June 14, 2007

Disgusting way to roll your own OpenVPN 2.1rc4 Windows installer

I like to make Windows installers for OpenVPN that include my CA key and my configuration file. That way, the user only has to drop a given client.key and client.crt file in the config directory and they’re ready to go.

So now I’ve got someone that wants a Vista installer. Looking at the OpenVPN site, it seems I want OpenVPN 2.1 which has some kind of fixes for Vista, especially Vista on AMD64. Something to do with driver signing.

Also, there are notes here and there about how OpenVPN 2.1 will “include” the GUI.

When I want to rebuild OpenVPN 2.0 packages with the GUI there are nice installer source Zip files put out by the OpenVPN GUI author. I grab that, make an edit to the .nsi file, add in my configuration file and my CA cert, rebuild with NSIS and I’m done.

Problem: no such thing exists for OpenVPN 2.1, as of yet.

Further problem: building OpenVPN on Windows needs some Microsoft kits that I don’t care to get right now (I have to sign up, and register, and apply, and… bleh).

So here is the disgusting way that I made my own tree, suitable for rebuilding the installer, using nothing but the NSIS installer for 2.1rc4 given on the OpenVPN site.

Note: I really don’t recommend doing this. Though it does seem to work. When 2.1 is released as stable, I expect they’ll have a nice little package to help you roll your own installer.

Also, I’m going kind of fast, so these directions are probably not step-for-step perfect. If you don’t know what you’re doing, you will quite likely get lost.

You will need:

And the steps:

  1. Install MinGW and MSYS. You won’t actually need much out of MinGW, but I think I installed all the standard stuff.
  2. Install ActivePerl.
  3. Install Total Commander. It’s shareware.
  4. Within Total Commander, double click on the InstallExplorer plug-in Zip file. Total Commander will offer to install this; tell it to install the plug-in. Maybe smash the “OK” or “whatever” buttoins on some following dialogs.

    By the way, Total Commander doesn’t deal well if you can’t write to the directory it’s installed in, I believe. So people running non-admin (like me) will need to get a little creative. If the next step doesn’t work, it’s quite possibly because the plug-in wasn’t installed correctly. If you’re running non-admin, that’s probably why the plug-in didn’t get installed correctly; try installing the plug-in while running Total Commander as a user with administrative rights.

    You may also need to restart Total Commander for the plug-in to work, I don’t know.

  5. Navigate to the directory containing the OpenVPN installer in Total Commander. Right click it to select it, then press Ctrl+PgDn to browse the archive. (It may take a second.)
  6. Go into $INSTDIR within the installer. Copy the whole bin directory out of the installer, as well as icon.ico. By “copy [...] out of the installer” I mean to copy those files to some directory outside of the installer.
  7. Open the bin directory in Total Commander. You should see two tapinstall.exe files: one is the i386 version, one is the AMD64 version. Copy both of them out of the installer anyway you’d like (I copied each into separate directories), but you’ll need both files. In the installer I have, tapinstall.exe for i386 is 74,752 bytes, AMD64 is 80,384 (and yes, that’s how I told the difference; another way: install OpenVPN 2.1rc4 on your machine, and then look at the size of the file installed in C:program filesopenvpnbin).
  8. Go to ..driver. You should see two files each named OemWin2k.inf, tap0901.cat, and tap0901.sys. Again, one is i386, one is AMD64. Copy both versions of each of these three files out of the installer. i386 files are sized 7,236 bytes, 7,851 bytes, and 25,088 bytes, respectively. AMD64 files are 7,253 bytes, 7,823 bytes, and 29,696 bytes, respectively. (As in the last step, you can also find out which is which by installing OpenVPN and looking at the size of the installed files). After this step, you’re done with Total Commander.
  9. Extract the OpenVPN 2.1rc4 sources somewhere and navigate to that directory in a MSYS bash.
  10. Edit install-win32/settings.in, comment out the line starting with !define SVC_TEMPLATE, save.
  11. mkdir images. Move the icon.ico you pulled out of the installer into images.
  12. Find install-whirl.bmp in the OpenVPN GUI installer sources and extract it into the images directory as well.
  13. Move the bin directory you extracted from the OpenVPN 2.1rc4 installer into your OpenVPN sources directory (that’s the OpenVPN 2.1rc4 sources, not the OpenVPN GUI sources; keep up here).
  14. Delete tapinstall.exe from the bin directory.
  15. mkdir -p bin/{tapinstall,driver}/{i386,amd64}
  16. Copy each tapinstall.exe for i386 and AMD64 into bin/tapinstall/i386 and bin/tapinstall/amd64, respectively.
  17. Copy the OemWin2k.inf, tap0901.cat, and tap0901.sys files for the appropriate architectures into bin/driver/i386 and bin/driver/amd64. Here’s what your bin directory should look like after this step:

  18. Make sure you’ve got perl in your path by running something like perl -e1. You shouldn’t get an error.
  19. Run sh -x install-win32/winconfig. It is important that you run this from the root of the OpenVPN sources (supposedly).
  20. echo '!define OPENVPN_GUI_DEFINED' >autodefs/guidefs.nsi (see install-win32/getgui).
  21. Install NSIS.
  22. You should now be able to right click the openvpn.nsi and hit “Compile NSIS script.” NSIS should compile you a nice shiny openvpn-2.1_rc4-install.exe. This is the basic installer.

At this point, you can make mods to openvpn.nsi as you see fit, just like you might with OpenVPN GUI (i.e., with OpenVPN 2.0.9, GUI 1.0.3).

I’d like to give one note to possibly justify this ugliness: first of all, I don’t feel confident that I’d be able to build a Windows binary that works as well as the “official” one, built by people who probably know a lot more about what they’re doing on Windows than I do. What version of OpenSSL should I use? LZO? I don’t see something called (exactly) the “Driver Development Kit.” Of course, I’m sure these are surmountable; in fact, there are some hints in the OpenVPN sources about what versions you should use.

But another note about the OpenVPN binaries: they are supposedly signed by a real key that an OpenVPN developer has. This signing is supposedly necessary to make TAP-Win32 get installed on Vista/AMD64, where driver signing is apparently enforced. So will it be possible to build normally working binaries for Vista/x64 if you don’t have the ability to sign these binaries with some kind of real SSL key (i.e., one issued by a CA approved by Vista, for example Verisign).

Comments (20)

  1. October 23, 2007
    Me said...

    Any chance we could get a copy of this .zip to space us the pain you had to go through?

  2. October 26, 2007
    darkness said...

    I think I didn’t put this up because I (a) didn’t want to post a kind of “unauthorized” set of OpenVPN software, especially when I perceived a real release was coming up shortly; and (b) I didn’t really want to support people using this method for building an installer because it’s so ugly.

    I see a release hasn’t been made, unfortunately. Since you asked nicely, I went and found some Zip file I created: http://www.codefu.org/people/darkness/openvpn-2.1_rc4-installer-build-tree.zip . Theoretically this is the tree I was working off of when I built my installer. I really don’t guarantee it’ll work for you. I kind of suspect it will, but I don’t remember if that last step where you run some Perl to generate stuff in the “autodeps” directory had anything system-dependent that might be true on my system and wrong elsewhere.

  3. March 11, 2008
    grassi said...

    Hey darkness,

    thanks for the great “ugly” howto. It worked fine for me with the 2.1rc7-Branch although I had to combine Total-Commander and Universal Extractor from “legroom.net”, to get all files out of the original installer.
    To contribute to the community, here is the final working zip-file:
    I didn’t test it on AMD64 but see no reason why it shouldn’t work there also.

    Quick-Howto for users:
    1. Download zip-file
    2. install nsis (maybe perl too?)
    3. go to install-win32 and edit openvpn.nsi to your needs.
    4. change the files in the config-dir to something useful
    5. right-click on openvpn.nsi and hit “Compile NSIS script”

  4. September 25, 2008
    anon said...

    Excellent work! I really appreciate this article and especially the .zip included in the comment. I was able to get OpenVPN to work in XP and Vista with a custom installer and configuration files in less than an hour.

    Kudos Darkness!

  5. October 11, 2008
    Stephanie said...

    Hello! if somebody could help me I would be forever greatful…I need to install OpenVPN on a Vista computer to connect a client PC (on windows XP). I’m pretty clueless when it comes to open source programs and networking so I need all the help I can get to get OpenVPN installed successfully. I tried to follow the instructions step by step but unfortunately they arent written for dummies so I got lost quite quickly. If anybody is able to help me please send me an email at pgaralis@gmail.com.

    Thank you in advance for any help!

  6. January 6, 2009
    daili said...

    OpenVPN 2.1_rc15 — released on 2008.11.19

  7. April 15, 2009
    hepek said...

    Can anybody help me how to translate and compile openvpn_gui?

  8. March 1, 2010
    Geert Janssens said...

    I came across your howto because I had trouble compiling my own installer for OpenVPN 2.1.1.

    There is a cleaner way with openvpn 2.1.1.
    You will still need mingw and friends, but you can take advantage of the prebuilt tarball that OpenVPN provides.

    In short:
    * Download the OpenVPN source tarball
    * Inside you will find a script called domake-win
    * Read the comments on top of this script. It explains how to use the prebuilt tarball.
    * In the same script, comment out the two lines regarding tap and tapinstall. You will use the prebuilt ones instead.
    * now go and customize install-win32/settings.in to your likings
    * be sure to uncomment the prebuilt directory in there
    from the openvpn directory, run domake-win

    If all goes well, this should generate the openvpn installer. In my case it didn’t go well, because of a bug in install-win32/trans.pl. I had to add ‘\s*’ to the regular expression that parses the ‘!include’ lines. After that, it worked fine. This bug may have been fixed in more recent openvpn sources.

    Good luck.


  9. April 25, 2010
    Khoa said...

    Hi Geert,
    Can you tell me how to add ‘\s*” to the regular expression that parses thee “!include” lines. When I compile openvpn-2.1.1 with the ./domake-win command on MSYS enviroment. There is an error.
    can’t parse this line: !include “autodefs/version.in”.

  10. April 29, 2010
    Geert Janssens said...

    In file install-win32/trans.pl, you should change


    to read


    That fixed it for me.

  11. May 25, 2010
    reggie said...


    Geert pls can you help me how can I may change sources,
    when I want add my configs with cert and .opvn files?
    Can you give me example, because file settings.in seem to be different like I was changing file for nss script.
    Thanks for reply :)

  12. May 26, 2010
    Geert Janssens said...

    To add custom config files and ovpn files, I edited the nsi configuration file as you would otherwise to configure the installer. The file to modify is in install-win32 and is called openvpn.nsi.

  13. March 22, 2011
    Terry said...


    Referring to your site guidance, I downloaded everything. Withut changing anything just tried to run openvpn.nsi script from /install-win32 by right clicking and selecting “Compile NSIS Script”. This is the result that I get :

    Processing script file: "C:\MinGW\msys\1.0\home\Admin\openvpn-2.1_rc22\install-win32\openvpn.nsi"
    SetCompressor: lzma
    !include: "C:\NSIS\Include\MUI.nsh"
    !include: "C:\NSIS\Contrib\Modern UI\System.nsh"
    NSIS Modern User Interface version 1.8 - Copyright 2002-2009 Joost Verburg (C:\NSIS\Contrib\Modern UI\System.nsh:8)
    !define: "MUI_INCLUDED"=""
    !define: "MUI_SYSVERSION"="1.8"
    !define: "MUI_VERBOSE"="3"
    !include: closed: "C:\NSIS\Contrib\Modern UI\System.nsh"
    !include: closed: "C:\NSIS\Include\MUI.nsh"
    !include: could not find: "defs.nsi"
    Error in script "C:\MinGW\msys\1.0\home\Admin\openvpn-2.1_rc22\install-win32\openvpn.nsi" on line 14 -- aborting creation process

    defs.nsi is already present in gen-prebuilt folder. I have added C:\MinGW\bin, C:\MinGW\msys\1.0\bin and C:\MinGW\msys\1.0\home\Admin to path.

    Can you tell why it cuoldn’t find the “defs.nsi”. Am I missing anything or any settings ?

    One more question, how do I build the “domake-win” file present in openvpn-2.1_rc folder. I fuond that to recompile openvpn with any new changes, we got to make changes in settings.in and run domake-win script at http://article.gmane.org/gmane.network.openvpn.user/22590. But, couldn’t make out how to run the domake-win script.

    I hope you can help me out. Have spend almost whole day trying to build as you have instructed, but just couldn’t make it.



    • March 22, 2011
      darkness said...

      Unfortunately I don’t use Windows anymore at all, so I can’t be much help with this. Sorry!

      • March 23, 2011
        Terry said...

        Thanks darness, I got that part working. Am building it using MingW, MYSYS bash. I get the following error for LZO :

        res_init UNDEFINED
        configure: checking for working epoll implementation…
        checking for epoll_create… no
        LoadLibrary DEFINED
        configure: checking for LZO Library and Header files…
        checking lzo/lzo1x.h usability… no
        checking lzo/lzo1x.h presence… no
        checking for lzo/lzo1x.h… no
        checking lzo1x.h usability… no
        checking lzo1x.h presence… no
        checking for lzo1x.h… no
        LZO headers were not found
        LZO library available from http://www.oberhumer.com/opensource/lzo/
        configure: error: Or try ./configure –disable-lzo
        make: *** No targets specified and no makefile found. Stop.
        cp: cannot stat `windest/sbin/openvpn.exe’: No such file or directory
        cp: cannot stat `windest/sbin/openvpnserv.exe’: No such file or directory
        Not building TAP driver — DDK version 6001.18002 NOT FOUND
        Not building tapinstall — DDK version 6001.18002 NOT BUILT
        Uninstall: 4 pages (256 bytes),
        1 section (1048 bytes), 396 instructions (11088 bytes), 216 strings (3490 bytes)
        , 1 language table (282 bytes).
        Datablock optimizer saved 15434 bytes (~0.9%).

        Its building the openvpn file, but not working properly.

        Greet, Thanks your idea to make changes in “install-win32/trans.pl” helped me solve the same problem with !include autodef/versin.in” statement.

        Can anyone help me how to handle with this LZO header files that. The dir name of lzo I have from prebuilt is /lzo-2.02. I had read somewhere on net reg this problem, but couldn’t find now. Any help is highly appreciated.


        • March 23, 2011
          darkness said...

          Terry, is there an lzo1x.h anywhere under your lzo-2.02 directory? If so, you might need to add something to your environment variable such as CFLAGS=-I/directory/that/contains/lzo/header. If not, maybe you need a 1.x version of LZO? (Again, these are total guesses without looking at the code for even a second.)

          • March 24, 2011
            Terry said...

            darkenss, I configured, build & installed LZO using MinGW and got all required .h files in \lzo-2.02\include\lzo folder and also got the library created under \lzo-2.02\src\.libs (contains liblzo2.a, liblzo2.la & liblzo2.lai).
            In my settings.in I have ,
            !define LZO_DIR “C:/MinGW/msys/1.0/home/Admin/lzo-2.02″
            In makeopenvpn file,
            –with-lzo-headers=$H/$LZO_DIR/include \
            –with-lzo-lib=$H/$LZO_DIR/src \
            I tried alot. Even added /usr/local/lib in lzo-lib, but nothing works. It is able to find headers but not library. I get the error and it quits :

            LoadLibrary DEFINED
            configure: checking for LZO Library and Header files…
            checking lzo/lzo1x.h usability… yes
            checking lzo/lzo1x.h presence… yes
            checking for lzo/lzo1x.h… yes
            checking for lzo1x_1_15_compress in -llzo2… no
            checking for lzo1x_1_15_compress in -llzo… no
            configure: error: LZO headers were found but LZO library was not found
            make: *** No targets specified and no makefile found. Stop.
            cp: cannot stat `windest/sbin/openvpn.exe’: No such file or directory
            cp: cannot stat `windest/sbin/openvpnserv.exe’: No such file or directory
            Uninstall: 4 pages (256 bytes),

            How to solve this Problem ? Am stuck up ? Please help me out. Does it make any difference if I execute any commands in MinGW and in normal dos using bash command ? I had configured, build & installed lzo and doing domake-win in MingW only, but previously was doing on cmd.

          • March 24, 2011
            darkness said...

            Sorry, I’ve got no idea. Maybe someone else can happen by and offer advice. Good luck!

  14. March 25, 2011
    Terry said...

    Does anyone know the name of library file of LZO2-02 generated? I compiled, build and installed but dont’ see any dll or lib file ? But I see liblzo2.a, liblzo2.ai and liblzo.lai

    Which is the library file of LZO and where is it located ?

  15. March 26, 2011
    Gorkhaan said...

    Having the same LZO problem! I’m trying to fix it somehow. no luck so far.