[Openvpn-users] Compiling OpenSSL into OpenVPN
hdf sdesdh
2009-08-06 03:08:00 UTC
Is there a way to compile OpenVPN, so that OpenSSL is built into OpenVPN itself, and not requiring any other OpenSSL executables/libraries from the computer where it is installed?

Thank you
--
Be Yourself @ mail.com!
Choose
Allan Swanepoel
2009-08-06 03:32:26 UTC
Post by hdf sdesdh
Is there a way to compile OpenVPN, so that OpenSSL is built into OpenVPN
itself, and not requiring any other OpenSSL executables/libraries from the
computer where it is installed?
You could compile these in a chrooted environment, along with lzo, and
tarball it up.

Other than that, I don't think so.
Post by hdf sdesdh
Thank you
--
Josh Cepek
2009-08-06 03:48:46 UTC
Post by hdf sdesdh
Is there a way to compile OpenVPN, so that OpenSSL is built into OpenVPN itself, and not requiring any other OpenSSL executables/libraries from the computer where it is installed?
Thank you
Many of Gentoo's ebuild files have options for compiling libraries
statically, which makes them a great reference, even if you use a
different distribution.

In this case you should be able to change the openvpn package Makefile
to do what you want with the following alteration, taken right out of
the ebuild:
sed -i -e '/^LIBS/s/LIBS = /LIBS = -static /' Makefile

I've tested this change against 2.1_rc19 and the build seems to work
fine when performing TLS authentication and data encryption, so it
passes my 2 minute sniff-test. Here's a sample strace output showing
that it is indeed referencing libraries statically:

% egrep '^open.*\.so' strace-normal.log
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libssl.so.0.9.8", O_RDONLY) = 3
open("/usr/lib/libcrypto.so.0.9.8", O_RDONLY) = 3
open("/usr/lib/liblzo2.so.2", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY) = 3
open("/lib/libpthread.so.0", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libz.so", O_RDONLY) = 3

% egrep '^open.*\.so' strace-static.log
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libz.so", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/lib/ld-linux.so.2", O_RDONLY) = 3

So that'll catch your SSL libraries. The search & replace syntax above
also adds the lzo & threading support to the static build, so tweak what
you make static if this is an issue.
--
Josh
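The strace comparison in the post above can be turned into a repeatable check. The script below is an added example, not code from this thread or from the OpenVPN project: it parses an strace log of an openvpn start-up, lists the shared objects the loader opened, and reports whether libssl/libcrypto (and liblzo) were still loaded dynamically. It assumes the open("/path/lib.so...", O_RDONLY) = N line format shown in the thread (the openat(AT_FDCWD, "...") form of newer strace is accepted too); the two sample logs are constructed to mirror the excerpts above.

```sh
#!/bin/sh
# Added example (not from the thread): reusable version of the strace check.
# Assumes strace lines of the form open("/path/lib.so...", O_RDONLY) = N,
# or openat(AT_FDCWD, "/path/lib.so...", ...) = N from newer strace.

# Print the basename of every shared object opened in log $1, one per line.
# /etc/ld.so.cache is skipped: it matches ".so" but is the loader's cache file.
dynamic_libs() {
    grep -E '^open(at)?\(.*"[^"]*\.so[^"]*"' "$1" \
      | grep -v 'ld\.so\.cache' \
      | sed -E 's/^[^"]*"([^"]*)".*/\1/; s#.*/##'
}

# Return 0 if no SSL/crypto/LZO library was opened at run time (the libraries
# the LIBS = -static change is meant to fold into the binary), 1 otherwise.
check_static_crypto() {
    found=$(dynamic_libs "$1" | grep -E '^lib(ssl|crypto|lzo2?)\.so' || true)
    if [ -n "$found" ]; then
        printf 'still loaded dynamically:\n%s\n' "$found"
        return 1
    fi
    echo "no libssl/libcrypto/liblzo opened at run time"
    return 0
}

# Constructed sample logs mirroring the two excerpts posted in the thread.
SAMPLE_NORMAL=$(mktemp)
cat > "$SAMPLE_NORMAL" <<'EOF'
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libssl.so.0.9.8", O_RDONLY) = 3
open("/usr/lib/libcrypto.so.0.9.8", O_RDONLY) = 3
open("/usr/lib/liblzo2.so.2", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
EOF
SAMPLE_STATIC=$(mktemp)
cat > "$SAMPLE_STATIC" <<'EOF'
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libz.so", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/lib/ld-linux.so.2", O_RDONLY) = 3
EOF

# Run the check on both constructed logs.
for log in "$SAMPLE_NORMAL" "$SAMPLE_STATIC"; do
    echo "== $log"
    check_static_crypto "$log" || :
done
```

Note that the "static" log in the post still opens libc.so.6 and libz.so, so that build only folded in the SSL, LZO and threading libraries rather than becoming a fully static executable. If the goal is a binary with no run-time library dependencies at all, check it with `ldd openvpn`, which reports "not a dynamic executable" for a fully static binary.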
David Sommerseth
2009-08-06 06:12:57 UTC
Post by hdf sdesdh
Is there a way to compile OpenVPN, so that OpenSSL is built into OpenVPN itself, and not requiring any other OpenSSL executables/libraries from the computer where it is installed?
As Josh Cepek has shown, this is possible and can make sense in some
cases. But there is one concern, which I am not sure if you are aware
of or not. If you are aware of it, I'm sorry for this unneeded
information :)

Just one thing you need to keep in mind is that you then need to
recompile OpenVPN each time you want to make use of an updated OpenSSL
library (or any other statically linked-in library, for that matter). Why
this is important is due to security fixes in third-party libraries.

If you then have, for example, linked in a vulnerable OpenSSL (which is
not that uncommon, OpenSSL regularly releases security updates), you
also need to recompile the static OpenVPN and distribute this version.
In Josh's example, you then need to pay attention to the openssl, lzo2 and
pthread libraries.

When dynamically linked, which is the normal case with OpenVPN, it's
enough to upgrade the system's library, and all programs using the
dynamic library are automatically "updated".

So as said, it can make perfect sense to do static linking, but it
does have a side effect as well. So use static linking with care.


kind regards,

David Sommerseth
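The maintenance point David makes is easy to lose track of once a static binary has been copied onto a few devices, because a system-wide library upgrade no longer tells you anything about it. The script below is an added example, not code from this thread or from the OpenVPN project: it pulls the OpenSSL version banner that libcrypto embeds (the same "OpenSSL x.y.z" string that `openssl version` prints) out of a static binary and compares it with the version you consider current, so stale static builds show up in an inventory. It assumes that banner is present in the binary's data and that the version to compare against is supplied by you; the sample "binary" and the versions used in the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): find the OpenSSL version compiled
# into a static binary and flag it when it is older than a known-good one.
# Assumption: libcrypto's banner ("OpenSSL 0.9.8k 25 Mar 2009") is present
# in the binary; grep -a scans the file as text so no strings(1) is needed.

# Print the version part of the first "OpenSSL x.y.z<letters>" string in
# file $1 (e.g. "0.9.8k"), or nothing if none is found.
embedded_openssl_version() {
    grep -aoE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" | head -n 1 | cut -d' ' -f2
}

# Return 0 when version $1 is at least version $2. Handles the OpenSSL
# scheme of three numeric components plus an optional patch-letter suffix.
version_ge() {
    a_num=${1%%[a-z]*}; a_let=${1#"$a_num"}
    b_num=${2%%[a-z]*}; b_let=${2#"$b_num"}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$a_num" | cut -d. -f"$i"); y=$(echo "$b_num" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    # Numeric parts equal: the patch letters decide ("" < "a" < ... < "zb").
    [ "$a_let" = "$b_let" ] && return 0
    [ "$a_let" \> "$b_let" ] && return 0
    return 1
}

# Report on binary $1 against minimum version $2.
# Returns 0 if current, 1 if it needs a rebuild, 2 if no banner was found.
audit_static_binary() {
    v=$(embedded_openssl_version "$1")
    if [ -z "$v" ]; then
        echo "$1: no OpenSSL banner found (dynamically linked, or no libcrypto inside?)"
        return 2
    fi
    if version_ge "$v" "$2"; then
        echo "$1: embeds OpenSSL $v (>= $2) - OK"
        return 0
    fi
    echo "$1: embeds OpenSSL $v (< $2) - rebuild and redistribute"
    return 1
}

# Constructed stand-in for a static binary: some NUL-separated junk around
# a libcrypto-style banner. The comparison version is a placeholder.
SAMPLE_BIN=$(mktemp)
printf 'ELF\000junk\000OpenSSL 0.9.8k 25 Mar 2009\000more\000' > "$SAMPLE_BIN"
audit_static_binary "$SAMPLE_BIN" 0.9.8l || :
```

Run `audit_static_binary` over every static openvpn you have shipped whenever your distribution publishes an OpenSSL update; the same idea applies to LZO and any other library folded into the binary, with a different banner pattern.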
Ross Cameron
2009-08-06 10:34:24 UTC
Post by hdf sdesdh
Is there a way to compile OpenVPN, so that OpenSSL is built into OpenVPN
itself, and not requiring any other OpenSSL executables/libraries from the
computer where it is installed?
Thank you
--
hdf sdesdh
2009-08-07 22:26:13 UTC
I am intending to recompile the 3rd party firmware on my Linksys router (TomatoVPN - and yes, I want it to be as small as possible :) ) which has OpenVPN, since the openssl version is old (0.9.6d). Previous attempts to install a recent version of OpenSSL (linux-mipsel arch.) have not been successful, so I'm trying to think of other ways which have not been attempted.

Thanks for all of the info. I will give it a go this weekend.
--
hdf sdesdh
2009-08-09 16:54:58 UTC
I followed the instructions in this thread, and it appears to be working! Everything compiled fine and appears to run without any problem. The TLS negotiation and connection seem to go OK, though it fails at the end. I now have to figure out all of the firewall rules to add manually; the firmware developers had automatic firewall rules, so I never had to worry about it before.

These are the two rules I have added so far:

iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT


Here is a log from the router:

Aug 9 12:16:53 router daemon.notice openvpn[2463]: MULTI: multi_create_instance called
Aug 9 12:16:53 router daemon.notice openvpn[2463]: 100.100.100.100:443 Re-using SSL/TLS context
Aug 9 12:16:53 router daemon.notice openvpn[2463]: 100.100.100.100:443 LZO compression initialized
Aug 9 12:16:53 router daemon.notice openvpn[2463]: 100.100.100.100:443 Control Channel MTU parms [ L:1602 D:174 EF:74 EB:0 ET:0 EL:0 ]
Aug 9 12:16:53 router daemon.notice openvpn[2463]: 100.100.100.100:443 Data Channel MTU parms [ L:1602 D:1450 EF:70 EB:135 ET:32 EL:0 AF:3/1 ]
Aug 9 12:16:53 router daemon.notice openvpn[2463]: 100.100.100.100:443 Fragmentation MTU parms [ L:1602 D:1500 EF:69 EB:135 ET:33 EL:0 AF:3/1 ]
Aug 9 12:16:53 router daemon.notice openvpn[2463]: 100.100.100.100:443 TLS: Initial packet from 100.100.100.100:443, sid=514619e3 ac081e07
Aug 9 12:16:54 router daemon.notice openvpn[2463]: 100.100.100.100:443 VERIFY OK: depth=1, /C=CA/ST=CA/L=CA/O=none/CN=VPN-CA/emailAddress=***@host.domain
Aug 9 12:16:54 router daemon.notice openvpn[2463]: 100.100.100.100:443 VERIFY OK: depth=0, /C=CA/ST=CA/O=none/CN=client/emailAddress=***@host.domain
Aug 9 12:16:55 router daemon.notice openvpn[2463]: 100.100.100.100:443 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 9 12:16:55 router daemon.notice openvpn[2463]: 100.100.100.100:443 Data Channel Encrypt: Using 224 bit message hash 'SHA224' for HMAC authentication
Aug 9 12:16:55 router daemon.notice openvpn[2463]: 100.100.100.100:443 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 9 12:16:55 router daemon.notice openvpn[2463]: 100.100.100.100:443 Data Channel Decrypt: Using 224 bit message hash 'SHA224' for HMAC authentication
Aug 9 12:16:55 router daemon.notice openvpn[2463]: 100.100.100.100:443 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Aug 9 12:16:55 router daemon.notice openvpn[2463]: 100.100.100.100:443 [client] Peer Connection Initiated with 100.100.100.100:443
Aug 9 12:16:55 router daemon.err openvpn[2463]: client/100.100.100.100:443 MULTI: no dynamic or static remote --ifconfig address is available for client/100.100.100.100:443
Aug 9 12:16:56 router daemon.notice openvpn[2463]: client/100.100.100.100:443 PUSH: Received control message: 'PUSH_REQUEST'
Aug 9 12:16:56 router daemon.notice openvpn[2463]: client/100.100.100.100:443 SENT CONTROL [client]: 'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120' (status=1)
Aug 9 12:16:59 router daemon.notice openvpn[2463]: client/100.100.100.100:443 MULTI: Learn: 00:ff:97:5d:66:63 -> client/100.100.100.100:443

I assume this is the line where the problem is:

Aug 9 12:16:55 router daemon.err openvpn[2463]: client/100.100.100.100:443 MULTI: no dynamic or static remote --ifconfig address is available for client/100.100.100.100:443


The client OpenVPN log shows these two lines over and over again, until it fails:

Route: Waiting for TUN/TAP interface to come up....
TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
Route: Waiting for TUN/TAP interface to come up....
TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
Route: Waiting for TUN/TAP interface to come up....
TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down


I assume something is being prevented from coming through the tunnel. Does anyone have any ideas?

Thank you



RE::::
untar the source
cd <untarred source code location>
./configure --enable-small
sed -i -e '/^LIBS/s/LIBS = /LIBS = -static /' Makefile
export CFLAGS="-Os"
export CXXFLAGS="$CFLAGS"
make
cp openvpn <wherever you want your statically compiled binary>

(I made the assumption that you want the code as small as possible for some
embedded use, usually the only reason to static compile.)

Just bear in mind that you'll have to keep an eye out for security updates
on: OpenVPN + OpenSSL + LZO2 + pThread,
and if ANY of the above have a security issue you'll have to recompile and
redistribute.
--
Eero Volotinen
2009-08-09 17:46:10 UTC
Post by hdf sdesdh
Aug 9 12:16:55 router daemon.err openvpn[2463]: client/100.100.100.100:443 MULTI: no dynamic or static remote --ifconfig address is available for client/100.100.100.100:443
Aug 9 12:16:56 router daemon.notice openvpn[2463]: client/100.100.100.100:443 PUSH: Received control message: 'PUSH_REQUEST'
Aug 9 12:16:56 router daemon.notice openvpn[2463]: client/100.100.100.100:443 SENT CONTROL [client]: 'PUSH_REPLY,route-gateway dhcp,ping 10,ping-restart 120' (status=1)
Aug 9 12:16:59 router daemon.notice openvpn[2463]: client/100.100.100.100:443 MULTI: Learn: 00:ff:97:5d:66:63 -> client/100.100.100.100:443
Aug 9 12:16:55 router daemon.err openvpn[2463]: client/100.100.100.100:443 MULTI: no dynamic or static remote --ifconfig address is available for client/100.100.100.100:443
I assume that your openvpn server configuration is missing the ip
address settings for the openvpn client?

See the:
http://www.openvpn.net/index.php/open-source/documentation/howto.html#examples

especially the lines:

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0


--
Eero,
RHCE
