OpenVPN Support Forum

Hi,

Owing to chip shortages I am currently attempting to port a Raspberry Pi 3B based project to a BeagleBone Green base. The BBG is a 32 bit ARM platform. I am currently using the recommended OS for the board which is Debian 10 but I am not tied to it.

After finding problems using the openvpn package in the platforms default repositories (placing a configuration file in /etc/openvpn/ did not result in the connection being made on start up of the OpenVPN service), I tried to install OpenVPN Client by following these instructions: https://openvpn.net/cloud-docs/openvpn- ... for-linux/ . I encountered an error message informing me that the 'armhf' platform is not supported.

Is there a healthy future for OpenVPN on 32 bit ARM platforms or is support being phased out?

If support is expected to continue, how can I use the latest version of OpenVPN on a BBG?

Regards,

Gary

UPDATE: I was retracing my steps while explaining to a college the problem when I expected to show him that 'tun0' could not be found in the output of ipconfig. I ended up proving myself wrong. I have openvpn (2.4.7-1+deb10u1) working fine on the BBG.

I'd still be interested to know the answer to my question about support for armhf and OpenVPN Client 3.

You do not need Openvpn version 3.

Hello GaryOtt,

You should use OpenVPN2 for your use-case. That works on 32 bit ARM just fine and binaries are available for that in various varieties.

If you want OpenVPN3 Linux client though, that's got published binaries for 64 bit only. And 64 bit ARM works just fine too for OpenVPN3 Linux client. There is very little demand for OpenVPN3 Linux client on 32 bit platforms so I don't expect binaries to be published by the maintainer/developer that supports 32 bit ARM. Maybe someone wants to take up that task but I don't see that happening. Most everyone would just go for OpenVPN2.

I don't think any possible benefit of speed is going to be a relevant item for you on a beagle board - I doubt you're going to be even getting near 1000Mbps on that. Probably not even 100Mbps. So yeah. I'd suggest using OpenVPN2 on your beagle.

Kind regards,
Johan

Thank you for your responses.

Bandwidth isn't a concern.

I'm working on an industrial monitoring application that will easily have a deployment lifespan exceeding 10 years.

While accepting that nothing lasts forever, we try to start from a point that offers the greatest longevity. Without an assured upgrade path the combination of a 32 bit platform and OpenVPN maybe an unacceptable combination for the use case. We can't change the component availability situation and we don't want to compromise security so maybe we may have to accept your advice and get agreement to compromise expectations for longevity.

Hi Gary,

What exactly is wrong with openvpn version 2.x that makes you think you are compromising your expectations? I can tell you, there is no issue with it. Someone made an incorrect assumption about openvpn3-linux, that it was supposed to replace version 2.x? So you should adjust those expectations accordingly.

Your device longevity will be challenged by OpenSSL or other SSL/TLS library you choose, and the expiration dates of the certificates and the Certificate Authority you are using; openvpn version 2.x is not going to be your problem.

regards, rob0

Having seen the below discussions, I am now aware that OpenVPN3 supporting 32-bit platforms is not ruled out in future but "not priority" (e.g. not to be depended upon), so that's the answer to my questions:

https://github.com/OpenVPN/openvpn3-linux/issues/49
https://github.com/OpenVPN/openvpn3-linux/issues/113


> What exactly is wrong with openvpn version 2.x that makes you think you are compromising your expectations?

The increased possibility of this security critical software becoming legacy code without an upgrade path.

The project I'm working on is expected to last longer than the some of its supporting software components. Remotely resolving such issues is indeed a challenge that industrial IoT projects have to meet.

Hi Gary,

From my point of view what I see is that you choose a platform (32 bit) that is generally already considered outdated. And then you discover that the new generation of OpenVPN3 software is not choosing to support outdated stuff. In my view, you should then probably consider switching to 64 bit so you'd get the best long term support. If your goal is to have a very long term support, you should go for 64 bit. Already for example there are Linux operating system distributions that simply do not get delivered as 32 bit anymore. Sure you can still get operating systems that do 32 bit and that will be around for quite a while longer but the point is that newer software tends not to support 32 bit. Doesn't that give an incentive already to go to 64 bit?

However I can at least put you at ease even with the platform you've chosen. OpenVPN has been around for about 20 years. I think we have proven longevity over and over. 32 bit is still being used and that is proven by the fact that people still demand OpenVPN2 for 32 bit now. While that may eventually run down, there are still plenty of situations where 32 bit compatibility is needed and it is going to be around for quite a while longer. Therefore with reasonable certainty you can be assured that only once the last dregs of 32 bit seeps away from the hardware and software landscape will OpenVPN finally drop 32 bit. Which may be a very very long time indeed. Probably more than long enough for your needs. And finally, if for some reason OpenVPN2 gets dropped and OpenVPN3 becomes the replacement (this is unlikely) then OpenVPN3 will have to become a complete replacement and if at that time 32 bit support is still a necessity then it will have to add 32 bit support as then it becomes necessary. At this moment that necessity is simply not there.

But if you consider what I explained earlier I'd suggest you consider 64 bit as part of your planning for long lasting support. If you however want to stay on 32 bit, well, then you can expect having to put in some work to support that later on or stick with outdated software or something. However these are just my opinions and you may of course feel free to do with it as you wish.

Kind regards,
Johan

Also note: OpenVPN version 2 is Free Open Source Software.

If security-longevity is a high value concern then financial investment must be on the agenda.