Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed Jun 21, 2017 5:06 pm
by umdmc
Yep. I checked both and they are different. So I guess it worked?

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed Jun 21, 2017 5:10 pm
by dariusz
The 3des file should indicate the key as encrypted, like in my example.

3des or aes key encryption is only important when transferring keys to your client over an insecure channel. It protects your private key from being compromised when in transit.

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed Jun 21, 2017 5:20 pm
by umdmc
Oh ok. Not sure why I am not getting the same output. Whatever it did, the new key still worked.

EDIT:

I must have typed something wrong initially because I went back and tried it and it worked. Oops. ;-)

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 9:31 am
by matt3226
Then I have built the latest OpenVPN 2.4

wget https://swupdate.openvpn.org/community/ ... 4.0.tar.gz
tar xvf openvpn-2.4.0.tar.gz
cd openvpn-2.4.0
./configure --with-crypto-library=mbedtls
make
sudo make install

I got errors while doing ./configure --with-crypto-library=mbedtls and fixed it following this thread on stackoverflow

I just drop it here to help out anyone following this tutorial..

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:21 am
by matt3226
I'm stuck at the command

./easyrsa init-pki

There seems to be something wrong with my openssl command, can't attach files here so here's an imgur

I'm using mbedtls-2.5.1, openssl-1.1.0f , and openvpn-2.4.3

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:26 am
by dariusz
there is no openssl in /usr/local/bin/openssl

you have to edit the following line in the vars file

set_var EASYRSA_OPENSSL "/usr/local/opt/openssl/bin/openssl"

and set this to wherever your openssl is

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:36 am
by matt3226
Newbie question, how do I find where my openssl is located?

Is there a command I could run to find out?

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:42 am
by dariusz
which openssl

But then check if this is the right one in case you have multiple versions installed

WhateverPath/openssl version

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:44 am
by matt3226
which openssl outputs /usr/local/bin/openssl


EDIT: running openssl will output

openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:45 am
by dariusz
And

/usr/local/bin/openssl version

?

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:46 am
by matt3226
same thing:

openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

EDIT: Closest solution I've found was in this thread

I followed along and ran

sudo apt-get install libssl1.0.0 libssl-dev

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:48 am
by dariusz
Your OpenSSL is corrupted or not installed properly

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:49 am
by matt3226
Download and do the config, make, make install again?

This time I'll verify the checksum or gpg...

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:50 am
by Pippin
1. cd /
2. find -name openssl
3. /path..../openvpn --version

?

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:55 am
by matt3226

find -name openssl
./home/pi/openssl-1.1.0f/apps/openssl
./home/pi/openssl-1.1.0f/include/openssl
./usr/local/include/openssl
./usr/local/share/doc/openssl
./usr/local/bin/openssl
./usr/lib/ruby/2.1.0/openssl
./usr/include/arm-linux-gnueabihf/openssl
./usr/include/openssl
./usr/share/doc/openssl
./usr/share/bash-completion/completions/openssl
./usr/bin/openssl

The openVPN that I'm currently running is version 2.4.3

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:56 am
by dariusz
I suggest using a fresh openssl

Download 1.1.0f, untar

./config shared -Wl,-rpath=/opt/openssl-1.1.0f/lib --prefix=/opt/openssl-1.1.0f/
make
sudo make install

It will install a fresh openssl in the /opt folder, so make sure that your easyrsa vars file points to /opt/openssl-1.1.0f/bin/openssl

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 11:00 am
by matt3226
Okay, just downloaded and sha256 checks out good. That command looks a little cryptic, what does it do?

 ./config shared -Wl,-rpath=/opt/openssl-1.1.0f/lib --prefix=/opt/openssl-1.1.0f/

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 11:07 am
by dariusz
https://wiki.openssl.org/index.php/Comp ... ing_RPATHs

If you don't compile openvpn with openssl (and I understand you use mbedtls) you can omit rpath, but I use it to avoid library linking problems in other software I use openssl for.

https://stackoverflow.com/questions/389 ... sl-version

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 11:10 am
by dariusz
In case you would like to compile openvpn with openssl use following for openvpn:

./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib"

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 11:13 am
by matt3226
Ah, I see:
Note well: you should use a RPATH when building both OpenSSL and your program. If you don't add a RPATH to both, then your program could runtime-link to the wrong version of OpenSSL.
Okay, making now, should take some time..
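
The libssl.so.1.1 loader error and the RPATH note above can be checked from the command line by reading what `ldd` and `readelf -d` report for the binary. This is an added example, not code from any poster in the thread; the function names and the sample tool output are constructed, and only the /opt/openssl-1.1.0f path comes from the thread.

```shell
#!/bin/sh
# Added example: explain a "cannot open shared object file" failure.
# Parsers read tool output on stdin so they can be checked offline.

# Names of libraries that ldd could not resolve ("=> not found").
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Path a given library resolved to; empty if it did not resolve.
resolved_path() {
    awk -v lib="$1" '$1 == lib && $2 == "=>" && $3 != "not" { print $3 }'
}

# RPATH/RUNPATH search path baked into the ELF file (from readelf -d).
elf_rpath() {
    awk '/\((RPATH|RUNPATH)\)/ && match($0, /\[.*\]/) {
        print substr($0, RSTART + 1, RLENGTH - 2) }'
}

# Constructed sample: ldd output of an openssl binary built without an rpath.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x7efb5000)
    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found
    libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76d4a000)
EOF
}

# Constructed sample: readelf -d lines after building with -Wl,-rpath=...
sample_readelf() {
    cat <<'EOF'
 0x00000001 (NEEDED)                     Shared library: [libssl.so.1.1]
 0x0000000f (RPATH)                      Library rpath: [/opt/openssl-1.1.0f/lib]
EOF
}

# Run against a real binary, e.g.: sh check.sh /usr/local/bin/openssl
# ldd may execute the target's loader, so use it only on binaries you built.
diagnose() {
    out=$(ldd "$1" 2>/dev/null) || { echo "ldd failed: $1" >&2; return 2; }
    echo "rpath: $(readelf -d "$1" 2>/dev/null | elf_rpath)"
    missing=$(printf '%s\n' "$out" | missing_libs)
    [ -z "$missing" ] || { echo "unresolved: $missing"; return 1; }
    echo "libssl -> $(printf '%s\n' "$out" | resolved_path libssl.so.1.1)"
}

if [ "$#" -gt 0 ]; then diagnose "$1"; fi
```

An empty rpath together with unresolved libssl/libcrypto entries matches the error quoted earlier in the thread; a resolved path outside the intended prefix means the binary is linking against a different OpenSSL at run time.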