Difference between revisions of "OpenVPN"

(Alternative installation by Vince: Add some variables, update version, and some little changes)
(Alternative installation by Dave)
Line 31: Line 31:
 
[http://www.dualsoft.net/majstorije/?p=6 DriverSigning-On/Off tool] or direct link [http://www.boot-land.net/forums/index.php?act=attach&type=post&id=4073 DriverSigning.zip] (you have to register on forum). This tool removes the window that pops-up when unsigned driver installation is required. OpenVPN installs the TAP driver interface.
 
[http://www.dualsoft.net/majstorije/?p=6 DriverSigning-On/Off tool] or direct link [http://www.boot-land.net/forums/index.php?act=attach&type=post&id=4073 DriverSigning.zip] (you have to register on forum). This tool removes the window that pops-up when unsigned driver installation is required. OpenVPN installs the TAP driver interface.
 
''If you can't find it there, try: http://bit.ly/jlpBO9 or [http://reboot.pro/topic/3095-how-to-circumvent-driver-signing-policy-elevation/?p=27510 here]''
 
''If you can't find it there, try: http://bit.ly/jlpBO9 or [http://reboot.pro/topic/3095-how-to-circumvent-driver-signing-policy-elevation/?p=27510 here]''
 +
 +
==Alternative installation by Dave==
 +
 +
we do not need to install a certificate on Win 10 for TAP as the driver for Win10 is (now?) Microsoft signed.
 +
https://github.com/OpenVPN/tap-windows6/pull/100
 +
 +
* add dummy file to avoid "No readable connection profiles found".
 +
* create OpenVPN Administrators group and add "Authenticated Users" to avoid prompt Admin prompt to create group on first run.
 +
* handle upgrades and removal even if OpenVPN services are already running.
 +
 +
<source lang="xml">
 +
<package
 +
id="openvpn"
 +
name="OpenVPN Client"
 +
revision="%version%"
 +
reboot="false"
 +
priority="10">
 +
 +
<variable name="version" value="2.4.9-I601-Win10" />
 +
 +
<!-- check the version no. to check the package state -->
 +
<check type="uninstall" condition="versiongreaterorequal" path="OpenVPN .*" value="%version%" />
 +
 +
<!--
 +
https://github.com/OpenVPN/openvpn-build/blob/c92af79befec86f21b257b5defba0becb3d7641f/windows-nsis/openvpn.nsi#L551
 +
This package considers the following upstream parameters. By default, when not specified, they are considered as being set to 1.
 +
/SELECT_OPENVPN: Install OpenVPN user-space components, including openvpn.exe.
 +
/SELECT_OPENVPNGUI: Install OpenVPN GUI by Mathias Sundman.
 +
/SELECT_TAP: Install/upgrade the TAP virtual device driver.
 +
/SELECT_EASYRSA: Install OpenVPN RSA scripts for X509 certificate management. Might need to set this to 0
 +
/SELECT_OPENSSLDLLS: Install OpenSSL DLLs locally (may be omitted if DLLs are already installed globally).
 +
/SELECT_LZODLLS: Install LZO DLLs locally (may be omitted if DLLs are already installed globally).
 +
/SELECT_PKCS11DLLS: Install PKCS#11 helper DLLs locally (may be omitted if DLLs are already installed globally).
 +
/SELECT_SERVICE: Install the OpenVPN service wrappers.
 +
/SELECT_OPENSSL_UTILITIES: Install the OpenSSL Utilities (used for generating public/private key pairs).
 +
/SELECT_PATH: Add OpenVPN executable directory to the current user's PATH.
 +
/SELECT_SHORTCUTS: Add OpenVPN shortcuts to the current user's desktop and start menu.
 +
/SELECT_ASSOCIATIONS: Register OpenVPN config file association (*.ovpn).
 +
/SELECT_LAUNCH: Launch OpenVPN GUI on user logon.
 +
 +
we do not need to install a certificate on Win 10 for TAP as the driver for Win10 is now Microsoft signed.
 +
https://github.com/OpenVPN/tap-windows6/pull/100
 +
-->
 +
 +
<!-- install the software, timeout 120s, install/upgrade TAP driver -->
 +
<install timeout="120" cmd='"%SOFTWARE%\openvpn\openvpn-install-%version%.exe" /S /SELECT_TAP=1' />
 +
<!-- add dummy file to suppress "No readable connection profiles found" /Y to overwrite if exists,
 +
ideally we'll delete this when the user has a useable profile set up, but it does no harm -->
 +
<install cmd='%COMSPEC% /C COPY /Y "%SOFTWARE%\openvpn\dummy-ignore.ovpn" "%ProgramFiles%\OpenVPN\config\"' />
 +
<!-- make sure the group exists, so users are allowed to import configs -->
 +
<install cmd='%COMSPEC% /C net localgroup | find /i "OpenVPN Administrators" || net localgroup "OpenVPN Administrators" /ADD' > <exit code="any" /> </install>
 +
<install cmd='%COMSPEC% /C net localgroup "OpenVPN Administrators" | find /i "Authenticated Users" || net localgroup "OpenVPN Administrators" "Authenticated Users" /ADD' />
 +
<!-- and remove the desktop icon -->
 +
<install cmd='%COMSPEC% /C if exist "%public%\Desktop\OpenVPN GUI.lnk" del "%public%\Desktop\OpenVPN GUI.lnk"' />
 +
<install cmd='%SystemRoot%\System32\msg.exe * OpenVPN has been installed, in order for it to work properly you will need to restart your computer'/>
 +
 +
<!-- stop any services prior to upgrade -->
 +
<upgrade cmd='net stop "OpenVPN Interactive Service"' >    <exit code="any" /> </upgrade>
 +
<upgrade cmd='net stop "OpenVPN Legacy Service"' >          <exit code="any" /> </upgrade>
 +
<upgrade cmd='net stop "OpenVPNService"' >                  <exit code="any" /> </upgrade>
 +
<!-- and stop any tasks -->
 +
<upgrade cmd="taskkill /F /IM openvpnserv.exe">            <exit code="any" /> </upgrade>
 +
<upgrade cmd="taskkill /F /IM openvpn-gui.exe">            <exit code="any" /> </upgrade>
 +
<upgrade cmd="taskkill /F /IM openvpn.exe">                <exit code="any" /> </upgrade>
 +
<!-- install the software, timeout 120s, install/upgrade TAP driver -->
 +
<upgrade timeout="120" cmd='"%SOFTWARE%\openvpn\openvpn-install-%version%.exe" /S /SELECT_TAP=1' />
 +
<!-- and remove the desktop icon -->
 +
<upgrade cmd='%COMSPEC% /C if exist "%public%\Desktop\OpenVPN GUI.lnk" del "%public%\Desktop\OpenVPN GUI.lnk"' />
 +
<!-- and then start the services again -->
 +
<upgrade cmd='net start "OpenVPNService"' >                <exit code="any" /> </upgrade>
 +
<upgrade cmd='net start "OpenVPN Interactive Service"' >    <exit code="any" /> </upgrade>
 +
<!-- the GUI must be started by the user -->
 +
<upgrade cmd='%SystemRoot%\System32\msg.exe * In order to upgrade OpenVPN we needed to shut it down, you can start it again by running [OpenVPN GUI] or by restarting your computer'/>
 +
 +
<downgrade include="remove" />
 +
<downgrade include="install" />
 +
 +
<!-- stop any services -->
 +
<remove cmd='net stop "OpenVPN Interactive Service"' >    <exit code="any" /> </remove>
 +
<remove cmd='net stop "OpenVPN Legacy Service"' >          <exit code="any" /> </remove>
 +
<remove cmd='net stop "OpenVPNService"' >                  <exit code="any" /> </remove>
 +
<!-- and stop any tasks -->
 +
<remove cmd="taskkill /F /IM openvpnserv.exe">            <exit code="any" /> </remove>
 +
<remove cmd="taskkill /F /IM openvpn-gui.exe">            <exit code="any" /> </remove>
 +
<remove cmd="taskkill /F /IM openvpn.exe">                <exit code="any" /> </remove>
 +
<!-- remove any common config files -->
 +
<remove cmd='%COMSPEC% /C if exist "%ProgramFiles%\OpenVPN\config\*.ovpn" del /F "%ProgramFiles%\OpenVPN\config\*.ovpn"' >  <exit code="any" /> </remove>
 +
<!-- run the NSIS uninstaller, should remove TAP as well -->
 +
<remove cmd='"%ProgramFiles%\OpenVPN\Uninstall.exe" /S' >  <exit code="any" /> </remove>
 +
<!-- remove folder if it didn't get wiped -->
 +
<remove cmd='%COMSPEC% /C if exist "%ProgramFiles%\OpenVPN" rmdir /s /q "%ProgramFiles%\OpenVPN"' />
 +
 +
</package>
 +
</source>
 +
 +
dummy file '''dummy-ignore.ovpn''' just contains:
 +
<source>
 +
# dummy file to suppress the prompt
 +
</source>
 +
  
 
==Alternative installation by Vince==
 
==Alternative installation by Vince==
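Review bot: The added `net localgroup "OpenVPN Administrators" "Authenticated Users" /ADD` step makes every authenticated account on the machine a member of that group, while the comment above it only says "so users are allowed to import configs". As far as I know, the OpenVPN interactive service uses membership of this group to decide who may run configurations outside the restricted defaults, so the grant is probably wider than the comment suggests; please confirm against the OpenVPN GUI documentation. I would state the trade-off next to the command, e.g. `<!-- NOTE: gives every authenticated user the rights of "OpenVPN Administrators"; use a dedicated group if only some users should manage profiles -->`. The step also relies on the English name "Authenticated Users", which presumably differs on localised Windows, and the group-creation step before it hides any failure behind `<exit code="any" />`.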

Revision as of 18:59, 26 June 2020

Silent installer for OpenVPN.

  • See WPKG over VPN, if you don't want WPKG to start when computer is using VPN.
<?xml version="1.0" encoding="UTF-8"?>
<packages>
 	<!-- WPKG package: silent install of OpenVPN 2.3.2. The driver-signing prompt is switched
 	     off around the installer run so that the TAP driver installs without a dialog. -->
 	<package 
 		id="openvpn" 
 		name="OpenVPN" 
 		revision="%version%" 
 		reboot="false" 
 		priority="0">
 
                <variable name="version" value="2.3.2" />
 		<!-- The package counts as installed when the uninstall entry "OpenVPN %version%" exists. -->
 		<check type='uninstall' condition='exists' path='OpenVPN %version%' /> 
 
 		<!-- NOTE(review): DriverSigning.exe is a third-party binary (the page points to a forum
 		     attachment and a shortened link for it). It is run from the share by the WPKG client,
 		     typically with SYSTEM rights, so check its origin and hash before deploying it.
 		     The signing policy stays off between the -OFF and -ON steps. Presumably a failing
 		     installer stops the command sequence, in which case -ON never runs and the policy
 		     stays off; confirm against WPKG's exit code handling. -->
 		<install cmd='"%SOFTWARE%\openvpn\DriverSigning.exe" -OFF' />
 		<!-- /S runs the installer silently. -->
 		<install cmd='"%SOFTWARE%\openvpn\openvpn_%version%" /S' />
 		<install cmd='"%SOFTWARE%\openvpn\DriverSigning.exe" -ON' />
 		<!-- Copies every file from the share's config folder into the OpenVPN config folder.
 		     NOTE(review): these files may include keys or credentials; check who can read the
 		     share and the destination folder. -->
 		<install cmd='%COMSPEC% /c copy "%SOFTWARE%\openvpn\config\*.*" "%PROGRAMFILES%\OpenVPN\config\"' />
 		<!-- Start the OpenVPN service automatically at boot; it is not started right away
 		     (the start command below is commented out). -->
 		<install cmd='sc config openvpnservice start= auto' />
 		<!--<install cmd='sc start openvpnservice' />-->
 
 		<!-- Removal: delete all files in the config folder, then run the silent uninstaller. -->
 		<remove cmd='%COMSPEC% /c del /q "%PROGRAMFILES%\OpenVPN\config\*.*"' />
 		<remove cmd='"%PROGRAMFILES%\OpenVPN\Uninstall.exe" /S' />
 	</package>
</packages>

DriverSigning-On/Off tool or direct link DriverSigning.zip (you have to register on forum). This tool removes the window that pops-up when unsigned driver installation is required. OpenVPN installs the TAP driver interface. If you can't find it there, try: http://bit.ly/jlpBO9 or here

Alternative installation by Dave

We do not need to install a certificate on Windows 10 for TAP, as the Windows 10 driver is (now?) Microsoft-signed. See https://github.com/OpenVPN/tap-windows6/pull/100

  • add dummy file to avoid "No readable connection profiles found".
  • create the "OpenVPN Administrators" group and add "Authenticated Users" to it, to avoid the admin prompt to create the group on first run.
  • handle upgrades and removal even if OpenVPN services are already running.
<!-- WPKG package: silent install, in-place upgrade and removal of the OpenVPN 2.4.9 client.
     Upgrade and removal stop the OpenVPN services and processes first, so they also work
     while OpenVPN is running. -->
<package 
	id="openvpn"
	name="OpenVPN Client"
	revision="%version%"
	reboot="false"
	priority="10">

	<variable name="version" value="2.4.9-I601-Win10" />

	<!-- Package state check: an uninstall entry matching "OpenVPN .*" whose version is
	     greater than or equal to %version% counts as installed. -->
	<check type="uninstall" condition="versiongreaterorequal" path="OpenVPN .*" value="%version%" />

	<!--
	https://github.com/OpenVPN/openvpn-build/blob/c92af79befec86f21b257b5defba0becb3d7641f/windows-nsis/openvpn.nsi#L551
	This package considers the following upstream parameters. By default, when not specified, they are considered as being set to 1.
	/SELECT_OPENVPN: Install OpenVPN user-space components, including openvpn.exe.
	/SELECT_OPENVPNGUI: Install OpenVPN GUI by Mathias Sundman.
	/SELECT_TAP: Install/upgrade the TAP virtual device driver.
	/SELECT_EASYRSA: Install OpenVPN RSA scripts for X509 certificate management. Might need to set this to 0
	/SELECT_OPENSSLDLLS: Install OpenSSL DLLs locally (may be omitted if DLLs are already installed globally).
	/SELECT_LZODLLS: Install LZO DLLs locally (may be omitted if DLLs are already installed globally).
	/SELECT_PKCS11DLLS: Install PKCS#11 helper DLLs locally (may be omitted if DLLs are already installed globally).
	/SELECT_SERVICE: Install the OpenVPN service wrappers.
	/SELECT_OPENSSL_UTILITIES: Install the OpenSSL Utilities (used for generating public/private key pairs).
	/SELECT_PATH: Add OpenVPN executable directory to the current user's PATH.
	/SELECT_SHORTCUTS: Add OpenVPN shortcuts to the current user's desktop and start menu.
	/SELECT_ASSOCIATIONS: Register OpenVPN config file association (*.ovpn).
	/SELECT_LAUNCH: Launch OpenVPN GUI on user logon.

	We do not need to install a certificate on Win 10 for TAP as the driver for Win10 is now Microsoft signed.
	https://github.com/OpenVPN/tap-windows6/pull/100
	-->

	<!-- install the software, timeout 120s, install/upgrade TAP driver.
	     NOTE(review): the installer is taken from the %SOFTWARE% share and run silently; nothing
	     in this package verifies it. Check its Authenticode signature or a known hash when the
	     file is placed on the share, and keep the share read-only for clients. -->
	<install timeout="120" cmd='"%SOFTWARE%\openvpn\openvpn-install-%version%.exe" /S /SELECT_TAP=1' />
	<!-- add dummy file to suppress "No readable connection profiles found"; /Y overwrites an
	     existing copy. Ideally this is deleted once the user has a usable profile set up,
	     but it does no harm. -->
	<install cmd='%COMSPEC% /C COPY /Y "%SOFTWARE%\openvpn\dummy-ignore.ovpn" "%ProgramFiles%\OpenVPN\config\"' />
	<!-- make sure the group exists, so users are allowed to import configs.
	     The first command creates the group only if it is not listed yet; any exit code is
	     accepted, so a failure to create it is not reported. The second command adds
	     "Authenticated Users" unless it is already a member.
	     NOTE(review): this makes every authenticated account a member of "OpenVPN Administrators".
	     Confirm that this is the intended scope; a dedicated group of VPN users would be a
	     narrower grant. "Authenticated Users" is the English name and presumably differs on
	     localised Windows. -->
	<install cmd='%COMSPEC% /C net localgroup | find /i "OpenVPN Administrators" || net localgroup "OpenVPN Administrators" /ADD' > <exit code="any" /> </install>
	<install cmd='%COMSPEC% /C net localgroup "OpenVPN Administrators" | find /i "Authenticated Users" || net localgroup "OpenVPN Administrators" "Authenticated Users" /ADD' />
	<!-- and remove the desktop icon from the public desktop -->
	<install cmd='%COMSPEC% /C if exist "%public%\Desktop\OpenVPN GUI.lnk" del "%public%\Desktop\OpenVPN GUI.lnk"' />
	<!-- Tell all sessions that a restart is needed.
	     NOTE(review): no exit code override here, so a non-zero exit from msg.exe would
	     presumably mark the whole install as failed; confirm. -->
	<install cmd='%SystemRoot%\System32\msg.exe * OpenVPN has been installed, in order for it to work properly you will need to restart your computer'/>

	<!-- stop any services prior to upgrade; any exit code is accepted because a service
	     may be absent or already stopped -->
	<upgrade cmd='net stop "OpenVPN Interactive Service"' >     <exit code="any" /> </upgrade>
	<upgrade cmd='net stop "OpenVPN Legacy Service"' >          <exit code="any" /> </upgrade>
	<upgrade cmd='net stop "OpenVPNService"' >                  <exit code="any" /> </upgrade>
	<!-- and stop any tasks (forced kill, so open VPN connections are dropped) -->
	<upgrade cmd="taskkill /F /IM openvpnserv.exe">             <exit code="any" /> </upgrade>
	<upgrade cmd="taskkill /F /IM openvpn-gui.exe">             <exit code="any" /> </upgrade>
	<upgrade cmd="taskkill /F /IM openvpn.exe">                 <exit code="any" /> </upgrade>
	<!-- install the software, timeout 120s, install/upgrade TAP driver (same command as for install) -->
	<upgrade timeout="120" cmd='"%SOFTWARE%\openvpn\openvpn-install-%version%.exe" /S /SELECT_TAP=1' />
	<!-- and remove the desktop icon -->
	<upgrade cmd='%COMSPEC% /C if exist "%public%\Desktop\OpenVPN GUI.lnk" del "%public%\Desktop\OpenVPN GUI.lnk"' />
	<!-- and then start the services again -->
	<upgrade cmd='net start "OpenVPNService"' >                 <exit code="any" /> </upgrade>
	<upgrade cmd='net start "OpenVPN Interactive Service"' >    <exit code="any" /> </upgrade>
	<!-- the GUI must be started by the user -->
	<upgrade cmd='%SystemRoot%\System32\msg.exe * In order to upgrade OpenVPN we needed to shut it down, you can start it again by running [OpenVPN GUI] or by restarting your computer'/>

	<!-- A downgrade is a removal followed by a fresh install. -->
	<downgrade include="remove" />
	<downgrade include="install" />

	<!-- stop any services -->
	<remove cmd='net stop "OpenVPN Interactive Service"' >     <exit code="any" /> </remove>
	<remove cmd='net stop "OpenVPN Legacy Service"' >          <exit code="any" /> </remove>
	<remove cmd='net stop "OpenVPNService"' >                  <exit code="any" /> </remove>
	<!-- and stop any tasks -->
	<remove cmd="taskkill /F /IM openvpnserv.exe">             <exit code="any" /> </remove>
	<remove cmd="taskkill /F /IM openvpn-gui.exe">             <exit code="any" /> </remove>
	<remove cmd="taskkill /F /IM openvpn.exe">                 <exit code="any" /> </remove>
	<!-- remove any common config files: this deletes every *.ovpn in the global config
	     folder, not only dummy-ignore.ovpn -->
	<remove cmd='%COMSPEC% /C if exist "%ProgramFiles%\OpenVPN\config\*.ovpn" del /F "%ProgramFiles%\OpenVPN\config\*.ovpn"' >  <exit code="any" /> </remove>
	<!-- run the NSIS uninstaller, should remove TAP as well -->
	<remove cmd='"%ProgramFiles%\OpenVPN\Uninstall.exe" /S' >  <exit code="any" /> </remove>
	<!-- remove folder if it didn't get wiped.
	     NOTE(review): the "OpenVPN Administrators" group created during install is not
	     removed by any of the remove commands. -->
	<remove cmd='%COMSPEC% /C if exist "%ProgramFiles%\OpenVPN" rmdir /s /q "%ProgramFiles%\OpenVPN"' />

</package>

dummy file dummy-ignore.ovpn just contains:

# dummy file to suppress the prompt


Alternative installation by Vince

It installs the OpenVPN certificate first, which gets rid of the driver installation confirmation popup. Tested on Windows 10; it may not work on Windows 7.

A) First install OpenVPN on a temporary host and export the certificate as openvpn.cer via certmgr.msc. B) Copy openvpn.cer into your OpenVPN install folder on your WPKG server. C) Copy your config file(s) into the "config" subfolder.


<!-- WPKG package: silent install of OpenVPN 2.4.9. The publisher certificate is added to the
     TrustedPublisher store first, so the driver installation does not ask for confirmation. -->
<package
	id="openvpn"
	name="OpenVPN"
	revision="%PKG_VERSION%"
	reboot="false"
	priority="0">

	<!-- All paths, file names and switches are derived from these variables. -->
	<variable name="PKG_VERSION"		value="2.4.9" />
	<variable name="PKG_FULL_VERSION"	value="%PKG_VERSION%-I601" />
	<variable name="PKG_SOURCE"		value="%SOFTWARE%\OpenVPN"/>
	<variable name="PKG_NAME"		value="openvpn-install-%PKG_FULL_VERSION%.exe" />
	<variable name="PKG_INSTALL_SWITCH"	value="/S" />
	<variable name="PKG_REMOVE_SWITCH"	value="/S" />
	<variable name="PKG_DESTINATION"	value="%PROGRAMFILES%\OpenVPN" />

	<!-- Installed when an uninstall entry matching "OpenVPN .+" reports a version greater
	     than or equal to %PKG_FULL_VERSION%. -->
	<check type="uninstall" condition="versiongreaterorequal" path="OpenVPN .+" value="%PKG_FULL_VERSION%" />
 
  	<!-- Anything signed with a certificate in TrustedPublisher installs without a publisher
  	     prompt. NOTE(review): make sure openvpn.cer on the share is the expected certificate,
  	     for example by comparing its thumbprint with the signature on the installer, and keep
  	     the share read-only for clients. -->
  	<install cmd='certutil -addstore "TrustedPublisher" "%PKG_SOURCE%\openvpn.cer"' />
 	<install cmd='"%PKG_SOURCE%\%PKG_NAME%" %PKG_INSTALL_SWITCH%' />
 	<!-- Start the OpenVPN service automatically at boot. -->
 	<install cmd='sc config openvpnservice start= auto' />
 	<!-- Copies every file from the share's config folder; NOTE(review): these may contain keys
 	     or credentials, so check the access rights on the share and on the destination. -->
 	<install cmd='%COMSPEC% /c copy "%PKG_SOURCE%\config\*.*" "%PKG_DESTINATION%\config\"' />
	<!-- Intended as a short delay.
	     NOTE(review): there is no space between 3 and the redirection sign. If cmd.exe parses
	     this line, the 3 is read as a handle number and ping gets no count; confirm that the
	     delay works as intended. -->
	<install cmd='ping 127.0.0.1 -n 3>NUL' />

	<!-- An upgrade is a full removal followed by a fresh install. -->
	<upgrade include="remove" />
	<upgrade include="install" />
 
	<!-- Deletes all files in the config folder (this line uses %PROGRAMFILES% directly instead
	     of %PKG_DESTINATION%; both name the same folder here). -->
	<remove cmd='%COMSPEC% /c del /q "%PROGRAMFILES%\OpenVPN\config\*.*"' />
 	<!-- Removes the publisher certificate again, selected by the name given here.
 	     NOTE(review): presumably nothing is removed if the imported certificate carries a
 	     different subject name; confirm against the certificate actually deployed. -->
 	<remove cmd='certutil -delstore "TrustedPublisher" "OpenVPN Technologies, Inc."' />
 	<remove cmd='"%PKG_DESTINATION%\Uninstall.exe" %PKG_REMOVE_SWITCH%' />
	<remove cmd='ping 127.0.0.1 -n 3>NUL' />
</package>

Alternative installation by SkyBeam

I've got a slightly different approach to installing OpenVPN. The main difference is that you don't need an additional tool to disable driver signing, since the certificate which is used to sign the drivers is added to the certificate store in advance. This works for packages like VirtualBox as well, in order to prevent Windows from warning you that the driver is signed by an untrusted publisher.

This approach also includes security settings to allow non-privileged users to start/stop the OpenVPN service. Feel free to alter default OpenVPN-GUI settings in unattended-post.cmd.

My directory contains the following files:

  • install.cmd
  • OpenVPN Certificate.cer
  • openvpn-2.1.1-install.exe
  • subinacl.exe
  • unattended.cmd
  • unattended-post.cmd
  • unattended-pre.cmd
  • unattended-uninstall.cmd

I am using the following, very simple package definition:

<?xml version="1.0" encoding="utf-8" ?>
<packages>

<!-- WPKG package for OpenVPN 2.1.1. All work is delegated to batch scripts that live next to
     the installer on the share; their output is discarded.
     NOTE(review): these scripts are run by the WPKG client, typically with SYSTEM rights, so
     the folder on the share should be writable by administrators only. -->
<package id='OpenVPN' name='OpenVPN' revision='211' priority='50' reboot='false' >
  <!-- OpenVPN v.2.1.1 -->
  <!-- Installed when the uninstall entry "OpenVPN 2.1.1" exists. -->
  <check type='uninstall' condition='exists' path='OpenVPN 2.1.1' />
  <install cmd='"%SOFTWARE%\software.free\OpenVPN v.2.1.1\unattended.cmd" > NUL' />
  <remove cmd='"%SOFTWARE%\software.free\OpenVPN v.2.1.1\unattended-uninstall.cmd" > NUL' />
  <!-- An upgrade runs the same script as a fresh install. -->
  <upgrade cmd='"%SOFTWARE%\software.free\OpenVPN v.2.1.1\unattended.cmd" > NUL' />
</package>

</packages>

The "subinacl.exe" tool is part of the Windows Resource Kit Tools collection and can be downloaded independently from the Microsoft Download Center.

The certificate "OpenVPN Certificate.cer" needs to be extracted from the archive once. To do this follow these steps:

  • Install 7-Zip or any extractor capable of extracting NSIS installers
  • Extract "openvpn-2.1.1-install.exe"
  • Open (just double-click) "driver/tap0901.cat" from the extracted directory structure
  • In the "Security Catalog" dialog appearing click on "View Signature" in "General" tab
  • Click on "View Certificate" on the "General" tab
  • Go to "Details" tab of the Certificate dialog popping up
  • Click on "Copy to File..."
  • Click "Next" selecting DER encoded binary X.509 (.CER)
  • Enter "OpenVPN Certificate.cer" as the file name and store the file within your OpenVPN installer folder


Here's a listing of all other files required:

Listing of "unattended-pre.cmd":

@echo off
:: This script prepares the system to install OpenVPN.
:: It is called by unattended.cmd before the installer runs; INSTALLER_LOC is set there
:: to the folder of the calling script (including the trailing backslash).

echo Importing OpenVPN certificate as trusted publisher
:: Anything signed with a certificate in TrustedPublisher installs without a publisher prompt.
:: NOTE(review): check that the .cer file on the share is the expected certificate, for
:: example by comparing its thumbprint with the signature on the installer.
:: The output of certutil is discarded and its exit code is not checked here.
certutil -addstore "TrustedPublisher" "%INSTALLER_LOC%OpenVPN Certificate.cer" > NUL

As you can see it's just importing the certificate into the certificate store before the installation is run.

Listing of "unattended-post.cmd":

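@echo off
:: Post-installation actions for OpenVPN:
::   1. work out the localised name of the built-in Users group,
::   2. delete the OpenVPN desktop icons of the current profile,
::   3. let that group start and stop OpenVPNService (via subinacl),
::   4. write the machine-wide OpenVPN GUI settings to the registry.
:: LANG may be preset by the caller (en, enu, de, deu, nl, nld) to skip the detection.

set ICON_PREFIX=OpenVPN

set KEY="hklm\system\controlset001\control\nls\language"
:: Default group name; also used when the language cannot be determined.
set G_USERS=Users

:: Detect language
:select
if "%LANG%" == "en" goto en
if "%LANG%" == "enu" goto en
if "%LANG%" == "de" goto de
if "%LANG%" == "deu" goto de
if "%LANG%" == "nl" goto nl
if "%LANG%" == "nld" goto nl
goto detect

:detect
:: Read the install language id of Windows from the registry.
for /f "Skip=1 Tokens=3*" %%i in ('reg QUERY %KEY% /v Installlanguage') do set language=%%i

if "%language%" == "0407" (
  set LANG=de
  goto select
)
if "%language%" == "0409" (
  set LANG=en
  goto select
)
if "%language%" == "0413" (
  set LANG=nl
  goto select
)
:: Unknown or undetectable install language. Jumping back to :select here would bounce
:: between :select and :detect forever, so fall back to the English group name instead.
goto en

:en
set G_USERS=Users
goto continue

:de
set G_USERS=Benutzer
goto continue

:nl
set G_USERS=Gebruikers
goto continue

:continue
echo Removing desktop icon
del /F /Q "%USERPROFILE%\Desktop\%ICON_PREFIX%**"

echo Granting users the right to start the OpenVPN service
:: Grants the access string TO on OpenVPNService to the whole Users group; the page describes
:: this as the right to start and stop the service.
:: NOTE(review): every local user can then start the service with whatever profiles are in
:: the config folder, so that folder should be writable by administrators only.
start /wait "Grant rights" "%~dp0subinacl.exe" /SERVICE "OpenVPNService" /GRANT=%G_USERS%=TO

echo Configure OpenVPN GUI

:: detect 64-bit edition and set correct registry path
set VPN_GUI_KEY=HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI
if not "%ProgramFiles(x86)%" == "" set VPN_GUI_KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OpenVPN-GUI

set PROGRAM_FILES=%ProgramFiles%
if not "%ProgramFiles(x86)%" == "" set PROGRAM_FILES=%ProgramFiles(x86)%

:: GUI policy: service control allowed, password change, config editing and proxy settings
:: switched off, service-only mode switched on (names as used by OpenVPN GUI).
reg add "%VPN_GUI_KEY%" /v allow_service /t REG_SZ /d 1 /f > NUL
reg add "%VPN_GUI_KEY%" /v allow_password /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v allow_edit /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v allow_proxy /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v service_only /t REG_SZ /d 1 /f > NUL

:: required standard settings
set VPN_HOME=%PROGRAM_FILES%\OpenVPN
reg add "%VPN_GUI_KEY%" /v config_dir /t REG_SZ /d "%VPN_HOME%\config" /f > NUL
reg add "%VPN_GUI_KEY%" /v config_ext /t REG_SZ /d "ovpn" /f > NUL
reg add "%VPN_GUI_KEY%" /v exe_path /t REG_SZ /d "%VPN_HOME%\bin\openvpn.exe" /f > NUL
reg add "%VPN_GUI_KEY%" /v log_dir /t REG_SZ /d "%VPN_HOME%\log" /f > NUL
reg add "%VPN_GUI_KEY%" /v log_append /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v priority /t REG_SZ /d "NORMAL_PRIORITY_CLASS" /f > NUL
reg add "%VPN_GUI_KEY%" /v log_viewer /t REG_SZ /d "%SystemRoot%\notepad.exe" /f > NUL
reg add "%VPN_GUI_KEY%" /v editor /t REG_SZ /d "%SystemRoot%\notepad.exe" /f > NUL
reg add "%VPN_GUI_KEY%" /v show_balloon /t REG_SZ /d 1 /f > NUL
reg add "%VPN_GUI_KEY%" /v silent_connection /t REG_SZ /d 0 /f > NUL
reg add "%VPN_GUI_KEY%" /v show_script_window /t REG_SZ /d 1 /f > NUL
reg add "%VPN_GUI_KEY%" /v disconnect_on_suspend /t REG_SZ /d 1 /f > NUL
reg add "%VPN_GUI_KEY%" /v passphrase_attempts /t REG_SZ /d 3 /f > NUL
reg add "%VPN_GUI_KEY%" /v connectscript_timeout /t REG_SZ /d 5 /f > NUL
reg add "%VPN_GUI_KEY%" /v disconnectscript_timeout /t REG_SZ /d 10 /f > NUL
reg add "%VPN_GUI_KEY%" /v preconnectscript_timeout /t REG_SZ /d 10 /f > NUL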

Feel free to customize the registry entries as needed. The script works for English and German version of Windows. Feel free to extend the language detection with your own languages as required. The purpose of the language detection is to detect the group name for "normal users" which should be granted the right to start/stop the service.


Listing of "unattended.cmd"

@echo off

:: This script is a generic unattended installer. It runs install.cmd with the
:: right command line arguments. In addition it calls optional hook scripts
:: that sit next to it, if they exist:
:: call trace:
::  - unattended.cmd
::   -> prerun.cmd
::   -> unattended-pre.cmd    (own file name plus -pre.cmd)
::   -> install.cmd           (installs the application)
::   -> unattended-post.cmd   (own file name plus -post.cmd)
::   -> postrun.cmd
:: The exit code of this script is the exit code returned by install.cmd; the
:: exit codes of the hook scripts are not checked, and the post hooks run even
:: when the installer failed.
:: NOTE(review): all of these files are executed from the folder of this script,
:: so that folder should be writable by administrators only.


:: Name of the application (just to print it on the command prompt)
set PROGRAM_NAME=OpenVPN

:: 32-bit installer command (run on 32-bit Windows)
set CMD32=openvpn-2.1.1-install.exe

:: 64-bit installer command (run on 64-bit Windows)
:: set to %CMD32% to install the same package on 64-bit Windows
set CMD64=%CMD32%

:: Type of installer, select one supported by install.cmd
:: e.g. msiinstall, msiuninstall, nsis, innosetup...
set INSTALLER_TYPE=nsis

:: Additional options to be passed to installer.
set INSTALLER_OPTIONS=

:: Working directory for installer
set INSTALLER_WORKDIR=

:: install helper script name (needs to be within the same directory)
set INSTALLER=install.cmd

:: custom options to pass to the installer
:: (not passed as an argument; install.cmd reads this variable from the environment)
set CUSTOM_OPTIONS=

:: ############################################################################
:: No need to change anything below this line (usually ;-))
:: ############################################################################
:: INSTALLER_LOC: folder of this script; CMDPATH: full path of this script without extension
set INSTALLER_LOC=%~dp0
set CMDPATH=%~dpn0

if exist "%INSTALLER_LOC%prerun.cmd" (
    call "%INSTALLER_LOC%prerun.cmd"
)

if exist "%CMDPATH%-pre.cmd" (
	call "%CMDPATH%-pre.cmd"
)

:install
echo Installing %PROGRAM_NAME%

:: PROGRAM_FILES points to the 32-bit program folder on 64-bit Windows
set PROGRAM_FILES=%ProgramFiles%
if not "%ProgramFiles(x86)%" == "" set PROGRAM_FILES=%ProgramFiles(x86)%

:: Arguments: type, 32-bit installer, 64-bit installer, installer location, options
call "%INSTALLER_LOC%%INSTALLER%" %INSTALLER_TYPE% "%CMD32%" "%CMD64%" "%INSTALLER_WORKDIR%" "%INSTALLER_OPTIONS%"
set EXIT_CODE=%ERRORLEVEL%

if exist "%CMDPATH%-post.cmd" (
	call "%CMDPATH%-post.cmd"
)

if exist "%INSTALLER_LOC%postrun.cmd" (
	call "%INSTALLER_LOC%postrun.cmd"
)

:end
exit /B %EXIT_CODE%

This is just my default unattended script I am using for almost any program. It allows calling my generic install.cmd script while supporting extension points (in this case unattended-pre.cmd and unattended-post.cmd are used).

Listing of "unattended-uninstall.cmd"

@echo off

:: This script is an extended uninstaller script for programs which have tricky
:: uninstallers (e.g. VLC media player).
:: It runs an uninstaller application and then watches whether the uninstaller
:: file itself disappears from the system. Depending on the result (either the
:: removal completes or the timeout occurs) it exits with a different exit code:
:: code 0: all fine, program uninstalled
:: code 1: failed, uninstaller still exists after timeout


:: This is required to evaluate the target of %ProgramFiles% on 64-bit systems
:: Please note that this is required only if you uninstall a 32-bit application.
set PROGRAM_FILES=%ProgramFiles%
if not "%ProgramFiles(x86)%" == "" set PROGRAM_FILES=%ProgramFiles(x86)%

:: Path where the uninstaller is located
set APP_DIR=%PROGRAM_FILES%\OpenVPN

:: Path to the uninstaller (see path definition above)
set UNINSTALLER=%APP_DIR%\Uninstall.exe

:: Options to be passed to the uninstaller in order to uninstall silently
set OPTIONS=/S


:: ############################################################################
:: No need to change anything below this line (usually ;-))
:: ############################################################################
echo Remove System privileges
:: NOTE(review): the group name is hard-coded as Users here, while unattended-post.cmd
:: grants the right to the localised group name (Benutzer, Gebruikers); on those systems
:: this revoke presumably does not match the grant. The result of subinacl is not checked.
start /wait "Revoke rights" "%~dp0subinacl.exe" /SERVICE "OpenVPNService" /REVOKE=Users

echo Removing Program

:: Nothing to do if the uninstaller is already gone.
if not exist "%UNINSTALLER%" goto good_end
start /wait "Uninstall" "%UNINSTALLER%" %OPTIONS%
REM Unfortunately the uninstaller seems to fork a child process and the parent
REM process exits immediately. So give it some time to uninstall:
REM up to 30 checks, each followed by a short ping-based pause.
for /L %%C IN (1,1,30) DO (
  if not exist "%UNINSTALLER%" goto good_end
  ping -n 2 127.0.0.1 > NUL
)
:bad_end
exit /B 1
 
:good_end
:: Remove whatever the uninstaller left behind in the application folder.
if exist "%APP_DIR%" rmdir /s /q "%APP_DIR%"
exit /B 0

This script is just part of my default collection of install/uninstall scripts. Since the OpenVPN uninstaller forks its own process, the caller does not wait until it is really uninstalled. The script therefore waits for the uninstaller itself to disappear before terminating.

Last but not least a listing of my generic install.cmd script:

Listing of "install.cmd"

@echo off

REM Generic install helper: picks the 32-bit or 64-bit installer file, checks
REM that it exists and starts it with the silent switches of the given
REM installer type. The exit code of the installer is passed back to the caller.
REM Own exit codes: 95 and 97 installer file not found, 96 no 32-bit installer
REM given, 99 usage error.
REM NOTE(review): the selected file is started with the rights of the caller
REM and is not verified in any way; the integrity of the installer folder is
REM assumed.

REM Usage:
REM msiinstall.cmd <type> <32-bit-installer> <64-bit-installer> [installer-location [custom-options]]
REM where type is one of
REM     msiinstall     Install the given MSI package
REM     msiuninstall   Uninstall the given MSI package
REM     install4j      Install4J setup
REM     innosetup      Inno setup
REM     installshield  Install shield
REM     nsis           Nullsoft install system (NSIS)
REM     custom         Custom installer - options required in this case
REM 32-bit-installer   Full file name (including extension) of 32-bit installer
REM 64-bit-installer   Full file name (including extension) of 64-bit installer
REM installer-location Path where the installers are stored, if empty assumes directory where install.cmd is
REM custom-options     Replace the default installer options with the ones given

:: Additional options to be passed to the installer
:: (CUSTOM_OPTIONS is not set in this script; it is read from the calling environment
:: and appended unquoted to every installer command line below)
:: set CUSTOM_OPTIONS=

REM Global variables
set INSTALL_CMD=
set EXIT_CODE=0

REM Get command type
set TYPE=%~1

REM Get 32-bit installer name
set CMD32=%~2

REM Get 64-bit installer name
set CMD64=%~3

REM get file path
REM NOTE(review): the path is joined directly with the installer file name
REM below, so a location given by the caller presumably needs a trailing
REM backslash.
set INSTALLER_PATH=%~dp0
if not "%~4" == "" (
set INSTALLER_PATH=%~4
)

REM Fifth argument, if given, replaces the default options of the installer type
set OPTIONS=
if not "%~5" == "" goto readOptions
goto noOptions
:readOptions
set OPTIONS=%~5
:noOptions


REM Detect which system is used
REM (a defined ProgramFiles(x86) variable is taken as the sign of 64-bit Windows)
if not "%ProgramFiles(x86)%" == "" goto 64bit
goto 32bit


REM ##########################################################################
REM 64-bit system detected
REM ##########################################################################
:64bit
REM Determine 64-bit installer to be used
echo 64-bit system detected.
REM set INSTALLER64=
if not "%CMD64%" == "" (
set INSTALLER64=%CMD64%
) else (
REM Use 32-bit installer if available, no 64-bit installer available.
if not "%CMD32%" == "" (
echo Using 32-bit installer, no 64-bit installer specified.
set INSTALLER64=%CMD32%
) else (
echo Neither 64-bit nor 32-bit installer specified. Exiting.
goto usage
)
)

REM Check if installer is valid
REM (only the existence of the file is checked)
if exist "%INSTALLER_PATH%%INSTALLER64%" (
set INSTALL_CMD=%INSTALLER_PATH%%INSTALLER64%
) else (
echo Installer "%INSTALLER_PATH%%INSTALLER64%" cannot be found! Exiting.
exit /B 97
)
goto installerselection


REM ##########################################################################
REM 32-bit system detected
REM ##########################################################################
:32bit
REM Determine 32-bit installer to be used
echo 32-bit system detected.
set INSTALLER32=
if not "%CMD32%" == "" (
set INSTALLER32=%CMD32%
) else (
echo No 32-bit installer specified. Exiting.
exit /B 96
)


REM Check if installer is valid
REM (only the existence of the file is checked)
if exist "%INSTALLER_PATH%%INSTALLER32%" (
set INSTALL_CMD=%INSTALLER_PATH%%INSTALLER32%
) else (
echo Installer "%INSTALLER_PATH%%INSTALLER32%" cannot be found! Exiting.
exit /B 95
)
goto installerselection



REM ##########################################################################
REM select installer system
REM ##########################################################################
REM The type is compared case-insensitively; an unknown type prints the usage.
:installerselection
if /i "%TYPE%" == "msiinstall"    goto msiinstaller
if /i "%TYPE%" == "msiuninstall"  goto msiuninstaller
if /i "%TYPE%" == "install4j"     goto install4j
if /i "%TYPE%" == "innosetup"     goto innoinstaller
if /i "%TYPE%" == "installshield" goto installshieldinstaller
if /i "%TYPE%" == "nsis"          goto nsisinstaller
if /i "%TYPE%" == "custom"        goto custominstaller
goto usage



REM MSI install: quiet and without restart unless options were given
:msiinstaller
echo Installing "%INSTALL_CMD%"
if "%OPTIONS%" == "" (
set OPTIONS=/qn /norestart
)
start /wait "Software installation" msiexec /i "%INSTALL_CMD%" %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end


REM MSI uninstall: quiet and without restart unless options were given
:msiuninstaller
echo Uninstalling "%INSTALL_CMD%"
if "%OPTIONS%" == "" (
set OPTIONS=/qn /norestart
)
start /wait "Software uninstallation" msiexec /x "%INSTALL_CMD%" %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end


REM install4j: the -q switch is always passed, given options are added to it
:install4j
echo Installing "%INSTALL_CMD%"
start /wait "Software installation" "%INSTALL_CMD%" -q %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end


REM Inno Setup: the silent switches are always passed, given options are added to them
:innoinstaller
echo Installing "%INSTALL_CMD%"
REM if "%OPTIONS%" == "" (
REM set OPTIONS=/verysilent /norestart /sp-
REM )
start /wait "Software installation" "%INSTALL_CMD%" /verysilent /norestart /sp- %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end


REM InstallShield: the /s switch is always passed
:installshieldinstaller
echo Installing "%INSTALL_CMD%"
start /wait "Software installation" "%INSTALL_CMD%" /s %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end


REM NSIS: the /S switch is always passed (this is the type used for OpenVPN)
:nsisinstaller
echo Installing "%INSTALL_CMD%"
start /wait "Software installation" "%INSTALL_CMD%" /S %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end

REM Custom: no default switches, so options are mandatory
:custominstaller
if "%OPTIONS%" == "" goto usage
echo Installing "%INSTALL_CMD%"
start /wait "Software installation" "%INSTALL_CMD%" %OPTIONS% %CUSTOM_OPTIONS%
set EXIT_CODE=%ERRORLEVEL%
goto end

REM NOTE(review): the type install4j is accepted above but is not listed in
REM the usage text printed here.
:usage
echo Usage:
echo "%~nx0 <type> <32-bit-installer> <64-bit-installer> [installer-location [custom-options]]"
echo where type is one of
echo     msiinstall        Install the given MSI package
echo     msiuninstall      Uninstall the given MSI package
echo     innosetup         Inno setup
echo     installshield     Install shield
echo     nsis              Nullsoft install system (NSIS)
echo     custom            Custom installer - options required in this case
echo 32-bit-installer      Full file name (including extension) of 32-bit installer
echo 64-bit-installer      Full file name (including extension) of 64-bit installer
echo installer-location    Path where the installers are stored
echo custom-options        Replace the default installer options with the ones given
exit /B 99

:end
exit /B %EXIT_CODE%