# # spec file for package openvpn # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %if 0%{?suse_version} < 1230 %define _unitdir /lib/systemd/system %else %define _unitdir /usr/lib/systemd/system %endif %if 0%{?suse_version} > 1210 %define with_systemd 1 %else %define with_systemd 0 %endif Name: openvpn Url: http://openvpn.net/ %if %{with_systemd} %{?systemd_requires} %else PreReq: %insserv_prereq %fillup_prereq %endif Version: 2.3.0 Release: 0 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 Group: Productivity/Networking/Security Source: http://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz Source1: http://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz.asc Source2: %{name}.init Source6: %{name}.sysconfig Source3: %{name}.README.SUSE Source4: client-netconfig.up Source5: client-netconfig.down Source7: %{name}.keyring Source8: %{name}.service Source9: %{name}-tmpfile.conf Patch1: %{name}-2.3-plugin-man.dif Patch5: %{name}-2.3.0-man-dot.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gpg-offline BuildRequires: iproute2 BuildRequires: lzo-devel BuildRequires: openssl-devel BuildRequires: pam-devel %if %{with_systemd} BuildRequires: systemd %endif BuildRequires: libselinux-devel BuildRequires: pkcs11-helper-devel Requires: pkcs11-helper %if %{with_systemd} BuildRequires: systemd %endif %description OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN runs on: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris. OpenVPN is not a web application proxy and does not operate through a web browser. %package down-root-plugin Summary: OpenVPN down-root plugin Group: Productivity/Networking/Security Requires: %{name} = %{version} %description down-root-plugin The OpenVPN down-root plugin allows an OpenVPN configuration to call a down script with root privileges, even when privileges have been dropped using --user/--group/--chroot. This module uses a split privilege execution model which will fork() before OpenVPN drops root privileges, at the point where the --up script is usually called. The plugin will then remain in a wait state until it receives a message from OpenVPN via pipe to execute the down script. Thus, the down script will be run in the same execution environment as the up script. %package auth-pam-plugin Summary: OpenVPN auth-pam plugin Group: Productivity/Networking/Security Requires: %{name} = %{version} %description auth-pam-plugin The OpenVPN auth-pam plugin implements username/password authentication via PAM, and essentially allows any authentication method supported by PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with OpenVPN. While PAM supports username/password authentication, this can be combined with X509 certificates to provide two indepedent levels of authentication. This plugin uses a split privilege execution model which will function even if you drop openvpn daemon privileges using the user, group, or chroot directives. %prep %gpg_verify %{S:1} %setup -q -n %{name}-%{version} %patch1 -p0 %patch5 -p0 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" -i src/openvpn/options.c # %%doc items shouldn't be executable. find contrib sample -type f -perm +100 \ -exec chmod a-x {} \; %build export CFLAGS="$RPM_OPT_FLAGS -W -Wall -fno-strict-aliasing" export LDFLAGS %configure \ --enable-iproute2 \ --enable-x509-alt-username \ --enable-password-save \ --enable-plugins \ --enable-plugin-down-root \ --enable-plugin-auth-pam \ --with-lzo-headers=%_includedir/lzo \ CFLAGS="$CFLAGS -fPIE $PLUGIN_DEFS" \ LDFLAGS="$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugin/lib" make %install make DESTDIR=$RPM_BUILD_ROOT install find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openvpn mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/openvpn mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn %if %{with_systemd} install -D -m 755 $RPM_SOURCE_DIR/%{name}.service %{buildroot}/%{_unitdir}/%{name}.service # tmpfiles.d mkdir -p %{buildroot}%{_libexecdir}/tmpfiles.d install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf %else install -D -m 755 $RPM_SOURCE_DIR/openvpn.init $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/openvpn ln -sv %{_sysconfdir}/init.d/openvpn $RPM_BUILD_ROOT/%{_sbindir}/rcopenvpn # the /etc/sysconfig/openvpn template only with sysvinit, no needed with systemd install -d -m0755 %{buildroot}/var/adm/fillup-templates install -m0600 $RPM_SOURCE_DIR/openvpn.sysconfig \ %{buildroot}/var/adm/fillup-templates/sysconfig.openvpn %endif cp -p $RPM_SOURCE_DIR/openvpn.README.SUSE README.SUSE install -m 755 $RPM_SOURCE_DIR/client-netconfig.up sample/sample-scripts/client-netconfig.up install -m 755 $RPM_SOURCE_DIR/client-netconfig.down sample/sample-scripts/client-netconfig.down # we install docs via spec into _defaultdocdir/name/management-notes.txt rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name} %post %if %{with_systemd} %service_add_post %{name}.service %else %{?fillup_and_insserv:%fillup_and_insserv} %endif %preun %if %{with_systemd} %service_del_preun %{name}.service %else %{?stop_on_removal:%stop_on_removal openvpn} %endif %postun %if %{with_systemd} %service_del_postun %{name}.service %else %{?insserv_cleanup:%insserv_cleanup} %endif %files %defattr(-,root,root) %doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog PORTS README %doc src/plugins/{auth-pam/README.auth-pam,down-root/README.down-root} %doc README.* %doc contrib %doc sample/sample-config-files %doc sample/sample-keys %doc sample/sample-scripts %doc doc/management-notes.txt %doc %{_mandir}/man8/openvpn.8.gz %config(noreplace) %{_sysconfdir}/openvpn/ %if %{with_systemd} %{_unitdir}/%{name}.service %{_libexecdir}/tmpfiles.d/%{name}.conf %else %config %{_sysconfdir}/init.d/openvpn /var/adm/fillup-templates/sysconfig.openvpn %{_sbindir}/rcopenvpn %endif %{_sbindir}/openvpn %attr(0755,root,root) %dir %ghost %{_localstatedir}/run/openvpn %{_includedir}/%{name}-plugin.h %files down-root-plugin %defattr(-,root,root) %dir %{_libdir}/%{name} %dir %{_libdir}/%{name}/plugins %{_libdir}/%{name}/plugins/%{name}-plugin-down-root.so %files auth-pam-plugin %defattr(-,root,root) %dir %{_libdir}/%{name} %dir %{_libdir}/%{name}/plugins %{_libdir}/%{name}/plugins/%{name}-plugin-auth-pam.so %changelog