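# RPM packaging for OpenVPN 3 Linux: a base package plus client, devel,
# optional AWS and device-posture add-ons, and an SELinux policy sub-package.
# The upstream tarball's detached signature is checked in the prep section
# before anything is unpacked.

# Package the SELinux policy
%bcond_without selinux
%global selinuxtype targeted

# Optional features; each one is built unless it is switched off with the
# matching --without option when rpmbuild is invoked.
%bcond_without aws
%bcond_without devposture
%bcond_without dco
%bcond_without unittests

# Version/release suffixes, disabled here.  The doubled percent sign keeps
# rpm from expanding the macro inside the comment.  Presumably used for
# development snapshots (compare the 22-1.dev1 changelog entry).
#%%define versiontag _dev
#%%define releasetag .dev1

# Request the distribution's hardened compiler and linker flags.
%global _hardened_build 1
%global _vpath_srcdir %{name}-linux-%{version}%{?versiontag}

Name:     openvpn3
Version:  23
Release:  1%{?releasetag}%{?dist}
Summary:  OpenVPN 3 - TLS based VPN
License:  AGPLv3
URL:      https://codeberg.org/OpenVPN/openvpn3-linux/
# Source1 is the detached signature for Source0; Source2 is the keyring the
# signature is checked against.  The keyring travels with the package
# sources, so the check is only as trustworthy as that file: its name
# appears to carry the signing key's fingerprint, which should be confirmed
# out of band whenever the keyring is added or replaced.
Source0:  https://swupdate.openvpn.net/community/releases/openvpn3-linux-%{version}%{?versiontag}.tar.xz
Source1:  https://swupdate.openvpn.net/community/releases/openvpn3-linux-%{version}%{?versiontag}.tar.xz.asc
Source2:  gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Patch0:   fedora-crypto-policy-compliance.patch
Vendor:   OpenVPN Inc

# Currently the code is not buildable on 32-bit architectures
ExcludeArch: armv7hl i686

BuildRequires:  meson
# Provides gpgv2, which the prep section runs to verify the tarball
# signature; without it a minimal build root cannot perform the check.
BuildRequires:  gnupg2
BuildRequires:  dbus-devel
BuildRequires:  glib2-devel
BuildRequires:  gdbuspp-devel >= 2
BuildRequires:  jsoncpp-devel
BuildRequires:  libcap-ng-devel
BuildRequires:  libuuid-devel
BuildRequires:  lz4-devel
BuildRequires:  openssl-devel
BuildRequires:  systemd
BuildRequires:  systemd-devel
BuildRequires:  zlib-devel
%if 0%{?rhel} == 8
# We're currently having tinyxml2-7.0.0 in the Fedora Copr
# repo which we want to avoid.  tinyxml2-6.0.0 is available
# via the CodeReady repository; use that instead
# NOTE(review): the bound below still admits 7.0.0 and 7.0.1; confirm it
# excludes the Copr build as intended.
BuildRequires:  tinyxml2-devel < 7.0.2
%else
BuildRequires:  tinyxml2-devel
%endif
BuildRequires:  gcc-c++
BuildRequires:  python3-dbus
BuildRequires:  python3-devel
BuildRequires:  python3-docutils
Requires:       python3-gobject-base
BuildRequires:  python3-jinja2
Requires:       python3-systemd
Requires:       dbus
Requires:       gdbuspp >= 2
Requires:       polkit
Requires:       python(abi) >= 3.6

# DCO support dependencies
%if %{with dco}
BuildRequires:  libnl3-devel
BuildRequires:  protobuf-compiler
BuildRequires:  protobuf-devel
# Weak dependency only: the kernel module is suggested, not required.
Recommends:     kmod-ovpn-dco >= 0.2
%endif
# End - DCO support deps

# When the SELinux policy is packaged, the base package requires it, so the
# services are never installed without their policy module.
%if %{with selinux}
Requires: %{name}-selinux >= %{version}-%{release}
%endif

%description
Next generation OpenVPN client, targeting modern Linux distributions.
OpenVPN 3 aims to be protocol compatible with the older OpenVPN 2.x
releases, but may not support all features of OpenVPN 2.x.

%package devel
Summary:   Development headers for OpenVPN 3 Linux
BuildArch: noarch

%description devel
Contains generated C header file needed to have correct mapping of
constants used by OpenVPN 3 Linux.

%package client
Summary:   OpenVPN 3 Client, TLS based VPN client
Requires:  %{name}%{?_isa} = %{version}-%{release}

%description client
OpenVPN 3 Client components.  Provides the binaries and D-Bus services
required to initiate and manage VPN client configuration profiles.

# openvpn3-addon-aws sub-package
%if %{with aws}
%package addon-aws
Summary:   OpenVPN 3 Linux AWS VPC integration support

%description addon-aws
This OpenVPN 3 Linux add-on will push VPN routes to the AWS VPC to
enable hosts inside the related VPC to utilize the VPN setup.
%endif

%if %{with devposture}
%package addon-devposture
Summary:   OpenVPN 3 Linux Device Posture support

%description addon-devposture
This OpenVPN 3 Linux add-on enables clients to run certain checks
locally during the connection phase.  Which checks is run is defined
by a device posture protocol definition.  This feature is not enabled
by default, but need to be explicitly enabled in the configuration
profile by setting the appropriate Enterprise Profile.

%package dpc-openvpninc
Summary:   Device Posture profile for OpenVPN Inc service
BuildArch: noarch

%description dpc-openvpninc
This contains the 'openvpninc' Device Posture Enterprise Profile used by
Cloud Connexa and OpenVPN Access Server
%endif

# SELinux sub-package
%if %{with selinux}
%package selinux
Summary:        OpenVPN 3 Linux SELinux policy
BuildArch:      noarch
BuildRequires:  selinux-policy-devel
Requires:       selinux-policy-%{selinuxtype}
%{?selinux_requires}

%description selinux
Additional SELinux policy required for OpenVPN 3 Linux to function when
SELinux is active.
%endif

%prep
# Verify the detached signature (Source1) of the tarball (Source0) against
# the packaged keyring (Source2) before anything is unpacked.  gpgv2 exits
# non-zero on a bad or missing signature; rpm runs build scripts with
# errexit by default, so a failed check stops the build here.
gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
# Unpack into a freshly created directory without applying patches; the
# crypto-policy patch is applied below only on RHEL newer than 8 and Fedora
# newer than 31.  NOTE(review): on older releases the build therefore keeps
# upstream's own cipher-list initialisation; confirm that is still intended.
%autosetup -c -N
%if 0%{?rhel} > 8 || 0%{?fedora} > 31
pushd %{name}-linux-%{version}%{?versiontag}
%autopatch -p1
popd
%endif

%build
# On Fedora newer than 39, pass -Dwerror=false to meson.
%if 0%{?fedora} > 39
%global nowerror -Dwerror=false
%endif
# Each optional feature is enabled only when its build condition is set.
%meson -Dtest_programs=disabled -Dbash-completion=enabled \
       %{?with_unittests:-Dunit_tests=enabled} \
       %{?with_selinux:-Dselinux_policy=enabled} \
       %{?with_dco:-Ddco=enabled} \
       %{?nowerror} \
       %{?with_aws:-Daddon-aws=enabled} \
       %{?with_devposture:-Daddon-deviceposture=enabled}
%meson_build

%check
# Run the meson test suites except those named dbus and post-install.
%meson_test --no-suite dbus --no-suite post-install
printf '\n\n\n\ ---------- Unit tests ----------\n'
# Exclude PlatformInfo.DBus; it requires D-Bus available
# NOTE(review): the unit-tests binary is run regardless of the unittests
# build condition; confirm it is still built when that condition is off.
pushd %{_vpath_builddir}
src/tests/unit/unit-tests --gtest_filter=-PlatformInfo.DBus
src/tests/logevent-selftest
# Smoke test: each freshly built binary must start and report its version.
printf '\n\n\n -------- Version checks --------\n'
src/client/openvpn3-service-backendstart --version
src/client/openvpn3-service-client --version
src/netcfg/openvpn3-service-netcfg --version
#src/sessionmgr/openvpn3-service-sessionmgr --version
#src/sessionmgr/openvpn3-service-configmgr --version
%{python3} -c "from src.python.openvpn3.constants import VERSION; print('Python constants version: {ver}'.format(ver=VERSION))"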
# Tail of the check section: print the versions reported by the two
# command-line front-ends, then leave the build directory entered earlier.
src/ovpn3cli/openvpn3 version
src/ovpn3cli/openvpn3-admin version
printf '\n\n'
popd

%install
# Start from an empty build root, then let meson install into it.
rm -rf $RPM_BUILD_ROOT
%meson_install
# Directories the files list claims but the meson install is not relied on
# to create: the autoload configuration directory and the state directory.
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/autoload
mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
# Prepare some docs for the -devel sub-package
mkdir -p %{buildroot}/%{_pkgdocdir}-devel
mv -v %{buildroot}/%{_pkgdocdir}/dbus %{buildroot}/%{_pkgdocdir}-devel/
%if %{with devposture}
# Give the two device-posture sub-packages their own documentation
# directories: the profile format description is moved, the copyright
# notice is copied.
mkdir -p %{buildroot}/%{_pkgdocdir}-addon-devposture \
         %{buildroot}/%{_pkgdocdir}-dpc-openvpninc
mv -v %{buildroot}/%{_pkgdocdir}/device-posture/profile-format.md %{buildroot}/%{_pkgdocdir}-addon-devposture
cp -v %{buildroot}/%{_pkgdocdir}/COPYRIGHT.md %{buildroot}/%{_pkgdocdir}-dpc-openvpninc
%endif

%pre
# Ensure we have openvpn user and group accounts
# Both are created as system accounts (-r) only when missing; the user gets
# no login shell and the package state directory as its home.  The final
# exit 0 keeps a failure here from aborting the transaction.
getent group openvpn &>/dev/null || groupadd -r openvpn
getent passwd openvpn &>/dev/null || \
    /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
    -d %{_sharedstatedir}/%{name} openvpn
exit 0

%post
# Run the init-config step after installation and append its output to a
# log file.  The exit code recorded on the last line is that of the
# init-config command, and the scriptlet itself always exits 0, so a
# failure is only visible in the log.
#
# NOTE(review): this scriptlet runs as root but appends to a file inside
# the state directory, which the files list assigns to the openvpn account
# (mode 750, owner openvpn).  A process running as that account could
# pre-create the log path as a symlink, and root would then append to the
# link target.  Consider logging to a root-owned location, or declining to
# write when the path is not a regular file.
LOGDEST="%{_sharedstatedir}/%{name}/openvpn3-init-config.log"
echo "" >> "$LOGDEST"
echo "** openvpn3-admin init-config start -- `date`" >> "$LOGDEST"
%{_sbindir}/openvpn3-admin version >> "$LOGDEST" 2>&1
%{_sbindir}/openvpn3-admin init-config --write-configs >> "$LOGDEST" 2>&1
echo "** openvpn3-admin init-config done (exit-code: $?)" >> "$LOGDEST"
exit 0

%preun

#
# SELinux sub-package
#
%if %{with selinux}
%post selinux
# Install SELinux policy
# Two modules are loaded into the policy store selected by selinuxtype: the
# main module and the service module.
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}.pp.bz2
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}_service.pp.bz2

# Enable the dbus_access_tuntap_device SELinux boolean.
# This is needed to make it possible for the netcfg service
# to pass the file descriptor to tun devices it has created
# and configured.
# Last step of the SELinux post-install scriptlet: switch on the
# dbus_access_tuntap_device boolean in the selected policy store.
# NOTE(review): this is a policy boolean rather than something private to
# this package, so enabling it presumably changes tun/tap access for the
# D-Bus domain system-wide; verify the scope against the installed policy.
%selinux_set_booleans -s %{selinuxtype} dbus_access_tuntap_device=1

%postun selinux
# Unset dbus_access_tuntap_device SELinux boolean and uninstall the policy
# NOTE(review): there is no explicit check of $1 here, so this scriptlet is
# also executed when the package is upgraded.  Confirm against the
# selinux-policy macro definitions that the macros guard against removing
# the policy on upgrade, and that the uninstall macro accepts a package
# path as given here rather than a bare module name.
%selinux_unset_booleans -s %{selinuxtype} dbus_access_tuntap_device=1
%selinux_modules_uninstall -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}.pp.bz2
%selinux_modules_uninstall -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}_service.pp.bz2
%endif

%files
# D-Bus bus policy for the base services.  Marked noreplace so that a
# locally edited policy is kept on upgrade; a tightened policy shipped by a
# newer package will then not take effect until the files are merged.
%config(noreplace) %{_datarootdir}/dbus-1/system.d/net.openvpn.v3.conf
%config(noreplace) %{_datarootdir}/dbus-1/system.d/net.openvpn.v3.configuration.conf
%config(noreplace) %{_datarootdir}/dbus-1/system.d/net.openvpn.v3.log.conf
%config(noreplace) %{_datarootdir}/dbus-1/system.d/net.openvpn.v3.netcfg.conf
%config %dir %{_sysconfdir}/%{name}
%config %dir %{_sysconfdir}/%{name}/autoload
# Service binaries, the autoload unit and the command-line front-ends.
%{_libexecdir}/openvpn3-linux/openvpn3-service-log
%{_libexecdir}/openvpn3-linux/openvpn3-service-configmgr
%{_libexecdir}/openvpn3-linux/openvpn3-service-netcfg
%{_unitdir}/openvpn3-autoload.service
%{_bindir}/openvpn3
%{_sbindir}/openvpn3-admin
%{python3_sitelib}/openvpn3/*.py
%{python3_sitelib}/openvpn3/__pycache__/*
%{_datarootdir}/bash-completion/completions/openvpn*
# D-Bus activation files and the polkit rules for the services.
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.configuration.service
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.log.service
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.netcfg.service
%{_datarootdir}/polkit-1/rules.d/net.openvpn.v3.rules
# State directories: owned by the openvpn account, group may read and
# traverse, no access for anyone else.
%dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name}
%dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name}/configs
# Owned by the package but not shipped in it; presumably written by the
# init-config step in the post-install scriptlet.
%ghost %config(noreplace) %{_sharedstatedir}/%{name}/log-service.json
%ghost %config(noreplace) %{_sharedstatedir}/%{name}/netcfg.json
%{_pkgdocdir}/COPYRIGHT.md
%{_pkgdocdir}/README.md
%{_pkgdocdir}/QUICK-START.md
%{_mandir}/man7/openvpn3-linux.7*
%{_mandir}/man1/openvpn3.1*
%{_mandir}/man1/openvpn3-config*.1*
%{_mandir}/man1/openvpn3-log.1*
%{_mandir}/man1/openvpn3-session*.1*
# Remaining manual pages of the base package.
%{_mandir}/man8/openvpn3-admin*.8*
%{_mandir}/man8/openvpn3-autoload.8*
%{_mandir}/man8/openvpn3-service-log.8*
%{_mandir}/man8/openvpn3-service-configmgr.8*
%{_mandir}/man8/openvpn3-service-netcfg.8*

%files devel
%{_pkgdocdir}-devel/
%{_includedir}/openvpn3

%files client
# D-Bus bus policy for the client-side services, kept on upgrade when
# locally modified.
%config(noreplace) %{_datarootdir}/dbus-1/system.d/net.openvpn.v3.backends.conf
%config(noreplace) %{_datarootdir}/dbus-1/system.d/net.openvpn.v3.client.conf
%config(noreplace) %{_datarootdir}/dbus-1/system.d/net.openvpn.v3.sessions.conf
%{_bindir}/openvpn2
%{_bindir}/openvpn3-as
%{_sbindir}/openvpn3-autoload
%{_libexecdir}/openvpn3-linux/openvpn3-service-backendstart
%{_libexecdir}/openvpn3-linux/openvpn3-service-client
%{_libexecdir}/openvpn3-linux/openvpn3-service-sessionmgr
%{_libexecdir}/openvpn3-linux/openvpn3-systemd
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.backends.service
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.sessions.service
%{_unitdir}/openvpn3-session@.service
%{_mandir}/man1/openvpn2.1*
%{_mandir}/man1/openvpn3-as.1*
%{_mandir}/man8/openvpn3-service-backendstart.8*
%{_mandir}/man8/openvpn3-service-client.8*
%{_mandir}/man8/openvpn3-service-sessionmgr.8*
%{_mandir}/man8/openvpn3-systemd.8*

%if %{with aws}
%files addon-aws
%config(noreplace) %{_datarootdir}/dbus-1/system.d/net.openvpn.v3.aws.conf
%{_libexecdir}/openvpn3-linux/openvpn3-service-aws
%{_unitdir}/openvpn3-aws.service
%{_mandir}/man8/openvpn3-service-aws.8*
# NOTE(review): per the changelog this directory holds AWS region
# certificates.  It is not marked as config, so an upgrade replaces its
# contents with the packaged ones; confirm that local changes to these
# trust anchors are not expected to survive.
%{_sysconfdir}/%{name}/awscerts
%endif

%if %{with devposture}
%files addon-devposture
%config(noreplace) %{_datarootdir}/dbus-1/system.d/net.openvpn.v3.devposture.conf
%{_libexecdir}/openvpn3-linux/openvpn3-service-devposture
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.devposture.service
%{_mandir}/man8/openvpn3-service-devposture.8*
# NOTE(review): the profile directories are owned by, and writable for, the
# openvpn account.  According to the package description the profiles
# define which local checks are run, so anything running as that account
# could add or replace profiles; confirm this ownership is required.
%dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name}/deviceposture
%dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name}/deviceposture/profiles
# Rest of the device-posture add-on file list: the example profiles and the
# profile format description.  No attr is given, so these files get the
# default ownership rather than that of the surrounding directory.
%{_sharedstatedir}/%{name}/deviceposture/profiles/example*.json
%{_pkgdocdir}-addon-devposture/profile-format.md

%files dpc-openvpninc
%{_pkgdocdir}-dpc-openvpninc/COPYRIGHT.md
%{_sharedstatedir}/%{name}/deviceposture/profiles/openvpninc.json
%endif

%if %{with selinux}
%files selinux
# The compiled policy modules, plus ghost entries for their locations in
# the policy store at priority 200.  Ghost entries are owned by the package
# without being shipped in it; they are presumably created when the post
# scriptlet installs the modules.
%{_datadir}/selinux/packages/%{name}.pp.*
%{_datadir}/selinux/packages/%{name}_service.pp.*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}_service
%endif

%changelog
* Wed Aug 28 2024 David Sommerseth - 23-1
- Release of OpenVPN 3 Linux v23

* Mon Jun 17 2024 David Sommerseth - 22-1.dev1
- Release of OpenVPN 3 Linux v22_dev

* Mon Oct 16 2023 David Sommerseth - 21-3
- Don't depend on tinyxml2-7.0.0 on RHEL-8; use tinyxml2-6 from CodeReady repos

* Mon Oct 9 2023 David Sommerseth - 21-2
- Build using devtoolset-11

* Fri Sep 22 2023 David Sommerseth - 21-1
- Package the openvpn3-linux-21 stable release

* Fri Apr 21 2023 David Sommerseth - 20-2
- Packaging fix only
- Recommend kmod-ovpn-dco < 0.2 - openvpn3 v20 is not ready for newer kmod-ovpn-dco versions yet
- Improved descriptions

* Mon Mar 20 2023 David Sommerseth - 20-1
- Package the openvpn3-linux-20 stable release

* Fri Oct 28 2022 David Sommerseth - 19-1.beta
- Package the openvpn3-linux-19_beta release

* Tue Jun 7 2022 David Sommerseth - 18-1.beta
- Package the openvpn3-linux-18_beta release
- D-Bus policies has been relocated to %%{_datarootdir}/dbus-1/system.d

* Mon Dec 13 2021 David Sommerseth - 17-2.beta1
- Package the openvpn3-linux-17_beta release
- Build EPEL-7 using devtoolset-10

* Tue Oct 19 2021 David Sommerseth - 16-1.beta1
- Package openvpn3-linux-16_beta release
- Include packaging of the new openvpn3-systemd integration

* Wed Jul 14 2021 David Sommerseth - 15-1.beta1
- Package openvpn3-linux-15_beta release

* Wed Jul 14 2021 David Sommerseth - 15-0.beta1
- Package openvpn3-linux-15_beta release

* Wed Jul 7 2021 David Sommerseth - 14-0.beta1
- Package openvpn3-linux-14_beta release

* Sat Dec 5 2020 David Sommerseth - 13-0.beta1
- Package openvpn3-linux-13_beta release

* Mon Nov 16 2020 David Sommerseth - 12-0.beta1
- Package openvpn3-linux-12_beta release

* Fri Oct 30 2020 David Sommerseth - 11-0.beta1
- Package openvpn3-linux-11_beta release
- Enable building with DCO support on Fedora and EL-8
- Ensure D-Bus policies are packaged in the proper sub-package, not all in the main package.
- Ensure openvpn3 man pages are in the proper sub-package

* Sat Jul 25 2020 David Sommerseth - 10-0.beta1
- Package openvpn3-linux-10_beta release
- Move openvpn3 binary from -client to the base package
- Install bash-completions for openvpn2 in addition
- Install additional AWS region certificates in sysconfdir (openvpn3-addon-aws)
- Build RHEL-7 packages with -std=c++1y

* Tue Apr 28 2020 David Sommerseth - 9-6.beta1
- Add explicit dependency on python3-gobject-base

* Tue Apr 28 2020 David Sommerseth - 9-5.beta1
- Add explicit dependency on python3-dbus

* Tue Apr 28 2020 David Sommerseth - 9-4.beta1
- Make use of the %%{selinux_requires} macro for SELinux dependency handling in the -selinux sub-package

* Tue Apr 28 2020 David Sommerseth - 9-3.beta1
- Fix various openvpn3-selinux dependency related issues

* Sat Apr 25 2020 David Sommerseth - 9-2.beta1
- Remove the Fedora packaging OpenSSL compliance patch on all distro releases older than Fedora 32

* Thu Apr 23 2020 David Sommerseth - 9-1.beta1
- Packaging of the openvpn3-linux-9_beta release
- Reworked sub-packaging slightly, use proper bcond macros
- Added the new openvpn3-addon-aws sub-package

* Thu Feb 20 2020 David Sommerseth - 8-2.beta1
- Package SELinux policy in a separate package

* Thu Feb 20 2020 David Sommerseth - 8-1.beta1
- Adhere to Fedora Crypto Policy, using PROFILE=SYSTEM for cipher list init

* Mon Feb 10 2020 David Sommerseth - 8-0.beta1
- Packaging of the openvpn3-linux-8_beta release
- Added additional compiler flags specific for RHEL-7

* Wed Dec 11 2019 David Sommerseth - 7-0.beta1
- Packaging of the openvpn3-linux-7_beta release
- Corrected incorrect packaging of openvpn3-autoload.service file

* Fri May 24 2019 David Sommerseth - 6-0.beta1
- Packaging of the openvpn3-linux-6_beta release
- This moves over to OpenSSL 1.1 on distributions providing that

* Wed Apr 3 2019 David Sommerseth - 5-0.beta1
- Packaging of openvpn3-linux-5_beta release
- This release swaps out mbed TLS with OpenSSL
- Moving up to Python 3.6 dependency for RHEL 7

* Wed Mar 6 2019 David Sommerseth - 4-0.beta2
- Added missing packaging of /var/lib/openvpn3/configs dir

* Fri Mar 1 2019 David Sommerseth - 4-0.beta1
- Packaging of openvpn3-linux-4_beta release

* Thu Jan 31 2019 David Sommerseth - 3-0.beta1
- Packaging of openvpn3-linux-3_beta release

* Wed Jan 30 2019 David Sommerseth - 2-0.beta1
- Packaging of openvpn3-linux-2_beta release

* Sat Dec 8 2018 David Sommerseth - 1-0.beta1
- First openvpn3-linux-1_beta release