diff --git a/install-win32/buildinstaller b/install-win32/buildinstaller
index 83057bba..a17a0272 100644
--- a/install-win32/buildinstaller
+++ b/install-win32/buildinstaller
@@ -10,5 +10,5 @@ tail -20 makensis.log
 
 # sign the installer
 if [ -d "$SIGNTOOL" ]; then
-    TARGET_EXE="$(echo $(pwd)/$GENOUT/*.exe)" $SIGNTOOL/signexe
+    python $SIGNTOOL/signapp.py "$(echo $(pwd)/$GENOUT/*.exe)"
 fi
diff --git a/install-win32/getgui b/install-win32/getgui
index b53a8f7d..aa83e853 100644
--- a/install-win32/getgui
+++ b/install-win32/getgui
@@ -10,9 +10,6 @@ GUI="$OPENVPN_GUI_DIR/$OPENVPN_GUI"
 if [ -f "$GUI" ]; then
     mkdir -p $GENOUT/bin &>/dev/null    
     cp $GUI $GENOUT/bin
-    if [ -d "$SIGNTOOL" ]; then
-	TARGET_EXE="$GENOUT/bin/$OPENVPN_GUI" $SIGNTOOL/signexe
-    fi
 fi
 
 if [ -f "$GENOUT/bin/$OPENVPN_GUI" ]; then
diff --git a/install-win32/getxgui b/install-win32/getxgui
index d3a21b80..3a1e626f 100644
--- a/install-win32/getxgui
+++ b/install-win32/getxgui
@@ -19,12 +19,6 @@ if [ -d "$OPENVPN_XGUI_DIR" ]; then
 	done
     fi
 
-    for f in $SIGNED_EXES; do
-	if [ -d "$SIGNTOOL" ]; then
-	    TARGET_EXE="$GENOUT/bin/`basename $f`" $SIGNTOOL/signexe
-	fi
-    done
-
     rm -rf $GENOUT/htdocs
     cp -a $OPENVPN_XGUI_DIR/ajax/htdocs $GENOUT/htdocs
 
diff --git a/install-win32/maketap b/install-win32/maketap
index 0d333297..b9c40703 100644
--- a/install-win32/maketap
+++ b/install-win32/maketap
@@ -1,101 +1,17 @@
 #!/bin/sh
 
-# Build the x86 and x64 versions of the TAP driver
-# Requires the Windows DDK
+# Get the x86 and x64 versions of the TAP driver
 
 # get version.nsi definitions
 . autodefs/defs.sh
 
-if [ -n "$DDKVER" ] && [ -d "/c/WINDDK/$DDKVER" ] ; then
-
-# common declarations for all DDK build targets
-. install-win32/ddk-common
-
-# configure tap driver sources
-MACRO="perl install-win32/macro.pl autodefs/defs.in"
-IFDEF="perl install-win32/ifdef.pl"
-rm -rf tap-win32/amd64
-mkdir tap-win32/amd64
-$MACRO <tap-win32/SOURCES.in >tap-win32/SOURCES
-$MACRO <tap-win32/i386/OemWin2k.inf.in | $IFDEF >tap-win32/i386/OemWin2k.inf
-$MACRO <tap-win32/i386/OemWin2k.inf.in | $IFDEF -DAMD64 >tap-win32/amd64/OemWin2k.inf
-
-if [ -n "$PRODUCT_TAP_DEBUG" ] ; then
-    w2ktarget="w2k c"
-    amdtarget="chk $x64_tag WNET"
-else
-    w2ktarget="w2k f"
-    amdtarget="fre $x64_tag WNET"
-fi
-
-if [ -z "$DRVBINSRC" ] ; then
-    if [ -n "$TAP_BIN_AMD64" ]; then
-	amdtarget=""
-    fi
-
-    cd tap-win32
-    t=`pwd`
-    cd ..
-
-    for mode in "$w2ktarget" "$amdtarget"; do
-	echo '**********' build TAP $mode
-	cmd //c "C:\\WINDDK\\$DDKVER\\bin\\setenv.bat C:\\WINDDK\\$DDKVER $mode && cd `perl install-win32/dosname.pl $t` && build -cef"
-	mv tap-win32/tapdrvr.cod "tap-win32/tapdrvr-$(echo $mode | tr ' ' '-').cod"
+if [ -d "$TAPBINSRC" ]; then
+    mkdir -p $GENOUT/driver/i386 &>/dev/null
+    mkdir -p $GENOUT/driver/amd64 &>/dev/null
+    for arch in i386 amd64; do
+	s=$TAPBINSRC/$arch
+	cp $s/*.sys $s/*.cat $s/*.inf $GENOUT/driver/$arch
     done
-
-    title openvpn-build &>/dev/null
-
-    if [ -n "$TAP_BIN_AMD64" ]; then
-	mkdir -p $t/amd64
-	cp "$TAP_BIN_AMD64" $t/amd64
-    fi
-
-    # copy driver files into tap-win32/dist
-    cd tap-win32
-    rm -rf dist
-    mkdir dist
-    cd dist
-    mkdir i386
-    mkdir amd64
-    cd i386
-    x86=`pwd`
-    cd ../amd64
-    x64=`pwd`
-    cd ../..
-    cp i386/OemWin2k.inf $x86
-    cp i386/*.sys $x86
-    cp amd64/OemWin2k.inf $x64
-    cp amd64/*.sys $x64
-    out="TAP driver catalog file is undefined";
-    echo "$out" >$x86/$PRODUCT_TAP_ID.cat
-    echo "$out" >$x64/$PRODUCT_TAP_ID.cat
-    cd ..
-fi
-
-# $DRVBINSRC, if defined, points to prebuilt TAP driver and
-# tapinstall.exe.
-mkdir $GENOUT &>/dev/null
-rm -rf $GENOUT/driver
-if [ -z "$DRVBINSRC" ] ; then
-    # Get TAP drivers
-    cp -a tap-win32/dist $GENOUT/driver
-
-    # Sign TAP drivers
-    if [ -d "$SIGNTOOL" ]; then
-	$SIGNTOOL/signtap
-    fi
 else
-    cp -a $DRVBINSRC/driver $GENOUT/driver
-fi
-
-# $DRVBINDEST, if defined, points to a destination directory
-# where TAP driver and tapinstall.exe will be saved, to be used
-# as a $DRVBINSRC in future builds.
-if [ -n "$DRVBINDEST" ] ; then
-    mkdir $DRVBINDEST &>/dev/null
-    cp -a $GENOUT/driver $DRVBINDEST
-fi
-
-else
-    echo Not building TAP driver -- DDK version $DDKVER NOT FOUND
+    echo Cannot find pre-built tap drivers
 fi
diff --git a/install-win32/maketapinstall b/install-win32/maketapinstall
index eae44712..9fe0470a 100644
--- a/install-win32/maketapinstall
+++ b/install-win32/maketapinstall
@@ -1,77 +1,15 @@
 #!/bin/sh
 
-# Build the x86 and x64 versions of the tapinstall tool
-# Requires the Windows DDK.
-# TISRC should be set to directory containing
-# tapinstall source code.
+# Get the x86 and x64 versions of the tapinstall tool
 
 # get version.nsi definitions
 . autodefs/defs.sh
 
-if [ -n "$DDKVER" ] && [ -d "/c/WINDDK/$DDKVER" ] ; then
-
-if ! [ -d "$TISRC" ] ; then
-    echo "$TISRC" NOT INSTALLED
-    exit 1
-fi
-
-# common declarations for all DDK build targets
-. install-win32/ddk-common
-
-amdtarget=""
-if [ -z "$TI_BIN_AMD64" ]; then
-    amdtarget="fre $x64_tag WNET"
-fi
-
-if [ -z "$DRVBINSRC" ] ; then
-    rm -rf tapinstall
-    cp -a "$TISRC" tapinstall
-
-    if [ -e tapinstall/sources.in ]; then
-	perl install-win32/ifdef.pl autodefs/defs.in <tapinstall/sources.in >tapinstall/sources
-    fi
-
-    cd tapinstall
-    t=`pwd`
-    cd ..
-
-    for mode in "w2k f" "$amdtarget"; do
-	if [ -n "$mode" ]; then
-	    echo '**********' build TAPINSTALL $mode
-	    cmd //c "C:\\WINDDK\\$DDKVER\\bin\\setenv.bat C:\\WINDDK\\$DDKVER $mode && cd `perl install-win32/dosname.pl $t` && build -cef"
-	fi
-    done
-fi
-
-if [ -n "$TI_BIN_AMD64" ]; then
-    mkdir -p $t/objfre_wnet_amd64/amd64
-    cp "$TI_BIN_AMD64" $t/objfre_wnet_amd64/amd64
-fi
-
-# $DRVBINSRC, if defined, points to prebuilt TAP driver and
-# tapinstall.exe.
-if [ -z "$DRVBINSRC" ] ; then
-    # Get tapinstall
+if [ -d "$TAPBINSRC" ]; then
     mkdir -p $GENOUT/tapinstall/i386 &>/dev/null
     mkdir -p $GENOUT/tapinstall/amd64 &>/dev/null
-    cp tapinstall/objfre_w2k_x86/i386/tapinstall.exe $GENOUT/tapinstall/i386
-    cp tapinstall/objfre_wnet_amd64/amd64/tapinstall.exe $GENOUT/tapinstall/amd64
+    cp $TAPBINSRC/i386/tapinstall.exe $GENOUT/tapinstall/i386
+    cp $TAPBINSRC/amd64/tapinstall.exe $GENOUT/tapinstall/amd64
 else
-    mkdir $GENOUT &>/dev/null
-    cp -a $DRVBINSRC/tapinstall $GENOUT/tapinstall
-fi
-
-# $DRVBINDEST, if defined, points to a destination directory
-# where TAP driver and tapinstall.exe will be saved, to be used
-# as a $DRVBINSRC in future builds.
-if [ -n "$DRVBINDEST" ] ; then
-    mkdir $DRVBINDEST &>/dev/null
-    cp -a $GENOUT/driver $DRVBINDEST
-    cp -a $GENOUT/tapinstall $DRVBINDEST
-fi
-
-title openvpn-build &>/dev/null
-
-else
-    echo Not building tapinstall -- DDK version $DDKVER NOT BUILT
+    echo Cannot find pre-built tapinstall
 fi
diff --git a/install-win32/settings.in b/install-win32/settings.in
index 21ea0a7e..4a0a564e 100644
--- a/install-win32/settings.in
+++ b/install-win32/settings.in
@@ -27,42 +27,19 @@
 !define PKCS11_HELPER_DIR "../pkcs11-helper"
 ;!define DMALLOC_DIR	  "../dmalloc-5.4.2"
 
+# Prebuilt TAP drivers and tapinstall
+!define TAPBINSRC "../tap_dist"
+
+# Directory containing python script for signing .exe files
+!define SIGNTOOL        "../signtool"
+
 # Optional directory of prebuilt OpenVPN binary components,
 # to be used as a source when build-from-scratch prerequisites
 # are not met.
 ;!define GENOUT_PREBUILT  "../gen-prebuilt"
 
-# tapinstall.exe source code.
-# Not needed if DRVBINSRC is defined
-# (or if using pre-built mode).
-!define TISRC	"../tapinstall/5600"
-
-# TAP Adapter parameters.  Note that PRODUCT_TAP_ID is
-# defined in version.m4.
-!define PRODUCT_TAP_DEVICE_DESCRIPTION  "TAP-Win32 Adapter V9"
-!define PRODUCT_TAP_PROVIDER            "TAP-Win32 Provider V9"
-!define PRODUCT_TAP_MAJOR_VER           9
-!define PRODUCT_TAP_MINOR_VER           7
-!define PRODUCT_TAP_RELDATE             "04/19/2010"
-
-# TAP adapter icon -- visible=0x81 or hidden=0x89
-!define PRODUCT_TAP_CHARACTERISTICS     0x81
-
-# Build debugging version of TAP driver
-;!define PRODUCT_TAP_DEBUG
-
-# DDK Version.
-# DDK distribution is assumed to be in C:\WINDDK\${DDKVER}
-!define DDKVER	     6001.18002
-!define DDKVER_MAJOR 6001
-
-# Code Signing.
-# If undefined, don't sign any files.
-!define SIGNTOOL        "../signtool.old"
-!define PRODUCT_SIGN_CN "openvpn"
-
 # -j parameter passed to make
-!define MAKE_JOBS 2
+!define MAKE_JOBS 1
 
 # output directory for built binaries
 # and other generated files
diff --git a/version.m4 b/version.m4
index 06d526fd..f37e1c2e 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
 dnl define the OpenVPN version
-define(PRODUCT_VERSION,[2.1.2])
+define(PRODUCT_VERSION,[2.1.3])
 dnl define the TAP version
 define(PRODUCT_TAP_ID,[tap0901])
 define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])
diff --git a/win/build_ddk.py b/win/build_ddk.py
index ca68e81d..1a0cf82e 100644
--- a/win/build_ddk.py
+++ b/win/build_ddk.py
@@ -2,9 +2,13 @@ import os
 from wb import system, home_fn, choose_arch
 
 def build_ddk(config, dir, x64):
-    setenv_bat = os.path.realpath(os.path.join(config['DDK_PATH'], 'bin/setenv.bat'))
+    ddk_path = config['DDK_PATH']
     ddk_major = int(config['DDKVER_MAJOR'])
     debug = 'PRODUCT_TAP_DEBUG' in config
+    return build_tap(ddk_path, ddk_major, debug, dir, x64)
+
+def build_tap(ddk_path, ddk_major, debug, dir, x64):
+    setenv_bat = os.path.realpath(os.path.join(ddk_path, 'bin/setenv.bat'))
     target = 'chk' if debug else 'fre'
     if x64:
         target += ' x64'
@@ -23,7 +27,7 @@ def build_ddk(config, dir, x64):
 
     system('cmd /c "%s %s %s && cd %s && build -cef"' % (
            setenv_bat,
-           os.path.realpath(config['DDK_PATH']),
+           os.path.realpath(ddk_path),
            target,
            dir
            ))
diff --git a/win/settings.in b/win/settings.in
index 0e1bb1cb..f8eeb204 100644
--- a/win/settings.in
+++ b/win/settings.in
@@ -47,6 +47,9 @@
 !define DDK_PATH "c:/winddk/7600.16385.1"
 ;!define DDK_PATH "c:/winddk/6001.18002"
 
+# output path for tap_span.py
+!define TAP_DIST "tap_dist"
+
 # Visual studio path
 !define MSVC "C:/Program Files/Microsoft Visual Studio 9.0"
 
diff --git a/win/tap_span.py b/win/tap_span.py
new file mode 100644
index 00000000..9cd127ba
--- /dev/null
+++ b/win/tap_span.py
@@ -0,0 +1,129 @@
+import sys, os, shutil
+from wb import config, home_fn, mod_fn, preprocess, autogen, dict_def, build_autodefs, rm_rf, mkdir_silent, cp
+if 'SIGNTOOL' in config:
+    sys.path.append(home_fn(config['SIGNTOOL']))
+from signtool import SignTool
+from build_ddk import build_tap
+
+ti_dir = "c:/src/tapinstall"
+hi = ("c:/winddk/7600.16385.1", 7600, 7600, ("i386", "amd64"))
+low = ("c:/winddk/6001.18002", 6001, 5600, ("win2k",))
+dest_top = home_fn('tap_build')
+dist = home_fn(config['TAP_DIST'])
+
+def copy_tap(src, dest, x64):
+    dir = os.path.join(src, { False : 'i386', True: 'amd64' }[x64])
+    mkdir_silent(dest)
+    for dirpath, dirnames, filenames in os.walk(dir):
+        for f in filenames:
+            root, ext = os.path.splitext(f)
+            if ext in ('.inf', '.cat', '.sys'):
+                cp(os.path.join(dir, f), dest)
+        break
+
+def copy_tapinstall(src, dest, x64):
+    base = { False : 'i386', True: 'amd64' }[x64]
+    mkdir_silent(dest)
+    for dirpath, dirnames, filenames in os.walk(home_fn(src)):
+        for f in filenames:
+            if f == 'tapinstall.exe':
+                dir_name = os.path.basename(dirpath)
+                s = os.path.join(dirpath, f)
+                if dir_name == base:
+                    cp(s, dest)
+
+def main():
+    rm_rf(dest_top)
+    os.mkdir(dest_top)
+
+    rm_rf(dist)
+    os.mkdir(dist)
+
+    for ver in hi, low:
+        top = os.path.join(dest_top, str(ver[1]))
+        os.mkdir(top)
+        tap_dest = os.path.join(top, "tap-win32")
+        ti_dest = os.path.join(top, "tapinstall")
+        ti_src = os.path.join(ti_dir, str(ver[2]))
+        shutil.copytree(home_fn("tap-win32"), tap_dest)
+        shutil.copytree(ti_src, ti_dest)
+
+        i386 = os.path.join(tap_dest, "i386")
+        amd64 = os.path.join(tap_dest, "amd64")
+
+        build_amd64 = (len(ver[3]) >= 2)
+
+        build_autodefs(config, mod_fn('autodefs.h.in'), os.path.join(top, 'autodefs.h'))
+
+        st = SignTool(config, tap_dest)
+
+        preprocess(config,
+                   in_fn=os.path.join(tap_dest, 'SOURCES.in'),
+                   out_fn=os.path.join(tap_dest, 'SOURCES'),
+                   quote_begin='@@',
+                   quote_end='@@',
+                   head_comment='# %s\n\n' % autogen)
+
+        preprocess(config,
+                   in_fn=os.path.join(i386, 'OemWin2k.inf.in'),
+                   out_fn=os.path.join(i386, 'OemWin2k.inf'),
+                   quote_begin='@@',
+                   quote_end='@@',
+                   if_prefix='!',
+                   head_comment='; %s\n\n' % autogen)
+
+        preprocess(config,
+                   in_fn=os.path.join(ti_dest, 'sources.in'),
+                   out_fn=os.path.join(ti_dest, 'sources'),
+                   if_prefix='!',
+                   head_comment='# %s\n\n' % autogen)
+
+        build_tap(ddk_path=ver[0],
+                  ddk_major=ver[1],
+                  debug=False,
+                  dir=tap_dest,
+                  x64=False)
+
+        st.sign_verify(x64=False)
+
+        build_tap(ddk_path=ver[0],
+                  ddk_major=ver[1],
+                  debug=False,
+                  dir=ti_dest,
+                  x64=False)
+
+        tap_dist = os.path.join(dist, ver[3][0])
+
+        copy_tap(tap_dest, tap_dist, x64=False)
+        copy_tapinstall(ti_dest, tap_dist, x64=False)
+
+        if build_amd64:
+            os.mkdir(amd64)
+            preprocess(dict_def(config, [('AMD64', '1')]),
+                       in_fn=os.path.join(i386, 'OemWin2k.inf.in'),
+                       out_fn=os.path.join(amd64, 'OemWin2k.inf'),
+                       quote_begin='@@',
+                       quote_end='@@',
+                       if_prefix='!',
+                       head_comment='; %s\n\n' % autogen)
+
+            build_tap(ddk_path=ver[0],
+                      ddk_major=ver[1],
+                      debug=False,
+                      dir=tap_dest,
+                      x64=True)
+
+            build_tap(ddk_path=ver[0],
+                      ddk_major=ver[1],
+                      debug=False,
+                      dir=ti_dest,
+                      x64=True)
+
+            st.sign_verify(x64=True)
+
+            tap_dist_x64 = os.path.join(dist, ver[3][1])
+
+            copy_tap(tap_dest, tap_dist_x64, x64=True)
+            copy_tapinstall(ti_dest, tap_dist_x64, x64=True)
+
+main()
diff --git a/win/wb.py b/win/wb.py
index 7c2c8b9f..8e236840 100644
--- a/win/wb.py
+++ b/win/wb.py
@@ -1,7 +1,7 @@
 # Python module containing general build functions
 # for OpenVPN on Windows
 
-import os, re, shutil
+import os, re, shutil, stat
 
 autogen = "Automatically generated by OpenVPN Windows build system"
 
@@ -182,4 +182,34 @@ def cp(src, dest, dest_is_dir=True):
     print "COPY %s %s" % (src, dest)
     shutil.copyfile(src, dest)
 
+def rm_rf(path):
+    try:
+        shutil.rmtree(path, onerror=onerror)
+    except:
+        pass
+
+def onerror(func, path, exc_info):
+    """
+    Error handler for ``shutil.rmtree``.
+
+    If the error is due to an access error (read only file)
+    it attempts to add write permission and then retries.
+
+    If the error is for another reason it re-raises the error.
+
+    Usage : ``shutil.rmtree(path, onerror=onerror)``
+    """
+    if not os.access(path, os.W_OK):
+        # Is the error an access error ?
+        os.chmod(path, stat.S_IWUSR)
+        func(path)
+    else:
+        raise
+
+def mkdir_silent(dir):
+    try:
+        os.mkdir(dir)
+    except:
+        pass
+
 config = get_config()