compiling and installing the latest openvpn on Raspbian Stretch

jimdoe
OpenVpn Newbie
Posts: 8
Joined: Fri Oct 13, 2017 10:22 pm

compiling and installing the latest openvpn on Raspbian Stretch

Post by jimdoe » Fri Oct 13, 2017 10:36 pm

First off, I'd just like to say what a great and informative thread this is. Very helpful - thanks! I've used this thread as a reference now on two openvpn server installations :D

So, has anyone tried compiling and installing the latest openvpn on Raspbian Stretch? I'm having issues with the --enable-systemd option for ./configure.

I'm having the exact same problem compiling as matt2336 had
matt3226 wrote:
Tue Jul 18, 2017 2:19 am
When recompiling openvpn to use systemd, I get this:


checking for libsystemd... no
checking for libsystemd... no
configure: error: Package requirements (libsystemd-daemon) were not met:

No package 'libsystemd-daemon' found
I tried apt-get install libsystemd-daemon0, I thought it was a missing package/dependency?

That didn't work..
and running the 'sudo apt-get install libsystemd-daemon-dev' command doesn't work on stretch, as apparently the daemon-dev package is deprecated now. apt-get reports


Package libsystemd-daemon-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  libsystemd-dev
I have libsystemd-dev installed, but the systemd error during compile is still occurring. Seems strange that they have deprecated the daemon-dev package because it is apparently not needed, but they failed to make the new package compatible with software that hasn't yet been updated to this change.

Also, would chacha20 with poly1305 be better to use on a pi? And if so, what is the best ec curve to use when creating the certificates using easy-rsa? They don't seem to be options when I list available ec curves using


/opt/libressl/bin/openssl ecparam -list-curves

TinCanTech
OpenVPN Protagonist
Posts: 3735
Joined: Fri Jun 03, 2016 1:17 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by TinCanTech » Sat Oct 14, 2017 12:23 am

jimdoe wrote:
Fri Oct 13, 2017 10:36 pm
First off, I'd just like to say what a great and informative thread this is
which thread ? .. this thread:
viewtopic.php?f=4&t=23227

The worst case of thread hijack so far ..

jimdoe
OpenVpn Newbie
Posts: 8
Joined: Fri Oct 13, 2017 10:22 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by jimdoe » Sat Oct 14, 2017 7:47 am

TinCanTech wrote:
Sat Oct 14, 2017 12:23 am
jimdoe wrote:
Fri Oct 13, 2017 10:36 pm
First off, I'd just like to say what a great and informative thread this is
which thread ? .. this thread:
viewtopic.php?f=4&t=23227

The worst case of thread hijack so far ..
:|
I'm not sure exactly how it was the worst case of a thread hijack and why you moved my post? I am trying to set up openvpn servers to use ec. I am a beginner to openvpn and the whole reason I got interested in it was because I was interested in the EC crypto introduced in 2.4, so it was a natural starting place and it has some extremely useful posts. But mostly because I was running into exactly the same problem with systemd that other people in that thread had run into! From my perspective, since I'd been using that thread as a 2.4 reference guide to implementing ec when I started doing this in the summer (there wasn't much documentation on 2.4 or ec), it was just a continuation of the conversation about compiling that the thread had going on.

TinCanTech
OpenVPN Protagonist
Posts: 3735
Joined: Fri Jun 03, 2016 1:17 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by TinCanTech » Sat Oct 14, 2017 2:25 pm

Perhaps this was not as bad as it first appeared .. this thread is linked both ways to the other thread.

however:

Your post is regarding compiling openvpn on Raspbian Stretch.
Your post is asking a specific question about systemd-dev.
It is not about Elliptic Curve.
jimdoe wrote:
Fri Oct 13, 2017 10:36 pm
I have libsystemd-dev installed, but the systemd error during compile is still occuring
I have just built openvpn on Debian9 (no access to Raspbian) with --enable-systemd and it works.

There is some kind of issue with the systemd part though, perhaps it is related to what you are experiencing.

For me ./configure --enable-systemd works but the resulting binary shows enable-systemd=no

Asking the devs for advice now ..

dariusz
OpenVPN Power User
Posts: 77
Joined: Sat Jan 14, 2017 1:42 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dariusz » Sun Oct 15, 2017 1:38 pm

I am migrating my RPi to stretch so should have some feedback soon. Running stretch and openvpn on other machines was no problem at all. Compiling with all required options flawlessly. I will share my Raspbian Stretch findings soon.

TinCanTech
OpenVPN Protagonist
Posts: 3735
Joined: Fri Jun 03, 2016 1:17 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by TinCanTech » Sun Oct 15, 2017 1:46 pm

After thorough testing, I can say that openvpn on debian 9 runs as expected with systemd.

dazo
OpenVPN Inc.
Posts: 124
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ irc.freenode.net

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dazo » Mon Oct 16, 2017 8:16 am

Please ensure you have both pkg-config and libsystemd-dev (or systemd-devel, or the equivalent) installed. That should help ensuring ./configure detects the systemd library.

dazo
OpenVPN Inc.
Posts: 124
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ irc.freenode.net

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dazo » Mon Oct 16, 2017 8:38 am

Also, would chacha20 with poly1305 be better to use on a pi? And if so, what is the best ec curve to use when creating the certificates using easy-rsa? They don't seem to be options when I list available ec curves using [...]
I believe there are two questions here intertwined.

The easy-rsa (please ensure you use easy-rsa 3 for the latest EC stuff to function, or another CA tool like XCA) is one thing and the certificate requirements are mostly "whatever your OpenSSL can deal with". These things relate to what is handled by the OpenVPN control channel traffic. To control the ciphers there are the --tls-cipher and --show-tls options. But you very seldom need to tweak this setting, as both the local and remote OpenVPN instances will negotiate the best cipher both sides support. Pretty much a standard TLS handshake, so the control channel utilizes asymmetric encryption (private/public keys) to establish a communication channel for the control messages.

The tunnelled network traffic is a different side of things. If both sides run OpenVPN 2.4, there is a limited type of negotiation of the --cipher option. To list all supported ciphers, you can use --show-ciphers. By default, if both sides run v2.4, the server expects the client to support and switch to AES-256-GCM. There is no EC cipher support on the data channel, and the data channel is symmetric (using a shared secret between the local and remote instance).

So to bind these two things together: the control channel is used to derive a shared secret, and this happens over a TLS-enabled communication channel. For v2.4, this is also where the server tells the client which cipher it wants the client to use. Once that is done, the shared secret and cipher parameters are activated and network traffic will now be passed over the data channel using these options, where the encryption is symmetric. And at regular intervals (unless disabled, default is 1 hour) this symmetric encryption key is rotated and replaced with a new one.


And a final word about easy-rsa and the CA side of this. You don't need to use easy-rsa, but it is one of several tools which work fine. But DO NOT save the CA private key on any Internet-connected device or host. If someone manages to grab that file, it is fairly trivial to issue new certificates without your knowledge. And this can be used both to act as a server and to connect to your own server as a valid client (couple these two together, and you have a "perfect" setup for a MITM attack, where the attacker can access the tunnelled traffic in clear text). So put your CA on a device not directly connected to the Internet, preferably on an offline device only to be activated when you need to do CA operations.

If a kitten were killed each time anyone reads the various blog posts on the Internet where the CA is configured and installed on the OpenVPN server ... there would not be any kittens left in this world. Seriously. This is the most common error and misguided advice on OpenVPN on the interwebs, because those who wrote it obviously have not understood the full security impact of their "nice howto". So, if you do put your CA on the OpenVPN server ... think about those cute kittens.

dazo
OpenVPN Inc.
Posts: 124
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ irc.freenode.net

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dazo » Mon Oct 16, 2017 8:50 am

Just a final remark, as I forgot a few details.

First regarding the data channel (--cipher), AES-256-GCM (or AES-128-GCM) are by far the best performing ciphers which are considered secure in OpenVPN. The GCM variant gives less network traffic overhead and the decryption and authentication of the packet happen in a single crypto operation. Unless the RPi has the AES-NI instruction set (I doubt it has), the performance is not as good as with some other ciphers. But the majority of the alternatives are not as strong and secure as AES. And you should definitely not use the deprecated ciphers (like Blowfish/BF-CBC, DES, RC2 or CAST5).

The alternative is AES-256-CBC (or AES-128-CBC) with SHA1 or SHA256 authentication. Here packets need to be decrypted and authenticated in separate crypto operations. In addition it increases each packet on the wire by 20-32 bytes. This is the overhead. And don't consider anything higher than SHA256. It does not provide much improved security for the tunnel itself, it will just slow it down considerably. For example SHA512 increases each data channel packet by 64 bytes.

For the control channel (--tls-cipher), the gains of tweaking it make little impact on the overall performance. This can be tweaked if you fully understand the crypto used in TLS and want to avoid certain TLS ciphers. But otherwise, the default is mostly quite sane and good, at least in OpenVPN 2.4.
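The two posts from dazo above boil down to a handful of things you can check mechanically in a server config: no deprecated 64-bit-block cipher in --cipher, AES-GCM negotiation left on, --auth not pushed past SHA256, the hourly rekey not disabled, and above all no CA private key sitting next to the server config. The script below is an added example, not code from the thread or from the OpenVPN project; the two sample configs and the stray ca.key it creates in a temp directory are constructed for the demo, and the "ca.key in the config dir or pki/private/" check is a heuristic based on the easy-rsa 3 default layout, not something the posts state.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenVPN 2.4 server config and
# its directory against the points dazo makes above. File names below are
# constructed for the demo; pass your own path to audit a real config.

# audit_openvpn_conf CONFIG_FILE
# Prints one finding per line; the return code is the number of findings.
audit_openvpn_conf() {
    conf="$1"
    conf_dir=$(dirname "$conf")
    findings=0

    # Data channel: the deprecated ciphers dazo lists (BF-CBC, DES, RC2, CAST5).
    if grep -Eiq '^[[:space:]]*cipher[[:space:]]+(BF|DES|DESX|RC2|CAST5)-' "$conf"; then
        echo "FAIL: deprecated data-channel cipher set with --cipher"
        findings=$((findings + 1))
    fi

    # 2.4 moves both ends to AES-*-GCM unless negotiation is switched off;
    # ncp-disable pins clients to the static --cipher value above.
    if grep -Eq '^[[:space:]]*ncp-disable' "$conf"; then
        echo "WARN: ncp-disable set; AES-GCM negotiation is off"
        findings=$((findings + 1))
    fi

    # --auth above SHA256 only adds per-packet overhead (SHA512 = 64 bytes).
    if grep -Eiq '^[[:space:]]*auth[[:space:]]+(SHA384|SHA512|whirlpool)' "$conf"; then
        echo "WARN: --auth stronger than SHA256 adds overhead without a real gain"
        findings=$((findings + 1))
    fi

    # reneg-sec 0 turns off the default hourly data-channel key rotation.
    if grep -Eq '^[[:space:]]*reneg-sec[[:space:]]+0([[:space:]]|$)' "$conf"; then
        echo "WARN: reneg-sec 0 disables data-channel key rotation"
        findings=$((findings + 1))
    fi

    # The kitten check: a CA private key on the VPN server. Heuristic, assumes
    # the easy-rsa 3 default name ca.key in the config dir or pki/private/.
    for key in "$conf_dir/ca.key" "$conf_dir/pki/private/ca.key"; do
        if [ -f "$key" ]; then
            echo "FAIL: CA private key $key lives on the VPN server"
            findings=$((findings + 1))
            break
        fi
    done

    return "$findings"
}

# --- constructed demo inputs (not real deployments) -------------------------
demo=$(mktemp -d)
cat > "$demo/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher BF-CBC
auth SHA512
ncp-disable
reneg-sec 0
EOF
: > "$demo/ca.key"          # the mistake dazo warns about

mkdir -p "$demo/good"
cat > "$demo/good/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
EOF

echo "== weak.conf"
audit_openvpn_conf "$demo/weak.conf" || echo "findings: $?"
echo "== good/server.conf"
audit_openvpn_conf "$demo/good/server.conf" && echo "findings: 0"
```

Run it against /etc/openvpn/server.conf (or wherever your config lives) and treat any FAIL as a stop: a deprecated cipher is a config edit, but a CA key on the server means the CA should be re-created offline and every certificate it issued replaced, since you cannot know whether the key was already copied.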

dariusz
OpenVPN Power User
Posts: 77
Joined: Sat Jan 14, 2017 1:42 pm

Re: compiling and installing the latest openvpn on Raspbian Stretch

Post by dariusz » Tue Oct 17, 2017 10:11 am

Compiling and installing the latest openvpn on Raspbian Stretch. I have installed this OS on RPi2 and then successfully compiled openvpn 2.4.4.

./configure --enable-systemd && make -j 4 && sudo make install

results in compiled binary:

openvpn --version

OpenVPN 2.4.4 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 17 2017
library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no
enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no



For your reference, I've installed the following additional packages - most of them are not needed for openvpn but it is my standard set I always install to compile some other programs as well

sudo apt-get install libncurses5-dev texinfo libffi-dev gettext libmount-dev libpcre3-dev libsystemd-dev libssl-dev libpam0g-dev liblzo2-dev libprotobuf10 libprotobuf-dev protobuf-compiler libslang2-dev
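Putting dazo's hint (pkg-config plus libsystemd-dev) and dariusz's build line together, the thread's procedure can be wrapped so that the result is actually checked rather than eyeballed: confirm pkg-config can resolve the libsystemd module before running ./configure, then parse `openvpn --version` for the enable_systemd flag and the linked SSL library. This is an added example, not code from the thread or from OpenVPN; the trimmed dependency list is my assumption of the minimum for an OpenSSL + LZO + LZ4 + PAM + systemd build, the source-tree path is whatever you unpacked, and the embedded sample output is dariusz's own output from the post above with the long defines line shortened. Without the --build argument the script only runs the parsing step on that sample, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: build OpenVPN 2.4 on Raspbian Stretch
# with --enable-systemd and verify the binary actually got it.
# Usage:  sh build-check.sh --build /path/to/openvpn-2.4.4   (real build)
#         sh build-check.sh                                   (dry run on sample)

# Step 1: what dazo says ./configure needs to see libsystemd. The list is
# an assumed minimum, trimmed from dariusz's larger set.
install_build_deps() {
    sudo apt-get install -y build-essential pkg-config libsystemd-dev \
        libssl-dev liblzo2-dev liblz4-dev libpam0g-dev
}

# Step 2: the same lookup PKG_CHECK_MODULES does inside ./configure. If this
# fails, --enable-systemd will fail with the "libsystemd-daemon" error above.
pkgconfig_has() {
    command -v pkg-config >/dev/null 2>&1 && pkg-config --exists "$1"
}

# Step 3: dariusz's build line, run from an unpacked source tree.
build_openvpn() {
    (cd "$1" && ./configure --enable-systemd \
        && make -j "$(nproc 2>/dev/null || echo 4)" && sudo make install)
}

# Step 4: pull enable_systemd=... out of the "Compile time defines" line.
# Prints yes/no, or nothing if the field is absent.
systemd_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^enable_systemd=//p' | head -n 1
}

# Step 5: which SSL library the binary was linked against. Useful when a
# self-built LibreSSL in /opt is around and you want to know which one won.
ssl_version() {
    printf '%s\n' "$1" | sed -n 's/^library versions: OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# dariusz's captured output (defines line trimmed to a few fields).
SAMPLE_VERSION='OpenVPN 2.4.4 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 17 2017
library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
Compile time defines: enable_async_push=no enable_crypto=yes enable_lz4=yes enable_lzo=yes enable_systemd=yes with_crypto_library=openssl'

if [ "${1:-}" = "--build" ]; then
    srcdir="${2:?usage: $0 --build /path/to/openvpn-source}"
    install_build_deps
    pkgconfig_has libsystemd || { echo "pkg-config cannot find libsystemd" >&2; exit 1; }
    build_openvpn "$srcdir"
    out=$(openvpn --version 2>&1 || true)   # --version exits non-zero on 2.4
    echo "enable_systemd=$(systemd_flag "$out")  openssl=$(ssl_version "$out")"
else
    echo "dry run on the captured output from the post above:"
    echo "enable_systemd=$(systemd_flag "$SAMPLE_VERSION")  openssl=$(ssl_version "$SAMPLE_VERSION")"
fi
```

If the dry run shows enable_systemd=yes but your own build shows no, the ./configure summary is the place to look: configure silently falls back when the pkg-config lookup fails, which is exactly the symptom TinCanTech describes above, and the fix is the pkg-config check in step 2, not a different dev package.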
