1 # TODO: compare PLD vs upstream provided systemd support, maybe we can switch? (see also files section)
4 %bcond_without pkcs11 # PKCS#11 support
8 Summary(pl.UTF-8): Serwer VPN
13 Group: Networking/Daemons
14 Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz
15 # Source0-md5: 336be3b2388cdc65dd8c81f22b1c2836
17 Source2: %{name}.sysconfig
18 Source3: %{name}.tmpfiles
19 Source4: %{name}-service-generator
20 Source5: %{name}.target
21 Source6: %{name}@.service
22 Source7: %{name}-update-resolv-conf
23 Patch0: %{name}-pam.patch
24 Patch1: unsupported-ciphers.patch
25 Patch100: 0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch
26 Patch101: 0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch
27 Patch102: 0040-Remove-DES-check-with-OpenSSL-3.0.patch
28 Patch103: 0043-Ensure-the-current-common_name-is-in-the-environment.patch
29 Patch104: 0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch
30 Patch105: 0045-Do-not-allow-CTS-ciphers.patch
31 Patch106: 0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch
32 Patch107: 0047-Add-with-openssl-engine-autoconf-option-auto-yes-no.patch
33 URL: https://www.openvpn.net/
34 BuildRequires: autoconf >= 2.59
35 BuildRequires: automake >= 1:1.9
36 BuildRequires: libselinux-devel
37 BuildRequires: libtool
38 BuildRequires: lz4-devel >= 1:1.7.1
39 BuildRequires: lzo-devel
40 # or mbedtls-devel >= 2
41 BuildRequires: openssl-devel >= 1.0.2
42 %{?with_pkcs11:BuildRequires: p11-kit-devel}
43 BuildRequires: pam-devel
44 %{?with_pkcs11:BuildRequires: pkcs11-helper-devel >= 1.11}
45 BuildRequires: pkgconfig
46 BuildRequires: rpmbuild(macros) >= 1.671
47 BuildRequires: systemd-devel >= 1:217
48 BuildRequires: tar >= 1:1.22
50 Requires(post,preun): /sbin/chkconfig
51 Requires(post,preun,postun): systemd-units >= 38
53 Requires: lz4 >= 1:1.7.1
54 Requires: openssl >= 1.0.2
55 %{?with_pkcs11:Requires: pkcs11-helper >= 1.11}
56 Requires: rc-scripts >= 0.4.3.0
57 Requires: systemd-libs >= 1:217
58 Requires: systemd-units >= 38
59 Requires: uname(release) >= 2.4
60 Suggests: %{name}-plugin-auth-pam
61 Suggests: %{name}-plugin-down-root
62 BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
64 %define _localstatedir /var
67 OpenVPN is a robust and highly configurable VPN (Virtual Private
68 Network) daemon which can be used to securely link two or more private
69 networks using an encrypted tunnel over the internet.
71 %description -l pl.UTF-8
72 OpenVPN jest mocnym i silnie konfigurowalnym serwerem VPN (Wirtualne
73 Sieci Prywatne), który może być użyty do bezpiecznego łączenia dwóch
74 lub więcej prywatnych sieci używając zaszyfrowanego tunelu poprzez
77 %package plugin-auth-pam
78 Summary: Plugin for username/password authentication via PAM
79 Summary(pl.UTF-8): Wtyczka do uwierzytelniania nazwą użytkownika i hasłem poprzez PAM
81 Requires: %{name} = %{version}-%{release}
83 %description plugin-auth-pam
84 The openvpn-auth-pam module implements username/password
85 authentication via PAM, and essentially allows any authentication
86 method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
87 passwords) to be used with OpenVPN. While PAM supports
88 username/password authentication, this can be combined with X509
89 certificates to provide two indepedent levels of authentication.
91 This module uses a split privilege execution model which will function
92 even if you drop openvpn daemon privileges using the user, group, or
95 %description plugin-auth-pam -l pl.UTF-8
96 Moduł openvpn-auth-pam implementuje uwierzytelnianie nazwą użytkownika
97 i hasłem poprzez PAM, zasadniczo pozwalając na korzystanie z dowolnej
98 metody uwierzytelniania obsługiwanej przez PAM (np. LDAP, RADIUS,
99 hasła shadow) z OpenVPN. Jako że PAM obsługuje uwierzytelnianie nazwą
100 użytkownika i hasłem, to można je łączyć z certyfikatami X509 w celu
101 zapewniania dwóch różnych poziomów uwierzytelnienia.
103 Ten moduł wykorzystuje model wykonywania z podziałem uprawnień, co
104 działa nawet przy odrzuceniu uprawnień demona openvpn przy użyciu
105 dyrektyw user, group lub chroot.
107 %package plugin-down-root
108 Summary: Plugin to allow root after privilege drop
109 Summary(pl.UTF-8): Wtyczka pozwalająca na wykorzystanie uprawnień roota po odrzuceniu uprawnień
111 Requires: %{name} = %{version}-%{release}
113 %description plugin-down-root
114 The down-root module allows an OpenVPN configuration to call a down
115 script with root privileges, even when privileges have been dropped
116 using --user/--group/--chroot.
118 This module uses a split privilege execution model which will fork()
119 before OpenVPN drops root privileges, at the point where the --up
120 script is usually called. The module will then remain in a wait state
121 until it receives a message from OpenVPN via pipe to execute the down
122 script. Thus, the down script will be run in the same execution
123 environment as the up script.
125 %description plugin-down-root -l pl.UTF-8
126 Moduł down-root pozwala na wywołanie skryptu down z uprawnieniami
127 roota z poziomu konfiguracji OpenVPN-a nawet w przypadku odrzucenia
128 uprawnień przy użyciu opcji --user/--group/--chroot.
130 Ten moduł wykorzystuje model wykonywania z podziałem uprawnień, który
131 wykonuje fork() przed odrzuceniem uprawnień roota, w miejscu, gdzie
132 zwykle jest wywoływany skrypt --up. Moduł pozostaje w stanie
133 oczekiwania do odebrania przez potok od OpenVPN-a komunikatu, aby
134 wykonać skrypt down. Dzięki temu skrypt down zostanie uruchomiony w
135 tym samym środowisku, co skrypt up.
138 Summary: Header files for OpenVPN plugins development
139 Summary(pl.UTF-8): Pliki nagłówkowe do tworzenia wtyczek OpenVPN
140 Group: Development/Libraries
143 This is the package containing the header files for OpenVPN plugins
146 %description devel -l pl.UTF-8
147 Ten pakiet zawiera pliki nagłówkowe do tworzenia wtyczek OpenVPN.
162 sed -e 's,/''usr/lib/openvpn,%{_libdir}/%{name},' %{SOURCE7} > contrib/update-resolv-conf
170 CPPFLAGS="%{rpmcppflags} $(pkg-config --cflags liblz4)"
172 IFCONFIG=/sbin/ifconfig \
174 NETSTAT=/bin/netstat \
176 SYSTEMD_UNIT_DIR=%{systemdunitdir} \
177 ac_cv_nsl_inet_ntoa=no \
178 ac_cv_socket_socket=no \
179 ac_cv_resolv_gethostbyname=no \
181 %{?with_pkcs11:--enable-pkcs11} \
182 --enable-async-push \
185 --enable-x509-alt-username \
186 --with-crypto-library=openssl
195 rm -rf $RPM_BUILD_ROOT
196 install -d $RPM_BUILD_ROOT{%{_sysconfdir}/openvpn,%{_sbindir},%{_mandir}/man8} \
197 $RPM_BUILD_ROOT{/etc/{rc.d/init.d,sysconfig},/var/run/openvpn,%{_includedir}} \
198 $RPM_BUILD_ROOT{%{_libdir}/%{name}/plugins,%{systemdtmpfilesdir},%{systemdunitdir}} \
199 $RPM_BUILD_ROOT%{systemdunitdir}-generators
202 DESTDIR=$RPM_BUILD_ROOT
204 install -p %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name}
205 cp -p %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/%{name}
206 cp -p %{SOURCE3} $RPM_BUILD_ROOT%{systemdtmpfilesdir}/%{name}.conf
208 install -p %{SOURCE4} $RPM_BUILD_ROOT%{systemdunitdir}-generators/openvpn-service-generator
209 install -p %{SOURCE5} $RPM_BUILD_ROOT%{systemdunitdir}/openvpn.target
210 install -p %{SOURCE6} $RPM_BUILD_ROOT%{systemdunitdir}/openvpn@.service
211 ln -s /dev/null $RPM_BUILD_ROOT%{systemdunitdir}/openvpn.service
213 # we use "cp", not "install", not to pull /bin/bash dependency
214 cp -p contrib/pull-resolv-conf/client.down $RPM_BUILD_ROOT%{_libdir}/%{name}
215 cp -p contrib/pull-resolv-conf/client.up $RPM_BUILD_ROOT%{_libdir}/%{name}
216 cp -p contrib/update-resolv-conf $RPM_BUILD_ROOT%{_libdir}/%{name}
218 %{__rm} $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/*.la
219 %{__rm} -r $RPM_BUILD_ROOT%{_docdir}/%{name}
222 rm -rf $RPM_BUILD_ROOT
225 /sbin/chkconfig --add openvpn
226 %service openvpn restart "OpenVPN"
227 %systemd_post openvpn.target
230 if [ "$1" = "0" ]; then
231 %service openvpn stop
232 /sbin/chkconfig --del openvpn
234 %systemd_preun openvpn.target
239 %triggerpostun -- openvpn < 2.3.2-2
240 [ -f /etc/sysconfig/rpm ] && . /etc/sysconfig/rpm
241 [ ${RPM_ENABLE_SYSTEMD_SERVICE:-yes} = no ] && exit 0
242 [ "$(echo /etc/rc.d/rc[0-6].d/S[0-9][0-9]openvpn)" = "/etc/rc.d/rc[0-6].d/S[0-9][0-9]openvpn" ] && exit 0
243 export SYSTEMD_LOG_LEVEL=warning SYSTEMD_LOG_TARGET=syslog
244 /bin/systemctl --quiet enable openvpn.target || :
248 %defattr(644,root,root,755)
249 %doc AUTHORS COPYING ChangeLog Changes.rst PORTS README* TODO.IPv6 doc/management-notes.txt sample/sample-{config-files,keys,scripts}
250 %dir %{_sysconfdir}/openvpn
251 %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{name}
252 %attr(755,root,root) %{_sbindir}/openvpn
253 %attr(754,root,root) /etc/rc.d/init.d/%{name}
254 %attr(755,root,root) %{systemdunitdir}-generators/openvpn-service-generator
256 %{systemdunitdir}/openvpn.service
257 %{systemdunitdir}/openvpn.target
258 %{systemdunitdir}/openvpn@.service
260 #%{systemdunitdir}/openvpn-client@.service
261 #%{systemdunitdir}/openvpn-server@.service
262 %dir %{_libdir}/%{name}
263 %attr(755,root,root) %{_libdir}/%{name}/client.down
264 %attr(755,root,root) %{_libdir}/%{name}/client.up
265 %attr(755,root,root) %{_libdir}/%{name}/update-resolv-conf
266 %dir %{_libdir}/%{name}/plugins
267 %{_mandir}/man8/openvpn.8*
268 %dir /var/run/openvpn
269 %{systemdtmpfilesdir}/%{name}.conf
271 %files plugin-auth-pam
272 %defattr(644,root,root,755)
273 %doc src/plugins/auth-pam/README.auth-pam
274 %attr(755,root,root) %{_libdir}/%{name}/plugins/openvpn-plugin-auth-pam.so
276 %files plugin-down-root
277 %defattr(644,root,root,755)
278 %doc src/plugins/down-root/README.down-root
279 %attr(755,root,root) %{_libdir}/%{name}/plugins/openvpn-plugin-down-root.so
282 %defattr(644,root,root,755)
283 %doc doc/README.plugins sample/sample-plugins
284 %{_includedir}/openvpn-msg.h
285 %{_includedir}/openvpn-plugin.h