Compiling and repackaging vpnc with libssl support

Let’s start with some background (skip if you don’t care about that). I moved offices last week, and the new place requires me to interface with a Cisco VPN solution to get internet access. Now, I have to be fair and commend Cisco for providing a source tar-ball of their “vpnclient”, which should in principle allow users of any GNU/Linux distribution to connect to their system. I’m saying in principle, because I didn’t actually try their client. I can attest that the code compiles cleanly after applying a few patches, but after compiling I actually decided not to run the installation.

The thing is, the Cisco vpnclient is built as a kernel module, and I really dislike these manually maintained modules that require attention at every kernel upgrade. Looking at the install script, you can of course expect all these things to get plugged into the init system to load the module. That’s just more intrusive than necessary – as vpnc demonstrates.

In addition to being very unobtrusive – a single, lightweight, userspace process – vpnc of course comes served to you through that wonderful package manager (yes, this is my favourite topic, sorry). Automagically. Or, almost.

One tiny problem: at least on Ubuntu Hardy, vpnc is by default provided without support for “hybrid authentication”. For that to work, vpnc needs to use functionality in libssl, which would make it incompatible with the GPL, apparently (so yeah, it’s not a bug, it’s a feature!). As I understand it, it is ok for end users to connect the two, but you can’t distribute it that way.

So we need to compile vpnc with libssl support ourselves. That’s not a problem: you can check out the Ubuntu-prepared source code to your current working directory using “apt-get source vpnc” (don’t you just love that!). As the readme file tells you, you will need to have libgcrypt-dev, and now in addition you need libssl-dev (that took me a while to figure out: why isn’t it called libopenssl-dev?). As is clearly documented, there are just two lines in the Makefile that need uncommenting to make your non-GPL-compliant version of the tool. That’s about it (run make – I’m assuming you have the build-essential virtual package installed).

Now the part that I just had to be fussy about: how do you distinguish your custom version from the current and future repository-provided binaries? You probably want to put it under package management control (nice for dependencies and such), but if you just install it under the same version number, the package manager seems to want to replace your package by the repository version. At least, so did aptitude on my system. A bit of searching turns up lots of ways in which people solve this problem. It all depends what you want to happen when the repository gets an updated version.

In the end I decided that I want the package manager to suggest an upgrade when a new version arrives. I’ll most likely remember that I need to recompile at that time (and if not, well, I’ll find out soon enough :)). The easiest way to get that working properly is to enter your locally produced package under a different version number. In my case, I changed the version number from “0.5.1r275-1” to “0.5.1r275-1+ssl1”. This style of version naming should, according to the Debian policy manual, produce the desired upgrading behaviour: the current 0.5.1r275-1 version is considered older than our self-cooked package, but 0.5.1r276-1 or 0.5.1r275-2 would both be considered to be newer.

A nice way to have things set up correctly with little effort is to get a few more packaging tools: devscripts (which provides debchange), debhelper and dpatch (which are build-dependencies of vpnc), and dpkg-buildpackage (comes with build-essential, actually). You can read about the details of those in the Debian New Maintainers’ Guide, or in the Ubuntu Packaging Guide (a bit more hands-on perhaps). And they come with extensive man pages.

In the source code directory (one down from where you ran apt-get source), I ran

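debchange -v 0.5.1r275-1+ssl1 # then entered something in the changelog
dpkg-buildpackage -us -uc -b # build the unsigned binary package; the .deb lands in the parent directory
sudo dpkg -i ../vpnc_0.5.1r275-1+ssl1_amd64.deb # install the locally built package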

… yes, we’re really done already! If you don’t like the “+ssl1”, you can also type “debchange -n” which produces version number “0.5.1r275-1ubuntu1” on my system – that should also do.

Many thanks to Kyle who mentioned vpnc to me (I wouldn’t have known, and would be stuck with an ugly Cisco vpnclient on my system now), and who as a result had to endure my bugging him a million times to get me more deb packages while I was still stuck connection-less….

