From 5a12e7c134274dba706667107d10d231517d3e05 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Wed, 26 Aug 2009 10:00:38 -0500 Subject: Slackware 13.0 Wed Aug 26 10:00:38 CDT 2009 Slackware 13.0 x86_64 is released as stable! Thanks to everyone who helped make this release possible -- see the RELEASE_NOTES for the credits. The ISOs are off to the replicator. This time it will be a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. We're taking pre-orders now at store.slackware.com. Please consider picking up a copy to help support the project. Once again, thanks to the entire Slackware community for all the help testing and fixing things and offering suggestions during this development cycle. As always, have fun and enjoy! -P. --- source/n/openvpn/README | 26 +++++ source/n/openvpn/openvpn.SlackBuild | 122 ++++++++++++++++++++++++ source/n/openvpn/openvpn.conf.sample | 178 +++++++++++++++++++++++++++++++++++ source/n/openvpn/slack-desc | 19 ++++ 4 files changed, 345 insertions(+) create mode 100644 source/n/openvpn/README create mode 100755 source/n/openvpn/openvpn.SlackBuild create mode 100644 source/n/openvpn/openvpn.conf.sample create mode 100644 source/n/openvpn/slack-desc (limited to 'source/n/openvpn') diff --git a/source/n/openvpn/README b/source/n/openvpn/README new file mode 100644 index 00000000..cf2c6602 --- /dev/null +++ b/source/n/openvpn/README @@ -0,0 +1,26 @@ +OpenVPN is a full-featured SSL VPN which can accomodate a wide +range of configurations, including remote access, site-to-site VPNs, +WiFi security, and enterprise-scale remote access with load +balancing, failover, and fine-grained access-controls. + +OpenVPN implements OSI layer 2 or 3 secure network extension using the +industry standard SSL/TLS protocol, supports flexible client +authentication methods based on certificates, smart cards, and/or +2-factor authentication, and allows user or group-specific access +control policies using firewall rules applied to the VPN virtual +interface. + +This build of OpenVPN depends upon having openssl (not just +openssl-solibs) and lzo installed on your computer. + +Please note that there is no default config file for OpenVPN. This is +by design. OpenVPN can technically use any config file in any location. +However, this script does create an /etc/openvpn/ directory with certs/ +and keys/ subdirectories. Feel free to place config files, keys, and +certificates in these directories. certs/ and keys/ are owned by user +root and group nobody and are not world readable nor writable. +Additionally, they are not writable by group nobody. It is recommended +that you run openvpn nobody:nobody, but you may use another +non-privilaged user and group at your option. Just change the +permissions on these permissions to reflect that if you do. + diff --git a/source/n/openvpn/openvpn.SlackBuild b/source/n/openvpn/openvpn.SlackBuild new file mode 100755 index 00000000..45c1a17d --- /dev/null +++ b/source/n/openvpn/openvpn.SlackBuild @@ -0,0 +1,122 @@ +#!/bin/sh + +# Copyright 2006, Alan Hicks, Lizella, GA +# Copyright 2008, 2009 Patrick J. Volkerding, Sebeka, MN, USA +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +PRGNAM=openvpn +VERSION=2.0.9 +ARCH=${ARCH:-x86_64} +BUILD=${BUILD:-1} + +NUMJOBS=${NUMJOBS:-" -j7 "} + +if [ "$ARCH" = "i486" ]; then + SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "s390" ]; then + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp} +PKG=$TMP/pkg-$PRGNAM + +rm -rf $PKG +mkdir -p $TMP $PKG +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz || exit 1 +cd $PRGNAM-$VERSION || exit 1 + +# Fix ownership and permissions inside the source tarball. +# It's appalling how many projects have 777 permissions or +# even suid, sgid, and sticky bits set on things. +chown -R root:root . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; + +CFLAGS="$SLKCFLAGS" \ +CXXFLAGS="$SLKCFLAGS" \ +./configure \ + --prefix=/usr \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ + --sysconfdir=/etc/openvpn \ + --localstatedir=/var \ + --enable-lzo \ + --build=$ARCH-slackware-linux + +make $NUMJOBS || make || exit 1 +make install-strip DESTDIR=$PKG || exit 1 + +# Create a decent config directory. openvpn doesn't have one by +# default, nor does it have a single config file. +mkdir -p $PKG/etc/openvpn/{certs,keys} +chown root:nobody $PKG/etc/openvpn/{certs,keys} +chmod 750 $PKG/etc/openvpn/{certs,keys} + +# Install a reasonably generic sample config file: +cp -a $CWD/openvpn.conf.sample $PKG/etc/openvpn/openvpn.conf.sample +chmod 644 $PKG/etc/openvpn/openvpn.conf.sample + +# Let folks know about the other configs, if they haven't found them. +# They might even find the documentation there useful. ;-) +cat << EOF > $PKG/etc/openvpn/README.TXT +Have a look in /usr/doc/$PRGNAM-$VERSION/sample-config-files +for some more examples of how to configure OpenVPN. You'll +need to add something to your /etc/rc.d/rc.local to start +OpenVPN, as well as to tell it where to find its config file. + + +See "man openvpn" and the other docs for more information. +EOF + +# Add a link, too: +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/sample-config-files +( cd $PKG/usr/doc/$PRGNAM-$VERSION/sample-config-files + ln -sf /etc/openvpn/openvpn.conf.sample . +) + +if [ -d $PKG/usr/man ]; then +( cd $PKG/usr/man + find . -type f -exec gzip -9 {} \; + for i in $(find . -type l) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done +) +fi + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL INSTALL-win32.txt \ + NEWS PORTS README sample-config-files sample-keys sample-scripts easy-rsa \ + $PKG/usr/doc/$PRGNAM-$VERSION + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc + +cd $PKG +/sbin/makepkg -l y -c n $TMP/$PRGNAM-$VERSION-$ARCH-$BUILD.txz + diff --git a/source/n/openvpn/openvpn.conf.sample b/source/n/openvpn/openvpn.conf.sample new file mode 100644 index 00000000..4314b544 --- /dev/null +++ b/source/n/openvpn/openvpn.conf.sample @@ -0,0 +1,178 @@ +# openvpn.conf.sample +# +# This is a sample configuration file for OpenVPN. +# Not all options are listed here; you can find good documentation +# about all of the options in OpenVPN's manual page - openvpn(8). +# +# You can make a P-t-P connection by creating a shared key, +# copying this key to other hosts in your network, and changing +# the IP addresses in this file. +# +# Commented options are provided for some typical configurations + +# Change the "search" path to /etc/openvpn +# All files referenced in this configuration will be relative to +# whatever directory is specified here - we default to /etc/openvpn +cd /etc/openvpn + +# If running as a server, which local IP address should OpenVPN +# listen on? Specify this as either a hostname or IP address. If +# this is left blank, OpenVPN will default to listening on all +# interfaces. +#local a.b.c.d + +# This option defines the IP or DNS name of the other side of your VPN +# connection. This option is needed if you are making client or P-t-P +# connections. If you are the server, use "local" instead. This may +# be specified as a domain name or IP address. +#remote vpn.server.org + +# This option defins the protocol to use. Valid options are: +# udp, tcp-server, or tcp-client. Default is udp, and generally +# speaking, tcp is a bad idea. +proto udp + +# This option defines the port on which your server will be listening +# or trying to connect. The default is 1194 +port 1194 + +# This option defines whether to use LZO compression. +# If enabled, it must be enabled at both ends of the VPN connection. +#comp-lzo + +# Debug level (default 1) +#verb 3 + +# VPN logfile location +# If you don't specify a location here, logging will be done through +# syslogd and write to /var/log/messages +log-append /var/log/openvpn.log + +# If you want to use OpenVPN as a daemon, uncomment this line. +# Generally speaking, servers should run OpenVPN as a daemon +# and clients should not. +#daemon + +# Device type to use, you can choose between tun or tap. +# TUN is the most common option. If you have multiple connections, +# it is a good idea to bind each connection to a separate TUN/TAP +# interface using tunX/tapX, where X is the number of each interface. +dev tun + +# This option prevents OpenVPN from closing and re-opening the tun/tap +# device every time it receives a SIGUSR1 signal +#persist-tun + +# This is similar to the previous option, but it prevents OpenVPN from +# re-reading the key files every time +#persist-key + +# If you are using a client-server architecture, you need to specify the +# role of your computer in your VPN network. To use one of these options, +# you need to configure TLS options too. +# +# To use the "server" option, you must specify a network subnet such +# as 172.16.1.0 255.255.255.0. The first number is the network, the +# second is the netmask. OpenVPN will take the first available IP +# for itself (in our example, 172.16.1.1) and the rest will be +# given to connecting clients dynamically. +# +# Leave these commented out if you are using OpenVPN in bridging mode. +# +#server 10.1.2.0 255.255.255.0 +#client + +# This option defines a file with IP address to client mapping. +# This is useful in general, and necessary if clients use persist-tun. +#ifconfig-pool-persist ips.txt + +# Enable this option if you want clients connected to this VPN to be +# able to talk directly to each other +#client-to-client + +# This option defines the directory in which configuration files for clients +# will reside. With individual files you can make each client get different +# options using "push" parameters +#client-config-dir ccd + +# If you are using P-t-P, you need to specify the IP addresses at both ends +# of your VPN connection. The IP addresses are reversed at the other side. +# +# You can use this to specify client IP addresses in ccd files (on server) +# or directly in client configuration +#ifconfig 10.1.2.1 10.1.2.2 + +# You can set routes to specific networks. In the sample below, "vpn_gateway" +# is an internal OpenVPN alias to your VPN gateway - leave it as is. +# This will enable you to talk with the networks behind your VPN server. +# Multiple routes can be specified. +# +# +------------+ - - +------------+ +# | Network1 |---| VPN1 |--[10.1.2.0/24]--| VPN2 |---| Network2 | +# +------------+ +------+ +------+ +------------+ +# 192.168.0.0/24 192.168.2.0/24 +# +# The sample below shows how VPN1 server can reach Network2 +#route 192.168.2.0 255.255.255.0 vpn_gateway + +# You can send clients many network configuration options using the +# "push" directive and sending commands. +# Multiple "push" directives can be used. You should only put global +# "push" directives here. You can "push" different options to +# different clients in per-client configuration files. See +# "client-config-dir" above. +# +# Using the same network configuration that you see above, the route statment +# here allows VPN2 to reach Network1 +#push "route-delay 2 600" +#push "route 192.168.2.0 255.255.255.0 vpn_gateway" +#push "persist-key" + +# This option sets the encryption algorithm to use in the VPN connection. +# Available options are: +# DES-CBC, RC2-CBC, DES-EDE-CBC, DES-EDE3-CBC, +# DESX-CBC, BF-CBC, RC2-40-CBC, CAST5-CBC, +# RC2-64-CBC, AES-128-CBC, AES-192-CBC and AES-256-CBC +cipher BF-CBC + +# Shared Key Connection +# --------------------- +# Secret is one shared key between the hosts that want to connect through VPNs. +# Without secret or TLS options, your data will not be encrypted. +# +# To generate an encryption key do: +# openvpn --genkey --secret /etc/openvpn/keys/shared.key +# +# Do the above on one host and copy it to the others +secret keys/shared.key + +# TLS Connections +# --------------- +# TLS must be used if you use option "server" or "client" +# The basic idea there is: You have one Certificate Authority, and all +# machines in your VPN network need to have individual certificates and +# keys signed by Certificate Authority. This means each client can +# have its own key, making it easier to revoke a key without copying +# a shared secret key to every client. +# +# Inside the /usr/doc/openvpn-$VERSION documentation directory, you can +# find "easy-rsa" scripts to make certificate and key management easier. + +# Certificate Authority file +# This file must be identical on all hosts that connect to your VPN +#ca certs/ca.crt + +# If you are the server, you need to specify some Diffie Hellman parameters. +# OpenVPN provides some sample .pem files in documentation directory +#dh my-dh.pem + +# Certificate and Key signed by Certificate Authority +# Each machine needs to have their own unique certificate +#cert certs/machine.cert +#key keys/machine.key + +# To prevent some DoS attacks we can add another authentication layer in the +# TLS control channel. This needs to be enabled at both ends to work +# client uses the value 1; server uses the value 0 +#tls-auth keys/shared.key 0 + diff --git a/source/n/openvpn/slack-desc b/source/n/openvpn/slack-desc new file mode 100644 index 00000000..4f4af4c4 --- /dev/null +++ b/source/n/openvpn/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler------------------------------------------------------| +openvpn: openvpn (secure IP tunnel daemon) +openvpn: +openvpn: OpenVPN is a full-featured SSL VPN which can accomodate a wide range +openvpn: of configurations, including remote access, site-to-site VPNs, WiFi +openvpn: security, and enterprise-scale remote access with load balancing, +openvpn: failover, and fine-grained access-controls. +openvpn: +openvpn: OpenVPN's home on the net is: http://openvpn.net +openvpn: +openvpn: +openvpn: -- cgit v1.2.3