Thursday, October 23, 2008

Building openvpn with enable-password-save on windows

If you are looking to download openvpn 2.1.1 with enable-password-save you should check this post.
I have added a few updates on how to build openvpn 2.1.1 on this post

Although I know it’s against security best practices I have just finished building my own version of open vpn 2.1 RC 13 passing the --enable-password-save option (you may download it from here). Thus I can now save the credentials in a plain text file. If you can’t acquire private keys and you don’t care about security that much or you think that you can trust your credentials in a plain text file in your computer, you may also build your own openvpn following the following instructions.
First of all I acquired a fresh copy of a virtual hard disk containing windows xp (you may find some already installed vhd drives here). In order to open the vhd file you’ll be needing Virtual pc.

So we do have a virtual pc running and we install the following programs:

  1. MinGW/MSYS environment

    You must download the MinGW setup. This exe will download the required files and then install them. Although I am not sure whether all these were needed, I installed the core compiler, Objective C Compiler and MinGW Make.
    Having installed MinGW you must download and install msys following the steps from the official site
  2. Nullsoft Install System will be needed to create the install file

That’s all the tools we will need. Now let’s download some source files. Since the whole process of gathering all the required source files and compiling open vpn is very intense, we will be using the latest prebuild package which will save us some time. Extract the contents of the tbz using your favorite extractor (mine is 7-zip) in your msys home folder (if you haven’t changed anything during the setup this should be C:\msys\1.0\home\admin\ ). The following folders should exist:

  • gen-prebuilt
  • lzo-2.02
  • openssl-0.9.8i
  • pkcs11-helper
  • openvpn-2.1_rc13

Having the prebuild ready, download the source files. Extract the source files inside the openvpn-2.1_rc13 folder, thus ending up with a bunch of .c (source) and .h (header) files in the root of that folder. Enter the install-win32 folder and edit the makeopenvpn file. Here is where you define the --enable-password-save option in the configure command. In order to add this new argument, go to the last one, add a \ in the end and write the --enable-password-save on a new line just above the fi.

You should probably also delete line 265 in the openvpn.nsi file writing “;!define SF_SELECTED 1” which caused me troubles since SF_SELECTED was already declared. To verify whether you need to delete this line or not, you may press right click and then “Compile NSIS Script” and try to fix any errors that may occur.

Time to fire up msys. Verify that you see the extracted folders by typing "ls" and then pressing the Enter key. Open the openvpn-2.1_rc13 folder by typing "cd openvpn-2.1_rc13" (pressing tab will autocomplete the names). Inside the folder, issue the "./domake-win" command which builds the whole thing up. If the whole process is successful then you’ll have your personal installation of openvpn in the install-win32 folder.

Some note about running openvpn on windows vista. First of all, you must install it by right clicking and then selecting "Run as administrator" and second and more important, you must right click on your openvpn-gui-1.0.3.exe file and click properties. From there navigate to Compatibility and enable the “Run this program as administrator” or it won't be able to add the routes.

Enjoy.

17 comments:

luis enrique said...

Hello Andreas Botsika , I'm Luis Enrique from Mexico and I'm glad to read that you were able to compile the openvpn2.1-rc13 with the mingw environment , actually I'm doing a school work with the same release and prebuilds,but mmm I cannot make it. I'ts showing me a problem with some libraries , like cryptoapi.h and wincrypt.h , a problem with 'CryptAquireCertificatePrivateKey' , i think it's a headers problem, but well i want to know if you found the same problem with the mingw/msys environtment , or may be I've misconfigured mingw .

Thanks in advance for all help
and congratulations for the succesfull in your work

Andreas Botsikas said...

Hello Luis,

I am really sorry but the only problem I got was the one I mentioned in my post. Is it possible that you downloaded a night build which may not compile? Have you googled the compiler error? I would start the process from the beginning, starting with a fresh mingw install just in case something is wrong there. Can you tell me the exact error?

Best wishes,
Andreas

luis enrique said...

Hello again Andreas , well I waste the weekend trying to figure out where is the problem , but to be honest with you I cannot find it out.I follow all the instructions in the mingw page and the same for msys

And well the problem I'm finding is that when compiling openvpn2.1-rc13 i get this error

cryptoapi.c:55 error: 'CryptoAcquireCertificatePrivateKey' redeclared as different kind of symbol
c:/MinGW/bin/../lib/gcc/mingw32/3.4.5/../../../../include/wincrypt.h:1298: error: previous declaration of 'CryptAcquireCertificatePrivateKey' was here
cryptoapi.c:55 error: 'CryptoAcquireCertificatePrivateKey' redeclared as different kind of symbol
c:/MinGW/bin/../lib/gcc/mingw32/3.4.5/../../../../include/wincrypt.h:1298: error: previous declaration of 'CryptAcquireCertificatePrivateKey' was here
make[2]: ***[cryptoapi.o] Error 1
make[2]: *** Waiting for unfinished jobs ....
make[2]: Leaving directory `/c/Download/openvpn-2.1_rc13-prebuild/openvpn-2.1_rc13'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/c/Download/openvpn-2.1_rc13-prebuild/openvpn-2.1_rc13'
make: *** [all] Error 2

and then crash , nothing is done ...i didnt get this error before , i worked with openvpn2.1rc7 with MSVC in that was ok ...but something is no tworking for me with mingw ......And according with the page I'm not using a night build at all.

Thanks !

jonkoon said...

Thank you for posting this very useful code and instructions. It really helped us!

Kamilion Schnook said...

I had the same 'CryptAquireCertificatePrivateKey' failure.

I solved it by opening up cryptoapi.c with notepad++ and commenting out lines 54 to 55 and 381 to 397.

The comments before both of these sections reads:
/* MinGW w32api is incomplete when it comes to CryptoAPI, as per version 3.1
* anyway. This is a hack around that problem. */

Apparently, these hacks are no longer needed with MinGW 5.1.4. and just cause problems.

My edited copy of cryptoapi.c as of March 1st 2009 is here.
http://it.intrinsyx.net/openvpn/cryptoapi.c

And my successful build with --enable-password-save is here:
http://it.intrinsyx.net/openvpn/openvpn-2.1_rc15-itc-install.exe

Anonymous said...

Andreas,

thanks for this work. Maybe you have some time left to compile a newer version of OpenVPN?

Best wishes,
Andreas

Nicholas Polydor said...

I'm about to test this version of RC15 on Windows 7 Release Candidate 64-bit:

http://www.megaupload.com/?d=400N9DT6
( from http://forums.ivacy.com/index.php?topic=269.0 )

Anonymous said...

I hope someone can build RC20 with password enable. Thanks.

Anonymous said...

RC2o is ready:
http://forums.ivacy.com/index.php?topic=269.0

Rico said...

Thanks for the RC20 but seriously what is it with them and so many RC builds... Another build has been released

http://openvpn.net/index.php/open-source/downloads.html
OpenVPN 2.1_rc21 -- released on 2009.11.12

Rico said...

New Built: OpenVPN 2.1 RC 22 enable password save. Thanks goes to Sandbox for kindly posting this.


http://forums.ivacy.com/index.php?topic=269.0
http://www.megaupload.com/?d=W1R2CRS3

Rico said...

2009.12.11 -- Version 2.1.1

* Fixed some breakage in openvpn.spec (which is required to build an
RPM distribution) where it was referencing a non-existent
subdirectory in the tarball, causing it to fail (patch from
David Sommerseth).

http://forums.ivacy.com/index.php?topic=269.0

New Built: OpenVPN 2.1.1 Final --enable-password-save
http://www.megaupload.com/?d=XZYS7QWI
(MD5-Hash:54CF2ABB597E5079E25BEB95BF08D518)
-include lzo 2.03
-include latest OpenSSL 0.9.8l

CW said...

Thanks for this tutorial. Once question. I had to configure and make openssl and lzo packages even though I downloaded the most recent prebuilt packages. I also had to define environment variables for OPENSSL_DIR and LZO_DIR and PKCS11_HELPER for the do-make to start up. I am hung up on this one build error right now "checking for SSL_CTX_new in -lssl... no" Have you seen this any ideas how to get around it?

Raina said...

Hi Andreas,

Ive been through these instructions a few times and after 4 hours Im still not finding success! Could I hire you to help me please! Please contact me on raina.daijour - at - gmail.com

Cheers!

Andreas Botsikas said...

@CW: Sorry, I haven't seen this error before. Perhaps you should check the prerequisites in this post to see if you are missing a MinGW add-on.

Trupti said...

Why are my posts not visible after few hours. Are my questions difficult to answer so, or why I am not being even able to be helped by someone else.

Trupti said...

Does anyone know the library file of LZO2-02 ? I compiles, build and installed but dont' see any dll or lib file ? But I see liblzo2.a, liblzo2.ai and liblzo.lai

Which is the library file of LZO and where does it locate ?