# TODO: compare PLD vs upstream provided systemd support, maybe we can switch? (see also files section)
%bcond_without pkcs11 # PKCS#11 support
Summary(pl.UTF-8): Serwer VPN
Group: Networking/Daemons
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz
# Source0-md5: 3d0717bd3eb498b3dec1277b3a65a0a1
Source2: %{name}.sysconfig
Source3: %{name}.tmpfiles
Source4: %{name}-service-generator
Source5: %{name}.target
Source6: %{name}@.service
Source7: %{name}-update-resolv-conf
Patch0: %{name}-pam.patch
Patch1: unsupported-ciphers.patch
Patch100: 0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch
Patch101: 0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch
Patch102: 0040-Remove-DES-check-with-OpenSSL-3.0.patch
Patch104: 0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch
Patch105: 0045-Do-not-allow-CTS-ciphers.patch
Patch106: 0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch
Patch107: 0047-Add-with-openssl-engine-autoconf-option-auto-yes-no.patch
URL: https://www.openvpn.net/
BuildRequires: autoconf >= 2.59
BuildRequires: automake >= 1:1.9
BuildRequires: libselinux-devel
BuildRequires: libtool
BuildRequires: lz4-devel >= 1:1.7.1
BuildRequires: lzo-devel
# or mbedtls-devel >= 2
BuildRequires: openssl-devel >= 1.0.2
%{?with_pkcs11:BuildRequires: p11-kit-devel}
BuildRequires: pam-devel
%{?with_pkcs11:BuildRequires: pkcs11-helper-devel >= 1.11}
BuildRequires: pkgconfig
BuildRequires: rpmbuild(macros) >= 1.671
BuildRequires: systemd-devel >= 1:217
BuildRequires: tar >= 1:1.22
Requires(post,preun): /sbin/chkconfig
Requires(post,preun,postun): systemd-units >= 38
Requires: lz4 >= 1:1.7.1
Requires: openssl >= 1.0.2
%{?with_pkcs11:Requires: pkcs11-helper >= 1.11}
Requires: rc-scripts >= 0.4.3.0
Requires: systemd-libs >= 1:217
Requires: systemd-units >= 38
Requires: uname(release) >= 2.4
Suggests: %{name}-plugin-auth-pam
Suggests: %{name}-plugin-down-root
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)

%define _localstatedir /var

OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet.

%description -l pl.UTF-8
OpenVPN jest mocnym i silnie konfigurowalnym serwerem VPN (Wirtualne
Sieci Prywatne), który może być użyty do bezpiecznego łączenia dwóch
lub więcej prywatnych sieci używając zaszyfrowanego tunelu poprzez

%package plugin-auth-pam
Summary: Plugin for username/password authentication via PAM
Summary(pl.UTF-8): Wtyczka do uwierzytelniania nazwą użytkownika i hasłem poprzez PAM
Requires: %{name} = %{version}-%{release}

%description plugin-auth-pam
The openvpn-auth-pam module implements username/password
authentication via PAM, and essentially allows any authentication
method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
passwords) to be used with OpenVPN. While PAM supports
username/password authentication, this can be combined with X509
certificates to provide two independent levels of authentication.

This module uses a split privilege execution model which will function
even if you drop openvpn daemon privileges using the user, group, or

%description plugin-auth-pam -l pl.UTF-8
Moduł openvpn-auth-pam implementuje uwierzytelnianie nazwą użytkownika
i hasłem poprzez PAM, zasadniczo pozwalając na korzystanie z dowolnej
metody uwierzytelniania obsługiwanej przez PAM (np. LDAP, RADIUS,
hasła shadow) z OpenVPN. Jako że PAM obsługuje uwierzytelnianie nazwą
użytkownika i hasłem, to można je łączyć z certyfikatami X509 w celu
zapewniania dwóch różnych poziomów uwierzytelnienia.

Ten moduł wykorzystuje model wykonywania z podziałem uprawnień, co
działa nawet przy odrzuceniu uprawnień demona openvpn przy użyciu
dyrektyw user, group lub chroot.

%package plugin-down-root
Summary: Plugin to allow root after privilege drop
Summary(pl.UTF-8): Wtyczka pozwalająca na wykorzystanie uprawnień roota po odrzuceniu uprawnień
Requires: %{name} = %{version}-%{release}

%description plugin-down-root
The down-root module allows an OpenVPN configuration to call a down
script with root privileges, even when privileges have been dropped
using --user/--group/--chroot.

This module uses a split privilege execution model which will fork()
before OpenVPN drops root privileges, at the point where the --up
script is usually called. The module will then remain in a wait state
until it receives a message from OpenVPN via pipe to execute the down
script. Thus, the down script will be run in the same execution
environment as the up script.

%description plugin-down-root -l pl.UTF-8
Moduł down-root pozwala na wywołanie skryptu down z uprawnieniami
roota z poziomu konfiguracji OpenVPN-a nawet w przypadku odrzucenia
uprawnień przy użyciu opcji --user/--group/--chroot.

Ten moduł wykorzystuje model wykonywania z podziałem uprawnień, który
wykonuje fork() przed odrzuceniem uprawnień roota, w miejscu, gdzie
zwykle jest wywoływany skrypt --up. Moduł pozostaje w stanie
oczekiwania do odebrania przez potok od OpenVPN-a komunikatu, aby
wykonać skrypt down. Dzięki temu skrypt down zostanie uruchomiony w
tym samym środowisku, co skrypt up.

Summary: Header files for OpenVPN plugins development
Summary(pl.UTF-8): Pliki nagłówkowe do tworzenia wtyczek OpenVPN
Group: Development/Libraries

This is the package containing the header files for OpenVPN plugins

%description devel -l pl.UTF-8
Ten pakiet zawiera pliki nagłówkowe do tworzenia wtyczek OpenVPN.

sed -e 's,/''usr/lib/openvpn,%{_libdir}/%{name},' %{SOURCE7} > contrib/update-resolv-conf

CPPFLAGS="%{rpmcppflags} $(pkg-config --cflags liblz4)"
IFCONFIG=/sbin/ifconfig \
NETSTAT=/bin/netstat \
SYSTEMD_UNIT_DIR=%{systemdunitdir} \
ac_cv_nsl_inet_ntoa=no \
ac_cv_socket_socket=no \
ac_cv_resolv_gethostbyname=no \
%{?with_pkcs11:--enable-pkcs11} \
--enable-async-push \
--enable-x509-alt-username \
--with-crypto-library=openssl

rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT{%{_sysconfdir}/openvpn,%{_sbindir},%{_mandir}/man8} \
	$RPM_BUILD_ROOT{/etc/{rc.d/init.d,sysconfig},/var/run/openvpn,%{_includedir}} \
	$RPM_BUILD_ROOT{%{_libdir}/%{name}/plugins,%{systemdtmpfilesdir},%{systemdunitdir}} \
	$RPM_BUILD_ROOT%{systemdunitdir}-generators

DESTDIR=$RPM_BUILD_ROOT

install -p %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name}
cp -p %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/%{name}
cp -p %{SOURCE3} $RPM_BUILD_ROOT%{systemdtmpfilesdir}/%{name}.conf

install -p %{SOURCE4} $RPM_BUILD_ROOT%{systemdunitdir}-generators/openvpn-service-generator
install -p %{SOURCE5} $RPM_BUILD_ROOT%{systemdunitdir}/openvpn.target
install -p %{SOURCE6} $RPM_BUILD_ROOT%{systemdunitdir}/openvpn@.service
ln -s /dev/null $RPM_BUILD_ROOT%{systemdunitdir}/openvpn.service

# we use "cp", not "install", not to pull /bin/bash dependency
cp -p contrib/pull-resolv-conf/client.down $RPM_BUILD_ROOT%{_libdir}/%{name}
cp -p contrib/pull-resolv-conf/client.up $RPM_BUILD_ROOT%{_libdir}/%{name}
cp -p contrib/update-resolv-conf $RPM_BUILD_ROOT%{_libdir}/%{name}

%{__rm} $RPM_BUILD_ROOT%{_libdir}/%{name}/plugins/*.la
%{__rm} -r $RPM_BUILD_ROOT%{_docdir}/%{name}

rm -rf $RPM_BUILD_ROOT

/sbin/chkconfig --add openvpn
%service openvpn restart "OpenVPN"
%systemd_post openvpn.target

if [ "$1" = "0" ]; then
	%service openvpn stop
	/sbin/chkconfig --del openvpn
fi
%systemd_preun openvpn.target

%triggerpostun -- openvpn < 2.3.2-2
[ -f /etc/sysconfig/rpm ] && . /etc/sysconfig/rpm
[ ${RPM_ENABLE_SYSTEMD_SERVICE:-yes} = no ] && exit 0
[ "$(echo /etc/rc.d/rc[0-6].d/S[0-9][0-9]openvpn)" = "/etc/rc.d/rc[0-6].d/S[0-9][0-9]openvpn" ] && exit 0
export SYSTEMD_LOG_LEVEL=warning SYSTEMD_LOG_TARGET=syslog
/bin/systemctl --quiet enable openvpn.target || :

%defattr(644,root,root,755)
%doc AUTHORS COPYING ChangeLog Changes.rst PORTS README* TODO.IPv6 doc/management-notes.txt sample/sample-{config-files,keys,scripts}
%dir %{_sysconfdir}/openvpn
%config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{name}
%attr(755,root,root) %{_sbindir}/openvpn
%attr(754,root,root) /etc/rc.d/init.d/%{name}
%attr(755,root,root) %{systemdunitdir}-generators/openvpn-service-generator
%{systemdunitdir}/openvpn.service
%{systemdunitdir}/openvpn.target
%{systemdunitdir}/openvpn@.service
#%{systemdunitdir}/openvpn-client@.service
#%{systemdunitdir}/openvpn-server@.service
%dir %{_libdir}/%{name}
%attr(755,root,root) %{_libdir}/%{name}/client.down
%attr(755,root,root) %{_libdir}/%{name}/client.up
%attr(755,root,root) %{_libdir}/%{name}/update-resolv-conf
%dir %{_libdir}/%{name}/plugins
%{_mandir}/man5/openvpn-examples.5*
%{_mandir}/man8/openvpn.8*
%dir /var/run/openvpn
%{systemdtmpfilesdir}/%{name}.conf

%files plugin-auth-pam
%defattr(644,root,root,755)
%doc src/plugins/auth-pam/README.auth-pam
%attr(755,root,root) %{_libdir}/%{name}/plugins/openvpn-plugin-auth-pam.so

%files plugin-down-root
%defattr(644,root,root,755)
%doc src/plugins/down-root/README.down-root
%attr(755,root,root) %{_libdir}/%{name}/plugins/openvpn-plugin-down-root.so

%defattr(644,root,root,755)
%doc doc/README.plugins sample/sample-plugins
%{_includedir}/openvpn-msg.h
%{_includedir}/openvpn-plugin.h