OpenVPN
From InstallationWiki
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.
OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
Installing OpenVPN is easy, regardless of the platform you are using. In this tutorial we will install it on Windows, Mac OS X, different Linux versions and FreeBSD. Furthermore, we will compile the source code provided by the OpenVPN project and enable the required network support in your kernel for the TUN/TAP devices. We will start with the graphical installation under Windows, Mac OS X and SuSE and finish with building our own OpenVPN version from the source code, including hints for the configuration of an individual kernel.
Prerequisites
Some prerequisites have to be fulfilled if you want to install OpenVPN on your system. Windows users must use Windows 2000 or XP; Mac OS X is required on Apple platforms. That is all that is required for those operating systems, but Linux/Unix systems must meet the following demands:
- Your system must provide support for the Universal TUN/TAP Driver.
Kernels newer than 2.4 in almost all modern Linux distributions provide support for TUN/TAP devices. Only if you are using an old distribution or have built your own kernel will you have to add this support to your configuration. The last paragraph of this tutorial deals with this problem. This project's website is http://vtun.sourceforge.net/tun/ .
- OpenSSL Libraries have to be installed on your system.
I have not encountered modern Linux/Unix systems that do not meet this requirement. However, if you want to compile OpenVPN from source code, the SSL development package may be necessary. The website is http://www.openssl.org/ .
- The LZO Compression library has to be installed.
Again, most modern Linux/UNIX systems provide these packages, so there won't be any problem. LZO is a real-time compression library that is used by OpenVPN for compression of data before sending them. Packages can be found on http://openvpn.net/download.html, the website of this project is: http://www.oberhumer.com/opensource/lzo/.
Most Linux/Unix systems' installation tools are able to solve these so-called dependencies on their own, but it might be helpful to know where to get the required software.
Obtaining the Software
Basically, installation of OpenVPN can be done in either one of the following ways:
- For Microsoft Windows operating systems you have to download the binary .exe file from http://openvpn.net/download.html or the package containing a graphical user interface from http://openvpn.se/.
- On Macintosh systems running Mac OS X there is a graphical installation wizard and Management tool called Tunnelblick.
- Most commercial Linux systems like SuSE provide installation tools like YaST and contain up-to-date versions of OpenVPN on their installation media (CD or DVD). Furthermore systems based on Redhat Package Management (RPM) software can also install and manage OpenVPN software at the command line.
- Linux systems like Debian use sophisticated package management tools that can install software provided by repositories on web servers. No local media is needed, the package management will resolve potential dependencies itself and install the newest or safest possible version of OpenVPN.
- FreeBSD (like other BSD-style systems)
- Like all open source projects, OpenVPN source code is provided for download. These compressed tar.gz or tar.bz2 archives can be downloaded from http://openvpn.net/download.html and unpacked to a local directory. This source code has to be configured and translated (compiled) for your operating system.
- You can also install unstable, developer or older versions of OpenVPN from http://openvpn.net/download.html . This may be interesting if you want to test new features of forthcoming versions.
- Daily (unstable!) snapshots of OpenVPN Source Code can be obtained from http://sourceforge.net/cvs/?group_id=48978. Here you find the CVS (Concurrent Versions System) repository, where all OpenVPN developers post their changes to the project files.
Please note that OpenVPN versions not tagged as stable should never be used in a production environment. There may be security issues and bugs that cause the code to crash or open your complete network to intruders. The stable versions have been tested for stability and security flaws and will not be published as stable as long as they do not meet the developer team's requirements.
Installing OpenVPN on Windows
If you want to install OpenVPN on Windows, you have to make a choice before downloading: You can install the original OpenVPN software from http://openvpn.net/download.html, or (and this is my preferred suggestion) install the OpenVPN GUI (Graphical User Interface) from http://openvpn.se/. This package contains the OpenVPN software plus a graphical user interface to bring up or close down tunnels. Especially if you set up an OpenVPN client, be it a laptop or desktop PC of a home worker, which only connects temporarily to your VPN, the Windows user will want to have an easy-to-use, clickable interface. However, if you do not want the users to interact with the VPN tunnels, the original OpenVPN software will do.
OpenVPN can be run as a service on the Windows PC, which means it is started automatically on startup. It can be configured to enable the tunnel automatically or forced by a mouse click of a user. The Installation is pretty straightforward and should not pose any problem to the experienced Windows user. The following sections give you a guided installation process.
If you are prompted that the driver has not passed Windows Logo testing, click on Continue anyway.
Downloading and starting installation
Download the newest version of the OpenVPN GUI from http://openvpn.se/ to your local drive. Log in as Administrator or a privileged user and double-click on the downloaded file to start the Setup Wizard. If you are using a desktop firewall, you will be prompted to allow OpenVPN to be installed and to connect to the Internet later.
The OpenVPN GUI installation wizard, probably the most convenient way to install OpenVPN on Windows, is started. Click on Next to proceed.
Even though OpenVPN and the OpenVPN GUI are completely available under the open source license GPL (General Public License), you have to accept a license agreement. You should read the license to make sure that your planned use of OpenVPN conforms to it. Click on I Agree to proceed.
Selecting Components and Location
The next dialog window offers a choice of the OpenVPN components you may want to install. The standard selection of components makes sense in almost all cases.
In this dialog you have several options to choose from. Even if you normally don't need to make changes here, the following table gives an overview of the entries and when you should install which feature. The Client-Install is a system which only connects to another OpenVPN system, whereas the Server-Install is an OpenVPN system that allows incoming connections.
| Option | Feature | Client-Install | Server-Install |
|---|---|---|---|
| OpenVPN User-Space Components | the openvpn program | x | x |
| OpenVPN RSA Certificate Management Scripts | Easy-rsa for Windows | x | |
| OpenVPN GUI | the graphical user interface | x | |
| AutoStart OpenVPN GUI | Link for autostart | x | |
| My Certificate Wizard | Certificate requests for a Certificate Authority | x | |
| Hide the TAP-Win32 VEA | Interface is not shown in network setup | | |
| OpenVPN Service | configure OpenVPN as a service | x | |
| OpenVPN File Associations | Configuration files (*.ovpn) are associated with openvpn | x | x |
| OpenSSL DLLs | Dynamic link libraries | x | x |
| TAP-WIN32 VEA | virtual network interface | x | x |
| Add OpenVPN to PATH | Openvpn.exe is in the path of every users command line | x | x |
| Add Shortcuts to Start Menu | shortcut to start menu | x | x |
As you can see, the only differences are the RSA Management and the option to run OpenVPN as a service. Both can be configured by different means, like the configuration file, the Windows system management or software like xca that we will use to generate and administrate certificates.
Press Next to continue installation.
Now you have to select an installation directory for OpenVPN. The standard installation path of OpenVPN under Windows is C:\Program Files\OpenVPN, and this should work fine in almost any case. However, you can set this path as you please. After clicking on Install, the installation process is started.
Finishing Installation
While OpenVPN is installing, you can read its output in the installation window and follow the creation of folders, files and shortcuts and the installation of drivers (TAP) for networking.
If you've made it this far, you have successfully installed OpenVPN on your Windows system. If you want to read the Readme file (which today [September 2005] is pretty poor and contains only a link to the website), activate the button Show Readme before you click Finish.
Testing the installation - a first look at the Panel applet
After Installation of OpenVPN GUI, OpenVPN is started and a panel applet is created. In the screenshot below it is the icon close to the left.
The Panel applet of OpenVPN
This applet provides a convenient method for Windows Users to control and configure (partly) OpenVPN. However, as there is no interface for configuration yet, the configuration file can only be edited using an editor. And until a first configuration is created, the context menu may look rather poor. Right-click on the panel applet.
Once we have configured a first connection, this menu will be populated with new entries. With the entries Connect and Disconnect you can start and stop the configured tunnels.
Installing OpenVPN on Mac OS X (Tunnelblick)
Of course there is also OpenVPN software for Mac OS X. Its name is Tunnelblick; it is free open source software released under the BSD license, and it contains a graphical installation wizard. You can download it from http://www.tunnelblick.net/. Tunnelblick comes as a disk image file including the command line application (by the OpenVPN project) and the Tunnelblick GUI for Macintosh PCs.
If you need more detailed information on installing and uninstalling Tunnelblick, the online readme file http://www.tunnelblick.net/README.txt is the best place to look first. It contains a full list of files that are installed on your system. For version 3.0 these files are:
    /System/Library/Extensions/tap.kext
    /System/Library/Extensions/tun.kext
    /System/Library/StartupItems/tap
    /System/Library/StartupItems/tun
    /usr/local/sbin/openvpn
    /usr/local/sbin/openvpnstop
    /usr/local/sbin/openvpnstart
    /Applications/Tunnelblick.app
To uninstall Tunnelblick from your system, you just need to remove these files and reboot your machine.
But before that, let's install Tunnelblick: The installation is started simply by double-clicking on the file Tunnelblick-Complete.mpkg to start the installation wizard.
The installation wizard
An installation wizard will guide you through the five steps. Simply choose the installation location and type and the wizard will solve all questions for you. The file README.txt contains information on installing, uninstalling and configuration of OpenVPN with special regard to Macintosh and OS X 10.3 or later.
Testing the installation - the Tunnelblick panel applet
After installation you will find the Tunnelblick icon in the system tray of your panel:
If you select the menu entry Edit configuration, you will be presented with the standard configuration file in a text editor:
If you need more information on OpenVPN on Macintosh, the following links are a good place to visit:
- Detailed installation instructions for Mac OS 10.3: http://www.helsinki.fi/atk/english/hy-ppp/hy-vpn/hy-vpn-mac.html
- Homepage of the Tunnelblick OpenVPN GUI for Macintosh: http://www.tunnelblick.net/
Installing OpenVPN on SuSE Linux
Installing OpenVPN on SuSE Linux is almost as easy as under Windows or on the Mac. Linux users may say it is even easier. On SuSE Linux almost all administrative tasks can be done using the administration interface YaST (Yet Another Setup Tool). OpenVPN software can be installed completely with YaST. The SuSE people have always tried to include up-to-date software in their distribution and thus the installation media of SuSE 9.3 already contains the version 2.0 of OpenVPN.
Using YaST to install Software
Start YaST. Under KDE (the standard desktop under SuSE Linux), you will find YaST in the main menu under System > YaST.
If you are logged in as a normal user, you will be prompted to enter your root Password. Confirm it with OK. The YaST control center is started. This administration interface consists of many different modules, which are represented by symbols in the right half of the window and grouped by the labels on the left. After starting YaST, click on the symbol labeled Install and Remove Software to start the software management interface of YaST.
The software management tool in YaST is very powerful. Under SuSE data about installed and installable software is kept in a database which can be searched very comfortably. Select the entry Search in the drop-down list Filter: and enter openvpn in the Field Search:. YaST will find up to two entries that match your search value: openvpn and openvpn-devel. The first package is the one containing the openvpn software. The second package provides software for developers who want to program with OpenVPN and may only be available if you have online installation sources in your setup. Select the entry openvpn by clicking the entry in the first column until the check mark appears. If you want to obtain information about the OpenVPN package, have a look at the lower half of the right side: Here you will find the software description, technical data, dependencies and more information about the package you selected.
Click on the button Accept to start the OpenVPN installation.
Put your CD or DVD in your local drive. YaST will retrieve the OpenVPN files from your installation media. If you have configured your system to use one of SuSE's web or ftp servers for installation, this might take a while. The files are unpacked and installed into your system, and YaST is updating your configuration. This is managed by the script SuSEconfig and other scripts called by it.
SuSEconfig and YaST once were very infamous for deleting local configuration created by the local administrator, or omitting relevant changes. This problem was only relevant on updating and re-installing software previously installed. The last SuSE versions, however, have proven very reliable and the system configuration tools never delete configuration files you have added manually. Instead, the standard configuration files installed with the new software package may be renamed to <file>.rpmnew or similar and your configuration is loaded.
In the screen shot above you see SuSEconfig calling several helper scripts and updating your configuration. After successful software installation, you are prompted if you want to install more packages or exit installation. Click the button Finish.
Installing OpenVPN on Redhat Fedora using yum
If you are using Redhat Fedora, the Yellow dog Updater, Modified yum is probably the easiest way to install software. It can be found on http://linux.duke.edu/projects/yum/ and provides many interesting features like automatic updates, solving dependency problems and managing installation of software packages.
Even though OpenVPN installation on Fedora can only be done on the command line, it still is a very easy task. The installation makes use of the commands wget, rpm and yum.
- wget: A command line download manager suitable for ftp or http downloads
- rpm: The Redhat Package Manager is a software management system used by distributions like SuSE or Redhat. It keeps track of changes and can solve dependencies between programs.
- yum: yum provides a simple installation program for rpm-based software.
To use yum, you have to adapt its configuration file.
- Login as administrator (root)
- Change to Fedora's configuration directory /etc.
- Save the old, probably the original, configuration file yum.conf by renaming or moving it. You can use a command like mv yum.conf yum.conf_fedora_org to accomplish this.
- The web site http://www.fedorafaq.org/ provides a suitable configuration file for yum. Download the file http://www.fedorafaq.org/samples/yum.conf using wget. The command line syntax is wget http://www.fedorafaq.org/samples/yum.conf.
- At the same site a sophisticated yum configuration is available for download. Install this as well: rpm -Uvh http://www.fedorafaq.org/yum.
The following excerpt shows the output of these five steps on my system:
    [root@fedora ~]# cd /etc
    [root@fedora etc]# mv yum.conf yum.conf.org
    [root@fedora etc]# wget http://www.fedorafaq.org/samples/yum.conf
    --11:33:25--  http://www.fedorafaq.org/samples/yum.conf
               => `yum.conf'
    Resolving www.fedorafaq.org... 70.84.209.18
    Connecting to www.fedorafaq.org[70.84.209.18]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 595 [text/plain]
    100%[================================================>] 595 --.--K/s
    11:33:25 (405.20 KB/s) - `yum.conf' saved [595/595]
    [root@fedora etc]# rpm -Uvh http://www.fedorafaq.org/yum
    Retrieving http://www.fedorafaq.org/yum
    Preparing...                ########################################### [100%]
       1:yum-fedorafaq          ########################################### [100%]
    [root@fedora etc]#
The rest of the OpenVPN installation is very simple. Just enter yum install openvpn in your root shell. Now yum will start and give you a lot of output. We will have a short look at the things yum does:
    [root@fedora ~]# yum install openvpn
    Setting up Install Process
    Setting up repositories
    livna                     100% |=========================|  951 B    00:00
    updates-released          100% |=========================|  951 B    00:00
    base                      100% |=========================| 1.1 kB    00:00
    extras                    100% |=========================| 1.1 kB    00:00
    Reading repository metadata in from local files
    primary.xml.gz            100% |=========================| 127 kB    00:00
    livna     : ################################################## 380/380
    Added 380 new packages, deleted 0 old in 1.36 seconds
    primary.xml.gz            100% |=========================| 371 kB    00:00
    updates-re: ################################################## 1053/1053
    Added 0 new packages, deleted 13 old in 0.93 seconds
Yum has set up the installation process and integrated online repositories for installation of software. This feature is the reason why Fedora does not need a URL source for installing OpenVPN. The repository metadata contains information about location, availability and dependencies between packages. And resolving dependencies is yum's next step:
    Parsing package install arguments
    Resolving Dependencies
    --> Populating transaction set with selected packages. Please wait.
    ---> Downloading header for openvpn to pack into transaction set.
    openvpn-2.0.2-1.fc4.i386. 100% |=========================|  18 kB    00:00
    ---> Package openvpn.i386 0:2.0.2-1.fc4 set to be updated
    --> Running transaction check
    --> Processing Dependency: liblzo.so.1 for package: openvpn
    --> Restarting Dependency Resolution with new changes.
    --> Populating transaction set with selected packages. Please wait.
    ---> Downloading header for lzo to pack into transaction set.
    lzo-1.08-4.i386.rpm       100% |=========================| 3.2 kB    00:00
    ---> Package lzo.i386 0:1.08-4 set to be updated
    --> Running transaction check
    Dependencies Resolved
OpenVPN needs the lzo library for installation, and yum is about to resolve this dependency. In a next step yum tests whether this library has unresolved dependencies. This is not the case, and so we are presented with an overview of the packages to be installed:
    =============================================================================
     Package        Arch     Version        Repository     Size
    =============================================================================
    Installing:
     openvpn        i386     2.0.2-1.fc4    extras         298 k
    Installing for dependencies:
     lzo            i386     1.08-4         extras         59 k
    Transaction Summary
    =============================================================================
    Install      2 Package(s)
    Update       0 Package(s)
    Remove       0 Package(s)
    Total download size: 357 k
    Is this ok [y/N]:y
Confirm by entering y and press the return key. Yum will start downloading the required packages.
    Downloading Packages:
    (1/2): lzo-1.08-4.i386.rp 100% |=========================|  59 kB    00:00
    (2/2): openvpn-2.0.2-1.fc 100% |=========================| 298 kB    00:00
    warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 1ac70ce6
    public key not available for lzo-1.08-4.i386.rpm
    Retrieving GPG key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
    Importing GPG key 0x1AC70CE6 "Fedora Pre Extras Release <pre-extras@fedoraproject.org>"
    Is this ok [y/N]: y
The RPM process that yum is using to install the software packages has encountered a missing public key. This PGP key is used to verify the authenticity of the packages selected for installation. Confirm the import of this key from fedoraproject.org by entering y and pressing the return key.
    Key imported successfully
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing: lzo                          ######################### [1/2]
      Installing: openvpn                      ######################### [2/2]
    Installed: openvpn.i386 0:2.0.2-1.fc4
    Dependency Installed: lzo.i386 0:1.08-4
    Complete!
    [root@fedora etc]#
That's all. Yum has downloaded, checked and installed openvpn and the lzo libraries.
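The replacement yum.conf is fetched over plain HTTP and decides which repositories yum trusts, so it is worth checking that every repository it defines still enforces the GPG signature check described above. The script below is an added example, not part of the original tutorial; it assumes INI-style yum configuration in which a repository's own gpgcheck overrides [main] and an unset value is read as disabled.

```shell
#!/bin/sh
# Added example: list yum repositories whose packages would be installed
# without a GPG signature check.
#
# Assumptions of this example (not taken from the tutorial):
#   - configuration is INI-style: [main] plus one [section] per repository
#   - a repository's own gpgcheck= overrides the value set in [main]
#   - an unset gpgcheck is read conservatively as "disabled"
#   - 1, yes and true (any case) count as enabled

unverified_repos() {
    # Arguments: one or more yum configuration files, for example
    # /etc/yum.conf followed by /etc/yum.repos.d/*.repo
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            if (section != "main" && !(section in seen)) {
                seen[section] = 1
                order[++count] = section
            }
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {                  # remember the setting
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t\r]+$/, "", value)
            value = tolower(value)
            if (section == "main") main_value = value
            else repo_value[section] = value
        }
        END {                                       # evaluate after all files
            for (i = 1; i <= count; i++) {
                name = order[i]
                effective = (name in repo_value) ? repo_value[name] : main_value
                if (effective != "1" && effective != "yes" && effective != "true")
                    print name
            }
        }
    ' "$@"
}

# Stand-alone use: ./check-yum-gpg.sh /etc/yum.conf /etc/yum.repos.d/*.repo
if [ "$#" -gt 0 ]; then
    bad=$(unverified_repos "$@")
    if [ -n "$bad" ]; then
        echo "repositories without GPG checking:" >&2
        echo "$bad" >&2
        exit 1
    fi
    echo "all repositories enforce gpgcheck"
fi
```

Run it against the downloaded file before the first yum install; a non-empty list means packages from those repositories are accepted unsigned.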
Installing OpenVPN on RPM-based systems
On both SuSE and Fedora, there is another possible way to install OpenVPN. The command line interface rpm is available on all systems using the redhat package management system. rpm is a very powerful command that can install, remove, update, test and query software packages. Installing software with rpm is done in three steps:
- Downloading the software
- Testing installation and resolving dependencies
- Installing the rpm files with the appropriate rpm command
Whenever you run into problems with rpm, its manpage is the best reference for all of its abundant options.
The best place to look for the right version of OpenVPN under SuSE will be ftp://ftp.suse.com/; Fedora rpms can be obtained from Dag Wieers' site http://dag.wieers.com/packages/openvpn/. The command line snapshot below shows the typical process of obtaining and installing openvpn on SuSE 9.3, but this procedure will work exactly the same way on Fedora or any other rpm-based system.
Using wget to download OpenVPN rpms
Enter wget 'ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/openvpn-2.0-5.i586.rpm' on your SuSE system to download openvpn in version 2.0.5.
    suse93:~/ # wget 'ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/openvpn-2.0-5.i586.rpm'
    --09:17:50--  ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/openvpn-2.0-5.i586.rpm
               => `openvpn-2.0-5.i586.rpm.1'
    Auflösen des Hostnamen ftp.suse.com.... 195.135.221.132
    Connecting to ftp.suse.com|195.135.221.132|:21... verbunden.
    Anmelden als anonymous ... Angemeldet!
    ==> SYST ... fertig.    ==> PWD ... fertig.
    ==> TYPE I ... fertig.  ==> CWD /pub/suse/i386/9.3/suse/i586 ... fertig.
    ==> PASV ... fertig.    ==> RETR openvpn-2.0-5.i586.rpm ... fertig.
    Länge: 293,771 (287K) (unmaßgeblich)
    100%[==============================>] 293,771 3.15K/s ETA 00:00
    09:19:38 (4.10 KB/s) - `openvpn-2.0-5.i586.rpm' saved [293771]
    suse93:~/ #
After downloading the file, you can use rpm to test the installation.
Testing installation and installing with rpm
One of the very interesting features of rpm is that you can test the installation of a specific rpm file in a dry-run. This is done with the command: rpm -ivh --test openvpn-2.0.2-0.1.i586.rpm. The options are simple:
- -i stands for install,
- -v means verbose output
- -h prints a progress bar.
- --test lets rpm do a dry-run to install the package.
In almost all cases you will receive the following output:
    suse93:~ # rpm -ivh --test openvpn-2.0-5.i586.rpm
    Preparing...                ########################################### [100%]
    suse93:~ #
OK, rpm reports no errors, so we can install OpenVPN without the test switch:
    suse93:~ # rpm -ivh openvpn-2.0-5.i586.rpm
Installing OpenVPN and the lzo library with wget and rpm
If your system is still missing the lzo library, our test-installation will fail. rpm reports an error, already pointing you to the solution: We have to download the rpm and install it. Again, wget is a good choice for this issue:
    suse93:~ # wget 'ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/lzo-1.08-107.i586.rpm'
A good idea may be creating a local directory and downloading both rpm files to this directory.
    suse93:~ # mkdir openvpn-rpms
    suse93:~ # cd openvpn-rpms
    suse93:~/openvpn-rpms # wget 'ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/lzo-1.08-107.i586.rpm'
    (...)
    suse93:~/openvpn-rpms # wget 'ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/openvpn-2.0-5.i586.rpm'
    (...)
    suse93:~/openvpn-rpms # rpm -ivh *rpm
    Preparing...                ########################################### [100%]
       1:openvpn                ########################################### [ 50%]
       2:lzo                    ########################################### [100%]
    suse93:~/openvpn-rpms #
As the last command shows, you can call rpm with wildcards and order it to install all rpm files it finds in this directory at once.
Rpm can also take a remote location for the package to be installed, but this only works if there are no dependencies. Because this can only be checked after download, you may have to try several times. This is why wget is the better choice in most cases.
    suse93:~ # rpm -Uvh 'ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/openvpn-2.0-5.i586.rpm'
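The packages above arrive over anonymous FTP, and rpm -ivh does not insist on a signature from a key you trust, so a signature check belongs between the download and the install. The following wrapper is an added example, not from the original tutorial; the function names are hypothetical and the rpm -K output shapes it recognises are assumptions listed in its comments.

```shell
#!/bin/sh
# Added example: install a downloaded RPM only if "rpm -K" reports a
# verified signature, not merely intact digests.
#
# Assumption of this example: the result line has the shapes shown in the
# constructed samples below, where lower-case words are checks that passed
# and upper-case words are checks that failed.
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK                          signed, key known
#   pkg.rpm: sha1 md5 OK                                         unsigned
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: ..) key not imported
#   pkg.rpm: digests signatures OK                               newer rpm, signed
#   pkg.rpm: digests OK                                          newer rpm, unsigned

classify_checksig() {
    # $1: one result line from "rpm -K <file>"
    # prints: signed-ok | unsigned | failed
    result=${1#*: }                      # drop the "file.rpm: " prefix
    case "$result" in
        *"NOT OK"*) echo failed; return 0 ;;
        *OK)        ;;                   # continue with the signature test
        *)          echo failed; return 0 ;;
    esac
    case " $result " in
        *" gpg "*|*" pgp "*|*" signatures "*) echo signed-ok ;;
        *)                                    echo unsigned ;;
    esac
}

install_if_signed() {
    # $1: path to a local .rpm file
    # The verdict comes from the text of the result line, because a package
    # with no signature at all still passes its digest checks.
    line=$(rpm -K "$1" 2>/dev/null) || true
    verdict=$(classify_checksig "$line")
    if [ "$verdict" = signed-ok ]; then
        rpm -ivh "$1"
    else
        echo "refusing to install $1: $verdict" >&2
        echo "  rpm -K said: $line" >&2
        return 1
    fi
}

# Stand-alone use: ./install-signed.sh openvpn-2.0-5.i586.rpm lzo-1.08-107.i586.rpm
if [ "$#" -gt 0 ]; then
    for pkg in "$@"; do
        install_if_signed "$pkg" || exit 1
    done
fi
```

A "failed" verdict with MISSING KEYS means the distributor's public key has not been imported yet; import it from a source you trust and run the check again.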
Using rpm to obtain information on the installed OpenVPN version
You can use rpm to query the software database by adding options beginning with -q to the command:
    [root@fedora openvpn]# rpm -qi openvpn
    Name        : openvpn                      Relocations: (not relocatable)
    Version     : 2.0.2                             Vendor: (none)
    Release     : 1.fc4                         Build Date: Sat 27 Aug 2005 05:01:57 PM CEST
    Install Date: Mon 29 Aug 2005 11:35:27 AM CEST  Build Host: hammer1.fedora.redhat.com
    Group       : Applications/Internet         Source RPM: openvpn-2.0.2-1.fc4.src.rpm
    Size        : 632024                           License: GPL
    Signature   : DSA/SHA1, Sun 28 Aug 2005 10:19:53 PM CEST, Key ID 82ed95041ac70ce6
    URL         : http://openvpn.net/
    Summary     : A full-featured SSL VPN solution
    Description :
    OpenVPN is a robust and highly flexible tunneling application that
    uses all of the encryption, authentication, and certification features
    of the OpenSSL library to securely tunnel IP networks over a single
    UDP or TCP port. It can use the Marcus Franz Xaver Johannes
    Oberhumer's LZO library for compression.
    [root@fedora openvpn]#
Whereas rpm -qi provides information about the installed version, rpm -ql will print all files that have been installed by this software package including their full path:
    [root@fedora ~]# rpm -ql openvpn
    /etc/openvpn
    /etc/rc.d/init.d/openvpn
    /usr/lib/openvpn
    /usr/lib/openvpn/plugin
    /usr/lib/openvpn/plugin/lib
    /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so
    /usr/lib/openvpn/plugin/lib/openvpn-down-root.so
    /usr/sbin/openvpn
    /usr/share/doc/openvpn-2.0.2
    /usr/share/doc/openvpn-2.0.2/AUTHORS
    /usr/share/doc/openvpn-2.0.2/COPYING
    /usr/share/doc/openvpn-2.0.2/COPYRIGHT.GPL
    /usr/share/doc/openvpn-2.0.2/INSTALL
The following table shows the function of the most important directories and files of this list:
| Full Path and file installed by openvpn | function |
|---|---|
| /etc/openvpn | directory containing configuration files |
| /etc/init.d/openvpn, /usr/sbin/rcopenvpn | start/stop script for services |
| /usr/sbin/openvpn | the binary |
| /usr/share/doc/openvpn | documentation files |
| /usr/share/man/man8/openvpn.8.gz | manual page |
| /usr/share/doc/openvpn/examples/sample-config-files | example configuration files |
| /usr/share/doc/openvpn/examples/sample-keys | example keys and certificates |
| /usr/share/doc/openvpn/examples/easy-rsa | easy rsa - a collection of scripts useful for creating tunnels |
| /usr/share/doc/openvpn/changelog.Debian.gz, /usr/share/doc/openvpn/changelog.gz | version history |
| /usr/share/openvpn/verify-cn | verify-cn function (revoke command) |
| /usr/lib/openvpn/openvpn-auth-pam.so, /usr/lib/openvpn/openvpn-down-root.so | libraries for PAM-Authentication and chroot mode |
| /usr/share/doc/packages/openvpn/suse, /usr/share/doc/packages/openvpn/suse/openvpn.init | SuSE specific start/stop scripts |
| /var/run/openvpn | Process ID of the running openvpn process |
Installing OpenVPN on Debian
Probably the easiest distribution to install OpenVPN is Debian. Just type apt-get install openvpn, answer two questions and OpenVPN is installed and can be used.
The Debian package management system is capable of solving all issues that might occur during the installation. If your system is configured correctly, the automatic installation covers these steps:
- the installation helper apt-get will find the software on the installation servers,
- download the chosen package,
- and unpack it to your local system.
- An interactive configuration script is executed and configures your system and the newly installed software for later usage with the parameters you enter.
Below is the standard output of apt-get install openvpn on a Debian system. Depending on your previous software selection this output may vary, and in many cases the compression library lzo will have to be installed. On some systems apt will install openssl libraries, but in most cases, apt-get is able to solve all problems for you.
    debian01:~# apt-get install openvpn
    Reading Package Lists... Done
    Building Dependency Tree... Done
    The following NEW packages will be installed:
      openvpn
    0 upgraded, 1 newly installed, 0 to remove and 7 not upgraded.
    Need to get 293kB of archives.
    After unpacking 762kB of additional disk space will be used.
    Get:1 http://ftp.uni-erlangen.de testing/main openvpn 2.0-4 [293kB]
    Fetched 293kB in 1s (247kB/s)
    Preconfiguring packages ...
    Selecting previously deselected package openvpn.
    (Reading database ... 9727 files and directories currently installed.)
    Unpacking openvpn (from .../openvpn_2.0-4_i386.deb) ...
    Setting up openvpn (2.0-4) ...
    Restarting virtual private network daemon:.
    debian01:~#
During this process, you will be prompted to answer the following two questions:
You have to allow apt to create a tun/tap device for use by OpenVPN software. If you click No here, your tunnels will not be created, and your tunnel software won't work.
The second question raises a security issue: OpenVPN software should be stopped during an update, so you have to select YES and hit return.
You have to stop the old tunnel software when an update is running. All tunneling will be stopped, and your users may not be able to connect to your system during this time. From now on, all tunnels are created by the new OpenVPN software including patches and bugfixes. This is the safe way to go.
However, if you choose No, you risk that the old software and libraries are still running, even after installation of the new OpenVPN software. Bugfixes and patches of the new version may not apply to existing tunnels until they are started again. You may run into serious inconsistencies on your system if you have several tunnels and they are running different versions of your software. Thus it is safer to have a short time where users may not be able to connect.
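One way to confirm the point above after an upgrade is to look for openvpn processes whose executable was replaced on disk while they kept running. This is an added example, not part of the original tutorial; the function names are hypothetical, and it relies on Linux marking the /proc/<pid>/exe link of such a process with the suffix " (deleted)".

```shell
#!/bin/sh
# Added example: after upgrading the openvpn package, list daemons that
# still execute the old binary.
#
# Linux marks the /proc/<pid>/exe link of a process whose executable file
# was replaced or removed on disk with the suffix " (deleted)".
# Assumptions of this example: the binary is named "openvpn", and the
# script runs as root so that other users' exe links are readable.

stale_openvpn_pids() {
    # $1: proc root (defaults to /proc; a test tree may be passed instead)
    # prints one PID per line
    proc_root=${1:-/proc}
    for exe in "$proc_root"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            */openvpn" (deleted)")
                pid_dir=${exe%/exe}
                echo "${pid_dir##*/}"
                ;;
        esac
    done
}

report_stale_openvpn() {
    # Returns 0 when every running openvpn uses the binary currently on disk.
    stale=$(stale_openvpn_pids "$@")
    if [ -z "$stale" ]; then
        echo "no openvpn process is running a replaced binary"
        return 0
    fi
    echo "openvpn processes still running the pre-upgrade binary:" >&2
    for pid in $stale; do
        echo "  pid $pid" >&2
    done
    echo "restart these tunnels so the new version takes effect" >&2
    return 1
}

# Stand-alone use: ./stale-openvpn.sh check
if [ "${1:-}" = check ]; then
    report_stale_openvpn
fi
```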
Installing Debian packages
Software packages for Debian systems are provided in the so-called deb file format. Deb files are usually stored in online repositories on ftp or web servers, and every Debian system holds a list of repositories to be used for installation. You will find this list in /etc/apt/sources.list. The setup program base-config provides a menu-based configuration interface for apt.
If you want to add source repositories to your Debian installation, type base-config and change to the menu configure apt. Select the country you live in and the repository of your choice. Confirm with OK. Now all software packages of this server can automatically be installed on your system, as simply as apt-get install <package>.
A Debian package contains the software and information about it like name, version, description, contents, prerequisites, dependencies and configuration scripts to be started after installation.
Debian systems offer some very powerful programs with which you can control software installation very specifically. Listing all programs and options would go far beyond the scope of this article, but here is a short overview of handy package management commands:
| command | function |
|---|---|
| apt-get install <package> | installs the selected package from repositories listed in /etc/apt/sources.list |
| apt-get remove <package> | removes the selected package from your system |
| apt-get update | updates the list of available packages on the repositories listed in /etc/apt/sources.list |
| apt-get upgrade | installs the latest available versions of all your installed software |
| apt-get dist-upgrade | installs the latest available plus new software related to your config. |
| dpkg-reconfigure | (re)start the configuration script inside the package. This will bring up the menu-based dialogs like after installation. |
| apt-cache show <package> | prints detailed information about the software package |
| dpkg -l <package> | prints information on the installed software package |
| dpkg -L <package> | lists all files installed by the software package |
| dpkg -i <file> | install a local (.deb) file to your system |
| dpkg -S <file> | prints information about the software package owning <file> |
| apt-cache search <string> | searches apt database for packages containing <string> in their name and description |
These programs should solve all possible questions, issues and problems about the installation of software on debian systems. Just try these commands with the freshly installed openvpn package on your system. Type apt-cache show openvpn to receive information about the installed package:
```
debian:~# apt-cache show openvpn
Package: openvpn
Priority: optional
Section: net
Installed-Size: 744
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Architecture: i386
Version: 2.0-4
Depends: debconf, libc6 (>= 2.3.2.ds1-21), liblzo1, libssl0.9.7
Filename: pool/main/o/openvpn/openvpn_2.0-4_i386.deb
Size: 293492
MD5sum: dcc638e084f7b3143c614a33b26d5750
Description: Virtual Private Network daemon
 An application to securely tunnel IP networks over a single UDP or TCP port.
 It can be used to access remote sites, make secure point to point
 connnections, enhance WiFi security, etc.
 .
 OpenVPN uses all of the encryption, authentication, and certification
 features of the OpenSSL library (any cipher, key size, or HMAC digest).
 .
 OpenVPN may use static, pre-shared keys or TLS-based dynamic key exchange.
 It also supports VPNs with dynamic endpoints (DHCP or dial-up clients),
 tunnels over NAT or connection-oriented stateful firewalls (like Linux's
 iptables).
Tag: security::cryptography, interface::daemon
debian:~#
```
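The Size and MD5sum fields of this stanza can be used to check a .deb file that was copied from elsewhere before it is handed to dpkg -i. The following is an added example, not part of the original tutorial; the function names are made up for it, and the preference for a SHA256 field is an assumption about newer package indices (the stanza on this page only carries MD5sum, which protects against corruption but is too weak to rely on against deliberate tampering).

```shell
#!/bin/sh
# Added example (not from the original tutorial): compare a local .deb with
# the Size and digest fields of a saved "apt-cache show <package>" stanza.

# stanza_field STANZA_FILE NAME
# Prints the value of the first line that starts with "NAME: ".
stanza_field() {
    awk -v key="$2" '
        index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }
    ' "$1"
}

# verify_deb STANZA_FILE DEB_FILE
# Returns 0 if size and digest match, 1 on mismatch, 2 on unusable input.
verify_deb() {
    stanza=$1
    deb=$2
    [ -r "$stanza" ] && [ -r "$deb" ] || { echo "cannot read input" >&2; return 2; }

    want_size=$(stanza_field "$stanza" Size)
    have_size=$(( $(wc -c < "$deb") ))
    if [ "$want_size" != "$have_size" ]; then
        echo "size mismatch: index says $want_size, file has $have_size" >&2
        return 1
    fi

    # Prefer the stronger digest when the stanza offers one.
    want=$(stanza_field "$stanza" SHA256)
    tool=sha256sum
    if [ -z "$want" ]; then
        want=$(stanza_field "$stanza" MD5sum)
        tool=md5sum
    fi
    [ -n "$want" ] || { echo "stanza has no digest field" >&2; return 2; }

    have=$($tool "$deb" | awk '{ print $1 }')
    if [ "$want" != "$have" ]; then
        echo "$tool mismatch for $deb" >&2
        return 1
    fi
    echo "OK ($tool, $have_size bytes)"
}

# Usage: apt-cache show openvpn > stanza.txt
#        sh verify_deb.sh stanza.txt openvpn_2.0-4_i386.deb
if [ "$#" -eq 2 ]; then
    verify_deb "$1" "$2"
fi
```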
Using aptitude to search and install packages
Although the Debian command line tools are very powerful, there are more programs that help you retrieve and install software. Probably the most common software for this purpose is aptitude. Type aptitude in a command line to start the menu-based installation interface.
Note. If aptitude is not installed on your system, type apt-get install aptitude.
Aptitude consists of a menu at the top of the screen, a list of packages and a window showing details on the software selected in the package list. If you have console mouse support, you can click on menu entries.
Click on the menu entry Search, or hit the F10 key and navigate to the menu Search. Select the entry Find. You will be prompted with a search mask. Enter openvpn. While you are typing, aptitude is steadily updating the main window. Click OK and have a look at the output.
Aptitude will find the OpenVPN version you have installed previously. The entries in the menus Action and Package help you select and install software. Depending on the selection of repositories you have added to your sources.list during installation, aptitude can also help you choose different versions of openvpn.
OpenVPN - The Files installed on Debian
The following table gives an overview over the files installed by the debian package management system:
| Full path and file installed by openvpn | function |
|---|---|
| /etc/openvpn | directory containing configuration files |
| /etc/network/if-up.d/openvpn, /etc/network/if-down.d, /etc/network/if-down.d/openvpn | start/stop openvpn when the network goes up/down |
| /etc/init.d/openvpn | start/stop script for services |
| /sbin/openvpn | the binary |
| /usr/share/doc/openvpn | documentation files |
| /usr/share/man/man8/openvpn.8.gz | manual page |
| /usr/share/doc/openvpn/examples/sample-config-files | example configuration files |
| /usr/share/doc/openvpn/examples/sample-keys | example keys |
| /usr/share/doc/openvpn/examples/easy-rsa | easy-rsa, a collection of scripts useful for creating tunnels |
| /usr/share/doc/openvpn/changelog.Debian.gz, /usr/share/doc/openvpn/changelog.gz | version history |
| /usr/share/openvpn/verify-cn | verify-cn function (revoke command) |
| /usr/lib/openvpn/openvpn-auth-pam.so, /usr/lib/openvpn/openvpn-down-root.so | libraries for PAM-Authentication and chroot mode |
Installing OpenVPN on FreeBSD
FreeBSD and BSD in general are UNIX systems of outstanding stability and security and are therefore very popular among network administrators. Unfortunately, the price for the FreeBSD philosophy concerning security is that this system is rather conservative concerning new software versions. In practice this means that you do not have to worry much about security issues of the software you install, but you may not always get up-to-date versions.
FreeBSD also has a modern software management. Simply type pkg_add -vr openvpn, and OpenVPN software is installed on your system. Calling pkg_add with the parameter -r installs software from remote servers, similar to apt-get or rpm. If you run into problems, increasing verbosity with the parameter -v can be helpful.
The following excerpt shows the output of pkg_add:
```
freebsd# pkg_add -vr openvpn
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
setting passive mode
opening data connection
initiating transfer
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/Latest/openvpn.tbz...x +CONTENTS
x +COMMENT
(...)
x share/doc/openvpn/sample-scripts/verify-cn
tar command returns 0 status
Done.
Package 'openvpn-1.6.0' depends on 'lzo-1.08_1' with 'archivers/lzo' origin.
setting passive mode
opening data connection
initiating transfer
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/lzo-1.08_1.tbz...x +CONTENTS
(...)
tar command returns 0 status
Done.
Finished loading lzo-1.08_1 over FTP.
extract: Package name is lzo-1.08_1
(...)
'lzo-1.08_1' loaded successfully.
(...)
extract: Package name is openvpn-1.6.0
(...)
Package openvpn-1.6.0 registered in /var/db/pkg/openvpn-1.6.0
### ---------------------------------------------------------------------- ###
### To use the tap driver, you may need to do: kldload if_tap ###
### See ${PREFIX}/etc/rc.d/openvpn.sh.sample for how to do this ###
### automatically at system boot-up time. ###
### ---------------------------------------------------------------------- ###
### To retain backwards compatibility of OpenVPN 1.3.0 with OpenVPN peers ###
### that run older versions (back to 1.1.0), you will have to set the MTU ###
### explicitly by command line options since OpenVPN 1.3.0. ###
### ###
### When connecting to 1.4.X or older peers with a TAP-style tunnel, set ###
### --tun-mtu 1500 --tun-mtu-extra 32 on the peer. ###
### ###
### When using TLS security and your peer runs OpenVPN 1.3.X, the PEER ###
### must use --disable-occ. This version of OpenVPN cannot use TLS mode ###
### to peers running OpenVPN 1.2.x or older. ###
### ###
### Note: use at most --verb 4 for regular use, --verb 5 is for debugging ###
### ---------------------------------------------------------------------- ###
freebsd#
```
pkg_add looks for an appropriate install candidate, downloads it and checks for dependencies. Because lzo is required but not installed, pkg_add starts over with downloading this package first. After successful installation of lzo, openvpn is installed. When called with the parameter -v, pkg_add gives you also a list of all files installed.
After this installation, there are four issues to be noticed:
- The openvpn binary is not in the standard path. Call openvpn with full path or add its path to your startup file.
- In our example OpenVPN version 1.6.0 was installed. There are some features of version 2.0 that can not be used. The section below shows how you can install a newer version on your system.
- The standard configuration files path is /usr/local/etc/openvpn/.
- The init script used to start openvpn and its tunnels at system boot must be edited before we can use it.
The OpenVPN installation on FreeBSD provides a sample startup script that needs a little editing, after which it can be used at system boot. It is located in /usr/local/etc/rc.d/openvpn.sh. Copy this file to /etc/rc.d/openvpn and correct the path variables to your needs. To start openvpn at boot time, we have to change three entries in the file /etc/rc.conf, which contains the startup configuration for the services.
Simply add the following lines to your /etc/rc.conf, or edit the existing entries to these values:
```
openvpn_enable="YES"
openvpn_if=tun
openvpn_dir=/etc/openvpn
```
If you have set correct paths in your init script, openvpn will be started the next time you boot your system.
Installing a newer version of OpenVPN on FreeBSD: the port system
If you want to install OpenVPN version 2.0 on FreeBSD, you can install a FreeBSD port of openvpn. But before that, we should uninstall the version of OpenVPN we have just installed. Just type pkg_delete openvpn-1.6.0.
```
freebsd# pkg_delete openvpn-1.6.0
```
Then browse to the FreeBSD website www.freebsd.org, which is the first place to look for documentation, help and software for FreeBSD. Click on the link Ported Applications in the section Software, which will lead you to http://www.freebsd.org/ports/index.html. The ports are patches (tar.gz files) to the original source code of applications plus download routines and information for the software installation management.
Installing the port system with sysinstall
To make use of these ports, the so-called port system has to be installed on your machine. This can easily be done with FreeBSD's setup tool called sysinstall. Start it by typing sysinstall.
Use the up/down keys to select the entry Configure and press Enter. In the following window called FreeBSD Configuration Menu we change to the module Distributions.
The distributions dialog contains many different distributions to install, but only The FreeBSD Ports collection is relevant for our purpose. Activate this entry with your space bar and hit return. You will be asked to choose a source from where you want to install these ports, just confirm with enter here (3 times). The Port system is being downloaded and installed.
Downloading and installing a BSD port
Now we must download the port package from the bsd website and extract it to a local folder. Point your browser to http://www.freebsd.org/ports/index.html, enter openvpn in the search field and click on the button Submit.
As the result of your search, you will be presented with openvpn in version 2.0.2 or newer in the section security. Click on the download link and save the tarball to a local directory.
Enter this directory and type make. The port system will fetch the appropriate sources for this port, patch them and start the compilation process. When make has finished, type make install to install the binaries in your system.
```
freebsd# make install
===> Installing for openvpn-2.0.2
===> openvpn-2.0.2 depends on shared library: lzo.1 - found
===> Generating temporary packing list
===> Checking if security/openvpn already installed
test -z "/usr/local/sbin" || /root/openvpn/work/openvpn-2.0.2/install-sh -d "/usr/local/sbin"
install -s -o root -g wheel -m 555 'openvpn' '/usr/local/sbin/openvpn'
(...)
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/openvpn
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/openvpn.sh
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://openvpn.sourceforge.net/
freebsd#
```
That's it. A new version of OpenVPN has successfully been installed on your system. You can test it with /usr/local/sbin/openvpn --version.
If you need more details on installing and running OpenVPN on, have a look at these websites: http://blog.innerewut.de/articles/2005/07/04/openvpn-2-0-on-openbsd and http://blog.innerewut.de/articles/2005/07/08/improving-openvpn-s-security.
Troubleshooting advanced Installation methods
Normally, the techniques discussed above should work fine for any platform. However, I want to provide advanced installation techniques that will enable you to install OpenVPN in situations where the other standard methods fail.
Our next installation example, installing from source code, will cover a procedure that is possible on every platform and enables the administrator to change the basic behavior of OpenVPN. Many developers and administrators consider this the should-be standard installation procedure for all systems. There are some advantages regarding stability and performance that can only be optimized for your individual system by compiling as much relevant software as possible (the gentoo approach...). In most cases, however, the installation tools provided with the systems are much easier to use. But if you are looking for detailed debugging information, the source code will be the first choice.
When building OpenVPN from sources, there is also the possibility to produce rpm files for your SuSE or Redhat systems, which is covered in the second section. The last troubleshooting hint may be useful for anybody who runs a self-compiled kernel and needs to activate the TUN/TAP driver in it, which should only seldom be necessary.
Installing OpenVPN from sources
Provided that your system has installed several basic development tools like make and a C compiler, the following guideline is system-independent. Based on a Debian system, we will download OpenVPN source code and install it using make and configure. As prerequisites we have to install the compression library liblzo, the corresponding development package liblzo-devel and the headers of openssl, libssl-devel. On debian with kernel 2.6., simply type apt-get install liblzo1 liblzo-dev libssl-dev:
```
debian01:~# apt-get install liblzo1 liblzo-dev and libssl-dev
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
  and liblzo-dev liblzo1 libssl-dev
0 upgraded, 4 newly installed, 0 to remove and 7 not upgraded.
Need to get 23.5kB/2726kB of archives.
After unpacking 8040kB of additional disk space will be used.
Get:1 http://ftp.uni-erlangen.de testing/main and 1.2.1-2 [23.5kB]
Fetched 23.5kB in 0s (50.7kB/s)
Selecting previously deselected package and.
(Reading database ... 11232 files and directories currently installed.)
Unpacking and (from .../archives/and_1.2.1-2_i386.deb) ...
Selecting previously deselected package liblzo1.
Unpacking liblzo1 (from .../liblzo1_1.08-2_i386.deb) ...
Selecting previously deselected package liblzo-dev.
Unpacking liblzo-dev (from .../liblzo-dev_1.08-2_i386.deb) ...
Selecting previously deselected package libssl-dev.
Unpacking libssl-dev (from .../libssl-dev_0.9.7e-3_i386.deb) ...
Setting up and (1.2.1-2) ...
Starting auto nice daemon: and.
Setting up liblzo1 (1.08-2) ...
Setting up liblzo-dev (1.08-2) ...
Setting up libssl-dev (0.9.7e-3) ...
debian01:~#
```
As the next step, we have to download the openvpn source code.
```
debian01:~# wget 'http://openvpn.net/release/openvpn-2.0.2.tar.gz'
```
We have to untar the tar.gz archive to a local directory:
```
debian01:~# tar -xzf openvpn-2.0.2.tar.gz
```
A directory called openvpn-2.0.2 is created. The name of this directory depends on the version you downloaded. Change into this directory and type ./configure.
```
debian01:~/openvpn-2.0.2# ./configure
checking for ifconfig... /sbin/ifconfig
checking for ip... ip
checking for route... /sbin/route
checking build system type... i686-pc-linux
checking host system type... i686-pc-linux
checking target system type... i686-pc-linux
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
(...)
checking for SSL_CTX_new in -lssl... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating openvpn.spec
config.status: creating config-win32.h
config.status: creating install-win32/openvpn.nsi
config.status: creating config.h
config.status: executing depfiles commands
debian01:~/openvpn-2.0.2#
```
You will receive some screens full of output. The configure script checks for software dependencies and the compatibility of the source code with your system, and creates a so-called makefile which is used as a sort of guideline for later compilation. The command make interprets the makefile and compiles the program and all needed libraries. Type make to start this process.
```
debian01:~/openvpn-2.0.2# make
make all-am
make[1]: Entering directory `/root/openvpn-2.0.2'
if gcc -DHAVE_CONFIG_H -I. -I. -I. -I. -g -O2 -MT base64.o -MD -MP -MF ".deps/base64.Tpo" -c -o base64.o base64.c; \
then mv -f ".deps/base64.Tpo" ".deps/base64.Po"; else rm -f ".deps/base64.Tpo"; exit 1; fi
(...)
```
On slow systems, you can have a coffee now. OpenVPN and its components are compiled now. Make calls gcc with parameters according to the makefile that configure has created. Gcc compiles the source code files to binary files you (or your operating system) can execute. These binary files have to be installed to the proper places in your system. Type make install to accomplish that:
```
debian01:~/openvpn-2.0.2# make install
make[1]: Entering directory `/root/openvpn-2.0.2'
test -z "/usr/local/sbin" || mkdir -p -- . "/usr/local/sbin"
/usr/bin/install -c 'openvpn' '/usr/local/sbin/openvpn'
test -z "/usr/local/man/man8" || mkdir -p -- . "/usr/local/man/man8"
/usr/bin/install -c -m 644 './openvpn.8' '/usr/local/man/man8/openvpn.8'
make[1]: Leaving directory `/root/openvpn-2.0.2'
debian01:~/openvpn-2.0.2#
```
We see that only three files are installed: /usr/local/sbin/openvpn and two manual pages. Now openvpn is ready to be used on your system. If you don't believe it, just type openvpn --version:
```
debian01:~/openvpn-2.0.2# openvpn --version
OpenVPN 2.0.2 i686-pc-linux [SSL] [LZO] [EPOLL] built on Sep 4 2005
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
debian01:~/openvpn-2.0.2#
```
The OpenVPN binary used was compiled (built) on September 4, 2005 and is available in your Path.
Building your own rpm file from the OpenVPN source code
As you may have seen in the section on Redhat and SuSE, RPM files are quite handy: You can copy them to any other system of the same type and have them installed automatically. If you need to use a specific version of OpenVPN, you may want to create your own rpm files from a source code file and distribute them to your servers. This may sound complicated, but it is done with one single command (and some prerequisites).
The program rpmbuild can create rpms for your platform from an ordinary tar.gz source code archive. Download the newest stable version of OpenVPN and enter the command rpmbuild -tb openvpn-2.0.2.tar.gz. Replace the filename with the name of the file you want to install.
```
suse93:~ # wget 'http://openvpn.net/release/openvpn-2.0.2.tar.gz'
suse93:~ # rpmbuild -tb openvpn-2.0.2.tar.gz
error: Failed build dependencies:
        openssl-devel >= 0.9.6 is needed by openvpn-2.0.2-1
        pam-devel is needed by openvpn-2.0.2-1
suse93:~ #
```
Rpmbuild has failed on this SuSE system because two libraries are missing. On SuSE systems, you simply install them with YaST; on Redhat systems, you can use yum. After installing them, start rpmbuild again:
```
suse93:~ # rpmbuild -tb openvpn-2.0.2.tar.gz
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.62341
+ umask 022
+ cd /usr/src/packages/BUILD
+ cd /usr/src/packages/BUILD
+ rm -rf openvpn-2.0.2
+ /usr/bin/gzip -dc /root/openvpn-2.0.2.tar.gz
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd openvpn-2.0.2
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chown -Rhf root .
(...)
Requires(preun): /bin/sh
Requires: openssl >= 0.9.6 lzo >= 1.07 pam
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/openvpn-root
Wrote: /usr/src/packages/RPMS/i586/openvpn-2.0.2-1.i586.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.68581
+ umask 022
+ cd /usr/src/packages/BUILD
+ cd openvpn-2.0.2
+ '[' /var/tmp/openvpn-root '!=' / ']'
+ rm -rf /var/tmp/openvpn-root
+ exit 0
```
While you receive several screens of output, the OpenVPN source code is configured and compiled. At the end the rpm file is placed in /usr/src/packages/RPMS/i586/ and can be installed with rpm from this location:
```
suse93:~ # rpm -ivh /usr/src/packages/RPMS/i586/openvpn-2.0.2-1.i586.rpm
Preparing... ########################################### [100%]
1:openvpn ########################################### [100%]
openvpn 0:off 1:off 2:off 3:on 4:off 5:on 6:off
Shutting down openvpn: done
Starting openvpn: done
suse93:~ #
```
Building and distributing your own .deb packages
One great feature of the Debian package management is automatic installation and update of software packages. You can install your own (individually improved and tested) OpenVPN version on all your tunnel servers automatically, simply by placing a file in your own repository. Four prerequisites have to be fulfilled for this purpose:
- Configure one of your http or ftp servers to act as a Debian repository. A detailed Howto can be found here: http://www.debian.org/doc/manuals/repository-howto/repository-howto.en.html
- Add your repository to the sources.list of all the Debian systems on which you want to install your software automatically.
- Add a cronjob to your Debian systems which runs apt-get upgrade on a regular basis.
- Create your own OpenVPN Debian file from the source code. The Debian New Maintainers' Guide (http://www.debian.org/doc/manuals/maint-guide/index.en.html) describes how you build Debian binaries.
- Place the binaries on your repository server.
The next time your debian server runs the software update, it will automatically download the new OpenVPN software.
Enabling Linux kernel support for TUN/TAP devices
If your kernel does not support TUN/TAP devices, you have to enable it in the kernel configuration. All modern Linux/Unix distributions support TUN/TAP devices, so it is very unlikely for you to run into this problem. It probably only happens if you have built your own kernel. In this case you will already guess how to enable TUN/TAP support.
If you are not running your own kernel, but your system does not support TUN/TAP devices, you have to build a kernel of your own. Even though this process is not that complicated, the documentation would go beyond the scope of this book.
The process of kernel compilation is documented in www.linuxhaven.de/dlhp/HOWTO/DE-Kernel-HOWTO.html, and the Linux kernel source code can be obtained from http://www.kernel.org/.
In short, you have to:
- Install the sources of the kernel of your choice
- Change to the directory where you installed the sources. In most cases they can be found in /usr/src/linux.
- Configure the kernel with one of the appropriate configuration tools like menuconfig or Xconfig.
- Compile the kernel and the modules using make and make modules
- Install the kernel and configure your boot manager's settings.
If you want TUN/TAP device support, you have to select the driver during the process of kernel configuration. This can be done with various tools like Xconfig or menuconfig. Xconfig is probably best when you have a workstation with a running X-Server, whereas menuconfig is best on a simple command line.
Using menuconfig to enable TUN/TAP support
The following three steps show you how to enable module support for your Linux kernel before building it.
Type make menuconfig to configure the sources of your kernel. You can navigate through menuconfig using the up/down and Tabulator keys. Select an entry by highlighting it with your cursor and pressing Return.
Select the entry Device Drivers and press Return to receive the list of available devices that the kernel source code supports.
Select Networking Support and press return.
In the list of available network drivers you will see the entry Universal TUN/TAP driver.
By pressing the spacebar you can select if the driver is loaded permanently, as a module or not at all. In the first column, a letter will show your selection. (M is for module, * for permanent, empty for not to be installed).
In the screenshot above, this driver is selected as a module, which means the driver is only loaded when needed. This is probably the best selection, because the tunnel driver is unloaded when it is not needed and system's resources are set free.
Now you can continue your kernel configuration. After compilation, installation and reboot, your system should be able to provide TUN/TAP devices.
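The three menuconfig states described above (permanent, module, not installed) can also be read from a kernel configuration file without opening menuconfig. The following is an added example, not part of the original tutorial; it assumes that the Universal TUN/TAP driver is stored under the symbol CONFIG_TUN and that the configuration is found at one of the listed paths, neither of which is stated on this page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report how the
# Universal TUN/TAP driver is configured in a kernel .config file.

# tun_support CONFIG_FILE
# Prints "builtin" (* in menuconfig), "module" (M) or "disabled" (empty).
# Accepts plain files and gzip-compressed ones such as /proc/config.gz.
tun_support() {
    kcfg=$1
    case $kcfg in
        *.gz) reader='gzip -dc' ;;
        *)    reader='cat' ;;
    esac
    # The "=" anchors the match so that longer symbols starting with
    # CONFIG_TUN are ignored; the last matching line wins.
    line=$($reader "$kcfg" 2>/dev/null |
           grep -E '^(CONFIG_TUN=|# CONFIG_TUN is not set)' | tail -n 1) || true
    case $line in
        CONFIG_TUN=y) echo builtin ;;
        CONFIG_TUN=m) echo module ;;
        *)            echo disabled ;;
    esac
}

# find_kernel_config
# Prints the first readable configuration file of the usual candidates
# (assumed locations; adjust for your distribution).
find_kernel_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz /usr/src/linux/.config; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Run as "sh tuncheck.sh --check" to inspect the local system.
if [ "${1:-}" = "--check" ]; then
    found=$(find_kernel_config) || { echo "no kernel config found" >&2; exit 2; }
    echo "TUN/TAP driver: $(tun_support "$found") (from $found)"
    if [ -c /dev/net/tun ]; then
        echo "/dev/net/tun is present"
    else
        echo "/dev/net/tun is missing"
    fi
fi
```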
Internet Links, Installation Guidelines and Help
This section of links can give you help for the installation of OpenVPN on various platforms:
OpenVPN and Debian:
http://www.debian-administration.org/articles/35
OpenVPN and SuSE:
http://freifunk.net/wiki/OpenVPN
http://sarwiki.informatik.hu-berlin.de/OpenVPN_(deutsch)
OpenVPN and Redhat:
http://mia.ece.uic.edu/~papers/volans/openvpn.html
Installing OpenVPN on devices run by OpenWRT:
OpenWRT is a Linux variant designed to run on devices like Linksys or Asus WLAN or DSL routers. These appliances have about 4 MB Flash chips, which can be used for Linux hotspots, VPN Servers, Internet Gateways and Firewalls:
http://martybugs.net/wireless/openwrt/openvpn.cgi
Summary
In this article we have seen, in numerous installations on different systems, that the OpenVPN installation is very easy. Apart from systems like SuSE, Redhat, Debian or FreeBSD that provide sophisticated installation and package management systems, OpenVPN can also easily be installed on other systems like Windows. And there are several possibilities for installing openvpn from sources and generating installation packages for your own systems.
Additional References
- For instructions on Troubleshooting OpenVPN, click here
Source
The source of this content is Chapter 4: Installing OpenVPN of http://www.packtpub.com/openvpn/book by Markus Feilner (Packt Publishing, 2007).


