
compile openvpn to use cryptolib

Posted: Fri Feb 26, 2016 3:44 pm
by Koxx
Hello,

I am running openvpn on an SBC (Hardkernel Odroid c1).
The default Ubuntu offered on this board doesn't have cryptodev.

So, I decided to recompile the kernel, compile cryptodev, compile openvpn THEN compile openvpn.

The issue is: openvpn still uses the stock openssl libraries instead of the compiled openssl libraries.
The stock openssl doesn't manage the cryptodev :(

stock : 1.0.1f
compiled : 1.0.2f

$ openvpn --version
OpenVPN 2.3.9 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 25 2016
library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06

Here is my full process to compile it.
Can you tell me what is missing?

Thanks.


root@odroid:/home/odroid#

### cryptodev
$ apt-get install git
$ mkdir cryptodev
$ cd cryptodev
$ git clone https://github.com/cryptodev-linux/cryptodev-linux
$ cd cryptodev-linux
$ make
$ make install
$ echo "cryptodev" >> /etc/modules
$ modprobe cryptodev
$ ls /dev/crypto

### required for next steps
sudo apt-get install libpam0g-dev

### openssl
$ cd /home/odroid
$ wget https://www.openssl.org/source/openssl-1.0.2f.tar.gz
$ tar zxf openssl*
$ cd openssl-1.0.2f/
$ ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS
$ make
$ make install

$ openssl version
OpenSSL 1.0.2f  28 Jan 2016

$ which openssl
OpenSSL 1.0.2f  28 Jan 2016

$ openssl engine cryptodev
(cryptodev) BSD cryptodev engine

### openvpn
$ cd /home/odroid/
$ wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.9.tar.xz
$ tar xvf openvpn-*
$ cd openvpn-2.3.9
##./configure --prefix=/opt/custom-openvpn OPENSSL_SSL_LIBS="-L/home/odroid/openssl-1.0.2f/ -lssl" OPENSSL_SSL_CFLAGS="-I/home/odroid/openssl-1.0.2f/include/" OPENSSL_CRYPTO_LIBS="-L/home/odroid/openssl-1.0.2f/ -lcrypto" OPENSSL_CRYPTO_CFLAGS="-I/home/odroid/openssl-1.0.2f/include/"
##./configure OPENSSL_SSL_LIBS="-L/usr/local/ssl/lib/ -lssl" OPENSSL_CRYPTO_LIBS="-L/usr/local/ssl/lib/ -lcrypto" OPESSL_SSL_CFLAGS="-I/usr/local/ssl/include/" OPENSSL_CRYPTO_CFLAGS="-I/usr/local/ssl/include/"
$ ./configure OPENSSL_SSL_LIBS="-L/usr/lib/ -lssl" OPENSSL_CRYPTO_LIBS="-L/usr/lib/ -lcrypto" OPESSL_SSL_CFLAGS="-I/usr/include/openssl/" OPENSSL_CRYPTO_CFLAGS="-I/usr/include/openssl/"
$ make
$ make install

$ openvpn --version
OpenVPN 2.3.9 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 25 2016
library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

$ openvpn --show-engines
OpenSSL Crypto Engines
Dynamic engine loading support [dynamic]

$ openvpn --engine cryptodev  --cd /etc/openvpn --config /etc/openvpn/config.conf --script-security 2 -v
$ tail -10 /var/log/syslog
Feb 26 10:56:00 odroid openvpn[6686]: OpenVPN 2.3.9 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Feb 25 2016
Feb 26 10:56:00 odroid openvpn[6686]: library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Feb 26 10:56:00 odroid openvpn[6698]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 26 10:56:00 odroid openvpn[6698]: OpenSSL error: cannot load engine 'cryptodev'
Feb 26 10:56:00 odroid openvpn[6698]: Exiting due to fatal error
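
One way to check which libssl and libcrypto a built openvpn binary resolves at run time, as an added example that is not part of the original post. The `ldd` lines in `sample_stock` and `sample_custom` are constructed, and `/usr/lib` as the expected directory is taken from the `--prefix=/usr --libdir=lib` used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): read `ldd` output on stdin and
# report where libssl/libcrypto resolve, compared with the expected directory.
# Exit status: 0 = all under expected dir, 1 = mismatch/missing, 2 = none found.
check_crypto_libs() {
    awk -v dir="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen++
            path = $3
            if (path == "not") {              # "libssl.so.X => not found"
                printf "MISSING  %s\n", $1; bad++; next
            }
            d = path; sub("/[^/]*$", "", d)   # strip file name, keep directory
            if (d == dir) {
                printf "OK       %s -> %s\n", $1, path
            } else {
                printf "MISMATCH %s -> %s (expected %s)\n", $1, path, dir; bad++
            }
        }
        END {
            if (!seen) { print "no shared libssl/libcrypto dependency"; exit 2 }
            exit (bad > 0)
        }'
}

# Constructed sample: binary resolving the distribution's multiarch libraries.
sample_stock() {
    cat <<'EOF'
	libssl.so.1.0.0 => /lib/arm-linux-gnueabihf/libssl.so.1.0.0 (0xb6e80000)
	libcrypto.so.1.0.0 => /lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6d20000)
	libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0xb6c30000)
EOF
}

# Constructed sample: binary resolving libraries installed under /usr/lib.
sample_custom() {
    cat <<'EOF'
	libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0xb6e80000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0xb6d20000)
EOF
}

# Real use: sh check.sh "$(command -v openvpn)" /usr/lib
if [ "$#" -ge 1 ]; then
    ldd "$1" | check_crypto_libs "${2:-/usr/lib}"
fi
```

A MISMATCH line means the dynamic linker found that library in a directory other than the one the new build was installed into.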