1 Installation instructions for OpenVPN, a Secure Tunneling Daemon
3 Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software;
4 you can redistribute it and/or modify
5 it under the terms of the GNU General Public License version 2
6 as published by the Free Software Foundation.
8 *************************************************************************
13 ./configure && make && make-install
15 Windows MinGW, using MSYS bash shell:
16 ./domake-win (see comments in the script for more info)
18 Windows Visual Studio:
19 python win\build_all.py
21 *************************************************************************
23 To download OpenVPN, go to:
25 http://openvpn.net/download.html
27 For step-by-step installation instructions with real-world
30 http://openvpn.net/howto.html
34 http://openvpn.net/examples.html
36 *************************************************************************
41 (3) OpenBSD 3.0+ (Comes with OpenSSL and TUN devices by default)
45 (7) Windows (WinXP and higher)
47 SUPPORTED PROCESSOR ARCHITECTURES:
48 In general, OpenVPN is word size and endian independent, so
49 most processors should be supported. Architectures known to
50 work include Intel x86, Alpha, Sparc, Amd64, and ARM.
53 (1) TUN and/or TAP driver to allow user-space programs to control
54 a virtual point-to-point IP or Ethernet device. See
55 TUN/TAP Driver Configuration section below for more info.
57 OPTIONAL (but recommended):
58 (1) OpenSSL library, necessary for encryption, version 0.9.5 or higher
59 required, available from http://www.openssl.org/
60 (2) LZO real-time compression library, required for link compression,
61 available from http://www.oberhumer.com/opensource/lzo/
62 OpenBSD users can use ports or packages to install lzo, but remember
63 to add "--with-lzo-headers" and "--with-lzo-lib" directives to
64 "configure", pointing to /usr/local/include and /usr/local/lib
65 respectively since gcc will not find them otherwise.
68 OPTIONAL (for developers only):
69 (1) Autoconf 2.50 or higher + Automake 1.5 or higher
70 -- available from http://www.gnu.org/software/software.html
72 -- available from http://dmalloc.com/
74 *************************************************************************
76 CHECK OUT SOURCE FROM SUBVERSION REPOSITORY:
78 Check out stable version:
80 svn checkout http://svn.openvpn.net/projects/openvpn/trunk/openvpn openvpn
82 Check out beta21 branch:
84 svn checkout http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn openvpn
86 *************************************************************************
88 BUILD COMMANDS FROM TARBALL:
94 *************************************************************************
96 BUILD COMMANDS FROM SUBVERSION REPOSITORY CHECKOUT:
103 *************************************************************************
105 BUILD A TARBALL FROM SUBVERSION REPOSITORY CHECKOUT:
111 *************************************************************************
113 LOOPBACK TESTS (after BUILD):
115 make check (Run all tests below)
119 ./openvpn --genkey --secret key
120 ./openvpn --test-crypto --secret key
122 Test SSL/TLS negotiations (runs for 2 minutes):
124 ./openvpn --config sample-config-files/loopback-client (In one window)
125 ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
127 *************************************************************************
129 OPTIONS for ./configure:
131 --enable-pthread Compile pthread support for
132 improved latency during SSL/TLS key
133 negotiations (Linux or Solaris only)
135 --disable-lzo Do not compile LZO compression support
136 --disable-crypto Do not compile OpenSSL crypto support
137 --disable-ssl Do not compile OpenSSL SSL support for
138 TLS-based key exchange
140 --with-ssl-headers=DIR Crypto/SSL Include files location
141 --with-ssl-lib=DIR Crypto/SSL Library location
142 --with-lzo-headers=DIR LZO Include files location
143 --with-lzo-lib=DIR LZO Library location
145 --with-ifconfig-path=PATH Path to ifconfig tool (only need to
146 specify if in a non-standard location)
148 --with-leak-check=TYPE Build with memory leak checking
149 TYPE = dmalloc or ssl
151 --enable-strict Enable strict compiler warnings
153 --enable-strict-options Enable strict options check between peers
155 *************************************************************************
157 BUILDING ON LINUX 2.4+ FROM RPM
159 You can build a binary RPM directly from the OpenVPN tarball file:
161 rpmbuild -tb [tarball]
163 This command will build a binary RPM file and place it in the system
164 RPM directory. You can then install the RPM with the standard RPM
167 rpm -ivh [binary-rpm]
169 When you install the binary RPM, it will install
170 sample-scripts/openvpn.init, which can be used to
171 automatically start or stop one or more OpenVPN tunnels on system
172 startup or shutdown, based on OpenVPN .conf files in /etc/openvpn.
173 See the comments in openvpn.init for more information.
175 Installing the RPM will also configure the TUN/TAP device node
178 Note that the current openvpn.spec file, which instructs the rpm tool
179 how to build a package, will build OpenVPN with all options enabled,
180 including OpenSSL, LZO, and pthread linkage. Therefore all of
181 these packages will need to be present prior to the RPM build, unless
182 you edit the openvpn.spec file.
184 *************************************************************************
186 TUN/TAP Driver Configuration:
188 * Linux 2.4 or higher (with integrated TUN/TAP driver):
190 (1) make device node: mknod /dev/net/tun c 10 200
191 (2a) add to /etc/modules.conf: alias char-major-10-200 tun
192 (2b) load driver: modprobe tun
193 (3) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward
195 Note that either of steps (2a) or (2b) is sufficient. While (2a)
196 only needs to be done once per install, (2b) needs to be done once
197 per reboot. If you install from RPM (see above) and use the
198 openvpn.init script, these steps are taken care of for you.
200 * Linux 2.2 or Solaris:
203 version 1.1 of the TUN/TAP driver from
204 http://vtun.sourceforge.net/tun/
205 and follow the installation instructions.
207 If you use OpenVPN on Linux 2.2 or 2.4 or Solaris, you may be
208 suffering from a bug which causes connections to hang under heavy load.
209 The symptoms are very similar to the MTU problems discussed frequently
210 in the OpenVPN mailing lists. But it turns out that this bug is not caused by
211 MTU problems. It's a bug in the tun/tap driver. A patch is provided here:
213 http://openvpn.net/patch/tun-sb.patch
217 For 64 bit, I used the tun-1.1.tar.gz source and compiled it.
219 Of course there is a but :)
220 In the tun-1-1\solaris\Makefile I changed a line so it compiles with 64 bit
222 CFLAGS = $(DEFS) -m64 -O2 -Wall -D_KERNEL -I.
224 I just added -m64 and it worked.
226 The tun driver works fine as said previously, however we noticed there is a
227 minor problem when creating multiple tunnels on Solaris.
228 Mr Tycho Fruru changed the code in tun.c file where he locked the tun device
229 number to -1. This way it is impossible to specify the name of the tun device
230 but it is still possible to have multiple devices.
231 The modification will increment automatically meaning starting from tun0 --->
232 tunX I know you are not responsible for the tun coding but if you think the
233 modification can be useful for you feel free to use it.
235 http://openvpn.net/solaris/tun.c
239 FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0,
240 tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default.
241 However, only the TUN driver is linked into the GENERIC kernel.
243 To load the TAP driver, enter:
247 See man rc(8) to find out how you can do this at boot time.
249 The easiest way is to install OpenVPN from the FreeBSD ports system,
250 the port includes a sample script to automatically load the TAP driver
255 OpenBSD ships with tun0 and tun1 installed by default on pre-3.5 systems,
256 while 3.5 and later have dynamically created tun* devices so you only need
257 to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun
258 you plan to use to create the device(s) at boot.
262 2005.02.13: Angelo Laub has developed a GUI for OS X:
264 http://rechenknecht.net/OpenVPN-GUI/
266 2004.10.26: Mattias Nissler has developed a new TUN/TAP driver for
269 http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
271 Christoph Pfisterer's old TUN driver can be obtained at
272 http://chrisp.de/en/projects/tunnel.html -- note that it
273 is no longer being maintained.
277 The kernel module for solaris
278 can be generated by adding the -m64 switch to a modern
279 gcc compiler (I'm using 3.2) The resulting kernel driver
280 needs to be manually copied to /kernel/drv/sparcv9/ and then a
281 reconfiguration reboot. (boot -r).
283 * Windows XP/2003/Vista
285 See domake-win for building instructions.
286 See INSTALL-win32.txt for usage info.
288 See the man page for more information, usage examples, and
289 information on firewall configuration.
291 *************************************************************************
295 * I have noticed cases where TCP sessions tunneled over the Linux
296 TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix
297 values are used. The TCP sessions appear to unstall and resume
298 normally when the remote VPN endpoint is pinged.
300 * If run through a firewall using OpenBSDs packet filter PF and the
301 filter rules include a "scrub" directive, you may get problems talking
302 to Linux hosts over the tunnel, since the scrubbing will kill packets
303 sent from Linux hosts if they are fragmented. This is usually seen as
304 tunnels where small packets and pings get through but large packets
305 and "regular traffic" don't. To circumvent this, add "no-df" to
306 the scrub directive so that the packet filter will let fragments with
307 the "dont fragment"-flag set through anyway.
309 * Mixing OFB or CFB cipher modes with static key mode is not recommended,
310 and is flagged as an error on OpenVPN versions 1.2.1 and greater.
311 If you use the --cipher option to explicitly select an OFB or CFB
312 cipher AND you are using static key mode, it is possible that there
313 could be an IV collision if the OpenVPN daemons on both sides
314 of the connection are started at exactly the same time, since
315 OpenVPN uses a timestamp combined with a sequence number as the cipher
316 IV for OFB and CFB modes. This is not an issue if you are
317 using CBC cipher mode (the default), or if you are using OFB or CFB
318 cipher mode with SSL/TLS authentication.
320 ******************************************************************************
322 Subject: [Openvpn-users] Re: Windows XP 64 bit
324 Date: Thu, 14 Apr 2005 07:01:17 +0000 (UTC)
326 Well I managed to build a Windows XP 64 bit driver myself and it's working
327 great, I can connect to my server again :)
329 I had to use the WinDDK for Windows 2003 Service Pack 1 and just built the
330 driver in the Windows 2003 AMD64 environment. I had to comment out the
331 MAPINFO:FIXUPS directive in the SOURCES file.
333 Then I copied and renamed (devcon.exe/tapinstall.exe) from
334 C:\WINDDK\3790.1830\tools\devcon\amd64.
336 I had to edit the file OemWin2k.inf and change the Manufactured + Product
340 %Provider% = tap0901, NTamd64
343 %DeviceDescription% = tap0901.ndi, tap0901