Diffstat (limited to 'main/openvpn/INSTALL')
m--------- main/openvpn 0
-rw-r--r-- main/openvpn/INSTALL 336
2 files changed, 0 insertions, 336 deletions
diff --git a/main/openvpn b/main/openvpn
new file mode 160000
+Subproject 7aaf01766f9718375986600216607aeb6397200
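Review bot: the object ID on the "+Subproject" line is 39 hex digits as shown, one short of a 40-digit SHA-1 object name, so verify the pinned commit against the intended submodule repository before merging. The diffstat here is limited to main/openvpn/INSTALL and shows no .gitmodules change; confirm that the submodule URL is recorded in the same commit, so that the mode 160000 entry at main/openvpn resolves to a known, reviewed source rather than whatever a local configuration points at.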
diff --git a/main/openvpn/INSTALL b/main/openvpn/INSTALL
deleted file mode 100644
index 2ef7904b..00000000
--- a/main/openvpn/INSTALL
+++ /dev/null
@@ -1,336 +0,0 @@
-Installation instructions for OpenVPN, a Secure Tunneling Daemon
-
-Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free software;
-you can redistribute it and/or modify
-it under the terms of the GNU General Public License version 2
-as published by the Free Software Foundation.
-
-*************************************************************************
-
-QUICK START:
-
- Unix:
- ./configure && make && make-install
-
- Cross-compile for Windows on Unix
-
- See INSTALL-win32.txt
-
-*************************************************************************
-
-To download OpenVPN, go to:
-
- http://openvpn.net/download.html
-
-OpenVPN releases are also available as Debian/RPM packages:
-
- https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
-
-To download easy-rsa go to:
-
- https://github.com/OpenVPN/easy-rsa
-
-To download tap-windows driver source code go to:
-
- https://github.com/OpenVPN/tap-windows
-
-To get the cross-compilation environment go to:
-
- https://github.com/OpenVPN/openvpn-build
-
-For step-by-step instructions with real-world examples see:
-
- http://openvpn.net/howto.html
- https://community.openvpn.net/openvpn/wiki
-
-For examples see:
-
- http://openvpn.net/examples.html
-
-Also see the man page for more information, usage examples, and information on
-firewall configuration.
-
-*************************************************************************
-
-SUPPORTED PLATFORMS:
- (1) Linux (kernel 2.6+)
- (2) Solaris
- (3) OpenBSD 5.1+
- (4) Mac OS X Darwin 10.5+
- (5) FreeBSD 7.4+
- (6) NetBSD 5.0+
- (7) Windows (WinXP and higher)
-
-SUPPORTED PROCESSOR ARCHITECTURES:
- In general, OpenVPN is word size and endian independent, so
- most processors should be supported. Architectures known to
- work include Intel x86, Alpha, Sparc, Amd64, and ARM.
-
-REQUIRES:
- (1) TUN and/or TAP driver to allow user-space programs to control
- a virtual point-to-point IP or Ethernet device. See
- TUN/TAP Driver Configuration section below for more info.
-
-OPTIONAL (but recommended):
- (1) OpenSSL library, necessary for encryption, version 0.9.8 or higher
- required, available from http://www.openssl.org/
- (2) PolarSSL library, an alternative for encryption, version 1.1 or higher
- required, available from https://polarssl.org/
- (3) LZO real-time compression library, required for link compression,
- available from http://www.oberhumer.com/opensource/lzo/
- OpenBSD users can use ports or packages to install lzo, but remember
- to add CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
- directives to "configure", since gcc will not find them otherwise.
-
-OPTIONAL (for developers only):
- (1) Autoconf 2.59 or higher + Automake 1.9 or higher
- -- available from http://www.gnu.org/software/software.html
- (2) Dmalloc library
- -- available from http://dmalloc.com/
- (3) If using t_client.sh test framework, fping/fping6 is needed
- -- Available from http://www.fping.org/
- Note: t_client.sh needs an external configured OpenVPN server.
- See t_client.rc-sample for more info.
-
-*************************************************************************
-
-CHECK OUT SOURCE FROM SOURCE REPOSITORY:
-
- Clone the repository:
-
- git clone https://github.com/OpenVPN/openvpn
- git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn
-
- Check out stable version:
-
- git checkout -b 2.2 remotes/origin/release/2.2
-
- Check out master (unstable) branch:
-
- git checkout master
-
-
-*************************************************************************
-
-BUILD COMMANDS FROM TARBALL:
-
- ./configure
- make
- make install
-
-*************************************************************************
-
-BUILD COMMANDS FROM SOURCE REPOSITORY CHECKOUT:
-
- autoreconf -i -v -f
- ./configure
- make
- make install
-
-*************************************************************************
-
-BUILD A TARBALL FROM SOURCE REPOSITORY CHECKOUT:
-
- autoreconf -i -v -f
- ./configure
- make dist
-
-*************************************************************************
-
-TESTS (after BUILD):
-
-make check (Run all tests below)
-
-Test Crypto:
-
-./openvpn --genkey --secret key
-./openvpn --test-crypto --secret key
-
-Test SSL/TLS negotiations (runs for 2 minutes):
-
-./openvpn --config sample/sample-config-files/loopback-client (In one window)
-./openvpn --config sample/sample-config-files/loopback-server (Simultaneously in another window)
-
-For more thorough client-server tests you can configure your own, private test
-environment. See tests/t_client.rc-sample for details.
-
-*************************************************************************
-
-OPTIONS for ./configure:
-
- --disable-lzo disable LZO compression support [default=yes]
- --enable-lzo-stub don't compile LZO compression support but still
- allow limited interoperability with LZO-enabled
- peers [default=no]
- --disable-crypto disable crypto support [default=yes]
- --disable-ssl disable SSL support for TLS-based key exchange
- [default=yes]
- --enable-x509-alt-username
- enable the --x509-username-field feature
- [default=no]
- --disable-multi disable client/server support (--mode server +
- client mode) [default=yes]
- --disable-server disable server support only (but retain client
- support) [default=yes]
- --disable-plugins disable plug-in support [default=yes]
- --disable-management disable management server support [default=yes]
- --enable-pkcs11 enable pkcs11 support [default=no]
- --disable-socks disable Socks support [default=yes]
- --disable-http-proxy disable HTTP proxy support [default=yes]
- --disable-fragment disable internal fragmentation support (--fragment)
- [default=yes]
- --disable-multihome disable multi-homed UDP server support (--multihome)
- [default=yes]
- --disable-port-share disable TCP server port-share support (--port-share)
- [default=yes]
- --disable-debug disable debugging support (disable gremlin and verb
- 7+ messages) [default=yes]
- --enable-small enable smaller executable size (disable OCC, usage
- message, and verb 4 parm list) [default=yes]
- --enable-password-save allow --askpass and --auth-user-pass passwords to be
- read from a file [default=yes]
- --enable-iproute2 enable support for iproute2 [default=no]
- --disable-def-auth disable deferred authentication [default=yes]
- --disable-pf disable internal packet filter [default=yes]
- --enable-strict enable strict compiler warnings (debugging option)
- [default=no]
- --enable-pedantic enable pedantic compiler warnings, will not generate
- a working executable (debugging option) [default=no]
- --enable-strict-options enable strict options check between peers (debugging
- option) [default=no]
- --enable-selinux enable SELinux support [default=no]
- --enable-systemd enable systemd suppport [default=no]
-
-ENVIRONMENT for ./configure:
-
- IFCONFIG full path to ipconfig utility
- ROUTE full path to route utility
- IPROUTE full path to ip utility
- NETSTAT path to netstat utility
- MAN2HTML path to man2html utility
- GIT path to git utility
- TAP_CFLAGS C compiler flags for tap
- OPENSSL_CRYPTO_CFLAGS
- C compiler flags for OPENSSL_CRYPTO, overriding pkg-config
- OPENSSL_CRYPTO_LIBS
- linker flags for OPENSSL_CRYPTO, overriding pkg-config
- OPENSSL_SSL_CFLAGS
- C compiler flags for OPENSSL_SSL, overriding pkg-config
- OPENSSL_SSL_LIBS
- linker flags for OPENSSL_SSL, overriding pkg-config
- POLARSSL_CFLAGS
- C compiler flags for polarssl
- POLARSSL_LIBS
- linker flags for polarssl
- LZO_CFLAGS C compiler flags for lzo
- LZO_LIBS linker flags for lzo
- PKCS11_HELPER_CFLAGS
- C compiler flags for PKCS11_HELPER, overriding pkg-config
- PKCS11_HELPER_LIBS
- linker flags for PKCS11_HELPER, overriding pkg-config
-
-*************************************************************************
-
-BUILDING ON LINUX 2.6+ FROM RPM
-
-You can build a binary RPM directly from the OpenVPN tarball file:
-
- rpmbuild -tb [tarball]
-
-This command will build a binary RPM file and place it in the system
-RPM directory. You can then install the RPM with the standard RPM
-install command:
-
- rpm -ivh [binary-rpm]
-
-When you install the binary RPM, it will install
-sample-scripts/openvpn.init, which can be used to
-automatically start or stop one or more OpenVPN tunnels on system
-startup or shutdown, based on OpenVPN .conf files in /etc/openvpn.
-See the comments in openvpn.init for more information.
-
-Installing the RPM will also configure the TUN/TAP device node
-for linux 2.6.
-
-Note that the current openvpn.spec file, which instructs the rpm tool
-how to build a package, will build OpenVPN with all options enabled,
-including OpenSSL, LZO, and pthread linkage. Therefore all of
-these packages will need to be present prior to the RPM build, unless
-you edit the openvpn.spec file.
-
-*************************************************************************
-
-TUN/TAP Driver Configuration:
-
-* Linux 2.6 or higher (with integrated TUN/TAP driver):
-
- (1) load driver: modprobe tun
- (2) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward
-
- Note that (1) needs to be done once per reboot. If you install from RPM (see
- above) and use the openvpn.init script, these steps are taken care of for you.
-
-* FreeBSD:
-
- FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0,
- tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default.
- However, only the TUN driver is linked into the GENERIC kernel.
-
- To load the TAP driver, enter:
-
- kldload if_tap
-
- See man rc(8) to find out how you can do this at boot time.
-
- The easiest way is to install OpenVPN from the FreeBSD ports system,
- the port includes a sample script to automatically load the TAP driver
- at boot-up time.
-
-* OpenBSD:
-
- OpenBSD has dynamically created tun* devices so you only need
- to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun
- you plan to use to create the device(s) at boot.
-
-* Solaris:
-
- You need a TUN/TAP kernel driver for OpenVPN to work:
-
- http://www.whiteboard.ne.jp/~admin2/tuntap/
-
-* Windows XP/2003/Vista/7:
-
- OpenVPN on Windows needs a TUN/TAP kernel driver to work. OpenVPN installers
- include this driver, so installing it separately is not usually required.
- The driver source code is available here:
-
- https://github.com/OpenVPN/tap-windows
-
-*************************************************************************
-
-CAVEATS & BUGS:
-
-* I have noticed cases where TCP sessions tunneled over the Linux
- TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix
- values are used. The TCP sessions appear to unstall and resume
- normally when the remote VPN endpoint is pinged.
-
-* If run through a firewall using OpenBSDs packet filter PF and the
- filter rules include a "scrub" directive, you may get problems talking
- to Linux hosts over the tunnel, since the scrubbing will kill packets
- sent from Linux hosts if they are fragmented. This is usually seen as
- tunnels where small packets and pings get through but large packets
- and "regular traffic" don't. To circumvent this, add "no-df" to
- the scrub directive so that the packet filter will let fragments with
- the "dont fragment"-flag set through anyway.
-
-* Mixing OFB or CFB cipher modes with static key mode is not recommended,
- and is flagged as an error on OpenVPN versions 1.2.1 and greater.
- If you use the --cipher option to explicitly select an OFB or CFB
- cipher AND you are using static key mode, it is possible that there
- could be an IV collision if the OpenVPN daemons on both sides
- of the connection are started at exactly the same time, since
- OpenVPN uses a timestamp combined with a sequence number as the cipher
- IV for OFB and CFB modes. This is not an issue if you are
- using CBC cipher mode (the default), or if you are using OFB or CFB
- cipher mode with SSL/TLS authentication.
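Review bot: deleting main/openvpn/INSTALL in favour of the gitlink at main/openvpn means the build notes in this hunk (the ./configure options, the TUN/TAP driver setup, and the OFB/CFB static key IV caveat under CAVEATS & BUGS) are present in a checkout only once the submodule has been initialised. Suggest documenting the "git submodule update --init" step in the top-level build instructions and having the build fail early when main/openvpn is empty, so a fresh clone does not silently build without the OpenVPN sources or against a stale copy.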