OpenVPN compiled statically with OpenSSL 1.0.0-stable-SNAPSHOT

Discussion in 'Tomato Firmware' started by gawd0wns, Aug 9, 2009.

  1. gawd0wns

    gawd0wns Network Guru Member

    I successfully compiled OpenSSL 1.0.0-stable(SNAP) and OpenVPN into a single binary file which can be downloaded and used on our Tomato routers. See the second post for instructions.

    I've been trying to get a newer version of openssl to compile and install into the firmware, though each time I tried, I got an error:

    busybox/examples/ -k
    /root/tomato/release/src/linux/linux/vmlinux -b
    Unable to resolve RSA_free used by
    make[1]: *** [install] Error 1
    make[1]: Leaving directory `/root/tomato/release/src/router'
    make: *** [all] Error 2

    After trying to compile OpenVPN with a new version of OpenSSL in another location and failing with the same error, I tried to compile OpenVPN on its own, and it seems to have worked.

    # wget
    Connecting to (
    # ls -al
    drwx------ 1 root root 0 Dec 31 1969 .
    drwxr-xr-x 1 root root 0 Dec 31 1969 ..
    -rwxr-xr-x 1 root root 2952405 Aug 8 23:46 openvpn
    # chmod +x openvpn
    # ./openvpn
    Usage message not available
    # ./openvpn --show-ciphers
    DES-CFB 64 bit default key (fixed)
    DES-CBC 64 bit default key (fixed)
    DES-EDE-CBC 128 bit default key (fixed)
    DES-EDE3-CBC 192 bit default key (fixed)
    DES-OFB 64 bit default key (fixed)
    DES-EDE-CFB 128 bit default key (fixed)
    DES-EDE3-CFB 192 bit default key (fixed)
    DES-EDE-OFB 128 bit default key (fixed)
    DES-EDE3-OFB 192 bit default key (fixed)
    DESX-CBC 192 bit default key (fixed)
    BF-CBC 128 bit default key (variable)
    BF-CFB 128 bit default key (variable)
    BF-OFB 128 bit default key (variable)
    AES-128-CBC 128 bit default key (fixed)
    AES-128-OFB 128 bit default key (fixed)
    AES-128-CFB 128 bit default key (fixed)
    AES-192-CBC 192 bit default key (fixed)
    AES-192-OFB 192 bit default key (fixed)
    AES-192-CFB 192 bit default key (fixed)
    AES-256-CBC 256 bit default key (fixed)
    AES-256-OFB 256 bit default key (fixed)
    AES-256-CFB 256 bit default key (fixed)
    AES-128-CFB1 128 bit default key (fixed)
    AES-192-CFB1 192 bit default key (fixed)
    AES-256-CFB1 256 bit default key (fixed)
    AES-128-CFB8 128 bit default key (fixed)
    AES-192-CFB8 192 bit default key (fixed)
    AES-256-CFB8 256 bit default key (fixed)
    DES-CFB1 64 bit default key (fixed)
    DES-CFB8 64 bit default key (fixed)
    CAMELLIA-128-CBC 128 bit default key (fixed)
    CAMELLIA-192-CBC 192 bit default key (fixed)
    CAMELLIA-256-CBC 256 bit default key (fixed)
    CAMELLIA-128-CFB 128 bit default key (fixed)
    CAMELLIA-192-CFB 192 bit default key (fixed)
    CAMELLIA-256-CFB 256 bit default key (fixed)
    CAMELLIA-128-CFB1 128 bit default key (fixed)
    CAMELLIA-192-CFB1 192 bit default key (fixed)
    CAMELLIA-256-CFB1 256 bit default key (fixed)
    CAMELLIA-128-CFB8 128 bit default key (fixed)
    CAMELLIA-192-CFB8 192 bit default key (fixed)
    CAMELLIA-256-CFB8 256 bit default key (fixed)
    CAMELLIA-128-OFB 128 bit default key (fixed)
    CAMELLIA-192-OFB 192 bit default key (fixed)
    CAMELLIA-256-OFB 256 bit default key (fixed)

    # ./openvpn --show-tls
    Available TLS Ciphers,
    listed in order of preference:


    # ./openvpn --show-digests

    MD5 128 bit digest size
    RSA-MD5 128 bit digest size
    SHA 160 bit digest size
    RSA-SHA 160 bit digest size
    SHA1 160 bit digest size
    RSA-SHA1 160 bit digest size
    DSA-SHA 160 bit digest size
    DSA-SHA1-old 160 bit digest size
    DSA-SHA1 160 bit digest size
    RSA-SHA1-2 160 bit digest size
    DSA 160 bit digest size
    MD4 128 bit digest size
    RSA-MD4 128 bit digest size
    ecdsa-with-SHA1 160 bit digest size
    RSA-SHA256 256 bit digest size
    RSA-SHA384 384 bit digest size
    RSA-SHA512 512 bit digest size
    RSA-SHA224 224 bit digest size
    SHA256 256 bit digest size
    SHA384 384 bit digest size
    SHA512 512 bit digest size
    SHA224 224 bit digest size
  2. gawd0wns

    gawd0wns Network Guru Member

    An explanation of how to compile it on your own: be aware that I'm not an expert and know nothing about programming, so try this at your own risk. I did not alter any source code from OpenSSL or OpenVPN, so it should be safe to use. The advantage of compiling only OpenVPN is that you don't have to flash anything or worry about bricking your router. After your router reboots, everything you change will be lost. Be sure to back up your openvpn config and the binary file if you want to keep using this setup. Let us know how it works!

    Before you proceed, make sure your system is ready to compile the firmware, with all the required folders added to your PATH. I used the source for TomatoVPN for building.

    1) Download openssl somewhere, let's say /tmp, extract it, configure it to your liking (you must build for linux-generic32):

    ./Configure linux-generic32 shared no-seed no-krb5 no-idea no-cast no-asm no-whirlpool no-rc2 no-ripemd
    (I also tried building with no-capieng, no-mostasm, no-cms, no-gms, though I didn't notice much difference in size)

    -Before running make depend, open the Makefile and change all entries of gcc to mipsel-uclibc-gcc
    -Delete the value on the CFLAG line, and paste in: -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall (I took these options from the OpenSSL folder included in the firmware)

    Save changes to the Makefile, run make depend, and then make.

    2) You need to enter the lzo directory (/tomato/release/src/router/lzo) and simply type make.

    3) Go into the openvpn directory in the firmware (/tomato/release/src/router/openvpn). Open the Makefile and edit the location of OpenSSL in the CPPFLAGS line to the folder where you just compiled it. Do the same in the LDFLAGS line. Save the Makefile and close it.
    In the shell prompt in the openvpn folder, enter these three lines, which are necessary for static linking:
    sed -i -e '/^LIBS/s/LIBS = /LIBS = -static /' Makefile
    export CFLAGS="-Os"
    export CXXFLAGS="$CFLAGS"

    You may now enter 'make', and voila, a single openvpn binary should be compiled with a new version of OpenSSL compiled in... You should be able to tell by the size of the binary. Wget it over to your router, and try it out.

    The binaries I built are 2.49 MB and 2.28 MB (see differences below), so be sure you have enough space on your router. I tested the binary out briefly; it seems to be working fine. I hope this can lead us to a way to figure out how to upgrade OpenSSL.

    Keep in mind that you have to manually enter the firewall rules, and all other commands usually needed to start an openvpn server from scratch. Some may not be required if you already have another server running (See below).

    You can wget the binary I compiled with ECC-TLS support, and md5 hash, directly to your router ("0" in gawd0wns is a zero):

    The binary below does not have ECC support compiled into OpenSSL; it does not appear to work with OpenVPN, or at least I have not been able to get it working... OpenSSL was configured with the following options:

    ./Configure linux-generic32 shared no-seed no-krb5 no-idea no-cast no-asm no-whirlpool no-rc2 no-ripemd no-capieng no-mostasm no-cms no-gms no-hw no-threads no-ec
  3. gawd0wns

    gawd0wns Network Guru Member

    Since you are running openvpn from scratch and without any startup scripts, you have to issue all commands manually. A startup script is probably the most efficient course of action; a few have been made for OpenVPN in the forum, so look around... and post which one works best based on your experience.

    busybox modprobe tun
    openvpn --mktun --dev tap21 --user nobody    (change tap21 to the device you use)

    You may have to pass these for tap as well:
    brctl addif br0 tap21
    ifconfig tap21 promisc up

    These are the firewall rules you need for TUN (taken from the /etc/openvpn/fw folder); I will check out the rules listed for TAP when I try again later:

    iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    iptables -I INPUT -i tun22 -j ACCEPT
    iptables -I FORWARD -i tun22 -j ACCEPT

    Change tun22 to whatever is stated in your config.ovpn; likewise for TAP below:

    For TAP:

    iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
    iptables -I INPUT -p udp --dport 1194 -j ACCEPT
    iptables -I INPUT -i tap21 -j ACCEPT
    iptables -I FORWARD -i tap21 -j ACCEPT

    **Note: if you choose to use a TAP interface, you have to modify/create an openvpn bridge-start script. It would be great if someone could post one.
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Good work. I was about to suggest you grab the firewall rules from the fw directory, but it seems you figured that out. You shouldn't need to do anything with DNS unless you are trying to have the VPN clients use the VPN server as their DNS server.

    Hopefully, this will lead to an updated OpenSSL in Tomato.
  5. gawd0wns

    gawd0wns Network Guru Member

    SgtPepperKSU, which --configure options did you use to configure OpenVPN?

    That is exactly what I was trying to do :) I was wondering if the improvements you made would solve the TAP problem I was having above... I will test it out some more later on when my air conditioner comes back online, I was messing around with many settings at that point.

    Hmm... It seems the error in my last post regarding redirect gateway when connecting with TUN did not appear after I rebooted the router. I guess I messed around with too many different firewall rules... or it was my excessive use of kill -9 :)

    I will compile the most recent version of 0.9.8 later on, it should be smaller since it doesn't have Elliptic Curve Cryptography enabled by default. Though I hope someone will figure out how to generate ECC certs properly, we'll be way ahead of the "curve" :smile:

    --Update: I was not able to compile 0.9.8k; I was receiving errors during make depend, and it would not make. Looks like it's 1.0.0 or bust.
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You can view the configure options I used here.

    Since you're compiling OpenSSL in shared mode already, have you tried just tossing it in the Tomato firmware tree and creating a whole firmware image? The OpenVPN that I have in the tree should use the updated openssl automatically.
  7. gawd0wns

    gawd0wns Network Guru Member

    I don't know what you mean exactly since I don't know programming lingo, but I'll try to answer your question:

    I tried replacing the openssl directory included in the firmware with v1.0.0, configuring it, and leaving it to build in the firmware make process. In this case, yes, your openvpn version did use it automatically since the openssl folder was overwritten with the new one.

    When that didn't work, I attempted to leave openssl alone as it was (0.9.6d) in the tree, built v1.0.0 in an external folder (/root/ssl1), and changed the location of the openssl headers and libraries in the OpenVPN Makefile to the v1.0.0 folder... I got the same error on both attempts, shown in the first post of this thread.

    The make processes finished on both attempts, so OpenSSL 1.0.0 was built successfully when it was in the tree. I don't know what that error means, but it is one of the last things to run in the firmware build process and it came up in both instances.
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Sounds like you were already trying what I was asking. Not sure why it wasn't working. Interesting.
  9. wcoolnet

    wcoolnet Guest

    Can someone repost this openvpn build? The download links no longer work.
  10. gawd0wns

    gawd0wns Network Guru Member

    I compiled the newest openssl snapshot for this compilation of openvpn 2.1rc_20. The new binary (with support for Elliptic Curve Crypto) and hash file have been uploaded here:

    Have you (anyone reading this post) used these compilations before? How have they worked for you? Any suggestions on how to make the openssl, or openvpn compilation smaller, or with better optimized parameters?
  11. gawd0wns

    gawd0wns Network Guru Member

    I have not been able to get OpenVPN working with Elliptic Curve Crypto... I've compiled a version without it for those who are interested. The file size is 2.28 MB. The following openssl configure options were used:

    ./Configure linux-generic32 shared no-seed no-krb5 no-idea no-cast no-asm no-whirlpool no-rc2 no-ripemd no-capieng no-mostasm no-cms no-gms no-hw no-threads no-ec