Creating a customized OpenVPN installer
19 01 2008Note: See "Creating a customized OpenVPN installer - Round 2" for another approach to a custom OpenVPN installer.
OpenVPN is an excellent product with seemingly infinite configuration options. After setting everything up to your tastes, though, you may find that your end users are a bit too "simple" to install OpenVPN and your custom config files successfully. I find that many users (well, where I work at least) are uncomfortable browsing to and placing files in C:\Program Files\OpenVPN. You can easily get around this by creating a self-extracting executable with a default output path of C:\Program Files\OpenVPN (use IZArc to make nice free SXEs). Although that gets the job done, the end user would still need to install OpenVPN, the run the SXE. Why not cut down the number of steps in half (or by one :p ), while at the same time adding your company's touch to the OpenVPN installer?
Recent documentation on this is not very widespread, but luckily still of good use. The main source of documentation on this can be found here, and is supplied by the creator of OpenVPN GUI. The documentation can be followed, but unfortunately the packages provided are a bit outdated. To get up-to-date (and to become Vista-compatible), we first download a copy of the current release candidate (2.1 RC4 at the time of writing). I actually had to get the Windows installer since I didn't want to bother compiling from source. Next, I downloaded the 2.1 beta 7 package from the OpenVPN GUI site. I installed the Windows installer by accepting all defaults, then extracted the install source (anywhere should work). Next, to get things up-to-date I replaced openvpn.exe and openvpn-gui.exe in the openvpn\bin folder of the extracted archive with that from my Windows installation (C:\Program Files\OpenVPN\bin).
To get our installer to work with Vista, we need to replace the blacklisted 0801 TAP driver with the newer 0901 TAP driver. This is not documented anywhere I could find, but doing this turned out to be easy and effective. Simply make replacements as we did above, but instead copy the contents of C:\Program Files\OpenVPN\driver to the openvpn\tap-win32\i386 folder of the extracted archive. You can safely remove the older 0801 files. To make this work, we now have to edit the openvpn-gui.nsi script in the extracted archive. In any text editor (Notepad++ worked great for me and offered syntax highlighting), open up openvpn-gui.nsi, look for !define TAP "tap0801", and replace that with !define TAP "tap0901". Your archive is now Vista-compatible.
There are many other changes that can be made in the Nullsoft installer script such as including your company name, custom icons, and most importantly your OpenVPN client config. You can look through the script to understand how it works and modify it accordingly. To include your custom config/cert files, browse in your text editor to Section "OpenVPN GUI" SecGUI. You will see a comment indicating where your custom config files go. To include multiple files in the install, simply add more File entries, like so:
SetOutPath "$INSTDIR\config"
File "${HOME}\config\client.ovpn"
File "${HOME}\config\ca.crt"
File "${HOME}\config\dh2048.pem"
File "${HOME}\config\client.crt"
File "${HOME}\config\client.key"
This will include client.ovpn, ca.crt, dh2048.pem, etc. to your custom installer, and will place them in the config folder upon installation.
To compile your masterpiece into an executable, you need to download and install The Nullsoft Scriptable Install System. Although a newer edition may work, I went with the original documentation's recommendation and installed the older v2.05. You can get this here. Once installed, you can simply right-click on the openvpn-gui.nsi script you modified and click on "Compile NSIS Script". A log of the compilation will show and an opportunity to test the installer will show if everything went well. You will also have an installable .exe waiting for you in the current directory waiting to be distributed to your clients.
If you ran into errors, look through the logs to try to identify what's going on. Otherwise, you can simply just make some changes to the archive I already hacked up:
http://www.ameir.net/blog/uploads/openvpn_install_source-2.1rc4-gui-1.0.3.zip
If you're just interested in creating a custom OpenVPN installer for Windows and don't particularly care to dabble in Nullsoft install scripts or are just lazy, download the archive above and make whatever changes you may need. The hacks described above are implemented in this package.
NOTES:
In Vista, if you're using routing (tun mode), the end user must run OpenVPN by running as an administrator. This is because the routing table must be modified to tell your computer how to get to your company network. Otherwise, the client may appear to be connected (he/she actually is), but attempts to access the company network will fail, as packets are instead trying to go through the default route (usually your ISP). Using tap mode eliminates this requirement as clients are given IPs in the company's subnet range, therefore eliminating the need to do routing.
If using certificate authentication, then each of your users will need unique files in their config directory. I don't know of a way to automate this, unless you generate the client certificates on the fly and have a program initiate a compile of openvpn-gui.nsi with the new certificates included. In my install of OpenVPN, users are authenticated via Active Directory, so we don't have to distribute any user-specific files. You may very well just have to use self-extracting archives or train your users how to work with zip files!
Categories : Tech Corner
Trackbacks : 1 Trackback »
Tracked: Jul 23, 15:06