Page 3 of 6
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:26 am
by dariusz
there is no openssl in /usr/local/bin/openssl
you have to edit the following line in the vars file
set_var EASYRSA_OPENSSL "/usr/local/opt/openssl/bin/openssl"
and set this to wherever your openssl is
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:36 am
by matt3226
Newbie question, how do I find where my openssl is located?
Is there a command I could run to find out?
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:42 am
by dariusz
which openssl
But then check if this the right one in case your have multiple versions installed
WhateverPath/openssl version
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:44 am
by matt3226
which openssl outputs /usr/local/bin/openssl
EDIT: running openssl will output
Code: Select all
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:45 am
by dariusz
And
/usr/local/bin/openssl version
?
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:46 am
by matt3226
same thing:
Code: Select all
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
EDIT: Closest solution I've found was in
this thread
I followed along and ran
Code: Select all
sudo apt-get install libssl1.0.0 libssl-dev
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:48 am
by dariusz
Your OpenSSL is corrupted or not installed properly
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:49 am
by matt3226
Download and do the config, make, make install again?
This time i'll verify the checksum or gpg...
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:50 am
by Pippin
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:55 am
by matt3226
./home/pi/openssl-1.1.0f/apps/openssl
./home/pi/openssl-1.1.0f/include/openssl
./usr/local/include/openssl
./usr/local/share/doc/openssl
./usr/local/bin/openssl
./usr/lib/ruby/2.1.0/openssl
./usr/include/arm-linux-gnueabihf/openssl
./usr/include/openssl
./usr/share/doc/openssl
./usr/share/bash-completion/completions/openssl
./usr/bin/openssl
The openVPN that I'm currently running is version 2.4.3
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 10:56 am
by dariusz
I suggest to use fresh openssl
Download 1.1.0f, untar
./config shared -Wl,-rpath=/opt/openssl-1.1.0f/lib --prefix=/opt/openssl-1.1.0f/
make
sudo make install
It will install fresh openssl in /opt folder so make sure that your easyrsa vars file points to /opt/openssl-1.1.0f/bin/openssl
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 11:00 am
by matt3226
Okay, just downloaded and sha256 checks out good. That command looks a little cryptid, what does it do?
Code: Select all
./config shared -Wl,-rpath=/opt/openssl-1.1.0f/lib --prefix=/opt/openssl-1.1.0f/
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 11:07 am
by dariusz
https://wiki.openssl.org/index.php/Comp ... ing_RPATHs
if you don't compile openvpn with openssl (and i understand you use mbedtls) you can omit rpath but I use it to avoid libraries linking problems in other software I use openssl for.
https://stackoverflow.com/questions/389 ... sl-version
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 11:10 am
by dariusz
In case you would like to compile openvpn with openssl use following for openvpn:
./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib" \
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 11:13 am
by matt3226
Ah, I see:
Note well: you should use a RPATH when building both OpenSSL and your program. If you don't add a RPATH to both, then your program could runtime-link to the wrong version of OpenSSL.
Okay, making now, should take some time..
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 11:17 am
by matt3226
dariusz wrote:In case you would like to compile openvpn with openssl use following for openvpn:
./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib" \
So I need to add the rpath for openvpn too so that openvpn also links to the correct version of openSSL? So does this mean I need to re-make the openvpn again?
Is this step really needed or is it optional?
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 11:21 am
by dariusz
It is your decision what encryption library you want to use with your openvpn. You can use mbedtls, openssl or libressl.
You have to add path to openvpn compilation if you use it with openssl.
Please note this is not related to easyrsa openssl usage. easyrsa is just set of shell scripts using openssl to generate certs. For easyrsa you just need working openssl on your computer.
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 11:32 am
by matt3226
So I just ran the command
Code: Select all
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib"
and then I ran make, I am doing this correctly?
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 11:37 am
by dariusz
if you decided to switch from mbedtls to openssl then
command is:
./configure \
--enable-systemd \
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib" \
However if you successfully compiled openvpn already with mbedtls just leave it. Compile openssl to make sure that you have one working on your computer so you can use easyrsa.
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 11:41 am
by matt3226
The --enable-systemd is it a command you run in the terminal? It looks like a line that you would put in your server.conf..
and I ran the
Code: Select all
CFLAGS="-I/opt/openssl-1.1.0f/include -Wl,-rpath=/opt/openssl-1.1.0f/lib -L/opt/openssl-1.1.0f/lib"
in a terminal without issues and then ran make install.
Oh and, does it matter what library I use? Is one more secure than the other or is it all the same level of security?