OpenVPN 2.4 and pure elliptic curve crypto setup

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 10:26 am

There is no openssl at /usr/local/bin/openssl.

you have to edit the following line in the vars file

set_var EASYRSA_OPENSSL "/usr/local/opt/openssl/bin/openssl"

and set this to wherever your openssl is

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 10:36 am

Newbie question, how do I find where my openssl is located?

Is there a command I could run to find out?

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 10:42 am

which openssl

But then check if this is the right one, in case you have multiple versions installed:

WhateverPath/openssl version

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 10:44 am

which openssl outputs /usr/local/bin/openssl


EDIT: running openssl will output


openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 10:45 am

And

/usr/local/bin/openssl version

?

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 10:46 am

same thing:


openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

EDIT: Closest solution I've found was in this thread

I followed along and ran


sudo apt-get install libssl1.0.0 libssl-dev

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 10:48 am

Your OpenSSL is corrupted or not installed properly

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 10:49 am

Download and do the config, make, make install again?

This time I'll verify the checksum or gpg...

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by Pippin » Mon Jul 17, 2017 10:50 am

1. cd /

2. find -name openssl

3. /path..../openvpn --version

?

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 10:55 am


find -name openssl
./home/pi/openssl-1.1.0f/apps/openssl
./home/pi/openssl-1.1.0f/include/openssl
./usr/local/include/openssl
./usr/local/share/doc/openssl
./usr/local/bin/openssl
./usr/lib/ruby/2.1.0/openssl
./usr/include/arm-linux-gnueabihf/openssl
./usr/include/openssl
./usr/share/doc/openssl
./usr/share/bash-completion/completions/openssl
./usr/bin/openssl

The OpenVPN that I'm currently running is version 2.4.3.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 10:56 am

I suggest using a fresh openssl.

Download 1.1.0f, untar

./config shared -Wl,-rpath=/opt/openssl-1.1.0f/lib --prefix=/opt/openssl-1.1.0f/
make
sudo make install

It will install a fresh openssl in the /opt folder, so make sure that your easyrsa vars file points to /opt/openssl-1.1.0f/bin/openssl.

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 11:00 am

Okay, just downloaded and the sha256 checks out good. That command looks a little cryptic, what does it do?

./config shared -Wl,-rpath=/opt/openssl-1.1.0f/lib --prefix=/opt/openssl-1.1.0f/

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 11:07 am

https://wiki.openssl.org/index.php/Comp ... ing_RPATHs

If you don't compile openvpn with openssl (and I understand you use mbedtls) you can omit rpath, but I use it to avoid library linking problems in other software I use openssl for.

https://stackoverflow.com/questions/389 ... sl-version

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 11:10 am

In case you would like to compile openvpn with openssl, use the following for openvpn:

./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib" \

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 11:13 am

Ah, I see:
Note well: you should use a RPATH when building both OpenSSL and your program. If you don't add a RPATH to both, then your program could runtime-link to the wrong version of OpenSSL.
Okay, making now, should take some time..

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 11:17 am

dariusz wrote: In case you would like to compile openvpn with openssl, use the following for openvpn:

./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib" \

So I need to add the rpath for openvpn too, so that openvpn also links to the correct version of OpenSSL? So does this mean I need to re-make openvpn again?

Is this step really needed or is it optional?

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 11:21 am

It is your decision what encryption library you want to use with your openvpn. You can use mbedtls, openssl or libressl.

You have to add the path to the openvpn compilation if you use it with openssl.

Please note this is not related to easyrsa's openssl usage. easyrsa is just a set of shell scripts using openssl to generate certs. For easyrsa you just need a working openssl on your computer.
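A check for the runtime-linking problem discussed above (a binary picking up the wrong, or a missing, libssl), added here as an example and not code from this thread, OpenSSL or OpenVPN: it parses `ldd` output for a binary and reports whether libssl and libcrypto resolve from the intended OpenSSL prefix. The ldd output samples are constructed; the /opt/openssl-1.1.0f paths are the ones used in this thread.

```shell
#!/bin/sh
# Constructed ldd output: libraries resolve from the rpath'd prefix (what we want).
SAMPLE_GOOD='linux-vdso.so.1 (0x...)
    libssl.so.1.1 => /opt/openssl-1.1.0f/lib/libssl.so.1.1 (0x...)
    libcrypto.so.1.1 => /opt/openssl-1.1.0f/lib/libcrypto.so.1.1 (0x...)
    libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x...)'

# Constructed: the loader cannot find libssl at all (the "cannot open shared
# object file" error seen earlier in this thread).
SAMPLE_MISSING='    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found
    libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x...)'

# Constructed: libraries resolve, but from the distro copy, not the built one.
SAMPLE_SYSTEM='    libssl.so.1.1 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.1 (0x...)
    libcrypto.so.1.1 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.1 (0x...)
    libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x...)'

# check_ssl_links LDD_OUTPUT EXPECTED_LIBDIR
# Exit status: 0 = both libs resolve under EXPECTED_LIBDIR,
#              1 = a lib is unresolved or not linked at all,
#              2 = a lib resolves from some other directory.
check_ssl_links() {
  out=$1
  libdir=$2
  rc=0
  for lib in libssl libcrypto; do
    line=$(printf '%s\n' "$out" | grep "^[[:space:]]*$lib\.so" || true)
    case "$line" in
      "")                 echo "$lib: not linked"; rc=1 ;;
      *"not found"*)      echo "$lib: unresolved"; rc=1 ;;
      *"=> $libdir/"*)    echo "$lib: ok ($libdir)" ;;
      *) echo "$lib: resolves outside $libdir"; if [ "$rc" -eq 0 ]; then rc=2; fi ;;
    esac
  done
  return "$rc"
}

# Real use on a built binary (hypothetical path from this thread):
#   check_ssl_links "$(ldd /opt/openssl-1.1.0f/bin/openssl)" /opt/openssl-1.1.0f/lib
check_ssl_links "$SAMPLE_GOOD" /opt/openssl-1.1.0f/lib
```

The same check applied to the openvpn binary tells you whether the rpath from the configure line took effect before you trust the build in production.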

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 11:32 am

So I just ran the command


CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib"
and then I ran make. Am I doing this correctly?

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 11:37 am

If you decided to switch from mbedtls to openssl, then the command is:

./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib" \


However if you successfully compiled openvpn already with mbedtls just leave it. Compile openssl to make sure that you have one working on your computer so you can use easyrsa.

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 11:41 am

The --enable-systemd, is it a command you run in the terminal? It looks like a line that you would put in your server.conf..

and I ran the


CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib"
in a terminal without issues and then ran make install.


Oh and, does it matter what library I use? Is one more secure than the other or is it all the same level of security?
