# Package the SELinux policy %bcond_without selinux %global selinuxtype targeted # Enable openvpn3-addon-aws package by default %bcond_without aws %global _hardened_build 1 %define versiontag _beta %define releasetag beta1 Name: openvpn3 Version: 10 Release: 0.%{?releasetag}%{?dist} Summary: OpenVPN 3 TLS based VPN License: AGPLv3 URL: https://github.com/OpenVPN/openvpn3-linux/ Source0: https://swupdate.openvpn.net/community/releases/openvpn3-linux-%{version}%{?versiontag}.tar.xz Source1: https://swupdate.openvpn.net/community/releases/openvpn3-linux-%{version}%{?versiontag}.tar.xz.asc Source2: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg Patch0: fedora-crypto-policy-compliance.patch Patch1: disable-protect-socket.patch Vendor: OpenVPN Inc # Currently the code is buildable on 32-bit architectures ExcludeArch: armv7hl i686 BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: glib2-devel BuildRequires: jsoncpp-devel BuildRequires: libcap-ng-devel BuildRequires: libuuid-devel BuildRequires: lz4-devel BuildRequires: systemd BuildRequires: zlib-devel BuildRequires: openssl-devel %if 0%{?rhel} == 7 %define rhel7_optflags "-std=c++1y" BuildRequires: python36-dbus BuildRequires: python36-devel BuildRequires: python36-jinja2 # We cannot use python36-docutils on RHEL-7 as # the ./configure script does not currently find # the rst2man-3 executable, it only looks for rst2man BuildRequires: python-docutils %else BuildRequires: python3-dbus BuildRequires: python3-devel BuildRequires: python3-jinja2 BuildRequires: python3-docutils %endif %if %{with selinux} BuildRequires: selinux-policy BuildRequires: selinux-policy-devel %endif Requires: openssl Requires: dbus Requires: jsoncpp Requires: lz4 Requires: python(abi) >= 3.6 Requires: python3-dbus %if 0%{?rhel} == 7 Requires: python36-gobject-base %else Requires: python3-gobject-base %endif %if %{with selinux} Requires: %{name}-selinux >= %{version}-%{release} %endif %description Next generation OpenVPN client, targeting modern Linux distributions. OpenVPN 3 aims to be protocol compatible with the older OpenVPN 2.x releases, but may not yet support all features of OpenVPN 2.x. %package client Summary: OpenVPN 3 Client, TLS based VPN client Requires: %{name}%{?_isa} = %{version}-%{release} %description client OpenVPN 3 Client components. Provides the binaries and D-Bus services required to initiate and manage VPN client configuration profiles. # openvpn3-addon-aws sub-package %if %{with aws} %package addon-aws Summary: OpenVPN 3 Linux AWS VPC integration support BuildRequires: tinyxml2-devel Requires: tinyxml2 %description addon-aws This OpenVPN 3 Linux add-on will push VPN routes to the AWS VPC to enable hosts inside the related VPC to utilize the VPN setup. %endif # SELinux sub-package %if %{with selinux} %package selinux Summary: OpenVPN 3 Linux SELinux policy BuildArch: noarch %{?selinux_requires} Requires: selinux-policy-targeted %description selinux Additional SELinux policy required for OpenVPN 3 Linux to function when SELinux is active. %endif %prep gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %setup -q -n %{name}-linux-%{version}%{?versiontag} %if 0%{?rhel} > 8 || 0%{?fedora} > 31 %patch0 -p1 %endif %patch1 -p1 %build # Configure and build %configure CXXFLAGS="%{?rhel7_optflags} %{optflags}" --disable-build-test-progs SYSTEMD_UNIT_DIR="%{_unitdir}" %{?with_aws:--enable-addons-aws} %{!?with_selinux:--disable-selinux-build} --enable-bash-completion make %{?_smp_mflags} %check src/tests/unit/unit-tests --gtest_output="xml:test_results/openvpn3-linux-tests.xml" make check %install rm -rf $RPM_BUILD_ROOT %make_install mkdir -p %{buildroot}%{_sysconfdir}/%{name}/autoload mkdir -p %{buildroot}%{_sharedstatedir}/%{name} %pre # Ensure we have openvpn user and group accounts getent group openvpn &>/dev/null || groupadd -r openvpn getent passwd openvpn &>/dev/null || \ /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \ -d %{_sharedstatedir}/%{name} openvpn exit 0 %preun # # SELinux sub-package # %if %{with selinux} %post selinux # Install SELinux policy %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}.pp.bz2 # Enable the dbus_access_tuntap_device SELinux boolean. # This is needed to make it possbile for the netcfg service # to pass the file descriptor to tun devices it has created # and configured. %selinux_set_booleans -s %{selinuxtype} dbus_access_tuntap_device=1 %postun selinux # Unset dbus_access_tuntap_device SELinux boolean # and uninstall the SELinux policy we provide %selinux_unset_booleans -s %{selinuxtype} dbus_access_tuntap_device=1 %selinux_modules_uninstall -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}.pp.bz2 %endif %files %doc COPYRIGHT.md README.md docs/*.md docs/dbus/*.md %config(noreplace) %{_sysconfdir}/dbus-1/system.d/net.openvpn.v3.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.d/net.openvpn.v3.*.conf %config %dir %{_sysconfdir}/%{name} %config %dir %{_sysconfdir}/%{name}/autoload %{_libexecdir}/openvpn3-linux/openvpn3-service-logger %{_libexecdir}/openvpn3-linux/openvpn3-service-configmgr %{_libexecdir}/openvpn3-linux/openvpn3-service-netcfg %{_unitdir}/openvpn3-autoload.service %{_bindir}/openvpn3 %{_sbindir}/openvpn3-autoload %{_sbindir}/openvpn3-admin %{python3_sitelib}/openvpn3/*.py %{python3_sitelib}/openvpn3/__pycache__/* %{_datarootdir}/bash-completion/completions/openvpn* %{_datarootdir}/dbus-1/system-services/net.openvpn.v3.configuration.service %{_datarootdir}/dbus-1/system-services/net.openvpn.v3.log.service %{_datarootdir}/dbus-1/system-services/net.openvpn.v3.netcfg.service %{_datarootdir}/polkit-1/rules.d/net.openvpn.v3.rules %dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name} %{_mandir}/man7/openvpn3-linux.7* %{_mandir}/man8/openvpn3-autoload.8* %{_mandir}/man8/openvpn3-admin*.8* %{_mandir}/man8/openvpn3-service-logger.8* %{_mandir}/man8/openvpn3-service-configmgr.8* %{_mandir}/man8/openvpn3-service-netcfg.8* %files client %{_bindir}/openvpn2 %{_bindir}/openvpn3-as %{_libexecdir}/openvpn3-linux/openvpn3-service-backendstart %{_libexecdir}/openvpn3-linux/openvpn3-service-client %{_libexecdir}/openvpn3-linux/openvpn3-service-sessionmgr %{_datarootdir}/dbus-1/system-services/net.openvpn.v3.backends.service %{_datarootdir}/dbus-1/system-services/net.openvpn.v3.sessions.service %dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name}/configs %{_mandir}/man1/openvpn2.1* %{_mandir}/man1/openvpn3.1* %{_mandir}/man1/openvpn3-as.1* %{_mandir}/man1/openvpn3-config*.1* %{_mandir}/man1/openvpn3-log.1* %{_mandir}/man1/openvpn3-session*.1* %{_mandir}/man8/openvpn3-service-backendstart.8* %{_mandir}/man8/openvpn3-service-client.8* %{_mandir}/man8/openvpn3-service-sessionmgr.8* %if %{with aws} %files addon-aws %config(noreplace) %{_sysconfdir}/dbus-1/system.d/net.openvpn.v3.aws.conf %{_libexecdir}/openvpn3-linux/openvpn3-service-aws %{_unitdir}/openvpn3-aws.service %{_mandir}/man8/openvpn3-service-aws.8* %{_sysconfdir}/%{name}/awscerts %endif %if %{with selinux} %files selinux %{_datadir}/selinux/packages/%{name}.pp.* %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} %endif %changelog * Sat Jul 25 2020 David Sommerseth - 10-0.beta1 - Package openvpn3-linux-10_beta release - Move openvpn3 binary from -client to the base package - Install bash-completions for openvpn2 in addition - Install additional AWS region certificates in sysconfdir (openvpn3-addon-aws) - Build RHEL-7 packages with -std=c++1y * Tue Apr 28 2020 David Sommerseth - 9-6.beta1 - Add explicit dependency on python3-gobject-base * Tue Apr 28 2020 David Sommerseth - 9-5.beta1 - Add explicit dependency on python3-dbus * Tue Apr 28 2020 David Sommerseth - 9-4.beta1 - Make use of the %%{selinux_requires} macro for SELinux dependency handling in the -selinux sub-package * Tue Apr 28 2020 David Sommerseth - 9-3.beta1 - Fix various openvpn3-selinux dependency related issues * Sat Apr 25 2020 David Sommerseth - 9-2.beta1 - Remove the Fedora packaging OpenSSL compliance patch on all distro releases older than Fedora 32 * Thu Apr 23 2020 David Sommerseth - 9-1.beta1 - Packaging of the openvpn3-linux-9_beta release - Reworked sub-packaging slightly, use proper bcond macros - Added the new openvpn3-addon-aws sub-package * Thu Feb 20 2020 David Sommerseth - 8-2.beta1 - Package SELinux policy in a separate package * Thu Feb 20 2020 David Sommerseth - 8-1.beta1 - Adhere to Fedora Crypto Policy, using PROFILE=SYSTEM for cipher list init * Mon Feb 10 2020 David Sommerseth - 8-0.beta1 - Packaging of the openvpn3-linux-8_beta release - Added additional compiler flags specific for RHEL-7 * Wed Dec 11 2019 David Sommerseth - 7-0.beta1 - Packaging of the openvpn3-linux-7_beta release - Corrected incorrect packaging of openvpn3-autoload.service file * Fri May 24 2019 David Sommerseth - 6-0.beta1 - Packaging of the openvpn3-linux-6_beta release - This moves over to OpenSSL 1.1 on distributions providing that * Wed Apr 3 2019 David Sommerseth - 5-0.beta1 - Packaging of openvpn3-linux-5_beta release - This release swaps out mbed TLS with OpenSSL - Moving up to Python 3.6 dependency for RHEL 7 * Wed Mar 6 2019 David Sommerseth - 4-0.beta2 - Added missing packaging of /var/lib/openvpn3/configs dir * Fri Mar 1 2019 David Sommerseth - 4-0.beta1 - Packaging of openvpn3-linux-4_beta release * Thu Jan 31 2019 David Sommerseth - 3-0.beta1 - Packaging of openvpn3-linux-3_beta release * Wed Jan 30 2019 David Sommerseth - 2-0.beta1 - Packaging of openvpn3-linux-2_beta release * Sat Dec 8 2018 David Sommerseth - 1-0.beta1 - First openvpn3-linux-1_beta release