OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: cake on September 02, 2016, 01:23:13 pm

Title: OpenVpn XOR Scramble patch example
Post by: cake on September 02, 2016, 01:23:13 pm
The highest version I could get to work with Clayface's 2015 patch is OpenVPN 2.3.11 (currently it is at 2.3.12).
Here are the steps I took to patch it.
First off, these are the versions I started with:
  OPNsense 16.7.3-amd64
  FreeBSD 10.3-RELEASE-p7
  OpenSSL 1.0.2h 3 May 2016
  OpenVPN 2.3.12 (soon to be downgraded)

Start an SSH session:
Code:
#pkg install wget
#pkg install git
#cd ~
#mkdir XOR
#cd XOR
#wget https://github.com/clayface/openvpn_xorpatch/archive/master.zip
#unzip master.zip
#wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.xz
#tar -xf openvpn-*
#cp openvpn_xorpatch-master/openvpn_xor.patch ~/XOR/openvpn-2.3.11/
#cd openvpn-2.3.11
#git apply openvpn_xor.patch
#./configure CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
#make
#make install
I know the above commands can be combined, but my skills are not the best; I just keep it simple.

I am guessing at this next bit: go into the web GUI --> System --> Firmware --> Packages --> Lock openvpn from being updated (even though it says a different version, if you check the log it says openvpn 2.3.11).

That is it. I tested it on my VPS. Hopefully the patch gets updated.
Title: Re: OpenVpn XOR Scramble patch example
Post by: franco on September 02, 2016, 03:17:41 pm
Hold on, you do know that we ship the Tunnelblick version of the XOR patch and have also updated it to work with version 2.3.12?

https://tunnelblick.net/cOpenvpn_xorpatch.html

We have done so since version 15.1.10.2. ;)


Cheers,
Franco
Title: Re: OpenVpn XOR Scramble patch example
Post by: cake on September 03, 2016, 01:58:16 am
Wait, Franco - you're saying I didn't need to patch it, because it is already patched by default? I could have just put in the advanced config area: scramble obfuscate password from the get-go?

Title: Re: OpenVpn XOR Scramble patch example
Post by: franco on September 03, 2016, 10:17:17 am
Yes, take a look at this old thread that asked for inclusion: https://forum.opnsense.org/index.php?topic=398
Title: Re: OpenVpn XOR Scramble patch example
Post by: cake on September 03, 2016, 11:50:40 am
Doh, very nice inclusion :-)
Title: Re: OpenVpn XOR Scramble patch example
Post by: cake on December 06, 2016, 08:31:04 am
If anybody has updated OPNsense but held back on openvpn (2.3.12_2) (using XOR patch), you will get:
Shared object "libcrypto.so.8" not found, required by "openvpn"
Shared object "libssl.so.8" not found, required by "openvpn"

To fix it temporarily:
ln -s /usr/local/lib/libssl.so.9 /usr/local/lib/libssl.so.8
ln -s /usr/local/lib/libcrypto.so.9 /usr/local/lib/libcrypto.so.8
Title: Re: OpenVpn XOR Scramble patch example
Post by: franco on December 06, 2016, 10:23:39 am
Not sure why you bring this up, we built all our OpenVPN versions with XOR... ALPHA, BETA, production... :)
Title: Re: OpenVpn XOR Scramble patch example
Post by: cake on December 07, 2016, 01:05:16 am
My bad, Franco. For some reason I couldn't apply the git patch to the openvpn 2.3.13 source a while back on an Ubuntu system, so I assumed it wasn't working for anything past 2.3.12. Just checked and now I can apply the patch and make it. I stand corrected.
Cheers!