Version 51 (modified by Samuli Seppänen, 10 years ago) (diff)


Project structure

Look here for details.

Building natively on *NIX

Building natively on *NIX has not changed much, you can still use roughly the same process as before. If building from Git sources, first do a

$ autoreconf -vi

If building from a release tarball, you can skip the above step. To configure, build and install OpenVPN, use these commands:

$ ./configure <configure-options>
$ make
$ make install

In most cases, you'd use something like this:

$ ./configure --enable-lzo

If you're using password authentication, you may be interested in support for password stored in (properly protected!) files:

$ ./configure --enable-lzo --enable-password-save

Or, if you want to use smart cards and such, you should use

$ ./configure --enable-lzo --enable-pkcs11

Cross-compiling on *NIX ("generic" subdir)

Installing prequisites

You can use the generic buildsystem from openvpn-build subproject to cross-compile OpenVPN using any toolchain to any target environment. The build host must have a *NIX-like environment, e.g. Linux, *BSD or Cygwin (on Windows). First make sure you have installed the correct tools before you start:

On Ubuntu 12.04 (64-bit) you the following commands should take care of everything except osslsigncode:

$ apt-get update
$ apt-get install git-core mingw-w64 gcc-4.6-arm-linux-gnueabi man2html dos2unix nsis

If you're building using Cygwin on Windows, it's best to configure Git not to translate LF to CR/LF. For this reason it's probably best to use Cygwin's Git. Also take a look at Cygwin's README to see which packages are required.

Checking out openvpn-build repository

Check out the openvpn-build subproject using Git:

$ git clone

Then go to the generic directory:

$ cd openvpn-build/generic

Customizing the build

To customize the build options, edit build.vars to your liking, for example:

# -*- mode: sh; -*-


# Formatted for Trac, place each to one line



CURL_OPTS="${CURL_OPTS:---progress-bar --verbose --remote-name}"
if [ -n "${DO_REALLY_STATIC}" ]; then
        export LDFLAGS="-Xcompiler -static"



If you want to use your own, local sources (e.g. for OpenSSL or OpenVPN), put them in sources directory, so that the generic buildsystem knows not to download them from a remote site. The cached tarballs will be used even if they're of a different version than what would be downloaded.

Building OpenVPN and it's dependencies

The ./build command fetches all the dependencies, builds them and builds OpenVPN. To build a native binary:

$ IMAGEROOT=`pwd`/image-native ./build

To build for Windows 32bit on Linux 64bit:

$ IMAGEROOT=`pwd`/image-win32 CHOST=i686-w64-mingw32 \
    CBUILD=x86_64-pc-linux-gnu ./build

To build for Windows 64bit on Linux 64bit:

$ IMAGEROOT=`pwd`/image-win64 CHOST=x86_64-w64-mingw32 \
    CBUILD=x86_64-pc-linux-gnu ./build

To build for Arm on Linux 64bit:

$ IMAGEROOT=`pwd`/image-arm CHOST=arm-linux-gnueabi \
    CBUILD=x86_64-pc-linux-gnu ./build

For typical OpenVPN installations you'll most likely want to use something like this:

$ DEP=location of the dependencies
$ ./configure host=... \
    CFLAGS="-I$DEP/include" LDFLAGS="-L$DEB/lib" \
    --enable-lzo --enable-pkcs11 \
    PKCS11_HELPER_CFLAGS=" " PKCS11_HELPER_LIBS="-lpkcs11-helper"

Building dependencies only

To build only dependencies (helpful for developers):

$ DO_ONLY_DEPS=1 IMAGEROOT=`pwd`/deps-win32 CHOST=i686-w64-mingw32 \
    CBUILD=x86_64-pc-linux-gnu ./build

Cleaning up

If you want to start from scratch, do

$ cd openvpn-build/generic
$ rm -f sources/*
$ rm -rf image-*

Creating a NSIS installer ("windows-nsis" subdir)

You can use the scripts in openvpn-build/windows-nsis to create a NSIS installer for Windows. The scripts use the generic build system to build OpenVPN and it's dependencies (e.g. lzo, openssl), and use osslsigncode for signing the resulting binaries, if requested.

NSIS must be available on system. If installed not in path or standard location set MAKENSIS environment variable. Same goes for OSSLSIGNCODE.

First check out openvpn-build as described here. Then do the following:

$ cd openvpn-build/windows-nsis
$ ./build-snapshot

If you want to sign the resulting libraries and executables, use something like this:

$ ./build-snapshot --sign --sign-pkcs12=signingkey.p12 --sign-pkcs12-pass=yourpassphrase

Refer to ./build-complete --help and build-snapshot for more options.

NOTE: To make sure fresh tarballs are used, empty ../generic/sources directory before building.

Building natively on Windows using the MSVC toolchain ("msvc" subdir)

Installing prequisites

MSVC build was written with least dependencies in mind. You'll need only Perl and Visual Studio 2010 (Express).

Checking out openvpn-build repository

Launch a Git Bash and follow these instructions. Next go to the msvc directory using a Visual Studio prompt:

> cd openvpn-build/msvc

Customizing the build

The MSVC builds can be customized by creating a new file, build-env-local.bat which is loaded by build.bat. The variables defined in build-env-local.bat override the defaults given in build-env.bat. For example, you can manually define the location of dependencies:

set OPENVPN_DEPROOT=c:\Users\JohnDoe\openvpn-build\build-deps
set PKCS11H_HOME=%OPENVPN_DEPROOT%\pkcs11-helper-1.10

You can also configure the build to use a Git repository or tarball of your liking, for example:

set OPENVPN_GIT=git://

Building OpenVPN and it's dependencies

Normally you'd only need one command:

> build

This fetches all the dependencies, builds them and builds OpenVPN.

Building dependencies only

To build only dependencies (helpful for developers):

> set DO_ONLY_DEPS=true
> set TARGET=%cd%\deps
> build

Other capabilities

You can also launch Visual Studio with

> msvc-dev

Building TAP-Windows

Required software: Recent Windows DDK, NSIS.

First clone the tap-windows repository, e.g. using Git Bash:

$ git clone

Then build (using a Visual Studio prompt?):

> configure
> build

If you want to sign the TAP-driver, you can add the pkcs12 file and passphrase as variables to config-env.bat, e.g.

set CODESIGN_PKCS12=c:\Users\John\tap-windows\mykey.p12
set CODESIGN_PASS=mypassphrase

Further customization for MSVC can be done using config-local.m4 file which overrides variables or with environment variables which override auto detection code. This can be used, for example, to specify a custom DDK location. For details, see

> configure --help


The osslsigncode tool is used to sign OpenVPN installer, libraries and executables. SignTool is used to sign the TAP-drivers. Official OpenVPN releases will be signed with OpenVPN Technologies, Inc. code signing keys. However, it's fairly easy to build a custom version of OpenVPN and sign it with your own code-signing keys.

Installing osslsigncode

The build system uses osslsigncode to sign the produced libraries and executables. A recent version (1.4+) is required, although earlier versions can be used with minor modifications to the codesign() method in the scripts. More specifically, the assumption is that a pkcs12 keystore is used for signing, and osslsigncode 1.3 and earlier don't support pkcs12 yet.

After fetching osslsigncode, make sure you have OpenSSL and Curl3 development libraries installed. On Ubuntu 12.04 you'd do

$ apt-get update
$ apt-get install libssl-dev libcurl4-openssl-dev

The latter is used for timestamping support. Extract the osslsigncode tarball and issue the usual commands:

$ ./configure
$ make
$ sudo make install

This will put osslsigncode in PATH where the build system can find it.

Using verified certificates

You can reuse your existing, verified (=paid for) certificates fairly easily. Provided you have a .spc and .pvk files at hand, you can use this script to convert them into a PKCS12 keystore. If that fails, adapt the manual instructions, below, to your needs.

Using self-signed code-signing certificate generated using MS tools

Creating the certificate

You can generate self-signed keys and certificates and sign the various OpenVPN components with those. First, create the certificate on a Windows box with makecert (adapted from here):

> makecert -r -pe -n "CN=My organization test CA" -ss CA -sr CurrentUser -a sha1 -sky signature -sv testca.pvk testca.cer

This will ask you to enter the private key password twice, and then asks for it again. Next, you need to import the key to Trusted CA keystore:

> certutil -user -addstore Root testca.cer

Next you can create the actual code-signing certificate:

> makecert -pe -n "CN=My organization" -a sha1 -sky signature -ic testca.cer -iv testca.pvk -sv testspc.pvk testspc.cer

After all of this is done, you should have four files in the current directory, e.g.

  • testca.cer
  • testca.pvk
  • testspc.cer
  • testspc.pvk

Converting the certificate

The next step is to convert these into a format osslsigncode can understand. As described here, first you need to convert the actual code-signing certificate into p7b format. One way to do that is described below:

  • Navigate to the directory with the generated certificates using Windows Explorer
  • Right-click on the code-signing certificate file (e.g. testspc.cer)
  • Select "Install certificate" and place the certificate into the certificate store of your choosing (e.g. Personal)

Next you need to export the just imported certificate in a different format:

  • Launch mmc.exe
  • Add the Certificates snap-in
  • Locate the My organization certificate you just installed using mmc.exe
  • Double click on the certificate
  • Select Details tab
  • Click on Copy to File and export the certificate in p7b format, including "all certificates in certification path, if possible"

Now we can use OpenSSL to convert the p7b certificate into proper format:

$ openssl pkcs7 -in testspc.p7b -inform DER -print_certs -out testspc.crt

The resulting certificate will contain the certificate, and the CA certificate. Split the file into two:

  • end.crt: the certificate
  • chain.crt: the CA certificate

You will need these later, when creating a PKCS12 file.

Converting the private key

As described here, you will also need to convert the private key. Because it's in a proprietary PVK format, you need to use the pvk.exe tool on the Windows box to convert it into PEM format:

> pvk.exe -in testspc.pvk -nocrypt -out testspc.pem

This will prompt you for the private key's password. After this, you can use OpenSSL to convert the PEM file into DER format, which osslsigncode requires. Below we use openssl on Linux for the job; adapt as necessary for Windows (i.e. openssl -> openssl.exe:

$ openssl rsa -in testspc.pem -inform PEM -out testpsc.der -outform DER

Creating a PKCS12 file

If you want to integrate the signing into OpenVPN build, you need to create a PKCS12 file. At this point you should have these files:

  • testca.cer: CA certificate
  • testca.pvk: CA certificate's private key (in proprietary PVK format)
  • testspc.cer: Code-signing certificate
  • testspc.p7b: Code-signing certificate + CA certificate (in P7B format)
  • testspc.pvk: Code-signing certificate's private key (in proprietary PVK format)
  • testspc.pem: Code-signing certificate's private key (in PEM format)
  • testspc.der: Code-signing certificate's private key (in DER format)
  • end.crt: Code-signing certificate (in DER format)
  • chain.crt: CA certificate (in DER format)

To generate a PKCS12 file use something like this:

$ openssl pkcs12 -export -inkey testspc.pem -in end.crt -certfile chain.crt -out testspc.p12

This command will prompt you for an export password. You'll end up with the PKCS12 file:

  • testspc.p12: Code-signing certificate and private key (in PKCS12 format)

Creating self-signed code-signing pkcs12 archive using OpenSSL

All of the above can be replaced with two simple OpenSSL commands (from Alon Bar-Lev):

$ openssl req -newkey rsa:1024 -new -x509 -subj "/CN=test1" -out test.crt	
$ openssl pkcs12 -export -inkey privkey.pem -in test.crt -out test.p12	

This is method is easiest for self-signed test keys.

Signing OpenVPN components

We can now sign whatever executables we want like this:

$ osslsigncode -spc testspc.p7b -key testspc.der -n "OpenVPN custom version" -i "" -in openvpn-2.3-alpha1-custom-install.exe -out openvpn-2.3-alpha1-custom-install-signed.exe

Alternatively, you can use your pkcs12 archive (with osslsigncode 1.4+) to sign. After signing, test the installer to see whether the Program Name and Verified publisher are correct.

External links

Official OpenVPN Git repositories

Installers and files

Attachments (1)

Download all attachments as: .zip