Since WolfSSL seems to be the library of choice at the moment, can we add an OpenVPN-WolfSSL package? This will avoid having two separate SSL libraries on the same device (saving memory).
Possibly other packages can use the OpenSSL compatible API from WolfSSL as well.
2 Likes
Do we have any news on this, since we are now at 21.02-rc2 with wolfssl as the primary SSL base package for OpenWRT and we now run OpenVPN with OpenSSL?
Hi, I was also looking into this.
It turns out OpenVPN and wolfSSL are not yet compatible, but it is in active development.
In other words, OpenVPN supports wolfSSL now, but only on their master branch, with no official release, and there are still problems between them.
It's very likely that by the time OpenVPN 2.6 is released, it will fully support wolfSSL. In the meantime, we wait.
news:
commit:
committed 06:11PM - 17 Mar 21 UTC
This patch adds support for wolfSSL in OpenVPN. Support is added by using
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
linked against the wolfSSL library. The wolfSSL installation directory is
detected using pkg-config.
As requested by OpenVPN maintainers, this patch does not include
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
in the configure script wolfSSL will include wolfssl/options.h on its own
(change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch
adds an option `--disable-wolfssl-options-h` in case the user would like
to supply their own settings file for wolfSSL.
wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```
OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
an open PR to fix issues:
wolfSSL:master
← julek-wolfssl:openvpn-master
opened 02:50PM - 12 Mar 21 UTC
- OpenVPN requires all TLS versions to be enabled because it uses `SSL_CTX_set_min_proto_version` to set the min version without checking if support for that version is compiled in
- wolfSSL_HmacCopy return already returns `WOLFSSL_SUCCESS` or `WOLFSSL_FAILURE`
2 Likes
I have noticed this, and the answer seems to depend on which side you ask the question.
WolfSSL are happily announcing their working with OpenVPN on their homepage.
OpenVPN, on their side, really has nothing official on this at all, other than that OpenSSL is the only supported SSL add-on for OpenVPN.
OpenVPN is happy to add what is necessary to use wolfSSL in terms of detection.
wolfSSL has to do the work in order to accommodate OpenVPN. This means they have to keep track of changes in OpenVPN and adapt to them accordingly, not the other way around.
That's not strange though, it just means it will take more time for them to work together well, and I imagine the same idea applies to OpenSSL, but the work to make them compatible was already done a very long time ago.
And then we have the OpenVPN-easyrsa 3 that wolfSSL needs to adapt to as well.