[[TOC(inline, depth=1)]] = Project structure = Starting with OpenVPN 2.3-alpha2 the OpenVPN buildsystem has been separated from the OpenVPN codebase and hosted in a separate Git repository. The following description is adapted from [http://thread.gmane.org/gmane.network.openvpn.devel/6280/focus=6297 here]: * ''openvpn'': a standard open source project, autotools-based build system and like any other project it's buildsystem only builds itself. * ''openvpn-build'': a separate project to build openvpn in various of configurations. This project is divided into the following components: * ''generic'': a generic build using cross compiler, included the complete dependencies. * ''msvc'': a MSVC build using Microsoft specific ''msbuild'' system. * ''windows-nsis'': the Windows installer generator that uses the generic component to build using mingw cross compiler, then package the output using NSIS. * ''tap-windows'': the Windows TAP driver, which is also useful outside OpenVPN * ''easy-rsa'': scripts for generating SSL certificates for use with OpenVPN (or for other purposes) '''NOTE:''' The original contents of this article were adapted from a number of Alon Bar-Lev's emails, who is the buildsystem's original author. = Building natively on *NIX = Building natively on *NIX has not changed much, you can still use roughly the same process as before. If building from Git sources, first do a {{{ $ autoreconf -vi }}} If building from a release tarball, you can skip the above step. To configure, build and install OpenVPN, use these commands: {{{ $ ./configure $ make $ make install }}} In most cases, you'd use something like this: {{{ $ ./configure --enable-lzo }}} If you're using password authentication, you may be interested in support for password stored in (properly protected!) files: {{{ $ ./configure --enable-lzo --enable-password-save }}} Or, if you want to use smart cards and such, you should use {{{ $ ./configure --enable-lzo --enable-pkcs11 }}} = Cross-compiling on *NIX ("generic" subdir) = == Installing prequisites == You can use the ''generic'' buildsystem from ''openvpn-build'' subproject to cross-compile OpenVPN using any toolchain to any target environment. The build host must have a *NIX-like environment, e.g. Linux, *BSD or Cygwin (on Windows). First make sure you have installed the correct tools before you start: * [http://mingw-w64.sourceforge.net/ mingw-w64], preferably version 2.0 or later (for building Windows binaries) * gcc-*-arm-linux-gnueabi (for building Arm binaries) * [http://git-scm.com/ Git] * [http://www.nongnu.org/man2html/ man2html] (for ''windows-nsis'' builds) * [http://waterlan.home.xs4all.nl/dos2unix.html dos2unix] (for ''windows-nsis'' builds) On Ubuntu 12.04 (64-bit) you the following commands shouldtake care of everything: {{{ $ apt-get update $ apt-get install git-core mingw-w64 gcc-4.6-arm-linux-gnueabi man2html dos2unix }}} If you're building using Cygwin on Windows, it's best to configure Git not to translate LF to CR/LF. For this reason it's probably best to use Cygwin's Git. Also take a look at Cygwin's README to see which packages are required. == Checking out openvpn-build repository == Check out the ''openvpn-build'' subproject using Git: {{{ $ git clone https://github.com/OpenVPN/openvpn-build.git }}} Then go to the ''generic'' directory: {{{ $ cd openvpn-build/generic }}} == Customizing the build == To customize the build options, edit ''build.vars'' to your liking, for example: {{{ # -*- mode: sh; -*- BUILD_VERSION="001" OPENSSL_VERSION="${OPENSSL_VERSION:-1.0.0e}" PKCS11_HELPER_VERSION="${PKCS11_HELPER_VERSION:-1.09}" LZO_VERSION="${LZO_VERSION:-2.06}" TAP_WINDOWS_VERSION="${TAP_WINDOWS_VERSION:-9.9}" OPENVPN_VERSION="${OPENVPN_VERSION:-2.3_alpha1}" OPENVPN_GUI_VERSION="${OPENVPN_GUI_VERSION:-1.0.3}" # Formatted for Trac, place each to one line OPENSSL_URL="${OPENSSL_URL:- http://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz}" PKCS11_HELPER_URL="${PKCS11_HELPER_URL:- http://www.opensc-project.org/files/pkcs11-helper/pkcs11-helper-${PKCS11_HELPER_VERSION}.tar.bz2}" TAP_WINDOWS_URL="${TAP_WINDOWS_URL:- https://github.com/downloads/OpenVPN/tap-windows/tap-windows-${TAP_WINDOWS_VERSION}.zip}" LZO_URL="${LZO_URL:- http://www.oberhumer.com/opensource/lzo/download/lzo-${LZO_VERSION}.tar.gz}" OPENVPN_URL="${OPENVPN_URL:- http://build.openvpn.net/downloads/snapshots/openvpn-${OPENVPN_VERSION}.tar.gz}" OPENVPN_GUI_URL="${OPENVPN_GUI_URL:- https://github.com/downloads/OpenVPN/openvpn-gui/openvpn-gui-${OPENVPN_GUI_VERSION}.tar.gz}" #CHOST #CTARGET #CBUILD #IMAGEROOT #BUILDROOT #SOURCESROOT WGET="${WGET:-wget}" CURL="${CURL:-curl}" MAKE="${MAKE:-make}" #WGET_OPTS CURL_OPTS="${CURL_OPTS:---progress-bar --verbose --remote-name}" MAKEOPTS="${MAKEOPTS:--j3}" #DO_NO_STRIP #DO_STATIC= if [ -n "${DO_REALLY_STATIC}" ]; then DO_STATIC=1 export LDFLAGS="-Xcompiler -static" fi #EXTRA_OPENSSL_CONFIG #EXTRA_LZO_CONFIG #EXTRA_PKCS11_HELPER_CONFIG #EXTRA_OPENVPN_CONFIG TARGET_ROOT="${TARGET_ROOT:-/}" }}} If you want to use your own, local sources (e.g. for OpenSSL or OpenVPN), put them in ''sources'' directory, so that the ''generic'' buildsystem knows not to download them from a remote site. The cached tarballs will be used even if they're of a different version than what would be downloaded. == Building OpenVPN and it's dependencies == The ''./build'' command fetches all the dependencies, builds them and builds OpenVPN. To build a native binary: {{{ $ IMAGEROOT=`pwd`/image-native ./build }}} To build for Windows 32bit on Linux 64bit: {{{ $ IMAGEROOT=`pwd`/image-win32 CHOST=i686-w64-mingw32 \ CBUILD=x86_64-pc-linux-gnu ./build }}} To build for Windows 64bit on Linux 64bit: {{{ $ IMAGEROOT=`pwd`/image-win64 CHOST=x86_64-w64-mingw32 \ CBUILD=x86_64-pc-linux-gnu ./build }}} To build for Arm on Linux 64bit: {{{ $ IMAGEROOT=`pwd`/image-arm CHOST=arm-linux-gnueabi \ CBUILD=x86_64-pc-linux-gnu ./build }}} For typical OpenVPN installations you'll most likely want to use something like this: {{{ $ DEP=location of the dependencies $ ./configure host=... \ CFLAGS="-I$DEP/include" LDFLAGS="-L$DEB/lib" \ --enable-lzo --enable-pkcs11 \ PKCS11_HELPER_CFLAGS=" " PKCS11_HELPER_LIBS="-lpkcs11-helper" }}} == Building dependencies only == To build only dependencies (helpful for developers): {{{ $ DO_ONLY_DEPS=1 IMAGEROOT=`pwd`/deps-win32 CHOST=i686-w64-mingw32 \ CBUILD=x86_64-pc-linux-gnu ./build }}} == Cleaning up == If you want to start from scratch, do {{{ $ cd openvpn-build/generic $ rm -f sources/* $ rm -rf image-* }}} = Creating a NSIS installer ("windows-nsis" subdir) = You can use the scripts in ''openvpn-build/windows-nsis'' to create a [http://nsis.sourceforge.net NSIS] installer for Windows. The scripts use the generic build system to build OpenVPN and it's dependencies (e.g. lzo, openssl), and use [http://sourceforge.net/projects/osslsigncode osslsigncode] for signing the resulting binaries, if requested. NSIS must be available on system. If installed not in path or standard location set MAKENSIS environment variable. Same goes for OSSLSIGNCODE. First check out ''openvpn-build'' as described [wiki:BuildingUsingGenericBuildsystem#Checkingoutopenvpn-buildrepository here]. Then do the following: {{{ $ cd openvpn-build/windows-nsis $ ./build-complete }}} Refer to ./build-complete --help for more options. '''NOTE:''' To make sure fresh tarballs are used, empty ../generic/sources directory before building. = Building natively on Windows using the MSVC toolchain ("msvc" subdir) = == Installing prequisites == MSVC build was written with least dependencies in mind. You'll need only [http://www.activestate.com/activeperl Perl] and Visual Studio 2010 (Express). == Checking out openvpn-build repository == Launch a Git Bash and follow [wiki:BuildingUsingGenericBuildsystem#Checkingoutopenvpn-buildrepository these] instructions. Next go to the ''msvc'' directory using a Visual Studio prompt: {{{ > cd openvpn-build/msvc }}} == Customizing the build == The MSVC builds can be customized by creating a new file, ''build-env-local.bat'' which is loaded by ''build.bat''. The variables defined in ''build-env-local.bat'' override the defaults given in ''build-env.bat''. For example, you can manually define the location of dependencies: {{{ set OPENVPN_DEPROOT=c:\Users\JohnDoe\openvpn-build\build-deps set OPENSSL_HOME=%OPENVPN_DEPROOT%\openssl-1.0.0g set LZO_HOME=%OPENVPN_DEPROOT%\lzo-2.06 set PKCS11H_HOME=%OPENVPN_DEPROOT%\pkcs11-helper-1.10 set TAP_WINDOWS_HOME=%OPENVPN_DEPROOT%\tap-windows-9.9 }}} You can also configure the build to use a Git repository or tarball of your liking, for example: {{{ set OPENVPN_GIT=git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git set OPENVPN_SOURCE=git set OPENVPN_BRANCH=master }}} == Building OpenVPN and it's dependencies == Normally you'd only need one command: {{{ > build }}} This fetches all the dependencies, builds them and builds OpenVPN. == Building dependencies only == To build only dependencies (helpful for developers): {{{ > set DO_ONLY_DEPS=true > set TARGET=%cd%\deps > build }}} == Other capabilities == You can also launch Visual Studio with {{{ > msvc-dev }}} = Building TAP-Windows = Required software: Recent Windows DDK, [http://nsis.sourceforge.net NSIS]. First clone the ''tap-windows'' repository, e.g. using ''Git Bash'': {{{ $ git clone https://github.com/OpenVPN/tap-windows }}} Then build (using a Visual Studio prompt?): {{{ > configure > build }}} If you want to sign the TAP-driver, you can add the pkcs12 file and passphrase as variables to ''config-env.bat'', e.g. {{{ set CODESIGN_PKCS12=c:\Users\John\tap-windows\mykey.p12 set CODESIGN_PASS=mypassphrase }}} Further customization for MSVC can be done using ''config-local.m4'' file which overrides variables or with environment variables which override auto detection code. This can be used, for example, to specify a custom DDK location. For details, see {{{ > configure --help }}} = Code-signing = The [http://sourceforge.net/projects/osslsigncode/ osslsigncode] tool is used to sign OpenVPN installer, executables and TAP-drivers. Official OpenVPN releases will be signed with OpenVPN Technologies, Inc. code signing keys. However, it's fairly easy to build a custom version of OpenVPN and sign it with your own code-signing keys. == Installing osslsigncode == The build system uses [http://sourceforge.net/projects/osslsigncode/ osslsigncode] to sign the produced libraries and executables. A recent version (1.4+) is required, although earlier versions can be used with minor modifications to the codesign() method in the scripts. More specifically, the assumption is that a pkcs12 keystore is used for signing, and osslsigncode 1.3 and earlier don't support pkcs12 yet. After [http://sourceforge.net/projects/osslsigncode/ fetching osslsigncode], make sure you have OpenSSL and Curl3 development libraries installed. The latter is used for timestamping support. Extract the osslsigncode tarball and issue the usual commands: {{{ $ ./configure $ make $ sudo make install }}} This will put osslsigncode in PATH where the build system can find it. == Using verified certificates == You can reuse your existing, verified (=paid for) certificates fairly easily. Provided you have a .spc and .pvk files at hand, you can use [attachment:spc+pvk-to-p12.sh this script] to convert them into a PKCS12 keystore. If that fails, adapt the manual instructions, below, to your needs. == Creating self-signed code-signing certificate == You can generate self-signed keys and certificates and sign the various OpenVPN components with those. First, create the certificate on a Windows box with ''makecert'' (adapted from [http://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows here]): {{{ > makecert -r -pe -n "CN=My organization test CA" -ss CA -sr CurrentUser -a sha1 -sky signature -sv testca.pvk testca.cer }}} This will ask you to enter the private key password twice, and then asks for it again. Next, you need to import the key to ''Trusted CA'' keystore: {{{ > certutil -user -addstore Root testca.cer }}} Next you can create the actual code-signing certificate: {{{ > makecert -pe -n "CN=My organization" -a sha1 -sky signature -ic testca.cer -iv testca.pvk -sv testspc.pvk testspc.cer }}} After all of this is done, you should have four files in the current directory, e.g. * testca.cer * testca.pvk * testspc.cer * testspc.pvk == Converting the certificate == The next step is to convert these into a format [http://sourceforge.net/projects/osslsigncode/ osslsigncode] can understand. As described [http://sourceforge.net/projects/osslsigncode/forums/forum/438747/topic/1706587 here], first you need to convert the actual code-signing certificate into p7b format. One way to do that is described below: * Navigate to the directory with the generated certificates using Windows Explorer * Right-click on the code-signing certificate file (e.g. ''testspc.cer'') * Select "Install certificate" and place the certificate into the certificate store of your choosing (e.g. ''Personal'') Next you need to export the just imported certificate in a different format: * Launch ''mmc.exe'' * Add the ''Certificates'' snap-in * Locate the ''My organization'' certificate you just installed using ''mmc.exe'' * Double click on the certificate * Select ''Details'' tab * Click on ''Copy to File'' and export the certificate in p7b format, including "all certificates in certification path, if possible" Now we can use OpenSSL to convert the p7b certificate into proper format: {{{ openssl pkcs7 -in testspc.p7b -inform DER -print_certs -out testspc.crt }}} The resulting certificate will contain the certificate, and the CA certificate. Split the file into two: * ''end.crt'': the certificate * ''chain.crt'': the CA certificate You will need these later, when creating a PKCS12 file. == Converting the private key == As described [http://sourceforge.net/projects/osslsigncode/forums/forum/438747/topic/1706587 here], you will also need to convert the private key. Because it's in a proprietary [http://www.drh-consultancy.demon.co.uk/pvk.html PVK] format, you need to use the [http://www.drh-consultancy.demon.co.uk/pvk.html pvk.exe] tool on the Windows box to convert it into PEM format: {{{ > pvk.exe -in testspc.pvk -nocrypt -out testspc.pem }}} This will prompt you for the private key's password. After this, you can use [http://openssl.org/ OpenSSL] to convert the PEM file into DER format, which ''osslsigncode'' requires. Below we use ''openssl'' on Linux for the job; adapt as necessary for Windows (i.e. ''openssl'' -> ''openssl.exe'': {{{ $ openssl rsa -in testspc.pem -inform PEM -out testpsc.der -outform DER }}} == Creating a PKCS12 file == If you want to integrate the signing into OpenVPN build, you need to create a PKCS12 file. At this point you should have these files: * testca.cer: CA certificate * testca.pvk: CA certificate's private key (in proprietary PVK format) * testspc.cer: Code-signing certificate * testspc.p7b: Code-signing certificate + CA certificate (in P7B format) * testspc.pvk: Code-signing certificate's private key (in proprietary PVK format) * testspc.pem: Code-signing certificate's private key (in PEM format) * testspc.der: Code-signing certificate's private key (in DER format) * end.crt: Code-signing certificate (in DER format) * chain.crt: CA certificate (in DER format) To generate a PKCS12 file use something like this: {{{ $ openssl pkcs12 -export -inkey testspc.pem -in end.crt -certfile chain.crt -out testspc.p12 }}} This command will prompt you for an export password. You'll end up with the PKCS12 file: * testspc.p12: Code-signing certificate and private key (in PKCS12 format) == Signing OpenVPN components == We can now sign whatever executables we want like this: {{{ $ osslsigncode -spc testspc.p7b -key testspc.der -n "OpenVPN custom version" -i "http://company.domain.com" -in openvpn-2.3-alpha1-custom-install.exe -out openvpn-2.3-alpha1-custom-install-signed.exe }}} Next you can test the installer to see whether the ''Program Name'' and ''Verified publisher'' are correct. = External links = '''Official OpenVPN Git repositories''' * https://github.com/OpenVPN/openvpn * https://github.com/OpenVPN/openvpn-build * https://github.com/OpenVPN/tap-windows * https://github.com/OpenVPN/easy-rsa '''Installers and files''' * [https://github.com/downloads/alonbl/openvpn/openvpn-install-2.3-alpha1-I000.exe OpenVPN 2.3-alpha1 Windows installer build using this new buildsyste] * [https://github.com/downloads/alonbl/openvpn/openvpn-2.3-alpha1.tar.gz OpenVPN 2.3-alpha1 source directory with integrated buildsystem]