INSTALL
 Installation instructions for OpenVPN, a Secure Tunneling Daemon
 
 Copyright (C) 2002-2019 OpenVPN Inc. This program is free software;
 you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 2
 as published by the Free Software Foundation.
 
 *************************************************************************
 
 QUICK START:
 
   Unix:
     ./configure && make && make install
 
 *************************************************************************
 
 To download OpenVPN source code of releases, go to:
 
     https://openvpn.net/community-downloads/
 
 OpenVPN releases are also available as Debian/RPM packages:
 
     https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
 
 OpenVPN development versions can be found here:
 
    https://github.com/OpenVPN/openvpn
    https://gitlab.com/OpenVPN/openvpn
    https://sourceforge.net/p/openvpn/openvpn/ci/master/tree/
 
 They should all be in sync at any time.
 
 To download easy-rsa go to:
 
     https://github.com/OpenVPN/easy-rsa
 
 To download tap-windows (NDIS 6) driver source code go to:
 
     https://github.com/OpenVPN/tap-windows6
 
 To get the cross-compilation environment go to:
 
     https://github.com/OpenVPN/openvpn-build
 
 For step-by-step instructions with real-world examples see:
 
     https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
     https://community.openvpn.net/openvpn/wiki
     https://openvpn.net/community-resources/
 
 Also see the man page for more information.
 
 *************************************************************************
 
 SUPPORTED PLATFORMS:
   (1) Linux (kernel 2.6+)
   (2) Solaris
   (3) OpenBSD 5.1+
   (4) Mac OS X Darwin 10.5+
   (5) FreeBSD 7.4+
   (6) NetBSD 5.0+
   (7) Windows Vista or later for OpenVPN 2.4
   (8) Windows XP or later for OpenVPN 2.3
 
 SUPPORTED PROCESSOR ARCHITECTURES:
    In general, OpenVPN is word size and endian independent, so
    most processors should be supported.  Architectures known to
    work include Intel x86, Alpha, Sparc, Amd64, and ARM.
 
 REQUIRES:
   (1) TUN and/or TAP driver to allow user-space programs to control
       a virtual point-to-point IP or Ethernet device.  See
       TUN/TAP Driver Configuration section below for more info.
   (2) OpenSSL library, necessary for encryption, version 1.0.2 or higher
       required, available from http://www.openssl.org/
       or
   (3) mbed TLS library, an alternative for encryption, version 2.0 or higher
       required, available from https://tls.mbed.org/
 
 OPTIONAL:
   (3) LZO real-time compression library, required for link compression,
       available from http://www.oberhumer.com/opensource/lzo/
       OpenBSD users can use ports or packages to install lzo, but remember
       to add CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
       directives to "configure", since gcc will not find them otherwise.
 
 OPTIONAL (for developers only):
   (1) Autoconf 2.59 or higher + Automake 1.9 or higher
       -- available from http://www.gnu.org/software/software.html
   (2) Dmalloc library
       -- available from http://dmalloc.com/
   (3) If using t_client.sh test framework, fping/fping6 is needed
       -- Available from http://www.fping.org/
       Note: t_client.sh needs an external configured OpenVPN server.
       See t_client.rc-sample for more info.
 
 *************************************************************************
 
 CHECK OUT SOURCE FROM SOURCE REPOSITORY:
 
   Clone the repository:
 
     git clone https://github.com/OpenVPN/openvpn
     git clone https://gitlab.com/OpenVPN/openvpn
     git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn
 
   Check out stable version:
 
     git checkout release/2.4
 
   Check out master (unstable) branch:
 
     git checkout master
 
 
 *************************************************************************
 
 BUILD COMMANDS FROM TARBALL:
 
 	./configure
 	make
 	make install
 
 *************************************************************************
 
 BUILD COMMANDS FROM SOURCE REPOSITORY CHECKOUT:
 
 	autoreconf -i -v -f
 	./configure
 	make
 	make install
 
 *************************************************************************
 
 BUILD A TARBALL FROM SOURCE REPOSITORY CHECKOUT:
 
 	autoreconf -i -v -f
 	./configure
 	make distcheck
 
 *************************************************************************
 
 TESTS (after BUILD):
 
 make check (Run all tests below)
 
 Test Crypto:
 
 ./openvpn --genkey secret key
 ./openvpn --test-crypto --secret key
 
 Test SSL/TLS negotiations (runs for 2 minutes):
 
 ./openvpn --config sample/sample-config-files/loopback-client (In one window)
 ./openvpn --config sample/sample-config-files/loopback-server (Simultaneously in another window)
 
 For more thorough client-server tests you can configure your own, private test
 environment. See tests/t_client.rc-sample for details.
 
 To do the C unit tests, you need to have the "cmocka" test framework
 installed on your system.  More recent distributions already ship this
 as part of their packages/ports.  If your system does not have it,
 you can install cmocka with these commands:
 
   $ git clone https://git.cryptomilk.org/projects/cmocka.git
   $ cd cmocka
   $ mkdir build
   $ cd build
   $ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DCMAKE_BUILD_TYPE=Debug ..
   $ make
   $ sudo make install
 
 
 *************************************************************************
 
 OPTIONS for ./configure:
 
   --disable-lzo           disable LZO compression support [default=yes]
   --disable-lz4           Disable LZ4 compression support
   --enable-comp-stub      Don't compile compression support but still allow limited interoperability with compression-enabled peers
   --disable-crypto        disable crypto support [default=yes]
   --disable-ofb-cfb       disable support for OFB and CFB cipher modes
                           [default=yes]
   --enable-x509-alt-username
                           enable the --x509-username-field feature
                           [default=no]
   --disable-server        disable server support only (but retain client
                           support) [default=yes]
   --disable-plugins       disable plug-in support [default=yes]
   --disable-management    disable management server support [default=yes]
   --enable-pkcs11         enable pkcs11 support [default=no]
   --disable-fragment      disable internal fragmentation support (--fragment)
                           [default=yes]
   --disable-multihome     disable multi-homed UDP server support (--multihome)
                           [default=yes]
   --disable-port-share    disable TCP server port-share support (--port-share)
                           [default=yes]
   --disable-debug         disable debugging support (disable gremlin and verb
                           7+ messages) [default=yes]
   --enable-small          enable smaller executable size (disable OCC, usage
                           message, and verb 4 parm list) [default=no]
   --enable-iproute2       enable support for iproute2 [default=no]
   --disable-def-auth      disable deferred authentication [default=yes]
   --disable-pf            disable internal packet filter [default=yes]
   --disable-plugin-auth-pam
                           disable auth-pam plugin [default=platform specific]
   --disable-plugin-down-root
                           disable down-root plugin [default=platform specific]
   --enable-pam-dlopen     dlopen libpam [default=no]
   --enable-strict         enable strict compiler warnings (debugging option)
                           [default=no]
   --enable-pedantic       enable pedantic compiler warnings, will not generate
                           a working executable (debugging option) [default=no]
   --enable-werror         promote compiler warnings to errors, will cause
                           builds to fail if the compiler issues warnings
                           (debugging option) [default=no]
   --enable-strict-options enable strict options check between peers (debugging
                           option) [default=no]
   --enable-selinux        enable SELinux support [default=no]
   --enable-systemd        enable systemd support [default=no]
   --enable-async-push     enable async-push support for plugins providing
                           deferred authentication [default=no]
 
 ENVIRONMENT for ./configure:
 
   PLUGINDIR   Path of plug-in directory [default=LIBDIR/openvpn/plugins]
   IFCONFIG    full path to ifconfig utility
   ROUTE       full path to route utility
   IPROUTE     full path to ip utility
   NETSTAT     path to netstat utility
   GIT         path to git utility
   SYSTEMD_ASK_PASSWORD
               path to systemd-ask-password utility
   SYSTEMD_UNIT_DIR
               Path of systemd unit directory [default=LIBDIR/systemd/system]
   TMPFILES_DIR
               Path of tmpfiles directory [default=LIBDIR/tmpfiles.d]
   RST2MAN     Path to rst2man utility
   RST2HTML    Path to rst2html utility
 
 ENVIRONMENT variables adjusting parameters related to dependencies
 
   TAP_CFLAGS  C compiler flags for tap
   LIBPAM_CFLAGS
               C compiler flags for libpam
   LIBPAM_LIBS linker flags for libpam
   PKCS11_HELPER_CFLAGS
               C compiler flags for PKCS11_HELPER, overriding pkg-config
   PKCS11_HELPER_LIBS
               linker flags for PKCS11_HELPER, overriding pkg-config
   OPENSSL_CFLAGS
               C compiler flags for OpenSSL
   OPENSSL_LIBS
               linker flags for OpenSSL
   MBEDTLS_CFLAGS
               C compiler flags for mbedtls
   MBEDTLS_LIBS
               linker flags for mbedtls
   LZO_CFLAGS  C compiler flags for lzo
   LZO_LIBS    linker flags for lzo
   LZ4_CFLAGS  C compiler flags for lz4
   LZ4_LIBS    linker flags for lz4
   libsystemd_CFLAGS
               C compiler flags for libsystemd, overriding pkg-config
   libsystemd_LIBS
               linker flags for libsystemd, overriding pkg-config
   P11KIT_CFLAGS
               C compiler flags for P11KIT, overriding pkg-config
   P11KIT_LIBS linker flags for P11KIT, overriding pkg-config
 
 *************************************************************************
 
 Linux distribution packaging:
 
 Each Linux distribution has its own way of doing packaging and its
 own set of guidelines of how proper packaging should be done.  It
 is therefore recommended to reach out to the Linux distributions you
 want to have OpenVPN packaged for directly.  The OpenVPN project wants
 to focus more on the OpenVPN development and less on the packaging
 and how packaging is done in all various distributions.
 
 For more details:
 
 * Arch Linux
   https://www.archlinux.org/packages/?name=openvpn
 
 * Debian
   https://packages.debian.org/search?keywords=openvpn&searchon=names
   https://tracker.debian.org/pkg/openvpn
 
 * Fedora / Fedora EPEL (Red Hat Enterprise Linux/CentOS/Scientific Linux)
   https://apps.fedoraproject.org/packages/openvpn/overview/
   https://src.fedoraproject.org/rpms/openvpn
 
 * Gentoo
   https://packages.gentoo.org/packages/net-vpn/openvpn
   https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/openvpn
 
 * openSUSE
   https://build.opensuse.org/package/show/network:vpn/openvpn
 
 * Ubuntu
   https://packages.ubuntu.com/search?keywords=openvpn
 
 In addition, the OpenVPN community provides a best-effort APT repository
 for Debian and Ubuntu:
 https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
 
 *************************************************************************
 
 TUN/TAP Driver Configuration:
 
 * Linux 2.6 or higher (with integrated TUN/TAP driver):
 
   (1) load driver:              modprobe tun
   (2) enable routing:           echo 1 > /proc/sys/net/ipv4/ip_forward
 
   Note that (1) needs to be done once per reboot.  If you install from RPM (see
   above) and use the openvpn.init script, these steps are taken care of for you.
 
 * FreeBSD:
 
   FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0,
   tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default.
   However, only the TUN driver is linked into the GENERIC kernel.
 
   To load the TAP driver, enter: 
 
 	kldload if_tap
 
   See man rc(8) to find out how you can do this at boot time.
 
   The easiest way is to install OpenVPN from the FreeBSD ports system;
   the port includes a sample script to automatically load the TAP driver
   at boot-up time.
 
 * OpenBSD:
 
   OpenBSD has dynamically created tun* devices so you only need
   to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun
   you plan to use to create the device(s) at boot.
 
 * Solaris:
 
   You need a TUN/TAP kernel driver for OpenVPN to work:
 
     http://www.whiteboard.ne.jp/~admin2/tuntap/
 
 * Windows
 
   OpenVPN on Windows needs a TUN/TAP kernel driver to work. OpenVPN installers
   include this driver, so installing it separately is not usually required.
   Windows XP/2003 must use the NDIS 5 (tap-windows) driver, whereas on more
   recent Windows versions it is recommended to use the NDIS 6 driver
   (tap-windows6) instead.
 
 *************************************************************************
 
 CAVEATS & BUGS:
 
 * I have noticed cases where TCP sessions tunneled over the Linux
   TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix
   values are used.  The TCP sessions appear to unstall and resume
   normally when the remote VPN endpoint is pinged.
 
 * If run through a firewall using OpenBSD's packet filter PF and the
   filter rules include a "scrub" directive, you may get problems talking
   to Linux hosts over the tunnel, since the scrubbing will kill packets
   sent from Linux hosts if they are fragmented. This is usually seen as
   tunnels where small packets and pings get through but large packets
   and "regular traffic" don't. To circumvent this, add "no-df" to
   the scrub directive so that the packet filter will let fragments with
   the "don't fragment" flag set through anyway.
 
 * Mixing OFB or CFB cipher modes with static key mode is not recommended,
   and is flagged as an error on OpenVPN versions 1.2.1 and greater.
   If you use the --cipher option to explicitly select an OFB or CFB
   cipher AND you are using static key mode, it is possible that there
   could be an IV collision if the OpenVPN daemons on both sides
   of the connection are started at exactly the same time, since
   OpenVPN uses a timestamp combined with a sequence number as the cipher
   IV for OFB and CFB modes.  This is not an issue if you are
   using CBC cipher mode (the default), or if you are using OFB or CFB
   cipher mode with SSL/TLS authentication.
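
The OFB/CFB caveat above, as an added example that is not part of the OpenVPN distribution: two static-key peers started in the same second derive the same IV, so their keystreams are identical and the XOR of the two ciphertexts equals the XOR of the two plaintexts. Assumptions: the IV layout in make_iv(), the HMAC-SHA256 stand-in for the block cipher, and all names and sample values are hypothetical and constructed for illustration; both peers are assumed to encrypt with the same static key.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # keystream block size in bytes (AES-sized)

def make_iv(start_time: int, seq: int) -> bytes:
    # Assumed layout (hypothetical): 64-bit timestamp || 64-bit sequence number.
    return struct.pack(">QQ", start_time, seq)

def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # OFB: O_0 = IV, O_i = E_k(O_{i-1}); the keystream is O_1 || O_2 || ...
    # Stand-in: HMAC-SHA256 truncated to one block plays the role of E_k.
    stream, state = b"", iv
    while len(stream) < length:
        state = hmac.new(key, state, hashlib.sha256).digest()[:BLOCK]
        stream += state
    return stream[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, ofb_keystream(key, iv, len(plaintext)))

def first_packets(key, start_a, start_b, msg_a, msg_b):
    """Encrypt each peer's first packet (sequence number 1).

    Returns (ivs_collide, c_a XOR c_b)."""
    iv_a, iv_b = make_iv(start_a, 1), make_iv(start_b, 1)
    c_a, c_b = encrypt(key, iv_a, msg_a), encrypt(key, iv_b, msg_b)
    return iv_a == iv_b, xor(c_a, c_b)

# Constructed sample values, not taken from any real deployment.
STATIC_KEY = bytes(range(32))
MSG_A = b"peer A -> B: ping 10.8.0.2"
MSG_B = b"peer B -> A: ping 10.8.0.1"
T0 = 1_700_000_000

if __name__ == "__main__":
    for start_b in (T0, T0 + 1):
        collide, diff = first_packets(STATIC_KEY, T0, start_b, MSG_A, MSG_B)
        # When the IVs collide, the keystream cancels out of c_a XOR c_b.
        print(f"start_b={start_b} collide={collide} "
              f"leaks_plaintext_xor={diff == xor(MSG_A, MSG_B)}")
```

With SSL/TLS authentication the two directions use different negotiated keys, so an equal IV no longer produces an equal keystream.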