For building OpenVPN 2.1.4 please refer to Build OpenVPN 2.1.4 with Visual Studio 2010.
For building with Visual Studio 2008 please refer to BuildingOnWindows.
For building with MinGW please refer to Compiling OpenVPN 2.1.1 on Windows (Windows下编译OpenVPN 2.1.1).
The procedure is very similar to building OpenVPN 2.1.4, with a few differences.
Why Build OpenVPN Yourself
- The official build does not support tunneling through IPv6.
- The official build comes with a 10Mbps TAP-win32 driver. Although the port speed theoretically doesn't affect the actual performance, some people do claim they get better speed with a custom-built higher-speed driver.
- You may want to use your own logo or add customized configuration files if you are offering VPN service.
A Clean System
Windows XP SP3 or later versions are required. I cannot suggest you to install a clean system in a virtual machine.
Visual Studio 2010
Express edition is OK and Professional is better. Note there is a small difference in the building procedure between Express edition and Professional / Premium / Ultimate editions. Express edition does not come with the Microsoft Visual C++ 2010 Redistributable Package; you have to install it manually.
Windows Driver Kit
Windows Driver Kit is required to build the TUN/TAP driver.
The new OpenVPN Windows build system is written in Python. Version 2.7 is fine. The Windows installer does not seem to add python.exe to the PATH, so you need to do it manually.
ActivePerl is required to build OpenSSL, which in turn is required to build OpenVPN.
NASM is also required by OpenSSL, and you'll need to add nasm.exe to PATH as well.
First download OpenSSL from here and extract it somewhere. Using the latest one ensures there are no (known) security holes in OpenSSL; use 1.0.0a instead if you want to apply the AES-NI patch. For the most part you can then follow the instructions in the INSTALL.W32 and INSTALL.W64 files. Before you start, though, launch the Visual Studio Command Prompt (2010), which can be found in the Start menu. Unlike the standard command prompt, it has all the paths to the VC binaries set correctly.
From within this command prompt you'll first configure OpenSSL using the provided Perl script:
C:\openssl-1.0.0d> perl Configure VC-WIN32 --prefix=c:/
Some of the crypto routines are written in assembler to increase performance, so you should use an assembler in the next step.
Next compile OpenSSL using the generated makefile:
C:\openssl-1.0.0d> nmake -f ms\ntdll.mak
C:\openssl-1.0.0d> nmake -f ms\ntdll.mak test
C:\openssl-1.0.0d> nmake -f ms\ntdll.mak install
The LZO library is required to build OpenVPN. Once you've unpacked the source package, open the B/00README.txt file to get an overview of the Windows build process. If all goes well, you'll only need to run one .bat file:
Note that this does not install lzo; in fact, you need to copy the relevant files to openvpn's build directory manually as shown below.
Download the latest release of pkcs11-helper from http://www.opensc-project.org and extract it somewhere. The install process for Visual Studio is described in the INSTALL file.
To build pkcs11-helper, do the following:
- Go to pkcs11-helper-<version>\lib.
- Copy <openssl-install-directory>\lib\libeay32.lib to that directory - this is required by the linker.
C:\pkcs11-helper-1.07\lib> nmake -f Makefile.w32-vc OPENSSL=1 OPENSSL_HOME=
OpenVPN is only interested in lib/libpkcs11-helper-1.dll and uses it when generating the NSI installer.
OpenVPN source package can be downloaded here.
In socket.c there is a macro IF_NAMESIZE at line 2500, which is defined in the Windows DDK but seems to be broken. Replace it with the value 256 (this is the correct value and will not cause any problems).
In win\settings.in, change the !define MSVC "C:/Program Files/Microsoft Visual Studio 9.0" to the path where VS2010 is installed. Change Microsoft.VC90.CRT to Microsoft.VC100.CRT.
In win\make_dist.py, comment out or delete any line that contains manifest. Visual Studio 2010 doesn't generate a manifest at all.
If you want a higher speed TAP-win32 driver, you may modify line 1142 in tap-win32\tapdrvr.c .
In win\config.h.in, add #define USE_PF_INET6 1 after #define USE_LZO 1 (other places are fine too).
/* Use LZO compression library */
#define USE_LZO 1
#define USE_PF_INET6 1
Comment out or delete #define socklen_t unsigned int.
/* type to use in place of socklen_t if not defined */
//#define socklen_t unsigned int
In options.c and socket.c, comment out or delete every #ifdef USE_PF_INET6 and its matching #endif. Those directives are not supported in VC.
In socket.c, line 637, CLEAR(sin6); generates a compile error and I have no idea what leads to this. Simply commenting it out lets the build pass.
Now the pre-steps are almost complete, but the Python-based OpenVPN build system is pretty picky about its directory layout, which should be like this:
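The win\config.h.in and win\settings.in edits above, scripted so they can be re-applied and reviewed; this is an added example, not part of the OpenVPN build system. The function names and the msvc_dir argument are assumptions of this example, and the socket.c, options.c and make_dist.py edits are still done by hand.

```python
import re

def patch_config_h(text):
    """win\\config.h.in: add USE_PF_INET6 after USE_LZO, comment out socklen_t."""
    has_inet6 = re.search(r"^\s*#define\s+USE_PF_INET6\b", text, re.M) is not None
    out = []
    for line in text.splitlines():
        if re.match(r"\s*#define\s+socklen_t\s+unsigned\s+int\b", line):
            line = "//" + line  # an already-commented line no longer matches
        out.append(line)
        if not has_inet6 and re.match(r"\s*#define\s+USE_LZO\s+1\b", line):
            out.append("#define USE_PF_INET6 1")
            has_inet6 = True
    return "\n".join(out) + "\n"

def patch_settings(text, msvc_dir):
    """win\\settings.in: point MSVC at the VS2010 directory, use the VC100 CRT."""
    # A function replacement avoids backslash-escape handling in msvc_dir.
    text = re.sub(r'^(!define\s+MSVC\s+)"[^"]*"',
                  lambda m: '%s"%s"' % (m.group(1), msvc_dir), text, flags=re.M)
    return text.replace("Microsoft.VC90.CRT", "Microsoft.VC100.CRT")

def patch_file(path, fn, *args):
    """Apply fn to a file; rewrite it only when the content changes."""
    with open(path) as f:
        old = f.read()
    new = fn(old, *args)
    if new != old:
        with open(path, "w") as f:
            f.write(new)
    return new != old

if __name__ == "__main__":
    # Constructed sample input built from the lines quoted above,
    # not the real config.h.in.
    sample = ("/* Use LZO compression library */\n"
              "#define USE_LZO 1\n"
              "/* type to use in place of socklen_t if not defined */\n"
              "#define socklen_t unsigned int\n")
    print(patch_config_h(sample))
```

Both functions are idempotent, so running the script again on an already patched tree changes nothing.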
- C:\openvpn-build: root build directory.
- C:\openvpn-build\openvpn-2.2.0: openvpn sources.
- C:\openvpn-build\pkcs11-helper: pkcs11-helper build directory.
- C:\openvpn-build\pkcs11-helper\lib: must contain libpkcs11-helper-1.dll, the product of pkcs11-helper build.
- C:\openvpn-build\openssl: copy of the openssl install directory which contains the openssl libraries you built earlier. Its location depends on the --prefix parameter you used when configuring the openssl build.
- C:\openvpn-build\lzo\include: this directory is a copy of the include directory in the lzo source package.
- C:\openvpn-build\lzo\bin: this directory must contain the lzo2.dll file generated during lzo build.
- C:\openvpn-build\lzo\lib: this directory must contain the lzo2.lib file generated during lzo build.
- C:\openvpn-build\Microsoft.VC100.CRT: this directory is a copy of the C:\Program Files\Microsoft Visual Studio 10.0\VC\redist\x86\Microsoft.VC100.CRT directory. The exact path may vary. Visual Studio Express does not have this directory; in that case you may create an empty directory with that name and copy msvcr100.dll into it from C:\WINDOWS\system32 (the file comes from the Microsoft Visual C++ 2010 Redistributable Package).
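A preflight check for the layout listed above, to run before build_all.py; this is an added example, not part of the OpenVPN build system. REQUIRED and check_layout are names made up here, and the openssl entry assumes the lib\libeay32.lib path used in the pkcs11-helper step.

```python
import os
import sys

# Layout from the list above, relative to the root build directory.
# "file" entries must be regular files, "dir" entries must be directories.
REQUIRED = [
    ("openvpn-2.2.0/win/build_all.py", "file"),
    ("pkcs11-helper/lib/libpkcs11-helper-1.dll", "file"),
    ("openssl/lib/libeay32.lib", "file"),   # assumption: same path as in the pkcs11-helper step
    ("lzo/include", "dir"),
    ("lzo/bin/lzo2.dll", "file"),
    ("lzo/lib/lzo2.lib", "file"),
    ("Microsoft.VC100.CRT/msvcr100.dll", "file"),
]

# Only needed when the NSIS installer is built as well.
INSTALLER_EXTRA = [("openvpn-gui/openvpn-gui-1.0.3.exe", "file")]

def check_layout(root, with_installer=False):
    """Return the (relative_path, kind) entries that are missing under root."""
    required = REQUIRED + (INSTALLER_EXTRA if with_installer else [])
    missing = []
    for rel, kind in required:
        path = os.path.join(root, *rel.split("/"))
        present = os.path.isfile(path) if kind == "file" else os.path.isdir(path)
        if not present:
            missing.append((rel, kind))
    return missing

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\openvpn-build"
    missing = check_layout(root, with_installer="--installer" in sys.argv)
    for rel, kind in missing:
        print("missing %s: %s" % (kind, os.path.join(root, *rel.split("/"))))
    sys.exit(1 if missing else 0)
```

The script exits non-zero when anything is missing, so it can gate the build in a batch file.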
Next fire up a Visual Studio Command Prompt in the win directory and start the build:
C:\openvpn-build\openvpn-2.2.0\win> python build_all.py --unsigned
The --unsigned switch disables TAP driver signing, which would not work anyway because the Sign Python module is only available internally at OpenVPN Technologies. If you intend to use signed TAP drivers (unsigned drivers will not be accepted on 64-bit Windows Vista/7), you can extract them from an existing OpenVPN installer and skip building the TAP driver altogether:
C:\openvpn-build\openvpn-2.2.0\win> python build_all.py --unsigned --notap
When the build finishes without any errors, openvpn.exe and all the DLLs it needs will be in the dist\bin directory.
Building OpenVPN Installer
This is not necessary if you only plan to install the built version yourself, but if you are going to distribute it, building an installer is a more professional way.
You need NSIS and http://openvpn.se/files/binary/openvpn-gui-1.0.3.exe.
Put openvpn-gui-1.0.3.exe in C:\openvpn-build\openvpn-gui and run:
C:\> "C:\Program Files\NSIS\makensis.exe" C:\openvpn-build\openvpn-2.2.0\win\openvpn.nsi