I like to make Windows installers for OpenVPN that include my CA key
and my configuration file. That way, the user only has to drop a
given client.key and client.crt file in the config directory and
they’re ready to go.
So now I’ve got someone that wants a Vista installer. Looking at the OpenVPN site, it seems I want OpenVPN 2.1 which has some kind of fixes for Vista, especially Vista on AMD64. Something to do with driver signing.
Also, there are notes here and there about how OpenVPN 2.1 will “include” the GUI.
When I want to rebuild OpenVPN 2.0 packages with the
GUI there are nice installer source Zip
files put out by the OpenVPN GUI author. I grab that, make an edit to
the .nsi file, add in my configuration file and my CA cert, rebuild
with NSIS and I’m done.
Problem: no such thing exists for OpenVPN 2.1, as of yet.
Further problem: building OpenVPN on Windows needs some Microsoft kits that I don’t care to get right now (I have to sign up, and register, and apply, and… bleh).
So here is the disgusting way that I made my own tree, suitable for rebuilding the installer, using nothing but the NSIS installer for 2.1rc4 given on the OpenVPN site.
Note: I really don’t recommend doing this. Though it does seem to work. When 2.1 is released as stable, I expect they’ll have a nice little package to help you roll your own installer.
Also, I’m going kind of fast, so these directions are probably not step-for-step perfect. If you don’t know what you’re doing, you will quite likely get lost.
You will need:
- MinGW (current version is 5.1.3)
- MSYS (same site as above, current version is 1.0.10… from 2004)
- Perl for Windows; I grabbed ActivePerl, which I guess is the “official” Perl binary offered for Windows?
- Total Commander, a Windows file manager; we’ll use this and the following plug-in to get the files out of the OpenVPN NSIS installer
- The InstallExplorer plug-in for Total Commander
- The OpenVPN 2.1rc4 Windows NSIS installer and the sources
- The OpenVPN GUI installer sources; the ones for 2.0.9/1.0.3 are fine
And the steps:
- Install MinGW and MSYS. You won’t actually need much out of MinGW, but I think I installed all the standard stuff.
- Install ActivePerl.
- Install Total Commander. It’s shareware.
- Within Total Commander, double click on the InstallExplorer plug-in Zip file. Total Commander will offer to install this; tell it to install the plug-in. Maybe smash the “OK” or “whatever” buttons on some following dialogs.
  By the way, Total Commander doesn’t deal well if you can’t write to the directory it’s installed in, I believe. So people running non-admin (like me) will need to get a little creative. If the next step doesn’t work, it’s quite possibly because the plug-in wasn’t installed correctly. If you’re running non-admin, that’s probably why the plug-in didn’t get installed correctly; try installing the plug-in while running Total Commander as a user with administrative rights.
  You may also need to restart Total Commander for the plug-in to work, I don’t know.
- Navigate to the directory containing the OpenVPN installer in Total Commander. Right click it to select it, then press Ctrl+PgDn to browse the archive. (It may take a second.)
- Go into `$INSTDIR` within the installer. Copy the whole `bin` directory out of the installer, as well as `icon.ico`. By “copy [...] out of the installer” I mean to copy those files to some directory outside of the installer.
- Open the `bin` directory in Total Commander. You should see two `tapinstall.exe` files: one is the i386 version, one is the AMD64 version. Copy both of them out of the installer any way you’d like (I copied each into separate directories), but you’ll need both files. In the installer I have, `tapinstall.exe` for i386 is 74,752 bytes, AMD64 is 80,384 (and yes, that’s how I told the difference; another way: install OpenVPN 2.1rc4 on your machine, and then look at the size of the file installed in `C:\program files\openvpn\bin`).
- Go to `..\driver`. You should see two files each named `OemWin2k.inf`, `tap0901.cat`, and `tap0901.sys`. Again, one is i386, one is AMD64. Copy both versions of each of these three files out of the installer. i386 files are sized 7,236 bytes, 7,851 bytes, and 25,088 bytes, respectively. AMD64 files are 7,253 bytes, 7,823 bytes, and 29,696 bytes, respectively. (As in the last step, you can also find out which is which by installing OpenVPN and looking at the size of the installed files). After this step, you’re done with Total Commander.
- Extract the OpenVPN 2.1rc4 sources somewhere and navigate to that directory in a MSYS bash.
- Edit `install-win32/settings.in`, comment out the line starting with `!define SVC_TEMPLATE`, save.
- `mkdir images`. Move the `icon.ico` you pulled out of the installer into `images`.
- Find `install-whirl.bmp` in the OpenVPN GUI installer sources and extract it into the `images` directory as well.
- Move the `bin` directory you extracted from the OpenVPN 2.1rc4 installer into your OpenVPN sources directory (that’s the OpenVPN 2.1rc4 sources, not the OpenVPN GUI sources; keep up here).
- Delete `tapinstall.exe` from the `bin` directory.
- `mkdir -p bin/{tapinstall,driver}/{i386,amd64}`
- Copy each `tapinstall.exe` for i386 and AMD64 into `bin/tapinstall/i386` and `bin/tapinstall/amd64`, respectively.
- Copy the `OemWin2k.inf`, `tap0901.cat`, and `tap0901.sys` files for the appropriate architectures into `bin/driver/i386` and `bin/driver/amd64`. Here’s what your `bin` directory should look like after this step:
  ```
  bin
  bin/driver
  bin/driver/amd64
  bin/driver/amd64/OemWin2k.inf
  bin/driver/amd64/tap0901.cat
  bin/driver/amd64/tap0901.sys
  bin/driver/i386
  bin/driver/i386/OemWin2k.inf
  bin/driver/i386/tap0901.cat
  bin/driver/i386/tap0901.sys
  bin/libeay32.dll
  bin/libssl32.dll
  bin/openssl.exe
  bin/openvpn-gui-1.0.3.exe
  bin/openvpn.exe
  bin/openvpnserv.exe
  bin/tapinstall
  bin/tapinstall/amd64
  bin/tapinstall/amd64/tapinstall.exe
  bin/tapinstall/i386
  bin/tapinstall/i386/tapinstall.exe
  ```
- Make sure you’ve got `perl` in your path by running something like `perl -e1`. You shouldn’t get an error.
- Run `sh -x install-win32/winconfig`. It is important that you run this from the root of the OpenVPN sources (supposedly).
- `echo '!define OPENVPN_GUI_DEFINED' >autodefs/guidefs.nsi` (see `install-win32/getgui`).
- Install NSIS.
- You should now be able to right click the `openvpn.nsi` and hit “Compile NSIS script.” NSIS should compile you a nice shiny `openvpn-2.1_rc4-install.exe`. This is the basic installer.
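The size-based sorting of the `tapinstall.exe` and TAP driver files in the steps above can be scripted in the MSYS bash so that a file of unexpected size never lands in the tree. This is an added example, not part of the original post or the OpenVPN sources; the function names (`arch_for`, `place_file`, `check_tree`) and the script name are hypothetical, and the byte sizes are the ones quoted above for the 2.1rc4 installer.

```shell
#!/bin/sh
# Byte sizes below are the ones quoted in the post for the 2.1rc4 installer.

# arch_for <name> <size>: print i386 or amd64; fail on any other size.
arch_for() {
  case "$1:$2" in
    tapinstall.exe:74752|OemWin2k.inf:7236|tap0901.cat:7851|tap0901.sys:25088)
      echo i386 ;;
    tapinstall.exe:80384|OemWin2k.inf:7253|tap0901.cat:7823|tap0901.sys:29696)
      echo amd64 ;;
    *) return 1 ;;
  esac
}

# place_file <file> <bin-dir>: copy one extracted file into the per-arch tree.
place_file() {
  name=$(basename "$1")
  size=$(wc -c < "$1" | tr -d ' ')
  arch=$(arch_for "$name" "$size") ||
    { echo "refusing $1: unexpected size $size" >&2; return 1; }
  case "$name" in tapinstall.exe) sub=tapinstall ;; *) sub=driver ;; esac
  mkdir -p "$2/$sub/$arch" && cp "$1" "$2/$sub/$arch/$name"
}

# check_tree <bin-dir>: all eight per-arch files exist and sit under the right arch.
check_tree() {
  for want in i386 amd64; do
    for rel in tapinstall/$want/tapinstall.exe driver/$want/OemWin2k.inf \
               driver/$want/tap0901.cat driver/$want/tap0901.sys; do
      [ -f "$1/$rel" ] || { echo "missing $rel" >&2; return 1; }
      size=$(wc -c < "$1/$rel" | tr -d ' ')
      got=$(arch_for "$(basename "$rel")" "$size") || got=unknown
      [ "$got" = "$want" ] || { echo "$rel looks like $got" >&2; return 1; }
    done
  done
}

# Usage (hypothetical script name): sh sort-tap.sh <bin-dir> <extracted-file>...
if [ "$#" -ge 2 ]; then
  dest=$1; shift
  for f in "$@"; do place_file "$f" "$dest" || exit 1; done
  check_tree "$dest"
fi
```

A refused file means the installer being unpacked is not the build these sizes were taken from, so the sizes need re-checking against an installed copy before going further.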
At this point, you can make mods to openvpn.nsi as you see fit, just
like you might with OpenVPN GUI (i.e., with OpenVPN 2.0.9, GUI 1.0.3).
I’d like to give one note to possibly justify this ugliness: first of all, I don’t feel confident that I’d be able to build a Windows binary that works as well as the “official” one, built by people who probably know a lot more about what they’re doing on Windows than I do. What version of OpenSSL should I use? LZO? I don’t see something called (exactly) the “Driver Development Kit.” Of course, I’m sure these are surmountable; in fact, there are some hints in the OpenVPN sources about what versions you should use.
But another note about the OpenVPN binaries: they are supposedly signed by a real key that an OpenVPN developer has. This signing is supposedly necessary to make TAP-Win32 get installed on Vista/AMD64, where driver signing is apparently enforced. So will it be possible to build normally working binaries for Vista/x64 if you don’t have the ability to sign these binaries with some kind of real SSL key (i.e., one issued by a CA approved by Vista, for example Verisign)?