Downloads:

1,195,925

Downloads of v 2.4.6.20190116:

12,975

Last Update:

20 Jan 2019

Package Maintainer(s):

Software Author(s):

  • OpenVPN Technologies, Inc

Tags:

openvpn community tunnel ssl admin

OpenVPN

This is not the latest version of OpenVPN available.

2.4.6.20190116 | Updated: 20 Jan 2019

OpenVPN 2.4.6.20190116

Legal Disclaimer: Neither this package nor Chocolatey Software, Inc. are affiliated with or endorsed by OpenVPN Technologies, Inc. The inclusion of OpenVPN Technologies, Inc trademark(s), if any, upon this webpage is solely to identify OpenVPN Technologies, Inc goods or services and not for commercial purposes.

Some Checks Have Failed or Are Not Yet Complete

Not All Tests Have Passed


Validation Testing Passed


Verification Testing Passed

Scan Testing Resulted in Flagged:

This package was submitted (and approved) prior to automated virus scanning integration into the package moderation process.

We recommend clicking the "Details" link to make your own decision on installing this package.


Deployment Method: Individual Install, Upgrade, & Uninstall

To install OpenVPN, run the following command from the command line or from PowerShell:

>

To upgrade OpenVPN, run the following command from the command line or from PowerShell:

>

To uninstall OpenVPN, run the following command from the command line or from PowerShell:

>

Deployment Method:

NOTE

This applies to both open source and commercial editions of Chocolatey.

1. Enter Your Internal Repository Url

(this should look similar to https://community.chocolatey.org/api/v2/)


2. Setup Your Environment

1. Ensure you are set for organizational deployment

Please see the organizational deployment guide

2. Get the package into your environment

  • Open Source or Commercial:
    • Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to https://community.chocolatey.org/api/v2/. Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
    • You can also just download the package and push it to a repository Download

3. Copy Your Script

choco upgrade openvpn -y --source="'INTERNAL REPO URL'" --version="'2.4.6.20190116'" [other options]

See options you can pass to upgrade.

See best practices for scripting.

Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.

If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:


choco upgrade openvpn -y --source="'INTERNAL REPO URL'" --version="'2.4.6.20190116'" 
$exitCode = $LASTEXITCODE

Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
  Exit 0
}

Exit $exitCode

- name: Install openvpn
  win_chocolatey:
    name: openvpn
    version: '2.4.6.20190116'
    source: INTERNAL REPO URL
    state: present

See docs at https://docs.ansible.com/ansible/latest/modules/win_chocolatey_module.html.


chocolatey_package 'openvpn' do
  action    :install
  source   'INTERNAL REPO URL'
  version  '2.4.6.20190116'
end

See docs at https://docs.chef.io/resource_chocolatey_package.html.


cChocoPackageInstaller openvpn
{
    Name     = "openvpn"
    Version  = "2.4.6.20190116"
    Source   = "INTERNAL REPO URL"
}

Requires cChoco DSC Resource. See docs at https://github.com/chocolatey/cChoco.


package { 'openvpn':
  ensure   => '2.4.6.20190116',
  provider => 'chocolatey',
  source   => 'INTERNAL REPO URL',
}

Requires Puppet Chocolatey Provider module. See docs at https://forge.puppet.com/puppetlabs/chocolatey.


4. If applicable - Chocolatey configuration/installation

See infrastructure management matrix for Chocolatey configuration elements and examples.

Package Approved

This package was approved as a trusted package on 23 Feb 2019.

Description

OpenVPN provides flexible VPN solutions to secure your data communications, whether it's for Internet privacy, remote access for employees, securing IoT, or for networking Cloud data centers.

Notes

  • This Chocolatey package:

    • installs the old tap driver (9.22.1) when Windows Server or Secure Boot is detected
    • installs the new driver in other cases

    These steps were needed in order to fix the following upstream bug:

    • Upstream installer I601 included tap-windows6 driver 9.22.1 which had one security fix and dropped Windows Vista support.
    • Upstream installer I602 reverted back to tap-windows 9.21.2 due to driver being rejected on freshly installed Windows 10 rev 1607 and later when Secure Boot was enabled. The failure was due to the new, more strict driver signing requirements required by Microsoft.
  • This Chocolatey package considers the following upstream parameters. By default, when not specified, they are considered as being set to 1.

    • /SELECT_OPENVPN: Install OpenVPN user-space components, including openvpn.exe.
    • /SELECT_OPENVPNGUI: Install OpenVPN GUI by Mathias Sundman.
    • /SELECT_TAP: Install/upgrade the TAP virtual device driver.
    • /SELECT_EASYRSA: Install OpenVPN RSA scripts for X509 certificate management. Due to popular demand and contrary to the upstream installer, this Chocolatey package is installing them by default.
    • /SELECT_OPENSSLDLLS: Install OpenSSL DLLs locally (may be omitted if DLLs are already installed globally).
    • /SELECT_LZODLLS: Install LZO DLLs locally (may be omitted if DLLs are already installed globally).
    • /SELECT_PKCS11DLLS: Install PKCS#11 helper DLLs locally (may be omitted if DLLs are already installed globally).
    • /SELECT_SERVICE: Install the OpenVPN service wrappers.
    • /SELECT_OPENSSL_UTILITIES: Install the OpenSSL Utilities (used for generating public/private key pairs).
    • /SELECT_PATH: Add OpenVPN executable directory to the current user's PATH.
    • /SELECT_SHORTCUTS: Add OpenVPN shortcuts to the current user's desktop and start menu.
    • /SELECT_ASSOCIATIONS: Register OpenVPN config file association (*.ovpn).
    • /SELECT_LAUNCH: Launch OpenVPN GUI on user logon.
  • Setting options to 0 while previous installations defined them to 1 won't necessarily disable/remove the feature. This depends heavily on the underlying upstream installer. For example, if you set /SELECT_TAP=0 while the TAP driver has been previously installed by other means, this doesn't automatically uninstall the TAP driver.

  • Pass these parameters as described in the Chocolatey docs. For example, to prevent desktop and start menu shortcuts and file associations from being created, use the following command:

    choco install openvpn --params "'/SELECT_SHORTCUTS=0 /SELECT_ASSOCIATIONS=0'"
    
  • An additional Chocolatey package argument (/USING_INTUNE=1) is available to remove tests potentially failing with the Microsoft Intune deployment tool.

Contributions


legal\LICENSE.txt
OpenVPN (TM) -- An Open Source VPN daemon

Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <[email protected]>

This distribution contains multiple components, some
of which fall under different licenses.  By using OpenVPN
or any of the bundled components enumerated below, you
agree to be bound by the conditions of the license for
each respective component.

OpenVPN trademark
-----------------

  "OpenVPN" is a trademark of OpenVPN Technologies, Inc.


OpenVPN license:
----------------

  OpenVPN is distributed under the GPL license version 2 (see Below).

  Special exception for linking OpenVPN with OpenSSL:

  In addition, as a special exception, OpenVPN Technologies, Inc. gives
  permission to link the code of this program with the OpenSSL
  library (or with modified versions of OpenSSL that use the same
  license as OpenSSL), and distribute linked combinations including
  the two.  You must obey the GNU General Public License in all
  respects for all of the code used other than OpenSSL.  If you modify
  this file, you may extend this exception to your version of the
  file, but you are not obligated to do so.  If you do not wish to
  do so, delete this exception statement from your version.

LZO license:
------------

  LZO is Copyright (C) Markus F.X.J. Oberhumer,
  and is licensed under the GPL.

  Special exception for linking OpenVPN with both OpenSSL and LZO:

  Hereby I grant a special exception to the OpenVPN project 
  (http://openvpn.net/) to link the LZO library with 
  the OpenSSL library (http://www.openssl.org).
 
  Markus F.X.J. Oberhumer

TAP-Win32/TAP-Win64 Driver license:
-----------------------------------

  This device driver was inspired by the CIPE-Win32 driver by
  Damion K. Wilson.

  The source and object code of the TAP-Win32/TAP-Win64 driver
  is Copyright (C) 2002-2010 OpenVPN Technologies, Inc., and is released under
  the GPL version 2.

Windows DDK Samples:
--------------------

  The Windows binary distribution includes devcon.exe, a
  Microsoft DDK sample which is redistributed under the terms
  of the DDK EULA.

NSIS License:
-------------

  Copyright (C) 2002-2003 Joost Verburg

  This software is provided 'as-is', without any express or implied
  warranty. In no event will the authors be held liable for any damages
  arising from the use of this software.

  Permission is granted to anyone to use this software for any purpose,
  including commercial applications, and to alter it and redistribute
  it freely, subject to the following restrictions:

  1. The origin of this software must not be misrepresented; 
     you must not claim that you wrote the original software.
     If you use this software in a product, an acknowledgment in the
     product documentation would be appreciated but is not required.
  2. Altered versions must be plainly marked as such,
     and must not be misrepresented as being the original software.
  3. This notice may not be removed or altered from any distribution.

OpenSSL License:
----------------

  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
  the OpenSSL License and the original SSLeay license apply to the toolkit.
  See below for the actual license texts. Actually both licenses are BSD-style
  Open Source licenses. In case of any license issues related to OpenSSL
  please contact [email protected].

/* ====================================================================
 * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    [email protected].
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * ([email protected]).  This product includes software written by Tim
 * Hudson ([email protected]).
 *
 */

 Original SSLeay License
 -----------------------

/* Copyright (C) 1995-1998 Eric Young ([email protected])
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young ([email protected]).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson ([email protected]).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young ([email protected])"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson ([email protected])"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

GNU Public License (GPL)
------------------------

  OpenVPN, LZO, and the TAP-Win32 distributions are
  licensed under the GPL version 2 (see COPYRIGHT.GPL).

  In the Windows binary distribution of OpenVPN, the
  GPL is reproduced below.

legal\VERIFICATION.txt
Publishing this package on the chocolatey repository is an initiative
encouraged by the official OpenVPN authors. In the future, they even
intend to publish a daily build of OpenVPN and make this package an
official channel to distribute OpenVPN updates.

These points have been discussed in this ticket:
https://github.com/wget/chocolatey-package-openvpn/issues/2

The binaries included in this package are identical to the ones available
on the OpenVPN community website:
https://openvpn.net/index.php/open-source/downloads.html
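
The identity claim above can be checked by recomputing SHA-512 digests of the bundled files and comparing them with values recorded from a trusted copy. The PowerShell below is an added example, not part of this package or of Chocolatey; the function names `Test-PinnedHash` and `Assert-PinnedHash` are hypothetical, and the demo files are constructed stand-ins rather than the real installer.

```powershell
# Added example (not package code): verify files against pinned SHA-512
# digests and refuse to continue on anything other than an exact match.

function Test-PinnedHash {
    [CmdletBinding()]
    param(
        # File path -> expected SHA-512 hex digest, in either letter case.
        [Parameter(Mandatory = $true)] [hashtable] $Manifest
    )
    foreach ($path in $Manifest.Keys) {
        $expected = ([string] $Manifest[$path]).Trim()
        $actual = $null
        if ($expected -notmatch '^[0-9a-fA-F]{128}$') {
            # A truncated or mistyped pin (for example a SHA-256 value pasted
            # by mistake) must never be treated as a match.
            $status = 'BadPin'
        } elseif (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $status = 'Missing'
        } else {
            $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA512).Hash
            # Get-FileHash emits upper-case hex. -eq compares strings
            # case-insensitively, so lower-case pins match as well.
            $status = if ($actual -eq $expected) { 'Match' } else { 'Mismatch' }
        }
        [pscustomobject] @{ Path = $path; Status = $status; Actual = $actual }
    }
}

function Assert-PinnedHash {
    param([Parameter(Mandatory = $true)] [hashtable] $Manifest)
    $failed = @(Test-PinnedHash -Manifest $Manifest |
        Where-Object { $_.Status -ne 'Match' })
    if ($failed.Count -gt 0) {
        $detail = ($failed | ForEach-Object { "$($_.Status): $($_.Path)" }) -join '; '
        throw "Pinned hash check failed ($detail)"
    }
}

# --- Demo on constructed files (stand-ins, not the real binaries) ---
$dir = Join-Path ([IO.Path]::GetTempPath()) ("pin-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
try {
    $installer = Join-Path $dir 'installer.bin'
    $driver    = Join-Path $dir 'driver.bin'
    $key       = Join-Path $dir 'key.asc'
    [IO.File]::WriteAllText($installer, 'constructed installer bytes')
    [IO.File]::WriteAllText($driver, 'constructed driver bytes')
    [IO.File]::WriteAllText($key, 'constructed key bytes')

    # Pins are recorded while the files are known-good.
    $manifest = @{}
    $manifest[$installer] = (Get-FileHash -LiteralPath $installer -Algorithm SHA512).Hash.ToLower()
    $manifest[$driver]    = (Get-FileHash -LiteralPath $driver -Algorithm SHA512).Hash
    # Pin cut to 64 hex characters: reported as BadPin, not compared.
    $manifest[$key]       = (Get-FileHash -LiteralPath $key -Algorithm SHA512).Hash.Substring(0, 64)
    # Well-formed pin for a file that does not exist: reported as Missing.
    $manifest[(Join-Path $dir 'absent.bin')] = ('0' * 128)

    # The driver file changes after its pin was recorded.
    [IO.File]::AppendAllText($driver, 'x')

    Test-PinnedHash -Manifest $manifest |
        Sort-Object Path |
        Format-Table Status, Path -AutoSize

    try {
        Assert-PinnedHash -Manifest $manifest
    } catch {
        Write-Warning $_.Exception.Message
    }
} finally {
    Remove-Item -LiteralPath $dir -Recurse -Force
}
```

A pin only adds assurance when it comes from a source other than the package being checked; digests stored next to the binaries they describe detect corruption, not substitution.
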
tools\.skipAutoUninstall
 
tools\chocolateyInstall.ps1
$packageName = 'openvpn'
# By default: C:\ProgramData\chocolatey\lib\openvpn\tools
$toolsDir = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
$fileType = 'exe'

# We previously infected the global AppDomain namespace in a previous Chocolatey
# package version. Try to warn the user about this.
# We cannot call choco list -lo openvpn and parse the output to know the
# previous Chocolatey package version, because when the script reaches this
# point, the new Chocolatey package version is already the one being
# referenced.
$job = Start-Job -ScriptBlock {
    function IsNamespaceInfected() {
        foreach ($assembly in [System.AppDomain]::CurrentDomain.GetAssemblies()) {
            foreach ($type in $assembly.GetTypes()) {
                if ($type.Name -eq "OS") {
                    foreach ($member in $type | Get-Member -Static) {
                        if ($member.Name -eq "IsWindowsServer") {
                            return $true
                        }
                    }
                }
            }
        }
        return $false
    }
    IsNamespaceInfected
}
Wait-Job $job | Out-Null
$isNameSpaceInfected = Receive-Job $job
if ($isNameSpaceInfected) {
    Write-Warning "A bug has been introduced in the previous version of the Chocolatey OpenVPN"
    Write-Warning "package (version 2.4.6.20180710)."
    Write-Warning ""
    Write-Warning "In order to detect whether the computer was running Windows Server, we loaded"
    Write-Warning "C#/.NET assemblies."
    Write-Warning ""
    Write-Warning "The problem is that these assemblies were loaded in the default PowerShell"
    Write-Warning "(AppDomain) namespace and they cannot be unloaded any more."
    Write-Warning "That default PowerShell namespace is thus condamned to have the class ""OS"" loaded"
    Write-Warning "forever which could lead to clashes with other system features or lead to hard"
    Write-Warning "to debug issues."
    Write-Warning ""
    Write-Warning "Rebooting your machine (if possible) is thus recommended in order to get rid of this"
    Write-Warning "namespace pollution."
}

# For a list of all silent arguments used
# https://github.com/OpenVPN/openvpn-build/blob/c92af79befec86f21b257b5defba0becb3d7641f/windows-nsis/openvpn.nsi#L551
# For their description
# https://github.com/OpenVPN/openvpn-build/blob/c92af79befec86f21b257b5defba0becb3d7641f/windows-nsis/openvpn.nsi#L107
$packageParams = Get-PackageParameters
if (!$packageParams['SELECT_SHORTCUTS']) { $packageParams['SELECT_SHORTCUTS'] = '1' }
if (!$packageParams['SELECT_OPENVPN']) { $packageParams['SELECT_OPENVPN'] = '1' }
if (!$packageParams['SELECT_SERVICE']) { $packageParams['SELECT_SERVICE'] = '1' }
if ($packageParams['SELECT_SERVICE'] -eq '1') {
    $serviceWanted = $true
} else {
    $serviceWanted = $false
}
if (!$packageParams['SELECT_TAP']) { $packageParams['SELECT_TAP'] = '1' }
if ($packageParams['SELECT_TAP'] -eq '1') {
    $tapDriverWanted = $true
    # We don't want the installer to install the tap driver for us. We want to
    # do it by ourselves. The tap driver coming with the installer is buggy.
    # We need a specific version of that TAP driver depending on the Windows
    # version.
    $packageParams['SELECT_TAP'] = '0'
} else {
    $tapDriverWanted = $false
}
if (!$packageParams['SELECT_OPENVPNGUI']) { $packageParams['SELECT_OPENVPNGUI'] = '1' }
if (!$packageParams['SELECT_ASSOCIATIONS']) { $packageParams['SELECT_ASSOCIATIONS'] = '1' }
if (!$packageParams['SELECT_OPENSSL_UTILITIES']) { $packageParams['SELECT_OPENSSL_UTILITIES'] = '1' }
# Contrary to the default installer we are installing easyrsa by default
if (!$packageParams['SELECT_EASYRSA']) { $packageParams['SELECT_EASYRSA'] = '1' }
if (!$packageParams['SELECT_PATH']) { $packageParams['SELECT_PATH'] = '1' }
if (!$packageParams['SELECT_LAUNCH']) { $packageParams['SELECT_LAUNCH'] = '1' }
if (!$packageParams['SELECT_OPENSSLDLLS']) { $packageParams['SELECT_OPENSSLDLLS'] = '1' }
if (!$packageParams['SELECT_LZODLLS']) { $packageParams['SELECT_LZODLLS'] = '1' }
if (!$packageParams['SELECT_PKCS11DLLS']) { $packageParams['SELECT_PKCS11DLLS'] = '1' }

# Bypass tests requiring assemblies when using Microsoft Intune
if ($packageParams['USING_INTUNE'] -eq '1') {
    $usingIntune = $true
} else {
    $usingIntune = $false
}

$openvpnInstallerSilentArgs = '/S '
# Entries will be added to the string in random order since this is a dictionary.
foreach ($i in $packageParams.Keys) {
    if ($i -eq "USING_INTUNE") {
        continue
    }
    $openvpnInstallerSilentArgs += "/$i=$($packageParams[$i]) "
}
$tapDriverInstallerSilentArgs = "/S /SELECT_EASYRSA=$($packageParams['SELECT_EASYRSA'])"

$validExitCodes = @(0)

$openvpnInstaller = "$toolsDir\openvpn_installer.exe"
$openvpnInstallerHash = '89E02F55CD34238AAC7CA6983FF54AD1B4CF23101DE82BE08F4C960DA7A41514663FD44B9AB5386815A2A2C97457DF595A369F552F1D8F7837F2D3F9ED0D7268'
$openvpnInstallerPgpSignature = "$toolsDir\openvpn_installer.exe.asc"
$openvpnInstallerPgpSignatureHash = '7BA86B05D9A9AAF82A4F3F9D7D612E12107FEE00803484D32217A89EAF94B5A865468C0279B4709B09AF1A4B6F79C5303E4E32F7BA7E141187137A7D79F59D12'

$pgpPublicKeyOld = "$toolsDir\openvpn_public_key_old.asc"
$pgpPublicKeyOldHash = 'cd4b8eacf5667d335aa89f9860bbb3debad53f877d03609dfcdf578edc27f62131dfeaf678900a2ac0a753d9883046817cf6be5979117ab261d7ce5fc1dec9e0'
$pgpPublicKeyNew = "$toolsDir\openvpn_public_key_new.asc"
$pgpPublicKeyNewHash = '3ed149e5b7bf35103ba65bd019f4285d28e1b15a013cb61fcbad5c03a643cbe9aa1501072b284ef7f809cec5b4b70fcde34447a5bf033e250bea65bd5f2f7d71'

$trustedPublisherCertificateOld = "$toolsDir\openvpn_trusted_publisher_old.cer"
$trustedPublisherCertificateOldHash = '4d04bc2956171ae42a7baba030ca6ddd7a713e3752874c947b9745d58d12758a56bc47880e6f9d9b5db93558d6de17473018882c30f3bdf03ada46aae9d37d8a'
$trustedPublisherCertificateNew = "$toolsDir\openvpn_trusted_publisher_new.cer"
$trustedPublisherCertificateNewHash = 'e4bea4b8a1af6937565685bd83058ec32a138c193520f616b1c9f72dffa5fb2fbe9dc665baf3d0ff96b1479a82b21f59dc8df8f29a9610e83ae62c91ce3b83ea'

$tapDriverInstallerOld = "$toolsDir\tap_driver_installer_old.exe"
$tapDriverInstallerOldHash = '514F0DD1B7D8C4AAD5CC06882A96BE2096E57EB4228DF1D78F2BCC60003AF8EBC057CCE5EEDDA9B8A2DC851A52895C0A4B07556B4535271767817D9EA45E0713'
$tapDriverInstallerOldPgpSignatureHash = '76FC4AB3854A13032FEE735460CCCA6B03DDA570E81913BD576D6DF952654B811CA1D5FC7674D7DBF308E5927780D608C00FA1ADD709E6BC35644D6B699ADCD2'
$tapDriverInstallerNew = "$toolsDir\tap_driver_installer_new.exe"
$tapDriverInstallerNewHash = '13D8E365ED985FC3C510287D977E33205F41B3569B888E745157ECC774DA20AF4D58A98CDC582646A9BB7FD84AAD2A55E9AAD895F12A9A2E125E7A0C88B1726D'
$tapDriverInstallerNewPgpSignatureHash = 'C16CD8B470A92BBC89226DD1B0720E994022F940C1D81F26E2BB27B39B840A21373A3F2848AFD55031DCF1610D0D56C91791AEBD74BE3638B1FF9DF94A1998C7'

# Load custom functions
. "$toolsDir\utils\utils.ps1"

# If GPG has just been added, refresh the environment so it is reachable from this session
Update-SessionEnvironment

Write-Host "Checking OpenVPN installer hash..."
Get-ChecksumValid `
    -File "$openvpnInstaller" `
    -Checksum "$openvpnInstallerHash" `
    -ChecksumType 'sha512'
Write-Host "Checking OpenVPN installer signature hash..."
Get-ChecksumValid `
    -File "$openvpnInstallerPgpSignature" `
    -Checksum "$openvpnInstallerPgpSignatureHash" `
    -ChecksumType 'sha512'
Write-Host "Checking old OpenVPN Inc PGP public key hash..."
Get-ChecksumValid `
    -File "$pgpPublicKeyOld" `
    -Checksum "$pgpPublicKeyOldHash" `
    -ChecksumType 'sha512'
Write-Host "Checking new OpenVPN Inc PGP public key hash..."
Get-ChecksumValid `
    -File "$pgpPublicKeyNew" `
    -Checksum "$pgpPublicKeyNewHash" `
    -ChecksumType 'sha512'
Write-Host "Checking old OpenVPN Inc Trusted Publisher certificate hash..."
Get-ChecksumValid `
    -File "$trustedPublisherCertificateOld" `
    -Checksum "$trustedPublisherCertificateOldHash" `
    -ChecksumType 'sha512'
Write-Host "Checking new OpenVPN Inc Trusted Publisher certificate hash..."
Get-ChecksumValid `
    -File "$trustedPublisherCertificateNew" `
    -Checksum "$trustedPublisherCertificateNewHash" `
    -ChecksumType 'sha512'

# The GPG signature needs to have the same filename as the file checked but
# with the .asc suffix, otherwise gpg reports it cannot verify the file with
# the following message:
# gpg: no signed data
# gpg: can't hash datafile: No data
CheckPGPSignature `
    -pgpKey "$pgpPublicKeyNew" `
    -signatureFile "$openvpnInstallerPgpSignature" `
    -file "$openvpnInstaller"
if ($tapDriverWanted) {
    CheckPGPSignature `
        -pgpKey "$pgpPublicKeyOld" `
        -signatureFile "$tapDriverInstallerOld.asc" `
        -file "$tapDriverInstallerOld"
    CheckPGPSignature `
        -pgpKey "$pgpPublicKeyNew" `
        -signatureFile "$tapDriverInstallerNew.asc" `
        -file "$tapDriverInstallerNew"
}

# Due to this bug https://github.com/OpenVPN/tap-windows6/issues/63, the
# following step no longer works because the OpenVPN installer
# overrides our certificate with an outdated (incorrect) one.
#Write-Host "Adding OpenVPN to the Trusted Publishers (needed to have a silent install of the TAP driver)..."
#AddTrustedPublisherCertificate -file "$certFileName"

if ($serviceWanted) {
    Write-Host "Getting the state of the current OpenVPN service (if any)..."
    # Needed to reset the state of the Interactive service if upgrading from a
    # branch 2.4 and onwards or reinstalling a build from the branch 2.4
    try {
        $previousInteractiveService = GetServiceProperties "OpenVPNServiceInteractive"
    } catch {
        Write-Host "No previous OpenVPN interactive service detected."
    }
    # Even if 2.4.1 fixes reset of services. This is still needed for all cases 2.3
    # to 2.4 or 2.4 to 2.4.x and onwards.
    try {
        $previousService = GetServiceProperties "OpenVpnService"
    } catch {
        Write-Host "No previous OpenVPN service detected."
    }
}

Install-ChocolateyInstallPackage `
    -PackageName "OpenVPN" `
    -FileType $fileType `
    -SilentArgs $openvpnInstallerSilentArgs `
    -File $openvpnInstaller `
    -ValidExitCodes $validExitCodes

if ($tapDriverWanted) {

    if (!$usingIntune) {
        # Install latest TAP which contains security fixes when possible, otherwise
        # fall back to previously working installer when secure boot is enabled or
        # when on Windows Server (which has stricter signing policies compared to
        # standard Windows editions).
        # In order to avoid infecting the default AppDomain with our class OS, we are
        # creating a sub process
        # src.: https://stackoverflow.com/a/3374673/3514658
        $job = Start-Job -ScriptBlock {
            $Assem = (
                "System",
                "System.Runtime.InteropServices")
            $Source = @"
using System;
using System.Runtime.InteropServices;

public class OS {
    public static bool IsWindowsServer() {
        return OS.IsOS(OS.OS_ANYSERVER);
    }

    const int OS_ANYSERVER = 29;

    [DllImport("shlwapi.dll", SetLastError=true, EntryPoint="#437")]
    private static extern bool IsOS(int os);
}
"@
            Add-Type -ReferencedAssemblies $Assem -TypeDefinition $Source -Language CSharp
            [OS]::IsWindowsServer()
        }
        Wait-Job $job | Out-Null
        $isWindowsServer = Receive-Job $job
    } else {
        Write-Warning "Tests to determine if Windows Server was running have been bypassed because the"
        Write-Warning "user has specified Microsoft Intune was used for deployment purposes."
        $isWindowsServer = $false
    }

    $isSecureBootEnabled = $false
    try {
        $secureBoot = Get-ItemProperty -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State\' -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue
        if ($secureBoot.UEFISecureBootEnabled) {
            $isSecureBootEnabled = $true
        }
    } catch {
    }

    # Needed to fix the aforementioned installer bug.
    Write-Host "Adding OpenVPN to the Trusted Publishers (needed to have a silent install of the TAP driver)..."
    if ($isWindowsServer -or $isSecureBootEnabled) {
        Write-Host "You are running Windows Server or have Secure Boot enabled. Installing previous TAP driver instead..."
        AddTrustedPublisherCertificate -file "$trustedPublisherCertificateOld"
        Install-ChocolateyInstallPackage `
            -PackageName "OpenVPN TAP driver" `
            -FileType $fileType `
            -SilentArgs $tapDriverInstallerSilentArgs `
            -File $tapDriverInstallerOld `
            -ValidExitCodes $validExitCodes
    } else {
        AddTrustedPublisherCertificate -file "$trustedPublisherCertificateNew"
        Install-ChocolateyInstallPackage `
            -PackageName "OpenVPN TAP driver" `
            -FileType $fileType `
            -SilentArgs $tapDriverInstallerSilentArgs `
            -File $tapDriverInstallerNew `
            -ValidExitCodes $validExitCodes
    }
}

if ($serviceWanted) {
    if ($previousInteractiveService) {
        Write-Host "Resetting previous OpenVPN interactive service to " `
            "'$($previousInteractiveService.status)' and " `
            "'$($previousInteractiveService.startupType)'..."
        SetServiceProperties `
            -name "OpenVPNServiceInteractive" `
            -status "$($previousInteractiveService.status)" `
            -startupType "$($previousInteractiveService.startupType)"
    }

    if ($previousService) {
        Write-Host "Resetting previous OpenVPN service to " `
            "'$($previousService.status)' and "  `
            "'$($previousService.startupType)'..."
        SetServiceProperties `
            -name "OpenVPNService" `
            -status "$($previousService.status)" `
            -startupType "$($previousService.startupType)"
    }
}

Write-Host "Removing OpenVPN from the Trusted Publishers..."
if ($isWindowsServer -or $isSecureBootEnabled) {
    RemoveTrustedPublisherCertificate -file "$trustedPublisherCertificateOld"
} else {
    RemoveTrustedPublisherCertificate -file "$trustedPublisherCertificateNew"
}
tools\chocolateyUninstall.ps1
$packageName = 'openvpn'
$fileType = 'exe'
$silentArgs = '/S'
$validExitCodes = @(0)

# If we specify to Uninstall-ChocolateyPackage a silent argument but without
# a path, the command throws an exception. We cannot thus rely on the
# Chocolatey Auto Uninstaller feature. We will need to do manually what the
# PowerShell command does i.e. looking for the right path in the registry
# manually.
[array]$key = Get-UninstallRegistryKey -SoftwareName "OpenVPN*"
if ($key.Count -eq 1) {
    $file = $key.UninstallString

    Uninstall-ChocolateyPackage `
        -PackageName "OpenVPN" `
        -FileType "$fileType" `
        -SilentArgs "$silentArgs" `
        -ValidExitCodes "$validExitCodes" `
        -File "$file" | Out-Null
} elseif ($key.Count -eq 0) {
    Write-Warning "$packageName has already been uninstalled by other means."
} elseif ($key.Count -gt 1) {
    Write-Warning "$($key.Count) matches found!"
    Write-Warning "To prevent accidental data loss, no programs will be uninstalled."
    Write-Warning "Please alert package maintainer the following keys were matched:"
    $key | % {Write-Warning "- $($_.DisplayName)"}
}

[array]$key = Get-UninstallRegistryKey -SoftwareName "TAP-Windows*"
if ($key.Count -eq 1) {
    $file = $key.UninstallString

    Uninstall-ChocolateyPackage `
        -PackageName "OpenVPN TAP driver" `
        -FileType "$fileType" `
        -SilentArgs "$silentArgs" `
        -ValidExitCodes "$validExitCodes" `
        -File "$file" | Out-Null
} elseif ($key.Count -eq 0) {
    Write-Warning "The OpenVPN TAP driver has already been uninstalled by other means."
} elseif ($key.Count -gt 1) {
    Write-Warning "$($key.Count) matches found!"
    Write-Warning "To prevent accidental data loss, the OpenVPN TAP driver will not be uninstalled."
    Write-Warning "Please alert package maintainer the following keys were matched:"
    $key | % {Write-Warning "- $($_.DisplayName)"}
}

# After the uninstall has been performed, choco checks if there are uninstall
# registry keys left and decides whether or not to launch its auto uninstaller feature.
# However, here, we have a race condition. When choco checks if the following
# registry key is still present, it's already gone.
# SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OpenVPN
# A fix for this issue is already present in choco 0.10.4
# https://github.com/chocolatey/choco/issues/1035
# Let's sleep. Still failing with only 3 secs. 5 seems to work.
Start-Sleep -s 5

# The uninstaller changes the PATH, apply these changes in the current PowerShell
# session (limited to this script).
Update-SessionEnvironment

# This script does not have to take care of removing the gpg4win-vanilla
# dependency as Chocolatey has a built-in function for that. Notifying the user
# that a dependency can be removed is unnecessary. If a user wants to
# uninstall a package and its dependencies (as long as no other package depends
# on it), the user can run choco uninstall -x when uninstalling a package.
tools\openvpn_installer.exe
md5: F76FACCF5597D4EB2C0595353A449B12 | sha1: 689BE8A52021209E6476B987006012F7B4F056E6 | sha256: B1CE7454A32FE576267D6C3F49054FA7D6DDD702719C0A2716D013F9719FDFEC | sha512: 89E02F55CD34238AAC7CA6983FF54AD1B4CF23101DE82BE08F4C960DA7A41514663FD44B9AB5386815A2A2C97457DF595A369F552F1D8F7837F2D3F9ED0D7268
tools\openvpn_installer.exe.asc
 
tools\openvpn_public_key_new.asc
 
tools\openvpn_public_key_old.asc
 
tools\openvpn_trusted_publisher_new.cer
 
tools\openvpn_trusted_publisher_old.cer
 
tools\tap_driver_installer_new.exe
md5: 34E9BB050F8612D25EEA1829CE3D884E | sha1: A5D275B809EF5DAB6E3D29C53A5C07696548E92C | sha256: EBED746081AA2131F2871B98184E033E51919B8FB3BB5CBD3C9101389CC04ECE | sha512: 13D8E365ED985FC3C510287D977E33205F41B3569B888E745157ECC774DA20AF4D58A98CDC582646A9BB7FD84AAD2A55E9AAD895F12A9A2E125E7A0C88B1726D
tools\tap_driver_installer_new.exe.asc
 
tools\tap_driver_installer_old.exe
md5: 47FA5F0670CF191D066E5DFBF4F4EE70 | sha1: DB9D441C209FB28B7C07286A74FE000738304DAC | sha256: 645BEE92BA4E9F32DDFDD9F8519DC1B9F9FF0B0A8E87E342F08D39DA77E499A9 | sha512: 514F0DD1B7D8C4AAD5CC06882A96BE2096E57EB4228DF1D78F2BCC60003AF8EBC057CCE5EEDDA9B8A2DC851A52895C0A4B07556B4535271767817D9EA45E0713
tools\tap_driver_installer_old.exe.asc
 
tools\utils\utils.ps1
function CreateTempDirPackageVersion {
<#
.DESCRIPTION
Create a temporary folder in current user temporary location. The folder name
has the name of the package name and version (if any).

.OUTPUTS
The location to the created directory

.NOTES
This function is based on part of the code of the command
Install-ChocolateyPackage
src.: https://goo.gl/jUpwOQ
#>
    $chocTempDir = $env:TEMP
    $tempDir = Join-Path $chocTempDir "$($env:chocolateyPackageName)"
    if ($env:chocolateyPackageVersion -ne $null) {
        $tempDir = Join-Path $tempDir "$($env:chocolateyPackageVersion)"
    }
    $tempDir = $tempDir -replace '\\chocolatey\\chocolatey\\', '\chocolatey\'

    if (![System.IO.Directory]::Exists($tempDir)) {
        [System.IO.Directory]::CreateDirectory($tempDir) | Out-Null
    }

    return $tempDir
}

function PrintWhenVerbose {
<#
.DESCRIPTION
Display the string passed as argument if chocolatey has been run in debug or
verbose mode. The string argument is cut automatically and each line is
prefixed by the "VERBOSE: " statement thanks to the call of Write-Verbose
cmdlet.

.PARAMETER string
The string to display in verbose mode
#>
    param (
        [Parameter(Position=0)]
        [string]
        $string
    )

    # Display the output of the executables if chocolatey is run either in debug
    # or in verbose mode.
    if ($env:ChocolateyEnvironmentDebug -eq 'true' -or
        $env:ChocolateyEnvironmentVerbose -eq 'true') {

        $stringReader = New-Object System.IO.StringReader("$string")
        while (($line = $stringReader.ReadLine()) -ne $null) {
           Write-Verbose "$line"
        }
    }
}

function GetServiceProperties {
<#
.DESCRIPTION
Get service properties

.OUTPUTS
An object made of the following fields:
- name (string)
- status (string)
- startupType (string)
- delayedStart (bool)
#>
    param (
        [Parameter(Mandatory=$true)][string]$name
    )

    # Lets return our own object.
    # src.: http://stackoverflow.com/a/12621314
    $properties = "" | Select-Object -Property name,status,startupType,delayedStart

    # Get-Service is not throwing an exception when the service name
    # contains * (asterisks) and the service is not found. Prevent that.
    if ($name -cmatch "\*") {
        Write-Warning "Asterisks have been discarded from the service name '$name'"
        $name = $name -Replace "\*",""
    }

    # The Get-Service Cmdlet returns a System.ServiceProcess.ServiceController
    # Get-Service throws an exception when the exact case insensitive service
    # is not found. Therefore, there is no need to make any further checks.
    $service = Get-Service "$name" -ErrorAction Stop

    # Correct to the exact service name
    if ($name -cnotmatch $service.Name) {
        Write-Debug "The service name '$name' has been corrected to '$($service.Name)'"
    }
    $properties.name = $service.Name

    # Get the service status. The Status property returns an enumeration
    # ServiceControllerStatus src.: https://goo.gl/oq8Bbx
    # This cannot be tested directly from CLI as the .NET assembly is not
    # loaded, we get an exception
    [array]$statusAvailable = [enum]::GetValues([System.ServiceProcess.ServiceControllerStatus])
    if ($statusAvailable -notcontains "$($service.Status)") {
        $errorString = "The status '$($service.Status)' must be '"
        $errorString += $statusAvailable -join "', '"
        $errorString += "'"
        throw "$errorString"
    }

    $properties.status = $service.Status

    # The property StartType of the class System.ServiceProcess.ServiceController
    # might not be available in the .NET Framework when used with PowerShell 2.0
    # (cf. https://goo.gl/5NDtZJ). This property has been made available since
    # .NET 4.6.1 (src.: https://goo.gl/ZSvO7B).
    # Since we cannot rely on this property, we need to find another solution.
    # While WMI is widely available and working, let's parse the registry;
    # later we will need information stored exclusively in it.

    # To list all the properties of an object:
    # $services[0] | Get-ItemProperty
    $service = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\$name
    if (!$service) {
        throw "The service '$name' was not found using the registry"
    }

    # The values are the ones defined in
    # [enum]::GetValues([System.ServiceProcess.ServiceStartMode])
    switch ($service.Start) {
        2 { $properties.startupType = "Automatic" }
        3 { $properties.startupType = "Manual" }
        4 { $properties.startupType = "Disabled" }
        default { throw "The startup type is invalid" }
    }

    # If the delayed flag is not set, there is no record DelayedAutoStart to the
    # object.
    if ($service.DelayedAutoStart) {
        $properties.delayedStart = $true
    } else {
        $properties.delayedStart = $false
    }

    return $properties
}

function SetServiceProperties {
<#
.DESCRIPTION
Set service properties supporting delayed services

.PARAMETER name
The service name

.PARAMETER status
One of the following service status:
- 'Stopped'
- 'StartPending'
- 'StopPending'
- 'Running'
- 'ContinuePending'
- 'PausePending'
- 'Paused'

.PARAMETER startupType
One of the following service startup type:
- 'Automatic (Delayed Start)'
- 'Automatic'
- 'Manual'
- 'Disabled'
#>
    param (
        # By default parameters are positional, this means the parameter name
        # can be omitted, but needs to respect the order in which the arguments
        # are declared, except if the PositionalBinding is set to false.
        # src.: https://goo.gl/UpOU62
        [Parameter(Mandatory=$true)][string]$name,
        [Parameter(Mandatory=$true)][string]$status,
        [Parameter(Mandatory=$true)][string]$startupType
    )

    try {
        $service = GetServiceProperties "$name"
    } catch {
        throw "The service '$name' cannot be found"
    }

    if ($env:ChocolateyEnvironmentDebug -eq 'true' -or
        $env:ChocolateyEnvironmentVerbose -eq 'true') {
        Write-Verbose "Before SetServicesProperties:"
        if ($service.delayedStart) {
            Write-Verbose "Service '$($service.name)' was '$($service.status)', with '$($service.startupType)' startup type and delayed"
        } else {
            Write-Verbose "Service '$($service.name)' was '$($service.status)', with '$($service.startupType)' startup type"
        }
    }

    # src.: https://goo.gl/oq8Bbx
    [array]$statusAvailable = [enum]::GetValues([System.ServiceProcess.ServiceControllerStatus])
    if ($statusAvailable -notcontains "$status") {
        $errorString = "The status '$status' must be '"
        $errorString += $statusAvailable -join "', '"
        $errorString += "'"
        throw "$errorString"
    }

    if ($startupType -ne "Automatic (Delayed Start)" -and
        $startupType -ne "Automatic" -and
        $startupType -ne "Manual" -and
        $startupType -ne "Disabled") {
        throw "The startupType '$startupType' must either be 'Automatic (Delayed Start)', 'Automatic', 'Manual' or 'Disabled'"
    }

    # Set delayed auto start
    if ($startupType -eq "Automatic (Delayed Start)") {

        # (src.: https://goo.gl/edhCxm and https://goo.gl/NyVXxM)
        # Modifying the registry does not change the value in services.msc,
        # using sc.exe does. sc.exe uses the Windows NT internal functions
        # OpenServiceW and ChangeServiceConfigW. We could use it in PowerShell,
        # but it would require a C++ wrapper imported in C# code with
        # DllImport, the same C# code imported in PowerShell. While this is
        # doable, this is way slower than calling the sc utility directly.
        # Set-ItemProperty -Path "Registry::HKLM\System\CurrentControlSet\Services\$($service.Name)" -Name DelayedAutostart -Value 1 -Type DWORD
        # An .exe can be called directly but ensuring the exit code and
        # stdout/stderr are properly redirected can only be checked with
        # this code.
        $psi = New-object System.Diagnostics.ProcessStartInfo
        $psi.CreateNoWindow = $true
        $psi.UseShellExecute = $false
        $psi.RedirectStandardInput = $true
        $psi.RedirectStandardOutput = $true
        $psi.RedirectStandardError = $true
        $process = New-Object System.Diagnostics.Process
        $process.StartInfo = $psi
        $psi.FileName = 'sc.exe'
        $psi.Arguments = "Config ""$($service.Name)"" Start= Delayed-Auto"
        # The [void] casting is actually needed to avoid True or False to be displayed
        # on stdout.
        [void]$process.Start()
        #PrintWhenVerbose $process.StandardOutput.ReadToEnd()
        #PrintWhenVerbose $process.StandardError.ReadToEnd()
        $process.WaitForExit()
        if (!($process.ExitCode -eq 0)) {
            throw "Unable to set the service '$($service.Name)' to a delayed autostart."
        }
    } else {
        # Make sure the property DelayedAutostart is reset otherwise
        # GetServiceProperties could report a service as Manual and delayed
        # which is not possible.
        Set-ItemProperty `
        -Path "Registry::HKLM\System\CurrentControlSet\Services\$($service.Name)" `
        -Name DelayedAutostart -Value 0 -Type DWORD -ErrorAction Stop
    }

    # Cast "Automatic (Delayed Start)" to "Automatic" to have a valid name.
    # -eq is used because -match would treat the parentheses as a regex group.
    if ($startupType -eq "Automatic (Delayed Start)") {
        $startupType = "Automatic"
    }

    # Set-Service cannot stop services properly and complains the service is
    # dependent on other services, which seems to be wrong.
    # src.: http://stackoverflow.com/a/39811972/3514658
    if ($status -eq "Stopped") {
        Stop-Service "$($service.Name)" -ErrorAction Stop
    }

    Set-Service -Name "$($service.Name)" -StartupType "$startupType" -Status "$status" -ErrorAction Stop

    if ($env:ChocolateyEnvironmentDebug -eq 'true' -or
        $env:ChocolateyEnvironmentVerbose -eq 'true') {
        $service = GetServiceProperties "$name"
        Write-Verbose "After SetServicesProperties:"
        if ($service.delayedStart) {
            Write-Verbose "Service '$($service.name)' now '$($service.status)', with '$($service.startupType)' startup type and delayed"
        } else {
            Write-Verbose "Service '$($service.name)' now '$($service.status)', with '$($service.startupType)' startup type"
        }
    }
}

function CheckPGPSignature {
<#
.DESCRIPTION
Check the signature of a file using the public key and signatures provided.

.PARAMETER pgpKey
The path and file name to PGP public key to check the signature.

.PARAMETER signatureFile
The path and file name to the signature file. The signature file must keep
its original filename if the argument 'file' is not specified.

.PARAMETER file (optional)
GPG can find the filename of the file to check by itself, only if the
signatureFile has its original file name. To retrieve the filename of the
file to check, GnuPG removes the .asc suffix from the signature file.
#>
    param (
        [Parameter(Mandatory=$true)][string]$pgpKey,
        [Parameter(Mandatory=$true)][string]$signatureFile,
        [Parameter(Mandatory=$false)][string]$file
    )

    # Get-Command throws an error message but continues execution, ask to
    # continue without message at all.
    if (!(Get-Command 'gpg.exe' -ErrorAction SilentlyContinue)) {
        throw "Unable to find the GnuPG executable 'gpg.exe'."
    }

    # Check if folder or path exists. Work for files as well.
    if (!(Test-Path "$pgpKey")) {
        throw "Unable to find the PGP key '$pgpKey'."
    }

    if (!(Test-Path "$signatureFile")) {
        throw "Unable to find the PGP signature file '$signatureFile'."
    }

    if ($file -and !(Test-Path "$file")) {
        throw "Unable to find the file '$file'."
    }

    # Get temporary folder for the keyring
    # src.: http://stackoverflow.com/a/34559554/3514658
    $tempDirKeyring = Join-Path $(Split-Path $pgpKey) $([System.Guid]::NewGuid())
    [System.IO.Directory]::CreateDirectory($tempDirKeyring) | Out-Null

    $psi = New-object System.Diagnostics.ProcessStartInfo
    $psi.CreateNoWindow = $true
    $psi.UseShellExecute = $false
    $psi.RedirectStandardInput = $true
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError = $true
    $process = New-Object System.Diagnostics.Process
    $process.StartInfo = $psi

    Write-Debug "Importing PGP key '$pgpKey' in the temporary keyring ($tempDirKeyring\pubring.gpg)..."
    # Simply invoking the command gpg.exe and checking the value of $? was not
    # enough. Using the following method worked and was indeed more reliable.
    # src.: https://goo.gl/Ungugv
    $psi.FileName = 'gpg.exe'
    # Surrounding filenames by 2 double quotes is needed, otherwise if the user
    # folder has a space in it, the space is not taken into account and gpg cannot
    # find the signed data to verify.
    if ($env:ChocolateyEnvironmentDebug -eq 'true' -or
        $env:ChocolateyEnvironmentVerbose -eq 'true') {
        $psi.Arguments = "-v --homedir ""$tempDirKeyring"" --import ""$pgpKey"""
    } else {
        $psi.Arguments = "--homedir ""$tempDirKeyring"" --import ""$pgpKey"""
    }
    # The [void] casting is actually needed to avoid True or False to be displayed
    # on stdout.
    [void]$process.Start()
    PrintWhenVerbose $process.StandardOutput.ReadToEnd()
    PrintWhenVerbose $process.StandardError.ReadToEnd()
    $process.WaitForExit()
    if (!($process.ExitCode -eq 0)) {
        throw "Unable to import PGP key '$pgpKey' in the temporary keyring ($tempDirKeyring\pubring.gpg)."
    }

    # This step is actually optional. It avoids the warning below by trusting
    # the key ultimately, with the highest level available (level 5,
    # number 6, used for the ultimate/owner trust, a level used for own keys):
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner.
    Write-Debug "Getting the fingerprint of the PGP key '$pgpKey'..."
    $psi.FileName = 'gpg.exe'
    if ($env:ChocolateyEnvironmentDebug -eq 'true' -or
        $env:ChocolateyEnvironmentVerbose -eq 'true') {
        $psi.Arguments = "-v --homedir ""$tempDirKeyring"" --with-fingerprint --with-colons ""$pgpKey"""
    } else {
        $psi.Arguments = "--homedir ""$tempDirKeyring"" --with-fingerprint --with-colons ""$pgpKey"""
    }
    # Get the full fingerprint of the key
    [void]$process.Start()
    # src.: http://stackoverflow.com/a/8762068/3514658
    $pgpFingerprint = $process.StandardOutput.ReadToEnd()
    $process.WaitForExit()
    $pgpFingerprint = $pgpFingerprint -split ':'
    $pgpFingerprint = $pgpFingerprint[18]

    Write-Debug "Trusting the PGP key '$pgpKey' ultimately based on its fingerprint '$pgpFingerprint'..."
    $psi.FileName = 'gpg.exe'
    if ($env:ChocolateyEnvironmentDebug -eq 'true' -or
        $env:ChocolateyEnvironmentVerbose -eq 'true') {
        $psi.Arguments = "-v --homedir ""$tempDirKeyring"" --import-ownertrust"
    } else {
        $psi.Arguments = "--homedir ""$tempDirKeyring"" --import-ownertrust"
    }
    [void]$process.Start()
    # Specify the fingerprint and the trust level to stdin
    # e.g.: ABCDEF01234567890ABCDEF01234567890ABCDEF:6:
    # $input is a PowerShell automatic variable, so another name is used here.
    $stdin = $process.StandardInput
    $stdin.WriteLine($pgpFingerprint + ":6:")
    # Not written until the stream is closed. If not closed, the process will
    # still run and the software will hang.
    # src.: https://goo.gl/5oYgk4
    $stdin.Close()
    $process.WaitForExit()

    Write-Debug "Checking PGP signature..."
    $psi.FileName = 'gpg.exe'
    if ($env:ChocolateyEnvironmentDebug -eq 'true' -or
        $env:ChocolateyEnvironmentVerbose -eq 'true') {
        if ($file) {
            $psi.Arguments = "-v --homedir ""$tempDirKeyring"" --verify ""$signatureFile"" ""$file"""
        } else {
            $psi.Arguments = "-v --homedir ""$tempDirKeyring"" --verify ""$signatureFile"""
        }
    } else {
        if ($file) {
            $psi.Arguments = "--homedir ""$tempDirKeyring"" --verify ""$signatureFile"" ""$file"""
        } else {
            $psi.Arguments = "--homedir ""$tempDirKeyring"" --verify ""$signatureFile"""
        }
    }
    [void]$process.Start()
    PrintWhenVerbose $process.StandardOutput.ReadToEnd()
    PrintWhenVerbose $process.StandardError.ReadToEnd()
    $process.WaitForExit()
    if (!($process.ExitCode -eq 0)) {
        throw "The signature does not match."
    }
}

function GetCertificateInfo {
<#
.DESCRIPTION
Return a X509Certificate object.
This function has been implemented in a polymorphic way. Either we specify
a file or we specify a store and a certificate fingerprint.

Usage 1: Specify a file to open as a X509 certificate.

Usage 2: Specify a store and a certificate fingerprint to search for.

.PARAMETER file (usage 1)
The path and file name to the certificate file.

.PARAMETER store (usage 2)
The certificate store (X509Store object) which has been previously opened.

.PARAMETER fingerprint (usage 2)
The fingerprint of the certificate to search for from the certificate store.

.OUTPUTS
A X509Certificate object cf. https://goo.gl/VRuWkL to see the documentation
#>
    param (
        [Parameter(Mandatory=$true, ParameterSetName="file")]
        [string]$file,
        [Parameter(Mandatory=$true, ParameterSetName="fingerprint")]
        [System.Security.Cryptography.X509Certificates.X509Store]$store,
        [Parameter(Mandatory=$true, ParameterSetName="fingerprint")]
        [string]$fingerprint
    )

    switch ($PsCmdlet.ParameterSetName) {
        "file" {
            # New-Object does not respect the rule -ErrorAction
            # src.: https://goo.gl/bzXAL0
            try {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate `
                -ArgumentList "$file"
            } catch {
                throw "Unable to open the X509certificate '$file'"
            }
        }
        "fingerprint" {
            # Sanitize the fingerprint
            if ($fingerprint) {
                $fingerprint = $fingerprint.replace(' ','')
            }

            $certificates = New-Object `
            System.Security.Cryptography.X509Certificates.X509CertificateCollection `
            -ArgumentList $store.Certificates

            $i = 0
            while ($i -lt $certificates.Count) {
                if ("$($certificates.item($i).GetCertHashString())" -eq "$fingerprint") {
                    $cert = $certificates.item($i)
                    break
                }
                $i++
            }
            # When no certificate matched, the loop ends with $i equal to Count.
            if ($i -ge $certificates.Count) {
                throw "Unable to find the certificate in the store '$($store.Name)' at location '$($store.Location)'"
            }
        }
    }

    return $cert
}

function AddTrustedPublisherCertificate {
<#
.DESCRIPTION
Adds a X509 certificate to the TrustedPublisher certificate store.

.PARAMETER file (usage 1)
The path and file name to the certificate file.

.NOTES
Sometimes setup executables try to install autosigned drivers. Windows asks us
if we want to trust the certificate from the software publisher. In order to
have a complete silent install, it is needed to add that certificate to the
Windows TrustedPublisher keystore.

In order to recover that certificate for further use, we have to
- Install the driver accepting the certificate
- Tick the checkbox "Always trust software from "Software Publisher, Inc.""
- As by default, only certificates of the local users are displayed in the
  certificate manager, we need to add the view for the whole computer first.
  For that, we need to run the Microsoft Management Console, run mmc.exe
- Then go to "File -> Add/Remove Snap-in..."
- Select "Certificates" from the left list view then run certmgr.msc,
- Click the "Add >" button at the center of the window
- Select the "Computer account" radio button
- Click the "Next >" button
- Click the "Finish" button
- Click the "OK" button
- Expand "Certificates (Local Computer) -> Trusted Publishers -> Certificates"
- Right click the "OpenVPN Technologies, Inc." certificate
- Select "All Tasks -> Export..."
- Click the "Next >" button
- Select the "Base64 encoded x.509 (.CER)" radio button
- Click the "Next" button
- Select a destination and a filename you wish to save the certificate
- Click the "Next >" button
- Click the "Finish" button
- Click the "OK" button from the confirmation dialog box

The certificate is now in the location specified.
src.: https://goo.gl/o3BVGJ
Next time we install the same piece of software, even if we remove that
certificate, Windows will not ask us to confirm the installation as the
driver is cached in the Drivers Store (C:\Windows\Inf).

To simulate a first install we need to remove the cached drivers as well.
src.: https://goo.gl/Zbcs6T
#>
    param (
        [Parameter(Mandatory=$true)][string]$file
    )

    $cert = GetCertificateInfo -file "$file"

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
    -ArgumentList ([System.Security.Cryptography.X509Certificates.StoreName]::TrustedPublisher,`
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)

    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

    $store.Add($cert)
    $store.Close()
}

function RemoveTrustedPublisherCertificate {
<#
.DESCRIPTION
Removes a X509 certificate from the TrustedPublisher certificate store.
This function has been implemented in a polymorphic way. Either we specify
a file or we specify a certificate fingerprint.

Usage 1: Specify a file to remove a X509 certificate from the certificate
         store.

Usage 2: Specify a certificate fingerprint to remove the certificate
         corresponding to that certificate fingerprint.

.PARAMETER file (usage 1)
The path and file name to the certificate file.

.PARAMETER fingerprint (usage 2)
The fingerprint of the certificate to remove from the certificate store.
#>
    param (
        [Parameter(Mandatory=$true, ParameterSetName="file")]
        [string]$file,
        [Parameter(Mandatory=$true, ParameterSetName="fingerprint")]
        [string]$fingerprint
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
    -ArgumentList ([System.Security.Cryptography.X509Certificates.StoreName]::TrustedPublisher,`
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)

    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

    switch ($PsCmdlet.ParameterSetName) {
        "file" {
            $cert = GetCertificateInfo -file "$file"
        }
        "fingerprint" {
            $cert = GetCertificateInfo -store $store -fingerprint "$fingerprint"
        }
    }

    $store.Remove($cert)
    $store.Close()
}
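
The install script above adds the OpenVPN publisher certificate to the machine-wide TrustedPublisher store and removes it only in its last lines, so the certificate stays trusted if a step in between throws. The following is an added example, not part of the package: it scopes the trust with try/finally and provides a check for a leftover entry. The function names `Open-TrustedPublisherStore`, `Test-TrustedPublisherPresent` and `Invoke-WithTemporaryTrustedPublisher` are hypothetical; an elevated session is assumed.

```powershell
# Added example, not the package's own code. Function names are hypothetical.
# LocalMachine\TrustedPublisher is machine-wide, so this needs an elevated session.

function Open-TrustedPublisherStore {
    param (
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.OpenFlags]$Flags
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
        -ArgumentList ([System.Security.Cryptography.X509Certificates.StoreName]::TrustedPublisher,
                       [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    $store.Open($Flags)
    return $store
}

function Test-TrustedPublisherPresent {
    # Returns $true when the certificate in $CertificateFile is currently in
    # LocalMachine\TrustedPublisher (matched by thumbprint).
    param (
        [Parameter(Mandatory=$true)][string]$CertificateFile
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $CertificateFile
    $store = Open-TrustedPublisherStore -Flags ReadOnly
    try {
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $cert.Thumbprint,
            $false)   # $false: also match certificates that do not validate
        return ($found.Count -gt 0)
    } finally {
        $store.Close()
    }
}

function Invoke-WithTemporaryTrustedPublisher {
    # Trusts the publisher certificate only for the duration of $Action.
    # The finally block runs even when $Action throws, so a failed driver
    # install does not leave the publisher trusted.
    param (
        [Parameter(Mandatory=$true)][string]$CertificateFile,
        [Parameter(Mandatory=$true)][scriptblock]$Action
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $CertificateFile

    # If an administrator already trusted this publisher, leave that entry alone.
    $alreadyTrusted = Test-TrustedPublisherPresent -CertificateFile $CertificateFile

    $store = Open-TrustedPublisherStore -Flags ReadWrite
    try {
        if (-not $alreadyTrusted) {
            $store.Add($cert)
        }
        & $Action
    } finally {
        if (-not $alreadyTrusted) {
            $store.Remove($cert)
        }
        $store.Close()
    }
}

# Usage inside chocolateyInstall.ps1, with the package's own variables:
#
# Invoke-WithTemporaryTrustedPublisher -CertificateFile $trustedPublisherCertificateNew -Action {
#     Install-ChocolateyInstallPackage `
#         -PackageName "OpenVPN TAP driver" `
#         -FileType $fileType `
#         -SilentArgs $tapDriverInstallerSilentArgs `
#         -File $tapDriverInstallerNew `
#         -ValidExitCodes $validExitCodes
# }
#
# Post-install audit for a leftover entry:
#
# if (Test-TrustedPublisherPresent -CertificateFile $trustedPublisherCertificateNew) {
#     Write-Warning "The OpenVPN publisher certificate is still in TrustedPublisher."
# }
```
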

In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).

Version Downloads Last Updated Status
OpenVPN - Open Source SSL VPN Solution 2.6.11.2 27628 Friday, June 28, 2024 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.11.1 16644 Friday, June 21, 2024 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.10.3 33174 Saturday, May 25, 2024 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.10.2 18231 Monday, May 13, 2024 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.10.001 48860 Saturday, March 23, 2024 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.9.001 40081 Tuesday, February 13, 2024 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.8.001 59259 Saturday, November 18, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.7.001 16461 Friday, November 10, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.6.001 59646 Friday, August 18, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.5.001 42858 Friday, June 16, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.4.001 36316 Saturday, May 13, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.3.003 15629 Friday, April 28, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.3.001 16055 Friday, April 14, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.2.001 17459 Tuesday, March 28, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.1.001 17406 Friday, March 10, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.0.005 13444 Tuesday, February 28, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.0.004 7976 Saturday, February 25, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.6.0 23295 Friday, January 27, 2023 Approved
OpenVPN - Open Source SSL VPN Solution 2.5.8 52874 Thursday, November 3, 2022 Approved
OpenVPN - Open Source SSL VPN Solution 2.5.7 73638 Wednesday, June 1, 2022 Approved
OpenVPN - Open Source SSL VPN Solution 2.5.6 37301 Thursday, March 17, 2022 Approved
OpenVPN - Open Source SSL VPN Solution 2.5.5 16806 Thursday, February 17, 2022 Approved
OpenVPN - Open Source SSL VPN Solution 2.5.4 496 Wednesday, February 16, 2022 Approved
OpenVPN 2.4.7 215600 Saturday, March 23, 2019 Approved
OpenVPN 2.4.6.20190116 12975 Sunday, January 20, 2019 Approved
OpenVPN 2.4.6.20180710 93558 Tuesday, July 10, 2018 Approved
OpenVPN 2.4.6 4849 Monday, June 25, 2018 Approved
OpenVPN 2.4.5 527 Monday, June 25, 2018 Approved
OpenVPN 2.4.4 24115 Tuesday, October 3, 2017 Approved
OpenVPN 2.4.3 7868 Thursday, June 22, 2017 Approved
OpenVPN 2.4.2 3545 Friday, May 26, 2017 Approved
OpenVPN 2.4.1 2585 Saturday, May 13, 2017 Approved
OpenVPN Community 2.4.0 6850 Sunday, January 8, 2017 Approved
OpenVPN Community 2.3.13.20161120 3172 Sunday, November 20, 2016 Approved
OpenVPN Community 2.3.13 3285 Monday, November 7, 2016 Approved
OpenVPN Community 2.3.11 5297 Monday, June 20, 2016 Approved
OpenVPN Community for Windows (incl. OpenVPN GUI) 2.3.10 2900 Monday, January 11, 2016 Approved
OpenVPN 2.3.6 4467 Thursday, December 18, 2014 Approved
openvpn 2.3.2 1721 Tuesday, July 16, 2013 Approved
openvpn 2.2.2.20130718 576 Thursday, July 18, 2013 Approved
openvpn 2.2.2 647 Thursday, July 18, 2013 Approved

Discussion for the OpenVPN Package

Ground Rules:

  • This discussion is only about OpenVPN and the OpenVPN package. If you have feedback for Chocolatey, please contact the Google Group.
  • This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
  • The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
  • Tell us what you love about the package or OpenVPN, or tell us what needs improvement.
  • Share your experiences with the package, or extra configuration or gotchas that you've found.
  • If you use a URL, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.