compiling and installing the latest openvpn on Raspbian Stretch

Weekly dev snapshots are available for testing.
We talk about them here. Testing features in the dev snapshot helps the features make it to stable.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please report your experience with testing branch. Include what you were using and how
If there is a problem, the more info the better!
jimdoe
OpenVPN User
Posts: 41
Joined: Fri Oct 13, 2017 10:22 pm

compiling and installing the latest openvpn on Raspbian Stretch

Post by jimdoe » Fri Oct 13, 2017 10:36 pm

First off, I'd just like to say what a great and informative thread this is. Very helpful - thanks! I've used this thread as a reference now on two openvpn server installations :D

So, has anyone tried compiling and installing the latest openvpn on Raspbian Stretch? I'm having issues with the --enable-systemd option for ./configure.

I'm having the exact same problem compiling as matt2336 had
matt3226 wrote:
Tue Jul 18, 2017 2:19 am
When recompiling openvpn to use systemd, I get this:

Code: Select all

checking for libsystemd... no
checking for libsystemd... no
configure: error: Package requirements (libsystemd-daemon) were not met:

No package 'libsystemd-daemon' found
I tried apt-get install libsystemd-daemon0, I thought it was a missing package/dependency?

That didn't work..
and running the 'sudo apt-get install libsystemd-daemon-dev' command doesn't work on stretch, as apparently the daemon-dev package is depreciated now. apt-get reports

Code: Select all

Package libsystemd-daemon-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  libsystemd-dev
I have libsystemd-dev installed, but the systemd error during compile is still occuring. Seems strange that they have depreciated the daemon-dev package because it is apparently not needed, but they failed to make the new package compatible with software that hasn't yet been updated to this change.

Also, would chacha20 with poly1305 be better to use on a pi? And if so, what is the best ec curve to use when creating the certificates using easy-rsa? They don't seem to be options when I list available ec curves using

Code: Select all

/opt/libressl/bin/openssl ecparam -list-curves

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by TinCanTech » Sat Oct 14, 2017 12:23 am

jimdoe wrote:
Fri Oct 13, 2017 10:36 pm
First off, I'd just like to say what a great and informative thread this is
which thread ? .. this thread:
viewtopic.php?f=4&t=23227

The worse case of thread hijack so far ..

jimdoe
OpenVPN User
Posts: 41
Joined: Fri Oct 13, 2017 10:22 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by jimdoe » Sat Oct 14, 2017 7:47 am

TinCanTech wrote:
Sat Oct 14, 2017 12:23 am
jimdoe wrote:
Fri Oct 13, 2017 10:36 pm
First off, I'd just like to say what a great and informative thread this is
which thread ? .. this thread:
viewtopic.php?f=4&t=23227

The worse case of thread hijack so far ..
:|
I'm not sure exactly how it was the worst case of a thread hijack and why you moved my post? I am trying to set up openvpn servers to use ec. I am a beginner to openvpn and the whole reason I got interested in it was because I was interested in the EC crypto introduced in 2.4, so it was a natural starting place and it has some extremely useful posts. But mostly because I was running into exactly the same problem with systemd that other people in that thread had run into! From my perspective, since I'd been using that thread as a 2.4 reference guide to implementing ec when I started doing this in the summer (there wasn't much documentation on 2.4 or ec), it was just a continuation of the conversation about compiling that the thread had going on.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by TinCanTech » Sat Oct 14, 2017 2:25 pm

Perhaps this was not as bad as it first appeared .. this thread is linked both ways to the other thread.

however:

Your post is regarding compiling openvpn on Raspian Stretch.
Your post is asking a specific question about systemd-dev.
It is not about Elliptic Curve.
jimdoe wrote:
Fri Oct 13, 2017 10:36 pm
I have libsystemd-dev installed, but the systemd error during compile is still occuring
I have just built openvpn on Debian9 (no access to raspian) with --enable-systemd and it works.

There is some kind of issue with the systemd part though, perhaps it is related to what you are experiencing.

For me ./configure --enable-systemd works but the resulting binary shows enable-systemd=no

Asking the devs for advice now ..

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dariusz » Sun Oct 15, 2017 1:38 pm

I am migrating my RPi to stretch so should have some feedback soon. Running stretch and openvpn on other machines was no problem at all. Compiling with all required options flawlessly. I will share my Raspbian Stretch findings soon.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by TinCanTech » Sun Oct 15, 2017 1:46 pm

After thorough testing, I can say that openvpn on debian 9 runs as expected with systemd.

User avatar
dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dazo » Mon Oct 16, 2017 8:16 am

Please ensure you have both pkg-config and libsystemd-dev (or systemd-devel, or the equivalent) installed. That should help ensuring ./configure detects the systemd library.

User avatar
dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dazo » Mon Oct 16, 2017 8:38 am

Also, would chacha20 with poly1305 be better to use on a pi? And if so, what is the best ec curve to use when creating the certificates using easy-rsa? They don't seem to be options when I list available ec curves using [...]
I believe there are two questions here intertwined.

The easy-rsa (please ensure you use easy-rsa 3 for the latest EC stuff to function, or another CA tool like XCA) is one thing and the certificate requirements are mostly "whatever your OpenSSL can deal with". These things relates to what is handled by the OpenVPN control channel traffic. To control the ciphers there is the --tls-cipher and --show-tls options. But you very seldom need to tweak this setting, as both the local and remote OpenVPN instance will negotiate the best cipher both sides supports. Pretty much a standard TLS handshake, so the control channel utilizes asymmetric encryption (pirvate/public keys) to establish a communication channel for the control messages.

The tunnelled network traffic is a different side of things. If both sides runs OpenVPN 2.4, there is a limited type of negotiation of the --cipher option. To enlist all supported ciphers, you can use --show-ciphers. By default, if both sides run v2.4, the server expects the client to support and switch to AES-256-GCM. There is no EC cipher support on the data channel, and the data channel is symmetric (using a shared secret between the local and remote instance).

So to bind these two things together. The control channel is used to derive a shared secret, where this happens over a TLS enabled communication channel. For v2.4, this is also where the server tells the client which cipher it wants the client to use. Once that is done, the shared secret and cipher parameters is activated and network traffic will now be passed over the data channel using these options - where the encryption is symmetric. And at regular intervals (unless disabled, default is 1 hour) this symmetric encryption key is rotated and replaced with a new one.


And a final word about easy-rsa and the CA side of this. You don't need to use easy-rsa, but it is one of more tools which works fine. But DO NOT save the CA private key on any Internet connected device or host. If someone manages to grab that file, it is fairly trivial to issue new certificates without your knowledge. And this can be used to both act as a server or connecting to your own server as a valid client (couple these two together, and you have a "perfect" setup for a MITM attack, where the attacker can access the tunnelled traffic in clear text). So put your CA on a device not directly connected on the Internet, preferably on an offline device only to be activated when you need to do CA operations.

If a kitten would be killed each time any one reads the various blog posts on the Internet where the CA is configured and installed on the OpenVPN server ... there would not be any kittens left in this world. Seriously. This is the most common error and misguided advices on OpenVPN on the interwebs, because those who wrote it obviously have not understood the full security impact of their "nice howto". So, if you do put your CA on the OpenVPN server ... think about those cute kittens.

User avatar
dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dazo » Mon Oct 16, 2017 8:50 am

Just a final remark, as I forgot a few details.

First regarding the data channel (--cipher), AES-256-GCM (or AES-128-GCM) is by far the best performing ciphers which is considered secure in OpenVPN. the GCM variant gives less network traffic overhead and the decryption and authentication of the packet happens in a single crypto operation. Unless the RPi have the AES-NI instruction set (I doubt it has), the performance is not as good as some other ciphers. But the majority of the alternatives are not as strong and secure as AES. And you should definitely not use the deprecated ciphers (like Blowfish/BF-CBC, DES, RC2 or CAST5).

The alternative is AES-256-CBC (or AES-128-CBC) with SHA1 or SHA256 authentication. Here packets need to be decrypted and authenticated in separate crypto operations. In addition it increases each packet on the wire with 20-32 bytes. This is the overhead. And don't consider anything higher than SHA256. It does not provide much improved security for the tunnel itself, it will just slow it down considerably. For example SHA512 increases each data channel packet with 64 bytes.

For the control channel (--tls-cipher), the gains here of tweaking it makes little impact on the overall performance. This can be tweaked if you fully understand the crypto used in TLS and want to avoid certain TLS ciphers, But otherwise, the default is mostly quite sane and good, at least in OpenVPN 2.4.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dariusz » Tue Oct 17, 2017 10:11 am

Compiling and installing the latest openvpn on Raspbian Stretch. I have installed this OS on RPi2 and then successfully compiled openvpn 2.4.4.

./configure --enable-systemd && make -j 4 && sudo make install

results in compiled binary:

openvpn --version

OpenVPN 2.4.4 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 17 2017
library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no
enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no



For you reference I've installed following additional packages - most of them are not needed for openvpn but it is my standard set I always install to compile some other programs as well

sudo apt-get install libncurses5-dev texinfo libffi-dev gettext libmount-dev libpcre3-dev libsystemd-dev libssl-dev libpam0g-dev liblzo2-dev libprotobuf10 libprotobuf-dev protobuf-compiler libslang2-dev

pianoquintet
OpenVpn Newbie
Posts: 4
Joined: Tue Mar 13, 2018 3:37 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by pianoquintet » Tue Mar 13, 2018 4:55 pm

I followed the above instructions and yet I am unable to start openvpn:

# systemctl start openvpn.service

Failed to start openvpn.service: Unit openvpn.service not found.

Can someone please advise?

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dariusz » Tue Mar 13, 2018 5:16 pm

Your error message is rather self explanatory. You are missing openvpn.service unit.

If you are not familiar with systemd configuration I would suggest use some easy way like described here: http://www.pivpn.io

pianoquintet
OpenVpn Newbie
Posts: 4
Joined: Tue Mar 13, 2018 3:37 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by pianoquintet » Wed Mar 21, 2018 5:30 pm

Thank you. Why does "make install" not create the openvpn.service unit in Debian Stretch? I compiled and installed OpenVPN under Debian Jessie and it did create it. Installing under Debian Stretch with apt install openvpn does the same (although it installs a somewhat dated v. 2.4.0).

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dariusz » Wed Mar 21, 2018 5:40 pm

No idea why not. I have also created it manually.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by TinCanTech » Wed Mar 21, 2018 8:42 pm

pianoquintet wrote:
Wed Mar 21, 2018 5:30 pm
Why does "make install" not create the openvpn.service unit
That unit file is no longer supported by openvpn for systemd enabled OSs.
If you want it I believe you will have to get it from a legacy OS with init.d

These are the service files which are installed and supported:

Code: Select all

root@deb9:/home/openvpn/master# ls -l /usr/local/lib/systemd/system
total 8
-rw-r--r-- 1 root staff 708 Mar 21 20:34 openvpn-client@.service
-rw-r--r-- 1 root staff 814 Mar 21 20:34 openvpn-server@.service

pianoquintet
OpenVpn Newbie
Posts: 4
Joined: Tue Mar 13, 2018 3:37 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by pianoquintet » Thu Mar 22, 2018 8:29 am

Just to be clear, I am not fixated on any particular systemd or inet.d unit. To put it very simply, all I am expecting is the ability to start OpenVPN as a service at boot and to start and stop the service with a simple command later. Unless I am mistaken, as things currently stand:

(i) if you install OpenVPN via packet manager in Debian 8 o 9, it starts on boot and can be started and stopped with a sysctl call
(ii) if you self compile and install under Debian 8 you get the same result
(iii) if you self compile and install under Debian 9 it does not start at boot and you are unable to start it or stop it with sysctl or otherwise

There does not seem to be a simple tutorial around that shows how to start on boot and later start and stop a self compiled OpenVPN in Debian 9. Incidentally, pivpn only seems to support Debian 8.

Thank you all.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dariusz » Thu Mar 22, 2018 8:43 am

I was lazy so I installed OpenVPN via package manager to have openvpn.service and openvpn@.service in /lib/systemd/system folder

Please also make sure that /lib/systemd/system-generators/openvpn-generator is also preserved

I uninstalled packaged OpenVPN then installed my own. Edit openvpn.service and openvpn@.service to point to your files.

you might have to run "sudo systemctl unmask openvpn" and you are ready to go.

pianoquintet
OpenVpn Newbie
Posts: 4
Joined: Tue Mar 13, 2018 3:37 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by pianoquintet » Tue Mar 27, 2018 9:46 am

Thanks Dariusz. I tried that but could not figure out how to edit openvpn.service and openvpn@.service to make them work with the self compiled version. I would be grateful if you had any tips.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dariusz » Tue Mar 27, 2018 9:51 am

see mine here:

openvpn.service -

[Unit]
Description=OpenVPN service
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/etc/openvpn
[Install]
WantedBy=multi-user.target

and openvpn@.service

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
[Service]
Type=forking
ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
[Install]
WantedBy=multi-user.target

jimdoe
OpenVPN User
Posts: 41
Joined: Fri Oct 13, 2017 10:22 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by jimdoe » Fri Mar 30, 2018 9:21 pm

Hi Dariusz. Have you managed to succesfully compile openvpn with the 1.1.0 branch of openssl on stretch, and use some of the modern ciphers included in 1.1?

I seem to have succefully compiled 2.4.5 with openssl 1.1.0h on debian stretch. Running openvpn —version outputs:

Code: Select all

OpenVPN 2.4.5 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 29 2018
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
However, trying to connect with latest beta of tunnelblick using the same version of openssl (1.1.0h), I’m getting a time out error on the client, and a no shared tls cipher on the server log:

Code: Select all

TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.


Thu Mar 29 22:45:53 2018 OpenSSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher


Thu Mar 29 22:45:53 2018 TLS_ERROR: BIO read tls_read_plaintext error


Thu Mar 29 22:45:53 TLS Error: TLS object -> incoming plaintext read error


Thu Mar 29 22:45:53 TLS Error: TLS handshake failed
What’s strange is that I can connect perfectly fine when using openssl 1.0.2o on the tunnelblick client. I’ve asked on the tunnelblick forums, but they think it’s most likely an issue with the compiled openvpn on the server.

What’s also strange is that running —show-tls on both server and client show the exact same list of ciphers. Even including a list of ciphers using the —tls-cipher option in both the server and client config files doesn’t solve this. Have you had any luck connecting a 1.1.0h openssl client to a 1.1.0h openssl server?

Post Reply