[[TOC(inline, depth=1)]] = Project structure = Look [wiki:CodeRepositories here] for details. = Building natively on *NIX = Building natively on *NIX has not changed much, you can still use roughly the same process as before. If building from Git sources, first do a {{{ $ autoreconf -vi }}} If building from a release tarball, you can skip the above step. To configure, build and install OpenVPN, use these commands: {{{ $ ./configure $ make $ make install }}} In most cases, you'd use something like this: {{{ $ ./configure }}} If you're using password authentication, you may be interested in support for password stored in (properly protected!) files: {{{ $ ./configure --enable-password-save }}} Or, if you want to use smart cards and such, you should use {{{ $ ./configure --enable-pkcs11 }}} = Cross-compiling on *NIX ("generic" subdir) = == Installing prequisites == You can use the ''generic'' buildsystem from ''openvpn-build'' subproject to cross-compile OpenVPN using any toolchain to any target environment. The build host must have a *NIX-like environment, e.g. Linux, *BSD or Cygwin (on Windows). First make sure you have installed the correct tools before you start: * [http://mingw-w64.sourceforge.net/ mingw-w64], preferably version 2.0 or later (for building Windows binaries) * gcc-*-arm-linux-gnueabi (for building Arm binaries) * [http://git-scm.com/ Git] * [http://www.nongnu.org/man2html/ man2html] (for ''windows-nsis'' builds) * [http://waterlan.home.xs4all.nl/dos2unix.html dos2unix] (for ''windows-nsis'' builds) * [http://nsis.sourceforge.net/Main_Page NSIS] * [http://osslsigncode.sourceforge.net/ osslsigncode] ([wiki:BuildingUsingGenericBuildsystem#Installingosslsigncode installation instructions]) On Ubuntu 12.04 (64-bit) you the following commands should take care of everything except osslsigncode: {{{ $ apt-get update $ apt-get install git-core mingw-w64 gcc-4.6-arm-linux-gnueabi man2html dos2unix nsis }}} If you're building using Cygwin on Windows, it's best to configure Git not to translate LF to CR/LF. For this reason it's probably best to use Cygwin's Git. Also take a look at Cygwin's README to see which packages are required. == Checking out openvpn-build repository == Check out the ''openvpn-build'' subproject using Git: {{{ $ git clone https://github.com/OpenVPN/openvpn-build.git }}} Then go to the ''generic'' directory: {{{ $ cd openvpn-build/generic }}} == Customizing the build == To customize the build options, refer to ''build.vars'', it contains the defaults for building, most settings can be customized by setting environment variable before executing the build script. If you want to use your own, local sources (e.g. for OpenSSL or OpenVPN), put them in ''sources'' directory, so that the ''generic'' buildsystem knows not to download them from a remote site. The cached tarballs will be used even if they're of a different version than what would be downloaded. This is useful for building custom version. == Building OpenVPN and it's dependencies == The ''./build'' command fetches all the dependencies, builds them and builds OpenVPN. To build a native binary: {{{ $ IMAGEROOT=`pwd`/image-native ./build }}} To build for Windows 32bit on Linux 64bit: {{{ $ IMAGEROOT=`pwd`/image-win32 CHOST=i686-w64-mingw32 \ CBUILD=x86_64-pc-linux-gnu ./build }}} To build for Windows 64bit on Linux 64bit: {{{ $ IMAGEROOT=`pwd`/image-win64 CHOST=x86_64-w64-mingw32 \ CBUILD=x86_64-pc-linux-gnu ./build }}} To build for Arm on Linux 64bit: {{{ $ IMAGEROOT=`pwd`/image-arm CHOST=arm-linux-gnueabi \ CBUILD=x86_64-pc-linux-gnu ./build }}} == Building dependencies only == To build only dependencies (helpful for developers): {{{ $ DO_ONLY_DEPS=1 IMAGEROOT=`pwd`/deps-win32 CHOST=i686-w64-mingw32 \ CBUILD=x86_64-pc-linux-gnu ./build }}} For typical OpenVPN installations you'll most likely want to use something like this: {{{ $ DEP=location of the dependencies $ ./configure host=... \ CFLAGS="-I$DEP/include" LDFLAGS="-L$DEB/lib" \ --enable-pkcs11 \ PKCS11_HELPER_CFLAGS=" " PKCS11_HELPER_LIBS="-lpkcs11-helper" }}} == Cleaning up == If you want to start from scratch, do {{{ $ cd openvpn-build/generic $ rm -f sources/* $ rm -rf image-* }}} = Creating a NSIS installer ("windows-nsis" subdir) = You can use the scripts in ''openvpn-build/windows-nsis'' to create a [http://nsis.sourceforge.net NSIS] installer for Windows. The scripts use the generic build system to build OpenVPN and it's dependencies (e.g. lzo, openssl), and use [http://sourceforge.net/projects/osslsigncode osslsigncode] for signing the resulting binaries, if requested. NSIS must be available on system. If installed not in path or standard location set MAKENSIS environment variable. Same goes for OSSLSIGNCODE. First check out ''openvpn-build'' as described [wiki:BuildingUsingGenericBuildsystem#Checkingoutopenvpn-buildrepository here]. Then do the following: {{{ $ cd openvpn-build/windows-nsis $ ./build-snapshot }}} If you want to sign the resulting libraries and executables, use something like this: {{{ $ ./build-snapshot --sign --sign-pkcs12=signingkey.p12 --sign-pkcs12-pass=yourpassphrase }}} Refer to ''./build-complete --help'' and ''build-snapshot'' for more options. '''NOTE:''' To make sure fresh tarballs are used, empty ./sources directory before building. = Building natively on Windows using the MSVC toolchain ("msvc" subdir) = == Installing prequisites == MSVC build was written with least dependencies in mind. You'll need only [http://www.activestate.com/activeperl Perl] and Visual Studio 2010 (Express). == Checking out openvpn-build repository == Launch a Git Bash and follow [wiki:BuildingUsingGenericBuildsystem#Checkingoutopenvpn-buildrepository these] instructions. Next go to the ''msvc'' directory and build: {{{ > cd openvpn-build/msvc > build }}} This fetches all the dependencies, builds them and builds OpenVPN. == Building dependencies only == To build only dependencies (helpful for developers): {{{ > set DO_ONLY_DEPS=true > set TARGET=c:\Temp\build-deps > build }}} == Customizing the build == To customize the build options, refer to ''build-env.bat'', it contains the defaults for building, most settings can be customized by setting environment variable before executing the build script. You can also configure the build to use a Git repository or tarball of your liking, for example: {{{ set OPENVPN_GIT=git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git set OPENVPN_SOURCE=git set OPENVPN_BRANCH=master }}} == Build OpenVPN manually == Provided you built the dependencies you can use the MSVC build system within OpenVPN tree, edit ''build-env-local.bat'' which is loaded by ''build.bat''. The variables defined in ''build-env-local.bat'' override the defaults given in ''build-env.bat''. For example, you can manually define the location of dependencies: {{{ set OPENVPN_DEPROOT=c:\Temp\build-deps }}} Then open IDE using: {{{ > msvc-dev }}} Or build using: {{{ > msvc-build }}} = Building TAP-Windows = Required software: Recent Windows DDK, [http://nsis.sourceforge.net NSIS]. First clone the ''tap-windows'' repository, e.g. using ''Git Bash'': {{{ $ git clone https://github.com/OpenVPN/tap-windows }}} At command prompt: {{{ > configure > build }}} If you want to sign the TAP-driver, you can add the pkcs12 file and passphrase as variables to ''config-env.bat'', e.g. {{{ set CODESIGN_PKCS12=c:\Users\John\tap-windows\mykey.p12 set CODESIGN_PASS=mypassphrase }}} Further customization for MSVC can be done using ''config-local.m4'' file which overrides variables or with environment variables which override auto detection code. This can be used, for example, to specify a custom DDK location. For details, see {{{ > configure --help }}} = Code-signing = The [http://sourceforge.net/projects/osslsigncode/ osslsigncode] tool is used to sign OpenVPN installer, libraries and executables. [http://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx SignTool] is used to sign the TAP-drivers. Official OpenVPN releases will be signed with OpenVPN Technologies, Inc. code signing keys. However, it's fairly easy to build a custom version of OpenVPN and sign it with your own code-signing keys. If you have to use MS tools for generating the code-signing certificates, you can still convert them to a format osslsigncode understands. Look at this [wiki:BuildingUsingGenericBuildsystem@51 old version of this page] for details. == Installing osslsigncode == The build system uses [http://sourceforge.net/projects/osslsigncode/ osslsigncode] to sign the produced libraries and executables. A recent version (1.4+) is required, although earlier versions can be used with minor modifications to the codesign() method in the scripts. More specifically, the assumption is that a pkcs12 keystore is used for signing, and osslsigncode 1.3 and earlier don't support pkcs12 yet. After [http://sourceforge.net/projects/osslsigncode/ fetching osslsigncode], make sure you have OpenSSL and Curl3 development libraries installed. On Ubuntu 12.04 you'd do {{{ $ apt-get update $ apt-get install libssl-dev libcurl4-openssl-dev }}} The latter is used for timestamping support. Extract the osslsigncode tarball and issue the usual commands: {{{ $ ./configure $ make $ sudo make install }}} This will put osslsigncode in PATH where the build system can find it. == Using verified certificates == You can reuse your existing, verified (=paid for) certificates fairly easily. Provided you have a .spc and .pvk files at hand, you can use [attachment:spc+pvk-to-p12.sh this script] to convert them into a PKCS12 keystore. If that fails, adapt the manual instructions, below, to your needs. == Creating self-signed code-signing pkcs12 archive using OpenSSL == All of the above can be replaced with two simple OpenSSL commands (from Alon Bar-Lev): {{{ $ openssl req -newkey rsa:1024 -new -x509 -subj "/CN=test1" -out test.crt $ openssl pkcs12 -export -inkey privkey.pem -in test.crt -out test.p12 }}} When building tap with test certificate set CODESIGN_ISTEST=yes before configure. = External links = '''Official OpenVPN Git repositories''' * https://github.com/OpenVPN/openvpn * https://github.com/OpenVPN/openvpn-build * https://github.com/OpenVPN/tap-windows * https://github.com/OpenVPN/easy-rsa '''Installers and files''' * [https://github.com/downloads/alonbl/openvpn/openvpn-install-2.3-alpha1-I000.exe OpenVPN 2.3-alpha1 Windows installer build using this new buildsystem] * [https://github.com/downloads/alonbl/openvpn/openvpn-2.3-alpha1.tar.gz OpenVPN 2.3-alpha1 source directory with integrated buildsystem]