From patchwork Mon Nov 28 16:49:32 2022
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 2866
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 28 Nov 2022 17:49:32 +0100
Message-Id: <20221128164932.14252-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.35.1
Subject: [Openvpn-devel] [PATCH] rework INSTALL and README to prepare for 2.6 release

Update URLs in README

Rip out information in INSTALL that is already in PORTS, or is printed
by "./configure --help"

Update tun/tap driver information where outdated or incomplete.

Update build prerequisites, add new linux libraries, add git and libtool
to developer tools needed, etc.
Signed-off-by: Gert Doering Acked-By: Frank Lichtenheld --- INSTALL | 207 ++++++++++++++------------------------------------------ README | 8 +-- 2 files changed, 56 insertions(+), 159 deletions(-) diff --git a/INSTALL b/INSTALL index 9db5b645..a899b148 100644 --- a/INSTALL +++ b/INSTALL @@ -1,6 +1,6 @@ Installation instructions for OpenVPN, a Secure Tunneling Daemon -Copyright (C) 2002-2019 OpenVPN Inc. This program is free software; +Copyright (C) 2002-2022 OpenVPN Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. 
@@ -52,45 +52,39 @@ Also see the man page for more information. ************************************************************************* -SUPPORTED PLATFORMS: - (1) Linux (kernel 2.6+) - (2) Solaris - (3) OpenBSD 5.1+ - (4) Mac OS X Darwin 10.5+ - (5) FreeBSD 7.4+ - (6) NetBSD 5.0+ - (7) Windows Vista or later for OpenVPN 2.4 - (8) Windows XP or later for OpenVPN 2.3 - -SUPPORTED PROCESSOR ARCHITECTURES: - In general, OpenVPN is word size and endian independent, so - most processors should be supported. Architectures known to - work include Intel x86, Alpha, Sparc, Amd64, and ARM. - -REQUIRES: +For a list of supported platforms and architectures, and for +instructions how to port OpenVPN to a yet-unsupported architecture, +see the file "PORTS". + +************************************************************************* + +SYSTEM REQUIREMENTS: (1) TUN and/or TAP driver to allow user-space programs to control - a virtual point-to-point IP or Ethernet device. See - TUN/TAP Driver Configuration section below for more info. - (2) OpenSSL library, necessary for encryption, version 1.0.2 or higher + a virtual point-to-point IP or Ethernet device. + See TUN/TAP Driver References section below for more info. 
+ (2a) OpenSSL library, necessary for encryption, version 1.0.2 or higher required, available from http://www.openssl.org/ or - (3) mbed TLS library, an alternative for encryption, version 2.0 or higher + (2b) mbed TLS library, an alternative for encryption, version 2.0 or higher required, available from https://tls.mbed.org/ + (3) on Linux, "libnl-gen" is required for kernel netlink support + (4) on Linux, "libcap-ng" is required for Linux capability handling OPTIONAL: - (3) LZO real-time compression library, required for link compression, + (5) LZO real-time compression library, required for link compression, available from http://www.oberhumer.com/opensource/lzo/ - OpenBSD users can use ports or packages to install lzo, but remember - to add CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" - directives to "configure", since gcc will not find them otherwise. + (most supported operating systems have LZO in their installable + packages repository. It might be necessary to add LZO_CFLAGS= + and LZO_LIBS= to the configure call to make it find the LZO pieces) + (6) LZ4 compression library OPTIONAL (for developers only): - (1) Autoconf 2.59 or higher + Automake 1.9 or higher - -- available from http://www.gnu.org/software/software.html - (2) Dmalloc library - -- available from http://dmalloc.com/ + (1) Autoconf 2.59 or higher + Automake 1.9 or higher + Libtool + Git + (2) cmocka test framework (http://cmocka.org) (3) If using t_client.sh test framework, fping/fping6 is needed - -- Available from http://www.fping.org/ Note: t_client.sh needs an external configured OpenVPN server. See t_client.rc-sample for more info. @@ -106,7 +100,7 @@ CHECK OUT SOURCE FROM SOURCE REPOSITORY: Check out stable version: - git checkout release/2.4 + git checkout release/2.6 Check out master (unstable) branch: @@ -119,7 +113,7 @@ BUILD COMMANDS FROM TARBALL: ./configure make - make install + sudo make install ************************************************************************* 
@@ -128,7 +122,7 @@ BUILD COMMANDS FROM SOURCE REPOSITORY CHECKOUT: autoreconf -i -v -f ./configure make - make install + sudo make install ************************************************************************* 
@@ -175,98 +169,17 @@ you can install cmocka with these commands: OPTIONS for ./configure: - --disable-lzo disable LZO compression support [default=yes] - --disable-lz4 Disable LZ4 compression support - --enable-comp-stub Don't compile compression support but still allow limited interoperability with compression-enabled peers - --disable-crypto disable crypto support [default=yes] - --disable-ofb-cfb disable support for OFB and CFB cipher modes - [default=yes] - --enable-x509-alt-username - enable the --x509-username-field feature - [default=no] - --disable-server disable server support only (but retain client - support) [default=yes] - --disable-plugins disable plug-in support [default=yes] - --disable-management disable management server support [default=yes] - --enable-pkcs11 enable pkcs11 support [default=no] - --disable-fragment disable internal fragmentation support (--fragment) - [default=yes] - --disable-multihome disable multi-homed UDP server support (--multihome) - [default=yes] - --disable-port-share disable TCP server port-share support (--port-share) - [default=yes] - --disable-debug disable debugging support (disable gremlin and verb - 7+ messages) [default=yes] - --enable-small enable smaller executable size (disable OCC, usage - message, and verb 4 parm list) [default=no] - --enable-iproute2 enable support for iproute2 [default=no] - --disable-def-auth disable deferred authentication [default=yes] - --disable-pf disable internal packet filter [default=yes] - --disable-plugin-auth-pam - disable auth-pam plugin [default=platform specific] - --disable-plugin-down-root - disable down-root plugin [default=platform specific] - --enable-pam-dlopen dlopen libpam [default=no] - --enable-strict enable strict compiler warnings (debugging option) - [default=no] - --enable-pedantic enable pedantic compiler warnings, will not generate - a working executable (debugging option) [default=no] - --enable-werror promote compiler warnings to errors, will cause - builds 
to fail if the compiler issues warnings - (debugging option) [default=no] - --enable-strict-options enable strict options check between peers (debugging - option) [default=no] - --enable-selinux enable SELinux support [default=no] - --enable-systemd enable systemd support [default=no] - --enable-async-push enable async-push support for plugins providing - deferred authentication [default=no] + To get an overview of all the configure options, run "./configure --help" ENVIRONMENT for ./configure: - PLUGINDIR Path of plug-in directory [default=LIBDIR/openvpn/plugins] - IFCONFIG full path to ipconfig utility - ROUTE full path to route utility - IPROUTE full path to ip utility - NETSTAT path to netstat utility - GIT path to git utility - SYSTEMD_ASK_PASSWORD - path to systemd-ask-password utility - SYSTEMD_UNIT_DIR - Path of systemd unit directory [default=LIBDIR/systemd/system] - TMPFILES_DIR - Path of tmpfiles directory [default=LIBDIR/tmpfiles.d] - RST2MAN Path to rst2man utility - RST2HTML Path to rst2html utility - -ENVIRONMENT variables adjusting parameters related to dependencies - - TAP_CFLAGS C compiler flags for tap - LIBPAM_CFLAGS - C compiler flags for libpam - LIBPAM_LIBS linker flags for libpam - PKCS11_HELPER_CFLAGS - C compiler flags for PKCS11_HELPER, overriding pkg-config - PKCS11_HELPER_LIBS - linker flags for PKCS11_HELPER, overriding pkg-config - OPENSSL_CFLAGS - C compiler flags for OpenSSL - OPENSSL_LIBS - linker flags for OpenSSL - MBEDTLS_CFLAGS - C compiler flags for mbedtls - MBEDTLS_LIBS - linker flags for mbedtls - LZO_CFLAGS C compiler flags for lzo - LZO_LIBS linker flags for lzo - LZ4_CFLAGS C compiler flags for lz4 - LZ4_LIBS linker flags for lz4 - libsystemd_CFLAGS - C compiler flags for libsystemd, overriding pkg-config - libsystemd_LIBS - linker flags for libsystemd, overriding pkg-config - P11KIT_CFLAGS - C compiler flags for P11KIT, overriding pkg-config - P11KIT_LIBS linker flags for P11KIT, overriding pkg-config + For more 
fine-grained control on include + library paths for external + components etc., configure can be called with environment variables on + the command line, e.g. + + ./configure OPENSSL_CFLAGS="-I/usr/local/include" ... + + these are also explained in "./configure --help", so not repeated here. ************************************************************************* @@ -303,12 +216,12 @@ For more details: https://packages.ubuntu.com/search?keywords=openvpn In addition, the OpenVPN community provides a best-effort APT repository -for Debian and Ubuntu: +for CentOS/Fedora, Debian and Ubuntu: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos ************************************************************************* -TUN/TAP Driver Configuration: +TUN/TAP Driver References: * Linux 2.6 or higher (with integrated TUN/TAP driver): @@ -322,17 +235,17 @@ TUN/TAP Driver Configuration: FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0, tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default. - However, only the TUN driver is linked into the GENERIC kernel. - To load the TAP driver, enter: + On FreeBSD versions prior to 12.0-RELEASE, there were independent + TUN and TAP drivers, and the TAP driver needed to be loaded manually, + using the command: - kldload if_tap + # kldload if_tap - See man rc(8) to find out how you can do this at boot time. + For recent FreeBSD versions, TUN/TAP are integrated and always loaded. - The easiest way is to install OpenVPN from the FreeBSD ports system, - the port includes a sample script to automatically load the TAP driver - at boot-up time. + FreeBSD 14 contains the ovpn(4) for kernel-level OpenVPN acceleration + (DCO) which will be used by OpenVPN 2.6 and up if available. * OpenBSD: 
@@ -354,31 +267,15 @@ TUN/TAP Driver Configuration: recent Windows versions it is recommended to use the NDIS 6 driver (tap-windows6) instead. + Windows 10 and Server 2016 and up can use the dco-win driver for + kernel-level acceleration for OpenVPN client setups. This is also + included in the community-provided OpenVPN installers. + ************************************************************************* CAVEATS & BUGS: -* I have noticed cases where TCP sessions tunneled over the Linux - TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix - values are used. The TCP sessions appear to unstall and resume - normally when the remote VPN endpoint is pinged. - -* If run through a firewall using OpenBSDs packet filter PF and the - filter rules include a "scrub" directive, you may get problems talking - to Linux hosts over the tunnel, since the scrubbing will kill packets - sent from Linux hosts if they are fragmented. This is usually seen as - tunnels where small packets and pings get through but large packets - and "regular traffic" don't. To circumvent this, add "no-df" to - the scrub directive so that the packet filter will let fragments with - the "dont fragment"-flag set through anyway. - -* Mixing OFB or CFB cipher modes with static key mode is not recommended, - and is flagged as an error on OpenVPN versions 1.2.1 and greater. - If you use the --cipher option to explicitly select an OFB or CFB - cipher AND you are using static key mode, it is possible that there - could be an IV collision if the OpenVPN daemons on both sides - of the connection are started at exactly the same time, since - OpenVPN uses a timestamp combined with a sequence number as the cipher - IV for OFB and CFB modes. This is not an issue if you are - using CBC cipher mode (the default), or if you are using OFB or CFB - cipher mode with SSL/TLS authentication. 
+* see the bug tracker on https://community.openvpn.net/openvpn/report + and the wiki on https://community.openvpn.net/wiki for more detailed + caveats on operating systems, and for open and resolved bug reports. + diff --git a/README b/README index b75a568e..523abb70 100644 --- a/README +++ b/README @@ -1,6 +1,6 @@ OpenVPN -- A Secure tunneling daemon -Copyright (C) 2002-2018 OpenVPN Inc. This program is free software; +Copyright (C) 2002-2022 OpenVPN Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. @@ -9,7 +9,7 @@ as published by the Free Software Foundation. To get the latest release of OpenVPN, go to: - https://openvpn.net/index.php/download/community-downloads.html + https://openvpn.net/community-downloads/ To Build and Install, @@ -30,7 +30,7 @@ For a sample VPN configuration, see http://openvpn.net/howto.html To report an issue, see - https://community.openvpn.net/openvpn/report + https://community.openvpn.net/openvpn/newticket For a description of OpenVPN's underlying protocol, see the file ssl.h included in the source distribution. @@ -64,7 +64,7 @@ Note that easy-rsa and tap-windows are now maintained in their own subprojects. Their source code is available here: https://github.com/OpenVPN/easy-rsa - https://github.com/OpenVPN/tap-windows + https://github.com/OpenVPN/tap-windows6 The old cross-compilation environment (domake-win) and the Python-based buildsystem have been replaced with openvpn-build:
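Review bot: In the SYSTEM REQUIREMENTS hunk (@@ -52,45 +52,39 @@), item (3) names the Linux dependency as "libnl-gen", which looks like a typo for libnl-genl (the generic-netlink part of libnl, packaged as libnl-genl-3 / libnl-genl-3-dev on the common distributions); someone searching their package manager for "libnl-gen" will come up empty. In the same hunk the LZO note says it "might be necessary to add LZO_CFLAGS= and LZO_LIBS= to the configure call" but leaves both values blank, whereas the OpenBSD sentence it replaces spelled out CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"; giving the new variables real values, e.g. LZO_CFLAGS="-I/usr/local/include" LZO_LIBS="-L/usr/local/lib -llzo2", keeps the advice actionable. Two smaller points: the OpenSSL "1.0.2 or higher" and mbed TLS "2.0 or higher" minimums are carried over unchanged while everything else is being moved to 2.6, so please confirm they still match what configure enforces; and the OpenSSL link stays plain http://www.openssl.org/ while the mbed TLS one is https.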
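Review bot: The two hunks that turn "make install" into "sudo make install" (@@ -119,7 +113,7 @@ and @@ -128,7 +122,7 @@) would benefit from a one-line caveat that only the install step is elevated and that "./configure" and "make" stay under the unprivileged user, otherwise the first sudo in the sequence reads as an invitation to run the whole build as root. sudo is also not a given on every platform this file still talks about (Solaris and the BSDs appear in the SUPPORTED PLATFORMS list this patch removes), so "as root: make install" or similar wording covers systems where su(1) is what is available.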
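Review bot: In the ./configure options hunk (@@ -175,98 +169,17 @@), the environment example shows OPENSSL_CFLAGS="-I/usr/local/include" alone, but a library outside the default search path almost always needs the matching OPENSSL_LIBS (e.g. OPENSSL_LIBS="-L/usr/local/lib -lssl -lcrypto") as well, and the old OpenBSD paragraph that is being deleted made exactly that CFLAGS/LDFLAGS pairing explicit; showing both keeps the shortened text as useful as what it replaces. Wording: "fine-grained control on include + library paths" reads better as "fine-grained control over include and library paths", and the follow-on "these are also explained in ..." opens a new paragraph with a lowercase word.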
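Review bot: In the package repository hunk (@@ -303,12 +216,12 @@), the sentence now lists "CentOS/Fedora, Debian and Ubuntu" but still calls the offering an "APT repository"; APT is the Debian/Ubuntu tool and CentOS/Fedora consume yum/dnf (RPM) repositories, so with the expanded list it should read "package repositories" or "APT and RPM repositories".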
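Review bot: In the FreeBSD hunk (@@ -322,17 +235,17 @@), "FreeBSD 14 contains the ovpn(4) for kernel-level OpenVPN acceleration (DCO)" is missing its noun; "contains the ovpn(4) driver" (or "kernel module") reads as intended. The rewritten paragraph also replaces the old load-at-boot advice with the bare statement that on recent releases "TUN/TAP are integrated and always loaded" without naming the merged module or giving a way to check it, so a reader on an older system has nothing to verify against; naming the module, or pointing at the relevant man page, would make the claim checkable.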
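Review bot: In the Windows/CAVEATS hunk (@@ -354,31 +267,15 @@), the new paragraph says Windows 10 and Server 2016 and up "can use the dco-win driver" while the unchanged sentence right above it still says tap-windows6 "is recommended", leaving the reader with two recommendations and no rule for which one applies; a sentence on when dco-win is used in preference to tap-windows6 (or a pointer to where that is documented) would resolve it. Separately, the dropped OFB/CFB caveat is a cryptographic warning about IV reuse in static-key mode rather than an OS quirk, so before removing it in favour of a generic bug-tracker pointer it is worth confirming the same warning lives in the man page; and the final "+ " adds a whitespace-only line at the end of INSTALL, which will trip a trailing-whitespace check.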
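Review bot: In the README hunk, the "To report an issue" link moves from https://community.openvpn.net/openvpn/report to https://community.openvpn.net/openvpn/newticket, while the CAVEATS text added to INSTALL in this same patch points readers at .../openvpn/report as "the bug tracker"; either both files should use the same URL, or INSTALL should say that /report lists existing tickets and /newticket files a new one, if that is the intended distinction. While the README URLs are being refreshed, the context line "http://openvpn.net/howto.html" is the one remaining plain-http link in the hunk and could be switched to https in the same pass.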