Microsoft Windows does not natively support Generic Routing Encapsulation (GRE) or IP-in-IP (IPIP) tunnels. However, with the assistance of a userland client (available to all X4B clients) these features can be emulated, and it is therefore possible to fully encapsulate (preserve the backend IP of) services running on the Microsoft Windows platform.

This software, which is provided through the Dashboard of your X4B account (from the service page, Action > Setup), will automatically configure a GRE or IP-in-IP (IPIP) tunnel.


  • Windows Firewall must be enabled on the server. Ensure all your services are whitelisted in your firewall.
  • Tested on Windows Server 2010, Windows 8.1 & Windows Server 2012 R2 (Requires Windows 7/Server 2010 or later)
  • Requires an Ethernet (802.1) Internet Connection
  • The tunnel software supports multiple tunnels in a single instance. Running multiple instances of the tunnel software is not supported.


Step 1

Download and install WinPcap from the WinPcap Downloads page. WinPcap is a driver for capturing packets from the network card before the operating system's network stack processes them.

Step 2

Automatically Start WinPCAP Driver

While installing WinPcap you will be asked if you would like the driver to start on boot. Please ensure that you configure the driver to start on boot automatically.

Step 3

Download and install OpenVPN's TUN/TAP Driver. If you have already installed OpenVPN you should already have the driver installed.

Only the TUN/TAP driver needs to be installed; OpenVPN itself is not required. We recommend installing the latest version of the driver (latest tested: 9.21.0).

Step 4

Components to Install

When installing the TUN/TAP driver select to install the supplied utilities when asked. The screen may look like the above, note that both the Adapter (driver) and TAP Utilities are selected.

Step 5

Install Tun/Tap Driver

If asked during setup, you must agree to trust the driver developed by OpenVPN. OpenVPN is the developer of the TUN/TAP driver being installed.

Step 6

If you have not installed it already, we recommend installing the Microsoft Visual Studio 2013 Runtime.

Step 7

Restart your server to load / activate the WinPCAP and OpenVPN drivers.

This is an important step. Please do not skip it. Skipping it usually results in "adapter not found" or "not supported" issues.

Step 8

Tunnel Setup

From your X4B services Tunnels page, find your tunnel and navigate to Action > Setup. From here you can download the customized tunnel application to your Windows server.

Step 9

Run this application as Administrator. On Windows 7 or greater this can be done via Right Click > Run as Administrator if you are not logged in as the Administrator user.

You may also wish to add this executable to your startup to run on boot.

Conclusion & Testing

Windows IPIP Tunnel

Your tunnel should now be online. You should now be able to ping the EncapsulatedRemote address:

Windows GRE Tunnel Ping

Running the Web Server / Game Server / Service

Ensure that your game server, web server or service is correctly bound to the 10.x.x.x interface on your PC. The IP address for your backend tunnel can be found in the Tunnel Information page.


As with tunnels running on Linux or BSD, ensure your game server or service is bound to the tunnel IP address (running on 10.x.x.x). This will ensure all communication is made through the protected IP, and received through the protected IP.

We also recommend adding an ICMPv4 allow all rule in "Windows Firewall with Advanced Security" to allow us to ping your backend. This will look something like:

ICMP Allow
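One way to check the binding and firewall requirements above from an elevated PowerShell prompt. This is an added example, not part of the X4B software or the original guide; the tunnel address 10.0.0.2, the service ports and the rule name are placeholders, and the cmdlets used require Windows 8 / Server 2012 or later.

```powershell
# Added example (not X4B code): post-setup audit for a WinTunnel backend.
# Needs an elevated prompt and the NetTCPIP/NetSecurity modules (Windows 8 / Server 2012+).
param(
    [string]$TunnelIp = '10.0.0.2',       # placeholder: backend tunnel IP from Tunnel Information
    [int[]]$ServicePorts = @(80, 27015)   # placeholder: ports your services listen on
)

# 1. The tunnel address must exist on an adapter, otherwise nothing can bind to it.
if (-not (Get-NetIPAddress -AddressFamily IPv4 -IPAddress $TunnelIp -ErrorAction SilentlyContinue)) {
    Write-Warning "$TunnelIp is not assigned to any interface; is the tunnel application running?"
}

# 2. The guide requires Windows Firewall to be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    Write-Warning "Windows Firewall profile '$($_.Name)' is not enabled."
}

# 3. Collect TCP listeners and UDP endpoints on the service ports.
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue
$sockets = @($tcp | Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort) +
           @($udp | Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort) |
           Where-Object { $ServicePorts -contains $_.LocalPort }

# 4. Flag every socket that is not bound to the tunnel address.
$report = foreach ($s in $sockets) {
    $status = 'CHECK: bound to a non-tunnel address'
    if ($s.LocalAddress -eq $TunnelIp) { $status = 'OK: tunnel address' }
    if ($s.LocalAddress -in '0.0.0.0', '::') { $status = 'CHECK: all interfaces, not only the tunnel' }
    [pscustomobject]@{ Proto = $s.Proto; Address = $s.LocalAddress; Port = $s.LocalPort; Status = $status }
}
$report | Sort-Object Port, Proto | Format-Table -AutoSize
$ServicePorts | Where-Object { $_ -notin $sockets.LocalPort } | ForEach-Object {
    Write-Warning "Nothing is listening on port $_."
}

# 5. ICMPv4 allow rule from the guide; the display name is a constructed label.
$rule = 'X4B tunnel: allow ICMPv4'
if (-not (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $rule -Direction Inbound -Protocol ICMPv4 -Action Allow | Out-Null
}
```

Any row marked CHECK is a service that is not bound exclusively to the tunnel IP, so reconfigure its listen address and run the audit again.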


If you are behind NAT, or the Local address provided in our interface is not found on the server, X4B WinTunnel will ask you to provide an interface and the application will bind to the main IP of that interface. It is your responsibility to ensure that GRE/IP-in-IP traffic sent to the publicly routable address provided in the interface is delivered to your backend.

We cannot provide you with much assistance with these setups, as each router / NAT device is different. You may, however, be able to set your backend server as the DMZ host, and this may forward the IP traffic to your backend server.