Installation instructions for OpenVPN, a Secure Tunneling Daemon

Copyright (C) 2002 by James Yonan. This program is free software;
you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

*************************************************************************

For the latest stable version of OpenVPN, go to:

http://sourceforge.net/projects/openvpn/

For the latest development version of OpenVPN, go to:

http://openvpn.sourceforge.net/beta/

For step-by-step installation instructions with real-world

http://openvpn.sourceforge.net/howto.html

For basic examples see:

http://openvpn.sourceforge.net/man.html#lbAN

*************************************************************************
(3) OpenBSD 3.0+ (Comes with OpenSSL and TUN devices by default)

(7) Windows (Win 2K + XP only so far -- see INSTALL-win32.txt for more info)

SUPPORTED PROCESSOR ARCHITECTURES:
In general, OpenVPN is word size and endian independent, so
most processors should be supported. Architectures known to
work include Intel x86, Alpha, Sparc, and ARM.

(1) TUN and/or TAP driver to allow user-space programs to control
    a virtual point-to-point IP or Ethernet device. See
    TUN/TAP Driver Configuration section below for more info.

OPTIONAL (but recommended):
(1) OpenSSL library, necessary for encryption, version 0.9.5 or higher
    required, available from http://www.openssl.org/
(2) LZO real-time compression library, required for link compression,
    available from http://www.oberhumer.com/opensource/lzo/
    OpenBSD users can use ports or packages to install lzo, but remember
    to add "--with-lzo-headers" and "--with-lzo-lib" directives to
    "configure", pointing to /usr/local/include and /usr/local/lib
    respectively since gcc will not find them otherwise.

OPTIONAL (for developers only):
(1) Autoconf 2.50 or higher + Automake 1.5 or higher
    -- available from http://www.gnu.org/software/software.html

    -- available from http://dmalloc.com/

*************************************************************************
BUILD COMMANDS FROM TARBALL:

*************************************************************************

BUILD COMMANDS FROM CVS:

*************************************************************************

BUILD A TARBALL FROM CVS:

*************************************************************************

LOOPBACK TESTS (after BUILD):

./openvpn --genkey --secret key
./openvpn --test-crypto --secret key

Test SSL/TLS negotiations (runs for 2 minutes):

./openvpn --config sample-config-files/loopback-client (In one window)
./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)

*************************************************************************
OPTIONS for ./configure:

--enable-pthread            Compile pthread support for
                            improved latency during SSL/TLS key
                            negotiations (Linux or Solaris only)

--disable-lzo               Do not compile LZO compression support
--disable-crypto            Do not compile OpenSSL crypto support
--disable-ssl               Do not compile OpenSSL SSL support for
                            TLS-based key exchange

--with-ssl-headers=DIR      Crypto/SSL Include files location
--with-ssl-lib=DIR          Crypto/SSL Library location
--with-lzo-headers=DIR      LZO Include files location
--with-lzo-lib=DIR          LZO Library location

--with-ifconfig-path=PATH   Path to ifconfig tool (only need to
                            specify if in a non-standard location)

--with-leak-check=TYPE      Build with memory leak checking
                            TYPE = dmalloc or ssl

--enable-strict             Enable strict compiler warnings

--enable-strict-options     Enable strict options check between peers

*************************************************************************
BUILDING ON LINUX 2.4+ FROM RPM

You can build a binary RPM directly from the OpenVPN tarball file:

rpmbuild -tb [tarball]

This command will build a binary RPM file and place it in the system
RPM directory. You can then install the RPM with the standard RPM

rpm -ivh [binary-rpm]

When you install the binary RPM, it will install
sample-scripts/openvpn.init, which can be used to
automatically start or stop one or more OpenVPN tunnels on system
startup or shutdown, based on OpenVPN .conf files in /etc/openvpn.
See the comments in openvpn.init for more information.

Installing the RPM will also configure the TUN/TAP device node

Note that the current openvpn.spec file, which instructs the rpm tool
how to build a package, will build OpenVPN with all options enabled,
including OpenSSL, LZO, and pthread linkage. Therefore all of
these packages will need to be present prior to the RPM build, unless
you edit the openvpn.spec file.

*************************************************************************
TUN/TAP Driver Configuration:

* Linux 2.4 or higher (with integrated TUN/TAP driver):

  (1)  make device node:         mknod /dev/net/tun c 10 200
  (2a) add to /etc/modules.conf: alias char-major-10-200 tun
  (2b) load driver:              modprobe tun
  (3)  enable routing:           echo 1 > /proc/sys/net/ipv4/ip_forward

  Note that either of steps (2a) or (2b) is sufficient. While (2a)
  only needs to be done once per install, (2b) needs to be done once
  per reboot. If you install from RPM (see above) and use the
  openvpn.init script, these steps are taken care of for you.
* Linux 2.2 or Solaris:

  version 1.1 of the TUN/TAP driver from
  http://vtun.sourceforge.net/tun/
  and follow the installation instructions.

  For 64 bit, I used the tun-1.1.tar.gz source and compiled it.

  Of course there is a but :)
  In the tun-1-1\solaris\Makefile I changed a line so it compiles with 64 bit:

  CFLAGS = $(DEFS) -m64 -O2 -Wall -D_KERNEL -I.

  I just added -m64 and it worked.

  The tun driver works fine as said previously, however we noticed there is a
  minor problem when creating multiple tunnels on Solaris.
  Mr Tycho Fruru changed the code in the tun.c file where he locked the tun device
  number to -1. This way it is impossible to specify the name of the tun device,
  but it is still possible to have multiple devices.
  The modification will increment automatically, meaning starting from tun0 --->
  tunX. I know you are not responsible for the tun coding, but if you think the
  modification can be useful for you, feel free to use it.

  http://openvpn.sourceforge.net/solaris/tun.c
  FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0,
  tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default.
  However, only the TUN driver is linked into the GENERIC kernel.

  To load the TAP driver, enter:

  See man rc(8) to find out how you can do this at boot time.

  The easiest way is to install OpenVPN from the FreeBSD ports system;
  the port includes a sample script to automatically load the TAP driver

  OpenBSD ships with tun0 and tun1 installed by default.

  Obtain Christoph Pfisterer's TUN driver at
  http://chrisp.de/en/projects/tunnel.html

  The kernel module for Solaris
  can be generated by adding the -m64 switch to a modern
  gcc compiler (I'm using 3.2). The resulting kernel driver
  needs to be manually copied to /kernel/drv/sparcv9/, followed by a
  reconfiguration reboot (boot -r).

* Windows 2000 and XP

  See INSTALL-win32.txt for more info

See the man page for more information, usage examples, and
information on firewall configuration.

*************************************************************************
* The Windows TAP-Win32 driver should not be used on SMP systems prior
  to beta8, and beta8 should be considered experimental when run on

* I have noticed cases where TCP sessions tunneled over the Linux
  TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix
  values are used. The TCP sessions appear to unstall and resume
  normally when the remote VPN endpoint is pinged.

* OpenVPN works fine with the 1.1 TUN/TAP driver in the Linux 2.2 kernels,
  and with the integrated 1.4 TUN/TAP driver in the Linux 2.4 kernels, but
  there's a "gray area" in the 2.4 kernels before 2.4.7 where various
  things may break due to the TUN/TAP driver and other kernel components
  being in a state of flux, so I wouldn't recommend using OpenVPN on these
  kernels unless you are prepared to do some debugging and testing.

* Pthread support is not yet stable on OpenBSD or any platform that implements
  threads in user-space without supporting true preemptive scheduling
  between threads. Pthread implementations which are compatible with the Linux
  or Solaris implementations should work fine with OpenVPN.

* If run through a firewall using OpenBSD's packet filter PF and the
  filter rules include a "scrub" directive, you may get problems talking
  to Linux hosts over the tunnel, since the scrubbing will kill packets
  sent from Linux hosts if they are fragmented. This is usually seen as
  tunnels where small packets and pings get through but large packets
  and "regular traffic" don't.

* Mixing OFB or CFB cipher modes with static key mode is not recommended,
  and is flagged as an error on OpenVPN versions 1.2.1 and greater.
  If you use the --cipher option to explicitly select an OFB or CFB
  cipher AND you are using static key mode, it is possible that there
  could be an IV collision if the OpenVPN daemons on both sides
  of the connection are started at exactly the same time, since
  OpenVPN uses a timestamp combined with a sequence number as the cipher
  IV for OFB and CFB modes. This is not an issue if you are
  using CBC cipher mode (the default), or if you are using OFB or CFB
  cipher mode with SSL/TLS authentication.
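Why the IV collision in the last note matters, as an added example that is not OpenVPN's code: a minimal OFB mode built over HMAC-SHA256 (standing in for the block cipher, since OFB only ever runs it forward) and an IV made of a timestamp plus sequence number show that two peers sharing one static key and starting in the same second generate identical keystreams, so the XOR of their ciphertexts equals the XOR of the plaintexts. The 4+4 byte IV layout and all keys and packets are constructed for illustration, not OpenVPN's actual format.

```python
import hashlib
import hmac
import struct

BLOCK = hashlib.sha256().digest_size  # 32 bytes: block size of the stand-in PRF

def block_fn(key: bytes, block: bytes) -> bytes:
    # Keyed PRF standing in for the block cipher E_k; OFB never needs the
    # inverse, so HMAC-SHA256 is enough to show the mode's structure.
    return hmac.new(key, block, hashlib.sha256).digest()

def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # OFB: each keystream block is E_k of the previous one, seeded by the IV,
    # so the keystream depends only on (key, IV), never on the plaintext.
    out, prev = b"", iv
    while len(out) < length:
        prev = block_fn(key, prev)
        out += prev
    return out[:length]

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(d ^ k for d, k in zip(data, ofb_keystream(key, iv, len(data))))

def static_key_iv(timestamp: int, seq: int) -> bytes:
    # IV as the note describes: timestamp combined with a sequence number.
    # The 4+4 byte layout is an assumption for illustration only.
    return struct.pack(">II", timestamp, seq).ljust(BLOCK, b"\x00")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reused(key: bytes, iv_a: bytes, iv_b: bytes, p_a: bytes, p_b: bytes) -> bool:
    # If both peers used the same keystream, XORing the two ciphertexts
    # cancels it and leaves p_a XOR p_b: plaintext structure is exposed.
    c_a, c_b = ofb_crypt(key, iv_a, p_a), ofb_crypt(key, iv_b, p_b)
    return xor_bytes(c_a, c_b) == xor_bytes(p_a, p_b)

def demo() -> tuple:
    key = b"constructed shared static key"   # same key on both peers (static key mode)
    p_a, p_b = b"packet 0 sent by peer A ", b"packet 0 sent by peer B "  # constructed
    t = 1_060_000_000                          # constructed start time (seconds)
    # Both daemons start in the same second with sequence number 0: IV collision.
    same_second = keystream_reused(key, static_key_iv(t, 0), static_key_iv(t, 0), p_a, p_b)
    # One second apart: distinct IVs, distinct keystreams, no cancellation.
    next_second = keystream_reused(key, static_key_iv(t, 0), static_key_iv(t + 1, 0), p_a, p_b)
    return same_second, next_second
```

With SSL/TLS authentication each peer derives its own keys, and in CBC mode a repeated IV does not repeat a keystream, which is why the note limits the problem to OFB/CFB in static key mode.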