Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jan 31, 2017 10:20 am
If anybody is interested, I have found out that compiling OpenVPN 2.4 with the latest LibreSSL 2.5.0 library allows me to use ECDHE-ECDSA-CHACHA20-POLY1305 for the control channel; potentially it should be faster and lighter for mobile devices with CPUs without AES instruction support. Why use ChaCha?
See https://blog.cloudflare.com/do-the-chac ... ptography/
Different context, but the principle remains the same: the relatively new kid on the crypto block has some advantages.
Compilation instructions for my Raspberry Pi:
1) LibreSSL
./configure --prefix=/opt/libressl-2.5.0
make -j 4 && sudo make install
2) OpenVPN
./configure --enable-systemd --with-crypto-library=openssl OPENSSL_SSL_LIBS="-L/opt/libressl-2.5.0/lib/ -lssl" OPENSSL_SSL_CFLAGS="-I/opt/libressl-2.5.0/include/" OPENSSL_CRYPTO_LIBS="-L/opt/libressl-2.5.0/lib/ -lcrypto" OPENSSL_CRYPTO_CFLAGS="-I/opt/libressl-2.5.0/include/" LDFLAGS="-L/opt/libressl-2.5.0/lib/"
make -j 4 && sudo make install
Result of openvpn --version:
OpenVPN 2.4.0 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 27 2017
library versions: LibreSSL 2.5.0, LZO 2.09
Now a small change to server.config (do the same on the client side if you use the tls-cipher directive):
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
And now, when using macOS with the latest (3.7.0) Tunnelblick with the OpenVPN version set to 2.4 with LibreSSL 2.5.0, it nicely connects with the latest crypto:
Tue Jan 31 09:32:59 2017 12.210.44.77:59459 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-CHACHA20-POLY1305
Please note that at the moment the iOS OpenVPN client does not support 2.4 yet... so it only works from desktop. Let's hope that this will change soon.
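Added example, not part of the post above and not OpenVPN's or LibreSSL's own tooling: a POSIX shell script that wraps the two build steps from the post with the prefix parameterized, and then checks three things worth verifying rather than assuming: that the installed binary really links LibreSSL and carries the [AEAD] build flag (without it ChaCha20-Poly1305 is unavailable), that the config carries the exact tls-cipher directive (a mistyped directive name silently falls back to the default cipher list), and that the server log shows TLSv1.2 together with ECDHE-ECDSA-CHACHA20-POLY1305 on the control channel. The source paths, the `build`/`verify` subcommands and the sample strings in the checks are my assumptions. Two caveats a practitioner should keep in mind: an ECDHE-ECDSA suite needs EC certificates on both ends, and tls-cipher governs only the control channel; the data channel is set with cipher/ncp-ciphers, so the tunnel payload is not automatically ChaCha20-Poly1305.

```shell
#!/bin/sh
# Added example (not from the original post): build OpenVPN 2.4 against a private
# LibreSSL prefix with the configure flags from the post, then verify that the
# installed binary, the config and a live connection actually use what was intended.
# Assumptions (mine): LIBRESSL_SRC and OPENVPN_SRC point at unpacked source trees.

PREFIX="${PREFIX:-/opt/libressl-2.5.0}"
LIBRESSL_SRC="${LIBRESSL_SRC:-$HOME/src/libressl-2.5.0}"   # assumed path
OPENVPN_SRC="${OPENVPN_SRC:-$HOME/src/openvpn-2.4.0}"       # assumed path
EXPECTED_SUITE="ECDHE-ECDSA-CHACHA20-POLY1305"
EXPECTED_DIRECTIVE="tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"

# Step 1 from the post: LibreSSL into its own prefix so the system OpenSSL stays untouched.
build_libressl() {
    ( cd "$LIBRESSL_SRC" &&
      ./configure --prefix="$PREFIX" &&
      make -j 4 && sudo make install )
}

# Step 2 from the post: OpenVPN using the openssl backend, pointed at the LibreSSL prefix.
build_openvpn() {
    ( cd "$OPENVPN_SRC" &&
      ./configure --enable-systemd --with-crypto-library=openssl \
        OPENSSL_SSL_LIBS="-L$PREFIX/lib/ -lssl" \
        OPENSSL_SSL_CFLAGS="-I$PREFIX/include/" \
        OPENSSL_CRYPTO_LIBS="-L$PREFIX/lib/ -lcrypto" \
        OPENSSL_CRYPTO_CFLAGS="-I$PREFIX/include/" \
        LDFLAGS="-L$PREFIX/lib/" &&
      make -j 4 && sudo make install )
}

# Takes the text of 'openvpn --version'. Succeeds only if the binary links LibreSSL
# and was built with AEAD support (required for the ChaCha20-Poly1305 suite).
check_version_output() {
    _out="$1"
    printf '%s\n' "$_out" | grep -q '^library versions: LibreSSL ' || return 1
    printf '%s\n' "$_out" | grep -q '\[AEAD\]' || return 1
}

# Takes config text. Succeeds only if a non-comment line is exactly the intended
# tls-cipher directive; anything looser is treated as a misconfiguration.
check_tls_cipher_directive() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -qx "[[:space:]]*$EXPECTED_DIRECTIVE[[:space:]]*"
}

# Takes one log line. Succeeds only for a "Control Channel:" line that shows
# TLSv1.2 and the expected suite; an RSA or AES suite, or an older TLS, fails.
check_control_channel() {
    case "$1" in
        *"Control Channel: TLSv1.2, "*"$EXPECTED_SUITE"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: ./ecdsa-chacha.sh build
#        ./ecdsa-chacha.sh verify /var/log/openvpn.log /etc/openvpn/server.config
case "${1:-}" in
    build)
        build_libressl && build_openvpn &&
        check_version_output "$(openvpn --version 2>&1)" ;;
    verify)
        check_version_output "$(openvpn --version 2>&1)" || exit 1
        check_tls_cipher_directive "$(cat "$3")" || exit 1
        grep -q 'Control Channel:' "$2" || exit 1      # no handshake logged yet
        grep 'Control Channel:' "$2" | while IFS= read -r l; do
            check_control_channel "$l" || { echo "unexpected suite: $l" >&2; exit 1; }
        done ;;
esac
```

Run `verify` after at least one client has connected; every "Control Channel:" line in the log is checked, so a single client that negotiated something else (for example an older client that the pinned tls-cipher should have rejected) makes the script fail loudly instead of being lost in the log.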