Installation instructions for OpenVPN, a Secure Tunneling Daemon

Copyright (C) 2002-2008 Telethra, Inc. This program is free software;
you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2
as published by the Free Software Foundation.

*************************************************************************
  ./configure && make && make install

  ./domake-win (see comments in the script for more info)

*************************************************************************
To download OpenVPN, go to:

  http://openvpn.net/download.html

For step-by-step installation instructions with real-world

  http://openvpn.net/howto.html

  http://openvpn.net/examples.html

*************************************************************************
  (3) OpenBSD 3.0+ (Comes with OpenSSL and TUN devices by default)
  (7) Windows (Win 2K and higher)

SUPPORTED PROCESSOR ARCHITECTURES:
  In general, OpenVPN is word size and endian independent, so
  most processors should be supported. Architectures known to
  work include Intel x86, Alpha, Sparc, Amd64, and ARM.

  (1) TUN and/or TAP driver to allow user-space programs to control
      a virtual point-to-point IP or Ethernet device. See
      TUN/TAP Driver Configuration section below for more info.

OPTIONAL (but recommended):
  (1) OpenSSL library, necessary for encryption, version 0.9.5 or higher
      required, available from http://www.openssl.org/
  (2) LZO real-time compression library, required for link compression,
      available from http://www.oberhumer.com/opensource/lzo/
      OpenBSD users can use ports or packages to install lzo, but remember
      to add "--with-lzo-headers" and "--with-lzo-lib" directives to
      "configure", pointing to /usr/local/include and /usr/local/lib
      respectively since gcc will not find them otherwise.

OPTIONAL (for developers only):
  (1) Autoconf 2.50 or higher + Automake 1.5 or higher
      -- available from http://www.gnu.org/software/software.html

      -- available from http://dmalloc.com/

*************************************************************************
CHECK OUT SOURCE FROM SUBVERSION REPOSITORY:

  Check out stable version:

    svn checkout http://svn.openvpn.net/projects/openvpn/trunk/openvpn openvpn

  Check out beta21 branch:

    svn checkout http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn openvpn

*************************************************************************
BUILD COMMANDS FROM TARBALL:

*************************************************************************

BUILD COMMANDS FROM SUBVERSION REPOSITORY CHECKOUT:

*************************************************************************

BUILD A TARBALL FROM SUBVERSION REPOSITORY CHECKOUT:

*************************************************************************
LOOPBACK TESTS (after BUILD):

  make check (Run all tests below)

  ./openvpn --genkey --secret key
  ./openvpn --test-crypto --secret key

  Test SSL/TLS negotiations (runs for 2 minutes):

  ./openvpn --config sample-config-files/loopback-client (In one window)
  ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)

*************************************************************************
OPTIONS for ./configure:

  --enable-pthread            Compile pthread support for
                              improved latency during SSL/TLS key
                              negotiations (Linux or Solaris only)

  --disable-lzo               Do not compile LZO compression support
  --disable-crypto            Do not compile OpenSSL crypto support
  --disable-ssl               Do not compile OpenSSL SSL support for
                              TLS-based key exchange

  --with-ssl-headers=DIR      Crypto/SSL Include files location
  --with-ssl-lib=DIR          Crypto/SSL Library location
  --with-lzo-headers=DIR      LZO Include files location
  --with-lzo-lib=DIR          LZO Library location

  --with-ifconfig-path=PATH   Path to ifconfig tool (only need to
                              specify if in a non-standard location)

  --with-leak-check=TYPE      Build with memory leak checking
                              TYPE = dmalloc or ssl

  --enable-strict             Enable strict compiler warnings

  --enable-strict-options     Enable strict options check between peers

*************************************************************************
BUILDING ON LINUX 2.4+ FROM RPM

You can build a binary RPM directly from the OpenVPN tarball file:

  rpmbuild -tb [tarball]

This command will build a binary RPM file and place it in the system
RPM directory. You can then install the RPM with the standard RPM

  rpm -ivh [binary-rpm]

When you install the binary RPM, it will install
sample-scripts/openvpn.init, which can be used to
automatically start or stop one or more OpenVPN tunnels on system
startup or shutdown, based on OpenVPN .conf files in /etc/openvpn.
See the comments in openvpn.init for more information.

Installing the RPM will also configure the TUN/TAP device node

Note that the current openvpn.spec file, which instructs the rpm tool
how to build a package, will build OpenVPN with all options enabled,
including OpenSSL, LZO, and pthread linkage. Therefore all of
these packages will need to be present prior to the RPM build, unless
you edit the openvpn.spec file.

*************************************************************************
TUN/TAP Driver Configuration:

* Linux 2.4 or higher (with integrated TUN/TAP driver):

  (1)  make device node:          mknod /dev/net/tun c 10 200
  (2a) add to /etc/modules.conf:  alias char-major-10-200 tun
  (2b) load driver:               modprobe tun
  (3)  enable routing:            echo 1 > /proc/sys/net/ipv4/ip_forward

  Note that either of steps (2a) or (2b) is sufficient. While (2a)
  only needs to be done once per install, (2b) needs to be done once
  per reboot. If you install from RPM (see above) and use the
  openvpn.init script, these steps are taken care of for you.

* Linux 2.2 or Solaris:

  version 1.1 of the TUN/TAP driver from
  http://vtun.sourceforge.net/tun/
  and follow the installation instructions.

  If you use OpenVPN on Linux 2.2 or 2.4 or Solaris, you may be
  suffering from a bug which causes connections to hang under heavy load.
  The symptoms are very similar to the MTU problems discussed frequently
  in the OpenVPN mailing lists. But it turns out that this bug is not caused by
  MTU problems. It's a bug in the tun/tap driver. A patch is provided here:

  http://openvpn.net/patch/tun-sb.patch

  For 64 bit, I used the tun-1.1.tar.gz source and compiled it.

  Of course there is a but :)
  In the tun-1-1\solaris\Makefile I changed a line so it compiles with 64 bit

  CFLAGS = $(DEFS) -m64 -O2 -Wall -D_KERNEL -I.

  I just added -m64 and it worked.

  The tun driver works fine as said previously, however we noticed there is a
  minor problem when creating multiple tunnels on Solaris.
  Mr Tycho Fruru changed the code in tun.c file where he locked the tun device
  number to -1. This way it is impossible to specify the name of the tun device
  but it is still possible to have multiple devices.
  The modification will increment automatically meaning starting from tun0 --->
  tunX. I know you are not responsible for the tun coding but if you think the
  modification can be useful for you feel free to use it.

  http://openvpn.net/solaris/tun.c

  FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0,
  tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default.
  However, only the TUN driver is linked into the GENERIC kernel.

  To load the TAP driver, enter:

  See man rc(8) to find out how you can do this at boot time.

  The easiest way is to install OpenVPN from the FreeBSD ports system,
  the port includes a sample script to automatically load the TAP driver

  OpenBSD ships with tun0 and tun1 installed by default on pre-3.5 systems,
  while 3.5 and later have dynamically created tun* devices so you only need
  to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun
  you plan to use to create the device(s) at boot.

  2005.02.13: Angelo Laub has developed a GUI for OS X:

  http://rechenknecht.net/OpenVPN-GUI/

  2004.10.26: Mattias Nissler has developed a new TUN/TAP driver for

  http://www-user.rhrk.uni-kl.de/~nissler/tuntap/

  Christoph Pfisterer's old TUN driver can be obtained at
  http://chrisp.de/en/projects/tunnel.html -- note that it
  is no longer being maintained.

  The kernel module for Solaris
  can be generated by adding the -m64 switch to a modern
  gcc compiler (I'm using 3.2). The resulting kernel driver
  needs to be manually copied to /kernel/drv/sparcv9/ and then a
  reconfiguration reboot (boot -r).

* Windows 2000/XP/2003/Vista

  See domake-win for building instructions.
  See INSTALL-win32.txt for usage info.

See the man page for more information, usage examples, and
information on firewall configuration.

*************************************************************************

* I have noticed cases where TCP sessions tunneled over the Linux
  TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix
  values are used. The TCP sessions appear to unstall and resume
  normally when the remote VPN endpoint is pinged.

* If run through a firewall using OpenBSD's packet filter PF and the
  filter rules include a "scrub" directive, you may get problems talking
  to Linux hosts over the tunnel, since the scrubbing will kill packets
  sent from Linux hosts if they are fragmented. This is usually seen as
  tunnels where small packets and pings get through but large packets
  and "regular traffic" don't. To circumvent this, add "no-df" to
  the scrub directive so that the packet filter will let fragments with
  the "don't fragment" flag set through anyway.

* Mixing OFB or CFB cipher modes with static key mode is not recommended,
  and is flagged as an error on OpenVPN versions 1.2.1 and greater.
  If you use the --cipher option to explicitly select an OFB or CFB
  cipher AND you are using static key mode, it is possible that there
  could be an IV collision if the OpenVPN daemons on both sides
  of the connection are started at exactly the same time, since
  OpenVPN uses a timestamp combined with a sequence number as the cipher
  IV for OFB and CFB modes. This is not an issue if you are
  using CBC cipher mode (the default), or if you are using OFB or CFB
  cipher mode with SSL/TLS authentication.
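
The static key plus OFB/CFB combination described above can be caught in a
config file before a tunnel is started. The shell function below is an added
example, not part of the OpenVPN distribution: the function name and the
sample configs are made up for illustration, and it assumes one directive
per line in the config file.

```shell
#!/bin/sh
# Added example (not from the OpenVPN distribution): pre-flight check for
# the static-key + OFB/CFB combination. check_static_key_cipher is a
# hypothetical helper name; the configs in demo() are constructed samples.

# Usage: check_static_key_cipher FILE   (or pipe a config on stdin)
# Prints "ok" and returns 0, or prints "risky: <CIPHER>" and returns 1.
check_static_key_cipher() {
    awk '
        /^[ \t]*[#;]/ { next }                   # skip comment lines
        $1 == "secret" { static_key = 1 }        # static key mode
        # "client" is a helper directive that implies tls-client
        $1 == "tls-client" || $1 == "tls-server" || $1 == "client" { tls = 1 }
        $1 == "cipher" { cipher = toupper($2) }  # e.g. BF-CBC, AES-128-OFB
        END {
            # Matches OFB, CFB and the CFB1/CFB8 variants. No cipher line
            # means the default, which the text above states is CBC.
            if (static_key && !tls && cipher ~ /-(OFB|CFB[0-9]*)$/) {
                print "risky: " cipher
                exit 1
            }
            print "ok"
        }
    ' "$@"
}

demo() {
    # Constructed sample: static key mode with an explicit OFB cipher.
    printf '%s\n' 'dev tun' 'secret static.key' 'cipher AES-128-OFB' |
        check_static_key_cipher || echo "  -> use CBC or SSL/TLS mode instead"
    # Constructed sample: same cipher, but keys negotiated over SSL/TLS.
    printf '%s\n' 'dev tun' 'tls-client' 'cipher AES-128-OFB' |
        check_static_key_cipher
}

demo
```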

******************************************************************************

Subject: [Openvpn-users] Re: Windows XP 64 bit
Date: Thu, 14 Apr 2005 07:01:17 +0000 (UTC)

Well I managed to build a Windows XP 64 bit driver myself and it's working
great, I can connect to my server again :)

I had to use the WinDDK for Windows 2003 Service Pack 1 and just built the
driver in the Windows 2003 AMD64 environment. I had to comment out the
MAPINFO:FIXUPS directive in the SOURCES file.

Then I copied and renamed (devcon.exe/tapinstall.exe) from
C:\WINDDK\3790.1830\tools\devcon\amd64.

I had to edit the file OemWin2k.inf and change the Manufactured + Product

%Provider% = tap0901, NTamd64

%DeviceDescription% = tap0901.ndi, tap0901