OpenVPN 3
=========

OpenVPN 3 is a C++ class library that implements the functionality
of an OpenVPN client, and is protocol-compatible with the OpenVPN
2.x branch.

OpenVPN 3 includes a minimal client wrapper (``cli``) that links in with
the library and provides basic command line functionality.

NOTE: As of early 2016, OpenVPN 3 is primarily of interest to developers
because it does not yet replicate the full functionality of OpenVPN 2.x.
In particular, server functionality is not yet implemented.

Building OpenVPN 3 client on Mac OS X
-------------------------------------

OpenVPN 3 should be built in a non-root Mac OS X account.
Make sure that Xcode is installed with optional command-line tools.
(These instructions have been tested with Xcode 5.1.1).

Create the directories ``~/src`` and ``~/src/mac``::

    mkdir -p ~/src/mac

Clone the OpenVPN 3 repo::

    cd ~/src
    mkdir ovpn3
    cd ovpn3
    git clone ... core

Export the shell variable ``O3`` to point to the OpenVPN 3 top level
directory::

    export O3=~/src/ovpn3

Download source tarballs (``.tar.gz`` or ``.tgz``) for these dependency
libraries into ``~/Downloads``.

See the file ``$O3/core/deps/lib-versions`` for the expected
version numbers of each dependency. If you want to use a different
version of the library than listed here, you can edit this file.

1. Asio -- https://github.com/chriskohlhoff/asio
2. mbed TLS (2.3.0 or higher) -- https://tls.mbed.org/
3. LZ4 -- https://github.com/Cyan4973/lz4

For dependencies that are typically cloned from github rather than
provided as a ``.tar.gz`` file, tools are provided to convert
the github checkout to a ``.tar.gz`` file. See the "snapshot" scripts under
``$O3/core/deps``.

Note that while OpenSSL is listed in ``lib-versions``, it is
not required for Mac builds.

Build the dependencies::

    OSX_ONLY=1 $O3/core/scripts/mac/build-all

Now build the OpenVPN 3 client executable::

    cd $O3/core
    . vars/vars-osx64
    . vars/setpath
    cd test/ovpncli
    PSSL=1 LZ4=1 build cli

This will build the OpenVPN 3 client library with a small client
wrapper (``cli``). It will also statically link in all external
dependencies (Asio, mbed TLS (formerly PolarSSL), and LZ4), so ``cli`` may be distributed
to other Macs and will run as a standalone executable.

These build scripts will create an **x86_64** Mac OS X executable,
with a minimum deployment target of 10.8.x. The Mac OS X tuntap driver is not
required, as OpenVPN 3 can use the integrated utun interface if
available.

To view the client wrapper options::

    ./cli -h

To connect::

    ./cli client.ovpn

Contributing
------------

See `<CONTRIBUTING.rst>`_.

License
-------

See `<LICENSE.rst>`_.