OpenVPN


Silent installer for OpenVPN.

  • See WPKG over VPN if you don't want WPKG to start when the computer is using a VPN.

<?xml version="1.0" encoding="UTF-8"?>
<packages>
 	<package 
 		id="openvpn" 
 		name="OpenVPN" 
 		revision="%version%" 
 		reboot="false" 
 		priority="0">
 
                <variable name="version" value="2.3.2" />
 		<check type='uninstall' condition='exists' path='OpenVPN %version%' /> 
 
 		<install cmd='"%SOFTWARE%\openvpn\DriverSigning.exe" -OFF' />
 		<install cmd='"%SOFTWARE%\openvpn\openvpn_%version%" /S' />
 		<install cmd='"%SOFTWARE%\openvpn\DriverSigning.exe" -ON' />
 		<install cmd='%COMSPEC% /c copy "%SOFTWARE%\openvpn\config\*.*" "%PROGRAMFILES%\OpenVPN\config\"' />
 		<install cmd='sc config openvpnservice start= auto' />
 		<!--<install cmd='sc start openvpnservice' />-->
 
 		<remove cmd='%COMSPEC% /c del /q "%PROGRAMFILES%\OpenVPN\config\*.*"' />
 		<remove cmd='"%PROGRAMFILES%\OpenVPN\Uninstall.exe" /S' />
 	</package>
</packages>

Get the DriverSigning-On/Off tool, or use the direct link DriverSigning.zip (you have to register on the forum). This tool suppresses the window that pops up when an unsigned driver installation is required, which happens here because OpenVPN installs the TAP driver interface. If you can't find it there, try: http://bit.ly/jlpBO9

Alternative installation by SkyBeam

I've got a slightly different approach to installing OpenVPN. The main difference is that you don't need an additional tool to disable driver signing, since the certificate which is used to sign the drivers is added to the certificate store in advance. This works for packages like VirtualBox as well, in order to prevent Windows from warning you that the driver is signed by an untrusted publisher.

This approach also includes security settings to allow non-privileged users to start/stop the OpenVPN service. Feel free to alter default OpenVPN-GUI settings in unattended-post.cmd.

My directory contains the following files:

  • install.cmd
  • OpenVPN Certificate.cer
  • openvpn-2.1.1-install.exe
  • subinacl.exe
  • unattended.cmd
  • unattended-post.cmd
  • unattended-pre.cmd
  • unattended-uninstall.cmd

I am using the following, very simple package definition:

<?xml version="1.0" encoding="utf-8" ?>
<packages>
 
<package id='OpenVPN' name='OpenVPN' revision='211' priority='50' reboot='false' >
  <!-- OpenVPN v.2.1.1 -->
  <check type='uninstall' condition='exists' path='OpenVPN 2.1.1' />
  <install cmd='"%SOFTWARE%\software.free\OpenVPN v.2.1.1\unattended.cmd" > NUL' />
  <remove cmd='"%SOFTWARE%\software.free\OpenVPN v.2.1.1\unattended-uninstall.cmd" > NUL' />
  <upgrade cmd='"%SOFTWARE%\software.free\OpenVPN v.2.1.1\unattended.cmd" > NUL' />
</package>
 
</packages>

The "subinacl.exe" tool is part of the Windows Resource Kit Tools collection and can be downloaded independently from the Microsoft Download Center.

The certificate "OpenVPN Certificate.cer" needs to be extracted from the archive once. To do this follow these steps:

  • Install 7-Zip or any extractor capable of extracting NSIS installers
  • Extract "openvpn-2.1.1-install.exe"
  • Open (just double-click) "driver/tap0901.cat" from the extracted directory structure
  • In the "Security Catalog" dialog appearing click on "View Signature" in "General" tab
  • Click on "View Certificate" on the "General" tab
  • Go to "Details" tab of the Certificate dialog popping up
  • Click on "Copy to File..."
  • Click "Next" selecting DER encoded binary X.509 (.CER)
  • Enter "OpenVPN Certificate.cer" as the file name and store the file within your OpenVPN installer folder


Here's a listing of all other files required:

Listing of "unattended-pre.cmd":

@echo off
:: This script prepares the system to install OpenVPN
 
echo Importing OpenVPN certificate as trusted publisher
certutil -addstore "TrustedPublisher" "%INSTALLER_LOC%OpenVPN Certificate.cer" > NUL

As you can see it's just importing the certificate into the certificate store before the installation is run.
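A hardened variant of this import step, as an added example that is not part of the original page or of SkyBeam's scripts: anything placed in the TrustedPublisher store is trusted silently from then on, so this version refuses to import the file unless its SHA-256 digest matches a value recorded when the certificate was exported. `EXPECTED_SHA256` is a placeholder, and the script assumes a Windows version whose `certutil` supports `-hashfile` with a `SHA256` argument.

```batch
@echo off
setlocal

:: Added example, not part of the original scripts.
:: INSTALLER_LOC is normally set by unattended.cmd; fall back to this
:: script's own directory when it is run stand-alone.
if not defined INSTALLER_LOC set "INSTALLER_LOC=%~dp0"
set "CERT=%INSTALLER_LOC%OpenVPN Certificate.cer"

:: Placeholder (assumption): replace with the SHA-256 digest you recorded
:: for the .cer file right after exporting it from the signed catalog.
set "EXPECTED_SHA256=REPLACE_WITH_SHA256_RECORDED_AT_EXPORT"

if not exist "%CERT%" goto missing

:: certutil prints the digest on its second output line. Older builds
:: separate the bytes with spaces, so strip spaces before comparing.
set "ACTUAL="
for /f "skip=1 delims=" %%h in ('certutil -hashfile "%CERT%" SHA256') do (
  if not defined ACTUAL set "ACTUAL=%%h"
)
if not defined ACTUAL goto nohash
set "ACTUAL=%ACTUAL: =%"

:: Hex digits may differ in case between builds, so compare case-insensitively.
if /i "%ACTUAL%" == "%EXPECTED_SHA256%" goto import

echo Certificate hash mismatch, refusing to add it as trusted publisher.
echo   expected: %EXPECTED_SHA256%
echo   actual:   %ACTUAL%
exit /B 1

:missing
echo Certificate file not found, nothing imported.
exit /B 2

:nohash
echo Could not compute the certificate hash, nothing imported.
exit /B 3

:import
echo Importing OpenVPN certificate as trusted publisher
certutil -addstore "TrustedPublisher" "%CERT%" > NUL
exit /B %ERRORLEVEL%
```

unattended.cmd as listed on this page does not check the exit code of the -pre.cmd hook, so a mismatch leaves the publisher untrusted but does not by itself stop the installer from running.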

Listing of "unattended-post.cmd":

@echo off
:: Post-installation actions for OpenVPN
 
set ICON_PREFIX=OpenVPN
 
set KEY="hklm\system\controlset001\control\nls\language"
set G_USERS=Users

:: Detect language
:select
if "%LANG%" == "en" goto en
if "%LANG%" == "enu" goto en
if "%LANG%" == "de" goto de
if "%LANG%" == "deu" goto de
if "%LANG%" == "nl" goto nl
if "%LANG%" == "nld" goto nl
goto detect
 
:detect
for /f "Skip=1 Tokens=3*" %%i in ('reg QUERY %KEY% /v Installlanguage') do set language=%%i
 
if "%language%" == "0407" (
  set LANG=de
  goto select
)
if "%language%" == "0409" (
  set LANG=en
  goto select
)
if "%language%" == "0413" (
  set LANG=nl
  goto select
)
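:: Unknown language code: keep the default group name (Users) instead of
:: jumping back to :select, which would loop forever.
goto continue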
 
:en
set G_USERS=Users
goto continue
 
:de
set G_USERS=Benutzer
goto continue
 
:nl
set G_USERS=Gebruikers
goto continue
 
:continue
echo Removing desktop icon
del /F /Q "%USERPROFILE%\Desktop\%ICON_PREFIX%**"
 
echo Granting users the right to start the OpenVPN service
start /wait "Grant rights" "%~dp0subinacl.exe" /SERVICE "OpenVPNService" /GRANT=%G_USERS%=TO
 
echo Configure OpenVPN GUI

:: detect 64-bit edition and set correct registry path
set VPN_GUI_KEY=HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI
if not "%ProgramFiles(x86)%" == "" set VPN_GUI_KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OpenVPN-GUI
 
set PROGRAM_FILES=%ProgramFiles%
if not "%ProgramFiles(x86)%" == "" set PROGRAM_FILES=%ProgramFiles(x86)%
 
reg add "%VPN_GUI_KEY%" /v allow_service /t REG_SZ /d 1 /f > NUL
reg add "%VPN_GUI_KEY%" /v allow_password /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v allow_edit /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v allow_proxy /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v service_only /t REG_SZ /d 1 /f > NUL

:: required standard settings
set VPN_HOME=%PROGRAM_FILES%\OpenVPN
reg add "%VPN_GUI_KEY%" /v config_dir /t REG_SZ /d "%VPN_HOME%\config" /f > NUL
reg add "%VPN_GUI_KEY%" /v config_ext /t REG_SZ /d "ovpn" /f > NUL
reg add "%VPN_GUI_KEY%" /v exe_path /t REG_SZ /d "%VPN_HOME%\bin\openvpn.exe" /f > NUL
reg add "%VPN_GUI_KEY%" /v log_dir /t REG_SZ /d "%VPN_HOME%\log" /f > NUL
reg add "%VPN_GUI_KEY%" /v log_append /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v priority /t REG_SZ /d "NORMAL_PRIORITY_CLASS" /f > NUL
reg add "%VPN_GUI_KEY%" /v log_viewer /t REG_SZ /d "%SystemRoot%\notepad.exe" /f > NUL
reg add "%VPN_GUI_KEY%" /v editor /t REG_SZ /d "%SystemRoot%\notepad.exe" /f > NUL
reg add "%VPN_GUI_KEY%" /v show_balloon /t REG_SZ /d 1 /f > NUL
reg add "%VPN_GUI_KEY%" /v silent_connection /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v show_script_window /t REG_SZ /d 1 /f > NUL
reg add "%VPN_GUI_KEY%" /v disconnect_on_suspend /t REG_SZ /d 1 /f > NUL
reg add "%VPN_GUI_KEY%" /v passphrase_attempts /t REG_SZ /d 3 /f > NUL
reg add "%VPN_GUI_KEY%" /v connectscript_timeout /t REG_SZ /d 5 /f > NUL
reg add "%VPN_GUI_KEY%" /v disconnectscript_timeout /t REG_SZ /d 10 /f > NUL
reg add "%VPN_GUI_KEY%" /v preconnectscript_timeout /t REG_SZ /d 10 /f > NUL

Feel free to customize the registry entries as needed. The script works for English and German versions of Windows. Feel free to extend the language detection with your own languages as required. The purpose of the language detection is to detect the group name for "normal users" which should be granted the right to start/stop the service.


Listing of "unattended.cmd"

@echo off

:: This script is a generic unattended installer/uninstaller. It helps you to
:: run install.cmd with the right command line arguments. In addition it
:: allows you to simply add *-pre.cmd and *-post.cmd scripts:
:: call trace:
::  - unattended.cmd                | - unattended-uninstall.cmd
::   -> unattended-pre.cmd          |   -> unattended-uninstall.cmd
::   -> installing application      |   -> remove application
::   -> unattended-post.cmd         |   -> unattended-uninstall-postinstall.cmd

 
:: Name of the application (just to print it on the command prompt)
set PROGRAM_NAME=OpenVPN

:: 32-bit installer command (run on 32-bit Windows)
set CMD32=openvpn-2.1.1-install.exe

:: 64-bit installer command (run on 64-bit Windows)
:: set to %CMD32% to install the same package on 64-bit Windows
set CMD64=%CMD32%

:: Type of installer, select one supported by install.cmd
:: e.g. msiinstall, msiuninstall, nsis, innosetup...
set INSTALLER_TYPE=nsis

:: Additional options to be passed to installer.
set INSTALLER_OPTIONS=

:: Working directory for installer
set INSTALLER_WORKDIR=

:: install helper script name (needs to be within the same directory)
set INSTALLER=install.cmd

:: custom options to pass to the installer
set CUSTOM_OPTIONS=

:: ############################################################################
:: No need to change anything below this line (usually ;-))
:: ############################################################################
set INSTALLER_LOC=%~dp0
set CMDPATH=%~dpn0
 
if exist "%INSTALLER_LOC%prerun.cmd" (
    call "%INSTALLER_LOC%prerun.cmd"
)
 
if exist "%CMDPATH%-pre.cmd" (
	call "%CMDPATH%-pre.cmd"
)
 
:install
echo Installing %PROGRAM_NAME%
 
set PROGRAM_FILES=%ProgramFiles%
if not "%ProgramFiles(x86)%" == "" set PROGRAM_FILES=%ProgramFiles(x86)%
 
call "%INSTALLER_LOC%%INSTALLER%" %INSTALLER_TYPE% "%CMD32%" "%CMD64%" "%INSTALLER_WORKDIR%" "%INSTALLER_OPTIONS%"
set EXIT_CODE=%ERRORLEVEL%
 
if exist "%CMDPATH%-post.cmd" (
	call "%CMDPATH%-post.cmd"
)
 
if exist "%INSTALLER_LOC%postrun.cmd" (
	call "%INSTALLER_LOC%postrun.cmd"
)
 
:end
exit /B %EXIT_CODE%

This is just my default unattended script I am using for almost any program. It allows calling my generic install.cmd script while supporting extension points (in this case unattended-pre.cmd and unattended-post.cmd are used).

Listing of "unattended-uninstall.cmd"

@echo off

:: This script is an extended uninstaller script for programs which have tricky
:: uninstallers (e.g. VLC media player).
:: It is able to run an uninstaller application and then to monitor if the
:: uninstaller is erased from the system. Depending on the result (either
:: remove completes or timeout occurs) it exits with different exit code:
:: code 0: all fine, program uninstalled
:: code 1: failed, uninstaller still exists after timeout

 
:: This is required to evaluate the target of %ProgramFiles% on 64-bit systems
:: Please note that this is required only if you uninstall a 32-bit application.
set PROGRAM_FILES=%ProgramFiles%
if not "%ProgramFiles(x86)%" == "" set PROGRAM_FILES=%ProgramFiles(x86)%

:: Path where the uninstaller is located
set APP_DIR=%PROGRAM_FILES%\OpenVPN

:: Path to the uninstaller (see path definition above)
set UNINSTALLER=%APP_DIR%\Uninstall.exe

:: Options to be passed to the uninstaller in order to uninstall silently
set OPTIONS=/S

 
:: ############################################################################
:: No need to change anything below this line (usually ;-))
:: ############################################################################
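echo Remove System privileges
:: Note: unattended-post.cmd grants the right to the localized group name
:: (G_USERS), while this revoke always uses the English name "Users".
start /wait "Revoke rights" "%~dp0subinacl.exe" /SERVICE "OpenVPNService" /REVOKE=Users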
 
echo Removing Program
 
if not exist "%UNINSTALLER%" goto good_end
start /wait "Uninstall" "%UNINSTALLER%" %OPTIONS%
REM Unfortunately the uninstaller seems to fork a child process and the parent
REM process exits immediately. So give it some time to uninstall
for /L %%C IN (1,1,30) DO (
  if not exist "%UNINSTALLER%" goto good_end
  ping -n 2 127.0.0.1 > NUL
)
:bad_end
exit /B 1
 
:good_end
if exist "%APP_DIR%" rmdir /s /q "%APP_DIR%"
exit /B 0

This script is just part of my default collection of install/uninstall scripts. Since the OpenVPN uninstaller forks its own process, it does not wait until it's really uninstalled. The script waits for the uninstaller itself to disappear before terminating.

Last but not least a listing of my generic install.cmd script:

Listing of "install.cmd"

@echo off

REM Usage:
REM install.cmd <type> <32-bit-installer> <64-bit-installer> [installer-location [custom-options]]
REM where type is one of
REM     msiinstall     Install the given MSI package
REM     msiuninstall   Uninstall the given MSI package
REM     install4j      Install4J setup
REM     innosetup      Inno setup
REM     installshield  Install shield
REM     nsis           Nullsoft install system (NSIS)
REM     custom         Custom installer - options required in this case
REM 32-bit-installer   Full file name (including extension) of 32-bit installer
REM 64-bit-installer   Full file name (including extension) of 64-bit installer
REM installer-location Path where the installers are stored, if empty assumes directory where install.cmd is
REM custom-options     Replace the default installer options with the ones given

:: Additional options to be passed to the installer
:: set CUSTOM_OPTIONS=

REM Global variables
set INSTALL_CMD=
set EXIT_CODE=0

REM Get command type
set TYPE=%~1

REM Get 32-bit installer name
set CMD32=%~2

REM Get 64-bit installer name
set CMD64=%~3

REM get file path
set INSTALLER_PATH=%~dp0
if not "%~4" == "" (
set "INSTALLER_PATH=%~4"
)
 
set OPTIONS=
if not "%~5" == "" goto readOptions
goto noOptions
:readOptions
set OPTIONS=%~5
:noOptions

 
REM Detect which system is used
if not "%ProgramFiles(x86)%" == "" goto 64bit
goto 32bit

 
REM ##########################################################################
REM 64-bit system detected
REM ##########################################################################
:64bit
REM Determine 64-bit installer to be used
echo 64-bit system detected.
REM set INSTALLER64=
if not "%CMD64%" == "" (
set "INSTALLER64=%CMD64%"
) else (
REM Use 32-bit installer if available, no 64-bit installer available.
if not "%CMD32%" == "" (
echo Using 32-bit installer, no 64-bit installer specified.
set "INSTALLER64=%CMD32%"
) else (
echo Neither 64-bit nor 32-bit installer specified. Exiting.
goto usage
)
)

REM Check if installer is valid
REM (quoted assignment: a closing parenthesis in the path must not end the block)
if exist "%INSTALLER_PATH%%INSTALLER64%" (
set "INSTALL_CMD=%INSTALLER_PATH%%INSTALLER64%"
) else (
echo Installer "%INSTALLER_PATH%%INSTALLER64%" cannot be found! Exiting.
exit /B 97
)
goto installerselection

 
REM ##########################################################################
REM 32-bit system detected
REM ##########################################################################
:32bit
REM Determine 32-bit installer to be used
echo 32-bit system detected.
set INSTALLER32=
if not "%CMD32%" == "" (
set "INSTALLER32=%CMD32%"
) else (
echo No 32-bit installer specified. Exiting.
exit /B 96
)

 
REM Check if installer is valid
REM (quoted assignment: a closing parenthesis in the path must not end the block)
if exist "%INSTALLER_PATH%%INSTALLER32%" (
set "INSTALL_CMD=%INSTALLER_PATH%%INSTALLER32%"
) else (
echo Installer "%INSTALLER_PATH%%INSTALLER32%" cannot be found! Exiting.
exit /B 95
)
goto installerselection

 
 
REM ##########################################################################
REM select installer system
REM ##########################################################################
:installerselection
if /i "%TYPE%" == "msiinstall"    goto msiinstaller
if /i "%TYPE%" == "msiuninstall"  goto msiuninstaller
if /i "%TYPE%" == "install4j"     goto install4j
if /i "%TYPE%" == "innosetup"     goto innoinstaller
if /i "%TYPE%" == "installshield" goto installshieldinstaller
if /i "%TYPE%" == "nsis"          goto nsisinstaller
if /i "%TYPE%" == "custom"        goto custominstaller
goto usage
 
 
 
:msiinstaller
echo Installing "%INSTALL_CMD%"
if "%OPTIONS%" == "" (
set OPTIONS=/qn /norestart
)
start /wait "Software installation" msiexec /i "%INSTALL_CMD%" %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end
 
 
:msiuninstaller
echo Uninstalling "%INSTALL_CMD%"
if "%OPTIONS%" == "" (
set OPTIONS=/qn /norestart
)
start /wait "Software uninstallation" msiexec /x "%INSTALL_CMD%" %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end
 
 
:install4j
echo Installing "%INSTALL_CMD%"
start /wait "Software installation" "%INSTALL_CMD%" -q %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end
 
 
:innoinstaller
echo Installing "%INSTALL_CMD%"
REM if "%OPTIONS%" == "" (
REM set OPTIONS=/verysilent /norestart /sp-
REM )
start /wait "Software installation" "%INSTALL_CMD%" /verysilent /norestart /sp- %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end
 
 
:installshieldinstaller
echo Installing "%INSTALL_CMD%"
start /wait "Software installation" "%INSTALL_CMD%" /s %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end
 
 
:nsisinstaller
echo Installing "%INSTALL_CMD%"
start /wait "Software installation" "%INSTALL_CMD%" /S %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end
 
:custominstaller
if "%OPTIONS%" == "" goto usage
echo Installing "%INSTALL_CMD%"
start /wait "Software installation" "%INSTALL_CMD%" %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end
 
:usage
echo Usage:
echo "%~nx0 <type> <32-bit-installer> <64-bit-installer> [installer-location [custom-options]]"
echo where type is one of
echo     msiinstall        Install the given MSI package
echo     msiuninstall      Uninstall the given MSI package
echo     install4j         Install4J setup
echo     innosetup         Inno setup
echo     installshield     Install shield
echo     nsis              Nullsoft install system (NSIS)
echo     custom            Custom installer - options required in this case
echo 32-bit-installer      Full file name (including extension) of 32-bit installer
echo 64-bit-installer      Full file name (including extension) of 64-bit installer
echo installer-location    Path where the installers are stored
echo custom-options        Replace the default installer options with the ones given
exit /B 99
 
:end
exit /B %EXIT_CODE%