OpenVPN 2.4 update?

OpenVPN 2.4.0 was released on December 27, 2016.

Changes include AEAD (GCM) data channel cipher support and ECDH key exchange.

Will there be an update for Omnia?

1 Like

Shameless bump.
OpenWrt itself does not have 2.4, but LEDE does.
Since the default ciphers for OpenVPN now in Turris are susceptible to Sweet32, it would be nice to have 2.4.

1 Like
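
A check for the Sweet32 exposure mentioned above, as an added example that is not part of any post in this thread: it reports the effective `cipher` of an OpenVPN config and flags ciphers with a 64-bit block size. The BF-CBC fallback for configs without a `cipher` directive (OpenVPN 2.3/2.4), the function names and the sample configs are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag OpenVPN configs whose data-channel
# cipher has a 64-bit block size, the class affected by Sweet32.

# Assumption: with no "cipher" directive, OpenVPN 2.3/2.4 uses BF-CBC.
DEFAULT_CIPHER="BF-CBC"

# Print "<CIPHER> <explicit|default>" for a config file. Comment lines (# or ;)
# are skipped; if "cipher" appears more than once, the last value is reported.
effective_cipher() {
    awk -v def="$DEFAULT_CIPHER" '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^[ \t]*[#;]/ { next }
        $1 == "cipher" && NF >= 2 { c = toupper($2) }
        END { if (c == "") print def, "default"; else print c, "explicit" }
    ' "$1"
}

# Succeed when the OpenSSL-style cipher name denotes a 64-bit block cipher.
is_64bit_block() {
    case "$1" in
        BF-*|DES-*|DESX-*|CAST5-*|IDEA-*|RC2-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "WEAK|OK <CIPHER> <explicit|default>"; exit status is 1 when weak.
audit_config() {
    res=$(effective_cipher "$1")
    cipher=${res% *}; src=${res#* }
    if is_64bit_block "$cipher"; then
        echo "WEAK $cipher $src"; return 1
    fi
    echo "OK $cipher $src"
}

# Constructed sample configs (hypothetical file contents, not from a real router).
demo() {
    d=$(mktemp -d)
    printf 'dev tun\nproto udp\n;cipher AES-256-CBC\n' > "$d/default.conf"
    printf 'dev tun\ncipher bf-cbc\n'                  > "$d/blowfish.conf"
    printf 'dev tun\ncipher AES-256-GCM\n'             > "$d/gcm.conf"
    for f in default blowfish gcm; do
        printf '%s: ' "$f"; audit_config "$d/$f.conf" || true
    done
    rm -rf "$d"
}
demo
```

It inspects only the static `cipher` directive; cipher negotiation between two 2.4 peers is not modelled.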

you can just compile the lede openvpn 2.4 package for the turris omnia.

FROM fedora:25

ENV SDK OpenWrt-SDK-mvebu_gcc-4.8-linaro_musl-1.1.15_eabi.Linux-x86_64

# Fetch the Turris Omnia SDK, copy the LEDE openvpn, mbedtls and openssl
# package definitions into it, build them, and collect the resulting .ipk files.
# wget --no-check-certificate disables TLS certificate validation and git:// is
# unauthenticated, so the SDK and sources are fetched without integrity checks.
RUN dnf upgrade -y && \
    dnf install -y git wget bzip2 findutils ccache gcc which automake && \
    wget --no-check-certificate https://api.turris.cz/openwrt-repo/omnia/$SDK.tar.bz2 --directory-prefix=/tmp && \
    mkdir -p /turris/ipk && \
    tar xvjf /tmp/$SDK.tar.bz2 --directory=/turris && \
    rm -rf /tmp/$SDK.tar.bz2 && \
    git clone git://git.lede-project.org/source.git /turris/lede-source/ && \
    cp -r /turris/lede-source/package/network/services/openvpn/ /turris/$SDK/package/ && \
    cp -r /turris/lede-source/package/libs/mbedtls/ /turris/$SDK/package/ && \
    cp -r /turris/lede-source/package/libs/openssl/ /turris/$SDK/package/ && \
    export PATH=$PATH:/turris/$SDK/staging_dir/toolchain-arm_cortex-a9+vfpv3_gcc-4.8-linaro_musl-1.1.15_eabi/bin && \
    make CXX=arm-openwrt-linux-g++ LD=arm-openwrt-linux-ld V=s -C /turris/$SDK && \
    cp /turris/$SDK/bin/mvebu-musl/packages/base/*.ipk /turris/ipk/

# At run time, copy the built packages into /tmp (bind-mounted from the host).
CMD ["cp","-r","/turris/ipk/","/tmp"]

put this in a file called “Dockerfile”
**indent every line between RUN and CMD by 3-4 spaces for better readability

docker build -t turris.openvpn .
docker run --rm -v /tmp:/tmp turris.openvpn

these files will now appear in /tmp/ipk/ on the host system
libmbedtls_2.4.2-1_mvebu.ipk
libopenssl_1.0.2k-1_mvebu.ipk
openssl-util_1.0.2k-1_mvebu.ipk
openvpn-mbedtls_2.4.0-4_mvebu.ipk
openvpn-nossl_2.4.0-4_mvebu.ipk
openvpn-openssl_2.4.0-4_mvebu.ipk

**delete docker image
docker rmi turris.openvpn

libopenssl and openssl-util match the current turris version, so you don’t need to install those.
you should just need to install one of the openvpn-{mbedtls, nossl, openssl} packages

**if you’re installing openvpn-mbedtls, you’ll also need to install the libmbedtls package as well.

mbedtls is the new name for polarssl
In fact, if you look at the Makefile for polarssl (openwrt), you’ll see it’s actually pulling in the mbedtls source package and naming it polarssl…bizarre

https://github.com/openwrt/openwrt/blob/master/package/libs/polarssl/Makefile

1 Like

The Turris team supposes OpenVPN 2.4 will be available in TurrisOS 3.6.2 (https://forum.test.turris.cz/t/openvpn-server-easy-and-fast/3674/26), so I think it’s not so far off.

1 Like

Thanks for the tutorial. I’m unsure about doing it myself if I can just wait a few more weeks.