Diffstat (limited to 'main/openvpn/INSTALL')
m--------- | main/openvpn | 0 |
-rw-r--r-- | main/openvpn/INSTALL | 336 |
2 files changed, 0 insertions, 336 deletions
diff --git a/main/openvpn b/main/openvpn new file mode 160000 +Subproject 7aaf01766f9718375986600216607aeb6397200 diff --git a/main/openvpn/INSTALL b/main/openvpn/INSTALL deleted file mode 100644 index 2ef7904b..00000000 --- a/main/openvpn/INSTALL +++ /dev/null 
@@ -1,336 +0,0 @@ -Installation instructions for OpenVPN, a Secure Tunneling Daemon - -Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software; -you can redistribute it and/or modify -it under the terms of the GNU General Public License version 2 -as published by the Free Software Foundation. - -************************************************************************* - -QUICK START: - - Unix: - ./configure && make && make-install - - Cross-compile for Windows on Unix - - See INSTALL-win32.txt - -************************************************************************* - -To download OpenVPN, go to: - - http://openvpn.net/download.html - -OpenVPN releases are also available as Debian/RPM packages: - - https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos - -To download easy-rsa go to: - - https://github.com/OpenVPN/easy-rsa - -To download tap-windows driver source code go to: - - https://github.com/OpenVPN/tap-windows - -To get the cross-compilation environment go to: - - https://github.com/OpenVPN/openvpn-build - -For step-by-step instructions with real-world examples see: - - http://openvpn.net/howto.html - https://community.openvpn.net/openvpn/wiki - -For examples see: - - http://openvpn.net/examples.html - -Also see the man page for more information, usage examples, and information on -firewall configuration. - -************************************************************************* - -SUPPORTED PLATFORMS: - (1) Linux (kernel 2.6+) - (2) Solaris - (3) OpenBSD 5.1+ - (4) Mac OS X Darwin 10.5+ - (5) FreeBSD 7.4+ - (6) NetBSD 5.0+ - (7) Windows (WinXP and higher) - -SUPPORTED PROCESSOR ARCHITECTURES: - In general, OpenVPN is word size and endian independent, so - most processors should be supported. Architectures known to - work include Intel x86, Alpha, Sparc, Amd64, and ARM. - -REQUIRES: - (1) TUN and/or TAP driver to allow user-space programs to control - a virtual point-to-point IP or Ethernet device. 
See - TUN/TAP Driver Configuration section below for more info. - -OPTIONAL (but recommended): - (1) OpenSSL library, necessary for encryption, version 0.9.8 or higher - required, available from http://www.openssl.org/ - (2) PolarSSL library, an alternative for encryption, version 1.1 or higher - required, available from https://polarssl.org/ - (3) LZO real-time compression library, required for link compression, - available from http://www.oberhumer.com/opensource/lzo/ - OpenBSD users can use ports or packages to install lzo, but remember - to add CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" - directives to "configure", since gcc will not find them otherwise. - -OPTIONAL (for developers only): - (1) Autoconf 2.59 or higher + Automake 1.9 or higher - -- available from http://www.gnu.org/software/software.html - (2) Dmalloc library - -- available from http://dmalloc.com/ - (3) If using t_client.sh test framework, fping/fping6 is needed - -- Available from http://www.fping.org/ - Note: t_client.sh needs an external configured OpenVPN server. - See t_client.rc-sample for more info. 
- -************************************************************************* - -CHECK OUT SOURCE FROM SOURCE REPOSITORY: - - Clone the repository: - - git clone https://github.com/OpenVPN/openvpn - git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn - - Check out stable version: - - git checkout -b 2.2 remotes/origin/release/2.2 - - Check out master (unstable) branch: - - git checkout master - - -************************************************************************* - -BUILD COMMANDS FROM TARBALL: - - ./configure - make - make install - -************************************************************************* - -BUILD COMMANDS FROM SOURCE REPOSITORY CHECKOUT: - - autoreconf -i -v -f - ./configure - make - make install - -************************************************************************* - -BUILD A TARBALL FROM SOURCE REPOSITORY CHECKOUT: - - autoreconf -i -v -f - ./configure - make dist - -************************************************************************* - -TESTS (after BUILD): - -make check (Run all tests below) - -Test Crypto: - -./openvpn --genkey --secret key -./openvpn --test-crypto --secret key - -Test SSL/TLS negotiations (runs for 2 minutes): - -./openvpn --config sample/sample-config-files/loopback-client (In one window) -./openvpn --config sample/sample-config-files/loopback-server (Simultaneously in another window) - -For more thorough client-server tests you can configure your own, private test -environment. See tests/t_client.rc-sample for details. 
- -************************************************************************* - -OPTIONS for ./configure: - - --disable-lzo disable LZO compression support [default=yes] - --enable-lzo-stub don't compile LZO compression support but still - allow limited interoperability with LZO-enabled - peers [default=no] - --disable-crypto disable crypto support [default=yes] - --disable-ssl disable SSL support for TLS-based key exchange - [default=yes] - --enable-x509-alt-username - enable the --x509-username-field feature - [default=no] - --disable-multi disable client/server support (--mode server + - client mode) [default=yes] - --disable-server disable server support only (but retain client - support) [default=yes] - --disable-plugins disable plug-in support [default=yes] - --disable-management disable management server support [default=yes] - --enable-pkcs11 enable pkcs11 support [default=no] - --disable-socks disable Socks support [default=yes] - --disable-http-proxy disable HTTP proxy support [default=yes] - --disable-fragment disable internal fragmentation support (--fragment) - [default=yes] - --disable-multihome disable multi-homed UDP server support (--multihome) - [default=yes] - --disable-port-share disable TCP server port-share support (--port-share) - [default=yes] - --disable-debug disable debugging support (disable gremlin and verb - 7+ messages) [default=yes] - --enable-small enable smaller executable size (disable OCC, usage - message, and verb 4 parm list) [default=yes] - --enable-password-save allow --askpass and --auth-user-pass passwords to be - read from a file [default=yes] - --enable-iproute2 enable support for iproute2 [default=no] - --disable-def-auth disable deferred authentication [default=yes] - --disable-pf disable internal packet filter [default=yes] - --enable-strict enable strict compiler warnings (debugging option) - [default=no] - --enable-pedantic enable pedantic compiler warnings, will not generate - a working executable (debugging option) 
[default=no] - --enable-strict-options enable strict options check between peers (debugging - option) [default=no] - --enable-selinux enable SELinux support [default=no] - --enable-systemd enable systemd suppport [default=no] - -ENVIRONMENT for ./configure: - - IFCONFIG full path to ipconfig utility - ROUTE full path to route utility - IPROUTE full path to ip utility - NETSTAT path to netstat utility - MAN2HTML path to man2html utility - GIT path to git utility - TAP_CFLAGS C compiler flags for tap - OPENSSL_CRYPTO_CFLAGS - C compiler flags for OPENSSL_CRYPTO, overriding pkg-config - OPENSSL_CRYPTO_LIBS - linker flags for OPENSSL_CRYPTO, overriding pkg-config - OPENSSL_SSL_CFLAGS - C compiler flags for OPENSSL_SSL, overriding pkg-config - OPENSSL_SSL_LIBS - linker flags for OPENSSL_SSL, overriding pkg-config - POLARSSL_CFLAGS - C compiler flags for polarssl - POLARSSL_LIBS - linker flags for polarssl - LZO_CFLAGS C compiler flags for lzo - LZO_LIBS linker flags for lzo - PKCS11_HELPER_CFLAGS - C compiler flags for PKCS11_HELPER, overriding pkg-config - PKCS11_HELPER_LIBS - linker flags for PKCS11_HELPER, overriding pkg-config - -************************************************************************* - -BUILDING ON LINUX 2.6+ FROM RPM - -You can build a binary RPM directly from the OpenVPN tarball file: - - rpmbuild -tb [tarball] - -This command will build a binary RPM file and place it in the system -RPM directory. You can then install the RPM with the standard RPM -install command: - - rpm -ivh [binary-rpm] - -When you install the binary RPM, it will install -sample-scripts/openvpn.init, which can be used to -automatically start or stop one or more OpenVPN tunnels on system -startup or shutdown, based on OpenVPN .conf files in /etc/openvpn. -See the comments in openvpn.init for more information. - -Installing the RPM will also configure the TUN/TAP device node -for linux 2.6. 
- -Note that the current openvpn.spec file, which instructs the rpm tool -how to build a package, will build OpenVPN with all options enabled, -including OpenSSL, LZO, and pthread linkage. Therefore all of -these packages will need to be present prior to the RPM build, unless -you edit the openvpn.spec file. - -************************************************************************* - -TUN/TAP Driver Configuration: - -* Linux 2.6 or higher (with integrated TUN/TAP driver): - - (1) load driver: modprobe tun - (2) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward - - Note that (1) needs to be done once per reboot. If you install from RPM (see - above) and use the openvpn.init script, these steps are taken care of for you. - -* FreeBSD: - - FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0, - tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default. - However, only the TUN driver is linked into the GENERIC kernel. - - To load the TAP driver, enter: - - kldload if_tap - - See man rc(8) to find out how you can do this at boot time. - - The easiest way is to install OpenVPN from the FreeBSD ports system, - the port includes a sample script to automatically load the TAP driver - at boot-up time. - -* OpenBSD: - - OpenBSD has dynamically created tun* devices so you only need - to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun - you plan to use to create the device(s) at boot. - -* Solaris: - - You need a TUN/TAP kernel driver for OpenVPN to work: - - http://www.whiteboard.ne.jp/~admin2/tuntap/ - -* Windows XP/2003/Vista/7: - - OpenVPN on Windows needs a TUN/TAP kernel driver to work. OpenVPN installers - include this driver, so installing it separately is not usually required. 
- The driver source code is available here: - - https://github.com/OpenVPN/tap-windows - -************************************************************************* - -CAVEATS & BUGS: - -* I have noticed cases where TCP sessions tunneled over the Linux - TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix - values are used. The TCP sessions appear to unstall and resume - normally when the remote VPN endpoint is pinged. - -* If run through a firewall using OpenBSDs packet filter PF and the - filter rules include a "scrub" directive, you may get problems talking - to Linux hosts over the tunnel, since the scrubbing will kill packets - sent from Linux hosts if they are fragmented. This is usually seen as - tunnels where small packets and pings get through but large packets - and "regular traffic" don't. To circumvent this, add "no-df" to - the scrub directive so that the packet filter will let fragments with - the "dont fragment"-flag set through anyway. - -* Mixing OFB or CFB cipher modes with static key mode is not recommended, - and is flagged as an error on OpenVPN versions 1.2.1 and greater. - If you use the --cipher option to explicitly select an OFB or CFB - cipher AND you are using static key mode, it is possible that there - could be an IV collision if the OpenVPN daemons on both sides - of the connection are started at exactly the same time, since - OpenVPN uses a timestamp combined with a sequence number as the cipher - IV for OFB and CFB modes. This is not an issue if you are - using CBC cipher mode (the default), or if you are using OFB or CFB - cipher mode with SSL/TLS authentication. |
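Review bot: The gitlink added at main/openvpn (mode 160000) pins the submodule to 7aaf01766f9718375986600216607aeb6397200, which as shown has 39 hex digits where a SHA-1 object id has 40, so the pin cannot be checked from this page as written. Confirm the full commit id against the repository that .gitmodules names for this path, preferably against a signed release tag, and state in the commit message which upstream release it corresponds to. From this commit on, the contents of main/openvpn are whatever that id resolves to rather than files reviewed in this tree.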
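Review bot: Missing documentation for the new checkout step: with main/openvpn/INSTALL deleted (all 336 lines) and the path turned into a submodule, a clone made without initialising submodules leaves main/openvpn empty and the build instructions are no longer in this tree. Add a line to the top-level build documentation telling users to run git submodule update --init before building. The diffstat here is limited to main/openvpn/INSTALL, so also check that the same commit adds or updates the .gitmodules entry for main/openvpn.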