[[TOC(inline, depth=1)]] = Project structure = Look [wiki:CodeRepositories here] for details. = Building natively on *NIX = Building natively on *NIX has not changed much, you can still use roughly the same process as before. If building from Git sources, first do a {{{ $ autoreconf -vi }}} If building from a release tarball, you can skip the above step. To configure, build and install OpenVPN, use these commands: {{{ $ ./configure $ make $ make install }}} In most cases, you'd use something like this: {{{ $ ./configure }}} If you're using password authentication, you may be interested in support for password stored in (properly protected!) files: {{{ $ ./configure --enable-password-save }}} Or, if you want to use smart cards and such, you should use {{{ $ ./configure --enable-pkcs11 }}} = Cross-compiling on *NIX ("generic" subdir) = == Using openvpn-build Vagrant VM for building == If you use or can install Vagrant and Virtualbox you can make use of the "openvpn-build" Vagrant VM in [https://github.com/OpenVPN/openvpn-vagrant openvpn-vagrant]. That way you don't have to worry about any of the build system setup and can just skip to the actual building. == Installing prerequisites == Content moved [wiki:SettingUpGenericBuildsystem here]. == Checking out openvpn-build repository == Check out the ''openvpn-build'' subproject using Git: {{{ $ git clone https://github.com/OpenVPN/openvpn-build.git }}} Then go to the ''generic'' directory: {{{ $ cd openvpn-build/generic }}} == Customizing the build == To customize the build options, refer to ''build.vars'', it contains the defaults for building, most settings can be customized by setting environment variable before executing the build script. If you want to use your own, local sources (e.g. for OpenSSL or OpenVPN), put them in ''sources'' directory, so that the ''generic'' buildsystem knows not to download them from a remote site. The cached tarballs will be used even if they're of a different version than what would be downloaded. This is useful for building custom version. === Building your own fork of OpenVPN hosted at GitHub === 1. Sources in tarballs downloaded from GitHub are packed inside ''openvpn-'' subfolder, while the build process expects them inside ''openvpn-''. Therefore, set the ''OPENVPN_VERSION'' to the branch name, replacing ''"/"'' with ''"-"'' (e.g. ''"master"'', ''"feature-msi"'' etc.). 2. The build process expects the downloaded tarball to be named ''openvpn-.tar.gz''; GitHub delivers ''.tar.gz''. Set the ''OPENVPN_URL'' to ''"!https://github.com//openvpn/archive/.tar.gz/openvpn-2.6_git.tar.gz"''. The extra trailing ''/openvpn-2.6_git.tar.gz'' makes the downloaded tarball named reasonable to the build process: it begins with ''openvpn'' and it contains a version in the form of ''-![0-9].*''. == Building OpenVPN and it's dependencies == The ''./build'' command fetches all the dependencies, builds them and builds OpenVPN. To build a native binary: {{{ $ IMAGEROOT=`pwd`/image-native ./build }}} To build for Windows 32bit on Linux 64bit: {{{ $ IMAGEROOT=`pwd`/image-win32 CHOST=i686-w64-mingw32 \ CBUILD=x86_64-pc-linux-gnu ./build }}} To build for Windows 64bit on Linux 64bit: {{{ $ IMAGEROOT=`pwd`/image-win64 CHOST=x86_64-w64-mingw32 \ CBUILD=x86_64-pc-linux-gnu ./build }}} To build for Arm on Linux 64bit: {{{ $ IMAGEROOT=`pwd`/image-arm CHOST=arm-linux-gnueabi \ CBUILD=x86_64-pc-linux-gnu ./build }}} If you get an error complaining about missing libpam, add ''--disable-plugin-auth-pam'' to ''generic/build.vars'': {{{ EXTRA_OPENVPN_CONFIG="${EXTRA_OPENVPN_CONFIG:---enable-password-save --disable-debug --disable-snappy --disable-plugin-auth-pam}" }}} == Building dependencies only == To build only dependencies (helpful for developers): {{{ $ DO_ONLY_DEPS=1 IMAGEROOT=`pwd`/deps-win32 CHOST=i686-w64-mingw32 \ CBUILD=x86_64-pc-linux-gnu ./build }}} For typical OpenVPN installations you'll most likely want to use something like this: {{{ $ DEP=location of the dependencies $ ./configure host=... \ CFLAGS="-I$DEP/include" LDFLAGS="-L$DEB/lib" \ --enable-pkcs11 \ PKCS11_HELPER_CFLAGS=" " PKCS11_HELPER_LIBS="-lpkcs11-helper" }}} == Cleaning up == If you want to start from scratch, do {{{ $ cd openvpn-build/generic $ rm -f sources/* $ rm -rf image-* }}} = Creating a NSIS installer ("windows-nsis" subdir) = == Building and packaging == You can use the scripts in ''openvpn-build/windows-nsis'' to create a [http://nsis.sourceforge.net NSIS] installer for Windows. The scripts use the generic build system to build OpenVPN and it's dependencies (e.g. lzo, openssl), and use [http://sourceforge.net/projects/osslsigncode osslsigncode] for signing the resulting binaries, if requested. NSIS must be available on system. If installed not in path or standard location set MAKENSIS environment variable. Same goes for OSSLSIGNCODE. First check out ''openvpn-build'' as described [wiki:BuildingUsingGenericBuildsystem#Checkingoutopenvpn-buildrepository here]. Check ''build-complete.vars'' for variables which you can set in the shell to point the ''build-complete'' script to the correct dependency packages (''easy-rsa'' and ''tap-windows''). If you're building a snapshot, ensure that OPENVPN_VERSION in ''version.m4'' (in Git) matches that in ''../generic/build.vars''; also make sure other variables in that file are correct. Then, if you want to build an (unsigned) installer, do the following: {{{ $ cd openvpn-build/windows-nsis $ ./build-snapshot }}} '''NOTE:''' Ensure that ''OPENVPN_VERSION'' is set to the same value as in ''version.m4'' in OpenVPN sources . If you want to build a signed ''snapshot'' installer (with all included libraries and executables signed) use something like this instead: {{{ $ ./build-snapshot --sign --sign-pkcs12=signingkey.p12 --sign-pkcs12-pass=yourpassphrase --sign-timestamp="http://timestamp.domain.com" }}} If you're doing a release build, use ''build-complete'' instead: {{{ $ ./build-complete --sign --sign-pkcs12=signingkey.p12 --sign-pkcs12-pass=yourpassphrase --sign-timestamp="http://timestamp.domain.com" }}} If you wish to cut down compile time you can use the dependency cache feature. Refer to ''windows-nsis/README'' for more information on it's usage. To make sure fresh tarballs are used, empty ./sources directory before building. == Packaging without building == If you're making changes to the NSI installer (openvpn.nsi), you may want to skip all of the building steps and just generate the installers manually. In this case you can use something like this: {{{ makensis -DARCH=x86_64 -DVERSION_STRING=2.4_alpha1-I601 -DOPENVPN_ROOT=tmp\\installer\\openvpn -DTAP_WINDOWS_INSTALLER=tmp\\tap-windows-9.21.2.exe -DOPENVPNSERV2_EXECUTABLE=tmp\\openvpnserv2-1.1.0.0.exe -DSPECIAL_BUILD -DEASYRSA_ROOT=tmp\\installer\\easy-rsa -DOUTPUT=./openvpn-test.exe -DPACKAGE_NAME=OpenVPN openvpn.nsi }}} This has been tested with OpenVPN 2.4-alpha1 builds, but may fail on other versions due to missing defines (-D). So make sure the variables match your latest complete build. = Building natively on Windows using the MSVC toolchain ("msvc" subdir) = Content moved [wiki:BuildingUsingMsvcBuildsystem here]. = Building TAP-Windows = Content moved [wiki:BuildingTapWindows here]. = Code-signing = The [http://sourceforge.net/projects/osslsigncode/ osslsigncode] tool is used to sign OpenVPN installer, libraries and executables. [http://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx SignTool] is used to sign the TAP-drivers. Official OpenVPN releases will be signed with OpenVPN Technologies, Inc. code signing keys. However, it's fairly easy to build a custom version of OpenVPN and sign it with your own code-signing keys. Installation instructions for osslsigncode are available [wiki:SettingUpGenericBuildsystem here]. = Making the release builds of OpenVPN = We've now described building the various components of OpenVPN in isolation. In this chapter we put all of it together. == Building signed Windows installers and executables == Building Windows executables and installers is one of the most painful parts of OpenVPN release process due to code-signing requirements etc. To generate universally useful installers you need the following: * Code-signing (=SPC) certificates * Kernel-mode code-signing certificate * CA's cross-certificate for kernel-mode code-signing * User-mode code-signing certificate (a.k.a. Microsoft Authenticode certificate) * A Windows build computer (for building and signing tap-windows) * *NIX build computer (for building and signing everything else) * Lots of patience The build process is ''fairly'' straightforward: * Get the SPC certificates from a CA * Copy the kernel-mode and cross-certificates to the Windows build computer * Copy the user-mode code-signing certificate to the *NIX build computer * Generate an ''easy-rsa'' tarball and put it on a webserver * Generate an ''openvpn-gui'' tarball (unless one has been generated for you): * [http://sourceforge.net/scm/?type=git&group_id=248281 Clone] the [http://sourceforge.net/projects/openvpn-gui/ new openvpn-gui] git repository * Edit ''openvpn-gui/configure.ac'' to change the version number * Run ''autoreconf -vif'' in the ''openvpn-gui'' directory * Run ''make dist'' in the ''openvpn-gui'' directory to produce tarball. * Put the resulting archive on a webserver * Optionally, build ''tap-windows'' and put the latest installer on a webserver * Setup ''openvpn-build/generic/build.vars'' to suit your needs: * dependency locations * build flags * Setup ''openvpn-build/windows-nsis/build-complete.vars'' to suit your needs: * ''easy-rsa'' tarball location * ''tap-windows'' installer location * Ensure your mingw-w64 installation is up-to-date and/or patched * Build the whole thing using ''openvpn-build/windows-nsis/build-complete'' * '''NOTE:''' ''build-snapshot'' is meant for building ''snapshots'', not release packages See corresponding sections for more detailed documentation. = External links = '''Official OpenVPN Git repositories''' * https://github.com/OpenVPN/openvpn * https://github.com/OpenVPN/openvpn-build * https://github.com/OpenVPN/openvpn-vagrant * https://github.com/OpenVPN/tap-windows * https://github.com/OpenVPN/easy-rsa '''Unofficial Git repositories''' * https://github.com/mattock/openvpn-build (openvpn-build with Debian and RPM packaging files, documentation [wiki:CreatingUnixPackages here])