wiki:BuildingOnWindows

Context Navigation

Version 85 (modified by Samuli Seppänen, 13 years ago) (diff)
--

Introduction

The traditional way to build OpenVPN for Windows is using autotools, either in a MinGW environment or by cross-compiling the Windows binary on *NIX. This works, but does not allow signing the TUN/TAP driver, which is required for Windows Vista/7 and later. Due to this a new, relatively simple Python-based build system was written. This new build system allows building OpenVPN on Windows more easily, but some parts of the build may require a commercial version of the Visual Studio development environment. Fortunately the new build system only uses Visual Studio tools (nmake, compiler, linker, etc.), so learning VS's graphical user interface is not necessary. Full integration with Visual Studio should be possible, too.

Installing prequisites

Visual Studio 2008 Professional

Visual Studio 2008 Professional is used to build OpenVPN on Windows. Note that the free Express edition might not work. Also make sure you select "Typical installation", not "Full installation". Full installation installs x86 cross-tools which may cause nasty, hard to debug issues. See Troubleshooting section for details.

Windows Software Development Kit

Windows Software Development Kit (Wikipedia page) may be necessary to build OpenVPN (verify this).

Windows Driver Kit

Windows Driver Kit (Wikipedia page) is required to build the TUN/TAP driver.

Python

The new Windows build system is written in Python. The Windows installer does not seem to add the python.exe to the PATH, so you need to do it [manually.

WinRAR

WinRAR or some other tool capable of extracting .tar.gz and .tar.bz2 archives is necessary to extract the LZO and OpenSSL release archives.

ActivePerl

ActivePerl is required to build OpenSSL, which in turn is required to build OpenVPN. Look here for details. Probably a standard Perl installation would also do the trick.

Installing Git support (optional)

Git support is needed if you want to conveniently build the latest development code. You don't need Git support if you fetch the sources from another computer and copy them over, or use source code from release tar.gz or zip files.

Git for Windows

Git for Windows or msysgit is required to work with Git repositories on Windows.

GitExtensions

GitExtensions makes working with Git easier on Windows. It includes Visual Studio 2008 plugin, Windows explorer support and a GUI to configure and use Git repositories. It also includes Git Bash, which allows running Git (and other GNU tools) from Bash command-line.

KDiff3

KDiff3 is used in handling merge conflicts. It's required by GitExtensions.

Git Source Control Provider (optional)

Git Source Control Provider is a Visual Studio 2008/2010 plugin. It can also be used to launch Git for Windows and GitExtensions from within Visual Studio.

Building pkcs11-helper

Download latest release of pkcs11-helper from http://www.opensc-project.org and extract it somewhere. The install process for Visual Studio is described in the INSTALL file.

To build pkcs11-helper, do the following:

Go to pkcs11-helper-<version>/lib
Copy <openssl-install-directory>/lib/libeay32.lib to that directory - this is required by the linker
Run nmake -f Makefile.w32-vc OPENSSL=1 OPENSSL_HOME=<path-to-openssl-sources>

In theory this should do it. If you need to rebuild, clean up first with

$ nmake -f Makefile.w32-vc clean

and then repeat the above steps. Unless you're using 1.08 or later, you probably get this error message during build:

pkcs11h-threading.c(477) : error C2036: 'void *' : unknown size

If so, edit that file as suggested here. After this build should succeed, as long as libeay32.lib is present in the build directory.

OpenVPN is only interested is lib/libpkcs11-helper-1.dll and uses it when generating the NSI installer.

Building OpenSSL

First download OpenSSL from here and extract it somewhere. Using the latest one ensures there are no (known) security holes in OpenSSL. For the most part you can then follow the instructions in INSTALL.W32 and INSTALL.W64 files. Before you start, though, launch the Visual Studio 2008 Command Prompt, which can be found from the Start menu. Unlike the standard command prompt it has all the paths to VC binaries set correctly.

From within this command prompt you'll first configure OpenSSL using the provided Perl script:

C:\openssl-1.0.0> perl Configure VC-WIN32 --prefix=c:/<openssl-install-directory>

Some of the crypto routines are written in assembler to increase performance, so you need to/should use an assembler in the next step. If you're building OpenSSL 0.9.8x you can choose between Microsoft Macro Assembler and NASM assembler. On OpenSSL-1.0.0 you need to use NASM as MASM is not supported anymore. Note that you need to add nasm.exe to the PATH. There are good generic instructions here.

If you're using MASM, run

C:\openssl-1.0.0> ms\do_masm

If you're using NASM, run

C:\openssl-1.0.0> ms\do_nasm

Next compile OpenSSL using the generated makefile:

C:\openssl-1.0.0> nmake -f ms\ntdll.mak
C:\openssl-1.0.0> nmake -f ms\ntdll.mak test
C:\openssl-1.0.0> nmake -f ms\ntdll.mak install

Building LZO

The LZO library is required to build OpenVPN. Once you've unpacked the source package, open the B/00README.txt file to get an overview of the Windows build process. If all goes well, you'll only need to run one .bat file:

C:\lzo-2.0.4> B\win32\vc_dll.bat

Note that this does not install lzo; in fact, you need to copy the relevant files to openvpn's build directory manually as shown below.

OpenVPN build

Setting up dependencies

The new Python-based build system we're using in this article has gone through significant changes during late 2010 and early 2011. You're strongly encouraged to fetch latest Git development code using Git for Windows (Git shell) or GitExtensions (GUI). Check these instructions to see which Git URI to use. Alternatively get OpenVPN 2.2-RC2 or later, where most of the buildsystem changes have been implemented.

OpenVPN has several build and runtime dependencies that need to be placed into a strict directory hierarchy along with OpenVPN sources:

<openvpn-build-root>: root build directory, e.g. C:\openvpn-build
- <openvpn-sources>: a directory containing openvpn sources (from tarball/zip/git)
- tapinstall
  - 7600: copy of devcon.exe build directory. Can be found from C:\WINDDK\7600.16385.1\src\setup\devcon or similar, depending on the version of WINDDK. Note that in OpenVPN world devcon.exe is (confusingly) also known as tapinstall.exe. This is not necessary if you use prebuilt TAP-drivers.
- pkcs11-helper: copy of pkcs11-helper build directory
  - lib: must also contain libpkcs11-helper-1.dll and libpkcs11-helper-1.dll.manifest files produced by pkcs11-helper build
- openssl: copy of the openssl install directory
- lzo
  - include: a copy of the include directory in the lzo build directory
  - bin: must also contain the lzo2.dll and lzo2.dll.manifest files generated by lzo build
  - lib: must also contain the lzo2.lib file generated by lzo build
- Microsoft.VC90.CRT: a copy of C:\Program Files\MicrosofT Visual Studio 9.0\VC\redist\x86\Microsoft.VC90.CRT directory; the exact path may vary. Note that using the wrong version will cause issues on 32-bit or 64-bit Windows versions.
- tap-prebuilt: this directory contain prebuilt, signed TAP-drivers and tapinstall.exe from an OpenVPN installer This is only needed if you don't build the TAP-drivers yourself.
  - i386: should contain 32-bit versions of TAP-driver and tapinstall.exe
  - amd64: should contain 64-bit versions of the above
- signtool: this directory should contain signtool.exe, which can be found from the Microsoft SDK directory (e.g. C:\Program

Files\Microsoft SDKs\Windows\V6.0A\bin). However, it's Python wrapper (Sign class) is only available internally at OpenVPN Technologies, so you can skip this dependency.

Setting build parameters

After setting up the directories, you should check if OpenVPN's build configuration files need modifications:

<openvpn-sources>\win\settings.in: build configuration for Python-based builds. Most build configuration - if any - is done in this file.
<openvpn-sources>\win\config.h.in: static header file, functionally the same as config.h generated by autotools; not usually modified.
<openvpn-sources\version.m4: contains TAP-driver version information. Normally there's no need to modify this.

Building OpenVPN

Next fire up a Visual Studio 2008 Command Prompt and go to <openvpn-sources>\win directory. You should now build OpenVPN + the TAP driver using

C:\openvpn-build\openvpn-testing\win> python build_all.py --unsigned

This builds openvpn.exe, openvpnserv.exe and the TAP driver and copies the results to <openvpn-sources>\dist. The --unsigned switch disables TAP driver signing, which would not work anyways because the Sign Python module is only available internally at OpenVPN Technologies. In case you want to test new TAP-driver versions on Windows Vista/7 64-bit you need to self-sign them and jump through several hoops. If you intend to use signed TAP drivers from an existing OpenVPN installer, you can signed TAP drivers from an existing installer and skip building the TAP driver altogether:

C:\openvpn-build\openvpn-testing\win> python build_all.py --unsigned --notap

To clean up before or after the build, issue

C:\openvpn-build\openvpn-testing\win> python build.py clean

To see all available build options, use

C:\openvpn-build\openvpn-testing\win> python build_all.py --help

Extracting signed TAP-drivers from an OpenVPN installer

If you need to run OpenVPN on Windows Vista/7 64-bit you have to use signed TAP drivers. Unless you sign them yourself, you need to do two extra steps:

Extract the TAP-drivers (*.cat, *.sys, *.inf) and tapinstall.exe from an official OpenVPN installer using 7-zip. There are separate versions for 32-bit and 64-bit versions of Windows: 64-bit versions are larger.
Place 32-bit signed TAP drivers and corresponding tapinstall.exe to <openvpn-build-root>\tap-prebuilt\i386
Place 64-bit versions to <openvpn-build-root>\tap-prebuilt\amd64

Packaging OpenVPN

Once OpenVPN build is finished, you may want to make an installer executable. OpenVPN installers are packaged using NSIS, which you can download from here. The buildsystem, or more correctly <openvpn-sources>\win\make_dist.py - puts most of what the NSI script (<openvpn-sources>\win\openvpn.nsi) needs to <openvpn-sources>\dist. The NSI script still (as of 2.2-RC2) pulls some files from directories other that dist, but that will be fixed later.

OpenVPN installer is driven by the <openvpn-sources>\win\openvpn.nsi NSI script, which has to be loaded with the MakeNSIS application to generate an installer. If the <openvpn-sources>\dist directory has been properly set up, you should not encounter any errors. However, if MakeNSIS complains about missing files, make sure the <openvpn-sources>\dist directory contains all of the packaging dependencies:

amd64
- OemWin2k.inf
- tap0901.cat
- tap0901.sys
- tapinstall.exe
bin
- Microsoft.VC90.CRT
  - msvcr90.dll
  - Microsoft.VC90.CRT.manifest
- libeay32.dll
- libpkcs11-helper-1.dll
- lzo2.dll
- openssl.exe
- openvpn-gui-1.0.3.exe
- openvpn.exe
- openvpnserv.exe
- ssleay32.dll
i386
- OemWin2k.inf
- tap0901.cat
- tap0901.sys
- tapinstall.exe
samples
- client.ovpn
- sample.ovpn
- server.ovpn

Integrating Git with Visual Studio (optional)

If you wish to use Windows for OpenVPN development integrating Git with Visual Studio (2008) may make sense.

Using unverified TAP-drivers on 64-bit Windows

The 64-bit versions of Windows Vista/7 (and later) only allow installing drivers with certificates that have Microsoft as CA. Or, in other words, drivers verified by Microsoft. Installation of unsigned nor unauthorized device drivers is not allowed by default. This is very problematic when testing the TAP-driver, as signing it after every small change makes no sense. Fortunately there are two ways to work around this:

Self-sign the TAP-driver and configure Windows to accept self-signed (unauthorized) drivers.
Switch on Test mode during boot. This allows loading unsigned drivers.

To get a good idea how this all works, read these two documents:

Method 1: Self-signing the TAP-drivers

IMPORTANT: so far (18th March 2011) I have not managed to make Windows 7 64-bit accept self-signed certificates created on WinXP 32-bit. Until this is fixed, please use method 2 to test 64-bit TAP-drivers.

Creating a test certificate on build computer

Creating a test certificate (and it's keystore) is easy if Visual Studio is is installed. Open the Visual Studio command-line and issue

Makecert -r -pe -ss teststore -n “CN=OpenVPN project test labs” teststore.cer

For details on the syntax see Makecert.exe reference; for higher-level details look here.

Installing the test certificate to build and target computers

Both build and target computers need to have the test certificate in their keystores. The build computer needs it for signing the driver catalog with signtool.exe. The target computer, on the other hand, needs to have the certificate installed or it won't trust the driver and won't allow loading it to the kernel.

In both cases the certificate is imported using certmgr.exe:

certmgr.exe -add teststore.cer -s -r localMachine root
certmgr.exe -add teststore.cer -s -r localMachine trustedpublisher

You can also launch certmgr.exe without parameters and use the certificate import wizard. Although usage of certmgr.exe is straightforward, it is included (only?) in the massive Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1 package, which you need to install.

Creating the catalog file using makecat

There are two ways to create the catalog file that contains hashes of the TAP-driver files. It is this catalog file that is signed and verified by Windows kernel. The first option is to create a catalog definition file (.cdf) with a text editor and generate the real catalog file from it using MakeCat.exe. The problem with this approach is that makecat does not warn about errors in the .cdf file. This results in everything looking just fine, but failing when loading the driver into the kernel.

Nevertheless, if you want to try this approach, go to <openvpn-sources>/dist/amd64 after building There you'll find tap0901.sys and OemWin2k.inf files. Create a catalog definition file (e.g. tap.cdf) with a text editor; it contents should be similar to the one below:

[CatalogHeader]
Name=tap0901.cat
PublicVersion=0x00000010
ResultDir=.\
EncodingType= 

[CatalogFiles]
tap0901.sys=.\tap0901.sys
OemWin2k.inf=.\OemWin2k.inf

Make sure you have a linefeed at the end. Please note that this file did not work properly for unknown reasons, and the .cdf file format seems mostly undocumented. Once the catalog definition file is finished you can create the real catalog file using makecat:

makecat -v tap.cdf

Creating the catalog file using inf2cat

Inf2Cat.exe is a tool used to generate an unsigned catalog file from driver's INF file. It should be more easier to use than makecat, as it can automatically generate a .cat file with correct syntax. This tool is included in the Windows Driver Kit, which you have to install. Use it like this:

cd C:\WINDDK\\7600.16385.1\bin\selfsign
Inf2Cat.exe /driver:<openvpn-sources>\dist\i386 /os:XP_X86
Inf2Cat.exe /driver:<openvpn-sources>\dist\amd64 /os:Vista_X64

Where <openvpn-sources> is something like C:\openvpn-build\openvpn-macbook.

Signing the catalog file

Sign the catalog file (.cat) with Signtool.exe

Now sign the catalog file with signtool:

signtool sign /v /s teststore /n "OpenVPN project test labs" tap0901.cat

As long as the test certificate has been imported using certmgr.exe (see above), this command should work.

If you want, repeat this process for 32-bit version of the TAP-driver starting from <openvpn-sources>/dist/i386.

Method 2: Enabling test mode on target computer

Test mode boot setting allows loading test-signed drivers to the Windows kernel. You can use the Driver Signature Enforcement Overrider tool to enable it. After a reboot you should see

Test Mode
Windows 7
Build xxxx

Or similar at bottom left corner of the desktop. Windows kernel should now load unsigned drivers without any issues.

Troubleshooting

Compiler warnings during OpenSSL build

When building OpenSSL you're most likely encounter issues with trivial compiler warnings stopping the entire build. To circumvent this remove the /WX flag in the makefile as suggested in INSTALL.W32 file. This is harder than it seems for two reasons:

The correct makefile is ms\ntdll.mak (not the Makefile in build root)
You need to use Wordpad or other UNIX linefeed-aware editor to open and save the makefile

VS 2008 cross-tools issues during OpenSSL build

OpenSSL build is likely to break at several places if you're running Visual Studio 2008 x64 Cross-Tools Command Prompt instead of plain Visual Studio 2008 Command prompt. Consider reinstalling Visual Studio without cross-tools if you encounter either of these errors:

fatal error LNK1112: module machine type X86 conflicts with target machine type x64 (in the middle of the build)
Linker can't find link.obj (at the end of the build)

Issues with self-signed TAP-driver certificates

Certificates Console can be used to view and move around certificates stored for the local computer or the current user. The Device Manager can be used to view driver status and the cause of malfunctions. Event viewer can be used to view Code integratity events, including failures to verify driver signatures. These can be found from Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity?.

External links

Building OpenVPN using GNU autotools
Visual studio toolchain
Windows driver signing
Other tools
- 7-zip: useful for extracting files (e.g. OpenVPN's signed TAP drivers) from NSI installers
Debugging
- System Information for Windows: a useful tool for debugging processor architecture issues
- Dependency Walker: a tool to debug DLL issues in DLLs and EXEs
- Manifest view: a tool to view contents of embedded manifests in EXEs and DLLs
- Windows Device Manager (for driver signing issues)

Download in other formats:

Plain Text