OpenVpn XOR Scramble patch example

[cake]

The highest version I could get to work with Clayface's 2015 patch is OpenVpn 2.3.11 (Currently it is at 2.3.12)
Here is the steps I took to patch it.
First off this is what versions I started with:
  OPNsense 16.7.3-amd64
  FreeBSD 10.3-RELEASE-p7
  OpenSSL 1.0.2h 3 May 2016
  OpenVPN 2.3.12 (soon to be downgraded)

Start a SSH session,

Code: [Select]

#pkg install wget
#pkg install git
#cd ~
#mkdir XOR
#cd XOR
#wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
#unzip master.zip
#wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.xz
#tar -xf openvpn-*
#cp openvpn_xorpatch-master/openvpn_xor.patch ~/XOR/openvpn-2.3.11/
#cd openvpn-2.3.11
#git apply openvpn_xor.patch
#./configure CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
#make
#make installI know those above commands can be combined, but my skills are not the best, I just keep it simple.

I am guessing at this next bit- go into the web GUI-->System--->Firmware--->Packages---> Lock openvpn from being updated. (even though it says a different version, if you check the log it says openvpn 2.3.11)

That is it. I tested it on my VPS. Hopefully the patch gets updated.

[franco]

Hold on, you do know that we ship the Tunnelblick version of the XOR patch and have also updated it to work with version 2.3.12?

https://tunnelblick.net/cOpenvpn_xorpatch.html

We have done so since version 15.1.10.2.


Cheers,
Franco

[cake]

wait, Franco -your saying I didn't need to patch it, because it is already patched by default? I could have just put in the advanced config area: scramble obfuscate password from the get go?

[franco]

Yes, take a look at this old thread that asked for inclusion: https://forum.opnsense.org/index.php?topic=398

[cake]

doh very nice inclusion :-)

[cake]

If anybody has updated Opnsense, but held back on openvpn (2.3.12_2) (using XOR patch)
You will get:
Shared object "libcrypto.so.8" not found, required by "openvpn"
Shared object "libssl.so.8" not found, required by "openvpn"

To fix it temporarily:
 ln -s /usr/local/lib/libssl.so.9 /usr/local/lib/libssl.so.8
ln -s /usr/local/lib/libcrypto.so.9 /usr/local/lib/libcrypto.so.8

[franco]

Not sure why you bring this up, we built all our OpenVPN versions with XOR... ALPHA, BETA, production...

[cake]

my bad Franco, for some reason I couldn't apply the git patch to openvpn 2.3.13 source a while back on a ubuntu system, I assumed it wasn't working for anything past 2.3.12. Just checked and now I can apply the patch and make it. I stand corrected.
cheers!