+   omitted, unless omission would frustrate the intent of the parties, in
+   which case this agreement will immediately terminate.
+
+8. RESERVATION OF RIGHTS. All rights not expressly granted in this agreement
+   are reserved by WireGuard LLC. For example, WireGuard LLC reserves the
+   right at any time to cease development of Software, to alter distribution
+   details, features, specifications, capabilities, functions, licensing
+   terms, release dates, APIs, ABIs, general availability, or other
+   characteristics of the Software.

package/vendor/wintun/README.md

@@ -0,0 +1,37 @@
+# WinTun (vendored)
+
+This directory contains the unmodified, official signed [WinTun](https://www.wintun.net/) binaries that this package loads at runtime on Windows.
+
+- **Upstream:** https://www.wintun.net/
+- **Version:** 0.14.1
+- **Source archive:** https://www.wintun.net/builds/wintun-0.14.1.zip
+- **License:** see [`LICENSE.txt`](./LICENSE.txt). The DLLs are redistributed under the upstream prebuilt-binary license, which permits bundling unmodified copies alongside software that uses the official `wintun.h` API.
+
+## Layout
+
+```
+vendor/wintun/
+  LICENSE.txt              # Upstream license — MUST ship with the DLLs
+  bin/amd64/wintun.dll     # x64 (Intel/AMD)
+  bin/arm64/wintun.dll     # ARM64
+  bin/x86/wintun.dll       # 32-bit Intel/AMD
+  bin/arm/wintun.dll       # 32-bit ARM
+```
+
+The package's CI prebuild matrix only produces `win32-x64` and `win32-arm64` artifacts, so most users only ever load the `amd64` or `arm64` DLL. The 32-bit binaries are bundled for completeness so anyone compiling the native addon from source on `_M_IX86` / `_M_ARM` finds a matching DLL via the addon's compile-time arch lookup.
+
+The native addon (`src/native/wintun_loader.cc`) discovers the DLL through this layout, so no install-time copy step is required.
+
+## Refreshing the binaries
+
+Maintainers can pull the latest official release with:
+
+```sh
+npm run refresh:wintun
+```
+
+This invokes [`scripts/fetch-wintun.mjs`](../../scripts/fetch-wintun.mjs), which downloads the ZIP from `wintun.net`, extracts the per-architecture DLLs and `LICENSE.txt` into this directory, and overwrites the existing files. Bump `WINTUN_VERSION` in that script before running.
+
+## Do not modify
+
+The DLLs MUST be redistributed unmodified. Do not recompile, repackage, or rename them. If you need to update WinTun, run the refresh script against a new upstream release rather than hand-editing files in this directory.