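# RPM spec for OpenVPN 3 Linux: builds the core package plus the -devel,
# -client, -addon-aws, -addon-devposture, -dpc-openvpninc and -selinux
# sub-packages from the signed upstream release tarball.

# Package the SELinux policy
%bcond_without selinux
%global selinuxtype targeted

# Optional features; all are enabled unless the build passes --without <name>
%bcond_without aws
%bcond_without devposture
%bcond_without dco
%bcond_without unittests

# All upstream version numbers are unique, but they may
# have a "release tag" (_dev, _beta, _qa) after the version
# number, indicating various degrees of non-stable releases.
# Stable releases do not have such a tag - thus not enabled
# on stable release builds.
# For non-stable builds, the version comparison can get
# confused by these additional tags.  The RPM packaging
# moves these release tags after the RPM Release
# number instead.
#
#%%define versiontag _dev
#%%define releasetag .dev1

%global _hardened_build 1
%global _vpath_srcdir %{name}-linux-%{version}%{?versiontag}

Name:           openvpn3
Version:        24
Release:        1%{?releasetag}%{?dist}
Summary:        OpenVPN 3 - TLS based VPN
License:        AGPL-3.0-only
URL:            https://codeberg.org/OpenVPN/openvpn3-linux/
# Source1 is the detached signature over Source0 and Source2 is the keyring
# it is checked against in %%prep.  The keyring file name embeds what looks
# like the signing key fingerprint; compare it with the fingerprint upstream
# publishes whenever the keyring is refreshed.
Source0:        https://swupdate.openvpn.net/community/releases/openvpn3-linux-%{version}%{?versiontag}.tar.xz
Source1:        https://swupdate.openvpn.net/community/releases/openvpn3-linux-%{version}%{?versiontag}.tar.xz.asc
Source2:        gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Patch0:         fedora-crypto-policy-compliance.patch
Vendor:         OpenVPN Inc

# Code is not buildable on 32-bit architectures
ExcludeArch:    armv7hl i686

BuildRequires:  meson
BuildRequires:  gcc-c++
# The signature verification in %%prep needs gnupg2 in the buildroot; state
# the dependency explicitly so the check never depends on what else happens
# to pull it in.
BuildRequires:  gnupg2
BuildRequires:  dbus-devel
BuildRequires:  glib2-devel
BuildRequires:  gdbuspp-devel >= 2
BuildRequires:  jsoncpp-devel
BuildRequires:  libcap-ng-devel
BuildRequires:  libuuid-devel
BuildRequires:  lz4-devel
BuildRequires:  openssl-devel
BuildRequires:  systemd
BuildRequires:  systemd-devel
BuildRequires:  zlib-devel
BuildRequires:  python3-dbus
BuildRequires:  python3-devel
BuildRequires:  python3-docutils
BuildRequires:  python3-jinja2
%if 0%{?rhel} == 8
# We're currently having tinyxml2-7.0.0 in the Fedora Copr
# repo which we want to avoid.  tinyxml2-6.0.0 is available
# via the CodeReady repository; use that instead
BuildRequires:  tinyxml2-devel < 7.0.2
%else
BuildRequires:  tinyxml2-devel
%endif

# DCO support dependencies
%if %{with dco}
BuildRequires:  libnl3-devel
BuildRequires:  protobuf-compiler
BuildRequires:  protobuf-devel
Recommends:     kmod-ovpn-dco >= 0.2
%endif
# End - DCO support deps

Requires:       dbus
Requires:       gdbuspp >= 2
Requires:       polkit
Requires:       python(abi) >= 3.6
Requires:       python3-gobject-base
Requires:       python3-systemd
# The %%pre scriptlet calls groupadd/useradd; without this ordering hint the
# account creation can silently fail (the scriptlet always exits 0) and the
# openvpn-owned directories in %%files would not get their intended owner.
Requires(pre):  shadow-utils
%if %{with selinux}
Requires:       %{name}-selinux >= %{version}-%{release}
%endif

%description
Next generation OpenVPN client, targeting modern Linux distributions.
OpenVPN 3 aims to be protocol compatible with the older OpenVPN 2.x
releases, but may not support all features of OpenVPN 2.x.

%package devel
Summary:        Development headers for OpenVPN 3 Linux
BuildArch:      noarch

%description devel
Contains generated C header file needed to have correct mapping of
constants used by OpenVPN 3 Linux.

%package client
Summary:        OpenVPN 3 Client, TLS based VPN client
Requires:       %{name}%{?_isa} = %{version}-%{release}

%description client
OpenVPN 3 Client components.  Provides the binaries and D-Bus services
required to initiate and manage VPN client configuration profiles.

# openvpn3-addon-aws sub-package
%if %{with aws}
%package addon-aws
Summary:        OpenVPN 3 Linux AWS VPC integration support
Requires:       %{name}-client

%description addon-aws
This OpenVPN 3 Linux add-on will push VPN routes to the AWS VPC to
enable hosts inside the related VPC to utilize the VPN setup.
%endif

%if %{with devposture}
%package addon-devposture
Summary:        OpenVPN 3 Linux Device Posture support
Requires:       %{name}-client

%description addon-devposture
This OpenVPN 3 Linux add-on enables clients to run certain checks
locally during the connection phase.  Which checks is run is defined
by a device posture protocol definition.  This feature is not enabled
by default, but need to be explicitly enabled in the configuration
profile by setting the appropriate Enterprise Profile.

%package dpc-openvpninc
Summary:        Device Posture profile for OpenVPN Inc service
BuildArch:      noarch
Requires:       %{name}-addon-devposture

%description dpc-openvpninc
This contains the 'openvpninc' Device Posture Enterprise Profile
used by Cloud Connexa and OpenVPN Access Server
%endif

# SELinux sub-package
%if %{with selinux}
%package selinux
Summary:        OpenVPN 3 Linux SELinux policy
BuildArch:      noarch
BuildRequires:  selinux-policy-devel
Requires:       %{name}
Requires:       selinux-policy-%{selinuxtype}
%{?selinux_requires}

%description selinux
Additional SELinux policy required for OpenVPN 3 Linux to function
when SELinux is active.
%endif


%prep
# Check the detached signature over the tarball against the packaged keyring
# before anything is unpacked; a verification failure aborts the build.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
# -N: unpack only; patches are applied conditionally below
%autosetup -c -N

# The Fedora Crypto Policy Patch will only apply on
# Fedora and RHEL-9 and newer
%if 0%{?rhel} > 8 || 0%{?fedora} > 31
pushd %{name}-linux-%{version}%{?versiontag}
%autopatch -p1
popd
%endif


%build
# Each optional meson feature is switched on only when its bcond is active
%meson -Dtest_programs=disabled -Dbash-completion=enabled \
       %{?with_unittests:-Dunit_tests=enabled} \
       %{?with_selinux:-Dselinux_policy=enabled} \
       %{?with_dco:-Ddco=enabled} \
       %{?with_aws:-Daddon-aws=enabled} \
       %{?with_devposture:-Daddon-deviceposture=enabled}
%meson_build


%check
# The dbus and post-install suites are skipped in the build environment
%meson_test --no-suite dbus --no-suite post-install

printf '\n\n\n\ ---------- Unit tests ----------\n'
# Exclude PlatformInfo.DBus; it requires D-Bus available
pushd %{_vpath_builddir}
src/tests/unit/unit-tests --gtest_filter=-PlatformInfo.DBus
src/tests/logevent-selftest

# Smoke test: every built front-end and service must at least report its version
printf '\n\n\n -------- Version checks --------\n'
src/client/openvpn3-service-backendstart --version
src/client/openvpn3-service-client --version
src/netcfg/openvpn3-service-netcfg --version
%{python3} -c "from src.python.openvpn3.constants import VERSION; print('Python constants version: {ver}'.format(ver=VERSION))"
src/ovpn3cli/openvpn3 version
src/ovpn3cli/openvpn3-admin version
printf '\n\n'
popd


%install
%meson_install
mkdir -p %{buildroot}%{_sharedstatedir}/%{name}

# Installed by default via meson.build; this is
# handled via %%license in the %%files section instead
rm -f %{buildroot}/%{_pkgdocdir}/COPYRIGHT.md

# Remove openvpn3-autoload and related files; this feature
# is deprecated by upstream and will be removed in a later release.
# No reason to expose Fedora users to this feature when it
# will be removed anyway
rm -f %{buildroot}/%{_unitdir}/openvpn3-autoload.service \
      %{buildroot}/%{_mandir}/man8/openvpn3-autoload.8* \
      %{buildroot}/%{_sbindir}/openvpn3-autoload

# Prepare some docs for the -devel sub-package
mkdir -p %{buildroot}/%{_pkgdocdir}-devel
mv -v %{buildroot}/%{_pkgdocdir}/dbus %{buildroot}/%{_pkgdocdir}-devel/

%if %{with devposture}
mkdir -p %{buildroot}/%{_pkgdocdir}-addon-devposture \
         %{buildroot}/%{_pkgdocdir}-dpc-openvpninc
mv -v %{buildroot}/%{_pkgdocdir}/device-posture/profile-format.md %{buildroot}/%{_pkgdocdir}-addon-devposture
%endif


%pre
# Ensure we have openvpn user and group accounts.  The account is a system
# account with a nologin shell; its home is the package state directory.
getent group openvpn &>/dev/null || groupadd -r openvpn
getent passwd openvpn &>/dev/null || \
    /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
    -d %{_sharedstatedir}/%{name} openvpn
exit 0


%post
# NOTE(review): the unit packaged in addon-aws is openvpn3-aws.service, not a
# template, and it belongs to that sub-package; confirm whether the aws
# scriptlet lines here and below should move to addon-aws scriptlets.
%systemd_post openvpn3-session@*.service
%systemd_post openvpn3-aws@*.service

# NOTE(review): this scriptlet runs as root but appends to a log file inside
# the state directory that the files list hands to the unprivileged openvpn
# account (mode 750).  A root process writing into a directory controlled by
# a less privileged account can be redirected through a pre-existing symlink;
# consider a root-owned log location.  Confirm with upstream before moving
# it, in case other tooling reads this path.
LOGDEST="%{_sharedstatedir}/%{name}/openvpn3-init-config.log"
echo "" >> "$LOGDEST"
echo "** openvpn3-admin init-config start -- `date`" >> "$LOGDEST"
%{_sbindir}/openvpn3-admin version >> "$LOGDEST" 2>&1
%{_sbindir}/openvpn3-admin init-config --write-configs >> "$LOGDEST" 2>&1
# $? below is the exit status of the init-config call directly above
echo "** openvpn3-admin init-config done (exit-code: $?)" >> "$LOGDEST"
# Never fail the transaction because of the best-effort configuration step
exit 0


%preun
# Fixed: this scriptlet previously invoked the post-install macro; on package
# removal the pre-uninstall macro is the one that disables and stops the units.
%systemd_preun openvpn3-session@*.service
%systemd_preun openvpn3-aws@*.service


%postun
%systemd_postun openvpn3-session@*.service
%systemd_postun_with_restart openvpn3-aws@*.service


#
# SELinux sub-package
#
%if %{with selinux}
%post selinux
# Install SELinux policy
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}.pp.bz2
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}_service.pp.bz2

# Enable the dbus_access_tuntap_device SELinux boolean.
# This is needed to make it possible for the netcfg service
# to pass the file descriptor to tun devices it has created
# and configured.
%selinux_set_booleans -s %{selinuxtype} dbus_access_tuntap_device=1

%postun selinux
# Unset dbus_access_tuntap_device SELinux boolean and uninstall the policy
%selinux_unset_booleans -s %{selinuxtype} dbus_access_tuntap_device=1
# Only remove the modules on final erase ($1 == 0).  On an upgrade this
# scriptlet runs after the new package's post-install scriptlet, so an
# unguarded uninstall would remove the policy that was just installed.
# NOTE(review): the uninstall macro is documented to take module names
# (here they would be the package name and the package name with a _service
# suffix, matching the ghost entries in the selinux files list) rather than
# paths to the .pp.bz2 files; confirm these invocations actually remove the
# modules.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}.pp.bz2
    %selinux_modules_uninstall -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}_service.pp.bz2
fi
%endif


%files
%license %{name}-linux-%{version}/COPYRIGHT.md
%{_datarootdir}/dbus-1/system.d/net.openvpn.v3.conf
%{_datarootdir}/dbus-1/system.d/net.openvpn.v3.configuration.conf
%{_datarootdir}/dbus-1/system.d/net.openvpn.v3.log.conf
%{_datarootdir}/dbus-1/system.d/net.openvpn.v3.netcfg.conf
%config %dir %{_sysconfdir}/%{name}
%{_libexecdir}/openvpn3-linux/openvpn3-service-log
%{_libexecdir}/openvpn3-linux/openvpn3-service-configmgr
%{_libexecdir}/openvpn3-linux/openvpn3-service-netcfg
%{_bindir}/openvpn3
%{_sbindir}/openvpn3-admin
%{python3_sitelib}/openvpn3/*.py
%{python3_sitelib}/openvpn3/__pycache__/*
%{_datarootdir}/bash-completion/completions/openvpn*
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.configuration.service
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.log.service
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.netcfg.service
%{_datarootdir}/polkit-1/rules.d/net.openvpn.v3.rules
# State directories are owned by the openvpn account and closed to "other"
%dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name}
%dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name}/configs
# Listed as ghosts: owned by the package but not shipped in the payload
%ghost %{_sharedstatedir}/%{name}/log-service.json
%ghost %{_sharedstatedir}/%{name}/netcfg.json
%{_pkgdocdir}/README.md
%{_pkgdocdir}/QUICK-START.md
%{_mandir}/man7/openvpn3-linux.7*
%{_mandir}/man1/openvpn3.1*
%{_mandir}/man1/openvpn3-config*.1*
%{_mandir}/man1/openvpn3-log.1*
%{_mandir}/man1/openvpn3-session*.1*
%{_mandir}/man8/openvpn3-admin*.8*
%{_mandir}/man8/openvpn3-service-log.8*
%{_mandir}/man8/openvpn3-service-configmgr.8*
%{_mandir}/man8/openvpn3-service-netcfg.8*

%files devel
%{_pkgdocdir}-devel/
%{_includedir}/openvpn3

%files client
%{_datarootdir}/dbus-1/system.d/net.openvpn.v3.backends.conf
%{_datarootdir}/dbus-1/system.d/net.openvpn.v3.client.conf
%{_datarootdir}/dbus-1/system.d/net.openvpn.v3.sessions.conf
%{_bindir}/openvpn2
%{_bindir}/openvpn3-as
%{_libexecdir}/openvpn3-linux/openvpn3-service-backendstart
%{_libexecdir}/openvpn3-linux/openvpn3-service-client
%{_libexecdir}/openvpn3-linux/openvpn3-service-sessionmgr
%{_libexecdir}/openvpn3-linux/openvpn3-systemd
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.backends.service
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.sessions.service
%{_unitdir}/openvpn3-session@.service
%{_mandir}/man1/openvpn2.1*
%{_mandir}/man1/openvpn3-as.1*
%{_mandir}/man8/openvpn3-service-backendstart.8*
%{_mandir}/man8/openvpn3-service-client.8*
%{_mandir}/man8/openvpn3-service-sessionmgr.8*
%{_mandir}/man8/openvpn3-systemd.8*

%if %{with aws}
%files addon-aws
%{_datarootdir}/dbus-1/system.d/net.openvpn.v3.aws.conf
%{_libexecdir}/openvpn3-linux/openvpn3-service-aws
%{_unitdir}/openvpn3-aws.service
%{_mandir}/man8/openvpn3-service-aws.8*
%{_sysconfdir}/%{name}/awscerts
%endif

%if %{with devposture}
%files addon-devposture
%{_datarootdir}/dbus-1/system.d/net.openvpn.v3.devposture.conf
%{_libexecdir}/openvpn3-linux/openvpn3-service-devposture
%{_datarootdir}/dbus-1/system-services/net.openvpn.v3.devposture.service
%{_mandir}/man8/openvpn3-service-devposture.8*
%dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name}/deviceposture
%dir %attr(750, openvpn, openvpn)%{_sharedstatedir}/%{name}/deviceposture/profiles
%{_sharedstatedir}/%{name}/deviceposture/profiles/example*.json
%{_pkgdocdir}-addon-devposture/profile-format.md

%files dpc-openvpninc
%{_sharedstatedir}/%{name}/deviceposture/profiles/openvpninc.json
%endif

%if %{with selinux}
%files selinux
%{_datadir}/selinux/packages/%{name}.pp.*
%{_datadir}/selinux/packages/%{name}_service.pp.*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}_service
%endif


%changelog
* Tue Dec 10 2024 David Sommerseth - 24-1
- Release of OpenVPN 3 Linux v24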