summaryrefslogtreecommitdiff
path: root/openvpn/INSTALL
diff options
context:
space:
mode:
Diffstat (limited to 'openvpn/INSTALL')
-rw-r--r--openvpn/INSTALL292
1 files changed, 0 insertions, 292 deletions
diff --git a/openvpn/INSTALL b/openvpn/INSTALL
deleted file mode 100644
index a20b49f..0000000
--- a/openvpn/INSTALL
+++ /dev/null
@@ -1,292 +0,0 @@
-Installation instructions for OpenVPN, a Secure Tunneling Daemon
-
-Copyright (C) 2002-2005 OpenVPN Solutions LLC. This program is free software;
-you can redistribute it and/or modify
-it under the terms of the GNU General Public License version 2
-as published by the Free Software Foundation.
-
-*************************************************************************
-
-To download OpenVPN, go to:
-
- http://openvpn.net/download.html
-
-For step-by-step installation instructions with real-world
-examples see:
-
- http://openvpn.net/howto.html
-
-For examples see:
-
- http://openvpn.net/examples.html
-
-*************************************************************************
-
-SUPPORTED PLATFORMS:
- (1) Linux 2.2+
- (2) Solaris
- (3) OpenBSD 3.0+ (Comes with OpenSSL and TUN devices by default)
- (4) Mac OS X Darwin
- (5) FreeBSD
- (6) NetBSD
- (7) Windows (Win 2K and higher)
-
-SUPPORTED PROCESSOR ARCHITECTURES:
- In general, OpenVPN is word size and endian independent, so
- most processors should be supported. Architectures known to
- work include Intel x86, Alpha, Sparc, Amd64, and ARM.
-
-REQUIRES:
- (1) TUN and/or TAP driver to allow user-space programs to control
- a virtual point-to-point IP or Ethernet device. See
- TUN/TAP Driver Configuration section below for more info.
-
-OPTIONAL (but recommended):
- (1) OpenSSL library, necessary for encryption, version 0.9.5 or higher
- required, available from http://www.openssl.org/
- (2) LZO real-time compression library, required for link compression,
- available from http://www.oberhumer.com/opensource/lzo/
- OpenBSD users can use ports or packages to install lzo, but remember
- to add "--with-lzo-headers" and "--with-lzo-lib" directives to
- "configure", pointing to /usr/local/include and /usr/local/lib
- respectively since gcc will not find them otherwise.
- (3) Pthread library.
-
-OPTIONAL (for developers only):
- (1) Autoconf 2.50 or higher + Automake 1.5 or higher
- -- available from http://www.gnu.org/software/software.html
- (2) Dmalloc library
- -- available from http://dmalloc.com/
-
-*************************************************************************
-
-BUILD COMMANDS FROM TARBALL:
-
- ./configure
- make
- make install
-
-*************************************************************************
-
-BUILD COMMANDS FROM CVS:
-
- autoreconf -i -v
- ./configure
- make
- make install
-
-*************************************************************************
-
-BUILD A TARBALL FROM CVS:
-
- autoreconf -i -v
- ./configure
- make dist
-
-*************************************************************************
-
-LOOPBACK TESTS (after BUILD):
-
-make check (Run all tests below)
-
-Test Crypto:
-
-./openvpn --genkey --secret key
-./openvpn --test-crypto --secret key
-
-Test SSL/TLS negotiations (runs for 2 minutes):
-
-./openvpn --config sample-config-files/loopback-client (In one window)
-./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
-
-*************************************************************************
-
-OPTIONS for ./configure:
-
- --enable-pthread Compile pthread support for
- improved latency during SSL/TLS key
- negotiations (Linux or Solaris only)
-
- --disable-lzo Do not compile LZO compression support
- --disable-crypto Do not compile OpenSSL crypto support
- --disable-ssl Do not compile OpenSSL SSL support for
- TLS-based key exchange
-
- --with-ssl-headers=DIR Crypto/SSL Include files location
- --with-ssl-lib=DIR Crypto/SSL Library location
- --with-lzo-headers=DIR LZO Include files location
- --with-lzo-lib=DIR LZO Library location
-
- --with-ifconfig-path=PATH Path to ifconfig tool (only need to
- specify if in a non-standard location)
-
- --with-leak-check=TYPE Build with memory leak checking
- TYPE = dmalloc or ssl
-
- --enable-strict Enable strict compiler warnings
-
- --enable-strict-options Enable strict options check between peers
-
-*************************************************************************
-
-BUILDING ON LINUX 2.4+ FROM RPM
-
-You can build a binary RPM directly from the OpenVPN tarball file:
-
- rpmbuild -tb [tarball]
-
-This command will build a binary RPM file and place it in the system
-RPM directory. You can then install the RPM with the standard RPM
-install command:
-
- rpm -ivh [binary-rpm]
-
-When you install the binary RPM, it will install
-sample-scripts/openvpn.init, which can be used to
-automatically start or stop one or more OpenVPN tunnels on system
-startup or shutdown, based on OpenVPN .conf files in /etc/openvpn.
-See the comments in openvpn.init for more information.
-
-Installing the RPM will also configure the TUN/TAP device node
-for linux 2.4.
-
-Note that the current openvpn.spec file, which instructs the rpm tool
-how to build a package, will build OpenVPN with all options enabled,
-including OpenSSL, LZO, and pthread linkage. Therefore all of
-these packages will need to be present prior to the RPM build, unless
-you edit the openvpn.spec file.
-
-*************************************************************************
-
-TUN/TAP Driver Configuration:
-
-* Linux 2.4 or higher (with integrated TUN/TAP driver):
-
- (1) make device node: mknod /dev/net/tun c 10 200
- (2a) add to /etc/modules.conf: alias char-major-10-200 tun
- (2b) load driver: modprobe tun
- (3) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward
-
- Note that either of steps (2a) or (2b) is sufficient. While (2a)
- only needs to be done once per install, (2b) needs to be done once
- per reboot. If you install from RPM (see above) and use the
- openvpn.init script, these steps are taken care of for you.
-
-* Linux 2.2 or Solaris:
-
- You should obtain
- version 1.1 of the TUN/TAP driver from
- http://vtun.sourceforge.net/tun/
- and follow the installation instructions.
-
- If you use OpenVPN on Linux 2.2 or 2.4 or Solaris, you may be
- suffering from a bug which causes connections to hang under heavy load.
- The symptoms are very similar to the MTU problems discussed frequently
- in the OpenVPN mailing lists. But it turns out that this bug is not caused by
- MTU problems. It's a bug in the tun/tap driver. A patch is provided here:
-
- http://openvpn.net/patch/tun-sb.patch
-
-* Solaris
-
- For 64 bit, I used the tun-1.1.tar.gz source and compiled it.
-
- Of course there is a but :)
- In the tun-1-1\solaris\Makefile I changed a line so it compiles with 64 bit
-
- CFLAGS = $(DEFS) -m64 -O2 -Wall -D_KERNEL -I.
-
- I just added -m64 and it worked.
-
- The tun driver works fine as said previously, however we noticed there is a
- minor problem when creating multiple tunnels on Solaris.
- Mr Tycho Fruru changed the code in tun.c file where he locked the tun device
- number to -1. This way it is impossible to specify the name of the tun device
- but it is still possible to have multiple devices.
- The modification will increment automatically meaning starting from tun0 --->
- tunX I know you are not responsible for the tun coding but if you think the
- modification can be useful for you feel free to use it.
-
- http://openvpn.net/solaris/tun.c
-
-* FreeBSD 4.1.1+:
-
- FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0,
- tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default.
- However, only the TUN driver is linked into the GENERIC kernel.
-
- To load the TAP driver, enter:
-
- kldload if_tap
-
- See man rc(8) to find out how you can do this at boot time.
-
- The easiest way is to install OpenVPN from the FreeBSD ports system,
- the port includes a sample script to automatically load the TAP driver
- at boot-up time.
-
-* OpenBSD:
-
- OpenBSD ships with tun0 and tun1 installed by default on pre-3.5 systems,
- while 3.5 and later have dynamically created tun* devices so you only need
- to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun
- you plan to use to create the device(s) at boot.
-
-* Mac OS X:
-
- 2005.02.13: Angelo Laub has developed a GUI for OS X:
-
- http://rechenknecht.net/OpenVPN-GUI/
-
- 2004.10.26: Mattias Nissler has developed a new TUN/TAP driver for
- MAC OS X:
-
- http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
-
- Christoph Pfisterer's old TUN driver can be obtained at
- http://chrisp.de/en/projects/tunnel.html -- note that it
- is no longer being maintained.
-
-* Solaris9 Sparc/64
-
- The kernel module for solaris
- can be generated by adding the -m64 switch to a modern
- gcc compiler (I'm using 3.2) The resulting kernel driver
- needs to be manually copied to /kernel/drv/sparcv9/ and then a
- reconfiguration reboot. (boot -r).
-
-* Windows 2000 and XP
-
- See INSTALL-win32.txt for more info
-
- See the man page for more information, usage examples, and
- information on firewall configuration.
-
-*************************************************************************
-
-CAVEATS & BUGS:
-
-* I have noticed cases where TCP sessions tunneled over the Linux
- TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix
- values are used. The TCP sessions appear to unstall and resume
- normally when the remote VPN endpoint is pinged.
-
-* If run through a firewall using OpenBSDs packet filter PF and the
- filter rules include a "scrub" directive, you may get problems talking
- to Linux hosts over the tunnel, since the scrubbing will kill packets
- sent from Linux hosts if they are fragmented. This is usually seen as
- tunnels where small packets and pings get through but large packets
- and "regular traffic" don't. To circumvent this, add "no-df" to
- the scrub directive so that the packet filter will let fragments with
- the "dont fragment"-flag set through anyway.
-
-* Mixing OFB or CFB cipher modes with static key mode is not recommended,
- and is flagged as an error on OpenVPN versions 1.2.1 and greater.
- If you use the --cipher option to explicitly select an OFB or CFB
- cipher AND you are using static key mode, it is possible that there
- could be an IV collision if the OpenVPN daemons on both sides
- of the connection are started at exactly the same time, since
- OpenVPN uses a timestamp combined with a sequence number as the cipher
- IV for OFB and CFB modes. This is not an issue if you are
- using CBC cipher mode (the default), or if you are using OFB or CFB
- cipher mode with SSL/TLS authentication.