OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: cake on September 02, 2016, 01:23:13 pm
-
The highest version I could get to work with Clayface's 2015 patch is OpenVPN 2.3.11 (currently it is at 2.3.12).
Here are the steps I took to patch it.
First off, these are the versions I started with:
OPNsense 16.7.3-amd64
FreeBSD 10.3-RELEASE-p7
OpenSSL 1.0.2h 3 May 2016
OpenVPN 2.3.12 (soon to be downgraded)
Start an SSH session:
# pkg install wget
# pkg install git
# cd ~
# mkdir XOR
# cd XOR
# wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
# unzip master.zip
# wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.xz
# tar -xf openvpn-*
# cp openvpn_xorpatch-master/openvpn_xor.patch ~/XOR/openvpn-2.3.11/
# cd openvpn-2.3.11
# git apply openvpn_xor.patch
# ./configure CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
# make
# make install
I know the above commands can be combined, but my skills are not the best; I just keep it simple.
I am guessing at this next bit: go into the web GUI --> System --> Firmware --> Packages --> lock openvpn from being updated (even though it says a different version, if you check the log it says openvpn 2.3.11).
That is it. I tested it on my VPS. Hopefully the patch gets updated.
-
Hold on, you do know that we ship the Tunnelblick version of the XOR patch and have also updated it to work with version 2.3.12?
https://tunnelblick.net/cOpenvpn_xorpatch.html
We have done so since version 15.1.10.2. ;)
Cheers,
Franco
-
Wait, Franco, you're saying I didn't need to patch it, because it is already patched by default? I could have just put in the advanced config area: scramble obfuscate password from the get-go?
-
Yes, take a look at this old thread that asked for inclusion: https://forum.opnsense.org/index.php?topic=398
-
Doh, very nice inclusion :-)
-
If anybody has updated OPNsense but held back on openvpn (2.3.12_2) (using XOR patch), you will get:
Shared object "libcrypto.so.8" not found, required by "openvpn"
Shared object "libssl.so.8" not found, required by "openvpn"
To fix it temporarily:
ln -s /usr/local/lib/libssl.so.9 /usr/local/lib/libssl.so.8
ln -s /usr/local/lib/libcrypto.so.9 /usr/local/lib/libcrypto.so.8
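Added example, not part of the post above and not OPNsense code: a POSIX sh helper that reads loader errors like the two quoted in the post and lists which versions of each missing library are actually installed, so a held-back package that no longer matches the system libraries is easy to spot after an update. The function names and the temporary sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample loader output and library directory are constructed.

# missing_sonames: read run-time loader errors on stdin and print
# unique "soname binary" pairs, one per line.
missing_sonames() {
    sed -n 's/^Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*$/\1 \2/p' | sort -u
}

# installed_versions SONAME LIBDIR: print the files in LIBDIR that share
# SONAME's base name (libssl.so.8 -> libssl.so.*).
installed_versions() {
    base=${1%.so.*}.so
    for f in "$2"/"$base".*; do
        # An unmatched glob stays literal, so test that the file exists.
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# report LIBDIR: for each missing soname on stdin, show what is installed.
report() {
    libdir=$1
    missing_sonames | while read -r soname binary; do
        found=$(installed_versions "$soname" "$libdir" | tr '\n' ' ' | sed 's/ $//')
        echo "$binary needs $soname; installed: ${found:-none}"
    done
}

# demo: constructed directory standing in for /usr/local/lib after an update.
demo() {
    dir=$(mktemp -d)
    : > "$dir/libssl.so.9"
    : > "$dir/libcrypto.so.9"
    printf '%s\n' \
        'Shared object "libcrypto.so.8" not found, required by "openvpn"' \
        'Shared object "libssl.so.8" not found, required by "openvpn"' |
        report "$dir"
    rm -rf "$dir"
}

demo
```

On a real system the input would be the captured error output of the failing binary and LIBDIR would be /usr/local/lib.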
-
Not sure why you bring this up, we built all our OpenVPN versions with XOR... ALPHA, BETA, production... :)
-
My bad, Franco. For some reason I couldn't apply the git patch to the openvpn 2.3.13 source a while back on an Ubuntu system; I assumed it wasn't working for anything past 2.3.12. Just checked and now I can apply the patch and make it. I stand corrected.
Cheers!