I like to make Windows installers for OpenVPN that include my CA key
and my configuration file. That way, the user only has to drop a
given client.key and client.crt file in the config directory and
they’re ready to go.
So now I’ve got someone that wants a Vista installer. Looking at the
OpenVPN site, it seems I want OpenVPN 2.1
which has some kind of fixes for Vista, especially Vista on AMD64.
Something to do with driver signing.
Also, there are notes here and there about how OpenVPN 2.1 will
“include” the GUI.
When I want to rebuild OpenVPN 2.0 packages with the
GUI there are nice installer source Zip
files put out by the OpenVPN GUI author. I grab that, make an edit to
the .nsi file, add in my configuration file and my CA cert, rebuild
with NSIS and I’m done.
Problem: no such thing exists for OpenVPN 2.1, as of yet.
Further problem: building OpenVPN on
Windows needs some Microsoft
kits that I don’t care to get right now (I have to sign up, and
register, and apply, and… bleh).
So here is the disgusting way that I made my own tree, suitable for
rebuilding the installer, using nothing but the NSIS installer for
2.1rc4 given on the OpenVPN site.
Note: I really don’t recommend doing this. Though it does seem to
work. When 2.1 is released as stable, I expect they’ll have a nice
little package to help you roll your own installer.
Also, I’m going kind of fast, so these directions are probably not
step-for-step perfect. If you don’t know what you’re doing, you will
quite likely get lost.
You will need:
And the steps:
- Install MinGW and MSYS. You won’t actually need much out of
MinGW, but I think I installed all the standard stuff.
- Install ActivePerl.
- Install Total Commander. It’s shareware.
- Within Total Commander, double click on the InstallExplorer
plug-in Zip file. Total Commander will offer to install this;
tell it to install the plug-in. Maybe smash the “OK” or
“whatever” buttons on some following dialogs.
By the way, Total Commander doesn’t deal well if you can’t write
to the directory it’s installed in, I believe. So people running
non-admin (like me) will need to get a little creative. If the
next step doesn’t work, it’s quite possibly because the plug-in
wasn’t installed correctly. If you’re running non-admin, that’s
probably why the plug-in didn’t get installed correctly; try
installing the plug-in while running Total Commander as a user
with administrative rights.
You may also need to restart Total Commander for the plug-in to
work, I don’t know.
- Navigate to the directory containing the OpenVPN installer in
Total Commander. Right click it to select it, then press
Ctrl+PgDn to browse the archive. (It may take a second.)
- Go into $INSTDIR within the installer. Copy the whole bin
directory out of the installer, as well as icon.ico. By “copy
[…] out of the installer” I mean to copy those files to some
directory outside of the installer.
- Open the bin directory in Total Commander. You should see two
tapinstall.exe files: one is the i386 version, one is the AMD64
version. Copy both of them out of the installer any way you’d like
(I copied each into separate directories), but you’ll need both
files. In the installer I have, tapinstall.exe for i386 is
74,752 bytes, AMD64 is 80,384 (and yes, that’s how I told the
difference; another way: install OpenVPN 2.1rc4 on your machine,
and then look at the size of the file installed in C:\program
files\openvpn\bin).
- Go to ..\driver. You should see two files each named
OemWin2k.inf, tap0901.cat, and tap0901.sys. Again, one is
i386, one is AMD64. Copy both versions of each of these three
files out of the installer. i386 files are sized 7,236 bytes,
7,851 bytes, and 25,088 bytes, respectively. AMD64 files are
7,253 bytes, 7,823 bytes, and 29,696 bytes, respectively. (As in
the last step, you can also find out which is which by installing
OpenVPN and looking at the size of the installed files). After
this step, you’re done with Total Commander.
- Extract the OpenVPN 2.1rc4 sources somewhere and navigate to that
directory in a MSYS bash.
- Edit install-win32/settings.in, comment out the line starting
with !define SVC_TEMPLATE, save.
- mkdir images. Move the icon.ico you pulled out of the
installer into images.
- Find install-whirl.bmp in the OpenVPN GUI installer sources and
extract it into the images directory as well.
- Move the bin directory you extracted from the OpenVPN 2.1rc4
installer into your OpenVPN sources directory (that’s the OpenVPN
2.1rc4 sources, not the OpenVPN GUI sources; keep up here).
- Delete tapinstall.exe from the bin directory.
- mkdir -p bin/{tapinstall,driver}/{i386,amd64}
- Copy each tapinstall.exe for i386 and AMD64 into
bin/tapinstall/i386 and bin/tapinstall/amd64, respectively.
- Copy the OemWin2k.inf, tap0901.cat, and tap0901.sys files
for the appropriate architectures into bin/driver/i386 and
bin/driver/amd64. Here’s what your bin directory should look
like after this step:
bin
bin/driver
bin/driver/amd64
bin/driver/amd64/OemWin2k.inf
bin/driver/amd64/tap0901.cat
bin/driver/amd64/tap0901.sys
bin/driver/i386
bin/driver/i386/OemWin2k.inf
bin/driver/i386/tap0901.cat
bin/driver/i386/tap0901.sys
bin/libeay32.dll
bin/libssl32.dll
bin/openssl.exe
bin/openvpn-gui-1.0.3.exe
bin/openvpn.exe
bin/openvpnserv.exe
bin/tapinstall
bin/tapinstall/amd64
bin/tapinstall/amd64/tapinstall.exe
bin/tapinstall/i386
bin/tapinstall/i386/tapinstall.exe
- Make sure you’ve got perl in your path by running something like
perl -e1. You shouldn’t get an error.
- Run sh -x install-win32/winconfig. It is important that you run
this from the root of the OpenVPN sources (supposedly).
- echo '!define OPENVPN_GUI_DEFINED' >autodefs/guidefs.nsi (see
install-win32/getgui).
- Install NSIS.
- You should now be able to right click the openvpn.nsi and hit
“Compile NSIS script.” NSIS should compile you a nice shiny
openvpn-2.1_rc4-install.exe. This is the basic installer.
At this point, you can make mods to openvpn.nsi as you see fit, just
like you might with OpenVPN GUI (i.e., with OpenVPN 2.0.9, GUI 1.0.3).
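The steps that tell the duplicate tapinstall.exe and driver files apart by size can be scripted in the MSYS shell, so that a file of an unexpected size is rejected instead of being filed under the wrong architecture. This is an added example, not part of the original write-up or of OpenVPN; the function names and the one-subdirectory-per-extracted-copy source layout are assumptions, and the sizes are the ones listed above for the 2.1rc4 installer.

```shell
# Added example (not from the original post): sort the duplicate files pulled
# out of the 2.1rc4 installer into bin/{tapinstall,driver}/{i386,amd64}.
# Byte sizes are the ones quoted in the steps above; function names are made up.

# arch_of NAME SIZE: print i386 or amd64, or fail on an unknown name/size pair.
arch_of() {
    case "$1:$2" in
        tapinstall.exe:74752|OemWin2k.inf:7236|tap0901.cat:7851|tap0901.sys:25088)
            echo i386 ;;
        tapinstall.exe:80384|OemWin2k.inf:7253|tap0901.cat:7823|tap0901.sys:29696)
            echo amd64 ;;
        *) return 1 ;;
    esac
}

# dest_dir NAME: print the subdirectory of bin that NAME belongs in.
dest_dir() {
    case "$1" in
        tapinstall.exe) echo tapinstall ;;
        OemWin2k.inf|tap0901.cat|tap0901.sys) echo driver ;;
        *) return 1 ;;
    esac
}

# place_file FILE BINDIR: copy FILE to BINDIR/<kind>/<arch>/<name>.
# Fails closed: a size matching neither architecture (for example, files from
# a different installer build) is not copied, and nothing is overwritten.
place_file() {
    name=$(basename "$1")
    size=$(wc -c < "$1" | tr -d ' ')
    kind=$(dest_dir "$name") || { echo "skip: unexpected file $1" >&2; return 1; }
    arch=$(arch_of "$name" "$size") || { echo "skip: $1 has unknown size $size" >&2; return 1; }
    target="$2/$kind/$arch"
    [ ! -e "$target/$name" ] || { echo "skip: $target/$name already exists" >&2; return 1; }
    mkdir -p "$target" && cp "$1" "$target/$name"
}

# sort_extracted SRCDIR BINDIR: place every copy found in SRCDIR/*/ (assumed
# layout: each extracted copy in its own subdirectory). Nonzero if any failed.
sort_extracted() {
    rc=0
    for f in "$1"/*/*; do
        [ -f "$f" ] || continue
        place_file "$f" "$2" || rc=1
    done
    return $rc
}
```

From the root of the OpenVPN sources, `sort_extracted /path/to/extracted bin` fills in the tree shown in the listing above.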
I’d like to give one note to possibly justify this ugliness: first of
all, I don’t feel confident that I’d be able to build a Windows binary
that works as well as the “official” one, built by people who probably
know a lot more about what they’re doing on Windows than I do. What
version of OpenSSL should I use? LZO? I don’t see something called
(exactly) the “Driver Development Kit.” Of course, I’m sure these are
surmountable; in fact, there are some hints in the OpenVPN sources
about what versions you should use.
But another note about the OpenVPN binaries: they are supposedly
signed by a real key that an OpenVPN developer has. This signing is
supposedly necessary to make TAP-Win32 get installed on Vista/AMD64,
where driver signing is apparently enforced. So will it be possible
to build normally working binaries for Vista/x64 if you don’t have the
ability to sign these binaries with some kind of real SSL key (i.e.,
one issued by a CA approved by Vista, for example Verisign)?