Build OpenVPN with specific OpenSSL version
Similar questions have been asked before, but the answers no longer seem to apply as the flags have changed for the configure script. I am trying to compile OpenVPN from the git source on Ubuntu 14.04.5 on both x86 and x64. I have OpenSSL 1.0.1t built and installed to /usr/local/ssl. I've tried various combinations of the configure options and the compiler seems to recognize it, since

./configure OPENSSL_LIBS="-L/usr/local/ssl/ -lssl -lcrypto" OPENSSL_CFLAGS="-I/usr/local/ssl/include/"

finishes with no errors, but ./configure OPENSSL_LIBS="-L/usr/local/ssl/" OPENSSL_CFLAGS="-I/usr/local/ssl/include/" results in configure: error: openssl check failed. Once you do make and make install, it still reports the system version of OpenSSL:

root@anonymous:/usr/local/src/openvpn# openvpn --version
OpenVPN 2.3_git [git:master/d1bd37fd508ee046] x86_64-unknown-linux-gnu [SSL (OpenSSL)]
[LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Aug 16 2016
library versions: OpenSSL 1.0.1f 6 Jan 2014, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes
enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown
enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes
enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes
enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no
enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes
enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no
enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no
enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no
enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl
with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

System OpenSSL:

root@anonymous:/usr/local/src/openvpn# openssl version

OpenSSL 1.0.1f 6 Jan 2014

Compiled OpenSSL:

root@anonymous:/usr/local/ssl/bin# ./openssl version

OpenSSL 1.0.1t  3 May 2016

I know it has to be something simple, but I saw other users asking about this on the OpenVPN Forums with no responses as of yet.

Jovial answered 16/8, 2016 at 23:16
Also see Issue 794: Process for building OpenVPN with OpenSSL reported in the OpenVPN issue tracker.Tabulate

Below is the procedure I used to build OpenVPN with OpenSSL 1.0.2. OpenSSL 1.0.1 vs. 1.0.2 vs. 1.1.0 should not matter. However, some Configure scripts die on OpenSSL 1.1.0 because 1.1.0 uses OPENSSL_init_ssl rather than SSL_library_init. Note the use of RPATHs on Linux (OS X would use a different technique).

OpenSSL configuration options are mostly documented at Compilation and Installation | Configure Options on their wiki. I did not find similar for OpenVPN, and ./configure --help was not very helpful. Often, for an Autotools project, you need to --with-ssl=<path to ssl root>, but OpenVPN does not appear to have that option. For OpenVPN, the process below went ad hoc using Autotools CFLAGS.

Both libraries disabled compression because it can leak information. For more details, see Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations. The problem is the variable bit rate encoding, and the fundamental design is prevalent in other compression libraries (like zlib).

OpenSSL 1.0.2

$ wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
$ tar xzf openssl-1.0.2h.tar.gz
$ cd openssl-1.0.2h

$ ./config shared no-ssl2 no-ssl3 no-comp enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl
$ make -j 4
$ make test
$ sudo make install

# clear program cache
$ hash -r

You can check the openssl program is using the expected shared objects with:

$ ldd /usr/local/ssl/bin/openssl
    linux-vdso.so.1 =>  (0x00007ffc36578000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f94b48fb000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f94b448b000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f94b40c6000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f94b3ec2000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f94b4b6c000)

You can also make sure the new openssl is on-path with the following. It's not required for your issue, however.

$ sudo ln -s /usr/local/ssl/bin/openssl /usr/local/bin/openssl
$ hash -r
$ command -v openssl
/usr/local/bin/openssl

OpenVPN 2.3.11

$ wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz
$ tar xzf openvpn-2.3.11.tar.gz
$ cd openvpn-2.3.11

$ CFLAGS="-I/usr/local/ssl/include -Wl,-rpath=/usr/local/ssl/lib -L/usr/local/ssl/lib" ./configure --disable-lzo
$ make -j 4

Next, check the OpenVPN program to see what it's linking to:

$ find . -type f -name openvpn
./src/openvpn/openvpn
$ ldd ./src/openvpn/openvpn
    linux-vdso.so.1 =>  (0x00007ffc8bfc4000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f74f49f3000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f74f4583000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f74f437f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f74f3fba000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f74f4c64000)

Next, run the self tests:

$ make check
...
make[3]: Entering directory `/home/jwalton/openvpn-2.3.11/tests'
./t_client.sh: cannot find 't_client.rc' in build dir ('..')
./t_client.sh: or source directory ('.'). SKIPPING TEST.
SKIP: t_client.sh
Testing cipher AES-128-CBC... OK
Testing cipher AES-128-CFB... OK
Testing cipher AES-128-CFB1... OK
...

Install OpenVPN if it tests OK:

$ sudo make install
$ hash -r
$ command -v openvpn
/usr/local/sbin/openvpn

Finally, check it:

$ /usr/local/sbin/openvpn --version
OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH] [IPv6] built on Aug 17 2016
library versions: OpenSSL 1.0.2h  3 May 2016
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
...

If interested, you can find a build script to automate the process at Noloader | Build-Scripts. It includes one for OpenVPN.

Tabulate answered 17/8, 2016 at 21:3
I upvoted this, but my rep is too low. I didn't follow the steps exactly, but this got it working. The issue was, first that I didn't create the *.so files when I compiled OpenSSL the first time. Second, I wasn't linking them properly with configure during the OpenVPN build. I re-compiled OpenSSL with an edited form of the command you listed, checked that it was properly linked, skipped the symbolic link since I'd already done that, and compiled openvpn with the command you gave and it worked just fine. So thank you very much for the comprehensive and correct answer.Jovial
@Jovial - I'm guessing (and it's only a guess) that this was not quite right: OPENSSL_CFLAGS="-I/usr/local/ssl/include/". Those CFLAGS needed to be applied to the entire OpenVPN build, and not just some portion of OpenSSL. I'm not even clear what OPENSSL_CFLAGS and OPENSSL_LIBS do because ./configure --help did not explain it; and Installation notes did not explain it.Tabulate
I figured it had to be something along those lines. The old flags used to be OPENSSL_SSL_FLAGS and OPENSSL_CRYPTO_FLAGS, but they were removed in later versions it would seem. The OpenVPN and configure documentation aren't very clear about what they're used for. Thanks again for your help. I'd been wracking my brain for about 2 days trying to figure out what I was doing wrong.Jovial
@Jovial - I'm thinking OPENSSL_SSL_FLAGS, OPENSSL_CRYPTO_FLAGS and friends may be for building OpenSSL in-tree. I.e., drop OpenSSL into the <openvpn src> directory, and the OpenVPN build system will build OpenSSL for you. But again, it's only a guess. If it's not that, then I can't think of other reasons those variables would be useful.Tabulate
Great write up, thanks. I had to add an additional flag to get the OpenSSL configuration to work: -Wl,--enable-new-dtags,-rpath....Pacificism
@DuncanJones - Yeah, Linux is pretty f**k'd up when it comes to library paths. They've been broken 30 years or so now. The Linux folks need to switch to a scheme like Apple's install_name. Things should "just work" for the typical user. Let those who want to swizzle and inject do something special.Tabulate
Do I use the same instructions to configure the newer openssl-1.0.2l? I did: ./config shared no-ssl2 no-ssl3 no-comp enable-ec_nistp_64_gcc_128 -Wl,-rpath=/usr/local/ssl/lib --prefix=/usr/local/ssl but my build fails when I give the make command. make test fails too.Reconstructionism
Great recipe! I just tried it (OpenVPN 2.4.6) with OS X (10.9.5), linking against openssl (1.0.2p) installed by homebrew. The "-Wl,-rpath=/usr/local/ssl/lib" CFLAGS must be removed: CFLAGS="-I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib" ./configure --disable-lzo Check the build binary with otool -L ./src/openvpn/openvpn to see what dynamic libs are used. Thx.Putandtake
If going through this kind of trouble I always keep my libs separate for ease of future maintenance. So I would install openssl into /usr/local/openssl-<version>, openvpn into /usr/local/openvpn-<version> and do the linking and RPATH'ing specifically to those locations. That way openvpn won't stop working if the /usr/local/ssl's library gets upgraded in the future.Thermograph
@Tabulate Thanks for this brilliant tutorial. After compiling it I get the binary inside /usr/local/sbin/openvpn. But where is the main folder? Do I place the binary and configs under /etc/openvpn/server/ ?Shuntwound
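The two checks the answer above performs by eye (ldd showing libssl/libcrypto under /usr/local/ssl/lib, and openvpn --version naming the expected library) can be scripted. This is an added example, not part of the answer or of OpenVPN; the function names and the captured outputs are constructed here, modelled on the answer's good build and the question's failure case.

```sh
#!/bin/sh
# Added example: verify that a built openvpn resolves libssl/libcrypto under
# the OpenSSL prefix we built, and that `openvpn --version` reports the
# expected library version. Both functions parse text, so they work on
# captured output as well as on a live binary.

# check_ssl_links PREFIX LDD_OUTPUT -> 0 if libssl and libcrypto both resolve
# under PREFIX/lib, 1 otherwise (each offending library is printed).
check_ssl_links() {
    prefix=$1
    ldd_out=$2
    bad=0
    for lib in libssl libcrypto; do
        # third field of "libssl.so.1.0.0 => /path/libssl.so.1.0.0 (0x...)"
        path=$(printf '%s\n' "$ldd_out" |
               awk -v l="$lib" '$1 ~ ("^" l "\\.so") && $2 == "=>" { print $3 }')
        case "$path" in
            "$prefix"/lib/*) ;;
            "")  echo "$lib: not listed by ldd"; bad=1 ;;
            *)   echo "$lib: resolves to $path, expected under $prefix/lib"; bad=1 ;;
        esac
    done
    return $bad
}

# check_reported_version WANT VERSION_OUTPUT -> 0 if the "library versions:"
# line of `openvpn --version` names OpenSSL WANT (e.g. 1.0.2h).
check_reported_version() {
    want=$1
    got=$(printf '%s\n' "$2" |
          sed -n 's/^library versions: OpenSSL \([^ ,]*\).*/\1/p')
    [ "$got" = "$want" ]
}

# Constructed ldd output: the good case from the answer, and the question's
# failure mode where the system copies under /lib are picked up instead.
GOOD_LDD='    linux-vdso.so.1 =>  (0x00007ffc8bfc4000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f74f49f3000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f74f4583000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f74f3fba000)'
BAD_LDD='    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000000000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000100000)'
GOOD_VER='OpenVPN 2.3.11 x86_64-unknown-linux-gnu [SSL (OpenSSL)] built on Aug 17 2016
library versions: OpenSSL 1.0.2h  3 May 2016'

# On a real build tree:
#   check_ssl_links /usr/local/ssl "$(ldd ./src/openvpn/openvpn)"
#   check_reported_version 1.0.2h "$(./src/openvpn/openvpn --version)"
```

Run both before `make install`; a failure of the first check while the second passes means the build-tree binary is fine but an installed copy elsewhere on PATH is being reported, which is the situation in the question.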

OpenVPN reports the version of the runtime library, so what you are seeing here is linking/dynamic library behaviour. Probably your ld.so.conf is set up to prefer /usr/lib/*.so over /usr/local/lib/*.so

Valleau answered 17/8, 2016 at 9:7
I think you're on the right path. /etc/ld.so.conf just includes the *.conf files in the /etc/ld.so.conf.d directory. In that directory, libc.conf points to /usr/local/lib, but the libraries for OpenSSL do not reside there, so it probably resorts to the system defaults. I'll see what else I can find out.Jovial
I tried adding both "/usr/local/ssl" or "/usr/local/ssl/lib" to libc.conf and got the same results. At this point, I don't really think it matters since the security fixes in 1.0.1t were backported to 1.0.1f on Ubuntu anyway.Jovial

One solution I have successfully used is the OpenVPN build-system.

Simply change the OpenSSL source version in generic/build.vars and let it go (as documented).

If you have trouble with options like --dynamicbase or --nxcompat then also disable those flags in generic/build.vars.

Margarethe answered 23/5, 2018 at 20:15
