Static OpenVPN + LibreSSL
23.06.2015 15:23 in technical-notes
Subsequent to the Court of Record letter to Google, "Heartbleed" and other vulnerabilities in OpenSSL were reported and fixed. Other vulnerabilities like the bash "Shellshock" show the outline of a systematic attack on open source software at a deep level.
We suggest competent developers investigate the gcc and clang tool chains and the glibc library. At the system level, BIOS, kernel, video/network drivers, binary firmware blobs, and random sources/code must be investigated. At the hardware level, we suggest reverse engineering and posting the details of all chips/motherboards.
Compiling a non-glibc static LibreSSL and OpenVPN
We have used this openvpn+libressl+musl-static-compile.sh script to download and compile a musl 1.1.10 based non-glibc static OpenVPN 2.3.7 and LibreSSL 2.1.7 using gcc on 64 bit Funtoo/Gentoo Linux. The resulting x86_64 static binaries are openvpn and openssl. PGP detached signatures signed by our support.asc key are openvpn.sig and openssl.sig.
If you have a 32 bit system, use the script. Otherwise the instructions below may save you some time.
Download
$ mkdir -p ~/Downloads/openvpn+libressl
$ cd ~/Downloads/openvpn+libressl
$ wget --no-check-certificate --prefer-family=IPv4 https://image.rayservers.com/ssl/vpn/openvpn
$ wget --no-check-certificate --prefer-family=IPv4 https://image.rayservers.com/ssl/vpn/openssl
Verify MD5 sum
$ md5sum openvpn
933ec49cb9c68335f140494235c1aa96 openvpn
$ md5sum openssl
1059d0e46a5cf1528cd9a74ce216561d openssl
Optional: verify GPG signature
$ wget --no-check-certificate --prefer-family=IPv4 https://image.rayservers.com/ssl/vpn/support.asc -O - | gpg --import
$ wget --no-check-certificate --prefer-family=IPv4 https://image.rayservers.com/ssl/vpn/openvpn.sig
$ wget --no-check-certificate --prefer-family=IPv4 https://image.rayservers.com/ssl/vpn/openssl.sig
$ gpg --verify openssl.sig
gpg: Signature made Sat Jun 20 22:57:35 2015 UTC using RSA key ID 079CCE10
gpg: Good signature from "Rayservers Support <support@rayservers.com>"
$ gpg --verify openvpn.sig
gpg: Signature made Sat Jun 20 22:56:56 2015 UTC using RSA key ID 079CCE10
gpg: Good signature from "Rayservers Support <support@rayservers.com>"
Note that the GPG verification is authoritative. Our techs may update the binaries and signatures but not the md5sum in this article.
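The gpg output above reports a good signature from whichever key was imported, and that key was fetched with --no-check-certificate just like the binaries. The following added example (not Rayservers' own script) refuses to install unless the signature comes from a pinned full fingerprint. EXPECTED_FPR is a placeholder to be filled in from an out-of-band source, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Rayservers' script. EXPECTED_FPR is a placeholder: the page
# shows only the short key ID 079CCE10, so obtain the full fingerprint out of band.
EXPECTED_FPR="REPLACE_WITH_FULL_40_HEX_FINGERPRINT"

# Read `gpg --status-fd` output on stdin. Succeed only when a VALIDSIG line names
# the pinned key and no bad, unverifiable, expired or revoked status was seen.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG]:" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint and the last
        # field is the primary key fingerprint.
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) ||
                             toupper($NF) == toupper(want)) { good = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# Verify FILE against FILE.sig using the default keyring, then install it as
# DEST (run as root). Any gpg failure yields no VALIDSIG, so this fails closed.
verify_and_install() {
    file=$1
    dest=$2
    if gpg --batch --status-fd 1 --verify "$file.sig" "$file" 2>/dev/null |
        status_ok "$EXPECTED_FPR"
    then
        install -D -m 755 "$file" "$dest"
    else
        echo "signature check failed, not installing $file" >&2
        return 1
    fi
}

# Usage, with the names and paths from this article:
#   verify_and_install openvpn /usr/local/sbin/openvpn.static
#   verify_and_install openssl /usr/local/bin/openssl.static
```

The check parses gpg's machine-readable status lines rather than the "Good signature" text, so a signature from any other key in the keyring is rejected.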
Install the binary
$ sudo install -D -m 755 openvpn /usr/local/sbin/openvpn.static
$ sudo install -D -m 755 openssl /usr/local/bin/openssl.static
Note that .static has been added to the binary name. Call the binary with its full pathname in your scripts. The static binary expects /bin/ifconfig and /bin/route. Your system may have these in /sbin.
$ sudo su
# which ifconfig
If the output is /sbin/ifconfig:
# ln -s /sbin/ifconfig /bin/ifconfig
Similarly:
# which route
# ln -s /sbin/route /bin/route
Downloading our VPN config tarball
If you have purchased a VPN from us, you will have received a link that looks like this: https://image.rayservers.com/ssl/vpn/abc1234.zip
If you have been a customer for some time, then you will already have unpacked it in /etc/openvpn. For a new install, do the following:
$ sudo su
# cd /etc/openvpn
# wget --no-check-certificate --prefer-family=IPv4 https://image.rayservers.com/ssl/vpn/abc1234.zip
# unzip abc1234.zip
Using OpenVPN
We recommend you start and stop openvpn.static by hand, using a terminal.
Starting openvpn
$ sudo su
# cd /etc/openvpn
# /usr/local/sbin/openvpn.static abc1234.conf
Stopping openvpn
$ sudo su
# pkill -TERM openvpn
That's all folks.