OpenVPN 2.4 and pure elliptic curve crypto setup
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
there is no openssl in /usr/local/bin/openssl
you have to edit the following line in the vars file
set_var EASYRSA_OPENSSL "/usr/local/opt/openssl/bin/openssl"
and set this to wherever your openssl is
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Newbie question, how do I find where my openssl is located?
Is there a command I could run to find out?
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
which openssl
But then check if this is the right one in case you have multiple versions installed
WhateverPath/openssl version
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
which openssl outputs /usr/local/bin/openssl
EDIT: running openssl will output
Code: Select all
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
Last edited by matt3226 on Mon Jul 17, 2017 10:45 am, edited 1 time in total.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
And
/usr/local/bin/openssl version
?
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
same thing:
Code: Select all
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
EDIT: Closest solution I've found was in this thread
I followed along and ran
Code: Select all
sudo apt-get install libssl1.0.0 libssl-dev
Last edited by matt3226 on Mon Jul 17, 2017 10:48 am, edited 1 time in total.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Your OpenSSL is corrupted or not installed properly
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Download and do the config, make, make install again?
This time I'll verify the checksum or gpg...
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
1.
Code: Select all
cd /
2.
Code: Select all
find -name openssl
3.
Code: Select all
/path..../openvpn --version
?
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Code: Select all
find -name openssl
./home/pi/openssl-1.1.0f/include/openssl
./usr/local/include/openssl
./usr/local/share/doc/openssl
./usr/local/bin/openssl
./usr/lib/ruby/2.1.0/openssl
./usr/include/arm-linux-gnueabihf/openssl
./usr/include/openssl
./usr/share/doc/openssl
./usr/share/bash-completion/completions/openssl
./usr/bin/openssl
The openVPN that I'm currently running is version 2.4.3
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
I suggest to use fresh openssl
Download 1.1.0f, untar
./config shared -Wl,-rpath=/opt/openssl-1.1.0f/lib --prefix=/opt/openssl-1.1.0f/
make
sudo make install
It will install fresh openssl in /opt folder so make sure that your easyrsa vars file points to /opt/openssl-1.1.0f/bin/openssl
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Okay, just downloaded and sha256 checks out good. That command looks a little cryptic, what does it do?
Code: Select all
./config shared -Wl,-rpath=/opt/openssl-1.1.0f/lib --prefix=/opt/openssl-1.1.0f/
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
https://wiki.openssl.org/index.php/Comp ... ing_RPATHs
If you don't compile openvpn with openssl (and I understand you use mbedtls) you can omit rpath, but I use it to avoid library linking problems in other software I use openssl for.
https://stackoverflow.com/questions/389 ... sl-version
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
In case you would like to compile openvpn with openssl use following for openvpn:
./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib" \
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Ah, I see:
Note well: you should use a RPATH when building both OpenSSL and your program. If you don't add a RPATH to both, then your program could runtime-link to the wrong version of OpenSSL.
Okay, making now, should take some time..
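The loader error posted earlier in the thread (libssl.so.1.1: cannot open shared object file) and the RPATH advice quoted above can both be checked with ldd and readelf. This is an added example, not part of the original posts; the function names and the sample ldd/readelf output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report unresolved shared libraries and
# the embedded RPATH/RUNPATH of an openssl binary.

# Reads `ldd` output on stdin, prints each soname the loader could not resolve.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Reads `readelf -d` output on stdin, prints the embedded RPATH/RUNPATH, if any.
embedded_rpath() {
    sed -E -n 's/.*\((RPATH|RUNPATH)\).*\[(.*)\].*/\2/p'
}

# Constructed sample: ldd output for a binary whose libssl is not on the loader path.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x7efd2000)
    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found
    libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76d3a000)
EOF
}

# Constructed sample: readelf -d output for a binary built with -Wl,-rpath.
sample_readelf() {
    cat <<'EOF'
 0x00000001 (NEEDED)     Shared library: [libssl.so.1.1]
 0x0000001d (RUNPATH)    Library runpath: [/opt/openssl-1.1.0f/lib]
EOF
}

# Check one real binary; returns 0 only if every library resolves.
check_binary() {
    bin=$1; rpath=""
    [ -x "$bin" ] || { echo "$bin: not an executable"; return 2; }
    command -v ldd >/dev/null 2>&1 || { echo "ldd not installed"; return 2; }
    missing=$(ldd "$bin" 2>/dev/null | missing_libs | tr '\n' ' ')
    if command -v readelf >/dev/null 2>&1; then
        rpath=$(readelf -d "$bin" 2>/dev/null | embedded_rpath)
    fi
    echo "$bin: runpath=${rpath:-none} missing=${missing:-none}"
    [ -z "$missing" ]
}

# Usage: sh check.sh /usr/local/bin/openssl /opt/openssl-1.1.0f/bin/openssl
for bin in "$@"; do
    check_binary "$bin" || true
done
```

A binary that reports missing=none and a runpath pointing at its own lib directory will load the libssl it was built against, regardless of what else is installed.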
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
dariusz wrote:In case you would like to compile openvpn with openssl use following for openvpn:
./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib" \
So I need to add the rpath for openvpn too so that openvpn also links to the correct version of openSSL? So does this mean I need to re-make the openvpn again?
Is this step really needed or is it optional?
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
It is your decision what encryption library you want to use with your openvpn. You can use mbedtls, openssl or libressl.
You have to add the path to the openvpn compilation if you use it with openssl.
Please note this is not related to easyrsa openssl usage. easyrsa is just a set of shell scripts using openssl to generate certs. For easyrsa you just need a working openssl on your computer.
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
So I just ran the command and then I ran make, am I doing this correctly?
Code: Select all
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib"
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
if you decided to switch from mbedtls to openssl then
command is:
./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib" \
However if you successfully compiled openvpn already with mbedtls just leave it. Compile openssl to make sure that you have one working on your computer so you can use easyrsa.
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
The --enable-systemd is it a command you run in the terminal? It looks like a line that you would put in your server.conf..
and I ran the
Code: Select all
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib"
in a terminal without issues and then ran make install.
Oh and, does it matter what library I use? Is one more secure than the other or is it all the same level of security?