rework INSTALL and README to prepare for 2.6 release

Update URLs in README Rip out information in INSTALL that is already in PORTS, or is printed by "./configure --help" Update tun/tap driver information where outdated or incomplete. Update build prerequisites, add new linux libraries, add git and libtool to developer tools needed, etc. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20221128164932.14252-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25566.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-05-09 13:41:06 +08:00 · 2022-11-28 17:49:32 +01:00 · 2022-11-28 17:49:32 +01:00 · c291c95f6c
commit c291c95f6c
parent 16d773eb1f
2 changed files with 52 additions and 156 deletions
--- a/200
+++ b/200
@ -1,6 +1,6 @@
 Installation instructions for OpenVPN, a Secure Tunneling Daemon
-Copyright (C) 2002-2019 OpenVPN Inc. This program is free software;
+Copyright (C) 2002-2022 OpenVPN Inc. This program is free software;
 you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 2
 as published by the Free Software Foundation.
@ -52,45 +52,39 @@ Also see the man page for more information.
 *************************************************************************
-SUPPORTED PLATFORMS:
+For a list of supported platforms and architectures, and for
-  (1) Linux (kernel 2.6+)
+instructions how to port OpenVPN to a yet-unsupported architecture,
-  (2) Solaris
+see the file "PORTS".
  (3) OpenBSD 5.1+
  (4) Mac OS X Darwin 10.5+
  (5) FreeBSD 7.4+
  (6) NetBSD 5.0+
  (7) Windows Vista or later for OpenVPN 2.4
  (8) Windows XP or later for OpenVPN 2.3
-SUPPORTED PROCESSOR ARCHITECTURES:
+*************************************************************************
   In general, OpenVPN is word size and endian independent, so
   most processors should be supported.  Architectures known to
   work include Intel x86, Alpha, Sparc, Amd64, and ARM.
-REQUIRES:
+SYSTEM REQUIREMENTS:
  (1) TUN and/or TAP driver to allow user-space programs to control
-      a virtual point-to-point IP or Ethernet device.  See
+      a virtual point-to-point IP or Ethernet device.
-      TUN/TAP Driver Configuration section below for more info.
+      See TUN/TAP Driver References section below for more info.
-  (2) OpenSSL library, necessary for encryption, version 1.0.2 or higher
+  (2a) OpenSSL library, necessary for encryption, version 1.0.2 or higher
      required, available from http://www.openssl.org/
      or
-  (3) mbed TLS library, an alternative for encryption, version 2.0 or higher
+  (2b) mbed TLS library, an alternative for encryption, version 2.0 or higher
      required, available from https://tls.mbed.org/
  (3) on Linux, "libnl-gen" is required for kernel netlink support
  (4) on Linux, "libcap-ng" is required for Linux capability handling
 OPTIONAL:
-  (3) LZO real-time compression library, required for link compression,
+  (5) LZO real-time compression library, required for link compression,
      available from http://www.oberhumer.com/opensource/lzo/
-      OpenBSD users can use ports or packages to install lzo, but remember
+      (most supported operating systems have LZO in their installable
-      to add CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
+      packages repository.  It might be necessary to add LZO_CFLAGS=
-      directives to "configure", since gcc will not find them otherwise.
+      and LZO_LIBS= to the configure call to make it find the LZO pieces)
  (6) LZ4 compression library
 OPTIONAL (for developers only):
-  (1) Autoconf 2.59 or higher + Automake 1.9 or higher
+  (1) Autoconf 2.59 or higher
-      -- available from http://www.gnu.org/software/software.html
+      Automake 1.9 or higher
-  (2) Dmalloc library
+      Libtool
-      -- available from http://dmalloc.com/
+      Git
  (2) cmocka test framework (http://cmocka.org)
  (3) If using t_client.sh test framework, fping/fping6 is needed
      -- Available from http://www.fping.org/
      Note: t_client.sh needs an external configured OpenVPN server.
      See t_client.rc-sample for more info.
@ -106,7 +100,7 @@ CHECK OUT SOURCE FROM SOURCE REPOSITORY:
  Check out stable version:
-    git checkout release/2.4
+    git checkout release/2.6
  Check out master (unstable) branch:
@ -119,7 +113,7 @@ BUILD COMMANDS FROM TARBALL:
 	./configure
 	make
-	make install
+	sudo make install
 *************************************************************************
@ -128,7 +122,7 @@ BUILD COMMANDS FROM SOURCE REPOSITORY CHECKOUT:
 	autoreconf -i -v -f
 	./configure
 	make
-	make install
+	sudo make install
 *************************************************************************
@ -175,98 +169,17 @@ you can install cmocka with these commands:
 OPTIONS for ./configure:
-  --disable-lzo           disable LZO compression support [default=yes]
+  To get an overview of all the configure options, run "./configure --help"
  --disable-lz4           Disable LZ4 compression support
  --enable-comp-stub      Don't compile compression support but still allow limited interoperability with compression-enabled peers
  --disable-crypto        disable crypto support [default=yes]
  --disable-ofb-cfb       disable support for OFB and CFB cipher modes
                          [default=yes]
  --enable-x509-alt-username
                          enable the --x509-username-field feature
                          [default=no]
  --disable-server        disable server support only (but retain client
                          support) [default=yes]
  --disable-plugins       disable plug-in support [default=yes]
  --disable-management    disable management server support [default=yes]
  --enable-pkcs11         enable pkcs11 support [default=no]
  --disable-fragment      disable internal fragmentation support (--fragment)
                          [default=yes]
  --disable-multihome     disable multi-homed UDP server support (--multihome)
                          [default=yes]
  --disable-port-share    disable TCP server port-share support (--port-share)
                          [default=yes]
  --disable-debug         disable debugging support (disable gremlin and verb
                          7+ messages) [default=yes]
  --enable-small          enable smaller executable size (disable OCC, usage
                          message, and verb 4 parm list) [default=no]
  --enable-iproute2       enable support for iproute2 [default=no]
  --disable-def-auth      disable deferred authentication [default=yes]
  --disable-pf            disable internal packet filter [default=yes]
  --disable-plugin-auth-pam
                          disable auth-pam plugin [default=platform specific]
  --disable-plugin-down-root
                          disable down-root plugin [default=platform specific]
  --enable-pam-dlopen     dlopen libpam [default=no]
  --enable-strict         enable strict compiler warnings (debugging option)
                          [default=no]
  --enable-pedantic       enable pedantic compiler warnings, will not generate
                          a working executable (debugging option) [default=no]
  --enable-werror         promote compiler warnings to errors, will cause
                          builds to fail if the compiler issues warnings
                          (debugging option) [default=no]
  --enable-strict-options enable strict options check between peers (debugging
                          option) [default=no]
  --enable-selinux        enable SELinux support [default=no]
  --enable-systemd        enable systemd support [default=no]
  --enable-async-push     enable async-push support for plugins providing
                          deferred authentication [default=no]
 ENVIRONMENT for ./configure:
-  PLUGINDIR   Path of plug-in directory [default=LIBDIR/openvpn/plugins]
+  For more fine-grained control on include + library paths for external
-  IFCONFIG    full path to ipconfig utility
+  components etc., configure can be called with environment variables on
-  ROUTE       full path to route utility
+  the command line, e.g.
  IPROUTE     full path to ip utility
  NETSTAT     path to netstat utility
  GIT         path to git utility
  SYSTEMD_ASK_PASSWORD
              path to systemd-ask-password utility
  SYSTEMD_UNIT_DIR
              Path of systemd unit directory [default=LIBDIR/systemd/system]
  TMPFILES_DIR
              Path of tmpfiles directory [default=LIBDIR/tmpfiles.d]
  RST2MAN     Path to rst2man utility
  RST2HTML    Path to rst2html utility
-ENVIRONMENT variables adjusting parameters related to dependencies
+     ./configure OPENSSL_CFLAGS="-I/usr/local/include" ...
-  TAP_CFLAGS  C compiler flags for tap
+  these are also explained in "./configure --help", so not repeated here.
  LIBPAM_CFLAGS
              C compiler flags for libpam
  LIBPAM_LIBS linker flags for libpam
  PKCS11_HELPER_CFLAGS
              C compiler flags for PKCS11_HELPER, overriding pkg-config
  PKCS11_HELPER_LIBS
              linker flags for PKCS11_HELPER, overriding pkg-config
  OPENSSL_CFLAGS
              C compiler flags for OpenSSL
  OPENSSL_LIBS
              linker flags for OpenSSL
  MBEDTLS_CFLAGS
              C compiler flags for mbedtls
  MBEDTLS_LIBS
              linker flags for mbedtls
  LZO_CFLAGS  C compiler flags for lzo
  LZO_LIBS    linker flags for lzo
  LZ4_CFLAGS  C compiler flags for lz4
  LZ4_LIBS    linker flags for lz4
  libsystemd_CFLAGS
              C compiler flags for libsystemd, overriding pkg-config
  libsystemd_LIBS
              linker flags for libsystemd, overriding pkg-config
  P11KIT_CFLAGS
              C compiler flags for P11KIT, overriding pkg-config
  P11KIT_LIBS linker flags for P11KIT, overriding pkg-config
 *************************************************************************
@ -302,13 +215,13 @@ For more details:
 * Ubuntu
  https://packages.ubuntu.com/search?keywords=openvpn
-In addition, the OpenVPN community provides a best-effort APT repository
+In addition, the OpenVPN community provides best-effort package
-for Debian and Ubuntu:
+repositories for CentOS/Fedora, Debian and Ubuntu:
 https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
 *************************************************************************
-TUN/TAP Driver Configuration:
+TUN/TAP Driver References:
 * Linux 2.6 or higher (with integrated TUN/TAP driver):
@ -322,17 +235,17 @@ TUN/TAP Driver Configuration:
  FreeBSD ships with the TUN/TAP driver, and the device nodes for tap0,
  tap1, tap2, tap3, tun0, tun1, tun2 and tun3 are made by default.
  However, only the TUN driver is linked into the GENERIC kernel.
-  To load the TAP driver, enter: 
+  On FreeBSD versions prior to 12.0-RELEASE, there were independent
  TUN and TAP drivers, and the TAP driver needed to be loaded manually,
  using the command:
-	kldload if_tap
+	# kldload if_tap
-  See man rc(8) to find out how you can do this at boot time.
+  For recent FreeBSD versions, TUN/TAP are integrated and always loaded.
-  The easiest way is to install OpenVPN from the FreeBSD ports system,
+  FreeBSD 14 contains the ovpn(4) for kernel-level OpenVPN acceleration
-  the port includes a sample script to automatically load the TAP driver
+  (DCO) which will be used by OpenVPN 2.6 and up if available.
  at boot-up time.
 * OpenBSD:
@ -354,31 +267,14 @@ TUN/TAP Driver Configuration:
  recent Windows versions it is recommended to use the NDIS 6 driver
  (tap-windows6) instead.
  Windows 10 and Server 2016 and up can use the dco-win driver for
  kernel-level acceleration for OpenVPN client setups.  This is also
  included in the community-provided OpenVPN installers.
 *************************************************************************
 CAVEATS & BUGS:
-* I have noticed cases where TCP sessions tunneled over the Linux
+* see the bug tracker on https://community.openvpn.net/openvpn/report
-  TAP driver (kernel 2.4.21 and 2.4.22) stall when lower --mssfix
+  and the wiki on https://community.openvpn.net/wiki for more detailed
-  values are used.  The TCP sessions appear to unstall and resume
+  caveats on operating systems, and for open and resolved bug reports.
  normally when the remote VPN endpoint is pinged.
 * If run through a firewall using OpenBSDs packet filter PF and the
  filter rules include a "scrub" directive, you may get problems talking
  to Linux hosts over the tunnel, since the scrubbing will kill packets
  sent from Linux hosts if they are fragmented. This is usually seen as
  tunnels where small packets and pings get through but large packets
  and "regular traffic" don't. To circumvent this, add "no-df" to
  the scrub directive so that the packet filter will let fragments with
  the "dont fragment"-flag set through anyway.
 * Mixing OFB or CFB cipher modes with static key mode is not recommended,
  and is flagged as an error on OpenVPN versions 1.2.1 and greater.
  If you use the --cipher option to explicitly select an OFB or CFB
  cipher AND you are using static key mode, it is possible that there
  could be an IV collision if the OpenVPN daemons on both sides
  of the connection are started at exactly the same time, since
  OpenVPN uses a timestamp combined with a sequence number as the cipher
  IV for OFB and CFB modes.  This is not an issue if you are
  using CBC cipher mode (the default), or if you are using OFB or CFB
  cipher mode with SSL/TLS authentication.
--- a/8
+++ b/8
@ -1,6 +1,6 @@
 OpenVPN -- A Secure tunneling daemon
-Copyright (C) 2002-2018 OpenVPN Inc. This program is free software;
+Copyright (C) 2002-2022 OpenVPN Inc. This program is free software;
 you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 2
 as published by the Free Software Foundation.
@ -9,7 +9,7 @@ as published by the Free Software Foundation.
 To get the latest release of OpenVPN, go to:
-	https://openvpn.net/index.php/download/community-downloads.html
+	https://openvpn.net/community-downloads/
 To Build and Install,
@ -30,7 +30,7 @@ For a sample VPN configuration, see
  http://openvpn.net/howto.html
 To report an issue, see
-  https://community.openvpn.net/openvpn/report
+  https://community.openvpn.net/openvpn/newticket
 For a description of OpenVPN's underlying protocol,
  see the file ssl.h included in the source distribution.
@ -64,7 +64,7 @@ Note that easy-rsa and tap-windows are now maintained in their own subprojects.
 Their source code is available here:
  https://github.com/OpenVPN/easy-rsa
-  https://github.com/OpenVPN/tap-windows
+  https://github.com/OpenVPN/tap-windows6
 The old cross-compilation environment (domake-win) and the Python-based
 buildsystem have been replaced with openvpn-build: