summaryrefslogtreecommitdiff
path: root/openvpn/INSTALL
diff options
context:
space:
mode:
Diffstat (limited to 'openvpn/INSTALL')
-rw-r--r--openvpn/INSTALL292
1 files changed, 292 insertions, 0 deletions
diff --git a/openvpn/INSTALL b/openvpn/INSTALL
new file mode 100644
index 0000000..a20b49f
--- /dev/null
+++ b/openvpn/INSTALL
@@ -0,0 +1,292 @@
+Installation instructions for OpenVPN, a Secure Tunneling Daemon
+
+Copyright (C) 2002-2005 OpenVPN Solutions LLC. This program is free software;
+you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 2
+as published by the Free Software Foundation.
+
+*************************************************************************
+
+To download OpenVPN, go to:
+
+ http://openvpn.net/download.html
+
+For step-by-step installation instructions with real-world
+examples see:
+
+ http://openvpn.net/howto.html
+
+For examples see:
+
+ http://openvpn.net/examples.html
+
+*************************************************************************
+
+SUPPORTED PLATFORMS:
+ (1) Linux 2.2+
+ (2) Solaris
+ (3) OpenBSD 3.0+ (Comes with OpenSSL and TUN devices by default)
+ (4) Mac OS X Darwin
+ (5) FreeBSD
+ (6) NetBSD
+ (7) Windows (Win 2K and higher)
+
+SUPPORTED PROCESSOR ARCHITECTURES:
+ In general, OpenVPN is word size and endian independent, so
+ most processors should be supported. Architectures known to
+ work include Intel x86, Alpha, Sparc, Amd64, and ARM.
+
+REQUIRES:
+ (1) TUN and/or TAP driver to allow user-space programs to control
+ a virtual point-to-point IP or Ethernet device. See
+ TUN/TAP Driver Configuration section below for more info.
+
+OPTIONAL (but recommended):
+ (1) OpenSSL library, necessary for encryption, version 0.9.5 or higher
+ required, available from http://www.openssl.org/
+ (2) LZO real-time compression library, required for link compression,
+ available from http://www.oberhumer.com/opensource/lzo/
+ OpenBSD users can use ports or packages to install lzo, but remember
+ to add "--with-lzo-headers" and "--with-lzo-lib" directives to
+ "configure", pointing to /usr/local/include and /usr/local/lib
+ respectively since gcc will not find them otherwise.
+ (3) Pthread library.
+
+OPTIONAL (for developers only):
+ (1) Autoconf 2.50 or higher + Automake 1.5 or higher
+ -- available from http://www.gnu.org/software/software.html
+ (2) Dmalloc library
+ -- available from http://dmalloc.com/
+
+*************************************************************************
+
+BUILD COMMANDS FROM TARBALL:
+
+ ./configure
+ make
+ make install
+
+*************************************************************************
+
+BUILD COMMANDS FROM CVS:
+
+ autoreconf -i -v
+ ./configure
+ make
+ make install
+
+*************************************************************************
+
+BUILD A TARBALL FROM CVS:
+
+ autoreconf -i -v
+ ./configure
+ make dist
+
+*************************************************************************
+
+LOOPBACK TESTS (after BUILD):
+
+make check (Run all tests below)
+
+Test Crypto:
+
+./openvpn --genkey --secret key
+./openvpn --test-crypto --secret key
+
+Test SSL/TLS negotiations (runs for 2 minutes):
+
+./openvpn --config sample-config-files/loopback-client (In one window)
+./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
+
+*************************************************************************
+
+OPTIONS for ./configure:
+
+ --enable-pthread Compile pthread support for
+ improved latency during SSL/TLS key
+ negotiations (Linux or Solaris only)
+
+ --disable-lzo Do not compile LZO compression support
+ --disable-crypto Do not compile OpenSSL crypto support
+ --disable-ssl Do not compile OpenSSL SSL support for
+ TLS-based key exchange
+
+ --with-ssl-headers=DIR Crypto/SSL Include files location
+ --with-ssl-lib=DIR Crypto/SSL Library location
+ --with-lzo-headers=DIR LZO Include files location
+ --with-lzo-lib=DIR LZO Library location
+
+ --with-ifconfig-path=PATH Path to ifconfig tool (only need to
+ specify if in a non-standard location)
+
+ --with-leak-check=TYPE Build with memory leak checking
+ TYPE = dmalloc or ssl
+
+ --enable-strict Enable strict compiler warnings
+
+ --enable-strict-options Enable strict options check between peers
+
+*************************************************************************
+
+BUILDING ON LINUX 2.4+ FROM RPM
+
+You can build a binary RPM directly from the OpenVPN tarball file:
+
+ rpmbuild -tb [tarball]
+
+This command will build a binary RPM file and place it in the system
+RPM directory. You can then install the RPM with the standard RPM
+install command:
+
+ rpm -ivh [binary-rpm]
+
+When you install the binary RPM, it will install
+sample-scripts/openvpn.init, which can be used to
+automatically start or stop one or more OpenVPN tunnels on system
+startup or shutdown, based on OpenVPN .conf files in /etc/openvpn.
+See the comments in openvpn.init for more information.
+
+Installing the RPM will also configure the TUN/TAP device node
+for linux 2.4.
+
+Note that the current openvpn.spec file, which instructs the rpm tool
+how to build a package, will build OpenVPN with all options enabled,
+including OpenSSL, LZO, and pthread linkage. Therefore all of
+these packages will need to be present prior to the RPM build, unless
+you edit the openvpn.spec file.
+
+*************************************************************************
+
+TUN/TAP Driver Configuration:
+
+* Linux 2.4 or higher (with integrated TUN/TAP driver):
+
+ (1) make device node: mknod /dev/net/tun c 10 200
+ (2a) add to /etc/modules.conf: alias char-major-10-200 tun
+ (2b) load driver: modprobe tun
+ (3) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ Note that either of steps (2a) or (2b) is sufficient. While (2a)
+ only needs to be done once per install, (2b) needs to be done once
+ per reboot. If you install from RPM (see above) and use the
+ openvpn.init script, these steps are taken care of for you.
+
+* Linux 2.2 or Solaris:
+
+ You should obtain
+ version 1.1 of the TUN/TAP driver from
+ http://vtun.sourceforge.net/tun/
+ and follow the installation instructions.
+
+ If you use OpenVPN on Linux 2.2 or 2.4 or Solaris, you may be
+ suffering from a bug which causes connections to hang under heavy load.
+ The symptoms are very similar to the MTU problems discussed frequently
+ in the OpenVPN mailing lists. But it turns out that this bug is not caused by
+ MTU problems. It's a bug in the tun/tap driver. A patch is provided here:
+
+ http://openvpn.net/patch/tun-sb.patch
+
+* Solaris
+
+ For 64 bit, I used the tun-1.1.tar.gz source and compiled it.
+
+ Of course there is a but :)
+ In the tun-1-1\solaris\Makefile I changed a line so it compiles with 64 bit
+
+ CFLAGS = $(DEFS) -m64 -O2 -Wall -D_KERNEL -I.
+
+ I just added -m64 and it worked.
+
+ The tun driver works fine as said previously, however we noticed there is a
+ minor problem when creating multiple tunnels on Solaris.
+ Mr Tycho Fruru changed the code in tun.c file where he locked the tun device
+ number to -1. This way it is impossible to specify the name of the tun device
+ but it is still possible to have multiple devices.
+ The modification will increment automatically meaning starting from tun0 --->
+ tunX I know you are not responsible for the tun coding but if you think the
+ modification can be useful for you feel free to use it.
+
+ http://openvpn.net/solaris/tun.c
+
+* FreeBSD 4.1.1+:
+
+ FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0,
+ tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default.
+ However, only the TUN driver is linked into the GENERIC kernel.
+
+ To load the TAP driver, enter:
+
+ kldload if_tap
+
+ See man rc(8) to find out how you can do this at boot time.
+
+ The easiest way is to install OpenVPN from the FreeBSD ports system,
+ the port includes a sample script to automatically load the TAP driver
+ at boot-up time.
+
+* OpenBSD:
+
+ OpenBSD ships with tun0 and tun1 installed by default on pre-3.5 systems,
+ while 3.5 and later have dynamically created tun* devices so you only need
+ to create an empty /etc/hostname.tun0 (tun1, tun2 and so on) for each tun
+ you plan to use to create the device(s) at boot.
+
+* Mac OS X:
+
+ 2005.02.13: Angelo Laub has developed a GUI for OS X:
+
+ http://rechenknecht.net/OpenVPN-GUI/
+
+ 2004.10.26: Mattias Nissler has developed a new TUN/TAP driver for
+ MAC OS X:
+
+ http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
+
+ Christoph Pfisterer's old TUN driver can be obtained at
+ http://chrisp.de/en/projects/tunnel.html -- note that it
+ is no longer being maintained.
+
+* Solaris9 Sparc/64
+
+ The kernel module for solaris
+ can be generated by adding the -m64 switch to a modern
+ gcc compiler (I'm using 3.2) The resulting kernel driver
+ needs to be manually copied to /kernel/drv/sparcv9/ and then a
+ reconfiguration reboot. (boot -r).
+
+* Windows 2000 and XP
+
+ See INSTALL-win32.txt for more info
+
+ See the man page for more information, usage examples, and
+ information on firewall configuration.
+
+*************************************************************************
+
+CAVEATS & BUGS:
+
+* I have noticed cases where TCP sessions tunneled over the Linux
+ TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix
+ values are used. The TCP sessions appear to unstall and resume
+ normally when the remote VPN endpoint is pinged.
+
+* If run through a firewall using OpenBSDs packet filter PF and the
+ filter rules include a "scrub" directive, you may get problems talking
+ to Linux hosts over the tunnel, since the scrubbing will kill packets
+ sent from Linux hosts if they are fragmented. This is usually seen as
+ tunnels where small packets and pings get through but large packets
+ and "regular traffic" don't. To circumvent this, add "no-df" to
+ the scrub directive so that the packet filter will let fragments with
+ the "dont fragment"-flag set through anyway.
+
+* Mixing OFB or CFB cipher modes with static key mode is not recommended,
+ and is flagged as an error on OpenVPN versions 1.2.1 and greater.
+ If you use the --cipher option to explicitly select an OFB or CFB
+ cipher AND you are using static key mode, it is possible that there
+ could be an IV collision if the OpenVPN daemons on both sides
+ of the connection are started at exactly the same time, since
+ OpenVPN uses a timestamp combined with a sequence number as the cipher
+ IV for OFB and CFB modes. This is not an issue if you are
+ using CBC cipher mode (the default), or if you are using OFB or CFB
+ cipher mode with SSL/TLS authentication.